Make pihole-FTL bind only on certain IPs [v4.0]

I recently upgraded to pihole v4.0 and I can't force the DNS resolver to listen only on certain IPs.

My set-up is like a special VPN concentrator and I need different DNS resolvers for different subnets. Since pihole-FTL seems to always bind to 0.0.0.0, I cannot start any different daemon on port 53.

Expected Behaviour:

The DNS service (pihole-FTL) should listen only on a specified IP (e.g. 10.10.0.1).

Actual Behaviour:

pihole-FTL listens on 0.0.0.0 for both IPv4/IPv6:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     Timer
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      15631/lighttpd       off (0.00/0/0)
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      15798/pihole-FTL     off (0.00/0/0)
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      15798/pihole-FTL     off (0.00/0/0)
tcp6       0      0 :::80                   :::*                    LISTEN      15631/lighttpd       off (0.00/0/0)
tcp6       0      0 :::53                   :::*                    LISTEN      15798/pihole-FTL     off (0.00/0/0)
tcp6       0      0 ::1:4711                :::*                    LISTEN      15798/pihole-FTL     off (0.00/0/0)
udp        0      0 0.0.0.0:53              0.0.0.0:*                           15798/pihole-FTL     off (0.00/0/0)
udp6       0      0 :::53                   :::*                                15798/pihole-FTL     off (0.00/0/0)

Debug Token:

ptofzbqjhe

Try the "listen-address=" directive:

pi@noads:~ $ man dnsmasq
[..]
  -a, --listen-address=<ipaddr>
        Listen on the given IP address(es). Both --interface and  --lis‐
        ten-address  options may be given, in which case the set of both
        interfaces and addresses is used. Note that  if  no  --interface
        option is given, but --listen-address is, dnsmasq will not auto‐
        matically listen on the loopback interface. To achieve this, its
        IP  address,  127.0.0.1, must be explicitly given as a --listen-
        address option.

[..]

You can put that directive in a new dnsmasq config file that will be read by pihole-FTL:

sudo nano /etc/dnsmasq.d/99-my-settings.conf

I just did a test, but the configuration seems to be ignored and it keeps listening on 0.0.0.0.

For completeness this is the conf file:

root@vps:~# cat /etc/dnsmasq.d/02-pihole-my.conf 
listen-address=::1,127.0.0.1,10.10.0.1
root@vps:~# ls -la /etc/dnsmasq.d/
total 60
drwxr-xr-x  2 root root  4096 Aug 16 12:27 .
drwxr-xr-x 83 root root 45056 Aug 14 19:07 ..
-rw-r--r--  1 root root  1522 Aug 14 19:07 01-pihole.conf
-rw-r--r--  1 root root    64 Aug 16 12:27 02-pihole-my.conf

Actually, I used the "listen-address=" directive on previous pihole versions to achieve my goal. On v4.0, however, the standard dnsmasq installation seems to have been dropped and embedded in pihole-FTL. In fact, I totally uninstalled dnsmasq from the system and the pihole set-up does not install it anymore.

Moreover, pihole-FTL seems to read only its dedicated conf file (no mention of dnsmasq config files in the logfiles):

root@vps:~# egrep 'conf' /var/log/pihole*.log
/var/log/pihole-FTL.log:[2018-08-16 12:28:25.689] Starting config file parsing (/etc/pihole/pihole-FTL.conf)
/var/log/pihole-FTL.log:[2018-08-16 12:28:25.689] Finished config file parsing
/var/log/pihole-FTL.log:[2018-08-16 12:28:25.690] Successfully accessed setupVars.conf
/var/log/pihole-FTL.log:[2018-08-16 12:30:24.137] Starting config file parsing (/etc/pihole/pihole-FTL.conf)
/var/log/pihole-FTL.log:[2018-08-16 12:30:24.138] Finished config file parsing
/var/log/pihole-FTL.log:[2018-08-16 12:30:24.148] Successfully accessed setupVars.conf
root@vps:~# egrep '/etc/dnsmasq' /var/log/pihole*.log
root@vps:~# 

Was it too early for me to switch to v4.0?

Seems you also need the "bind-interfaces" directive:

pi@noads:~ $ cat /etc/dnsmasq.d/99-my-settings.conf
listen-address=::1,127.0.0.1,10.0.0.2
bind-interfaces

pi@noads:~ $ sudo systemctl restart pihole-FTL

pi@noads:~ $ sudo netstat -nltup | grep 'Proto\|:53 \|:67 \|:80 \|:471'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      20645/pihole-FTL
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      8101/lighttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      20645/pihole-FTL
tcp        0      0 10.0.0.2:53             0.0.0.0:*               LISTEN      20645/pihole-FTL
tcp6       0      0 ::1:4711                :::*                    LISTEN      20645/pihole-FTL
tcp6       0      0 :::80                   :::*                    LISTEN      8101/lighttpd
tcp6       0      0 ::1:53                  :::*                    LISTEN      20645/pihole-FTL
udp        0      0 127.0.0.1:53            0.0.0.0:*                           20645/pihole-FTL
udp        0      0 10.0.0.2:53             0.0.0.0:*                           20645/pihole-FTL
udp        0      0 0.0.0.0:67              0.0.0.0:*                           20645/pihole-FTL
udp6       0      0 ::1:53                  :::*                                20645/pihole-FTL

From the man page:

   -z, --bind-interfaces
          On systems which support it, dnsmasq binds the wildcard address, even when
          it is listening on only some interfaces. It then discards requests that it
          shouldn't reply to. This has the advantage of working even when interfaces
          come  and go and change address. This option forces dnsmasq to really bind
          only the interfaces it is listening on. About the only time when  this  is
          useful is when running another nameserver (or another instance of dnsmasq)
          on the same machine. Setting this option also enables  multiple  instances
          of dnsmasq which provide DHCP service to run in the same machine.
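A small check for the situation discussed in this thread, added here as an example and not taken from Pi-hole or from any post above: it parses `netstat -nltup` style output and reports which local addresses a given port is bound to, so you can confirm after a restart that the resolver really is no longer on the wildcard address. The function names, the two constructed captures (modelled on the netstat listings posted earlier) and the allowed-address list are my own assumptions.

```shell
#!/bin/sh
# Example check (not part of the thread): given `netstat -nltup` output,
# list the local addresses bound on a port and flag wildcard binds.

# Constructed captures in the format of the listings posted in the thread.
# BEFORE_FIX: pihole-FTL on 0.0.0.0 / :: ; AFTER_FIX: with bind-interfaces.
BEFORE_FIX='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      15798/pihole-FTL
tcp6       0      0 :::53                   :::*                    LISTEN      15798/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           15798/pihole-FTL
udp6       0      0 :::53                   :::*                                15798/pihole-FTL'

AFTER_FIX='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      20645/pihole-FTL
tcp        0      0 10.0.0.2:53             0.0.0.0:*               LISTEN      20645/pihole-FTL
tcp6       0      0 ::1:53                  :::*                    LISTEN      20645/pihole-FTL
udp        0      0 0.0.0.0:67              0.0.0.0:*                           20645/pihole-FTL
udp6       0      0 ::1:53                  :::*                                20645/pihole-FTL'

# dns_bind_addrs <port>: reads netstat output on stdin and prints the local
# address (port stripped) of every socket on <port>. The header line and any
# netstat warning lines have no "addr:port" 4th field and are skipped.
dns_bind_addrs() {
    awk -v port="$1" '
        $1 == "Proto" { next }
        {
            la = $4
            n = length(la) - length(port) - 1      # length of the address part
            if (n < 1) next
            if (substr(la, n + 1) != ":" port) next # not our port
            print substr(la, 1, n)
        }'
}

# count_wildcard_dns <port> <netstat-text>: number of sockets on <port> bound
# to the IPv4 (0.0.0.0) or IPv6 (::) wildcard address.
count_wildcard_dns() {
    printf '%s\n' "$2" | dns_bind_addrs "$1" | grep -c -x -F -e '0.0.0.0' -e '::'
}

# dns_only_on <port> <netstat-text> <addr>...: exit 0 only if every socket on
# <port> is bound to one of the listed addresses.
dns_only_on() {
    port="$1"; text="$2"; shift 2
    allowed=" $* "
    printf '%s\n' "$text" | dns_bind_addrs "$port" | while read -r addr; do
        case "$allowed" in
            *" $addr "*) ;;
            *) exit 1 ;;   # exits the pipeline subshell -> function returns 1
        esac
    done
}

# Stand-alone run: compare the two constructed captures.
printf 'before fix: %s wildcard DNS sockets on port 53\n' "$(count_wildcard_dns 53 "$BEFORE_FIX")"
printf 'after fix:  %s wildcard DNS sockets on port 53\n' "$(count_wildcard_dns 53 "$AFTER_FIX")"
if dns_only_on 53 "$AFTER_FIX" 127.0.0.1 10.0.0.2 ::1; then
    echo 'after fix: port 53 bound only to the intended addresses'
fi
```

On a live host the same functions take real output, e.g. `sudo netstat -nltup | dns_bind_addrs 53`; note that the DHCP socket on port 67 stays on 0.0.0.0 in the capture above, which is why the check is done per port.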

Thank you, the "bind-interfaces" did it! :smiley:

In fact, this setting, coupled with "interface=" (already set in /etc/dnsmasq.d/01-pihole.conf), renders "listen-address" useless, and I get the same results even when commenting the latter out.

What was puzzling me, however, was that pihole-FTL still uses dnsmasq's own location for configuration files. Since a standalone dnsmasq is not needed anymore, IMHO it would be clearer to move those files into the /etc/pihole subdir, wouldn't it?
Might it also be possible to add to the docs that pihole-FTL still honors the /etc/dnsmasq* files?

Thank-you again for your help @deHakkelaar!


Or maybe symlinks.

pi@noads:~ $ sudo ln -s /etc/dnsmasq.d /etc/pihole/

pi@noads:~ $ ll /etc/pihole/
lrwxrwxrwx  1 root   root            14 Aug 16 18:03 dnsmasq.d -> /etc/dnsmasq.d

pi@noads:~ $ ll /etc/pihole/dnsmasq.d/
total 24
drwxr-xr-x  2 root root 4096 Aug 16 15:51 .
drwxr-xr-x 92 root root 4096 Aug  9 05:50 ..
-rw-r--r--  1 root root 1519 Aug  8 20:49 01-pihole.conf
-rw-r--r--  1 root root  479 Aug  8 20:49 02-pihole-dhcp.conf
-rw-r--r--  1 root root  349 Nov 23  2017 04-pihole-static-dhcp.conf
-rw-r--r--  1 root root  211 Apr 12  2017 README

Put in a feature request :wink:

All of the major modifications to the embedded dnsmasq are noted in the docs, and beyond that everything is the same as normal dnsmasq, so this is already documented.
