<div dir="ltr">
<p>Anton&#39;s post led me down the path of getting a workable setup.</p>
<p>Basically, as Anton asserted, I left systemd-resolved as it is, and that didn&#39;t disturb DNS on the gateway. Then in /etc/dnsmasq.conf, I uncommented this line:</p>
<pre>conf-dir=/etc/dnsmasq.d/,*.conf</pre>
<p>Then created an /etc/dnsmasq.d/local.conf with the following in it:</p>
<pre>no-resolv # Ignore /etc/resolv.conf
no-poll
bind-dynamic # See below
interface=wg0 # Only serve DNS on Wireguard&#39;s network interface
bogus-priv
domain-needed
expand-hosts
domain=home.priv
local=/home.priv/
server=9.9.9.9
server=1.1.1.1</pre>
<p>I am not sure if the last two lines do anything, because resolved is still active, and should handle regular DNS.</p>
<p>The bind-dynamic replaces bind-interfaces, because there was this warning in syslog:</p>
<pre>LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)</pre>
<p>/etc/hosts on the gateway that runs dnsmasq has:</p>
<pre>host1.home.priv 10.10.0.1
host2.home.priv 10.10.0.2
host3.home.priv 10.10.0.3</pre>
<p>And so on.</p>
<p>Then in each Wireguard peer, the .conf file has a line saying:</p>
<pre>DNS = 10.10.0.1</pre>
<p>For good measure, even though I am not sure if it does anything, I did:</p>
<pre>sudo ufw allow 53
sudo ufw reload</pre>
<p>And that makes DNS work on the gateway, and all the peers.</p>
</div>
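As an added example (not code from the message above or from dnsmasq itself), here is a small lint that reads a dnsmasq drop-in like the local.conf shown and checks the settings the message relies on: bind-dynamic rather than bind-interfaces (the syslog warning's point), listening only on the tunnel interface, no-resolv so the systemd-resolved stub is not used upstream, domain-needed and bogus-priv so local lookups do not leak, and that local= matches domain=. A second check confirms the DNS address handed to WireGuard peers is inside the tunnel subnet and present in /etc/hosts. The sample hosts file is constructed in the standard /etc/hosts layout (address first, then names); the tunnel subnet 10.10.0.0/24 is an assumption, since the message only shows individual 10.10.0.x addresses.

```python
"""Added example: lint a dnsmasq drop-in and /etc/hosts for a WireGuard
gateway resolver. Not part of the original message or of dnsmasq."""

import ipaddress

# Constructed sample: the drop-in from the message, with its trailing comments.
SAMPLE_CONF = """\
no-resolv # Ignore /etc/resolv.conf
no-poll
bind-dynamic # See below
interface=wg0 # Only serve DNS on Wireguard's network interface
bogus-priv
domain-needed
expand-hosts
domain=home.priv
local=/home.priv/
server=9.9.9.9
server=1.1.1.1
"""

# Constructed sample in the standard /etc/hosts layout (address first, then
# names). Assumption: the gateway itself is host1 at 10.10.0.1.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
10.10.0.1 host1.home.priv host1
10.10.0.2 host2.home.priv host2
10.10.0.3 host3.home.priv host3
"""


def parse_dnsmasq(text):
    """Return (key, value) pairs in file order; value is None for bare flags.
    Everything after '#' is dropped, which is how dnsmasq treats unquoted
    trailing comments, so the sample's inline comments are harmless."""
    items = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        items.append((key.strip(), value.strip() if sep else None))
    return items


def lint_dnsmasq(text):
    """Return a list of findings; an empty list means every check passed."""
    items = parse_dnsmasq(text)
    keys = {k for k, _ in items}
    values = {}
    for k, v in items:
        values.setdefault(k, []).append(v)
    findings = []
    if "bind-interfaces" in keys:
        findings.append("bind-interfaces set: dnsmasq warns to use bind-dynamic "
                        "to avoid DNS amplification via the interface")
    elif "bind-dynamic" not in keys:
        findings.append("neither bind-dynamic nor bind-interfaces: wildcard bind, "
                        "so every interface is served")
    if "interface" not in keys and "listen-address" not in keys:
        findings.append("no interface= or listen-address=: resolver answers on "
                        "all interfaces, not only the tunnel")
    if "no-resolv" not in keys:
        findings.append("no-resolv missing: /etc/resolv.conf (the systemd-resolved "
                        "stub) would be used as upstream")
    if "domain-needed" not in keys:
        findings.append("domain-needed missing: bare hostnames would be forwarded upstream")
    if "bogus-priv" not in keys:
        findings.append("bogus-priv missing: reverse lookups for private ranges "
                        "would be forwarded upstream")
    domain = values.get("domain", [None])[0]
    for local in values.get("local", []):
        zone = local.strip("/")
        if domain and zone != domain:
            findings.append(f"local=/{zone}/ does not match domain={domain}: "
                            "local names would still be forwarded upstream")
    if "server" not in keys:
        findings.append("no server= lines: with no-resolv there is no upstream, "
                        "so only local names resolve")
    return findings


def parse_hosts(text):
    """Map each address to its names from a standard /etc/hosts (address first)."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[fields[0]] = fields[1:]
    return table


def check_peer_dns(hosts_text, peer_dns, tunnel_subnet, domain):
    """Findings for the DNS= address given to WireGuard peers: it should lie
    inside the tunnel subnet and carry a name under the served domain in
    /etc/hosts, otherwise peers query something other than the gateway."""
    findings = []
    if ipaddress.ip_address(peer_dns) not in ipaddress.ip_network(tunnel_subnet):
        findings.append(f"DNS = {peer_dns} is outside {tunnel_subnet}: "
                        "peers would query a resolver off the tunnel")
    names = parse_hosts(hosts_text).get(peer_dns, [])
    if not any(n.endswith("." + domain) for n in names):
        findings.append(f"{peer_dns} has no {domain} name in /etc/hosts")
    return findings


if __name__ == "__main__":
    for f in lint_dnsmasq(SAMPLE_CONF) + check_peer_dns(
            SAMPLE_HOSTS, "10.10.0.1", "10.10.0.0/24", "home.priv"):
        print("FINDING:", f)
```

Running it against the sample prints nothing; swapping bind-dynamic for bind-interfaces, or deleting the interface= line, produces the corresponding finding, which is the quickest way to see why the syslog warning mattered.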