DNS lookups can slow down any system if they aren't quick enough, or if you have a server that's doing reverse lookups. Running dnsmasq as a local caching resolver saves your computer or server from making hundreds or thousands of unneeded DNS requests, because repeated lookups are answered from the cache.
Setting up
The config for dnsmasq is in /etc/dnsmasq.conf
Here are some of the configuration options I like to use.
This sets the file that holds the actual upstream DNS servers (keeping them out of /etc/resolv.conf, which will point at dnsmasq itself):
resolv-file=/etc/resolv.dnsmasq.conf
Never forward plain names (without a dot or domain part)
domain-needed
Never forward addresses in the non-routed address spaces.
bogus-priv
If you use OpenDNS servers, set this to query the servers in the order they are listed.
strict-order
Also, if you use OpenDNS, you'll need this line so OpenDNS doesn't redirect Google queries; it sends lookups for www.google.com straight to Google's own resolver, 8.8.8.8:
server=/www.google.com/8.8.8.8
If your DNS is on a remote server and you route your traffic to it with something like OpenVPN or ssh, you'll need to bind dnsmasq to the tunnel interface (and keep it from serving DHCP there):
interface=tun0
no-dhcp-interface=tun0
Now put your actual DNS servers in /etc/resolv.dnsmasq.conf:
# OpenDNS IPv4 nameservers
nameserver 208.67.222.222
nameserver 208.67.220.220
# OpenDNS IPv6 nameservers
nameserver 2620:0:ccc::2
nameserver 2620:0:ccd::2
Then change /etc/resolv.conf so that its only nameserver is 127.0.0.1, so the system sends all of its queries to dnsmasq.
You may also have to stop NetworkManager from overwriting your DNS settings. In /etc/NetworkManager/NetworkManager.conf:
[main]
#dns=default
dns=none
DNSSEC
Domain Name System Security Extensions (DNSSEC) is a set of additions to the DNS protocol that make it more secure. A domain's records are cryptographically signed, and a validating resolver checks those signatures to make sure the replies it receives are actually valid.
In /etc/dnsmasq.conf, add or uncomment these lines to enable DNSSEC.
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
Some replies are not DNSSEC signed. They may still be legitimate, because the domain itself is unsigned, or they may be forgeries with the signatures stripped off. This setting makes dnsmasq check whether the domain really is unsigned before it accepts such a reply. It costs a few more DNS lookups, but it's good for security.
dnssec-check-unsigned
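The options above are meant to be present together, and the easiest way to get one wrong is to point /etc/resolv.conf at 127.0.0.1 while dnsmasq still reads its upstreams from that same file. The following is an added example, not from the original post and not dnsmasq's own tooling: it parses a dnsmasq.conf and a resolv.conf and reports which of the recommended options are missing, whether a trust anchor is loaded alongside dnssec, and whether the upstream file loops back to dnsmasq. The file contents and the option list are constructed from this post; run it against your own /etc/dnsmasq.conf and /etc/resolv.conf to audit a real host.

```python
# Audit a dnsmasq.conf / resolv.conf pair for the options recommended in the post.
# Added example; constructed sample files below, not real system files.
from typing import Dict, List, Optional

# Constructed sample dnsmasq.conf: the post's options, with dnssec-check-unsigned
# deliberately left out so the audit has something to report.
SAMPLE_DNSMASQ_CONF = """\
# local caching resolver
resolv-file=/etc/resolv.dnsmasq.conf
domain-needed
bogus-priv
strict-order
server=/www.google.com/8.8.8.8
interface=tun0
no-dhcp-interface=tun0
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
"""

# Constructed sample /etc/resolv.conf after it has been pointed at dnsmasq.
SAMPLE_RESOLV_CONF = """\
# dnsmasq listens here
nameserver 127.0.0.1
"""

# Options the post recommends, with the reason each one matters.
RECOMMENDED = {
    "domain-needed": "never forward plain names without a dot or domain part",
    "bogus-priv": "never forward reverse lookups for non-routed address space",
    "resolv-file": "read upstream servers from a separate file",
    "dnssec": "validate DNSSEC signatures on replies",
    "dnssec-check-unsigned": "prove that unsigned replies are legitimately unsigned",
}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_dnsmasq_conf(text: str) -> Dict[str, List[Optional[str]]]:
    """Parse dnsmasq 'option' / 'option=value' lines into {option: [values]}.
    Bare flags get None; repeated options (several server= lines) keep every value."""
    options: Dict[str, List[Optional[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition("=")
        options.setdefault(key.strip(), []).append(value.strip() if sep else None)
    return options


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in a resolv.conf, in order."""
    servers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def audit(dnsmasq_text: str, resolv_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the setup matches the post."""
    opts = parse_dnsmasq_conf(dnsmasq_text)
    servers = parse_resolv_conf(resolv_text)
    findings = []
    for opt, why in RECOMMENDED.items():
        if opt not in opts:
            findings.append(f"missing '{opt}': {why}")
    # 'dnssec' validates nothing unless a trust anchor is loaded, either directly
    # (trust-anchor=) or via the conf-file include the post uses.  Name-based heuristic.
    has_anchor = "trust-anchor" in opts or any(
        v and "trust-anchors" in v for v in opts.get("conf-file", []))
    if "dnssec" in opts and not has_anchor:
        findings.append("dnssec is set but no trust anchor is configured")
    # The system must actually send its queries to dnsmasq.
    for addr in servers:
        if addr not in LOOPBACK:
            findings.append(f"resolv.conf still lists upstream {addr}; use 127.0.0.1")
    # Pitfall: dnsmasq reads upstreams from /etc/resolv.conf by default.  Once that
    # file only says 127.0.0.1, dnsmasq is left with no real upstream at all.
    upstream_file = opts.get("resolv-file", ["/etc/resolv.conf"])[0]
    if upstream_file == "/etc/resolv.conf" and servers and set(servers) <= LOOPBACK:
        findings.append("dnsmasq would read upstreams from /etc/resolv.conf, which only "
                        "points back at dnsmasq; set resolv-file to a separate file")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DNSMASQ_CONF, SAMPLE_RESOLV_CONF) or ["no findings"]:
        print(finding)
```

On the constructed sample the only finding is the missing dnssec-check-unsigned line; remove resolv-file from the sample and the audit also reports the loop back to /etc/resolv.conf.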
The trust-anchors.conf file above holds the root trust anchor, taken from https://data.iana.org/root-anchors/root-anchors.xml
The current one I have is (which you can verify at the above URL; note that IANA has since rolled the root key, so compare against the current file rather than copying this value):
# The root DNSSEC trust anchor, valid as at 18/03/2016
# Note that this is a DS record (ie a hash of the root Zone Signing Key)
# It was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
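Verifying the anchor means checking that every trust-anchor= line in the conf file matches an entry in IANA's XML, that the entry is still within its validity window, and that the digest really is a DS of the key (RFC 4034 section 5.1.4: the hash runs over the owner name in wire format followed by the DNSKEY RDATA). The code below is an added example, not part of the original post, dnsmasq or IANA's tooling; the XML is a constructed sample in the layout of root-anchors.xml that reuses the post's key tag 19036 line and adds a placeholder second entry, and the dates are illustrative. For a real check, fetch the IANA file and read your own trust-anchors.conf instead of the samples.

```python
# Compare a dnsmasq trust-anchors.conf against IANA's root-anchors.xml and
# compute DS digests from DNSKEY data.  Added example with constructed samples.
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample in the layout of root-anchors.xml.  The first KeyDigest
# reuses the values from the post's trust-anchors.conf; the second is a
# placeholder entry (all-zero digest) that the conf file does not contain.
SAMPLE_ROOT_ANCHORS_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="constructed-sample" source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="sample-1" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>19036</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest>
<KeyDigest id="sample-2" validFrom="2017-02-02T00:00:00+00:00">
<KeyTag>65535</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>0000000000000000000000000000000000000000000000000000000000000000</Digest>
</KeyDigest>
</TrustAnchor>
"""

# The post's trust-anchors.conf, as the file dnsmasq reads.
SAMPLE_TRUST_ANCHORS_CONF = """\
# The root DNSSEC trust anchor, valid as at 18/03/2016
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
"""


def parse_root_anchors(xml_text: str) -> Dict[int, dict]:
    """Return {key_tag: anchor} from a root-anchors.xml document."""
    anchors = {}
    for kd in ET.fromstring(xml_text).findall("KeyDigest"):
        until = kd.get("validUntil")
        anchors[int(kd.findtext("KeyTag"))] = {
            "algorithm": int(kd.findtext("Algorithm")),
            "digest_type": int(kd.findtext("DigestType")),
            "digest": kd.findtext("Digest").strip().upper(),
            "valid_from": datetime.fromisoformat(kd.get("validFrom")),
            "valid_until": datetime.fromisoformat(until) if until else None,
        }
    return anchors


def parse_trust_anchor_lines(conf_text: str) -> List[Tuple[str, int, int, int, str]]:
    """Parse dnsmasq 'trust-anchor=zone,keytag,alg,digesttype,digest' lines."""
    anchors = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("trust-anchor="):
            continue
        zone, tag, alg, dtype, digest = line[len("trust-anchor="):].split(",")
        anchors.append((zone.strip(), int(tag), int(alg), int(dtype), digest.strip().upper()))
    return anchors


def check_trust_anchors(conf_text: str, xml_text: str, today_iso: str) -> Dict[int, str]:
    """Classify each anchor: ok, mismatch, unknown, not-yet-valid, expired or missing."""
    today = datetime.fromisoformat(today_iso)
    iana = parse_root_anchors(xml_text)
    status: Dict[int, str] = {}
    for _zone, tag, alg, dtype, digest in parse_trust_anchor_lines(conf_text):
        ref = iana.get(tag)
        if ref is None:
            status[tag] = "unknown"          # not an IANA anchor at all
        elif (ref["algorithm"], ref["digest_type"], ref["digest"]) != (alg, dtype, digest):
            status[tag] = "mismatch"         # right key tag, wrong digest: investigate
        elif today < ref["valid_from"]:
            status[tag] = "not-yet-valid"
        elif ref["valid_until"] is not None and today >= ref["valid_until"]:
            status[tag] = "expired"          # IANA no longer vouches for this key
        else:
            status[tag] = "ok"
    for tag in iana:
        status.setdefault(tag, "missing")    # published by IANA, absent from the conf
    return status


def name_to_wire(name: str) -> bytes:
    """DNS wire format of an owner name, lower-cased as RFC 4034 requires for DS."""
    labels = [l for l in name.lower().strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """DS digest of a DNSKEY (RFC 4034 s5.1.4): hash(owner wire name | DNSKEY RDATA)."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    return hashers[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


if __name__ == "__main__":
    for tag, state in check_trust_anchors(SAMPLE_TRUST_ANCHORS_CONF, SAMPLE_ROOT_ANCHORS_XML,
                                          "2016-03-18T00:00:00+00:00").items():
        print(f"key tag {tag}: {state}")
```

With the post's date the 19036 anchor reports ok and the placeholder entry reports missing; rerun with a date after the sample's validUntil and the same anchor reports expired, which is the condition to watch for when a copied trust-anchors.conf outlives the key it names. To check a live key, feed the root DNSKEY's flags, protocol, algorithm and base64 public key to ds_digest and compare the result with the Digest element.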
To verify that DNSSEC is working, go to https://www.dnssec-tools.org/. With a validating resolver, dig +dnssec replies for signed domains carry the ad (authenticated data) flag, and domains whose signatures fail to validate return SERVFAIL instead of an answer.