Now that I have replaced my old firewall with OpenWRT, I needed to enhance the configuration of dnsmasq to support the network. The old Ubuntu based firewall was already running dnsmasq, as does the DNS server on the LAN.
I run a mixed network with wired and wireless clients on separate address ranges. DHCP services are provided by the OpenWRT router. An Ubuntu server is the primary DNS server for the wired network.
These examples have been sanitized. You will need to replace the provided IP addresses. Also replace example.com with your domain. If you do not have your own domain, I suggest you use localnet. Using local as the domain will conflict with the zero-configuration networking software (mDNS, which claims the .local domain for itself) running on modern operating systems.
I took the opportunity to split the common settings into /etc/dnsmasq.common. This file contains the settings which should be the same on all servers; each server's own dnsmasq.conf pulls it in with conf-file. dnsmasq treats lines starting with # as comments.
```
# /etc/dnsmasq.common
#### Common dnsmasq settings (ordered by man page order)

# Provide a time to live on local resolution
local-ttl=1800

# Filter the periodic Windows look-ups that get no sensible answer from public DNS
filterwin2k

# Never forward plain names (without a dot or domain part)
domain-needed

# Email configuration
mx-target=mail.example.com
localmx

# Increase the cache limit
cache-size=960

#### Hide sites responding for unregistered domains
# domain-dns.com (.us.ca)
bogus-nxdomain=65.39.183.210

# EOF
```
OpenWRT starts dnsmasq with a number of settings already defined on the command line. These include bogus-priv, which answers reverse lookups for the private address ranges from /etc/hosts and the DHCP leases and never forwards them upstream. The DHCP ranges are also supplied on the command line, as is the location of the resolv.conf file. The DHCP range tags (wired and wifi below) are the names used for the interfaces in the web interface; current dnsmasq releases write the tag in dhcp-option as tag:wifi,6,... so check the syntax against the man page for the version installed. Note that listen-address only restricts which addresses dnsmasq answers on: without bind-interfaces it still binds the wildcard address and discards the queries it should not answer, so it is worth confirming with a query from the WAN side that nothing is answered there.
This configuration expects both /etc/hosts and /etc/ethers to be provided. Local server names are provided by /etc/hosts. Static IP addresses for Ethernet and wireless cards are provided by /etc/ethers, keyed by MAC address.
```
# /etc/dnsmasq.conf - dnsmasq configuration for openwrt
#### Server specific settings

# Don't listen on the external interface
listen-address=127.0.0.1
listen-address=192.168.10.1
listen-address=192.168.11.1

# We are master for these domains
local=/lan.example.com/
local=/wifi.example.com/
local=/example.com/

# Stop bogus addresses from upstream
stop-dns-rebind

#### DHCP Configuration (DHCP range setup on command line)

# Set the domains
domain=lan.example.com
domain=wifi.example.com,192.168.11.0/24

# Include info from /etc/ethers
read-ethers

# Prevent DoS
dhcp-lease-max=8

# Take over all leases on networks
dhcp-authoritative

# Allow same name on different nets (wifi/wired)
dhcp-fqdn

# Set options to be sent
# DNS servers
dhcp-option=wifi:6,192.168.11.1,192.168.10.2
dhcp-option=wired:6,192.168.10.2,192.168.10.1
# WINS server
dhcp-option=44,192.168.10.2
# NTP time servers
dhcp-option=42,192.168.10.1,192.168.10.2
# DNS domain name
dhcp-option=wifi:15,wifi.example.com
dhcp-option=wired:15,lan.example.com
# IP forwarding off
dhcp-option=19,0
# Source routing off
dhcp-option=20,0
# All sub-nets are local
dhcp-option=27,1
# Router discovery off
dhcp-option=31,0
# NetBIOS node type
dhcp-option=46,8
# Empty NetBIOS scope
dhcp-option=47
# Domain search list
dhcp-option=119,lan.example.com

#### Include common settings
conf-file=/etc/dnsmasq.common

# EOF
```
The Ubuntu server on the wired network provides DNS resolution for the wired network and acts as a backup server for the wireless network. The normal /etc/resolv.conf, with the external DNS servers listed, should be copied to /etc/resolv.dnsmasq, which is the file the resolv-file setting below reads the upstream servers from. One caveat: stop-dns-rebind rejects private addresses in any answer dnsmasq forwarded, including the ones the router returns for lan.example.com and wifi.example.com, so those domains need exempting with rebind-domain-ok=/lan.example.com/wifi.example.com/ or the forwarded answers are dropped and logged as possible rebind attacks.
```
# /etc/dnsmasq.conf - dnsmasq configuration for Ubuntu

# These domains (and address ranges) have a local server
server=/lan.example.com/10.168.192.in-addr.arpa/192.168.10.1
server=/wifi.example.com/11.168.192.in-addr.arpa/192.168.10.1

# We are master for these domains (fixed addresses only)
local=/example.com/

# Where to get our resolv config - use in order
resolv-file=/etc/resolv.dnsmasq
strict-order

# Stop bogus addresses from upstream -- Test
stop-dns-rebind

#### Include common settings
conf-file=/etc/dnsmasq.common

# EOF
```
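The two files have to agree with each other: the Ubuntu server must forward to an address the router actually listens on, for domains the router is authoritative for, with reverse zones whose octets are in the right order, and the DHCP options must only advertise DNS servers and domains that one of the two machines serves. The following cross-check is an added example written for this page, not the author's tooling. It parses trimmed copies of the two configuration fragments above (embedded as constructed input), takes the Ubuntu server's address 192.168.10.2 from the option 6 lines as an assumption, keeps the wifi:6 tag form the router file uses, and reports every mismatch it finds.

```python
"""Cross-check the router and Ubuntu dnsmasq configurations against each other."""
import ipaddress
import re

# Constructed input: the lines of the OpenWRT dnsmasq.conf above that the
# checks use. The wifi:6 / wired:6 tag form is the one the page uses.
ROUTER_CONF = """
listen-address=127.0.0.1
listen-address=192.168.10.1
listen-address=192.168.11.1
local=/lan.example.com/
local=/wifi.example.com/
local=/example.com/
dhcp-option=wifi:6,192.168.11.1,192.168.10.2
dhcp-option=wired:6,192.168.10.2,192.168.10.1
dhcp-option=wifi:15,wifi.example.com
dhcp-option=wired:15,lan.example.com
dhcp-option=119,lan.example.com
"""

# Constructed input: the forwarding lines of the Ubuntu dnsmasq.conf above.
UBUNTU_CONF = """
server=/lan.example.com/10.168.192.in-addr.arpa/192.168.10.1
server=/wifi.example.com/11.168.192.in-addr.arpa/192.168.10.1
local=/example.com/
"""

# Assumption: the Ubuntu DNS server is the second address in the option 6 lists.
UBUNTU_ADDR = "192.168.10.2"


def parse_options(text):
    """Return (option, value) pairs; lines starting with # are comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            pairs.append((key, value))
    return pairs


def values(pairs, key):
    return [v for k, v in pairs if k == key]


def reverse_zone_network(zone):
    """'10.168.192.in-addr.arpa' -> IPv4Network('192.168.10.0/24'); None if malformed."""
    m = re.fullmatch(r"((?:\d{1,3}\.){1,3})in-addr\.arpa\.?", zone)
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")[::-1]
    prefix = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    try:
        return ipaddress.ip_network(".".join(octets) + f"/{prefix}")
    except ValueError:
        return None


def check(router_conf, ubuntu_conf, ubuntu_addr):
    """Return human-readable findings; an empty list means the files agree."""
    router, ubuntu = parse_options(router_conf), parse_options(ubuntu_conf)
    listen = {ipaddress.ip_address(a) for a in values(router, "listen-address")}
    local_domains = {v.strip("/") for v in values(router, "local")}
    trusted_dns = listen | {ipaddress.ip_address(ubuntu_addr)}
    findings = []

    # Each server=/domain/reverse-zone/target on the Ubuntu side must point at
    # a router address, name a domain the router is authoritative for, and use
    # a reverse zone that covers a subnet the router has an address on.
    for spec in values(ubuntu, "server"):
        *names, target = spec.strip("/").split("/")
        if ipaddress.ip_address(target) not in listen:
            findings.append(f"server={spec}: target {target} is not a router listen-address")
        for name in names:
            if name.endswith("in-addr.arpa"):
                net = reverse_zone_network(name)
                if net is None or not any(a in net for a in listen):
                    findings.append(f"server={spec}: reverse zone {name} covers no router address")
            elif name not in local_domains:
                findings.append(f"server={spec}: {name} is not in the router's local= list")

    # DHCP option 6 may only hand out the router or the Ubuntu server as DNS;
    # options 15 and 119 may only name domains the router serves locally.
    for spec in values(router, "dhcp-option"):
        tag_code, _, payload = spec.partition(",")
        code = tag_code.rsplit(":", 1)[-1]
        if code == "6":
            for addr in payload.split(","):
                if ipaddress.ip_address(addr) not in trusted_dns:
                    findings.append(f"dhcp-option={spec}: {addr} is not a known DNS server")
        elif code in ("15", "119"):
            for name in payload.split(","):
                if name not in local_domains:
                    findings.append(f"dhcp-option={spec}: domain {name} is not in local=")
    return findings


if __name__ == "__main__":
    for line in check(ROUTER_CONF, UBUNTU_CONF, UBUNTU_ADDR) or ["configurations agree"]:
        print(line)
```

Run against the two fragments as published it reports nothing; swap two octets in one of the reverse zones, or hand out a DNS server address neither machine owns, and it names the offending line.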
The process of sanitizing addresses and domains can be used to verify some of your settings. Examine your sanitized files for unconverted entries: an address or name that the substitution did not catch is either one you forgot to map or one that was mistyped in the real file, so either way it points to an error worth fixing.
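As an added example, not a tool from the original post, here is one way to do the sanitizing pass so that it also reports what it did not convert. The real-network values (10.20.30.x, 10.20.31.x, home.internal) and the sample configuration are constructed for the demo; the published side of the mapping (192.168.10.x, 192.168.11.x, example.com) matches the files above. Reverse zones are mapped as well, since a hand-typed in-addr.arpa zone is an easy place to leave a real address behind, and options whose values are file paths are skipped so that names like resolv.dnsmasq are not reported.

```python
"""Sanitize a dnsmasq configuration for publication and list what was not converted."""
import re

# Assumed mapping from the real network to the published one. The real-side
# values are constructed for this demo; the published side matches the files above.
PREFIX_MAP = {"10.20.30.": "192.168.10.", "10.20.31.": "192.168.11."}
DOMAIN_MAP = {"home.internal": "example.com"}

# Options whose values are file paths; dotted names in them are not hostnames.
PATH_OPTIONS = {"conf-file", "conf-dir", "resolv-file", "dhcp-leasefile",
                "addn-hosts", "pid-file", "dhcp-script"}


def reverse_zone(prefix):
    """'192.168.10.' -> '10.168.192.in-addr.arpa' (reverse zone of a /24 prefix)."""
    return ".".join(reversed(prefix.strip(".").split("."))) + ".in-addr.arpa"


# Reverse zones embed the octets backwards, so derive that mapping rather than
# typing it by hand.
ZONE_MAP = {reverse_zone(real): reverse_zone(fake) for real, fake in PREFIX_MAP.items()}

IPV4 = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
NAME = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z][a-z0-9-]*(?![\w.-])", re.I)


def sanitize_text(text):
    """Rewrite real reverse zones, address prefixes and domains to the published ones."""
    for table in (ZONE_MAP, PREFIX_MAP, DOMAIN_MAP):
        for real, fake in table.items():
            text = text.replace(real, fake)
    return text


def unconverted(text):
    """Return [(line_no, token, reason)] for addresses and names that survived
    sanitization without being produced by it. Comment lines start with #."""
    ok_prefixes = tuple(PREFIX_MAP.values()) + ("127.",)
    ok_domains = tuple(DOMAIN_MAP.values())
    ok_zones = set(ZONE_MAP.values())
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.partition("=")[0] in PATH_OPTIONS:
            continue
        for ip in IPV4.findall(line):
            if not ip.startswith(ok_prefixes):
                findings.append((no, ip, "address outside the sanitized ranges"))
        for name in NAME.findall(line):
            if name.lower().endswith("in-addr.arpa"):
                if name not in ok_zones:
                    findings.append((no, name, "reverse zone not derived from a sanitized range"))
            elif not name.lower().endswith(ok_domains):
                findings.append((no, name, "name not under the sanitized domain"))
    return findings


# Constructed "before" file for the demo; 10.20.3.1 is a deliberate typo.
SAMPLE = """\
# constructed pre-sanitization configuration
listen-address=127.0.0.1
listen-address=10.20.30.1
local=/lan.home.internal/
server=/wifi.home.internal/31.20.10.in-addr.arpa/10.20.30.1
dhcp-option=wired:6,10.20.30.2,10.20.3.1
mx-target=mail.home.internal
bogus-nxdomain=65.39.183.210
resolv-file=/etc/resolv.dnsmasq
dhcp-option=44,10.20.30.2
"""


def sanitize_and_report(text=SAMPLE):
    """Return the sanitized text and the list of unconverted entries."""
    clean = sanitize_text(text)
    return clean, unconverted(clean)


if __name__ == "__main__":
    clean, findings = sanitize_and_report()
    print(clean)
    for no, token, reason in findings:
        print(f"line {no}: {token}: {reason}")
```

On the sample it reports the mistyped 10.20.3.1 on the wired option 6 line and the public bogus-nxdomain address; the first is the kind of error the paragraph above is about, the second is reported so that you can confirm a public address really belongs in the published file.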