Red Hat has shipped an updated dnsmasq package that fixes a predictable source UDP port bug, a weakness that made DNS cache poisoning attacks (CVE-2008-1447) easier. Dnsmasq is a lightweight, very fast DNS caching forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP to a small network.
One of my friends recently sent me an email. It reads as follows:
“…My DSL service provider's DNS servers seem to be a little slow. They have two servers, and it takes a little time (sometimes up to 2 seconds) to resolve a domain name; once a domain is resolved, browsing speed remains the same. What should I do to improve DNS performance?….”
The answer is to use a DNS proxy, i.e. Dnsmasq. It is a lightweight, easy to configure DNS forwarder and optional DHCP server. Dnsmasq is targeted at home networks using NAT and connected to the Internet via a modem, cable modem or ADSL connection, but it is a good choice for any small network where low resource use and ease of configuration are important. The main reason to run a DNS proxy is speed. Normally every computer sends each request to the ISP's DNS servers. With a DNS proxy, dnsmasq runs on the firewall server and sits between the desktops and the ISP's resolvers: the first lookup for a name is forwarded upstream, and every repeat lookup is answered from the local cache. Here is our sample network setup; 192.168.1.1-3 are desktop systems and 192.168.1.254 is our Linux firewall server:
Laptop / Desktops          Linux Server (Firewall)       ADSL Modem/Router
192.168.1.1          -->   192.168.1.254           -->   Dynamic or static IP
192.168.1.2                                              assigned by the ISP
192.168.1.3
Log in to your Linux firewall server and install Dnsmasq.
Step # 1 : Install Dnsmasq (Debian Linux)
# apt-get install dnsmasq
Fedora, Red Hat and CentOS users can install dnsmasq with the yum command:
# yum install dnsmasq
Users of older Red Hat Enterprise Linux releases can install it with the up2date command:
# up2date -i dnsmasq
Step # 2 : Configure Dnsmasq
To be frank, you do not have to change a single line in /etc/dnsmasq.conf for plain caching. You do, however, need to make 127.0.0.1 the first DNS server in /etc/resolv.conf on the firewall server:
# vi /etc/resolv.conf
Put 127.0.0.1 as the first nameserver line and list your ISP's DNS servers after it (the placeholder addresses 22.214.171.124 and 126.96.36.199 used in this article stand for your actual ISP DNS server IPs). Dnsmasq reads its upstream servers from this same /etc/resolv.conf automatically; it skips the 127.0.0.1 entry itself (logging “ignoring nameserver 127.0.0.1 - local interface”) and forwards to the ISP servers that follow, while the firewall's own lookups go to the local cache first. The desktop clients never see this file; they are pointed at the cache in Step 4.
Step # 3 : Start/restart Dnsmasq
# /etc/init.d/dnsmasq start
Step # 4 : Update the DNS server IPs on all desktop systems
Point your Windows XP or Linux desktop clients at the IP of the Linux firewall server, i.e. 192.168.1.254 (see the network diagram above). Make sure the firewall accepts UDP and TCP port 53 from the LAN interface only: dnsmasq listens on every interface by default, so if port 53 is also reachable on the ISP-facing side the box becomes an open resolver for the whole Internet. Restrict it with interface= or listen-address= in /etc/dnsmasq.conf, or with firewall rules, or both.
It is easier to use Dnsmasq than to set up a caching BIND server, and it has some other handy uses too. You can force domains of your choice to resolve to a specific IP address. For example, doubleclick.net displays ugly ads on many sites; to sink it, open /etc/dnsmasq.conf and add the following line (it matches doubleclick.net and every subdomain of it):
address=/doubleclick.net/127.0.0.1
Restart Dnsmasq afterwards. Note that 127.0.0.1 is the loopback address of whichever client asked, so a desktop browser receiving it connects to itself and the ad request simply fails. If you would rather serve a blank page, point the domain at the firewall's LAN address (192.168.1.254) instead and run a local web server there with an empty default page. Read the Dnsmasq man page and docs for more information.
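The whole setup from Steps 2 to 4 together with the ad-blocking trick, as an added example (this is not code from the article or from the dnsmasq project): a small POSIX shell script that renders /etc/resolv.conf, /etc/dnsmasq.conf and the iptables rules for the sample network above, checks that the resolver order is right, and writes the files only when run as root with the argument apply. The LAN interface name eth1, the blocked-domain list and the ISP nameserver placeholders are assumptions; the dnsmasq options used (listen-address, bind-interfaces, cache-size, address) are documented dnsmasq options.

```shell
#!/bin/sh
# Added example for the dnsmasq caching-proxy setup; not the article's code.
# Without arguments it prints the generated files; "sh setup.sh apply" as root
# on the firewall writes them and restarts dnsmasq.
LAN_IP=192.168.1.254                      # firewall's LAN address (from the article)
LAN_IF=eth1                               # hypothetical LAN-facing interface name
ISP_DNS="22.214.171.124 126.96.36.199"    # the article's placeholder ISP resolvers
BLOCKED="doubleclick.net"                 # constructed block list, space-separated

# Step 2: /etc/resolv.conf for the firewall itself. 127.0.0.1 comes first so
# the box's own lookups hit the cache; dnsmasq reads the same file for its
# upstreams, skips the loopback entry and forwards to the ISP servers after it.
render_resolv_conf() {
    printf 'nameserver 127.0.0.1\n'
    for ns in $ISP_DNS; do
        printf 'nameserver %s\n' "$ns"
    done
}

# Reject a resolv.conf body unless 127.0.0.1 is the first nameserver and at
# least one real upstream follows it (otherwise dnsmasq has nothing to forward to).
check_resolv_conf() {
    first=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    [ "$first" = "127.0.0.1" ] || return 1
    upstreams=$(printf '%s\n' "$1" |
        awk '$1 == "nameserver" && $2 != "127.0.0.1" { n++ } END { print n + 0 }')
    [ "$upstreams" -ge 1 ]
}

# /etc/dnsmasq.conf: answer only on loopback and the LAN address. Left at the
# default, dnsmasq listens on every interface, including the ISP-facing one,
# and the firewall becomes an open resolver. Blocked domains (and all their
# subdomains) are pinned to the firewall's LAN IP rather than 127.0.0.1: a
# client that receives 127.0.0.1 connects to itself, not to a web server on
# the firewall that could serve a blank page.
render_dnsmasq_conf() {
    printf 'listen-address=127.0.0.1\n'
    printf 'listen-address=%s\n' "$LAN_IP"
    printf 'bind-interfaces\n'
    printf 'cache-size=1000\n'
    for d in $BLOCKED; do
        printf 'address=/%s/%s\n' "$d" "$LAN_IP"
    done
}

# Step 4 companion: accept DNS from the LAN interface only, drop it elsewhere.
render_firewall_rules() {
    printf 'iptables -A INPUT -i %s -p udp --dport 53 -j ACCEPT\n' "$LAN_IF"
    printf 'iptables -A INPUT -i %s -p tcp --dport 53 -j ACCEPT\n' "$LAN_IF"
    printf 'iptables -A INPUT -p udp --dport 53 -j DROP\n'
    printf 'iptables -A INPUT -p tcp --dport 53 -j DROP\n'
}

# Number of address= sink lines in a dnsmasq.conf body.
count_block_lines() {
    printf '%s\n' "$1" | awk '/^address=\// { n++ } END { print n + 0 }'
}

# Write the files and apply the rules; refuses to proceed on a bad resolv.conf.
apply_config() {
    conf=$(render_resolv_conf)
    check_resolv_conf "$conf" || { echo "bad resolv.conf, refusing to apply" >&2; return 1; }
    printf '%s\n' "$conf" > /etc/resolv.conf
    render_dnsmasq_conf > /etc/dnsmasq.conf
    render_firewall_rules | sh
    /etc/init.d/dnsmasq restart
}

if [ "${1:-}" = "apply" ]; then
    apply_config
else
    render_resolv_conf
    render_dnsmasq_conf
    render_firewall_rules
fi
```

After applying, run the same lookup twice from a desktop with dig or nslookup against 192.168.1.254; the second answer should come back in a few milliseconds, which is the whole point of the cache.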