3 <TITLE> Configuring Dnsmasq.
</TITLE>
6 <H1 ALIGN=center
>Dnsmasq setup
</H1>
8 To compile and install dnsmasq, the following command (as root) is enough.
14 You might want to edit config.h. Dnsmasq has
15 been run on (at least) Linux, uCLinux, AIX
4.1.5, FreeBSD
4.4 OpenBSD and Tru64
4.x
17 Dnsmasq is normally run on a firewall machine (the machine with the
18 modem or other connection to your ISP.) but it can run on any machine
19 with access to the ISPs nameservers.
21 Put the binary in
<TT>/usr/local/sbin/dnsmasq
</TT> (running
<TT>make install
</TT> will do this) and arrange for it
22 to be started at boot time.
24 Note that dnsmasq needs to run as root, since it binds privileged ports. It will drop root privileges after start-up. Dnsmasq
25 logs problems using the syslog facility as a daemon. It logs debugging
28 <H2>Configuration.
</H2>
29 Configuration for dnsmasq is pretty simple in almost all cases. The
30 program has collected a fair few options as it has developed but most of them
31 are not needed most of the time. A machine which already has a DNS
32 configuration (ie one or more external nameservers in
<TT>/etc/resolv.conf
</TT>
33 and any local hosts in
<TT>/etc/hosts
</TT>) can be turned into a nameserver
34 simply by running dnsmasq, with no options or configuration at
35 all. Set the IP address of the machine running dnsmasq as the DNS
36 server in all the other machines on your network, and you're done.
38 With a few option flags, it is possible to make dnsmasq do more clever
39 tricks. Options for dnsmasq can be set either on the command line
40 when starting dnsmasq, or in its configuration file,
<TT>/etc/dnsmasq.conf
</TT>.
42 <h2>Making the nameserver machine use dnsmasq.
</h2>
43 In the simple configuration described above, processes local to the
44 machine will not use dnsmasq, since they get their information about
45 which nameservers to use from /etc/resolv.conf, which is set to the
46 upstream nameservers. To fix this, simply replace the nameserver in
47 <TT>/etc/resolv.conf
</TT> with the local address
127.0.0.1 and give the
48 address(es) of the upstream nameserver(s) to dnsmasq directly. You can
49 do this using either the
<TT>server
</TT> option, or by putting them into
50 another file, and telling dnsmasq about its location with
51 the
<TT>resolv-file
</TT> option.
53 <h2>Automatic nameserver configuration.
</h2>
54 The two protocols most used for automatic IP network configuration
55 (PPP and DHCP) can determine the IP addresses for nameservers automatically.
56 The daemons can be made to write out a file in the resolv.conf format with the
57 nameservers in which is perfect for dnsmasq to use. When the
58 nameservers change, for instance on dialling into a new ISP using PPP,
59 dnsmasq will automatically re-read this file and begin using the new
60 nameserver(s) completely transparently.
62 <h3>Automatic DNS server configuration with PPP.
</h3>
63 Later versions of pppd have an option
"usepeerdns" which instructs it to write a file containing
64 the address(es) of the DNS severs in
<TT>/etc/ppp/resolv.conf
</TT>. Configure dnsmasq
65 as above with
"nameserver 127.0.0.1" in
<TT>/etc/resolv.conf
</TT> and run dnsmasq
66 with to option
<TT>resolv-file=/etc/ppp/resolv.conf
</TT>.
68 On Redhat (at least versions
7.1,
7.2 and
7.3) you can set pppd
69 options by adding
"PPPOPTIONS=usepeerdns" to
70 <TT>/etc/sysconfig/network-scripts/ifcfg-ippp0
</TT>. In the same file, make sure
71 that
"PEERDNS=no" to stop RedHat's network initscripts from copying
72 <TT>/etc/ppp/resolv.conf
</TT> into
<TT>/etc/resolv.conf
</TT>.
<BR>
74 On SuSE (at least version
8.1, and
8.2) you should use YaST to activate
75 <TT>[x] Modify DNS when connected
</TT> then stop SuSEs network initscripts
76 from copying
<TT>/etc/ppp/resolv.conf
</TT> into
<TT>/etc/resolv.conf
</TT>
77 by modifying
MODIFY_RESOLV_CONF_DYNAMICALLY=
"no" in
<TT>/etc/sysconfig/network/config
</TT>.
80 <h3>Automatic DNS server configuration with DHCP.
</h3>
81 You need to get your DHCP client to write the addresse(s) of the DNS
82 servers to a file other than
<TT>/etc/resolv.conf
</TT>. For dhcpcd, the
83 <TT>dhcpcd.exe
</TT> script gets run with the addresses of the nameserver(s) in
84 the shell variable
<TT>$DNS
</TT>. The following bit of shell script
85 uses that to write a file suitable for dnsmasq.
88 echo -n
>|/etc/dhcpc/resolv.conf
90 for serv in $dnsservs; do
91 echo
"nameserver $serv" >>/etc/dhcpc/resolv.conf
96 Remember to give dhcpcd the
<TT>-R
</TT> flag to stop it overwriting
97 <TT>/etc/resolv.conf
</TT>.
100 For other DHCP clients it should be possible to achieve the same effect.
102 <h3> DHCP and PPP.
</h3>
103 On a laptop which may potentially connect via a modem and PPP or
104 ethernet and DHCP it is possible to combine both of the above
105 configurations. Running dnsmasq with the flags
106 <TT>resolv-file=/etc/ppp/resolv.conf resolv-file=/etc/dhcpc/resolv.conf
</TT>
107 makes it poll
<B>both
</B> files and use whichever was updated
108 last. The result is automatic switching between DNS servers.
111 <H2> Integration with DHCP.
</H2>
112 Dnsmasq reads
<TT>/etc/hosts
</TT> so that the names of local machines are
113 available in DNS. This is fine when you give all your local machines
114 static IP addresses which can go in
<TT>/etc/hosts
</TT>, but it doesn't work
115 when local machines are configured via DHCP, since the IP address
116 allocated to machine is not fixed. Dnsmasq comes with an integrated
117 DHCP daemon to solve this problem.
119 The dnsmasq DHCP daemon allocates addresses to hosts on the network and tries
120 to determine their names. If it succeeds it add the name and address
121 pair to the DNS. There are basically two ways to associate a name with
122 a DHCP-configured machine; either the machine knows its name which it
123 gets a DHCP lease, or dnsmasq gives it a name, based on the MAC
124 address of its ethernet card. For the former to work, a machine needs to know its name when it
125 requests a DHCP lease. For dhcpcd, the -h option specifies this. The
126 names may be anything as far as DHCP is concerned, but dnsmasq adds
127 some limitations. By default the names must no have a domain part, ie
128 they must just be a alphanumeric name, without any dots. This is a
129 security feature to stop a machine on your network telling DHCP that
130 its name is
"www.microsoft.com" and thereby grabbing traffic which
131 shouldn't go to it. A domain part is only allowed by dnsmasq in DHCP machine names
132 if the
<TT>domain-suffix
</TT> option is set, the domain part must match the
135 As an aside, make sure not to tell DHCP to set the hostname when it
136 obtains a lease (in dhcpcd that's the -H flag.)
137 This is not reliable since the DHCP server gets the
138 hostname from DNS which in this case is dnsmasq. There is a race
139 condition because the host's name in the DNS may change as a
140 result of it getting a DHCP lease, but this does not propagate before
141 the name is looked up. The net effect may be that the host believes it
142 is called something different to its name in the DNS. To be safe, set
143 the hostname on a machine locally, and pass the same name to DHCP when
146 <H2>Setting up a mailhub.
</H2>
147 If you generate mail on the machines attached to your private network, you may
148 be interested in the MX record feature of dnsmasq. This allows you to have all
149 the machines on your network use your firewall or another machine as a
"smarthost" and
150 deliver mail to it. The details of how to set this up are highly dependent on
151 your mailer, system and distribution. The only thing that's relevant to dnsmasq is that the mailer
152 needs to be able to interrogate the DNS and find an MX record for your mailhub.
154 By giving dnsmasq the
<TT>mx-host
</TT> option
155 you instruct dnsmasq to serve an MX record for the specified address.
156 By default the MX record
157 points to the machine on which dnsmasq is running, so mail delivered to that
158 name will get sent to the mailer on your firewall machine. You can
159 have the MX record point to another machine by using the
<TT>mx-target
</TT>
162 In some cases it's useful for all local machines to see an MX record
163 pointing at themselves: this allows mailers which insist on an MX record and
164 don't fall back to A records to deliver mail within the
165 machine. These MX records are enabled using the
<TT>selfmx
</TT> option.
167 <H2>Using special servers.
</H2>
168 Dnsmasq has the ability to direct DNS queries for certain domains to
169 specific upstream nameservers. This feature was added for use with
170 VPNs but it is fully general. The scenario is this: you have a
171 standard internet connection via an ISP, and dnsmasq is configured to
172 forward queries to the ISP's nameservers, then you make a VPN
173 connection into your companies network, giving access to hosts inside
174 the company firewall. You have access, but since many of the internal hosts
175 aren't visible on the public internet, your company doesn't publish
176 them to the public DNS and you can't get their IP address from the ISP
177 nameservers. The solution is to use the companies nameserver for
178 private domains within the company, and dnsmasq allows this. Assuming
179 that internal company machines are all in the domain internal.myco.com
180 and the companies nameserver is at
192.168.10.1 then the option
181 <TT>server=/internal.myco.com/
192.168.10.1</TT> will direct all
182 queries in the internal domain to the correct nameserver. You can
183 specify more than one domain in each server option. If there is
184 more than one nameserver just include as many
185 <TT>server
</TT> options as is needed to specify them all.
187 <H2>Local domains.
</H2>
188 Sometimes people have local domains which they do not want forwarded
189 to upstream servers. This is accomodated by using server options
190 without the server IP address. To make things clearer
<TT>local
</TT>
191 is a synonym for
<TT>server
</TT>. For example the option
192 <TT>local=/localnet/
</TT> ensures that any domain name query which ends in
193 <TT>.localnet
</TT> will be answered if possible from
194 <TT>/etc/hosts
</TT> or DHCP, but never sent to an upstream server.
196 <H2>Defeating wildcards in top level domains.
</H2>
197 In September
2003 Verisign installed a wildcard record in the .com and
198 .net top level domains. The effect of this is that queries for
199 unregistered .com and .net names now return the address of Verisign's
200 sitefinder service, rather than a
"no such domain" response. To
201 restore the correct behaviour, you can tell dnsmasq the address of the
202 sitefinder host and have it substitute an NXDOMAIN reply when it sees
203 that address. The sitefinder address is currently
64.94.110.11, so
204 giving the option
<TT>bogus-nxdomain=
64.94.110.11</TT> will enable
205 this facility for Verisign. If other TLDs do that same thing you can
206 add the correct addresses for them too. See the dnsmasq FAQ for more
207 details on the
<TT>bogus-nxdomain
</TT> option.
209 <H2>Other configuration details.
</H2>
210 By default dnsmasq offers DNS service on all the configured interfaces
211 of a host. It's likely that you don't (for instance) want to offer a
212 DNS service to the world via an interface connected to ADSL or
213 cable-modem so dnsmasq allows you to specify which interfaces it will
214 listen on. Use either the
<TT>interface
</TT> or
<TT>address
</TT> options to do this.
216 The
<TT>filterwin2k
</TT> option makes dnsmasq ignore certain DNS requests which
217 are made by Windows boxen every few minutes. The requests generally
218 don't get sensible answers in the global DNS and cause trouble by
219 triggering dial-on-demand internet links.
221 Sending SIGHUP to the dnsmasq process will cause it to empty its cache and
222 then re-load
<TT>/etc/hosts
</TT> and
<TT>/etc/resolv.conf
</TT>.
223 <P> Sending SIGUSR1 (killall -
10 dnsmasq) to the dnsmasq process will
224 cause to to write cache usage statisticss to the log, typically
225 <TT>/var/log/syslog
</TT> or
<TT>/var/log/messages
</TT>.
226 <P> The
<TT>log-queries
</TT> option tells dnsmasq to verbosely log the queries
227 it is handling and causes SIGUSR1 to trigger a complete dump of the
228 contents of the cache to the syslog.
230 <P>For a complete listing of options please take a look at the manpage