We effectively split up the provided /etc/dnsmasq.conf
into subsystems and configure them separately.
It contains no settings, only comments and defaults, so there is no
harm in leaving it in situ. The comments, however, are very useful, and
it is recommended to use the full files referenced below rather than just
the settings shown here.
DNS server
graham:~$ sudo vi /etc/dnsmasq.d/dns.conf
graham:~$ sudo vi /etc/dnsmasq.d/blacklist.conf # domains to filter out of queries
graham:~$ sudo vi /etc/resolv.dnsmasq # upstream name servers
graham:~$ sudo vi /etc/resolv.conf # local name server
graham:~$ sudo vi /etc/hosts.dnsmasq # local domain addresses being managed
graham:~$ sudo vi /etc/hosts
DHCP server
graham:~$ sudo vi /etc/dnsmasq.d/dhcp.conf
Our DHCP server will barge in and override other servers on this LAN
segment (there shouldn't be any!).
Names handed out from the pool for non-pre-identified (by MAC address)
hosts are of form
pool-nnn.home.arpa (nnn between 0 and 99)
– try digging for some.
graham:~$ sudo vi /etc/ethers # MAC address db
TFTP server
graham:~$ sudo vi /etc/dnsmasq.d/tftp.conf-OFF
Common to all subsystems
graham:~$ sudo vi /etc/dnsmasq.d/common.conf-OFF
graham:~$ dnsmasq --test # simple syntax check
Correct any reported syntax errors in dnsmasq config.
graham:~$ sudo vi /etc/netplan/00-installer-config.yaml # server requires static IP
graham:~$ sudo netplan apply
graham:~$ sudo vi /etc/rsyslog.d/dnsmasq.conf # split out dnsmasq logging
graham:~$ sudo vi /etc/logrotate.d/dnsmasq
graham:~$ sudo systemctl restart rsyslog
Disable existing DHCP server (probably in WAN router/gateway)
before starting dnsmasq to prevent conflicting requests.
graham:~$ sudo systemctl restart dnsmasq # start dnsmasq
graham:~$ systemctl status dnsmasq
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor prese>
Active: active (running) since Tue 2022-09-20 23:10:53 AEST; 4min 11s ago
… …
graham:~$ sudo tail -f /var/log/dnsmasq.log
NoTracking is a publicly maintained blacklist of advertising and
malware domains. At the cost of a performance penalty from checking more than
a quarter of a million entries on each uncached domain lookup, these domains
can be blocked at the DNS level.
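As an added example (not from the original page or the NoTracking project), the following script turns a hosts-format blocklist into the address= directives that belong in /etc/dnsmasq.d/blacklist.conf, dropping loopback entries, duplicates and malformed names that would make dnsmasq --test fail; it also shows how a dnsmasq address= entry matches the listed domain and everything beneath it. The hosts-format input and the sample domains are constructed assumptions.

```python
import re

# Constructed sample in hosts-file format ("0.0.0.0 domain" per line).
# Assumption: the downloaded blocklist uses this layout.
SAMPLE_BLOCKLIST = """\
# comment line
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # trailing comment
0.0.0.0 ads.example.com
0.0.0.0 bad_host.example
0.0.0.0 malware.example.org
"""

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Names that appear in hosts files but must never be blocked.
SKIP = {"localhost", "localhost.localdomain", "broadcasthost",
        "ip6-localhost", "ip6-loopback"}

def valid_domain(name: str) -> bool:
    """Reject names dnsmasq would reject, or that should never be blocked."""
    if len(name) > 253 or name in SKIP or "." not in name:
        return False
    return all(LABEL.match(label) for label in name.split("."))

def blocklist_to_dnsmasq(text: str, sink: str = "0.0.0.0") -> list[str]:
    """Turn hosts-format lines into sorted, de-duplicated address= directives."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        fields = line.split()
        if len(fields) < 2:                       # blank or address-only line
            continue
        for name in fields[1:]:                   # hosts lines may list aliases
            name = name.lower().rstrip(".")
            if valid_domain(name):
                names.add(name)
    return [f"address=/{n}/{sink}" for n in sorted(names)]

def is_blocked(query: str, directives: list[str]) -> bool:
    """address=/d/ in dnsmasq matches d itself and every name under it."""
    q = query.lower().rstrip(".")
    for directive in directives:
        domain = directive.split("/")[1]
        if q == domain or q.endswith("." + domain):
            return True
    return False

if __name__ == "__main__":
    print("\n".join(blocklist_to_dnsmasq(SAMPLE_BLOCKLIST)))
```

Redirect the output into /etc/dnsmasq.d/blacklist.conf and rerun dnsmasq --test before restarting the service.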