Many tech enthusiasts find the ability to control their host name resolution important. Setting up servers and services usually requires some form of fixed address, and sometimes also requires special forms of resolution such as defining Kerberos or LDAP servers, mail servers, etc. All of this can be achieved with dnsmasq.
dnsmasq is a lightweight and simple program which enables issuing DHCP addresses on your network and registering the hostname & IP address in DNS. This configuration also allows external resolution, so your whole network will be able to speak to itself and find external sites too.
This article covers installing and configuring dnsmasq on either a virtual machine or small physical machine like a Raspberry Pi so it can provide these services in your home network or lab. If you have an existing setup and just need to adjust the settings for your local workstation, read the previous article which covers configuring the dnsmasq plugin in NetworkManager.
Install dnsmasq
First, install the dnsmasq package:
sudo dnf install dnsmasq
Next, enable and start the dnsmasq service:
sudo systemctl enable --now dnsmasq
Configure dnsmasq
First, make a backup copy of the dnsmasq.conf file:
sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
Next, edit the file and make changes to the following to reflect your network. In this example, mydomain.org is the domain name, 192.168.1.10 is the IP address of the dnsmasq server and 192.168.1.1 is the default gateway.
sudo vi /etc/dnsmasq.conf
Insert the following contents:
domain-needed bogus-priv no-resolv server=8.8.8.8 server=8.8.4.4 local=/mydomain.org/ listen-address=::1,127.0.0.1,192.168.1.10 expand-hosts domain=mydomain.org dhcp-range=192.168.1.100,192.168.1.200,24h dhcp-option=option:router,192.168.1.1 dhcp-authoritative dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
Test the config to check for typos and syntax errors:
$ sudo dnsmasq --test dnsmasq: syntax check OK.
Now edit the hosts file, which can contain both statically- and dynamically-allocated hosts. Static addresses should lie outside the DHCP range you specified earlier. Hosts using DHCP but which need a fixed address should be entered here with an address within the DHCP range.
sudo vi /etc/hosts
The first two lines should be there already. Add the remaining lines to configure the router, the dnsmasq server, and two additional servers.
127.0.0.1 localhost localhost.localdomain ::1 localhost localhost.localdomain 192.168.1.1 router 192.168.1.10 dnsmasq 192.168.1.20 server1 192.168.1.30 server2
Restart the dnsmasq service:
sudo systemctl restart dnsmasq
Next add the services to the firewall to allow the clients to connect:
sudo firewall-cmd --add-service={dns,dhcp}
sudo firewall-cmd --runtime-to-permanent
Test name resolution
First, install bind-utils to get the nslookup and dig packages. These allow you to perform both forward and reverse lookups. You could use ping if you’d rather not install extra packages. but these tools are worth installing for the additional troubleshooting functionality they can provide.
sudo dnf install bind-utils
Now test the resolution. First, test the forward (hostname to IP address) resolution:
$ nslookup server1 Server: 127.0.0.1 Address: 127.0.0.1#53 Name: server1.mydomain.org Address: 192.168.1.20
Next, test the reverse (IP address to hostname) resolution:
$ nslookup 192.168.1.20 20.1.168.192.in-addr.arpa name = server1.mydomain.org.
Finally, test resolving hostnames outside of your network:
$ nslookup fedoramagazine.org Server: 127.0.0.1 Address: 127.0.0.1#53 Non-authoritative answer: Name: fedoramagazine.org Address: 35.196.109.67
Test DHCP leases
To test DHCP leases, you need to boot a machine which uses DHCP to obtain an IP address. Any Fedora variant will do that by default. Once you have booted the client machine, check that it has an address and that it corresponds to the lease file for dnsmasq.
From the machine running dnsmasq:
$ sudo cat /var/lib/dnsmasq/dnsmasq.leases 1598023942 52:54:00:8e:d5:db 192.168.1.100 server3 01:52:54:00:8e:d5:db 1598019169 52:54:00:9c:5a:bb 192.168.1.101 server4 01:52:54:00:9c:5a:bb
Extending functionality
You can assign hosts a fixed IP address via DHCP by adding it to your hosts file with the address you want (within your DHCP range). Do this by adding into the dnsmasq.conf file the following line, which assigns the IP listed to any host that has that name:
dhcp-host=myhost
Alternatively, you can specify a MAC address which should always be given a fixed IP address:
dhcp-host=11:22:33:44:55:66,192.168.1.123
You can specify a PXE boot server if you need to automate machine builds
tftp-root=/tftpboot
dhcp-boot=/tftpboot/pxelinux.0,boothost,192.168.1.240
This should point to the actual URL of your TFTP server.
If you need to specify SRV or TXT records, for example for LDAP, Kerberos or similar, you can add these:
srv-host=_ldap._tcp.mydomain.org,ldap-server.mydomain.org,389
srv-host=_kerberos._udp.mydomain.org,krb-server.mydomain.org,88
srv-host=_kerberos._tcp.mydomain.org,krb-server.mydomain.org,88
srv-host=_kerberos-master._udp.mydomain.org,krb-server.mydomain.org,88
srv-host=_kerberos-adm._tcp.mydomain.org,krb-server.mydomain.org,749
srv-host=_kpasswd._udp.mydomain.org,krb-server.mydomain.org,464
txt-record=_kerberos.mydomain.org,KRB-SERVER.MYDOMAIN.ORG
There are many other options in dnsmasq. The comments in the original config file describe most of them. For full details, read the man page, either locally or online.
Joao Rodrigues
Don’t forget to open ports in the firewall
sudo firewall-cmd –add-service dhcp –add-service dns
sudo firewall-cmd –runtime-to-permanent
There are other public resolvers besides Google. A few examples include:
CloudFlare:
1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
Quad9:
9.9.9.9
149.112.112.112
2620:fe::11
2620:fe::fe:11
OpenDNS
208.67.222.222
208.67.220.220
2620:119:35::35
2620:119:53::53
Pablo
Hey Andy, thanks for the post! May I raise a couple questions:
where are you making the machine should resolve names on itself? You didn’t mention anything about /etc/resolv.conf – I am a bit old school and I really feel I don’t know the resolver anymore xD
you are enumerating some hosts in /etc/hosts but you didn’t mention how this gets into dnsmasq.
While I was typing I re-read and figured out the linked article about the NetworkManager plugin gives some of the required background. But it is actually about NetworkManager and I feel that leaves us target readers with a bit of lack of context.
Andy Mott
Hi Pablo, glad you found this useful.
By default dnsmasq reads /etc/hosts for any configuration, so there’s no need to specifically add it in. This is one of the reasons I like to use it as it works seamlessly with a file people are usually familiar and comfortable with.
Regarding resolution of itself, you’re correct and I didn’t mention that. As a DNS server the machine should have a static IP address, and on mine the resolv.conf file simply points to localhost:
search mydomain.org
nameserver 127.0.0.1
Jean Forgeron
I’d like to see a similar article focused around systemd services networkd and resolved.
Ben Cotton
Good news! I was talking to one of the systemd developers earlier today about writing an article on resolved. That’s one of the changes coming in Fedora 33.
Bruno
Nice article.
Be sure to configure your Internet BOX to not use the same DHCP range as your dnsmasq config.
You might have some machine configured by default to use Internet BOX (routeur) while some other are configured to use the machine you setup with dnsmasq. In this case there is a risk that the BOX DHCP service gives the same address as your dnsmasq DHCP service.
Or does dnsmasq respond to DHCPDISCOVER broadcast ??
Bruno
Brian
So I just need to turn off DCHP on my router and clients on my network will find this DHCP server automatically?
Asking as my router does not do DNS, so this could fix that.
Andy Mott
Hi Brian
If you configure this on a machine with a network address on the same network as your router then it should offer DNS and DHCP for the network, so you should be able to turn off DHCP on your router and have this take its place.
Jeffrey Goh
I have yet to meet a router that doesn’t do DNS – but regardless, if you already have a proper Linux box that you can upgrade freely, you’re better off running your own full function Linux router with DHCP, DNS and arguably firewall etc
Vernon Van Steenkist
Since Fedora and most other Linux Distributions, and printers and even Windows 10 support Apple’s Bonjour out of the box, the need for running a local DNS has become greatly diminished. For example, if you have a Raspberry Pi on your network, you can access it simply by typing
assuming that you did not change the Raspberry Pi’s default host-name and username.
Note that
is the automatic Bonjour domain. So, machine’s on your network automagically gets assigned a fully qualified domain name of `hostname.local’
Brian
Nice, thanks. Will give it a go.
Christian von Behren
cant get this fixed (worked fine in fedora32 though)
dnsmasq[20478]: failed to create listening socket for port 53: Address already in use.
Is there any new service compromosing dnsmasq beneath network-monitor?
Andy Mott
Hi Christian
It’s possibly systemd-resolved that’s bound to port 53. Try sudo ss -lp “sport = :domain” and see what the output is, then stop the service and try dnsmasq again. If it is the systemd-resolved service you could disable it, or you could change dnsmasq to listen on a different port.
Christian von Behren
This is driving me nuts…
Andy, You are right, NetworkManager seems to open a separate dnsmasq on 53.
systemd-resolved gets in the way too…
(https://fedoraproject.org/wiki/Changes/systemd-resolved#Split_DNS)
Furthermore: Connected to an VPN, the only nameserver set in /etc/resolv.conf is 127.0.0.53 (which is not configured by /etc/dnsmasq.conf) though a different DNS Server is configured within vpn ipv4 settings in NetworkMonitor settings.
Even when I set the company’s local DNS in /etc/resolve.conf, nslookup works fine and private vhost based wildcard subdomains get propperly resolved, I am unable to ping them 🙁
(looks like https://bugzilla.redhat.com/show_bug.cgi?id=504951)
I am practically unable to work with this setup unless I setup every single project in /etc/hosts manually.
Vouchersort
Is commenting still permitted?
Stephen Snow
Yes it certainly is! What is your comment?