Configuring different DNS servers per interface with DNSMasq

DD-WRT Web Interface on the ASUS RT N66U

In my home I run a small Windows Server 2012 R2 domain with two Active Directory servers: one is the primary and the other replicates it, so the domain survives if the primary ever goes down. Because of this AD setup, the DNS role runs on these servers, while DHCP is left to my ASUS RT N66U router running DD-WRT. I had configured the RT N66U to push the AD servers' addresses to clients as Static DNS entries; however, I also have virtual wireless interfaces that sit on different subnets and are not bridged to the LAN. Pushing the AD servers as DNS to clients connecting through those interfaces would effectively sinkhole their DNS lookups, because they cannot reach the LAN at all, so I needed a way to hand out DNS server addresses based on the interface a client is on. Fortunately, DNSmasq lets you do exactly that.

Different subnets mean you can't set Static DNS entries directly.

If you only had one subnet, you could go to Setup > Network Address Server Settings (DHCP), set the DNS servers as Static DNS entries, uncheck "Use DNSMasq for DNS" and be done with it. The problem is that applying those DNS servers globally to every interface would be a bad idea for my setup. Here's why.

All interfaces in my network:

  • Main LAN/WiFi br0 – 192.168.1.0
  • 2.4 GHz Guest WiFi VAP wl0.1 – 192.168.10.0
  • 5.0 GHz VAP wl1.1 – 192.168.11.0

I have two VAP (Virtual Access Point) interfaces, one on the 2.4 GHz radio and one on the 5.0 GHz radio. Both are on a different subnet from the main LAN and are deliberately left unbridged; the firewall configuration isolates them so they cannot communicate with each other or with the LAN. Because these two virtual access points are isolated from the LAN, they can neither reach nor resolve anything through a server on the 192.168.1.0 subnet, so pushing the AD DNS servers to them globally would break their internet connectivity entirely: every lookup would simply time out. Bad times.

Configure DNS servers per interface with DNSmasq

To configure DNS per interface you first need to know what your interfaces are called; you can find out simply by running ifconfig on the router. In its output, look for the inet addr value that corresponds to each subnet and note the interface name next to it. Interface names vary depending on the router, so don't assume the names used here.

The way to have clients on the normal LAN use the Windows DNS server addresses, while keeping generic DNS lookups working for clients on the virtual interfaces, was a bit of additional DNSmasq configuration using dhcp-option. Using the DNSmasq man page as a guide, I cooked up this solution:

dhcp-option=br0,6,192.168.1.3,192.168.1.2 # LAN/WiFi (br0, wl0 and wl1)
dhcp-option=wl0.1,6,192.168.10.1 # Guest WiFi (wl0.1)
dhcp-option=wl1.1,6,192.168.11.1 # Separate 5Ghz Wireless Network (wl1.1)

Using dhcp-option I could set different DNS servers for each interface. For DNS configuration, the dhcp-option directive takes the following comma-separated parameters:

dhcp-option=[interface],[option number],[dns server],[dns server],...

It's fairly simple when you look at it. The key point is using 6 as the option number, which corresponds to the Domain Name Server option as per RFC 2132. The interface name acts as a tag: DNSmasq automatically tags every DHCP request with the name of the interface it arrived on, so the option is only handed to clients on that interface and nothing else changes for the others.
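A quick sanity check for this kind of configuration, added here as an example and not part of the original post: a POSIX shell function (it runs under bash as well as the busybox sh found on DD-WRT) that parses dhcp-option lines and flags any option 6 server that is not on the subnet of the interface it is pushed to, which is exactly the mistake that would sinkhole the guest VAPs. It assumes every subnet is a /24 and takes the interface-to-network table as input, transcribed by hand from ifconfig; the config lines and table in the block are constructed to match the setup above.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that each
# "dhcp-option=<iface>,6,<dns>,..." line only hands out DNS servers that
# sit on the subnet of that interface. Assumptions: all subnets are /24,
# and the interface -> network table is supplied by hand from ifconfig.

# Print the /24 prefix ("a.b.c") of a dotted-quad IPv4 address.
net24() {
    printf '%s\n' "$1" | cut -d. -f1-3
}

# check_dns_options "<dnsmasq lines>" "<iface network lines>"
# Prints a verdict per server; returns 0 only if every option-6 server is
# on the subnet of its interface (the router's own address included).
check_dns_options() {
    cfg=$1
    table=$2
    rc=0
    while IFS= read -r line; do
        line=${line%%#*}                              # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t')     # drop stray whitespace
        case $line in
            dhcp-option=*) ;;
            *) continue ;;                            # not a dhcp-option line
        esac
        rest=${line#dhcp-option=}
        iface=${rest%%,*}                             # tag = interface name
        rest=${rest#*,}
        opt=${rest%%,*}                               # DHCP option number
        [ "$opt" = 6 ] || continue                    # only check DNS (RFC 2132 option 6)
        servers=$(printf '%s' "${rest#*,}" | tr ',' ' ')
        net=$(printf '%s\n' "$table" | awk -v i="$iface" '$1 == i { print $2 }')
        if [ -z "$net" ]; then
            echo "$iface: UNKNOWN interface, not in ifconfig table"
            rc=1
            continue
        fi
        for s in $servers; do
            if [ "$(net24 "$s")" = "$(net24 "$net")" ]; then
                echo "$iface: OK $s is on $net/24"
            else
                echo "$iface: MISMATCH $s is unreachable from $net/24"
                rc=1
            fi
        done
    done <<EOF
$cfg
EOF
    return $rc
}

# Constructed inputs matching the post's setup (transcribe the table from
# ifconfig on your own router).
IFACE_TABLE='br0 192.168.1.0
wl0.1 192.168.10.0
wl1.1 192.168.11.0'

GOOD_CONFIG='dhcp-option=br0,6,192.168.1.3,192.168.1.2 # LAN/WiFi
dhcp-option=wl0.1,6,192.168.10.1 # Guest WiFi
dhcp-option=wl1.1,6,192.168.11.1 # Separate 5GHz network'

# The global "push the AD servers everywhere" mistake, expressed per interface.
BAD_CONFIG='dhcp-option=wl0.1,6,192.168.1.3,192.168.1.2'

check_dns_options "$GOOD_CONFIG" "$IFACE_TABLE"
check_dns_options "$BAD_CONFIG" "$IFACE_TABLE" || echo "bad config rejected as expected"
```

Run it on a workstation before pasting the lines into the router, or paste the script onto the router itself. For a pure syntax check of what DD-WRT actually generated, dnsmasq --test -C <file> reads and validates a configuration file and exits 0 if it is well formed; on DD-WRT the generated file is normally /tmp/dnsmasq.conf.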

I placed this in the "Additional DNSMasq Options" section, found under Services > DNSmasq. Rather than stopping DNSmasq from handling DNS on the router entirely, this configuration pushes the Active Directory server addresses as DNS to LAN clients, while the virtual interfaces get working DNS that bypasses the AD servers completely.

With this additional configuration, clients on the LAN receive the Windows DNS server addresses via DHCP, while clients on the virtual interfaces use the router itself as their resolver, and the router forwards their queries on to my ISP's DNS servers. The two virtual access point DNS entries, 192.168.10.1 and 192.168.11.1, are simply the router's own addresses on those interfaces, so they work exactly as 192.168.1.1 does for the main LAN. Keep in mind that a DHCP option is only a suggestion to the client: a guest device with a manually configured resolver can still attempt to query 192.168.1.2 or 192.168.1.3 directly, and it is the firewall rules isolating the VAPs, not this DNSmasq configuration, that stop those queries from reaching the LAN.

After this change I rebooted the router so the DNSmasq settings were properly applied, and renewed the lease on the DHCP clients to ensure the correct DNS servers were being pushed through. On a Windows client, ipconfig /all shows which DNS servers the lease delivered, which is a quick way to confirm a LAN client got the AD servers and a guest client got the router.
