dnsmasq

dnsmasq provides a DNS server, a DHCP server with support for DHCPv6 and PXE, and a TFTP server. It is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls. dnsmasq can also be configured to cache DNS queries for improved DNS lookup speeds to previously visited sites.

Installation

Install the dnsmasq package.

Start the daemon

Start/enable dnsmasq.service.

To see if dnsmasq started properly, check the system's journal:

# journalctl -u dnsmasq.service

The network will also need to be restarted so the DHCP client can create a new /etc/resolv.conf.

Configuration

To configure dnsmasq, edit /etc/dnsmasq.conf. The file contains comments explaining the options. For all available options see dnsmasq(8).

Note: dnsmasq's default configuration enables its DNS server. If you do not require it, you need to explicitly disable it by setting port=0.

If dnsmasq will not be used as a local DNS resolver, you may also want to edit dnsmasq.service so that it does not pull in nss-lookup.target:

/etc/systemd/system/dnsmasq.service.d/no-nss-lookup-target.conf
[Unit]
Wants=
Tip: To check configuration file(s) syntax, execute:
$ dnsmasq --test

DNS server

To set up dnsmasq as a DNS caching daemon on a single computer specify a directive, adding in the localhost IP address:

listen-address=::1,127.0.0.1

To use this computer to listen on its LAN IP address for other computers on the network. It is recommended that you use a static LAN IP in this case. E.g.:

listen-address=::1,127.0.0.1,192.168.1.1

Set the number of cached domain names with (the default is and the hard limit is ):

cache-size=1000

To validate DNSSEC load the DNSSEC trust anchors provided by the dnsmasq package and set the option dnssec:

conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec

See dnsmasq(8) for more options you might want to use.

DNS addresses file and forwarding

After configuring dnsmasq, you need to add the localhost addresses as the only nameservers in /etc/resolv.conf. This causes all queries to be sent to dnsmasq.

Since dnsmasq is a stub resolver not a recursive resolver you must set up forwarding to an external DNS server. This can be done automatically by using openresolv or by manually specifying the DNS server address in dnsmasq's configuration.

openresolv

If your network manager supports resolvconf, instead of directly altering /etc/resolv.conf, you can use openresolv to generate configuration files for dnsmasq.

Edit and add the loopback addresses as name servers, and configure openresolv to write out dnsmasq configuration:

/etc/resolvconf.conf
# Use the local name server
name_servers="::1 127.0.0.1"
resolv_conf_options="trust-ad"

# Write out dnsmasq extended configuration and resolv files
dnsmasq_conf=/etc/dnsmasq-conf.conf
dnsmasq_resolv=/etc/dnsmasq-resolv.conf

Run so that the configuration files get created. If the files do not exist dnsmasq.service will fail to start.

Edit dnsmasq's configuration file to use openresolv's generated configuration:

# Read configuration generated by openresolv
conf-file=/etc/dnsmasq-conf.conf
resolv-file=/etc/dnsmasq-resolv.conf
Manual forwarding

First you must set localhost addresses as the only nameservers in /etc/resolv.conf:

Make sure to protect /etc/resolv.conf from modification as described in Domain name resolution#Overwriting of /etc/resolv.conf.

The upstream DNS server addresses must then be specified in dnsmasq's configuration file as . Also add so dnsmasq does not needlessly read /etc/resolv.conf which only contains the localhost addresses of itself.

Now DNS queries will be resolved with dnsmasq, only checking external servers if it cannot answer the query from its cache.

Adding a custom domain

It is possible to add a custom domain to hosts in your (local) network:

local=/lan/
domain=lan

In this example it is possible to ping a host/device (e.g. defined in your file) as .

Uncomment to add the custom domain to hosts entries:

expand-hosts

Without this setting, you will have to add the domain to entries of .

Test

To do a lookup speed test choose a website that has not been visited since dnsmasq has been started (drill is part of the ldns package):

$ drill archlinux.org | grep "Query time"

Running the command again will use the cached DNS IP and result in a faster lookup time if dnsmasq is setup correctly:

To test if DNSSEC validation is working see DNSSEC#Testing.

DHCP server

By default dnsmasq has the DHCP functionality turned off, if you want to use it you must turn it on. Here are the important settings:

See dnsmasq(8) for more options.

Proxy DHCP

In case there is already a DHCP server running on the network and you want to interoperate with it, dnsmasq can be set to behave as a "proxy DHCP", therefore only serving the #PXE server specific information to the client. This mode is only available with IPv4. Use the following syntax, providing the existing DHCP server address:

dhcp-range=192.168.0.1,proxy

Test

From a computer that is connected to the one with dnsmasq on it, configure it to use DHCP for automatic IP address assignment, then attempt to log into the network normally.

If you inspect the file on the server, you should be able to see the lease.

TFTP server

dnsmasq has built-in TFTP server.

To use it, create a root directory for TFTP (e.g. ) to put transferable files in.

enable-tftp
tftp-root=/srv/tftp

For increased security it is advised to use dnsmasq's TFTP secure mode. In secure mode only files owned by the user will be served over TFTP. You will need to chown TFTP root and all files in it to user to use this feature.

tftp-secure

See dnsmasq(8) for more options.

PXE server

PXE requires a DHCP and a TFTP server; both can be provided by dnsmasq. To setup the PXE server, follow these steps:

  1. Setup the #TFTP server and the #DHCP server (in full DHCP or proxy mode) in the dnsmasq configuration file,
  2. Copy and configure a PXE compatible bootloader (e.g. PXELINUX) in the TFTP root directory,
  3. Enable PXE in the dnsmasq configuration file:

To simply send one file:

dhcp-boot=lpxelinux.0

To send a file depending on client architecture:

pxe-service=x86PC,"PXELINUX (BIOS)",bios/lpxelinux
pxe-service=X86-64_EFI,"PXELINUX (EFI)",efi64/syslinux.efi

In case pxe-service does not work to identify the architecture (especially for UEFI-based clients), combination of and dhcp-boot can be used. See RFC 4578 2.1 for more numbers for use with dhcp boot protocol.

dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-match=set:efi-x86_64,option:client-arch,9
dhcp-match=set:efi-x86,option:client-arch,6
dhcp-match=set:bios,option:client-arch,0
dhcp-boot=tag:efi-x86_64,efi64/syslinux.efi
dhcp-boot=tag:efi-x86,efi32/syslinux.efi
dhcp-boot=tag:bios,bios/lpxelinux.0

See dnsmasq(8) for more options.

The rest is up to the bootloader.

Tips and tricks

Prevent OpenDNS redirecting Google queries

To prevent OpenDNS from redirecting all Google queries to their own search server, add to /etc/dnsmasq.conf:

Override addresses

In some cases, such as when operating a captive portal, it can be useful to resolve specific domains names to a hard-coded set of addresses. This is done with the config:

address=/example.com/1.2.3.4

Furthermore, it is possible to return a specific address for all domain names that are not answered from or DHCP by using a special wildcard:

address=/#/1.2.3.4

More than one instance

If we want two or more dnsmasq servers works per interface(s).

Static

To do this staticly, server per interface, use and options. This enforce start second dnsmasq.

Dynamic

In this case we can exclude per interface and bind any others:

except-interface=lo
bind-dynamic

Domain blocklisting

To blocklist domains, i.e. answer queries for them with NXDOMAIN, use the option without specifying the IP address:

address=/blocked.example/
address=/anotherblocked.example/

Wildcards are also supported. Add a to the start of the pattern:

# blocks both blocked.example and anotherblocked.example and all their subdomains
address=/*blocked.example/

# blocks subdomains like mail.google.com but not google.com
address=/*.google.com/

Some specific subdomains can be unblocked using # as the server address:

# blocks google.com and all subdomains except mail.google.com.
address=/google.com/
server=/mail.google.com/#
Note:
  • The options address=/example.com/ and server=/example.com/ are equivalent. Both will answer queries for them with NXDOMAIN.
  • The options address=/example.com/# and server=/example.com/# are not equivalent.
    • address=/example.com/# will answer queries for the domain with the NULL address (0.0.0.0 or :: for IPv6).
    • server=/example.com/# will send queries for the domain to the standard configured servers.
  • The patterns /example.com/ and /.example.com/ are equivalent. Both will match example.com and all its subdomains.

For ease of use place the blocklist in a separate file, e.g. and load it from /etc/dnsmasq.conf with or .

gollark: I'm sure that *some of it* is just altruism, but there *is* clearly profit-making, and I am kind of offended that he's decided that pointing that out makes me pure evil.
gollark: I can still talk here.
gollark: MC is being crashy today.
gollark: ```HydroNitrogenToday at 13:34> diamonds> why buy them?Well I'm only taking diamonds, not because I profit from them, but becuase I want to give players an opportunity to make some krist!You greedy fuck think this world is all about making profits from the poorergollarkToday at 13:36Well. It is, given the pricing.HydroNitrogenToday at 13:37You're incapable of understanding all the discussion, donations, concepts and thoughts that went to making sell shopif you for one second think that I'm doing Wolf Mall, SELL SHOP, my public services for gaining my self better kristthen you're so so so wrongrot in hell you poisonous mean bullyYou fucking make my days miserableI haven't banned you yet ONLY because it's not according to my own ethics to ban people out of personal hateBut man you are capable of making me so so sad and unhappyI really wish this were diffrentI fucking tried being nice, tried arguing youbut I'm just so so fed upof youWish you could realise how much happier you yourself could be and you could make others if not being venom and evilgollarkToday at 13:40Profit is clearly a goal of yours, if not the goal.HydroNitrogenToday at 13:40I'm not going to argue even more```
gollark: Dragon freeing as in the end portal is now publicly accessible and hi.

See also

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.