Interface binding behavior¶
Interface listening settings¶
Pi-hole offers three choices for interface listening behavior on its dashboard:
Listen on all interfaces¶
This setting accepts DNS queries only from hosts whose address is on a local subnet, i.e. a subnet for which an interface exists on the server. It is intended to be set as a default on installation, to allow unconfigured installations to be useful but also safe from being used for DNS amplification attacks if (accidentally) running public.
local-service is used.
Listen only on interface
Listen only on the specified interface. The loopback (
lo) interface is automatically added to the list of interfaces to use when this option is used. When the optional settings
bind-dynamic are in effect, IP alias interface labels (e.g.
eth1:0) are checked, rather than interface names.
In the degenerate case when an interface has one address, this amounts to the same thing but when an interface has multiple addresses it allows control over which of those addresses are accepted. The same effect is achievable in default mode by using
interface=eth0 is used (the interface may be different).
Listen on all interfaces, permit all origins¶
We intentionally add this option to disable any possible
local-service settings from other files. This truly allows any traffic to be replied to and a dangerous thing to do. You should always ask yourself if the first option doesn't work for you as well.
except-interface=nonexisting is used.
By default, FTL binds the wildcard address, even when it is listening on only some interfaces. It then discards requests that it shouldn't reply to. This has the big advantage of working even when interfaces come and go and change address (this happens way more often than one would think).
If this is not what you want, you can add the option
to some file like
/etc/dnsmasq.d/99-user.conf and see the comment above. This config forces FTL to really bind only the interfaces it is listening on.
About the only time when this is useful is when running another nameserver on the same port on the same machine.