dnsmasq

[NomadCF]

I'm using OPNsense 18.7.10 how can I get dnsmasq to NOT bind to 127.X.X.X ? I've tried to checking the "Strict Interface Binding". But that doesn't really seem to be working ?

My end goal is to have dnsmasq listen on lan:53 (and wan:53 limited to X ips (firewall rules)) then have dnscrypt-proxy bind to 127.0.0.1:53

[franco]

The topic should be about dnscrypt-proxy, not dnsmasq. Dnsmasq and unbound will always be listening on 127.0.0.1 if enabled.

What you do for dnscrypt-proxy is create a VIP for loopback with e.g. IP 127.0.0.2 and let dnscrypt-proxy bind to it. For now, however, that is not supported by the plugin and must be configured manually with the package. There is a good tutorial available in this forum.


Cheers,
Franco

[NomadCF]

Respectfully I disagree, if "Strict Interface Binding" doesn't really mean only the selected interfaces. Then it should either be stated clearly or really only bind to the defined interfaces. Dnsmasq isn't required to bind to 127 in order to function. It's clearly a maintainers choice they are choosing to make the default. 

[franco]

I'm not sure if this is a technical proposal that will somehow not deliberately break some people's setups (fw resolving through Unbound/Dnsmasq) or grief over not being able to do something the way that you want.

We deal with a couple of hard decisions to break with historic complexity every now and then and this was one of those things[1].

My only wish here would be: complain early and often.

[1] https://github.com/opnsense/changelog/blob/master/doc/18.7/18.7#L74