Hi,

I think you should have 2 DNSMASQ instances running, one for each interface. So 
each one only registers their own known DHCP clients (I assume the DHCP is also 
different for both subnets) and also returns them. You just need to make 
DNSMASQ bind to the interfaces directly (see the bind-interfaces option).

Uwe

-----
Uwe Schindler
Achterdiek 19, D-28357 Bremen
https://www.thetaphi.de
eMail: u...@thetaphi.de

From: Dnsmasq-discuss <dnsmasq-discuss-boun...@lists.thekelleys.org.uk> On 
Behalf Of Koos Pol
Sent: Saturday, December 21, 2019 9:11 AM
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: [Dnsmasq-discuss] How to prevent LAN DNS for remote guests
Hi,

I'm setting up my openwrt modem as an internet gateway for remote guests.
The modem is running openvpn and dnsmasq.
The guests arrive at their own interface (tun1 = openvpn) with a different 
subnet. Guest > LAN forwarding is disabled in the firewall for security reasons.
However, once the guests have connected, dnsmasq will resolve the LAN for them. 
Although guests won't be able to connect to anything on the LAN (forwarding is 
off) they are still able to go on a fishing expedition thanks to DNS. I don't 
want to turn off DNS completely. So --except-interface=tun1 is not an option. 
So, for anything connecting to tun1, how can I enable DNS resolving the 
internet space, while preventing resolving my LAN?

Thanks!
Koos

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
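
The two-instance setup suggested in the reply, sketched as an added example that is not part of the thread. It assumes plain dnsmasq config files rather than OpenWrt's UCI; the file paths, the interface name br-lan, the domain "lan", the DHCP range and the upstream resolver address are constructed placeholders.

```conf
# ---- /etc/dnsmasq-lan.conf (hypothetical path): LAN instance ----
# Serves DHCP and local names to the LAN only.
# Assumed LAN interface name:
interface=br-lan
# Bind only to the listed interfaces instead of the wildcard address,
# so a second instance can own port 53 on tun1.
bind-interfaces
# Assumed local domain; DHCP client names are registered under it.
domain=lan
expand-hosts
# Constructed sample range.
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-leasefile=/tmp/dhcp.leases-lan
pid-file=/var/run/dnsmasq-lan.pid

# ---- /etc/dnsmasq-guest.conf (hypothetical path): guest instance ----
# DNS forwarding only. No dhcp-range is set, so this instance has no
# lease table and therefore no LAN client names to hand out.
interface=tun1
# interface= implicitly adds loopback; the LAN instance already holds
# 127.0.0.1:53, so exclude it here or this instance fails to bind.
except-interface=lo
# Use bind-dynamic instead if tun1 can appear after dnsmasq has started.
bind-interfaces
# Do not load /etc/hosts, which may list LAN machines.
no-hosts
# Ignore resolv.conf: it may point back at the LAN instance, which
# would leak LAN names through forwarding.
no-resolv
# Placeholder address: an upstream resolver with no knowledge of the LAN.
server=192.0.2.53
# Answer the LAN domain from (empty) local data, never forward it.
local=/lan/
# Reverse lookups for private ranges get NXDOMAIN instead of going upstream.
bogus-priv
pid-file=/var/run/dnsmasq-guest.pid
```

Each instance is started with its own file via `dnsmasq --conf-file=<path>`. Querying a LAN hostname through the tun1 address should then return NXDOMAIN, while public names still resolve.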