[Dnsmasq-discuss] Can I set up dnsmasq to act as a local caching recursive DNS server?

/dev/rob0 rob0 at gmx.co.uk
Sat Jun 22 14:19:02 BST 2013

On Sat, Jun 22, 2013 at 09:05:25PM +1000, Robert S wrote:
> I am having difficulties with lookups by spamassassin - I'm
> The query to URIBL was blocked.See 
> http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
> for more information.
> I've been advised that my URIBL query traffic may be
> aggregated with many others and that I need to use a local
> caching recursive DNS server.

This is also true of Spamhaus and other major DNSBLs.

> Is dnsmasq able to do this?  I've been using it for quite a
> few years and am not keen to switch to something else.

This isn't a problem for me, because my mail server is also an 
authoritative NS server, and it runs BIND named. I only run dnsmasq 
in SOHO settings.

That said, I don't trust ISP (nor other external) caches. I set up 
dnsmasq to use a local named listening on an alternate port. The 
dnsmasq.conf (dnsmasq.d/ if you prefer) and named.conf are both 
rather simple:

dnsmasq.conf :

# we use "nameserver" in resolv.conf
# other settings not shown

named.conf :

options {
        directory "/var/named";
        listen-on port 1053 {; };
        # this also lets me control my own DNSSEC
        #dnssec-accept-expired yes;
        dnssec-lookaside auto;
        dnssec-validation auto;

(This assumes a recent enough BIND version for DNSSEC support, which 
is not the case in older RHEL/CentOS and recent OpenBSD.)

Is it overkill to run two daemons which do the same thing? Perhaps, 
but these do not do the same thing. Dnsmasq is a DHCP server and 
authoritative nameserver; named here is only caching/recursive. It 
has long been considered a best practice to separate authoritative 
from caching/recursive name service.
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

More information about the Dnsmasq-discuss mailing list