Accepted
Trololo
Asked: 2024-11-07 05:10:44 +0800 CST

Can dnsmasq be used as a local DNS server, and have dnsmasq forward queries to the local systemd-resolved service?


I want dnsmasq to handle incoming DNS queries first, and only forward the question to systemd-resolved when dnsmasq itself has no answer.

To be very clear: I know how to disable the systemd-resolved "DNSStubListener" so that dnsmasq is the only DNS server running on my system, but that is not what I am asking.

As far as I can tell, this means I need the systemd-resolved stub resolver running, but I also need to make sure that systemd-resolved does not answer inbound DNS queries before dnsmasq does. But how do I do that?

(As for why: I want to use the DNS servers pointed to by DHCP for "normal" Internet traffic, which means I cannot hard-code upstream DNS servers in the dnsmasq configuration file. But I also want dnsmasq to handle DNS blocking, special hostnames for locally running virtual machines, routing some but not all traffic through a VPN connection, and the like.)

Could I use the "DNSStubListener=no" option for systemd-resolved while also defining "DNSStubListenerExtra=...." with localhost as the IP address but a non-standard port number, and use that address as dnsmasq's primary upstream DNS server? Would such a setup be stable?

Edit (after an answer had already been provided): this is on Ubuntu 24.04 desktop.

Tags: dns

3 Answers

  1. Best Answer
    mpboden
    2024-11-07T12:23:42+08:00

    You did not specify which Ubuntu version you are using. The following is based on Ubuntu 24.04 Server.


    If I understand correctly, you want Dnsmasq set up as the primary DNS resolver on localhost, with systemd-resolved used as its forwarding server rather than any uplink server. So you need systemd-resolved to forward to whatever uplink servers there are, but not to cache any queries. You ultimately want to leave caching to Dnsmasq.

    Therefore, a few things need to be done:

    1. Configure Dnsmasq:
      • Listen on 127.0.0.1 port 53
      • Do not look at /etc/resolv.conf for any nameservers
      • Use systemd-resolved as its forwarding server, which in turn uses whatever uplink servers are provided via DHCP.
    2. Configure /etc/resolv.conf:
      • Define 127.0.0.1 as the nameserver. Although Dnsmasq will not reference this file, many applications reference it when performing DNS queries, for example dig and ping. So you want those applications to query Dnsmasq via 127.0.0.1.
    3. Configure systemd-resolved:
      • Disable the stub resolver on 127.0.0.53 port 53
      • Listen on 127.0.0.1 port 5353
      • Do not cache any queries

    Assuming Dnsmasq is already installed, first stop systemd-resolved and dnsmasq:

    sudo systemctl stop systemd-resolved
    sudo systemctl stop dnsmasq
    

    1. Configure dnsmasq

    • Edit /etc/default/dnsmasq and define the following:

      # If the resolvconf package is installed, dnsmasq will use its output
      # rather than the contents of /etc/resolv.conf to find upstream
      # nameservers. Uncommenting this line inhibits this behaviour.
      # Note that including a "resolv-file=<filename>" line in
      # /etc/dnsmasq.conf is not enough to override resolvconf if it is
      # installed: the line below must be uncommented.
      IGNORE_RESOLVCONF=yes
      
      # If the resolvconf package is installed, dnsmasq will tell resolvconf
      # to use dnsmasq under 127.0.0.1 as the system's default resolver.
      # Uncommenting this line inhibits this behaviour.
      DNSMASQ_EXCEPT="lo"
      
      

      Both of these need to be defined even though the resolvconf application is not installed by default on Ubuntu 24.04 Server. This is because /sbin/resolvconf is a symlink to /bin/resolvectl. See the notes below for more information.

    • Edit /etc/dnsmasq.conf and define the following:

      # If you don't want dnsmasq to read /etc/resolv.conf or any other
      # file, getting its servers from this file instead (see below), then
      # uncomment this.
      no-resolv
      
      # If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
      # files for changes and re-read them then uncomment this.
      no-poll
      
      # Add other name servers here, with domain specs if they are for
      # non-public domains.
      server=127.0.0.1#5353
      
      # Or which to listen on by address (remember to include 127.0.0.1 if
      # you use this.)
      listen-address=127.0.0.1
      
      # On systems which support it, dnsmasq binds the wildcard address,
      # even when it is listening on only some interfaces. It then discards
      # requests that it shouldn't reply to. This has the advantage of
      # working even when interfaces come and go and change address. If you
      # want dnsmasq to really bind only the interfaces it is listening on,
      # uncomment this option. About the only time you may need this is when
      # running another nameserver on the same machine.
      bind-interfaces
      

      bind-interfaces is defined so that the service does not listen on every address of every interface. This setting makes the service listen only on the loopback interface and not on external interfaces. As a result, the service listens only on 127.0.0.1:53 rather than 0.0.0.0:53.

      From the Dnsmasq man page:

      -z, --bind-interfaces

      On systems which support it, dnsmasq binds the wildcard address, even when it is listening on only some interfaces. It then discards requests that it shouldn't reply to. This has the advantage of working even when interfaces come and go and change address. This option forces dnsmasq to really bind only the interfaces it is listening on. About the only time when this is useful is when running another nameserver (or another instance of dnsmasq) on the same machine. Setting this option also enables multiple instances of dnsmasq which provide DHCP service to run in the same machine.

    • Start the dnsmasq service and check its status:

      $ sudo systemctl start dnsmasq
      $ systemctl status dnsmasq
      
      ● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
           Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; preset: enabled)
           Active: active (running) since Thu 2024-11-07 04:12:28 UTC; 7min ago
          Process: 5741 ExecStartPre=/usr/share/dnsmasq/systemd-helper checkconfig (code=exited, status=0/SUCCESS)
          Process: 5746 ExecStart=/usr/share/dnsmasq/systemd-helper exec (code=exited, status=0/SUCCESS)
          Process: 5753 ExecStartPost=/usr/share/dnsmasq/systemd-helper start-resolvconf (code=exited, status=0/SUCCESS)
         Main PID: 5752 (dnsmasq)
            Tasks: 1 (limit: 9327)
           Memory: 740.0K (peak: 2.5M)
              CPU: 20ms
           CGroup: /system.slice/dnsmasq.service
                   └─5752 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -I lo -r /run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,20326,8,2,>
      
      Nov 07 04:12:28 ubuntu24server systemd[1]: Starting dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server...
      Nov 07 04:12:28 ubuntu24server dnsmasq[5752]: started, version 2.90 cachesize 150
      Nov 07 04:12:28 ubuntu24server dnsmasq[5752]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfi>
      Nov 07 04:12:28 ubuntu24server dnsmasq[5752]: warning: ignoring resolv-file flag because no-resolv is set
      Nov 07 04:12:28 ubuntu24server dnsmasq[5752]: using nameserver 127.0.0.1#5353
      Nov 07 04:12:28 ubuntu24server dnsmasq[5752]: read /etc/hosts - 8 names
      Nov 07 04:12:28 ubuntu24server systemd[1]: Started dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server.
      
    • Check that it is listening on 127.0.0.1 port 53:

      $ sudo netstat -tlpn
      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
      tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      5752/dnsmasq        
      tcp6       0      0 :::22                   :::*  
      

    2. Create a new /etc/resolv.conf

    • Remove /etc/resolv.conf

      sudo rm /etc/resolv.conf
      
    • Create a new /etc/resolv.conf with Dnsmasq as the nameserver (the resolv.conf keyword is "nameserver", singular):

      echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
      

    3. Configure systemd-resolved

    • Edit /etc/systemd/resolved.conf and define the following:

      DNSStubListener=no
      DNSStubListenerExtra=127.0.0.1:5353
      Cache=no
      

      This disables the systemd-resolved stub listener at 127.0.0.53:53 and lets it listen on address 127.0.0.1:5353 instead.

      From the resolved.conf(5) man page:

      DNSStubListenerExtra=
         Takes an IPv4 or IPv6 address to listen on. The address may be optionally prefixed with a protocol name ("udp" or "tcp") separated with ":". If the protocol is not specified, the service
         will listen on both UDP and TCP. It may be also optionally suffixed by a numeric port number with separator ":". When an IPv6 address is specified with a port number, then the address
         must be in the square brackets. If the port is not specified, then the service uses port 53. Note that this is independent of the primary DNS stub configured with DNSStubListener=, and
         only configures additional sockets to listen on. This option can be specified multiple times. If an empty string is assigned, then the all previous assignments are cleared. Defaults to
         unset.
      
    • Start the systemd-resolved service and check its status:

      $ sudo systemctl start systemd-resolved
      $ systemctl status systemd-resolved
      ● systemd-resolved.service - Network Name Resolution
           Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; enabled; preset: enabled)
           Active: active (running) since Thu 2024-11-07 05:10:31 UTC; 22s ago
             Docs: man:systemd-resolved.service(8)
                   man:org.freedesktop.resolve1(5)
                   https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
                   https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
         Main PID: 6093 (systemd-resolve)
           Status: "Processing requests..."
            Tasks: 1 (limit: 9327)
           Memory: 2.6M (peak: 3.0M)
              CPU: 33ms
           CGroup: /system.slice/systemd-resolved.service
                   └─6093 /usr/lib/systemd/systemd-resolved
      
      Nov 07 05:10:31 ubuntu24server systemd[1]: Starting systemd-resolved.service - Network Name Resolution...
      Nov 07 05:10:31 ubuntu24server systemd-resolved[6093]: Positive Trust Anchors:
      Nov 07 05:10:31 ubuntu24server systemd-resolved[6093]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
      Nov 07 05:10:31 ubuntu24server systemd-resolved[6093]: Negative trust anchors: home.arpa 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arp>
      Nov 07 05:10:31 ubuntu24server systemd-resolved[6093]: Using system hostname 'ubuntu24server'.
      Nov 07 05:10:31 ubuntu24server systemd[1]: Started systemd-resolved.service - Network Name Resolution.
      
    • Check that it is listening on 127.0.0.1 port 5353:

      $ sudo netstat -tlpn
      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
      tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      5752/dnsmasq        
      tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      6093/systemd-resolv 
      tcp6       0      0 :::22                   :::*  
      

    Testing

    Run a query. If everything is configured correctly, the query should resolve.

    $ dig -4 google.com
    
    ; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> -4 google.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23611
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;google.com.            IN  A
    
    ;; ANSWER SECTION:
    google.com.     266 IN  A   142.250.68.14
    
    ;; AUTHORITY SECTION:
    google.com.     266 IN  NS  ns4.google.com.
    google.com.     266 IN  NS  ns1.google.com.
    google.com.     266 IN  NS  ns2.google.com.
    google.com.     266 IN  NS  ns3.google.com.
    
    ;; ADDITIONAL SECTION:
    ns1.google.com.     266 IN  AAAA    2001:4860:4802:32::a
    ns1.google.com.     266 IN  A   216.239.32.10
    ns2.google.com.     266 IN  AAAA    2001:4860:4802:34::a
    ns3.google.com.     266 IN  AAAA    2001:4860:4802:36::a
    ns4.google.com.     266 IN  AAAA    2001:4860:4802:38::a
    ns4.google.com.     266 IN  A   216.239.38.10
    ns3.google.com.     266 IN  A   216.239.36.10
    ns2.google.com.     266 IN  A   216.239.34.10
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
    ;; WHEN: Thu Nov 07 06:36:05 UTC 2024
    ;; MSG SIZE  rcvd: 303
    

    To test that it is really going through systemd-resolved, you need to restart Dnsmasq to clear its cache, then stop systemd-resolved before re-running the query.

    I emphasize this because systemd-resolved gets started whenever Dnsmasq is restarted. See the notes below.

    So:

    • Restart Dnsmasq to clear its cache

      • sudo systemctl restart dnsmasq
    • Stop systemd-resolved

      • sudo systemctl stop systemd-resolved
    • Check that systemd-resolved is not running

      • systemctl status systemd-resolved or ps -aux | grep systemd-resolved
    • Re-run the query. It should time out.

      $ dig -4 google.com
      ;; communications error to 127.0.0.1#53: timed out
      ;; communications error to 127.0.0.1#53: timed out
      ;; communications error to 127.0.0.1#53: timed out
      
      ; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> -4 google.com
      ;; global options: +cmd
      ;; no servers could be reached
      

    Caching

    The original question asked to disable caching in systemd-resolved and leave it exclusively to Dnsmasq. While that can be done, there may be a benefit in switching it around. As @kos pointed out in the comments, systemd-resolved is also queried via D-Bus, and those clients would be able to take advantage of the cache if it is enabled in systemd-resolved.

    It is therefore very easy to configure this so that caching is enabled in systemd-resolved and disabled in Dnsmasq.

    • Edit /etc/dnsmasq.conf and define the following to disable Dnsmasq's cache:

      cache-size=0
      

      From the Dnsmasq man page:

       -c, --cache-size=<cachesize>
       Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. Note: huge cache size impacts performance.
      
    • Edit /etc/systemd/resolved.conf and comment out the following to re-enable caching in systemd-resolved, which is the default:

       #Cache=no
      

    Notes

    Whenever the Dnsmasq service is stopped or started, the service calls the helper script /usr/share/dnsmasq/systemd-helper. This in turn references another file, /usr/share/dnsmasq/init-system-common. Whenever Dnsmasq is stopped, /sbin/resolvconf is called with the following:

    stop_resolvconf()
    {
        if [ -x /sbin/resolvconf ] ; then
            /sbin/resolvconf -d lo.${NAME}${INSTANCE:+.${INSTANCE}}
        fi
        return 0
    }
    

    Note that /sbin/resolvconf is called, and as I mentioned earlier, /sbin/resolvconf is a symlink to /bin/resolvectl.

    $ ls -l /sbin/resolvconf
    lrwxrwxrwx 1 root root 17 Aug  8 14:51 /sbin/resolvconf -> ../bin/resolvectl
    

    Therefore, since resolvectl is a component of systemd-resolved, it will start systemd-resolved. More information on systemd-resolved can be found here.

    I mention this because, when testing, you will find that systemd-resolved starts automatically without you knowing it.

    Interestingly, /sbin/resolvconf is also called when the Dnsmasq service is started.

    start_resolvconf()
    {
    # If interface "lo" is explicitly disabled in /etc/default/dnsmasq
    # Then dnsmasq won't be providing local DNS, so don't add it to
    # the resolvconf server set.
        for interface in ${DNSMASQ_EXCEPT}; do
            [ ${interface} = lo ] && return
        done
    
        # Also skip this if DNS functionality is disabled in /etc/dnsmasq.conf
        if grep -qs '^port=0' /etc/dnsmasq.conf; then
            return
        fi
    
        if [ -x /sbin/resolvconf ] ; then
            echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.${NAME}${INSTANCE:+.${INSTANCE}}
        fi
        return 0
    }
    

    But if you recall, we defined DNSMASQ_EXCEPT="lo" in /etc/default/dnsmasq. Therefore /sbin/resolvconf is not called when starting Dnsmasq, but it would be if that were not defined.

    If you see the following error when viewing the output of systemctl status dnsmasq, it is because DNSMASQ_EXCEPT="lo" is not defined (commented out) and it tried to register DNS settings associated with the loopback device, which it cannot do.

    Nov 07 05:40:23 ubuntu24server resolvconf[6445]: Dropped protocol specifier '.dnsmasq' from 'lo.dnsmasq'. Using 'lo' (ifindex=1).
    Nov 07 05:40:23 ubuntu24server resolvconf[6445]: Failed to set DNS configuration: Link lo is loopback device.
    

    You can see this error by running the command directly:

    $ echo "nameserver 127.0.0.1" | sudo /sbin/resolvconf -a lo
    Failed to set DNS configuration: Link lo is loopback device.
    
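As an added example (not part of the answer above), a small Python checker for the three files this setup touches. It reports the inconsistencies that would break the chain: a missing no-resolv (dnsmasq would read the resolv.conf that points back at itself), a server= line aimed at dnsmasq's own port 53, a DNSStubListenerExtra that does not match the dnsmasq upstream, a missing bind-interfaces, or the "nameservers" typo in resolv.conf. The embedded sample configs are constructed from the values in the answer; the function names are my own.

```python
"""Consistency check for the dnsmasq -> systemd-resolved forwarding chain."""
import re

# Constructed sample inputs mirroring the answer's configuration, not the real files.
DNSMASQ_CONF = "no-resolv\nno-poll\nserver=127.0.0.1#5353\nlisten-address=127.0.0.1\nbind-interfaces\n"
RESOLVED_CONF = "[Resolve]\nDNSStubListener=no\nDNSStubListenerExtra=127.0.0.1:5353\nCache=no\n"
RESOLV_CONF = "nameserver 127.0.0.1\n"


def _options(text):
    """Yield (key, value) for each non-comment line; bare options get value None."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "[")):
            key, sep, value = line.partition("=")
            yield key.strip(), (value.strip() if sep else None)


def _stub_extra(value):
    """Parse DNSStubListenerExtra=[proto:]addr[:port] into (addr, port); port defaults to 53."""
    value = re.sub(r"^(udp|tcp):", "", value)
    m = re.match(r"^\[([^\]]+)\](?::(\d+))?$", value) or re.match(r"^([\d.]+)(?::(\d+))?$", value)
    return (m.group(1), int(m.group(2) or 53)) if m else None


def check_chain(dnsmasq_conf, resolved_conf, resolv_conf):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    dm = list(_options(dnsmasq_conf))
    keys = {k for k, _ in dm}
    listen = {v for k, v in dm if k == "listen-address"}
    if "no-resolv" not in keys:
        findings.append("dnsmasq: no-resolv missing; with resolv.conf pointing at 127.0.0.1 dnsmasq would forward to itself")
    if "bind-interfaces" not in keys or "127.0.0.1" not in listen:
        findings.append("dnsmasq: listen-address=127.0.0.1 plus bind-interfaces needed to avoid binding 0.0.0.0:53")
    upstreams = [(v.partition("#")[0], int(v.partition("#")[2] or 53)) for k, v in dm if k == "server" and v]
    if not upstreams:
        findings.append("dnsmasq: no server= upstream defined")
    rs = list(_options(resolved_conf))
    if ("DNSStubListener", "no") not in rs:
        findings.append("resolved: DNSStubListener=no missing; the stub on 127.0.0.53:53 stays active")
    listeners = {p for k, v in rs if k == "DNSStubListenerExtra" and v and (p := _stub_extra(v))}
    for addr, port in upstreams:
        if addr in listen and port == 53:
            findings.append(f"dnsmasq: server={addr}#53 is dnsmasq's own listener (forwarding loop)")
        elif (addr, port) not in listeners:
            findings.append(f"dnsmasq: upstream {addr}#{port} has no matching DNSStubListenerExtra")
    if not re.search(r"^nameserver\s+127\.0\.0\.1\s*$", resolv_conf, re.M):
        findings.append("resolv.conf: expected 'nameserver 127.0.0.1' (the keyword is singular)")
    return findings


if __name__ == "__main__":
    print("\n".join(check_chain(DNSMASQ_CONF, RESOLVED_CONF, RESOLV_CONF) or ["chain is consistent"]))
```

To run it against a live host, read the three files into the arguments of check_chain; the sample constants exist only so the script runs offline.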
  2. Trololo
    2024-11-07T07:13:41+08:00

    Edit: a much more thorough answer is given above; the original answer follows.

    Yes, it seems to work.

    I.e. I did this:

    In /etc/systemd/resolved.conf.d/dnsmasqcompatibility.conf:

    [Resolve]
    DNSStubListener=no
    DNSStubListenerExtra=127.0.0.1:5053
    

    In /etc/dnsmasq.conf:

    server=127.0.0.1#5053
    

    By typing host www.google.com 127.0.0.1 in a terminal, I got the following:

    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases: 
    
    www.google.com has address .......
    www.google.com has IPv6 address ......
    

    This is /var/log/dnsmasq.log:

     query[A] www.google.com from 127.0.0.1
     forwarded www.google.com to 127.0.0.1#5053
     reply www.google.com is .....
    

    (etc.)

    I can also confirm that DNS lookups time out when I stop the systemd-resolved service.

    I should probably also add no-resolv to /etc/dnsmasq.conf to force all queries to be passed to port 5053, but I don't know whether that would make any difference, since it will use the DNS servers known to systemd-resolved regardless of whether the IP addresses are taken from the file or from the second DNS server (by forwarding the query).

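An added example, not part of the original post: a Python audit of dnsmasq's log-queries output in the format shown above. It confirms that every forwarded query went to the configured 127.0.0.1#5053 upstream and flags forwards to any other server (which would mean queries bypass systemd-resolved, for example because no-resolv is absent) as well as queries arriving from non-loopback clients (which would mean dnsmasq is reachable beyond lo). The log lines are constructed; the helper names are assumptions.

```python
"""Audit dnsmasq query logs for the forward-to-resolved setup."""
import re
from collections import Counter

EXPECTED_UPSTREAMS = {"127.0.0.1#5053"}  # the server= target used in the answer above
LOG_RE = re.compile(
    r"(?:.*dnsmasq\[\d+\]: )?"                                   # optional syslog prefix
    r"(?:query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)"
    r"|forwarded (?P<fname>\S+) to (?P<upstream>\S+)"
    r"|(?P<kind>reply|cached) (?P<rname>\S+) is (?P<answer>\S+))$"
)

# Constructed sample log lines in the format shown in the answer, with a syslog prefix added.
SAMPLE_LOG = """\
Nov  7 07:10:01 host dnsmasq[1234]: query[A] www.google.com from 127.0.0.1
Nov  7 07:10:01 host dnsmasq[1234]: forwarded www.google.com to 127.0.0.1#5053
Nov  7 07:10:01 host dnsmasq[1234]: reply www.google.com is 142.250.68.14
Nov  7 07:10:05 host dnsmasq[1234]: query[A] www.google.com from 127.0.0.1
Nov  7 07:10:05 host dnsmasq[1234]: cached www.google.com is 142.250.68.14
Nov  7 07:10:09 host dnsmasq[1234]: query[AAAA] vm1.lan from 192.168.1.20
Nov  7 07:10:09 host dnsmasq[1234]: forwarded vm1.lan to 8.8.8.8#53
"""


def audit(log_text, expected=EXPECTED_UPSTREAMS):
    """Return (counters, findings): counts of queries/forwards/replies/cache hits, plus deviations."""
    stats = Counter()
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated line (startup banner, DHCP, ...)
        if m["qname"]:
            stats["queries"] += 1
            if not m["client"].startswith("127.") and m["client"] != "::1":
                findings.append(f"query for {m['qname']} from non-loopback client {m['client']}")
        elif m["fname"]:
            stats["forwarded"] += 1
            # dnsmasq may omit '#53' for the default port; normalise before comparing
            upstream = m["upstream"] if "#" in m["upstream"] else m["upstream"] + "#53"
            if upstream not in expected:
                findings.append(f"{m['fname']} forwarded to unexpected upstream {upstream}")
        else:
            stats[m["kind"]] += 1
    return dict(stats), findings


if __name__ == "__main__":
    counts, problems = audit(SAMPLE_LOG)
    print(counts)
    print("\n".join(problems) or "all forwards went to the expected upstream")
```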
  3. Pihhan
    2024-11-07T07:05:06+08:00

    Let systemd-resolved handle the DHCP-provided servers and use server=127.0.0.53 in Dnsmasq. Let /etc/resolv.conf point to 127.0.0.1, where Dnsmasq is listening. But you will run into problems with systemd-resolved, such as its buggy DNSSec validation. You have been warned.
