[Dnsmasq-discuss] DNSmasq on a VPS instead of bind

Carlos Carvalho carlos at fisica.ufpr.br
Sat Jan 6 02:50:14 GMT 2007


Carl (marsepein at gmail.com) wrote on 6 January 2007 02:47:
 ># If you want dnsmasq to provide only DNS service on an interface,
 ># configure it as shown above, and then use the following line to
 ># disable DHCP on it.
 >#no-dhcp-interface=
 >
 >In the above, what do I do?
 >
 >I have two physical network interfaces on the machine:
 >
 >venet0:0 ... inet addr: 88.1x.2x.8x
 >venet0:1 ... inet addr: 88.1x.2x.9x
 >
 >they are both connected to the world and should not allow requests
 >from the outside going in (the other way around is of course needed
 >for cacheing).

 >Then I have the one non-physical interface, 127.0.0.1 i.e. localhost.
 >
 >Which one do I enter what way in the interfaces config?

It seems you want service only on localhost, so you should use

interface=lo
bind-interfaces

 >I also need none of them to echo anything on DHCP.
 >Can I disable DHCP for dnsmasq entirely with a switch?

To enable DHCP you must have a dhcp-range statement in the config. If
you have none there'll be no dhcp service at all.

 >And then, also: Carlos Carvalho <carlos at fisica.ufpr.br> wrote:
 >
 >> Yes, use no-resolv and no-poll, plus server = <ipaddr> in the config.
 >> If you want certain domains answered by certain servers you can do
 >> server = /domain/<ipaddr>.
 >
 >What is the syntax for 3 addresses?

server = /domain1/ip1
server = /domain2/ip2
server = /domain3/ip3

 >> You have to tell the MTA which domains the machine is responsible for,
 >> and then it won't look anywhere and do local delivery directly. The
 >> dns (whatever it is) is not the place to do this.
 >
 >Not only MTAs, there are virus and spamfilters etc.
 >many applications that can throw in a local domain,
 >and then - to me anyway - it's unclear what happens
 >with the resolving if it's a local domain.
 >If it resolves to the public IP, will it then go through the NIC and back?
 >What physical routes do the packets actually take?

This is done by the kernel and probably in different ways for
different OSs. This is not the way to proceed. If you need dns just
for the machine simply tell it to use lo only, as shown above.

 >But does that suffice? Will it block DNS requests from outside?
 >I never really understood that, since packets simply go straight
 >from the NIC address to localhost. At what layer does dnsmasq
 >'block' queries? Does it function as a software firewall in that regard?

This is not done by dnsmasq, and has nothing to do with firewalls;
it's done by the kernel. If a program binds to a given interface the
kernel only delivers to that program the bits that come through that
interface.

This kind of filtering is better done by a firewall because you have
all the control in a single place, and it's done directly by the
kernel, which is more efficient. Doing the selection by the program is
a second line of defense.
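The last two paragraphs say that the filtering happens in the kernel's socket lookup, not in dnsmasq and not in a firewall. The following script, added here to illustrate that point and not code from the thread or from dnsmasq, shows it directly: a UDP socket bound only to 127.0.0.1 never sees a datagram sent to a different local address, while a wildcard (0.0.0.0) socket does. It assumes Linux, where every 127.0.0.0/8 address is local to lo, so 127.0.0.2 stands in for the VPS's public venet0:0 address; the query bytes, the address constants and the function names are constructed for the example.

```python
"""Added example: a resolver bound to 127.0.0.1 versus one bound to 0.0.0.0.

Stand-alone demonstration written for this page, not dnsmasq code.
Assumes Linux (127.0.0.0/8 is entirely local to lo); 127.0.0.2 plays the
role of the public address 88.1x.2x.8x in the thread.
"""
import socket

# Constructed DNS query: id 0x1234, RD set, one question: example.com. IN A.
SAMPLE_QUERY = bytes.fromhex(
    "1234" "0100" "0001" "0000" "0000" "0000"
    "076578616d706c6503636f6d00" "0001" "0001"
)

# Stand-ins for the addresses in the thread (constructed for this example).
LOOPBACK = "127.0.0.1"      # what interface=lo plus bind-interfaces binds to
WILDCARD = "0.0.0.0"        # dnsmasq's default: one socket for every address
OTHER_LOCAL = "127.0.0.2"   # plays the role of the public venet0:0 address


def delivered(listen_addr, target_addr, timeout=1.0):
    """Return True if a datagram sent to target_addr reaches a UDP socket
    bound to listen_addr on the same port.

    The server socket is bound first (port chosen by the kernel), then a
    client sends SAMPLE_QUERY to that port on target_addr. Whether it
    arrives is decided by the kernel's socket lookup alone; the "server"
    does no filtering of its own.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.bind((listen_addr, 0))
        port = srv.getsockname()[1]
        srv.settimeout(timeout)
        try:
            cli.sendto(SAMPLE_QUERY, (target_addr, port))
        except OSError:
            # No route to target_addr (e.g. 127.0.0.2 on a non-Linux host):
            # nothing can be delivered either way.
            return False
        try:
            data, _peer = srv.recvfrom(512)
        except socket.timeout:
            return False
        return data == SAMPLE_QUERY
    finally:
        cli.close()
        srv.close()


def exposure_report():
    """The three cases that matter for the VPS described in the thread."""
    return {
        "loopback-bound, query via 127.0.0.1": delivered(LOOPBACK, LOOPBACK),
        "loopback-bound, query via other address": delivered(LOOPBACK, OTHER_LOCAL),
        "wildcard-bound, query via other address": delivered(WILDCARD, OTHER_LOCAL),
    }


if __name__ == "__main__":
    for case, reached in exposure_report().items():
        print(f"{case}: {'delivered' if reached else 'not delivered'}")
```

Two practical notes. Without bind-interfaces, dnsmasq opens the wildcard socket and discards queries that arrive on interfaces it was not told to serve in its own code, which is the "selection by the program" case above; with bind-interfaces (or listen-address=127.0.0.1) the socket is bound to the loopback address and the kernel never hands the datagram to dnsmasq at all. Either way the packet still reaches the host and the kernel answers with an ICMP port-unreachable, so a firewall rule dropping inbound UDP/53 on the public addresses remains the primary control, with the binding as the second line of defense the message describes.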
