OpenWRT and Ubuntu dnmasq setup

Now I have replaced my old firewall with OpenWRT, I needed to enhance the configuration of dnsmasq to support the network.  The old Ubunutu based firewall was already running dnsmasq, as does the DNS server on the LAN.

I run a mixed network with wired and wireless clients on separate address ranges. DHCP services are provided by the OpenWRT router. An Ubuntu server is the primary DNS server for the wired network.

These examples have been sanitized. You will need to replace the provided IP addresses. Also replace example.com with your domain. If you do not have your own domain, I suggest you use localnet. Use of local as domain will conflict with zero configuration software running on modern operating systems.

I took the opportunity to split the common setting into /etc/dnsmasq.common.  This contains settings which should be the same on all servers.

# /etc/dsnmasq.common
#### Common dnsmasq settings (Ordered by man page order)

# Provide a time to live on local resolution
local-ttl=1800

# Filter window look-ups
filterwin2k

# Never forward plain names (with a dot or domain part)
domain-needed

# Email configuration
mx-target=mail.example.com
localmx

# Increase the cache limit
cache-size=960

#### Hide sites responding for unregistered domains
bogus-nxdomain=65.39.183.210            # domain-dns.com (.us.ca)

# EOF

OpenWRT starts dnsmasq with a number of settings already defined.   This includes bogus-priv which prevents others servers from supplying IP addresses in the private zones.  DHCP ranges are also supplied on the command line, as is the resolv.conf file location.  DHCP range names are the names used for the interfaces on the web interface.

This configuration expects both /etc/hosts and /etc/ethers to be provided. Local server names are provided by /etc/hosts. Static IP addresses for Ethernet and wireless cards are provided by /etc/ethers.

# /etc/dnsmasq.conf - dnsmasq configuration for openwrt

#### Server specific settings

# Don't listen on the external interface
listen-address=127.0.0.1
listen-address=192.168.10.1
listen-address=192.168.11.1

# We are master for these domains
local=/lan.example.com/
local=/wifi.example.com/
local=/example.com/

# Stop bogus addresses from upstream
stop-dns-rebind

#### DHCP Configuration ( DHCP range setup on command line

# Set the domains
domain=lan.example.com
domain=wifi.example.com,192.168.11.0/24

# Include info from /etc/ethers
read-ethers

# Prevent DOS
dhcp-lease-max=8

# Take over all leases on networks
dhcp-authoritative

# Allow same name on different nets (wifi/wired)
dhcp-fqdn

# Set options to be sent
dhcp-option=wifi:6,192.168.11.1,192.168.10.2    # DNS servers
dhcp-option=wired:6,192.168.10.2,192.168.10.1
dhcp-option=44,192.168.10.2                     # WINS server
dhcp-option=42,192.168.10.1,192.168.10.2        # NTP time servers
dhcp-option=wifi:15,wifi.example.com            # DNS network
dhcp-option=wired:15,lan.example.com
dhcp-option=19,0                                # Option ip-forwarding off
dhcp-option=20,0                                # Source routing off
dhcp-option=27,1                                # All sub-nets are local
dhcp-option=31,0                                # Router Discovery off
dhcp-option=46,8                                # Netbios node type
dhcp-option=47                                  # Empty netbios scope.
dhcp-option=119,lan.example.com         # Search List

#### Include common settings
conf-file=/etc/dnsmasq.common

# EOF

The Ubuntu server on the wired network provides dns resolution for the wired network and acts as a backup server for the wireless network. The normal /etc/resolve.conf with external DNS servers listed should be copied to /etc/resolv.dnsmasq.

# /etc/dnsmasq.conf - dnsmasq configuration for Ubuntu

# These domains (and address ranges) have a local server
server=/lan.example.com/10.168.192.in-addr.arpa/192.168.10.1
server=/wifi.example.com/11.168.192.in-addr.arpa/192.168.10.1

# We are master for these domains (Fixed addresses only)
local=/example.com/

# Where to get our resove config - use in order
resolv-file=/etc/resolv.dnsmasq
strict-order

# Stop bogus addresses from upstream -- Test
stop-dns-rebind

#### Include common settings
conf-file=/etc/dnsmasq.common

# EOF

The process of sanitizing addresses and domains can be used to verify some of your settings. Examine your sanitized files for unconverted entries. These may point to errors in your files.