Translated: Advanced Dnsmasq Tips and Tricks

2025-01-25 23:11:02 +08:00 · 2018-02-22 20:44:01 -05:00 · 2018-02-22 20:44:01 -05:00 · a05d0781b3
commit a05d0781b3
parent b177c15ad7
2 changed files with 155 additions and 156 deletions
--- a/sources/tech/20180208
+++ b/sources/tech/20180208
@ -1,156 +0,0 @@
-yixunx translating
-Advanced Dnsmasq Tips and Tricks
-======
-
-!](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/banner_3.25.47_pm.png?itok=2YaDe86d)
-
-Many people know and love Dnsmasq and rely on it for their local name services. Today we look at advanced configuration file management, how to test your configurations, some basic security, DNS wildcards, speedy DNS configuration, and some other tips and tricks. Next week, we'll continue with a detailed look at how to configure DNS and DHCP.
-
-### Testing Configurations
-
-When you're testing new configurations, you should run Dnsmasq from the command line, rather than as a daemon. This example starts it without launching the daemon, prints command output, and logs all activity:
-```
-# dnsmasq --no-daemon --log-queries
-dnsmasq: started, version 2.75 cachesize 150
-dnsmasq: compile time options: IPv6 GNU-getopt
- DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack
- ipset auth DNSSEC loop-detect inotify
-dnsmasq: reading /etc/resolv.conf
-dnsmasq: using nameserver 192.168.0.1#53
-dnsmasq: read /etc/hosts - 9 addresses
-
-```
-
-You can see tons of useful information in this small example, including version, compiled options, system name service files, and its listening address. Ctrl+c stops it. By default, Dnsmasq does not have its own log file, so entries are dumped into multiple locations in `/var/log`. You can use good old `grep` to find Dnsmasq log entries. This example searches `/var/log` recursively, prints the line numbers after the filenames, and excludes `/var/log/dist-upgrade`:
-```
-# grep -ir --exclude-dir=dist-upgrade dnsmasq /var/log/
-
-```
-
-Note the fun grep gotcha with `--exclude-dir=`: Don't specify the full path, but just the directory name.
-
-You can give Dnsmasq its own logfile with this command-line option, using whatever file you want:
-```
-# dnsmasq --no-daemon --log-queries --log-facility=/var/log/dnsmasq.log
-
-```
-
-Or enter it in your Dnsmasq configuration file as `log-facility=/var/log/dnsmasq.log`.
-
-### Configuration Files
-
-Dnsmasq is configured in `/etc/dnsmasq.conf`. Your Linux distribution may also use `/etc/default/dnsmasq`, `/etc/dnsmasq.d/`, and `/etc/dnsmasq.d-available/`. (No, there cannot be a universal method, as that is against the will of the Linux Cat Herd Ruling Cabal.) You have a fair bit of flexibility to organize your Dnsmasq configuration in a way that pleases you.
-
-`/etc/dnsmasq.conf` is the grandmother as well as the boss. Dnsmasq reads it first at startup. `/etc/dnsmasq.conf` can call other configuration files with the `conf-file=` option, for example `conf-file=/etc/dnsmasqextrastuff.conf`, and directories with the `conf-dir=` option, e.g. `conf-dir=/etc/dnsmasq.d`.
-
-Whenever you make a change in a configuration file, you must restart Dnsmasq.
-
-You may include or exclude configuration files by extension. The asterisk means include, and the absence of the asterisk means exclude:
-```
-conf-dir=/etc/dnsmasq.d/,*.conf, *.foo
-conf-dir=/etc/dnsmasq.d,.old, .bak, .tmp
-
-```
-
-You may store your host configurations in multiple files with the `--addn-hosts=` option.
-
-Dnsmasq includes a syntax checker:
-```
-$ dnsmasq --test
-dnsmasq: syntax check OK.
-
-```
-
-### Useful Configurations
-
-Always include these lines:
-```
-domain-needed
-bogus-priv
-
-```
-
-These prevent packets with malformed domain names and packets with private IP addresses from leaving your network.
-
-This limits your name services exclusively to Dnsmasq, and it will not use `/etc/resolv.conf` or any other system name service files:
-```
-no-resolv
-
-```
-
-Reference other name servers. The first example is for a local private domain. The second and third examples are OpenDNS public servers:
-```
-server=/fooxample.com/192.168.0.1
-server=208.67.222.222
-server=208.67.220.220
-
-```
-
-Or restrict just local domains while allowing external lookups for other domains. These are answered only from `/etc/hosts` or DHCP:
-```
-local=/mehxample.com/
-local=/fooxample.com/
-
-```
-
-Restrict which network interfaces Dnsmasq listens to:
-```
-interface=eth0
-interface=wlan1
-
-```
-
-Dnsmasq, by default, reads and uses `/etc/hosts`. This is a fabulously fast way to configure a lot of hosts, and the `/etc/hosts` file only has to exist on the same computer as Dnsmasq. You can make the process even faster by entering only the hostnames in `/etc/hosts`, and use Dnsmasq to add the domain. `/etc/hosts` looks like this:
-```
-127.0.0.1 localhost
-192.168.0.1 host2
-192.168.0.2 host3
-192.168.0.3 host4
-
-```
-
-Then add these lines to `dnsmasq.conf`, using your own domain, of course:
-```
-expand-hosts
-domain=mehxample.com
-
-```
-
-Dnsmasq will automatically expand the hostnames to fully qualified domain names, for example, host2 to host2.mehxample.com.
-
-### DNS Wildcards
-
-In general, DNS wildcards are not a good practice because they invite abuse. But there are times when they are useful, such as inside the nice protected confines of your LAN. For example, Kubernetes clusters are considerably easier to manage with wildcard DNS, unless you enjoy making DNS entries for your hundreds or thousands of applications. Suppose your Kubernetes domain is mehxample.com; in Dnsmasq a wildcard that resolves all requests to mehxample.com looks like this:
-```
-address=/mehxample.com/192.168.0.5
-
-```
-
-The address to use in this case is the public IP address for your cluster. This answers requests for hosts and subdomains in mehxample.com, except for any that are already configured in DHCP or `/etc/hosts`.
-
-Next week, we'll go into more detail on managing DNS and DHCP, including different options for different subnets, and providing authoritative name services.
-
-### Additional Resources
-
-*   [DNS Spoofing with Dnsmasq][1]
-
-*   [Dnsmasq For Easy LAN Name Services][2]
-
-*   [Dnsmasq][3]
-
-
-
--------------------------------------------------------------------------------
-
-via: https://www.linux.com/learn/intro-to-linux/2018/2/advanced-dnsmasq-tips-and-tricks
-
-作者：[CARLA SCHRODER][a]
-译者：[译者ID](https://github.com/译者ID)
-校对：[校对者ID](https://github.com/校对者ID)
-
-本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
-
-[a]:https://www.linux.com/users/cschroder
-[1]:https://www.linux.com/learn/intro-to-linux/2017/7/dns-spoofing-dnsmasq
-[2]:https://www.linux.com/learn/dnsmasq-easy-lan-name-services
-[3]:http://www.thekelleys.org.uk/dnsmasq/doc.html
--- a/translated/tech/20180208
+++ b/translated/tech/20180208
@ -0,0 +1,155 @@
+Dnsmasq 进阶技巧
+======
+
+![](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/banner_3.25.47_pm.png?itok=2YaDe86d)
+
+许多人熟知和热爱 Dnsmasq，并在他们的本地域名服务上使用它。今天我们将介绍进阶配置文件管理、如何测试你的配置、一些基础的安全知识、DNS 泛域名、快速 DNS 配置，以及其他一些技巧与窍门。下个星期我们将继续详细讲解如何配置 DNS 和 DHCP。
+
+### 测试配置
+
+当你测试新的配置的时候，你应该从命令行运行 Dnsmasq，而不是使用守护进程。下面的例子演示了如何不用守护进程运行它，同时显示指令的输出并保留运行日志：
+```
+# dnsmasq --no-daemon --log-queries
+dnsmasq: started, version 2.75 cachesize 150
+dnsmasq: compile time options: IPv6 GNU-getopt
+ DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack
+ ipset auth DNSSEC loop-detect inotify
+dnsmasq: reading /etc/resolv.conf
+dnsmasq: using nameserver 192.168.0.1#53
+dnsmasq: read /etc/hosts - 9 addresses
+
+```
+
+在这个小例子中你能看到许多有用的信息，包括版本、编译参数、系统域名服务文件、以及它的监听地址。可以使用 Ctrl+C 停止进程。在默认情况下，Dnsmasq 没有自己的日志文件，所以日志会被记录到 `/var/log` 目录下的多个地方。你可以使用经典的 `grep` 来找到 Dnsmasq 的日志文件。下面这条指令会递归式地搜索 `/var/log`、在每个匹配的文件名之后显示匹配的行数，并忽略 `/var/log/dist-upgrade` 里的内容：
+```
+# grep -ir --exclude-dir=dist-upgrade dnsmasq /var/log/
+
+```
+
+使用 `grep --exclude-dir=` 时有一个有趣的小陷阱需要注意：不要使用完整路径，而应该只写目录名称。
+
+你可以使用如下的命令行参数来让 Dnsmasq 使用你指定的文件作为它专属的日志文件：
+```
+# dnsmasq --no-daemon --log-queries --log-facility=/var/log/dnsmasq.log
+
+```
+
+或者在你的 Dnsmasq 配置文件中加上 `log-facility=/var/log/dnsmasq.log`。
+
+### 配置文件
+
+Dnsmasq 的配置文件位于 `/etc/dnsmasq.conf`。你的 Linux 发行版也可能会使用 `/etc/default/dnsmasq`、`/etc/dnsmasq.d/`，或者 `/etc/dnsmasq.d-available/`（不，我们不能统一标准，因为这违反了 Linux 七嘴八舌秘密议会的旨意）。你有很多自由来随意安置你的配置文件。
+
+`/etc/dnsmasq.conf` 是德高望重的老大。Dnsmasq 在启动时会最先读取它。`/etc/dnsmasq.conf` 可以使用 `conf-file=` 选项来调用其他的配置文件，例如 `conf-file=/etc/dnsmasqextrastuff.conf`，或使用 `conf-dir=` 选项来调用目录下的所有文件，例如 `conf-dir=/etc/dnsmasq.d`。
+
+每当你对配置文件进行了修改，你都必须重启 Dnsmasq。
+
+你可以根据扩展名来包含或忽略配置文件。星号表示包含，不加星号表示忽略：
+```
+conf-dir=/etc/dnsmasq.d/,*.conf, *.foo
+conf-dir=/etc/dnsmasq.d,.old, .bak, .tmp
+
+```
+
+你可以用 `--addn-hosts=` 选项来把你的主机配置分布在多个文件中。
+
+Dnsmasq 包含了一个语法检查器：
+```
+$ dnsmasq --test
+dnsmasq: syntax check OK.
+
+```
+
+### 实用配置
+
+永远加入这几行：
+```
+domain-needed
+bogus-priv
+
+```
+
+它们可以避免含有格式出错的域名或私人 IP 地址的数据包离开你的网络。
+
+让你的域名服务只使用 Dnsmasq，而不去使用 `/etc/resolv.conf` 或任何其他的域名服务文件：
+```
+no-resolv
+
+```
+
+使用其他的域名服务器。第一个例子是只对于某一个域名使用不同的域名服务器。第二个和第三个例子是 OpenDNS 公用服务器：
+```
+server=/fooxample.com/192.168.0.1
+server=208.67.222.222
+server=208.67.220.220
+
+```
+
+你也可以将某些域名限制为只能本地解析，但不影响其他域名。这些被限制的域名只能从 `/etc/hosts` 或 DHCP 解析：
+```
+local=/mehxample.com/
+local=/fooxample.com/
+
+```
+
+限制 Dnsmasq 监听的网络接口：
+```
+interface=eth0
+interface=wlan1
+
+```
+
+Dnsmasq 在默认设置下会读取并使用 `/etc/hosts`。这是一个又快又好的配置大量域名的方法，并且 `/etc/hosts` 只需要和 Dnsmasq 在同一台电脑上。你还可以让这个过程再快一些，可以在 `/etc/hosts` 文件中只写主机名，然后用 Dnsmasq 来添加域名。`/etc/hosts` 看上去是这样的：
+```
+127.0.0.1 localhost
+192.168.0.1 host2
+192.168.0.2 host3
+192.168.0.3 host4
+
+```
+
+然后把这几行写入 `dnsmasq.conf`（当然，要换成你自己的域名）：
+```
+expand-hosts
+domain=mehxample.com
+
+```
+
+Dnsmasq 会自动把这些主机名扩展为完整的域名，比如 host2 会变为 host2.mehxample.com。
+
+### DNS 泛域名
+
+一般来说，使用 DNS 泛域名不是一个好习惯，因为它们太容易被误用了。但它们有时会很有用，比如在你的局域网的严密保护之下的时候。一个例子是使用 DNS 泛域名会让 Kubernetes 集群变得容易管理许多，除非你喜欢给你成百上千的应用写 DNS 记录。假设你的 Kubernetes 域名是 mehxample.com，那么下面这行配置可以让 Dnsmasq 解析所有对 mehxample.com 的请求：
+```
+address=/mehxample.com/192.168.0.5
+
+```
+
+这里使用的地址是你的集群的公网 IP 地址。这会响应对 mehxample.com 的所有主机名和子域名的请求，除非请求的目标地址已经在 DHCP 或者 `/etc/hosts` 中配置过。
+
+下星期我们将探索更多的管理 DNS 和 DHCP 的细节，包括对不同的子网络使用不同的设置，以及提供权威域名服务器。
+
+### 更多参考
+
+*   [使用 Dnsmasq 进行 DNS 欺骗][1]
+
+*   [使用 Dnsmasq 配置简单的局域网域名服务][2]
+
+*   [Dnsmasq][3]
+
+
+
+--------------------------------------------------------------------------------
+
+via: https://www.linux.com/learn/intro-to-linux/2018/2/advanced-dnsmasq-tips-and-tricks
+
+作者：[CARLA SCHRODER][a]
+译者：[yixunx](https://github.com/yixunx)
+校对：[校对者ID](https://github.com/校对者ID)
+
+本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
+
+[a]:https://www.linux.com/users/cschroder
+[1]:https://www.linux.com/learn/intro-to-linux/2017/7/dns-spoofing-dnsmasq
+[2]:https://www.linux.com/learn/dnsmasq-easy-lan-name-services
+[3]:http://www.thekelleys.org.uk/dnsmasq/doc.html