Dnsmasq is an opensource light-weight,easy to configure and administer DNS and a DHCP Server. Dnsmasq is ideally suitable for smaller networks like Small Office and Home Office networks (SOHO) and branch office networks. Dnsmasq can be run on old PC and is very easy to configure and administer. Dnsmasq is seen to support upto 1000 nodes on a network.

In essence, Dnsmasq is a Caching nameserver and a DNS forwarder with DHCP enabled on it. Dnsmasq can provide nameservice for local hosts while forwarding the queries for global public resources to a Public DNS Server (like an ISP DNS server). So, small networks which are behind a DSL/ADSL router or even a modem link and share a single internet connection can make the best use of Dnsmasq.

Dnsmasq is included in most of the opensource firewalls and opensource router firmware and in the most common Linux distributions. Some of them include:

Opensource Firewalls:

IPCop / Smoothwall / floppyfw / Firebox / LEAF / m0n0wall / PfSense / Endian Firewall / ClarkConnect

Opensource router firmware:

dd-wrt / openwrt / stock firmware / fli4l

Linux Distributions:

Debian / Gentoo / Slackware / Suse / Fedora / Coyote Linux

*BSD

FreeBSD / OpenBSD / NetBSD

Some of the highlighting features of Dnsmasq are as follows:

• Automatically update the Public DNS Servers through PPP or DHCP connections. So, change in a Public DNS server of an ISP that the network is connected to will be picked up by Dnsmasq
• Caching Nameserver to reduce network traffic and improve performance
• Forwarding to Private DNS servers for specific Domains can be configured
• Nameservice for the localhosts using the /etc/hosts file and for DHCP Client hosts
• Static and Dynamic client leases on DHCP
• Multiple Network and IP Ranges on the DHCP server
• BOOTP support for network booting using a secure read-only TFTP server
• Simple global configuration using the /etc/dnsmasq.conf file
• Supports BOOTP and DHCP Relays
• Caches A records for IPv4 and AAAA records for IPv6 and PTR records
• Supports IPv4 and IPv6 protocols and even can act as a IPv4 toIPv6 and IPv6 to IPv4 forwarder
• Support MX records and SRV records for local machines
• Block DNS redirect websites (like some websites which forward to a link for a website that doesn't exist)

Dnsmasq does the name lookup from its /etc/hosts file and hence its all about maintaining a /etc/hosts file on one computer as against multiple PCs on the LAN. If the host is a DHCP client then even if there isn't an entry for the host in the "hosts" file it can still provide name resolution for the host.

Effectively, all hosts in the LAN will have the dnsmasq server as the nameserver in /etc/resolv.conf file (In windows under network connection) and you dont have to worry about the "hosts" file on the local system.

The /etc/hosts file on the Dnsmasq server can have only the hostname without the domain name (example: host1 instead of host1.mynetwork.com) as the domain name can be appended globally using configurations in the /etc/dnsmasq.conf file.

It's got .deb and rpm packages for Debian, Fedora and other distributions and also can be built from the Source files. For more information and download, click here for dnsmasq home page.

ICMP Redirects Send and Accept are by default enabled on most of the linux flavours including Debian, Ubuntu, Redhat Enterprise Linux, Suse Linux.

While ICMP Redirects are not the very efficient way to update a hosts Routing table of an optimal route to a target destination, it can cause serious security concerns where a hacker or attacker can send malicously crafted ICMP redirect messages and cause a Denial of Service attack on the network.

If ICMP Redirects are not used in the network for route updates and if the server is not acting as a Router or a Gateway (ICMP Redirect send only) then ICMP Redirect send and accepts should be disabled on the server.

In most of the Linux flavors (tested on Debian,Ubuntu,Redhat Enterprise linux,Suse) ICMP Redirects can be dynamically disabled on the host by using

1. /sbin/sysctl utility which can modify Kernel paramters at runtime

Login as root and run the following command to disable ICMP Redirects Send and Accept

Server# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects = 0
Server# /sbin/sysctl -w net.ipv4.conf.all.send_redirects = 0

Server# /sbin/sysctl -w net.ipv6.conf.all.accept_redirects = 0
Server# /sbin/sysctl -w net.ipv6.conf.all.send_redirects = 0

The above disables ICMP Redirects globally on the server. However, if you want to disable on a per interface basis then in the above command, instead of using "all" use the inerface name (say "eth0")

Server# /sbin/sysctl -w net.ipv4.conf.eth0.accept_redirects = 0
Server# /sbin/sysctl -w net.ipv4.conf.eth0.send_redirects = 0

Server# /sbin/sysctl -w net.ipv6.conf.eth0.accept_redirects = 0
Server# /sbin/sysctl -w net.ipv6.conf.eth0.send_redirects = 0

This will disable ICMP Redirects immediatly.

or even a simpler option would be to

2. Passing appropriate value (0 or 1) to the above kernel variables as follows:

Server# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects [for IPv4]
Server# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects [for IPv4]

Server# echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects [for IPv6]
Server# echo 0 > /proc/sys/net/ipv6/conf/all/send_redirects [for IPv6]

Again this can be used on a per interface basis as

Server# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects [for IPv4]
Server# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects [for IPv4]

Server# echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_redirects [for IPv6]
Server# echo 0 > /proc/sys/net/ipv6/conf/eth0/send_redirects [for IPv6]

However, these kernel changes made at runtime will be lost when the system reboots. So it is important that these are applied at boot time as well to ensure that the server is secure.

ICMP REDIRECT DISABLE AT BOOT TIME

In order to disable ICMP Redirects at boot time,

1. Edit the /etc/sysctl.conf file

Edit the /etc/sysctl.conf file and add the following lines:

In Debian and Ubuntu Linux:

net/ipv4/conf/all/accept_redirects = 0 [for IPv4]
net/ipv4/conf/all/send_redirects = 0 [for IPv4]

net/ipv6/conf/all/accept_redirects = 0 [for IPv6]
net/ipv6/conf/all/send_redirects = 0 [for IPv6]
 
Again, if you want to control ICMP redirects on a per interface basis then add the following lines (say for eth0):

net/ipv4/conf/eth0/accept_redirects = 0 [for IPv4]
net/ipv4/conf/eth0/send_redirects = 0 [for IPv4]

net/ipv6/conf/eth0/accept_redirects = 0 [for IPv6]
net/ipv6/conf/eth0/send_redirects = 0 [for IPv6]

In Redhat Enterprise Linux and Suse:

net.ipv4.conf.all.accept_redirects = 0 [for IPv4]
net.ipv4.conf.all.send_redirects = 0 [for IPv4]

net.ipv6.conf.all.accept_redirects = 0 [for IPv6]
net.ipv6.conf.all.send_redirects = 0 [for IPv6]
 
Again, if you want to control ICMP redirects on a per interface basis then add the following lines (say for eth0):

net.ipv4.conf.eth0.accept_redirects = 0 [for IPv4]
net.ipv4.conf.eth0.send_redirects = 0 [for IPv4]

net.ipv6.conf.eth0.accept_redirects = 0 [for IPv6]
net.ipv6.conf.eth0.send_redirects = 0 [for IPv6]

This will allow the /etc/sysctl.conf be read by the /sbin/sysctl utility at the startup.

NOTE: In Debian and Ubuntu, this will be overiden by any options set in /etc/network/options as the /etc/init.d/networking script which sets the /etc/network/options file kernel paramters at boot time runs after the /etc/init.d/procps script which sets the kernel variable values specified in /etc/sysctl.conf file. It is advisable to make all change to /etc/sysctl.conf file instead of /etc/network/options file as this is being depreciated.