Last updated: 2023-12-01
Introduction
A lightweight caching DNS server & DHCP server
Installed size: 282 k
* It loads the contents of /etc/hosts and answers queries for those names locally
Contents
- Installation
- Reload
- Test Config File(--test)
- Basic settings
- Listen settings
- Log & Debug
- Local domain name
- Cache Settings
- dnsmasq DHCP settings
- Assign Static IP by MAC
- Per MAC Settings
- dhcp-match
- Doc
Installation
# RHEL 8 family
dnf install dnsmasq
Check Version
dnsmasq -v
Dnsmasq version 2.78 ...
Reload
There is no way to reload the main configuration file without killing and restarting the dnsmasq process.
SIGHUP only re-reads /etc/hosts (plus --addn-hosts / --hostsdir files) and /etc/resolv.conf (or the --resolv-file); it does not re-read /etc/dnsmasq.conf.
The reason is that dnsmasq starts as root, does everything that needs root permissions
(opening sockets on privileged ports, opening the DHCP lease file) and then permanently changes its identity from root to nobody,
so it can no longer repeat the privileged parts of startup that a changed configuration may require.
Test Config File(--test)
Read and syntax check the configuration file(s) without starting the server (add -C <file> to check a file other than /etc/dnsmasq.conf). Run this before every restart, since a broken file only shows up as a failed start.
dnsmasq --test
dnsmasq: syntax check OK.
Basic settings
/etc/dnsmasq.conf
# Safer when dnsmasq is only used as a local DNS cache: answer on loopback only
listen-address=127.0.0.1
# Never forward plain names (without a dot or domain part) to upstream nameservers.
# A name with no domain part is answered from /etc/hosts only; anything else gets "not found"
domain-needed
# Never forward reverse (PTR) lookups for private IP ranges upstream;
# only addresses present in /etc/hosts get an answer, the rest get "no such domain"
bogus-priv
# Filter useless Windows-originated DNS requests
# (blocks SOA and SRV queries, and ANY queries for names containing underscores)
filterwin2k
# Forces dnsmasq to try each upstream server strictly in the order listed
strict-order
# Read the upstream servers from this file instead of /etc/resolv.conf
resolv-file=/etc/resolv.conf.dnsmasq
# Don't read /etc/resolv.conf or the "--resolv-file=<file>" at all;
# upstream servers then come only from the command line and the dnsmasq configuration files (server=)
#no-resolv
# Don't poll resolv.conf for changes and re-read it
# (when --resolv-file is set, the file it names is the one that would be polled)
# SIGHUP still re-reads /etc/resolv.conf even with --no-poll; SIGHUP does NOT re-read the configuration file.
# Polling lets the upstream servers be set dynamically by PPP or DHCP, since both protocols supply that information.
no-poll
# Add other name servers here, with domain specs if they are for non-public domains.
#server=/localnet/192.168.0.1
Listen settings
# Repeat the line for more than one interface
interface=eth1
When "interface=X" is used, dnsmasq automatically adds interface=lo as well
# Used together with interface: that NIC gets DNS only, no DHCP
no-dhcp-interface=eth1
# By default dnsmasq binds the wildcard address (0.0.0.0)
# even when it is listening on only some interfaces,
# and then discards requests that it shouldn't reply to.
# (advantage: keeps working when interfaces come and go or change address)
# This option forces dnsmasq to really bind only the interfaces it is listening on,
# which also leaves port 53 on the other addresses free for another resolver.
bind-interfaces
# Listen on the given IP address(es).
# Both --interface and --listen-address options may be given,
# in which case the set of both interfaces and addresses is used.
# Note
# if no --interface option is given, but --listen-address is,
# dnsmasq will not automatically listen on the loopback interface.
# dnsmasq automatically adds the loopback (local) interface to the list of interfaces to use
# when the --interface option is used.
listen-address=127.0.0.1
listen-address=192.168.200.254
Notes
[1]
If you only want to listen on a specific NIC, "interface" & "no-dhcp-interface" are not recommended,
because a NIC that is not up yet at boot time makes dnsmasq FAIL to start
/var/log/messages
... dnsmasq[959]: dnsmasq: unknown interface lxcbr0
... dnsmasq[959]: FAILED to start up
/etc/dnsmasq.conf
interface=lxcbr0
no-dhcp-interface=lxcbr0
[2]
* When neither "--interface" nor "--listen-address" is set, dnsmasq listens on every NIC except those named by "--except-interface"
[3] Local cache settings
/etc/dnsmasq.d/my.conf
resolv-file=/etc/resolv.conf.dnsmasq
domain-needed
bogus-priv
no-poll
bind-interfaces
interface=lo
Log & Debug
# For debugging purposes, log each DNS query as it passes through dnsmasq
log-queries
# Where to log: a file path, or a syslog facility such as DAEMON or LOCAL0 (the default is DAEMON)
log-facility=/var/log/dnsmasq.log
# Log lots of extra information about DHCP transactions
log-dhcp
--log-async[=<lines>]
Enable asynchronous logging and optionally set the limit on the number of lines which will be queued by dnsmasq
when writing to the syslog is slow.
Dnsmasq can log asynchronously:
this allows it to continue functioning without being blocked by syslog,
and allows syslog to use dnsmasq for DNS queries without risking deadlock.
If the queue of log-lines becomes full, dnsmasq will log the overflow, and the number of messages lost.
The default queue length is 5, a sane value would be 5-25, and a maximum limit of 100 is imposed.
SIGUSR2
When it is logging direct to a file (see --log-facility ) dnsmasq will close and reopen the log file.
(log rotate without stopping dnsmasq)
Debug
# For debugging purposes, enable both
log-queries
log-dhcp
Local domain name
Local Domain
# Add domains which you want to force to an IP address
# queries for any name in these domains are never forwarded and get this IP
# (/etc/hosts entries and DHCP leases override individual names)
address=/doubleclick.net/127.0.0.1
# no-hosts (only affects /etc/hosts, not "addn-hosts")
# Additional hosts file.
# Read the specified file as well as /etc/hosts. If -h (no-hosts) is given,
# read only the specified file.
# This option may be repeated for more than one additional hosts file.
# If a directory is given, then read all the files contained in that directory.
addn-hosts=/etc/banner_hosts
addn-hosts=/etc/myhosts
# local-only domains
# queries in these domains are answered from /etc/hosts or DHCP only
local=/localnet/
# domain automatically added to simple names in a hosts-file
# Without expand-hosts the ping results are:
# ping timpc <= Success
# ping timpc.localnet <= Fail
expand-hosts
Setting the host's own default domain on Linux
/etc/resolv.conf
search lan
Include
# Include another set of configuration options
#conf-file=/etc/dnsmasq.myconfig.conf
#conf-dir=/etc/dnsmasq.d
Difference between --address and --server
-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]]
Specify the IP address of upstream servers directly. Setting this flag does not suppress reading of /etc/resolv.conf (use --no-resolv for that).
If one or more optional domains are given, that server is used only for those domains and
they are queried only using the specified server. When several domain specs match a name, the most specific (longest) one wins.
i.e.
--server=/google.com/1.2.3.4
--server=/www.google.com/#
# will send queries for *.google.com to 1.2.3.4, except *www.google.com, which is forwarded as usual
# The special server address '#' means "use the standard servers"
Remark
An empty domain specification, "//", has the special meaning of "unqualified names only", i.e. names without any dots in them.
"--server=/example.com/" (no address; the same as --local=/example.com/) never forwards example.com or its subdomains: names not defined locally in /etc/hosts or DHCP get NXDOMAIN.
--address=/<domain>/<ipaddr> is the other side of the distinction: rather than choosing which upstream answers, dnsmasq answers every name in the domain with the given IP itself (used above for doubleclick.net); /etc/hosts entries and DHCP leases still override individual names.
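The selection rules above (most specific domain wins, '#' for the standard servers, an empty address for local-only, "//" for unqualified names) are easy to get wrong in a long config. The script below is an added example, not dnsmasq's own code: it parses a constructed set of server= lines and reports where a given query name would be sent, so a change can be checked before it is deployed.

```python
# Constructed example config (not from the page); the google.com / www.google.com
# pair, the empty-address form and the "//" form follow the man page text above.
SAMPLE_CONF = """
server=8.8.8.8
server=/google.com/1.2.3.4
server=/www.google.com/#
server=/example.com/
server=//10.0.0.53
"""


def parse_servers(conf):
    """Turn server=/local= lines into (domain, target) rules.

    domain: "" for a plain default upstream, "." for the "//" unqualified-only
    spec, otherwise the domain suffix. target: an "addr[#port]" string, "#"
    (use the standard servers) or None (no address: answer locally only)."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not (line.startswith("server=") or line.startswith("local=")):
            continue
        value = line.split("=", 1)[1]
        if not value.startswith("/"):
            rules.append(("", value))
            continue
        parts = value.split("/")   # "/a.com/b.com/addr" -> ["", "a.com", "b.com", "addr"]
        domains, addr = parts[1:-1], parts[-1]
        target = addr if addr else None
        if domains == [""]:
            rules.append((".", target))
        else:
            for d in domains:
                rules.append((d.lower().strip("."), target))
    return rules


def resolve_upstream(name, rules):
    """Where does a query for `name` go under these rules?

    Returns ("forward", addr), ("standard", [default upstreams]) or ("local", None).
    As in dnsmasq, the most specific (longest) matching domain wins."""
    name = name.lower().strip(".")
    default = [t for d, t in rules if d == ""]
    candidates = []
    for domain, target in rules:
        if domain == "":
            continue
        if domain == ".":
            if "." not in name:                       # unqualified name
                candidates.append((0, target))
        elif name == domain or name.endswith("." + domain):
            candidates.append((len(domain), target))
    if not candidates:
        return ("standard", default)
    _, target = max(candidates, key=lambda c: c[0])
    if target is None:
        return ("local", None)
    if target == "#":
        return ("standard", default)
    return ("forward", target)


if __name__ == "__main__":
    rules = parse_servers(SAMPLE_CONF)
    for qname in ("mail.google.com", "www.google.com", "sub.example.com", "myhost", "example.org"):
        print(f"{qname:20s} -> {resolve_upstream(qname, rules)}")
```

Note that a.www.google.com also goes to the standard servers: the www.google.com spec is longer than google.com, so it wins for every name under it, not just the exact name.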
Cache Settings
# Set the cache size here. (The default is 150 names)
cache-size=1024
# Negative caching (no such domain)
#no-negcache
Hard-coded upper limit for cache-size in this version (2.78 shown above): 10000 entries
Test (second query is served from the cache)
dig datahunter.org | grep "Query time"
;; Query time: 168 msec
dig datahunter.org | grep "Query time"
;; Query time: 0 msec
Statistics
SIGUSR1 # dnsmasq writes statistics to the system log.
killall -SIGUSR1 dnsmasq
Nov 20 12:31:08 myserver dnsmasq[15267]: time 1574224268
Nov 20 12:31:08 myserver dnsmasq[15267]: cache size 10000, 0/254 cache insertions re-used unexpired cache entries.
Nov 20 12:31:08 myserver dnsmasq[15267]: queries forwarded 548, queries answered locally 394
Nov 20 12:31:08 myserver dnsmasq[15267]: queries for authoritative zones 0
Nov 20 12:31:08 myserver dnsmasq[15267]: server 8.8.8.8#53: queries sent 374, retried or failed 0
Nov 20 12:31:08 myserver dnsmasq[15267]: server 8.8.4.4#53: queries sent 214, retried or failed 0
N/M (here 0/254)
N:
the number of names which had to be removed from the cache before they expired
in order to make room for new names (if this keeps growing, cache-size is too small)
M:
the total number of names that have been inserted into the cache.
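To watch these counters over time rather than eyeballing syslog, the script below is an added example (not part of dnsmasq): it parses a constructed copy of the SIGUSR1 lines, computes the N/M eviction ratio and the share of queries answered locally (cache plus /etc/hosts and DHCP names), and flags upstreams whose "retried or failed" count is high. The thresholds are this example's own choice.

```python
import re

# Constructed sample of the SIGUSR1 statistics lines; the eviction and failure
# counters are made non-zero on purpose so that the checks below fire.
SAMPLE_LOG = """\
Nov 20 12:31:08 myserver dnsmasq[15267]: time 1574224268
Nov 20 12:31:08 myserver dnsmasq[15267]: cache size 10000, 120/2540 cache insertions re-used unexpired cache entries.
Nov 20 12:31:08 myserver dnsmasq[15267]: queries forwarded 548, queries answered locally 394
Nov 20 12:31:08 myserver dnsmasq[15267]: queries for authoritative zones 0
Nov 20 12:31:08 myserver dnsmasq[15267]: server 8.8.8.8#53: queries sent 374, retried or failed 12
Nov 20 12:31:08 myserver dnsmasq[15267]: server 8.8.4.4#53: queries sent 214, retried or failed 0
"""

CACHE_RE = re.compile(r"cache size (\d+), (\d+)/(\d+) cache insertions re-used unexpired")
QUERIES_RE = re.compile(r"queries forwarded (\d+), queries answered locally (\d+)")
SERVER_RE = re.compile(r"server (\S+): queries sent (\d+), retried or failed (\d+)")


def parse_stats(log_text):
    """Extract the counters from one SIGUSR1 dump (N/M is the pair explained above)."""
    stats = {"servers": {}}
    for line in log_text.splitlines():
        m = CACHE_RE.search(line)
        if m:
            stats["cache_size"] = int(m.group(1))
            stats["evicted_unexpired"] = int(m.group(2))   # N
            stats["insertions"] = int(m.group(3))          # M
            continue
        m = QUERIES_RE.search(line)
        if m:
            stats["forwarded"] = int(m.group(1))
            stats["answered_locally"] = int(m.group(2))    # cache hits + /etc/hosts + DHCP names
            continue
        m = SERVER_RE.search(line)
        if m:
            stats["servers"][m.group(1)] = {"sent": int(m.group(2)), "failed": int(m.group(3))}
    return stats


def assess(stats, max_evict_ratio=0.01, max_fail_ratio=0.01):
    """Turn the counters into ratios and a list of findings (thresholds are this example's own)."""
    n, m = stats["evicted_unexpired"], stats["insertions"]
    evict_ratio = n / m if m else 0.0
    total = stats["forwarded"] + stats["answered_locally"]
    local_ratio = stats["answered_locally"] / total if total else 0.0
    findings = []
    if evict_ratio > max_evict_ratio:
        findings.append(f"{n}/{m} insertions evicted unexpired entries: raise cache-size above {stats['cache_size']}")
    for srv, s in stats["servers"].items():
        fail_ratio = s["failed"] / s["sent"] if s["sent"] else 0.0
        if fail_ratio > max_fail_ratio:
            findings.append(f"upstream {srv}: {s['failed']}/{s['sent']} queries retried or failed")
    return {"evict_ratio": round(evict_ratio, 4),
            "local_ratio": round(local_ratio, 3),
            "findings": findings}


if __name__ == "__main__":
    result = assess(parse_stats(SAMPLE_LOG))
    print(result["evict_ratio"], result["local_ratio"])
    for finding in result["findings"]:
        print("-", finding)
```

Feed it the real lines with something like `grep 'dnsmasq\[' /var/log/messages | tail -n 6` after sending SIGUSR1; a rising eviction ratio between two dumps is the signal to raise cache-size, a rising failure count on one upstream is the signal to look at that server or the path to it.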
SIGHUP # refresh the cache
dnsmasq clears its cache and then re-loads some config
(/etc/hosts, /etc/ethers, /etc/resolv.conf --dhcp-* --addn-hosts, --hostsdir)
--min-cache-ttl=<time>
Extend short TTL values to the time given when caching them.
i.e.
--min-cache-ttl=600
This makes every cached record with a shorter TTL be treated as valid for 10 minutes. Caveat: it overrides the TTL chosen by the zone owner, so records that change quickly (failover, short-lived cloud endpoints) go stale; dnsmasq limits the value to one hour unless recompiled.
dnsmasq DHCP settings
By default, the DHCP server will attempt to ensure that an address is not in use before allocating it to a host.
It does this by sending an ICMP echo request (aka "ping") to the address in question.
udp port 67 (bootps) <-- (the server's port; clients broadcast to it to find a server)
- DHCPDISCOVER (1,9,13,16s)
- DHCPREQUEST
udp port 68 (bootpc) <-- (the client's port; it listens here for the server's broadcast replies)
- DHCPOFFER
- DHCPACK
Diagram:
Server: 192.168.1.1
Client: 192.168.1.101
[1] Client request (broadcast, no address yet)
UDP 0.0.0.0:68 -> 255.255.255.255:67
[2] Server responds (broadcast)
UDP 192.168.1.1:67 -> 255.255.255.255:68
[3] Client reply once it has an address (e.g. lease renewal, unicast)
UDP 192.168.1.101:68 -> 192.168.1.1:67
Configuration:
# Set the domain for dnsmasq. Allows DHCP hosts to have a fqdn
domain=localnet
dhcp-range=10.1.1.51,10.1.1.150,12h
# Set the gateway
# option:router => 3
# dhcp-option=option:router,10.1.1.254
dhcp-option=3,10.1.1.254
# Set the DNS servers handed to clients
dhcp-option=6,8.8.8.8,8.8.4.4
# Maximum number of DHCP leases
# Limits lease-exhaustion DoS. The default is 1000
dhcp-lease-max=150
# dhcp-leasefile=/var/lib/misc/dnsmasq.leases
DHCP Leases
-X, --dhcp-lease-max=<number>
Limits dnsmasq to the specified maximum number of DHCP leases. The default is 1000.
This limit is to prevent DoS attacks from hosts which create thousands of leases and use lots of memory in the dnsmasq process.
Lease file location depends on the build; common defaults:
/var/lib/misc/dnsmasq.leases
/var/db/dnsmasq.leases
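The lease file is also the quickest place to see lease-exhaustion in progress. The script below is an added example, not dnsmasq's own code: it parses a constructed lease file (format: expiry epoch with 0 meaning infinite, MAC, IP, hostname or *, client-id or *), compares the active leases with dhcp-lease-max and the dhcp-range, and flags a MAC holding several leases under different client-ids, which is how one host can drain a small pool on its own.

```python
import ipaddress
from collections import Counter

# Constructed /var/lib/misc/dnsmasq.leases content (not from a real host).
# de:ad:be:ef:00:01 deliberately holds three leases under different client-ids,
# aa:bb:cc:dd:ee:03 has expired, and fred is a static dhcp-host outside the range.
SAMPLE_LEASES = """\
1574224268 aa:bb:cc:dd:ee:01 10.1.1.51 laptop 01:aa:bb:cc:dd:ee:01
1574224268 aa:bb:cc:dd:ee:02 10.1.1.52 * *
1574224268 de:ad:be:ef:00:01 10.1.1.53 * 01:de:ad:be:ef:00:01
1574224268 de:ad:be:ef:00:01 10.1.1.54 * 01:de:ad:be:ef:00:02
1574224268 de:ad:be:ef:00:01 10.1.1.55 * 01:de:ad:be:ef:00:03
1574000000 aa:bb:cc:dd:ee:03 10.1.1.56 old-host *
0 11:22:33:44:55:66 192.168.0.60 fred *
"""


def parse_leases(text):
    """Parse dnsmasq's lease file; 'duid' (IPv6) lines and malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "duid":
            continue
        expiry, mac, ip, hostname, client_id = fields[:5]
        leases.append({"expiry": int(expiry), "mac": mac.lower(), "ip": ip,
                       "hostname": hostname, "client_id": client_id})
    return leases


def audit_pool(leases, lease_max, range_start, range_end, now, warn_pct=80):
    """Compare live leases against dhcp-lease-max and the dhcp-range.

    Flags usage near dhcp-lease-max, MACs holding several leases, and leases
    outside the dynamic range (expected only for dhcp-host static entries)."""
    start, end = ipaddress.ip_address(range_start), ipaddress.ip_address(range_end)
    active = [l for l in leases if l["expiry"] == 0 or l["expiry"] > now]
    per_mac = Counter(l["mac"] for l in active)
    outside = [l["ip"] for l in active
               if not start <= ipaddress.ip_address(l["ip"]) <= end]
    pool_size = int(end) - int(start) + 1
    in_pool = len(active) - len(outside)
    return {
        "active": len(active),
        "expired": len(leases) - len(active),
        "near_lease_max": len(active) * 100 >= lease_max * warn_pct,
        "pool_used_pct": round(100.0 * in_pool / pool_size, 1),
        "multi_lease_macs": {m: n for m, n in per_mac.items() if n > 1},
        "outside_range": outside,
    }


if __name__ == "__main__":
    report = audit_pool(parse_leases(SAMPLE_LEASES), lease_max=150,
                        range_start="10.1.1.51", range_end="10.1.1.150", now=1574224000)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real file with `now=int(time.time())` and the lease_max / range from your dnsmasq.conf; with dhcp-lease-max close to the pool size, the near_lease_max flag fires before clients start getting no offers.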
Disable DHCP
Method 1
Comment out "dhcp-range="
# dhcp-range=192.168.0.100,192.168.0.199,1h
Method 2
Not recommended, because lxcbr0 does not exist yet when the machine boots (dnsmasq then fails to start, see Note [1] above)
no-dhcp-interface=lxcbr0
Assign Static IP by MAC
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.123.241
Usage
# lease time: m, h, infinite
dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
# Making a changed IP take effect on OpenWrt (the old lease has to be dropped first)
/etc/init.d/dnsmasq stop
vim /tmp/dhcp.leases
delete the line for aa:bb:cc:dd:ee:ff
/etc/init.d/dnsmasq start
Per MAC Settings
Use "set:<tag>" to tag a client
dhcp-host=<hwaddr>,set:<tag>,<ipaddr>[,<hostname>][,<lease_time>]
Use "tag:<tag>" to apply a setting only to clients carrying that tag
dhcp-boot=tag:<tag>,<filename>,<servername>,<server address>
i.e.
#### PXE
# u16: iSCSI boot target via option 17 (root-path) and option 203 (initiator IQN, as used by iPXE)
dhcp-option=tag:u16,17,iscsi:192.168.123.10::::iqn.2018-03.local.home:u16
dhcp-option=tag:u16,203,iqn.2018-03.local.u16
dhcp-host=88:88:88:88:88:56,set:u16,192.168.123.56,u16,infinite
# u16b: PXE boot from TFTP
dhcp-boot=tag:u16b,pxelinux.0,pxeserver,192.168.123.10
dhcp-host=88:88:88:88:88:57,set:u16b,192.168.123.57,u16b,infinite
dhcp-match
Usage
dhcp-match=set:<tag>,<option number>[,<value>]   (older syntax: dhcp-match=<tag>,<option number>[,<value>])
Without a value, set the tag if the client sends a DHCP option of the given number
When a value is given, set the tag only if the option is sent and matches the value.
The value may be of the form "01:ff:*:02", in which case the value must match (apart from wildcards) but the option sent may carry additional data past the end of the value.
i.e.
# sets the tag "efi-ia32" if the number 6 appears in the list of architectures sent by the client in option 93 (client-arch)
dhcp-match=efi-ia32,93,6
# load undionly.kpxe for clients not tagged with 'ipxe' (option 77, user class, equal to "iPXE"),
# and hand clients that are already running iPXE the HTTP boot script instead
dhcp-match=set:ipxe,77,iPXE
dhcp-boot=tag:!ipxe,undionly.kpxe
dhcp-boot=http://10.37.129.3/bootstrap.ipxe
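The tag logic from the last two sections (set: from dhcp-host, dhcp-match on option values, tag: and tag:! on dhcp-boot) is where PXE setups usually go wrong: a client gets the wrong boot file because a tag was or was not set. The script below is an added example, not dnsmasq's own code: it loads a constructed config that mirrors the lines above (plus a hex-wildcard match on option 60 that is this example's own addition), computes the tags for a client from its MAC and the DHCP options it sent, and picks the dhcp-boot line. The precedence rule in select_boot (matching tagged lines beat the untagged fallback; more tag conditions beat fewer) is this example's simplification, not a description of dnsmasq's exact algorithm, and string values are compared exactly.

```python
import re

# Constructed config mirroring the page's dhcp-host / dhcp-match / dhcp-boot lines;
# the option-60 hex-wildcard match is this example's own addition.
SAMPLE_CONF = """\
dhcp-host=88:88:88:88:88:56,set:u16,192.168.123.56,u16,infinite
dhcp-host=88:88:88:88:88:57,set:u16b,192.168.123.57,u16b,infinite
dhcp-match=efi-ia32,93,6
dhcp-match=set:ipxe,77,iPXE
dhcp-match=set:pxeclient,60,50:58:45:*
dhcp-boot=tag:u16b,pxelinux.0,pxeserver,192.168.123.10
dhcp-boot=tag:!ipxe,undionly.kpxe
dhcp-boot=http://10.37.129.3/bootstrap.ipxe
"""

HEX_PATTERN = re.compile(r"([0-9a-fA-F]{2}|\*)(:([0-9a-fA-F]{2}|\*))*")


def parse_conf(conf):
    """Split the config into host tags, match rules and boot lines."""
    hosts, matches, boots = [], [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        fields = value.split(",")
        if key == "dhcp-host":
            hosts.append((fields[0].lower(), [f[4:] for f in fields[1:] if f.startswith("set:")]))
        elif key == "dhcp-match":
            tag = fields[0][4:] if fields[0].startswith("set:") else fields[0]  # old syntax: bare tag
            matches.append((tag, int(fields[1]), fields[2] if len(fields) > 2 else None))
        elif key == "dhcp-boot":
            conds = [f[4:] for f in fields if f.startswith("tag:")]
            boots.append((conds, [f for f in fields if not f.startswith("tag:")]))
    return hosts, matches, boots


def option_matches(value_spec, option):
    """dhcp-match value semantics. `option` is bytes, or a list of ints for
    array-valued options such as 93 (client-arch)."""
    if value_spec is None:                       # no value: presence of the option is enough
        return True
    if isinstance(option, list):                 # array option: one element must match
        return int(value_spec) in option
    if HEX_PATTERN.fullmatch(value_spec):        # "01:ff:*:02": wildcards, extra trailing data allowed
        parts = value_spec.split(":")
        return len(option) >= len(parts) and all(
            p == "*" or int(p, 16) == b for p, b in zip(parts, option))
    return option == value_spec.encode()         # string value: exact match (simplification)


def compute_tags(client_mac, client_options, hosts, matches):
    tags = set()
    for mac, host_tags in hosts:
        if mac == client_mac.lower():
            tags.update(host_tags)
    for tag, opt, val in matches:
        if opt in client_options and option_matches(val, client_options[opt]):
            tags.add(tag)
    return tags


def conditions_hold(conds, tags):
    """tag:x requires x to be set; tag:!x requires x to be absent."""
    return all((c[1:] not in tags) if c.startswith("!") else (c in tags) for c in conds)


def select_boot(tags, boots):
    """Among dhcp-boot lines whose conditions hold, take the one with the most
    tag conditions; an untagged line is the fallback (example's own precedence rule)."""
    applicable = [(len(conds), args) for conds, args in boots if conditions_hold(conds, tags)]
    return max(applicable, key=lambda a: a[0])[1] if applicable else None


def boot_for(client_mac, client_options, conf=SAMPLE_CONF):
    hosts, matches, boots = parse_conf(conf)
    tags = compute_tags(client_mac, client_options, hosts, matches)
    return tags, select_boot(tags, boots)


if __name__ == "__main__":
    # 1. u16's legacy PXE ROM: vendor class in option 60, arch 0 in option 93, no user class
    print(boot_for("88:88:88:88:88:56", {60: b"PXEClient:Arch:00000:UNDI:002001", 93: [0]}))
    # 2. same host after undionly.kpxe has loaded: iPXE now sends user class "iPXE" in option 77
    print(boot_for("88:88:88:88:88:56", {60: b"PXEClient:Arch:00000:UNDI:003016", 77: b"iPXE", 93: [0]}))
    # 3. unknown EFI client advertising arch 6 and 7
    print(boot_for("00:11:22:33:44:55", {60: b"PXEClient", 93: [6, 7]}))
```

The second call shows the chainload round trip that the tag:!ipxe trick relies on: the same MAC gets undionly.kpxe on its first request and the HTTP script on the next one, purely because option 77 changed.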
Doc
man 8 dnsmasq