Installing the dnsmasq DNS resolver service on CentOS
Introduction
By default, internet access in mainland China still goes through PPPoE dial-up, even on fiber: my line is 500M down and 20M up (sadly) and it still dials in with PPPoE. Once the session is up, the carrier hands back two DNS server addresses, and those two servers are what resolve every domain name typed into the browser to an IP.
Of course we can also use other public resolvers: Alibaba DNS 223.5.5.5 and 223.6.6.6, 114DNS 114.114.114.114, Baidu 180.76.76.76, CNNIC 1.2.4.8 and 202.98.0.68, or DNSPod 119.29.29.29 and 182.254.116.116. They can be configured on the router or on each computer.
Running your own resolver is convenient for a small business and protects clients from having their lookups hijacked at the carrier-assigned resolver. Keep in mind that a forwarder such as dnsmasq still trusts whatever upstream it is pointed at, so that protection is only as good as the upstream you choose.
Installation
Download and install
[root@centos-vpn ~]# yum install -y dnsmasq
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
dnsmasq-2.76-2.el7_4.2.x86_64.rpm | 277 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : dnsmasq-2.76-2.el7_4.2.x86_64 1/2
Cleanup : dnsmasq-2.66-21.el7.x86_64 2/2
Verifying : dnsmasq-2.76-2.el7_4.2.x86_64 1/2
Verifying : dnsmasq-2.66-21.el7.x86_64 2/2
Updated:
dnsmasq.x86_64 0:2.76-2.el7_4.2
Complete!
Configuration
The configuration file is /etc/dnsmasq.conf
Here we change the following settings:
# Change this line if you want dns to get its upstream servers from
# somewhere other than /etc/resolv.conf
resolv-file=/etc/resolv.dnsmasq.conf
# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers that are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf (here: in the file named by resolv-file above)
strict-order
# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
log-queries
# Log lots of extra information about DHCP transactions.
log-dhcp
# newly added: write the log to a file instead of syslog
log-facility=/var/log/dnsmasq/dnsmasq.log
Create the log directory
[root@centos-vpn ~]# mkdir -p /var/log/dnsmasq/
Set listen-address so that dnsmasq answers on localhost and on the LAN address:
listen-address=127.0.0.1,10.10.51.214
Note that listen-address on its own only controls which addresses dnsmasq answers on: the socket is still bound to the wildcard address (netstat shows 0.0.0.0:53 below) and queries arriving on other addresses are discarded after the fact. Add bind-interfaces if you want the socket bound to the listed addresses only, and make sure port 53 on this host is not reachable from the internet, otherwise it becomes an open resolver that can be abused for amplification.
Create a new file /etc/resolv.dnsmasq.conf and put Alibaba's DNS in it for testing:
nameserver 223.5.5.5
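The configuration steps above collected into one script, as an added example that is not part of the original post. It writes the dnsmasq.conf and resolv.dnsmasq.conf files described above into a directory you choose (default: a scratch directory, so it is safe to run as-is; pass /etc to install for real), adds bind-interfaces plus a few hardening directives the post does not mention, and runs a consistency check before you restart the service. The function names, the directory argument, the check rules and cache-size are this example's own; the LAN address 10.10.51.214 and the upstream 223.5.5.5 are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: generate the forwarder
# configuration described above and sanity-check it before restarting dnsmasq.
# Assumptions (not in the post): the output directory is the first argument
# (defaults to a scratch directory); write_dnsmasq_conf and check_dnsmasq_conf
# are helper names chosen here.
set -eu

# write_dnsmasq_conf DIR LAN_IP UPSTREAM... : writes DIR/dnsmasq.conf and the
# resolv file it points at, then prints the config path.
write_dnsmasq_conf() {
  dir=$1; lan_ip=$2; shift 2
  conf="$dir/dnsmasq.conf"
  resolv="$dir/resolv.dnsmasq.conf"
  : > "$resolv"
  for s in "$@"; do
    echo "nameserver $s" >> "$resolv"
  done
  cat > "$conf" <<EOF
# Upstreams come only from this file, tried in the order listed.
resolv-file=$resolv
strict-order
# Answer only on loopback and the LAN address.
listen-address=127.0.0.1,$lan_ip
# Without this dnsmasq binds 0.0.0.0:53 and merely discards queries that
# arrive on other addresses; with it the socket is bound to the listed addresses.
bind-interfaces
# Never forward single-label names or reverse lookups of private ranges upstream.
domain-needed
bogus-priv
# Refuse upstream answers that map public names to private addresses (DNS rebinding).
stop-dns-rebind
cache-size=1000
log-queries
log-facility=/var/log/dnsmasq/dnsmasq.log
EOF
  printf '%s\n' "$conf"
}

# check_dnsmasq_conf CONF : fails on the inconsistencies that bite in practice,
# then runs dnsmasq's own syntax check if the binary is installed.
check_dnsmasq_conf() {
  conf=$1; rc=0
  if grep -q '^listen-address=' "$conf" && ! grep -q '^bind-interfaces$' "$conf"; then
    echo "FAIL: listen-address without bind-interfaces (dnsmasq will still bind 0.0.0.0:53)"; rc=1
  fi
  if ! grep -Eq '^(server=|resolv-file=)' "$conf"; then
    echo "FAIL: no upstream configured (no server= or resolv-file=)"; rc=1
  fi
  rf=$(sed -n 's/^resolv-file=//p' "$conf")
  if [ -n "$rf" ] && [ ! -s "$rf" ]; then
    echo "FAIL: resolv-file $rf is missing or empty"; rc=1
  fi
  lf=$(sed -n 's/^log-facility=//p' "$conf")
  if [ -n "$lf" ] && [ ! -d "$(dirname "$lf")" ]; then
    echo "WARN: log directory $(dirname "$lf") does not exist; create it before starting"
  fi
  if command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq --test -C "$conf" || rc=1
  fi
  return $rc
}

# Demo run: pass /etc as the first argument to write the real files.
target=${1:-$(mktemp -d)}
conf=$(write_dnsmasq_conf "$target" 10.10.51.214 223.5.5.5 223.6.6.6)
if check_dnsmasq_conf "$conf"; then
  echo "OK: $conf (for /etc: mkdir -p /var/log/dnsmasq, then systemctl restart dnsmasq)"
fi
```

Running the script with no argument lets you inspect the generated files; running it with /etc on the server overwrites /etc/dnsmasq.conf and /etc/resolv.dnsmasq.conf with the same content. With bind-interfaces, dnsmasq fails to start if 10.10.51.214 is not configured on an interface at that moment, which is the behaviour you want from a resolver that must never answer on a different address.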
Start
[root@centos-vpn ~]# systemctl status dnsmasq
● dnsmasq.service - DNS caching server.
Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@centos-vpn ~]# systemctl enable dnsmasq
Created symlink from /etc/systemd/system/multi-user.target.wants/dnsmasq.service to /usr/lib/systemd/system/dnsmasq.service.
[root@centos-vpn ~]# systemctl start dnsmasq
[root@centos-vpn ~]# netstat -antp | grep LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 2282/dnsmasq
tcp6 0 0 :::53 :::* LISTEN 2282/dnsmasq
Test
The first query took 60 ms; the second took 0 ms because it was served from the cache. Note that izhong.me had no A record at the time: the answer section is empty and the authority section carries only the SOA, i.e. a NODATA response. dnsmasq caches that negative answer as well, and that cached entry is what the second query hits.
[root@centos-vpn ~]# dig izhong.me @127.0.0.1
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> izhong.me @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60107
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;izhong.me. IN A
;; AUTHORITY SECTION:
izhong.me. 600 IN SOA f1g1ns1.dnspod.net. freednsadmin.dnspod.com. 1521381610 3600 180 1209600 180
;; Query time: 60 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 18 22:31:39 CST 2018
;; MSG SIZE rcvd: 104
[root@centos-vpn ~]# dig izhong.me @127.0.0.1
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> izhong.me @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50208
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;izhong.me. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 18 22:31:42 CST 2018
;; MSG SIZE rcvd: 38
The log shows the same steps: the first query is forwarded to 223.5.5.5, the second is answered from the cache.
Mar 18 22:31:39 dnsmasq[2700]: query[A] izhong.me from 127.0.0.1
Mar 18 22:31:39 dnsmasq[2700]: forwarded izhong.me to 223.5.5.5
Mar 18 22:31:39 dnsmasq[2700]: reply izhong.me is NODATA-IPv4
Mar 18 22:31:42 dnsmasq[2700]: query[A] izhong.me from 127.0.0.1
Mar 18 22:31:42 dnsmasq[2700]: cached izhong.me is NODATA-IPv4
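The log lines above are exactly what a small audit can run over, as an added example that is not part of the original post: the awk filter below counts queries, forwards and cache hits, and flags two things a forwarder operator cares about: a query forwarded to an upstream other than the ones listed in resolv.dnsmasq.conf (config drift, or a tampered resolv file), and a query arriving from a client outside the LAN (the box has become an open resolver). The sample log embedded in the script is constructed to mirror the format above and contains two deliberately suspicious entries; the 10.10.51.0/24 prefix, the function names and the alert wording are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a dnsmasq query log for
# forwards to unexpected upstreams and queries from unexpected clients.
# Assumptions (not in the post): the LAN is 10.10.51.0/24, passed as a prefix;
# write_sample_log and audit_dnsmasq_log are names chosen here.
set -eu

# write_sample_log FILE : constructed log in the format dnsmasq writes with
# log-queries; the last two query blocks are deliberately suspicious.
write_sample_log() {
  cat > "$1" <<'EOF'
Mar 18 22:31:39 dnsmasq[2700]: query[A] izhong.me from 127.0.0.1
Mar 18 22:31:39 dnsmasq[2700]: forwarded izhong.me to 223.5.5.5
Mar 18 22:31:39 dnsmasq[2700]: reply izhong.me is NODATA-IPv4
Mar 18 22:31:42 dnsmasq[2700]: query[A] izhong.me from 127.0.0.1
Mar 18 22:31:42 dnsmasq[2700]: cached izhong.me is NODATA-IPv4
Mar 18 22:35:10 dnsmasq[2700]: query[A] example.com from 10.10.51.20
Mar 18 22:35:10 dnsmasq[2700]: forwarded example.com to 8.8.8.8
Mar 18 22:35:10 dnsmasq[2700]: reply example.com is 198.51.100.10
Mar 18 22:40:01 dnsmasq[2700]: query[A] example.org from 203.0.113.7
Mar 18 22:40:01 dnsmasq[2700]: forwarded example.org to 223.5.5.5
EOF
}

# audit_dnsmasq_log FILE "UPSTREAM UPSTREAM..." LAN_PREFIX
# Prints one ALERT line per finding plus a one-line summary, and exits
# non-zero if anything was flagged so it can drive a cron or timer alert.
audit_dnsmasq_log() {
  awk -v allowed="$2" -v lan="$3" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # "query[TYPE] name from client"
    index($5, "query[") == 1 && $7 == "from" {
      q++
      if ($8 != "127.0.0.1" && index($8, lan) != 1) {
        badc++; print "ALERT query for " $6 " from unexpected client " $8
      }
    }
    # "forwarded name to upstream"
    $5 == "forwarded" && $7 == "to" {
      fwd++
      if (!($8 in ok)) {
        badu++; print "ALERT " $6 " forwarded to unexpected upstream " $8
      }
    }
    # "cached name is answer"
    $5 == "cached" { cached++ }
    END {
      printf "queries=%d forwarded=%d cached=%d unexpected_upstream=%d unexpected_client=%d\n", q + 0, fwd + 0, cached + 0, badu + 0, badc + 0
      exit (badu + badc > 0)
    }
  ' "$1"
}

# Demo run over the constructed sample; on the server point it at
# /var/log/dnsmasq/dnsmasq.log instead.
sample=$(mktemp)
write_sample_log "$sample"
audit_dnsmasq_log "$sample" "223.5.5.5 223.6.6.6" "10.10.51." || echo "audit flagged problems"
```

The allowed-upstream list should be generated from the same resolv.dnsmasq.conf dnsmasq reads, not typed by hand, so the audit catches the case where that file has been changed underneath the running service.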
If the upstream is switched to a ChinaDNS instance, we keep the cache and the speed-up and add ChinaDNS's filtering of poisoned responses. That filtering is a heuristic, not authentication of the answers; if you want cryptographic assurance, dnsmasq itself can validate DNSSEC (the dnssec and trust-anchor options), at the cost of slower first lookups.