Thursday, September 14, 2006

Simple Tiny Network Name Services

A great way to start a religious war is to discuss domain name services. I previously documented my experiences with BIND 9 on FreeBSD, and I really didn't want to repeat the process for my small lab network.

Looking in the ports tree I found Dnsmasq, "a lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network." Wow, that sounds perfect (but I don't need DHCP).

I decided to try this on a Debian host that had a fully populated /etc/hosts file.

macmini:~# apt-get install dnsmasq
Reading Package Lists... Done
Building Dependency Tree... Done
Suggested packages:
resolvconf
The following NEW packages will be installed:
dnsmasq
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 114kB of archives.
After unpacking 303kB of additional disk space will be used.
Get:1 http://mirrors.kernel.org stable/main dnsmasq 2.22-2 [114kB]
Fetched 114kB in 1s (78.8kB/s)
Selecting previously deselected package dnsmasq.
(Reading database ... 13695 files and directories currently installed.)
Unpacking dnsmasq (from .../dnsmasq_2.22-2_powerpc.deb) ...
Setting up dnsmasq (2.22-2) ...
Starting DNS forwarder and DHCP server: dnsmasq.

macmini:/etc/init.d# netstat -natup | grep dnsmasq
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 3279/dnsmasq
tcp6 0 0 :::53 :::* LISTEN 3279/dnsmasq
udp 0 0 0.0.0.0:32770 0.0.0.0:* 3279/dnsmasq
udp 0 0 0.0.0.0:53 0.0.0.0:* 3279/dnsmasq
udp6 0 0 :::53 :::* 3279/dnsmasq

Note that by default, no DHCP server is started.

That's it. Now I point all my hosts to the IP address of this Debian box, and it resolves local and remote IPs. I made sure the Debian host had my ISP's DNS servers in its /etc/resolv.conf file. Easy.

8 comments:

Jim said...

Nice. I haven't seen this one. I configured it on a test machine in about 30 seconds. It'll be much more useful than setting up BIND in a test network. Thanks.

Anonymous said...

Talking about DNS, what is your opinion about djbdns ?

Anonymous said...

Hi!
Just started reading your blog, seems to be updated and good content on it. Congrats on it and hope you keep it like this.

Other matters... is this thing secure? Bind has some security issues.

Bye!

Anonymous said...

Rich, I noticed that you said it resolves local and remote IP addresses. Is it using your bind zone files for your local addresses?

Bammkkkk

Richard Bejtlich said...

Re: djbdns: no comment.

Re: security, I haven't done a code audit.

Bamm: Dnsmasq is only using the /etc/hosts and /etc/resolv.conf file on the box where it's running. Pretty neat.

Anonymous said...

Re: djbdns

It is generally seen as much more secure than BIND. It is also fast, relatively easy to setup, and supposedly performs quite a bit better than BIND.

On the minus side, djb is a crank, doesn't follow RFCs, and the software has a more restrictive license than GPL. The minuses will have more or less weight depending on the user.

Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

I knew this sounded familiar. dnsmasq is used by m0n0wall - really convenient FreeBSD-based firewall.
http://m0n0.ch/wall/software.php

Doug