I think you should use bind-dynamic and spawn more instances of dnsmasq
for each interface instead. Each would contain only information it can
One instance could have server= entries pointing to dynamically allocated
domains of other instances, so queries to that one would know all the
names. Others would know only their own domains and the public internet.
I think you are requesting something like views. It seems against the idea
of dnsmasq to me.
On 5.7.2017 at 18:54 mario wrote:
> I have configured my dnsmasq server to provide both DHCP and DNS
> services for my network, which includes a few VLANs. It works flawlessly,
> except that users on the guest VLAN can do direct and reverse queries of
> machines on different VLANs, and obtain meaningful replies from dnsmasq.
> While the above requires knowledge of the other VLANs' subnets and/or
> the names of machines on more private, and of course iptables keeps good
> guard that no packets are exchanged between the guest VLAN and the more
> private ones, I feel a determined attacker may easily guess the other
> subnets, and possibly the names of some machines on the other VLANs,
> weakening my configuration.
> Hence: can dnsmasq be configured to drop queries about different private
> subnets? Thanks for your time.
> The backbone of my dnsmasq.conf follows:
Dnsmasq-discuss mailing list
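The two-instance layout suggested in the reply above, written out as an added example (not from the thread or the dnsmasq project): one dnsmasq per VLAN interface with bind-dynamic, where the guest instance knows only its own zone plus the public resolver, and the private instance forwards guest names to the guest instance via the guest VLAN address the host itself owns. Interface names, zone names, subnets, the resolver address and file paths are all assumed.

```conf
# --- /etc/dnsmasq.d/guest.conf : instance 1, guest VLAN only (assumed names/addresses)
bind-dynamic
interface=eth0.30               # guest VLAN interface; host owns 192.168.30.1 on it
except-interface=lo             # leave loopback:53 to the private instance
domain=guest.lan
local=/guest.lan/               # answer guest.lan only from own leases/hosts
local=/priv.lan/                # private zone unknown here: NXDOMAIN, never forwarded
bogus-priv                      # RFC1918 reverse lookups not in own leases -> NXDOMAIN
no-hosts                        # do not expose /etc/hosts entries for other VLANs
domain-needed
dhcp-range=192.168.30.50,192.168.30.150,12h
no-resolv
server=9.9.9.9                  # public resolver for everything else (assumed)
dhcp-leasefile=/var/lib/misc/dnsmasq.guest.leases
pid-file=/run/dnsmasq.guest.pid

# --- /etc/dnsmasq.d/private.conf : instance 2, trusted VLAN, knows all names
bind-dynamic
interface=eth0.10               # private VLAN interface; host owns 192.168.10.1 on it
domain=priv.lan
local=/priv.lan/
dhcp-range=192.168.10.50,192.168.10.150,12h
# guest forward and reverse zones are delegated to instance 1 (per the reply's server= idea)
server=/guest.lan/192.168.30.1
server=/30.168.192.in-addr.arpa/192.168.30.1
no-resolv
server=9.9.9.9
dhcp-leasefile=/var/lib/misc/dnsmasq.private.leases
pid-file=/run/dnsmasq.private.pid
```

Each file is run as its own process (dnsmasq --conf-file=/etc/dnsmasq.d/guest.conf, and likewise for private.conf), because a single dnsmasq merges everything it reads into one view; the except-interface=lo line matters, since dnsmasq otherwise binds loopback even when interface= is given and the second instance would fail to start.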