dnsmasq

Author: Jackson Chen

Reference

https://github.com/imp/dnsmasq/blob/master/dnsmasq.conf.example

https://www.teknynja.com/2009/06/to-protect-and-surf-dnsmasq-and.html

I went ahead and installed it on my file server (running Ubuntu, of course) using sudo apt-get install dnsmasq. Looking at all the options in the man page and in the /etc/dnsmasq.conf file was overwhelming at first, but it didn't take too long to figure things out. One of the things I discovered was that you can assign specific outside DNS servers for specific domains. I realized that if I blocked off any other way for it to resolve domain names except for this feature, I could use it like a whitelist! A little experimenting proved that it did indeed work. Here is the dnsmasq.conf that I am using right now:

domain-needed
bogus-priv
log-queries
log-facility=/var/log/dnsmasq.log
no-resolv
interface=eth0

# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1
server=/google.com/192.168.0.1
server=/dan-dare.org/192.168.0.1
server=/dan-dare.net/192.168.0.1
server=/pbskids.org/192.168.0.1
server=/playhousedisney.com/192.168.0.1
server=/disney.go.com/192.168.0.1
server=/starfall.com/192.168.0.1

The first few lines do the actual configuration of dnsmasq: domain-needed & bogus-priv block Windows machines from passing noise traffic; log-queries & log-facility tell dnsmasq to log all DNS requests to the /var/log/dnsmasq.log file (useful for determining the domains required by websites, but this can be turned off to save space); no-resolv tells it to ignore the resolv.conf file, which usually lists the outside DNS servers to use; and finally interface tells the service which network interface to bind to.

The rest of the “server” lines implement the whitelist, telling dnsmasq to look for the specified domain's IP address using the specified DNS server. In this case, I simply pointed to the DNS server in my local network's router (192.168.0.1). Any other domains are simply returned as being invalid. To populate this list, I simply attempted to browse to the sites that are blocked and required, and then looked in the /var/log/dnsmasq.log file to see what domains were being requested, then entered them into the dnsmasq.conf file. After each update to the configuration file, I needed to sudo /etc/init.d/dnsmasq restart to get the service to re-read the file.

https://github.com/dave-kennedy/whitelist

It is better to categorize the DNS entries:

#[Options]
bogus-priv
domain-needed
no-resolv

#[Category: Forums]
server=/stackauth.com/8.8.8.8
server=/stackexchange.com/8.8.8.8
server=/stackoverflow.com/8.8.8.8

#[Category: Games]
server=/steampowered.com/8.8.8.8
server=/teamfortress.com/8.8.8.8 #This is a comment
server=/valvesoftware.com/8.8.8.8

#Games are awesome
server=/gog.com/8.8.8.8

#[Category: Search Engines]
server=/bing.com/8.8.8.8
server=/duckduckgo.com/8.8.8.8
server=/google.com/8.8.8.8
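As an added example (not code from this page, the teknynja article, or the dave-kennedy/whitelist project), the Python script below automates the populate-from-log step described in the quoted article and works against a categorized configuration like the one just above: it reads the active server=/domain/upstream lines from a dnsmasq.conf, skips the commented-out ones, reads the "query[TYPE] name from client" lines that log-queries writes, applies dnsmasq's suffix-on-a-label-boundary matching (server=/google.com/ covers www.google.com but not notgoogle.com), and emits candidate server= lines for any queried name no entry covers. The configuration text and log lines are constructed samples, and the upstream address in the generated lines is a placeholder the operator replaces with their own resolver.

```python
import re
from collections import Counter

# Constructed sample of a whitelist-style dnsmasq.conf in the page's format.
SAMPLE_CONF = """\
domain-needed
bogus-priv
log-queries
log-facility=/var/log/dnsmasq.log
no-resolv
interface=eth0
#server=/localnet/192.168.0.1
#[Category: Search Engines]
server=/google.com/192.168.0.1
#[Category: Kids]
server=/pbskids.org/192.168.0.1
#[Category: Games]
server=/teamfortress.com/8.8.8.8
"""

# Constructed sample of log-queries output ("query[TYPE] name from client").
SAMPLE_LOG = """\
Jun  6 12:00:01 dnsmasq[1234]: query[A] www.google.com from 192.168.0.10
Jun  6 12:00:01 dnsmasq[1234]: forwarded www.google.com to 192.168.0.1
Jun  6 12:00:02 dnsmasq[1234]: query[AAAA] www.google.com from 192.168.0.10
Jun  6 12:00:03 dnsmasq[1234]: query[A] notgoogle.com from 192.168.0.10
Jun  6 12:00:04 dnsmasq[1234]: query[A] cdn.pbskids.org from 192.168.0.11
Jun  6 12:00:05 dnsmasq[1234]: query[A] static.example-cdn.net from 192.168.0.11
Jun  6 12:00:06 dnsmasq[1234]: query[A] static.example-cdn.net from 192.168.0.11
Jun  6 12:00:07 dnsmasq[1234]: query[A] tracker.example.org from 192.168.0.10
"""

SERVER_RE = re.compile(r"^server=/([^/]+)/(\S+)")
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\]\s+(\S+)\s+from\s+(\S+)")


def parse_whitelist(conf_text):
    """Return {domain: upstream} for every active server=/domain/upstream line.
    Lines beginning with '#' are comments (per the dnsmasq man page) and are skipped,
    so a disabled entry such as #server=/localnet/... never counts as whitelisted."""
    whitelist = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SERVER_RE.match(line)
        if m:
            whitelist[m.group(1).lower().rstrip(".")] = m.group(2)
    return whitelist


def is_whitelisted(name, whitelist):
    """server=/domain/ in dnsmasq matches the domain itself and any subdomain.
    Match on a label boundary so 'notgoogle.com' is not covered by 'google.com'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in whitelist)


def queried_names(log_text):
    """Count every name clients asked for, taken from the query[TYPE] lines only
    (the 'forwarded'/'reply' lines repeat the same names and are ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[m.group(1).lower().rstrip(".")] += 1
    return counts


def unlisted_candidates(log_text, whitelist):
    """(name, query_count) pairs for queried names that no whitelist entry covers,
    most-requested first so the names a site actually depends on surface at the top."""
    counts = queried_names(log_text)
    missing = [(n, c) for n, c in counts.items() if not is_whitelisted(n, whitelist)]
    return sorted(missing, key=lambda nc: (-nc[1], nc[0]))


def render_server_lines(candidates, upstream="UPSTREAM_IP_PLACEHOLDER"):
    """Turn candidates into server= lines for the operator to review. The query
    count goes on its own comment line rather than trailing the option, and the
    upstream is a placeholder (assumption: the operator substitutes their resolver)."""
    out = []
    for name, count in candidates:
        out.append(f"# seen {count} time(s) in dnsmasq.log")
        out.append(f"server=/{name}/{upstream}")
    return "\n".join(out)


if __name__ == "__main__":
    # Real use: replace the samples with open('/etc/dnsmasq.conf').read()
    # and open('/var/log/dnsmasq.log').read().
    wl = parse_whitelist(SAMPLE_CONF)
    print(render_server_lines(unlisted_candidates(SAMPLE_LOG, wl)))
```

The generated lines are suggestions to be reviewed, not appended blindly: every site pulls in CDNs and trackers, and each name added widens the whitelist for every client behind the resolver. After editing dnsmasq.conf, restart the service as the article describes so the new server= lines take effect.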