[RESOLVED] Isolated VLANs, can DNSMasq isolate local DNS?

kErI4r1TR5E2J7it
DD-WRT Novice


Joined: 25 Mar 2015
Posts: 2

PostPosted: Wed Mar 25, 2015 6:08    Post subject: [RESOLVED] Isolated VLANs, can DNSMasq isolate local DNS?
I followed some wiki guides for setting up separate VLANs based on my router's physical ethernet ports, and that worked out fine. My iptables rules completely prevent devices in each VLAN from talking to devices in other VLANs. Great!

But now I have a problem with DNSMasq and local DNS: Any device on any VLAN can look up the hostname of a device on any other VLAN, and get that device's local IP address. These devices can't communicate with each other, but they're able to detect each others' presence, and I don't want that to be possible.

I do want each individual VLAN to have its own local DNS, so that devices on VLAN X can detect one another, and devices on VLAN Y can detect one another. But I don't want a device on VLAN X to be able to see a name from VLAN Y, nor vice-versa.

Is there any way to configure this behavior, either using the DD-WRT GUI, or with options set directly in /tmp/dnsmasq.conf ?

I would prefer to avoid doing something outside the router itself, like disabling DNSMasq there and installing a separate DNSMasq service on some device living in each VLAN, but that's all I can come up with so far.

Router: Buffalo WZR-1750DHP
Build: DD-WRT v24-sp2 (06/23/14) std - build 24461


Last edited by kErI4r1TR5E2J7it on Sat May 09, 2015 16:12; edited 1 time in total
kErI4r1TR5E2J7it
DD-WRT Novice


Joined: 25 Mar 2015
Posts: 2

PostPosted: Sat May 09, 2015 16:10    Post subject:
Should have replied to this a while back, but life got in the way. I did eventually figure this out.

The important thing to note is that the dnsmasq "localise-queries" option does not solve this problem. If a device has an address on more than one VLAN, setting this option can choose the right one to advertise on each VLAN subnet; but it does not make the device appear invisible to VLANs on which it isn't addressable.

The correct solution is to run multiple instances of dnsmasq, one for each VLAN that should be isolated. There are some instructions on this process throughout the web; here is the executive summary:

* dd-wrt will start one instance of dnsmasq on its own, using a temporary configuration file written based on what's entered in the Services/DNSMasq webpage. So additional instances will have to get their configuration elsewhere. Enable some form of non-volatile filesystem (such as JFFS) so that you can save your dnsmasq configurations there.

* Each dnsmasq instance, including the one that's started by dd-wrt automatically, must be configured with the "bind-interfaces" option. dnsmasq will try to bind to the wildcard interface by default, which means that any subsequent attempts to bind there (by other instances of dnsmasq) will fail. Using "bind-interfaces" in each dnsmasq instance will limit each instance to binding only on the network interfaces named by the "interface" setting.

* The "interface" setting for each dnsmasq instance's configuration should be set to whatever VLAN/interface name the instance should be limited to. (The dnsmasq instance started by dd-wrt may already have this setting, e.g. "interface=br0")

* Additionally, the "except-interfaces=lo" config setting will be required on each dnsmasq instance, because otherwise they will all try to bind to the loopback interface by default.

* For DNS and DHCP settings, simply adapt what dd-wrt generates by default to each VLAN-specific dnsmasq instance. Take a look at /tmp/dnsmasq.conf as a model for these settings.

* Again, dd-wrt will only start one instance of dnsmasq, so additional instances of dnsmasq will have to be started in another way, e.g. by setting a command in the "Startup" commands section. (You can start a new instance of dnsmasq by issuing the command "dnsmasq -u root -g root --conf-file=/path/to/instance/configuration.conf")

Once this is all set up, you should have multiple, VLAN-isolated dnsmasq instances each time the router starts up.

One more catch: when I tried all this on my router initially, multiple instances of dnsmasq simply wouldn't start. This was due to a bug in the version of dnsmasq included in my dd-wrt version. I wasn't able to nail down specifically what dnsmasq version fixed it -- I suspect it might have been version 2.48, "Fixed bug which broke binding of servers to physical interfaces when interface names were longer than four characters."

At any rate, my current dd-wrt version - build 26635, with dnsmasq 2.73rc3 - allows concurrent interface-specific instances just fine.
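The procedure in the post above, collected into one startup script as an added example (this is not code from the thread or from DD-WRT). It writes one dnsmasq configuration per VLAN to a JFFS directory and starts the extra instances with the same `dnsmasq -u root -g root --conf-file=...` invocation the post gives. The VLAN interface names (`vlan2`, `vlan3`), subnets, domain names, the `/jffs/etc/dnsmasq.d` path and the `/tmp/resolv.dnsmasq` upstream file are assumptions; copy the real values from your own `/tmp/dnsmasq.conf`. Two details worth checking against the post: the dnsmasq option is spelled `except-interface` (singular), and each instance also needs its own lease file plus `no-hosts`, because every instance would otherwise read the shared `/etc/hosts` and hand those names to every VLAN again, which is exactly the leak the thread set out to close. The `br0` instance DD-WRT starts from the GUI is not written here; it only needs `bind-interfaces` added to its additional options so it stops claiming the wildcard socket.

```shell
#!/bin/sh
# Added example: one isolated dnsmasq instance per VLAN on DD-WRT, started from
# the "Startup" commands. Interfaces, subnets, domains and paths are assumptions.

CONF_DIR="${CONF_DIR:-/jffs/etc/dnsmasq.d}"

# Constructed VLAN table: iface routerIP firstLease lastLease domain
# (br0 is DD-WRT's own instance; give it "bind-interfaces" via the GUI instead.)
VLANS='
vlan2 192.168.20.1 192.168.20.100 192.168.20.200 lab.lan
vlan3 192.168.30.1 192.168.30.100 192.168.30.200 guest.lan
'

# Print the dnsmasq configuration for one VLAN-bound instance.
dnsmasq_instance_conf() {
    iface="$1" addr="$2" first="$3" last="$4" domain="$5"
    cat <<EOF
# dnsmasq instance serving $iface only
interface=$iface
bind-interfaces
except-interface=lo
# Keep this instance's name database private to its VLAN: its own leases,
# no shared /etc/hosts, only an optional per-VLAN hosts file.
no-hosts
addn-hosts=$CONF_DIR/hosts.$iface
dhcp-leasefile=/tmp/dnsmasq-$iface.leases
pid-file=/var/run/dnsmasq-$iface.pid
domain=$domain
local=/$domain/
expand-hosts
dhcp-range=$first,$last,255.255.255.0,12h
dhcp-option=option:router,$addr
dhcp-option=option:dns-server,$addr
# Upstream resolvers: assumed to be the same file DD-WRT's br0 instance uses.
resolv-file=/tmp/resolv.dnsmasq
EOF
}

# Write every instance config (and an empty per-VLAN hosts file) under CONF_DIR.
write_instance_confs() {
    mkdir -p "$CONF_DIR"
    echo "$VLANS" | while read -r iface addr first last domain; do
        [ -n "$iface" ] || continue
        dnsmasq_instance_conf "$iface" "$addr" "$first" "$last" "$domain" \
            > "$CONF_DIR/$iface.conf"
        touch "$CONF_DIR/hosts.$iface"
        echo "$CONF_DIR/$iface.conf"
    done
}

# Start one dnsmasq per config file, using the invocation from the thread.
start_instances() {
    for f in "$CONF_DIR"/*.conf; do
        [ -f "$f" ] || continue
        dnsmasq -u root -g root --conf-file="$f"
    done
}

# "install" only writes the configs; "start" writes them and launches dnsmasq.
case "${1:-}" in
    install) write_instance_confs ;;
    start)   write_instance_confs >/dev/null; start_instances ;;
esac
```

Save it as, for example, `/jffs/etc/dnsmasq-vlans.sh` (an assumed path), run `sh /jffs/etc/dnsmasq-vlans.sh install` once to inspect the generated files, and put `sh /jffs/etc/dnsmasq-vlans.sh start` in the Startup commands. To confirm the isolation, query each instance from a host on the other VLAN: a name leased on `vlan2` should return NXDOMAIN from the `vlan3` resolver, and `netstat -lnp` on the router should show port 53 bound per interface address rather than on `0.0.0.0`.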
mesjanloar
DD-WRT Novice


Joined: 13 May 2015
Posts: 7

PostPosted: Wed Jul 01, 2015 10:40    Post subject: Re: [RESOLVED] Isolated VLANs, can DNSMasq isolate local DNS
kErI4r1TR5E2J7it wrote:
I followed some wiki guides for setting up separate VLANs based on my router's physical ethernet ports, and that worked out fine. My iptables rules completely prevent devices in each VLAN from talking to devices in other VLANs. Great!

But now I have a problem with DNSMasq and local DNS: Any device on any VLAN can look up the hostname of a device on any other VLAN, and get that device's local IP address. These devices can't communicate with each other, but they're able to detect each others' presence, and I don't want that to be possible.

I do want each individual VLAN to have its own local DNS, so that devices on VLAN X can detect one another, and devices on VLAN Y can detect one another. But I don't want a device on VLAN X to be able to see a name from VLAN Y, nor vice-versa.

Is there any way to configure this behavior, either using the DD-WRT GUI, or with options set directly in /tmp/dnsmasq.conf ?

I would prefer to avoid doing something outside the router itself, like disabling DNSMasq there and installing a separate DNSMasq service on some device living in each VLAN, but that's all I can come up with so far.

Router: Buffalo WZR-1750DHP
Build: DD-WRT v24-sp2 (06/23/14) std - build 24461



Hi

I have a question about VLANs. Did you set up separate VLANs on each of the LAN ports, or did you use tagging and get, e.g., 2 separate VLANs on one ethernet port?

Regards