Bind DHCP dnsmasq to specific IP

I’m trying to set up a DHCP proxy server using dnsmasq on a machine that is running Incus (a NAS running NixOS). But it seems like Incus binds dnsmasq for internal DHCP to 0.0.0.0:67. Is there any way to change this? Can I somehow change the bind IP address, so I can still use another DHCP server on this machine?

Welcome!

The Incus network interfaces, those that are managed by Incus, have a dnsmasq process that only binds to said interfaces. That is, most likely the other dnsmasq is the one that tries to bind all network interfaces (the default with dnsmasq).

To verify, run the following. It will show which process, and under what user ID, is bound on port :53 (domain). If unsure, post the output.

sudo lsof -n -i :53

It seems that this is the case for port 53, but not for 67.

lsof -n -i :53

dnsmasq   5545          nobody  8u  IPv4    10087      0t0  UDP 10.33.38.1:domain
dnsmasq   5545          nobody  9u  IPv4    10088      0t0  TCP 10.33.38.1:domain (LISTEN)
dnsmasq   5545          nobody 10u  IPv6    10089      0t0  UDP [fd42:28de:750:afa0::1]:domain
dnsmasq   5545          nobody 11u  IPv6    10090      0t0  TCP [fd42:28de:750:afa0::1]:domain (LISTEN)

lsof -n -i :67

COMMAND  PID   USER FD   TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq 5545 nobody 4u  IPv4  10082      0t0  UDP *:bootps

When I check using netstat:

tcp        0      0 10.33.38.1:53           0.0.0.0:*               LISTEN      5545/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           5545/dnsmasq
j@Tungsten:~/nixos-config/ > ps -o ppid= 5545
   5172
j@Tungsten:~/nixos-config/ > ps -f 5172
UID          PID    PPID  C STIME TTY      STAT   TIME CMD
root        5172       1  0 May11 ?        Ssl    3:05 /nix/store/k00jdzsf64vz3lifmigza3l7wgqhkvrp-incus-6.12.0/bin/incusd --group incus-admin

See this from the dnsmasq man page.

-z, --bind-interfaces
On systems which support it, dnsmasq binds the wildcard address, even when it is listening on only some interfaces. It then discards requests that it shouldn’t reply to. This has the advantage of working even when interfaces come and go and change address. This option forces dnsmasq to really bind only the interfaces it is listening on. About the only time when this is useful is when running another nameserver (or another instance of dnsmasq) on the same machine. Setting this option also enables multiple instances of dnsmasq which provide DHCP service to run in the same machine.

Also, you can pass extra options to the Incus dnsmasq using the raw.dnsmasq key. See example.

Incus’ own dnsmasq process doesn’t just bind to 0.0.0.0; it binds to 0.0.0.0 on a specific interface which is the managed bridge:

root@nuc3:~# ss -naup sport = 67
State            Recv-Q           Send-Q                        Local Address:Port                     Peer Address:Port          Process
UNCONN           0                0                          0.0.0.0%incusbr0:67                            0.0.0.0:*              users:(("dnsmasq",pid=2986,fd=4))

(and if you have multiple managed bridges, there will be multiple dnsmasq processes).

This does not prevent another process from listening on 0.0.0.0:67 on a different interface:

root@nuc3:~# nc -l -u 67
<< waits here>>

# In another window
root@nuc3:~# ss -naup sport = 67
State         Recv-Q        Send-Q                  Local Address:Port               Peer Address:Port       Process
UNCONN        0             0                             0.0.0.0:67                      0.0.0.0:*           users:(("nc",pid=1595899,fd=3))
UNCONN        0             0                    0.0.0.0%incusbr0:67                      0.0.0.0:*           users:(("dnsmasq",pid=2986,fd=4))

Therefore, the problem as you’ve described it doesn’t make sense.

Please can you describe more clearly exactly what you’re trying to do, what you’ve tried to run, and at which point it fails, including any error message you see.

(The above examples are from a system running Ubuntu 22.04 + incus 6.0.4 zabbly)

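The ss output above shows the detail that lsof and netstat drop: the Incus dnsmasq socket is a wildcard bound to the device (0.0.0.0%incusbr0:67), which lsof prints as *:bootps and netstat as 0.0.0.0:67, indistinguishable from a socket that really does cover every interface. As an added example, not part of any post in this thread, here is a POSIX shell helper that reads the output of "ss -naup sport = 67" and classifies each UDP/67 socket as a plain wildcard, a device-bound wildcard, or an address-bound socket, with the owning process and pid. The sample output embedded in it is constructed to match the shape shown above; the pids and the extra 10.33.38.1 dnsmasq line are illustrative, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): classify the sockets listed by
#   ss -naup sport = 67
# so a device-bound wildcard (0.0.0.0%incusbr0:67, what the Incus dnsmasq
# holds) can be told apart from a plain wildcard (0.0.0.0:67) or an
# address-bound socket (10.33.38.1:67). lsof/netstat print the first two
# identically, which is why the thread recommends ss.

# Constructed sample in the shape of `ss -naup sport = 67` output. The pids and
# the third line are illustrative only, not captured from a real host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:67          0.0.0.0:*         users:(("nc",pid=1595899,fd=3))
UNCONN 0      0      0.0.0.0%incusbr0:67 0.0.0.0:*         users:(("dnsmasq",pid=2986,fd=4))
UNCONN 0      0      10.33.38.1:67       0.0.0.0:*         users:(("dnsmasq",pid=5545,fd=4))'

# classify_local ADDR:PORT prints one of:
#   device-wildcard:<ifname>  wildcard bound to one device (ss shows %ifname)
#   wildcard                  plain 0.0.0.0 / [::] / * bind, all interfaces
#   address:<ip>              bound to a single address
# The port is split off at the last colon, so bracketed IPv6 addresses work.
classify_local() {
    laddr="$1"
    addr="${laddr%:*}"
    case "$addr" in
        *%*)                   printf 'device-wildcard:%s\n' "${addr#*%}" ;;
        '0.0.0.0'|'*'|'[::]')  printf 'wildcard\n' ;;
        *)                     printf 'address:%s\n' "$addr" ;;
    esac
}

# report_sockets SS_OUTPUT prints "<process> pid=<pid> <class>" per socket.
# Skips the header; column 4 is Local Address:Port, column 6 is Process.
report_sockets() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $4, $6 }' |
    while read -r laddr proc; do
        name=$(printf '%s' "$proc" |
               sed -n 's/.*users:(("\([^"]*\)",pid=\([0-9]*\),.*/\1/p')
        pid=$(printf '%s' "$proc" |
              sed -n 's/.*users:(("\([^"]*\)",pid=\([0-9]*\),.*/\2/p')
        printf '%s pid=%s %s\n' "${name:-?}" "${pid:-?}" "$(classify_local "$laddr")"
    done
}

# plain_wildcard_count SS_OUTPUT prints how many sockets are plain wildcards,
# i.e. the ones that actually claim port 67 on every interface.
plain_wildcard_count() {
    report_sockets "$1" | awk '/ wildcard$/ { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample.
report_sockets "$SAMPLE_SS"
printf 'plain wildcard binders: %s\n' "$(plain_wildcard_count "$SAMPLE_SS")"
```

To use it on a live host, feed it real data instead of the sample, for example report_sockets "$(ss -naup sport = 67)"; ss does not need sudo to show the device scope, though the Process column is only filled in for sockets you are allowed to inspect. On the sample it reports the nc socket as the only plain wildcard, the Incus dnsmasq as device-wildcard:incusbr0, and the third as address:10.33.38.1, which is exactly the distinction the netstat output earlier in the thread hides.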

Thanks for this command, which does not require sudo and provides more details than lsof. We should be recommending this command in similar situations.

ss -naup sport = 67