Dnsmasq

Dnsmasq is small utility designed to provide DNS (domain name) services to a small network connected to the internet via a NAT (network address translation, AKA ip-masquerade) firewall and a modem, cable-modem or ADSL connection.

Since a NAT firewall will pass DNS queries it's perfectly possible for all the machines on such a network to be configured to talk directly to the ISP's name server, and the HOWTO recommends doing exactly that. The advantages of using dnsmasq instead are:

  • The dns configuration of machines behind the firewall is simple and doesn't depend on the details of the ISP's dns servers
  • Clients which try to do DNS lookups while a modem link to the internet is down will time out immediately.
  • Dnsmasq will serve names from the /etc/hosts file on the firewall machine: If the names of local machines are there, then they can all be addressed without having to maintain /etc/hosts on each machine.
  • Dnsmasq caches internet addresses (A records) and adrress-to-name mappings (PTR records), reducing the load on upsteam servers and improving performance (especially on modem connections). From version 0.95 the cache honours Time-to-live information and expires old records as they expire.
  • Dnsmasq can be configured to automatically pick up the addresses of it's upstream nameservers from ppp or dhcp configuration. It will automatically reload this information of it changes. This facility will be of particular interest to maintainer of Linux firewall distributions since it allows dns configuration to be made automatic.

    • Dnsmasq has one further feature; it can be configured to return an MX record for the firewall host. This makes it easy to configure the mailer on the local machines to forward all mail to the central mailer on the firewall host. Never lose root messages from your machines again!

    Download.

    Download dsmasq here. The tarballs includes this documentation, source, and a binary linked against glibc2.1 for Linux-i386. There are also i386 .debs.

    A very simple INSTALL script is provided which will compile dnsmasq if necessary and install the binary and man page.

    If you wish to compile the source yourself, the following command is enough. 

    gcc -o dnsmasq dnsmasq.c

    Installation.

    Dnsmasq should be run on your firewall machine (the machine with the modem connection to your ISP.) Put the binary in /usr/local/sbin/dnsmasq (The INSTALL script will do this) and arrange for it to be started at boot time. Note that dnsmasq needs to run as root, since it binds priveliged ports. It logs problems using the syslog facility as a daemon.

    Configuration.

    Simplest.

    Put the address(es) of your ISP's DNS server(s) in /etc/resolv.conf on the firewall machine, and the names and internal network addresses of all your machines in /etc/hosts on the firewall machine. All the other machines on your network can simply have their own name and localhost in /etc/hosts and should have the address of the firewall machine on the internal network as the only nameserver in /etc/resolv.conf. For windows machines use the network applet in the control panel to set the address of the DNS server as the address of the firewall machine.

    Cacheing for firewall.

    If you want dnsmasq to cache DNS queries for the firewall machine also, simply put "nameserver 127.0.0.1" in /etc/resolv.conf. Put the real nameservers in another file, say /etc/resolv.dnsmasq, and use the -r command line flag to make dnsmasq read that instead of /etc/resolv.conf.

    Automatic DNS server configuration with PPP.

    pppd has an option "usepeerdns" which instructs it to write a file containing the address(es) of the dns severs in /etc/ppp/resolv.conf. Configure dnsmasq as above with "nameserver 127.0.0.1" in /etc/resolv.conf and run dnsmasq with to option "-r /etc/ppp/resolv.conf"

    Automatic DNS server configuration with DHCP.

    dhcpcd writes a nameserver file in /etc/dhcpc/resolv.conf, so configure dnsmasq as for PPP, but with the option "-r /etc/dhcpc/resolv.conf". I assume other DHCP clients such as pump have similar facilities. See their documentation for details.

    Setting up a mailhub.

    If you generate mail on the machines attached to your private network, you may be interested in the MX record feature of dnsmasq. This allows you to have all the machines on your network use your firewall machine as a "smarthost" and deliver mail to it. The details of how to set this up are highly dependent on your mailer, system and distribution. (On Debian GNU/Linux, using the smail mailer, there's an option in the smailconfig program to set up this configuration.) The only thing that's relevant to dnsmasq is that the mailer needs to be able to interogate the DNS and find an MX record for your mailhub. By starting dnsmasq with the -m option 
    dnsmasq -m mailhubname
    you instruct dnsmasq to server an MX record for mailhubname. The MX record always points to the machine on which dnsmasq is running, so mail delivered to that name will get sent to the mailer on your firewall machine.

    Other configuration details.

    dnsmasq writes its process-id into /var/run/dnsmasq.pid at startup.

    Sending SIGHUP to the dnsmasq process will cause it to empty it's cache and re-load /etc/hosts.

    The -h option suppresses use of /etc/hosts.

    License.

    Dnsmasq is distributed under the GPL. See the file COPYING in the distribution for details.

    Contact.

    Dnsmasq was written by Simon Kelley. You can contact me at simon@thekelleys.org.uk. Bugreports, patches, and sugestions for improvements gratefully accepted.