# Change this line if you want dns to get its upstream servers from somewhere other than /etc/resolv.conf
# By default, dnsmasq will send queries to any of the upstream servers it knows about
# and tries to favour servers that are known to be up.
# Uncommenting this forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf
# Or which addresses to listen on (remember to include 127.0.0.1 if you use this.)
# For debugging purposes, log each DNS query as it passes through dnsmasq.
# If you don't want dnsmasq to read /etc/hosts, uncomment the following line.
# or if you want it to read another file, as well as /etc/hosts, use this.
listen-address=127.0.0.1 means this dnsmasq instance serves only the local machine itself.
grid_hd@hadoop1:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1 ## resolve through the local cache first; only when a name is not found there is the lookup sent to the upstream name servers listed in /etc/dnsmasq/resolv.conf
grid_hd@hadoop1:~$ cat /etc/dnsmasq/resolv.conf
grid_hd@hd1:~$ ps -ef | grep d
dnsmasq 1601 1 0 19:30 ? 00:00:00 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -r /var/run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d
sudo apt-get install sysv-rc-conf
grid_hd@hadoop1:~$ sudo cat /etc/rc.local
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other value on error.
# In order to enable or disable this script just change the execution bits.
# By default this script does nothing.
dnsmasq -u dnsmasq -r /etc/resolv.dnsmasq
grid_hd@hadoop1:~/Desktop$ ps -ef | grep dnsmasq
nobody 1958 1 0 19:00 ? 00:00:00 dnsmasq -u dnsmasq -r /etc/dnsmasq/resolv.conf ## the specified upstream name server list file has been loaded
# If the resolvconf package is installed then use the resolv conf file that it provides as the default.
# Otherwise use /etc/resolv.conf as the default.
# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit filename is set there
# then this inhibits the use of the resolvconf-provided information.
# Note that if the resolvconf package is installed
# it is not possible to override it just by configuration in /etc/dnsmasq.conf,
# it is necessary to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.
if [ ! "$RESOLV_CONF" ] &&
   [ "$IGNORE_RESOLVCONF" != "yes" ] &&
   [ -x /sbin/resolvconf ]
then
    RESOLV_CONF=/run/resolvconf/resolv.conf
fi
# This file has five functions:
# 1) to completely disable starting dnsmasq,
# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
# 3) to select an alternative config file
# by setting DNSMASQ_OPTS to --conf-file=<file>
# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for more configuration variables.
# 5) to stop the resolvconf package from controlling dnsmasq's idea of which upstream nameservers to use.
# For upgraders from very old versions,
# all the shell variables set here in previous versions are still honored by the init script
# so if you just keep your old version of this file nothing will break.
# Whether or not to run the dnsmasq daemon; set to 0 to disable.
# By default search this drop directory for configuration options.
# Libvirt leaves a file here to make the system dnsmasq play nice.
# Comment out this line if you don't want this. The dpkg-* are file
# endings which cause dnsmasq to skip that file. This avoids pulling
# in backups made by dpkg.
# If the resolvconf package is installed, dnsmasq will use its output rather than the contents of /etc/resolv.conf to find upstream nameservers.
# Uncommenting this line inhibits this behaviour.
# Note that including a "resolv-file=<filename>" line in
# /etc/dnsmasq.conf is not enough to override resolvconf if it is
# installed: the line below must be uncommented.
grid_hd@hd1:~$ sudo service dnsmasq restart
* Restarting DNS forwarder and DHCP server dnsmasq [ OK ]
grid_hd@hd1:~$ ps -ef | grep d
dnsmasq 3365 2653 0 19:48 ? 00:00:00 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
grid_hd 3411 3208 0 19:48 pts/12 00:00:00 grep --color=auto d
Read the IP addresses of the upstream nameservers from <file>, instead of /etc/resolv.conf.
For the format of this file see resolv.conf(5).
The only lines relevant to dnsmasq are nameserver ones.
Dnsmasq can be told to poll more than one resolv.conf file, the first file name specified overrides the default, subsequent ones add to the list.
This is only allowed when polling; the file with the currently latest modification time is the one used.
Don't read /etc/resolv.conf.
Get upstream servers only from the command line or the dnsmasq configuration file.
If this machine is to be the default DNS server for a group of hosts, it needs a fixed IP address:
listen-address=192.168.1.1 # Example IP
Specifies where dnsmasq gets its upstream DNS servers; by default they are taken from /etc/resolv.conf.
Configure dnsmasq's upstream DNS servers (since dnsmasq is a DNS cache, it still needs upstream servers as the source of the actual resolution).
addn-hosts specifies the file from which dnsmasq reads "address hostname" records; the default is the system file /etc/hosts. Configure the system's DNS servers so that dnsmasq is consulted first.
This makes dnsmasq read the list of upstream DNS servers from the specified file instead of the local resolv.conf; if the machine's address is obtained via DHCP, resolv.conf is easily overwritten, which would in turn affect dnsmasq.
The system first consults the local dnsmasq server. With strict-order uncommented, dnsmasq tries the servers strictly in the order they appear in the resolv-file, top to bottom, until the first one answers successfully.
2. no-hosts: commented out by default, so dnsmasq first looks in the local hosts file, then in its cache, and only then asks the upstream DNS servers.
3. listen-address=127.0.0.1,192.168.0.1 specifies the addresses dnsmasq listens on; 127.0.0.1 is the local machine, and to serve other hosts you must also list the addresses of the corresponding network interfaces.
5. Client configuration: use the DNS resolution service configured above
Edit /etc/resolv.conf and set its content to 'nameserver 192.168.0.1' (where that IP is the internal DNS, i.e. the dnsmasq host).
6. Custom hostname-to-IP mappings, on the host running the DNS service
# Add local-only domains here, queries in these domains are answered from /etc/hosts or DHCP only.
# Add domains which you want to force to an IP address here.
# The example below sends any host in doubleclick.net to a local webserver.
$ dig gateway
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> gateway
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43215
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;gateway. IN A
gateway. 0 IN A 192.168.0.1
;; Query time: 2 msec
$ dig gateway @22.214.171.124
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> gateway @126.96.36.199
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31552
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;gateway. IN A
. 910 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2014041000 1800 900 604800 86400
;; Query time: 35 msec
$ dig home.freeoa.net
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> home.freeoa.net
;home.freeoa.net. IN A
home.freeoa.net. 0 IN A 192.168.0.8 ## internal NAT address
$ dig home.freeoa.net @188.8.131.52
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> home.freeoa.net @184.108.40.206
;home.freeoa.net. IN A
home.freeoa.net. 199 IN A 220.127.116.11 ## public address
# Only listen to routers' LAN NIC.
# Doing so opens up tcp/udp port 53 to localhost and udp port 67 to world:
# dnsmasq will open tcp/udp port 53 and udp port 67 to world to help with dynamic interfaces (assigning dynamic ips).
# Dnsmasq will discard world requests to them,
# but the paranoid might like to close them and let the kernel handle them:
# Dynamic range of IPs to make available to LAN pc # sets the assignable IP address range and the lease time
# If you'd like to have dnsmasq assign static IPs, bind the LAN computer's NIC MAC address:
The DHCP service offers the address range 192.168.0.20 to 192.168.0.100 with a lease period of 12 hours. The last option specifies the default gateway.
This gives the MAC address 11:22:33:44:55:66 the hostname daunbook (.freeoa.net) and the IP address 192.168.0.12.
Test a DNS query and measure the response time:
$ dig archlinux.org | grep "Query time"
Jul 29 22:04:57 hadoop1 dnsmasq: query[A] hadoop1 from 172.17.0.2
Jul 29 22:04:57 hadoop1 dnsmasq: /etc/hosts hadoop1 is 192.168.145.131
Jul 29 22:04:57 hadoop1 dnsmasq: query[PTR] 18.104.22.168.in-addr.arpa from 172.17.0.2
Jul 29 22:04:57 hadoop1 dnsmasq: /etc/hosts 192.168.145.131 is hadoop1.asn.c
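The log lines above are what log-queries produces. As an added example (not from the original page or from dnsmasq), the script below summarises such a log with awk: queries per client, how each answer was produced (/etc/hosts, cache, forwarded, or a static address= entry), and which unqualified names were forwarded upstream, which is exactly the leak that domain-needed is meant to stop. The log lines, client addresses and the upstream server 192.0.2.53 are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the page): summarise dnsmasq "log-queries" output.
# The log lines below are constructed to look like the ones above; the client and
# server addresses are placeholders.
DNSMASQ_LOG=$(cat <<'EOF'
Jul 29 22:04:57 hadoop1 dnsmasq: query[A] hadoop1 from 172.17.0.2
Jul 29 22:04:57 hadoop1 dnsmasq: /etc/hosts hadoop1 is 192.168.145.131
Jul 29 22:04:57 hadoop1 dnsmasq: query[PTR] 131.145.168.192.in-addr.arpa from 172.17.0.2
Jul 29 22:04:57 hadoop1 dnsmasq: /etc/hosts 192.168.145.131 is hadoop1
Jul 29 22:05:01 hadoop1 dnsmasq: query[A] archlinux.org from 172.17.0.3
Jul 29 22:05:01 hadoop1 dnsmasq: forwarded archlinux.org to 192.0.2.53
Jul 29 22:05:01 hadoop1 dnsmasq: reply archlinux.org is 192.0.2.10
Jul 29 22:05:09 hadoop1 dnsmasq: query[A] archlinux.org from 172.17.0.3
Jul 29 22:05:09 hadoop1 dnsmasq: cached archlinux.org is 192.0.2.10
Jul 29 22:05:15 hadoop1 dnsmasq: query[A] ads.doubleclick.net from 172.17.0.4
Jul 29 22:05:15 hadoop1 dnsmasq: config ads.doubleclick.net is 127.0.0.1
Jul 29 22:05:20 hadoop1 dnsmasq: query[A] printer from 172.17.0.5
Jul 29 22:05:20 hadoop1 dnsmasq: forwarded printer to 192.0.2.53
EOF
)
# Field layout of a line: $1 month, $2 day, $3 time, $4 host, $5 "dnsmasq:",
# $6 action (query[A], forwarded, cached, /etc/hosts, config, reply),
# $7 name, $8 from/to/is, $9 client address, server address or answer.

# Number of queries a given client address has sent.
queries_from() {
    printf '%s\n' "$1" | awk -v client="$2" \
        '$6 ~ /^query\[/ && $9 == client { n++ } END { print n + 0 }'
}

# How answers were produced: /etc/hosts, cache, forwarded upstream, or a static address= entry.
answer_source_counts() {
    printf '%s\n' "$1" | awk '
        $6 == "/etc/hosts" { hosts++ }
        $6 == "cached"     { cached++ }
        $6 == "forwarded"  { fwd++ }
        $6 == "config"     { cfg++ }
        END { printf "hosts=%d cached=%d forwarded=%d config=%d\n", hosts, cached, fwd, cfg }'
}

# Unqualified names (no dot) that were forwarded upstream: the lookups that
# "domain-needed" keeps inside the LAN.
forwarded_short_names() {
    printf '%s\n' "$1" | awk '$6 == "forwarded" && $7 !~ /\./ { print $7 }' | sort -u
}

echo "queries from 172.17.0.3: $(queries_from "$DNSMASQ_LOG" 172.17.0.3)"
echo "answer sources: $(answer_source_counts "$DNSMASQ_LOG")"
echo "short names forwarded upstream: $(forwarded_short_names "$DNSMASQ_LOG")"
```

On a real host, replace the embedded text with `grep dnsmasq /var/log/syslog`; a non-empty "short names forwarded upstream" list means domain-needed is missing and internal hostnames are being disclosed to the upstream resolver.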
dnsmasq is a lightweight DNS, TFTP, PXE, router advertisement and DHCP server.
It is intended to provide coupled DNS and DHCP service to a LAN.
Dnsmasq accepts DNS queries and either answers them from a small, local, cache or forwards them to a real, recursive, DNS server.
It loads the contents of /etc/hosts so that local hostnames which do not appear in the global DNS can be resolved and also answers DNS queries for DHCP configured hosts.
It can also act as the authoritative DNS server for one or more domains, allowing local names to appear in the global DNS.
The dnsmasq DHCP server supports static address assignments and multiple networks.
It automatically sends a sensible default set of DHCP options, and can be configured to send any desired set of DHCP options, including vendor-encapsulated options.
It includes a secure, read-only, TFTP server to allow net/PXE boot of DHCP hosts and also supports BOOTP.
The PXE support is full featured, and includes a proxy mode which supplies PXE information to clients whilst DHCP address allocation is done by another server.
The dnsmasq DHCPv6 server provides the same set of features as the DHCPv4 server,
and in addition, it includes router advertisements and a neat feature which allows naming for clients which use DHCPv4 and stateless auto-configuration only for IPv6 configuration.
There is support for doing address allocation (both DHCPv6 and RA) from subnets which are dynamically delegated via DHCPv6 prefix delegation.
Dnsmasq is coded with small embedded systems in mind.
It aims for the smallest possible memory footprint compatible with the supported functions, and allows unneeded functions to be omitted from the compiled binary.
In short, IT IS EXCELLENT!!
Installing dnsmasq is just a case of using apt-get or yum
sudo apt-get install dnsmasq
Looking at the file /etc/dnsmasq.conf first.
The lines listed are those that I changed from their defaults.
Just uncomment and amend them as necessary. (Remove the ‘#’ from the beginning of the line).
sudo nano /etc/dnsmasq.conf
dhcp-option=19,0 # ip-forwarding off
dhcp-option=44,192.168.0.5 # set netbios-over-TCP/IP aka WINS
dhcp-option=45,192.168.0.5 # netbios datagram distribution server
dhcp-option=46,8 # netbios node type
What these lines will do for you.
This tells dnsmasq to never pass short names to the upstream DNS servers. If the name is not in the local /etc/hosts file then “not found” will be returned.
All reverse IP (192.168.x.x) lookups that are not found in /etc/hosts will be returned as “no such domain” and not forwarded to the upstream servers.
Do not read resolv.conf to find the servers where to lookup dns.
Do not poll resolv.conf for changes.
Set one or more DNS servers to use when addresses are not local.
These are open DNS servers.
Our local domain, queries in these domains are answered from /etc/hosts or the static-hosts files.
Use this to force an address for the specified domains,
e.g. to block adverts force doubleclick.net to localhost.
This option stops dnsmasq using the local /etc/hosts file as a source for lookups.
Force dnsmasq to use this file for lookups.
It is in the same format as /etc/hosts.
So we can see our local hosts via our home domain without having to repeatedly specify the domain in our /etc/hosts file.
This is your local domain name.
It will tell the DHCP server which host to give out IP addresses for.
This is the range of IPs that DHCP will serve: 192.168.0.20 to 192.168.0.50, with a lease time of 72 hours.
The lease time is how long that IP will be linked to a host.
For tftp connections use this range of IP addresses.
Any machine saying they are hostname = ‘mylaptop’ gets this IP address.
When a host is requesting an IP address via DHCP also tell it the gateway to use.
When a host is requesting an IP address via DHCP also tell it the NTP to use.
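The descriptions above are easier to check against than to read. As an added example (not the project's own code), the script below writes two constructed dnsmasq.conf files, one lacking the protective options just described and one containing them, and audits each for the settings that matter most on a LAN resolver: a restricted listener, domain-needed, bogus-priv, an upstream server when no-resolv is set, and a local name source when no-hosts is set. The upstream server 192.0.2.53, the hosts-file path and the addresses are placeholders; the option names are the standard dnsmasq ones.

```shell
#!/bin/sh
# Added example (not the project's code): constructed dnsmasq.conf files and an audit
# of the options the text describes. Addresses and paths are placeholders.
write_weak_conf() {
    cat > "$1" <<'EOF'
# listens on every interface, forwards short names and private PTR lookups upstream
server=192.0.2.53
no-resolv
no-hosts
EOF
}

write_hardened_conf() {
    cat > "$1" <<'EOF'
listen-address=127.0.0.1,192.168.0.1
domain-needed
bogus-priv
no-resolv
no-poll
server=192.0.2.53
local=/example.com/
address=/doubleclick.net/127.0.0.1
addn-hosts=/etc/dnsmasq.d/hosts.conf
expand-hosts
domain=example.com
dhcp-range=192.168.0.20,192.168.0.50,72h
dhcp-host=mylaptop,192.168.0.10
dhcp-option=3,192.168.0.1    # gateway
dhcp-option=42,192.168.0.5   # NTP server
EOF
}

# True if option NAME appears as a line of its own or as NAME=value (comments stripped).
conf_has() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | grep -q -E "^$2(=|$)"
}

# One finding per line: OK / WARN / ERROR.
audit_dnsmasq_conf() {
    f=$1
    if conf_has "$f" listen-address || conf_has "$f" interface; then
        echo "OK: listener restricted with listen-address/interface"
    else
        echo "WARN: no listen-address or interface; DNS is offered on every interface"
    fi
    if conf_has "$f" domain-needed; then
        echo "OK: domain-needed set; unqualified names are never forwarded"
    else
        echo "WARN: domain-needed missing; unqualified names leak to upstream servers"
    fi
    if conf_has "$f" bogus-priv; then
        echo "OK: bogus-priv set; private-range PTR lookups stay local"
    else
        echo "WARN: bogus-priv missing; 192.168.x.x reverse lookups are forwarded upstream"
    fi
    if conf_has "$f" no-resolv && ! conf_has "$f" server; then
        echo "ERROR: no-resolv without any server= line; no upstream resolver at all"
    fi
    if conf_has "$f" no-hosts && ! conf_has "$f" addn-hosts; then
        echo "WARN: no-hosts set without addn-hosts; no local name source is left"
    fi
}

# Number of WARN/ERROR findings, usable as a pass/fail gate.
audit_problem_count() {
    audit_dnsmasq_conf "$1" | grep -c -E '^(WARN|ERROR)' || true
}

tmp=$(mktemp -d)
write_weak_conf "$tmp/weak.conf"
write_hardened_conf "$tmp/hardened.conf"
for c in weak hardened; do
    echo "== $c.conf: $(audit_problem_count "$tmp/$c.conf") problem(s)"
    audit_dnsmasq_conf "$tmp/$c.conf"
done
```

Run `audit_dnsmasq_conf /etc/dnsmasq.conf` on a real host; files in /etc/dnsmasq.d are read separately by dnsmasq, so pass each of them too.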
In the file /etc/dnsmasq.d/hosts.conf you can add a list of local machines with static IP addresses in the same format as the hosts file. It is also an easy way of creating aliases or CNAME records.
192.168.0.8 mail mail.example.com
192.168.0.9 smtp smtp.example.com
192.168.0.120 mythtvbox mythtvbox.example.com
Starting and stopping the service
sudo service dnsmasq start
sudo service dnsmasq stop
sudo service dnsmasq restart
resolvconf - manage nameserver information
cat FILE | resolvconf -a IFACE.PROG
resolvconf -d IFACE.PROG
resolvconf --enable-updates | --disable-updates | --updates-are-enabled | --create-runtime-directories | --wipe-runtime-directories
The resolvconf package comprises a simple database for run-time nameserver information
and a simple framework for notifying applications of changes in that information.
Resolvconf thus sets itself up as the intermediary between programs that supply nameserver information and applications that use that information.
Information is added to or removed from the database using the resolvconf program.
See the OPTIONS section below for a discussion of the available options.
SUPPLIERS OF NAMESERVER INFORMATION
Normally the resolvconf program is run only by network interface configuration programs such as pppd(8) (for ppp interfaces);
by DHCP clients such as dhclient(8); by ifup(8) and ifdown; and by DNS caches such as dnsmasq(8) (for the loopback interface).
These programs obtain nameserver information from some source and push it to resolvconf.
The dhclient program, for example, may receive nameserver addresses and domain search list information during its negotiation with the DHCP server
if so, its hook script /etc/dhcp/dhclient-enter-hooks.d/resolvconf pushes this information to resolvconf.
The ifup program can be used to configure network interfaces according to settings in /etc/network/interfaces.
To make ifup push nameserver information to resolvconf when it configures an interface
the administrator must add dns- option lines to the relevant iface stanza in interfaces(5).
The following option names are supported: dns-nameservers, dns-search, and dns-sortlist.
The dns-domain option is deprecated in favor of dns-search.
To add nameserver addresses, add a single line beginning with dns-nameservers.
dns-nameservers 192.168.1.254 22.214.171.124
Note that one or more addresses can be given on this line, separated by spaces, and note the "s" at the end of the option name,
in contrast with the resolv.conf(5) option name nameserver.
Remember that in interfaces(5) each option can be used at most once per stanza.
To add search domain names, add a line beginning with dns-search.
dns-search foo.org bar.com
The resulting stanza might look like the following example.
iface eth0 inet static
dns-nameservers 192.168.1.254 126.96.36.199
dns-search foo.org bar.com
N.B.: On a machine where resolvconf has just been or is about to be installed and which previously relied on a static /etc/resolv.conf file,
the nameserver information in that static file should be migrated to the appropriate iface stanza(s) in interfaces(5).
The administrator can run resolvconf from the command line to add or delete nameserver information, but this is not normally necessary or advisable.
CONSUMERS OF NAMESERVER INFORMATION
Nameserver information provided to resolvconf is stored for use by subscribers to resolvconf's notification service.
Subscriber packages that need to know when nameserver information has changed
should install a script in /etc/resolvconf/update.d/ (or in /etc/resolvconf/update-libc.d/: see below).
For example, DNS caches such as dnsmasq(8) and pdnsd(8) subscribe to the notification service so that they know whither to forward queries.
Client hook scripts will find the files containing nameserver information in the current directory.
The most important software package that subscribes to the notification service is the GNU C Library resolver(3).
This library is used by many applications that need to resolve domain names.
When nameserver information is updated,
the script /etc/resolvconf/update.d/libc generates a new version of the resolver configuration file, /run/resolvconf/resolv.conf, as described below.
If the new version of the file differs from the previously generated one, then the hook scripts found in /etc/resolvconf/update-libc.d/ are executed.
The dynamically generated resolver configuration file
always starts with the contents of /etc/resolvconf/resolv.conf.d/head and ends with the contents of /etc/resolvconf/resolv.conf.d/tail.
Between head and tail the libc script inserts dynamic nameserver information compiled from, first, information provided for configured interfaces and,
second, static information from /etc/resolvconf/resolv.conf.d/base.
Specifically, it writes:
1) up to three nameserver lines, ordered according to /etc/resolvconf/interface-order, possibly fewer if one of the
addresses is a loopback address and the TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS environment variable is affirmatively set,
as discussed in the ENVIRONMENT VARIABLES section;
2) up to one search line containing the combined domain search list from all "domain" and "search" input lines,
also ordered according to interface-order(5)
3) all other non-comment input lines.
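The three rules above (at most three nameserver lines in interface-order precedence with optional truncation after a loopback address, one merged search line, then everything else) are simple but easy to misjudge when a VPN client or DHCP hook adds records. As an added example, not resolvconf's own libc script, the shell function below reimplements that merge over a constructed record directory so the result can be inspected offline. It assumes the layout DIR/head, DIR/tail, DIR/base, DIR/interface-order and DIR/interface/IFACE.PROG; the record contents and addresses are constructed, and the second argument stands in for TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS.

```shell
#!/bin/sh
# Added example (not resolvconf's own code): a simplified reimplementation of the
# update.d/libc merge, run against a constructed record directory. Layout assumed
# under DIR: head, tail, base, interface-order, interface/<IFACE.PROG>.
make_demo_records() {
    d=$1
    mkdir -p "$d/interface"
    printf '# Dynamic resolv.conf(5) file generated by the demo merge\n' > "$d/head"
    printf 'options inet6\n' > "$d/tail"
    printf 'nameserver 192.0.2.53\nsearch base.example\n' > "$d/base"
    printf 'lo.*\neth*\n*\n' > "$d/interface-order"
    printf 'nameserver 127.0.0.1\n' > "$d/interface/lo.dnsmasq"
    printf 'nameserver 192.168.0.1\nsearch example.com\nnameserver 192.168.0.2\n' \
        > "$d/interface/eth0.dhclient"
    printf 'nameserver 10.9.8.1\ndomain vpn.example\n' > "$d/interface/tun0.openvpn"
}

# Usage: build_resolv_conf DIR [yes|no]; the second argument plays the role of
# TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS (default yes).
build_resolv_conf() {
    d=$1 trunc=${2:-yes} records=""
    # Records ordered by the glob patterns in interface-order, each file at most once, then base.
    while IFS= read -r pat; do
        case $pat in ''|'#'*) continue ;; esac
        for f in "$d"/interface/$pat; do
            [ -f "$f" ] || continue
            case " $records " in *" $f "*) ;; *) records="$records $f" ;; esac
        done
    done < "$d/interface-order"
    [ -f "$d/base" ] && records="$records $d/base"
    [ -n "$records" ] || records=/dev/null

    cat "$d/head"
    awk -v trunc="$trunc" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # comments and blank lines
        $1 == "nameserver" {
            if (stop) next
            if (n < 3) { print; n++ }                     # at most three nameserver lines
            if (trunc == "yes" && ($2 ~ /^127\./ || $2 == "::1")) stop = 1
            next
        }
        $1 == "domain" || $1 == "search" {                # merged into one search line
            for (i = 2; i <= NF; i++) if (!($i in seen)) { seen[$i] = 1; s = s " " $i }
            next
        }
        { other = other $0 "\n" }                         # everything else, in order
        END { if (s != "") print "search" s; printf "%s", other }
    ' $records
    cat "$d/tail"
}

demo=$(mktemp -d)
make_demo_records "$demo"
echo "--- with truncation after the loopback address (default)"
build_resolv_conf "$demo" yes
echo "--- without truncation: the three-nameserver cap drops the VPN and base servers"
build_resolv_conf "$demo" no
```

With truncation on, only 127.0.0.1 survives, which is what makes the local caching nameserver the single point of resolution described under that variable; with it off, the third nameserver line is the last one written, so the VPN's and base's servers never reach the resolver.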
To make the resolver use this dynamically generated resolver configuration file
the administrator should ensure that /etc/resolv.conf is a symbolic link to /run/resolvconf/resolv.conf.
This link is normally created on installation of the resolvconf package.
The link is never modified by the resolvconf program itself.
If you find that /etc/resolv.conf is not being updated, please check to make sure that the link is intact.
The GNU C Library resolver library isn't the only resolver library available.
However, any resolver library that reads /etc/resolv.conf (and most of them do, in order to be compatible) should work fine with resolvconf.
Subscriber packages that need to know only when the resolver configuration file has changed should install a script in
/etc/resolvconf/update-libc.d/ rather than in /etc/resolvconf/update.d/.
(For example, two packages that install update-libc.d/ hook scripts are fetchmail and squid.)
This is important for synchronization purposes: scripts in update-libc.d/ are run after resolv.conf has been updated; the same is not necessarily true of scripts in update.d/.
Add or overwrite the record IFACE.PROG then run the update scripts if updating is enabled.
When this option is used the information must be provided to resolvconf on its standard input in the format of the resolv.conf(5) file.
Each line in the file must be terminated by a newline.
Delete the record IFACE.PROG then run the update scripts if updating is enabled.
The string IFACE.PROG may not contain spaces, slashes, an initial dot, an initial hyphen or an initial tilde.
It is conventionally formed from IFACE, the name of the interface involved, a dot, and PROG, the name of the interface configuration
program, e.g., "eth0.dhclient".
-u Just run the update scripts (if updating is enabled).
With -a, -d or -u:
if updating is not enabled, schedule a delayed update.
The delayed update will be carried out when updates are enabled.
Set the flag indicating that resolvconf should run update scripts when invoked in the future with -a, -d or -u.
If a delayed update was scheduled then run update scripts.
Clear the flag.
Return 0 if the flag is set, otherwise return 1.
Create the directories where resolver information records and other run-time files are stored.
Delete everything in the directories where resolver information records and other run-time files are stored.
The following variables can be set in the configuration file /etc/default/resolvconf.
If the file does not exist you will have to create it.
If set to "yes" then resolvconf will print a message when /etc/resolv.conf is not a symbolic link to the resolvconf generated resolver configuration file.
Set to "no" to prevent the printing of this message. The default is "yes".
If set to "yes" then the libc script will include no more nameserver addresses after the first nameserver address that is a loopback address.
(In IPv4 a loopback address is any one that starts with "127.". In IPv6 the loopback address is "::1".)
The advantage of truncating the nameserver list after a loopback address is that doing so inhibits unnecessary changes to resolv.conf
and thus reduces the number of instances in which the update-libc.d/ scripts have to be run.
When an interface is brought up or down the local caching nameserver that listens on the loopback address is still informed of the change and adapts accordingly
the clients of the resolver which use the local caching nameserver do not need to be notified of the change.
A disadvantage of this mode of operation is that applications have no secondary or tertiary nameserver address to fall back on should the local caching nameserver crash.
Insofar as a local nameserver crash can be regarded as an unlikely event, this is a relatively minor disadvantage.
Set to "no" to disable truncation.
The default is "yes".
A deprecated synonym for this variable is TRUNCATE_NAMESERVER_LIST_AFTER_127.
See the ENVIRONMENT VARIABLES section.
Determines the order of precedence of nameserver addresses and search domain names. See above and interface-order(5).
File containing basic resolver information.
The lines in this file are included in the resolver configuration file even when no interfaces are configured.
File to be prepended to the dynamically generated resolver configuration file. Normally this is just a comment line.
File to be appended to the dynamically generated resolver configuration file. To append nothing, make this an empty file.
This file is a good place to put a resolver options line if one is needed, e.g., options inet6
Copy of the /etc/resolv.conf file before the resolvconf package was installed.
This file has no effect on the functioning of resolvconf
it is retained so that /etc/resolv.conf can be restored to its original state if the resolvconf package is removed.
Note also that a copy of this file is included in the database until the first reboot after installation of the resolvconf package
this ensures that nameservers reachable before installation of resolvconf are still reachable after installation of resolvconf
even though at that point not all suppliers of nameserver information may have supplied their information to resolvconf(8).
Note also that the administrator can choose to create a symbolic link in /etc/resolvconf/resolv.conf.d/ from tail to original
so that the contents of original are always added to the end of the dynamically generated file.
Currently resolvconf does not check the sanity of the information provided to it.
Written by Thomas Hood <email@example.com> with contributions by Nathan Stratton Treadway.
Copyright © 2004-2012 Thomas Hood.
This is free software; see the source for copying conditions.
interface-order(5), resolv.conf(5), resolver(3).
Read the resolvconf package README file for more in-depth information.
127.0.0.1 hd1.asn.cn hd1
Dnsmasq setup Installation.
To compile and install dnsmasq, the following command (as root) is enough.
You might want to edit config.h. Dnsmasq has been run on (at least) Linux, uCLinux, AIX 4.1.5, FreeBSD 4.4, OpenBSD and Tru64 4.x. Dnsmasq is normally run on a firewall machine (the machine with the modem or other connection to your ISP) but it can run on any machine with access to the ISP's nameservers.
Put the binary in /usr/local/sbin/dnsmasq (running make install will do this) and arrange for it to be started at boot time.
Note that dnsmasq needs to run as root, since it binds privileged ports.
It will drop root privileges after start-up.
Dnsmasq logs problems using the syslog facility as a daemon.
It logs debugging information to local0
Configuration for dnsmasq is pretty simple in almost all cases.
The program has collected a fair few options as it has developed but most of them are not needed most of the time.
A machine which already has a DNS configuration (ie one or more external nameservers in /etc/resolv.conf and any local hosts in /etc/hosts) can be turned into a nameserver simply by running dnsmasq, with no options or configuration at all.
Set the IP address of the machine running dnsmasq as the DNS server in all the other machines on your network, and you're done.
With a few option flags, it is possible to make dnsmasq do more clever tricks.
Options for dnsmasq can be set either on the command line when starting dnsmasq, or in its configuration file, /etc/dnsmasq.conf.
Making the nameserver machine use dnsmasq.
In the simple configuration described above,
processes local to the machine will not use dnsmasq, since they get their information about which nameservers to use from /etc/resolv.conf, which is set to the upstream nameservers.
To fix this, simply replace the nameserver in /etc/resolv.conf with the local address 127.0.0.1 and give the address(es) of the upstream nameserver(s) to dnsmasq directly.
You can do this using either the server option, or by putting them into another file, and telling dnsmasq about its location with the resolv-file option.
Automatic nameserver configuration.
The two protocols most used for automatic IP network configuration (PPP and DHCP) can determine the IP addresses for nameservers automatically.
The daemons can be made to write out a file in the resolv.conf format with the nameservers in which is perfect for dnsmasq to use.
When the nameservers change, for instance on dialling into a new ISP using PPP, dnsmasq will automatically re-read this file and begin using the new nameserver(s) completely transparently.
Automatic DNS server configuration with PPP.
Later versions of pppd have an option "usepeerdns" which instructs it to write a file containing the address(es) of the DNS servers in /etc/ppp/resolv.conf.
Configure dnsmasq as above with "nameserver 127.0.0.1" in /etc/resolv.conf and run dnsmasq with the option resolv-file=/etc/ppp/resolv.conf.
On Redhat (at least versions 7.1, 7.2 and 7.3) you can set pppd options by adding "PPPOPTIONS=usepeerdns" to /etc/sysconfig/network-scripts/ifcfg-ippp0.
In the same file, make sure that "PEERDNS=no" to stop RedHat's network initscripts from copying /etc/ppp/resolv.conf into /etc/resolv.conf.
On SuSE (at least version 8.1, and 8.2) you should use YaST to activate [x] Modify DNS when connected, then stop SuSE's network initscripts from copying /etc/ppp/resolv.conf into /etc/resolv.conf by setting MODIFY_RESOLV_CONF_DYNAMICALLY="no" in /etc/sysconfig/network/config.
Automatic DNS server configuration with DHCP.
You need to get your DHCP client to write the address(es) of the DNS servers to a file other than /etc/resolv.conf.
For dhcpcd, the dhcpcd.exe script gets run with the addresses of the nameserver(s) in the shell variable $DNS.
The following bit of shell script uses that to write a file suitable for dnsmasq.
dnsservs=$(echo "$DNS" | sed 's/,/ /g')   # dhcpcd passes the servers comma-separated in $DNS
echo -n >|/etc/dhcpc/resolv.conf          # truncate the file (>| overrides noclobber)
for serv in $dnsservs; do
    echo "nameserver $serv" >>/etc/dhcpc/resolv.conf
done
Remember to give dhcpcd the -R flag to stop it overwriting /etc/resolv.conf.
For other DHCP clients it should be possible to achieve the same effect.
DHCP and PPP.
On a laptop which may potentially connect via a modem and PPP or ethernet and DHCP it is possible to combine both of the above configurations. Running dnsmasq with the flags resolv-file=/etc/ppp/resolv.conf resolv-file=/etc/dhcpc/resolv.conf makes it poll both files and use whichever was updated last. The result is automatic switching between DNS servers.
Integration with DHCP.
Dnsmasq reads /etc/hosts so that the names of local machines are available in DNS. This is fine when you give all your local machines static IP addresses which can go in /etc/hosts, but it doesn't work when local machines are configured via DHCP, since the IP address allocated to machine is not fixed. Dnsmasq comes with an integrated DHCP daemon to solve this problem.
The dnsmasq DHCP daemon allocates addresses to hosts on the network and tries to determine their names. If it succeeds it adds the name and address pair to the DNS. There are basically two ways to associate a name with a DHCP-configured machine: either the machine knows its name when it gets a DHCP lease, or dnsmasq gives it a name, based on the MAC address of its ethernet card. For the former to work, a machine needs to know its name when it requests a DHCP lease. For dhcpcd, the -h option specifies this. The names may be anything as far as DHCP is concerned, but dnsmasq adds some limitations. By default the names must not have a domain part, ie they must just be an alphanumeric name, without any dots. This is a security feature to stop a machine on your network telling DHCP that its name is "www.microsoft.com" and thereby grabbing traffic which shouldn't go to it. A domain part is only allowed by dnsmasq in DHCP machine names if the domain-suffix option is set, and the domain part must match the suffix.
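The rule in that paragraph, written out as a check, shows why the "www.microsoft.com" claim is rejected while a name qualified with the configured suffix is not. The function below is an added example, not dnsmasq's own code; it assumes that the hyphen DNS labels allow is accepted alongside letters and digits, and takes the configured domain-suffix, if any, as its second argument. The client names in the loop are constructed.

```shell
#!/bin/sh
# Added example (not dnsmasq's own code): the DHCP client-name check described in the
# text. Assumes hyphens are accepted in a label alongside letters and digits.
# Usage: dhcp_name_ok NAME [SUFFIX]; returns 0 if the name would be put into DNS.
dhcp_name_ok() {
    name=$1 suffix=$2
    label=${name%%.*}          # first label: everything before the first dot
    rest=${name#"$label"}      # remainder, starting with "." if a domain part exists
    case $label in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;   # empty, illegal characters, leading/trailing hyphen
    esac
    [ -z "$rest" ] && return 0                 # plain name without a domain part: accepted
    [ -n "$suffix" ] || return 1               # domain part but no domain-suffix configured: rejected
    [ "$rest" = ".$suffix" ]                   # domain part must equal the configured suffix
}

# Constructed names a client might claim, checked against a domain-suffix of example.com.
for n in mylaptop mylaptop.example.com www.microsoft.com 'bad name' -x; do
    if dhcp_name_ok "$n" example.com; then echo "accept: $n"; else echo "reject: $n"; fi
done
```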
As an aside, make sure not to tell DHCP to set the hostname when it obtains a lease (in dhcpcd that's the -H flag.) This is not reliable since the DHCP server gets the hostname from DNS which in this case is dnsmasq. There is a race condition because the host's name in the DNS may change as a result of it getting a DHCP lease, but this does not propagate before the name is looked up. The net effect may be that the host believes it is called something different to its name in the DNS. To be safe, set the hostname on a machine locally, and pass the same name to DHCP when requesting a lease.
Setting up a mailhub.
If you generate mail on the machines attached to your private network, you may be interested in the MX record feature of dnsmasq. This allows you to have all the machines on your network use your firewall or another machine as a "smarthost" and deliver mail to it. The details of how to set this up are highly dependent on your mailer, system and distribution. The only thing that's relevant to dnsmasq is that the mailer needs to be able to interrogate the DNS and find an MX record for your mailhub.
By giving dnsmasq the mx-host option you instruct dnsmasq to serve an MX record for the specified address. By default the MX record points to the machine on which dnsmasq is running, so mail delivered to that name will get sent to the mailer on your firewall machine. You can have the MX record point to another machine by using the mx-target option.
In some cases it's useful for all local machines to see an MX record pointing at themselves: this allows mailers which insist on an MX record and don't fall back to A records to deliver mail within the machine. These MX records are enabled using the selfmx option.
Using special servers.
Dnsmasq has the ability to direct DNS queries for certain domains to specific upstream nameservers.
This feature was added for use with VPNs but it is fully general.
The scenario is this:
you have a standard internet connection via an ISP, and dnsmasq is configured to forward queries to the ISP's nameservers; then you make a VPN connection into your company's network, giving access to hosts inside the company firewall.
You have access, but since many of the internal hosts aren't visible on the public internet, your company doesn't publish them in the public DNS and you can't get their IP addresses from the ISP nameservers.
The solution is to use the company's nameserver for private domains within the company, and dnsmasq allows this.
Assuming that internal company machines are all in the domain internal.myco.com
and the company's nameserver is at 192.168.10.1,
then the option server=/internal.myco.com/192.168.10.1 will direct all queries in the internal domain to the correct nameserver.
You can specify more than one domain in each server option.
If there is more than one nameserver just include as many server options as is needed to specify them all.
Sometimes people have local domains which they do not want forwarded to upstream servers at all.
This is accommodated by using server options without a server IP address.
To make this clearer, local is provided as a synonym for server: the option local=/localnet/ ensures that
any query for a name ending in .localnet (or for localnet itself) is answered, if possible, from /etc/hosts or DHCP leases, and is never sent to an upstream server.
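As an added illustration (this is not code from the dnsmasq project), the following Python script models how dnsmasq decides where a query goes from its server= and local= lines: the most specific matching domain wins, matching is on label boundaries, a domain with no address is answered only locally, and the special address # hands the query back to the standard upstream list. The embedded configuration is constructed for the example: internal.myco.com and 192.168.10.1 come from the text above, while 8.8.8.8, 192.168.10.2, 10.0.0.53, lab.internal.myco.com, myco.com, www.myco.com and localnet are made up.

```python
"""Model of dnsmasq's server=/local= query routing (added example, not
dnsmasq code).  Rules reproduced from dnsmasq(8):

  server=1.2.3.4                a standard upstream, used when no domain matches
  server=/dom/1.2.3.4           queries for dom and *.dom go to 1.2.3.4
  server=/dom1/dom2/1.2.3.4     several domains in one option
  server=/dom/  or  local=/dom/ no address: answered only from /etc/hosts or
                                DHCP leases, never forwarded
  server=/dom/#                 '#' means "use the standard upstreams"

When several domains match a name, the most specific (longest) one wins.
The unqualified-name rule (server=//addr) is not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Routing:
    default_servers: list = field(default_factory=list)
    # domain -> list of targets; '' means "answer locally", '#' means "use defaults"
    domain_servers: dict = field(default_factory=dict)


def parse_config(text):
    """Collect server=/local= lines from dnsmasq.conf-style text."""
    routing = Routing()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() not in ("server", "local"):
            continue
        value = value.strip()
        if value.startswith("/"):
            # "/dom1/dom2/addr" -> ['', 'dom1', 'dom2', 'addr'];  "/dom/" -> ['', 'dom', '']
            parts = value.split("/")
            target = parts[-1]                     # '', '#' or an address[#port]
            for dom in parts[1:-1]:
                dom = dom.strip().lower().strip(".")
                if dom:
                    routing.domain_servers.setdefault(dom, []).append(target)
        else:
            routing.default_servers.append(value)
    return routing


def route(routing, qname):
    """Return ('local', []) or ('forward', [targets]) for a query name."""
    name = qname.lower().rstrip(".")
    # Match on label boundaries only: 'localnet' matches 'a.localnet', not 'notlocalnet'.
    matches = [d for d in routing.domain_servers if name == d or name.endswith("." + d)]
    if not matches:
        return ("forward", list(routing.default_servers))
    best = max(matches, key=len)                   # most specific domain wins
    entries = routing.domain_servers[best]
    targets = []
    for t in entries:
        if t == "#":
            targets.extend(routing.default_servers)
        elif t:
            targets.append(t)
    if not targets and all(t == "" for t in entries):
        return ("local", [])                       # every entry was address-less
    return ("forward", targets)


# Constructed configuration for the example (only internal.myco.com and
# 192.168.10.1 come from the text; everything else is made up).
SAMPLE_CONFIG = """
# standard upstream, tried for anything not matched below
server=8.8.8.8
server=/internal.myco.com/192.168.10.1
server=/internal.myco.com/192.168.10.2
server=/lab.internal.myco.com/10.0.0.53
server=/myco.com/192.168.10.1
server=/www.myco.com/#
local=/localnet/
"""

if __name__ == "__main__":
    r = parse_config(SAMPLE_CONFIG)
    for q in ("host.internal.myco.com", "box.lab.internal.myco.com", "intranet.myco.com",
              "www.myco.com", "printer.localnet", "notlocalnet", "example.com"):
        print(f"{q:30} -> {route(r, q)}")
```

Note the notlocalnet case: a bare suffix test would leak queries meant for the outside world into the local-only rule (or the reverse), which is why the match insists on a dot before the configured domain.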
Defeating wildcards in top level domains.
In September 2003 Verisign installed a wildcard record in the .com and .net top level domains.
The effect of this was that queries for unregistered .com and .net names returned the address of Verisign's Site Finder service, rather than a "no such domain" (NXDOMAIN) response.
To restore the correct behaviour, you can tell dnsmasq the address of the Site Finder host and have it substitute an NXDOMAIN reply whenever an answer contains that address. The Site Finder address was 64.94.110.11, so the option bogus-nxdomain=64.94.110.11 enables this facility for Verisign. If other TLDs or ISPs do the same thing you can add their addresses too. Note that the match is purely on the returned address, so any legitimate host at that address becomes unresolvable as well. Verisign withdrew the wildcard in October 2003, but the option remains useful against resolvers that redirect NXDOMAIN to a search or advertising page. See the dnsmasq FAQ for more details on the bogus-nxdomain option.
Other configuration details.
By default dnsmasq offers DNS service on all the configured interfaces of a host.
It is likely that you do not (for instance) want to offer a DNS service to the world via an interface connected to an ADSL or cable modem,
so dnsmasq allows you to specify which interfaces it will listen on.
Use either the interface or the listen-address option to do this. Note that with interface alone dnsmasq still binds the wildcard address and discards queries that arrive on other interfaces; add bind-interfaces if the socket itself must be restricted, for example because another resolver has to bind the same port on a different address.
The filterwin2k option makes dnsmasq ignore certain DNS requests which Windows machines make every few minutes.
These requests generally do not get sensible answers in the global DNS and cause trouble by triggering dial-on-demand internet links.
Sending SIGHUP to the dnsmasq process will cause it to empty its cache and then re-read /etc/hosts and /etc/resolv.conf.
Sending SIGUSR1 (killall -10 dnsmasq) to the dnsmasq process will cause it to write cache usage statistics to the log, typically /var/log/syslog or /var/log/messages.
The log-queries option tells dnsmasq to verbosely log the queries it is handling, and also causes SIGUSR1 to trigger a complete dump of the contents of the cache to the syslog.
For a complete listing of options please take a look at the manpage dnsmasq(8).
Automating dnsmasq and resolvconf
Posted on 07 November 2013
I've been working a lot with dnsmasq for DNS forwarding recently, and have hit enough problems that I thought it would be worth writing about them.
On my current project, we're using Ubuntu 12.04, which uses dnsmasq as a local DNS cacher and forwarder, and resolvconf (the service as opposed to the resolv.conf file) to manage DNS server configuration.
Dnsmasq is a simple DNS forwarder.
It proxies multiple upstream DNS servers, adds caching, and can even serve up A records from an /etc/hosts-style configuration file.
Dnsmasq is configured by giving it an /etc/resolv.conf-style file with a list of nameservers.
It will regularly poll this file for changes, and change its forwarding behaviour accordingly.
Dnsmasq can also be configured to direct requests for particular domains to particular servers;
for example, if you want everything in mycompany.com to go to your internal office server, but everything else to go to public DNS servers, dnsmasq can do that for you.
Dnsmasq does NOT perform recursive DNS lookups;
you will still need some form of recursive DNS server upstream in order to achieve full DNS functionality.
resolvconf is part of the ubuntu-minimal install, which means that it's considered a pretty core part of the distribution these days. It's an evolution from the traditional /etc/resolv.conf file, which lists nameservers and search domains to use when resolving DNS names to IP addresses.
You associate a nameserver with a particular network interface with a line such as:
echo nameserver 192.0.2.6 | resolvconf -a IFACE.PROGNAME
where IFACE is an interface, and PROGNAME is the name of an associated program.
For example, dnsmasq registers itself with resolvconf under the lo.dnsmasq entry.
You can remove entries with resolvconf -d IFACE.PROGNAME.
Generally, you do not call resolvconf directly;
instead, it is called automatically as part of bringing up a network interface, starting a DNS service, or similar.
Each time an interface is added or removed, resolvconf updates the associated configuration files by running the scripts in the /etc/resolvconf/update.d directory; one of these, libc, updates the traditional /etc/resolv.conf file.
This is where I get to the problem I was facing.
I was trying to install and configure dnsmasq in a puppet run.
However, immediately after dnsmasq was installed, I would start getting name resolution errors, and the rest of the puppet run would fail.
But by the time I had logged onto the box to investigate, name resolution was working again! What was going on?
It turns out there's a bit of a race condition when starting dnsmasq, particularly for the first time. What happens is this:
1. /etc/init.d/dnsmasq starts the dnsmasq daemon. Dnsmasq, in its default configuration on Ubuntu, looks for upstream nameservers in /var/run/dnsmasq/resolv.conf. It checks for the file, finds it missing, and gives up for the moment; it will poll again later.
2. Once dnsmasq has started and returned, the init.d script registers 127.0.0.1 under lo.dnsmasq in resolvconf.
3. resolvconf runs its updates, generating configuration for dnsmasq in /var/run/dnsmasq/resolv.conf and also changing the standard libc resolver file /etc/resolv.conf to refer only to 127.0.0.1, i.e. the dnsmasq process.
4. At this point the dnsmasq service is the sole DNS server that the local resolver can see, but dnsmasq itself has not yet seen any upstream nameservers, so it cannot give any useful answers. This is where my puppet run starts failing.
5. After a few seconds, dnsmasq polls /var/run/dnsmasq/resolv.conf again and finally finds the upstream nameservers left for it by resolvconf in step #3 above.
6. I log into the machine, try to resolve a name, and everything works.
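A practical guard against this race, written here as an added example (it is not the post author's code, nor part of dnsmasq, resolvconf or puppet): have the provisioning step wait until the file dnsmasq reads its upstreams from actually lists a usable nameserver before anything else tries to resolve names. The function below polls the file the way dnsmasq itself does, treats a file that only names 127.0.0.1 as "not ready" (dnsmasq forwarding to itself would loop), and gives up with a TimeoutError. The path /var/run/dnsmasq/resolv.conf is the one named above; the read/sleep/clock parameters and the simulate_startup_race function are hypothetical additions that exist only so the race can be replayed without touching the filesystem, and the resolv.conf text inside it is constructed.

```python
"""Wait for dnsmasq's upstream list to be populated before continuing a
provisioning run (added example; not code from the post, dnsmasq or resolvconf)."""
import sys
import time

UPSTREAM_FILE = "/var/run/dnsmasq/resolv.conf"   # path named in the post
LOOPBACK = {"127.0.0.1", "::1"}


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text, in file order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # both comment styles
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def usable_upstreams(text):
    """Upstreams dnsmasq could forward to: a loopback entry would make it ask itself."""
    return [s for s in parse_nameservers(text) if s not in LOOPBACK]


def read_text(path):
    """Contents of path, or '' while resolvconf has not written it yet."""
    try:
        with open(path) as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


def wait_for_upstream(path=UPSTREAM_FILE, timeout=30.0, interval=0.5,
                      read=read_text, sleep=time.sleep, clock=time.monotonic):
    """Poll path until it lists a usable upstream; return the list or raise TimeoutError.
    read/sleep/clock are injectable (hypothetical parameters, not a dnsmasq API) so the
    race can be replayed offline."""
    deadline = clock() + timeout
    while True:
        found = usable_upstreams(read(path))
        if found:
            return found
        if clock() >= deadline:
            raise TimeoutError(f"{path}: no usable upstream nameserver after {timeout}s")
        sleep(interval)


def simulate_startup_race(empty_polls=3):
    """Replay the post's sequence against a fake file: empty for the first polls
    (resolvconf has not run yet), then populated.  Returns (servers, polls_made)."""
    reads = []
    # Constructed content; the 127.0.0.1 line shows the loopback filter at work.
    ready = "nameserver 127.0.0.1  # dnsmasq itself\nnameserver 192.0.2.6\n"

    def fake_read(path):
        reads.append(path)
        return ready if len(reads) > empty_polls else ""

    t = [0.0]

    def fake_sleep(seconds):
        t[0] += seconds

    servers = wait_for_upstream("/fake/resolv.conf", timeout=10, interval=0.5,
                                read=fake_read, sleep=fake_sleep, clock=lambda: t[0])
    return servers, len(reads)


if __name__ == "__main__":
    # e.g. run from a puppet exec right after the dnsmasq package is installed
    limit = float(sys.argv[1]) if len(sys.argv) > 1 else 30.0
    try:
        print("upstreams:", wait_for_upstream(timeout=limit))
    except TimeoutError as exc:
        sys.exit(str(exc))
```

Waiting on the file rather than on a fixed sleep keeps the provisioning run honest: if resolvconf never writes the file (for example because IGNORE_RESOLVCONF is set), the step fails loudly with the path in the message instead of letting later steps fail on an unrelated-looking name resolution error.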