Dnsmasq is an opensource light-weight,easy to configure and administer DNS and a DHCP Server. Dnsmasq is ideally suitable for smaller networks like Small Office and Home Office networks (SOHO) and branch office networks. Dnsmasq can be run on old PC and is very easy to configure and administer. Dnsmasq is seen to support upto 1000 nodes on a network.

In essence, Dnsmasq is a Caching nameserver and a DNS forwarder with DHCP enabled on it. Dnsmasq can provide nameservice for local hosts while forwarding the queries for global public resources to a Public DNS Server (like an ISP DNS server). So, small networks which are behind a DSL/ADSL router or even a modem link and share a single internet connection can make the best use of Dnsmasq.

Dnsmasq is included in most of the opensource firewalls and opensource router firmware and in the most common Linux distributions. Some of them include:

Opensource Firewalls:

IPCop / Smoothwall / floppyfw / Firebox / LEAF / m0n0wall / PfSense / Endian Firewall / ClarkConnect

Opensource router firmware:

dd-wrt / openwrt / stock firmware / fli4l

Linux Distributions:

Debian / Gentoo / Slackware / Suse / Fedora / Coyote Linux

*BSD

FreeBSD / OpenBSD / NetBSD

Some of the highlighting features of Dnsmasq are as follows:

• Automatically update the Public DNS Servers through PPP or DHCP connections. So, change in a Public DNS server of an ISP that the network is connected to will be picked up by Dnsmasq
• Caching Nameserver to reduce network traffic and improve performance
• Forwarding to Private DNS servers for specific Domains can be configured
• Nameservice for the localhosts using the /etc/hosts file and for DHCP Client hosts
• Static and Dynamic client leases on DHCP
• Multiple Network and IP Ranges on the DHCP server
• BOOTP support for network booting using a secure read-only TFTP server
• Simple global configuration using the /etc/dnsmasq.conf file
• Supports BOOTP and DHCP Relays
• Caches A records for IPv4 and AAAA records for IPv6 and PTR records
• Supports IPv4 and IPv6 protocols and even can act as a IPv4 toIPv6 and IPv6 to IPv4 forwarder
• Support MX records and SRV records for local machines
• Block DNS redirect websites (like some websites which forward to a link for a website that doesn't exist)

Dnsmasq does the name lookup from its /etc/hosts file and hence its all about maintaining a /etc/hosts file on one computer as against multiple PCs on the LAN. If the host is a DHCP client then even if there isn't an entry for the host in the "hosts" file it can still provide name resolution for the host.

Effectively, all hosts in the LAN will have the dnsmasq server as the nameserver in /etc/resolv.conf file (In windows under network connection) and you dont have to worry about the "hosts" file on the local system.

The /etc/hosts file on the Dnsmasq server can have only the hostname without the domain name (example: host1 instead of host1.mynetwork.com) as the domain name can be appended globally using configurations in the /etc/dnsmasq.conf file.

It's got .deb and rpm packages for Debian, Fedora and other distributions and also can be built from the Source files. For more information and download, click here for dnsmasq home page.

ICMP Redirects Send and Accept are by default enabled on most of the linux flavours including Debian, Ubuntu, Redhat Enterprise Linux, Suse Linux.

While ICMP Redirects are not the very efficient way to update a hosts Routing table of an optimal route to a target destination, it can cause serious security concerns where a hacker or attacker can send malicously crafted ICMP redirect messages and cause a Denial of Service attack on the network.

If ICMP Redirects are not used in the network for route updates and if the server is not acting as a Router or a Gateway (ICMP Redirect send only) then ICMP Redirect send and accepts should be disabled on the server.

In most of the Linux flavors (tested on Debian,Ubuntu,Redhat Enterprise linux,Suse) ICMP Redirects can be dynamically disabled on the host by using

1. /sbin/sysctl utility which can modify Kernel paramters at runtime

Login as root and run the following command to disable ICMP Redirects Send and Accept

Server# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects = 0
Server# /sbin/sysctl -w net.ipv4.conf.all.send_redirects = 0

Server# /sbin/sysctl -w net.ipv6.conf.all.accept_redirects = 0
Server# /sbin/sysctl -w net.ipv6.conf.all.send_redirects = 0

The above disables ICMP Redirects globally on the server. However, if you want to disable on a per interface basis then in the above command, instead of using "all" use the inerface name (say "eth0")

Server# /sbin/sysctl -w net.ipv4.conf.eth0.accept_redirects = 0
Server# /sbin/sysctl -w net.ipv4.conf.eth0.send_redirects = 0

Server# /sbin/sysctl -w net.ipv6.conf.eth0.accept_redirects = 0
Server# /sbin/sysctl -w net.ipv6.conf.eth0.send_redirects = 0

This will disable ICMP Redirects immediatly.

or even a simpler option would be to

2. Passing appropriate value (0 or 1) to the above kernel variables as follows:

Server# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects [for IPv4]
Server# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects [for IPv4]

Server# echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects [for IPv6]
Server# echo 0 > /proc/sys/net/ipv6/conf/all/send_redirects [for IPv6]

Again this can be used on a per interface basis as

Server# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects [for IPv4]
Server# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects [for IPv4]

Server# echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_redirects [for IPv6]
Server# echo 0 > /proc/sys/net/ipv6/conf/eth0/send_redirects [for IPv6]

However, these kernel changes made at runtime will be lost when the system reboots. So it is important that these are applied at boot time as well to ensure that the server is secure.

ICMP REDIRECT DISABLE AT BOOT TIME

In order to disable ICMP Redirects at boot time,

1. Edit the /etc/sysctl.conf file

Edit the /etc/sysctl.conf file and add the following lines:

In Debian and Ubuntu Linux:

net/ipv4/conf/all/accept_redirects = 0 [for IPv4]
net/ipv4/conf/all/send_redirects = 0 [for IPv4]

net/ipv6/conf/all/accept_redirects = 0 [for IPv6]
net/ipv6/conf/all/send_redirects = 0 [for IPv6]
 
Again, if you want to control ICMP redirects on a per interface basis then add the following lines (say for eth0):

net/ipv4/conf/eth0/accept_redirects = 0 [for IPv4]
net/ipv4/conf/eth0/send_redirects = 0 [for IPv4]

net/ipv6/conf/eth0/accept_redirects = 0 [for IPv6]
net/ipv6/conf/eth0/send_redirects = 0 [for IPv6]

In Redhat Enterprise Linux and Suse:

net.ipv4.conf.all.accept_redirects = 0 [for IPv4]
net.ipv4.conf.all.send_redirects = 0 [for IPv4]

net.ipv6.conf.all.accept_redirects = 0 [for IPv6]
net.ipv6.conf.all.send_redirects = 0 [for IPv6]
 
Again, if you want to control ICMP redirects on a per interface basis then add the following lines (say for eth0):

net.ipv4.conf.eth0.accept_redirects = 0 [for IPv4]
net.ipv4.conf.eth0.send_redirects = 0 [for IPv4]

net.ipv6.conf.eth0.accept_redirects = 0 [for IPv6]
net.ipv6.conf.eth0.send_redirects = 0 [for IPv6]

This will allow the /etc/sysctl.conf be read by the /sbin/sysctl utility at the startup.

NOTE: In Debian and Ubuntu, this will be overiden by any options set in /etc/network/options as the /etc/init.d/networking script which sets the /etc/network/options file kernel paramters at boot time runs after the /etc/init.d/procps script which sets the kernel variable values specified in /etc/sysctl.conf file. It is advisable to make all change to /etc/sysctl.conf file instead of /etc/network/options file as this is being depreciated.

As in any Network device or a server, there will be times when you need to add a persistent static route to a target destination in your Debain Linux Server.

Adding a Static route in Debain Linux can be done using the "route" command and editing the network script files.

Advantage of using the route command is that it alters the Kernel IP Routing table dynamically and the static route becomes available as soon as it is been added. However, a reboot of the server looses this static route. This is where it becomes essential to add the static route in the network script files.

Add a Static route using "route" command:

# route add [-net|-host] <IP/Net> netmask <Mask> gw <Gateway IP> dev <Int>X

Example:

# route add -net 10.10.10.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth0
# route add -host 10.10.1.1 netmask 255.255.255.0 gw 192.168.1.1 dev eth0

This adds the route immediatly to the Kernel IP routing table. To confirm the route has been successfully, simply type the "route" command with no arguements:

DEBIAN:~# route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.254   *               255.255.255.0   U     0      0        0 eth0
localnet        *               255.255.255.0   U     0      0        0 eth0
10.10.10.0      *               255.255.255.0   U     0      0        0 eth0
10.10.1.1       *               255.255.255.0   U     0      0        0 eth0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

Use

# netstat -rn

to print the Kernel IP Routing table.

To keep the Static Route persistent or you want to add the route entries to the network script files (not using the route command) then all you need to do is to edit the file

/etc/network/interfaces

and the static routes in the following format:

up route add [-net|-host] <host/net>/<mask> gw <host/IP> dev <Interface>

Example:

up route add -net 172.20.11.0/16 gw 172.20.10.254 dev eth1

And the file will like the following:

#cat /etc/network/interfaces

The output should show something like this

# cat /etc/network/interfaces

The output should show something like this

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0 eth1

iface eth0 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.254
        # dns-* options are implemented by the resolvconf package, if installed
       

iface eth1 inet static
        address 172.20.10.1
        netmask 255.255.255.0
        broadcast 172.20.10.255
        gateway 172.20.10.254
       
        # static route
       up route add -net 172.20.11.0/16 gw 172.20.10.254 dev eth1

The above has 2 Ethernet interfaces and the static route is added to the interface eth1.

For the change to /etc/network/interface to take effect. please restart the "networking" service as follows:

/etc/init.d/networking restart

NOTE: If you added the route already using the "route" then there is no need to restart the networking service because, the next time server is restarted this takes effect.