A few small issues with DNSmasq
Most of the content on this site is original; when reposting, credit the source www.alexclouds.net
For a project I am using DNSmasq as a cache, and noticed a distinction worth writing down.
Three options turn out to matter here:
--max-ttl=<time> Set a maximum TTL value that will be handed out to clients. The specified maximum TTL will be given to clients instead of the true TTL value if it is lower. The true TTL value is however kept in the cache to avoid flooding the upstream DNS servers.
--max-cache-ttl=<time> Set a maximum TTL value for entries in the cache.
--min-cache-ttl=<time> Extend short TTL values to the time given when caching them. Note that artificially extending TTL values is in general a bad idea, do not do it unless you have a good reason, and understand what you are doing. Dnsmasq limits the value of this option to one hour, unless recompiled.
min-cache-ttl=300 raises the minimum cache TTL to 300 s, i.e. 5 minutes: any answer that arrives with a shorter TTL is kept in the cache for 300 s. Note that the --help listing further down this page shows neither --min-cache-ttl nor --max-cache-ttl, so check that the installed build accepts them (dnsmasq --test -C <conf> reports a bad option before you rely on it in production).
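To make the interaction between the three options concrete, here is a small POSIX sh model, added to this post and not taken from dnsmasq itself. It applies the rules exactly as the man page text above states them. Two details are assumptions about dnsmasq internals that you should confirm against your version: --max-cache-ttl is applied before --min-cache-ttl, and a record with an upstream TTL of 0 is never cached, so min-cache-ttl does not rescue it. The model covers answers served from the cache; the very first, forwarded answer is not modelled.

```shell
#!/bin/sh
# Model of how dnsmasq combines --max-cache-ttl, --min-cache-ttl and
# --max-ttl, added to this post (not dnsmasq code). Rules as in the man page
# text quoted above; assumptions to confirm against your version: max-cache-ttl
# is applied before min-cache-ttl, and an upstream TTL of 0 is never cached.

TTL_FLOOR_LIMIT=3600   # compiled-in ceiling for --min-cache-ttl ("one hour, unless recompiled")

# effective_min_cache_ttl CONFIGURED -> value dnsmasq will actually use
effective_min_cache_ttl() {
    if [ "$1" -gt "$TTL_FLOOR_LIMIT" ]; then
        echo "$TTL_FLOOR_LIMIT"
    else
        echo "$1"
    fi
}

# cache_ttl UPSTREAM_TTL MAX_CACHE_TTL MIN_CACHE_TTL -> seconds the entry is
# kept in the cache, or "uncached"; 0 for an option means "not set"
cache_ttl() {
    ttl=$1
    max_cache=$2
    min_cache=$(effective_min_cache_ttl "$3")
    if [ "$ttl" -eq 0 ]; then
        echo uncached
        return 0
    fi
    if [ "$max_cache" -ne 0 ] && [ "$max_cache" -lt "$ttl" ]; then
        ttl=$max_cache
    fi
    if [ "$min_cache" -ne 0 ] && [ "$min_cache" -gt "$ttl" ]; then
        ttl=$min_cache
    fi
    echo "$ttl"
}

# client_ttl CACHED_TTL AGE MAX_TTL -> TTL handed to a client that asks AGE
# seconds after the entry was cached: remaining lifetime, capped by --max-ttl,
# while the cache itself keeps the full value
client_ttl() {
    remaining=$(( $1 - $2 ))
    if [ "$remaining" -lt 0 ]; then
        remaining=0
    fi
    if [ "$3" -ne 0 ] && [ "$3" -lt "$remaining" ]; then
        echo "$3"
    else
        echo "$remaining"
    fi
}

# Walk a few constructed upstream TTLs through min-cache-ttl=300 (as in this
# post) plus max-cache-ttl=86400 and max-ttl=60.
demo() {
    for upstream in 0 30 300 3600 604800; do
        stored=$(cache_ttl "$upstream" 86400 300)
        if [ "$stored" = uncached ]; then
            printf 'upstream %7s -> not cached\n' "$upstream"
        else
            printf 'upstream %7s -> cached %6s s, client sees %3s s now and %3s s after 250 s\n' \
                "$upstream" "$stored" "$(client_ttl "$stored" 0 60)" "$(client_ttl "$stored" 250 60)"
        fi
    done
}

demo
```

Run it with sh and the demo prints one line per constructed upstream TTL. The client-facing figure decays with the cached entry's age while --max-ttl stays a hard cap, so with max-ttl=60 no client ever sees the 300 s you configured with min-cache-ttl; the extension only changes how long dnsmasq waits before asking upstream again.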
In the original (polluted) DNS situation, the www record for fb returns two completely different answers, so one of them must be fake:
A sketch of what happens along the query path with a DNS provider in China:

                                    |---- most vulnerable to modification ----|
client
laptop/workstation/phone/tablet --> office router --> ISP --> the Internet --> DNS server
                                    |----------- should be secured by DNSSEC -----------|

DNSCrypt is an effective countermeasure here: it authenticates and encrypts the hop between the client and the DNSCrypt resolver, so answers cannot be modified or hijacked in transit. It protects only that hop, so the resolver you pick still has to be one you trust.
The project needs several dnsmasq instances on one server, so the default dnsmasq service must first be prevented from starting on boot:
sudo apt-get install sysv-rc-conf
sudo sysv-rc-conf dnsmasq off
The two instances can then be started from /etc/rc.local (or /etc/init.d/rc.local). Each instance needs its own PID file (-x), port (-p) and main config (-C); the conf-dir (-7) is shared by both, so anything instance-specific must stay out of /etc/dnsmasq.d:
/usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -p 53 -C /etc/dnsmasq.conf -7 /etc/dnsmasq.d
/usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq1.pid -u dnsmasq -p 5503 -C /etc/dnsmasq1.conf -7 /etc/dnsmasq.d
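The two rc.local lines above are easy to get wrong as the instance count grows (a duplicated port or PID file, a per-instance setting dropped into the shared /etc/dnsmasq.d). The following POSIX sh launcher is an added example, not the post's or the dnsmasq project's code. It keeps the same -x/-u/-p/-C/-7 layout, checks the instance list before starting anything and runs dnsmasq --test on each config. The name:port:conffile format of INSTANCES and the variable names are my own conventions, not anything dnsmasq defines.

```shell
#!/bin/sh
# Start several dnsmasq instances that share one conf-dir (-7) but have their
# own PID file, port and main config, as in the rc.local lines in this post.
# Added example, not dnsmasq's own tooling. INSTANCES uses an assumed
# "name:port:conffile" format.
PIDDIR=${PIDDIR:-/var/run/dnsmasq}
CONFDIR=${CONFDIR:-/etc/dnsmasq.d}
RUNUSER=${RUNUSER:-dnsmasq}
DNSMASQ=${DNSMASQ:-/usr/sbin/dnsmasq}
INSTANCES=${INSTANCES:-"main:53:/etc/dnsmasq.conf cache1:5503:/etc/dnsmasq1.conf"}

# Keys that are instance-specific: a value in the shared conf-dir is read by
# every instance, so they would all end up on one port or one PID file.
PER_INSTANCE_KEYS='port|pid-file'

# dnsmasq_cmd NAME PORT CONF -> the command line for one instance, same shape
# as the hand-written rc.local lines above
dnsmasq_cmd() {
    printf '%s -x %s/%s.pid -u %s -p %s -C %s -7 %s\n' \
        "$DNSMASQ" "$PIDDIR" "$1" "$RUNUSER" "$2" "$3" "$CONFDIR"
}

# shared_conf_conflicts DIR -> prints every per-instance setting found in the
# shared directory (no output means it is safe to share)
shared_conf_conflicts() {
    if [ -d "$1" ]; then
        grep -HE "^[[:space:]]*($PER_INSTANCE_KEYS)=" "$1"/* 2>/dev/null
    fi
    return 0
}

# check_instances "name:port:conf ..." -> 0 when ports are unique, each conf
# exists and the shared conf-dir is clean; 1 otherwise, reasons on stderr
check_instances() {
    rc=0
    seen=" "
    for spec in $1; do
        name=${spec%%:*}; rest=${spec#*:}; port=${rest%%:*}; conf=${rest#*:}
        case "$seen" in
            *" $port "*) echo "$name: port $port already used by another instance" >&2; rc=1 ;;
        esac
        seen="$seen$port "
        if [ ! -f "$conf" ]; then
            echo "$name: config $conf does not exist" >&2; rc=1
        fi
    done
    conflicts=$(shared_conf_conflicts "$CONFDIR")
    if [ -n "$conflicts" ]; then
        echo "per-instance settings found in shared $CONFDIR:" >&2
        echo "$conflicts" >&2
        rc=1
    fi
    return $rc
}

# start_all "name:port:conf ..." -> validate, syntax-check each config with
# dnsmasq --test, then start the instances (dnsmasq daemonises itself)
start_all() {
    check_instances "$1" || return 1
    for spec in $1; do
        name=${spec%%:*}; rest=${spec#*:}; port=${rest%%:*}; conf=${rest#*:}
        "$DNSMASQ" --test -C "$conf" -7 "$CONFDIR" || return 1
        "$DNSMASQ" -x "$PIDDIR/$name.pid" -u "$RUNUSER" -p "$port" -C "$conf" -7 "$CONFDIR" || return 1
    done
}

case "${1:-}" in
    start) start_all "$INSTANCES" ;;
    show)  for spec in $INSTANCES; do
               rest=${spec#*:}
               dnsmasq_cmd "${spec%%:*}" "${rest%%:*}" "${rest#*:}"
           done ;;
esac
```

Put `sh /path/to/launch.sh start` in /etc/rc.local in place of the two hand-written lines; `show` prints the equivalent command lines for review. Anything instance-specific belongs in that instance's -C file: cache-size, the TTL options from the first section, and the upstream, for example server=127.0.0.1#5353 together with no-resolv when the instance forwards to a local DNSCrypt proxy (the 5353 port is an assumption; use whatever the proxy listens on). /etc/dnsmasq.d is read by every instance.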
For reference, the option list of the installed build (note that it lists neither --min-cache-ttl nor --max-cache-ttl, so the man page text quoted above comes from a newer release than this binary):
root@DNS-xx:/etc/dnsmasq.d# dnsmasq --help
Usage: dnsmasq [options]
Valid options are:
-a, --listen-address=ipaddr Specify local address(es) to listen on.
-A, --address=/domain/ipaddr Return ipaddr for all hosts in specified domains.
-b, --bogus-priv Fake reverse lookups for RFC1918 private address ranges.
-B, --bogus-nxdomain=ipaddr Treat ipaddr as NXDOMAIN (defeats Verisign wildcard).
-c, --cache-size=cachesize Specify the size of the cache in entries (defaults to 150).
-C, --conf-file=path Specify configuration file (defaults to /etc/dnsmasq.conf).
-d, --no-daemon Do NOT fork into the background: run in debug mode.
-D, --domain-needed Do NOT forward queries with no domain part.
-e, --selfmx Return self-pointing MX records for local hosts.
-E, --expand-hosts Expand simple names in /etc/hosts with domain-suffix.
-f, --filterwin2k Don't forward spurious DNS requests from Windows hosts.
-F, --dhcp-range=ipaddr,ipaddr,time Enable DHCP in the range given with lease duration.
-g, --group=groupname Change to this group after startup (defaults to dip).
-G, --dhcp-host=<hostspec> Set address or hostname for a specified machine.
--dhcp-hostsfile=<filename> Read DHCP host specs from file.
--dhcp-optsfile=<filename> Read DHCP option specs from file.
--tag-if=tag-expression Evaluate conditional tag expression.
-h, --no-hosts Do NOT load /etc/hosts file.
-H, --addn-hosts=path Specify a hosts file to be read in addition to /etc/hosts.
-i, --interface=interface Specify interface(s) to listen on.
-I, --except-interface=int Specify interface(s) NOT to listen on.
-j, --dhcp-userclass=set:<tag>,<class> Map DHCP user class to tag.
--dhcp-circuitid=set:<tag>,<circuit> Map RFC3046 circuit-id to tag.
--dhcp-remoteid=set:<tag>,<remote> Map RFC3046 remote-id to tag.
--dhcp-subscrid=set:<tag>,<remote> Map RFC3993 subscriber-id to tag.
-J, --dhcp-ignore=tag:<tag>... Don't do DHCP for hosts with tag set.
--dhcp-broadcast[=tag:<tag>...] Force broadcast replies for hosts with tag set.
-k, --keep-in-foreground Do NOT fork into the background, do NOT run in debug mode.
-K, --dhcp-authoritative Assume we are the only DHCP server on the local network.
-l, --dhcp-leasefile=path Specify where to store DHCP leases (defaults to /var/lib/misc/dnsmasq.leases).
-L, --localmx Return MX records for local hosts.
-m, --mx-host=host_name,target,pref Specify an MX record.
-M, --dhcp-boot=<bootp opts> Specify BOOTP options to DHCP server.
-n, --no-poll Do NOT poll /etc/resolv.conf file, reload only on SIGHUP.
-N, --no-negcache Do NOT cache failed search results.
-o, --strict-order Use nameservers strictly in the order given in /etc/resolv.conf.
-O, --dhcp-option=<optspec> Specify options to be sent to DHCP clients.
--dhcp-option-force=<optspec> DHCP option sent even if the client does not request it.
-p, --port=number Specify port to listen for DNS requests on (defaults to 53).
-P, --edns-packet-max=<size> Maximum supported UDP packet size for EDNS.0 (defaults to 4096).
-q, --log-queries Log DNS queries.
-Q, --query-port=number Force the originating port for upstream DNS queries.
-R, --no-resolv Do NOT read resolv.conf.
-r, --resolv-file=path Specify path to resolv.conf (defaults to /etc/resolv.conf).
-S, --server=/domain/ipaddr Specify address(es) of upstream servers with optional domains.
--local=/domain/ Never forward queries to specified domains.
-s, --domain=<domain>[,<range>] Specify the domain to be assigned in DHCP leases.
-t, --mx-target=host_name Specify default target in an MX record.
-T, --local-ttl=time Specify time-to-live in seconds for replies from /etc/hosts.
--neg-ttl=time Specify time-to-live in seconds for negative caching.
--max-ttl=time Specify time-to-live in seconds for maximum TTL to send to clients.
-u, --user=username Change to this user after startup. (defaults to nobody).
-U, --dhcp-vendorclass=set:<tag>,<class> Map DHCP vendor class to tag.
-v, --version Display dnsmasq version and copyright information.
-V, --alias=addr,addr,mask Translate IPv4 addresses from upstream servers.
-W, --srv-host=name,target,... Specify a SRV record.
-w, --help Display this message. Use --help dhcp for known DHCP options.
-x, --pid-file=path Specify path of PID file (defaults to /var/run/dnsmasq.pid).
-X, --dhcp-lease-max=number Specify maximum number of DHCP leases (defaults to 1000).
-y, --localise-queries Answer DNS queries based on the interface a query was sent to.
-Y, --txt-record=name,txt.... Specify TXT DNS record.
--ptr-record=name,target Specify PTR DNS record.
--interface-name=name,interface Give DNS name to IPv4 address of interface.
-z, --bind-interfaces Bind only to interfaces in use.
-Z, --read-ethers Read DHCP static host information from /etc/ethers.
-1, --enable-dbus Enable the DBus interface for setting upstream servers, etc.
-2, --no-dhcp-interface=interface Do not provide DHCP on this interface, only provide DNS.
-3, --bootp-dynamic[=tag:<tag>]... Enable dynamic address allocation for bootp.
-4, --dhcp-mac=set:<tag>,<mac address> Map MAC address (with wildcards) to option set.
--bridge-interface=iface,alias,.. Treat DHCP requests on aliases as arriving from interface.
-5, --no-ping Disable ICMP echo address checking in the DHCP server.
-6, --dhcp-script=path Script to run on DHCP lease creation and destruction.
-7, --conf-dir=path Read configuration from all the files in this directory.
-8, --log-facility=<facility>|<file> Log to this syslog facility or file. (defaults to DAEMON)
-9, --leasefile-ro Do not use leasefile.
-0, --dns-forward-max=<queries> Maximum number of concurrent DNS queries. (defaults to 150)
--clear-on-reload Clear DNS cache when reloading /etc/resolv.conf.
--dhcp-ignore-names[=tag:<tag>]... Ignore hostnames provided by DHCP clients.
--dhcp-no-override Do NOT reuse filename and server fields for extra DHCP options.
--enable-tftp[=<interface>] Enable integrated read-only TFTP server.
--tftp-root=<dir>[,<iface>] Export files by TFTP only from the specified subtree.
--tftp-unique-root Add client IP address to tftp-root.
--tftp-secure Allow access only to files owned by the user running dnsmasq.
--tftp-max=<connections> Maximum number of concurrent TFTP transfers (defaults to 50).
--tftp-no-blocksize Disable the TFTP blocksize extension.
--tftp-port-range=<start>,<end> Ephemeral port range for use by TFTP transfers.
--log-dhcp Extra logging for DHCP.
--log-async[=<log lines>] Enable async. logging; optionally set queue length.
--stop-dns-rebind Stop DNS rebinding. Filter private IP ranges when resolving.
--rebind-localhost-ok Allow rebinding of 127.0.0.0/8, for RBL servers.
--rebind-domain-ok=/domain/ Inhibit DNS-rebind protection on this domain.
--all-servers Always perform DNS queries to all servers.
--dhcp-match=set:<tag>,<optspec> Set tag if client includes matching option in request.
--dhcp-alternate-port[=<ports>] Use alternative ports for DHCP.
--dhcp-scriptuser=<username> Run lease-change script as this user.
--naptr-record=<name>,<naptr> Specify NAPTR DNS record.
--min-port=<port> Specify lowest port available for DNS query transmission.
--dhcp-fqdn Use only fully qualified domain names for DHCP clients.
--dhcp-generate-names[=tag:<tag>]... Generate hostnames based on MAC address for nameless clients.
--dhcp-proxy[=<ip_address>]... Use these DHCP relays as full proxies.
--cname=<alias>,<target> Specify alias name for LOCAL DNS name.
--pxe-prompt=<prompt>,[<timeout>] Prompt to send to PXE clients.
--pxe-service=<service> Boot service for PXE menu.
--test Check configuration syntax.
--add-mac Add requestor's MAC address to forwarded DNS queries.
--proxy-dnssec Proxy DNSSEC validation results from upstream nameservers.
--dhcp-sequential-ip Attempt to allocate sequential IP addresses to DHCP clients.
--conntrack Copy connection-track mark from queries to upstream connections.