Hello Nicolas,
The choices made for dnsmasq sound overly complex, peculiar and
subject to incompatibilities with the vast majority of other
software.
What's wrong with listening only on a single interface when asked to?

For instance, when nginx is configured to be listening only on the
loopback interface, it does not "take over" all interfaces but listens
only on 127.0.0.1 and ::1.

Furthermore, there is another issue I just discovered when using the
listen-address= option instead of interface=

listen-address=192.168.1.1
...
ss --all --numeric --processes --tcp --udp --oneline | sort -V | full | grep dnsmasq
udp   UNCONN    0      0      0.0.0.0:67      0.0.0.0:*      users:(("dnsmasq",pid=3485870,fd=4))

instead of

interface=eth0
...
ss --all --numeric --processes --tcp --udp --oneline | sort -V | full | grep dnsmasq
udp   UNCONN    0      0      0.0.0.0%eth0:67      0.0.0.0:*      users:(("dnsmasq",pid=3542561,fd=4))

In this example, using the listen-address= option results in dnsmasq
listening on **all** addresses instead of just the eth0 interface with
the interface= option.

On Fri, Mar 7, 2025 at 9:39 AM Nicolas Cavallari
<nicolas.cavall...@green-communications.fr> wrote:
>
> On 06/03/2025 17:10, jean-christophe manciot wrote:
> > ubuntu oracular
> > linux 6.12.0-15-generic
> > dnsmasq 2.90-4 or 2.90-7
> >
> > With the following specific configuration in /etc/dnsmasq.conf:
> > port=0
> > interface=eth0
> > bind-interfaces
> > dhcp-range=192.168.1.2,192.168.1.254
> >
> > I get:
> > # /usr/bin/netstat -tunpevaW | grep dnsmasq
> > udp 0 0 0.0.0.0:67 0.0.0.0:* 0 19371604 3877093/dnsmasq
> >
> > which contradicts your own documentation (please read until the end):
>
> This line does not indicate that dnsmasq does not bind to an interface. It
> only indicates that dnsmasq does not bind to a specific address. On Linux,
> the two are separate, since it uses a weak host model.  Binding to an
> address is useless considering DHCP is mostly broadcast.
>
> netstat is also deprecated. Use ss instead, which shows the bound device in
> the "Local Address" column, e.g. "0.0.0.0%eth0:67".
>
> > # If you want dnsmasq to listen for DHCP and DNS requests only on
> > # specified interfaces (and the loopback) give the name of the
> > # interface (eg eth0) here.
> > # Repeat the line for more than one interface.
> > # interface=
> >
> > # On systems which support it, dnsmasq binds the wildcard address,
> > # even when it is listening on only some interfaces. It then discards
> > # requests that it shouldn't reply to. This has the advantage of
> > # working even when interfaces come and go and change address. If you
> > # want dnsmasq to really bind only the interfaces it is listening on,
> > # uncomment this option. About the only time you may need this is when
> > # running another nameserver on the same machine.
> > # bind-interfaces
> >
> > So, bind-interfaces is not applied as it takes over all interfaces.
> >
> > This dnsmasq issue prevents the coexistence with other DHCP server(s)
> > such as kea as it binds to **all** interfaces and prevent other
> > servers from listening on the interface(s) they are setup for.
>
> The documentation is correct, dnsmasq uses SO_BINDTODEVICE when the option is
> specified, as well as SO_REUSEADDR and SO_REUSEPORT.
>
> >
> > Then kea-dhcp4-server refuses to start on any other interface with the
> > message:
> > DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket
> > on interface virbr1, reason: failed to bind fallback socket to address
> > 192.168.2.1, port 67, reason: Address already in use - is another DHCP
> > server running?
>
> You need to check if they really bind to an interface and if they set
> SO_REUSEADDR/SO_REUSEPORT.
>
> The details of what combination of sockets Linux allows are a bit complicated.
> The first 300 lines of net/ipv4/inet_connection_sock.c deal with this.



-- 
Jean-Christophe

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
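
Added example, not part of the original thread: a small Python parser for the "Local Address:Port" column of `ss --oneline` output, reporting whether each listener is bound to a specific address, to the wildcard address with a device (the `0.0.0.0%eth0:67` form discussed above), or to the wildcard address alone. The function names and the last two sample lines are constructed for illustration, and the result describes socket-level binding only.

```python
import re

# Constructed sample input. The first two lines are the ss output quoted in
# the thread, rejoined onto one line each; the last two are invented here.
SAMPLE = """\
udp UNCONN 0 0 0.0.0.0:67 0.0.0.0:* users:(("dnsmasq",pid=3485870,fd=4))
udp UNCONN 0 0 0.0.0.0%eth0:67 0.0.0.0:* users:(("dnsmasq",pid=3542561,fd=4))
udp UNCONN 0 0 192.168.2.1:67 0.0.0.0:* users:(("kea-dhcp4",pid=4242,fd=9))
udp UNCONN 0 0 [::]%eth0:547 [::]:* users:(("dnsmasq",pid=3542561,fd=6))
"""

# Local Address:Port column: address, optional %device, then port.
LOCAL = re.compile(r"^(\[[^\]]*\]|[^%:\[]+)(?:%([^:]+))?:(\d+|\*)$")
WILDCARDS = {"0.0.0.0", "*", "[::]"}


def classify(line):
    """Return (process, port, device, scope) for one ss line, or None."""
    fields = line.split()
    if len(fields) < 6:
        return None
    m = LOCAL.match(fields[4])
    if not m:
        return None  # header line or unexpected layout
    addr, dev, port = m.groups()
    proc = re.search(r'users:\(\("([^"]+)"', line)
    if addr not in WILDCARDS:
        scope = "address-bound"
    elif dev:
        scope = "wildcard+device"  # how ss displays a device-bound socket
    else:
        scope = "wildcard"  # socket accepts traffic from any interface
    return (proc.group(1) if proc else "?", port, dev, scope)


def audit(text, port):
    """Classify every listener on the given port."""
    rows = [classify(line) for line in text.splitlines()]
    return [r for r in rows if r and r[1] == str(port)]


if __name__ == "__main__":
    for proc, port, dev, scope in audit(SAMPLE, 67):
        print(f"{proc:10} port {port:4} dev {dev or '-':6} {scope}")
```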