Homebrewing a Linux Router, Part 2 (dnsmasq)
In Part 2 of my homebrewed Debian router series I will go over how I set up DNS and DHCP services. If you don’t know, or need a brief refresher: a DNS (Domain Name System) server is responsible for resolving domain names (e.g. www.duckduckgo.com) to their actual IP addresses, or for forwarding that DNS request to another upstream DNS server. A DHCP (Dynamic Host Configuration Protocol) server is responsible for assigning dynamic IP addresses to new devices that connect to your LAN.
I started off using dnsmasq but now use Pi-Hole, which uses a fork of dnsmasq under the hood. I have used Pi-Hole before and always intended to use it again; I just wanted to have a look at the tool it uses under the hood first. In this post I will go over how I set up dnsmasq in my original configuration, and in the next post I will talk about Pi-Hole.
What’s dnsmasq?
dnsmasq is a popular FOSS option for providing DNS and DHCP services to small networks (like mine).
Dnsmasq acts as a forwarding DNS server, meaning it does not do the DNS lookups itself but instead forwards the requests to an upstream provider. For myself I chose Quad9, a privacy-focused DNS provider based in Switzerland.
If you want to talk to the authoritative name servers directly and not rely on a third-party provider, you need to set up a recursive DNS server like unbound. After setting up Pi-Hole I eventually did set up unbound and now use that instead of forwarding to Quad9; I will go over that setup in a future post.
Getting Started
Install dnsmasq by running sudo apt install dnsmasq and enable the service with sudo systemctl enable dnsmasq.
My /etc/dnsmasq.d/main.conf file:
# Don't read upstream servers from /etc/resolv.conf; only the server= lines below are used
no-resolv
# Quad9 as the upstream forwarder
server=9.9.9.9
# Number of DNS answers to keep in the local cache (default is 150)
cache-size=10000
# Enable DHCP and answer as the only DHCP server on this LAN
dhcp-authoritative
# Hand out 172.16.0.2 - 172.16.0.100 on the br0 LAN bridge, with 12 hour leases
dhcp-range=br0,172.16.0.2,172.16.0.100,12h
# Resolve the domain `my.domain` and all of its subdomains to `172.16.0.22` (the local IP address of my server)
address=/.my.domain/172.16.0.22
After this my two laptops were able to receive an IP address when connected directly to my router through an Ethernet cable, and could ping each other as well as the router.
Ad Blocking
I’m using StevenBlack’s list. To get started I manually downloaded the block list hosts file here. Dnsmasq can read from multiple hosts files, so I created an /etc/blocklists directory to keep files for hosts I want to block, then moved the downloaded hosts file into this directory. To include these files in the dnsmasq configuration, add addn-hosts=/etc/blocklists/stevenblack to the config. Now all ad-related domains on StevenBlack’s list should be blocked.