[Dnsmasq-discuss] dnsmasq to provide public DNS service

Albert ARIBAUD albert.aribaud at free.fr
Mon Jul 4 15:15:51 BST 2016


Hi Tong,

On Mon, 4 Jul 2016 13:05:35 +0000 (UTC)
T o n g <mlist4suntong at yahoo.com> wrote:

> On Mon, 04 Jul 2016 10:56:05 +0200, Albert ARIBAUD wrote:
> 
> >> >> The machine from which I run dig gets its DNS servers is the one
> >> >> that I tweaked the /etc/dnsmasq.d/public.conf file, by doing
> >> >> which my DNS breaks. And on removing the file, my DNS service
> >> >> (served by local dnsmasq) works again.
> >> >> 
> >> >> And, yes, basically I'm creating an open DNS server, and since
> >> >> nobody is doing that, I can't find any information on how to
> >> >> set it up properly.  
> >> > 
> >> > Nobody should do that indeed, because it is a very bad idea: your
> >> > machine may then serve as an amplifier for DDoS attacks.  
> >> 
> >> I'm more interested to know how to do that than actually provide
> >> the DNS service. BTW, on to that thought, how are the ISP's or Google's
> >> DNS servers able to avoid being an amplifier for DDoS attacks?  
> > 
> > They have DDoS mitigation machines between their DNS servers and the
> > rest of the world, which watch traffic and curb / cut it when they
> > detect abnormal traffic, e.g. sudden heavy traffic to one (set of)
> > destination(s).  
> 
> Thanks,
> 
> >> > Still, the configuration -- as far as dnsmasq is concerned -- is
> >> > the same for an open DNS and a LAN DNS.
> >> > 
> >> > Could you please describe your setup from a network
> >> > perspective ?  
> >> 
> >> I don't quite understand what you are asking. Consider it is my
> >> own box behind my ISP. How this network setup has anything to do
> >> with the question?  
> > 
> > Basically, my question boils down to two questions: is dnsmasq using
> > external DNS servers as upstreams, or does it use a local recursive
> > server such as bind or unbound? Also, do you test your dnsmasq with
> > another host on the LAN, or from the same machine that hosts
> > dnsmasq?
> 
> >> Ideally, I just want to use a file,
> >> say /etc/dnsmasq.d/public.conf, to turn it on. Then, I can easily
> >> turn it off by removing the file. It's not just I'm broadcasting
> >> to the world that I have this. It's for my own personal usage.  
> > 
> > Lots of people use dnsmasq for serving their LAN, myself included,
> > so that works pretty much out-of-the-box if you just make dnsmasq
> > listen to the LAN interface of the host running it.
> > 
> > Providing worldwide access is then not a dnsmasq question, but a
> > LAN-to-Internet routing question.  
> 
> OK. That explains why, when I changed mine from 192.168.1.1 to 0.0.0.0
> in the following, it stopped working:

Actually no, that does not explain it.

>     $ cat /etc/dnsmasq.d/public.conf
>     # listen to public
>     listen-address=0.0.0.0
>     # provide only DNS service and disable DHCP and TFTP on it
>     no-dhcp-interface=eth0
> 
> So, it confirms that dnsmasq only works for LAN, but not for the
> public. 

Actually, it can perfectly work for open access, as long as 1) the host
it is running on can access the Internet, and 2) outside hosts can send
DNS requests to your dnsmasq host. So,

1) Does your dnsmasq host have access to the Internet?

2) Have you configured your Internet access so that DNS requests
incoming from the outside are routed to your dnsmasq host?

Kind regards,
-- 
Albert.
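The reply above turns on two facts about the poster's setup: which source addresses dnsmasq will answer, and where it forwards queries. The following script is an added example, not code from the dnsmasq project or from anyone in this thread; it parses the option[=value] lines that dnsmasq.d files use and reports both facts, flagging the wildcard listen-address as open-resolver exposure. Option names (listen-address, interface, local-service, server, no-resolv) are real dnsmasq options; SAMPLE_CONF is constructed here to mirror the fragment quoted above, and the Finding class and severity labels are this example's own.

```python
"""Audit a dnsmasq.d configuration fragment for open-resolver exposure.

Added example, not code from the dnsmasq project or from the thread.
Reports (1) which source addresses the resolver would answer and
(2) which upstreams it would forward to.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed to mirror the fragment posted in the thread.
SAMPLE_CONF = """\
# listen to public
listen-address=0.0.0.0
# provide only DNS service and disable DHCP and TFTP on it
no-dhcp-interface=eth0
"""


def parse_dnsmasq(text):
    """Return (option, value) pairs; value is None for bare flag options.
    Comments start with '#'; whitespace around '=' is ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        entries.append((key.strip(), value.strip() if sep else None))
    return entries


@dataclass
class Finding:
    severity: str   # HIGH, WARN or INFO (labels are this example's own)
    message: str


def audit(entries):
    """Classify who the resolver answers and where it forwards queries."""
    findings = []
    opts = {}
    for key, value in entries:
        opts.setdefault(key, []).append(value)

    listen = opts.get("listen-address", [])
    interfaces = opts.get("interface", [])
    wildcard = [a for a in listen if ip_address(a).is_unspecified]

    if wildcard:
        findings.append(Finding("HIGH",
            f"listen-address={wildcard[0]} binds every address on the host; "
            "queries from any source are answered unless a firewall in front "
            "of the host drops them (open resolver, usable as a DDoS amplifier)"))
        if "local-service" in opts:
            # Per the dnsmasq man page, local-service only takes effect when no
            # interface/listen-address options are present, so it does not
            # narrow a wildcard listen-address.
            findings.append(Finding("WARN",
                "local-service is present but ignored because listen-address is set"))
    elif listen or interfaces:
        findings.append(Finding("INFO",
            "answers only on " + ", ".join(listen + interfaces)))
    elif "local-service" in opts:
        findings.append(Finding("INFO",
            "local-service: answers only hosts on directly attached subnets"))
    else:
        findings.append(Finding("WARN",
            "no interface/listen-address/local-service given; dnsmasq listens "
            "on all interfaces by default"))

    # server=/domain/addr lines are domain-scoped; only plain addresses count
    # as general upstreams here.
    servers = [v for v in opts.get("server", []) if v and not v.startswith("/")]
    if servers:
        findings.append(Finding("INFO",
            "forwards to explicit upstreams: " + ", ".join(servers)))
    elif "no-resolv" in opts:
        findings.append(Finding("WARN",
            "no-resolv with no server= lines: nothing to forward to"))
    else:
        findings.append(Finding("INFO",
            "no server= lines: upstreams come from /etc/resolv.conf"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_dnsmasq(SAMPLE_CONF)):
        print(f"[{f.severity}] {f.message}")
```

Run against the quoted fragment, the audit reports the wildcard listen-address as HIGH and notes that upstreams are whatever /etc/resolv.conf names; that second point is exactly what the reply asks, since a host whose resolv.conf points at the same dnsmasq instance forwards to itself. Replacing the wildcard with the LAN address (192.168.1.1 in the thread) yields INFO findings only.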