[Dnsmasq-discuss] DNSmasq on a VPS instead of bind

Carlos Carvalho carlos at fisica.ufpr.br
Fri Jan 5 21:14:03 GMT 2007


Carl (marsepein at gmail.com) wrote on 5 January 2007 21:45:
 >On 1/5/07, Aaron J Weber <aweber at comcast.net> wrote:
 >> dnsmasq will be a lot more lightweight to configure/install/maintain (by
 >> far, IMHO).
 >
 >Also as far as memory-use and security go, you think?

In memory surely. I think in security it should be at least
equivalent. It changes to another user, so it cannot do harm except
for consuming memory/cpu, which you can limit with limits, or by
stopping it. It's much smaller and written in a direct way, so it's
easier to audit.

 >> For the first two bullets, I've found that setting up a resolv.dnsmasq file
 >> (in /etc) with the name of the "upstream servers" -- the three external
 >> IP-Addresses you reference in your first bullet.  It's basically your
 >> current resolv.conf with the name changed.
 >>
 >> Then set your actual resolv.conf to:
 >> nameserver 127.0.0.1
 >>
 >> And set the "resolv-file=/etc/resolv.dnsmasq" in the
 >> dnsmasq.conf file.
 >
 >Yes, I got that, but I also read you wouldn't even need the dnsmasq
 >resolv file, and put them straight in the config?

Yes, use no-resolv and no-poll, plus server = <ipaddr> in the config.
If you want certain domains answered by certain servers you can do
server = /domain/<ipaddr>.

 >Well not entirely. Say the mail-server sends mail to an internal
 >domain, for which I use the same server, shouldn't it stick with
 >127.0.0.1 instead of even looking for public IPs?
 >How do I tell this machine or dnsmasq these domains are local?
 >Or should I use those alias options for their IP-addresses?

You have to tell the MTA which domains the machine is responsible for,
and then it won't look anywhere else and will do local delivery
directly. The DNS (whatever it is) is not the place to do this.

 >So should I use this:
 >
 ># Add domains which you want to force to an IP address here.
 ># The example below send any host in doubleclick.net to a local
 ># webserver.
 >#address=/doubleclick.net/127.0.0.1
 >
 >(and how do I enter more names and more IPs?)

Use other address lines, but as I said I don't recommend it in this case.

 >Or does dnsmasq use /etc/hosts for that?

It always uses /etc/hosts first, if not disabled.

 >> As for being on the internet, your iptables should keep name-resolution
 >> requests (port 53, right?) blocked from the internet interface, but you can
 >> also set an ignore for that NIC/interface in the config file to be sure.
 >
 >Do I use this for that:
 >
 ># Or which to listen on by address (remember to include 127.0.0.1 if
 ># you use this.)
 >#listen-address=
 >
 >And then only set
 >
 >listen-address=127.0.0.1

That's fine.

 >To me there seem to be a thousand ways to Rome, but I am at a loss
 >about what actually happens, and mainly looking for the fastest
 >method, using the least memory/cpu-resources.

Sometimes the same thing happens even if you use different ways to
configure it. For example, using listen-address, interfaces or
except-interfaces will make the program take the same actions in a
simple case. The differences appear in more complicated situations
only.
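The thread settles on a handful of dnsmasq.conf options: no-resolv and no-poll with explicit server= lines instead of a resolv.dnsmasq file, server=/domain/<ip> for per-domain forwarding, address=/domain/<ip> for forced answers, and listen-address=127.0.0.1 so the daemon only answers on loopback. The following is an added example, not code from the list or from the dnsmasq project: a small linter that reads a config in that style and catches the two mistakes the thread warns about (no-resolv with nothing to forward to, and a listen-address list that omits 127.0.0.1 while resolv.conf points at 127.0.0.1). The embedded configuration is constructed for the example; the 192.0.2.x upstream addresses are documentation-range placeholders, not real resolvers.

```python
"""Lint a dnsmasq.conf for the forwarding and listening settings discussed above.

Checks:
 - no-resolv without any server= line leaves dnsmasq with no upstream
 - listen-address, when used, must include 127.0.0.1, or the local
   "nameserver 127.0.0.1" in resolv.conf stops working
 - server= and address= values must be <ip> or /<domain>/<ip>
"""
import ipaddress
import re

# Constructed sample configuration (placeholder addresses from 192.0.2.0/24).
SAMPLE_CONF = """\
# don't read /etc/resolv.conf, and don't poll it for changes
no-resolv
no-poll
# upstream resolvers, in place of a resolv.dnsmasq file
server=192.0.2.10
server=192.0.2.11
# hand queries for an internal zone to a dedicated server
server=/example.internal/192.0.2.53
# only answer queries arriving on loopback
listen-address=127.0.0.1
"""


def parse_conf(text):
    """Return (key, value) tuples; flag-only options such as no-resolv get value None."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        entries.append((key.strip(), value.strip() if sep else None))
    return entries


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _valid_target(key, value):
    """Accept <ip> for server=, and /<domain>/<ip> for both server= and address=."""
    match = re.fullmatch(r"/([^/]+)/(.*)", value)
    if match:
        target = match.group(2)
        # An empty target is a valid dnsmasq form (the domain is not forwarded).
        return target == "" or _valid_ip(target)
    return key == "server" and _valid_ip(value)


def lint(text):
    """Return a list of findings; an empty list means the config passes."""
    entries = parse_conf(text)
    keys = {k for k, _ in entries}
    findings = []

    servers = [v for k, v in entries if k == "server"]
    if "no-resolv" in keys and not servers:
        findings.append("no-resolv set but no server= lines: nothing to forward to")

    for key, value in entries:
        if key in ("server", "address"):
            if value is None or not _valid_target(key, value):
                findings.append(f"{key}={value!r}: expected <ip> or /<domain>/<ip>")

    listens = [v for k, v in entries if k == "listen-address"]
    if listens and "127.0.0.1" not in listens:
        findings.append(
            "listen-address set without 127.0.0.1: a resolv.conf pointing at "
            "127.0.0.1 will get no answers"
        )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["config passes"]:
        print(finding)
```

Run it against a real file by replacing SAMPLE_CONF with the contents of /etc/dnsmasq.conf; the checks are deliberately limited to the options the thread covers, so a clean result means only that those particular settings are consistent, not that the whole file is valid.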


