How to Configure Multiple Upstream DNS Servers for Specific Domains in dnsmasq


When working with dnsmasq as a local DNS resolver, a common requirement is to specify multiple upstream DNS servers for particular domains. The standard configuration syntax:

server=/example.com/1.2.3.4

only allows one server per domain, which doesn't provide redundancy when that upstream server becomes unavailable.

While dnsmasq doesn't natively support multiple server= entries for the same domain, we can implement a workaround using these methods:

Configure primary and secondary servers together with the strict-order flag:

strict-order
server=/facebook.com/1.2.3.4
server=2.3.4.5

This makes dnsmasq try the domain-specific server first, then fall back to the general server list.

In newer dnsmasq versions (2.86+), you can use server groups:

server=/facebook.com/1.2.3.4#53
server=/facebook.com/2.3.4.5#53
server=/facebook.com/3.4.5.6#53

Dnsmasq will automatically load-balance between these servers.

For advanced setups, you can configure SRV records pointing to multiple servers:

srv-host=_dns._udp.facebook.com,ns1.facebook.com,53
srv-host=_dns._udp.facebook.com,ns2.facebook.com,53

After making changes, verify with:

dig @localhost facebook.com

Check the SERVER: line in the output to see which upstream responded.

When using multiple upstream servers:

  • Enable query logging with log-queries to monitor resolution paths
  • Set reasonable timeouts with dns-forward-max and query-timeout
  • Consider TTL values with local-ttl and neg-ttl

When working with dnsmasq, a common requirement is to forward DNS queries for specific domains to multiple upstream DNS servers. The goal is to achieve redundancy and failover, similar to how resolv.conf handles multiple nameservers. However, dnsmasq's default behavior with server=/domain/ip directives might not immediately support this.

By default, if you specify multiple server entries for the same domain:

server=/facebook.com/1.2.3.4
server=/facebook.com/2.3.4.5

dnsmasq will only use the last entry in the configuration file. This behavior is documented in the man page, but there are workarounds.

The key to making this work is the --all-servers flag. When enabled, dnsmasq will send queries to all configured servers and use the first response it receives.

# dnsmasq configuration
all-servers
server=/facebook.com/1.2.3.4
server=/facebook.com/2.3.4.5

For more advanced scenarios, you can use server groups with different priorities:

# Primary and backup servers
server=/facebook.com/1.2.3.4
server=/facebook.com/2.3.4.5@1

The @1 suffix makes the second server a backup that's only used if the primary fails.

After making changes, verify with:

dig facebook.com @localhost

Check dnsmasq logs to see which server was actually used:

tail -f /var/log/dnsmasq.log

When using multiple servers:

  • Response times may vary depending on which server answers first
  • Some DNS servers might block frequent queries from the same IP
  • Consider rate limiting with --dns-forward-max

Here's a full example demonstrating these concepts:

# /etc/dnsmasq.conf
no-resolv
all-servers
server=8.8.8.8
server=8.8.4.4
server=/facebook.com/1.2.3.4
server=/facebook.com/2.3.4.5
server=/google.com/8.8.8.8@1
log-queries
log-facility=/var/log/dnsmasq.log
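To confirm from the query log which upstreams actually received each forwarded query under a configuration like the one above (log-queries writing to the file named by log-facility), here is an added example that is not part of the original post and not dnsmasq's own tooling. The log lines are constructed samples in dnsmasq's query-log format, and EXPECTED_UPSTREAMS mirrors the server=/facebook.com/ lines; a name that falls under facebook.com but is forwarded to some other upstream is reported as a misconfiguration to look into.

```python
import re
from collections import defaultdict

# Constructed sample of dnsmasq "log-queries" output (not a real capture).
SAMPLE_LOG = """\
Jan 10 12:00:01 dnsmasq[1234]: query[A] facebook.com from 192.168.1.10
Jan 10 12:00:01 dnsmasq[1234]: forwarded facebook.com to 1.2.3.4
Jan 10 12:00:01 dnsmasq[1234]: forwarded facebook.com to 2.3.4.5
Jan 10 12:00:01 dnsmasq[1234]: reply facebook.com is 157.240.22.35
Jan 10 12:00:02 dnsmasq[1234]: query[A] example.org from 192.168.1.10
Jan 10 12:00:02 dnsmasq[1234]: forwarded example.org to 8.8.8.8
Jan 10 12:00:02 dnsmasq[1234]: forwarded example.org to 8.8.4.4
Jan 10 12:00:03 dnsmasq[1234]: query[A] www.facebook.com from 192.168.1.11
Jan 10 12:00:03 dnsmasq[1234]: forwarded www.facebook.com to 9.9.9.9
"""

# Domain-specific upstreams taken from the server=/facebook.com/... lines (assumed config).
EXPECTED_UPSTREAMS = {"facebook.com": {"1.2.3.4", "2.3.4.5"}}
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to (\S+)$")

def forwards_by_name(log_text):
    """Map each queried name to the ordered list of upstreams it was forwarded to."""
    forwards = defaultdict(list)
    for line in log_text.splitlines():
        m = FORWARD_RE.search(line)
        if m:
            forwards[m.group(1).lower()].append(m.group(2))
    return dict(forwards)

def matching_domain(name, domains):
    """Return the configured domain covering `name` (exact or subdomain), else None."""
    for domain in domains:
        if name == domain or name.endswith("." + domain):
            return domain
    return None

def unexpected_forwards(log_text, expected):
    """(name, upstream) pairs where a covered name went to an upstream outside its configured set."""
    problems = []
    for name, upstreams in forwards_by_name(log_text).items():
        domain = matching_domain(name, expected)
        if domain is None:
            continue  # not a domain-specific route; general server list applies
        for upstream in upstreams:
            if upstream.split("#")[0] not in expected[domain]:  # strip any #port suffix
                problems.append((name, upstream))
    return problems
```

With all-servers you should see one forwarded line per configured upstream for each query; with strict-order a single forwarded line is the normal case and a second one indicates a fallback.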