Setting up a local name server with dnsmasq on Ubuntu 14.04

1 Edit the dnsmasq configuration file /etc/dnsmasq.conf

Append the following at the bottom of /etc/dnsmasq.conf:

#++++++++++++++++++++++++++++++++++++++++
# Change this line if you want dns to get its upstream servers from
# somewhere other than /etc/resolv.conf
resolv-file=/etc/dnsmasq/resolv.conf   ## read the upstream DNS server addresses from /etc/dnsmasq/resolv.conf

# By default, dnsmasq will send queries to any of the upstream servers it
# knows about and tries to favour servers that are known to be up.
# Uncommenting this forces dnsmasq to try each query with each server
# strictly in the order they appear in /etc/resolv.conf (here: the resolv-file set above)
strict-order

 

# Or which to listen on by address (remember to include 127.0.0.1 if you use this.)

listen-address=192.168.145.131,127.0.0.1

 

# For debugging purposes, log each DNS query as it passes through dnsmasq.

log-queries

 

# If you don't want dnsmasq to read /etc/hosts, uncomment the following line.

no-hosts

# or if you want it to read another file, as well as /etc/hosts, use this.

addn-hosts=/etc/dnsmasq/hosts.conf

 

listen-address=127.0.0.1 means this dnsmasq instance serves only the local machine.

Note: if other hosts on the LAN should use this dnsmasq as well, add the machine's LAN address: listen-address=192.168.1.123,127.0.0.1 (and unless you also set bind-interfaces, dnsmasq still binds port 53 on the wildcard address and merely discards queries arriving on other interfaces; see the DHCP section below).

 

2 Keep /etc/resolv.conf pointing at the local name server

grid_hd@hadoop1:~$ cat /etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)

# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

nameserver 127.0.0.1 ## resolve through the local cache first; on a miss dnsmasq forwards to the upstream servers listed in /etc/dnsmasq/resolv.conf. This file is generated by resolvconf, so do not hand-edit it: the dnsmasq init script registers 127.0.0.1 with resolvconf for the loopback interface, which is where this line comes from.

 

3 Configure the real upstream DNS server addresses

grid_hd@hadoop1:~$ cat /etc/dnsmasq/resolv.conf

nameserver 192.168.145.2

nameserver 8.8.8.8

nameserver 8.8.4.4

 

4 After installation, the dnsmasq init script by default passes /var/run/dnsmasq/resolv.conf (the resolvconf-generated file) as the upstream name server list

grid_hd@hd1:~$ ps -ef | grep dns

dnsmasq 1601 1 0 19:30 ? 00:00:00 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -r /var/run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d

 

On this machine /var/run/dnsmasq/resolv.conf was empty, so dnsmasq had no upstream servers at all.

 

To make the dnsmasq daemon load our own upstream list /etc/dnsmasq/resolv.conf at startup, there are two approaches:

1) Disable dnsmasq's boot-time start and start it by hand with the file given explicitly.

Disable the default boot-time start:

sudo apt-get install sysv-rc-conf

sudo sysv-rc-conf

 

 

/etc/rc.local runs at the end of each multi-user runlevel, so the manual start can go there:

grid_hd@hadoop1:~$ sudo cat /etc/rc.local

#!/bin/sh -e

#

# rc.local

#

# This script is executed at the end of each multiuser runlevel.

# Make sure that the script will "exit 0" on success or any other value on error.

#

# In order to enable or disable this script just change the execution bits.

#

# By default this script does nothing.

 

dnsmasq -u dnsmasq -r /etc/dnsmasq/resolv.conf   ## start by hand with our upstream list; /etc/dnsmasq.conf is still read, but "service dnsmasq" no longer manages this instance

 

exit 0

 

grid_hd@hadoop1:~/Desktop$ ps -ef | grep dnsmasq

nobody 1958 1 0 19:00 ? 00:00:00 dnsmasq -u dnsmasq -r /etc/dnsmasq/resolv.conf ## the specified upstream list file is now loaded

 

2) Edit dnsmasq's environment file and uncomment IGNORE_RESOLVCONF=yes

Excerpt from /etc/init.d/dnsmasq:

# RESOLV_CONF:

# If the resolvconf package is installed then use the resolv conf file that it provides as the default.

# Otherwise use /etc/resolv.conf as the default.

#

# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit filename is set there

# then this inhibits the use of the resolvconf-provided information.

#

# Note that if the resolvconf package is installed

# it is not possible to override it just by configuration in /etc/dnsmasq.conf,

# it is necessary to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.

 

if [ ! "$RESOLV_CONF" ] &&

[ "$IGNORE_RESOLVCONF" != "yes" ] &&

[ -x /sbin/resolvconf ]

then

    RESOLV_CONF=/var/run/dnsmasq/resolv.conf

fi

 

Contents of /etc/default/dnsmasq:

# This file has five functions:

# 1) to completely disable starting dnsmasq,

# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`

# 3) to select an alternative config file

# by setting DNSMASQ_OPTS to --conf-file=<file>

# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for more configuration variables.

# 5) to stop the resolvconf package from controlling dnsmasq's idea of which upstream nameservers to use.

#

# For upgraders from very old versions,

# all the shell variables set here in previous versions are still honored by the init script

# so if you just keep your old version of this file nothing will break.

 

#DOMAIN_SUFFIX=`dnsdomainname`

#DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"

 

# Whether or not to run the dnsmasq daemon; set to 0 to disable.

ENABLED=1

 

# By default search this drop directory for configuration options.

# Libvirt leaves a file here to make the system dnsmasq play nice.

# Comment out this line if you don't want this. The dpkg-* are file

# endings which cause dnsmasq to skip that file. This avoids pulling

# in backups made by dpkg.

CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new

 

# If the resolvconf package is installed, dnsmasq will use its output rather than the contents of /etc/resolv.conf to find upstream nameservers.


# Uncommenting this line inhibits this behaviour.

# Note that including a "resolv-file=<filename>" line in

# /etc/dnsmasq.conf is not enough to override resolvconf if it is

# installed: the line below must be uncommented.

IGNORE_RESOLVCONF=yes

 

grid_hd@hd1:~$ sudo service dnsmasq restart

* Restarting DNS forwarder and DHCP server dnsmasq [ OK ]

grid_hd@hd1:~$ ps -ef | grep dns

dnsmasq 3365 2653 0 19:48 ? 00:00:00 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new

grid_hd 3411 3208 0 19:48 pts/12 00:00:00 grep --color=auto dns
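The two fixes above (a listen-address that still includes 127.0.0.1, and IGNORE_RESOLVCONF=yes so that resolv-file actually takes effect) fail silently when forgotten, so here is a small lint script as an added example; it is not part of dnsmasq or of the original notes. It assumes the Debian/Ubuntu layout used on this page (resolvconf installed, /etc/default/dnsmasq carrying CONFIG_DIR) and writes its own constructed sample files into a temporary directory, so it runs without touching the system.

```shell
#!/bin/sh
# Added example (not from the original page or the dnsmasq project): lint a
# dnsmasq.conf together with /etc/default/dnsmasq for the pitfalls discussed
# above. Assumes a Debian/Ubuntu system with the resolvconf package installed,
# where resolv-file is only honoured once IGNORE_RESOLVCONF=yes is set.

warn() { printf 'WARN: %s\n' "$*" >&2; }

# has_opt FILE NAME: true if NAME is set (as a flag or NAME=value), ignoring comments
has_opt() {
    grep -qE "^[[:space:]]*$2([[:space:]]*=|[[:space:]]*(#|\$))" "$1" 2>/dev/null
}

# opt_value FILE NAME: values of every NAME=... line, joined with commas
opt_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*#.*$//; s/[[:space:]]//g' \
        | tr '\n' ',' | sed 's/,$//'
}

# lint_dnsmasq_conf CONF DEFAULTS: findings on stderr, their count on stdout
lint_dnsmasq_conf() {
    conf=$1; defaults=$2; n=0

    la=$(opt_value "$conf" listen-address)
    if [ -n "$la" ]; then
        case ",$la," in
            *,127.0.0.1,*) ;;
            *) warn "listen-address=$la lacks 127.0.0.1: local processes that use nameserver 127.0.0.1 get no answers"
               n=$((n + 1)) ;;
        esac
        if ! has_opt "$conf" bind-interfaces; then
            warn "listen-address without bind-interfaces: port 53 is still bound on the wildcard address"
            n=$((n + 1))
        fi
    fi

    if has_opt "$conf" resolv-file && ! has_opt "$conf" no-resolv; then
        if ! grep -qE '^[[:space:]]*IGNORE_RESOLVCONF=yes' "$defaults" 2>/dev/null; then
            warn "resolv-file is set but $defaults lacks IGNORE_RESOLVCONF=yes: the init script passes -r /var/run/dnsmasq/resolv.conf instead"
            n=$((n + 1))
        fi
    fi

    # CONFIG_DIR is a conf-dir: a hosts-format file inside it is parsed as options
    confdir=$(grep -E '^[[:space:]]*CONFIG_DIR=' "$defaults" 2>/dev/null \
              | tail -n 1 | sed -E 's/^[^=]*=//; s/,.*//')
    [ -n "$confdir" ] || confdir=/etc/dnsmasq.d
    ah=$(opt_value "$conf" addn-hosts)
    case "$ah" in
        "$confdir"/*)
            warn "addn-hosts=$ah lives inside conf-dir $confdir and would be read as dnsmasq options"
            n=$((n + 1)) ;;
    esac

    echo "$n"
}

# make_samples DIR: constructed before/after files (not copies of real system files)
make_samples() {
    cat >"$1/weak.conf" <<'EOF'
resolv-file=/etc/dnsmasq/resolv.conf
strict-order
listen-address=192.168.145.131
log-queries
no-hosts
addn-hosts=/etc/dnsmasq.d/hosts.conf
EOF
    cat >"$1/weak.default" <<'EOF'
ENABLED=1
CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
#IGNORE_RESOLVCONF=yes
EOF
    cat >"$1/fixed.conf" <<'EOF'
resolv-file=/etc/dnsmasq/resolv.conf
strict-order
listen-address=192.168.145.131,127.0.0.1
bind-interfaces
no-hosts
addn-hosts=/etc/dnsmasq/hosts.conf
EOF
    cat >"$1/fixed.default" <<'EOF'
ENABLED=1
CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
IGNORE_RESOLVCONF=yes
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "weak config:  $(lint_dnsmasq_conf "$tmp/weak.conf" "$tmp/weak.default") finding(s)"
echo "fixed config: $(lint_dnsmasq_conf "$tmp/fixed.conf" "$tmp/fixed.default") finding(s)"
rm -rf "$tmp"
```

Against the real files, run lint_dnsmasq_conf /etc/dnsmasq.conf /etc/default/dnsmasq; a count of 0 means none of the pitfalls above were found. The bind-interfaces warning corresponds to the "paranoid" option in the DHCP section below: without it dnsmasq binds the wildcard address and relies on discarding packets that arrive on other interfaces.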

 

=====

-r, --resolv-file=<file>

Read the IP addresses of the upstream nameservers from <file>, instead of /etc/resolv.conf.

For the format of this file see resolv.conf(5).

The only lines relevant to dnsmasq are nameserver ones.

Dnsmasq can be told to poll more than one resolv.conf file, the first file name specified overrides the default, subsequent ones add to the list.

This is only allowed when polling; the file with the currently latest modification time is the one used.

-R, --no-resolv

Don't read /etc/resolv.conf.

Get upstream servers only from the command line or the dnsmasq configuration file.

 

Dnsmasq provides DNS caching and DHCP service.

As a DNS server, dnsmasq speeds up connections to previously visited sites by caching DNS answers.

As a DHCP server, dnsmasq hands out internal IP addresses and routes to LAN machines; the DNS and DHCP functions can be used together or separately.

dnsmasq is lightweight and easy to configure, and it also ships with a PXE server.

This section gives practical usage notes for both functions, drawn from my own experience and that of others.

The default dnsmasq configuration file offers many options and is very flexible in how it can be set up.

It covers most of what DNS and DHCP are used for.

It can serve names that are only valid locally and never appear in the global DNS (private domains).

The DHCP server is combined with the DNS server so that DHCP-assigned addresses resolve correctly in DNS; the assignments can be configured on each host or on one central device (such as a router), and dnsmasq supports both static and dynamic DHCP.

Normally bind handles DNS and dhcpd handles DHCP; dnsmasq is useful for the following maintenance problems:

1. Many machines on the LAN need a consistent hosts file and you keep maintaining that list.
2. You want to intercept LAN access to some domain and send it to a chosen IP, for caching to save bandwidth or for some other purpose; the local custom DNS takes priority.
3. You want to block normal resolution of a domain.

---------------------------
DNS configuration

Run dnsmasq as a daemon on this machine as a DNS cache; edit /etc/dnsmasq.conf and add the listen address:
listen-address=127.0.0.1

If this machine is to be the default DNS for a group of hosts, it needs a fixed IP address:
listen-address=192.168.1.1 # Example IP

The other hosts then use this IP as their DNS server (in /etc/resolv.conf).

resolv-file=/etc/resolv.dnsmasq

specifies where dnsmasq obtains its upstream DNS servers; by default it reads /etc/resolv.conf.

Configure dnsmasq's upstream DNS servers (since this is only a cache, it still needs upstream servers as the source of resolution).

addn-hosts specifies an additional file of "address hostname" records to read; by default only the system file /etc/hosts is used. Configure the system's DNS servers so that dnsmasq is consulted first.

1. First set resolv-file=/etc/resolv.dnsmasq

This makes dnsmasq read its upstream server list from the specified file rather than from the machine's resolv.conf; if the machine gets its address via DHCP, resolv.conf is easily rewritten, which would otherwise change what dnsmasq forwards to.

The system looks up the local dnsmasq first. With strict-order uncommented, the servers in the resolv-file are tried strictly from top to bottom until one answers successfully.

2. no-hosts is commented out by default: dnsmasq first consults the local hosts file, then its cache, and finally the upstream DNS servers.

addn-hosts adds extra hosts files. This makes dnsmasq a very good relay in front of external DNS.

3. listen-address=127.0.0.1,192.168.0.1 lists the addresses dnsmasq listens on; 127.0.0.1 is the machine itself, and to serve other hosts add the address of the corresponding interface.

4. Other options:
cache-size=1024 sets the cache size (number of entries)

log-queries logs every client query via syslog (on Ubuntu it ends up in /var/log/syslog, as in the log excerpt below); it records every name each client asks for, so treat it as a debugging setting.

5. Client configuration: using the DNS service configured above

Edit /etc/resolv.conf on the client to 'nameserver 192.168.0.1' (the address of the internal DNS, i.e. the dnsmasq host).
Test from the client with nslookup www.freeoa.net and check the returned IP, or use dig.

6 Custom host name to IP mappings, on the host running the DNS service

First add two lines to '/etc/hosts':
192.168.0.1 gateway
192.168.0.8 home.freeoa.net


Edit dnsmasq.conf and find the following lines:
# Add local-only domains here, queries in these domains are answered from /etc/hosts or DHCP only.
local=/localnet/

# Add domains which you want to force to an IP address here. ## domains you want forced to a given IP address
# The example below send any host in doubleclick.net to a local webserver.
#address=/doubleclick.net/127.0.0.1 ## any host under doubleclick.net is pointed at a local web server
address=/163.com/192.168.0.2

Restart dnsmasq and test from another machine on the LAN with dig.
$ dig gateway

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> gateway
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43215
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gateway.            IN    A

;; ANSWER SECTION:
gateway.        0    IN    A    192.168.0.1

;; Query time: 2 msec

Because the machine's default DNS server is the one running dnsmasq, the query above succeeds; the aa flag and TTL 0 show that dnsmasq answered from /etc/hosts itself rather than forwarding.

$ dig gateway @8.8.8.8

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> gateway @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31552
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;gateway.            IN    A

;; AUTHORITY SECTION:
.            910    IN    SOA    a.root-servers.net. nstld.verisign-grs.com. 2014041000 1800 900 604800 86400

;; Query time: 35 msec


Above is the result from Google's DNS, which clearly does not know the name. The 'Query time' also shows the difference in latency: the dnsmasq answer is a LAN round trip (2 msec) while the upstream query took 35 msec, and cached answers are served at LAN speed as well.

Now the intercepted and rewritten DNS record:

$ dig home.freeoa.net
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> home.freeoa.net

;; QUESTION SECTION:
;home.freeoa.net.        IN    A

;; ANSWER SECTION:
home.freeoa.net.    0    IN    A    192.168.0.8 ## internal NAT address

 


$ dig home.freeoa.net @8.8.4.4

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> home.freeoa.net @8.8.4.4

;; QUESTION SECTION:
;home.freeoa.net.        IN    A

;; ANSWER SECTION:
home.freeoa.net.    199    IN    A    180.158.255.10 ## public address
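To make the comparison above repeatable, the following added example (not from the original page) classifies a name from two dig transcripts: the answer from the local dnsmasq and the answer from an upstream resolver. The transcripts are constructed from the ones shown above and trimmed to the header, flags and ANSWER lines; on a live host you would feed it the output of dig NAME @127.0.0.1 and dig NAME @8.8.8.8.

```shell
#!/bin/sh
# Added example (not from the original page): tell whether a name was answered
# locally by dnsmasq (hosts file or address=/domain/ override) or forwarded, by
# inspecting dig output. The transcripts are constructed from the page's own,
# trimmed to the lines the functions look at.

GATEWAY_LOCAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43215
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
gateway.        0    IN    A    192.168.0.1

;; Query time: 2 msec'

GATEWAY_UPSTREAM=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31552
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
.            910    IN    SOA    a.root-servers.net. nstld.verisign-grs.com. 2014041000 1800 900 604800 86400'

HOME_LOCAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
home.freeoa.net.    0    IN    A    192.168.0.8'

HOME_UPSTREAM=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
home.freeoa.net.    199    IN    A    180.158.255.10'

# dig_status: status field of the header line (NOERROR, NXDOMAIN, ...); reads stdin
dig_status() { sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }

# dig_has_flag FLAG: true if FLAG (aa, rd, ra, ...) is present in the flags line
dig_has_flag() { grep -qE "^;; flags:.*[ ]$1[ ;]"; }

# dig_a_records: addresses of the A records in the ANSWER SECTION, one per line
dig_a_records() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^;;/ || /^$/         { in_ans = 0 }
         in_ans && $4 == "A"   { print $5 }'
}

# dig_answer_ttl: TTL of the first A record; dnsmasq serves hosts/address= data with TTL 0
dig_answer_ttl() {
    awk '/^;; ANSWER SECTION:/ { f = 1; next } f && $4 == "A" { print $2; exit }'
}

# classify_view LOCAL_OUTPUT UPSTREAM_OUTPUT prints one of:
#   local-only      dnsmasq answers, upstream says NXDOMAIN (hosts-only name such as gateway)
#   local-override  both answer, with different addresses (address= or hosts override)
#   forwarded       both sides agree (dnsmasq forwarded or served from cache)
classify_view() {
    lstat=$(printf '%s\n' "$1" | dig_status)
    ustat=$(printf '%s\n' "$2" | dig_status)
    laddr=$(printf '%s\n' "$1" | dig_a_records)
    uaddr=$(printf '%s\n' "$2" | dig_a_records)
    if [ "$lstat" = NOERROR ] && [ "$ustat" = NXDOMAIN ]; then
        echo local-only
    elif [ -n "$laddr" ] && [ "$laddr" != "$uaddr" ]; then
        echo local-override
    else
        echo forwarded
    fi
}

echo "gateway:         $(classify_view "$GATEWAY_LOCAL" "$GATEWAY_UPSTREAM")"
echo "home.freeoa.net: $(classify_view "$HOME_LOCAL" "$HOME_UPSTREAM")"
```

The aa flag and a TTL of 0 are the tell-tale signs that dnsmasq answered from its own data rather than from an upstream reply; checking them is a quick way to confirm that an address=/domain/ line or hosts entry is really taking effect before pointing clients at the server.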



---------------------------
DHCP configuration

The necessary settings in the dnsmasq configuration file (/etc/dnsmasq.conf):

# Choose the interface to listen on
# Only listen to routers' LAN NIC.
# Doing so opens up tcp/udp port 53 to localhost and udp port 67 to world:
interface=<LAN-NIC>

# dnsmasq will open tcp/udp port 53 and udp port 67 to world to help with dynamic interfaces (assigning dynamic ips).
# Dnsmasq will discard world requests to them,
# but the paranoid might like to close them and let the kernel handle them:
# bind-interfaces


# Dynamic range of IPs to make available to LAN pc # the pool of addresses to hand out and the lease time
dhcp-range=192.168.1.50,192.168.1.100,12h

# Bind certain machines' MAC addresses to fixed IP addresses
# If you'd like to have dnsmasq assign static IPs, bind the LAN computer's NIC MAC address:
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.1.50
dhcp-host=00:0e:7b:ca:1c:6e,daunbook,192.168.0.12 # also sets the host name daunbook for 192.168.0.12 (the address must lie in a subnet dnsmasq serves)


Summary of the relevant options:
expand-hosts
domain=freeoa.net
dhcp-range=192.168.0.20,192.168.0.100,12h
dhcp-option=3,192.168.0.1

These options enable the DHCP service and set the domain to "freeoa.net".

DHCP serves the range 192.168.0.20 to 192.168.0.100 with a lease time of 12 hours. The last option (DHCP option 3) sets the default gateway.
For a static address, use the dhcp-host option:
dhcp-host=00:0e:7b:ca:1c:6e,daunbook,192.168.0.12
This gives the MAC address 00:0e:7b:ca:1c:6e the host name daunbook (.freeoa.net) and the IP address 192.168.0.12.


Another dnsmasq feature is a built-in TFTP server, which makes network boot (PXE) possible. It can also set a default MX record, supports several kinds of caching, and can serve SRV records for LDAP, as well as PTR, SPF and even zeroconf records.


Testing
Run a DNS query and measure the response time:
$ dig archlinux.org | grep "Query time"

 

Check the log in /var/log/syslog (log-queries is enabled above):

Jul 29 22:04:57 hadoop1 dnsmasq[3805]: query[A] hadoop1 from 172.17.0.2

Jul 29 22:04:57 hadoop1 dnsmasq[3805]: /etc/hosts hadoop1 is 192.168.145.131

Jul 29 22:04:57 hadoop1 dnsmasq[3805]: query[PTR] 131.145.168.192.in-addr.arpa from 172.17.0.2

Jul 29 22:04:57 hadoop1 dnsmasq[3805]: /etc/hosts 192.168.145.131 is hadoop1.asn.cn
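With log-queries on, syslog lines like the ones above are the raw material for simple monitoring. The following is an added example, not from the original page: it summarises constructed log lines in the same format (queries per client, where the answers came from, and which clients hit an address=/domain/ override such as the doubleclick.net sinkhole). Attributing a "config" answer to a client relies on dnsmasq logging a query and its answer back to back, which is an assumption that becomes approximate under heavy load.

```shell
#!/bin/sh
# Added example (not from the original page): summarise dnsmasq log-queries
# output. The lines below are constructed in the format shown above
# ("query[TYPE] NAME from CLIENT", followed by the answer source line:
# /etc/hosts, config, cached, forwarded, reply); they are not a real capture.

LOG='Jul 29 22:04:57 hadoop1 dnsmasq[3805]: query[A] hadoop1 from 172.17.0.2
Jul 29 22:04:57 hadoop1 dnsmasq[3805]: /etc/hosts hadoop1 is 192.168.145.131
Jul 29 22:04:57 hadoop1 dnsmasq[3805]: query[PTR] 131.145.168.192.in-addr.arpa from 172.17.0.2
Jul 29 22:04:57 hadoop1 dnsmasq[3805]: /etc/hosts 192.168.145.131 is hadoop1.asn.cn
Jul 29 22:05:01 hadoop1 dnsmasq[3805]: query[A] ad.doubleclick.net from 192.168.145.50
Jul 29 22:05:01 hadoop1 dnsmasq[3805]: config ad.doubleclick.net is 127.0.0.1
Jul 29 22:05:03 hadoop1 dnsmasq[3805]: query[A] www.example.com from 192.168.145.50
Jul 29 22:05:03 hadoop1 dnsmasq[3805]: forwarded www.example.com to 192.168.145.2
Jul 29 22:05:03 hadoop1 dnsmasq[3805]: reply www.example.com is 192.0.2.10
Jul 29 22:05:10 hadoop1 dnsmasq[3805]: query[A] www.example.com from 192.168.145.77
Jul 29 22:05:10 hadoop1 dnsmasq[3805]: cached www.example.com is 192.0.2.10
Jul 29 22:05:12 hadoop1 dnsmasq[3805]: query[A] ad.doubleclick.net from 192.168.145.77
Jul 29 22:05:12 hadoop1 dnsmasq[3805]: config ad.doubleclick.net is 127.0.0.1'

# Field layout of a syslog line: $1-$3 timestamp, $4 host, $5 "dnsmasq[pid]:",
# $6 record kind, then "NAME from CLIENT" / "NAME is ADDR" / "NAME to SERVER".

# queries_per_client: "CLIENT COUNT" for every source address, sorted
queries_per_client() {
    awk '$6 ~ /^query\[/ { n[$9]++ } END { for (c in n) print c, n[c] }' | sort
}

# answer_sources: how many answers came from a hosts file (logged by path),
# from address=/domain/ config, from the cache, or were forwarded upstream
answer_sources() {
    awk '$6 ~ /^\// || $6 == "config" || $6 == "cached" || $6 == "forwarded" { n[$6]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# sinkhole_hits: "CLIENT NAME -> ADDR" for answers served from an address=
# line. dnsmasq logs the query and its answer consecutively, so the most
# recent query for NAME is attributed to the config answer (assumption).
sinkhole_hits() {
    awk '$6 ~ /^query\[/ { client[$7] = $9 }
         $6 == "config"  { print client[$7], $7, "->", $9 }'
}

echo "== queries per client";          printf '%s\n' "$LOG" | queries_per_client
echo "== answer sources";              printf '%s\n' "$LOG" | answer_sources
echo "== address= (sinkhole) hits";    printf '%s\n' "$LOG" | sinkhole_hits
```

On a real host replace the constant with grep 'dnsmasq\[' /var/log/syslog; a client that repeatedly hits a sinkholed name is worth a look, since the override hides the failure from the client and the log is the only place it shows up.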

============================================

 

参考 http://blogging.dragon.org.uk/howto-setup-dnsmasq-as-dns-dhcp/

HOWTO: Setup dnsmasq as DNS DHCP

dnsmasq is a lightweight DNS, TFTP, PXE, router advertisement and DHCP server.  

It is intended to provide coupled DNS and DHCP service to a LAN. 

Dnsmasq accepts DNS queries and either answers them from a small, local, cache or forwards them to a real, recursive, DNS server.


 

It loads the contents of /etc/hosts so that local hostnames which do not appear in the global DNS can be resolved and also answers DNS queries for DHCP configured hosts.


It can also act as the authoritative DNS server for one or more domains, allowing local names to appear in the global DNS.


The dnsmasq DHCP server supports static address assignments and multiple networks.

It automatically sends a sensible default set of DHCP options, and can be configured to send any desired set of DHCP options, including vendor-encapsulated options.

It includes a secure, read-only, TFTP server to allow net/PXE boot of DHCP hosts and also supports BOOTP.

The PXE support is full featured, and includes a proxy mode which supplies PXE information to clients whilst DHCP address allocation is done by another server.

The dnsmasq DHCPv6 server provides the same set of features as the DHCPv4 server,

and in addition, it includes router advertisements and a neat feature which allows naming for clients which use DHCPv4 and stateless auto-configuration only for IPv6 configuration.

There is support for doing address allocation (both DHCPv6 and RA) from subnets which are dynamically delegated via DHCPv6 prefix delegation.

Dnsmasq is coded with small embedded systems in mind.

It aims for the smallest possible memory footprint compatible with the supported functions, and allows unneeded functions to be omitted from the compiled binary.

In short, IT IS EXCELLENT!!

Installing dnsmasq is just a case of using apt-get or yum

sudo apt-get install dnsmasq

Looking at the file /etc/dnsmasq.conf first.

The lines listed are those that I changed from their defaults.

Just uncomment and amend them as necessary. (Remove the ‘#’ from the beginning of the line).

sudo nano /etc/dnsmasq.conf
domain-needed
bogus-priv
no-resolv
no-poll
server=/example.com/192.168.0.5
server=8.8.8.8
server=208.67.220.220
local=/example.com/
address=/doubleclick.net/127.0.0.1
no-hosts
addn-hosts=/etc/dnsmasq.d/hosts.conf
expand-hosts
domain=example.com
dhcp-range=192.168.0.20,192.168.0.50,72h
dhcp-range=tftp,192.168.0.250,192.168.0.254  
dhcp-host=mylaptop,192.168.0.199,36h
dhcp-option=option:router,192.168.0.1
dhcp-option=option:ntp-server,192.168.0.5
dhcp-option=19,0 # ip-forwarding off
dhcp-option=44,192.168.0.5 # set netbios-over-TCP/IP aka WINS
dhcp-option=45,192.168.0.5 # netbios datagram distribution server
dhcp-option=46,8           # netbios node type

 

What these lines will do for you.

  • domain-needed 

This tells dnsmasq to never pass short names to the upstream DNS servers.  If the name is not in the local /etc/hosts file then “not found” will be returned.


  • bogus-priv 

All reverse IP (192.168.x.x) lookups that are not found in /etc/hosts will be returned as “no such domain” and not forwarded to the upstream servers.


  • no-resolv 

Do not read resolv.conf to find the servers where to lookup dns.

  • no-poll 

Do not poll resolv.conf for changes.

  • server=8.8.8.8 

Set one or more DNS servers to use when addresses are not local.

These are open DNS servers.

  • local=/example.com/ 

Our local domain, queries in these domains are answered from /etc/hosts or the static-hosts files.

  • address=/doubleclick.net/127.0.0.1 

Use this to force an address for the specified domains.

e.g. to block adverts, force doubleclick.net to localhost

  • no-hosts 

This option stops dnsmasq using the local /etc/hosts file as a source for lookups.

  • addn-hosts=/etc/dnsmasq.d/hosts.conf 

Force dnsmasq to use this file for lookups.

It is in the same format as /etc/hosts.

  • expand-hosts 

So we can see our local hosts via our home domain without having to repeatedly specify the domain in our /etc/hosts file.

  • domain 

This is your local domain name.

With expand-hosts it is appended to the short names in the hosts files, and it is the domain handed to DHCP clients for the addresses dnsmasq gives out.

  • dhcp-range 

This is the range of IPs that DHCP will serve: 192.168.0.20 to 192.168.0.50, with a lease time of 72 hours.

The lease time is how long that IP will be linked to a host.

  • dhcp-range=tftp,192.168.0.250,192.168.0.254 

For tftp connections use this range of IP addresses

  • dhcp-host=mylaptop,192.168.0.199,36h 

Any machine saying its hostname is 'mylaptop' gets this IP address. The hostname is supplied by the client and not authenticated, so bind by MAC address instead (as in the dhcp-host examples earlier on this page) where the assignment matters.

  • dhcp-option=option:router,192.168.0.1 

When a host is requesting an IP address via DHCP also tell it the gateway to use.

  • dhcp-option=option:ntp-server,192.168.0.5 

When a host is requesting an IP address via DHCP also tell it the NTP to use.

In the file /etc/dnsmasq.d/hosts.conf you can add a list of local machines with static IP addresses in the same format as the hosts file. It is also an easy way of creating aliases or CNAME records. Caveat: on Debian and Ubuntu /etc/dnsmasq.d is the conf-dir named by CONFIG_DIR in /etc/default/dnsmasq, so a hosts-format file placed there is also read as dnsmasq options; keep it outside that directory, e.g. /etc/dnsmasq/hosts.conf as in the first part of this page, and point addn-hosts at that path.

192.168.0.8  mail mail.example.com
192.168.0.9  smtp smtp.example.com
192.168.0.120 mythtvbox mythtvbox.example.com

Starting and stopping the service

sudo service dnsmasq start
sudo service dnsmasq stop
sudo service dnsmasq restart


===========================

The resolvconf command

-- and its configuration files

NAME

resolvconf - manage nameserver information

 

SYNOPSIS

cat FILE | resolvconf -a IFACE.PROG

 

resolvconf -d IFACE.PROG

 

resolvconf -u

 

resolvconf --enable-updates | --disable-updates | --updates-are-enabled | --create-runtime-directories | --wipe-runtime-directories

 

DESCRIPTION

The resolvconf package comprises a simple database for run-time nameserver information

and a simple framework for notifying applications of changes in that information.

Resolvconf thus sets itself up as the intermediary between programs that supply nameserver information and applications that use that information.

 

Information is added to or removed from the database using the resolvconf program.

See the OPTIONS section below for a discussion of the available options.

 

SUPPLIERS OF NAMESERVER INFORMATION

Normally the resolvconf program is run only by network interface configuration programs such as pppd(8) (for ppp interfaces);

by DHCP clients such as dhclient(8); by ifup(8) and ifdown; and by DNS caches such as dnsmasq(8) (for the loopback interface).

These programs obtain nameserver information from some source and push it to resolvconf.

 

dhclient

The dhclient program, for example, may receive nameserver addresses and domain search list information during its negotiation with the DHCP server;

if so, its hook script /etc/dhcp/dhclient-enter-hooks.d/resolvconf pushes this information to resolvconf.

 

ifup

The ifup program can be used to configure network interfaces according to settings in /etc/network/interfaces.

To make ifup push nameserver information to resolvconf when it configures an interface

the administrator must add dns- option lines to the relevant iface stanza in interfaces(5).

The following option names are supported: dns-nameservers, dns-search, and dns-sortlist.

The dns-domain option is deprecated in favor of dns-search.

 

To add nameserver addresses, add a single line beginning with dns-nameservers.

 

dns-nameservers 192.168.1.254 8.8.8.8

 

Note that one or more addresses can be given on this line, separated by spaces, and note the "s" at the end of the option name,

in contrast with the resolv.conf(5) option name nameserver.

Remember that in interfaces(5) each option can be used at most once per stanza.

 

To add search domain names, add a line beginning with dns-search.

dns-search foo.org bar.com

 

The resulting stanza might look like the following example.

 

iface eth0 inet static

address 192.168.1.3

netmask 255.255.255.0

gateway 192.168.1.1

dns-nameservers 192.168.1.254 8.8.8.8

dns-search foo.org bar.com

 

N.B.: On a machine where resolvconf has just been or is about to be installed and which previously relied on a static /etc/resolv.conf file,

the nameserver information in that static file should be migrated to the appropriate iface stanza(s) in interfaces(5).

 

 

Command line

The administrator can run resolvconf from the command line to add or delete nameserver information, but this is not normally necessary or advisable.

 

CONSUMERS OF NAMESERVER INFORMATION

Nameserver information provided to resolvconf is stored for use by subscribers to resolvconf's notification service.

Subscriber packages that need to know when nameserver information has changed

should install a script in /etc/resolvconf/update.d/ (or in /etc/resolvconf/update-libc.d/: see below).

For example, DNS caches such as dnsmasq(8) and pdnsd(8) subscribe to the notification service so that they know whither to forward queries.

Client hook scripts will find the files containing nameserver information in the current directory.

 

libc

The most important software package that subscribes to the notification service is the GNU C Library resolver(3).

This library is used by many applications that need to resolve domain names.

When nameserver information is updated,

the script /etc/resolvconf/update.d/libc generates a new version of the resolver configuration file, /run/resolvconf/resolv.conf, as described below.

If the new version of the file differs from the previously generated one, then the hook scripts found in /etc/resolvconf/update-libc.d/ are executed.

 

The dynamically generated resolver configuration file

always starts with the contents of /etc/resolvconf/resolv.conf.d/head and ends with the contents of /etc/resolvconf/resolv.conf.d/tail.

 

Between head and tail the libc script inserts dynamic nameserver information compiled from, first, information provided for configured interfaces;

second, static information from /etc/resolvconf/resolv.conf.d/base.

 

Specifically, it writes:

 

1) up to three nameserver lines, ordered according to /etc/resolvconf/interface-order, possibly fewer if one of the

addresses is a loopback address and the TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS environment variable is affirmatively set,

as discussed in the ENVIRONMENT VARIABLES section;

 

2) up to one search line containing the combined domain search list from all "domain" and "search" input lines,

also ordered according to interface-order(5);

 

3) all other non-comment input lines.

To make the resolver use this dynamically generated resolver configuration file

the administrator should ensure that /etc/resolv.conf is a symbolic link to /run/resolvconf/resolv.conf.

This link is normally created on installation of the resolvconf package.

The link is never modified by the resolvconf program itself.

If you find that /etc/resolv.conf is not being updated, please check to make sure that the link is intact.

 

The GNU C Library resolver library isn't the only resolver library available.

However, any resolver library that reads /etc/resolv.conf (and most of them do, in order to be compatible) should work fine with resolvconf.

 

Subscriber packages that need to know only when the resolver configuration file has changed should install a script in

/etc/resolvconf/update-libc.d/ rather than in /etc/resolvconf/update.d/.

(For example, two packages that install update-libc.d/ hook scripts are fetchmail and squid.)

This is important for synchronization purposes: scripts in update-libc.d/ are run after resolv.conf has been updated; the same is not necessarily true of scripts in update.d/.

 

OPTIONS

-a IFACE.PROG

Add or overwrite the record IFACE.PROG then run the update scripts if updating is enabled.

When this option is used the information must be provided to resolvconf on its standard input in the format of the resolv.conf(5) file.

Each line in the file must be terminated by a newline.

 

-d IFACE.PROG

Delete the record IFACE.PROG then run the update scripts if updating is enabled.

 

The string IFACE.PROG may not contain spaces, slashes, an initial dot, an initial hyphen or an initial tilde.

It is conventionally formed from IFACE, the name of the interface involved, a dot, and PROG, the name of the interface configuration

program, e.g., "eth0.dhclient".

 

-u Just run the update scripts (if updating is enabled).

 

With -a, -d or -u:

if updating is not enabled, schedule a delayed update.

The delayed update will be carried out when updates are enabled.

 

--enable-updates

Set the flag indicating that resolvconf should run update scripts when invoked in the future with -a, -d or -u.

If a delayed update was scheduled then run update scripts.

 

--disable-updates

Clear the flag.

 

--updates-are-enabled

Return 0 if the flag is set, otherwise return 1.

 

--create-runtime-directories

Create the directories where resolver information records and other run-time files are stored.

 

--wipe-runtime-directories

Delete everything in the directories where resolver information records and other run-time files are stored.

 

ENVIRONMENT VARIABLES

The following variables can be set in the configuration file /etc/default/resolvconf.

If the file does not exist you will have to create it.

 

REPORT_ABSENT_SYMLINK

If set to "yes" then resolvconf will print a message when /etc/resolv.conf is not a symbolic link to the resolvconf generated resolver configuration file.

Set to "no" to prevent the printing of this message. The default is "yes".

 

TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS

If set to "yes" then the libc script will include no more nameserver addresses after the first nameserver address that is a loopback address.

(In IPv4 a loopback address is any one that starts with "127.". In IPv6 the loopback address is "::1".)

 

The advantage of truncating the nameserver list after a loopback address is that doing so inhibits unnecessary changes to resolv.conf

and thus reduces the number of instances in which the update-libc.d/ scripts have to be run.

When an interface is brought up or down the local caching nameserver that listens on the loopback address is still informed of the change and adapts accordingly;

the clients of the resolver which use the local caching nameserver do not need to be notified of the change.

A disadvantage of this mode of operation is that applications have no secondary or tertiary nameserver address to fall back on should the local caching nameserver crash.

Insofar as a local nameserver crash can be regarded as an unlikely event, this is a relatively minor disadvantage.

Set to "no" to disable truncation.

The default is "yes".

 

A deprecated synonym for this variable is TRUNCATE_NAMESERVER_LIST_AFTER_127.

 

FILES

/etc/default/resolvconf

See the ENVIRONMENT VARIABLES section.

 

/etc/resolvconf/interface-order

Determines the order of precedence of nameserver addresses and search domain names. See above and interface-order(5).

 

/etc/resolvconf/resolv.conf.d/base

File containing basic resolver information.

The lines in this file are included in the resolver configuration file even when no interfaces are configured.

 

/etc/resolvconf/resolv.conf.d/head

File to be prepended to the dynamically generated resolver configuration file. Normally this is just a comment line.

 

/etc/resolvconf/resolv.conf.d/tail

File to be appended to the dynamically generated resolver configuration file. To append nothing, make this an empty file.

This file is a good place to put a resolver options line if one is needed, e.g., options inet6

 

 

/etc/resolvconf/resolv.conf.d/original

Copy of the /etc/resolv.conf file before the resolvconf package was installed.

This file has no effect on the functioning of resolvconf;

it is retained so that /etc/resolv.conf can be restored to its original state if the resolvconf package is removed.

 

Note also that a copy of this file is included in the database until the first reboot after installation of the resolvconf package;

this ensures that nameservers reachable before installation of resolvconf are still reachable after installation of resolvconf

even though at that point not all suppliers of nameserver information may have supplied their information to resolvconf(8).

 

 

Note also that the administrator can choose to create a symbolic link in /etc/resolvconf/resolv.conf.d/ from tail to original

so that the contents of original are always added to the end of the dynamically generated file.

 

BUGS

Currently resolvconf does not check the sanity of the information provided to it.

 

AUTHOR

Written by Thomas Hood <jdthood@gmail.com> with contributions by Nathan Stratton Treadway.

 

COPYRIGHT

Copyright © 2004-2012 Thomas Hood.

This is free software; see the source for copying conditions.

 

SEE ALSO

interface-order(5), resolv.conf(5), resolver(3).

 

Read the resolvconf package README file for more in-depth information.

 

 

Ubuntu 14.04

Host name configuration (with a search domain)

 

/etc/hostname

hd1

 

/etc/hosts

127.0.0.1        localhost

127.0.0.1        hd1.asn.cn    hd1

 

/etc/resolv.conf

nameserver    127.0.0.1

search        asn.cn

 

======================

Dnsmasq setup

Installation.

To compile and install dnsmasq, the following command (as root) is enough.

make install

You might want to edit config.h. Dnsmasq has been run on (at least) Linux, uCLinux, AIX 4.1.5, FreeBSD 4.4, OpenBSD and Tru64 4.x. Dnsmasq is normally run on a firewall machine (the machine with the modem or other connection to your ISP), but it can run on any machine with access to the ISP's nameservers.

Put the binary in /usr/local/sbin/dnsmasq (running make install will do this) and arrange for it to be started at boot time.

Note that dnsmasq needs to run as root, since it binds privileged ports.

It will drop root privileges after start-up.

Dnsmasq logs problems using the syslog facility as a daemon.

It logs debugging information to local0

Configuration.

Configuration for dnsmasq is pretty simple in almost all cases.

The program has collected a fair few options as it has developed but most of them are not needed most of the time.

A machine which already has a DNS configuration (ie one or more external nameservers in /etc/resolv.conf and any local hosts in /etc/hosts) can be turned into a nameserver simply by running dnsmasq, with no options or configuration at all.

Set the IP address of the machine running dnsmasq as the DNS server in all the other machines on your network, and you're done.

With a few option flags, it is possible to make dnsmasq do more clever tricks.

Options for dnsmasq can be set either on the command line when starting dnsmasq, or in its configuration file, /etc/dnsmasq.conf.

Making the nameserver machine use dnsmasq.

In the simple configuration described above,

processes local to the machine will not use dnsmasq, since they get their information about which nameservers to use from /etc/resolv.conf, which is set to the upstream nameservers.

To fix this, simply replace the nameserver in /etc/resolv.conf with the local address 127.0.0.1 and give the address(es) of the upstream nameserver(s) to dnsmasq directly.

You can do this using either the server option, or by putting them into another file, and telling dnsmasq about its location with the resolv-file option.

Automatic nameserver configuration.

The two protocols most used for automatic IP network configuration (PPP and DHCP) can determine the IP addresses for nameservers automatically.

The daemons can be made to write out a file in resolv.conf format containing the nameservers, which is exactly what dnsmasq needs.

When the nameservers change, for instance on dialling into a new ISP using PPP, dnsmasq will automatically re-read this file and begin using the new nameserver(s) completely transparently.

Automatic DNS server configuration with PPP.

Later versions of pppd have an option "usepeerdns" which instructs it to write a file containing the address(es) of the DNS servers to /etc/ppp/resolv.conf.

Configure dnsmasq as above with "nameserver 127.0.0.1" in /etc/resolv.conf and run dnsmasq with the option resolv-file=/etc/ppp/resolv.conf.

On Redhat (at least versions 7.1, 7.2 and 7.3) you can set pppd options by adding "PPPOPTIONS=usepeerdns" to /etc/sysconfig/network-scripts/ifcfg-ippp0.

In the same file, make sure that "PEERDNS=no" is set, to stop RedHat's network initscripts from copying /etc/ppp/resolv.conf into /etc/resolv.conf.

On SuSE (at least versions 8.1 and 8.2) you should use YaST to activate "[x] Modify DNS when connected", then stop SuSE's network initscripts from copying /etc/ppp/resolv.conf into /etc/resolv.conf by setting MODIFY_RESOLV_CONF_DYNAMICALLY="no" in /etc/sysconfig/network/config.

Automatic DNS server configuration with DHCP.

You need to get your DHCP client to write the address(es) of the DNS servers to a file other than /etc/resolv.conf.

For dhcpcd, the dhcpcd.exe script gets run with the addresses of the nameserver(s) in the shell variable $DNS.

The following bit of shell script uses that to write a file suitable for dnsmasq.

 

#!/bin/bash
# dhcpcd.exe hook: dhcpcd runs this script with the DHCP-supplied nameservers
# in $DNS as a comma-separated list, e.g. DNS="10.0.0.1,10.0.0.2".
# Rewrite them in resolv.conf format into the file dnsmasq polls (its resolv-file).
echo -n >|/etc/dhcpc/resolv.conf           # truncate; >| overrides noclobber
dnsservs=${DNS//,/ }                        # bash: replace every "," with a space
for serv in $dnsservs; do
    echo "nameserver $serv" >>/etc/dhcpc/resolv.conf
done

 

Remember to give dhcpcd the -R flag to stop it overwriting /etc/resolv.conf.

For other DHCP clients it should be possible to achieve the same effect.

DHCP and PPP.

On a laptop which may potentially connect via a modem and PPP or ethernet and DHCP it is possible to combine both of the above configurations. Running dnsmasq with the flags resolv-file=/etc/ppp/resolv.conf resolv-file=/etc/dhcpc/resolv.conf makes it poll both files and use whichever was updated most recently. The result is automatic switching between DNS servers.

Integration with DHCP.

Dnsmasq reads /etc/hosts so that the names of local machines are available in DNS. This is fine when you give all your local machines static IP addresses which can go in /etc/hosts, but it doesn't work when local machines are configured via DHCP, since the IP address allocated to a machine is not fixed. Dnsmasq comes with an integrated DHCP daemon to solve this problem.

The dnsmasq DHCP daemon allocates addresses to hosts on the network and tries to determine their names. If it succeeds, it adds the name and address pair to the DNS. There are basically two ways to associate a name with a DHCP-configured machine: either the machine knows its name when it gets a DHCP lease, or dnsmasq gives it a name based on the MAC address of its ethernet card. For the former to work, a machine needs to know its name when it requests a DHCP lease; for dhcpcd, the -h option specifies this. The names may be anything as far as DHCP is concerned, but dnsmasq adds some limitations. By default the names must not have a domain part, i.e. they must be a plain alphanumeric name without any dots. This is a security feature to stop a machine on your network telling DHCP that its name is "www.microsoft.com" and thereby grabbing traffic which shouldn't go to it. A domain part is only allowed by dnsmasq in DHCP machine names if the domain-suffix option is set, and then the domain part must match the suffix.
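To make that name check concrete, here is a POSIX sh function, added as an example (it is not dnsmasq's own code), that accepts or rejects a DHCP-supplied name by the rule the paragraph above describes: a bare label is accepted; a dotted name is accepted only when a domain-suffix is configured and the name's domain part equals it, so a client claiming "www.microsoft.com" is refused. Permitting hyphens inside labels is an assumption that goes beyond the text's "alphanumeric".

```shell
#!/bin/sh
# Model of the rule the text states for names that DHCP clients claim:
#   - a bare label (no dots) is accepted;
#   - a dotted name is accepted only when a domain-suffix is configured
#     and the name's domain part equals that suffix.
# Added example, not dnsmasq code. Hyphens inside labels are allowed here,
# as in ordinary hostnames (an assumption beyond the text).
# Usage: dhcp_name_ok NAME SUFFIX   -> exit 0 = accept, 1 = reject
dhcp_name_ok() {
    name=$1 suffix=$2
    case $name in
        # empty, illegal characters, or a malformed label (leading/trailing
        # hyphen or dot, empty label): reject outright
        ''|*[!A-Za-z0-9.-]*|-*|*-|.*|*.|*..*|*.-*|*-.*) return 1 ;;
        *.*)
            # A domain part is only allowed when a suffix is configured ...
            [ -n "$suffix" ] || return 1
            # ... and then it must be exactly that suffix.
            [ "${name#*.}" = "$suffix" ] || return 1
            ;;
    esac
    return 0
}
```

A zero exit status means the name would be entered into the DNS; note that "www.microsoft.com" is rejected even when a suffix such as internal.myco.com is configured, because its domain part does not match.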

As an aside, make sure not to tell DHCP to set the hostname when it obtains a lease (in dhcpcd that's the -H flag). This is not reliable, since the DHCP server gets the hostname from DNS, which in this case is dnsmasq. There is a race condition because the host's name in the DNS may change as a result of it getting a DHCP lease, but this does not propagate before the name is looked up. The net effect may be that the host believes it is called something different from its name in the DNS. To be safe, set the hostname on a machine locally, and pass the same name to DHCP when requesting a lease.

Setting up a mailhub.

If you generate mail on the machines attached to your private network, you may be interested in the MX record feature of dnsmasq. This allows you to have all the machines on your network use your firewall or another machine as a "smarthost" and deliver mail to it. The details of how to set this up are highly dependent on your mailer, system and distribution. The only thing that's relevant to dnsmasq is that the mailer needs to be able to interrogate the DNS and find an MX record for your mailhub.

By giving dnsmasq the mx-host option you instruct dnsmasq to serve an MX record for the specified address. By default the MX record points to the machine on which dnsmasq is running, so mail delivered to that name will get sent to the mailer on your firewall machine. You can have the MX record point to another machine by using the mx-target option.

In some cases it's useful for all local machines to see an MX record pointing at themselves: this allows mailers which insist on an MX record and don't fall back to A records to deliver mail within the machine. These MX records are enabled using the selfmx option.

Using special servers.

Dnsmasq has the ability to direct DNS queries for certain domains to specific upstream nameservers.

This feature was added for use with VPNs but it is fully general.

The scenario is this: you have a standard internet connection via an ISP, and dnsmasq is configured to forward queries to the ISP's nameservers; then you make a VPN connection into your company's network, giving access to hosts inside the company firewall.

You have access, but since many of the internal hosts aren't visible on the public internet, your company doesn't publish them in the public DNS and you can't get their IP addresses from the ISP's nameservers.

The solution is to use the company's nameserver for private domains within the company, and dnsmasq allows this. Assuming that internal company machines are all in the domain internal.myco.com and the company's nameserver is at 192.168.10.1, then the option server=/internal.myco.com/192.168.10.1 will direct all queries in the internal domain to the correct nameserver.

You can specify more than one domain in each server option.

If there is more than one nameserver just include as many server options as is needed to specify them all.

Local domains.

Sometimes people have local domains which they do not want forwarded to upstream servers. This is accommodated by using server options without the server IP address; to make things clearer, local is a synonym for server. For example, the option local=/localnet/ ensures that any query for a name ending in .localnet will be answered, if possible, from /etc/hosts or DHCP, but never sent to an upstream server.
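The POSIX sh function below is an added example, not part of dnsmasq or of this page, that models how the options in the two sections above select an upstream for a query name: a plain server=IP line sets the default upstream, server=/dom1/dom2/IP sends names in those domains (and their subdomains) to IP, local=/dom/ marks domains that are never forwarded, and the longest matching domain wins, so a more specific server= line overrides a broader one. The configuration is passed in as a string so the logic can be exercised on constructed input; the addresses used in the usage note are the ones from the text.

```shell
#!/bin/sh
# Model of dnsmasq's upstream selection from "server="/"local=" options.
# Added example, not dnsmasq code. Recognised lines:
#   server=IP               plain upstream, used for names no domain line matches
#   server=/dom1/dom2/IP    names in dom1 or dom2 (and subdomains) go to IP
#   local=/dom/             names in dom are answered locally, never forwarded
# Longest matching domain wins. Prints the chosen upstream address, "local"
# for a never-forwarded domain, or "resolv-file" when only the servers read
# from the resolv-file would be used.
# Usage: route_query QNAME "$CONF"
route_query() {
    qname=$1 conf=$2
    target='' bestlen=0 default=resolv-file
    while IFS= read -r line; do
        case $line in
            server=/*|local=/*) ;;                          # domain-scoped line
            server=*) default=${line#server=}; continue ;;   # plain upstream
            *) continue ;;                                   # anything else: ignore
        esac
        rest=${line#*=/}       # "internal.myco.com/192.168.10.1" or "localnet/"
        ip=${rest##*/}         # "192.168.10.1", or "" for a local= line
        doms=${rest%/*}        # "internal.myco.com", or "a/b" for several domains
        oldifs=$IFS; IFS=/; set -- $doms; IFS=$oldifs
        for dom; do
            case $qname in
                "$dom"|*."$dom")
                    # more specific (longer) domain overrides a broader one
                    if [ ${#dom} -gt "$bestlen" ]; then
                        bestlen=${#dom}
                        target=${ip:-local}
                    fi ;;
            esac
        done
    done <<EOF
$conf
EOF
    echo "${target:-$default}"
}
```

With server=/internal.myco.com/192.168.10.1 and local=/localnet/ in the string, route_query host.internal.myco.com prints 192.168.10.1, while route_query printer.localnet prints local: that name is answered from /etc/hosts or DHCP or not at all, so internal hostnames in that domain never reach the ISP's resolvers.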

Defeating wildcards in top level domains.

In September 2003 Verisign installed a wildcard record in the .com and .net top level domains. The effect of this is that queries for unregistered .com and .net names return the address of Verisign's sitefinder service, rather than a "no such domain" response.

To restore the correct behaviour, you can tell dnsmasq the address of the sitefinder host and have it substitute an NXDOMAIN reply whenever it sees that address in an answer. At the time of writing the sitefinder address was 64.94.110.11, so giving the option bogus-nxdomain=64.94.110.11 enables this facility for Verisign. If other TLDs do the same thing you can add the correct addresses for them too. See the dnsmasq FAQ for more details on the bogus-nxdomain option.

Other configuration details.

By default dnsmasq offers DNS service on all the configured interfaces of a host. It's likely that you don't (for instance) want to offer a DNS service to the world via an interface connected to ADSL or a cable modem, so dnsmasq allows you to specify which interfaces it will listen on. Use either the interface or the listen-address option to do this.
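A quick way to verify that the interface restriction took effect is to look at which local addresses port 53 is actually bound to. The POSIX sh function below is an added example (not from the page or from dnsmasq) that scans socket-listing output in the column layout of ss -lntu, supplied as a string so it can be tried on constructed data, and flags any port-53 socket bound to a wildcard address (0.0.0.0, [::] or *), which is what a resolver exposed on an ISP-facing interface looks like.

```shell
#!/bin/sh
# Scan socket-listing output in the column layout of "ss -lntu"
# (Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port) for
# port-53 sockets bound to a wildcard address. Added example, not from the
# page or from dnsmasq. Input is passed as a string so the check can run on
# constructed data. Prints each offending socket; returns 1 if any were
# found, 0 otherwise.
# Usage: dns_wildcard_listeners "$(ss -lntu)"
dns_wildcard_listeners() {
    input=$1 found=0
    while read -r netid state rxq txq laddr peer; do
        case $netid in tcp|udp) ;; *) continue ;; esac   # skip header/blank lines
        case $laddr in
            '0.0.0.0:53'|'[::]:53'|'*:53')
                echo "$netid $laddr"
                found=1 ;;
        esac
    done <<EOF
$input
EOF
    return $found
}
```

One caveat when reading the result: with only interface= or listen-address= set, dnsmasq still binds the wildcard address and discards queries arriving on interfaces it is not meant to serve, so this check will flag it even though it does not answer them; add bind-interfaces to make dnsmasq bind only the listed addresses, after which a wildcard port-53 socket really does mean an exposed resolver.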

The filterwin2k option makes dnsmasq ignore certain DNS requests which are made by Windows boxen every few minutes.

The requests generally don't get sensible answers in the global DNS and cause trouble by triggering dial-on-demand internet links.

Sending SIGHUP to the dnsmasq process will cause it to empty its cache and then re-load /etc/hosts and /etc/resolv.conf.

Sending SIGUSR1 (killall -10 dnsmasq) to the dnsmasq process will cause it to write cache usage statistics to the log, typically /var/log/syslog or /var/log/messages.

The log-queries option tells dnsmasq to verbosely log the queries it is handling and causes SIGUSR1 to trigger a complete dump of the contents of the cache to the syslog.

For a complete listing of options please take a look at the manpage dnsmasq(8).

 

 

=======================

Automating dnsmasq and resolvconf

Posted on 07 November 2013

I've been working a lot with dnsmasq for DNS forwarding recently, and have hit enough problems that I thought it would be worth writing about them.

On my current project, we're using Ubuntu 12.04, which uses dnsmasq as a local DNS cacher and forwarder, and resolvconf (the service as opposed to the resolv.conf file) to manage DNS server configuration.

dnsmasq

Dnsmasq is a simple DNS forwarder.

It proxies multiple upstream DNS servers, adds caching, and can even serve up A records from an /etc/hosts-style configuration file.

Dnsmasq is configured by giving it an /etc/resolv.conf-style file with a list of nameservers.

It will regularly poll this file for changes, and change its forwarding behaviour accordingly.

Dnsmasq can also be configured to direct requests for particular domains to particular servers; for example, if you want everything in mycompany.com to go to your internal office server, but everything else to go to public DNS servers, dnsmasq can do that for you.

Dnsmasq does NOT perform recursive DNS lookups; you will still need some form of recursive DNS server in order to achieve full DNS functionality.

resolvconf

resolvconf is part of the ubuntu-minimal install, which means that it's considered a pretty core part of the distribution these days. It's an evolution from the traditional /etc/resolv.conf file, which lists nameservers and search domains to use when resolving DNS names to IP addresses.

You associate a nameserver with a particular network interface with a line such as:

echo nameserver 192.0.2.6 | resolvconf -a IFACE.PROGNAME

where IFACE is an interface, and PROGNAME is the name of an associated program.

For example, dnsmasq registers itself with resolvconf under the lo.dnsmasq entry.

You can remove entries with resolvconf -d.

Generally, you don't call resolvconf directly;

instead, it is called automatically as part of bringing up a network interface, or starting a DNS service, or similar.

Each time an interface is added or removed, resolvconf updates associated configuration files by running scripts in the /etc/resolvconf/update.d directory; one of these, libc, updates the traditional /etc/resolv.conf file.

The problem

This is where I get to the problem I was facing.

I was trying to install and configure dnsmasq in a puppet run.

However, immediately after dnsmasq was installed, I would start getting name resolution errors, and the rest of the puppet run would fail.

But by the time I had logged onto the box to investigate, name resolution was working again! What was going on?

It turns out there's a bit of a race condition when starting dnsmasq, particularly for the first time. What happens is this:

  1. /etc/init.d/dnsmasq starts the dnsmasq daemon. Dnsmasq, in its default configuration on Ubuntu, looks for upstream nameservers in /var/run/dnsmasq/resolv.conf. Dnsmasq checks for the file, finds it missing, and gives up for the moment. It will poll again later.
  2. Once dnsmasq has started and returned, the init.d script registers 127.0.0.1 with lo.dnsmasq in resolvconf.
  3. resolvconf runs its updates, generating configuration for dnsmasq in /var/run/dnsmasq/resolv.conf and also changing the standard libc resolver file /etc/resolv.conf to refer only to 127.0.0.1, the dnsmasq process.
  4. At this point, the dnsmasq service is the sole DNS server that the local resolver can see, but dnsmasq itself hasn't yet seen any upstream nameservers. Therefore it can't give any useful answers. At this point, my puppet run starts failing.
  5. After a few seconds, dnsmasq polls the /var/run/dnsmasq/resolv.conf file again and finally finds the upstream nameservers left for it by resolvconf in step #3 above.
  6. I log into the machine, try to resolve a name, and everything works.
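A defensive guard for provisioning runs that land in this window, added here as an example (it is not the post's fix and not code from resolvconf or dnsmasq): the POSIX sh function polls a resolv.conf-style file, by default the /var/run/dnsmasq/resolv.conf file named in step 1, until it contains a nameserver line or a timeout expires, so the run does not send queries to a dnsmasq that has no upstream yet. The default path and the default timeout are assumptions.

```shell
#!/bin/sh
# Wait until a resolv.conf-style file (dnsmasq's resolv-file) holds at least
# one "nameserver" line, so provisioning does not query a dnsmasq that has
# no upstream to forward to yet. Added example, not the post's own fix.
# Default path is the Ubuntu resolv-file named above; the default timeout of
# 30 seconds is an assumption. Returns 0 when upstreams are present, 1 on
# timeout (a missing or unreadable file counts as "no upstreams").
# Usage: wait_for_upstream [FILE] [TIMEOUT_SECONDS]
wait_for_upstream() {
    file=${1:-/var/run/dnsmasq/resolv.conf} timeout=${2:-30} elapsed=0
    until [ -r "$file" ] && grep -q '^nameserver[[:space:]]' "$file"; do
        [ "$elapsed" -lt "$timeout" ] || return 1
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 0
}
```

Call wait_for_upstream (or wait_for_upstream /path/to/file 60) right after installing dnsmasq and before anything that resolves names. Since dnsmasq only notices the file on its next poll, follow a successful return with a real lookup of a known name before continuing.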
posted @ 2015-07-29 20:07 asnjudy