Add UI support for managing DNS requests from remote networks #1451

@cotosso

Brief description
The current NethSecurity 8.7.1 UI does not allow administrators to configure dnsmasq options that control on which interfaces the DNS service listens. This limitation affects scenarios where routed subnets must query the firewall’s local DNS resolver.

Why this is needed
In routed network setups, dnsmasq responds only to clients in directly connected subnets unless explicit configuration overrides this behavior. When the UI does not expose these parameters, administrators must manually edit configuration files, which increases operational complexity and the risk of misconfiguration.

Purpose
Provide a simple and safe way to adjust dnsmasq’s interface binding behavior directly from the UI, ensuring that networks reachable through routing (not only directly attached interfaces) can use the firewall as a DNS server when intended.

Proposed solution
Introduce a simple UI control to allow administrators to enable dnsmasq to respond to queries from routed networks. Only the localservice option needs to be exposed, keeping the interface clear and user-friendly.

  • Modify the existing localservice setting

    • Current default value: option localservice '1'
    • When set to 1, dnsmasq replies only to clients in directly connected subnets.
    • Adding a UI toggle allows administrators to set localservice '0', enabling DNS service for routed networks.

UI recommendation

  • Suggested wording: “Allow DNS service for routed networks”
  • Tooltip or help text should explain that enabling this allows remote or routed networks to use the firewall DNS, while all other DNS security settings (e.g., rebind protection) remain active.
  • No additional options like exceptinterface are required, keeping the UI simple and avoiding confusion.

Additional context
This feature is especially useful when the firewall handles traffic from remote routed networks that rely on its DNS resolver but are not part of the primary LAN subnet. Without UI support, administrators must manually edit /etc/config/dhcp, which is discouraged in managed environments.

Components

  • NethSecurity 8.7.1
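
The behaviour this request describes can be modelled offline. The sketch below is an added example, not part of the issue or of NethSecurity's code: it reads the localservice value from a constructed /etc/config/dhcp fragment and reports which constructed client addresses dnsmasq would answer. It assumes no interface-binding options are set, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of the dnsmasq section in /etc/config/dhcp (not from a real system).
SAMPLE_UCI = """
config dnsmasq
	option domainneeded '1'
	option localservice '1'
	option rebind_protection '1'
"""

# Constructed addressing: the firewall's own LAN interface, plus two clients,
# one on that LAN and one on a subnet reachable only through a router.
CONNECTED = ["192.168.1.1/24"]
CLIENTS = {"192.168.1.50": "LAN host", "10.20.0.7": "routed host"}


def read_localservice(uci_text):
    """Return True if the fragment sets option localservice '1'."""
    m = re.search(r"^\s*option\s+localservice\s+'?([01])'?\s*$", uci_text, re.M)
    if m is None:
        raise ValueError("localservice is not set explicitly in this fragment")
    return m.group(1) == "1"


def would_answer(client, connected, localservice):
    """Simplified model of dnsmasq --local-service: when enabled, only sources
    inside a subnet that has an interface on the server get a reply."""
    if not localservice:
        return True  # dnsmasq no longer filters by source subnet
    src = ipaddress.ip_address(client)
    return any(src in ipaddress.ip_interface(i).network for i in connected)


def report(uci_text):
    """Map each sample client to whether its query would be answered."""
    ls = read_localservice(uci_text)
    return {c: would_answer(c, CONNECTED, ls) for c in CLIENTS}


if __name__ == "__main__":
    relaxed = SAMPLE_UCI.replace("localservice '1'", "localservice '0'")
    for label, cfg in (("localservice '1'", SAMPLE_UCI), ("localservice '0'", relaxed)):
        print(label, report(cfg))
```

With localservice '0' dnsmasq stops filtering by source subnet, so which networks can reach port 53 is then decided by the firewall rules alone.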
