Dnsmasq is a great piece of software. Described in few words I would say that it is a dns-forwarder, dhcp-server and tftp-server. I like the way dnsmasq can be configured. A-Records can be created by simply adding entries in /etc/hosts and I define dhcp-hosts by adding lines in /etc/ethers. But we live in very strange times. Google-DNS, Cloudflare-DNS and QUAD9 are open dns servers, but might spy on us(if a service is free to use in the internet, then we might not be the customer but the product). All the DNS-resolvers of our ISP aren’t trustworthy either since the EU already decided to force ISP’s to block sites. But blocking sites might not be the only problem. The one who controlls your dns-requests, is also able to route your traffic which could be used for Man-in-the-middle-attacks to gain control. So I decided to install a dns-recursor in my network. Dnsmasq does its jobs satisfyingly but it needs another dns-recursor. That’s why I want to add a recursor and use it together with dnsmasq. A very handy dns-recursor is unbound. It’s easy to configure and does DNSsec.
Preparing DNSmasq
In order to install DNSmasq and unbound on the same host I decided to bind the dns-port on 5353 instead of 53. Unbound will listen on port 53. DNSmasq is for custom DNS-Records only in this configuration. The following sample configuration will configure a dhcp-server that uses /etc/ethers and a dns-server that listens at port 5353 and resolves the domain “home.”.
/etc/dnsmasq.d/my.conf:
port=5353
local=/home/
interface=br0
domain=home
dhcp-range=br0,192.168.10.100,192.168.10.150,12h
read-ethers
dhcp-authoritative
dhcp-option=6,192.168.10.1
Setting up unbound
If unbound is installed via Debian-packages, it is already configured for dnssec. So I just need to configure the forwarding of the “home.”-domain:
/etc/unbound/unbound.conf.d/my.conf:
server:
num-threads: 4
interface: 192.168.10.1
access-control: 192.168.10.0/24 allow
private-domain: "home."
domain-insecure: "home."
local-zone: "home." nodefault
forward-zone:
name: "home."
forward-addr: 192.168.10.1@5353
Restart dnsmasq and unbound and enjoy the recursor. With this setup, I can simply create home-dnsrecords by adding lines in /etc/hosts:
192.168.10.1 ns1.home
192.168.10.2 nas.home
# ...
Conclusio
Even if unbound could handle the home-domain by it’s own, I prefer using /etc/hosts. Since a dhcp-server is needed anyway, I use dnsmasq for that. It’s easy to setup and works perfectly.