The first time I used this small piece of software I liked it: it is not as cumbersome to configure as BIND, there are not many files to edit, and internal and external name resolution do not interfere with each other.
dnsmasq first consults the hosts file, then the *.conf files under /etc/dnsmasq.d/, which take precedence over dnsmasq.conf; the DNS servers listed in our custom resolv.dnsmasq.conf, also known as the upstream DNS, are queried last.
If you do not want the hosts file used for resolution, add the no-hosts statement to /etc/dnsmasq.conf so that queries go straight to the upstream DNS. If you do not want upstream queries at all, that is, no ordinary recursive resolution, add the no-resolv statement.
BIND is too heavyweight. For a single department or a service with a small scope we can use dnsmasq; after all, its configuration is simple and convenient. dnsmasq works well when our company's internal domain names collide with public domain names, or when we use a dedicated internal domain, and it does not affect normal resolution of external names.
1. Install with yum, set the service to start at boot, and turn off SELinux
[root@localhost ]# yum install dnsmasq* -y
[root@localhost ]# chkconfig dnsmasq on
2. Modify the local network configuration file
Modify network card parameters
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.19.30.250
PREFIX=24
GATEWAY=172.19.30.254
DNS1=127.0.0.1
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"
Modify the hostname
[root@localhost ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=ad.cloud.com
GATEWAY=172.19.30.254
3. Modify iptables (or just turn it off if you find it troublesome)
- Allow port 53 on this machine to be reachable from outside
$ iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
$ iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
- Forward DNS requests
# Enable traffic forwarding
$ echo '1' > /proc/sys/net/ipv4/ip_forward
$ echo '1' > /proc/sys/net/ipv6/conf/all/forwarding   # only if you use IPv6
# Add a forwarding rule that redirects external requests to port 53 to port 53 of the dnsmasq server
$ iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
$ iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
# To accept requests from the intranet only, use the rule below; if the intranet interface is eth0 rather than eth1, replace eth1 with eth0
$ iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j REDIRECT --to-ports 53
- Save the rules and restart
$ service iptables save
$ service iptables restart
4. Modify /etc/dnsmasq.conf
[root@localhost dnsmasq.d]# vim /etc/dnsmasq.conf
Fill in the following:

no-hosts
# Do not load the local /etc/hosts file
local-ttl=3600
# TTL for answers served from local data; normally you would not cache these, so that a change to the hosts file takes effect immediately
cache-size=1000000
# Maximum number of cache entries
dns-forward-max=1000000
listen-address=127.0.0.1,172.19.30.250
# For this server to resolve names for other hosts, its own address must be listed here together with 127.0.0.1
resolv-file=/etc/resolv.dnsmasq.conf
# The file name is up to you; I simply copied resolv.conf and renamed it
all-servers
# Every query that is not answered locally is sent to all the DNS servers in resolv.dnsmasq.conf, and whichever answers first is used
log-queries
# Enable query logging
log-facility=/var/log/dnsmasq/dnsmasq.log
log-async=100
# Asynchronous logging reduces blocking and improves performance; the default is 5 and the maximum is 100
conf-dir=/etc/dnsmasq.d
# This should be the last line; it makes dnsmasq also read every .conf file in that directory
Tip: if our intranet has many different domain names, add the line above and split the resolution configuration into separate files by domain.
5. Add the resolv file for upstream resolution
Edit the file we copied just now and list the DNS servers we normally use, so that the intranet can still reach the Internet through our own DNS server rather than being cut off from it.
[root@localhost dnsmasq.d]# vim /etc/resolv.dnsmasq.conf
nameserver 202.106.0.20
nameserver 192.168.59.241
nameserver 114.114.114.114
nameserver 8.8.8.8
nameserver 168.95.1.1
# The last one is a Taiwanese DNS server; with it, downloads from Apple's App Store and Apple's online reinstallation are noticeably faster
6. Add resolution for other domain names
We change to this directory and add resolution entries for our various internal domain names
[root@localhost dnsmasq.d]# cd /etc/dnsmasq.d/
Add a resolution file
[root@localhost dnsmasq.d]# vim cloud.conf
[root@localhost dnsmasq.d]# ls
cloud.conf  seccloud.conf
7. Configuration file syntax rules
Normally the resolution entries we add look like the following; the syntax rule for an address entry is:
address=/domain/ip_address

[root@localhost dnsmasq.d]# cat cloud.conf
address=/im.cloud.top/192.168.59.12
address=/git.cloud.top/192.168.59.20
address=/crm.cloud.top/192.168.59.11
address=/ftp.cloud.top/172.19.2.253
address=/note.cloud.top/172.19.30.250
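One check worth running before the service is restarted is a lint of those address= lines, since dnsmasq answers for a domain and every subdomain beneath it, so a stray address=/cloud.top/... entry would quietly take over any name that has no more specific line. The script below is an added example, not part of the original post or of dnsmasq itself; the drop-in it writes is a constructed sample that reuses the im/git/crm names above alongside deliberately broken lines, and the file path it writes to is a temporary file.

```shell
#!/bin/sh
# Added example (not from the original post): lint the address=/domain/ip lines
# in dnsmasq drop-in files. Findings are printed one per line; the function
# exits non-zero when a line is malformed, carries an invalid IPv4 address, or
# repeats a domain. A "note:" is printed for any domain that is a parent of
# another entry, because address= matches the domain AND all of its subdomains.

check_address_lines() {
  # $@ : one or more dnsmasq .conf files (for example /etc/dnsmasq.d/*.conf)
  awk '
    function valid_ipv4(ip,    n, i, p) {
      n = split(ip, p, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
      return 1
    }
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    /^address=/ {
      n = split($0, f, "/")
      # address=/dom1[/dom2...]/ip  ->  f[2..n-1] are domains, f[n] is the IP
      if (n < 3) {
        printf "%s:%d: malformed address line: %s\n", FILENAME, FNR, $0
        bad++; next
      }
      if (!valid_ipv4(f[n])) {
        printf "%s:%d: invalid IPv4 address \"%s\"\n", FILENAME, FNR, f[n]
        bad++
      }
      for (i = 2; i < n; i++) {
        d = f[i]
        if (d in seen) {
          printf "%s:%d: duplicate entry for %s (first at %s)\n", FILENAME, FNR, d, seen[d]
          bad++
        } else {
          seen[d] = FILENAME ":" FNR
          doms[++count] = d
        }
      }
    }
    END {
      for (i = 1; i <= count; i++)
        for (j = 1; j <= count; j++) {
          if (i == j) continue
          parent = doms[i]; child = doms[j]
          if (length(child) > length(parent) &&
              substr(child, length(child) - length(parent)) == "." parent)
            printf "note: %s also answers for every subdomain; %s is more specific and wins\n", parent, child
        }
      if (bad) exit 1
    }
  ' "$@"
}

# Constructed sample drop-in (not the post's cloud.conf); the mistakes are deliberate.
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample
address=/im.cloud.top/192.168.59.12
address=/git.cloud.top/192.168.59.20
address=/cloud.top/172.19.30.250
address=/crm.cloud.top/192.168.59.300
address=/git.cloud.top/192.168.59.21
address=/ftp.cloud.top
EOF
}

# Demo run against the constructed sample
tmp=$(mktemp)
write_sample_conf "$tmp"
check_address_lines "$tmp" || echo "fix the findings above before: service dnsmasq restart"
rm -f "$tmp"
```

For the real files run `check_address_lines /etc/dnsmasq.d/*.conf`; it complements, rather than replaces, `dnsmasq --test`, which checks the full configuration syntax but says nothing about one entry shadowing another.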
8. Start the dnsmasq service
[root@localhost ~]# service dnsmasq start
9. Test and verify:
Look up domain names from your own laptop to test:
localhost:~ admin$ nslookup
> git.cloud.top
Server:		172.19.30.250
Address:	172.19.30.250#53

Name:	git.cloud.top
Address: 192.168.59.20
> www.baidu.com
Server:		172.19.30.250
Address:	172.19.30.250#53

Non-authoritative answer:
www.baidu.com	canonical name = www.a.shifen.com.
Name:	www.a.shifen.com
Address: 61.135.169.121
Name:	www.a.shifen.com
Address: 61.135.169.125
Cache verification:
[root@ad ~]# dig www.baidu.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21877
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; ANSWER SECTION:
www.baidu.com.		223	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	549	IN	A	119.75.213.61
www.a.shifen.com.	549	IN	A	119.75.216.20

;; AUTHORITY SECTION:
shifen.com.		30440	IN	NS	ns4.baidu.com.
shifen.com.		30440	IN	NS	dns.baidu.com.
shifen.com.		30440	IN	NS	ns2.baidu.com.
shifen.com.		30440	IN	NS	ns3.baidu.com.

;; ADDITIONAL SECTION:
dns.baidu.com.		4938	IN	A	202.108.22.220
ns2.baidu.com.		76100	IN	A	61.135.165.235
ns3.baidu.com.		31611	IN	A	220.181.37.10
ns4.baidu.com.		166964	IN	A	220.181.38.10

;; Query time: 59 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul  1 13:25:51 2017
;; MSG SIZE  rcvd: 226

[root@ad ~]# dig www.baidu.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61460
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; ANSWER SECTION:
www.baidu.com.		215	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	541	IN	A	119.75.216.20
www.a.shifen.com.	541	IN	A	119.75.213.61

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul  1 13:25:59 2017
;; MSG SIZE  rcvd: 93
We can see that the first query was forwarded upstream (Query time: 59 msec, with authority and additional sections), while the second was answered straight from dnsmasq's cache (Query time: 0 msec, nothing beyond the answer section).
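The same cached-versus-forwarded distinction is visible in the log that the log-queries and log-facility lines from step 4 produce, and that log is also the first place to look when one intranet client starts behaving oddly. The script below is an added example, not part of the original post or of dnsmasq; it assumes the whitespace-separated line layout dnsmasq writes to a log file (timestamp, "dnsmasq[pid]:", the action, the name, and for queries "from <client>"), and the log lines and client addresses it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a dnsmasq query log.
# Assumed field layout of a line dnsmasq writes to its log file:
#   Jul  1 13:25:51 dnsmasq[2153]: query[A] www.baidu.com from 172.19.30.10
#   $1  $2 $3       $4             $5       $6            $7   $8

# Constructed sample log in that format; the last client asks for many distinct
# names under one domain, which is the pattern a defender wants surfaced.
write_sample_log() {
  cat > "$1" <<'EOF'
Jul  1 13:25:51 dnsmasq[2153]: query[A] www.baidu.com from 172.19.30.10
Jul  1 13:25:51 dnsmasq[2153]: forwarded www.baidu.com to 202.106.0.20
Jul  1 13:25:51 dnsmasq[2153]: reply www.baidu.com is <CNAME>
Jul  1 13:25:51 dnsmasq[2153]: reply www.a.shifen.com is 119.75.213.61
Jul  1 13:25:59 dnsmasq[2153]: query[A] www.baidu.com from 172.19.30.10
Jul  1 13:25:59 dnsmasq[2153]: cached www.baidu.com is <CNAME>
Jul  1 13:25:59 dnsmasq[2153]: cached www.a.shifen.com is 119.75.213.61
Jul  1 13:26:03 dnsmasq[2153]: query[A] git.cloud.top from 172.19.30.10
Jul  1 13:26:03 dnsmasq[2153]: config git.cloud.top is 192.168.59.20
Jul  1 13:26:10 dnsmasq[2153]: query[TXT] a1b2c3.example.net from 172.19.30.77
Jul  1 13:26:10 dnsmasq[2153]: forwarded a1b2c3.example.net to 114.114.114.114
Jul  1 13:26:11 dnsmasq[2153]: query[TXT] d4e5f6.example.net from 172.19.30.77
Jul  1 13:26:11 dnsmasq[2153]: forwarded d4e5f6.example.net to 114.114.114.114
Jul  1 13:26:12 dnsmasq[2153]: query[TXT] 0f9e8d.example.net from 172.19.30.77
Jul  1 13:26:12 dnsmasq[2153]: forwarded 0f9e8d.example.net to 8.8.8.8
EOF
}

# How answers were produced: config (address= lines), cached, or forwarded upstream
answer_sources() {
  awk '$5 == "config" || $5 == "cached" || $5 == "forwarded" { n[$5]++ }
       END { for (k in n) print k, n[k] }' "$1" | LC_ALL=C sort
}

# Total queries per client, busiest first
queries_per_client() {
  awk '$5 ~ /^query\[/ { n[$8]++ } END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# Number of distinct names each client asked for, highest first
distinct_names_per_client() {
  awk '$5 ~ /^query\[/ { k = $8 SUBSEP $6; if (!(k in seen)) { seen[k] = 1; d[$8]++ } }
       END { for (c in d) print d[c], c }' "$1" | sort -rn
}

# Clients that asked for more than $2 distinct names; the threshold is yours to tune
flag_clients() {
  distinct_names_per_client "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# Demo run against the constructed sample
log=$(mktemp)
write_sample_log "$log"
echo "== answer sources";                answer_sources "$log"
echo "== queries per client";            queries_per_client "$log"
echo "== clients over 2 distinct names"; flag_clients "$log" 2
rm -f "$log"
```

Against the real file, `answer_sources /var/log/dnsmasq/dnsmasq.log` shows whether the cache is actually doing work (a low cached count next to a high forwarded count means the cache-size or TTLs deserve a look), and `flag_clients` with a threshold fitted to your network gives a short list of hosts to inspect; remember that with all-servers every upstream in resolv.dnsmasq.conf sees each forwarded query.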