On Debian I just sudo apt-get -y install dnsmasq to get it, and it is configured by /etc/dnsmasq.conf as well as the files in /etc/dnsmasq.d. I like to comment out all of the settings in the .conf file except for just a few lines that I add at the bottom:
conf-dir=/etc/dnsmasq.d
conf-file=/etc/ad_hosts.txt
addn-hosts=/etc/mvp_hosts.txt
The first line tells dnsmasq to process the files in the dnsmasq.d directory, the second tells it to read /etc/ad_hosts.txt as a dnsmasq config file (so that file holds dnsmasq directives such as address= lines), and the third tells it to treat /etc/mvp_hosts.txt as a hosts file in the same format as /etc/hosts. This allows me to put separate .conf files in /etc/dnsmasq.d, which all get processed, so I can split my config into manageable chunks.
For example, /etc/dnsmasq.d/local_dns.conf can be used to set up names for devices on your internal network like this (note that address= answers for the given name and for everything under it, so foo.www.network.home gets the same answer, and it creates no reverse record; for an exact per-host entry with a matching PTR, host-record= is the better fit):
address=/server1.network.home/192.168.1.2
address=/server2.network.home/192.168.1.3
address=/www.network.home/192.168.1.21
address=/pc1.network.home/192.168.1.101
address=/pc2.network.home/192.168.1.102
Now, to add support for the MVPHosts file, set up a weekly cron job that downloads it and restarts dnsmasq:
# download to a temp name so a failed download cannot truncate the live list
wget -q -O /etc/mvp_hosts.txt.new http://winhelp2002.mvps.org/hosts.txt && \
mv /etc/mvp_hosts.txt.new /etc/mvp_hosts.txt && /etc/init.d/dnsmasq restart
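Here is a fuller version of that weekly job, covering both lists, added as an example and not part of the original howto. It downloads each list to a temporary file, checks that every entry only maps a name to 0.0.0.0 or 127.0.0.1, installs it atomically, syntax-checks the config and only then restarts dnsmasq. The check matters because the lists arrive over plain HTTP with nothing to verify their integrity: a tampered hosts list could point a name at an attacker's address instead of a sink, and because /etc/ad_hosts.txt is read with conf-file= it is dnsmasq configuration, so a tampered copy could carry any option at all, including ones such as dhcp-script= that run a program. Assumptions not in the original: the URL of the personal list (lists.example.invalid) and the script path; the MVPS URL and the two file paths are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original howto: safer weekly update of the two
# block lists. Run from root's crontab, e.g.
#   17 4 * * 0 /usr/local/sbin/update-blocklists run
# (the script path and the personal list URL below are assumptions).

SINK='(0\.0\.0\.0|127\.0\.0\.1)'

# validate_list hosts|conf FILE
# Every non-blank, non-comment line must map a name to a sink address, and the
# list must contain at least one entry. A list fetched over plain HTTP has no
# integrity protection, so anything else (a real IP, any other dnsmasq option)
# is treated as damage or tampering and the file is refused.
validate_list() {
    mode=$1; file=$2
    case $mode in
        # hosts(5) format, as read by addn-hosts=: "0.0.0.0 name [name...] [#comment]"
        hosts) entry="^$SINK([[:space:]]+[A-Za-z0-9._-]+)+[[:space:]]*(#.*)?$" ;;
        # dnsmasq syntax, as read by conf-file=: "address=/name/127.0.0.1" only
        conf)  entry="^address=(/[A-Za-z0-9._-]+)+/$SINK[[:space:]]*$" ;;
        *)     return 2 ;;
    esac
    if tr -d '\r' < "$file" | grep -Ev '^[[:space:]]*(#|$)' | grep -Evq "$entry"; then
        return 1                                  # a line that is not an allowed entry
    fi
    tr -d '\r' < "$file" | grep -Eq "$entry"      # an empty list would silently turn blocking off
}

# fetch_list hosts|conf URL DEST
# Downloads to a temp file beside DEST, validates, then renames into place, so
# the live list is never truncated or replaced by a bad download (a plain
# "wget -O DEST" truncates DEST before the transfer has succeeded).
fetch_list() {
    mode=$1; url=$2; dest=$3
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    status=1
    if wget -q -O "$tmp" "$url" && validate_list "$mode" "$tmp"; then
        # normalise line endings and make the file readable by the dnsmasq user
        tr -d '\r' < "$tmp" > "$tmp.lf" && chmod 644 "$tmp.lf" && mv "$tmp.lf" "$dest"
        status=$?
    fi
    rm -f "$tmp" "$tmp.lf"
    return "$status"
}

update_lists() {
    changed=0
    fetch_list hosts http://winhelp2002.mvps.org/hosts.txt /etc/mvp_hosts.txt && changed=1
    # assumed URL; the howto does not say where the personal list is fetched from
    fetch_list conf http://lists.example.invalid/ad_hosts.txt /etc/ad_hosts.txt && changed=1
    [ "$changed" -eq 1 ] || return 0
    # ad_hosts.txt is pulled in with conf-file=, which a SIGHUP does not re-read, so a
    # restart is needed; syntax-check first so a bad config cannot leave dnsmasq stopped.
    dnsmasq --test && /etc/init.d/dnsmasq restart
}

# Exercise the validator offline on constructed sample lists (not real downloads).
self_check() {
    good=$(mktemp) bad=$(mktemp)
    printf '# MVPS-style list\r\n127.0.0.1 localhost\r\n0.0.0.0 ad.example.com #[Adware]\r\n' > "$good"
    printf 'address=/ads.example.org/0.0.0.0\ndhcp-script=/tmp/owned\n' > "$bad"   # config injection
    validate_list hosts "$good" && ! validate_list conf "$bad"
    rc=$?
    rm -f "$good" "$bad"
    return "$rc"
}

case "${1-}" in run) update_lists ;; esac
```

If the published list ever legitimately contains a line shape the patterns do not allow, widen the pattern deliberately rather than dropping the check; refusing a list leaves the previous copy in place, which is the safe failure.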
For the ad_hosts.txt file I basically have the same cron'ed script except that it downloads my personal list of hosts I don't like. Now you can test your setup by pointing nslookup at your dnsmasq box and trying some queries:
nslookup www.doubleclick.net 192.168.1.2
Server: 192.168.1.2
Address: 192.168.1.2#53
Name: www.doubleclick.net
Address: 127.0.0.1
If you do the same query against the DNS server 8.8.8.8 you will likely see a very different answer. Now that your DNS server works, you need your clients to use it instead of your default DNS server (probably your router). On my dd-wrt router I just went to the "Services" page of the dd-wrt admin interface and added this to the dnsmasq section
dhcp-option=option:dns-server,192.168.1.2
Yes, it is true that my dd-wrt router is already using dnsmasq, but I chose to run a separate instance on a Debian box because the dd-wrt design makes its dnsmasq a pain to configure. I use it for DHCP but not this kind of detailed DNS config. So renew an IP address on one of your clients and try a direct DNS query:
C:\>nslookup www.doubleclick.net
Server: UnKnown
Address: 192.168.1.2
Name: www.doubleclick.net
Address: 127.0.0.1
(The "UnKnown" server name is just Windows nslookup failing its reverse lookup of 192.168.1.2, for which dnsmasq has no PTR record; the answer is what matters.) Now every name in the MVPHosts file, and in the list I maintain of crappy hosts, resolves to 127.0.0.1 for your clients, so they cannot reach those servers by name. A client that already knows a server's IP address can still connect to it directly.
Now... what if Microsoft was smart enough to design its "phone home" ware to use a special DNS server other than your default one? Well, head back into the dd-wrt admin page and click on the "Access Restrictions" tab to set up a restriction that blocks your clients from using DNS servers outside your network, like this:
You'll need to click on the Client List button to define the IP addresses on your network that should not have access to DNS through the firewall. Of course you will need to keep your new DNS server off this list, because it still needs to send its upstream queries out. Your client PCs should now get this:
C:\>nslookup www.doubleclick.net 8.8.8.8
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 8.8.8.8
when trying to query external DNS servers. Now your client PCs cannot resolve these "bad names" while on your network. It should be clear though that mobile devices will not be protected while on networks other than your own. If anyone has any suggestions about my list or this howto please let me know. :-)
S.