When you want a good reliable and easy-to-configure LAN name server, try Dnsmasq. Dnsmasq does DHCP, DNS, DNS caching, and TFTP, so it’s four servers in one. If you have no public servers it should meet all of your needs, and it’s a great complement to an authoritative name server. In this tutorial we’ll learn how to deliver all network configurations to our LAN hosts through DHCP.
All of your network hosts must have their own hostnames, and be configured to get their network configurations via DHCP (dynamic host configuration protocol.) If you have some machines with static IP addresses Dnsmasq can incorporate them as well, so there is no need to change them. You should have a correctly-configured network, and all hosts able to ping each other.
A Bit of Terminology
Let’s review some basic terms so we know what the heck we’re talking about.
An authoritative name server is for publishing the addresses of public servers. If you have an Internet-facing server such as a Web site, mail server, or FTP server, then somewhere there is an authoritative server that advertises their IP addresses and names. This may be an authoritative DNS (domain name services) server on your premises, or managed by a third party like your Internet service provider or a hosting service. You can query any public server with the
dig command to see how its name and IP address are matched up:
$ dig +nocmd www.linux.com +noall +answer www.linux.com. 5276 IN A 22.214.171.124 www.linux.com. 5276 IN A 126.96.36.199
Think of an authoritative DNS server as the master address book for an Internet domain. This address book is copied to the world’s root DNS servers, and then copied by countless other servers all over the Internet. It is a beautiful distributed system that provides speed and fault-tolerance. Keeping authoritative servers completely separate from the other types of name servers — recursive and caching — is a fundamental security practice. So you might use BIND, PowerDNS, or MaraDNS for your authoritative server, and Dnsmasq for private LAN name services and caching.
A dns cache is a local copy of the addresses of sites you have visited. This speeds up your network performance because network applications don’t have to wait for DNS queries to be answered by remote servers.
A recursive name server is the one that looks up the address of sites you want to visit. Recursive and cache functions are often combined in the same server. For example, when you configure the DNS for your Internet account, your ISP’s DNS servers are most likely recursive and caching servers. Public DNS servers like Google Public DNS and OpenDNS are recursive and caching servers. Sometimes you get can speed up your Internetworking by using different third-party servers; try Namebench to help you find the fastest ones. Dnsmasq is not a recursive name server, but it can be configured to query any recursive server you want.
Trivial File Transfer Protocol (TFTP) is a very simple, insecure FTP server used inside private networks for network booting of PCs and embedded devices like routers and VoIP (voice over IP) endpoints.
Dnsmasq is configured in
/etc/dnsmasq.conf. I recommend copying the original to keep as a reference, and start over with a blank file. Every time you make a change to dnsmasq.conf you have to restart Dnsmasq. In these here modern times there are multiple ways to do this, hurrah, though running
/etc/init.d/dnsmasq restart still works on most distros.
For this article let’s assume a small network with two subnets: one wired and one wireless, at 192.168.1.0 and 192.168.2.0. Dnsmasq is installed on a LAN router with both wired and wireless interfaces at 192.168.1.10 and 192.168.2.10. First let’s take care of some important global settings:
#/etc/dnsmasq.conf domain-needed bogus-priv domain=mydomain.net expand-hosts local=/mydomain.net/ listen-address=127.0.0.1 listen-address=192.168.1.10 listen-address=192.168.2.10 bind-interfaces
domain-needed blocks incomplete requests from leaving your network, such as google instead of google.com.
bogus-priv prevents non-routable private addresses from being forwarded out of your network. Using these is simply good netizenship.
Set your private domain name with
mydomain with any domain name your heart desires. You don’t need to register it with a domain name registrar because it’s private and never leaves your LAN.
expand-hosts directive adds the domain name to your hostnames, so you get fully-qualified domain names like hostname.mydomain.net. Again, these are completely arbitrary and can be whatever you want.
local=/mydomain.net/ ensures that queries for your private domain are only answered by Dnsmasq, from
/etc/hosts or DHCP.
listen-address directive tells Dnsmasq which interface or interfaces to listen on. Always use
listen-address because you don’t want Dnsmasq exposed to the wrong networks, and especially not the Internet. Always include the loopback address. You could use the
interface= directive instead, for example
interface=eth0, but the Linux kernel doesn’t always bring up network interfaces with the same names after reboot. If you have more than one NIC the names could get changed, and then your name services will be messed up.
bind-interfaces directive ensures that Dnsmasq will listen only to the addresses specificied with
Now let’s set up DHCP for our two subnets. This is so easy you will dance for joy:
I like to reserve addresses below .100 for servers. This example supplies a hundred DHCP addresses per subnet. Note that they are labeled with the tags lan and wifi. This is a brilliantly simple system that simplifies delivering different services to different subnets, as in the following examples:
#set default gateway dhcp-option=lan,3,192.168.1.50 dhcp-option=wifi,3,192.168.2.50 #set DNS server dhcp-option=lan,6,192.168.1.10 dhcp-option=wifi,6,192.168.2.10
The first stanza sets the default route for each subnet. The number 3 tag means router. You can see all the tag numbers with the
dnsmasq --help dhcp command. The second stanza tells our LAN clients to get their DNS from the Dnsmasq server.
Upstream Name Servers
You need to tell Dnsmasq where to forward Internet DNS requests. This could be your ISP’s nameservers, or any DNS service you want to use. It is good to use at least two completely different services. This example uses Google Public DNS and OpenDNS:
server=188.8.131.52 server=184.108.40.206 server=220.127.116.11
Static IP Addresses
Dnsmasq painlessly incorporates hosts with static IP addresses into your local DNS. Suppose you have three servers with static addresses; all you do is add them to the
/etc/hosts file on the Dnsmasq server:
127.0.0.1 localhost 192.168.1.15 server1 192.168.1.16 server2 192.168.1.17 server3
Always include the localhost line.
You can enable Dnsmasq’s built-in TFTP server by adding this line to
And then you’ll need to set up your boot directory and pxelinux configuration, which is a subject for another day. If you already have a working TFTP/pxelinux server, then point Dnsmasq to it like this, using your own server name and address:
Once again we have run out of paper and it is time to end. Please visit Dnsmasq to learn more about this excellent server.