[dnsmasq] Make additional dnsmasq options available in GUI #8440

Closed
2 tasks done
gspannu opened this issue Mar 14, 2025 · 4 comments · Fixed by #8447
gspannu commented Mar 14, 2025

Is your feature request related to a problem? Please describe.
Earlier issue reported here: #8416

Describe the solution you like

Make the following 2 dnsmasq options available in the GUI under OPNsense > dnsmasq

These are options available in dnsmasq and explained in manpages here.

  1. --add-mac=
    From the dnsmasq manpage:
    --add-mac[=base64|text]
    Add the MAC address of the requestor to DNS queries which are forwarded upstream. This may be used for DNS filtering by the upstream server.

  2. --add-subnet
    From the dnsmasq manpage:
    --add-subnet[[=[/]][,[/]]]
    Add a subnet address to the DNS queries which are forwarded upstream. If an address is specified in the flag, it will be used; otherwise, the address of the requestor will be used. The amount of the address forwarded depends on the prefix length parameter: 32 (128 for IPv6) forwards the whole address, zero forwards none of it but still marks the request so that no upstream nameserver will add client address information either. The default is zero for both IPv4 and IPv6. For example, --add-subnet=32,128 will add the /32 and /128 subnets of the requestor for IPv4 and IPv6, --add-subnet=24,96 will add the /24 and /96 subnets of the requestor for IPv4 and IPv6 requestors, respectively. --add-subnet=1.2.3.4/24 will add 1.2.3.0/24 for IPv4 requestors and ::/0 for IPv6 requestors. --add-subnet=1.2.3.4/24,1.2.3.4/24 will add 1.2.3.0/24 for both IPv4 and IPv6 requestors.

Why are these features required?

  • OPNsense users who run an external ad blocker (e.g. Pi-hole, etc.) require the MAC address/IP address of clients requesting DNS queries to better display statistics and manage ad blocking.
  • Without these directives, all queries forwarded to external servers appear as coming from OPNsense itself (rather than the actual client IP/MAC address).

Way to implement
Dnsmasq settings GUI:
Make 2 additional checkboxes with text boxes (to add optional text):
add-mac, add-subnet


Describe the solution you like

Allow upstream dns servers to be defined with more granularity (e.g. port definitions, etc.)

These are options available in dnsmasq and explained in manpages here.

  1. --server=
    From the dnsmasq manpage:
    --server=[/[]/[domain/]][[#]][@][@[#]]
    Specify upstream servers directly. Setting this flag does not suppress reading of /etc/resolv.conf; use --no-resolv to do that. If one or more optional domains are given, that server is used only for those domains and they are queried only using the specified server. This is intended for private nameservers: if you have a nameserver on your network which deals with names of the form xxx.internal.thekelleys.org.uk at 192.168.1.1, then giving the flag --server=/internal.thekelleys.org.uk/192.168.1.1 will send all queries for internal machines to that nameserver; everything else will go to the servers in /etc/resolv.conf. A non-standard port may be specified as part of the IP address using a # character. More than one --server flag is allowed, with repeated domain or ipaddr parts as required.

Why are these features required?

  • If a DNS server is running on a non-standard port, it cannot be defined currently in dnsmasq (although Unbound supports specifying non-standard ports for upstream DNS servers).
  • e.g. OPNsense setup: dnsmasq running on port 53 and some other DNS server like AdGuard Home/Blocky running on OPNsense itself but on a different port (e.g. 53535). This setup requires that an upstream server be defined with a port number, e.g. 192.168.1.1#53535 or maybe 192.168.99.99#53535.
  • OPNsense users who run such DNS servers at non-standard ports cannot define this in the current implementation.

Way to implement
Two possibilities:
a) Under dnsmasq settings: make available 3/4 additional text boxes that allow specifying a DNS server along with additional parameters, e.g. 192.168.1.1#53035, 1.1.1.1#53, 192.168.99.99#53535
b) Change the existing DNS server settings in System > Settings > General and allow specifying extra parameters (e.g. 1.1.1.1#53, 192.168.1.1#53053, etc…)
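As an added example (not OPNsense's or dnsmasq's own code), a small parser for the --server= value format quoted above, plus a helper that turns the domain/address/port triple a GUI would store into a `server=` line; the interface name igb0 and the port numbers are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class UpstreamServer:
    domains: List[str] = field(default_factory=list)  # empty list: used for all queries
    address: str = ""
    port: int = 53
    interface: Optional[str] = None       # '@<interface>' part
    source: Optional[str] = None          # '@<source-ip>' part
    source_port: Optional[int] = None     # '#<port>' after the source ip

def _host_port(spec: str, default: Optional[int]) -> Tuple[str, Optional[int]]:
    """Split 'addr#port'; a bare 'addr' keeps the default port."""
    host, _, port = spec.partition("#")
    if not port:
        return host, default
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port in {spec!r}")
    return host, int(port)

def parse_server(value: str) -> UpstreamServer:
    """Parse '[/dom1/dom2/]addr[#port][@iface][@source[#port]]' (dnsmasq --server=)."""
    srv = UpstreamServer()
    rest = value.strip()
    if rest.startswith("/"):                    # domain-limited server
        _, *srv.domains, rest = rest.split("/")
    addr_spec, *extras = rest.split("@")
    srv.address, srv.port = _host_port(addr_spec, 53)
    ipaddress.ip_address(srv.address)           # raises ValueError if not an IP literal
    for extra in extras:
        host, port = _host_port(extra, None)
        try:
            ipaddress.ip_address(host)          # parses as an IP: it is the source address
            srv.source, srv.source_port = host, port
        except ValueError:                      # otherwise it names an interface
            srv.interface = host
    return srv

def server_line(domain: str, address: str, port: str = "") -> str:
    """Build a 'server=' line from a GUI-style (domain, address, port) triple;
    '*' or '' as domain means the server is used for all queries (constructed mapping)."""
    spec = f"{address}#{port}" if port else address
    if domain not in ("", "*"):
        spec = f"/{domain}/{spec}"
    parse_server(spec)                          # validate before emitting the config line
    return f"server={spec}"
```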

@AdSchellevis
Member

If a dns server is running on a non-standard port, it cannot be defined currently in dnsmasq (Although Unbound supports specifying non-standard ports for upstream dns servers)

Image

no?


gspannu commented Mar 15, 2025

no?

I did not realise this…

Is this the equivalent of the dnsmasq '--server=' option as described in the manpages?

Also, can multiple entries of domain * be provided?
e.g.

*,  127.0.0.10,  1234
*,  192.168.99.99,  53035
*,  1.1.1.1,
*,  8.8.8.8,  53

If so, then I guess Item (3) above is already implemented?


gspannu commented Mar 17, 2025

Any way of testing this with a patch or any other way?
Many thanks...

@Monviech
Member

I guess you could use it if you update to the latest development edition and then use:

opnsense-patch https://github.com/opnsense/core/commit/d2b78e1639d906edc9df4f4f3d39eee327926b57
