wiki:DnsMasq

Version 2 (modified by spirillen, 2 weeks ago)


dnsmasq

About dnsmasq

Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used for tethering on smartphones and portable hotspots, and to support virtual networking in virtualisation frameworks. Supported platforms include Linux (with glibc and uclibc), Android, *BSD, and Mac OS X. Dnsmasq is included in most Linux distributions and the ports systems of FreeBSD, OpenBSD and NetBSD. Dnsmasq provides full IPv6 support.

address vs server directives

A note on why server=/example.net/ (or the equivalent address=/example.net/ with no IP address) should by default be used within BlackLists rather than an address=/example.net/<ipaddr> directive

The dnsmasq man page carries a very important note on the use of the address directive:

Thus --address=/#/1.2.3.4 will always return 1.2.3.4 for any query not answered from /etc/hosts or DHCP and not sent to an upstream nameserver by a more specific --server directive. As for --server, one or more domains with no address returns a no-such-domain answer, so --address=/example.com/ is equivalent to --server=/example.com/ and returns NXDOMAIN for example.com and all its subdomains.

This clearly shows that most "guides" are simply wrong in the advice they give for blocking domains; go figure...

-A, --address=/<domain>[/<domain>...]/[<ipaddr>]
Specify an IP address to return for any host in the given domains. Queries in the domains are never forwarded and always replied to with the specified IP address which may be IPv4 or IPv6. To give both IPv4 and IPv6 addresses for a domain, use repeated --address flags. To include multiple IP addresses for a single query, use --addn-hosts=<path> instead. Note that /etc/hosts and DHCP leases override this for individual names. A common use of this is to redirect the entire doubleclick.net domain to some friendly local web server to avoid banner ads. The domain specification works in the same way as for --server, with the additional facility that /#/ matches any domain. Thus --address=/#/1.2.3.4 will always return 1.2.3.4 for any query not answered from /etc/hosts or DHCP and not sent to an upstream nameserver by a more specific --server directive. As for --server, one or more domains with no address returns a no-such-domain answer, so --address=/example.com/ is equivalent to --server=/example.com/ and returns NXDOMAIN for example.com and all its subdomains. An address specified as '#' translates to the NULL address of 0.0.0.0 and its IPv6 equivalent of :: so --address=/example.com/# will return NULL addresses for example.com and its subdomains. This is partly syntactic sugar for --address=/example.com/0.0.0.0 and --address=/example.com/:: but is also more efficient than including both as separate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves.
Source: man dnsmasq

The formatting

From the above it follows that the best practice for blocking unwanted content, while still being able to allow WhiteListed content, is to use the address directive with no IP address within the BlackLists. It wildcards a whole domain with a shady purpose, e.g. example.com or example.net, into an NXDOMAIN answer for the domain and every subdomain, and still lets you whitelist an exceptionally needed subdomain with a more specific server directive, because the more specific entry wins and that name is forwarded to your recursor as usual.

The BlackLists file should therefore be formatted as:

Blacklist
  address=/example.org/                         # Block all names that belong
                                                # to example.org with an
                                                # NXDOMAIN response
  server=/www.example.org/95.216.209.53         # Unblock and forward this
                                                # specific DNS name to your
                                                # DNS recursor as usual
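To check that the BlackLists layout above really behaves as the man page describes, here is a small simulator of dnsmasq's address/server precedence. It is an added example written for this page, not code from dnsmasq or from the BlackLists project. It implements only what the quoted man page text states: the most specific (longest) matching domain wins, /#/ matches any name, a domain with no address answers NXDOMAIN, address=/domain/# answers 0.0.0.0 and ::, repeated address= lines for one domain are merged, and an /etc/hosts or DHCP name overrides everything for that exact name. The function names (parse_conf, resolve, demo), the comment handling (a '#' after whitespace starts a comment, so /#/ and /domain/# stay intact), the ValueError for an address= and server= entry of identical length, and the treatment of a bare server=IP line as the default upstream are conventions of this script, not of dnsmasq; server addresses with port or interface suffixes are not parsed. The sample config is constructed: 95.216.209.53 is the recursor address from the example above, the other addresses are documentation ranges and tracker.test / ads.example.net are made-up names.

```python
"""Simulate how dnsmasq picks between address= and server= lines (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    kind: str                                   # "address" or "server"
    domain: str                                 # "example.org", "#" (any name) or "" (bare server=)
    addrs: list = field(default_factory=list)   # validated IP strings; empty means NXDOMAIN


def parse_conf(text):
    """Turn dnsmasq address=/server= lines into Rule objects (one per listed domain)."""
    rules = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()   # comment = '#' after whitespace only
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lstrip("-"), value.strip()
        if key not in ("address", "server"):
            raise ValueError(f"unsupported line: {raw!r}")
        if value.startswith("/"):
            *domains, addr = value[1:].split("/")       # "/a/b/1.2.3.4" -> ["a","b"], "1.2.3.4"
            if not domains or not all(domains):
                raise ValueError(f"bad domain list: {raw!r}")
        elif key == "server":
            domains, addr = [""], value                  # bare server=IP: default upstream
        else:
            raise ValueError(f"address= needs a /domain/ part: {raw!r}")
        if key == "address" and addr == "#":
            addrs = ["0.0.0.0", "::"]                    # man page: '#' is the NULL address, v4 and v6
        elif addr:
            addrs = [str(ipaddress.ip_address(addr))]    # raises on anything that is not a plain IP
        else:
            addrs = []                                   # no address -> NXDOMAIN for the whole domain
        for d in domains:
            rules.append(Rule(key, d.lower().rstrip("."), addrs))
    return rules


def _rank(domain, qname):
    """Specificity of `domain` for `qname`, or None if it does not match."""
    if domain == "":
        return -1                                        # bare server=: beaten by any domain entry
    if domain == "#":
        return 0                                         # /#/ matches every name
    if qname == domain or qname.endswith("." + domain):
        return domain.count(".") + 1                     # more labels = more specific
    return None


def resolve(rules, qname, hosts=None):
    """Return ("ANSWER", ips), ("NXDOMAIN", []) or ("FORWARD", upstreams).

    ("FORWARD", []) means nothing configured matched; dnsmasq would then use
    the servers from /etc/resolv.conf.  `hosts` models /etc/hosts and DHCP leases.
    """
    qname = qname.lower().rstrip(".")
    if hosts and qname in hosts:
        return ("ANSWER", [hosts[qname]])                # per-name entries override everything
    best, best_rank = [], None
    for r in rules:
        rk = _rank(r.domain, qname)
        if rk is None:
            continue
        if best_rank is None or rk > best_rank:
            best, best_rank = [r], rk
        elif rk == best_rank:
            best.append(r)                               # same domain listed again (e.g. v4 + v6)
    if not best:
        return ("FORWARD", [])
    if len({r.kind for r in best}) > 1:
        raise ValueError(f"{qname}: address= and server= both match {best[0].domain!r}; "
                         "precedence between equal-length entries is not modelled here")
    addrs = [a for r in best for a in r.addrs]
    if not addrs:
        return ("NXDOMAIN", [])
    return ("ANSWER" if best[0].kind == "address" else "FORWARD", addrs)


# Constructed sample in the BlackLists layout from this page.
SAMPLE_CONF = """
address=/example.org/                     # block example.org and every subdomain: NXDOMAIN
server=/www.example.org/95.216.209.53     # but forward this one name to the recursor
address=/ads.example.net/#                # null-route: answers 0.0.0.0 and ::
address=/tracker.test/198.51.100.7        # sinkhole to a local web server, IPv4 ...
address=/tracker.test/2001:db8::7         # ... and IPv6, via a repeated address= line
server=192.0.2.53                         # constructed default upstream for everything else
"""


def demo(names=("www.example.org", "mail.example.org", "example.org",
                "ads.example.net", "cdn.tracker.test", "unrelated.test")):
    """Resolve a few constructed names against SAMPLE_CONF."""
    rules = parse_conf(SAMPLE_CONF)
    return {n: resolve(rules, n) for n in names}


if __name__ == "__main__":
    for name, (action, payload) in demo().items():
        print(f"{name:18} -> {action} {' '.join(payload)}")
```

Running it shows the point of the layout: www.example.org is forwarded to 95.216.209.53 because the three-label server entry beats the two-label address entry, while mail.example.org and example.org itself get NXDOMAIN. Swapping the block line for the guide-style address=/example.org/0.0.0.0 makes the same query return 0.0.0.0 instead of NXDOMAIN, which is the difference the man page excerpt warns about.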

Dns related articles
DnsDist, DnsFirewall, DnsHosts, DnsMasq, DnsScripts, DnsSetup