FUN WITH LINUX

What if dnsmasq and unbound marry?

11 April 2018

Dnsmasq is a great piece of software. Described in a few words, it is a DNS forwarder, DHCP server and TFTP server. I like the way dnsmasq is configured: A records are created by simply adding entries to /etc/hosts, and I define DHCP hosts by adding lines to /etc/ethers. But we live in very strange times. Google DNS, Cloudflare DNS and Quad9 are open DNS servers, but they might spy on us (if a service on the internet is free to use, we may not be the customer but the product). The DNS resolvers of our ISPs aren't trustworthy either, since the EU has already decided to force ISPs to block sites. And blocking sites might not be the only problem: whoever controls your DNS requests is also able to redirect your traffic, which could be used for man-in-the-middle attacks to take control. So I decided to run a DNS recursor in my network. Dnsmasq does its job well, but it is only a forwarder and needs a recursor behind it. That's why I want to add a recursor and use it together with dnsmasq. A very handy DNS recursor is unbound. It's easy to configure and does DNSSEC.

Preparing DNSmasq

In order to run dnsmasq and unbound on the same host, I decided to bind dnsmasq's DNS port to 5353 instead of 53; unbound will listen on port 53. In this configuration dnsmasq serves custom DNS records only. The following sample configuration sets up a DHCP server that uses /etc/ethers and a DNS server that listens on port 5353 and resolves the domain "home.".

/etc/dnsmasq.d/my.conf:

# DNS on 5353; unbound owns port 53 on this host
port=5353
# home. is answered locally (from /etc/hosts) and never forwarded upstream
local=/home/
interface=br0
domain=home
dhcp-range=br0,192.168.10.100,192.168.10.150,12h
# static leases come from /etc/ethers
read-ethers
dhcp-authoritative
# option 6: hand clients unbound (port 53) as their DNS server
dhcp-option=6,192.168.10.1

Setting up unbound

If unbound is installed from the Debian packages, it is already configured for DNSSEC. So I only need to configure the forwarding of the "home." domain:

/etc/unbound/unbound.conf.d/my.conf:

server:
    num-threads: 4
    interface: 192.168.10.1
    # only the LAN may query the recursor
    access-control: 192.168.10.0/24 allow
    # private-domain: answers for home. may contain private (RFC 1918) addresses
    private-domain: "home."
    # domain-insecure: the zone is unsigned, so skip DNSSEC validation for it
    domain-insecure: "home."
    local-zone: "home." nodefault
# every query for home. is handed to dnsmasq on port 5353
forward-zone:
    name: "home."
    forward-addr: 192.168.10.1@5353

Restart dnsmasq and unbound and enjoy the recursor. With this setup I can create DNS records for home. by simply adding lines to /etc/hosts:

192.168.10.1 ns1.home
192.168.10.2 nas.home
# ...
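This split breaks silently in a few ways: dnsmasq and unbound fighting over port 53, the forward-zone pointing at a port nobody listens on, a missing domain-insecure so unbound marks the unsigned home. answers bogus, or DHCP handing clients a DNS address that is not the validating recursor. The following checker, written as an added example for this post (not part of dnsmasq or unbound), parses the relevant lines of both files and reports such mismatches; the embedded configs are constructed copies of the lines above.

```python
# Consistency checks for the dnsmasq@5353 + unbound@53 split described above.
# Added example; both configs are constructed in-line from the post's relevant lines.
DNSMASQ_CONF = "port=5353\nlocal=/home/\ndhcp-option=6,192.168.10.1\n"
UNBOUND_CONF = ('server:\n    interface: 192.168.10.1\n    domain-insecure: "home."\n'
                'forward-zone:\n    name: "home."\n    forward-addr: 192.168.10.1@5353\n')

def fqdn(name):  # 'home', '/home/' and '"home."' all become 'home.'
    return name.strip('"/').rstrip(".").lower() + "."

def parse_dnsmasq(text):
    cfg = {"port": 53, "local": set(), "dhcp_dns": set()}
    for line in text.splitlines():
        key, _, val = map(str.strip, line.partition("="))
        if key == "port":
            cfg["port"] = int(val)
        elif key == "local":  # local=/home/: answered from /etc/hosts, never forwarded
            cfg["local"].add(fqdn(val))
        elif key == "dhcp-option" and val.startswith("6,"):  # option 6 = DNS servers
            cfg["dhcp_dns"].update(val[2:].split(","))
    return cfg

def parse_unbound(text):
    cfg, zone = {"interface": set(), "insecure": set(), "forward": []}, None
    for line in text.splitlines():
        key, _, val = map(str.strip, line.partition(":"))
        if key == "forward-zone":  # a new forward-zone: block; port defaults to 53
            zone = {"port": 53, "name": "?"}
            cfg["forward"].append(zone)
        elif key == "interface":
            cfg["interface"].add(val)
        elif key == "domain-insecure":  # zones exempt from DNSSEC validation
            cfg["insecure"].add(fqdn(val))
        elif key == "name" and zone is not None:
            zone["name"] = fqdn(val)
        elif key == "forward-addr" and zone is not None:  # host or host@port
            zone["port"] = int(val.partition("@")[2] or 53)
    return cfg

def check_split(dm, ub):  # returns the misconfigurations found; [] means consistent
    out = ["dnsmasq on port 53 collides with unbound"] if dm["port"] == 53 else []
    for z in ub["forward"]:
        if z["port"] != dm["port"]:
            out.append(f"{z['name']} forwarded to port {z['port']}, dnsmasq listens on {dm['port']}")
        if z["name"] not in dm["local"]:
            out.append(f"{z['name']} is not a local= domain in dnsmasq")
        if z["name"] not in ub["insecure"]:
            out.append(f"{z['name']} lacks domain-insecure: its unsigned answers validate as bogus")
    for ip in sorted(dm["dhcp_dns"] - ub["interface"]):
        out.append(f"DHCP advertises DNS {ip}, which unbound does not listen on")
    return out
```

For the post's own configuration, `check_split(parse_dnsmasq(DNSMASQ_CONF), parse_unbound(UNBOUND_CONF))` returns an empty list; drop the `@5353` or the `domain-insecure` line and it names the problem.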

Conclusion

Even though unbound could handle the home domain on its own, I prefer using /etc/hosts. Since a DHCP server is needed anyway, I use dnsmasq for that. It's easy to set up and works perfectly.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti