2

Consider a private network spanning several sites, each one having its own DNS server(s) for resolution of internal private IPs/hosts. No DHCP needed.

Every server has dnsmasq running, 127.0.0.1 set as the DNS server (in resolv.conf), and the dnsmasq configuration points to the local DNS server(s). Basically it seems like dnsmasq acts only as a DNS proxy.

What's the benefit of this configuration compared to the usual configuration of having each server point directly to the local DNS server(s)? I expect that hostnames/IPs are cached in this case as well, aren't they?

kuma
  • 158
  • 9

2 Answers

2

dnsmasq could be an option. You may gain some performance if you enable the cache, you can add some custom configuration (e.g. send "local" queries to your site DNS and "public" ones to Google's 8.8.8.8), and you get better monitoring of DNS activity. But I personally would evaluate other alternatives like PowerDNS Recursor ( https://www.powerdns.com/recursor.html ) or Knot Resolver ( https://www.knot-resolver.cz/ ).

Those DNS resolvers have more features than dnsmasq (e.g. support for RPZ), so you should evaluate them if you are interested in having local resolvers.

Pablo Martinez
  • 2,406
  • 17
  • 13
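The configuration the answer describes (local-only listener, split forwarding of the internal zone to the site servers and everything else to a public resolver, caching, query logging), written out as an added dnsmasq.conf example; it is not taken from the answer or from the dnsmasq project. The zone name corp.example, the site servers 10.0.0.53 and 10.0.1.53, and the log path are constructed values; 8.8.8.8 is the public forwarder the answer mentions.

```conf
# Added example dnsmasq.conf for a server that runs dnsmasq as a local forwarder.
# Assumed values: internal zone "corp.example", site DNS servers 10.0.0.53 and
# 10.0.1.53, public forwarder 8.8.8.8.

# Answer only on loopback; resolv.conf on this host points at 127.0.0.1.
# bind-interfaces keeps dnsmasq off the wildcard address so it never serves
# (or becomes an open resolver for) other hosts.
listen-address=127.0.0.1
bind-interfaces

# Take upstream servers only from this file, not from /etc/resolv.conf.
no-resolv

# Split forwarding: the internal forward and reverse zones go to the site
# servers, everything else goes to the public resolver.
server=/corp.example/10.0.0.53
server=/corp.example/10.0.1.53
server=/10.in-addr.arpa/10.0.0.53
server=8.8.8.8

# Try upstream servers strictly in the order listed instead of favouring the
# fastest responder, so the second site server acts as a fallback.
strict-order

# Never forward plain hostnames or private-range reverse lookups upstream;
# they would leak internal names to the public resolver.
domain-needed
bogus-priv

# Reject upstream answers that map public names onto private addresses,
# except from the internal zone, which legitimately does so.
stop-dns-rebind
rebind-domain-ok=/corp.example/

# Caching. On a single-purpose server it cuts latency and upstream load.
# On a shared multi-user host, where another local user could observe the
# cache or poison it, set cache-size=0 instead.
cache-size=10000
neg-ttl=60

# Monitoring: log every query and its answer. This is verbose, so send it
# to its own file rather than syslog.
log-queries
log-facility=/var/log/dnsmasq.log
```

Check the file with `dnsmasq --test` before restarting the service; a syntax error leaves the host without resolution because resolv.conf already points at 127.0.0.1. The failure handling the question asks about comes from listing more than one `server=` line: dnsmasq retries a query against the next server when one does not answer, which a bare resolv.conf with a single nameserver entry cannot do.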
1

Many recent Linux distributions rely on dnsmasq for their name resolution, see this explanation. The main reason being:

This was done to better support split DNS for VPN users and to better handle DNS failures and fallbacks. This dnsmasq server isn’t a caching server for security reasons, to avoid risks related to local cache poisoning and users eavesdropping on others’ DNS queries on a multi-user system.

I also find it rather annoying, as I feel I lose some control over my DNS management and do not find it as convenient as it is supposed to be: more caching, more debugging in case of complex setups, and so on.

Fortunately it is rather simple to get rid of this behavior by commenting out the following line:

dns=dnsmasq

in /etc/NetworkManager/NetworkManager.conf and restarting NetworkManager:

systemd-enabled OS

# sudo systemctl restart network-manager

SysV / upstart

# sudo service network-manager restart
iMil
  • 251
  • 1
  • 9
  • I don't understand your complaint: dnsmasq gives you a lot _more_ control than you had before! – Michael Hampton Aug 07 '16 at 08:31
  • Thanks for the useful link. Since in my environment there's no VPN, I guess the benefit would only be _to better handle DNS failures and fallbacks._ So is it best practice (I mean, is it a real benefit) to rely on dnsmasq in such case? – kuma Aug 07 '16 at 12:03