Dnsmasq is a combined DNS and DHCP server that can be used for small networks.
The goal is to create a DHCP/DNS server that allows unrestricted Internet access for some devices and restriced Internet access for others. Unrestricted Internet access will use CloudFlare’s DNS service and restricted DNS access will be controlled by OpenDNS. You can of course use an atlernate DNS provider for unrestricted access, e.g. your ISP’s DNS servers, Google DNS etc.
If a user has the ability to change the DNS servers used by their device then they can easily get around any DNS content restrictions created here.
In this example, our Raspberry Pi has been given the static IP address of 192.168.0.2 and the doman of our LAN is home.mydomain.com. Change these to match your network.
OpenDNS is free for home users. It allows you to customise which web sites your devices on your home network can access. As described above, we will send devices that require restricted Internet access (e.g. children’s tablets).
Once you have signed up for a free account, log in and add your home network under Settings.
OpenDNS needs to know what your external IP address (i.e. the IP address assigned to the WAN port on your router by your ISP).
Go to whatismyip.com to find your external IP and add it to your account with the label Home.
To automatically tell OpenDNS when your external IP address changes we can use dynamic DNS client to do this for us.
pacman -S ddclient
Add to the end of /etc/ddclient/ddclient.conf:
server=updates.opendns.com protocol=dyndns2 firstname.lastname@example.org password='YOUR_OPENDNS_PASSWORD' Home
Now start and enable the service:
systemctl start ddclient systemctl enable ddclient
Check that the service is running ok:
systemctl status ddclient
Back in your OpenDNS account, go to Settings and click the IP address of your home network. This will take you to the Web Content Filtering settings for your network.
In the screen shot below, you can see that we have restricted Internet access to several categories of web sites:
You can add exceptions also. In this case we have allowed access to Google.com and Google.co.uk but we will make sure that these get redirected to Google’s Safe Search via
dnsmasq later (see below).
bind-tools like so:
pacman -S dnsmasq bind-tools
Next we need to tell
dnsmasq to read additional configuration options from
/etc/dnsmasq.d. First create the directory:
mkdir -p /etc/dnsmasq.d
Now add to
Add static hosts on your network to
/etc/hosts. Dnsmasq will parse any hosts found in this file and add DNS entries for them automatically. In this example we have two entries: one for the router and one for the Raspberry Pi:
192.168.0.1 home.mydomain.com.router router 192.168.0.2 home.mydomain.com.rpi rpi
/etc/resolv.dnsmasq.conf file for
dnsmasq to use. This file defines which DNS servers to forward DNS requests onto by default:
nameserver 22.214.171.124 nameserver 126.96.36.199
In this case we are using CloudFlare’s DNS service but you can set them to a provider of your choice if you wish.
To force all Google domains to use Google’s Safe Search we can tell Dnsmasq to create cname entries for all of Google’s domains like so:
curl -s https://www.google.com/supported_domains| while read a; do echo "address=/www$a/188.8.131.52"; done > /etc/dnsmasq.d/google.conf
/etc/dnsmasq.d/my.conf to define the hosts etc. on our network. Hosts in the red zone will get a restricted DNS service from OpenDNS. Hosts in the green zone will get unrestricted DNS access from CloudFlare.
# listen on eth0 for DNS and DHCP requests interface=eth0 bind-interfaces # use this file for DNS forwarders (CloudFlare) resolv-file=/etc/resolv.dnsmasq.conf # domain for home LAN domain=home.mydomain.com # get static hosts from /etc/hosts expand-hosts # by default, hosts get restricted DNS via OpenDNS # hosts can be assigned addresses from 192.168.10 to 192.168.0.254 dhcp-range=set:red,192.168.0.10,192.168.0.254,12h # example reserved DHCP entries dhcp-host=70:9e:XX:XX:XX:XX,ps4,192.168.0.10,set:green dhcp-host=b8:27:XX:XX:XX:XX,pc,192.168.0.12,set:green # example restricted devices dhcp-host=AC:63:XX:XX:XX:XX,amazonfire-kids1,192.168.0.107,set:red dhcp-host=cc:9e:XX:XX:XX:XX,amazonfire-kids2,192.168.0.111,set:red
If you have a Real Time Clock for your Raspberry Pi (see Real Time Clock) then you can also enable DNSSEC like so in
Before starting the
dnsmasq service, you need to disable the DHCP service on your router.
Start and enable the service:
systemctl start dnsmasq systemctl enable dnsmasq
Finally, we need to reconfigure
eth0 to use
dnsmasq for DNS queries. Edit
/etc/systemd/network/eth0.network and set in the
If you enabled DNSSEC in your
dnsmasq config file above, then you can enale DNSSEC in the
[Network] section in
Here we have set the
DNSSEC option to support DNS servers that don’t support DNSSEC.
Then restart the
systemctl restart systemd-networkd
Now you can test if DNS lookups work by using
You can see if DHCP requests are being serviced by checking the
systemctl status dnsmasq