I’m trying to set up a DHCP Proxy server using dnsmasq on a machine that is running Incus(a nas running NixOS). But it seems like incus binds dnsmasq for internal dhcp to 0.0.0.0:67. Is there any way to change this? Can I somehow change the bind ip address, so I can still use another dhcp server on this machine.
Welcome!
The Incus network interfaces, those that are managed by Incus, have a dnsmasq process that only binds to said interfaces. That is, most likely the other dnsmasq is the one that tries to bind all network interfaces (the default with dnsmasq).
To verify, run the following. It will show which process and under what USERID is binding on port :53 (domain). If unsure, post the output.
sudo lsof -n -i :53
It seems that this is the case for port 53, but not for 67
lsof -n -i :53
dnsmasq 5545 nobody 8u IPv4 10087 0t0 UDP 10.33.38.1:domain
dnsmasq 5545 nobody 9u IPv4 10088 0t0 TCP 10.33.38.1:domain (LISTEN)
dnsmasq 5545 nobody 10u IPv6 10089 0t0 UDP [fd42:28de:750:afa0::1]:domain
dnsmasq 5545 nobody 11u IPv6 10090 0t0 TCP [fd42:28de:750:afa0::1]:domain (LISTEN)
lsof -n -i :67
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq 5545 nobody 4u IPv4 10082 0t0 UDP *:bootps
When I check using netstat:
tcp 0 0 10.33.38.1:53 0.0.0.0:* LISTEN 5545/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 5545/dnsmasq
j@Tungsten:~/nixos-config/ > ps -o ppid= 5545
5172
j@Tungsten:~/nixos-config/ > ps -f 5172
UID PID PPID C STIME TTY STAT TIME CMD
root 5172 1 0 May11 ? Ssl 3:05 /nix/store/k00jdzsf64vz3lifmigza3l7wgqhkvrp-incus-6.12.0/bin/incusd --group incus-admin
See this from the dnsmasq man page.
-z, --bind-interfaces
On systems which support it, dnsmasq binds the wildcard address, even when it is listening on only some interfaces. It then discards requests that it shouldn’t reply to. This has the advantage of working even when interfaces come and go and change address. This option forces dnsmasq to really bind only the interfaces it is listening on. About the only time when this is useful is when running another nameserver (or another instance of dnsmasq) on the same machine. Setting this option also enables multiple instances of dnsmasq which provide DHCP service to run in the same machine.
Also, you can pass extra options to the Incus dnsmasq using the raw.dnsmasq key. See example.
Incus’ own dnsmasq process doesn’t just bind to 0.0.0.0; it binds to 0.0.0.0 on a specific interface which is the managed bridge:
root@nuc3:~# ss -naup sport = 67
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 0.0.0.0%incusbr0:67 0.0.0.0:* users:(("dnsmasq",pid=2986,fd=4))
(and if you have multiple managed bridges, there will be multiple dnsmasq processes).
This does not prevent another process from listening on 0.0.0.0:67 on a different interface:
root@nuc3:~# nc -l -u 67
<< waits here>>
# In another window
root@nuc3:~# ss -naup sport = 67
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 0.0.0.0:67 0.0.0.0:* users:(("nc",pid=1595899,fd=3))
UNCONN 0 0 0.0.0.0%incusbr0:67 0.0.0.0:* users:(("dnsmasq",pid=2986,fd=4))
Therefore, the problem as you’ve described it doesn’t make sense.
Please can you describe more clearly exactly what you’re trying to do, what you’ve tried to run, and at which point it fails, including any error message you see.
(The above examples are from a system running Ubuntu 22.04 + incus 6.0.4 zabbly)
1 Like
Thanks for this command, which does not require sudo and provides more details than lsof. We should be recommending this command in similar situations.
ss -naup sport = 67
1 Like