Dnsmasq is a lightweight, easy-to-configure DNS forwarder, designed to provide DNS (and optionally DHCP and TFTP) services to a small-scale network.
Compared to `BIND`, which is a bit complex for beginners to configure, `DNSMASQ` is very easy and requires minimal configuration. This post is just a reference guide for myself.
Install DNSMASQ in Ubuntu
sudo apt-get update
sudo apt-get install -y dnsmasq
After this, edit the /etc/dnsmasq.conf file. For a shorter version, I am pasting only the required important options (removing all other lines and using these only).
nano /etc/dnsmasq.conf
domain-needed
# If you want to listen on multiple interfaces, add them (by duplicating the following line)
interface=enp6s0
bogus-priv
strict-order
expand-hosts
cache-size=10000
After every change in the config, make sure to restart the DNSMASQ service.
service dnsmasq restart
Forwarding Queries to Upstream DNS
By default, DNSMASQ forwards all requests that cannot be resolved from /etc/hosts to the upstream DNS servers defined in /etc/resolv.conf, like below:
cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 8.8.8.8
Make sure to set up 127.0.0.1 in your network adapter configuration as well, for example:
dns-nameservers 127.0.0.1 8.8.8.8
Add DNS Records (static DNS entries, if required, for local servers like media sharing etc.)
To add customized domain entries (DNS spoofing, I guess), add the records in the /etc/hosts file:
cat /etc/hosts
127.0.0.1 localhost
1.2.3.4 zaib.com
Restart DNSMASQ Service
After every change in the config, make sure to restart the dnsmasq service.
service dnsmasq restart
Monitor DNS traffic
DNSTOP is your best friend. For full details, read
http://dns.measurement-factory.com/tools/dnstop/dnstop.8.html
# ACL / Secure your DNS from open relay / flooding
To allow only specific IP ranges to query your DNS server, you can use the following bash script.
We have multiple IP pools, so we made a small text file; a small bash script reads from the file and adds iptables rules accordingly.
Sample of /temp/localips.txt
10.0.0.0/8
172.16.0.0/16
192.168.0.0/16
Now you can execute the bash script manually, or add it to the /etc/rc.local file so it executes on every reboot.
cat /etc/fw.sh
#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Very Basic Level of Firewall to allow DNS only for some ip range
# Script by Syed Jahanzaib
# 26-SEP-2018
#set -x

# Setting various Variables
# Local IP file which contains ip/ranges (one address or CIDR range per line)
IPFILE="/temp/localips.txt"
# Destination Port we want to restrict
DPORT="53"
# Destination Port types we want to restrict
DPORT_TYPE1="udp"
DPORT_TYPE2="tcp"

# Flush all previous iptables Rules (note: this wipes every existing rule, not only the DNS ones)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Allow localhost access to query DNS service
iptables -A INPUT -s 127.0.0.1 -p $DPORT_TYPE1 --dport $DPORT -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -p $DPORT_TYPE2 --dport $DPORT -j ACCEPT

# LOOP - Read from localips.txt file, and apply iptables rules
for IP in $(cat $IPFILE); do
  echo "Allowing $IP for $DPORT_TYPE1 $DPORT Server queries access ..."
  iptables -A INPUT -s $IP -p $DPORT_TYPE1 --dport $DPORT -j ACCEPT
done
for IP in $(cat $IPFILE); do
  echo "Allowing $IP for $DPORT_TYPE2 $DPORT Server queries access ..."
  iptables -A INPUT -s $IP -p $DPORT_TYPE2 --dport $DPORT -j ACCEPT
done

# DROP all other requests going to DNS service (both udp and tcp)
iptables -A INPUT -p $DPORT_TYPE1 --dport $DPORT -j DROP
iptables -A INPUT -p $DPORT_TYPE2 --dport $DPORT -j DROP

# Script ends here
# Syed Jahanzaib
Add this to /etc/rc.local so that it runs on every reboot!
Also note that if you have a large IP pool, it is better to use IPSET, which is more efficient: one set match replaces one iptables rule per range.
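The ipset variant mentioned above, as an added example rather than the post's own fw.sh: it loads /temp/localips.txt into one hash:net set, skips blank and comment lines, rejects malformed entries, and keeps its rules in a dedicated DNS_ACL chain so the rest of the firewall is not flushed. It assumes the ipset and iptables packages are installed; the DRY_RUN, SETNAME and DNS_ACL names are this example's own choices.

```shell
#!/bin/sh
# Added example, not the original fw.sh: ipset-based allow list for dnsmasq on port 53.
# Assumes ipset and iptables are installed; DRY_RUN=1 prints the commands instead of running them.
IPFILE="${IPFILE:-/temp/localips.txt}"   # same file format as the post: one IPv4 range per line
SETNAME="dns_allow"
DRY_RUN="${DRY_RUN:-0}"
# run: execute a command, or only echo it when DRY_RUN=1
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }
# cidr_ok: accept an IPv4 address with an optional /0-32 prefix, reject anything else (typos, IPv6, /33)
cidr_ok() {
    echo "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}
# load_set: rebuild the set from the file, skipping blank lines and '#' comments; last stdout line is the entry count
load_set() {
    file="${1:-$IPFILE}"; count=0
    run ipset create "$SETNAME" hash:net -exist
    run ipset flush "$SETNAME"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(echo "${line%%#*}" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        if cidr_ok "$entry"; then
            run ipset add "$SETNAME" "$entry" -exist
            count=$((count + 1))
        else
            echo "skipping invalid entry: $entry" >&2
        fi
    done < "$file"
    echo "$count"
}
# apply_rules: own chain so nothing else is flushed; allow loopback and the set, drop other port-53 traffic (udp and tcp)
apply_rules() {
    run iptables -N DNS_ACL 2>/dev/null || true
    run iptables -F DNS_ACL
    run iptables -A DNS_ACL -i lo -j ACCEPT
    run iptables -A DNS_ACL -m set --match-set "$SETNAME" src -j ACCEPT
    run iptables -A DNS_ACL -j DROP
    for proto in udp tcp; do
        run iptables -D INPUT -p "$proto" --dport 53 -j DNS_ACL 2>/dev/null || true  # no duplicate jumps on re-run
        run iptables -I INPUT -p "$proto" --dport 53 -j DNS_ACL
    done
}
main() {
    n=$(load_set "$IPFILE" | tail -n 1)
    # an empty or all-invalid file would otherwise lock every client out of DNS
    [ "$n" -gt 0 ] || { echo "no valid entries in $IPFILE, rules not applied" >&2; return 1; }
    apply_rules
}
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as `sh fw-ipset.sh apply` (or with `DRY_RUN=1` first to review the generated commands); unlike the original, re-running it does not stack duplicate rules.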
SIMPLE QUEUE (MikroTik) for traffic going to/from the DNS server
/queue simple add max-limit=10M/10M name="NS1 DNS Traffic 10mb limit" target=X.X.X.X/32
NSLOOKUP with details on a Windows box
nslookup -all - 8.8.8.8
Regards,
Syed Jahanzaib