Want Faster, Easier-to-Manage DNS? Use Dnsmasq

By: Steven J. Vaughan-Nichols

Sure, you can use BIND (Berkeley Internet Name Domain) for your Domain Name Server (DNS). BIND is almost everyone’s favorite domain name server software and I’ve installed and managed it before. But, and it’s a big but, full-scale BIND can be a pain to run. So, unless I really need BIND’s full power, I use another program: Dnsmasq.

Dnsmasq is an easy-to-use and -setup caching DNS server. Stop laughing! It really is easy!

As a refresher, DNS is the Internet’s master phone book. It turns machine-usable IP addresses into human-readable domain names. Linode provides good documentation on its DNS manager; how to set up a reverse DNS server, which resolves an IP address to a domain name; and common DNS configurations.

Dnsmasq is a small, open-source application that’s designed to provide DNS and, optionally, Dynamic Host Configuration Protocol (DHCP), addressing to a small network. It also supports IPv4 and IPv6 static and dynamic DHCP leases, tftp, and BOOTP and PXE for network booting of diskless systems. For our purposes, I’m sticking with DNS.

The program also supports Domain Name System Security Extensions (DNSSEC) upstream. With today’s seemingly endless DNS-based Distributed Denial of Service (DDoS) attacks, you MUST use DNSSEC.

Dnsmasq is a lightweight program. In the past, I’ve run it in my home-office on a Hewlett-Packard 521n mini-tower PC with an AMD Athlon XP 1.4 GHz processor, 256MBs of RAM and a 60GB hard drive. In short, no matter how small your server or VM, you can run Dnsmasq.

The program is also widely available. It’s included in almost all Linux distributions.

Presuming you’re using Debian or Ubuntu, you’ll take the following steps to get Dnsmasq up and running. If you’re using another operating system, just use its default package installation routines.

apt-get update

apt-get install dnsmasq

That’s it. Dnsmasq should now be running.

To test it out run

dig linode.com localhost

This forces your server to use Dnsmasq for looking up the DNS record. You should put up the record in single milliseconds. That’s the big advantage of using Dnsmasq. It makes looking up frequently used domains — FAST!

Dig is a DNS utility program. It gives you information about a site’s address and how long it took to get its IP address from the DNS server.

By default, Dnsmasq will use the DNS servers setup in your /etc/resolv.conf file. On Linode, this will include Linode’s default DNS servers.

I like to add additional DNS servers, so if the default DNS servers go south, it will keep working. Don’t go hog-wild with setting up DNS servers. Dnsmasq will only access the first three sites listed in the resolv.conf file. I usually add one of the Google Public DNS servers, or and one of Cisco’s OpenDNS servers, or, to the default DNS site. You do this by adding them to resolv.conf with your favorite text editor. That’s vi for me.

While, you’re in the resolv.conf file, go ahead and add localhost as the first line. This enables Dnsmasq to cache DNS queries for queries from the local machine.

By default, Dnsmasq treats all nameservers as equals. It picks the one to use by using an algorithm designed to avoid nameservers which aren’t responding. If you want to use the servers in the order you have them in the resolv.conf file, run dnsmasq with the -o flag.

Next, I need to start it up to make sure that it works. Like most Linux/Unix utilities, you can do this with an init script. So, from the shell, I start it as root with:

# /etc/init.d/dnsmasq start

But, how do I know if it’s actually done anything? For that, you run the dig command. For example:

dig google.com

Dnsmasq is configured in /etc/dnsmasq.conf. I recommend copying the original to keep as a reference. For example, dnsmasq.conf-master. Every time you make a change to dnsmasq.conf you have to restart Dnsmasq.

The easiest way to do that is with the command:

/etc/init.d/dnsmasq restart

There are several changes you might want to make in Dnsmasq.conf. The important one is to upgrade the cache size. By default, it’s 1,000, but I prefer 2,048. Look for the line:

cache-size=1000 and change it accordingly.

Once you have it running properly, your next step is to set up dnsmasq so it runs automatically. The easiest way to do this is to run it with cron.

Why did I mention upgrading the cache? That’s because I’ve found Dnsmasq’s biggest advantage is the way it speeds up your DNS queries… a lot.

For example, one Linode customer from a few years back who was doing millions of DNS lookups got 50 percent hits from the Dnsmasq cache and that dropped their average DNS lookup time by 30 to 50 percent

Now, that’s the kind of DNS performance I want!

Please feel free to share below any comments or insights about your experience with DNS, BIND or Dnsmasq. And if you found this blog useful, please consider sharing it through social media.

About the blogger: Steven J. Vaughan-Nichols is a veteran IT journalist whose estimable work can be found on a host of channels, including ZDNet.com, PC Magazine, InfoWorld, ComputerWorld, Linux Today and eWEEK. Steven’s IT expertise comes without parallel — he has even been a Jeopardy! clue. And while his views and cloud situations are solely his and don’t necessarily reflect those of Linode, we are grateful for his contributions. He can be followed on Twitter (@sjvn).