In a DNS bind? Get Out With dnsmasq

By Carla Schroder | Jul 6, 2004 | Print this Page
http://www.enterprisenetworkingplanet.com/netsysm/article.php/10954_3377351_2/In-a-DNS-bind-Get-Out-With-dnsmasq.htm

There you are on your small home LAN, or small business, feeling ignored by the Linux world. You want to take advantage of nice labor-saving tools like DHCP (dynamic host configuration protocol) and DNS (domain name system), but it feels like only uber-geeks need apply.

Feel ignored no more, for there is an excellent DNS/DHCP utility for real people: Dnsmasq. Dnsmasq is especially suited for small networks that share a single Internet connection, behind a NAT firewall. Creative admins will find all sorts of ways to put Dnsmasq to work; this article will focus on simple local DNS and DHCP.

What's the Big Deal, Anyway

DNS is simply matching names to numbers. DHCP is simply automatically assigning an IP address, and optionally other information, from a pool of addresses. Dnsmasq leans the entire process down to a few essential bits. You probably wouldn't want to use it to power an ISP, but then this article isn't aimed at gigantic mondo users with complex needs anyway: Think branch office.

Starting and Stopping Dnsmasq

The Dnsmasq .debs and .rpms come with init scripts. Start, restart, and stop in the usual manner:

# /etc/init.d/dnsmasq start
# /etc/init.d/dnsmasq restart
# /etc/init.d/dnsmasq stop

Local Caching Nameserver

Setting up a local caching nameserver is a common chore. By caching DNS requests locally, your users will see faster network response times. Any PC on your LAN can be the local nameserver cache. Install Dnsmasq on this PC.

In small LANs that share a single Internet connection, typically all the hosts use the ISP's (internet service provider) nameservers. This is configured in /etc/resolv.conf:

nameserver 12.345.678.8
nameserver 12.345.678.9

Leave this configuration on your local nameserver. On all the other PCs in your LAN, make this the only entry in /etc/resolv.conf:

nameserver 192.168.1.10

Windows PCs are configured in "Network and Dial-up Connections." Any time your primary nameservers change, the only change you need to make is on your local nameserver. Yes, that's easy, like it should be.

Easy Local DNS Server

Maintaining /etc/hosts files on more than three or four PCs gets to be a pain. Running BIND is a far bigger pain. djbdns is a lovely DNS server, and is my personal favorite. But nothing beats Dnsmasq for simple administration and setup. With Dnsmasq, you only need to maintain the /etc/hosts file on the Dnsmasq server:

127.0.0.1                localhost
192.168.1.5            mail1
192.168.1.100        workstation1
192.168.1.101        workstation2
192.168.1.102        workstation3
192.168.1.103        workstation4

What, you say, why no domain names? Everyone knows that domain names have to go in /etc/hosts. Stay tuned, my little Grasshoppers, and all will be revealed.

DHCP Server

The simplest way to use the DHCP server in Dnsmasq is to set the hostnames on each host on your LAN. Then make these edits to /etc/dnsmasq.conf:

expand-hosts
domain=test.net (use your own domain here, of course)
dhcp-range=192.168.1.100,192.168.1.150,168h

The first line automatically expands the hostnames to include the domain name, which is specified on the next line. The third line shows how to set a range of IP addresses for your DHCP pool, with a 168-hour lease. You can set the lease to any interval you like, either in hours (h) or minutes (m) or infinite, for a permanent lease.

Setting Hostnames Correctly
The key to making all this work nicely is to have hostnames correctly configured on your PCs. On most Linux systems, you must edit /etc/hostname. /etc/hostname sets only the system's hostname:

workstation1

On Red Hat and Fedora, you must edit /etc/sysconfig/network instead of /etc/hostname:

HOSTNAME=workstation1

Anytime you change the hostname, you must reboot. Then you can check your work with the hostname command:

$ hostname
workstation1

Foiling Sitefinder and Related Foolishnesses

Verisign's Sitefinder has gone away, for the moment, but they are making noises about trying again. A number of registries for various domains still do it. For those who have mercifully erased this nonsense from their memory banks: Sitefinder, instead of returning a proper NXDOMAIN response for non-existent .com and .net addresses, instead re-directed to a Verisign search page. Which broke DNS, messed up applications that depended on accurate DNS queries, subjected users to yet more advertising, and did not help anyone at all. Except Verisign, who collected ad revenue.

As usual, the tech community swiftly responded with various workarounds. Should Sitefinder return, or you encounter other that registries implement a similar "service", Dnsmasq can foil it. Simply enter the offending IP address in /etc/dnsmasq.conf:

bogus-nxdomain=64.94.110.11

That was the IP used by Sitefinder, so all DNS redirected to that IP is considered bogus, and forced to return a proper NXDOMAIN response. This page has a list of other offending IPs that do, or have done, the same thing. Testing for this DNS-breaking silliness is simple enough, using the host command and bogus addresses:

$ host jd89hv8eef09jvoiuew90ofhjyfhf.ws
jd89hv8eef09jvoiuew90ofhjyfhf.ws has address 216.35.187.246

Oho, a live one! A correct response would be

Host jd89hv8eef09jvoiuew90ofhjyfhf.ws not found: 3(NXDOMAIN)

Try www.jd89hv8eef09jvoiuew90ofhjyfhf.ws in a Web browser, and see what you get. Not a correct "Page not found", but one of those annoying registrar pages. You should probably try a few improbable domain names just to make sure. When you're certain you've tracked down a bogus redirect IP, in this example 216.35.187.246, just slap it into /etc/dnsmasq.conf:

bogus-nxdomain=216.35.187.246

Documentation

See /etc/dnsmasq.conf for a lot of good, well-commented examples, and dnsmasq (8) for complete options, and more examples.

Resources