DNSmasq detailed analysis and detailed configuration


1. Introduction to dnsmasq

Dnsmasq provides DNS caching and DHCP services. As a DNS server it speeds up access to frequently visited sites by caching DNS answers. As a DHCP server it can assign intranet IP addresses and provide routing information to LAN hosts. DNS and DHCP can be enabled together or separately. Dnsmasq is lightweight and easy to configure, and is suited to individual users or networks of fewer than 50 hosts. It also includes a PXE server.

2. Main role of Dnsmasq

(1) Use Dnsmasq as a local DNS server by pointing the computer's local DNS setting at its IP address.

(2) To counter ISP DNS hijacking (anti-DNS-hijacking): enter a nonexistent domain name. Normally the browser reports that it cannot connect; with DNS hijacking it is redirected to an advertising page. Run nslookup on a nonexistent domain name to see which IP address the ISP hijacks it to.

(3) Smart DNS routing speeds up resolution. Open /etc/dnsmasq.conf and add the desired DNS server after server=, so that, for example, domestic and foreign websites use different DNS servers.

Designated DNS for domestic domains:

server=/cn/114.114.114.114
server=/taobao.com/114.114.114.114
server=/taobaocdn.com/114.114.114.114

Designated DNS for foreign domains:

server=/google.com/8.8.8.8

(4) Block web ads by pointing ad domains at 127.0.0.1, which removes the annoying ads from web pages.

address=/ad.youku.com/127.0.0.1
address=/ad.iqiyi.com/127.0.0.1

(5) Resolve a specified domain name to a specific IP. This can be used to control access to certain websites; rogue DNS servers often use the same mechanism to resolve legitimate websites to incorrect IP addresses.

address=/freehao123.com/123.123.123.123

(6) To manage and control intranet DNS, first set the local DNS of all devices in the LAN to the IP address of the server on which Dnsmasq is installed. Then edit that server's hosts file, /etc/hosts, and map the domain name to the desired IP.

For example, if you want every user in the LAN who visits www.freehao123.com to be sent to 192.168.0.2, add the following to the hosts file:

192.168.0.2 www.freehao123.com

The whole process can also be described as "DNS hijacking".

3. Parsing process of dnsmasq

Dnsmasq first consults the hosts file, then the *.conf files under /etc/dnsmasq.d/, and these files take priority over dnsmasq.conf. The DNS servers in our custom resolv.dnsmasq.conf are called the upstream DNS, and they are queried last.

If we do not want the hosts file to be used for resolution, add the no-hosts statement to /etc/dnsmasq.conf so that queries go directly to the upstream DNS. If we do not want upstream queries either, that is, no normal resolution at all, add the no-resolv statement.
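The lookup order just described, simulated in Python as an added example (not the article's or dnsmasq's own code). The sample configuration and hosts entry reuse values from section 2; the resolv-file server list is an assumption.

```python
"""Simulate dnsmasq's lookup order: hosts file, then the most specific
address=/server=/local= rule, then the upstream servers from resolv-file.
Added example, not dnsmasq code; no-hosts and no-resolv switch the first
and last steps off as the text describes."""
from typing import Dict, List, Optional, Tuple

# Constructed sample config using the article's own values.
SAMPLE_CONF = """
server=/cn/114.114.114.114
server=/taobao.com/114.114.114.114
server=/google.com/8.8.8.8
address=/ad.youku.com/127.0.0.1
address=/ad.iqiyi.com/127.0.0.1
local=/home.lan/
"""
SAMPLE_HOSTS = "192.168.0.2 www.freehao123.com\n"
RESOLV_SERVERS = ["8.8.8.8", "8.8.4.4"]   # assumed resolv.dnsmasq.conf contents


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Collect key=value lines and bare flags (e.g. no-hosts) from dnsmasq.conf text."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every name in hosts-file text to its address."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower().rstrip(".")] = fields[0]
    return table


def _split_rule(value: str) -> Tuple[List[str], str]:
    """'/a.com/b.com/1.2.3.4' -> (['a.com', 'b.com'], '1.2.3.4'); '1.2.3.4' -> ([], '1.2.3.4')."""
    if not value.startswith("/"):
        return [], value
    parts = value.split("/")            # ['', 'a.com', 'b.com', '1.2.3.4']
    return [d.lower().strip(".") for d in parts[1:-1] if d], parts[-1]


def _matches(domain: str, name: str) -> bool:
    """name is the domain itself or a subdomain of it (match on a label boundary)."""
    return name == domain or name.endswith("." + domain)


def resolve(name: str, conf: Dict[str, List[str]], hosts: Dict[str, str],
            resolv_servers: List[str]) -> Tuple[str, str]:
    """Return (source, answer or upstream) for a query name."""
    name = name.lower().rstrip(".")
    # 1. hosts file, unless no-hosts is set
    if "no-hosts" not in conf and name in hosts:
        return ("hosts", hosts[name])
    # 2. longest matching domain rule: address= answers locally, server= picks an
    #    upstream, local= (or server= with an empty target) answers locally only
    best: Optional[Tuple[str, str, str]] = None
    defaults: List[str] = []
    for kind in ("address", "server", "local"):
        for value in conf.get(kind, []):
            domains, target = _split_rule(value)
            if not domains:
                if kind == "server":
                    defaults.append(target)   # server=ip with no domain: default upstream
                continue
            kind_out = "local" if (kind == "local" or target == "") else kind
            for d in domains:
                if _matches(d, name) and (best is None or len(d) > len(best[0])):
                    best = (d, kind_out, target)
    if best is not None:
        return (best[1], best[2])
    # 3. default upstreams: explicit server=ip lines plus resolv-file, unless no-resolv
    upstream = defaults + ([] if "no-resolv" in conf else resolv_servers)
    if not upstream:
        return ("none", "")
    return ("upstream", ",".join(upstream))
```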

4. Description of parameters and common settings of dnsmasq

Edit the dnsmasq configuration file /etc/dnsmasq.conf. This file contains a large number of commented options.

(1) Important parameters that are frequently modified

resolv-file
    Defines where dnsmasq obtains its upstream DNS server addresses; by default they are read from /etc/resolv.conf.

strict-order
    Query the upstream servers strictly in the order they appear in resolv-file, top to bottom, until the first one answers.

listen-address
    Defines the addresses dnsmasq listens on; by default it listens on all network interfaces of this machine.

address
    Enables wildcard domain resolution, i.e. a custom A record. For example, address=/long.com/192.168.115.10 resolves long.com and all its subdomains to 192.168.115.10.

bogus-nxdomain
    Any name that resolves to this IP is answered with NXDOMAIN instead, invalidating the resolution. Can be specified multiple times. Usually used to stop lookups of nonexistent names being redirected to the ISP's advertising site.

server
    Specifies which DNS server resolves a domain. Different domains can be sent to different servers. For example: server=/google.com/8.8.8.8    # use Google's DNS for Google services.

(2) To check whether the syntax of the configuration file is correct, execute the following command

[root@localhost ~]# dnsmasq --test
dnsmasq: syntax check OK.

(3) DNS cache settings
To start dnsmasq as a caching DNS server in daemon mode on a single computer, edit /etc/dnsmasq.conf and add a listening address:

listen-address=127.0.0.1
If this host is to provide DNS for your LAN, bind to the host's fixed IP address:

listen-address=192.168.x.x
A static IP address is recommended in this case.

Multiple addresses:

listen-address=127.0.0.1,192.168.x.x

(4) More than three domain name servers
There is a limitation when Linux processes DNS requests. At most three domain name servers can be configured in resolv.conf. As a workaround, you can leave only localhost as the domain name server in the resolv.conf file, and then create another resolv file for the external domain name server. First, create a new domain name resolution file for dnsmasq:

[root@localhost ~]# vim /etc/resolv.dnsmasq.conf
# Google's nameservers, for example
nameserver 8.8.8.8
nameserver 8.8.4.4
Then edit /etc/dnsmasq.conf so that dnsmasq uses the newly created resolv file:

[root@localhost ~]# vim  /etc/dnsmasq.conf
...
resolv-file=/etc/resolv.dnsmasq.conf

(5) Using dhcpcd
Dhcpcd can be told which DNS server to use by creating (or editing) /etc/resolv.conf.head or /etc/resolv.conf.tail, so that /etc/resolv.conf is not overwritten by dhcpcd every time:

echo "nameserver 127.0.0.1" > /etc/resolv.conf.head   # set the DNS server to 127.0.0.1

(6) Using dhclient
To use dhclient, uncomment the following line in /etc/dhclient.conf:

prepend domain-name-servers 127.0.0.1;

(7) Using network manager
NetworkManager can start dnsmasq itself. Add dns=dnsmasq to the [main] section of NetworkManager.conf, and then disable the dnsmasq.service started by systemd:

[root@localhost ~]# vim /etc/NetworkManager/NetworkManager.conf
[main]
plugins=keyfile
dns=dnsmasq
Custom dnsmasq configuration files can be placed in the /etc/NetworkManager/dnsmasq.d/ directory. For example, to adjust the size of the DNS cache (held in memory):

[root@localhost ~]# vim /etc/NetworkManager/dnsmasq.d/cache
cache-size=1000
Once NetworkManager has started dnsmasq, the settings in the files in this directory override the default configuration.

IPv6

Enabling dnsmasq in NetworkManager may break IPv6-only DNS queries (for example dig -6 [hostname]) that would otherwise work. To fix this, create the following file so that dnsmasq always listens on the IPv6 loopback address:

[root@localhost ~]# vim /etc/NetworkManager/dnsmasq.d/ipv6_listen.conf
listen-address=::1

In addition, dnsmasq does not prefer IPv6 upstream DNS servers; unfortunately NetworkManager no longer does this either (Ubuntu bug). One workaround is to disable NetworkManager's IPv4 DNS configuration, if it exists.

Other ways

Another option is to enter the settings manually in the NetworkManager front end (usually by right-clicking the applet). The exact steps depend on the front end; typically you right-click the applet, edit (or create) a connection profile, and set the DHCP type to "Automatic (specify addresses)". The DNS addresses then have to be entered, usually in this form: 127.0.0.1, DNS server one

(8) DHCP server settings
Dnsmasq's DHCP function is off by default. If the host is to provide IP addresses and routing for other devices in the LAN, the necessary settings in the dnsmasq configuration file (/etc/dnsmasq.conf) are as follows:

[root@localhost ~]# vim  /etc/dnsmasq.conf
# Only listen to routers' LAN NIC.  Doing so opens up tcp/udp port 53 to
# localhost and udp port 67 to world:
interface=<LAN-NIC>


# dnsmasq will open tcp/udp port 53 and udp port 67 to world to help with
# dynamic interfaces (assigning dynamic ips). Dnsmasq will discard world
# requests to them, but the paranoid might like to close them and let the
# kernel handle them:
bind-interfaces


# Dynamic range of IPs to make available to LAN pc
dhcp-range=192.168.111.50,192.168.111.100,12h


# If you'd like to have dnsmasq assign static IPs, bind the LAN computer's
# NIC MAC address:
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.111.50
View the current leases:

[root@localhost ~]# cat /var/lib/misc/dnsmasq.leases
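A defender-side check on the lease file, added here as an example (not the article's or dnsmasq's own code): it parses lease lines in the layout dnsmasq writes and compares live leases against the dhcp-range and dhcp-host shown above. The sample leases, the clock value and the findings format are constructed for this example.

```python
"""Audit a dnsmasq lease file against the dhcp-range and dhcp-host settings
shown above. Added example, not dnsmasq code. Lease lines are laid out as
dnsmasq writes them (expiry epoch, MAC, IP, hostname, client-id); the sample
leases, the clock value and the findings format are constructed here."""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple


class Lease(NamedTuple):
    expiry: int
    mac: str
    ip: str
    hostname: str
    client_id: str


def parse_leases(text: str) -> List[Lease]:
    """Parse IPv4 lease lines; skip the 'duid' header line and IPv6 leases."""
    leases: List[Lease] = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 5 or fields[0] == "duid" or ":" in fields[2]:
            continue
        leases.append(Lease(int(fields[0]), fields[1].lower(), fields[2],
                            fields[3], fields[4]))
    return leases


def audit(leases: List[Lease], dhcp_range: Tuple[str, str],
          reservations: Dict[str, str], now: int) -> List[Tuple[str, str, str]]:
    """Return (finding, ip, mac) tuples for live leases that look wrong:
    outside the pool without a reservation, contradicting a dhcp-host
    reservation, or several clients holding the same address."""
    start, end = (ipaddress.IPv4Address(a) for a in dhcp_range)
    findings: List[Tuple[str, str, str]] = []
    holders: Dict[str, List[str]] = {}
    for lease in leases:
        if lease.expiry <= now:
            continue                               # expired, no longer live
        ip = ipaddress.IPv4Address(lease.ip)
        reserved = reservations.get(lease.mac)
        if reserved is not None and reserved != lease.ip:
            findings.append(("reservation-mismatch", lease.ip, lease.mac))
        elif reserved is None and not start <= ip <= end:
            findings.append(("outside-range", lease.ip, lease.mac))
        holders.setdefault(lease.ip, []).append(lease.mac)
    for ip, macs in holders.items():
        if len(macs) > 1:
            findings.append(("duplicate-ip", ip, ",".join(macs)))
    return findings


# Constructed sample: the dhcp-range and dhcp-host from the listing above.
DHCP_RANGE = ("192.168.111.50", "192.168.111.100")
RESERVATIONS = {"aa:bb:cc:dd:ee:ff": "192.168.111.50"}
NOW = 1700000100        # constructed "current time" (epoch seconds)
SAMPLE_LEASES = """\
1700003600 aa:bb:cc:dd:ee:ff 192.168.111.50 nas 01:aa:bb:cc:dd:ee:ff
1700003600 00:11:22:33:44:55 192.168.111.61 laptop *
1700003600 66:77:88:99:aa:bb 192.168.111.61 printer *
1700003600 de:ad:be:ef:00:01 192.168.111.200 unknown *
1700000000 00:11:22:33:44:56 192.168.111.62 old-phone *
duid 00:01:00:01:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55
"""


def run_sample() -> List[Tuple[str, str, str]]:
    """Audit the constructed lease file with the settings above."""
    return audit(parse_leases(SAMPLE_LEASES), DHCP_RANGE, RESERVATIONS, NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```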

(9) Add a custom domain
A custom domain for the (local) network can be added on the host:

local=/home.lan/
domain=home.lan
(10) Start daemon
Set to boot:

[root@localhost ~]# systemctl enable dnsmasq
Start dnsmasq now:

[root@localhost ~]# systemctl start dnsmasq
The network service needs to be restarted so that the DHCP client rebuilds /etc/resolv.conf.

Check whether dnsmasq is started normally, and check the system log:

[root@localhost ~]# journalctl -u dnsmasq

5. Detailed explanation of the dnsmasq configuration file /etc/dnsmasq.conf

# Do not load the local /etc/hosts file

#no-hosts

# Add and read additional hosts file paths, which can be specified multiple times. If specified as a directory, all files in the directory are read.

#addn-hosts=/etc/dnsmasq.hosts.d

# Read all files in the directory, and file updates will be read automatically

#hostsdir=/etc/dnsmasq.hosts.d

# Append the configured domain to plain names from /etc/hosts; for example, os01 becomes os01.example.com

#expand-hosts



##############################################################################

# The cache time setting is generally unnecessary

# TTL for entries from the local hosts file. Caching them is usually unnecessary, so changes to the hosts file take effect immediately.

#local-ttl=3600

# Like local-ttl, but only affects DHCP leases

#dhcp-ttl=<time>

# Default TTL that dnsmasq applies when the upstream reply carries none; generally does not need to be set

#neg-ttl=<time>

# Specifies the ttl time returned to the client, which generally does not need to be set

#max-ttl=<time>

# Sets the maximum TTL of entries in the cache.

#max-cache-ttl=<time>

# It doesn't need to be set unless you know what you're doing.

#min-cache-ttl=<time>

# Generally, no setting is required

#auth-ttl=<time>



##############################################################################

# Log DNS queries. With log-queries=extra, each log line starts with additional information.

#log-queries

# Set the log facility: '-' for stderr, or a file path. The default is DAEMON; LOCAL0 is handy while debugging.

#log-facility=<facility>

#log-facility=/var/log/dnsmasq/dnsmasq.log

# Asynchronous log, ease congestion and improve performance. The default is 5 and the maximum is 100.

#log-async[=<lines>]

#log-async=50



##############################################################################

# Specify users and groups

#user=nobody

#group=nobody



##############################################################################

# Specify the DNS port. The default is 53. Setting port=0 will completely disable the DNS function and only use DHCP/TFTP

#port=53

# Maximum size of EDNS.0 UDP packets. The default is 4096, as recommended by RFC 5625

#edns-packet-max=<size>

# UDP source port for upstream queries. The default is a random port; fixing it makes the source port predictable and so reduces security, but is faster and uses fewer resources.

# Set to 0 to let the operating system assign the port.

#query-port=53535

# Specify the UDP port range queried from the upstream to facilitate firewall settings.

#min-port=<port>

#max-port=<port>

# Interfaces to listen on; the lo interface is always added. The '*' wildcard is allowed.

# Interface aliases (for example "eth1:0") cannot be used; use the listen-address option instead.

#interface=wlp2s0

# Interfaces to exclude; exclusion takes priority. The '*' wildcard is allowed

#except-interface=

# Only accept DNS requests from the subnets this host is directly connected to.

# Only in effect when none of interface, except-interface, listen-address or auth-server is set.

#local-service

# Specify an interface that does not provide DHCP or TFTP services and only provides DNS services.

#no-dhcp-interface=enp3s0

# IP addresses to listen on; may be specified multiple times.

# The interface and listen-address options can be used together.

# The following two lines are similar to setting the interface option.

listen-address=192.168.10.17

#listen-address=127.0.0.1

# Normally, even with the interface option set (for example interface=wlp2s0),

# dnsmasq still binds the wildcard address (for example *:53).

# Enable this to bind only the specified interfaces.

# Useful for running several DNS servers on different interfaces or IP addresses of the same host.

bind-interfaces

# Like bind-interfaces, but also picks up interfaces that appear after startup. Supported only on Linux; on other systems it is equivalent to bind-interfaces.

#bind-dynamic



##############################################################################

# If the host in hosts has multiple IP addresses, only the IP address of the corresponding subnet is returned.

localise-queries

# If the reverse lookup is a private address, such as 192.168.X.X, only the hosts file will be searched and will not be forwarded to the upstream server

#bogus-priv

# For any domain name resolved to this IP, it will respond to NXDOMAIN to invalidate its resolution. It can be specified multiple times

# It is usually used to prohibit the access to the non-existent domain name from jumping to the operator's advertising site.

#bogus-nxdomain=64.94.110.11

# Ignore replies to A-record queries that contain the specified address.

# For example, an upstream server forges the IP of www.baidu.com as 1.1.1.1 and answers very quickly.

# Specifying ignore-address=1.1.1.1 discards that reply,

# so that the correct answer for www.baidu.com can be waited for.

#ignore-address=<ipaddr>

# Filter the periodic DNS requests made by newer Windows versions that public DNS cannot answer sensibly
filterwin2k



##############################################################################

# Specify the resolv file path. The default is /etc/resolv.conf

#resolv-file=/etc/resolv.conf

# Do not read the resolv file to find upstream servers

#no-resolv

# DBus support needs to be enabled at compile time.

#enable-dbus[=<service-name>]

# Query the servers in resolv.conf strictly in order

#strict-order

# Send queries to all upstream servers instead of one.

all-servers

# Enable forwarding loop detection

#dns-loop-detect



##############################################################################

# Security setting: refuse upstream answers that resolve domain names to private IP addresses,

# i.e. the private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

# Its purpose is to stop an upstream DNS server hijacking users by deliberately resolving certain domain names to specific intranet IPs.

# Commenting out the stop-dns-rebind line in the configuration file disables this protection.

# That solves the problem of resolving intranet IP addresses once and for all,

# but the security protection is lost, so it is not recommended here.

# Use rebind-domain-ok instead: as the name suggests, it selectively exempts the listed domains from the rebind check

stop-dns-rebind

rebind-localhost-ok

#rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]

rebind-domain-ok=/.test.com/
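The rebind check configured above, modelled in Python as an added example (not dnsmasq's own code): stop-dns-rebind rejects upstream A answers in the private ranges the text lists, rebind-localhost-ok exempts 127.0.0.0/8, and rebind-domain-ok exempts the listed domains. The sample names and addresses are constructed.

```python
"""Model the rebind check configured above: stop-dns-rebind rejects upstream
answers in private space, rebind-localhost-ok exempts 127.0.0.0/8 and
rebind-domain-ok exempts listed domains. Added example, not dnsmasq code; it
covers the ranges the text lists (dnsmasq's own check also rejects a few
others, such as 169.254.0.0/16)."""
import ipaddress
from typing import Iterable, List, Sequence, Tuple

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_ok_domains(values: Iterable[str]) -> List[str]:
    """rebind-domain-ok values such as '/.test.com/' or '/a.org/b.net/' -> ['test.com', ...]."""
    domains: List[str] = []
    for value in values:
        for d in value.split("/"):
            d = d.strip().strip(".").lower()
            if d:
                domains.append(d)
    return domains


def _in_domain(name: str, domain: str) -> bool:
    """name is the domain itself or one of its subdomains."""
    return name == domain or name.endswith("." + domain)


def check_answer(name: str, addrs: Sequence[str], stop_rebind: bool = True,
                 localhost_ok: bool = False,
                 ok_domains: Sequence[str] = ()) -> Tuple[bool, str]:
    """Decide whether an upstream A answer for `name` would be accepted or dropped."""
    name = name.lower().rstrip(".")
    if not stop_rebind:
        return (True, "stop-dns-rebind disabled")
    if any(_in_domain(name, d) for d in ok_domains):
        return (True, "exempt by rebind-domain-ok")
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.version != 4:
            continue                  # IPv6 ranges are outside this example
        if ip in LOOPBACK:
            if localhost_ok:
                continue
            return (False, f"{a} is loopback; rebind-localhost-ok would allow it")
        if any(ip in net for net in PRIVATE_NETS):
            return (False, f"{a} is in private address space")
    return (True, "public answer")


# Constructed: the rebind-domain-ok setting from the listing above.
OK_DOMAINS = parse_ok_domains(["/.test.com/"])
```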



##############################################################################

# Do not poll /etc/resolv.conf for changes

#no-poll

# Clear the cache when the configuration is reloaded

clear-on-reload

# Only forward names that include a domain part to the upstream servers; bare host names are looked up only in the hosts file

domain-needed



##############################################################################

# IP address translation

#alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]

##############################################################################

#local=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]

#server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]

server=/test.com/192.168.10.117

server=/10.168.192.in-addr.arpa/192.168.10.117

#rev-server=<ip-address>/<prefix-len>,<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]



# Resolve any domain name belonging to <domain> to the specified <ipaddr>.

# That is, resolve <domain> and all its subdomains to the given IPv4 or IPv6 address; usually used to block specific domains.

# Only one IPv4 or IPv6 address can be given per line. To return both, specify the address= option more than once.

# Note: /etc/hosts entries and DHCP leases override this setting.

#address=/<domain>/[domain/][<ipaddr>]



#ipset=/<domain>/[domain/]<ipset>[,<ipset>]

#mx-host=<mx name>[[,<hostname>],<preference>]

#mx-target=<hostname>



# SRV record

#srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<priority>[,<weight>]]]]



# A, AAAA and PTR records

#host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-address>][,<TTL>]



# TXT record

#txt-record=<name>[[,<text>],<text>]



# PTR record 

#ptr-record=<name>[,<target>]



#naptr-record=<name>,<order>,<preference>,<flags>,<service>,<regexp>[,<replacement>]



# CNAME alias record

#cname=<cname>,<target>[,<TTL>]





#dns-rr=<name>,<RR-number>,[<hex data>]

#interface-name=<name>,<interface>[/4|/6]

#synth-domain=<domain>,<address range>[,<prefix>]

#add-mac[=base64|text]

#add-cpe-id=<string>

#add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>/]<IPv6 prefix length>]]

##############################################################################



##############################################################################

# Number of cache entries, 150 by default. cache-size=0 disables caching.

cache-size=1000

# Do not cache negative answers (nonexistent names). By default dnsmasq caches them and answers clients from the cache.

no-negcache

# Maximum number of concurrent DNS queries being forwarded upstream

dns-forward-max=1000



##############################################################################

#dnssec

#trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>

#dnssec-check-unsigned

#dnssec-no-timecheck

#dnssec-timestamp=<path>

#proxy-dnssec

#dnssec-debug



##############################################################################

#auth-server=<domain>,<interface>|<ip-address>

#auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix length>].....]]

#auth-zone=<domain>[,<interface name>[/6|/4][,<interface name>[/6|/4].....]]

#auth-soa=<serial>[,<hostmaster>[,<refresh>[,<retry>[,<expiry>]]]]

#auth-sec-servers=<domain>[,<domain>[,<domain>...]]

#auth-peer=<ip-address>[,<ip-address>[,<ip-address>...]]



# Enable connection tracking: read the conntrack mark of each incoming DNS query

# and set the same mark on the query that is forwarded upstream on its behalf.

# Useful for bandwidth control and firewall deployment.

# Requires conntrack support at compile time and a kernel with conntrack properly configured and loaded.

# This option cannot be used together with query-port.

#conntrack





##############################################################################

#

#        DHCP options

#

##############################################################################

# Set the DHCP address pool and enable the DHCP function.

# For IPv4, <mode> can be static or proxy. With static,

# addresses in the pool are only handed out to clients with a matching dhcp-host entry.

# With proxy, DHCP proxy service is provided for the given pool.

#dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>][,<mode>][,<netmask>[,<broadcast>]][,<lease time>]

#dhcp-range=172.16.0.2,172.16.0.250,255.255.255.0,1h

#dhcp-range=192.168.10.150,192.168.10.180,static,255.255.255.0,1h



# Fix a client's IP address, host name and lease time by its MAC address or client id.

# Under IPv4, id:* ignores the DHCP client id and matches on the MAC address only.

# When /etc/hosts is read, the address listed there for the host name can also be assigned.

# Specify ignore to ignore DHCP requests from that client.

#dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]

#dhcp-hostsfile=<path>

#dhcp-hostsdir=<path>

# Reading /etc/ethers is equivalent to dhcp-host entries. Not available for IPv6.

#read-ethers



# Option information sent to DHCP clients.

# By default dnsmasq sends the subnet mask, broadcast address, DNS server address, gateway address, domain and similar information.

# Specifying this option overrides those defaults and can set other option values.

# Important: options can be given as option:<option-name> or as the option number.

# For the correspondence between <option-name> and option number, run:

# dnsmasq --help dhcp and dnsmasq --help dhcp6.

# For example, to set the gateway, use either dhcp-option=3,192.168.4.4 or dhcp-option=option:router,192.168.4.4.

# 0.0.0.0 means the address of the host on which dnsmasq is running.

# If several tag:<tag> are given, all of them must match.

# [encap:<opt>,] [vi-encap:<enterprise>,] [vendor:[<vendor-class>],] are not covered further here.

#dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>|option6:<opt>|option6:<opt-name>],[<value>[,<value>]]

#dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]

#dhcp-optsfile=<path>

#dhcp-optsdir=<path>

#dhcp-option=3,1.2.3.4

#dhcp-option=option:router,1.2.3.4

#dhcp-option=option:router,192.168.10.254

#dhcp-option=option:dns-server,192.168.10.254,221.12.1.227,221.12.33.227



##############################################################################

# (IPv4 only) Disable reuse of the server name and file fields as extra DHCP option space.

# Normally dnsmasq moves the boot server and file information from the BOOTP fields into DHCP options,

# which frees option space in the DHCP packet but confuses some old clients.

# This option forces the simple, safe behaviour and avoids that; think of it as a compatibility option.

#dhcp-no-override



##############################################################################

# Configure DHCP relay.

# <local address> is the IP address of the interface on which dnsmasq runs.

# All DHCP requests received on the <local address> interface are relayed to the remote DHCP server given by <server address>.

# The option may be given several times with the same <local address> to relay to several remote servers.

# <server address> must be an IP address; domain names and other formats are not allowed.

# For DHCPv6, <server address> may be the All_DHCP_Servers multicast address ff05::1:3.

# In that case <interface> must be given and cannot be a wildcard, because the multicast is sent directly out of that interface to the DHCP server.

# <interface> specifies that only DHCP server traffic arriving on the <interface> interface is accepted.

#dhcp-relay=<local address>,<server address>[,<interface>]



##############################################################################

# Set tags

#dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<vendor-class>

#dhcp-userclass=set:<tag>,<user-class>

#dhcp-mac=set:<tag>,<MAC address>

#dhcp-circuitid=set:<tag>,<circuit-id>

#dhcp-remoteid=set:<tag>,<remote-id>

#dhcp-subscrid=set:<tag>,<subscriber-id>

#dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<enterprise>[,<value>]

#tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]



#dhcp-proxy[=<ip addr>]......



##############################################################################

# Do not serve DHCP requests that match these tag:<tag>.

#dhcp-ignore=tag:<tag>[,tag:<tag>]

#dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]

#dhcp-generate-names=tag:<tag>[,tag:<tag>]

# (IPv4 only) Use broadcast to reply to clients matching tag:<tag>; generally for compatibility with old BOOTP clients.

#dhcp-broadcast[=tag:<tag>[,tag:<tag>]] 



##############################################################################

# (IPv4 only) Set the BOOTP options returned by the DHCP server;

# <servername> and <server address> are optional.

# If not set, the server name is empty and the server address is dnsmasq's own IP address.

# If several tag:<tag> are given, all of them must match.

# If <tftp_servername> is given, round-robin load balancing is done over its IP addresses in /etc/hosts.

#dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server address>|<tftp_servername>]]

# Use different boot files for different client types.

# Use example:

#        dhcp-match=set:EFI_x86-64,option:client-arch,9

#        dhcp-boot=tag:EFI_x86-64,uefi/grubx64.efi

#        #dhcp-match=set:EFI_Xscale,option:client-arch,8

#        #dhcp-boot=tag:EFI_Xscale,uefi/grubx64.efi

#        #dhcp-match=set:EFI_BC,option:client-arch,7

#        #dhcp-boot=tag:EFI_BC,uefi/grubx64.efi

#        #dhcp-match=set:EFI_IA32,option:client-arch,6

#        #dhcp-boot=tag:EFI_IA32,uefi/grubx64.efi

#        #dhcp-match=set:Intel_Lean_Client,option:client-arch,5

#        #dhcp-boot=tag:Intel_Lean_Client,uefi/grubx64.efi

#        #dhcp-match=set:Arc_x86,option:client-arch,4

#        #dhcp-boot=tag:Arc_x86,uefi/grubx64.efi

#        #dhcp-match=set:DEC_Alpha,option:client-arch,3

#        #dhcp-boot=tag:DEC_Alpha,uefi/grubx64.efi

#        #dhcp-match=set:EFI_Itanium,option:client-arch,2

#        #dhcp-boot=tag:EFI_Itanium,uefi/grubx64.efi

#        #dhcp-match=set:NEC/PC98,option:client-arch,1

#        #dhcp-boot=tag:NEC/PC98,uefi/grubx64.efi

#        dhcp-match=set:Intel_x86PC,option:client-arch,0

#        dhcp-boot=tag:Intel_x86PC,pxelinux.0



##############################################################################

# DHCP derives the address offered to a client from a hash of the client's MAC address,

# so a client usually keeps the same IP address for a long time even after its lease expires.

# In the default mode the addresses are thus spread pseudo-randomly over the pool.

# Enabling dhcp-sequential-ip allocates addresses sequentially instead.

# In sequential mode, a lease expiring is more likely to leave the client with a different IP address.

# In general this mode is not recommended.

#dhcp-sequential-ip



##############################################################################

# In most cases PXE is used simply: the PXE client obtains an IP address,

# then downloads and executes the file named by the dhcp-boot option, i.e. plain BOOTP.

# With a properly configured DHCP server, however, PXE can do more.

# The pxe-service option defines the boot menu for the PXE environment.

# It sets different boot menus for different client types and overrides the dhcp-boot option.

# <CSA> is the client system type: x86PC, PC98, IA64_EFI, Alpha, Arc_x86, Intel_Lean_Client,

# IA32_EFI, X86-64_EFI, Xscale_EFI, BC_EFI, ARM32_EFI and ARM64_EFI; other types may be given as an integer.

# <basename>: the PXE client downloads this file by TFTP from <server address> or <server_name>.

#     Note: the "layer" suffix (usually ".0") is appended by PXE, i.e. the client adds .0 to the file name by default.

#     Example: pxe-service=x86PC, "Install Linux", pxelinux (reads the pxelinux.0 file and executes it)

#           pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 (not supported by old PXE clients)

#     <bootservicetype> integer: the PXE client searches, by broadcast or via <server address>

#           or <server_name>, for a boot service of the corresponding type.

#     Example: pxe-service=x86PC, "Install windows from RIS server", 1

#           pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4

#     If neither <basename> nor <bootservicetype> is given, or <bootservicetype> is 0, the client boots locally.

#     Example: pxe-service=x86PC, "Boot from local disk"

#           pxe-service=x86PC, "Boot from local disk", 0

# If <server_name> is given, round-robin load balancing is done over its IP addresses in /etc/hosts.

#pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservicetype>][,<server address>|<server_name>]

# After PXE boot a prompt is shown: <prompt> is the prompt text and <timeout> the timeout in seconds; 0 means act immediately.

# Without this option, dnsmasq waits for the user to choose when several boot options exist and never times out.

#pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]

# Different menus are used according to different types. Examples:

#        #pxe-prompt="What system shall I netboot?", 120

#        # or with timeout before first available action is taken:

#        pxe-prompt="Press F8 or Enter key for menu.", 60

#        pxe-service=x86PC, "Now in x86PC (BIOS mode), boot from local", 0

#        pxe-service=x86PC, "Now in x86PC (BIOS mode)", pxelinux

#        pxe-service=PC98, "Now in PC98 mode", PC98

#        pxe-service=IA64_EFI, "Now in IA64_EFI mode", IA64_EFI

#        pxe-service=Alpha, "Now in Alpha mode", Alpha

#        pxe-service=Arc_x86, "Now in Arc_x86 mode", Arc_x86

#        pxe-service=Intel_Lean_Client, "Now in Intel_Lean_Client mode", Intel_Lean_Client

#        pxe-service=IA32_EFI, "Now in IA32_EFI mode", IA32_EFI

#        pxe-service=X86-64_EFI, "Now in X86-64_EFI (UEFI mode), boot from local", 0

#        pxe-service=X86-64_EFI, "Now in X86-64_EFI (UEFI mode)", grub/grub-x86_64.efi

#        pxe-service=Xscale_EFI, "Now in Xscale_EFI mode", Xscale_EFI

#        pxe-service=BC_EFI, "Now in BC_EFI mode", BC_EFI

#        # CentOS7 system does not support the following two options

#        #pxe-service=ARM32_EFI,"Now in ARM32_EFI mode",ARM32_EFI

#        #pxe-service=ARM64_EFI,"Now in ARM64_EFI mode",ARM64_EFI



##############################################################################

# Maximum number of DHCP leases. The default is 150; raise it (for example to 1000) if more clients are expected

#dhcp-lease-max=150

# (IPv4 only) Change the DHCP ports from the default 67 and 68. Given without a value, 1067 and 1068 are used; given one port, the client port is that number plus 1

#dhcp-alternate-port[=<server port>[,<client port>]]

# (IPv4 only) Allow dynamic allocation of addresses to BOOTP clients. Use with care: BOOTP has no lease time,
# so every address given to a BOOTP client is leased forever and never returns to the pool.
# With tags, only requests matching all of the listed tags get a dynamic address.

#bootp-dynamic[=<network-id>[,<network-id>]]

# Use with care. By default the DHCP server checks that an address is not already in use before allocating it,
# by sending an ICMP echo request (ping) and treating "no reply" as free.
# This option disables that check: allocation gets faster, but duplicate addresses become possible.

#no-ping



##############################################################################

# Extra DHCP logging: log every option and tag sent to DHCP clients (useful when debugging dhcp-option rules).

#log-dhcp

# Suppress logging of routine DHCP / DHCPv6 / router-advertisement operation; errors and problems are still logged.
# log-dhcp overrides these options.

#quiet-dhcp

#quiet-dhcp6

#quiet-ra



# Change the path of the DHCP lease database. Normally no change is needed.

#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases

# (IPv6 only) Set the server DUID used by the DHCPv6 server.

#dhcp-duid=<enterprise-id>,<uid>



##############################################################################

# Run an executable (or a Lua script) whenever a lease is created, changed or destroyed.
# The script runs as root unless dhcp-scriptuser names another user, and the lease data it receives
# (host name, vendor class) comes straight from the client, so treat it as untrusted input.

#dhcp-script=<path>

#dhcp-luascript=<path>

# User the lease-change script runs as; the default is root.

#dhcp-scriptuser=root

# Enable the "arp" and "arp-old" actions of the lease-change script (ARP table changes).

#script-arp

# Do not use the lease database file at all; lease state is then expected to be kept externally by the script.

#leasefile-ro



# Treat DHCP requests and IPv6 router solicitations arriving on any <alias> interface as if they arrived on <interface>.

#bridge-interface=<interface>,<alias>[,<alias>]



##############################################################################

# Domain name handed out by the DHCP server, optionally limited to a subnet or an address range.

#     Domain for all clients:

#     Example: domain=thekelleys.org.uk

#     Domain for one subnet:

#     Example: domain=wireless.thekelleys.org.uk,192.168.2.0/24

#     Domain for one address range:

#     Example: domain=reserved.thekelleys.org.uk,192.168.3.100,192.168.3.200

#domain=<domain>[,<address range>[,local]]

# By default dnsmasq inserts the unqualified host name of each DHCP client into DNS.

# Names must therefore be unique, even when two clients are in different domains:

# if a second client claims a name that already exists, the name (and the DNS answer) is transferred to the second client.

# With dhcp-fqdn set, the unqualified name is no longer inserted into DNS, only the fully qualified name,

# so two clients may share a host name as long as their domain parts differ.

# dhcp-fqdn requires a domain option given without an <address range>, so that every name has a domain part.

#dhcp-fqdn

# Normally, when handing out a lease, dnsmasq sets flags in the FQDN option telling the client not to attempt

# a DDNS update of its own name and address, because the name-IP pair is already in dnsmasq's view of DNS.

# This option suppresses that and lets clients perform their own DDNS updates,

# which is useful for Windows clients that need to register themselves with an Active Directory server.

# See RFC 4702.

#dhcp-client-update



# Enable IPv6 router advertisements from dnsmasq (used together with an IPv6 dhcp-range).

#enable-ra

# Router advertisement parameters per interface: priority (high/low), RA interval and router lifetime.

#ra-param=<interface>,[high|low],[[<ra-interval>],<router lifetime>]





##############################################################################

#

#        TFTP options

#

##############################################################################

# For most setups only enable-tftp and tftp-root need to be set.

# Enable the built-in TFTP server, optionally only on a comma-separated list of interfaces.

#enable-tftp[=<interface>[,<interface>]]

#enable-tftp

#enable-tftp=enp3s0,lo

# Root directory for TFTP: requested file names are resolved relative to it, and once it is set
# any request containing ".." is refused, which keeps clients inside the directory.
# An interface may be appended to use that root only for requests arriving on that interface.

#tftp-root=<directory>[,<interface>]

#tftp-root=/var/lib/tftpboot/

# Do not abort start-up if the tftp-root directory is inaccessible.

#tftp-no-fail

# Append the client's IP address as the last path component under tftp-root. Only valid when tftp-root is set.

# Example: with tftp-root=/tftp, a request for myfile.txt from 192.168.1.15 is served from

# /tftp/192.168.1.15/myfile.txt if that directory exists, and from /tftp/myfile.txt otherwise.

# Useful for per-client boot files; otherwise of little use.

#tftp-unique-root

# Enable TFTP secure mode. Without it, any file readable by the dnsmasq process (its effective uid and gid)

# can be fetched over TFTP; with it, only files owned by the user dnsmasq runs as are served.

# If dnsmasq runs as root the rule changes: tftp-secure has no effect and every world-readable file is served.

# Running dnsmasq as root with TFTP enabled is therefore not recommended, and doing so without a tftp-root is

# dangerous, because every world-readable file on the server becomes reachable from the network.

# Always set tftp-root; with that in place, tftp-secure limits the exposure further.

#tftp-secure

# Convert requested file names to lower case. Useful for Windows and PXE clients that send upper-case names.

# Note: dnsmasq's TFTP server always converts "\" in the requested path to "/".

#tftp-lowercase

# Maximum number of concurrent TFTP transfers; 50 by default.

# A large value needs a matching per-process file descriptor limit; see the manual.

#tftp-max=<connections>

#tftp-max=50

# Ceiling for the MTU assumed when negotiating the TFTP block size, overriding the local interface MTU when that is larger.

# Leave it unset unless a smaller MTU somewhere on the path is known.

#tftp-mtu=<mtu size>

# Stop the TFTP server from negotiating the "blocksize" option with clients; works around some broken clients.

#tftp-no-blocksize

# Restrict the port range used for TFTP transfers, to simplify firewall rules.

# The server listens on 69/udp; by default the transfer ports are chosen by the system.

# When dnsmasq runs as an unprivileged user the range must lie above 1024 (1025 to 65535).

#tftp-port-range=<start>,<end>

###############################################################################

# Read every file in the directory as configuration (optionally only files with the listed extensions).
# Anything that can write to this directory controls dnsmasq, so keep it owned by root and not group- or world-writable.

#conf-dir=<directory>[,<file-extension>......]

# Read one additional configuration file.

#conf-file=/etc/dnsmasq.more.conf

conf-dir=/etc/dnsmasq.d

# Read upstream servers from a file that may only contain server= and rev-server= lines;
# it is re-read on SIGHUP, so upstreams can be changed without a restart.

#servers-file=<file>
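As an added example, not part of the original page and not dnsmasq's own code, the following shell script audits a dnsmasq configuration for the settings whose comments above carry a warning: TFTP enabled without tftp-root or tftp-secure, dnsmasq kept running as root with user=root, no listen-address/interface restriction (an open resolver on an internet-facing host), no-ping, bootp-dynamic, and a lease-change script left running as root because dhcp-scriptuser is unset. The option names are the real dnsmasq ones; the two sample configurations written by write_samples are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit a dnsmasq configuration for risky settings (not dnsmasq code).
# Usage: sh dnsmasq_audit.sh /etc/dnsmasq.conf   -> one finding per line, exit status = number of findings

# True when option $2 is active (uncommented) in file $1. Matches "opt", "opt=..." and "opt value"
# but not longer names, so asking for "interface" does not match "interface-name=".
active_opt() {
  grep -Eq "^[[:space:]]*$2([=[:space:]]|\$)" "$1"
}

report() {
  echo "$1"
  n=$((n + 1))
}

dnsmasq_audit() {
  f=$1
  n=0

  # dnsmasq drops to "nobody" after start-up unless user= says otherwise; the manual advises
  # against running it as root, above all with TFTP enabled.
  if grep -Eq '^[[:space:]]*user=root[[:space:]]*$' "$f"; then
    report "CRITICAL: user=root keeps dnsmasq running as root"
  fi

  if active_opt "$f" enable-tftp; then
    active_opt "$f" tftp-root ||
      report "CRITICAL: enable-tftp without tftp-root: requests are not confined to a directory"
    active_opt "$f" tftp-secure ||
      report "WARN: tftp-secure unset: every file readable by the dnsmasq user is served"
  fi

  # Without listen-address or interface, dnsmasq answers DNS on every interface.
  if ! active_opt "$f" listen-address && ! active_opt "$f" interface; then
    report "WARN: no listen-address/interface: DNS answered on all interfaces (open resolver if internet-facing)"
  elif ! active_opt "$f" bind-interfaces; then
    report "INFO: listener restricted but bind-interfaces unset: the wildcard socket is still bound and filtered by address"
  fi

  active_opt "$f" no-ping &&
    report "WARN: no-ping skips the in-use check before an address is allocated; duplicates become possible"
  active_opt "$f" bootp-dynamic &&
    report "WARN: bootp-dynamic: addresses handed to BOOTP clients are leased forever"

  # The lease-change script receives client-supplied data and runs as root by default.
  if active_opt "$f" dhcp-script || active_opt "$f" dhcp-luascript; then
    active_opt "$f" dhcp-scriptuser ||
      report "WARN: lease-change script runs as root (no dhcp-scriptuser)"
  fi

  return "$n"
}

# Number of findings for a file, printed without surrounding whitespace.
audit_count() {
  dnsmasq_audit "$1" | wc -l | tr -d ' '
}

# Constructed sample configurations (not taken from a real host) to exercise the audit.
write_samples() {
  cat > "$1/weak.conf" <<'EOF'
enable-tftp
no-ping
bootp-dynamic
dhcp-script=/usr/local/sbin/lease-hook.sh
user=root
EOF
  cat > "$1/hardened.conf" <<'EOF'
listen-address=127.0.0.1,192.168.115.120
bind-interfaces
enable-tftp
tftp-root=/var/lib/tftpboot
tftp-secure
dhcp-script=/usr/local/sbin/lease-hook.sh
dhcp-scriptuser=dnsmasq-hook
# no-ping is commented out here and must be ignored by the audit
EOF
}

if [ $# -gt 0 ]; then
  dnsmasq_audit "$1"
fi
```

The checks are deliberately line-oriented: dnsmasq also reads everything under conf-dir, so run the audit over every file there as well, and remember that a finding such as the missing bind-interfaces is informational on a host with a single interface but matters on a multi-homed gateway.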

6. Using Dnsmasq to build its own ad free DNS server

(1) Building your own DNS with Dnsmasq
Work, entertainment and leisure all go through the computer, and pop-up picture advertisements in the lower right corner of the screen are a daily sight. Most of them are injected by ISPs that hijack DNS, which is annoying. Several large Chinese providers, such as 360, Baidu and Alibaba, run public DNS services, and pointing the local DNS setting at one of them improves resolution speed and blocks some advertising, but they push advertising of their own. Running a local DNS server instead removes that dependency.

Dnsmasq is not limited to this. It can also maintain the addresses of LAN machines in bulk through DHCP, and it can block access to specific domain names from inside the LAN.

(2) Installation of dnsmasq

[root@localhost ~]# yum install -y dnsmasq

CentOS 7.x is used here. To compile from source instead, download a release from the official site (http://www.thekelleys.org.uk/dnsmasq/) and build it.

After installation, dnsmasq -v prints the version number, which confirms that the install worked.

(3) Modify the Dnsmasq configuration file dnsmasq.conf
Back up the configuration file before modifying it.

[root@localhost ~]# echo 'resolv-file=/etc/dnsmasq.d/resolv.dnsmasq.conf' >> /etc/dnsmasq.conf

This tells dnsmasq to read its upstream DNS servers from the given file instead of /etc/resolv.conf.

[root@localhost ~]# echo 'addn-hosts=/etc/dnsmasq.d/dnsmasq.hosts' >> /etc/dnsmasq.conf

This adds an extra hosts file to read; the option may be given several times.

[root@localhost ~]# vim /etc/dnsmasq.conf
strict-order                              # uncomment: query the upstream servers strictly in the order they appear in the resolv file
listen-address=127.0.0.1                  # listen on loopback only: a resolver for this host alone
listen-address=192.168.115.120            # listen on the LAN address so that this host serves as the default DNS for the LAN
listen-address=127.0.0.1,192.168.115.120  # several addresses in one line

Pick one of the listen-address forms. Leaving listen-address (and interface) out makes dnsmasq answer on every interface, which on a host with a public address turns it into an open resolver that anyone on the internet can use for amplification traffic and cache-poisoning attempts; keep the listener on loopback and the LAN address, and uncomment bind-interfaces so that dnsmasq binds those addresses instead of the wildcard socket.

(4) Modify /etc/resolv.conf and create the resolv.dnsmasq.conf and dnsmasq.hosts files

[root@localhost ~]# echo 'nameserver 127.0.0.1' > /etc/resolv.conf
[root@localhost ~]# echo 'nameserver 114.114.114.114' > /etc/dnsmasq.d/resolv.dnsmasq.conf
[root@localhost ~]# echo 'nameserver 8.8.8.8' >> /etc/dnsmasq.d/resolv.dnsmasq.conf
[root@localhost ~]# cp /etc/hosts /etc/dnsmasq.d/dnsmasq.hosts

resolv.dnsmasq.conf holds the real upstream nameservers; the free public DNS addresses of the large providers can go here. Do not copy /etc/resolv.conf into it (it now points at 127.0.0.1) and do not list the server's own LAN address: dnsmasq refuses to forward to its own addresses and logs "ignoring nameserver ... - local interface", so such entries are dead weight. On CentOS 7, NetworkManager rewrites /etc/resolv.conf on every connection change; set dns=none in the [main] section of /etc/NetworkManager/NetworkManager.conf to keep the nameserver 127.0.0.1 line in place.

(5) Start Dnsmasq

[root@localhost ~]# systemctl restart dnsmasq       # restart the dnsmasq service
[root@localhost ~]# systemctl enable dnsmasq        # start it at boot
[root@localhost ~]# netstat -anutp | grep ':53'     # check that port 53 is listening (UDP as well as TCP)

(6) Test whether the configuration works.

[root@localhost ~]# dig www.taobao.com
.........................................................(output omitted)
;; Query time: 77 msec        # first query, nothing cached yet: 77 ms
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 16 13:09:32 CST 2018
;; MSG SIZE  rcvd: 120

[root@localhost ~]# dig www.taobao.com
.........................................................(output omitted)
;; Query time: 0 msec         # second query answered from the dnsmasq cache: 0 ms
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 16 13:11:39 CST 2018
;; MSG SIZE  rcvd: 123

7. Use and function of Dnsmasq

(1) Use as local DNS
Use Dnsmasq as a local DNS server and directly modify the IP address of the local DNS of the computer

(2) Dealing with DNS hijacking by the ISP
Enter a domain name that does not exist. Normally the browser reports that it cannot connect; with DNS hijacking it lands on an advertising page instead. Run nslookup on a nonexistent name and note the address the ISP's resolver hands back.

Then edit /etc/dnsmasq.conf and add bogus-nxdomain=<hijacked IP>, where the address is the one just found. dnsmasq turns every reply that contains that address into an NXDOMAIN ("no such domain") answer.

Restart dnsmasq and open the nonexistent name again: the browser now shows the normal "unable to connect" page.
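The probe-and-fix cycle just described, as an added example that is not part of the original page: a shell script that resolves a random name that cannot exist against the ISP resolver, parses dig's output for a forged A record, emits the bogus-nxdomain line, and, after the dnsmasq restart, checks that the local resolver now returns NXDOMAIN. RESOLVER and ZONE are assumed example values, and the two dig outputs embedded at the bottom are constructed so that the parsing can be exercised without network access.

```sh
#!/bin/sh
# Added example (not dnsmasq code): probe an ISP resolver for NXDOMAIN hijacking, emit the
# matching bogus-nxdomain line, and verify the fix through the local dnsmasq.
# Usage: sh hijack_probe.sh probe >> /etc/dnsmasq.conf ; systemctl restart dnsmasq ; sh hijack_probe.sh verify

RESOLVER=${RESOLVER:-192.0.2.53}   # assumed example: the ISP resolver being tested
ZONE=${ZONE:-example.com}          # a real zone in which a random label cannot exist

# A random 16-character label under ZONE: a positive answer can only come from a forging resolver.
random_name() {
  printf '%s.%s' "$(tr -dc 'a-z0-9' </dev/urandom | head -c 16)" "$ZONE"
}

# From full dig output on stdin, print the A records of the ANSWER section, one address per line.
answer_a_records() {
  awk '
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^$/                  { in_ans = 0 }
    in_ans && $3 == "IN" && $4 == "A" { print $5 }
  '
}

# From full dig output on stdin, print the response status (NOERROR, NXDOMAIN, SERVFAIL, ...).
dig_status() {
  sed -n 's/^;; ->>HEADER<<-.* status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Addresses on stdin -> bogus-nxdomain lines. dnsmasq turns ANY reply carrying one of these
# addresses into NXDOMAIN, so only addresses that serve nothing legitimate belong here.
bogus_nxdomain_lines() {
  LC_ALL=C sort -u | sed 's/^/bogus-nxdomain=/'
}

# Live probe against the ISP resolver; prints nothing when the name is honestly NXDOMAIN.
probe() {
  dig @"$RESOLVER" "$(random_name)" A +time=3 +tries=1 | answer_a_records | bogus_nxdomain_lines
}

# Live check after the dnsmasq restart: a fresh random name must now come back as NXDOMAIN.
verify_local() {
  [ "$(dig @127.0.0.1 "$(random_name)" A +time=3 +tries=1 | dig_status)" = NXDOMAIN ]
}

# Constructed dig outputs (not real captures) so the parsing can be exercised offline.
SAMPLE_HIJACKED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; QUESTION SECTION:
;k7pq2z9x0mfs4w1b.example.com.  IN  A

;; ANSWER SECTION:
k7pq2z9x0mfs4w1b.example.com.  60  IN  A  192.0.2.80
k7pq2z9x0mfs4w1b.example.com.  60  IN  A  192.0.2.81

;; Query time: 12 msec'

SAMPLE_CLEAN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; QUESTION SECTION:
;k7pq2z9x0mfs4w1b.example.com.  IN  A

;; AUTHORITY SECTION:
example.com.  3600  IN  SOA  ns.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600

;; Query time: 11 msec'

case "${1:-}" in
  probe)  probe ;;
  verify) verify_local && echo "NXDOMAIN reaches clients: bogus-nxdomain is working" ;;
esac
```

Two caveats follow from how bogus-nxdomain works. It rewrites every reply containing the listed address, whatever upstream it came from, so the list must only ever carry addresses that host nothing legitimate; and a resolver that rotates its advertising addresses needs each of them listed, which is why the cleaner long-term fix is to stop using that resolver as an upstream at all.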

(3) Split DNS speeds up resolution.
Add server= lines to /etc/dnsmasq.conf to send particular domains to particular upstream servers, for example domestic and foreign sites to different resolvers. A rule such as server=/cn/114.114.114.114 matches the domain and every name under it.

[root@localhost ~]# vim /etc/dnsmasq.conf
# Domestic sites to a domestic resolver
server=/cn/114.114.114.114
server=/taobao.com/114.114.114.114
server=/taobaocdn.com/114.114.114.114
# Foreign sites to a foreign resolver
server=/google.com/8.8.8.8

(4) Block web advertising.
Answering the advertising host names with 127.0.0.1 removes the advertisements from the page, since the browser never reaches the ad server. An address= rule covers the domain and every subdomain under it, so address=/ad.youku.com/127.0.0.1 also blocks names such as stat.ad.youku.com. Many block lists use 0.0.0.0 instead of 127.0.0.1 so that the blocked connection fails at once rather than hitting whatever web server runs on the local machine.

[root@localhost ~]# vim /etc/dnsmasq.conf
address=/ad.youku.com/127.0.0.1
address=/ad.iqiyi.com/127.0.0.1
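For the ad-blocking rules above, an added example that is not from the original page: a shell filter that turns a hosts-format block list (the format most public ad lists are published in) into address= rules. It validates and lowercases the host names, skips the loopback entries every hosts file carries, and drops entries whose parent domain is already listed, because address=/ad.youku.com/ already covers every name under ad.youku.com. The sink address 0.0.0.0 and the embedded block list are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example (not dnsmasq code): hosts-format ad list -> dnsmasq address= rules.
# Usage: sh hosts2dnsmasq.sh blocklist.txt > /etc/dnsmasq.d/adblock.conf

SINK=${SINK:-0.0.0.0}   # assumed sink address; the page uses 127.0.0.1 and dnsmasq accepts either

# Candidate host names from a hosts-format list on stdin: strip comments, keep only lines whose
# first field is a sink address (0.0.0.0 or 127.0.0.1), lowercase every name on the line, keep
# syntactically valid DNS names only, and drop the hosts-file staple localhost.localdomain.
blocklist_hosts() {
  sed 's/#.*//' \
  | awk '$1 ~ /^(0\.0\.0\.0|127\.0\.0\.1)$/ { for (i = 2; i <= NF; i++) print tolower($i) }' \
  | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$' \
  | grep -Ev '^localhost\.localdomain$' \
  | LC_ALL=C sort -u
}

# Drop hosts whose parent domain is also listed: address=/parent/ already matches all subdomains.
collapse_subdomains() {
  awk '
    { hosts[NR] = $0; seen[$0] = 1 }
    END {
      for (i = 1; i <= NR; i++) {
        h = hosts[i]; p = h; covered = 0
        while (sub(/^[^.]+\./, "", p))
          if (p in seen) { covered = 1; break }
        if (!covered) print h
      }
    }'
}

# Full pipeline: hosts list on stdin, address= rules on stdout.
address_rules() {
  blocklist_hosts | collapse_subdomains | sed "s|.*|address=/&/$SINK|"
}

# Constructed sample list (not a real block list) covering the cases handled above.
SAMPLE_BLOCKLIST='# constructed hosts-format sample
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
0.0.0.0 ad.youku.com
0.0.0.0 stat.ad.youku.com        # redundant: covered by ad.youku.com
0.0.0.0 AD.IQIYI.COM
0.0.0.0 ad.iqiyi.com
0.0.0.0 not_a_valid-host.example # underscore is not allowed in a host name
0.0.0.0 tracker.example.net cdn-ads.example.net
192.0.2.10 www.example.org       # an ordinary mapping, not a block entry'

if [ $# -gt 0 ]; then
  address_rules < "$1"
fi
```

Writing the rules to a separate file under /etc/dnsmasq.d keeps them apart from the hand-written configuration, and running dnsmasq --test before the restart catches a malformed line before it takes the resolver down.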

(5) Resolving a domain name to a specific IP
This lets you control where some websites go. Rogue DNS servers use the same mechanism to point legitimate sites at wrong addresses, so a local override is also the way to pin a site to the address you trust.

[root@localhost ~]# vim /etc/dnsmasq.conf
address=/freehao123.com/123.123.123.123

(6) Managing intranet DNS
First point the DNS setting of every device in the LAN at the address of the server running Dnsmasq. Then edit the hosts file on that server, /etc/hosts, mapping the domain name to the chosen IP address.

For example, to send every LAN user who visits www.abc.com to 192.168.115.100, add the line '192.168.115.100 www.abc.com' to the hosts file. This is, in effect, a deliberate DNS hijack of your own network, so it only reaches clients that really use this resolver: a device with a hard-coded public DNS server, or DNS-over-HTTPS enabled in the browser, bypasses it.

Tags: Operation & Maintenance Kubernetes network server

Posted on Mon, 08 Nov 2021 03:11:47 -0500 by zeodragonzord