Line 121: | Line 121: |
`dnsmasq.service` will fail if one of the listening IPs isn't bindable, as would be the case with a WireGuard interface. | `dnsmasq.service` will fail if one of the listening IPs isn't bindable, as would be the case with a [[Encryption/WireGuard|WireGuard]] interface. |
dnsmasq
dnsmasq(8) is a lightweight DNS server. It also offers DHCP, proxy DHCP, TFTP, PXE... none of which will be described here.
Installation
Install the dnsmasq package through your preferred package manager.
For systemd-capable systems, start and enable dnsmasq.service.
Configuration
dnsmasq(8) is configured in /etc/dnsmasq.conf. You can test the configuration using dnsmasq --test.
A basic configuration file is:
listen-address=::1,127.0.0.1
cache-size=150

# DNSSEC
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
Disable DNS
To disable the DNS features of dnsmasq(8), edit /etc/dnsmasq.conf such that...
port=0
Recursive DNS
dnsmasq(8) is not a recursive DNS server, so trusted (i.e. DNSSEC) forwarding must be set up. Pursue one of the following configurations:
Configure openresolv as described in this example, and include the below lines in /etc/dnsmasq.conf:
# Configurations generated by `resolvconf(1)`
conf-file=/etc/dnsmasq-conf.conf
resolv-file=/etc/dnsmasq-resolv.conf
Manually configure /etc/resolv.conf like...
nameserver 127.0.0.1
nameserver ::1
options trust-ad
...and manually configure /etc/dnsmasq.conf like...
no-hosts
no-resolv
server=8.8.8.8
server=8.8.4.4
Network DNS
To operate dnsmasq(8) as a DNS server, ensure that it listens on a private address.
listen-address=::1,127.0.0.1,192.168.86.1
Overriding Names
dnsmasq(8) offers a search/replace syntax for forcing names to resolve into hardcoded addresses. Specificity wins, so given...
address=/example.com/1.2.3.4
address=/www.example.com/2.3.4.5
...www.example.com would resolve to 2.3.4.5.
Blacklisting Names
To blacklist a name, use the search/replace syntax and return a blank address.
address=/example.com/
Managed blacklists can be inserted, as with conf-file=/etc/dnsmasq.d/blocklist.conf or conf-dir=/etc/dnsmasq.d/,*.conf.
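A managed blocklist is third-party input that ends up inside dnsmasq's configuration, so each entry should be validated before it becomes an `address=/name/` line. The following is an added example, not part of the original page: it converts a hosts-style or plain domain feed into such a file and rejects lines that would smuggle in other directives or answers. The function names and the sample feed are constructed for illustration.

```python
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")
# Sinkhole addresses that hosts-style feeds put in front of the name.
_SINK_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_entry(line):
    """Return a validated lowercase domain from one feed line, or None."""
    fields = line.split("#", 1)[0].split()
    if fields and fields[0] in _SINK_IPS:
        fields = fields[1:]
    if len(fields) != 1:
        return None  # blank, comment-only, or extra tokens
    name = fields[0].lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return None  # too long, single label (e.g. localhost), or an IP literal
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None  # rejects '/', '=', ',' and anything else outside a hostname
    return name


def build_blocklist(feed_text):
    """Return (config_text, rejected_lines) for a dnsmasq conf-file."""
    names, rejected = set(), []
    for raw in feed_text.splitlines():
        name = parse_entry(raw)
        if name:
            names.add(name)
        elif raw.split("#", 1)[0].strip():
            rejected.append(raw)  # keep for review instead of dropping silently
    config = "".join(f"address=/{n}/\n" for n in sorted(names))
    return config, rejected


# Constructed sample feed: valid entries, a duplicate, and hostile lines.
SAMPLE_FEED = """\
0.0.0.0 ads.example.com
tracker.example.net   # inline comment
ADS.example.com.
0.0.0.0 localhost
evil.example/10.0.0.1
server=/bank.example/203.0.113.7
"""

if __name__ == "__main__":
    print(build_blocklist(SAMPLE_FEED)[0], end="")
```

Write the returned text to the file referenced by conf-file= (or into the conf-dir= directory) and run dnsmasq --test before restarting the service.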
Troubleshooting
WireGuard Interfaces
dnsmasq.service will fail if one of the listening IPs isn't bindable, as would be the case with a WireGuard interface.
One solution is to switch to dynamic binding. In /etc/dnsmasq.conf...
bind-dynamic
Note that some distributions vendor configurations that set bind-interfaces. For example, Ubuntu ships /etc/dnsmasq.d/ubuntu-fan.
Another solution is to force systemd to start [email protected] first. With systemctl edit dnsmasq...
[Unit]
[email protected]
[email protected]