[Dnsmasq-discuss] DNSmasq on a VPS instead of bind
Aaron J Weber
aweber at comcast.net
Fri Jan 5 21:23:47 GMT 2007
dnsmasq will read /etc/hosts, so if you just put your local servers in there (if they're static), that'll work fine. Otherwise, if you're using DHCP (not likely for servers, granted) you can reserve the names and ip-addresses for the leases in the conf file too.
If you don't want to edit the files (which I found clean-enough to keep, IMHO), I think the "server=" syntax allows you to specify other nameservers.
To keep the "RED" interface (Internet) from servicing lookups, set "except-interface=eth#" (where "eth#" is the interface name from ifconfig).
Does that help?
-AJ
----- Original Message -----
From: Carl
To: dnsmasq-discuss at lists.thekelleys.org.uk
Sent: Friday, January 05, 2007 3:45 PM
Subject: Re: [Dnsmasq-discuss] DNSmasq on a VPS instead of bind
On 1/5/07, Aaron J Weber <aweber at comcast.net> wrote:
> dnsmasq will be a lot more lightweight to configure/install/maintain (by
> far, IMHO).
Also as far as memory-use and security go, you think?
> For the first two bullets, I've found that setting up a resolv.dnsmasq file
> (in /etc) with the name of the "upstream servers" -- the three external
> IP-Addresses you reference in your first bullet. It's basically your
> current resolv.conf with the name changed.
>
> Then set your actual resolv.conf to:
> nameserver 127.0.0.1
>
> And set the "resolv-file=/etc/resolv.dnsmasq" in the
> dnsmasq.conf file.
Yes, I got that, but I also read you wouldn't even need the dnsmasq
resolv file, and could put them straight in the config? Then I read on, but
never saw it mentioned further, as in:
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this
#no-resolv
So where is 'see below'? I could not find it. It indeed seems silly
to have to resort to separate files for only 2 or 3 IP-addresses that
rarely change, if at all.
> This should keep you from the round-trips -- your localhost should look to
> dnsmasq first for name resolution, and if dnsmasq doesn't find it in the
> cache, dhcp leases (if feature-used), (or in your configured hosts files,
> etc.) it'll then go to the upstream nameservers. If I understood the
> questions correctly! ;)
Well not entirely. Say the mail-server sends mail to an internal
domain, for which I use the same server, shouldn't it stick with
127.0.0.1 instead of even looking for public IP's?
How do I tell this machine or dnsmasq these domains are local?
Or should I use those Alias options for their IP-addresses?
So should I use this:
# Add domains which you want to force to an IP address here.
# The example below send any host in doubleclick.net to a local
# webserver.
#address=/doubleclick.net/127.0.0.1
(and how do I enter more names and more IPs?)
or this:
# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
alias=the.outside.ip.address,127.0.0.1
?
Or does dnsmasq use /etc/hosts for that?
# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
?
By the way, it gets more complicated:
What do I put in the hosts file for each of the served domains?
127.0.0.1 domain.org otherdomain.net localhost localhost.localdomain
or do I also need to add
some.public.ip.address domain.org
some.public.ip.address otherdomain.net
?
> As for being on the internet, your iptables should keep name-resolution
> requests (port 53, right?) blocked from the internet interface, but you can
> also set an ignore for that NIC/interface in the config file to be sure.
Do I use this for that:
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
And then only set
listen-address=127.0.0.1
? Or will something go wrong there?
To me there seem to be a thousand ways to Rome, but I am at a loss
about what actually happens, and mainly looking for the fastest
method, using the least memory/cpu-resources.
Hope to see some more advice,
thanks!
Carl
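As an added example (not from either message in the thread), a dnsmasq.conf fragment that combines the options the two mails discuss: upstream servers placed directly in the config with no-resolv, local zones answered from /etc/hosts via local= (or forced to one IP via address=), and the listener restricted to loopback so the Internet-facing interface is not an open resolver. The IP addresses, domain names and the eth0 interface name are placeholders.

```conf
# Added example dnsmasq.conf; addresses, names and interface are placeholders.

# Upstream resolvers directly in the config, no separate resolv file needed:
# no-resolv stops dnsmasq reading /etc/resolv.conf, each server= line is one upstream.
no-resolv
server=192.0.2.1
server=192.0.2.2

# Zones this box serves itself: never forward them upstream, answer only from
# /etc/hosts (or DHCP leases). A name not present there gets NXDOMAIN rather
# than a public lookup.
local=/domain.org/
local=/otherdomain.net/

# Alternative for a whole zone: address= answers every name under it with one IP
# (the doubleclick.net example from the stock config, pointed at loopback).
#address=/otherdomain.net/127.0.0.1

# Hygiene: do not forward names without a dot or reverse lookups for private space.
domain-needed
bogus-priv

# Serve loopback only. bind-interfaces makes dnsmasq bind 127.0.0.1:53 itself
# instead of the wildcard address and then discarding other traffic.
listen-address=127.0.0.1
bind-interfaces
# Equivalent restriction by interface name rather than address:
#except-interface=eth0
```

With local= in place, the /etc/hosts entry for a name (for example a public address on the domain.org line) is exactly what the mail server will be handed, so that file decides whether internal mail sees 127.0.0.1 or the public IP. After a restart, `netstat -lnu` (or `ss -lnu`) should show port 53 only on 127.0.0.1, and `dig @127.0.0.1 mail.domain.org` should answer from /etc/hosts without any upstream query.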