Caching DNS using Dnsmasq

Dnsmasq  Linux  Security  App 

 16 Jun 2018 - Turkey


Follow
Follow
Follow

5 minutes to read

For BOOK information:

BIOMIMETICTECHNOLOGY IMITATES NATURE

How to speed up the internet through caching DNS on Linux machines with Dnsmasq

Dnsmasq is a lightweight DHCP and DNS caching nameserver. Unlike BIND, dnsmasq is incredibly simple to get up and running. The benefits of adding this will be quite obvious (like your DNS queries getting dramatically faster).

I want to walk you through the steps of installing and configuring dnsmasq.

Installation

The first thing you must do is install dnsmasq.

Once that command completes, the software is installed and ready to be configured.

Browsers • Dnsmasq.

Configuration

There are three files that must be configured. The first is /etc/dnsmasq.conf. Open that file in your text editor of choice and look for the line:

#listen-address=
#resolv-file=

Change the above lines to:

listen-address=127.0.0.1
resolv-file=/etc/resolv-dnsmasq.conf

Optionally, you could increase the cache size for dnsmasq. Look for the line #cache-size=150. Remove the # and change the 150 to 1000 or whatever size you might need (there is a hard-limit of 10000).

Save and close the file.

DNS • Dnsmasq.

Next open up the file /etc/dhcp/dhclient.conf. Look for the line supersede domain-search "example.com", "isc.org"; and make sure the following section looks exactly like this:

prepend domain-name-servers 127.0.0.1;
request subnet-mask, broadcast-address, time-offset, routers,
domain-name, domain-name-servers, domain-search, host-name,
netbios-name-servers, netbios-scope, interface-mtu,
rfc3442-classless-static-routes, ntp-servers,
dhcp6.domain-search, dhcp6.fqdn,
dhcp6.name-servers, dhcp6.sntp-servers;

Save and close that file.

Open up your /etc/NetworkManager/NetworkManager.conf file and make sure that it includes (at least) the line:

[main]
plugins=ifupdown,keyfile
dns=dnsmasq

Finally, open up your /etc/resolv-dnsmasq.conf file and make sure that it includes (at least) the line:

nameserver 208.67.222.222
nameserver 208.67.220.220

Optionally, you could increase the cache size for dnsmasq and change to 2048 for single machine or whatever size you might need (there is a hard-limit of 10000).

echo "cache-size=2048" | sudo tee /etc/NetworkManager/dnsmasq.d/cache

Restart the dnsmasq service with the systemd:

Run Dnsmasq with systemd

Create /etc/systemd/system/dnsmasq@.service with these contents:

# '%i' becomes 'virbr10' when running
# `systemctl start dnsmasq@virbr10.service`
# Remember to run `systemctl daemon-reload`
# after creating or editing this file.


[Unit]
Description=DHCP and DNS caching server for %i.
After=network.target

[Service]
ExecStart=/usr/bin/dnsmasq -k --conf-file=/etc/dnsmasq.conf
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

It is best to only start dnsmasq when the bridge is up. If using NetworkManager, create /etc/NetworkManager/dispatcher.d/99-virbr10 and make it executable.

#!/bin/sh
# See the "DISPATCHER SCRIPTS" section of `man NetworkManager`.
# Remember to make this file executable!
[ "$1" != "virbr10" ] && exit 0
case "$2" in
    "up")
        /bin/systemctl start dnsmasq@virbr10.service || :
        ;;
    "down")
        /bin/systemctl stop dnsmasq@virbr10.service || :
        ;;
esac

If using Debian, append two command options to /etc/network/interfaces.

auto virbr10
iface virbr10 inet static
    ... snipped ...
    up /bin/systemctl start dnsmasq@virbr10.service || :
    down /bin/systemctl stop dnsmasq@virbr10.service || :

Alternatively, just start dnsmasq at every boot.

# systemctl enable dnsmasq@virbr10.service
# systemctl start dnsmasq@virbr10.service


How to avoid conflicts between dnsmasq and systemd-resolved?

You can edit /etc/systemd/resolved.conf and add this line:

DNSStubListener=no

Or,

sudo systemctl disable systemd-resolved

Testing the improvements

Testing dnsmasq is quite simple.

$ dig www.google.com | grep "Query time"

Notice the query time of 48 msec.

Run the same command again, and you should see a considerable improvement over the query times.

We now see a 0 or near 0 query time for the same command. When a machine is having to query a significant amount of addresses, that time savings adds up.

Vulnerabilities in the free DNS server Dnsmasq

Software developers and manufacturers should bring Dnsmasq up to date for security reasons.

Security • Dnsmasq.

A much-needed improvement:

I’ve used dnsmasq on a number of Linux machines and have always found it adds a much needed improvement to network speeds. Give this easy DHCP and DNS caching nameserver a shot and see if it finds your screaming Linux machines on the network.



Last Update: 11 Jun 2021

Share on:


comments powered by Disqus