Dnsmasq

dnsmasq(8) is a lightweight DNS server. It also offers DHCP, proxy DHCP, TFTP, and PXE.


Installation

Most Linux and BSD distributions offer a dnsmasq package.

For systemd-capable systems, start and enable dnsmasq.service.

For BSD distributions, try:

service dnsmasq restart

To launch the server on startup, update /etc/rc.conf:

dnsmasq_enable="YES"
dnsmasq_conf="/usr/local/etc/dnsmasq.conf"

Containers

To containerize dnsmasq(8), consider the following Dockerfile as a template.

FROM alpine:latest
RUN apk add --no-cache dnsmasq dumb-init
EXPOSE 53 53/udp
ENTRYPOINT ["/usr/bin/dumb-init", "--"]
CMD ["dnsmasq", "--keep-in-foreground"]

To publish this service on an interface like 10.0.0.1, try:

sudo docker build --tag dnsmasq .
sudo docker run --detach --name my-dnsmasq \
  --restart=always \
  --mount type=bind,src=/path/to/dnsmasq.conf,target=/etc/dnsmasq.conf,readonly \
  --publish 10.0.0.1:53:53/udp \
  dnsmasq


Configuration

dnsmasq(8) is configured with a configuration file. This typically is located in either /etc/dnsmasq.conf (for Linux distributions) or /usr/local/etc/dnsmasq.conf (for BSD distributions).

Test the configuration using dnsmasq --test.

A basic configuration file is:

# Answer only on loopback; add a LAN address here to serve other hosts
listen-address=::1,127.0.0.1
# Number of cached names (150 is the dnsmasq default)
cache-size=150

# DNSSEC validation, using the root trust anchors shipped with dnsmasq
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec

Disable DNS

To disable the DNS features of dnsmasq(8), edit the configuration file such that...

port=0

Recursive DNS

dnsmasq(8) is not a recursive DNS server, so trusted (i.e. DNSSEC-validating) forwarding must be set up. Pursue one of the following configurations:

  1. Configure openresolv and include the below lines in the configuration file:

# Configurations generated by `resolvconf(1)`
conf-file=/etc/dnsmasq-conf.conf
resolv-file=/etc/dnsmasq-resolv.conf

  2. Manually configure like...

# The next three lines are not dnsmasq.conf options: the first two are
# hosts(5) entries and trust-ad is a resolv.conf(5) option, so dnsmasq --test
# rejects them. Keep them in those files; they are left here as comments.
# 127.0.0.1 localhost
# ::1       localhost
# trust-ad

# Ignore /etc/hosts and /etc/resolv.conf; use only the upstreams below
no-hosts
no-resolv

# Hardcoded upstream resolvers (Google Public DNS)
server=8.8.8.8
server=8.8.4.4

Network DNS

To operate dnsmasq(8) as a DNS server, ensure that it listens on a private address.

listen-address=::1,127.0.0.1,192.168.86.1

Provide an additional hosts(5) file (e.g. /etc/dnsmasq.hosts) by configuring like:

# Ignore /etc/hosts and /etc/resolv.conf
no-hosts
no-resolv

# Serve names from this hosts(5)-format file instead of /etc/hosts
addn-hosts=/etc/dnsmasq.hosts

# Forward everything else to these upstreams
server=8.8.8.8
server=8.8.4.4
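A check for the listen-address advice above and for the basic configuration earlier on this page, as an added Python example that is not part of the original page or of dnsmasq itself: it parses a dnsmasq.conf and reports listen addresses that are neither loopback nor private, server= lines used without no-resolv (in which case dnsmasq also takes upstreams from /etc/resolv.conf), and a missing dnssec option. Both sample configurations are constructed here; the weak one reuses 1.2.3.4 from the Overriding Names section as a deliberately public address.

```python
import ipaddress

# Constructed sample: the Network DNS configuration from this page plus DNSSEC.
SAMPLE_CONF = """\
listen-address=::1,127.0.0.1,192.168.86.1
cache-size=150
no-hosts
no-resolv
addn-hosts=/etc/dnsmasq.hosts
server=8.8.8.8
server=8.8.4.4
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
"""

# Constructed weak sample: a public listen address (1.2.3.4 is the page's
# placeholder address), server= without no-resolv, and no dnssec.
WEAK_CONF = """\
listen-address=::1,127.0.0.1,1.2.3.4
server=8.8.8.8
"""


def parse_conf(text):
    """Parse dnsmasq.conf text into (option, value) pairs.

    Comments and blank lines are skipped; flag options such as 'dnssec'
    and 'no-resolv' carry the value None.
    """
    options = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            options.append((key.strip(), value.strip()))
        else:
            options.append((line, None))
    return options


def exposed_listen_addresses(options):
    """Return listen-address entries that are neither loopback nor private.

    listen-address takes a comma-separated list, so each entry is split.
    """
    exposed = []
    for key, entry in options:
        if key != "listen-address":
            continue
        for addr in entry.split(","):
            addr = addr.strip()
            ip = ipaddress.ip_address(addr)
            if not (ip.is_loopback or ip.is_private):
                exposed.append(addr)
    return exposed


def audit(text):
    """Return a list of findings for a dnsmasq.conf; an empty list means clean."""
    options = parse_conf(text)
    keys = {k for k, _ in options}
    findings = []
    for addr in exposed_listen_addresses(options):
        findings.append(f"listen-address {addr} is neither loopback nor private")
    if "server" in keys and "no-resolv" not in keys:
        # Without no-resolv, upstreams from /etc/resolv.conf are used as well,
        # so the hardcoded server= lines are not the only forwarders.
        findings.append("server= is set but no-resolv is missing; "
                        "/etc/resolv.conf upstreams are also used")
    if "dnssec" not in keys:
        findings.append("dnssec is not enabled; upstream answers are not validated")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("weak", WEAK_CONF)):
        print(label, audit(conf) or ["clean"])
```

Run it against a real file with `audit(open("/etc/dnsmasq.conf").read())`; it does not follow conf-file or conf-dir includes, so vendor drop-ins under /etc/dnsmasq.d/ need to be checked separately.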

Overriding Names

dnsmasq(8) offers a search/replace syntax for forcing names to resolve into hardcoded addresses. Specificity wins, so given...

address=/example.com/1.2.3.4
address=/www.example.com/2.3.4.5

...www.example.com would resolve to 2.3.4.5.

Note that this breaks reverse DNS.

Blacklisting Names

To blacklist a name, use the search/replace syntax and return a blank address.

address=/example.com/

Managed blacklists can be inserted, as with conf-file=/etc/dnsmasq.d/blocklist.conf or conf-dir=/etc/dnsmasq.d/,*.conf.
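The longest-match rule from Overriding Names and the blank-address rule from Blacklisting Names, carried through as an added Python example that is not code from this page or from dnsmasq: it models how a query is answered given address= rules, an addn-hosts file and server= upstreams. Hosts entries are checked first, following the dnsmasq manual's note that address= applies to queries not answered from /etc/hosts; among address= rules the most specific (longest) matching domain wins, and a blank address yields NXDOMAIN. The configuration reuses the page's rules and upstreams, while the hosts file, nas.lan and printer.lan are constructed.

```python
# Constructed configuration: the address= rules from this page plus a
# blacklisted domain, and the page's two upstreams.
SAMPLE_CONF = """\
address=/example.com/1.2.3.4
address=/www.example.com/2.3.4.5
address=/ads.example.net/
server=8.8.8.8
server=8.8.4.4
"""

# Constructed addn-hosts file in hosts(5) format: address, name, aliases.
SAMPLE_HOSTS = """\
192.168.86.10 nas.lan nas
192.168.86.11 printer.lan
"""


def parse_rules(text):
    """Return ({domain: address or None}, [upstreams]) from address=/server= lines."""
    rules, upstreams = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("address=/"):
            domain, _, addr = line[len("address=/"):].partition("/")
            rules[domain.lower()] = addr or None  # blank address => NXDOMAIN
        elif line.startswith("server="):
            upstreams.append(line[len("server="):])
    return rules, upstreams


def parse_hosts(text):
    """Return {name: address} from a hosts(5) file, aliases included."""
    hosts = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                hosts[name.lower()] = fields[0]
    return hosts


def matching_rule(name, rules):
    """Most specific address= rule for name: the longest domain that equals
    name or is a parent of it ('notexample.com' must not match 'example.com')."""
    best = None
    for domain in rules:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return best


def resolve(name, rules, hosts, upstreams):
    """Decide how an A query for name is answered.

    Returns (kind, payload) where kind is one of:
      'hosts'    - answered from the hosts file (checked before address= rules)
      'address'  - forced by an address= rule
      'nxdomain' - blacklisted by a blank address= rule
      'forward'  - sent to the server= upstream list
    """
    name = name.lower().rstrip(".")
    if name in hosts:
        return "hosts", hosts[name]
    domain = matching_rule(name, rules)
    if domain is not None:
        addr = rules[domain]
        return ("address", addr) if addr else ("nxdomain", None)
    return "forward", list(upstreams)


if __name__ == "__main__":
    rules, upstreams = parse_rules(SAMPLE_CONF)
    hosts = parse_hosts(SAMPLE_HOSTS)
    for query in ("www.example.com", "mail.example.com", "notexample.com",
                  "tracker.ads.example.net", "nas"):
        print(query, "->", resolve(query, rules, hosts, upstreams))
```

The dot-prefixed suffix test in matching_rule is the detail that matters: a plain endswith would let address=/example.com/ capture notexample.com, silently overriding names the rule was never meant to cover.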


Troubleshooting

WireGuard Interfaces

The service will fail if one of the listening IPs isn't bindable, as would be the case with a WireGuard interface that has not opened yet.

One solution is to switch to dynamic binding. In /etc/dnsmasq.conf...

bind-dynamic

Note that some distributions ship vendor configuration that sets bind-interfaces instead. For example, Ubuntu ships /etc/dnsmasq.d/ubuntu-fan.

Another solution is to ensure that the interface opens first. With systemctl edit dnsmasq, add ordering and requirement dependencies on the WireGuard interface's unit; for an interface managed by wg-quick that unit is wg-quick@<interface>.service, where <interface> is a placeholder for the interface name...

[Unit]
After=wg-quick@<interface>.service
Requires=wg-quick@<interface>.service


See also

dnsmasq(8)


CategoryRicottone

Dnsmasq (last edited 2023-06-22 20:37:33 by DominicRicottone)