Hi Mario,

I think you should use bind-dynamic and spawn more instances of dnsmasq
for each interface instead. Each would contain only information it can
know about.

One instance could have server= entries pointing to the dynamically allocated
domains of other instances, so queries to that one would know all the
names. Others would know only their own domains and the public internet.

I think you are requesting something like views. It seems against the idea
of dnsmasq to me.

On 5.7.2017 at 18:54, mario wrote:
> Hello,
> I have configured my dnsmasq server to provide both DHCP and DNS services
> for my network, which includes a few VLANs. It works flawlessly, except
> that users on the guest VLAN can do direct and reverse queries of
> machines on different VLANs, and obtain meaningful replies from dnsmasq.
> While the above requires knowledge of the other VLANs' subnets and/or
> the names of machines on more private, and of course iptables keeps
> good guard that no packets are exchanged between the guest VLAN and the
> more private ones, I feel a determined attacker may easily guess the
> other subnets, and possibly the names of some machines on the other
> VLANs, weakening my configuration.
> Hence: can dnsmasq be configured to drop queries about different private
> subnets? Thanks for your time.
> mario
> The backbone of my dnsmasq.conf follows:
> localise-queries
> domain-needed
> bogus-priv
> dhcp-authoritative
> no-dhcp-interface=tun0
> no-resolv
> stop-dns-rebind
> interface=eth0
> interface=eth0.10
> interface=eth0.20
> interface=eth0.30
> interface=tun0
> server=/GCTlab.lan/
> local=/faculty.lan/students.lan/administration.lan/guest.lan/
> server=
> server=
> expand-hosts
> domain=faculty.lan,
> domain=students.lan,
> .....
> dhcp-range=interface:eth0,,,12h
> dhcp-range=interface:eth0.10,,,12h
> ......
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
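The per-interface layout suggested in the reply, written out as an added example rather than the poster's or the list's own configuration. It assumes eth0.30 is the guest VLAN and eth0.20 the administration VLAN, uses documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, upstream 203.0.113.53) and one loopback address per instance as placeholders, and assumes a dnsmasq release that supports rev-server.

```conf
# ---- /etc/dnsmasq.d/guest.conf  (placeholder path)
#      started with: dnsmasq --conf-file=/etc/dnsmasq.d/guest.conf
# Guest instance: knows guest.lan and the public internet, nothing else.
bind-dynamic
interface=eth0.30                        # assumed guest VLAN
listen-address=127.0.0.30                # where other instances reach this one
pid-file=/run/dnsmasq-guest.pid          # every instance needs its own
dhcp-leasefile=/var/lib/misc/dnsmasq-guest.leases
no-hosts                                 # /etc/hosts would hold every VLAN's names
addn-hosts=/etc/dnsmasq-hosts/guest      # only guest hosts, placeholder path
expand-hosts
domain-needed
bogus-priv                               # private reverse lookups not owned here: NXDOMAIN
stop-dns-rebind
no-resolv
server=203.0.113.53                      # placeholder public resolver
domain=guest.lan,192.0.2.0/24
local=/guest.lan/
dhcp-range=interface:eth0.30,192.0.2.100,192.0.2.200,12h
# No server=/faculty.lan/ or rev-server lines for other subnets: this
# instance cannot answer what it does not know.

# ---- /etc/dnsmasq.d/administration.conf  (placeholder path)
# Aggregating instance: its own names plus forwarding to the owners of
# the other domains.
bind-dynamic
interface=eth0.20                        # assumed administration VLAN
listen-address=127.0.0.20
pid-file=/run/dnsmasq-administration.pid
dhcp-leasefile=/var/lib/misc/dnsmasq-administration.leases
no-hosts
addn-hosts=/etc/dnsmasq-hosts/administration
expand-hosts
domain-needed
stop-dns-rebind
no-resolv
server=203.0.113.53
domain=administration.lan,198.51.100.0/24
local=/administration.lan/
dhcp-range=interface:eth0.20,198.51.100.100,198.51.100.200,12h
# Forward guest names and guest reverse lookups to the guest instance.
server=/guest.lan/127.0.0.30
rev-server=192.0.2.0/24,127.0.0.30
# bogus-priv is deliberately omitted here: reverse lookups for ranges this
# instance does not own must be forwarded via rev-server, not refused.
# Add matching server=/faculty.lan/127.0.0.10 and rev-server lines for the
# faculty and students instances, each run the same way as guest.conf.
```

A quick check from a guest client: a lookup of a faculty.lan name or a PTR for a faculty address should now return NXDOMAIN from the guest instance, while the same queries from the administration VLAN are answered.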
