dnsmasq is a simple DHCP/DNS server which can be used in a local network of up to a 1000 clients. Key features are easy configuration and a small system footprint. It also has support for IPv6.
Make a proper USE flag selection:
USE flags for net-dns/dnsmasq Small forwarding DNS server
||Add support for acting as an authorative DNS server.|
||Add support for Linux conntrack connection marking.|
||Enable dbus support for anything that needs it (gpsd, gnomemeeting, etc)|
||Enable support for acting as a DHCP server.|
||Install extra command line tools for manually managing DHCP leases.|
||Enable support DNSSEC validation and caching.|
||Include code to dump packets to a libpcap-format file for debugging|
||Whether report *.bind CHAOS info to clients, otherwise forward such requests upstream instead|
||Enable support for Internationalized Domain Names|
||Enable inotify filesystem monitoring support|
||Add support for IP version 6|
||Enable support for Internationalized Domain Names, via net-dns/libidn2 rather than net-dns/libidn|
||Include functionality to probe for and remove DNS forwarding loops|
||Enable Lua scripting support|
||Use hashing functions from dev-libs/nettle|
||Add Native Language Support (using gettextGNU locale utilities)|
||Enable support for calling scripts when leases change.|
||!!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur|
||!!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically|
||Enables built in TFTP server for netbooting.|
Next, install the net-dns/dnsmasq package:
emerge --ask net-dns/dnsmasq
There are various resources that can be modified to change dnsmasq behavior. These include
- the command line options as provided through /etc/conf.d/dnsmasq
- the main configuration file (/etc/dnsmasq.conf)
Add dnsmasq to the default runlevel if it needs to be started automatically:
rc-update add dnsmasq default
To start the service now:
service dnsmasq start
In /etc/conf.d/dnsmasq, the command line options passed on to the dnsmasq daemon at start-up can be configured.
DNSMASQ_OPTS="--user=dnsmasq --group=dnsmasq -H /srv/virt/gentoo/hosts --max-cache-ttl=10"
Main configuration file
The main configuration of dnsmasq is done through its configuration file, /etc/dnsmasq.conf. The file uses a
key[=value] syntax and the one provided by the package is well documented and recommended to read through. Inside the file, or through the command line options, additional resources can be referred to (such as a DHCP hosts file).
Below is a sample configuration file:
# Listen only to this interface interface=eth1 # Assign names based on mac address dhcp-host=00:1e:68:c2:ff:ee,endor,192.168.0.54,24h # Any other DHCP request gets an ip from this range dhcp-range=eth1,192.168.0.100,192.168.0.120,12h # Enable the TFTP server and set the root directory for files available via TFTP. enable-tftp tftp-root=/var/lib/tftpboot dhcp-boot=/pxelinux.0
After editing the configuration file, the service has to be restarted - reloading is supported, but for other resources.
The dnsmasq application uses the /etc/hosts file as one of its sources for providing DNS services, unless the
--no-hosts) command line argument is passed along.
If the /etc/hosts file is updated, the dnsmasq service needs to receive a SIGHUP signal in order to reload the settings. This is also supported through the init scripts' reload command:
This behavior can also be disabled through the
no-hosts parameter in the configuration file.
Additional hosts file
It is possible to refer to an (additional) hosts file to use as source for DNS queries. To do so, add the
-H /path/to/hostsfile (
--addn-hosts=/path/to/hostsfile) command line option. It is also possible to pass a directory; in that case, all files inside that directory will be treated as additional hosts files.
Similar to the standard hosts file, a SIGHUP signal reloads the file.
This behavior can also be set through the
addn-hosts parameter in the configuration file.
By default, dnsmasq uses the name servers specified in /etc/resolv.conf as its upstream nameservers.
A different file can be used through the
--resolv-file) command line option.
This behavior can also be set through the
resolv-file parameter in the configuration file.
Dnsmasq supports DNS, TFTP, PXE, router advertisements and DHCP services. As such, it is a versatile network management tool for small and medium-sized networks.
In order to (only) provide DNS services, first identify the upstream nameserver to use. If this is the same nameserver as specified in /etc/resolv.conf then no additional steps need to be taken. Otherwise, point dnsmasq to the proper resolv.conf file through the
--resolv-file) command line. Its syntax is the one used by the /etc/resolv.conf file, although dnsmasq only looks at the nameserver definitions.
echo "nameserver 188.8.131.52" >> /etc/dnsmasq.conf.resolv
Next point dnsmasq to this file through the configuration file:
To verify that the service is running (after restarting as the configuration file has just been changed), use the dig command (provided through net-dns/bind-tools), asking the DNS server (running on localhost in the following example) to resolve a local or remote address:
dig @localhost +short www.gentoo.org
Dnsmasq can validate DNSSEC data while passing through data. This can be accomplished by adding these lines to the config file:
# DNSSEC setup dnssec trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 dnssec-check-unsigned
The trusted anchor can be found on the iana.org site. After this change dnsmasq will return SERVFAIL and no DNS data if the validation fails. If the validation succeeds it sets the ad flag. In case the domain does not support DNSSEC dnsmasq behaves as before.
In order to enable the DHCP services of dnsmasq, use the
dhcp-range configuration setting.
For instance, to enable IPv6 address configuration through router advertisement (RA) with infinite lease time, and IPv4 address configuration also with infinite lease time:
It is possible to use static definitions for known hosts, either through the main configuration file (
dhcp-host= settings) or through a separate file. If a separate file is used, point dnsmasq to it through the
--dhcp-hostsfile command line option. The advantage of the latter approach is that it is sufficient to send a SIGHUP signal (or reload the service) in order to reread the entries, whereas definitions in the configuration file require a full service restart.
For more information about the syntax of the
dhcp-host parameter please refer to the manual page or configuration file as its syntax is very extensive.
This section covers various usage scenarios (maintenance and operational tasks) for the dnsmasq service.
Clients that had a network interface update which results in a different MAC address might not get the intended IP address immediately. This is because the dnsmasq service has provided this IP address to the old MAC address, and will wait until the lease of this address has expired before re-assigning it.
The dnsmasq service stores its leases in /var/lib/misc/dnsmasq.leases. If the lease needs to be removed faster, shut down the dnsmasq service, remove the lease from the dnsmasq.leases file and start the service again.
nano -w /var/lib/misc/dnsmasq.leases
Reloading non-main configuration settings
Next to the dnsmasq.conf file, the dnsmasq service can use external definitions for the following services:
- DHCP host configuration entries (through
--dhcp-hostsfilecommand line option)
- DHCP options (through
--dhcp-optsfilecommand line option)
When these files are modified, a SIGHUP signal has dnsmasq reload these configuration files.
The resolv.conf files are by default polled by dnsmasq; changes on these files are automatically picked up unless the
--no-poll) command line option is set or the
no-pollconfiguration parameter is used.