Dnsmasq is a lightweight, easy-to-configure DNS forwarder, designed to provide DNS (and optionally DHCP and TFTP) services to a small-scale network.
Compared to `BIND`, which is somewhat complex for beginners to configure, `DNSMASQ` is very easy and needs only minimal configuration. This post is just a reference guide for myself.
Install DNSMASQ in Ubuntu!
sudo apt-get install dnsmasq
After installation, edit the /etc/dnsmasq.conf file. I modified only two options, as shown below:
# Specify your interface
interface=eth1
# Cache size
cache-size=10000
After every change in the config, make sure to restart the DNSMASQ service.
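The two options above make dnsmasq work, but on their own they leave it answering anyone who can reach port 53. The fragment below is an added example, not the post's own configuration: it keeps the post's values (eth1, cache-size=10000, upstream 8.8.8.8) and adds the options that stop dnsmasq from acting as an open resolver at the application layer, which complements the iptables allow-list later in the post. The file path is an assumption; any file under /etc/dnsmasq.d/ is read when that directory is enabled in dnsmasq.conf.

```ini
# Added example: /etc/dnsmasq.d/local.conf (path is an assumption)

# Listen only on the LAN interface and bind to it explicitly, so dnsmasq never
# answers on an address it was not meant to serve (a public one, for example).
interface=eth1
bind-interfaces

# Answer only clients whose address is on a subnet directly attached to this
# host; queries from anywhere else are refused.  Same goal as the firewall
# allow-list, enforced by dnsmasq itself.
local-service

# Cache size from the post.
cache-size=10000

# Do not read /etc/resolv.conf; name the upstream resolvers here so a change to
# resolv.conf (by DHCP, for example) cannot silently redirect all forwarding.
no-resolv
server=8.8.8.8

# Never forward plain hostnames, or reverse lookups for private ranges, upstream;
# they leak internal names and only produce NXDOMAIN anyway.
domain-needed
bogus-priv

# Refuse upstream answers that point at private addresses (DNS rebinding).
stop-dns-rebind

# Log every query while tuning; comment out again once cache-size is settled.
#log-queries
#log-facility=/var/log/dnsmasq.log
```

Run `dnsmasq --test` after editing: it syntax-checks the configuration and exits non-zero on an unknown option, which is cheaper than finding out from a failed restart.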
Forwarding Queries to Upstream DNS
By default, DNSMASQ forwards every query it cannot answer from /etc/hosts to the upstream DNS servers listed in /etc/resolv.conf, for example:
cat /etc/resolv.conf
nameserver 8.8.8.8
Add DNS Records (static DNS entries, if required for local servers such as media sharing)
To add customized domain entries (DNS spoofing, I guess), put the records in the /etc/hosts file:
cat /etc/hosts
127.0.0.1 localhost
1.2.3.4 mynetwork.com
Restart DNSMASQ Service
After every change in the config, make sure to restart the dnsmasq service.
service dnsmasq restart
Monitor DNS traffic
DNSTOP is your best friend. For full details, read
http://dns.measurement-factory.com/tools/dnstop/dnstop.8.html
# ACL / Secure your DNS from open relay / flooding
To allow only specific IP ranges to query your DNS server, you can use the following bash script.
We have multiple IP pools, so we put them in a small text file and use a small bash script that reads the file and adds iptables rules accordingly.
Sample of localip.txt (the script reads it from /temp/localip.txt):
10.0.0.0/8
172.16.0.0/16
192.168.0.0/16
Now you can execute the bash script manually, or add it to /etc/rc.local so that it runs on every reboot.
cat /etc/fw.sh
#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Very Basic Level of Firewall to allow DNS only for some ip range
# Script by Syed Jahanzaib
# 26-SEP-2018
#set -x

# Setting various Variables
# Local IP file which contains ip/ranges (one or more per line)
IPFILE="/temp/localip.txt"
# Destination Port we want to restrict
DPORT="53"
# Destination Port types we want to restrict
DPORT_TYPE1="udp"
DPORT_TYPE2="tcp"

# Flush all previous iptables Rules
# (this clears every rule in the filter, nat and mangle tables, not just the DNS ones)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Allow localhost access to query DNS service
iptables -A INPUT -s 127.0.0.1 -p "$DPORT_TYPE1" --dport "$DPORT" -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -p "$DPORT_TYPE2" --dport "$DPORT" -j ACCEPT

# LOOP - Read from localip.txt file, and apply iptables rules
for IP in $(cat "$IPFILE"); do
  echo "Allowing $IP for $DPORT_TYPE1 $DPORT Server queries access ..."
  iptables -A INPUT -s "$IP" -p "$DPORT_TYPE1" --dport "$DPORT" -j ACCEPT
done
for IP in $(cat "$IPFILE"); do
  echo "Allowing $IP for $DPORT_TYPE2 $DPORT Server queries access ..."
  iptables -A INPUT -s "$IP" -p "$DPORT_TYPE2" --dport "$DPORT" -j ACCEPT
done

# DROP all other requests going to DNS service (udp and tcp)
iptables -A INPUT -p "$DPORT_TYPE1" --dport "$DPORT" -j DROP
iptables -A INPUT -p "$DPORT_TYPE2" --dport "$DPORT" -j DROP

# Script ends here
# Syed Jahanzaib
Add this to /etc/rc.local so that it runs on every reboot!
Also note that if you have a large IP pool, it's better to use IPSET, which is more efficient.
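The script above appends one rule per range per protocol, so a large pool means a long linear chain, and a typo in the list file goes straight into iptables. The following is an added example, not the author's script, showing the IPSET variant the note above points at: the allow-list is validated, loaded into a staging set and swapped in atomically (so clients keep resolving during a reload), and matched by a single `-m set` rule in a dedicated chain, leaving unrelated firewall rules untouched. The list path /etc/dnsmasq-allow.txt, the set name and the chain name are assumptions; iptables and ipset must be installed.

```shell
#!/bin/sh
# Added example (not from the original post): ipset-based DNS allow-list.
# Assumptions: list path below is hypothetical; one or more CIDRs per line,
# '#' starts a comment.  Requires iptables and ipset; run as root with --apply.
set -euf   # -f: no globbing, so a stray '*' in the list cannot expand to filenames

IPFILE="${IPFILE:-/etc/dnsmasq-allow.txt}"   # hypothetical path
SETNAME="dns_clients"
CHAIN="DNS_ACL"
DPORT=53

# valid_cidr ENTRY: accept a.b.c.d or a.b.c.d/n (n in 0..32), nothing else.
# A malformed line is reported and skipped instead of being fed to iptables.
valid_cidr() {
  case "$1" in
    */*) addr=${1%/*}; plen=${1#*/} ;;
    *)   addr=$1;      plen=32 ;;
  esac
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.
  set -- $addr          # split the address into its dotted fields
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# read_allowlist FILE: print each valid entry on its own line; blank lines and
# comments are dropped, malformed entries are reported on stderr and skipped.
read_allowlist() {
  line=
  while IFS= read -r line || [ -n "$line" ]; do
    for entry in ${line%%#*}; do          # whitespace-separated, comment removed
      if valid_cidr "$entry"; then
        printf '%s\n' "$entry"
      else
        printf 'skipping malformed entry: %s\n' "$entry" >&2
      fi
    done
  done < "$1"
}

# build_rules FILE: print the commands that would be run, so the rule set can
# be reviewed before it is applied.  The list is loaded into a staging set and
# swapped in atomically; only the dedicated chain is flushed and rebuilt.
build_rules() {
  echo "ipset create $SETNAME hash:net -exist"
  echo "ipset create ${SETNAME}_new hash:net -exist"
  echo "ipset flush ${SETNAME}_new"
  read_allowlist "$1" | while IFS= read -r net; do
    echo "ipset add ${SETNAME}_new $net -exist"
  done
  echo "ipset swap ${SETNAME}_new $SETNAME"
  echo "ipset destroy ${SETNAME}_new"
  echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
  echo "iptables -A $CHAIN -i lo -j ACCEPT"
  echo "iptables -A $CHAIN -m set --match-set $SETNAME src -j ACCEPT"
  echo "iptables -A $CHAIN -j DROP"
  for proto in udp tcp; do
    # -C tests whether the jump already exists, so re-running stays idempotent
    echo "iptables -C INPUT -p $proto --dport $DPORT -j $CHAIN 2>/dev/null || iptables -I INPUT -p $proto --dport $DPORT -j $CHAIN"
  done
}

case "${1:-}" in
  --show)  build_rules "$IPFILE" ;;          # review the generated commands
  --apply) build_rules "$IPFILE" | sh -e ;;  # execute them (as root)
esac
```

Run it with `--show` first and read the output; `--apply` executes exactly those lines. Because the list is reloaded by `ipset swap`, the script can be re-run from cron or /etc/rc.local whenever the allow-list changes without a window in which every client is dropped.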
Regards,
Syed Jahanzaib