DNSMasq, source interface and IPSec VPNs



  • dnsmasq has the capability to use the internal interface IP when querying the override domains. I.e. when overriding internal.local, use the IP address 192.168.111.12 (server on the VPN at the other end of the link). However, as the request goes out from pfSense, it uses the WAN interface and isn't encrypted. Normally, this can be overcome by sending the query from the internal interface, which dnsmasq supports through the syntax 192.168.111.12@192.168.1.1. However, the valid IP address checks on line 72 in services_dnsmasq_domainoverride_edit.php stop this being entered. If the line is commented out, then it all works as desired.

    Could the tests please be modified to support this feature?
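    As an added illustration (not code from this thread or from pfSense), here is the validation the post is asking for, written in Python: it splits the dnsmasq `server@source` form, accepts `#` as the exclusion marker, only allows a source address the firewall itself owns, and renders the resulting `server=` line. The interface address list is a constructed stand-in for pfSense's `get_configured_ip_addresses()`.

```python
import ipaddress

# Constructed stand-in for the firewall's own interface addresses (the role that
# pfSense's get_configured_ip_addresses() plays in the patch); values are made up.
LOCAL_INTERFACE_IPS = {"192.168.1.1", "10.0.0.1", "2001:db8::1"}


def parse_override(value):
    """Split an override target into (server_ip, source_ip).

    Accepts "#" (exclusion), "ip" (server only) and "ip@source" (server plus the
    local address the query is sent from). Raises ValueError with the form message.
    """
    if value == "#":
        return None, None
    server, sep, source = value.partition("@")
    try:
        server_ip = ipaddress.ip_address(server)
    except ValueError:
        raise ValueError("A valid IP address must be specified, or # for an exclusion.") from None
    if not sep:
        return str(server_ip), None
    try:
        source_ip = ipaddress.ip_address(source)
    except ValueError:
        raise ValueError("The DNS query source must be a valid IP address.") from None
    # The @source form exists to force the query out of the tunnel-side interface,
    # so only an address the firewall itself owns makes sense here.
    if str(source_ip) not in LOCAL_INTERFACE_IPS:
        raise ValueError("An interface IP address must be specified for the DNS query source.")
    if source_ip.version != server_ip.version:
        raise ValueError("The query source and the server must be the same IP family.")
    return str(server_ip), str(source_ip)


def override_error(value):
    """Return the validation message for a submitted value, or None if it is acceptable."""
    try:
        parse_override(value)
    except ValueError as err:
        return str(err)
    return None


def dnsmasq_server_line(domain, value):
    """Render the dnsmasq server= directive for a non-exclusion override."""
    server, source = parse_override(value)
    if server is None:
        return None  # exclusions are written differently and are not rendered here
    target = server if source is None else f"{server}@{source}"
    return f"server=/{domain}/{target}"
```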



  • Patches accepted.
    Please open a feature request on redmine.pfsense.org to not get this lost.



  • Well, here is my first bit of PHP coding, so hopefully it is OK. It seems to do what I wanted it to do.

    diff services_dnsmasq_domainoverride_edit.php.orig services_dnsmasq_domainoverride_edit.php
    54c54,61
    <        $pconfig['ip'] = $a_domainOverrides[$id]['ip'];
    –-

    if (is_ipaddr($a_domainOverrides[$id]['ip']) && ($a_domainOverrides[$id]['ip'] != '#')) {
                  $pconfig['ip'] = $a_domainOverrides[$id]['ip'];
            }
            else {
                  $dnsmasqpieces = explode('@', $a_domainOverrides[$id]['ip'], 2);
                  $pconfig['ip'] = $dnsmasqpieces[0];
                  $pconfig['dnssrcip'] = $dnsmasqpieces[1];
            }
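    Review bot: the else branch of the new block is reached for the `#` exclusion value as well (is_ipaddr('#') is false, so the `!= '#'` test adds nothing), and `explode('@', '#', 2)` returns a single element, so `$dnsmasqpieces[1]` is an undefined index there and also for any stored value without an `@`. Branch on the presence of the separator instead, e.g. `if (strpos($a_domainOverrides[$id]['ip'], '@') !== false) { ... } else { $pconfig['ip'] = $a_domainOverrides[$id]['ip']; }`, or guard with `isset($dnsmasqpieces[1])`.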
    73c80,83
    <                $input_errors[] = gettext("A valid IP address must be specified, or # for an exclusion.");
    –-
                  $input_errors[] = gettext("A valid IP address must be specified, or # for an exclusion.");
            }
            if ($_POST['dnssrcip'] && !in_array($_POST['dnssrcip'], get_configured_ip_addresses())) {
                  $input_errors[] = gettext("An interface IP address must be specified for the DNS query source.");
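    Review bot: the new `dnssrcip` check does not reject a source address that is submitted together with the `#` exclusion in `ip`; with the save code below, that combination is stored as `#@<source>`, which is neither an exclusion nor a valid server. Add `$_POST['ip'] != '#'` to the condition (or raise an error when both are set), and consider also rejecting a source whose address family differs from `$_POST['ip']`, since dnsmasq cannot send an IPv4 query from an IPv6 source or vice versa.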
    78c88,91
    <                      $doment['ip'] = $_POST['ip'];
    –-
                          if (empty($_POST['dnssrcip']))
                                    $doment['ip'] = $_POST['ip'];
                          else
                                  $doment['ip'] = $_POST['ip'] . "@" . $_POST['dnssrcip'];
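    Review bot: storing the composite `ip@source` string in `$doment['ip']` means every other reader of `$a_domainOverrides[...]['ip']` now has to know about the `@` suffix (the edit form above already needs an explode to undo it). Keeping `dnssrcip` as its own config key and appending `@` . source only at the point where the dnsmasq `server=` line is written would keep the stored `ip` a plain address and avoid the parsing.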
    118a132,138
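    Review bot: the `118a132,138` hunk header announces seven lines added after line 118, but none follow it in the post, so the patch as shown cannot be applied. Please re-post the missing hunk or attach the full diff to the redmine ticket.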



  • I have created Feature 1361 in redmine as suggested, and I have updated it with the patch.

    http://redmine.pfsense.org/issues/1361

