DNSmasq

masq-chacho

Dnsmasq: the unsung hero of network management, where DNS meets DHCP with a side of TFTP, just to keep things spicy. (Speaking of spicy, how do you like the novelty glasses?) DNSmasq is a lightweight, yet robust service that doesn't just juggle network requests—it makes local network life easier. Ideal for smaller networks like your home or that tiny, yet over-ambitious office, Dnsmasq helps devices play nice with each other by resolving hostnames and dishing out IP addresses. So why bother? Because manually handling network configurations is about as enjoyable as stepping on LEGOs. Read on for the more boring installation and config instructions/considerations.

Installation Walkthrough for a Local DNS Server

To set up dnsmasq on an Ubuntu server for local DNS queries, with forwarding to Cloudflare's nameservers for internet queries, follow these detailed step-by-step instructions:

Install dnsmasq

  1. Update your package list to ensure you get the latest version available:

    sudo apt update
    

  2. Install dnsmasq:

    sudo apt install dnsmasq
    

Configure dnsmasq

  1. Backup the original configuration file for safety:

    sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.backup
    

  2. Edit the configuration file:

    sudo nano /etc/dnsmasq.conf

  Add/update the following settings to tailor dnsmasq for your needs:

  3. Restrict the listening interfaces so that dnsmasq answers only on the LAN interface (e.g., eth0 for Ethernet) and on loopback, rather than on every interface of the host (the interface= and listen-address= lines add up):

    interface=eth0
    listen-address=127.0.0.1  # Also answer on localhost
    bind-interfaces           # Bind only those addresses, not the wildcard address
    

  4. Specify Cloudflare's DNS servers as upstream servers for internet queries:

    server=1.1.1.1  # Cloudflare DNS
    server=1.0.0.1  # Cloudflare DNS
    

  5. Configure DNS settings to improve local DNS querying and security:

    domain-needed              # Never forward plain names (no dots) upstream
    bogus-priv                 # Never forward reverse lookups for private IP ranges upstream
    dnssec                     # Validate DNSSEC signatures on upstream answers
    conf-file=/usr/share/dnsmasq-base/trust-anchors.conf  # Root trust anchor shipped by the Ubuntu/Debian package; dnssec refuses to start without one
    

  6. Cache size (optional but recommended for better performance):

    cache-size=1000
    

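As an added example (not code from this walkthrough or from the dnsmasq project), the following Python script parses a dnsmasq.conf in the format used above and checks it for the hardening settings the steps set; the sample configuration and the trust-anchor path are assumptions, labelled as such in the code.

```python
import re

# Constructed sample: the settings this walkthrough recommends plus a trust-anchor line
# (assumption: path of the trust anchors file shipped by Ubuntu/Debian's dnsmasq-base).
SAMPLE_CONF = """\
# local resolver for the LAN
interface=eth0
listen-address=127.0.0.1  # Listen on localhost
bind-interfaces
server=1.1.1.1  # Cloudflare DNS
server=1.0.0.1
domain-needed
bogus-priv
dnssec
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
"""

def parse_dnsmasq_conf(text):
    """Map option name -> list of values; bare flags get ''. '#' starts a comment
    as in dnsmasq.conf (quoted '#' is not handled by this simplified parser)."""
    opts = {}
    for raw in text.splitlines():
        line = re.sub(r"\s*#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def audit(opts):
    """Return findings for the hardening points set above; [] means all pass."""
    findings = []
    if "interface" not in opts and "listen-address" not in opts:
        findings.append("no interface=/listen-address=: dnsmasq answers on every interface")
    if "bind-interfaces" not in opts:
        findings.append("bind-interfaces missing: socket is bound to the wildcard address")
    if not any(opts.get("server", [])):
        findings.append("no server= upstream: dnsmasq falls back to /etc/resolv.conf")
    for flag in ("domain-needed", "bogus-priv"):
        if flag not in opts:
            findings.append(flag + " missing")
    if "dnssec" not in opts:
        findings.append("dnssec missing: upstream answers are not validated")
    elif "trust-anchor" not in opts and not any(
        "trust-anchors" in path for path in opts.get("conf-file", [])
    ):
        findings.append("dnssec set without a trust anchor: dnsmasq refuses to start")
    return findings
```

Run audit(parse_dnsmasq_conf(open("/etc/dnsmasq.conf").read())) on the server to see which of the settings from the steps above are still missing.
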
Secure the DNS Service

  1. Configure the firewall to allow only local network access to DNS service:

    sudo ufw allow from 192.168.1.0/24 to any port 53 proto udp
    sudo ufw allow from 192.168.1.0/24 to any port 53 proto tcp
    

  2. Enable the firewall if it is not already enabled (if you manage the server over SSH, allow your SSH port first, or enabling the firewall will lock you out):

    sudo ufw enable
    

Start and enable dnsmasq service

  1. Restart dnsmasq to apply configuration changes:

    sudo systemctl restart dnsmasq
    

  2. Enable dnsmasq to start automatically at boot:

    sudo systemctl enable dnsmasq
    

Test the DNS Service

  1. Test local DNS resolution:

    dig @localhost example.com
    

  2. Test internet DNS resolution to verify that queries are being forwarded to Cloudflare:

    dig @localhost google.com
    

  3. Check for DNSSEC validation (if configured):

    dig @localhost sigfail.verteiltesysteme.net +dnssec
    

This test domain is intentionally set up to fail DNSSEC validation, so no results should be returned: dig should report status SERVFAIL instead of an answer.

Monitor and Maintain

  • Monitor logs to keep track of activities and potential issues:

    sudo journalctl -u dnsmasq
    

  • Update regularly:

    sudo apt update
    sudo apt upgrade