In a DNS bind? Get Out With dnsmasq
There you are on your small home LAN, or small business, feeling ignored by the Linux world. You want to take advantage of nice labor-saving tools like DHCP (dynamic host configuration protocol) and DNS (domain name system), but it feels like only uber-geeks need apply.
Feel ignored no more, for there is an excellent DNS/DHCP utility for real people: Dnsmasq. Dnsmasq is especially suited for small networks that share a single Internet connection, behind a NAT firewall. Creative admins will find all sorts of ways to put Dnsmasq to work; this article will focus on simple local DNS and DHCP.
What's the Big Deal, AnywayDNS is simply matching names to numbers. DHCP is simply automatically assigning an IP address, and optionally other information, from a pool of addresses. Dnsmasq leans the entire process down to a few essential bits. You probably wouldn't want to use it to power an ISP, but then this article isn't aimed at gigantic mondo users with complex needs anyway: Think branch office.
Starting and Stopping Dnsmasq
The Dnsmasq .debs and .rpms come with init scripts. Start, restart, and stop in the usual manner:
# /etc/init.d/dnsmasq start # /etc/init.d/dnsmasq restart # /etc/init.d/dnsmasq stop
Local Caching Nameserver
Setting up a local caching nameserver is a common chore. By caching DNS requests locally, your users will see faster network response times. Any PC on your LAN can be the local nameserver cache. Install Dnsmasq on this PC.
In small LANs that share a single Internet connection, typically all the hosts use the ISP's (internet service provider) nameservers. This is configured in /etc/resolv.conf:
nameserver 12.345.678.8 nameserver 12.345.678.9
Leave this configuration on your local nameserver. On all the other PCs in your LAN, make this the only entry in /etc/resolv.conf:
Windows PCs are configured in "Network and Dial-up Connections." Any time your primary nameservers change, the only change you need to make is on your local nameserver. Yes, that's easy, like it should be.
Easy Local DNS Server
Maintaining /etc/hosts files on more than three or four PCs gets to be a pain. Running BIND is a far bigger pain. djbdns is a lovely DNS server, and is my personal favorite. But nothing beats Dnsmasq for simple administration and setup. With Dnsmasq, you only need to maintain the /etc/hosts file on the Dnsmasq server:
127.0.0.1 localhost 192.168.1.5 mail1 192.168.1.100 workstation1 192.168.1.101 workstation2 192.168.1.102 workstation3 192.168.1.103 workstation4
What, you say, why no domain names? Everyone knows that domain names have to go in /etc/hosts. Stay tuned, my little Grasshoppers, and all will be revealed.
The simplest way to use the DHCP server in Dnsmasq is to set the hostnames on each host on your LAN. Then make these edits to /etc/dnsmasq.conf:
expand-hosts domain=test.net (use your own domain here, of course) dhcp-range=192.168.1.100,192.168.1.150,168h
The first line automatically expands the hostnames to include the domain name, which is specified on the next line. The third line shows how to set a range of IP addresses for your DHCP pool, with a 168-hour lease. You can set the lease to any interval you like, either in hours (h) or minutes (m) or infinite, for a permanent lease.
Setting Hostnames Correctly
The key to making all this work nicely is to have hostnames correctly configured on your PCs. On most Linux systems, you must edit /etc/hostname. /etc/hostname sets only the system's hostname:
On Red Hat and Fedora, you must edit /etc/sysconfig/network instead of /etc/hostname:
Anytime you change the hostname, you must reboot. Then you can check your work with the hostname command:
$ hostname workstation1
Foiling Sitefinder and Related Foolishnesses
Verisign's Sitefinder has gone away, for the moment, but they are making noises about trying again. A number of registries for various domains still do it. For those who have mercifully erased this nonsense from their memory banks: Sitefinder, instead of returning a proper NXDOMAIN response for non-existent .com and .net addresses, instead re-directed to a Verisign search page. Which broke DNS, messed up applications that depended on accurate DNS queries, subjected users to yet more advertising, and did not help anyone at all. Except Verisign, who collected ad revenue.
As usual, the tech community swiftly responded with various workarounds. Should Sitefinder return, or you encounter other that registries implement a similar "service", Dnsmasq can foil it. Simply enter the offending IP address in /etc/dnsmasq.conf:
That was the IP used by Sitefinder, so all DNS redirected to that IP is considered bogus, and forced to return a proper NXDOMAIN response. This page has a list of other offending IPs that do, or have done, the same thing. Testing for this DNS-breaking silliness is simple enough, using the host command and bogus addresses:
$ host jd89hv8eef09jvoiuew90ofhjyfhf.ws jd89hv8eef09jvoiuew90ofhjyfhf.ws has address 18.104.22.168
Oho, a live one! A correct response would be
Host jd89hv8eef09jvoiuew90ofhjyfhf.ws not found: 3(NXDOMAIN)
Try www.jd89hv8eef09jvoiuew90ofhjyfhf.ws in a Web browser, and see what you get. Not a correct "Page not found", but one of those annoying registrar pages. You should probably try a few improbable domain names just to make sure. When you're certain you've tracked down a bogus redirect IP, in this example 22.214.171.124, just slap it into /etc/dnsmasq.conf:
See /etc/dnsmasq.conf for a lot of good, well-commented examples, and dnsmasq (8) for complete options, and more examples.
- Dnsmasq home page
- If you are interested in more heavy-duty DNS servers, see djbdns home page, with bales of good documentation.
- BIND home page
- This covers the traditional DHCP server for Linux: the DHCP mini-howto