Differences between revisions 1 and 6 (spanning 5 versions)
Revision 1 as of 2020-11-10 17:59:06
Revision 6 as of 2023-04-04 16:22:16
dnsmasq

dnsmasq(8) is a lightweight DNS server. It also offers DHCP, proxy DHCP, TFTP, and PXE.


Installation

Most Linux and BSD distributions offer a dnsmasq package.

For systemd-capable systems, start and enable dnsmasq.service.

For BSD distributions, try:

service dnsmasq restart

To launch the server on startup, update /etc/rc.conf:

dnsmasq_enable="YES"
dnsmasq_conf="/usr/local/etc/dnsmasq.conf"


Configuration

dnsmasq(8) is configured with a configuration file. It is typically located at /etc/dnsmasq.conf (on Linux distributions) or /usr/local/etc/dnsmasq.conf (on BSD distributions).

Test the configuration using dnsmasq --test.

A basic configuration file is:

listen-address=::1,127.0.0.1
cache-size=150

# DNSSEC
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec

Disable DNS

To disable the DNS features of dnsmasq(8), edit the configuration file such that...

port=0

Recursive DNS

dnsmasq(8) is not a recursive DNS server, so trusted (i.e. DNSSEC) forwarding must be set up. Pursue one of the following configurations:

  1. Configure openresolv as described in this example, and include the below lines in the configuration file:

# Configurations generated by `resolvconf(1)`
conf-file=/etc/dnsmasq-conf.conf
resolv-file=/etc/dnsmasq-resolv.conf
  2. Manually configure /etc/resolv.conf like...

127.0.0.1 localhost
::1       localhost
trust-ad

     ...and configure dnsmasq(8) like...

no-hosts
no-resolv

server=8.8.8.8
server=8.8.4.4

Network DNS

To operate dnsmasq(8) as a DNS server, ensure that it listens on a private address.

listen-address=::1,127.0.0.1,192.168.86.1

Overriding Names

dnsmasq(8) offers a search/replace syntax for forcing names to resolve into hardcoded addresses. Specificity wins, so given...

address=/example.com/1.2.3.4
address=/www.example.com/2.3.4.5

...www.example.com would resolve to 2.3.4.5.

Blacklisting Names

To blacklist a name, use the search/replace syntax and return a blank address.

address=/example.com/

Managed blacklists can be inserted, as with conf-file=/etc/dnsmasq.d/blocklist.conf or conf-dir=/etc/dnsmasq.d/,*.conf.
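The following is an added example (not code from the wiki page or from dnsmasq itself) that evaluates address= overrides the way the two sections above describe: the most specific matching domain wins, a blank address answers NXDOMAIN, and rules may arrive through conf-file= and conf-dir=dir,*.conf includes. The sample configuration tree, the blocklist file and the helper names (load_conf, parse_address_rules, resolve, demo) are constructed for this example; only the positive conf-dir glob filter shown on the page is implemented.

```python
"""Evaluate dnsmasq address=/domain/target rules the way dnsmasq does:
the most specific matching domain wins, and an empty target means the
name and everything under it is answered NXDOMAIN.

Added example, not code from the wiki page or from dnsmasq itself. The
include handling (conf-file=, conf-dir=dir,*.conf) follows the forms shown
on the page; other conf-dir filters are not implemented, and the sample
configuration below is constructed.
"""
import glob
import ipaddress
import os
import tempfile


def load_conf(path):
    """Return the option lines of a dnsmasq config, following conf-file= and
    conf-dir= includes. dnsmasq only treats lines that start with '#' as
    comments, so a '#' elsewhere (e.g. address=/#/...) is kept."""
    lines = []
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            if key == "conf-file":
                lines.extend(load_conf(value))
            elif key == "conf-dir":
                # conf-dir=/etc/dnsmasq.d/,*.conf -> directory plus glob filter(s)
                directory, _, patterns = value.partition(",")
                for pattern in (patterns or "*").split(","):
                    for inc in sorted(glob.glob(os.path.join(directory, pattern))):
                        lines.extend(load_conf(inc))
            else:
                lines.append(line)
    return lines


def parse_address_rules(lines):
    """Turn address=/dom1/dom2/target lines into (domain, target) pairs; a
    blank target (the page's 'blank address') becomes None, i.e. NXDOMAIN."""
    rules = []
    for line in lines:
        key, _, value = line.partition("=")
        if key != "address":
            continue
        parts = value.split("/")  # "/example.com/1.2.3.4" -> ["", "example.com", "1.2.3.4"]
        if len(parts) < 3 or parts[0]:
            raise ValueError("malformed address option: " + line)
        target = parts[-1]
        if target:
            ipaddress.ip_address(target)  # reject non-address targets early
        for domain in parts[1:-1]:
            rules.append((domain.lower().rstrip("."), target or None))
    return rules


def specificity(domain):
    """More labels = more specific; '#' is dnsmasq's match-everything wildcard."""
    return -1 if domain == "#" else domain.count(".") + 1


def matches(domain, name):
    return domain == "#" or name == domain or name.endswith("." + domain)


def resolve(rules, name):
    """Return ("ANSWER", ip), ("NXDOMAIN", domain) or ("FORWARD", None)."""
    name = name.lower().rstrip(".")
    best = None
    for domain, target in rules:
        if matches(domain, name) and (best is None or specificity(domain) > specificity(best[0])):
            best = (domain, target)
    if best is None:
        return ("FORWARD", None)  # no override: the query goes upstream
    if best[1] is None:
        return ("NXDOMAIN", best[0])
    return ("ANSWER", best[1])


# Constructed sample configuration; DROPIN_DIR is filled in by demo().
MAIN_CONF = """\
listen-address=::1,127.0.0.1
address=/example.com/1.2.3.4
address=/www.example.com/2.3.4.5
conf-dir=DROPIN_DIR,*.conf
"""
BLOCKLIST_CONF = """\
# managed blocklist: blank target => NXDOMAIN
address=/ads.example.net/
"""


def demo():
    """Build the constructed config tree in a temp dir and resolve a few names."""
    with tempfile.TemporaryDirectory() as tmp:
        dropin = os.path.join(tmp, "dnsmasq.d")
        os.mkdir(dropin)
        with open(os.path.join(dropin, "blocklist.conf"), "w") as fh:
            fh.write(BLOCKLIST_CONF)
        with open(os.path.join(dropin, "notes.txt"), "w") as fh:
            fh.write("address=/example.org/9.9.9.9\n")  # not *.conf, so never loaded
        main = os.path.join(tmp, "dnsmasq.conf")
        with open(main, "w") as fh:
            fh.write(MAIN_CONF.replace("DROPIN_DIR", dropin))
        rules = parse_address_rules(load_conf(main))
        names = ["www.example.com", "mail.example.com", "notexample.com",
                 "tracker.ads.example.net", "example.org"]
        return {n: resolve(rules, n) for n in names}


if __name__ == "__main__":
    for name, answer in demo().items():
        print(f"{name:28} -> {answer}")
```

Note the boundary check in matches(): notexample.com must not be caught by the example.com rule, which is why the suffix test requires a leading dot rather than a bare endswith(). The notes.txt file in the drop-in directory shows why the ,*.conf filter matters: only files matching the pattern are loaded.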


Troubleshooting

WireGuard Interfaces

The service will fail if one of the listening IPs isn't bindable, as would be the case with a WireGuard interface that has not opened yet.

One solution is to switch to dynamic binding. In /etc/dnsmasq.conf...

bind-dynamic

Note that some distributions vendor configuration files that set bind-interfaces. For example, Ubuntu ships /etc/dnsmasq.d/ubuntu-fan.

Another solution is to ensure that the interface opens first. With systemctl edit dnsmasq...

[Unit]
[email protected]
[email protected]
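The following added example (not code from the wiki page or from dnsmasq) is a small pre-start check for a dnsmasq configuration. It encodes the points made in the Recursive DNS, Network DNS and WireGuard sections: listen addresses should be loopback or private, no-resolv needs at least one server=, dnssec needs trust anchors, and bind-interfaces combined with a non-loopback listen-address will fail at startup if that address is not yet bindable unless bind-dynamic is used. The finding codes, the helper names (parse_conf, lint) and the sample configurations are constructed for this example.

```python
"""Static sanity checks on a dnsmasq configuration before the service starts.

Added example, not code from the wiki page or from dnsmasq. The checks encode
what the page says about listening scope, upstream forwarding, DNSSEC trust
anchors and the bind-interfaces/bind-dynamic failure mode; the finding codes
and the sample configurations are constructed for this example.
"""
import ipaddress


def parse_conf(text):
    """Split a config into bare flags (e.g. dnssec) and key=value options
    (key -> list of values). dnsmasq comments only start a line."""
    flags, values = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            values.setdefault(key, []).append(value)
        else:
            flags.add(key)
    return flags, values


def lint(text):
    """Return (severity, code, detail) findings; an empty list means clean."""
    flags, values = parse_conf(text)
    findings = []

    # port=0 turns the DNS side off entirely, so there is nothing DNS-related left to check.
    if values.get("port") == ["0"]:
        return [("info", "dns-disabled", "port=0")]

    listen = [a.strip() for v in values.get("listen-address", [])
              for a in v.split(",") if a.strip()]
    if not listen and "interface" not in values:
        findings.append(("warn", "listen-everywhere", ""))

    addrs = []
    for addr in listen:
        try:
            addrs.append(ipaddress.ip_address(addr))
        except ValueError:
            findings.append(("error", "bad-address", addr))
    for ip in addrs:
        if ip.is_global:
            findings.append(("warn", "public-listen", str(ip)))

    # With bind-interfaces every listen-address must be bindable at startup;
    # an interface that is still down (e.g. WireGuard) makes the service fail.
    if "bind-interfaces" in flags and "bind-dynamic" not in flags:
        for ip in addrs:
            if not ip.is_loopback:
                findings.append(("warn", "static-bind", str(ip)))

    # no-resolv ignores /etc/resolv.conf, so upstreams must come from server=.
    if "no-resolv" in flags and "server" not in values:
        findings.append(("error", "no-upstream", ""))

    # dnssec needs trust anchors, via trust-anchor= or the shipped anchors file.
    if "dnssec" in flags:
        anchor_files = [f for f in values.get("conf-file", []) if "trust-anchors" in f]
        if not values.get("trust-anchor") and not anchor_files:
            findings.append(("warn", "dnssec-no-anchors", ""))
    return findings


# Constructed sample configurations.
LOCAL_ONLY = """\
listen-address=::1,127.0.0.1
cache-size=150
# DNSSEC
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
"""
WIREGUARD_STATIC = """\
listen-address=::1,127.0.0.1,192.168.86.1,10.8.0.1
bind-interfaces
no-resolv
server=8.8.8.8
server=8.8.4.4
dnssec
"""
PUBLIC_NO_UPSTREAM = """\
listen-address=1.2.3.4
no-resolv
"""

if __name__ == "__main__":
    for label, conf in [("local-only", LOCAL_ONLY), ("wireguard", WIREGUARD_STATIC),
                        ("public", PUBLIC_NO_UPSTREAM), ("disabled", "port=0\n")]:
        print(label, lint(conf) or "clean")
```

Run it on the real file with a one-line wrapper such as lint(open("/etc/dnsmasq.conf").read()); it does not follow conf-file= or conf-dir= includes, so a drop-in that sets bind-interfaces (as the Ubuntu example above does) has to be checked separately. dnsmasq --test remains the authoritative syntax check; this script only flags the operational mistakes discussed on this page.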


See also

dnsmasq(8)



Dnsmasq (last edited 2023-06-22 20:37:33 by DominicRicottone)