Dnsmasq

Dnsmasq is a small utility designed to provide DNS (domain name) services to a small network connected to the internet via a NAT (network address translation, AKA ip-masquerade) firewall and a modem, cable-modem or ADSL connection.

Since a NAT firewall will pass DNS queries it's perfectly possible for all the machines on such a network to be configured to talk directly to the ISP's name server, and the HOWTO recommends doing exactly that. The advantages of using dnsmasq instead are:

  • The DNS configuration of machines behind the firewall is simple and doesn't depend on the details of the ISP's DNS servers.
  • Clients which try to do DNS lookups while a modem link to the internet is down will time out immediately.
  • Dnsmasq will serve names from the /etc/hosts file on the firewall machine: If the names of local machines are there, then they can all be addressed without having to maintain /etc/hosts on each machine.
  • Dnsmasq will serve names from the DHCP leases file on the firewall machine: If machines specify a hostname when they take out a DHCP lease, then they are addressable in the local DNS.
  • Dnsmasq caches internet addresses (A records and AAAA records) and address-to-name mappings (PTR records), reducing the load on upstream servers and improving performance (especially on modem connections). From version 0.95 the cache honours time-to-live information and removes old records as they expire. From version 0.996 dnsmasq does negative caching. From version 1.2 dnsmasq supports IPv6 addresses, both in its cache and in /etc/hosts.
  • Dnsmasq can be configured to automatically pick up the addresses of its upstream nameservers from ppp or dhcp configuration. It will automatically reload this information if it changes. This facility will be of particular interest to maintainers of Linux firewall distributions since it allows DNS configuration to be made automatic.
  • On IPv6-enabled boxes, dnsmasq can both talk to upstream servers via IPv6 and offer DNS service via IPv6. On dual-stack (IPv4 and IPv6) boxes it talks both protocols and can even act as IPv6-to-IPv4 or IPv4-to-IPv6 forwarder.
  • Dnsmasq has one further feature; it can be configured to return an MX record for the firewall host. This makes it easy to configure the mailer on the local machines to forward all mail to the central mailer on the firewall host. Never lose root messages from your machines again!

    Download.

    Download dnsmasq here. The tarball includes this documentation, source, manpage and control files for building .rpms. There are also pre-built i386 .rpms, and a CHANGELOG. Dnsmasq is part of the Debian distribution; it can be downloaded from here or installed using apt.

    Installation.

    To compile and install dnsmasq, the following command (as root) is enough.
    make install
    
    On non-Linux machines, you might want to edit config.h. Dnsmasq has been run on (at least) AIX 4.1.5, FreeBSD 4.4 and Tru64 4.x.

    Dnsmasq should be run on your firewall machine (the machine with the modem or other connection to your ISP). Put the binary in /usr/local/sbin/dnsmasq (running make install will do this) and arrange for it to be started at boot time. Note that dnsmasq needs to run as root, since it binds privileged ports. It will drop root privileges after start-up. Dnsmasq logs problems using the syslog facility as a daemon.

    Building rpms.

    Assuming you have the relevant tools installed, you can rebuild .rpms simply by running (as root)
    rpm -ta dnsmasq-xxx.tar.gz
    

    Configuration.

    Simplest.

    Put the address(es) of your ISP's DNS server(s) in /etc/resolv.conf on the firewall machine, and the names and internal network addresses of all your machines in /etc/hosts on the firewall machine. All the other machines on your network can simply have their own name and localhost in /etc/hosts and should have the address of the firewall machine on the internal network as the only nameserver in /etc/resolv.conf. For Windows machines, use the network applet in the control panel to set the address of the DNS server as the address of the firewall machine.

    Caching for firewall.

    If you want dnsmasq to cache DNS queries for the firewall machine also, simply put "nameserver 127.0.0.1" in /etc/resolv.conf. Put the real nameservers in another file, say /etc/resolv.dnsmasq, and use the -r command line flag to make dnsmasq read that instead of /etc/resolv.conf.

    Automatic DNS server configuration with PPP.

    Later versions of pppd have an option "usepeerdns" which instructs it to write a file containing the address(es) of the DNS servers in /etc/ppp/resolv.conf. Configure dnsmasq as above with "nameserver 127.0.0.1" in /etc/resolv.conf and run dnsmasq with the option "-r /etc/ppp/resolv.conf".

    Automatic DNS server configuration with DHCP.

    On Debian, dhcpcd writes a nameserver file in /etc/dhcpc/resolv.conf, with a link to that at /etc/resolv.conf. Remove the link at /etc/resolv.conf and configure dnsmasq as for PPP, but with the option "-r /etc/dhcpc/resolv.conf". For other DHCP clients and other distros, you might have to patch the source of your DHCP client to achieve the same effect.
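
The three setups above (caching for the firewall, PPP and DHCP) share one layout: /etc/resolv.conf names only 127.0.0.1, and the file given to -r lists the real servers. The shell check below for that layout is an added example, not part of dnsmasq; the function names and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of dnsmasq. Function names are invented here.

# List the nameserver addresses in a resolv.conf-style file.
nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# check_layout LOCAL UPSTREAM
#   LOCAL    - the firewall's own resolver file (/etc/resolv.conf)
#   UPSTREAM - the file handed to dnsmasq with -r
# Prints one line per problem; returns 0 if none were found.
check_layout() {
    local_file=$1; upstream_file=$2; rc=0

    # Debian/dhcpcd case: a leftover link would make LOCAL and the
    # DHCP client's file one and the same, so it has to be removed.
    if [ -L "$local_file" ]; then
        echo "$local_file is a symlink; replace it with a regular file"; rc=1
    fi
    for f in "$local_file" "$upstream_file"; do
        [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    done

    # The firewall itself must query only dnsmasq on loopback.
    local_ns=$(nameservers "$local_file")
    if [ "$local_ns" != "127.0.0.1" ]; then
        echo "$local_file: expected only 'nameserver 127.0.0.1'"; rc=1
    fi

    # The -r file must hold the real upstream servers, never loopback.
    upstream_ns=$(nameservers "$upstream_file")
    [ -n "$upstream_ns" ] || { echo "$upstream_file: no nameserver lines"; rc=1; }
    for ns in $upstream_ns; do
        case $ns in
            127.*|::1) echo "$upstream_file: $ns points back at this host"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files (192.0.2.x is a documentation address range).
demo=$(mktemp -d)
printf 'nameserver 127.0.0.1\n' > "$demo/resolv.conf"
printf 'nameserver 192.0.2.53\nnameserver 192.0.2.54\n' > "$demo/resolv.dnsmasq"
check_layout "$demo/resolv.conf" "$demo/resolv.dnsmasq" && echo "layout OK"
rm -rf "$demo"
```

On a real firewall, call check_layout with /etc/resolv.conf and whichever file is passed to -r (for example /etc/ppp/resolv.conf).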

    Setting up a mailhub.

    If you generate mail on the machines attached to your private network, you may be interested in the MX record feature of dnsmasq. This allows you to have all the machines on your network use your firewall or another machine as a "smarthost" and deliver mail to it. The details of how to set this up are highly dependent on your mailer, system and distribution. (On Debian GNU/Linux, using the smail mailer, there's an option in the smailconfig program to set up this configuration.) The only thing that's relevant to dnsmasq is that the mailer needs to be able to interrogate the DNS and find an MX record for your mailhub.
    dnsmasq -m mailhubname
    
    By starting dnsmasq with the -m option you instruct dnsmasq to serve an MX record for mailhubname. By default the MX record points to the machine on which dnsmasq is running, so mail delivered to that name will get sent to the mailer on your firewall machine. You can have the MX record point to another machine by using the -t command line flag.

    Other configuration details.

    dnsmasq writes its process-id into /var/run/dnsmasq.pid at startup.

    Sending SIGHUP to the dnsmasq process will cause it to empty its cache and then re-load /etc/hosts and /etc/resolv.conf.

    Sending SIGUSR1 to the dnsmasq process will cause it to write cache usage stats to the log.

    The -h option suppresses use of /etc/hosts.

    The -n option suppresses polling of /etc/resolv.conf.

    For a complete listing of options please take a look at the manpage dnsmasq(8).

    If you installed dnsmasq as a Debian package, the various options can be set by editing /etc/init.d/dnsmasq.

    If you installed dnsmasq as an rpm package, set options by editing /etc/rc.d/init.d/dnsmasq.

    License.

    Dnsmasq is distributed under the GPL. See the file COPYING in the distribution for details.

    Contact.

    Dnsmasq was written by Simon Kelley. You can contact me at simon@thekelleys.org.uk. Bug reports, patches, and suggestions for improvements gratefully accepted.