Hi,
First of all, I use Dnsmasq + Unbound, as recommended by the docs.
What I do:
In Unbound, I have DNS overrides, including wildcard overrides. They are meant for my trusted LAN network, with those I get forwarded to my LAN reverse proxy and get convenient access to all kinds of services in my network. It works fine.
Example override: *.mydomain.com -> reverse proxy ip
Problem:
Well now if I have a device on the guest network, it of course has firewall rules so it can't access any private networks.
But now if that device tries to access anything on *.mydomain.com, it also hits the DNS override that is meant for my LAN network, and it is of course denied access by the firewall and nothing happens.
Now you might think "where's the problem?", well many of my services under *.mydomain.com also have public dns entries and hit a public-facing reverse proxy of mine. Devices from the guest network should go through the public internet for these, just like any other device from the public internet does.
Overall, I feel like I would like the guest network to just use public dns (like 8.8.8.8 or 1.1.1.1). I don't think I have any need for the guest network to be using the same DNS my trusted LAN stuff does. But at the very least, I just need the guest network to not follow my dns overrides.
Any solutions?
ChatGPT has confidently told me multiple times to "just hand out 8.8.8.8 dns from the DHCP settings to the guest network". That would be very nice indeed, but I can not find from anywhere how this could be done, maybe it could be done for something other than Dnsmasq DHCP, or maybe ChatGPT is just hallucinating hard.
Via Googling I also find something about Unbound "views", which is apparently not supported from the GUI.
I won't even pretend to have understood what they are about, and it seems very advanced. Sure, I'll learn it if it's the only way, but I'd rather have something simpler.
Services > Dnsmasq DNS & DHCP > DHCP options
Add an entry for your guest network interface, pick option #6 (dns-server), specify IP address to your liking.
Quote from: Patrick M. Hausen on September 13, 2025, 06:34:41 PM
Services > Dnsmasq DNS & DHCP > DHCP options
Add an entry for your guest network interface, pick option #6 (dns-server), specify IP address to your liking.
Brilliant, thanks.
Any way to put a fallback DNS this way?
(I just put "8.8.8.8" to the "value" field)
If not, I'm not too worried about that, whatever, how often could a fallback even be needed for Google's DNS.
Just try adding a second IP address - I don't run Dnsmasq, I just quickly looked up where to find that option for you ;-) Check what a client receives with "ipconfig /all" or equivalent.
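For what "a second IP address" means on the wire, here is an added illustration (not code from any poster or from OPNsense): DHCP option 6 is a single option carrying a list of IPv4 addresses in preference order (RFC 2132), so a fallback resolver is simply the next address in the same option. The comma-separated "value" field format is an assumption for the demo; the encoder/decoder below shows what the client actually receives.

```python
import ipaddress
import struct

DHCP_OPT_DNS_SERVER = 6  # RFC 2132 "Domain Name Server" option code


def encode_dns_server_option(servers):
    """Build the raw DHCP option 6 TLV (code, length, addresses) from IPv4 strings.

    Addresses are carried in the order given; per RFC 2132 they are listed in
    order of preference, so the second entry is the client's fallback.
    """
    if not servers:
        raise ValueError("option 6 needs at least one address")
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    if len(payload) > 255:  # one-byte length field caps the list at 63 addresses
        raise ValueError("option payload exceeds 255 bytes")
    return struct.pack("BB", DHCP_OPT_DNS_SERVER, len(payload)) + payload


def decode_dns_server_option(data):
    """Parse an option 6 TLV back into its address list (preference order)."""
    if len(data) < 2 or data[0] != DHCP_OPT_DNS_SERVER:
        raise ValueError("not a DHCP option 6 TLV")
    length = data[1]
    payload = data[2:2 + length]
    # Reject truncated or non-multiple-of-4 payloads instead of guessing.
    if len(payload) != length or length == 0 or length % 4 != 0:
        raise ValueError("malformed option 6 length")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


def parse_value_field(value):
    """Split a comma-separated 'value' field as typed into a GUI (assumed format)."""
    return [part.strip() for part in value.split(",") if part.strip()]


if __name__ == "__main__":
    # Constructed sample: primary 8.8.8.8 with 8.8.4.4 as the fallback.
    tlv = encode_dns_server_option(parse_value_field("8.8.8.8, 8.8.4.4"))
    print(tlv.hex())                      # 06080808080808080404
    print(decode_dns_server_option(tlv))  # ['8.8.8.8', '8.8.4.4']
```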
Use 9.9.9.11, help us all keep malware out of our systems.
And if you use dst IP NAT for the guest VLAN subnet for dst port 53, then it doesn't matter what DHCP hands out, you can control where DNS goes using NAT.
Quote from: BrandyWine on September 13, 2025, 08:06:36 PM
Use 9.9.9.11, help us all keep malware out of our systems.
And if you use dst IP NAT for the guest VLAN subnet for dst port 53, then it doesn't matter what DHCP hands out, you can control where DNS goes using NAT.
Ok this is actually nice.
Just to clarify, you mean this and these would be the correct settings?
(https://i.imgur.com/viV48bV.png)
Yep.
And, your cfg also helps keep malware from trying to scoot around dns that has malware blocking like 9.9.9.11
Many times we firewall users just have an outbound rule to allow DNS to any destination, but let's say DHCP says to use 9.9.9.11, malware can still use its own DNS because the fw rule is wide open for outbound DNS so it can bypass 9.9.9.11
When forcing it via NAT there's no way to get around it, any outbound DNS will go to your set DNS, in this case 9.9.9.11
Your fw rule then can actually just be "allow outbound any any tcp/udp-53", NAT will force the use of a specific DNS. And it's also good to have DST IP ANY in NAT rule because it covers all DST IP.
Just a last tidbit, your outbound DNS (for public DNS), all your internal stuff should be using a DNS service (free or paid for) that has anti-malware ability. It's not 100%, but nothing is.