How to Configure dnsmasq as Pure DNS Forwarder with DHCP Disabled

When using dnsmasq specifically for DNS forwarding while disabling DHCP services, we need to modify its configuration file carefully. The primary file is typically located at /etc/dnsmasq.conf or sometimes /etc/dnsmasq/dnsmasq.conf depending on your Linux distribution.

Here's the minimal configuration needed to achieve DNS-only operation:

# Disable DHCP completely. dnsmasq only runs its DHCP server when a dhcp-range
# is configured, so make sure no dhcp-range line exists anywhere in the config.
# no-dhcp-interface needs an interface name (eth0 here is an assumption; use your
# own) and additionally refuses DHCP/TFTP on that interface while still serving DNS.
no-dhcp-interface=eth0

# Set upstream DNS servers (Google Public DNS)
server=8.8.8.8
server=8.8.4.4

# Optional: Increase cache size for better performance
cache-size=10000

After making changes, always verify your configuration:

# Check syntax
dnsmasq --test

# For systemd systems:
sudo systemctl restart dnsmasq
sudo systemctl status dnsmasq

For production environments, consider these additional settings:

# Reject (and log) upstream answers that point at private address ranges,
# which blocks DNS rebinding attacks against hosts behind this forwarder
stop-dns-rebind

# Log DNS queries (useful for debugging; noisy under load)
log-queries

# Restrict service to specific interfaces and addresses. Note that dnsmasq
# still binds the wildcard address and merely discards queries arriving on
# other interfaces unless bind-interfaces is also set.
interface=eth0
listen-address=127.0.0.1

If DNS forwarding isn't working as expected:

  1. Check firewall rules (UDP port 53 must be open, and TCP 53 as well so that truncated answers can be retried over TCP)
  2. Verify network connectivity to upstream DNS servers
  3. Inspect logs with journalctl -u dnsmasq -f

For high-traffic environments, consider these tweaks:

# Increase the number of concurrent DNS queries dnsmasq will forward
dns-forward-max=500

# Largest EDNS0 UDP packet the forwarder will advertise and accept
# (4096 is dnsmasq's default; lower it only if a path drops fragments)
edns-packet-max=4096

# Disable negative caching if needed (NXDOMAIN answers are then not cached)
no-negcache

When using dnsmasq, you might want to disable its DHCP functionality and only use it as a DNS forwarder. This is common in scenarios where you need local DNS caching but want to handle DHCP through another service (like ISC DHCP server) or simply don't need it.

The main configuration file for dnsmasq is typically located at /etc/dnsmasq.conf. To disable DHCP and set up DNS forwarding, you'll need to modify this file.

# Disable DHCP completely. There is no "dhcp-range=no" switch: dnsmasq serves
# DHCP only when a dhcp-range is present, so remove every dhcp-range line. To
# also refuse DHCP on a specific interface, name it here (eth0 is an assumed name).
no-dhcp-interface=eth0

# Set upstream DNS servers (Google Public DNS)
server=8.8.8.8
server=8.8.4.4

# Optional: Increase cache size
cache-size=1000

After making changes, restart dnsmasq and verify it's working correctly:

sudo systemctl restart dnsmasq
sudo systemctl status dnsmasq

Check that DHCP is truly disabled by requesting a lease from the server with a DHCP client on the same network segment and confirming that no offer comes back. You can also test DNS forwarding:

dig example.com @localhost

For more control over DNS forwarding, consider these additional options:

# Serve DNS only on specific interfaces and bind those addresses exclusively
# (without bind-interfaces dnsmasq still binds the wildcard address)
interface=lo
bind-interfaces

# Log DNS queries for debugging
log-queries
log-facility=/var/log/dnsmasq.log

When running dnsmasq as a pure DNS forwarder, you should:

  • Bind it only to necessary interfaces
  • Consider rate limiting if exposed to untrusted networks
  • Monitor logs for unusual activity

If you encounter problems:

# Check for syntax errors
sudo dnsmasq --test

# Verify no other service is using port 53 (anchor the pattern so it does not
# match unrelated ports; ss -tulnp works the same on systems without netstat)
sudo netstat -tulnp | grep ':53 '
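As an added example (not dnsmasq's own code and not from the original article), the following Python linter checks a dnsmasq.conf for the DNS-only posture described above before dnsmasq --test is run: it flags any dhcp-range line, bare options such as no-dhcp-interface without an interface name, server= lines without no-resolv, interface restrictions without bind-interfaces, and a missing stop-dns-rebind. The option semantics follow dnsmasq's documentation; both sample configs are constructed for the demonstration.

```python
# Hypothetical linter for a dnsmasq.conf meant to run as a DNS-only forwarder.
# Added example, not part of dnsmasq: it reads only the config text, so it can
# run before "dnsmasq --test" and before the service is restarted.

DHCP_ENABLING = {"dhcp-range"}  # dnsmasq serves DHCP only when a dhcp-range exists
NEEDS_VALUE = {"no-dhcp-interface", "server", "interface", "listen-address", "cache-size"}

def parse_conf(text):
    """Return [(lineno, option, value_or_None)] for each non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            option, sep, value = line.partition("=")
            entries.append((lineno, option.strip(), value.strip() if sep else None))
    return entries

def lint(text):
    """Return human-readable findings; an empty list means the config is clean."""
    entries = parse_conf(text)
    present = {option for _, option, _ in entries}
    findings = []
    for lineno, option, value in entries:
        if option in DHCP_ENABLING:
            findings.append(f"line {lineno}: '{option}' turns DHCP on; remove it")
        elif option in NEEDS_VALUE and not value:
            findings.append(f"line {lineno}: '{option}' needs a value ({option}=...)")
    if "server" not in present:
        findings.append("no 'server=': upstreams come only from /etc/resolv.conf")
    elif "no-resolv" not in present:
        findings.append("'server=' without 'no-resolv': /etc/resolv.conf servers are used too")
    if present & {"interface", "listen-address"} and "bind-interfaces" not in present:
        findings.append("'interface'/'listen-address' without 'bind-interfaces': "
                        "dnsmasq still binds the wildcard address on port 53")
    if "stop-dns-rebind" not in present:
        findings.append("'stop-dns-rebind' missing: upstream answers with private "
                        "addresses are passed through to clients")
    return findings

# Constructed samples: the first reproduces the defects in the snippets above,
# the second is a hardened version of the same DNS-only deployment.
BROKEN_CONF = "no-dhcp-interface\ndhcp-range=no\nserver=8.8.8.8\ninterface=eth0\n"
HARDENED_CONF = "\n".join([
    "no-dhcp-interface=eth0", "server=8.8.8.8", "server=8.8.4.4", "no-resolv",
    "interface=eth0", "listen-address=127.0.0.1", "bind-interfaces",
    "stop-dns-rebind", "cache-size=10000", ""])
```

Running lint(BROKEN_CONF) reports five findings, while lint(HARDENED_CONF) returns an empty list.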