 Recent Entries
QuicksearchLinks |
RSS Feeds    
Stumbleupon This Site! 
 Save to del.icio.us
CategoriesLinoleum |
Run a local DNS resolver with OpenWRT
Monday, August 29. 2011
OpenWRT is a fantastic open source distribution for embedded devices, such as the Linksys WRT-54G series of wireless routers. One of its many features is the use of dnsmasq, a combined DNS and DHCP server, useful on small networks that are sitting behind a NAT connection.
The downside of dnsmasq on OpenWRT, however, is that the default configuration uses your ISP's DNS servers, which can be problematic, if your ISP, like many others, is adopting bad habits of redirecting non-existent domains to their servers, or is blacklisting / censoring websites without asking you.
For this, and for so many other reasons, it's a much better idea to run your own local DNS resolver. Unfortunately, dnsmasq isn't cable of doing this, so it's necessary to install a DNS server that can do this on its own. In this article, I describe how to do this.
The downside of dnsmasq on OpenWRT, however, is that the default configuration uses your ISP's DNS servers, which can be problematic, if your ISP, like many others, is adopting bad habits of redirecting non-existent domains to their servers, or is blacklisting / censoring websites without asking you.
For this, and for so many other reasons, it's a much better idea to run your own local DNS resolver. Unfortunately, dnsmasq isn't cable of doing this, so it's necessary to install a DNS server that can do this on its own. In this article, I describe how to do this.
I chose to use MaraDNS, because of its small size and good security history, but because it doesn't have dnsmasq's built-in DHCP server and /etc/hosts integration, I decided that I would run both of them simultaneously. This presented a few problems, because dnsmasq binds to all interfaces by default.
My network address is 10.4.0.0/255.255.255.0; the router's IP address is on 10.4.0.1. I decided to give it a second address of 10.4.0.2, where maradns would listen - I could just have easily given it a dummy internal address instead. djbdns would be restricted to listening only on 127.0.0.1,
the loopback address, and 10.4.0.1.
Step one, add a virtual address of 10.4.0.2. Add these lines to your /etc/config/network file:
...and then run /etc/init.d/network restart.
If all goes well, running ifconfig -a will show you all your interfaces, including your new virtual interface:
Step two, configure dnsmasq to listen only on 127.0.0.1 and 10.4.0.1. OpenWRT's configuration files don't provide any method to access the --listen-address option, so it will be necessary to add it to the startup line in the /etc/init.d/dnsmasq script:
Also add option nonwildcard 1 to the dnsmasq section of your /etc/config/dhcp file, and then restart dnsmasq with /etc/init.d/dnsmasq restart.
If you now run netstat -lutpn | grep 53, you'll see that dnsmasq is only bound to those IP addresses:
Step three, install MaraDNS on your router:
Then configure it to listen only on 10.4.0.2 and to listen to requests only from your router, by putting the following in /etc/mararc
Set MaraDNS to start up on boot with ln -s /etc/init.d/maradns /etc/rc.d/S50maradns and then start it, using /etc/init.d/maradns start
Now run netstat -lutpn | egrep "maradns|zoneserver" and you should see it running on 10.4.0.2:
Step four, finally, is to configure dnsmasq to pass all non-local DNS requests to MaraDNS. First, add a file called /etc/resolv.maradns with the following contents:
Then add the following to /etc/dnsmasq.conf to make it read resolvers from that file, instead of using your ISP's resolvers:
And that's it! If you run tcpdump on your router's external interface, you'll now see lots of DNS traffic going to nameservers around the world, instead of your ISP's DNS server.
My network address is 10.4.0.0/255.255.255.0; the router's IP address is on 10.4.0.1. I decided to give it a second address of 10.4.0.2, where maradns would listen - I could just have easily given it a dummy internal address instead. djbdns would be restricted to listening only on 127.0.0.1,
the loopback address, and 10.4.0.1.
Step one, add a virtual address of 10.4.0.2. Add these lines to your /etc/config/network file:
config 'alias'
option 'interface' 'lan'
option 'proto' 'static'
option 'netmask' '255.255.255.0'
option 'ipaddr' 10.4.0.2
...and then run /etc/init.d/network restart.
If all goes well, running ifconfig -a will show you all your interfaces, including your new virtual interface:
br-lan:1 Link encap:Ethernet HWaddr 00:43:60:72:45:AB
inet addr:10.4.0.2 Bcast:10.4.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Step two, configure dnsmasq to listen only on 127.0.0.1 and 10.4.0.1. OpenWRT's configuration files don't provide any method to access the --listen-address option, so it will be necessary to add it to the startup line in the /etc/init.d/dnsmasq script:
/usr/sbin/dnsmasq --listen-address=127.0.0.1 --listen-address=10.4.0.1 $args && {
Also add option nonwildcard 1 to the dnsmasq section of your /etc/config/dhcp file, and then restart dnsmasq with /etc/init.d/dnsmasq restart.
If you now run netstat -lutpn | grep 53, you'll see that dnsmasq is only bound to those IP addresses:
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1915/dnsmasq
tcp 0 0 10.4.0.1:53 0.0.0.0:* LISTEN 1915/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 1915/dnsmasq
udp 0 0 10.4.0.1:53 0.0.0.0:* 1915/dnsmasq
Step three, install MaraDNS on your router:
opkg update
opkg install maradns
Then configure it to listen only on 10.4.0.2 and to listen to requests only from your router, by putting the following in /etc/mararc
hide_disclaimer="YES"
chroot_dir="/etc/maradns"
bind_address="10.4.0.2"
maradns_uid=65534
dns_port=53
maxprocs=10
random_seed_file="/dev/urandom"
recursive_acl="127.0.0.1,10.4.0.1"
root_servers={}
root_servers["."]="198.41.0.4,128.9.0.107,192.33.4.12,128.8.10.90,192.203.230.10,
192.5.5.241,192.112.36.4,128.63.2.53,192.36.148.17,
192.58.128.30,193.0.14.129,198.32.64.12,202.12.27.33"
Set MaraDNS to start up on boot with ln -s /etc/init.d/maradns /etc/rc.d/S50maradns and then start it, using /etc/init.d/maradns start
Now run netstat -lutpn | egrep "maradns|zoneserver" and you should see it running on 10.4.0.2:
tcp 0 0 10.4.0.2:53 0.0.0.0:* LISTEN 1889/zoneserver
udp 0 0 10.4.0.2:53 0.0.0.0:* 1883/maradns
Step four, finally, is to configure dnsmasq to pass all non-local DNS requests to MaraDNS. First, add a file called /etc/resolv.maradns with the following contents:
nameserver 10.4.0.2
Then add the following to /etc/dnsmasq.conf to make it read resolvers from that file, instead of using your ISP's resolvers:
resolv-file=/etc/resolv.maradns
And that's it! If you run tcpdump on your router's external interface, you'll now see lots of DNS traffic going to nameservers around the world, instead of your ISP's DNS server.
Comments
Display comments as
(Linear | Threaded)
Thanks for the nice post 
. As someone who has just set up OpenWRT + dnsmasq (and I'm not a network guru), I'm wondering how this is different than instructing dnsmasq to forward requests to a different DNS server?
In DNS parlance I think this is technically a forwarder, yeah?
I'm running OpenWRT snapshots from trunk... if that makes any difference.
. As someone who has just set up OpenWRT + dnsmasq (and I'm not a network guru), I'm wondering how this is different than instructing dnsmasq to forward requests to a different DNS server?In DNS parlance I think this is technically a forwarder, yeah?
I'm running OpenWRT snapshots from trunk... if that makes any difference.
Hi Alan,
Thanks for the comment. This differs from a forwarder in that MaraDNS will do all of the DNS lookups itself, whereas a forwarder will ask another DNS server to do the lookups on its behalf.
For example, if I ask MaraDNS to lookup the address "www.linux.co.uk", it will first talk to the root nameservers and ask who runs the domain for ".uk". Then it will talk to the .uk nameservers and ask who is authoritative for ".co.uk". And then so on, until it has resolved the name completely.
dnsmasq doesn't have the ability to do this itself - instead, by setting a forwarder, you're asking another DNS server to do it for you. So instead, in the article above, we're forwarding dnsmasq's requests to our own server (MaraDNS).
The advantage of running your own resolver is that you no longer have to worry about whether or not your ISP (or other upstream DNS server) is trustworthy. They could easily be replacing a valid DNS entry with some false information, and you might never know.
Sure, there are still other security issues inherent in DNS, but running your own resolver eliminates one potential problem. (Though, note, it also means slower lookups)
Thanks for the comment. This differs from a forwarder in that MaraDNS will do all of the DNS lookups itself, whereas a forwarder will ask another DNS server to do the lookups on its behalf.
For example, if I ask MaraDNS to lookup the address "www.linux.co.uk", it will first talk to the root nameservers and ask who runs the domain for ".uk". Then it will talk to the .uk nameservers and ask who is authoritative for ".co.uk". And then so on, until it has resolved the name completely.
dnsmasq doesn't have the ability to do this itself - instead, by setting a forwarder, you're asking another DNS server to do it for you. So instead, in the article above, we're forwarding dnsmasq's requests to our own server (MaraDNS).
The advantage of running your own resolver is that you no longer have to worry about whether or not your ISP (or other upstream DNS server) is trustworthy. They could easily be replacing a valid DNS entry with some false information, and you might never know.
Sure, there are still other security issues inherent in DNS, but running your own resolver eliminates one potential problem. (Though, note, it also means slower lookups)
when i run the command
netstat -lutpn | egrep "maradns|zoneserver"
I get this output
netstat: showing only processes with your user ID
netstat: /proc/net/tcp6: No such file or directory
netstat: /proc/net/udp6: No such file or directory
netstat -lutpn | egrep "maradns|zoneserver"
I get this output
netstat: showing only processes with your user ID
netstat: /proc/net/tcp6: No such file or directory
netstat: /proc/net/udp6: No such file or directory
Hi Fred,
Are you running netstat as root? It looks to me like you're running it as an unprivileged user.
Are you running netstat as root? It looks to me like you're running it as an unprivileged user.
Got it working there was a space in the line, after copying and pasting the code below
root_servers["."]="198.41.0.4,128.9.0.107,192.33.4.12,128.8.10.90,192.203.230.10,192.5.5.241,192.112.36.4,128.63.2.53,192.36.148.17,192.58.128.30,193.0.14.129,198.32.64.12,202.12.27.33"
uploading the /etc/init.d/dnsmasq script would be a great help it's very hard to work out where that line has to be inserted, nice work this is a great feature for the router be nice if this was put as an option in the gui
root_servers["."]="198.41.0.4,128.9.0.107,192.33.4.12,128.8.10.90,192.203.230.10,192.5.5.241,192.112.36.4,128.63.2.53,192.36.148.17,192.58.128.30,193.0.14.129,198.32.64.12,202.12.27.33"
uploading the /etc/init.d/dnsmasq script would be a great help it's very hard to work out where that line has to be inserted, nice work this is a great feature for the router be nice if this was put as an option in the gui
Tracked: Aug 30, 10:39
Tracked: Aug 30, 15:41
Tracked: Aug 30, 21:04
Tracked: Aug 31, 01:34
Tracked: Aug 31, 01:34