This is an example configuration showing how to set up dnsmasq for DNS, DHCP and blocking of unwanted adverts. The approach is similar to pi-hole's, but without needing to run an HTTP server, without installation instructions that are themselves insecure, and without a Docker container that needs root or admin capabilities in order to run.
The dnsmasq home page is http://www.thekelleys.org.uk/dnsmasq/ and questions about dnsmasq itself should be directed to its mailing list. On Ubuntu systems, dnsmasq can be installed with:

```sh
apt update && apt -y install dnsmasq
```
The following configuration files are provided:

- dnsmasq configuration file
  - Loads all configuration files in `/etc/dnsmasq.d/*.conf`
- Blackhole example file
  - Shows how a name can be blackholed at the DNS server
- Master configuration file
  - Log messages to `/var/log/dnsmasq.log` (`log-facility`)
  - Log messages asynchronously (`log-async`)
  - Only respond to queries from the local interfaces and subnets (`local-service`)
- DHCP sample configuration file
  - Authoritative DHCP server (`dhcp-authoritative`)
  - Leases kept in `/var/run/dnsmasq.leases` (`dhcp-leasefile`)
  - Send the DNS server address over IPv6 if enabled (`option6:dns-server`)
- DNS
  - Do not forward unqualified names (`domain-needed`)
  - Do not forward reverse lookups for private address ranges (`bogus-priv`)
  - Do not read the `/etc/resolv.conf` file (`no-resolv` and `no-poll`)
  - Do not read the `/etc/hosts` file (`no-hosts`)
  - Enlarged cache size (`cache-size`)
  - Locally known names (DHCP leases) are returned with a TTL of 60s (`local-ttl`)
- DNS upstream servers (combined or individually)
- Blocking DNS over HTTP(S) where available
- DNSSEC configuration, with DNSSEC enabled
  - Validate signed replies (`dnssec`)
  - Checking that unsigned replies are genuinely unsigned is not enabled (`dnssec-check-unsigned`); without it a reply whose signatures were stripped in transit is accepted as unsigned, so enable it unless every upstream resolver validates on your behalf
  - Load the trust anchors from `/usr/share/dnsmasq-base/trust-anchors.conf`
- Workarounds
  - Workaround for Win2K hosts (`filterwin2k`)
  - Delay for Raspberry Pi hosts (`dhcp-reply-delay`)
  - Disabling WPAD hosts for proxy auto discovery (`hostname-ignore`)
  - Disable `.corp` lookups for Microsoft hosts (`local=/corp/`)
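The blackhole and DNS-over-HTTPS blocking items above both come down to `address=/name/` lines: with no address given, dnsmasq answers NXDOMAIN for the name and everything under it. As an added example, not a file from this repository, the POSIX shell script below converts a hosts-format blocklist (the format most public ad lists ship in, and what pi-hole consumes) into such a file, discarding malformed names so that one bad list line cannot break `dnsmasq --test`. The input list, the file names and the directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not a file from this repository: turn a hosts-format
# blocklist into a dnsmasq blackhole file. Every emitted line has the form
#   address=/name/
# which makes dnsmasq answer NXDOMAIN for that name and all of its subdomains.
# All file and directory names below are assumptions for the example.

# hosts2dnsmasq INPUT OUTPUT
#   Reads "ip hostname" lines (comments and blank lines allowed), keeps only
#   syntactically valid hostnames (lowercased, letters-only TLD), drops
#   localhost.localdomain, de-duplicates, writes the address=/name/ lines to
#   OUTPUT and prints the number of lines written.
hosts2dnsmasq() {
    sed -e 's/#.*//' "$1" \
      | awk 'NF >= 2 { print tolower($2) }' \
      | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$' \
      | grep -vx 'localhost.localdomain' \
      | sort -u \
      | sed -e 's|^|address=/|' -e 's|$|/|' > "$2"
    wc -l < "$2" | tr -d ' '
}

# Constructed sample list: one duplicate, one mixed-case name, one name with
# an underscore and one with a leading hyphen (both invalid and dropped).
WORK=$(mktemp -d)
cat > "$WORK/blocklist.hosts" <<'EOF'
# constructed sample, hosts format
127.0.0.1 localhost
0.0.0.0 ads.example.com    # trailing comment
0.0.0.0 Tracker.Example.net
0.0.0.0 ads.example.com
0.0.0.0 bad_underscore.example.org
0.0.0.0 -leadinghyphen.example
EOF

n=$(hosts2dnsmasq "$WORK/blocklist.hosts" "$WORK/10-blackhole.conf")
echo "wrote $n blackhole entries to $WORK/10-blackhole.conf"
cat "$WORK/10-blackhole.conf"
```

The generated file is dropped into `dnsmasq.d/` alongside the hand-written ones; keeping the DNS-over-HTTPS resolver names in a separate, hand-maintained file rather than in the generated one makes it obvious which entries were chosen deliberately and which came from a list.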
There is a Dockerfile present which can be used to test dnsmasq configurations. When building the image it runs `dnsmasq --test` to verify the syntax, and when executed it runs the daemon in the foreground so that results can be seen as they happen.

```sh
$ docker build . -t dnsmasq
$ docker run --rm -it --name dnsmasq -v "$(pwd)/dnsmasq.d:/etc/dnsmasq.d:ro" dnsmasq
$ docker exec -it dnsmasq dig @localhost example.com
```
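`dnsmasq --test` only checks syntax; it will happily accept a directory in which `dnssec` has been commented out or `no-resolv` forgotten. As an added check, not part of this repository, the script below lints a `dnsmasq.d` directory for the hardening directives listed above before the files go into the test container. The two sample directories, their contents and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of this repository: report which of the hardening
# directives described in this README are missing from a dnsmasq.d directory.
# Directory and file names are assumptions for the example.

# missing_hardening DIR
#   Prints one "missing: <directive>" line per absent directive and returns
#   the number missing (0 means all present). Comments and trailing
#   whitespace are stripped first so a commented-out "#dnssec" does not
#   count as enabled; matching is on the whole line, so "dnssec" does not
#   match "dnssec-check-unsigned".
missing_hardening() {
    dir="$1"
    conf=$(cat "$dir"/*.conf 2>/dev/null | sed -e 's/#.*//' -e 's/[[:space:]]*$//')
    missing=0
    for opt in domain-needed bogus-priv no-resolv no-poll no-hosts \
               local-service dnssec dnssec-check-unsigned; do
        if ! printf '%s\n' "$conf" | grep -qx "$opt"; then
            echo "missing: $opt"
            missing=$((missing + 1))
        fi
    done
    # dnssec validates nothing without a trust anchor: either an inline
    # trust-anchor= line or the distribution's anchor file via conf-file=
    if printf '%s\n' "$conf" | grep -qx 'dnssec' &&
       ! printf '%s\n' "$conf" | grep -qE '^(trust-anchor=|conf-file=.*trust-anchors)'; then
        echo "missing: trust anchor for dnssec"
        missing=$((missing + 1))
    fi
    return "$missing"
}

W=$(mktemp -d)
mkdir "$W/weak" "$W/hard"
# Constructed "weak" directory: DNSSEC commented out, resolv.conf still read.
cat > "$W/weak/dns.conf" <<'EOF'
domain-needed
#dnssec
cache-size=10000
EOF
# Constructed hardened directory matching the directives listed above.
cat > "$W/hard/dns.conf" <<'EOF'
domain-needed
bogus-priv
no-resolv
no-poll
no-hosts
local-service
cache-size=10000
EOF
cat > "$W/hard/dnssec.conf" <<'EOF'
dnssec
dnssec-check-unsigned
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
EOF

missing_hardening "$W/weak" || echo "weak: $? directive(s) missing"
missing_hardening "$W/hard" && echo "hard: all hardening directives present"
```

Run it against the real `dnsmasq.d` directory before `docker build`; a non-zero return makes it easy to gate the build in a script (`missing_hardening dnsmasq.d && docker build . -t dnsmasq`).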