Dnsmasq is a lightweight DNS, DNS caching, DHCP and TFTP server. It is intended to provide reliable services in small networks. Dnsmasq accepts DNS queries and either answers them from a local cache or forwards them to an upstream recursive DNS server. Versatile! It loads the contents of /etc/hosts so that local hostnames which do not appear in the global DNS can be resolved, and it also answers DNS queries for DHCP-configured hosts. I will be using Dnsmasq to cache dnscrypt-proxy requests in my LAN while providing DNS services and resolution for all clients in the network.
Earlier, we used dnscrypt-proxy to encrypt and secure our DNS requests before they leave our network. Now we are going to give DNS resolution a good boost by caching DNS queries locally, which in turn should also give you a better browsing experience overall, plus allow you to resolve hostnames via DNS in your network. DNS resolution also impacts your Internet speeds. The Internet relies on a network of DNS servers to translate hostnames (like unlockforus.com) into IP addresses, so having a local DNS cache in your LAN is more than just a geeky thing. If you have ever used public DNS servers (Google DNS servers, OpenDNS, etc.) with the idea of speeding up your browsing, just wait until you hit your own DNS cache locally.
We want Dnsmasq to provide DNS resolution, DNS cache and DHCP services in our network. With that in mind, make sure to disable these services in your home network gear (often your home router) before running Dnsmasq, especially the DHCP server. You do not want two DHCP servers advertising and broadcasting the same network scope… it will result in collisions and catastrophe.
You’ll be offloading those services currently provided by your limited home router hardware off to a more robust box in your network.
Prepare your soon-to-be DNS and DHCP server
Update the /etc/hosts file. Note that we are already defining in that file the local domain name as unlockforus.lan and the static IP address of the server, 192.168.1.6. I have commented out 127.0.1.1 because Dnsmasq will be reading this file later on and we don't want LAN machines to resolve our server as 127.0.1.1 (the loopback interface). Do not forget to use your own LAN domain name and to update the IP addresses accordingly 😉
```
sudo vi /etc/hosts
```

/etc/hosts:

```
192.168.1.6 svr-mars.unlockforus.lan svr-mars
```

Also set the hostname:

```
sudo vi /etc/hostname
```

/etc/hostname:

```
svr-mars
```
```
# Install Dnsmasq
sudo apt-get install dnsmasq

# Stop Dnsmasq service
sudo service dnsmasq stop

# Backup default configuration
sudo cp /etc/dnsmasq.conf /etc/dnsmasq.bak
```
Now, let’s configure the network interface and verify we are using a static IP address for the server. Edit /etc/network/interfaces
```
sudo vi /etc/network/interfaces
```

```
...
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
# iface eth0 inet dhcp
iface eth0 inet static
    address 192.168.1.6
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    dns-nameservers 127.0.0.1
    dns-search unlockforus.lan
```
If you have made changes to your configurations so far, reboot your server at this point.
```
sudo reboot now
```
```
sudo vi /etc/dnsmasq.conf
```

```
# Configuration file for dnsmasq.
#
port=53
domain-needed
bogus-priv
no-resolv
no-poll
server=/unlockforus.lan/192.168.1.6
server=/1.168.192.in-addr.arpa/192.168.1.6
address=/double-click.net/127.0.0.1
listen-address=127.0.0.1,192.168.1.6
bind-interfaces
expand-hosts
domain=unlockforus.lan
dns-forward-max=250
cache-size=5000
neg-ttl=3600

# FORWARD TO DNSCRYPT-PROXY
#
server=127.0.0.2#2053

# DHCP Configuration Options
#
dhcp-authoritative
dhcp-range=192.168.1.2,192.168.1.254,255.255.255.0,12h
dhcp-option=option:router,192.168.1.1
# log-dhcp        # Uncomment if you wish to log dhcp

# STATIC HOSTS SAMPLE
# dhcp-host=88:db:96:1d:20:c9,livingroom-pc,192.168.1.10
# dhcp-host=00:15:94:85:bc:35,printer,192.168.1.15
```
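The configuration above does four security-relevant things at once: it pins the listener to loopback and the LAN address (no open resolver), it makes the local dnscrypt-proxy the only upstream (no-resolv plus a single server= line), it keeps bare names and private reverse lookups off the upstream (domain-needed, bogus-priv), and it defines the DHCP pool. The script below is an added example, not part of the original post or of dnsmasq: it parses a dnsmasq.conf and reports anything that breaks one of those four properties. SAMPLE_CONF is a constructed copy of the active directives shown above; the static_hosts argument, the finding texts and the 203.0.113.53 documentation address used in the test are mine, not from the page.

```python
"""Audit a dnsmasq.conf for the settings this tutorial depends on."""
import ipaddress

# Constructed copy of the tutorial's active (non-comment) directives.
SAMPLE_CONF = """\
port=53
domain-needed
bogus-priv
no-resolv
no-poll
server=/unlockforus.lan/192.168.1.6
server=/1.168.192.in-addr.arpa/192.168.1.6
address=/double-click.net/127.0.0.1
listen-address=127.0.0.1,192.168.1.6
bind-interfaces
expand-hosts
domain=unlockforus.lan
dns-forward-max=250
cache-size=5000
neg-ttl=3600
server=127.0.0.2#2053
dhcp-authoritative
dhcp-range=192.168.1.2,192.168.1.254,255.255.255.0,12h
dhcp-option=option:router,192.168.1.1
"""


def parse_conf(text):
    """Return (option, value) pairs; bare flags such as no-resolv get value None."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # dnsmasq ignores blank and comment lines
        opt, sep, val = line.partition("=")
        entries.append((opt.strip(), val.strip() if sep else None))
    return entries


def values(entries, name):
    """All values given for a repeatable option (server=, dhcp-range=, ...)."""
    return [v for k, v in entries if k == name and v is not None]


def audit(text, static_hosts=()):
    """Return a list of findings; an empty list means every check passed.

    static_hosts: addresses configured by hand (the server itself, the
    router, a printer) that must not fall inside a DHCP pool.
    """
    entries = parse_conf(text)
    flags = {k for k, v in entries if v is None}
    findings = []

    # 1. Listener scope. Without listen-address plus bind-interfaces dnsmasq
    #    binds the wildcard address; a forwarder reachable from outside the
    #    LAN is an open resolver and an amplification source.
    if not values(entries, "listen-address") or "bind-interfaces" not in flags:
        findings.append("listener not pinned: set listen-address and bind-interfaces")

    # 2. Upstream path. no-resolv stops dnsmasq from also using the resolvers
    #    in /etc/resolv.conf; the only default upstream should then be the
    #    local dnscrypt-proxy listener, which lives on loopback.
    if "no-resolv" not in flags:
        findings.append("no-resolv missing: resolv.conf upstreams would bypass dnscrypt-proxy")
    defaults = [v for v in values(entries, "server") if not v.startswith("/")]
    if not defaults:
        findings.append("no default upstream: nothing outside the local domain will resolve")
    for upstream in defaults:
        host = upstream.split("#")[0].split("@")[0]   # strip #port and @interface suffixes
        if not ipaddress.ip_address(host).is_loopback:
            findings.append(f"upstream {upstream} is not on loopback: queries bypass the encrypted hop")

    # 3. Local-name leakage. domain-needed keeps bare hostnames off the
    #    upstream; bogus-priv does the same for RFC 1918 reverse lookups.
    for flag in ("domain-needed", "bogus-priv"):
        if flag not in flags:
            findings.append(f"{flag} missing: local lookups can leak to the upstream resolver")

    # 4. DHCP pool vs. static addresses. An address inside dhcp-range can be
    #    leased to another client while its static owner is offline; the
    #    tutorial's own server (192.168.1.6) sits inside .2-.254.
    for rng in values(entries, "dhcp-range"):
        fields = [f for f in rng.split(",") if not f.startswith(("tag:", "set:"))]
        try:
            lo, hi = (ipaddress.ip_address(f) for f in fields[:2])
        except ValueError:
            continue                      # IPv6 or keyword modes are out of scope here
        for host in static_hosts:
            if lo <= ipaddress.ip_address(host) <= hi:
                findings.append(f"static address {host} lies inside dhcp-range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in audit(text, static_hosts=("192.168.1.6", "192.168.1.1")) or ["all checks passed"]:
        print(finding)
```

Run it with the path to your dnsmasq.conf; with no argument it audits the constructed copy. Against the tutorial's own values the only finding is that the server's static address 192.168.1.6 lies inside the DHCP pool, which is worth either narrowing the range or pinning with a dhcp-host entry.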
```
# Stop dnscrypt-proxy
sudo service dnscrypt-proxy stop
sudo vi /etc/default/dnscrypt-proxy
```

```
...
# local IP address the daemon will listen to
local-address:127.0.0.2:2053
...
```
Save your changes, restart the dnscrypt-proxy and dnsmasq services, and test drive your new setup.
Dnsmasq + dnscrypt-proxy should now be fully functional on your server box. DNS queries are now cached locally, or passed on to the upstream resolver when not found in the local cache, as follows:
Client PC => dnsmasq port 53 => dnscrypt-proxy port 2053 => Dnscrypt upstream resolver
Dnsmasq will also resolve local DNS hostnames in your LAN, and it won't pass unresolvable local hostnames to the upstream resolver.
Finally, let’s test our local DNS cache which is in part what we wanted all along:
On your server box:
The query should take longer to resolve the first time… dnsmasq will check its cache and pass the query to dnscrypt-proxy when the name is not found there:
Once resolved, the dnsmasq cache kicks in and queries are served from cache, speeding up DNS resolution dramatically:
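To see the miss-then-hit behaviour without relying on screenshots, here is an added example (mine, not from the original post and not a dnsmasq tool) that builds a minimal DNS query by hand, sends it over UDP to the resolver on 127.0.0.1:53 twice, and prints the round-trip time, the response code and the TTL of the first A record each time. A cache hit is answered faster and carries a TTL that dnsmasq has already counted down. The default lookup name unlockforus.com comes from the post; the response bytes in the test are constructed, using a documentation address.

```python
"""Time two lookups against the local dnsmasq and compare them."""
import os
import socket
import struct
import time


def build_query(name, qid=None):
    """Encode a recursion-desired A/IN query for `name` (RFC 1035, section 4.1)."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")   # random id: basic spoofing protection
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Return the offset just past a domain name, compression pointers included."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Decode the header and the A records of a response into a plain dict."""
    qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4    # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # A record: dotted address plus remaining TTL
            answers.append((socket.inet_ntoa(data[off:off + 4]), ttl))
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "ancount": ancount, "answers": answers}


def resolve(name, server="127.0.0.1", port=53, timeout=3.0):
    """Send one query and return (parsed response, round-trip time in ms)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(query, (server, port))
        data, _peer = sock.recvfrom(4096)
        elapsed_ms = (time.perf_counter() - start) * 1000
    response = parse_response(data)
    if response["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("response id does not match the query id; discarding")
    return response, elapsed_ms


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "unlockforus.com"
    first, t1 = resolve(name)      # miss: dnsmasq forwards to dnscrypt-proxy on 127.0.0.2#2053
    second, t2 = resolve(name)     # hit: answered from dnsmasq's own cache
    for label, resp, ms in (("first", first, t1), ("second", second, t2)):
        print(f"{label}: {ms:.1f} ms rcode={resp['rcode']} answers={resp['answers']}")
    if first["answers"] and second["answers"]:
        hit = t2 < t1 and second["answers"][0][1] <= first["answers"][0][1]
        print("served from cache" if hit else "no cache hit detected")
```

Querying a bare local name such as a DHCP client's hostname the same way shows the other side of the setup: with domain-needed and expand-hosts in place dnsmasq answers it itself, and an unknown local name comes back with rcode 3 (NXDOMAIN) instead of being forwarded.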
What should we do next to further improve our browsing experience? What about a Squid proxy?