Replacing bind with dnsmasq on the home network

BIND has been serving up internal address information on our home network for way over a decade now. That’s changing over the next couple of days. The whys and hows follow.

This was done on Fedora 21*.

I like BIND. I really do. Learning how to configure BIND servers not only helped me become a better diagnostician of network issues, it actually helped me get through the first iteration of Microsoft’s Active Directory training (which needless to say had some rough edges in the hands-on lab department).

But configuring BIND servers has lost its lustre for me. It’s just not as much fun as it used to be. When I recently upgraded our home firewall to pfSense 2.2-RELEASE, I decided not to install BIND but instead work with the built-in DNS Forwarder (not Resolver) that uses dnsmasq under the covers. This simplified configuration and setup tremendously, and reduced our dependency on add-on packages that can create problems during upgrades of the base system.

Fortunately, dnsmasq works pretty well as a simple name server. In fact it also offers some features, like SRV records, that were only available with BIND and other full-featured name servers in the past.

To implement dnsmasq as a name server all I had to do was:

1. Shut down and disable BIND (“systemctl stop named”, “systemctl disable named”).

2. Install dnsmasq (“yum install dnsmasq”).

3. Add an /etc/banner_add_hosts file that contains all the IP-to-host-name mappings (in addition to those for your own host already in /etc/hosts), one line per name. For an alias (what would be a CNAME in BIND), add another line with the same IP address**. For example:

10.0.0.1     gw.example.com gw
10.0.0.1     ns1.example.com ns1
10.0.1.1     gw2.example.com gw2
10.0.0.10    backup.example.com nas
10.0.0.10    www.example.com www
10.0.0.10    ldap.example.com ldap

4. Edit the configuration file, /etc/dnsmasq.conf. The sample file included with the Fedora install is mostly commented out. Here are the (mostly) non-defaults I uncommented:

filterwin2k
listen-address=10.0.0.3
bind-interfaces
addn-hosts=/etc/banner_add_hosts
domain=example.com
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig

5. Start and enable dnsmasq (“systemctl start dnsmasq”, “systemctl enable dnsmasq”).
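Steps 3 through 5 as one runnable script, added here as an example and not taken from the original post: it writes the hosts file and the dnsmasq.conf shown above into a scratch directory, validates the hosts file's shape, asks dnsmasq to parse the config if it is installed, and resolves names from the hosts file the same way dnsmasq's addn-hosts lookup would. The scratch directory DNSMASQ_DEMO_DIR standing in for /etc, and the function names, are this example's own assumptions; the addresses and names are the post's sample values.

```shell
#!/bin/sh
# Added example (not the post's own script). Assumes a scratch directory
# stands in for /etc so nothing on the real system is touched; the
# 10.0.0.x addresses and example.com names are the post's sample values.
DNSMASQ_DEMO_DIR="${DNSMASQ_DEMO_DIR:-$(mktemp -d)}"
HOSTS_FILE="$DNSMASQ_DEMO_DIR/banner_add_hosts"
CONF_FILE="$DNSMASQ_DEMO_DIR/dnsmasq.conf"

# Step 3: one line per name; an alias is just another line with the same IP.
write_hosts_file() {
    cat > "$HOSTS_FILE" <<'EOF'
10.0.0.1     gw.example.com gw
10.0.0.1     ns1.example.com ns1
10.0.1.1     gw2.example.com gw2
10.0.0.10    backup.example.com nas
10.0.0.10    www.example.com www
10.0.0.10    ldap.example.com ldap
EOF
}

# Step 4: the non-default options the post enables. listen-address plus
# bind-interfaces keeps the server off every other interface, so it cannot
# become an open resolver on an address you did not intend to serve.
write_dnsmasq_conf() {
    mkdir -p "$DNSMASQ_DEMO_DIR/dnsmasq.d"
    cat > "$CONF_FILE" <<EOF
filterwin2k
listen-address=10.0.0.3
bind-interfaces
addn-hosts=$HOSTS_FILE
domain=example.com
conf-dir=$DNSMASQ_DEMO_DIR/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
EOF
}

# Reject hosts-file lines that are not "<IPv4> <name> [alias ...]"; a
# malformed line is silently ignored by dnsmasq, which is hard to spot
# later. Exit status 0 means every line is well formed.
validate_hosts_file() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { bad++; print "bad address: " $0 > "/dev/stderr" }
        NF < 2 { bad++; print "no name: " $0 > "/dev/stderr" }
        END { exit (bad ? 1 : 0) }
    ' "$HOSTS_FILE"
}

# Forward lookup: first line carrying the name wins; prints the address.
resolve_name() {
    awk -v name="$1" '
        /^[[:space:]]*(#|$)/ { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$HOSTS_FILE"
}

# Every name an address serves, space separated (what a reverse lookup sees).
names_for_address() {
    awk -v ip="$1" '
        $1 == ip { for (i = 2; i <= NF; i++) out = out (out ? " " : "") $i }
        END { print out }
    ' "$HOSTS_FILE"
}

# Confirm the config is pinned to one address rather than listening everywhere.
conf_is_bound_to_one_address() {
    grep -q '^listen-address=' "$CONF_FILE" && grep -q '^bind-interfaces$' "$CONF_FILE"
}

# Ask dnsmasq to parse the config without starting it (step 5 pre-check);
# skipped with a message when the package is not installed.
check_conf_syntax() {
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test -C "$CONF_FILE"
    else
        echo "dnsmasq not installed; syntax check skipped" >&2
    fi
}

setup_demo() {
    write_hosts_file && write_dnsmasq_conf && validate_hosts_file
}
```

Source the script and run `setup_demo && check_conf_syntax && resolve_name www` to see the files written, parsed and queried; once the real dnsmasq is running on the listen address, `dig @10.0.0.3 www.example.com` should return the same 10.0.0.10 that resolve_name prints.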

* It’s even easier to set up on FreeBSD, where you can install the plain vanilla package (“pkg install dnsmasq”). The configuration is almost identical (I left the “conf-dir” argument commented out).

** On FreeBSD and other systems whose network config isn’t controlled by FreeDesktop.org’s NetworkManager you can do this in the /etc/hosts file. That file gets overwritten by NetworkManager in systems (like Fedora and Ubuntu) that are controlled by it, necessitating the use of a supplemental file to persistently store the additional mappings.

Of course dnsmasq won’t respond to zone transfer requests the way a “real” name server would, but that’s not something most people need to do very often.

This entry was posted in System Administration.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).