dnsmasq

dnsmasq(8) is a lightweight DNS server. It also offers DHCP, proxy DHCP, TFTP, PXE... none of which will be described here.


Installation

Install the dnsmasq package through your preferred package manager.

For systemd-capable systems, start and enable dnsmasq.service.


Configuration

dnsmasq(8) is configured in /etc/dnsmasq.conf. You can test the configuration using dnsmasq --test.

A basic configuration file is:

listen-address=::1,127.0.0.1
cache-size=150

# DNSSEC
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec

Disable DNS

To disable the DNS features of dnsmasq(8), edit /etc/dnsmasq.conf such that...

port=0

Recursive DNS

dnsmasq(8) is not a recursive DNS server, so trusted (i.e. DNSSEC) forwarding must be set up. Pursue one of the following configurations:

  1. Configure openresolv as described in this example, and include the below lines in /etc/dnsmasq.conf:

# Configurations generated by `resolvconf(1)`
conf-file=/etc/dnsmasq-conf.conf
resolv-file=/etc/dnsmasq-resolv.conf

  2. Manually configure /etc/resolv.conf like...

nameserver 127.0.0.1
nameserver ::1
options trust-ad

...and include the below lines in /etc/dnsmasq.conf:

no-hosts
no-resolv

server=8.8.8.8
server=8.8.4.4

Network DNS

To operate dnsmasq(8) as a DNS server, ensure that it listens on a private address.

listen-address=::1,127.0.0.1,192.168.86.1

Overriding Names

dnsmasq(8) offers a search/replace syntax for forcing names to resolve into hardcoded addresses. Specificity wins, so given...

address=/example.com/1.2.3.4
address=/www.example.com/2.3.4.5

...www.example.com would resolve to 2.3.4.5.

Blacklisting Names

To blacklist a name, use the search/replace syntax and return a blank address.

address=/example.com/

Managed blacklists can be inserted, as with conf-file=/etc/dnsmasq.d/blocklist.conf or conf-dir=/etc/dnsmasq.d/,*.conf.
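
To audit which override or blacklist entry applies to a given name before loading a managed blocklist, the "specificity wins" rule can be modelled as a longest-suffix match over the address= lines. This is an added example, not part of dnsmasq or of the original page; the function names and ads.example.net are assumptions, and it models only plain /domain/address entries.

```python
import ipaddress

# Constructed sample config reusing the address= lines from this page;
# ads.example.net is a made-up blocked name.
SAMPLE_CONF = """\
listen-address=::1,127.0.0.1
# local overrides
address=/example.com/1.2.3.4
address=/www.example.com/2.3.4.5
address=/ads.example.net/
"""


def parse_address_rules(conf_text):
    """Map each domain in an address= line to its address (None = blank, i.e. blocked)."""
    rules = {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("address="):
            continue  # comments and unrelated options
        parts = line[len("address="):].split("/")
        if len(parts) < 3 or parts[0] != "":
            raise ValueError(f"line {lineno}: expected address=/domain/[addr]")
        *domains, addr = parts[1:]
        # Validate the address so a typo is caught before dnsmasq loads the file.
        value = str(ipaddress.ip_address(addr)) if addr else None
        for domain in domains:
            rules[domain.lower().rstrip(".")] = value
    return rules


def match_rule(name, rules):
    """Return (matching domain, address) for the most specific rule, or None."""
    labels = name.lower().rstrip(".").split(".")
    # Try the full name first, then drop leading labels: longest suffix wins,
    # and matching only happens on label boundaries.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return suffix, rules[suffix]
    return None  # no override: the query is forwarded upstream


if __name__ == "__main__":
    rules = parse_address_rules(SAMPLE_CONF)
    for name in ("www.example.com", "mail.example.com", "notexample.com",
                 "tracker.ads.example.net"):
        print(name, "->", match_rule(name, rules))
```

A result of (domain, None) means the name falls under a blank-address (blacklist) entry; a result of None means no address= line covers it.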

