DNS Server Solution for FB Router/Shared Connection

I am looking for a DNS resolver to run on my FB which local clients may use to resolve internet hosts names via DNS. BIND is supported by FB but is incompatible with a shared mode network interface. I have DNS resolution today using somebody else’s service, but I’d like to place this all under my control which I could do with BIND but not while using a shared interface. Also, I am terrified of NetworkManager and am afraid I will jack up my production environment if I just pull any DNS server alternative off of apt.

  • I want local clients to use my FB as their DNS server. Check! FB as router w/ shared connection
  • I do not want to forward DNS requests to my ISP or other party. Check! (using bind) (I know, ROOT-SERVERS.NET, yeah, yeah.)
  • I want to use a shared network interface. ← CAN’T DO THAT
  • When my FB cannot satisfy a DNS request itself it contacts root servers itself to resolve the address. Check! (using bind)

QUESTION 1: If I add a third network interface of type Static or DHCP am I then compatible with BIND? Are there any considerations to be aware of?

QUESTION 2: Are there other programs that you’ve used on such an FB configuration to provide this service?

BAD ALTERNATIVE: You can’t use a cloud server connected to FB by OpenVPN to do your DNS for you, apparently.

BAD ALTERNATIVE: just try bind with shared interface and see how it goes. That resulted in reinstallation for me, but I was new to this at the time. Would not recommend on production environment.

BAD ALTERNATIVE: add a dedicated DNS server to your network. Sadly I don’t have budget for new hardware, and am finding that my old hardware isn’t working.

I’ll be happy to hear any ideas that can get this done while keeping my production environment stable. I’m sure there’s an answer and hope that you’ll share it with me.


Hi! I had the same need and what I did was to install dnsmasq via command line. Do you have any experience with it? I can give you some hints and depending of what you get of it I get more into details:

  1. Disable bind via web interface
  2. Check if there’s any service listening at the dns port: sudo ss -tlnp | grep 53 (read last column right, the p for process). If nothing appears, the port is available for us. You may need to check /etc/resolv.conf (uses no port) and /etc/resolvconf.conf (systemd service config file that listens at localhost:53)
  3. Install dnsmasq sudo apt install dnsmasq and enable its service sudo systemctl enable dnsmasq so that it starts automatically after any reboot
  4. Now, by default, anything you write in /etc/hosts is read by dnsmasq, and it already acts as a dns query forwarder. So you can try echo 'doubleclick.com' | sudo tee -a /etc/hosts and then try to resolve this domain from the freedombox with host doubleclick.com. If some non-zero IP appears, bad. However, host reads /etc/hosts too. Now, to test dnsmasq (you need to reload/restart it for every update of /etc/hosts) you can do dig doubleclick.com @localhost. The best test though is from your laptop, same dig command.
  5. If you were trying the bind way, you may already have done this, but it’s essential. Go to your router admin page, and wherever it lets you (if even) edit the DNS server pair the DHCP server tells its clients to set, input your FB private IP address there. The second one can be a privacy-friendly DNS provider (like njal.la’s) or that other external one you are using now. Apply/save.
  6. From your laptop, check the DNS servers you are using. In most Linuxes I’ve used, it’s either cat /etc/resolv.conf or, if it says localhost, then cat /etc/resolvconf.conf. In Windows, it’s under wifi connection properties or something like that. Probably ipconfig at the cmd works too.
  7. disconnect and reconnect to the wifi from your laptop. Thus we force a dhcp request and a dns server list update. Ensure that the first nameserver configured is your FB’s local IP address.
  8. From your laptop, go to https://doubleclick.com. What do you see?

I know it’s a long list and my midnight English is not great. I hope it works for you, at least for inspiration ^^

PS: there are interesting dnsmasq config tweaks like

  • reading another file instead of /etc/hosts, so you can just use some public ad-banning list, with no-hosts and addn-hosts=/etc/hosts_dnsmasq
  • don’t use dnsmasq format of servers. Stick to the etc-host way. I tried the first and each query was 10x slower :confused:
  • set the nameserver to use with no-resolv and server= or your favorite private dns public server.
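Added example, not from this thread or from the FreedomBox project: a few POSIX sh helpers for steps 2 and 4 and the PS tweaks above. It checks a captured ss -tlnp listing for what actually holds port 53 (matching the port exactly, because grep 53 also hits 5353 and 5335), builds the hosts-format sinkhole file, and emits the dnsmasq drop-in with no-hosts, addn-hosts, no-resolv and server=. The ss sample, the process names and PIDs, the upstream 192.0.2.53 and the drop-in path /etc/dnsmasq.d/sinkhole.conf are all constructed placeholders; /etc/hosts_dnsmasq is the file name from the PS. A hosts line needs an address in front of the name, and 0.0.0.0 is the conventional sinkhole value: dnsmasq answers those names itself and never forwards them upstream.

```shell
#!/bin/sh
# Added example, not from the thread or the FreedomBox project.
# Helpers for the dnsmasq sinkhole how-to: find what owns port 53,
# build the hosts-format blocklist, emit the dnsmasq drop-in.

# Constructed sample of `ss -tlnp` output (PIDs and names made up);
# on the box, feed it the real thing: port53_listeners "$(ss -tlnp)"
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=13))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=700,fd=3))
LISTEN 0      32     0.0.0.0:5353        0.0.0.0:*         users:(("avahi-daemon",pid=450,fd=12))'

# Print "address:port process" for each TCP listener bound exactly to
# port 53. A plain `grep 53` would also match 5353, 5335, 1053, ...
port53_listeners() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" && $4 ~ /:53$/ {
        proc = $6
        sub(/^users:\(\("/, "", proc)   # strip  users:(("
        sub(/".*$/, "", proc)           # strip  ",pid=...))
        print $4, proc
    }'
}

# Read domains on stdin, write a hosts-format sinkhole file to $1 and
# print how many entries were written. Comments, blank lines and
# anything that is not a plain hostname are dropped, so a stray line
# cannot become a bogus record. dnsmasq answers these names with
# 0.0.0.0 itself and never forwards them upstream.
make_blocklist() {
    out=$1
    grep -Ev '^[[:space:]]*(#|$)' \
      | tr 'A-Z' 'a-z' \
      | grep -E '^([a-z0-9-]+\.)+[a-z0-9-]+$' \
      | awk '{ print "0.0.0.0 " $1 }' > "$out"
    wc -l < "$out" | tr -d ' '
}

# Emit the dnsmasq fragment from the PS: $1 = sinkhole file,
# $2 = upstream resolver IP. domain-needed / bogus-priv are added
# hardening: never send bare names or private reverse lookups upstream.
dnsmasq_conf() {
    cat <<EOF
# drop-in for dnsmasq (example path: /etc/dnsmasq.d/sinkhole.conf)
no-hosts
addn-hosts=$1
no-resolv
server=$2
domain-needed
bogus-priv
EOF
}
```

Reload dnsmasq after every change to the sinkhole file, then test from the laptop with dig doubleclick.com @<FreedomBox LAN IP>: an answer of 0.0.0.0 means the sinkhole is serving, a real address means the query went to the upstream instead.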

Thanks for the fast reply!

So I didn’t know those details about dnsmasq - and dnsmasq is already running in FreedomBox. That’s a good start.

Is step 4 a test to confirm that dnsmasq is the resolver?

I think on step 5 we are starting to talk about different things.

  • I don’t have bind and can’t use that with my configuration.
  • my clients are using the freedombox as their DNS host and it works
  • freedombox is my router - I do not have an ISP issued router. I think this is the key difference.

So for step 5 the details would be:

  • I put the freedombox internal (shared connection) IP address into the DNS server field in the plinth Networks page for the shared connection.
  • freedombox continues to give DHCP clients the freedombox address for DNS server
  • freedombox will resolve a DNS request from the client using dnsmasq and query root servers ( not ISP DNS server, not GoogleDNS, etc. ) ?

Do I understand correctly?

Actually, I’m afraid I was too fast and misunderstood your goal. I only figured it out at your last question, sorry. I’ll leave my previous answers. If I understand well now, you want to have your own full DNS resolver querying the root servers, you explain that pretty well.

You don’t mention that you want to do that to filter ads/malware/dangerous sites. That’s my goal in my setup and the one I describe. I terribly assumed you wanted to do something I accomplished, wishfully thinking to be of help. Sorry. It’s not as important for me now whether FB contacts root servers or just uses another server. I can’t help you.

I apologize if my reply has confused you. It probably has. I hope the @moderators may find some use for that how-to I wrote and move it somewhere else.

Yes. The dig ad.domain.com @localhost one.

Whoah, that’s great. I envy you. You can totally skip next steps, yes.

  • Yes
  • Yes
  • Not exactly

Bind is much more powerful than dnsmasq. ISPs or DNS providers can use Bind for their service. It’s a complete DNS server. Dnsmasq is not. It can do DHCP too, so go figure. I guess we can say it’s LAN-oriented.

I don’t remember any dnsmasq setting (they are all commented and well explained in the same config file) for querying directly the root servers. I’m afraid that you will need still to use some external DNS servers for that.


That’s probably what FB is using as a dhcp server. If that’s the case, it should not be listening to dns queries by default. It is probably running with another config file (like dnsmasq -c /.../dhcp-server.conf).

For my FB, I use DNS server from my pi-hole + unbound (recursive dns server) configuration…
Set up Pi-hole as truly self-contained DNS resolver.
Into the Pi-Hole you should go - 8 months later


Thanks, @zippy99, I like this idea.

I’m not a dnsmasq expert yet, but I see I need to bone up on this. Do you happen to know if you can just direct dnsmasq to use the unbound service as configured in first link you shared?

Assuming the answer to that question is no, then I’d need to work through:

  1. unbound configuration document is using port 5335 and would need to be changed to port 53 to serve client DNS requests
  2. unbound configuration document is using interface, but the FreedomBox would need to listen with unbound on the local LAN interface instead in order to serve clients (internal firewall zone only)
  3. port 53 is occupied by dnsmasq DNS service at the moment - that function will need to be turned off before listening on port 53 with unbound, but the rest of dnsmasq functionality would continue as before

I’ll try this. It looks to be feasible and would do exactly what I’m looking for. Thanks!
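Added example, not from this thread, the linked Pi-hole guide or the FreedomBox project: the wiring in which dnsmasq keeps port 53 for the LAN and forwards everything it cannot answer to a recursive unbound on 127.0.0.1 port 5335, which is what the guide’s port 5335 is for. With that arrangement steps 1 and 3 above are not needed; unbound never touches port 53 and dnsmasq is pointed at it with dnsmasq’s host#port upstream syntax. The last function is the check a practitioner wants before restarting anything: it reads both config texts and reports a port clash (both on 53) or a gap (dnsmasq forwarding to a port unbound is not on). The config contents are the example’s own and are the usual minimal recursive setup; unbound ships its own root hints. One caveat: on a NetworkManager shared connection the dnsmasq instance serving the LAN is spawned by NetworkManager, so check which instance actually answers on the LAN address and which drop-in directory it reads before assuming /etc/dnsmasq.d/ applies.

```shell
#!/bin/sh
# Added example, not from the thread, the Pi-hole guide or FreedomBox.
# Wiring for "dnsmasq on :53 forwards to a recursive unbound on
# 127.0.0.1:5335", plus a check for the port clash described in step 3.

# Minimal recursive unbound: loopback only, non-standard port, answers
# only the local dnsmasq. unbound ships its own root hints, so nothing
# else is needed for it to walk from the root servers.
unbound_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    prefetch: yes
    edns-buffer-size: 1232
EOF
}

# dnsmasq keeps serving the LAN on :53 and hands everything it cannot
# answer itself to unbound. "host#port" is dnsmasq's syntax for an
# upstream on a non-default port; no-resolv stops it reading resolv.conf.
dnsmasq_forward_conf() {
    cat <<'EOF'
no-resolv
server=127.0.0.1#5335
EOF
}

# Given the two config texts ($1 = unbound, $2 = dnsmasq), verify they
# form a chain rather than a clash: different listening ports, and
# dnsmasq forwarding to the port unbound actually listens on.
# Returns 0 when consistent, 1 otherwise, with a one-line reason.
check_chain() {
    ub_port=$(printf '%s\n' "$1" | awk '$1 == "port:" { print $2 }')
    [ -n "$ub_port" ] || ub_port=53                  # unbound default
    dm_port=$(printf '%s\n' "$2" | sed -n 's/^port=//p')
    [ -n "$dm_port" ] || dm_port=53                  # dnsmasq default
    upstream=$(printf '%s\n' "$2" | sed -n 's/^server=//p' | head -n 1)
    case $upstream in
        *#*) up_port=${upstream##*#} ;;              # server=host#port
        *)   up_port=53 ;;                           # server=host
    esac
    if [ "$ub_port" = "$dm_port" ]; then
        echo "clash: unbound and dnsmasq both want port $dm_port"
        return 1
    fi
    if [ "$up_port" != "$ub_port" ]; then
        echo "gap: dnsmasq forwards to :$up_port but unbound listens on :$ub_port"
        return 1
    fi
    echo "ok: LAN -> dnsmasq :$dm_port -> unbound :$ub_port -> root servers"
}
```

Usage on the box would be check_chain "$(cat /etc/unbound/unbound.conf.d/recursive.conf)" "$(cat /etc/dnsmasq.d/forward.conf)" with whatever paths you actually use (those two are assumptions); dig example.org @127.0.0.1 -p 5335 confirms unbound answers on its own, and the same query against the LAN IP on port 53 confirms dnsmasq is forwarding to it.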