@codeedog
Last active April 11, 2025 20:40

Setting up dnsmasq on FreeBSD

Summary of steps required

  1. pkg install dnsmasq
  2. service resolv disable
  3. service resolv stop
  4. service dnsmasq enable
  5. service dnsmasq start
  6. Edit /usr/local/etc/dnsmasq.conf to fit your life goals
  7. /etc/ethers gets static MAC Address/Hostname mappings (dnsmasq only reads it when read-ethers is set in dnsmasq.conf)
  8. /etc/hosts gets well known IP/Hostname mappings
  9. Configure /etc/rc.conf to complete your life goals
  10. service dnsmasq stop
  11. service dnsmasq start
  12. drill printer
  13. drill nas.lan
  14. drill www.freebsd.org
  15. reboot
  16. Check that it all continues to work
  17. Examine /var/db/dnsmasq.leases for new DHCP entries
  18. OPTIONAL: check syslog server or tail /var/log/messages for DHCP changes

Notes on DNSMASQ

  • Once dnsmasq has been set up properly, hosts that request addresses via DHCP are recorded in the lease database and their names become resolvable locally (eg. $ host www1 or $ host www1.lan).
  • Make sure the config has no-resolv so that dnsmasq does not take its upstream servers from /etc/resolv.conf (that file points at 127.0.0.1, i.e. dnsmasq itself). However, also make sure that /etc/resolvconf.conf has name_servers=127.0.0.1, which makes resolvconf(8) write nameserver 127.0.0.1 first into /etc/resolv.conf, so that processes other than dnsmasq within the host/jail containing dnsmasq contact it.
  • For other FreeBSD spaces (host, jail), /etc/resolv.conf and /etc/resolvconf.conf determine which nameserver they contact. With DHCP, resolv.conf gets the server passed via DHCP Option 6 (DNS server). Any statically configured interface that needs name service should have a proper entry in resolvconf.conf. Note that name_servers= only prepends: servers learned from DHCP on the WAN stay in resolv.conf as fallbacks, so if dnsmasq stops answering, queries go to them directly (set resolvconf=NO in resolvconf.conf if that is not wanted).
# /usr/local/etc/dnsmasq.conf
# --------------------------------------------------------------------
# DNSMASQ General Configuration
# --------------------------------------------------------------------
# Do not answer DNS or DHCP requests on the WAN interface
except-interface=eth0
# --------------------------------------------------------------------
# DHCP Configuration
# --------------------------------------------------------------------
# Address range and lease time handed out by DHCP
dhcp-range=172.17.0.30,172.17.0.196,255.255.255.0,24h
# DHCP Options
# - Default Gateway, this way out!
# - DNS Server, use this machine
# - NTP Server, use this machine
dhcp-option=3,172.17.0.1
dhcp-option=6,0.0.0.0
dhcp-option=option:ntp-server,0.0.0.0
# OPTIONAL: To serve a second subnet (eg. VLAN 10), give its range a tag.
# dnsmasq chooses the range from the subnet of the interface the request
# arrived on; the tag is only a label that attaches the options below.
# dhcp-range=set:VLAN10,172.17.81.30,172.17.81.196,255.255.255.0,24h
# dhcp-option=tag:VLAN10,3,172.17.81.1
# dhcp-option=tag:VLAN10,6,0.0.0.0
# dhcp-option=tag:VLAN10,option:ntp-server,0.0.0.0
# OPTIONAL: To tie a range to a named interface, use this (note that
# these two example ranges belong to a different network than the one above):
# dhcp-range=interface:eth0,192.168.1.128,192.168.1.254,24h
# dhcp-range=interface:eth1,192.168.2.128,192.168.2.254,24h
# OPTIONAL: track lease changes
# dhcp-script=/usr/bin/logger # Sends to local logger
# dhcp-script=/usr/local/bin/dhcp2log # Executable script (see file)
# --------------------------------------------------------------------
# DNS Configuration
# --------------------------------------------------------------------
# Do not take upstream servers from /etc/resolv.conf (it names 127.0.0.1,
# i.e. dnsmasq itself). Drop no-resolv only if you want the servers handed
# out by the WAN DHCP instead of the fixed list below.
no-resolv
# Nameservers
# - strict-order queries them in the order listed, not whichever answers fastest
server=1.1.1.1
server=8.8.8.8
strict-order
# Name Request Management
# - Never forward plain names without a dot or domain part
# - Never forward addresses in the non-routed address spaces
# - Automatically append domain to simple hosts
domain-needed
bogus-priv
expand-hosts
# Domain: handed to DHCP clients (option 15) and appended by expand-hosts
# Converts myhost to myhost.lan
domain=lan
# --------------------------------------------------------------------
# Static DHCP and Hostname assignments
# --------------------------------------------------------------------
# Examples:
# dhcp-host=BC:24:11:DF:A3:5E,172.17.0.25,scanner,24h
# dhcp-host=BC:24:11:7B:0F:D8,mail-server,24h
# These can be moved to /etc/hosts and/or /etc/ethers. dnsmasq reads
# /etc/hosts by default, but only reads /etc/ethers when told to:
read-ethers
# Add items here if required, and consider using the files under /etc/
# as the database if other programs use them, too.
# --------------------------------------------------------------------
# Prevent WPAD CERT Vulnerability
# --------------------------------------------------------------------
# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole; see CERT Vulnerability VU#598349
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
# /etc/ethers
# Database containing Static DHCP and Hostname assignments
BC:24:11:28:0E:A9 nas
BC:24:11:DF:A3:5E printer
DC:A6:32:24:9A:12 rpi
BC:24:11:77:79:63 stereo
# /etc/hosts
172.17.0.1 router
172.17.0.2 switch
172.17.0.3 bsd-dnsmasq
# /etc/rc.conf
hostname="bsd-dnsmasq"
ifconfig_eth0="DHCP"
ifconfig_eth1="172.17.0.3 netmask 255.255.255.0"
ntpd_enable="YES"
# Set these with "service <name> enable|disable", although they can be edited by hand
dnsmasq_enable="YES"
resolv_enable="NO"
# /var/db/dnsmasq.leases
# One lease per line: expiry (epoch seconds), MAC, IP, hostname, client-id
1709653637 bc:24:11:28:0e:a9 172.17.0.102 nas bc:24:11:28:0e:a9
1709653649 bc:24:11:df:a3:5e 172.17.0.152 printer bc:24:11:df:a3:5e
1709653622 dc:a6:32:24:9a:12 172.17.0.124 rpi dc:a6:32:24:9a:12
1709653612 bc:24:11:77:79:63 172.17.0.137 stereo bc:24:11:77:79:63
#! /bin/csh
# /usr/local/bin/dhcp2log
# dnsmasq runs this as: dhcp2log add|old|del <MAC> <IP> [<hostname>]
# (set dhcp-script=/usr/local/bin/dhcp2log in dnsmasq.conf and make the
# file executable). A script like this can do a lot and even become the
# lease database, replacing dnsmasq.leases. This one forwards each event
# to the syslog server (running on the router) to track DHCP address changes.
# To replay the current DHCP database through the script, signal dnsmasq with
# kill -HUP <dnsmasq_pid>
/usr/bin/logger -p local3.info -h 172.17.0.1 "$argv"
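The following is an added example, not part of the gist: it turns steps 17 and 18 (examining /var/db/dnsmasq.leases and watching DHCP changes) into a repeatable check, and shows a POSIX sh equivalent of the dhcp2log entry point that tags each lease event as known or unknown against /etc/ethers, so that a device that obtained a lease without a static MAC entry stands out in syslog. The function names, the temporary sample files written by write_samples, and the two extra leases in them (laptop, wpad) are assumptions constructed for illustration; the other lines are modelled on the gist's own files.

```shell
#!/bin/sh
# Added example (not from the gist): audit dnsmasq DHCP leases against
# /etc/ethers, plus a dhcp-script entry point that tags events the same way.
# Assumed for illustration: function names, the sample files below, and
# the syslog facility local3 used by the gist's dhcp2log.

# Column layout of /var/db/dnsmasq.leases, one lease per line:
#   <expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>
# Column layout of /etc/ethers (what dnsmasq's read-ethers parses):
#   <MAC> <hostname or IP>

# Print "<mac> <ip> <hostname>" for every lease whose MAC is absent from the
# ethers file. dnsmasq writes MACs lower-case and /etc/ethers is usually
# upper-case, so both sides are lower-cased before comparing.
#   usage: unknown_leases <leases-file> <ethers-file>
unknown_leases() {
    awk '
        FNR == NR {                          # first file: /etc/ethers
            if ($1 ~ /^#/ || NF < 2) next    # skip comments and short lines
            known[tolower($1)] = $2
            next
        }
        NF >= 4 && !(tolower($2) in known) { print tolower($2), $3, $4 }
    ' "$2" "$1"
}

# Print leases whose client-chosen hostname is "wpad". With the
# dhcp-name-match/dhcp-ignore-names rule from dnsmasq.conf loaded this
# prints nothing, so any output means the rule is not in effect.
#   usage: wpad_leases <leases-file>
wpad_leases() {
    awk 'NF >= 4 && tolower($4) == "wpad" { print tolower($2), $3, $4 }' "$1"
}

# dhcp-script entry point. dnsmasq calls the script as
#   <script> add|old|del <MAC> <IP> [<hostname>]
# Builds the one-line message that dhcp2log hands to logger(1), prefixed
# with "known" or "UNKNOWN" depending on whether the MAC is in /etc/ethers.
# The optional 5th argument overrides the ethers path (used by the sample run).
lease_event() {
    action=$1 mac=$2 ip=$3 name=${4:-"*"} ethers=${5:-/etc/ethers}
    if awk -v m="$mac" 'tolower($1) == tolower(m) { found = 1 } END { exit !found }' "$ethers" 2>/dev/null; then
        tag=known
    else
        tag=UNKNOWN
    fi
    printf 'dhcp %s %s %s %s %s\n' "$action" "$tag" "$mac" "$ip" "$name"
}

# Constructed sample data modelled on the gist's files, written to a
# temporary directory whose path is printed. Two leases are added that are
# not in the gist: a MAC with no ethers entry, and a client claiming "wpad".
write_samples() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/leaseaudit.XXXXXX") || return 1
    cat > "$dir/ethers" <<'EOF'
# constructed sample /etc/ethers
BC:24:11:28:0E:A9 nas
BC:24:11:DF:A3:5E printer
EOF
    cat > "$dir/leases" <<'EOF'
1709653637 bc:24:11:28:0e:a9 172.17.0.102 nas bc:24:11:28:0e:a9
1709653649 bc:24:11:df:a3:5e 172.17.0.152 printer bc:24:11:df:a3:5e
1709653700 02:00:00:aa:bb:cc 172.17.0.140 laptop 01:02:00:00:aa:bb:cc
1709653710 02:00:00:dd:ee:ff 172.17.0.141 wpad *
EOF
    echo "$dir"
}

# When installed as the dhcp-script, forward the tagged event to the same
# syslog target the gist's dhcp2log uses:
#   lease_event "$@" | logger -p local3.info -h 172.17.0.1
```

Run unknown_leases /var/db/dnsmasq.leases /etc/ethers after step 17; every line it prints is a device that got an address without being pre-registered, which on a home network is either a new device to add to /etc/ethers or something that should not be there. Because dnsmasq replays all leases through the dhcp-script on SIGHUP, the UNKNOWN tag from lease_event gives the same list in the router's syslog.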
# /etc/resolv.conf
# On FreeBSD, this file is autogenerated by resolvconf(8)
# If running your own DNS server, suggest you: $ service resolv disable
# If resolv is running, point it at whoever is listening on the host
nameserver 127.0.0.1
# /etc/resolvconf.conf
# Entries here contribute to the autogenerated file: /etc/resolv.conf
# Prepend localhost to the dynamically generated list
name_servers=127.0.0.1
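As an added example (not part of the gist), this is the check a practitioner would run for step 16 after the reboot: confirm that the host's own lookups go to dnsmasq first, and surface any DHCP-supplied nameservers that resolvconf(8) left in the file as fallbacks. The function names and the constructed sample files are assumptions; 192.0.2.53 stands in for whatever the WAN DHCP server hands out in option 6.

```shell
#!/bin/sh
# Added example (not from the gist): verify the resolver order produced by
# resolvconf(8) so that the box's own lookups reach dnsmasq on 127.0.0.1.
# Assumed: the function names and the constructed sample files below.

# Print the nameserver addresses from a resolv.conf-style file, in order.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 when the first nameserver is 127.0.0.1. Otherwise print what the
# host would actually query and return 1. Any nameservers after 127.0.0.1
# are reported on stderr: they are the fallbacks the libc resolver moves on
# to if dnsmasq stops answering, so queries would bypass it unnoticed.
resolv_check() {
    first=$(nameservers "$1" | head -n 1)
    if [ "$first" != "127.0.0.1" ]; then
        echo "first nameserver is '${first:-none}', not 127.0.0.1: dnsmasq is not being used"
        return 1
    fi
    nameservers "$1" | sed -n '2,$p' | while read -r ns; do
        echo "fallback nameserver $ns bypasses dnsmasq if 127.0.0.1 stops answering" >&2
    done
    return 0
}

# Constructed samples: the file resolvconf writes with name_servers=127.0.0.1
# set (good), and the one it writes from WAN DHCP alone (bad).
write_resolv_samples() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/resolvcheck.XXXXXX") || return 1
    printf '# constructed: with name_servers=127.0.0.1 in resolvconf.conf\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$dir/good"
    printf '# constructed: without the resolvconf.conf override\nnameserver 192.0.2.53\n' > "$dir/bad"
    echo "$dir"
}

# On the dnsmasq host itself: resolv_check /etc/resolv.conf
```

A fallback line on stderr is not an error, but it is the reason the notes above suggest resolvconf=NO when the WAN nameservers must never be consulted directly.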