
DNSMASQ Short Notes to self


Dnsmasq is a lightweight, easy to configure DNS forwarder, designed to provide DNS (and optionally DHCP and TFTP) services to a small-scale network.

Compared to `BIND`, which is a bit complex for beginners to configure, `DNSMASQ` is very easy and requires minimal configuration. This post is just a reference guide for myself.


Install DNSMASQ in Ubuntu !

sudo apt-get install dnsmasq

After this, edit the /etc/dnsmasq.conf file. I modified only 2 options, as shown below:

# Specify your interface
interface=eth1
# Cache size
cache-size=10000


After every change in the config, make sure to restart DNSMASQ service.


Forwarding Queries to Upstream DNS

By default, DNSMASQ forwards all requests that cannot be resolved from /etc/hosts to the upstream DNS servers defined in /etc/resolv.conf, like below:

cat /etc/resolv.conf

nameserver 8.8.8.8

Add DNS Records (static DNS entries, if required for local servers like media sharing etc.)

Adding customized domain entries (DNS spoofing, I guess). Add the records to the /etc/hosts file:

cat /etc/hosts

127.0.0.1 localhost

1.2.3.4 mynetwork.com



Restart DNSMASQ Service

After every change in the config, make sure to restart dnsmasq service.

service dnsmasq restart

Monitor DNS traffic

DNSTOP is your best friend; for full details, read

http://dns.measurement-factory.com/tools/dnstop/dnstop.8.html


# ACL / Secure your DNS from open relay / flooding

To allow only specific IP ranges to query your DNS server, you can use the following bash script.

We have multiple IP pools, so we made a small text file listing them; a small bash script reads from that file and adds iptables rules accordingly.

Sample of localip.txt:

10.0.0.0/8
172.16.0.0/16
192.168.0.0/16

Now you can execute the bash script manually, or add it to /etc/rc.local so it runs on every reboot.

cat /etc/fw.sh

#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Very Basic Level of Firewall to allow DNS only for some ip range
# Script by Syed Jahanzaib
# 26-SEP-2018
#set -x

# Setting various Variables

# Local IP file which contains ip/ranges, one per line
IPFILE="/temp/localip.txt"

# Destination Port we want to restrict
DPORT="53"

# Destination Port types we want to restrict
DPORT_TYPE1="udp"
DPORT_TYPE2="tcp"

# Stop if the IP file is unreadable: with an empty loop below, the DROP
# rules at the end would lock out every remote client
[ -r "$IPFILE" ] || { echo "Cannot read $IPFILE" >&2; exit 1; }

# Flush all previous iptables Rules
# (note: this wipes every rule in the filter, nat and mangle tables, not only the DNS ones)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Allow localhost access to query DNS service
iptables -A INPUT -s 127.0.0.1 -p $DPORT_TYPE1 --dport $DPORT -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -p $DPORT_TYPE2 --dport $DPORT -j ACCEPT

# LOOP - Read from localip.txt file, and apply iptables rules for udp and tcp
for IP in $(cat "$IPFILE"); do
    echo "Allowing $IP for $DPORT_TYPE1 $DPORT Server queries access ..."
    iptables -A INPUT -s "$IP" -p $DPORT_TYPE1 --dport $DPORT -j ACCEPT
done
for IP in $(cat "$IPFILE"); do
    echo "Allowing $IP for $DPORT_TYPE2 $DPORT Server queries access ..."
    iptables -A INPUT -s "$IP" -p $DPORT_TYPE2 --dport $DPORT -j ACCEPT
done

# DROP all other requests going to DNS service (both udp and tcp;
# the original had the udp rule twice, so tcp/53 was never dropped)
iptables -A INPUT -p $DPORT_TYPE1 --dport $DPORT -j DROP
iptables -A INPUT -p $DPORT_TYPE2 --dport $DPORT -j DROP

# Script ends here
# Syed Jahanzaib

Add this to /etc/rc.local so that it runs on every reboot!

Also note that if you have a large IP pool, it is better to use ipset, which is more efficient.
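As an added example (not code from the original post), here is the ipset variant that the note above points to, doing the same job as the firewall script in the previous section: it reads the same one-prefix-per-line file, validates every entry, loads the prefixes into a hash:net set, and then needs only one ACCEPT rule per protocol instead of one rule per prefix. Unlike the script above it does not flush unrelated chains, and it uses iptables -C so it can be re-run from rc.local without stacking duplicate rules. The set name dns_allow, the helper function names and the sample list are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): port-53 allow-list built
# with ipset instead of one iptables rule per prefix. The set name
# "dns_allow" and the helper names are assumptions; the input format
# (one IPv4 prefix per line) and the file path come from the post.

IPFILE="${IPFILE:-/temp/localip.txt}"   # same file the post's script reads
SETNAME="dns_allow"                       # hypothetical ipset name
DPORT="53"

# Accept only dotted-quad IPv4 addresses with an optional /0-/32 prefix
# length, and range-check every octet, so a typo in the list cannot
# silently turn into a rule that matches nothing (or everything).
is_valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr="${1%%/*}"
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read prefixes from stdin (blank lines and "#" comments are ignored) and
# print an `ipset restore` script on stdout. Invalid lines are reported
# on stderr and skipped rather than aborting the whole load.
build_ipset_restore() {
    printf 'create %s hash:net family inet\n' "$SETNAME"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        line="$(printf '%s' "$line" | tr -d ' \t\r')"
        [ -n "$line" ] || continue
        if is_valid_cidr "$line"; then
            printf 'add %s %s\n' "$SETNAME" "$line"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done
}

# Append an INPUT rule only if an identical one is not already present
# (iptables -C), so re-running the script does not duplicate rules.
ensure_rule() {
    iptables -C INPUT "$@" 2>/dev/null || iptables -A INPUT "$@"
}

# Load the set (flushing stale entries first) and install the rules:
# localhost and set members are accepted, everything else aimed at
# port 53 is dropped, for both UDP and TCP.
apply_rules() {
    ipset -exist create "$SETNAME" hash:net family inet
    ipset flush "$SETNAME"
    build_ipset_restore < "$IPFILE" | ipset -exist restore
    for proto in udp tcp; do
        ensure_rule -i lo -p "$proto" --dport "$DPORT" -j ACCEPT
        ensure_rule -p "$proto" --dport "$DPORT" -m set --match-set "$SETNAME" src -j ACCEPT
        ensure_rule -p "$proto" --dport "$DPORT" -j DROP
    done
}

# Constructed sample list for the dry run below (not a real pool);
# the last two lines are deliberately invalid.
SAMPLE_PREFIXES='10.0.0.0/8
172.16.0.0/16   # office
192.168.0.0/16
# 203.0.113.0/24 is disabled
256.1.1.1
10.0.0.0/33'

# Run with "apply" (as root) to install; with no argument it only prints
# the ipset restore script for the sample so the result can be reviewed.
case "${1:-}" in
    apply) apply_rules ;;
    *)     printf '%s\n' "$SAMPLE_PREFIXES" | build_ipset_restore ;;
esac
```

Running it without arguments prints three `add dns_allow ...` lines and reports the two bad entries on stderr; `sh fw-ipset.sh apply` (name assumed) as root installs the set and the six rules. Because the DROP rules sit behind the set match, an unreadable or empty list still fails closed rather than open.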


Regards,
Syed Jahanzaib

