≡ Menu


Red Hat has shipped a new version of its dnsmasq caching software to plug source UDP port bug. This could have made DNS spoofing attacks (CVE-2008-1447) easier. Dnsmasq is lightweight ultra fast dns cache server forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network.

This update has been rated as having moderate security impact, to upgrade your software, type the following command:
# yum update

This software only available under RHEL 5 / CentOS Linux 5.x. If you are using Debian / Ubuntu Linux, enter:
# apt-get update
# apt-get upgrade

One of my friend recently send me an email. It reads as follows:

"...My DSL service providers DNS server seems to be little slow, they have two servers it takes little time (some time upto 2 seconds) to resolve a domain name, once domain resolved, browsing speed remains the same, what should I do to improve DNS performance?...."

The answer is use a DNS proxy i.e. Dnsmasq. It is a a lightweight, easy to configure DNS forwarder and optional DHCP server. Dnsmasq is targeted at home networks using NAT and connected to the internet via a modem, cable-modem or ADSL connection but would be a good choice for any small network where low resource use and ease of configuration are important. The main use of the DNS proxy is to increase speed. Generally all computer send their request to ISP's DNS servers. But with DNS proxy request are cached. It stands between your local system and firewall server. Here is our sample network setup, are all desktop system, is our Linux firewall server:

Laptop | Desktop --> Linux Server --> ADSL Modem/Router
                   Firewall -> Dynamic or                          Static IP assign                          by ISP

Login to your Linux firewall server and install Dnsmasq .

Step # 1 : Install Dnsmasq (Debian Linux)

# apt-get install dnsmasq

Fedora/Redhat/Centos user, use yum command to install dnsmasq:

# yum install dnsmasq

RedHat Linux user use rpm/up2date command to install it:

# up2date -i dnsmasq

Step # 2 Configure Dnsmasq

To be frank you don't have to change a single line in /etc/dnsmasq.conf. However you need to setup as dns server name in /etc/resolve.conf file:

# vi /etc/resolve.conf


Replace with your actual ISP DNS server IPS. The dnsmasq should read the list of ISP nameservers from the automatically /etc/resolv.conf. You should list as the first nameserver address in /etc/resolv.conf. So local desktop clients always gets cached queries.

Step # 3 Restart/start Dnsmasq

# /etc/init.d/dnsmasq start

Step # 4 Update DNS server IPS for all desktop systems

Point your windows XP or Linux Desktop client to IP of Linux firewall server i.e. (see above network diagram)

It is easy to use Dnsmasq rather than setting up caching BIND server. But hold on it has some cool usage too. You can add domains which you want to force to specific IP address. For example, doubleclick.net displays ugly adds on many sites, just send this server it to our (i.e. your local server ). Just open a file /etc/dnsmasq.conf and add following line to it:

Restart Dnsmasq and make sure you runs local webserver at with some default page. Read the Dnsmasq man page and docs for more information.