dnsmasq
dnsmasq provides a DNS server, a DHCP server with DHCPv6 and PXE support, and a TFTP server. It is designed to be lightweight and to have a small footprint, making it suitable for resource-constrained routers and firewalls. dnsmasq can also be configured to cache DNS queries, which speeds up DNS lookups for previously visited sites.
Installation
Starting the daemon
Start/enable dnsmasq.service.
To check whether dnsmasq started correctly, inspect the system journal:
# journalctl -u dnsmasq.service
You also need to restart the network so that DHCP clients can create a new /etc/resolv.conf.
Configuration
To configure dnsmasq, edit /etc/dnsmasq.conf. The file contains comments explaining the options. See dnsmasq(8) for all available options.
To disable the DNS server, add:
port=0
If dnsmasq is not used as the local DNS resolver, you also need to edit dnsmasq.service so that it does not pull in nss-lookup.target:
/etc/systemd/system/dnsmasq.service.d/no-nss-lookup-target.conf
[Unit]
Wants=
After editing the configuration file, check it for syntax errors:
$ dnsmasq --test
DNS server
To set up dnsmasq as a DNS caching daemon on a single computer, specify the listen-address directive with the localhost IP addresses:
listen-address=::1,127.0.0.1
To have this computer also listen on its LAN IP address for other computers on the network, a static LAN IP is recommended. For example:
listen-address=::1,127.0.0.1,192.168.1.1
Use cache-size=size to set the number of cached domain names (the default is 150, the hard limit is 10000):
cache-size=1000
To validate DNSSEC, load the DNSSEC trust anchors shipped with the dnsmasq package and set the dnssec option:
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
See dnsmasq(8) for more options.
DNS addresses file and forwarding
After configuring dnsmasq, the localhost addresses need to be added as the only nameservers in /etc/resolv.conf. This causes all queries to be sent to dnsmasq.
Because dnsmasq is a stub resolver and not a recursive resolver, forwarding to external DNS servers must be set up. This can be done automatically with openresolv, or by manually specifying the DNS servers in dnsmasq's configuration.
openresolv
If your network manager supports resolvconf rather than changing /etc/resolv.conf directly, openresolv can be used to generate dnsmasq's configuration files.
Edit /etc/resolvconf.conf, add the loopback addresses as nameservers, then configure openresolv to write out the dnsmasq configuration:
/etc/resolvconf.conf
# Use the local nameserver
name_servers="::1 127.0.0.1"
resolv_conf_options="trust-ad"
# Write out dnsmasq extended configuration and resolv files
dnsmasq_conf=/etc/dnsmasq-conf.conf
dnsmasq_resolv=/etc/dnsmasq-resolv.conf
Run resolvconf -u to create the configuration files. If the files do not exist, dnsmasq.service cannot start.
Edit dnsmasq's configuration file to use the configuration generated by openresolv [1]:
# Read the configuration files generated by openresolv
conf-file=/etc/dnsmasq-conf.conf
resolv-file=/etc/dnsmasq-resolv.conf
Manual forwarding
First, the localhost addresses must be set as the only nameservers in /etc/resolv.conf:
/etc/resolv.conf
nameserver ::1
nameserver 127.0.0.1
options trust-ad
Make sure /etc/resolv.conf is not modified; see Domain name resolution#Overwriting of /etc/resolv.conf for details.
Then set server=server_address in dnsmasq's configuration file to specify the upstream DNS server address. Also add no-resolv so that dnsmasq does not needlessly read /etc/resolv.conf, which now contains only the localhost addresses.
/etc/dnsmasq.conf
[...]
no-resolv
# Example: Google's nameservers
server=8.8.8.8
server=8.8.4.4
Now DNS queries are resolved by dnsmasq, and the external servers are consulted only when the cache has no answer for a query.
Adding a custom domain
Hosts in a custom domain can be added to the (local) network:
local=/lan/
domain=lan
In this example, hosts/devices (defined in the /etc/hosts file) can be pinged as hostname.lan.
Uncomment expand-hosts to add the custom domain to the hosts entries:
expand-hosts
Without this setting, the domain must be added to the entries in /etc/hosts.
Testing
To do a lookup speed test, choose a website that has not been visited since dnsmasq was started (drill is part of the ldns package):
$ drill archlinux.org | grep "Query time"
Running the command again uses the cached DNS IP; if dnsmasq is set up correctly, the lookup time should be shorter:
$ drill archlinux.org | grep "Query time"
;; Query time: 18 msec
$ drill archlinux.org | grep "Query time"
;; Query time: 2 msec
To test whether DNSSEC validation is working, see DNSSEC#Testing.
DHCP server
By default, dnsmasq's DHCP functionality is disabled; it must be enabled if you want to use it. The important settings are:
# Only listen on the router's LAN NIC. This opens tcp/udp port 53 to localhost and udp port 67 to the world:
interface=enp0s0
# dnsmasq will open tcp/udp port 53 and udp port 67 to the world to help with dynamic interfaces (assigning dynamic IPs).
# dnsmasq will discard all such requests, but some may prefer to close them and let the kernel handle it.
bind-interfaces
# Set the domain name (optional)
domain=example.org
# Set the default gateway
dhcp-option=3,0.0.0.0
# Set the DNS servers to announce
dhcp-option=6,0.0.0.0
# If the dnsmasq server also performs routing for the network, option 121 can be used to push static routes.
# x.x.x.x is the destination LAN, yy is the CIDR notation (usually /24), z.z.z.z is the host doing the routing.
dhcp-option=121,x.x.x.x/yy,z.z.z.z
# Dynamic IP range and lease time offered to LAN PCs.
# It is recommended to set the lease time to 5m first, so everything can be tested before setting persistent records.
dhcp-range=192.168.111.50,192.168.111.100,12h
# Offer IPv6 DHCP leases, constructing the range from the network interface's prefix
dhcp-range=::f,::ff,constructor:enp0s0
# If you want dnsmasq to assign fixed IPs to some clients, bind the NIC MAC addresses of the LAN computers:
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.111.50
dhcp-host=aa:bb:cc:ff:dd:ee,192.168.111.51
See dnsmasq(8) for more options.
Proxy DHCP
In case there is already a DHCP server running on the network and you want to interoperate with it, dnsmasq can be set to behave as a "proxy DHCP", therefore only serving the #PXE server specific information to the client. This mode is only available with IPv4. Use the following syntax, providing the existing DHCP server address:
dhcp-range=192.168.0.1,proxy
Test
From a computer that is connected to the one with dnsmasq on it, configure it to use DHCP for automatic IP address assignment, then attempt to log into the network normally.
If you inspect the /var/lib/misc/dnsmasq.leases file on the server, you should be able to see the lease.
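As an added example (not code from the wiki or from the dnsmasq project), the following POSIX shell script summarises the IPv4 leases in a leases file so that a lease can be checked without reading the raw file. It assumes the usual five-field lease line (expiry as a Unix timestamp, MAC address, IPv4 address, hostname or *, client-id or *), skips the duid line dnsmasq writes for DHCPv6, and reads a constructed sample file in place of /var/lib/misc/dnsmasq.leases.

```shell
#!/bin/sh
# Added example: list IPv4 leases from a dnsmasq leases file.
# Assumed line layout (one lease per line):
#   <expiry epoch> <MAC> <IPv4> <hostname or *> <client-id or *>
# Lines of a different shape (e.g. the "duid ..." line kept for DHCPv6) are skipped.

# Constructed sample, standing in for /var/lib/misc/dnsmasq.leases.
SAMPLE_LEASES="$(mktemp)"
cat >"$SAMPLE_LEASES" <<'EOF'
duid 00:01:00:01:2a:2b:2c:2d:aa:bb:cc:dd:ee:ff
1700000000 aa:bb:cc:dd:ee:ff 192.168.111.50 laptop 01:aa:bb:cc:dd:ee:ff
1700003600 aa:bb:cc:ff:dd:ee 192.168.111.51 * *
EOF

# Print "IP MAC hostname expires=<epoch>" for every IPv4 lease in file $1.
list_leases() {
    awk 'NF == 5 && $1 ~ /^[0-9]+$/ {
        host = ($4 == "*") ? "(no hostname)" : $4
        printf "%s %s %s expires=%s\n", $3, $2, host, $1
    }' "$1"
}

# Print the IPv4 address leased to MAC $2 in file $1 (nothing if there is none).
lease_for_mac() {
    awk -v mac="$2" 'NF == 5 && $1 ~ /^[0-9]+$/ && $2 == mac { print $3 }' "$1"
}

# Print the number of IPv4 leases in file $1.
count_leases() {
    awk 'NF == 5 && $1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }' "$1"
}

list_leases "$SAMPLE_LEASES"
```

On a real server, point the functions at /var/lib/misc/dnsmasq.leases; the expiry column is what dnsmasq compares against the current time, so a lease whose timestamp is in the past is no longer valid even though the line is still present.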
TFTP server
dnsmasq has a built-in TFTP server.
To use it, create a root directory for TFTP (e.g. /srv/tftp) to put the transferable files in.
enable-tftp
tftp-root=/srv/tftp
For increased security it is advised to use dnsmasq's TFTP secure mode. In secure mode only files owned by the dnsmasq user will be served over TFTP. You will need to chown the TFTP root and all files in it to the dnsmasq user to use this feature.
tftp-secure
See dnsmasq(8) for more options.
PXE server
PXE requires a DHCP and a TFTP server; both can be provided by dnsmasq. To set up the PXE server, follow these steps:
- Set up the #TFTP server and the #DHCP server (in full DHCP or proxy mode) in the dnsmasq configuration file,
- Copy and configure a PXE compatible bootloader (e.g. PXELINUX) in the TFTP root directory,
- Enable PXE in the dnsmasq configuration file:
To simply send one file:
dhcp-boot=lpxelinux.0
To send a file depending on client architecture:
pxe-service=x86PC,"PXELINUX (BIOS)",bios/lpxelinux
pxe-service=X86-64_EFI,"PXELINUX (EFI)",efi64/syslinux.efi
- File paths are relative to the TFTP root path
- If the file has a .0 suffix, you must exclude the suffix in pxe-service options
In case pxe-service does not work to identify the architecture (especially for UEFI-based clients), a combination of dhcp-match and dhcp-boot can be used. See RFC 4578 section 2.1 for more client-arch numbers for use with the DHCP boot protocol.
dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-match=set:efi-x86_64,option:client-arch,9
dhcp-match=set:efi-x86,option:client-arch,6
dhcp-match=set:bios,option:client-arch,0
dhcp-boot=tag:efi-x86_64,efi64/syslinux.efi
dhcp-boot=tag:efi-x86,efi32/syslinux.efi
dhcp-boot=tag:bios,bios/lpxelinux.0
See dnsmasq(8) for more options.
The rest is up to the bootloader.
Tips and tricks
Prevent OpenDNS redirecting Google queries
To prevent OpenDNS from redirecting all Google queries to their own search server, add to /etc/dnsmasq.conf:
server=/www.google.com/<ISP DNS IP>
Override addresses
In some cases, such as when operating a captive portal, it can be useful to resolve specific domain names to a hard-coded set of addresses. This is done with the address option:
address=/example.com/1.2.3.4
Furthermore, it is possible to return a specific address for all domain names that are not answered from /etc/hosts or DHCP by using a special wildcard:
address=/#/1.2.3.4
More than one instance
Two or more dnsmasq servers can be run at the same time, each serving its own interface(s).
Static
To do this statically, with one server per interface, use the interface and bind-interfaces options. Because each instance then binds only to its own interface's addresses instead of the wildcard address, a second dnsmasq can be started on another interface.
Dynamic
In this case, exclude specific interfaces and bind dynamically to all others:
except-interface=lo
bind-dynamic
Domain blocklisting
To blocklist domains, i.e. answer queries for them with NXDOMAIN, use the address option without specifying an IP address:
address=/blocked.example/
address=/anotherblocked.example/
Unlike with the /etc/hosts file, dnsmasq will block these domains and also all subdomains such as subdomain.blocked.example. Wildcards are also supported. Add a * to the start of the pattern:
# blocks both blocked.example and anotherblocked.example and all their subdomains
address=/*blocked.example/
# blocks subdomains like mail.google.com but not google.com
address=/*.google.com/
Some specific subdomains can be unblocked by using # as the server address:
# blocks google.com and all subdomains except mail.google.com.
address=/google.com/
server=/mail.google.com/#
- The options address=/example.com/ and server=/example.com/ are equivalent. Both will answer queries for them with NXDOMAIN.
- The options address=/example.com/# and server=/example.com/# are not equivalent. address=/example.com/# will answer queries for the domain with the NULL address (0.0.0.0 or :: for IPv6). server=/example.com/# will send queries for the domain to the standard configured servers.
- The patterns /example.com/ and /.example.com/ are equivalent. Both will match example.com and all its subdomains.
For ease of use, place the blocklist in a separate file, e.g. /etc/dnsmasq.d/blocklist.conf, and load it from /etc/dnsmasq.conf with conf-file=/etc/dnsmasq.d/blocklist.conf or conf-dir=/etc/dnsmasq.d/,*.conf.
- A list of potential sources for the blocklist can be found in OpenWrt's adblock package's README.
- A hosts file blocklist can be used with the addn-hosts=hosts.txt option, or it can be converted to a dnsmasq blocklist with this awk command: awk '/^[^#]/ { print "address=/"$2"/"$1"" }' hosts.txt
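As an added example that is not the wiki's own, the following shell script converts a hosts-format blocklist into address= lines. Compared with the awk one-liner above it also drops comments (full-line and trailing), blank lines and the loopback/localhost entries such files usually carry, handles several names on one line, deduplicates, and emits address=/name/ without an address so that dnsmasq answers NXDOMAIN instead of returning the IP from the hosts file. The input is a constructed sample.

```shell
#!/bin/sh
# Added example: turn a hosts-format blocklist into dnsmasq address=/name/ lines.

# Constructed sample blocklist in hosts format.
SAMPLE_HOSTS="$(mktemp)"
cat >"$SAMPLE_HOSTS" <<'EOF'
# constructed hosts-format blocklist
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 blocked.example   # trailing comment
0.0.0.0 anotherblocked.example tracker.anotherblocked.example

0.0.0.0 0.0.0.0
EOF

# hosts_to_blocklist <hosts file>
# Prints one address=/name/ line per distinct hostname, skipping the entries a
# hosts file carries for the local machine.
hosts_to_blocklist() {
    awk '
        { sub(/#.*/, "") }        # strip full-line and trailing comments
        NF < 2 { next }           # blank lines and lines with no hostname
        {
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                # local-machine entries that must not be blocked
                if (name ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-[a-z]+|0\.0\.0\.0)$/) continue
                # only plausible hostnames, each emitted once
                if (name ~ /^[a-z0-9.-]+$/ && !seen[name]++) print "address=/" name "/"
            }
        }' "$1"
}

# Print how many address= lines the converter produces for file $1.
count_blocklist_entries() {
    hosts_to_blocklist "$1" | wc -l | tr -d ' '
}

hosts_to_blocklist "$SAMPLE_HOSTS"
```

Redirect the output to a file such as /etc/dnsmasq.d/blocklist.conf and load it as described above; running dnsmasq --test afterwards confirms that every generated line parses.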