Dnsmasq is a lightweight, easy-to-configure DNS forwarder, designed to provide DNS (and optionally DHCP and TFTP) services to a small-scale network. It can serve the names of local machines which are not in the global DNS.
Dnsmasq’s DHCP server supports static and dynamic DHCP leases, multiple networks and IP address ranges. The DHCP server integrates with the DNS server and allows local machines with DHCP-allocated addresses to appear in the DNS. Dnsmasq caches DNS records, reducing the load on upstream nameservers and improving performance, and can be configured to automatically pick up the addresses of its upstream servers.
Dnsmasq accepts DNS queries and either answers them from a small, local cache or forwards them to a real, recursive DNS server. It loads the contents of /etc/hosts, so that local host names which do not appear in the global DNS can be resolved. This also means that records added to your local /etc/hosts file with the format “0.0.0.0 annoyingsite.com” can be used to prevent references to “annoyingsite.com” from being resolved by your browser. This can quickly evolve to a local ad blocker when combined with adblocking site list providers. If done on your router, you can efficiently remove advertising content for an entire household or company.
Dnsmasq supports modern Internet standards such as IPv6 and DNSSEC, network booting with support for BOOTP, PXE and TFTP and also Lua scripting.
Some Internet service-providers rewrite the NXDOMAIN (domain does not exist) responses from DNS servers, which forces web browsers to a search page whenever a user attempts to browse to a domain that does not exist. Dnsmasq can filter out these “bogus” NXDOMAIN records, preventing this potentially unwanted behavior.
Most Linux distributions ship Dnsmasq as a package, so installing it is a simple apt-get, yum, or urpmi away.
When a request comes in, Dnsmasq does not look in zone or similar files; it consults /etc/hosts first and then will look externally for addresses by consulting the name server(s) defined in /etc/resolv.conf. This is a quick and easy way to override external DNS addresses by simply defining them in /etc/hosts on the system that is running Dnsmasq.
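The lookup order just described (/etc/hosts first, then the upstream server), the "0.0.0.0 annoyingsite.com" blocking trick, and the bogus-NXDOMAIN filter can be modelled in a few lines. This is an added illustration, not Dnsmasq's own code: the hosts file, the upstream answers and the 198.51.100.53 "search page" address are all constructed sample data, and the resolver is a simplification (exact-name matching, first entry per name wins).

```python
import ipaddress

# Constructed sample /etc/hosts in the format the text describes.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
192.168.1.10 fileserver fileserver.lan   # local machine not in global DNS
0.0.0.0      annoyingsite.com            # hosts-file style ad blocking
"""

# Constructed stand-in for the upstream server listed in /etc/resolv.conf.
# A missing key models a real NXDOMAIN; 198.51.100.53 models an ISP that
# rewrites NXDOMAIN into a search-page address.
SAMPLE_UPSTREAM = {
    "example.com": "93.184.216.34",
    "does-not-exist.example": "198.51.100.53",  # ISP search-page redirect
}
BOGUS_NXDOMAIN = {"198.51.100.53"}  # answers to turn back into NXDOMAIN


def parse_hosts(text):
    """Parse /etc/hosts text into {name: address}; first entry for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address: skip the line
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table


def resolve(name, hosts, upstream, bogus=BOGUS_NXDOMAIN):
    """Model Dnsmasq's order: /etc/hosts first, then upstream.
    Returns an address string, or None for NXDOMAIN."""
    name = name.lower().rstrip(".")
    if name in hosts:  # exact-name match only, no suffix matching
        return hosts[name]
    answer = upstream.get(name)
    if answer in bogus:  # upstream rewrote NXDOMAIN: hand back NXDOMAIN
        return None
    return answer
```

Note that a hosts-file entry blocks only the exact name, so ads.annoyingsite.com still reaches upstream; Dnsmasq's own address=/annoyingsite.com/0.0.0.0 option covers the whole domain, and bogus-nxdomain=<addr> is the real counterpart of the filter modelled here.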
DNS Spoofing with Dnsmasq
DNS spoofing is a bad thing. A couple of legitimate uses I can think of are: easier testing of locked smart phones when they need to be jail-broken to edit their hosts files, or playing “funny” pranks on the people who use your Dnsmasq server. DNS spoofing is forgery; it’s faking a DNS entry to hijack site traffic. Some governments and businesses do this to control Internet activities. It is an effective monkey-in-the-middle trick for eavesdropping and altering packets. HTTP sessions are sent in the clear, so an eavesdropper sees everything. HTTPS sessions are also vulnerable; packet headers are not encrypted (they can’t be, as random routers need to read them), and there are tools like sslstrip that break SSL.
The good news is that DNS spoofing is self-limiting, because it only works on DNS servers that you control, and savvy users can find other servers to use.
Install Dnsmasq and configure Network Manager on Ubuntu
sudo apt-get install dnsmasq resolvconf
Then comment out dns=dnsmasq in /etc/NetworkManager/NetworkManager.conf
Stop Dnsmasq with
sudo killall -9 dnsmasq
After configuring Dnsmasq, restart Network Manager with
sudo service network-manager restart
The distributed nature of DNS means that DNS spoofing is impossible to implement on a large scale. The simplest test is to use dig to query multiple DNS servers and compare the results. This example queries an OpenDNS server:
$ dig +short @22.214.171.124 example.com
126.96.36.199
Dnsmasq provides a number of features that make it a compelling replacement for BIND and dhcpd, or any other DNS or DHCP server software you may be using. It can set default MX records, various caching options, a wide variety of DHCP options, SRV records to provide LDAP information, PTR records, SPF records, and even Zeroconf records.
For small office and home networks, Dnsmasq is hard to beat in terms of simplicity and power. The configuration file is loaded with examples and information so, while initial setup for a larger network will require a commitment of some time, it is all very straightforward.