DoTheEvolution 28be709f53 update
2020-06-13 18:51:23 +02:00

# dnsmasq
###### guide-by-example
# Purpose & Overview
Lightweight DHCP and DNS server.
* [Official site](
* [Arch wiki](
dnsmasq solves the problem of accessing self-hosted stuff when you are inside
your network. Asking google's DNS for `` will return your
very own public IP, and most routers/firewalls won't allow this loopback,
where your requests should go out and then right back.<br>
The usual quick way to solve this issue is
[editing the `hosts` file](
on your machine, adding an `` IP-hostname pair.
This tells your machine to fuck asking google's DNS, the rule is right there,
`` goes directly to the local server ip ``.<br>
But if more devices should "just work" it is a no-go, since this works only
on the machine whose `hosts` file was edited.
So the answer is running a DNS server that does this
pairing of IPs with hostnames, and a DHCP server that tells the devices
on the network to use this DNS.
*extra info*<br>
DNS servers listen on port 53.
# Prerequisites
* the machine that will be running it should have a static IP set
# Files and directory structure
```
├── dnsmasq.conf
├── hosts
└── resolve.conf
```
* `dnsmasq.conf` - the main config file for dnsmasq, where DNS and DHCP functionality is set
* `resolve.conf` - a file containing the ip addresses of the DNS nameservers to be used
  by the machine it resides on
* `hosts` - a file that can provide additional hostname-ip mappings

`hosts` and `resolve.conf` are just normal system files, always in use on any linux system.
`dnsmasq.conf` comes with the dnsmasq installation.
# Installation
Install dnsmasq from your distro's official repos.
# Configuration
```
# DNS --------------------------------------------------------------------------
# Never forward plain names (without a dot or domain part)
# Never forward addresses in the non-routed address spaces.
# If you don't want dnsmasq to read /etc/resolv.conf
# interface and address
# Upstream Google and Cloudflare nameservers

# DNS entries ------------------------------------------------------------------
# wildcard DNS entry sending domain and all its subdomains to an ip
# subdomain override

# DHCP -------------------------------------------------------------------------
# gateway

# DHCP static IPs --------------------------------------------------------------
# mac address : ip address
```
*extra info*
* `dnsmasq --test` - validates the config
* `dnsmasq --help dhcp` - lists all the DHCP options
You can also run **just a DNS server** by deleting everything from the DHCP section
of `dnsmasq.conf` to the end.<br>
Then on your router, in the DHCP>DNS settings, you just put in the ip address
of the dnsmasq host as the DNS server.
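A complete `dnsmasq.conf` laid out along the commented sections above, added here as an example and not the repo's own file; the domain `example.com`, the `192.168.1.0/24` addresses, the interface name `eth0` and the MAC addresses are constructed placeholders to swap for your own.

```conf
# DNS --------------------------------------------------------------------------
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# If you don't want dnsmasq to read /etc/resolv.conf
no-resolv
# interface and address - answer only on the LAN interface (placeholder eth0);
# bind-interfaces binds just that interface's addresses instead of the wildcard,
# so a public-facing interface never turns this host into an open resolver
interface=eth0
bind-interfaces
# Upstream Google and Cloudflare nameservers
server=8.8.8.8
server=1.1.1.1

# DNS entries ------------------------------------------------------------------
# wildcard DNS entry sending domain and all its subdomains to an ip
address=/example.com/192.168.1.2
# subdomain override - the longest matching domain wins, so this one
# takes precedence over the wildcard above
address=/nas.example.com/192.168.1.3

# DHCP -------------------------------------------------------------------------
# For a DNS-only setup delete everything from here to the end and point the
# router's DHCP at 192.168.1.2 as the DNS server instead.
# pool handed to clients, netmask, lease time
dhcp-range=192.168.1.100,192.168.1.200,255.255.255.0,12h
# gateway
dhcp-option=option:router,192.168.1.1
# clients are told to use this host as their DNS server
# (dnsmasq's default when running DHCP, made explicit here)
dhcp-option=option:dns-server,192.168.1.2
# this is the only DHCP server on the network, the router's one is disabled
dhcp-authoritative

# DHCP static IPs --------------------------------------------------------------
# mac address : ip address  (constructed MACs)
dhcp-host=aa:bb:cc:dd:ee:01,192.168.1.10
dhcp-host=aa:bb:cc:dd:ee:11,192.168.1.11
```

Run `dnsmasq --test` after editing; it parses the file and reports the first line it cannot accept.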
# resolv.conf
A file that contains DNS nameservers to be used by the linux machine it sits on.<br>
Since dnsmasq, a DNS server, is running right on this machine,
the entries just point to localhost.<br>
```
nameserver ::1
```
A bit of an issue is that `resolv.conf` belongs to glibc, a core linux library,
but other network related services like to fuck with it,
like dhcpcd, networkmanager, systemd-resolved,...<br>
Ideally you know what is running on your host linux system, but just in case,
`resolv.conf` will be flagged as immutable.
This prevents all possible changes to it unless the attribute is removed.
* Edit `/etc/resolv.conf` and set localhost as the DNS nameserver, as shown above.
* Make it immutable to prevent any changes to it.<br>
`sudo chattr +i /etc/resolv.conf`
* Check if the content is what was set.<br>
`cat /etc/resolv.conf`
# /etc/hosts
```
docker-host
gateway
```
This is a file present on every system, linux, windows, mac, android,...
where you can assign a hostname to an IP.<br>
dnsmasq reads `/etc/hosts` for IP-hostname pairs and adds them to its own
resolver records.
Unfortunately there is no wildcard support.<br>
But as seen in `dnsmasq.conf`, when a domain is set there it acts as a wildcard
rule, so the `` entry here is just for show.
# Start the service
`sudo systemctl enable --now dnsmasq`
* Check if it started without errors<br>
`journalctl -u dnsmasq.service`
* If you get a "port already in use" error, check which service is using port 53<br>
`sudo ss -tulwnp`<br>
stop and disable that service, for example if it is `systemd-resolved`<br>
`sudo systemctl disable --now systemd-resolved`
* Make sure you **disable other DHCP servers** on the network,
usually a router is running one.
# Test it
#### DHCP
Set some machine on the network to use DHCP for its network settings.<br>
The network connection should just work with full connectivity.
You can check the file `/var/lib/misc/dnsmasq.leases` on the dnsmasq host
for the active leases. The location of the file can vary based on your linux distro.
#### DNS
nslookup is a utility that checks DNS mapping,
part of the `bind-utils` or `bind-tools` package, again depending on the distro,
but also available on windows.
* `nslookup`
* `nslookup docker-host`
* `nslookup`
* `nslookup`
* `nslookup`
### Troubleshooting
* **ping fails from windows when using hostname**<br>
  windows ping does not do a DNS lookup when just a plain hostname is used<br>
  `ping meh-pc`<br>
  it's a [quirk](
  of the windows ping utility.
  It can be solved by adding a dot, which makes it look like a domain name and
  forces the DNS lookup before pinging<br>
  `ping meh-pc.`<br>
* **slow ping of a hostname, but fast nslookup on a linux machine**<br>
  for me it was `systemd-resolved` running on the machine I was pinging from.<br>
  It can be stopped and disabled.<br>
  `sudo systemctl disable --now systemd-resolved`
# Update
dnsmasq is updated along with the host's linux packages.
# Backup and restore
#### Backup
Using [borg](
that makes a daily snapshot of the /etc directory, which contains the config files.
#### Restore
Replace the content of the config files with the ones from the backup.