Dnsmasq
Dnsmasq is a small utility designed to provide DNS (domain name) services to a
small network connected to the internet via a NAT (network address translation,
aka IP-masquerade) firewall and a part-time, i.e. modem, connection.
Since a NAT firewall will pass DNS queries, it is perfectly possible for all the
machines on such a network to be configured to talk directly to the ISP's name
server, and the HOWTO recommends doing exactly that. Such a scheme has a few
problems, which dnsmasq solves.
When the modem link is down, clients which try to do DNS lookups wait a
long time for the transaction to time out.
Since the names of the machines on the firewalled net are not in the global
DNS, they have to be put into the /etc/hosts file of every machine, and kept
in step there.
Dnsmasq runs on the firewall machine and acts as a forwarder for DNS requests.
Since it uses the standard libc calls to look up host names, it can resolve
local hostnames from the /etc/hosts file on the firewall: none of the other
machines needs an /etc/hosts listing all the local machines. When the PPP link
is down, lookups fail immediately rather than after a long timeout.
Dnsmasq contains a small and simple cache of name<->IP translations. The most
recently used names are kept in the cache and queries are answered from the
cache if possible. This speeds things up and reduces the load on the ISP's
DNS server. Both forward (name->IP) and reverse (IP->name) lookups are served
from the cache. By default the cache holds 200 names; this can be overridden
using the -c command-line option. Sending a SIGHUP to the dnsmasq process
causes it to clear the cache. The process-id is stored in /var/run/dnsmasq.pid.
Dnsmasq has one further feature: it can be configured to return an MX record
for the firewall host. This makes it easy to configure the mailer on the local
machines to forward all mail to the central mailer on the firewall host. Never
lose root messages from your machines again.
Download.
Download dnsmasq here. The tarball includes this documentation, the source, and
binaries linked against glibc 2.1 for Linux-i386 and Linux-alpha.
If you wish to compile the source yourself, the following command is enough.
gcc -o dnsmasq dnsmasq.c
Installation.
Dnsmasq should be run on your firewall machine (the machine with the modem
connection to your ISP).
Put the binary in /usr/local/sbin/dnsmasq and arrange for it
to be started at boot time. On my Debian machine I put a file in
/etc/rc.boot called dnsmasq, containing the following.
#!/bin/sh
/usr/local/sbin/dnsmasq
Note that dnsmasq needs to run as root, since it binds privileged ports. It
logs problems via syslog, using the daemon facility. Since the firewall machine
is also the one with the internet connection, make sure your packet filter does
not let the outside world reach UDP or TCP port 53 on the external interface:
a forwarder that answers anyone is an open resolver for the whole internet, not
just for your network.
Put the address(es) of your ISP's DNS server(s) in /etc/resolv.conf on the
firewall machine, and the names and internal network addresses of all your
machines in /etc/hosts on the firewall machine.
All the other machines on your network can simply have their own name and
localhost in /etc/hosts, and should have the address of the firewall machine on
the internal network as the only nameserver in /etc/resolv.conf. For Windows
machines, use the Network applet in the Control Panel to set the DNS server
address to the address of the firewall machine.
Setting up a mailhub.
If you generate mail on the machines attached to your private network, you may
be interested in the MX record feature of dnsmasq. This allows you to have all
the machines on your network use your firewall machine as a "smarthost" and
deliver mail to it. The details of how to set this up are highly dependent on
your mailer, system and distribution. (On Debian GNU/Linux, using the
smail mailer, there's an option in the smailconfig program to set up this
configuration.) The only thing that's relevant to dnsmasq is that the mailer
needs to be able to interrogate the DNS and find an MX record for your mailhub.
By starting dnsmasq with the -m option
dnsmasq -m mailhubname
you instruct dnsmasq to serve an MX record for mailhubname.
The MX record always
points to the machine on which dnsmasq is running, so mail delivered to that
name will get sent to the mailer on your firewall machine.
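To make the behaviour described above concrete (the forwarder answering local names from the firewall's /etc/hosts, the 200-entry most-recently-used cache cleared by SIGHUP, fast failure when the link is down, and the -m style MX record that always points at the dnsmasq host), here is a small caching forwarder written for this page as an added example. It is not dnsmasq's own code (dnsmasq is the C program compiled above) and it is Python rather than C so the pieces are easy to read. Everything in it is an assumption made for illustration: the upstream callable stands in for the ISP's server and returns None to model a down PPP link, the host table and the names fw.lan, pc1.lan, mailhub.lan and host.example are constructed, and the wire format is handled only far enough for single-question A, PTR and MX queries.

```python
import collections
import signal
import socket
import struct

TYPE_A, TYPE_PTR, TYPE_MX, CLASS_IN = 1, 12, 15, 1
RCODE_OK, RCODE_SERVFAIL, RCODE_NXDOMAIN, RCODE_NOTIMP = 0, 2, 3, 4
CACHE_SIZE = 200                                       # dnsmasq's default, overridden with -c

def encode_name(name):
    """'pc1.lan' -> b'\\x03pc1\\x03lan\\x00' (uncompressed wire form)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(pkt, off):
    """Read an uncompressed name at pkt[off:]; return (name, offset just past it)."""
    labels = []
    while pkt[off]:
        length = pkt[off]
        if length >= 64 or len(labels) >= 127:         # compression pointer or oversized name: reject
            raise ValueError("bad or compressed label")
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), off + 1

def rr(name, rtype, value, ttl=60):
    # One answer record; value is an IP string for A, a host name for PTR and MX.
    if rtype == TYPE_A:
        rdata = bytes(int(octet) for octet in value.split("."))
    else:                                              # MX carries a 16-bit preference (1) before the name
        rdata = (struct.pack("!H", 1) if rtype == TYPE_MX else b"") + encode_name(value)
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def parse_query(pkt):
    """Return (id, qname, qtype, raw question section); reject anything but a single-question query."""
    qid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:                 # QR set means this is a response, not a query
        raise ValueError("not a single-question query")
    qname, off = decode_name(pkt, 12)
    qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    return qid, qname, qtype, pkt[12:off + 4]

def build_response(qid, question, answers, rcode):
    hdr = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(answers), 0, 0)   # QR, RD, RA set
    return hdr + question + b"".join(answers)

class Forwarder:
    def __init__(self, hosts, upstream, mailhub=None, own_name=None):
        self.hosts = {n.lower(): ip for n, ip in hosts.items()}          # the firewall's /etc/hosts
        self.rev = {".".join(reversed(ip.split("."))) + ".in-addr.arpa": n for n, ip in self.hosts.items()}
        self.upstream = upstream     # hypothetical: callable(qname, qtype) -> values, or None when the link is down
        self.mailhub, self.own_name = (mailhub or "").lower(), own_name
        self.cache = collections.OrderedDict()                           # (qname, qtype) -> values, LRU order

    def clear_cache(self, *_):       # extra args let this double as the SIGHUP handler
        self.cache.clear()

    def resolve(self, qname, qtype):
        qname, key = qname.lower(), (qname.lower(), qtype)
        if qtype == TYPE_A and qname in self.hosts:
            return [self.hosts[qname]], "hosts"
        if qtype == TYPE_PTR and qname in self.rev:
            return [self.rev[qname]], "hosts"
        if qtype == TYPE_MX and qname == self.mailhub:
            return [self.own_name], "mx"                 # the MX always points at the dnsmasq host itself
        if key in self.cache:
            self.cache.move_to_end(key)                  # most recently used moves to the tail
            return self.cache[key], "cache"
        values = self.upstream(qname, qtype)
        if values is None:
            return [], "fail"                            # link down: fail now instead of timing out
        if values:
            self.cache[key] = values
            if len(self.cache) > CACHE_SIZE:
                self.cache.popitem(last=False)           # evict the least recently used entry
        return values, "upstream"

    def handle(self, pkt):
        qid, qname, qtype, question = parse_query(pkt)
        if qtype not in (TYPE_A, TYPE_PTR, TYPE_MX):
            return build_response(qid, question, [], RCODE_NOTIMP)
        values, source = self.resolve(qname, qtype)
        rcode = RCODE_SERVFAIL if source == "fail" else RCODE_NXDOMAIN if not values else RCODE_OK
        return build_response(qid, question, [rr(qname, qtype, v) for v in values], rcode)

def serve(fwd, listen_addr, port=53):
    """Bind to the internal address only: a forwarder reachable from outside is an open resolver."""
    signal.signal(signal.SIGHUP, fwd.clear_cache)        # SIGHUP empties the cache, as with dnsmasq
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((listen_addr, port))                       # port 53 needs root
    while True:
        pkt, peer = sock.recvfrom(512)
        try:
            sock.sendto(fwd.handle(pkt), peer)
        except (ValueError, IndexError, struct.error, UnicodeDecodeError):
            pass                                         # malformed query: drop it, don't crash the daemon
```

To run it on a firewall host you would build a Forwarder from the contents of /etc/hosts, pass a real upstream that sends the question to the ISP's server listed in /etc/resolv.conf, and call serve() with the firewall's internal address; binding to that address rather than to every interface is the same precaution as blocking port 53 on the outside. Two details are deliberate: parse_query refuses packets with the QR bit set, so the forwarder cannot be made to answer (and amplify) spoofed responses, and decode_name refuses compression pointers and over-long names, so a malformed query is dropped instead of sending the loop into an exception or an unbounded walk.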
License.
Dnsmasq is distributed under the GPL. See the file COPYING in the distribution
for details.
Contact.
Dnsmasq was written by Simon Kelley. You can contact me at simon@thekelleys.org.uk. Bug reports, patches, and suggestions for improvements gratefully accepted.