Can I get dnsmasq to drop/reject/redirect any address queries except one?

Solution 1

Sure! Redirect all name resolutions to one address with the command:

address=/#/10.0.0.101

That is the entry required in the /etc/dnsmasq.conf file. Which I recommend using as that will enforce such configuration if the server is reboot for any reason.

On the command line, the option is called:

-A, --address=/<domain>[/<domain>...]/[<ipaddr>]  

A copy of the dnsmasq manual for address= is below.

However, even if it may seem reasonable to set -i vlan (to the expected interface to be used) and -a 10.6.66.1 (to the address in which it is expected that dnsmasq will listen for DNS resolution). Do not do that!.

Allow dnsmasq to bind in wildcard mode to any and all the server addresses on port 53. That way any request to the server about DNS resolution will be answered by dnsmasq.

The three modes are "wildcard", "bind-interfaces" and "bind-dynamic".
In "wildcard" mode, dnsmasq binds the wildcard IP address (0.0.0.0 or ::). This allows it to receive all the packets sent to the server on the relevant port. Access control (--interface, --except-interface, --listen-address, etc) is implemented by dnsmasq: it queries the kernel to determine the interface on which a packet was received and the address to which it was sent, and applies the configured rules. Wildcard mode is the default if neither of the other modes are specified.

Use port 53 (as external clients will expect that by default):

port=53   # It is set to be 53 by default, not really needed.

Turn off (and disallow) both avahi-dns and systemd.resolved

Make sure that no other program/service is listening on ports 53 or 5353.

$ netstat -pantu | grep ':53'

Also set this options to enforce that names like mylocaldomain (no dots) are resolved with an error (NXDOMAIN) by the dnsmasq DNS resolver and that (some) name resolutions are not forwarded to any other server:

# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv

Ensure that any server set in /etc/resolv.conf is not used:

no-resolv
no-poll

All the above will configure the DNS side of dnsmasq to resolve all domains to one simple address. It is still possible to add any other name to resolve other needed addresses by including it in the /etc/hosts file, like

127.0.0.1
10.0.3.101   linum

This last address should be the address to the web-server for the survey.
The initial address above (10.0.0.101) should be the error page that explain what to do to access the survey page.

But that is not all. You also need to configure the DHCP server to supply a nameserver option with the address of the dnsmasq DNS resolver (d not use option number 5, it is obsolete (and should have been for more than 20 years)):

dhcp-option=6,10.0.0.101

Plus all the other needed configurations for the DHCP part of dnsmasq.

That will allow a computer (tablet or phone also) to get a DHCP given address with a defined DNS server. All protocol compliant computers will follow such configured options and be unable to resolve any other address.

However, it is also possible that a device may try to access directly a IP number (no DNS resolution requested). That must be avoided using IPFilter configuration on the router that serve the local network.

From man dnsmasq:

-A, --address=/[/...]/[]
Specify an IP address to return for any host in the given domains. Queries in the domains are never forwarded and always replied to with the specified IP address which may be IPv4 or IPv6. To give both IPv4 and IPv6 addresses for a domain, use repeated -A flags. To include multiple IP addresses for a single query, use --addn- hosts= instead. Note that /etc/hosts and DHCP leases override this for individual names. A common use of this is to redirect the entire doubleclick.net domain to some friendly local web server to avoid banner ads. The domain specification works in the same was as for --server, with the additional facility that /#/ matches any domain. Thus --address=/#/1.2.3.4 will always return 1.2.3.4 for any query not answered from /etc/hosts or DHCP and not sent to an upstream nameserver by a more specific --server directive. As for --server, one or more domains with no address returns a no-such-domain answer, so --address=/example.com/ is equivalent to --server=/example.com/ and returns NXDOMAIN for example.com and all its subdomains.

Also read:

Add forged DNS entries
Bind configuration to resolve all queries to only one address

Solution 2

First I would focus in the solution working normally with the client writing a simple name URL as http://lime to make debugging easier.

As you might not need to provide Internet access, you might not need entirely to implement a captive portal, as you will eventually answer any DNS answer that you give will point out to your page, with dnsmasq.

So the easiest way is in your web server, to create the intended vhost, and the default listening socket (*) redirecting any request to that vhost.

However, and it is a big however, Androids and iOS devices are a bit adamant on getting access to some URLs to think they are connected. Nonetheless, I would place those URLs on your site, and be done with it.

Related videos on Youtube

01 : 00 : 29

Defensive programming, or how to NOT code in C in dnsmasq!

Bits inside by René Rebe

749

16 : 39

Implementing DNS via dnsmasq

Kris Reese

39

09 : 56

Configuring DNS With Dnsmasq and Ubuntu Server

Joe Neville

5

07 : 44

How to do DNS Caching with dnsmasq

NetBeez

1

02 : 48

Can I get dnsmasq to drop/reject/redirect any address queries except one? (2 Solutions!!)

Roel Van de Paar

1

Author by

r0berts

I am a hobbyist in statistical programming and my main field is psychological medicine. I like the StackExchange community. What else - oh, yes, I am a linux fan and most computers I have run linux on them - Manjaro or Debian.

Updated on September 18, 2022