A small issue with DNSmasq

June 23, 2016

Most of the content on this site is original; please credit www.alexclouds.net when reposting.

For a project I used DNSmasq as a caching resolver, and noticed a distinction between its TTL options that is easy to miss.

 

Three options therefore matter quite a bit:

--max-ttl=<time> Set a maximum TTL value that will be handed out to clients. The specified maximum TTL will be given to clients instead of the true TTL value if it is lower. The true TTL value is however kept in the cache to avoid flooding the upstream DNS servers.

--max-cache-ttl=<time> Set a maximum TTL value for entries in the cache.

--min-cache-ttl=<time> Extend short TTL values to the time given when caching them. Note that artificially extending TTL values is in general a bad idea, do not do it unless you have a good reason, and understand what you are doing. Dnsmasq limits the value of this option to one hour, unless recompiled.

 

min-cache-ttl=300 raises the minimum cache TTL to 300 s, i.e. 5 minutes.

16.04-dnsmasq-min-cache-ttl
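As an added illustration (not code from this post or from the dnsmasq project), the small Python model below follows the three man-page descriptions quoted above and shows how they interact: max-cache-ttl and min-cache-ttl shape what is stored in the cache, while max-ttl only lowers what clients are told. The 3600 s ceiling is the compiled-in limit on min-cache-ttl that the man page mentions; the exact order in which dnsmasq applies the bounds is an assumption here.

```python
# Model of dnsmasq's three TTL options, written from the man-page text.
# Assumption: max-cache-ttl is applied before min-cache-ttl, and max-ttl is
# applied only to the TTL handed to clients, never to the cached value.
from dataclasses import dataclass
from typing import Optional

MIN_CACHE_TTL_CEILING = 3600  # dnsmasq limits --min-cache-ttl to one hour unless recompiled


@dataclass
class TtlPolicy:
    max_ttl: Optional[int] = None         # --max-ttl
    max_cache_ttl: Optional[int] = None   # --max-cache-ttl
    min_cache_ttl: Optional[int] = None   # --min-cache-ttl

    def cached_ttl(self, upstream_ttl: int) -> int:
        """TTL kept in the cache for an answer whose upstream TTL is upstream_ttl."""
        ttl = upstream_ttl
        if self.max_cache_ttl is not None and ttl > self.max_cache_ttl:
            ttl = self.max_cache_ttl
        if self.min_cache_ttl is not None:
            floor = min(self.min_cache_ttl, MIN_CACHE_TTL_CEILING)
            if ttl < floor:
                ttl = floor  # short TTL artificially extended, as the man page warns
        return ttl

    def client_ttl(self, upstream_ttl: int) -> int:
        """TTL the client sees: the cached TTL, capped by --max-ttl."""
        ttl = self.cached_ttl(upstream_ttl)
        if self.max_ttl is not None and ttl > self.max_ttl:
            ttl = self.max_ttl
        return ttl


if __name__ == "__main__":
    # The setting used in this post: min-cache-ttl=300.
    post = TtlPolicy(min_cache_ttl=300)
    for upstream in (30, 300, 900):
        print(f"min-cache-ttl=300: upstream {upstream:>4}s -> cached {post.cached_ttl(upstream)}s")
    # Contrast: max-ttl=60 keeps the true TTL in cache but tells clients 60 s.
    capped = TtlPolicy(max_ttl=60)
    print(f"max-ttl=60: upstream 3600s -> cached {capped.cached_ttl(3600)}s, client {capped.client_ttl(3600)}s")
```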

 

With raw (unprotected) DNS resolution under pollution, the www record for facebook returns two completely different results, so one of them is necessarily fake:

 

www.facebook.com pollution

 

The sketch below shows what is going on between a client and a DNS provider in China.

 

client                                                      |------ Most vulnerable to modification ------|
Laptop/workstation/phone/tablet -----> office router -----> ISP --------> the Internet --------> DNS Server
                                                            |-------- Should be secured by DNSSEC --------|

 

DNSCrypt is an effective countermeasure against DNS modification, hijacking and similar attacks.

 

dnscrypt_proxy

 

The project needs several dnsmasq instances on one server, so the default dnsmasq service must be stopped from starting:

#sudo apt-get install sysv-rc-conf

#sudo sysv-rc-conf dnsmasq off

 

As a reference, the two dnsmasq instances can be started from /etc/rc.local or /etc/init.d/rc.local with lines like these:

 

/usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -p 53 -C /etc/dnsmasq.conf -7 /etc/dnsmasq.d

/usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq1.pid -u dnsmasq -p 5503 -C /etc/dnsmasq1.conf -7 /etc/dnsmasq.d

 

port 5503

 

root@DNS-xx:/etc/dnsmasq.d# dnsmasq --help
Usage: dnsmasq [options]

Valid options are:
-a, --listen-address=ipaddr             Specify local address(es) to listen on.
-A, --address=/domain/ipaddr            Return ipaddr for all hosts in specified domains.
-b, --bogus-priv                        Fake reverse lookups for RFC1918 private address ranges.
-B, --bogus-nxdomain=ipaddr             Treat ipaddr as NXDOMAIN (defeats Verisign wildcard).
-c, --cache-size=cachesize              Specify the size of the cache in entries (defaults to 150).
-C, --conf-file=path                    Specify configuration file (defaults to /etc/dnsmasq.conf).
-d, --no-daemon                         Do NOT fork into the background: run in debug mode.
-D, --domain-needed                     Do NOT forward queries with no domain part.
-e, --selfmx                            Return self-pointing MX records for local hosts.
-E, --expand-hosts                      Expand simple names in /etc/hosts with domain-suffix.
-f, --filterwin2k                       Don't forward spurious DNS requests from Windows hosts.
-F, --dhcp-range=ipaddr,ipaddr,time     Enable DHCP in the range given with lease duration.
-g, --group=groupname                   Change to this group after startup (defaults to dip).
-G, --dhcp-host=<hostspec>              Set address or hostname for a specified machine.
    --dhcp-hostsfile=<filename>         Read DHCP host specs from file.
    --dhcp-optsfile=<filename>          Read DHCP option specs from file.
    --tag-if=tag-expression             Evaluate conditional tag expression.
-h, --no-hosts                          Do NOT load /etc/hosts file.
-H, --addn-hosts=path                   Specify a hosts file to be read in addition to /etc/hosts.
-i, --interface=interface               Specify interface(s) to listen on.
-I, --except-interface=int              Specify interface(s) NOT to listen on.
-j, --dhcp-userclass=set:<tag>,<class>  Map DHCP user class to tag.
    --dhcp-circuitid=set:<tag>,<circuit>Map RFC3046 circuit-id to tag.
    --dhcp-remoteid=set:<tag>,<remote>  Map RFC3046 remote-id to tag.
    --dhcp-subscrid=set:<tag>,<remote>  Map RFC3993 subscriber-id to tag.
-J, --dhcp-ignore=tag:<tag>...          Don't do DHCP for hosts with tag set.
    --dhcp-broadcast[=tag:<tag>...]     Force broadcast replies for hosts with tag set.
-k, --keep-in-foreground                Do NOT fork into the background, do NOT run in debug mode.
-K, --dhcp-authoritative                Assume we are the only DHCP server on the local network.
-l, --dhcp-leasefile=path               Specify where to store DHCP leases (defaults to /var/lib/misc/dnsmasq.leases).
-L, --localmx                           Return MX records for local hosts.
-m, --mx-host=host_name,target,pref     Specify an MX record.
-M, --dhcp-boot=<bootp opts>            Specify BOOTP options to DHCP server.
-n, --no-poll                           Do NOT poll /etc/resolv.conf file, reload only on SIGHUP.
-N, --no-negcache                       Do NOT cache failed search results.
-o, --strict-order                      Use nameservers strictly in the order given in /etc/resolv.conf.
-O, --dhcp-option=<optspec>             Specify options to be sent to DHCP clients.
    --dhcp-option-force=<optspec>       DHCP option sent even if the client does not request it.
-p, --port=number                       Specify port to listen for DNS requests on (defaults to 53).
-P, --edns-packet-max=<size>            Maximum supported UDP packet size for EDNS.0 (defaults to 4096).
-q, --log-queries                       Log DNS queries.
-Q, --query-port=number                 Force the originating port for upstream DNS queries.
-R, --no-resolv                         Do NOT read resolv.conf.
-r, --resolv-file=path                  Specify path to resolv.conf (defaults to /etc/resolv.conf).
-S, --server=/domain/ipaddr             Specify address(es) of upstream servers with optional domains.
    --local=/domain/                    Never forward queries to specified domains.
-s, --domain=<domain>[,<range>]         Specify the domain to be assigned in DHCP leases.
-t, --mx-target=host_name               Specify default target in an MX record.
-T, --local-ttl=time                    Specify time-to-live in seconds for replies from /etc/hosts.
    --neg-ttl=time                      Specify time-to-live in seconds for negative caching.
    --max-ttl=time                      Specify time-to-live in seconds for maximum TTL to send to clients.
-u, --user=username                     Change to this user after startup. (defaults to nobody).
-U, --dhcp-vendorclass=set:<tag>,<class>Map DHCP vendor class to tag.
-v, --version                           Display dnsmasq version and copyright information.
-V, --alias=addr,addr,mask              Translate IPv4 addresses from upstream servers.
-W, --srv-host=name,target,...          Specify a SRV record.
-w, --help                              Display this message. Use --help dhcp for known DHCP options.
-x, --pid-file=path                     Specify path of PID file (defaults to /var/run/dnsmasq.pid).
-X, --dhcp-lease-max=number             Specify maximum number of DHCP leases (defaults to 1000).
-y, --localise-queries                  Answer DNS queries based on the interface a query was sent to.
-Y, --txt-record=name,txt....           Specify TXT DNS record.
    --ptr-record=name,target            Specify PTR DNS record.
    --interface-name=name,interface     Give DNS name to IPv4 address of interface.
-z, --bind-interfaces                   Bind only to interfaces in use.
-Z, --read-ethers                       Read DHCP static host information from /etc/ethers.
-1, --enable-dbus                       Enable the DBus interface for setting upstream servers, etc.
-2, --no-dhcp-interface=interface       Do not provide DHCP on this interface, only provide DNS.
-3, --bootp-dynamic[=tag:<tag>]...      Enable dynamic address allocation for bootp.
-4, --dhcp-mac=set:<tag>,<mac address>  Map MAC address (with wildcards) to option set.
    --bridge-interface=iface,alias,..   Treat DHCP requests on aliases as arriving from interface.
-5, --no-ping                           Disable ICMP echo address checking in the DHCP server.
-6, --dhcp-script=path                  Script to run on DHCP lease creation and destruction.
-7, --conf-dir=path                     Read configuration from all the files in this directory.
-8, --log-facility=<facilty>|<file>     Log to this syslog facility or file. (defaults to DAEMON)
-9, --leasefile-ro                      Do not use leasefile.
-0, --dns-forward-max=<queries>         Maximum number of concurrent DNS queries. (defaults to 150)
    --clear-on-reload                   Clear DNS cache when reloading /etc/resolv.conf.
    --dhcp-ignore-names[=tag:<tag>]...  Ignore hostnames provided by DHCP clients.
    --dhcp-no-override                  Do NOT reuse filename and server fields for extra DHCP options.
    --enable-tftp[=<interface>]         Enable integrated read-only TFTP server.
    --tftp-root=<dir>[,<iface>]         Export files by TFTP only from the specified subtree.
    --tftp-unique-root                  Add client IP address to tftp-root.
    --tftp-secure                       Allow access only to files owned by the user running dnsmasq.
    --tftp-max=<connections>            Maximum number of conncurrent TFTP transfers (defaults to 50).
    --tftp-no-blocksize                 Disable the TFTP blocksize extension.
    --tftp-port-range=<start>,<end>     Ephemeral port range for use by TFTP transfers.
    --log-dhcp                          Extra logging for DHCP.
    --log-async[=<log lines>]           Enable async. logging; optionally set queue length.
    --stop-dns-rebind                   Stop DNS rebinding. Filter private IP ranges when resolving.
    --rebind-localhost-ok               Allow rebinding of 127.0.0.0/8, for RBL servers.
    --rebind-domain-ok=/domain/         Inhibit DNS-rebind protection on this domain.
    --all-servers                       Always perform DNS queries to all servers.
    --dhcp-match=set:<tag>,<optspec>    Set tag if client includes matching option in request.
    --dhcp-alternate-port[=<ports>]     Use alternative ports for DHCP.
    --dhcp-scriptuser=<username>        Run lease-change script as this user.
    --naptr-record=<name>,<naptr>       Specify NAPTR DNS record.
    --min-port=<port>                   Specify lowest port available for DNS query transmission.
    --dhcp-fqdn                         Use only fully qualified domain names for DHCP clients.
    --dhcp-generate-names[=tag:<tag>]...Generate hostnames based on MAC address for nameless clients.
    --dhcp-proxy[=<ip_address>]...      Use these DHCP relays as full proxies.
    --cname=<alias>,<target>            Specify alias name for LOCAL DNS name.
    --pxe-prompt=<prompt>,[<timeout>]   Prompt to send to PXE clients.
    --pxe-service=<service>             Boot service for PXE menu.
    --test                              Check configuration syntax.
    --add-mac                           Add requestor's MAC address to forwarded DNS queries.
    --proxy-dnssec                      Proxy DNSSEC validation results from upstream nameservers.
    --dhcp-sequential-ip                Attempt to allocate sequential IP addresses to DHCP clients.
    --conntrack                         Copy connection-track mark from queries to upstream connections.
