Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
5 votes • 1 answer • 4411 views
How to get DNSMASQ to work?
I'm using Elementary OS Freya (Ubuntu 14.04).
I've installed DNSMASQ and am running the command and getting the error below:
$ sudo service dnsmasq start
* Starting DNS forwarder and DHCP server dnsmasq
dnsmasq: bad command line options: try --help [fail]
In the `/var/log/syslog`, I found:
Dec 22 10:34:10 Marcelo-PC dnsmasq: bad command line options: try --help
Dec 22 10:34:10 Marcelo-PC dnsmasq: FAILED to start up
Running `sh -x /etc/init.d/dnsmasq` I get:
marcelo@Marcelo-PC:~$ sh -x /etc/init.d/dnsmasq start
+ set +e
+ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+ DAEMON=/usr/sbin/dnsmasq
+ NAME=dnsmasq
+ DESC=DNS forwarder and DHCP server
+ ENABLED=1
+ [ -r /etc/default/dnsmasq ]
+ . /etc/default/dnsmasq
+ ENABLED=1
+ CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
+ [ -r /etc/default/locale ]
+ . /etc/default/locale
+ LANG=en_US.UTF-8
+ export LANG
+ test -x /usr/sbin/dnsmasq
+ [ -f /lib/lsb/init-functions ]
+ . /lib/lsb/init-functions
+ run-parts --lsbsysinit --list /lib/lsb/init-functions.d
+ [ -r /lib/lsb/init-functions.d/01-upstart-lsb ]
+ . /lib/lsb/init-functions.d/01-upstart-lsb
+ unset UPSTART_SESSION
+ _RC_SCRIPT=/etc/init.d/dnsmasq
+ [ -r /etc/init//etc/init.d/dnsmasq.conf ]
+ _UPSTART_JOB=dnsmasq
+ [ -r /etc/init/dnsmasq.conf ]
+ [ -r /lib/lsb/init-functions.d/20-left-info-blocks ]
+ . /lib/lsb/init-functions.d/20-left-info-blocks
+ [ -r /lib/lsb/init-functions.d/50-ubuntu-logging ]
+ . /lib/lsb/init-functions.d/50-ubuntu-logging
+ LOG_DAEMON_MSG=
+ FANCYTTY=
+ [ -e /etc/lsb-base-logging.sh ]
+ true
+ [ ! ]
+ [ != yes ]
+ [ -x /sbin/resolvconf ]
+ RESOLV_CONF=/var/run/dnsmasq/resolv.conf
+ [ ! ]
+ DNSMASQ_USER=dnsmasq
+ test 1 != 0
+ log_daemon_msg Starting DNS forwarder and DHCP server dnsmasq
+ [ -z Starting DNS forwarder and DHCP server ]
+ log_use_fancy_output
+ TPUT=/usr/bin/tput
+ EXPR=/usr/bin/expr
+ [ -t 1 ]
+ [ xxterm != x ]
+ [ xxterm != xdumb ]
+ [ -x /usr/bin/tput ]
+ [ -x /usr/bin/expr ]
+ /usr/bin/tput hpa 60
+ /usr/bin/tput setaf 1
+ [ -z ]
+ FANCYTTY=1
+ true
+ /usr/bin/tput xenl
+ /usr/bin/tput cols
+ COLS=169
+ [ 169 ]
+ [ 169 -gt 6 ]
+ /usr/bin/expr 169 - 7
+ COL=162
+ log_use_plymouth
+ [ n = y ]
+ plymouth --ping
+ printf * Starting DNS forwarder and DHCP server dnsmasq
* Starting DNS forwarder and DHCP server dnsmasq + /usr/bin/expr 169 - 1
+ /usr/bin/tput hpa 168
+ printf
+ start
+ [ ! -d /var/run/dnsmasq ]
+ start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/dnsmasq.pid --exec /usr/sbin/dnsmasq --test
+ start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/dnsmasq.pid --exec /usr/sbin/dnsmasq -- -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -r /var/run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
dnsmasq: opções inválidas de linha de comando: tente --help
+ return 2
+ log_end_msg 1
+ [ -z 1 ]
+ [ 162 ]
+ [ -x /usr/bin/tput ]
+ log_use_plymouth
+ [ n = y ]
+ plymouth --ping
+ printf \r
+ /usr/bin/tput hpa 162
+ [ 1 -eq 0 ]
+ printf [
[+ /usr/bin/tput setaf 1
+ printf fail
fail+ /usr/bin/tput op
+ echo ]
]
+ return 1
+ exit 1
And I can't put the DNSMASQ to work. The only uncommented line in my `dnsmasq.conf` is (you can see the entire file here):
address=/nintendowifi.net/192.168.0.8
How can I see what the problem is?
Marcelo Rodovalho (161 rep) • Dec 22, 2016, 01:35 PM • Last activity: Aug 6, 2025, 05:04 AM
0 votes • 1 answer • 4205 views
Setting up a fixed IP wifi hotspot (with no internet) with DHCP and DNS using dnsmasq
I'm having trouble setting up my computer (running Ubuntu 18.04) as a hotspot with a manually fixed IP. I want devices to be able to connect to it via WiFi, and for them to be able to access my website hosted on the computer on port 80.
So I wanted to set the fixed IP of my computer as 192.168.10.1, so I set up the hotspot as such:
INTERFACE=wlan0 # My wifi card interface
CONNECTION_NAME=testhotspot
MY_IP="192.168.10.1"
sudo nmcli con add type wifi ifname $INTERFACE con-name $CONNECTION_NAME autoconnect yes ssid $CONNECTION_NAME
sudo nmcli con modify $CONNECTION_NAME 802-11-wireless.mode ap ipv4.method manual ipv4.addresses $MY_IP/24 ipv4.gateway $MY_IP
sudo nmcli con modify $CONNECTION_NAME wifi-sec.key-mgmt wpa-psk
sudo nmcli con modify $CONNECTION_NAME wifi-sec.psk "somepassword"
# do I need to set ipv4.dns?
I then set up dnsmasq (in `/etc/dnsmasq`) as:
address=/#/127.0.0.1
interface=wlan0
except-interface=lo
listen-address=::1,127.0.0.1,192.168.10.1
# DHCP setup
dhcp-range=192.168.10.100,192.168.10.200,12h # lease out 192.168.10.100-200
dhcp-option=option:router,192.168.10.1
dhcp-option=option:dns-server,192.168.10.1
dhcp-option=option:netmask,255.255.255.0
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
dhcp-authoritative
Startup dnsmasq and the hotspot:
sudo nmcli con up testhotspot
sudo systemctl restart dnsmasq.service
With this setup, I found that connecting to the wifi hotspot on another computer running Ubuntu (let's call this computer B), I could successfully ping 192.168.1.10 and access my website on 192.168.10.1:80.
However, I had issues trying to connect to it using an Android phone, with the connection continuously dropping. I had to change my Android wifi settings to "Static" instead of "DHCP", and specify the DNS to 192.168.10.1 for me to successfully ping 192.168.10.1. Thus, I guessed that I hadn't "announced" to clients properly about my DNS/DHCP server? I tried changing my hotspot settings as `nmcli con modify testhotspot ipv4.dns 192.168.10.1`. However, this did not solve the issue on my Android device (It stopped dropping the wifi connection, but I still could not ping 192.168.10.1?).
I also noticed that on computer B, while connected to both the wifi of my hotspot server, and an internet-providing router, some public websites (such as this askubuntu site) could not be reached until I turned off the wifi connection to the hotspot server. What did I do wrong in the setup above?
kekpirat (101 rep) • Sep 14, 2022, 02:12 AM • Last activity: Jul 19, 2025, 01:03 AM
0 votes • 0 answers • 12 views
dnsmasq '--read-ethers' and '--address' interaction
I run dnsmasq on a server (specifically OpenWrt) to act as both DHCP and DNS.
OpenWrt DHCP configuration `/etc/config/dhcp`:
option readethers '1'
list address '/my-phone.lan/172.28.79.133'
Which is equivalent to running:
dnsmasq --read-ethers --address='/my-phone.lan/172.28.79.133'
nslookup works and resolves the name to IP correctly. I set this in `/etc/ethers`:
00:c7:11:b4:19:1a my-phone.lan
From dnsmasq manpage:
> **-Z, --read-ethers**
> Read /etc/ethers for information about hosts for the DHCP server. The format of /etc/ethers is a hardware address, followed
> by either a hostname or dotted-quad IP address. When read by dnsmasq
> these lines have exactly the same effect as --dhcp-host options
> containing the same information. /etc/ethers is re-read when dnsmasq
> receives SIGHUP. IPv6 addresses are NOT read from /etc/ethers.
When my phone connects to the network, it does not receive the DHCP lease 172.28.79.133.
But if I don't use `dnsmasq --address` and instead set it in `/etc/hosts`:
172.28.79.133 my-phone.lan
It works and my phone does receive the correct DHCP lease. Why is that?
Livy (455 rep) • Jul 10, 2025, 08:56 AM • Last activity: Jul 10, 2025, 09:03 AM
1 vote • 1 answer • 25 views
forward *.vm dns requests from local dnsmasq to libvirt's dnsmasq
I have a custom dnsmasq instance running locally as my main dns provider and I want to forward *.vm requests to libvirt's instance of dnsmasq, but there's something wrong with my local network configuration.
This dig request used to work:
$ virsh list
Id Name State
-----------------------------
1 recovery.vm running
$ dig @192.168.122.1 recovery.vm.
;; communications error to 192.168.122.1#53: timed out
; > DiG 9.20.10 > @192.168.122.1 recovery.vm.
; (1 server found)
;; global options: +cmd
;; no servers could be reached
I think it is strange that it says "no servers could be reached", instead of the usual "NXDOMAIN" response. I know for a fact dnsmasq is running...
sudo lsof -nP -iTCP -sTCP:LISTEN | grep dnsmasq
dnsmasq 1579 nobody 6u IPv4 27785 0t0 TCP 192.168.122.1:53 (LISTEN)
dnsmasq 19342 dnsmasq 5u IPv4 236233 0t0 TCP 127.0.0.1:53 (LISTEN)
dnsmasq 19342 dnsmasq 7u IPv6 236235 0t0 TCP [::1]:53 (LISTEN)
So libvirt's dnsmasq is definitely running with pid=1579, but for some reason, dig cannot reach it... I am not sure what could be happening here.
$ sudo nft list ruleset
table ip libvirt_network {
chain forward {
type filter hook forward priority filter; policy accept;
counter packets 178240 bytes 171747714 jump guest_cross
counter packets 178240 bytes 171747714 jump guest_input
counter packets 65829 bytes 3589986 jump guest_output
}
chain guest_output {
ip saddr 192.168.122.0/24 iif "virbr0" counter packets 0 bytes 0 accept
iif "virbr0" counter packets 0 bytes 0 reject
}
chain guest_input {
oif "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 0 bytes 0 accept
oif "virbr0" counter packets 0 bytes 0 reject
}
chain guest_cross {
iif "virbr0" oif "virbr0" counter packets 0 bytes 0 accept
}
chain guest_nat {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade
}
}
table ip6 libvirt_network {
chain forward {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump guest_cross
counter packets 0 bytes 0 jump guest_input
counter packets 0 bytes 0 jump guest_output
}
chain guest_output {
}
chain guest_input {
}
chain guest_cross {
}
chain guest_nat {
type nat hook postrouting priority srcnat; policy accept;
}
}
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Looking for suggestions on how to fix it or further investigate, please.
Thank you.
thiago (133 rep) • Jun 30, 2025, 10:57 AM • Last activity: Jul 4, 2025, 11:57 AM
4 votes • 2 answers • 3911 views
How to configure dnsmasq on Mint-18 with NetworkManager?
I am learning linux networking. I am very confused by the config file locations. What I read on the web doesn't match how my machine is set up.
I am using Mint 18. I am using network-manager & dnsmasq.
On the dnsmasq setup page, they mention that dnsmasq can be configured in `/etc/dnsmasq.conf`. I do not have this file...
However there is a `/etc/dnsmasq.d/network-manager` and there is also `/etc/NetworkManager/dnsmasq.d/`
I think (although I do not know), that `/etc/NetworkManager/dnsmasq.d` is where I should place my config file. Is this to do with NetworkManager's `plugins`?
If so what is `/etc/dnsmasq.d`? Should I put my config file here?
hba (977 rep) • Nov 11, 2016, 09:13 PM • Last activity: May 23, 2025, 01:03 PM
1 vote • 1 answer • 2589 views
Ubuntu 20.04 hotspot connection not resolving DNS for iPhone device
I have a wired connection on Ubuntu 20.04. I create a Hotspot connection. I believe NetworkManager automatically creates the following for my wireless interface:
inet 10.42.0.1 netmask 255.255.255.0 broadcast 10.42.0.255
I want to connect to the Hotspot connection with my iPhone. This is what I set up on my iPhone manually:
IP Address: 192.168.0.11
Subnet Mask: 255.255.0.0
Router: 10.42.0.1
I assume that I have to set the IP of the wireless interface as the router, because the Hotspot connection will be acting as the router in a sense. Is this correct? Where I have `Router: 10.42.0.1`
I am able to connect to the Hotspot, however upon examination of the traffic in Wireshark, it seems that the DNS is not resolving. The DNS settings on my iPhone are pointed to Google resolvers `8.8.8.8` and `8.8.4.4`. I am seeing DNS queries to Google resolvers, however no response is coming back.
It also seems like when I created the Hotspot connection NetworkManager magically started `dnsmasq` as the local-resolver on the wireless interface. This is what `netstat -tupln` looks like:
tcp 0 0 10.42.0.1:53 0.0.0.0:* LISTEN 148021/dnsmasq
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 147835/systemd-reso
udp 0 0 10.42.0.1:53 0.0.0.0:* 148021/dnsmasq
udp 0 0 127.0.0.53:53 0.0.0.0:* 147835/systemd-reso
udp 0 0 0.0.0.0:67 0.0.0.0:* 148021/dnsmasq
I am not really sure what to do, I have tried disabling `ufw` as well in case it was a firewall issue. Still no luck. I have also tried setting the `ipv4.addresses` and `ipv4.dns` manually in `nmcli` instead of shared. Still nothing. Please let me know what I'm missing here. Been at this all day.
JohnSnow (111 rep) • Mar 16, 2021, 05:43 PM • Last activity: May 5, 2025, 09:01 AM
2 votes • 2 answers • 2797 views
LXC ip allocation using DHCP
I'm trying to set up DHCP for my lxcontainers without using lxc-net. The reason for this decision is that I'd like to place my containers in different networks, such that they are unable to talk to each other by default. I have successfully created and run containers using static IPs assigned within the containers' config file before, but I'd like to use a DHCP server on the host this time.
I've installed dnsmasq on my host and configured it like this:
# /etc/dnsmasq.d/dnsmasq.lxcbr.conf
domain=local.lxc,10.10.10.0/24
interface=lxcbr
dhcp-range=lxcbr,10.10.10.1,10.10.10.200,24h
dhcp-option=option:router,10.10.10.254
According to this the file is being loaded correctly:
root@host:~# service dnsmasq status
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled)
[...]
Feb 03 19:06:39 host dnsmasq: dnsmasq: syntax check OK.
Feb 03 19:06:39 host dnsmasq: started, version 2.72 cachesize 150
Feb 03 19:06:39 host dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect
Feb 03 19:06:39 host dnsmasq-dhcp: DHCP, IP range 10.10.10.1 -- 10.10.10.200, lease time 1d
Feb 03 19:06:39 host dnsmasq: reading /etc/resolv.conf
Feb 03 19:06:39 host dnsmasq: using nameserver upstream.nameserver.ip.here#53
Feb 03 19:06:39 host dnsmasq: using nameserver upstream.nameserver.ip.here#53
Feb 03 19:06:39 host dnsmasq: read /etc/hosts - 5 addresses
lxcbr is the host's interface in the container's network:
root@host:~# ifconfig
[...]
lxcbrBind Link encap:Ethernet HWaddr fe:60:7a:cc:56:64
inet addr:10.10.10.254 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: fe80::7a:56ff:fe82:921f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:92 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5688 (5.5 KiB) TX bytes:928 (928.0 B)
veth0 Link encap:Ethernet HWaddr fe:60:7a:cc:56:64
inet6 addr: fe80::fc60:7aff:fecc:5664/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:648 (648.0 B) TX bytes:648 (648.0 B)
veth0 is the container's veth interface:
# /var/lib/lxc/container
lxc.network.type = veth
lxc.network.name = veth0
lxc.network.flags = up
lxc.network.link = lxcbr
lxc.network.veth.pair = veth0
I assume I'm doing something very stupid but I've run out of ideas at this point.
I appreciate your help,
Christopher
Cyclonit (161 rep) • Feb 3, 2016, 06:20 PM • Last activity: May 3, 2025, 04:02 PM
1 vote • 1 answer • 3602 views
hostapd disables and enables interface
My hostapd, after some minutes of execution, it does this:
wlan1: INTERFACE-DISABLED
wlan1: INTERFACE-ENABLED
then, connected clients lose connection and, if I try reconnecting, it won't connect anymore. I also tried with WPA2, but if reconnecting it says wrong password.
My hostapd.conf:
interface=wlan1
driver=nl80211
ssid=the-bash-guy
hw_mode=g
channel=6
macaddr_acl=0
ignore_broadcast_ssid=0
ieee80211n=1
wme_enabled=1
My dnsmasq.conf:
interface=wlan1
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
server=8.8.4.4
log-queries
log-dhcp
listen-address=127.0.0.1
Before starting hostapd, I did these (.sh file):
echo "BEFORE MONITOR MODE\n\n"
iwconfig wlan1
ifconfig wlan1 down
iwconfig wlan1 mode monitor
ifconfig wlan1 up
echo "AFTER MONITOR MODE\n\n"
iwconfig wlan1
echo "\n\nSTART HOSTAPD!\n\n"
ifconfig wlan1 192.168.1.1 netmask 255.255.255.0
hostapd ./hostapd.conf
then:
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface wlan1 -j ACCEPT
dnsmasq -C dnsmasq.conf -d
(wlan0 is Intel Wi-Fi AX200)
(wlan1 is RTL8812BU with the following driver: https://github.com/morrownr/88x2bu-20210702)
OS: 5.16.0-kali7-amd64
DoggoPlayer (11 rep) • Apr 22, 2022, 09:09 AM • Last activity: Apr 29, 2025, 10:06 PM
0 votes • 1 answer • 67 views
Querying domains against Spamhaus DBL
I am struggling for a few weeks to be able to query domains against spamhaus' DBL.
I am capturing a list of newly registered domains, and looking to see if any of these domains have been flagged by spamhaus DBL block list.
I am using the command `dig dbltest.com.dbl.spamhaus.org` which should return a response:
;; ANSWER SECTION:
dbltest.com.dbl.spamhaus.org. 60 IN A 127.0.1.2
to confirm that it has been flagged as phishing but instead I just receive an error: `communications error to 127.0.0.1#53: timed out`.
I have set up a new Ubuntu server and have also installed unbound and DNSMasq to see if using these would resolve the issues but to no avail.
Has anyone been able to query against Spamhaus DBL?
Raterax (1 rep) • Mar 21, 2025, 09:58 PM • Last activity: Mar 22, 2025, 12:03 PM
0 votes • 0 answers • 27 views
Configure bind9 to use Dnsmasq for local LAN names
I have a dnsmasq server (10.0.0.1) with knowledge of hostnames and IP addresses for a couple of local networks, say a Guest Wireless and Wired Networks.
I also have a bind9 DNS running on a separate server (192.168.1.1), which is the authoritative DNS for the LAN.
I'd like forward queries asked to the bind9 server to be resolved by the dnsmasq server. It would be acceptable if all the queries should share a common top-level domain, e.g. `myhostname.lan`, or `myhostname.arpa`, etc.
What I have tried:
I set up a "lan" zone with "masters" set to the dnsmasq server, similar to the setup in this article
```
zone "lan" {
    type slave;
    masters { 10.0.0.225; };
};
```
However, this fails in a way similar to what is described in this forum question
```
==> /var/log/named/general.log /var/log/named/xfer-in.log <==
12-Mar-2025 21:26:06.894 zone lan/IN: Transfer started.
12-Mar-2025 21:26:06.898 transfer of 'lan/IN' from 10.0.0.1#53: failed to connect: connection refused
12-Mar-2025 21:26:06.898 transfer of 'lan/IN' from 10.0.0.1#53: Transfer status: connection refused
12-Mar-2025 21:26:06.898 transfer of 'lan/IN' from 10.0.0.1#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.003 secs (0 bytes/sec) (serial 0)
```
I've also tried to simply set up `10.0.0.1` as a forwarder in the bind9 configuration:
...
forwarders {
10.0.0.1;
};
...
But I get bind9 errors of the form:
12-Mar-2025 21:13:45.884 zone lan/IN: refresh: unexpected rcode (REFUSED) from primary 10.0.0.1#53 (source 0.0.0.0#0)
I also tried simply adding 10.0.0.1 as a resolver in /etc/resolv.conf, but I still see those unexpected rcode errors.
How can I set up bind9 to use my dnsmasq server at 10.0.0.1 to resolve DNS queries?
ealfonso (993 rep) • Mar 13, 2025, 01:45 AM • Last activity: Mar 13, 2025, 03:02 PM
0 votes • 1 answer • 153 views
Captive Portal w/ nginx, hostapd, nftables, dnsmasq
I'm trying to make captive portal with nginx, hostapd, nftables, dnsmasq and python-flask.
I have two main problems
1) I'm not getting a popup on Android, but am on iPhone/OSX.
2) I'm not sure how to redirect the user after the connection. I have a nftables command, but I need an IP address for this. Since nginx is forwarding from port 80 to 8080 (python app) I don't know how to get this.
Here's the nginx.conf
```
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        if ($request_method !~ ^(GET|HEAD|POST)$) { return 444; }
        # Handle iOS
        if ($http_user_agent ~* (CaptiveNetworkSupport) ) {
            return 302 http://go.portal;
        }
        # Handle Android captive portal detection
        location = /generate_204 {
            return 302 http://go.portal;
        }
        location = /gen_204 {
            return 302 http://go.portal;
        }
        # Default redirect for any unexpected requests to trigger captive portal
        # sign in screen on device.
        location / {
            return 302 http://go.portal;
        }
    }
    server {
        listen 80;
        listen [::]:80;
        server_name go.portal;
        # Only allow GET, HEAD, POST
        if ($request_method !~ ^(GET|HEAD|POST)$) { return 444; }
        root /var/www;
        index index.html;
        location /api/ {
            proxy_pass http://127.0.0.1:8080/api/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
        location / {
            try_files $uri $uri/ =404;
        }
        # Redirect these errors to the home page.
        error_page 401 403 404 =200 /index.html;
    }
}
```
dnsmasq.conf
listen-address=192.168.2.1
no-hosts
# log-queries
log-facility=/var/log/dnsmasq.log
dhcp-range=192.168.2.2,192.168.2.254,72h
dhcp-option=option:router,192.168.2.1
dhcp-authoritative
dhcp-option=114,http://go.portal/index.html
# Resolve captive portal check domains to a "fake" external IP
address=/connectivitycheck.gstatic.com/10.45.12.1
address=/connectivitycheck.android.com/10.45.12.1
address=/clients3.google.com/10.45.12.1
address=/clients.l.google.com/10.45.12.1
address=/play.googleapis.com/10.45.12.1
# Resolve everything to the portal's IP address.
address=/#/192.168.2.1
Here's the bash that starts everything.
INET_NIC=$(cat /run/inet_nic 2>/dev/null) || { echo "Connect to WiFi first"; exit 1; }
AP_NIC=$(cat /run/ap_nic 2>/dev/null) || { echo "Create AP first"; exit 1; }
echo 1 > /proc/sys/net/ipv4/ip_forward
nft flush ruleset
# Set up the filter table (Mode 1)
nft add table ip filter
nft add chain ip filter input '{ type filter hook input priority 0; policy accept; }'
nft add chain ip filter forward '{ type filter hook forward priority 0; policy accept; }'
nft add chain ip filter output '{ type filter hook output priority 0; policy accept; }'
# Set up the NAT table and chain for masquerading (Mode 2)
nft add table ip nat
nft add chain ip nat postrouting '{ type nat hook postrouting priority 100; }'
kill -9 $(pidof dnsmasq) 2>/dev/null
dnsmasq -C /etc/dnsmasq.conf -d 2>&1 > $LOG_F &
kill -9 $(pidof nginx) 2>/dev/null
mkdir /var/log/nginx 2>/dev/null
nginx &
kill -9 $(pidof evil_portal) 2>/dev/null
ip link set lo up
/usr/bin/evil_portal &
And here's the command I would issue when the user accepts the terms.
nft add rule ip nat postrouting oifname wlan1 ip saddr 192.168.2.217 masquerade
I won't share the python/html stuff because that's all working fine. Basically I'm getting the users button push, and my python function is calling. But python is telling me the IP is 127.0.0.1 because nginx is forwarding the traffic from port 80 to 8080
Thanks :)
user3666672 (11 rep) • Mar 5, 2025, 07:45 PM • Last activity: Mar 6, 2025, 01:02 AM
0 votes • 1 answer • 87 views
My local DNS server doesn't resolve
I have a laptop that I'm working on, a FreshTomato-based router, and a Raspberry Pi running NixOS, on which I have installed [Blocky](https://0xerr0r.github.io/blocky/) to try to use it as my DNS server.
However, requests from my laptop don't resolve:
This also is from my laptop:
Setting the DNS server to that IP address:
I thought that would have been sufficient, but I also had to add this dnsmasq configuration for my laptop to actually pick up the DNS server:
Anyone have any idea what could be wrong? Thanks in advance!
$ curl https://0xerr0r.github.io/blocky
curl: (6) Could not resolve host: 0xerr0r.github.io
Requests in Firefox don't ever seem to complete.
That is from my laptop, which has picked up the correct IP for the DNS server, as far as I can see:

$ dig @192.168.1.4 https://0xerr0r.github.io
;; communications error to 192.168.1.4#53: timed out
;; communications error to 192.168.1.4#53: timed out
;; communications error to 192.168.1.4#53: timed out
; > DiG 9.18.30 > @192.168.1.4 https://0xerr0r.github.io
; (1 server found)
;; global options: +cmd
;; no servers could be reached
However, running the same from the Pi itself (through SSH):
$ nix-shell --packages dig --run "dig @192.168.1.4 https://0xerr0r.github.io "
; > DiG 9.18.28 > @192.168.1.4 https://0xerr0r.github.io
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31507
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;https://0xerr0r.github.io . IN A
;; ANSWER SECTION:
https://0xerr0r.github.io . 3600 IN A 185.199.109.153
https://0xerr0r.github.io . 3600 IN A 185.199.108.153
https://0xerr0r.github.io . 3600 IN A 185.199.111.153
https://0xerr0r.github.io . 3600 IN A 185.199.110.153
;; Query time: 335 msec
;; SERVER: 192.168.1.4#53(192.168.1.4) (UDP)
;; WHEN: Sun Feb 16 13:44:31 CET 2025
;; MSG SIZE rcvd: 118
These are my Blocky settings:
```
settings = {
  ports.dns = 53; # Port for incoming DNS Queries.
  ports.http = 4000;
  upstreams.groups.default = [
    "https://one.one.one.one/dns-query" # Using Cloudflare's DNS over HTTPS server for resolving queries.
  ];
  # For initially solving DoH/DoT Requests when no system Resolver is available.
  bootstrapDns = {
    upstream = "https://one.one.one.one/dns-query";
    ips = [ "1.1.1.1" "1.0.0.1" ];
  };
  #Enable Blocking of certain domains.
  blocking = {
    denylists = {
      #Adblocking
      ads = ["https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"];
      #Another filter for blocking adult sites
      adult = ["https://blocklistproject.github.io/Lists/porn.txt"];
      #You can add additional categories
    };
    #Configure what block categories are used
    clientGroupsBlock = {
      default = [ "ads" ];
      kids-ipad = ["ads" "adult"];
    };
  };
};
```
It also appears to be running fine:
$ blocky blocking status
[2025-02-16 13:55:27] INFO blocking enabled
Some potentially relevant settings from my router follow.



Vincent (365 rep) • Feb 16, 2025, 01:27 PM • Last activity: Feb 16, 2025, 05:23 PM
0 votes • 0 answers • 77 views
pxeboot with dnsmasq as dhcp proxy for rockylinux
First, I installed apache & started its service
yum install httpd && systemctl enable httpd --now
then I mounted dvd iso & copied its content to apache dir
mount -o ro ~/Downloads/rockylinux9.iso /mnt/iso
cp -rv /mnt/iso/* /var/www/html/install-media/
and copied kickstart file under
cp ~/kickstart-rockylinux9.cfg /var/www/html/install-media/kickstart/
then I installed tftp-server & syslinux & started tftp-server
yum install tftp-server syslinux
then I created these dirs & copied kernel files to below path
mkdir -p /var/lib/tftpboot/{images,pxelinux.cfg}
cp /var/www/html/install-media/images/pxeboot/{vmlinuz,initrd.img} /var/lib/tftpboot/images/
then I copied menu files from syslinux dir
cp /usr/share/syslinux/{menu.c32,pxelinux.0} /var/lib/tftpboot/
finally created menu file /var/lib/tftpboot/pxelinux.cfg/default with below content
default menu.c32
prompt 0
timeout 300
ontimeout 2
menu title PXE Boot Menu
label 1
menu label ^1 - Install Rocky Linux 9
kernel images/vmlinuz
append initrd=images/initrd.img showopts method=http://192.168.1.254/install-media/ devfs=nomount ks=http://192.168.1.254/install-media/kickstart/kickstart-rockylinux9.cfg
Now the critical part is dnsmasq.conf, as my physical host is on a bridged network with KVM installed on it, so dnsmasq is supposed to proxy DHCP requests to my router.
# cat /etc/dnsmasq.con
# Enable proxy DHCP for PXE
port=0
dhcp-range=192.168.1.0,proxy
# Specify PXE options
dhcp-boot=pxelinux.0,,192.168.1.254
enable-tftp
tftp-root=/var/lib/tftpboot
Here's my kickstart file
# Generated by Anaconda 34.25.5.9
# Generated by pykickstart v3.32
#version=RHEL9
# Use graphical install
graphical
# Remove CDROM installation media line
# cdrom
# Specify the HTTP repository
repo --name="AppStream" --baseurl=http://192.168.1.254/install-media/
%addon com_redhat_kdump --disable
%end
# Keyboard layouts
keyboard --xlayouts='us'
# System language
lang en_US.UTF-8
# Network information
network --bootproto=dhcp --device=enp1s0 --noipv6 --activate
network --hostname=ks-sample2
# Packages to install
%packages
@^minimal-environment
%end
# Firstboot configuration
firstboot --enable
# Disk and partition configuration
ignoredisk --only-use=vda
clearpart --none --initlabel
part /boot --fstype="xfs" --ondisk=vda --size=1024
part pv.50 --fstype="lvmpv" --ondisk=vda --size=70655
volgroup rl --pesize=4096 pv.50
logvol swap --fstype="swap" --size=7167 --name=swap --vgname=rl
logvol / --fstype="xfs" --size=63484 --name=root --vgname=rl
I am unable to boot: after getting IP info properly from DHCP, it says "No boot devices found".

Sollosa
(1993 rep)
Jan 21, 2025, 07:42 AM
10
votes
5
answers
12955
views
DNSMASQ refuses to start with "unknown interface error" even though the interface is up
A bizarre problem that I haven't found anywhere else on the internet, hinting it's probably me f'ing something up, but what?
Trying to start `dnsmasq.service`, no matter if on boot or from user session when all network services are available and working, fails with `unknown interface enp2s0` error... except the entire rest of the system claims it's up.
andrzej@andrzej-PC ~ $ sudo systemctl start dnsmasq
Job for dnsmasq.service failed because the control process exited with
error code. See "systemctl status dnsmasq.service" and "journalctl -xe" for details.
andrzej@andrzej-PC ~ $ systemctl status dnsmasq
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
Loaded: loaded (/lib/systemd/system/dnsmasq.service; disabled; vendor preset:
Drop-In: /run/systemd/generator/dnsmasq.service.d
└─50-dnsmasq-$named.conf, 50-insserv.conf-$named.conf
Active: failed (Result: exit-code) since Mon 2017-07-10 02:09:41 CEST; 3s ago
Process: 5551 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=
Process: 5548 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUC
Jul 10 02:09:41 andrzej-PC systemd: Starting dnsmasq - A lightweight DHCP and
Jul 10 02:09:41 andrzej-PC dnsmasq: dnsmasq: syntax check OK.
Jul 10 02:09:41 andrzej-PC dnsmasq: dnsmasq: unknown interface enp2s0
Jul 10 02:09:41 andrzej-PC systemd: dnsmasq.service: Control process exited,
Jul 10 02:09:41 andrzej-PC systemd: Failed to start dnsmasq - A lightweight D
Jul 10 02:09:41 andrzej-PC systemd: dnsmasq.service: Unit entered failed stat
Jul 10 02:09:41 andrzej-PC systemd: dnsmasq.service: Failed with result 'exit
Right, except:
andrzej@andrzej-PC ~ $ ifconfig
enp2s0 Link encap:Ethernet HWaddr /*correct address*/
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:921 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:147421 (147.4 KB)
and same for `ip addr`:
2: enp2s0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether /*same*/ brd ff:ff:ff:ff:ff:ff
and finally:
andrzej@andrzej-PC ~ $ cat /sys/class/net/enp2s0/operstate
up
What? Oh, and my config file looks like this:
port=0
interface=enp2s0
dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-boot=/install/netboot/pxelinux.0
dhcp-option-force=209,install/netboot/pxelinux.cfg
dhcp-option-force=210,/
dhcp-option-force=66,192.168.0.1
enable-tftp
tftp-root=/mnt
Deuxis
(343 rep)
Jul 10, 2017, 01:06 AM
• Last activity: Jan 6, 2025, 06:06 AM
367
votes
18
answers
1172095
views
How do I set my DNS when resolv.conf is being overwritten?
Most of the info I see online says to edit `/etc/resolv.conf`, but any changes I make there just get overridden.
$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND --
# YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
It seems that 127.0.1.1 is a local instance of `dnsmasq`. The `dnsmasq` docs say to edit `/etc/resolv.conf`. I tried putting custom nameservers in `/etc/resolv.conf.d/base`, but the changes didn't show up in `/etc/resolv.conf` after running `sudo resolvconf -u`.
FYI, I don't want to change DNS on a per-connection basis, I want to set default DNS settings to use for all connections when not otherwise specified.
***UPDATE:***
I answered this question myself:
https://unix.stackexchange.com/a/163506/67024
I think it's the best solution since:
1. It works.
2. It requires the least amount of changes and
3. It still works in conjunction with dnsmasq's DNS cache, rather than bypassing it.
Seán Hayes
(4571 rep)
May 7, 2014, 01:31 AM
• Last activity: Dec 27, 2024, 10:59 PM
0
votes
0
answers
525
views
REFUSED when nslookup-ing domain
I use dnsmasq with "hosts" as a domains table provider. When I am trying to nslookup mole.mishland, it throws that:
nslookup mole.mishland
Server: 192.168.0.34
Address: 192.168.0.34#53
Name: mole.mishland
Address: 192.168.0.34
** server can't find mole.mishland: REFUSED
But I can successfully dig, ping this domain and telnet 53 port:
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> mole.mishland
;; global options: +cmd
;; Got answer:
;; ->>HEADERname queries for 192.168.3/24 to nameserver 10.1.2.3
#server=/3.168.192.in-addr.arpa/10.1.2.3
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/
# Add domains which you want to force to an IP address here.
# The example below send any host in double-click.net to a local
# web-server.
#address=/mole.mishland/192.168.0.34
# --address (and --server) work with IPv6 addresses too.
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
# Add the IPs of all queries to yahoo.com, google.com, and their
# subdomains to the vpn and search ipsets:
#ipset=/yahoo.com/google.com/vpn,search
# Add the IPs of all queries to yahoo.com, google.com, and their
# subdomains to netfilters sets, which is equivalent to
# 'nft add element ip test vpn { ... }; nft add element ip test search { ... }'
#nftset=/yahoo.com/google.com/ip#test#vpn,ip#test#search
# Use netfilters sets for both IPv4 and IPv6:
# This adds all addresses in *.yahoo.com to vpn4 and vpn6 for IPv4 and IPv6 addresses.
#nftset=/yahoo.com/4#ip#test#vpn4
#nftset=/yahoo.com/6#ip#test#vpn6
# You can control how dnsmasq talks to a server: this forces
# queries to 10.1.2.3 to be routed via eth1
# server=10.1.2.3@eth1
# and this sets the source (ie local) address used to talk to
# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
# IP on the machine, obviously).
# server=10.1.2.3@192.168.1.1#55
# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
#user=
#group=
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=enp5s0
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
listen-address=192.168.0.34, 127.0.0.1
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
#no-dhcp-interface=
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
bind-interfaces
# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
#addn-hosts=/etc/banner_add_hosts
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
#expand-hosts
# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
domain=mishland
# Set a different domain for a particular subnet
#domain=wireless.thekelleys.org.uk,192.168.2.0/24
# Same idea, but range rather then subnet
#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
#dhcp-range=192.168.0.50,192.168.0.150,12h
# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
# This is an example of a DHCP range which sets a tag, so that
# some DHCP options may be set only for this network.
#dhcp-range=set:red,192.168.0.50,192.168.0.150
# Use this DHCP range only when the tag "green" is set.
#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
# Specify a subnet which can't be used for dynamic address allocation,
# is available for hosts with matching --dhcp-host lines. Note that
# dhcp-host declarations will be ignored unless there is a dhcp-range
# of some type for the subnet in question.
# In this case the netmask is implied (it comes from the network
# configuration on the machine running dnsmasq) it is possible to give
# an explicit netmask instead.
#dhcp-range=192.168.0.0,static
# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing/
#dhcp-range=1234::2, 1234::500, 64, 12h
# Do Router Advertisements, BUT NOT DHCP for this subnet.
#dhcp-range=1234::, ra-only
# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
# hosts. Use the DHCPv4 lease to derive the name, network segment and
# MAC address and assume that the host will also have an
# IPv6 address calculated using the SLAAC algorithm.
#dhcp-range=1234::, ra-names
# Do Router Advertisements, BUT NOT DHCP for this subnet.
# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
#dhcp-range=1234::, ra-only, 48h
# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
# so that clients can use SLAAC addresses as well as DHCP ones.
#dhcp-range=1234::2, 1234::500, slaac
# Do Router Advertisements and stateless DHCP for this subnet. Clients will
# not get addresses from DHCP, but they will get other configuration information.
# They will use SLAAC for addresses.
#dhcp-range=1234::, ra-stateless
# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
# from DHCPv4 leases.
#dhcp-range=1234::, ra-stateless, ra-names
# Do router advertisements for all subnets where we're doing DHCPv6
# Unless overridden by ra-stateless, ra-names, et al, the router
# advertisements will have the M and O bits set, so that the clients
# get addresses and configuration from DHCPv6, and the A bit reset, so the
# clients don't use SLAAC addresses.
#enable-ra
# Supply parameters for specified hosts using DHCP. There are lots
# of valid alternatives, so we will give examples of each. Note that
# IP addresses DO NOT have to be in the range given above, they just
# need to be on the same network. The order of the parameters in these
# do not matter, it's permissible to give name, address and MAC in any
# order.
# Always allocate the host with Ethernet address 11:22:33:44:55:66
# The IP address 192.168.0.60
#dhcp-host=11:22:33:44:55:66,192.168.0.60
# Always set the name of the host with hardware address
# 11:22:33:44:55:66 to be "fred"
#dhcp-host=11:22:33:44:55:66,fred
# Always give the host with Ethernet address 11:22:33:44:55:66
# the name fred and IP address 192.168.0.60 and lease time 45 minutes
#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
# Give a host with Ethernet address 11:22:33:44:55:66 or
# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
# that these two Ethernet interfaces will never be in use at the same
# time, and give the IP address to the second, even if it is already
# in use by the first. Useful for laptops with wired and wireless
# addresses.
#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
# Give the machine which says its name is "bert" IP address
# 192.168.0.70 and an infinite lease
#dhcp-host=bert,192.168.0.70,infinite
# Always give the host with client identifier 01:02:02:04
# the IP address 192.168.0.60
#dhcp-host=id:01:02:02:04,192.168.0.60
# Always give the InfiniBand interface with hardware address
# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
# ip address 192.168.0.61. The client id is derived from the prefix
# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
# hex digits of the hardware address.
#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61
# Always give the host with client identifier "marjorie"
# the IP address 192.168.0.60
#dhcp-host=id:marjorie,192.168.0.60
# Enable the address given for "judge" in /etc/hosts
# to be given to a machine presenting the name "judge" when
# it asks for a DHCP lease.
#dhcp-host=judge
# Never offer DHCP service to a machine whose Ethernet
# address is 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,ignore
# Ignore any client-id presented by the machine with Ethernet
# address 11:22:33:44:55:66. This is useful to prevent a machine
# being treated differently when running under different OS's or
# between PXE boot and OS boot.
#dhcp-host=11:22:33:44:55:66,id:*
# Send extra options which are tagged as "red" to
# the machine with Ethernet address 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,set:red
# Send extra options which are tagged as "red" to
# any machine with Ethernet address starting 11:22:33:
#dhcp-host=11:22:33:*:*:*,set:red
# Give a fixed IPv6 address and name to client with
# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
# Note also that the [] around the IPv6 address are obligatory.
#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
# Ignore any clients which are not specified in dhcp-host lines
# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
# This relies on the special "known" tag which is set when
# a host is matched.
#dhcp-ignore=tag:!known
# Send extra options which are tagged as "red" to any machine whose
# DHCP vendorclass string includes the substring "Linux"
#dhcp-vendorclass=set:red,Linux
# Send extra options which are tagged as "red" to any machine one
# of whose DHCP userclass strings includes the substring "accounts"
#dhcp-userclass=set:red,accounts
# Send extra options which are tagged as "red" to any machine whose
# MAC address matches the pattern.
#dhcp-mac=set:red,00:60:8C:*:*:*
# If this line is uncommented, dnsmasq will read /etc/ethers and act
# on the ethernet-address/IP pairs found there just as if they had
# been given as --dhcp-host options. Useful if you keep
# MAC-address/host mappings there for other purposes.
#read-ethers
# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
# option with a DHCPACK including a Rapid Commit option and fully committed address
# and configuration information. This must only be enabled if either the server is
# the only server for the subnet, or multiple servers are present and they each
# commit a binding for all clients.
#dhcp-rapid-commit
# Run an executable when a DHCP lease is created or destroyed.
# The arguments sent to the script are "add" or "del",
# then the MAC address, the IP address and finally the hostname
# if there is one.
#dhcp-script=/bin/echo
# Set the cachesize here.
#cache-size=150
# If you want to disable negative caching, uncomment this.
#no-negcache
# Normally responses which come from /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale date, you can set a time-to-live (in
# seconds) here.
#local-ttl=
# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11
# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8
# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0
# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
# Change these lines if you want dnsmasq to serve MX records.
# Return an MX record named "maildomain.com" with target
# servermachine.com and preference 50
mx-host=mole.mishland,mole.mishland
# Set the default target for MX records created using the localmx option.
#mx-target=servermachine.com
# Return an MX record pointing to the mx-target for all local
# machines.
#localmx
# Return an MX record pointing to itself for all local machines.
#selfmx
# Change the following lines if you want dnsmasq to serve SRV
# records. These are useful if you want to serve ldap requests for
# Active Directory and other windows-originated DNS requests.
# See RFC 2782.
# You may add multiple srv-host lines.
# The fields are ,,,,
# If the domain part if missing from the name (so that is just has the
# service and protocol sections) then the domain given by the domain=
# config option is used. (Note that expand-hosts does not need to be
# set for this to work.)
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389 (using domain=)
#domain=example.com
#srv-host=_ldap._tcp,ldapserver.example.com,389
# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com
# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for PTR records.)
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for TXT records.)
#Example SPF.
#txt-record=example.com,"v=spf1 a -all"
#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4
# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
#cname=bertrand,bert
# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries
# Log lots of extra information about DHCP transactions.
#log-dhcp
# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
#conf-dir=/etc/dnsmasq.d
# Include all the files in a directory except those ending in .bak
#conf-dir=/etc/dnsmasq.d,.bak
# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/,*.conf
# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
#dhcp-name-match=set:wpad-ignore,wpad
#dhcp-ignore-names=tag:wpad-ignore
My "hosts" file:
127.0.0.1 localhost
127.0.1.1 Torial-Server
192.168.0.34 mole.mishland
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.0.34 mole.mishland
192.168.0.34 mole.mishland
My resolv.conf file:
nameserver 192.168.0.34
nameserver 8.8.8.8
medkinson
(1 rep)
Nov 16, 2024, 07:19 AM
0
votes
1
answers
1007
views
NixOS + docker nginx + dnsmasq for local somethingsomething.dev domains
I have been configuring NixOS as a dev machine lately (and so far I really love it). I was planning on using an nginx image as a reverse proxy to route all *.dev requests to running docker images. This works for requests to localhost already, as I can reach apps of started containers when they're connected to the same network.
Now for resolving *.dev requests I added a dnsmasq configuration to my nixos config:
services.dnsmasq = {
enable = true;
resolveLocalQueries = true;
servers = [
''/.dev/127.0.0.1''
''8.8.8.8''
''8.8.4.4''
];
};
When rebuilding, I get the output `starting the following units: dnsmasq.service`, but when I try to reach my .dev URIs, I still only get `DNS_PROBE_FINISHED_NXDOMAIN`. What could be the issue here?
Kana
(161 rep)
Dec 31, 2018, 05:30 PM
• Last activity: Nov 5, 2024, 01:58 PM
1
votes
0
answers
132
views
IPv6 only hotspot using hostapd and dnsmasq
To test the IPv6 capability of our end devices, I need to set up a hotspot on a Raspberry Pi that only provides IPv6 addresses.
I followed this guide: https://partiallydisassembled.net/posts/pi-nat64.html
I verified that I have an IPv6 address on my wlan0 interface:
wlan0: flags=4163 mtu 1500
inet6 fe80::da3a:ddff:fe91:634 prefixlen 64 scopeid 0x20
inet6 fec0::1 prefixlen 64 scopeid 0x40
ether d8:3a:dd:91:06:34 txqueuelen 1000 (Ethernet)
RX packets 17 bytes 2780 (2.7 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 42 bytes 6004 (6.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
And hostapd is set up correctly and running. I try to connect with my phone to the access point and I get a message that no connection is possible.
If I check the debug output of dnsmasq, I see that my phone sends a RTR-SOLICIT message and the router sends RTR-ADVERTs, but then nothing happens.
-dhcp: RTR-ADVERT(wlan0) fec0::
dnsmasq-dhcp: RTR-ADVERT(wlan0) fec0::
dnsmasq-dhcp: RTR-SOLICIT(wlan0) 48:bc:e1:fb:2a:ba
dnsmasq-dhcp: RTR-ADVERT(wlan0) fec0::
dnsmasq-dhcp: RTR-ADVERT(wlan0) fec0::
dnsmasq-dhcp: RTR-ADVERT(wlan0) fec0::
If I switch everything to IPv4, everything works fine, so I think the issue is with the dnsmasq configuration. My configuration file looks like this:
interface=wlan0
bind-interfaces
domain-needed
bogus-priv
server=2001:4860:4860::6464
local=/pi64/
domain=pi64
dhcp-fqdn
enable-ra
dhcp-range=::,constructor:wlan0,slaac
dhcp-option=option6:dns-server,2001:4860:4860::6464
dhcp-authoritative
Dominic
(13 rep)
Oct 9, 2024, 11:23 AM
2
votes
1
answers
3960
views
How to make dnsmasq work on Alpine (docker)?
On Debian-based Linux, dnsmasq works by replacing the `nameservers` in `/etc/resolv.conf` with `127.0.0.1` (referring to "Linux for Wireless Engineers: How to Do DNS Caching with dnsmasq").
But I find that on Alpine (and Alpine-based docker) it does not work that way. When dnsmasq starts, `/etc/resolv.conf` remains the same. So if I just start dnsmasq it makes no difference in terms of DNS resolving. I wrote a script to start dnsmasq and it feels awkward.
cp /etc/resolv.conf /etc/resolv.dnsmasq
sed -i 's/^nameserver.*/nameserver 127.0.0.1/' /etc/resolv.conf
dnsmasq -r /etc/resolv.dnsmasq
So is there a better ("proper") way to make dnsmasq work on Alpine?
Qiulang 邱朗
(261 rep)
Nov 19, 2021, 06:13 AM
• Last activity: Sep 11, 2024, 07:15 PM
2
votes
1
answers
641
views
Configuring dnsmasq so I can use short host names
I have set up `dnsmasq` on my local network that consists of Linux/macOS computers. I have added a line like this in my `/etc/dnsmasq.d/home.lan` file:
dhcp-host=dc:cd:2f:bf:44:12,printer,192.168.0.3
I was hoping/expecting that would mean I can use a command like:
ping printer
from all the machines on my network, but it cannot resolve it. I know that `dnsmasq` is working to some extent because the printer requests an IP address when it starts up and configures itself to the correct IP address above.
I want to keep all DNS/DHCP configuration in `/etc/dnsmasq.d/home.lan` as far as possible, rather than editing `/etc/hosts` or anything else, either on the DNS server or any clients.
I researched and found this so I also tried adding:
host-record=printer,192.168.0.3
but that didn't help either.
---
Here is my config file, running on latest Raspberry Pi OS with the latest `dnsmasq`:
# General configuration
domain-needed
bogus-priv
no-resolv
no-hosts
server=8.8.8.8
server=1.1.1.1
dhcp-range=192.168.0.3,192.168.0.200,4h
dhcp-authoritative
# Set default gateway and DNS server for DHCP clients
dhcp-option=option:router,192.168.0.1
dhcp-option=option:dns-server,192.168.0.2
# Logging
log-facility=/var/log/dnsmasq.log
log-queries
# Reserved IPs
dhcp-host=c8:7f:5f:df:0f:08,router,192.168.0.1
dhcp-host=dc:ab:3f:bf:bb:ab,dnsserver,192.168.0.2
dhcp-host=dc:cd:2f:bf:44:12,printer,192.168.0.3
---
As requested in the comments, if I try this:
dig printer @192.168.0.2
I get:
; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> printer @192.168.0.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18880
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;printer. IN A
;; Query time: 0 msec
;; SERVER: 192.168.0.2#53(192.168.0.2) (UDP)
;; WHEN: Tue Aug 20 13:25:32 BST 2024
;; MSG SIZE rcvd: 36
In the log at `/var/log/dnsmasq.log`, I see:
query [A] printer from 192.168.0.2
config printer is NXDOMAIN
---
Note that my router is at 192.168.0.1 and the machine running `dnsmasq` is at 192.168.0.2
Sophie Bertillon
(83 rep)
Aug 20, 2024, 10:53 AM
• Last activity: Aug 24, 2024, 05:26 PM