Bind dnsmasq DNS to just localhost (127.0.0.1)
Solution 1
I had to add "bind-interfaces" to the config file, so that interface and listen-address had the desired effect. E.g.:
listen-address=127.0.0.1
interface=lo
bind-interfaces
This will have the desired effect of listening only on localhost. I was running into issues, since I was running a public dns (that resolves just my own domains) on the public ip of the server, but I wanted to run dnsmasq on localhost, too. So if I remove "bind-interfaces", I will get "dnsmasq: failed to create listening socket for port 53: Address already in use", as it tries to listen on the public IP.
Solution 2
Yes you can do that
The dnsmasq man page says this about the --interface argument:
-i, --interface=<interface name>
Listen only on the specified interface(s). Dnsmasq automatically adds the loopback (local) interface to the list of interfaces to use
when the --interface option is used. If no --interface or --listen-address options are given dnsmasq listens on all available inter‐
faces except any given in --except-interface options. IP alias interfaces (eg "eth1:0") cannot be used with --interface or --except-
interface options, use --listen-address instead. A simple wildcard, consisting of a trailing '*', can be used in --interface and
--except-interface options.
The interface name for localhost/127.0.0.1 would be lo
by default on most systems.
You can put it right in your config file like so
interface=lo
Or specify it on the command line like so
dnsmasq --interface=lo
Related videos on Youtube
D.K.
Updated on September 18, 2022Comments
-
D.K. almost 2 years
I would like to ask a question about configuring of dnsmasq DNS server. I know about such configuration option as "listen-address". But even if I set this option to "listen-address=127.0.0.1" dnsmasq still open port on both internal 127.0.0.1:53 and external 192.168.x.x:53 sides.
So I would like to ask if it is possible to configure dnsmasq so that it opens port 53 just for localhost (127.0.0.1) like for example it is possible for MySQL database.
# Configuration file for dnsmasq. port=53 proxy-dnssec no-resolv no-poll server=127.0.0.1#[some port here] server=127.0.0.1#[some another port here] listen-address=127.0.0.1 no-hosts
-
techraf almost 8 yearsSure you can. Please post your configuration file and the transcript. Of course, don't forget a sanity check: stop dnsmasq and verify if nothing else listens on 53 on external interface.
-
D.K. almost 8 years@techraf # Configuration file for dnsmasq. port=53 proxy-dnssec no-resolv no-poll server=127.0.0.1#[some port here] server=127.0.0.1#[some another port here] listen-address=127.0.0.1 no-hosts Also when I stop dnsmasq service so port 53 is closed on 127.0.0.1 and 192.168.x.x sides.
-
-
D.K. almost 8 yearsI tried your advice, Ryan, but unfortunatelly such way it still opens port on external side. Also when interface is set like "interface=lo" dnsmasq always response to request like "dig @192.168.x.x" even if "listen-address=127.0.0.1" But when "interface" option is commented out dnsmasq follows "listen-address" option and response just to "dig @127.0.0.1" if "listen-address=127.0.0.1"
-
Ryan Babchishin almost 8 years@LargoWinch That doesn't make sense. And, in your question you said
listen-address
didn't work, and that was why you were asking for help. What's going on? -
D.K. almost 8 yearsThere are 2 thing here. 1) Dnsmasq always opens ports on 127.0.0.1 and 192.168.x.x (I check this with nmap) 2) another thing is dnsmasq respons on just "@127.0.0.1" when "listen-address=127.0.0.1". When I set "interface=lo" dnsmasq starts to ignore "listen-address=127.0.0.1" and answers requests for "@192.168.x.x". But my question was if it is possible to do so that dnsmasq not open port on 192.168.x.x side at all. For now I managed to do just so that dnsmasq opens port on both sides but ignores requests "@192.168.x.x".
-
Ryan Babchishin almost 8 years@LargoWinch try to pass --interface=lo on the command line to dnsmasq instead.
-
D.K. almost 8 yearsThis is how I tried, Ryan: dnsmasq is run as service, so line for starting looks like this one. (ExecStart=/usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file --interface=lo). So I tested and results was the same as with changes in configuration. Dnsmasq just ignores "listen-address" in this case and ports being still opened both sides.
-
Ryan Babchishin almost 8 years@LargoWinch Interesting, it sounds like you might have found a bug. Your only option may be to report it if you don't want to work around it. What is your OS and DNSMasq version?
-
D.K. almost 8 yearsYes, maybe the fastest way to clarify this case will be just to report this as an issue to developers. I think I will try this. Should I delete this question or mark it in title as [CLOSED] for example. What is the common practice on this? As about my system there is: OS: Arch Linux x86_64 Linux 4.7.2-1-ARCH, and DNSMasq: version 2.76
-
Håkan Lindqvist over 7 yearsthekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html for all the details
-
Eduardo over 6 yearsyou can use listen-address=127.0.0.1 OR interface=lo ... don't need to specify both
-
JGurtz almost 4 yearsYes and nice to use interface rather than the address since then both ipv4 and ipv6 are added. I needed to specify
bind-interfaces
to get this working on rhel7. Otherwise it was listening on '*:53'. The comments are a little vague in the conf file "On systems which support it..." -
batfastad over 2 yearsDNS
should
always be able to use TCP. See datatracker.ietf.org/doc/html/rfc1123#section-6.1.3.2 from 1989DNS servers MUST be able to service UDP queries and SHOULD be able to service TCP queries. A name server MAY limit the resources it devotes to TCP queries, but it SHOULD NOT refuse to service a TCP query just because it would have succeeded with UDP.
DNS responses over 4096 bytes will be returned with aTR
bit set (truncated) and the client should retry over TCP. This is common in regular operation in the last 15 years due to larger record sizes (DNSSEC and IPv6 AAAA). -
jan-glx over 2 yearsadding
bind-interfaces
made dnsmasq listen on127.0.0.1
instead of0.0.0.0
, somehow fixing the problem of it not being used in my Ubuntu WSL1 instance..