OS 13.2 - DNSMASQ - Need confirmation for running config

Hello.
Could someone draw my attention to any potential incongruities, redundancies, omissions or errors in the following config, which seems to work.

For example, the domain is set in the network card config, in dnsmasq.conf and in hosts.

yast2 Network setting

    Global Options
        General Network setting
            Network setup method : **Wicked service**
        DHCP Client Options
            Hostname to send : **Auto**
    Overview
        General
            Activate : **At boot time**
            Firewall : **external zone**
        Address
            checked : **Statically assign**
            IP : **192.168.130.123**
            Subnet : **/24**
            Hostname : **hostname-1.my-dom-test.nwk**
        Hardware
            Device Name : **srv_eth0**

    Hostname/DNS
        Hostname and domain name
            ***everything is unchecked except*** :
                Hostname : **hostname-1**
                Domain name : **my-dom-test.nwk**
        Modify dns policy
            **Use default policy**
        Name server and domain search list
            Name server 1 : **127.0.0.1**
        Domain search
            **my-dom-test.nwk**

    Routing
        Default gateway : **192.168.130.230**
        Routing table
            Destination : **192.168.2.200**
            Gateway : **192.168.130.230**
            Genmask : **-**
            Device : **srv_eth0**

#—

File : /etc/hosts


#/etc/hosts
# hosts         This file describes a number of hostname-to-address
#               mappings for the TCP/IP subsystem.  It is mostly
#               used at boot time, when no name servers are running.
#               On small systems, this file can be used instead of a
#               "named" name server.
# Syntax:
#
# IP-Address  Full-Qualified-Hostname  Short-Hostname
#
127.0.0.1       localhost.localdomain    localhost
192.168.130.123 hostname-1.my-dom-test.nwk hostname-1
######## everything related to DHCPv6 has been removed

#—

File : /etc/resolv.conf


### /etc/resolv.conf file autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
#     NETCONFIG_DNS_STATIC_SEARCHLIST
#     NETCONFIG_DNS_STATIC_SERVERS
#     NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
#     NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
# Note: Manual change of this file disables netconfig too, but
# may get lost when this file contains comments or empty lines
# only, the netconfig settings are same with settings in this
# file and in case of a "netconfig update -f" call.
#

nameserver 127.0.0.1

#—

File : /etc/dnsmasq.conf


#    /etc/dnsmasq.conf
#

# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv

# Change this line if you want dns to get its upstream servers from
# somewhere other than /etc/resolv.conf
resolv-file="/etc/resolv.dnsmasq.conf"

# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
local=/my-dom-test.nwk/192.168.130.123

# Add domains which you want to force to an IP address here.
# The example below sends any host in double-click.net to a local
# web-server.
address=/my-dom-test.nwk/192.168.130.123

#
# SPAM ADDRESS
conf-file=/etc/dnsmasq.conf.banned

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
#interface=
interface=srv_eth0

# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
expand-hosts

# Set a different domain for a particular subnet
#domain=wireless.thekelleys.org.uk,192.168.2.0/24
domain=my-dom-test.nwk,192.168.130.0/24

# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
#dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-range=192.168.130.165,192.168.130.199,16h

# COMPUTER
# Always set the name of the host with hardware address
# 11:22:33:44:55:66 to be "fred"
#dhcp-host=11:22:33:44:55:66,fred
dhcp-host=00-26-2D-62-64-90,192.168.130.70,PORTABLE-ACER-COCO
#dhcp-host=00-26-2D-62-64-90,PORTABLE-ACER-COCO
dhcp-host=60:a4:4c:7d:b9:28,192.168.130.80,PORTABLE-ASUS-JC
#dhcp-host=60:a4:4c:7d:b9:28,PORTABLE-ASUSJC
dhcp-host=00:1B:24:56:F1:36,192.168.130.90,PORTABLE-HP-SECOUR
#dhcp-host=00:1B:24:56:F1:36,PORTABLE-HP
#
# PRINTER
#
dhcp-host=00:1b:a9:3c:be:76,192.168.130.102,BROTHER-HL2150N
dhcp-host=30:05:5c:3a:e3:af,192.168.130.103,BROTHER-HL2250DN
dhcp-host=00:15:99:8a:a0:19,192.168.130.104,SAMSUNG-CLP325W
dhcp-host=00:24:be:f4:6d:4c,192.168.130.105,SONY-TV-BRAVIA-32EX500

# Do the same thing, but using the option name
#dhcp-option=option:router,1.2.3.4
# set the gateway to 192.168.130.230
dhcp-option=option:router,192.168.130.230

# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
dhcp-leasefile=/var/lib/misc/dnsmasq.leases

# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
dhcp-authoritative

# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries

# Log lots of extra information about DHCP transactions.
log-dhcp

# Include another lot of configuration options.
## done #conf-file=/etc/dnsmasq.more.conf
## done #conf-dir=/etc/dnsmasq.d

#—

File : /etc/dnsmasq.conf.banned


#    /etc/dnsmasq.conf.banned
#
#    BANNED DNS SERVER
address="/101com.com/127.0.0.127"
address="/101order.com/127.0.0.127"
address="/123found.com/127.0.0.127"
address="/123pagerank.com/127.0.0.127"
address="/180hits.de/127.0.0.127"
address="/180searchassistant.com/127.0.0.127"
address="/1x1rank.com/127.0.0.127"
address="/207.net/127.0.0.127"
.........
.........
.........
address="/zintext.com/127.0.0.127"
address="/zmedia.com/127.0.0.127"

#—

File : /etc/resolv.dnsmasq.conf


#    /etc/resolv.dnsmasq.conf
#
# PUBLIC DNS
#
nameserver 8.8.8.8
nameserver 8.8.4.4
#

Any comment is welcome

Hello.
It would be a great help to me if somebody could give me an opinion.

> It would be a great help to me if somebody could give me an opinion.

OK, well here’s an opinion. It probably isn’t the best or most informed opinion, but it is an opinion. (I went through it backwards!)

You don’t say what this is supposed to be doing and it does do something, so that is good, but it may not be what you intended. To comment on that, you’d have to know what was intended.

You seem to be using two Google nameservers as your upstream. There is an argument for not doing that (they are among the faster ones, but probably not the absolute fastest, usually, and there is the issue of what Google could do with the data, but you’ve probably decided that you are happy with that).

You are not logging queries: this is probably the right decision, long term, but you might want to enable this for some testing/initial checking/occasional verification. On the other hand, you are doing DHCP logging; it will probably be worth having a look at that log, and then turning that off.

You set dhcp-authoritative. Where this probably can be useful is if you have, eg, a router which does dhcp, you don’t want it to do dhcp and you can’t turn it off (possibly because it can’t quite be configured exactly as you want). For most people it will either be true that they can turn off their router’s dhcp (that’s usual) or they can live with the router doing DHCP, so it seems probable that most people won’t need that setting (but you would have to know something about the network and how you are trying to set it up to offer anything other than speculation).

192.168.130.230 seems to be an odd choice of address for your router; nothing wrong with that, but it isn’t what most people choose.

interface=srv_eth0; I thought that the names for interfaces had changed recently, and that the traditional (eth0) was no longer in use. But, if it works…

I thought that there was some setting, somewhere, to use DNS upstreams that used some security enhancement (DNSSEC/DNSCURVE), and probably anything to improve DNS security is a good idea. You probably don’t want to be opening up DNS services to anyone off-site, unless you really have to (although, maybe iptables might be your friend here).

Anyway, that was what jumped out at me, for whatever that is worth.
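A small check of the posted dnsmasq.conf against the points in this reply (dnssec, interface binding, logging, dhcp-authoritative, the local=/address= lines), as an added example that is not code from the thread or from dnsmasq. SAMPLE is a constructed excerpt of the posted config; HARDENED is a constructed variant with a placeholder trust anchor, and the dnssec option assumes dnsmasq 2.69 or newer.

```python
"""Lint a dnsmasq.conf for the review points raised in the reply above.
Added example, not from the thread; SAMPLE is a constructed excerpt of the
posted config, HARDENED a constructed variant (dnssec needs dnsmasq >= 2.69).
The trust-anchor value is a placeholder: copy the real root key from the
trust-anchors.conf shipped with dnsmasq."""

SAMPLE = """\
resolv-file="/etc/resolv.dnsmasq.conf"
local=/my-dom-test.nwk/192.168.130.123
address=/my-dom-test.nwk/192.168.130.123
interface=srv_eth0
dhcp-authoritative
#log-queries
log-dhcp
"""

HARDENED = """\
local=/my-dom-test.nwk/
interface=srv_eth0
bind-interfaces
dnssec
trust-anchor=.,KEYTAG-PLACEHOLDER,8,2,DIGEST-PLACEHOLDER
"""

def parse_dnsmasq(text):
    """(option, value) pairs in file order; bare options get None.
    A '#' at line start is a comment; dnsmasq strips double quotes."""
    opts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, val = line.partition("=")
            opts.append((key.strip(), val.strip().strip('"') if sep else None))
    return opts

def lint(text):
    """Return (code, message) findings matching the reply's comments."""
    opts = parse_dnsmasq(text)
    keys = {k for k, _ in opts}
    out = []
    if "dnssec" not in keys:
        out.append(("NO_DNSSEC", "no dnssec/trust-anchor: upstream answers are not validated"))
    if "interface" in keys and "bind-interfaces" not in keys:
        out.append(("NO_BIND_INTERFACES", "interface= alone binds the wildcard address and filters in dnsmasq; add bind-interfaces"))
    if "log-dhcp" in keys:
        out.append(("LOG_DHCP", "log-dhcp is on: fine while testing, turn off afterwards"))
    if "dhcp-authoritative" in keys:
        out.append(("AUTHORITATIVE", "dhcp-authoritative: takes over leases of other DHCP servers' clients"))
    for k, v in opts:
        if k == "local" and v and not v.endswith("/"):  # local= is a synonym for server=
            out.append(("LOCAL_HAS_SERVER", f"local={v} forwards to that IP; local=/{v.split('/')[1]}/ is local-only"))
        if k == "address" and v:
            out.append(("ADDRESS_WILDCARD", f"address={v}: every name under the domain maps to that IP"))
    return out
```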

Act as DNS and DHCP server on a small subnet with no fixed IP nor domain name until I decide to buy one.

> You seem to be using two Google nameservers as your upstream. There is an argument for not doing that (they are among the faster ones, but probably not the absolute fastest, usually, and there is the issue of what Google could do with the data, but you’ve probably decided that you are happy with that).

I don’t mind changing if you give me some names.

> You are not logging queries: this is probably the right decision, long term, but you might want to enable this for some testing/initial checking/occasional verification. On the other hand, you are doing DHCP logging; it will probably be worth having a look at that log, and then turning that off.

It has only been running for a few days. I plan to turn the log off at the end of May.

> You set dhcp-authoritative. Where this probably can be useful is if you have, eg, a router which does dhcp, you don’t want it to do dhcp and you can’t turn it off (possibly because it can’t quite be configured exactly as you want). For most people it will either be true that they can turn off their router’s dhcp (that’s usual) or they can live with the router doing DHCP, so it seems probable that most people won’t need that setting (but you would have to know something about the network and how you are trying to set it up to offer anything other than speculation).

The main router is my ISP’s router.
I can’t switch it off, and I can’t manage it. So I leave it alone and try to configure my own network (dns, dhcp, samba, postfix, mysql, and more if possible).

> I thought that there was some setting, somewhere, to use DNS upstreams that used some security enhancement (DNSSEC/DNSCURVE), and probably anything to improve DNS security is a good idea.

Next step

> You probably don’t want to be opening up DNS services to anyone off-site

Yes, I don’t.