[Dnsmasq-discuss] dnsmasq to provide public DNS service

T o n g mlist4suntong at yahoo.com
Tue Jul 5 01:42:25 BST 2016


On Mon, 04 Jul 2016 16:15:51 +0200, Albert ARIBAUD wrote:

> Hi Tong,
> 
> Le Mon, 4 Jul 2016 13:05:35 +0000 (UTC)
> T o n g <mlist4suntong at yahoo.com> a écrit:
> 
>> On Mon, 04 Jul 2016 10:56:05 +0200, Albert ARIBAUD wrote:
>> 
>> >> >> The machine from which I run dig is the one on which
>> >> >> I tweaked the /etc/dnsmasq.d/public.conf file, by doing
>> >> >> which my DNS breaks. And on removing the file, my DNS service
>> >> >> (served by local dnsmasq) works again.
>> >> >> 
>> >> >> And, yes, basically I'm creating an open DNS server, and since
>> >> >> nobody is doing that, I can't find any information on how to set
>> >> >> it up properly.
>> >> > 
>> >> > Nobody should do that indeed, because it is a very bad idea: your
>> >> > machine may then serve as an amplifier for DDoS attacks.
>> >> 
>> >> I'm more interested to know how to do that than actually provide the
>> >> DNS service. BTW, on to that thought, how are the ISP's or Google's DNS
>> >> servers able to avoid being an amplifier for DDoS attacks?
>> > 
>> > They have DDoS mitigation machines between their DNS servers and the
>> > rest of the world, which watch traffic and curb / cut it when they
>> > detect abnormal traffic, e.g. sudden heavy traffic to one (set of)
>> > destination(s).
>> 
>> Thanks,
>> 
>> >> > Still, the configuration -- as far as dnsmasq is concerned -- is
>> >> > the same for an open DNS and a LAN DNS.
>> >> > 
>> >> > Could you please describe your setup from a network perspective ?
>> >> 
>> >> I don't quite understand what you are asking. Consider it is my own
>> >> box behind my ISP. How this network setup has anything to do with
>> >> the question?
>> > 
>> > Basically, my question boils down to two questions: is dnsmasq using
>> > external DNS servers as upstreams, or does it use a local recursive
>> > server such as bind or unbound? Also, do you test your dnsmasq with
>> > another host on the LAN, or from the same machine that hosts dnsmasq?
>> > 
>> >> Ideally, I just want to use a file,
>> >> say /etc/dnsmasq.d/public.conf, to turn it on. Then, I can easily
>> >> turn it off by removing the file. It's not just I'm broadcasting to
>> >> the world that I have this. It's for my own personal usage.
>> > 
>> > Lots of people use dnsmasq for serving their LAN, myself included, so
>> > that works pretty much out-of-the-box if you just make dnsmasq listen
>> > to the LAN interface of the host running it.
>> > 
>> > Providing worldwide access is then not a dnsmasq question, but a
>> > LAN-to-Internet routing question.
>> 
>> OK. That explains why, when I changed mine from 192.168.1.1 in the
>> following to 0.0.0.0, it stopped working:
> 
> Actually no, that does not explain it.
> 
>>     $ cat /etc/dnsmasq.d/public.conf
>>     # listen to public
>>     listen-address=0.0.0.0
>>     # provide only DNS service and disable DHCP and TFTP on it
>>     no-dhcp-interface=eth0
>> 
>> So, it confirms that dnsmasq only works for LAN, but not for the
>> public.
> 
> Actually, it can perfectly work for open access, as long as 1) the host
> it is running on can access the Internet, and 2) outside hosts can send
> DNS requests to your dnsmasq host. So,

Oh, good. I thought it was the end. 

> 1) Does your dnsmasq host have access to the Internet?
> 
> 2) Have you configured your Internet access so that DNS requests
> incoming from the outside are routed to your dnsmasq host?

Yeah, those "outside" factors I know how to control, and they are 
working fine. For example, I have used `listen-address=192.168.1.1` before 
to provide DNS service for my own home network, and it works fine. 

This box I'm configuring has its own public IP, not on 192.168.x.x. 
The SSH, DNS, etc. ports are open to the world as well. 

Oh, should I listen to its Gateway IP instead of 0.0.0.0?

So far I can't get it working on itself. I.e., this is all with the box 
using its own server within itself:

    $ dig +short docs.google.com
    ;; connection timed out; no servers could be reached

The outside world is not involved yet -- I haven't been able to make 
it work on itself first. 
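As an added illustration (not part of this thread and not the dnsmasq project's own documentation), here is the listen-everywhere drop-in quoted above next to a LAN-only variant; the interface names and upstream addresses are assumed placeholders:

```conf
# --- /etc/dnsmasq.d/public.conf: variant quoted in the thread ---
# Nothing here limits who may send queries, so every host that can
# reach port 53 on the public address can use this resolver, which
# is exactly the DNS amplification exposure Albert describes.
listen-address=0.0.0.0
no-dhcp-interface=eth0

# --- /etc/dnsmasq.d/lan-only.conf: restricted variant ---
# local-service answers only queries whose source address lies in a
# subnet attached to one of the host's own interfaces. It is ignored
# whenever an interface= or listen-address= line is present, so it
# must not be combined with the block above.
local-service

# Explicit alternative: pin dnsmasq to the LAN interface (placeholder
# name) and bind only to it; loopback is added automatically.
#interface=eth1
#bind-interfaces
#no-dhcp-interface=eth1

# Upstream resolvers (placeholder addresses) so the box itself can
# resolve without depending on /etc/resolv.conf pointing back at it.
no-resolv
server=192.0.2.53
server=198.51.100.53
```

After a change, `dig @<public-ip> example.com` from a host outside the LAN should time out or be refused, while the same query from inside the LAN is answered.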