When using dnsmasq with a wildcard (catch-all) redirect like address=/#/127.0.0.1, every DNS query is answered with 127.0.0.1. This becomes a problem when certain domains need real DNS resolution while the catch-all keeps sinkholing everything else.
Adding entries to /etc/hosts works as a stopgap:
209.85.148.95 ajax.googleapis.com
207.97.227.245 underscorejs.org
72.21.194.31 s3.amazonaws.com
This approach has significant drawbacks:
- IP addresses change over time
- Manual maintenance is required
- Doesn't scale well
Here's how to configure dnsmasq to use upstream DNS servers only for specific domains:
# Redirect all domains to localhost by default
address=/#/127.0.0.1
# Forward these domains (and their subdomains) to an upstream resolver instead
server=/ajax.googleapis.com/8.8.8.8
server=/underscorejs.org/8.8.8.8
server=/s3.amazonaws.com/8.8.8.8
For more complex scenarios, consider these additional configurations. Note that a server= entry already covers the named domain and every subdomain, so there is no glob syntax: a '*' in the domain is not a wildcard in dnsmasq and an entry written that way does not do what it suggests (run dnsmasq --test after editing). Listing a parent domain such as amazonaws.com therefore resolves every name under it, which is far broader than the single host you started with; keep that in mind if the catch-all is acting as an allowlist.
# Multiple upstream DNS servers: dnsmasq uses whichever answers and moves off one that stops responding
server=/ajax.googleapis.com/8.8.8.8
server=/ajax.googleapis.com/8.8.4.4
# Parent-domain matching (covers googleapis.com and all of its subdomains)
server=/googleapis.com/8.8.8.8
server=/amazonaws.com/8.8.8.8
After making changes, test with:
sudo systemctl restart dnsmasq
dig ajax.googleapis.com @127.0.0.1
You should see the real address for the listed domains, and 127.0.0.1 for anything else.
Remember that dnsmasq caches responses. To clear the cache (SIGHUP also re-reads /etc/hosts and resolv.conf but not dnsmasq.conf, so a configuration change still needs a restart):
sudo systemctl restart dnsmasq
# or
sudo killall -HUP dnsmasq
When using dnsmasq with a wildcard address directive like address=/#/127.0.0.1, it captures all DNS queries and returns 127.0.0.1. While this works for many use cases, it becomes a problem when you need certain domains to resolve to their actual IP addresses.
Hardcoding IP addresses in /etc/hosts:
209.85.148.95 ajax.googleapis.com
207.97.227.245 underscorejs.org
72.21.194.31 s3.amazonaws.com
creates maintenance headaches as IP addresses can change, breaking connectivity.
Here's how to configure dnsmasq to selectively use upstream DNS servers:
Step 1: Define Server Sections
In your dnsmasq.conf, specify upstream servers for specific domains:
# Default upstreams (never consulted while the catch-all below answers everything else)
server=8.8.8.8
server=8.8.4.4
# Exceptions: forward these domains and their subdomains to a specific resolver
server=/ajax.googleapis.com/1.1.1.1
server=/underscorejs.org/1.1.1.1
server=/s3.amazonaws.com/1.1.1.1
# Catch-all: anything not matched by a more specific entry gets 127.0.0.1
address=/#/127.0.0.1
Step 2: Check Precedence
dnsmasq does not apply rules in file order. For each query it picks the most specific matching domain: a name matches an entry for itself or any parent domain, the longest such match wins, the '#' catch-all is the least specific named entry, and bare server= upstreams are used only when nothing else matches. The exceptions above therefore win over the catch-all wherever they appear in the file. What does matter is how broad each exception is: server=/amazonaws.com/ would let every name under amazonaws.com through, so list the most specific names you actually need.
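To see how these rules combine before restarting the real daemon, here is an added example; it is not part of this page and not dnsmasq's own code. It is a small Python model of dnsmasq's documented matching: suffix matching that includes subdomains, longest match wins regardless of line order, '#' as the catch-all, bare server= upstreams as the last resort, and server=/domain/# handing a domain back to those upstreams. It also rejects '*' patterns like the "domain pattern matching" lines earlier on this page, since dnsmasq has no glob syntax. The configuration inside it is constructed to mirror the page; the NXDOMAIN form address=/domain/ and the hosts-only form server=/domain/ are not modelled.

```python
"""Model of dnsmasq's address=/server= domain matching (added example, not
dnsmasq's own code). It reproduces the documented rules: a domain entry
covers itself and every subdomain, the longest matching domain wins no
matter where the line sits in the file, '#' matches any name, a bare
server=<ip> is only used when no domain entry matches, and server=/d/#
hands a domain back to those bare upstreams. The NXDOMAIN form address=/d/
and the hosts-only form server=/d/ are not modelled. The sample config
below is constructed for the demo."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str           # "address": answer locally; "server": forward upstream
    domain: str | None  # None for a bare server=<ip>; "" for the '#' catch-all
    target: str         # IP returned (address) or upstream resolver (server)

    @property
    def specificity(self) -> int:
        # Longer suffix = more specific. Bare upstreams rank below even '#'.
        return -1 if self.domain is None else len(self.domain)

    def matches(self, name: str) -> bool:
        if not self.domain:             # None or '#' match everything
            return True
        return name == self.domain or name.endswith("." + self.domain)


def normalise(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot of FQDN form."""
    return name.strip().rstrip(".").lower()


def parse_config(text: str) -> list[Rule]:
    """Parse address= and server= lines; other options are ignored."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue                    # blank, comment, or not an option
        key, value = line.split("=", 1)
        if key not in ("address", "server"):
            continue
        if not value.startswith("/"):
            if key == "server":         # server=8.8.8.8: default upstream
                rules.append(Rule(key, None, value))
            continue
        parts = value.split("/")        # "/d1/d2/target" -> ["", d1, d2, target]
        target = parts[-1]
        for domain in parts[1:-1]:
            if "*" in domain:
                raise ValueError(f"{line}: dnsmasq has no glob wildcards; "
                                 f"{key}=/{domain.lstrip('*.')}/ already "
                                 "covers the domain and all its subdomains")
            rules.append(Rule(key, "" if domain == "#" else normalise(domain), target))
    return rules


def lint(text: str) -> list[str]:
    """Return syntax complaints for a config fragment (empty list = clean)."""
    try:
        parse_config(text)
    except ValueError as exc:
        return [str(exc)]
    return []


def resolve(rules: list[Rule], name: str) -> tuple[str, list[str]]:
    """What dnsmasq does with a query: ("answer", [ip]) or ("forward", [upstreams])."""
    name = normalise(name)
    matching = [r for r in rules if r.matches(name)]
    if not matching:
        return ("refuse", [])           # nothing configured at all
    best = max(r.specificity for r in matching)
    winners = [r for r in matching if r.specificity == best]
    answers = [r.target for r in winners if r.kind == "address"]
    if answers:
        return ("answer", answers[:1])
    upstreams = {r.target for r in winners}
    if "#" in upstreams:                # server=/d/#: use the bare upstreams
        upstreams = {r.target for r in rules if r.domain is None}
    return ("forward", sorted(upstreams))  # order is irrelevant to dnsmasq


EXAMPLE_CONF = """
# constructed to mirror the page: sinkhole everything, allow a few names
address=/#/127.0.0.1
server=8.8.8.8
server=/ajax.googleapis.com/1.1.1.1
server=/ajax.googleapis.com/9.9.9.9
server=/amazonaws.com/1.1.1.1
server=/underscorejs.org/#
"""

if __name__ == "__main__":
    rules = parse_config(EXAMPLE_CONF)
    for q in ("example.com", "ajax.googleapis.com", "cdn.ajax.googleapis.com",
              "googleapis.com", "anything.s3.amazonaws.com", "underscorejs.org"):
        print(f"{q:30} -> {resolve(rules, q)}")
```

Running it shows googleapis.com itself still sinkholed while cdn.ajax.googleapis.com is forwarded, and that every name under amazonaws.com is forwarded once the parent domain is listed; reversing the order of the config lines changes nothing.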
Alternative: Using conf-dir
For better organization, create separate files in /etc/dnsmasq.d/ (dnsmasq reads that directory when dnsmasq.conf contains a conf-dir=/etc/dnsmasq.d line, which distribution packages usually ship). Because precedence comes from domain specificity rather than file order, it does not matter which file is read first:
# /etc/dnsmasq.d/upstream.conf
server=/ajax.googleapis.com/1.1.1.1
server=/underscorejs.org/1.1.1.1
# /etc/dnsmasq.d/catchall.conf
address=/#/127.0.0.1
After making changes, test against the dnsmasq instance directly rather than relying on the system resolver pointing at it:
sudo systemctl restart dnsmasq
dig ajax.googleapis.com @127.0.0.1
dig nonexistent.test @127.0.0.1
The first should return real IPs, while the second should show 127.0.0.1.
For redundancy, specify multiple upstream servers:
server=/ajax.googleapis.com/1.1.1.1
server=/ajax.googleapis.com/9.9.9.9
server=/ajax.googleapis.com/8.8.8.8
- Check logs (add log-queries to the config to see each query and the upstream it was sent to):
journalctl -u dnsmasq -f
- Verify config:
dnsmasq --test
- Clear cache:
sudo systemctl restart dnsmasq