1 Edit the dnsmasq configuration file /etc/dnsmasq.conf
Append the following at the bottom of /etc/dnsmasq.conf:
#++++++++++++++++++++++++++++++++++++++++
# Change this line if you want dns to get its upstream servers from somewhere other than /etc/resolv.conf
# (here: read the upstream DNS server addresses from /etc/dnsmasq/resolv.conf)
resolv-file=/etc/dnsmasq/resolv.conf
# By default, dnsmasq will send queries to any of the upstream servers it knows about
# and tries to favour servers that are known to be up.
# Uncommenting this forces dnsmasq to try each query with each server strictly in the order they appear in the resolv file
strict-order
# Or which to listen on by address (remember to include 127.0.0.1 if you use this.)
listen-address=192.168.145.131,127.0.0.1
# For debugging purposes, log each DNS query as it passes through dnsmasq.
log-queries
# If you don't want dnsmasq to read /etc/hosts, uncomment the following line.
no-hosts
# or if you want it to read another file, as well as /etc/hosts, use this.
addn-hosts=/etc/dnsmasq/hosts.conf
Note: with no-hosts active, dnsmasq reads only the addn-hosts file(s) and ignores /etc/hosts; leave no-hosts commented out if /etc/hosts should still be consulted (the syslog excerpt later in these notes shows answers coming from /etc/hosts, which requires no-hosts to be off).
listen-address=127.0.0.1 means this dnsmasq instance serves only the local machine.
Note: if other machines on the LAN should also be able to use this dnsmasq, add the machine's LAN IP as well: listen-address=192.168.1.123,127.0.0.1
2 Keep /etc/resolv.conf pointing at the local nameserver address
grid_hd@hadoop1:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1   ## resolve through the local cache first; names not found there are forwarded to the upstream servers listed in /etc/dnsmasq/resolv.conf
3 Configure the real upstream DNS server addresses
grid_hd@hadoop1:~$ cat /etc/dnsmasq/resolv.conf
nameserver 192.168.145.2
nameserver 8.8.8.8
nameserver 8.8.4.4
4 After installation, dnsmasq by default uses /var/run/dnsmasq/resolv.conf as its upstream nameserver list
grid_hd@hd1:~$ ps -ef | grep dns
dnsmasq 1601 1 0 19:30 ? 00:00:00 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -r /var/run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d
and /var/run/dnsmasq/resolv.conf is empty (the -r passed by the init script takes precedence over resolv-file= in /etc/dnsmasq.conf, as the comment in /etc/default/dnsmasq below explains).
To make the dnsmasq daemon load our upstream list /etc/dnsmasq/resolv.conf at startup
there are two methods:
1) Disable dnsmasq's boot-time start and start it by hand, telling it to load /etc/dnsmasq/resolv.conf
Disable the default boot-time start of dnsmasq:
sudo apt-get install sysv-rc-conf
sudo sysv-rc-conf
/etc/rc.local runs at the end of every multi-user runlevel, so start dnsmasq from there:
grid_hd@hadoop1:~$ sudo cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other value on error.
#
# In order to enable or disable this script just change the execution bits.
#
# By default this script does nothing.
dnsmasq -u dnsmasq -r /etc/dnsmasq/resolv.conf
exit 0
grid_hd@hadoop1:~/Desktop$ ps -ef | grep dnsmasq
nobody 1958 1 0 19:00 ? 00:00:00 dnsmasq -u dnsmasq -r /etc/dnsmasq/resolv.conf   ## the specified upstream list file is loaded
2) Edit dnsmasq's environment file /etc/default/dnsmasq and uncomment IGNORE_RESOLVCONF=yes
The relevant part of /etc/init.d/dnsmasq:
# RESOLV_CONF:
# If the resolvconf package is installed then use the resolv conf file
# that it provides as the default.
# Otherwise use /etc/resolv.conf as the default.
#
# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit
# filename is set there then this inhibits the use of the resolvconf-provided
# information.
#
# Note that if the resolvconf package is installed it is not possible to
# override it just by configuration in /etc/dnsmasq.conf, it is necessary
# to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.
if [ ! "$RESOLV_CONF" ] && [ "$IGNORE_RESOLVCONF" != "yes" ] && [ -x /sbin/resolvconf ]
then
	RESOLV_CONF=/var/run/dnsmasq/resolv.conf
fi
Contents of /etc/default/dnsmasq:
# This file has five functions:
# 1) to completely disable starting dnsmasq,
# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
# 3) to select an alternative config file
#    by setting DNSMASQ_OPTS to --conf-file=<file>
# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
#    more configuration variables.
# 5) to stop the resolvconf package from controlling dnsmasq's
#    idea of which upstream nameservers to use.
#
# For upgraders from very old versions, all the shell variables set
# here in previous versions are still honored by the init script
# so if you just keep your old version of this file nothing will break.

#DOMAIN_SUFFIX=`dnsdomainname`
#DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"

# Whether or not to run the dnsmasq daemon; set to 0 to disable.
ENABLED=1

# By default search this drop directory for configuration options.
# Libvirt leaves a file here to make the system dnsmasq play nice.
# Comment out this line if you don't want this. The dpkg-* are file
# endings which cause dnsmasq to skip that file. This avoids pulling
# in backups made by dpkg.
CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new

# If the resolvconf package is installed, dnsmasq will use its output
# rather than the contents of /etc/resolv.conf to find upstream
# nameservers. Uncommenting this line inhibits this behaviour.
# Note that including a "resolv-file=<filename>" line in
# /etc/dnsmasq.conf is not enough to override resolvconf if it is
# installed: the line below must be uncommented.
IGNORE_RESOLVCONF=yes

Restart and check the command line of the running daemon:
grid_hd@hd1:~$ sudo service dnsmasq restart
 * Restarting DNS forwarder and DHCP server dnsmasq   [ OK ]
grid_hd@hd1:~$ ps -ef | grep dns
dnsmasq 3365 2653 0 19:48 ? 00:00:00 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
grid_hd 3411 3208 0 19:48 pts/12 00:00:00 grep --color=auto dns
The -r /var/run/dnsmasq/resolv.conf argument is gone, so dnsmasq now uses the resolv-file= setting from /etc/dnsmasq.conf.
=====
-r, --resolv-file=<file>
Read the IP addresses of the upstream nameservers from <file>, instead of /etc/resolv.conf.
For the format of this file see resolv.conf(5).
The only lines relevant to dnsmasq are nameserver ones.
Dnsmasq can be told to poll more than one resolv.conf file, the first file name specified overrides the default, subsequent ones add to the list.
This is only allowed when polling; the file with the currently latest modification time is the one used.
-R, --no-resolv
Don't read /etc/resolv.conf.
Get upstream servers only from the command line or the dnsmasq configuration file.
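Before pointing dnsmasq at a resolv-file, it is worth checking the file the way the daemon will read it. The script below is an added example for these notes, not code from dnsmasq or from the original author. It assumes the upstream list is passed as a path argument (the notes use /etc/dnsmasq/resolv.conf) and that dnsmasq listens on 127.0.0.1, so a loopback nameserver in that file would make dnsmasq its own upstream; dnsmasq drops such an entry with the warning "ignoring nameserver 127.0.0.1 - local interface". The demo data mirrors the /etc/dnsmasq/resolv.conf shown in step 3.

```shell
#!/bin/sh
# Added example: sanity-check the file dnsmasq reads through resolv-file=/-r.
# Assumptions (not from the page): the file path is $1; dnsmasq listens on a
# loopback address, so a loopback "nameserver" line here is a forwarding loop.

# Print the nameserver addresses from a resolv.conf(5)-format file, in order.
# Only "nameserver" lines matter to dnsmasq; search/options/comments are ignored.
upstream_servers() {
  awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address (each octet 0-255).
octets_ok() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# Return 0 if the file is usable as a dnsmasq upstream list:
#   - at least one nameserver line
#   - no loopback address (dnsmasq would refuse it as "local interface")
#   - every IPv4 address is well formed (IPv6 literals are accepted unchecked)
check_upstream_file() {
  file=$1
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  count=0
  for ip in $(upstream_servers "$file"); do
    count=$((count + 1))
    case $ip in
      127.*|::1)
        echo "$file: $ip is a loopback address; dnsmasq would ignore it and you lose that upstream" >&2
        return 1 ;;
      *:*) ;;   # IPv6 literal, accepted as-is
      *)
        octets_ok "$ip" || { echo "$file: malformed address '$ip'" >&2; return 1; } ;;
    esac
  done
  [ "$count" -gt 0 ] || { echo "$file: no nameserver lines, dnsmasq would have no upstream" >&2; return 1; }
  return 0
}

# If dnsmasq is installed, ask it to parse a configuration without starting the
# daemon (--test exits non-zero on syntax errors). Skipped when not installed.
dnsmasq_config_test() {
  command -v dnsmasq >/dev/null 2>&1 || { echo "dnsmasq not installed, skipping --test" >&2; return 0; }
  dnsmasq --test --conf-file="$1"
}

# Demo on a constructed file with the same content as step 3's /etc/dnsmasq/resolv.conf.
demo() {
  tmp=$(mktemp)
  printf 'nameserver 192.168.145.2\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n' > "$tmp"
  check_upstream_file "$tmp" && echo "OK, upstreams: $(upstream_servers "$tmp" | tr '\n' ' ')"
  rm -f "$tmp"
}
```

Source the file and run check_upstream_file /etc/dnsmasq/resolv.conf before restarting; dnsmasq_config_test /etc/dnsmasq.conf additionally asks dnsmasq to syntax-check the configuration without starting it. The loopback check is the one that catches the mistake of leaving dnsmasq reading the same /etc/resolv.conf that step 2 pointed at 127.0.0.1.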
Dnsmasq provides DNS caching and DHCP service.
As a DNS server, dnsmasq speeds up connections to previously visited sites by caching DNS lookups.
As a DHCP server, dnsmasq can hand out internal IP addresses and routes to machines on the LAN; the DNS and DHCP functions can be used together or separately.
dnsmasq is lightweight and easy to configure, and it also ships with a PXE server.
This article gives practical usage notes on both functions, from my own experience and that of others.
The default dnsmasq configuration file has many options and is very flexible in what it can be set up to do.
It has most of the features of a DNS and a DHCP server.
It can serve names that are only valid locally and never appear in the global DNS (private domains).
The DHCP server and DNS server are integrated, so addresses assigned by DHCP resolve correctly in DNS; the DHCP assignments and related directives can be configured on each host or on one central device (such as a router). Dnsmasq supports both static and dynamic DHCP assignment.
Normally bind handles DNS and dhcpd handles DHCP, but dnsmasq can solve the following maintenance problems:
1. Many machines on the LAN want a consistent hosts file, and you have to keep maintaining that list.
2. You want LAN lookups of a particular domain intercepted and pointed at a chosen IP, for caching to save bandwidth or for other purposes; the local custom DNS takes precedence.
3. Block normal resolution of a domain.
---------------------------
DNS configuration
To run dnsmasq as a DNS caching daemon on the local machine, edit /etc/dnsmasq.conf and add the listen address:
listen-address=127.0.0.1
If this machine is to be the default DNS for a group of hosts, use a fixed IP address:
listen-address=192.168.1.1 # Example IP
Point the other hosts' DNS settings (their /etc/resolv.conf) at this IP as their DNS server.
Upstream servers:
resolv-file=/etc/resolv.dnsmasq
tells dnsmasq where to read its upstream DNS servers; if the option is absent the default is /etc/resolv.conf.
Configure dnsmasq's upstream DNS servers: as a cache it still needs an upstream server from which to resolve names it has not seen.
addn-hosts names an extra file from which dnsmasq reads "address hostname" records; by default it reads the system file /etc/hosts. Configure the system resolver so that dnsmasq is consulted first.
1. First set resolv-file=/etc/resolv.dnsmasq.
This makes dnsmasq read its upstream server list from that file rather than from the machine's /etc/resolv.conf. If the machine gets its address via DHCP, /etc/resolv.conf is easily overwritten by the DHCP client, which would otherwise change dnsmasq's upstream servers underneath it.
The system consults the local dnsmasq first. With strict-order uncommented, dnsmasq tries the servers in the resolv-file strictly in order, top to bottom, until one returns an answer.
2. no-hosts is commented out by default, so dnsmasq first consults the local hosts file, then its own cache, and finally the upstream DNS servers;
addn-hosts adds extra hosts files. This makes dnsmasq a good relay in front of external DNS servers.
3. listen-address=127.0.0.1,192.168.0.1 sets the addresses dnsmasq listens on: 127.0.0.1 is the machine itself, and to serve other machines you must also list the address of the corresponding interface.
4. Other options:
cache-size=1024  sets the cache size (number of names cached)
log-queries  logs each client query; on this system the entries land in /var/log/debug (and /var/log/syslog)
5. Client configuration: use the DNS resolver set up above
Edit /etc/resolv.conf and set it to 'nameserver 192.168.0.1' (the address of the internal DNS, i.e. the dnsmasq host).
Test from the client with nslookup www.freeoa.net and check the returned IP, or use dig.
6. Point custom hostnames at chosen IP addresses, on the host running the DNS resolver
First add two lines to /etc/hosts:
192.168.0.1 gateway
192.168.0.8 home.freeoa.net
Edit dnsmasq.conf and find these lines:
# Add local-only domains here, queries in these domains are answered from /etc/hosts or DHCP only.
local=/localnet/
# Add domains which you want to force to an IP address here.
# The example below sends any host in doubleclick.net to a local webserver.
#address=/doubleclick.net/127.0.0.1
address=/163.com/192.168.0.2
Restart dnsmasq; then test with dig from another machine on the LAN.
$ dig gateway
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> gateway
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43215
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;gateway. IN A
;; ANSWER SECTION:
gateway. 0 IN A 192.168.0.1
;; Query time: 2 msec
Because this machine's resolver points at the dnsmasq host, the query above is answered.
$ dig gateway @8.8.8.8
The result from Google's DNS, by contrast, clearly does not find the name; and the "Query time" also shows that dnsmasq improves performance considerably.
Now look at an intercepted and rewritten record.
$ dig home.freeoa.net
---------------------------
DHCP configuration
The necessary settings in the dnsmasq configuration file (/etc/dnsmasq.conf):
# Select the network interface to listen on
# Only listen to routers' LAN NIC.
# Doing so opens up tcp/udp port 53 to localhost and udp port 67 to world:
interface=<LAN-NIC>
# dnsmasq will open tcp/udp port 53 and udp port 67 to world to help with dynamic interfaces (assigning dynamic ips).
# Dnsmasq will discard world requests to them,
# but the paranoid might like to close them and let the kernel handle them:
# bind-interfaces
# Dynamic range of IPs to make available to LAN pc (the address pool and the lease time)
dhcp-range=192.168.1.50,192.168.1.100,12h
# Bind an IP address to a MAC address so that the machine always gets the same IP
# If you'd like to have dnsmasq assign static IPs, bind the LAN computer's NIC MAC address:
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.1.50
dhcp-host=00:0e:7b:ca:1c:6e,daunbook,192.168.0.12   # also gives 192.168.0.12 the hostname daunbook
The related options, summarised:
expand-hosts
domain=freeoa.net
dhcp-range=192.168.0.20,192.168.0.100,12h
dhcp-option=3,192.168.0.1
These options enable the DHCP service and set the domain to "freeoa.net".
The DHCP service hands out addresses from 192.168.0.20 to 192.168.0.100 with a lease time of 12 hours. The last option (DHCP option 3, router) sets the default gateway.
For a static assignment, set dhcp-host as follows:
dhcp-host=00:0e:7b:ca:1c:6e,daunbook,192.168.0.12
This gives the machine with MAC address 00:0e:7b:ca:1c:6e the hostname daunbook (daunbook.freeoa.net once expand-hosts adds the domain) and the IP address 192.168.0.12.
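Static assignments are where typos bite: a mistyped MAC silently never matches, and two dhcp-host lines sharing a MAC or an IP behave unpredictably. The script below is an added example (not from the original notes or from dnsmasq) that turns a small inventory into dhcp-host lines and rejects the bad ones. The inventory format, the subnet-prefix argument and the rule that hostnames are unqualified labels (domain= supplies the suffix, as in the configuration above) are this example's own conventions; dnsmasq parses MACs as hex bytes, so case does not matter to it, which is why the upper-case duplicate below is caught.

```shell
#!/bin/sh
# Added example: generate validated dhcp-host= lines for dnsmasq from a
# "mac hostname ip" inventory. Conventions below (inventory layout, subnet
# prefix argument, unqualified hostnames) are this example's, not dnsmasq's.

# Constructed inventory: two good hosts, a duplicate MAC in upper case,
# a host outside the subnet, and a truncated MAC.
INVENTORY='00:0e:7b:ca:1c:6e daunbook 192.168.0.12
aa:bb:cc:dd:ee:ff nas 192.168.0.13
AA:BB:CC:DD:EE:FF nas2 192.168.0.14
00:11:22:33:44:55 printer 192.168.1.9
00:1c:42:00:00:0 badmac 192.168.0.15'

# gen_dhcp_hosts SUBNET_PREFIX < inventory
#   SUBNET_PREFIX is the dotted prefix of the dhcp-range subnet, e.g. 192.168.0.
#   Prints accepted "dhcp-host=mac,name,ip" lines on stdout, one diagnostic per
#   rejected line on stderr, and returns 1 if anything was rejected.
gen_dhcp_hosts() {
  awk -v prefix="$1" '
    function reject(msg) { print "line " NR ": " msg > "/dev/stderr"; bad++ }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    NF != 3 { reject("expected: mac hostname ip"); next }
    {
      mac = tolower($1); name = $2; ip = $3      # normalise MAC case before comparing
      if (length(mac) != 17 || mac !~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])+$/) {
        reject("malformed MAC " $1); next
      }
      if (name !~ /^[A-Za-z0-9-]+$/) { reject("hostname must be an unqualified label: " name); next }
      if (index(ip, prefix) != 1)    { reject(ip " is outside " prefix "0/24"); next }
      if (mac in bymac)              { reject("MAC " mac " already used on line " bymac[mac]); next }
      if (ip in byip)                { reject("IP " ip " already used on line " byip[ip]); next }
      bymac[mac] = NR; byip[ip] = NR
      printf "dhcp-host=%s,%s,%s\n", mac, name, ip
    }
    END { exit (bad > 0) }'
}

# Demo: print the accepted lines; diagnostics for the three bad entries go to stderr.
demo() {
  printf '%s\n' "$INVENTORY" | gen_dhcp_hosts 192.168.0.
}
```

Redirect stdout into a file under /etc/dnsmasq.d/ only when the function returns 0, so a rejected inventory never produces a half-written drop-in; the dhcp-host order (mac,name,ip) is the one dnsmasq expects, as in the lines above.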
Another dnsmasq feature is a built-in TFTP server, which makes network boot (PXE) possible. It can also serve a default MX record, several kinds of cached records, SRV records (as used by LDAP), PTR, SPF and even zeroconf records.
Testing
Run a DNS query and measure the response time:
$ dig archlinux.org | grep "Query time"
Check the log in /var/log/syslog (with log-queries enabled):
Jul 29 22:04:57 hadoop1 dnsmasq[3805]: query[A] hadoop1 from 172.17.0.2
Jul 29 22:04:57 hadoop1 dnsmasq[3805]: /etc/hosts hadoop1 is 192.168.145.131
Jul 29 22:04:57 hadoop1 dnsmasq[3805]: query[PTR] 131.145.168.192.in-addr.arpa from 172.17.0.2
Jul 29 22:04:57 hadoop1 dnsmasq[3805]: /etc/hosts 192.168.145.131 is hadoop1.asn.cn
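With log-queries on, syslog lines like the ones above are the raw material for spotting misuse of the resolver. The script below is an added example (not from the original notes or from dnsmasq) that reads such lines and reports the busiest clients, clients outside the LAN prefix, TXT/NULL lookups with long first labels (the shape DNS tunnels produce) and names answered from an address=/.../ rule, which dnsmasq logs as "config NAME is ADDR". SAMPLE_LOG is constructed for the demo in the format of the excerpt above; the LAN prefix 192.168.145. and the extra client addresses are assumptions.

```shell
#!/bin/sh
# Added example: triage dnsmasq log-queries output. SAMPLE_LOG is constructed
# in the syslog format shown on this page; addresses other than the page's own
# are invented for the demo.

SAMPLE_LOG='Jul 29 22:04:57 hadoop1 dnsmasq[3805]: query[A] hadoop1 from 172.17.0.2
Jul 29 22:04:57 hadoop1 dnsmasq[3805]: /etc/hosts hadoop1 is 192.168.145.131
Jul 29 22:04:58 hadoop1 dnsmasq[3805]: query[A] www.freeoa.net from 192.168.145.20
Jul 29 22:04:58 hadoop1 dnsmasq[3805]: forwarded www.freeoa.net to 192.168.145.2
Jul 29 22:04:58 hadoop1 dnsmasq[3805]: reply www.freeoa.net is 10.0.0.5
Jul 29 22:05:01 hadoop1 dnsmasq[3805]: query[TXT] a3f9c1e2d4.t.exfil.example from 192.168.145.20
Jul 29 22:05:01 hadoop1 dnsmasq[3805]: query[A] 163.com from 192.168.145.21
Jul 29 22:05:01 hadoop1 dnsmasq[3805]: config 163.com is 192.168.0.2'

# queries < log : one "client qtype name" line per query[...] record.
# Field layout: $5 = dnsmasq[pid]:, $6 = query[TYPE], $7 = name, $NF = client address.
queries() {
  awk '$5 ~ /^dnsmasq\[[0-9]+\]:$/ && $6 ~ /^query\[/ {
         type = $6; sub(/^query\[/, "", type); sub(/\]$/, "", type)
         print $NF, type, $7
       }'
}

# queries_per_client < log : "count client", busiest first.
queries_per_client() {
  queries | awk '{ c[$1]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# unexpected_clients PREFIX < log : clients whose address does not start with PREFIX,
# i.e. anything reaching dnsmasq from outside the LAN it was meant to serve.
unexpected_clients() {
  queries | awk -v p="$1" 'index($1, p) != 1 { print $1 }' | sort -u
}

# tunnel_candidates < log : TXT/NULL lookups whose first label is 8+ characters,
# the shape produced by DNS tunnelling tools encoding data into labels.
tunnel_candidates() {
  queries | awk '($2 == "TXT" || $2 == "NULL") { split($3, l, "."); if (length(l[1]) >= 8) print $1, $3 }'
}

# sinkholed < log : names answered from an address=/.../ rule ("config NAME is ADDR"),
# useful to confirm that the rewrites configured on this page are actually firing.
sinkholed() {
  awk '$5 ~ /^dnsmasq\[[0-9]+\]:$/ && $6 == "config" && $8 == "is" { print $7, $9 }'
}

# Demo over the constructed sample.
demo() {
  echo "== queries per client";        printf '%s\n' "$SAMPLE_LOG" | queries_per_client
  echo "== clients outside 192.168.145."; printf '%s\n' "$SAMPLE_LOG" | unexpected_clients 192.168.145.
  echo "== tunnel candidates";         printf '%s\n' "$SAMPLE_LOG" | tunnel_candidates
  echo "== sinkholed";                 printf '%s\n' "$SAMPLE_LOG" | sinkholed
}
```

Against the live file, run grep dnsmasq /var/log/syslog | queries_per_client (and the other functions the same way). The 172.17.0.2 entry in the page's own excerpt is exactly the kind of client unexpected_clients is meant to surface: an address that is not on the listen-address LAN, so it is worth knowing what is sending it.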
============================================
Reference: http://blogging.dragon.org.uk/howto-setup-dnsmasq-as-dns-dhcp/
HOWTO: Setup dnsmasq as DNS DHCP
dnsmasq is a lightweight DNS, TFTP, PXE, router advertisement and DHCP server.
It is intended to provide coupled DNS and DHCP service to a LAN.
Dnsmasq accepts DNS queries and either answers them from a small, local, cache or forwards them to a real, recursive, DNS server.
It loads the contents of /etc/hosts so that local hostnames which do not appear in the global DNS can be resolved and also answers DNS queries for DHCP configured hosts.
It can also act as the authoritative DNS server for one or more domains, allowing local names to appear in the global DNS.
The dnsmasq DHCP server supports static address assignments and multiple networks.
It automatically sends a sensible default set of DHCP options, and can be configured to send any desired set of DHCP options, including vendor-encapsulated options.
It includes a secure, read-only, TFTP server to allow net/PXE boot of DHCP hosts and also supports BOOTP.
The PXE support is full featured, and includes a proxy mode which supplies PXE information to clients whilst DHCP address allocation is done by another server.
The dnsmasq DHCPv6 server provides the same set of features as the DHCPv4 server,
and in addition, it includes router advertisements and a neat feature which allows naming for clients which use DHCPv4 and stateless auto-configuration only for IPv6 configuration.
There is support for doing address allocation (both DHCPv6 and RA) from subnets which are dynamically delegated via DHCPv6 prefix delegation.
Dnsmasq is coded with small embedded systems in mind.
It aims for the smallest possible memory footprint compatible with the supported functions, and allows unneeded functions to be omitted from the compiled binary.
In short, IT IS EXCELLENT!!
Installing dnsmasq is just a case of using apt-get or yum
sudo apt-get install dnsmasq
Looking at the file /etc/dnsmasq.conf first.
The lines listed are those that I changed from their defaults.
Just uncomment and amend them as necessary. (Remove the ‘#’ from the beginning of the line).
sudo nano /etc/dnsmasq.conf
domain-needed
bogus-priv
no-resolv
no-poll
server=/example.com/192.168.0.5
server=8.8.8.8
server=208.67.220.220
local=/example.com/
address=/doubleclick.net/127.0.0.1
no-hosts
addn-hosts=/etc/dnsmasq.d/hosts.conf
expand-hosts
domain=example.com
dhcp-range=192.168.0.20,192.168.0.50,72h
dhcp-range=tftp,192.168.0.250,192.168.0.254
dhcp-host=mylaptop,192.168.0.199,36h
dhcp-option=option:router,192.168.0.1
dhcp-option=option:ntp-server,192.168.0.5
dhcp-option=19,0 # ip-forwarding off
dhcp-option=44,192.168.0.5 # set netbios-over-TCP/IP aka WINS
dhcp-option=45,192.168.0.5 # netbios datagram distribution server
dhcp-option=46,8 # netbios node type
What these lines will do for you.
- domain-needed
This tells dnsmasq to never pass short names to the upstream DNS servers. If the name is not in the local /etc/hosts file then “not found” will be returned.
- bogus-priv
All reverse IP (192.168.x.x) lookups that are not found in /etc/hosts will be returned as “no such domain” and not forwarded to the upstream servers.
- no-resolv
Do not read resolv.conf to find the servers where to lookup dns.
- no-poll
Do not poll resolv.conf for changes.
- server=8.8.8.8
Set one or more DNS servers to use when addresses are not local.
These are open DNS servers.
- local=/example.com/
Our local domain, queries in these domains are answered from /etc/hosts or the static-hosts files.
- address=/doubleclick.net/127.0.0.1
Use this to force an address for the specified domains.
e.g. to block adverts, force doubleclick.net to localhost
- no-hosts
This option stops dnsmasq using the local /etc/hosts file as a source for lookups.
- addn-hosts=/etc/dnsmasq.d/hosts.conf
Force dnsmasq to use this file for lookups.
It is in the same format as /etc/hosts.
- expand-hosts
So we can see our local hosts via our home domain without having to repeatedly specify the domain in our /etc/hosts file.
- domain
This is your local domain name.
It is the domain handed to DHCP clients and the suffix that expand-hosts appends to the short names from the hosts files.
- dhcp-range
This is the range of IPs that DHCP will serve: 192.168.0.20 to 192.168.0.50, with a lease time of 72 hours.
The lease time is how long that IP will be linked to a host.
- dhcp-range=tftp,192.168.0.250,192.168.0.254
For tftp connections use this range of IP addresses
- dhcp-host=mylaptop,192.168.0.199,36h
Any machine presenting the hostname 'mylaptop' in its DHCP request gets this IP address, with a 36-hour lease. Since the hostname is supplied by the client, a name-only dhcp-host can be claimed by any machine on the LAN; pin the address to the MAC instead (as in the dhcp-host lines earlier on this page) where that matters.
- dhcp-option=option:router,192.168.0.1
When a host is requesting an IP address via DHCP also tell it the gateway to use.
- dhcp-option=option:ntp-server,192.168.0.5
When a host is requesting an IP address via DHCP also tell it the NTP to use.
In the file /etc/dnsmasq.d/hosts.conf you can add a list of local machines with static IP addresses in the same format as the hosts file. It is also an easy way of creating aliases or CNAME records.
192.168.0.8 mail mail.example.com
192.168.0.9 smtp smtp.example.com
192.168.0.120 mythtvbox mythtvbox.example.com
Starting and stopping the service
sudo service dnsmasq start
sudo service dnsmasq stop
sudo service dnsmasq restart
===========================
The resolvconf command
-- related configuration files
NAME
resolvconf - manage nameserver information
SYNOPSIS
cat FILE | resolvconf -a IFACE.PROG
resolvconf -d IFACE.PROG
resolvconf -u
resolvconf --enable-updates | --disable-updates | --updates-are-enabled | --create-runtime-directories | --wipe-runtime-directories
DESCRIPTION
The resolvconf package comprises a simple database for run-time nameserver information and a simple framework for notifying applications of changes in that information. Resolvconf thus sets itself up as the intermediary between programs that supply nameserver information and applications that use that information.
Information is added to or removed from the database using the resolvconf program. See the OPTIONS section below for a discussion of the available options.
SUPPLIERS OF NAMESERVER INFORMATION
Normally the resolvconf program is run only by network interface configuration programs such as pppd(8) (for ppp interfaces); by DHCP clients such as dhclient(8); by ifup(8) and ifdown; and by DNS caches such as dnsmasq(8) (for the loopback interface). These programs obtain nameserver information from some source and push it to resolvconf.
dhclient The dhclient program, for example, may receive nameserver addresses and domain search list information during its negotiation with the DHCP server; if so, its hook script /etc/dhcp/dhclient-enter-hooks.d/resolvconf pushes this information to resolvconf.
ifup The ifup program can be used to configure network interfaces according to settings in /etc/network/interfaces. To make ifup push nameserver information to resolvconf when it configures an interface the administrator must add dns- option lines to the relevant iface stanza in interfaces(5). The following option names are supported: dns-nameservers, dns-search, and dns-sortlist. The dns-domain option is deprecated in favor of dns-search.
To add nameserver addresses, add a single line beginning with dns-nameservers.
dns-nameservers 192.168.1.254 8.8.8.8
Note that one or more addresses can be given on this line, separated by spaces, and note the "s" at the end of the option name, in contrast with the resolv.conf(5) option name nameserver. Remember that in interfaces(5) each option can be used at most once per stanza.
To add search domain names, add a line beginning with dns-search. dns-search foo.org bar.com
The resulting stanza might look like the following example.
iface eth0 inet static address 192.168.1.3 netmask 255.255.255.0 gateway 192.168.1.1 dns-nameservers 192.168.1.254 8.8.8.8 dns-search foo.org bar.com
N.B.: On a machine where resolvconf has just been or is about to be installed and which previously relied on a static /etc/resolv.conf file, the nameserver information in that static file should be migrated to the appropriate iface stanza(s) in interfaces(5).
Command line The administrator can run resolvconf from the command line to add or delete nameserver information, but this is not normally necessary or advisable.
CONSUMERS OF NAMESERVER INFORMATION
Nameserver information provided to resolvconf is stored for use by subscribers to resolvconf's notification service. Subscriber packages that need to know when nameserver information has changed should install a script in /etc/resolvconf/update.d/ (or in /etc/resolvconf/update-libc.d/: see below). For example, DNS caches such as dnsmasq(8) and pdnsd(8) subscribe to the notification service so that they know whither to forward queries. Client hook scripts will find the files containing nameserver information in the current directory.
libc The most important software package that subscribes to the notification service is the GNU C Library resolver(3). This library is used by many applications that need to resolve domain names. When nameserver information is updated, the script /etc/resolvconf/update.d/libc generates a new version of the resolver configuration file, /run/resolvconf/resolv.conf, as described below. If the new version of the file differs from the previously generated one, then the hook scripts found in /etc/resolvconf/update-libc.d/ are executed.
The dynamically generated resolver configuration file always starts with the contents of /etc/resolvconf/resolv.conf.d/head and ends with the contents of /etc/resolvconf/resolv.conf.d/tail.
Between head and tail the libc script inserts dynamic nameserver information compiled from, first, information provided for configured interfaces; second, static information from /etc/resolvconf/resolv.conf.d/base.
Specifically, it writes:
1) up to three nameserver lines, ordered according to /etc/resolvconf/interface-order, possibly fewer if one of the addresses is a loopback address and the TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS environment variable is affirmatively set, as discussed in the ENVIRONMENT VARIABLES section;
2) up to one search line containing the combined domain search list from all "domain" and "search" input lines, also ordered according to interface-order(5);
3) all other non-comment input lines. To make the resolver use this dynamically generated resolver configuration file the administrator should ensure that /etc/resolv.conf is a symbolic link to /run/resolvconf/resolv.conf. This link is normally created on installation of the resolvconf package. The link is never modified by the resolvconf program itself. If you find that /etc/resolv.conf is not being updated, please check to make sure that the link is intact.
The GNU C Library resolver library isn't the only resolver library available. However, any resolver library that reads /etc/resolv.conf (and most of them do, in order to be compatible) should work fine with resolvconf.
Subscriber packages that need to know only when the resolver configuration file has changed should install a script in /etc/resolvconf/update-libc.d/ rather than in /etc/resolvconf/update.d/. (For example, two packages that install update-libc.d/ hook scripts are fetchmail and squid.) This is important for synchronization purposes: scripts in update-libc.d/ are run after resolv.conf has been updated; the same is not necessarily true of scripts in update.d/.
OPTIONS
-a IFACE.PROG Add or overwrite the record IFACE.PROG then run the update scripts if updating is enabled. When this option is used the information must be provided to resolvconf on its standard input in the format of the resolv.conf(5) file. Each line in the file must be terminated by a newline.
-d IFACE.PROG Delete the record IFACE.PROG then run the update scripts if updating is enabled.
The string IFACE.PROG may not contain spaces, slashes, an initial dot, an initial hyphen or an initial tilde. It is conventionally formed from IFACE, the name of the interface involved, a dot, and PROG, the name of the interface configuration program, e.g., "eth0.dhclient".
-u Just run the update scripts (if updating is enabled).
With -a, -d or -u: if updating is not enabled, schedule a delayed update. The delayed update will be carried out when updates are enabled.
--enable-updates Set the flag indicating that resolvconf should run update scripts when invoked in the future with -a, -d or -u. If a delayed update was scheduled then run update scripts.
--disable-updates Clear the flag.
--updates-are-enabled Return 0 if the flag is set, otherwise return 1.
--create-runtime-directories Create the directories where resolver information records and other run-time files are stored.
--wipe-runtime-directories Delete everything in the directories where resolver information records and other run-time files are stored.
ENVIRONMENT VARIABLES
The following variables can be set in the configuration file /etc/default/resolvconf. If the file does not exist you will have to create it.
REPORT_ABSENT_SYMLINK If set to "yes" then resolvconf will print a message when /etc/resolv.conf is not a symbolic link to the resolvconf generated resolver configuration file. Set to "no" to prevent the printing of this message. The default is "yes".
TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS If set to "yes" then the libc script will include no more nameserver addresses after the first nameserver address that is a loopback address. (In IPv4 a loopback address is any one that starts with "127.". In IPv6 the loopback address is "::1".)
The advantage of truncating the nameserver list after a loopback address is that doing so inhibits unnecessary changes to resolv.conf and thus reduces the number of instances in which the update-libc.d/ scripts have to be run. When an interface is brought up or down the local caching nameserver that listens on the loopback address is still informed of the change and adapts accordingly; the clients of the resolver which use the local caching nameserver do not need to be notified of the change. A disadvantage of this mode of operation is that applications have no secondary or tertiary nameserver address to fall back on should the local caching nameserver crash. Insofar as a local nameserver crash can be regarded as an unlikely event, this is a relatively minor disadvantage. Set to "no" to disable truncation. The default is "yes".
A deprecated synonym for this variable is TRUNCATE_NAMESERVER_LIST_AFTER_127.
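To see what the three-nameserver limit and the truncation rule mean in practice, here is a small shell model of the libc update script's assembly step: up to three nameserver lines in interface order, optionally stopping at the first loopback address, one merged search line, then any other lines, wrapped by head and tail. It is an added example, not the resolvconf package's own script; it assumes the records arrive on stdin already in interface-order and that duplicate nameserver addresses are dropped.

```shell
#!/bin/sh
# Added example: a model of how resolvconf's libc hook assembles
# /run/resolvconf/resolv.conf. Not the package's script. Assumptions: records
# are already in interface-order on stdin; duplicate nameservers are dropped.

# build_resolv_body TRUNCATE < records
#   TRUNCATE = yes|no (mirrors TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS)
#   stdin    = concatenated interface records in resolv.conf(5) format
#   stdout   = up to three nameserver lines, one combined search line, then
#              any other non-comment lines, in that order
build_resolv_body() {
  awk -v trunc="$1" '
    /^[ \t]*(#|;|$)/ { next }                      # comments and blank lines
    $1 == "nameserver" {
      if (stop || n >= 3 || seen[$2]++) next      # at most three, no repeats, none after loopback
      ns[n++] = $2
      if (trunc == "yes" && ($2 ~ /^127\./ || $2 == "::1")) stop = 1
      next
    }
    $1 == "search" || $1 == "domain" {             # merge domain/search into one search list
      for (i = 2; i <= NF; i++) if (!sd[$i]++) { sep = (search == "") ? "" : " "; search = search sep $i }
      next
    }
    { other = other $0 "\n" }                      # e.g. "options ..." lines pass through
    END {
      for (i = 0; i < n; i++) print "nameserver " ns[i]
      if (search != "") print "search " search
      printf "%s", other
    }'
}

# build_resolv_conf TRUNCATE HEADFILE TAILFILE < records
#   The generated file always starts with head and ends with tail.
build_resolv_conf() {
  cat "$2"
  build_resolv_body "$1"
  cat "$3"
}

# Demo: a dnsmasq record for lo ahead of a dhclient record for eth0.
demo() {
  hf=$(mktemp); tf=$(mktemp)
  printf '# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)\n' > "$hf"
  printf 'options inet6\n' > "$tf"
  printf 'nameserver 127.0.0.1\nnameserver 192.168.1.254\nnameserver 8.8.8.8\nsearch foo.org\n' \
    | build_resolv_conf yes "$hf" "$tf"
  rm -f "$hf" "$tf"
}
```

Fed the lo record (nameserver 127.0.0.1) ahead of the eth0 record, the truncating form emits only 127.0.0.1, which is exactly the single nameserver line seen in /etc/resolv.conf in step 2 above; with the variable set to "no" the DHCP-supplied servers follow it as fallbacks, at the cost of the extra resolv.conf rewrites described in the text.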
FILES
/etc/default/resolvconf See the ENVIRONMENT VARIABLES section.
/etc/resolvconf/interface-order Determines the order of precedence of nameserver addresses and search domain names. See above and interface-order(5).
/etc/resolvconf/resolv.conf.d/base File containing basic resolver information. The lines in this file are included in the resolver configuration file even when no interfaces are configured.
/etc/resolvconf/resolv.conf.d/head File to be prepended to the dynamically generated resolver configuration file. Normally this is just a comment line.
/etc/resolvconf/resolv.conf.d/tail File to be appended to the dynamically generated resolver configuration file. To append nothing, make this an empty file. This file is a good place to put a resolver options line if one is needed, e.g., options inet6
/etc/resolvconf/resolv.conf.d/original Copy of the /etc/resolv.conf file before the resolvconf package was installed. This file has no effect on the functioning of resolvconf; it is retained so that /etc/resolv.conf can be restored to its original state if the resolvconf package is removed.
Note also that a copy of this file is included in the database until the first reboot after installation of the resolvconf package; this ensures that nameservers reachable before installation of resolvconf are still reachable after installation of resolvconf even though at that point not all suppliers of nameserver information may have supplied their information to resolvconf(8).
Note also that the administrator can choose to create a symbolic link in /etc/resolvconf/resolv.conf.d/ from tail to original so that the contents of original are always added to the end of the dynamically generated file.
BUGS
Currently resolvconf does not check the sanity of the information provided to it.
AUTHOR
Written by Thomas Hood <jdthood@gmail.com> with contributions by Nathan Stratton Treadway.
COPYRIGHT
Copyright © 2004-2012 Thomas Hood. This is free software; see the source for copying conditions.
SEE ALSO
interface-order(5), resolv.conf(5), resolver(3).
Read the resolvconf package README file for more in-depth information.
Ubuntu 14.04
Hostname configuration (with a search domain)
/etc/hostname
hd1
/etc/hosts
127.0.0.1 localhost
127.0.0.1 hd1.asn.cn hd1
/etc/resolv.conf
nameserver 127.0.0.1
search asn.cn
======================
Dnsmasq setup
Installation.
To compile and install dnsmasq, the following command (as root) is enough.
make install
You might want to edit config.h. Dnsmasq has been run on (at least) Linux, uCLinux, AIX 4.1.5, FreeBSD 4.4, OpenBSD and Tru64 4.x. Dnsmasq is normally run on a firewall machine (the machine with the modem or other connection to your ISP), but it can run on any machine with access to the ISP's nameservers.
Put the binary in /usr/local/sbin/dnsmasq (running make install will do this) and arrange for it to be started at boot time.
Note that dnsmasq needs to run as root, since it binds privileged ports.
It will drop root privileges after start-up.
Dnsmasq logs problems using the syslog facility as a daemon.
It logs debugging information to local0
Configuration.
Configuration for dnsmasq is pretty simple in almost all cases.
The program has collected a fair few options as it has developed but most of them are not needed most of the time.
A machine which already has a DNS configuration (ie one or more external nameservers in /etc/resolv.conf and any local hosts in /etc/hosts) can be turned into a nameserver simply by running dnsmasq, with no options or configuration at all.
Set the IP address of the machine running dnsmasq as the DNS server in all the other machines on your network, and you're done.
With a few option flags, it is possible to make dnsmasq do more clever tricks.
Options for dnsmasq can be set either on the command line when starting dnsmasq, or in its configuration file, /etc/dnsmasq.conf.
Making the nameserver machine use dnsmasq.
In the simple configuration described above,
processes local to the machine will not use dnsmasq, since they get their information about which nameservers to use from /etc/resolv.conf, which is set to the upstream nameservers.
To fix this, simply replace the nameserver in /etc/resolv.conf with the local address 127.0.0.1 and give the address(es) of the upstream nameserver(s) to dnsmasq directly.
You can do this using either the server option, or by putting them into another file, and telling dnsmasq about its location with the resolv-file option.
Automatic nameserver configuration.
The two protocols most used for automatic IP network configuration (PPP and DHCP) can determine the IP addresses for nameservers automatically.
The daemons can be made to write out a file in the resolv.conf format with the nameservers in which is perfect for dnsmasq to use.
When the nameservers change, for instance on dialling into a new ISP using PPP, dnsmasq will automatically re-read this file and begin using the new nameserver(s) completely transparently.
Automatic DNS server configuration with PPP.
Later versions of pppd have an option "usepeerdns" which instructs it to write a file containing the address(es) of the DNS servers in /etc/ppp/resolv.conf.
Configure dnsmasq as above with "nameserver 127.0.0.1" in /etc/resolv.conf and run dnsmasq with the option resolv-file=/etc/ppp/resolv.conf.
On Redhat (at least versions 7.1, 7.2 and 7.3) you can set pppd options by adding "PPPOPTIONS=usepeerdns" to /etc/sysconfig/network-scripts/ifcfg-ippp0.
In the same file, make sure that "PEERDNS=no" to stop RedHat's network initscripts from copying /etc/ppp/resolv.conf into /etc/resolv.conf.
On SuSE (at least versions 8.1 and 8.2) you should use YaST to activate [x] Modify DNS when connected, then stop SuSE's network initscripts from copying /etc/ppp/resolv.conf into /etc/resolv.conf by setting MODIFY_RESOLV_CONF_DYNAMICALLY="no" in /etc/sysconfig/network/config.
Automatic DNS server configuration with DHCP.
You need to get your DHCP client to write the address(es) of the DNS servers to a file other than /etc/resolv.conf.
For dhcpcd, the dhcpcd.exe script gets run with the addresses of the nameserver(s) in the shell variable $DNS.
The following bit of shell script uses that to write a file suitable for dnsmasq.
#!/bin/bash
# dhcpcd runs dhcpcd.exe with the nameserver list, comma-separated, in $DNS.
echo -n >|/etc/dhcpc/resolv.conf      # truncate the file (>| ignores noclobber)
dnsservs=${DNS//,/ }                  # bash substitution: commas become spaces
for serv in $dnsservs; do
    echo "nameserver $serv" >>/etc/dhcpc/resolv.conf
done
Remember to give dhcpcd the -R flag to stop it overwriting /etc/resolv.conf.
For other DHCP clients it should be possible to achieve the same effect.
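The dhcpcd snippet above appends to the live file line by line, and writes whatever the DHCP server handed over. The following script is an added example, not part of the dnsmasq documentation, that generalises it for any DHCP client: it accepts a comma- or space-separated list (dhcpcd's $DNS or anything similar), drops entries that are not dotted-quad IPv4 addresses, and writes the result to a temporary file that is renamed into place, so a polling dnsmasq never reads a half-written list. The function names (is_ipv4, write_resolv_file) and the sample address list are my own; /etc/dhcpc/resolv.conf is only the default output path.

```shell
#!/bin/sh
# Added example (not dnsmasq's own code): build a resolv.conf-style file for
# dnsmasq's resolv-file option from a comma- or space-separated nameserver
# list such as dhcpcd's $DNS variable.
#
# Compared with the one-liner in the text:
#  1. the file is written under a temporary name and renamed into place, so
#     dnsmasq, which polls the file, never sees a partially written list;
#  2. each entry must be a dotted-quad IPv4 address; anything else supplied
#     by the DHCP server is reported and dropped instead of written out;
#  3. if nothing valid is left, the old file is kept, so dnsmasq continues
#     with the upstream servers it already had.

# is_ipv4 ADDR: exit 0 if ADDR is four decimal octets in 0..255.
is_ipv4() {
    # Reject characters other than digits and dots, and empty octets.
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Dots are now guaranteed to separate non-empty digit runs.
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# write_resolv_file LIST [FILE]: write "nameserver X" for every valid address
# in LIST to FILE (default /etc/dhcpc/resolv.conf). Prints the number of
# addresses written and returns 0; returns 1 (FILE untouched) if none were valid.
write_resolv_file() {
    local list file tmp count serv
    list=$1
    file=${2:-/etc/dhcpc/resolv.conf}
    tmp="$file.tmp.$$"
    count=0
    : > "$tmp"
    for serv in $(printf '%s\n' "$list" | tr ',' ' '); do
        if is_ipv4 "$serv"; then
            echo "nameserver $serv" >> "$tmp"
            count=$((count + 1))
        else
            echo "write_resolv_file: ignoring bad nameserver '$serv'" >&2
        fi
    done
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$file"    # same directory, so the replace is atomic
    echo "$count"
}

# Typical use from a DHCP client hook (dhcpcd exports the list in $DNS):
#   write_resolv_file "$DNS" /etc/dhcpc/resolv.conf
```

Because the rename is atomic, dnsmasq's next poll sees either the old complete list or the new complete list, never an empty file in between; the one-liner in the text truncates the file first, which opens a short window in which dnsmasq has no upstream servers at all.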
DHCP and PPP.
On a laptop which may potentially connect via a modem and PPP or ethernet and DHCP it is possible to combine both of the above configurations. Running dnsmasq with the flags resolv-file=/etc/ppp/resolv.conf resolv-file=/etc/dhcpc/resolv.conf makes it poll both files and use whichever was updated last. The result is automatic switching between DNS servers.
Integration with DHCP.
Dnsmasq reads /etc/hosts so that the names of local machines are available in DNS. This is fine when you give all your local machines static IP addresses which can go in /etc/hosts, but it doesn't work when local machines are configured via DHCP, since the IP address allocated to a machine is not fixed. Dnsmasq comes with an integrated DHCP daemon to solve this problem.
The dnsmasq DHCP daemon allocates addresses to hosts on the network and tries to determine their names. If it succeeds it adds the name and address pair to the DNS. There are basically two ways to associate a name with a DHCP-configured machine: either the machine knows its name when it gets a DHCP lease, or dnsmasq gives it a name, based on the MAC address of its ethernet card. For the former to work, a machine needs to know its name when it requests a DHCP lease. For dhcpcd, the -h option specifies this. The names may be anything as far as DHCP is concerned, but dnsmasq adds some limitations. By default the names must not have a domain part, i.e. they must just be an alphanumeric name, without any dots. This is a security feature to stop a machine on your network telling DHCP that its name is "www.microsoft.com" and thereby grabbing traffic which shouldn't go to it. A domain part is only allowed by dnsmasq in DHCP machine names if the domain-suffix option is set, and then the domain part must match the suffix.
As an aside, make sure not to tell DHCP to set the hostname when it obtains a lease (in dhcpcd that's the -H flag.) This is not reliable since the DHCP server gets the hostname from DNS which in this case is dnsmasq. There is a race condition because the host's name in the DNS may change as a result of it getting a DHCP lease, but this does not propagate before the name is looked up. The net effect may be that the host believes it is called something different to its name in the DNS. To be safe, set the hostname on a machine locally, and pass the same name to DHCP when requesting a lease.
Setting up a mailhub.
If you generate mail on the machines attached to your private network, you may be interested in the MX record feature of dnsmasq. This allows you to have all the machines on your network use your firewall or another machine as a "smarthost" and deliver mail to it. The details of how to set this up are highly dependent on your mailer, system and distribution. The only thing that's relevant to dnsmasq is that the mailer needs to be able to interrogate the DNS and find an MX record for your mailhub.
By giving dnsmasq the mx-host option you instruct dnsmasq to serve an MX record for the specified address. By default the MX record points to the machine on which dnsmasq is running, so mail delivered to that name will get sent to the mailer on your firewall machine. You can have the MX record point to another machine by using the mx-target option.
In some cases it's useful for all local machines to see an MX record pointing at themselves: this allows mailers which insist on an MX record and don't fall back to A records to deliver mail within the machine. These MX records are enabled using the selfmx option.
Using special servers.
Dnsmasq has the ability to direct DNS queries for certain domains to specific upstream nameservers.
This feature was added for use with VPNs but it is fully general.
The scenario is this:
you have a standard internet connection via an ISP, and dnsmasq is configured to forward queries to the ISP's nameservers; then you make a VPN connection into your company's network, giving access to hosts inside the company firewall.
You have access, but since many of the internal hosts aren't visible on the public internet, your company doesn't publish them to the public DNS and you can't get their IP addresses from the ISP nameservers.
The solution is to use the company's nameserver for private domains within the company, and dnsmasq allows this.
Assuming that internal company machines are all in the domain internal.myco.com and the company's nameserver is at 192.168.10.1, then the option server=/internal.myco.com/192.168.10.1 will direct all queries in the internal domain to the correct nameserver.
You can specify more than one domain in each server option.
If there is more than one nameserver just include as many server options as is needed to specify them all.
Local domains.
Sometimes people have local domains which they do not want forwarded to upstream servers.
This is accommodated by using server options without the server IP address.
To make things clearer, local is a synonym for server.
For example, the option local=/localnet/ ensures that any domain name query which ends in .localnet will be answered if possible from /etc/hosts or DHCP, but never sent to an upstream server.
Defeating wildcards in top level domains.
In September 2003 Verisign installed a wildcard record in the .com and .net top level domains.
The effect of this is that queries for unregistered .com and .net names now return the address of Verisign's sitefinder service, rather than a "no such domain" response.
To restore the correct behaviour, you can tell dnsmasq the address of the sitefinder host and have it substitute an NXDOMAIN reply when it sees that address. The sitefinder address is currently 64.94.110.11, so giving the option bogus-nxdomain=64.94.110.11 will enable this facility for Verisign. If other TLDs do that same thing you can add the correct addresses for them too. See the dnsmasq FAQ for more details on the bogus-nxdomain option.
Other configuration details.
By default dnsmasq offers DNS service on all the configured interfaces of a host.
It's likely that you don't (for instance) want to offer a DNS service to the world via an interface connected to ADSL or cable-modem, so dnsmasq allows you to specify which interfaces it will listen on.
Use either the interface or address options to do this.
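A forwarder that answers on every interface is an open resolver for whoever can reach it. The script below is an added example of a pre-deployment check, not part of dnsmasq or its documentation: it reads one dnsmasq configuration file and classifies its listening scope from the options named above (interface=, listen-address=), plus except-interface= and bind-interfaces, which are also real dnsmasq options. The function names (config_values, listen_scope, has_bind_interfaces) and the sample configurations in the usage comments are my own; the check only inspects the single file it is given, not any conf-dir directory the real configuration may also include.

```shell
#!/bin/sh
# Added example (not dnsmasq's own code): audit a dnsmasq configuration
# file and report whether DNS service is limited to named interfaces or
# addresses, or offered on every interface of the host (the default).
# Only the file given as argument is read; a dnsmasq.d directory pulled in
# by conf-dir would need the same check run over each of its files.

# config_values FILE KEY: print the value of every "KEY=value" line in FILE.
# Comment lines start with '#' and so never match the anchored pattern;
# whitespace around the key, the '=', and the end of the value is ignored.
config_values() {
    sed -n -e 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed -e 's/[[:space:]]*$//'
}

# has_bind_interfaces FILE: exit 0 if the bare option "bind-interfaces" is set.
# Without it dnsmasq binds the wildcard address and discards unwanted queries
# by interface, so a port scan still sees the service open on every address.
has_bind_interfaces() {
    grep -q '^[[:space:]]*bind-interfaces[[:space:]]*$' "$1"
}

# listen_scope FILE: print one of
#   restricted        - interface= or listen-address= names where to serve
#   all-but-excluded  - only except-interface= is present
#   all-interfaces    - no listening restriction at all
# Exit status is 0 only for "restricted", so it can gate a deployment step.
listen_scope() {
    if [ -n "$(config_values "$1" interface)" ] \
       || [ -n "$(config_values "$1" listen-address)" ]; then
        echo restricted
        return 0
    fi
    if [ -n "$(config_values "$1" except-interface)" ]; then
        echo all-but-excluded
        return 1
    fi
    echo all-interfaces
    return 1
}

# Usage, with constructed files:
#   printf 'log-queries\n' > open.conf
#   printf 'listen-address=192.168.1.123,127.0.0.1\nbind-interfaces\n' > lan.conf
#   listen_scope open.conf   -> all-interfaces (exit 1)
#   listen_scope lan.conf    -> restricted     (exit 0)
```

In a configuration-management run, `listen_scope /etc/dnsmasq.conf || exit 1` fails the deployment before an unrestricted forwarder is started; pairing it with has_bind_interfaces catches the case where the address list is right but the socket is still bound to the wildcard address.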
The filterwin2k option makes dnsmasq ignore certain DNS requests which are made by Windows boxen every few minutes.
The requests generally don't get sensible answers in the global DNS and cause trouble by triggering dial-on-demand internet links.
Sending SIGHUP to the dnsmasq process will cause it to empty its cache and then re-load /etc/hosts and /etc/resolv.conf.
Sending SIGUSR1 (killall -10 dnsmasq) to the dnsmasq process will cause it to write cache usage statistics to the log, typically /var/log/syslog or /var/log/messages.
The log-queries option tells dnsmasq to verbosely log the queries it is handling and causes SIGUSR1 to trigger a complete dump of the contents of the cache to the syslog.
For a complete listing of options please take a look at the manpage dnsmasq(8).
=======================
Automating dnsmasq and resolvconf
Posted on 07 November 2013
I've been working a lot with dnsmasq for DNS forwarding recently, and have hit enough problems that I thought it would be worth writing about them.
On my current project, we're using Ubuntu 12.04, which uses dnsmasq as a local DNS cacher and forwarder, and resolvconf (the service as opposed to the resolv.conf file) to manage DNS server configuration.
dnsmasq
Dnsmasq is a simple DNS forwarder.
It proxies multiple upstream DNS servers, adds caching, and can even serve up A records from an /etc/hosts-style configuration file.
Dnsmasq is configured by giving it an /etc/resolv.conf-style file with a list of nameservers.
It will regularly poll this file for changes, and change its forwarding behaviour accordingly.
Dnsmasq can also be configured to direct requests for particular domains to particular servers;
for example, if you want everything in mycompany.com to go to your internal office server, but everything else to go to public DNS servers, dnsmasq can do that for you.
Dnsmasq does NOT perform recursive DNS lookups;
you will still need some form of recursive DNS server in order to achieve full DNS functionality.
resolvconf
resolvconf is part of the ubuntu-minimal install, which means that it's considered a pretty core part of the distribution these days. It's an evolution from the traditional /etc/resolv.conf file, which lists nameservers and search domains to use when resolving DNS names to IP addresses.
You associate a nameserver with a particular network interface with a line such as:
echo nameserver 192.0.2.6 | resolvconf -a IFACE.PROGNAME
where IFACE is an interface, and PROGNAME is the name of an associated program.
For example, dnsmasq registers itself with resolvconf by associating with the lo.dnsmasq entry.
You can remove entries with resolvconf -d.
Generally, you don't call resolvconf directly;
instead, it is called automatically as part of bringing up a network interface, or starting a DNS service, or similar.
Each time an interface is added or removed, resolvconf updates associated configuration files by running scripts in the /etc/resolvconf/update.d directory; one of these, libc, updates the traditional /etc/resolv.conf file.
The problem
This is where I get to the problem I was facing.
I was trying to install and configure dnsmasq in a puppet run.
However, immediately after dnsmasq was installed, I would start getting name resolution errors, and the rest of the puppet run would fail.
But by the time I had logged onto the box to investigate, name resolution was working again! What was going on?
It turns out there's a bit of a race condition when starting dnsmasq, particularly for the first time. What happens is this:
- /etc/init.d/dnsmasq starts the dnsmasq daemon. Dnsmasq, in its default configuration on ubuntu, looks for upstream nameservers in /var/run/dnsmasq/resolv.conf. Dnsmasq checks for the file, finds it missing, and gives up for the moment. It will poll again later.
- Once dnsmasq has started and returned, the init.d script registers 127.0.0.1 with lo.dnsmasq in resolvconf.
- resolvconf runs its updates, generating configuration for dnsmasq in /var/run/dnsmasq/resolv.conf and also changing the standard libc resolver file /etc/resolv.conf to only refer to 127.0.0.1, the dnsmasq process.
- At this point, the dnsmasq service is the sole DNS server that the local resolver can see, but dnsmasq itself hasn't yet seen any upstream nameservers. Therefore it can't give any useful answers. At this point, my puppet run starts failing.
- After a few seconds, dnsmasq polls the /var/run/dnsmasq/resolv.conf file again and finally finds the upstream nameservers left for it by resolvconf in step #3 above.
- I log into the machine, try to resolve a name, and everything works.
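The window between steps 3 and 5 is the whole problem: the libc resolver already points only at dnsmasq, but dnsmasq has not yet re-read its resolv-file. One defensive guard for an automated run is to refuse to continue until that file actually names an upstream server. The script below is an added example written for this post, not the author's fix: upstream_count counts usable nameserver lines in a resolv.conf-style file, and wait_for_upstream polls until there is at least one or a timeout expires. The function names, the timeout handling and the sample files in the usage comment are my own; /var/run/dnsmasq/resolv.conf is the Ubuntu default path named in the post, and 127.0.0.1 is not counted because in this setup that is dnsmasq's own address (step 2), not an upstream for it.

```shell
#!/bin/sh
# Added example (not from the post): guard a configuration-management run
# against the dnsmasq/resolvconf start-up race. After dnsmasq is started,
# wait until the resolv-file it forwards to lists a real upstream nameserver
# before running anything that needs name resolution.

# upstream_count FILE: print the number of "nameserver" lines in FILE whose
# address is not 127.0.0.1. A missing file (what dnsmasq sees in step 1)
# counts as 0. Always exits 0 so it is safe under "set -e".
upstream_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep '^[[:space:]]*nameserver[[:space:]]' "$1" \
        | grep -v -c '[[:space:]]127\.0\.0\.1[[:space:]]*$' || true
}

# wait_for_upstream FILE [TIMEOUT] [INTERVAL]: poll FILE every INTERVAL
# seconds (default 1) until upstream_count is non-zero. Returns 0 as soon
# as an upstream is present, 1 if TIMEOUT seconds (default 30) pass first.
# Both values are whole seconds.
wait_for_upstream() {
    local file timeout interval waited
    file=$1
    timeout=${2:-30}
    interval=${3:-1}
    waited=0
    while [ "$(upstream_count "$file")" -eq 0 ]; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "wait_for_upstream: no upstream nameserver in $file after ${timeout}s" >&2
            return 1
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 0
}

# Usage in a provisioning script, after "service dnsmasq start":
#   wait_for_upstream /var/run/dnsmasq/resolv.conf 30 || exit 1
#   # only now is it safe to resolve package mirrors, puppet masters, etc.
```

The timeout matters: if resolvconf never writes an upstream (no interface has been configured yet, for example) the run should fail with a clear message rather than hang, which is also what makes the failure easy to spot in the provisioning log.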