DNSmasq Authoritative config
Last update: 2021-10-27

Config and instructions

# ----------------------------------------------------------------------------
# Authoritative DNS config for yourdomain.tld
# Example for replacing Bind with dnsmasq
# Source: Stefan Onderka, http://www.onderka.com
# Description: https://www.onderka.com/inhalt/autoritativer-dns-server-mit-dnsmasq/
# Revision 2016-02-10
# ----------------------------------------------------------------------------
# https://www.onderka.com/inhalt/eigener-dyndns-mit-dnsmasq-apache-und-php/
# https://www.onderka.com/inhalt/eigener-dyndns-mit-bind-apache-und-php/
# http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
# http://www.thekelleys.org.uk/dnsmasq/doc.html
# http://www.thekelleys.org.uk/dnsmasq/docs/FAQ
# http://comments.gmane.org/gmane.network.dns.dnsmasq.general/7621
# https://wiki.archlinux.org/index.php/dnsmasq
# ----------------------------------------------------------------------------
# Hostname:     yourdomain.tld
# IPv4 address: 10.20.30.40
# IPv6 address: ip:v6::ad::dr:ess
# ----------------------------------------------------------------------------

# Basics
# ----------------------------------------------------------------------------
listen-address=127.0.0.1
listen-address=10.20.30.40
listen-address=ip:v6::ad::dr:ess
no-dhcp-interface=eth0
# Port
port=53
bind-interfaces
#bogus-priv
#domain-needed
# User and group
user=dnsmasq
group=root
# PID file
pid-file=/var/run/dnsmasq/dnsmasq.pid
all-servers
dns-forward-max=100
# TTL for auth replies
auth-ttl=600

# Logging
# ----------------------------------------------------------------------------
# Log to file
log-facility=/var/log/dnsmasq.log
# Log all queries
log-queries
# Query cache
cache-size=16384
# Asynchronous logging, up to 50 lines
log-async=50

# Config files and folders (DynDNS files)
# ----------------------------------------------------------------------------
# Do not read /etc/resolv.conf
no-resolv
# Do not poll /etc/resolv.conf
no-poll
# Do not read /etc/hosts
no-hosts
# Read *.conf from this folder
conf-dir=/var/www/ddns.example.com/dnsmasq/,*.conf

# Authoritative DNS on interface eth0
# ----------------------------------------------------------------------------
auth-server=yourdomain.tld,eth0

# My zones and their subnets
# ----------------------------------------------------------------------------
auth-zone=yourdomain.tld,10.20.30.40/32,ip:v6::ad::dr:ess/128
auth-zone=example.com,10.20.30.40/32,ip:v6::ad::dr:ess/128
# DDNS zone without subnet(s), contains "foreign" IPs
auth-zone=ddns.example.com
auth-zone=example.org,10.20.30.40/32,ip:v6::ad::dr:ess/128
auth-zone=example.net,10.20.30.40/32,ip:v6::ad::dr:ess/128
auth-zone=another-domain.de,10.20.30.40/32,ip:v6::ad::dr:ess/128

# Local (not forwarded in any case)
# ----------------------------------------------------------------------------
local=/example.com/10.20.30.40
domain=example.com
local=/ddns.example.com/10.20.30.40
domain=ddns.example.com
local=/example.org/10.20.30.40
domain=example.org
local=/example.net/10.20.30.40
domain=example.net
local=/another-domain.de/10.20.30.40
domain=another-domain.de

# SOA config
# ----------------------------------------------------------------------------
auth-soa=2016021014,hostmaster.example.com,1200,120,604800

# Slave NS: nameserver2.provider.com (50.60.70.80)
# ----------------------------------------------------------------------------
# Secondary NS (slave NS at provider)
auth-sec-servers=nameserver2.provider.com
# Allow zone transfers to secondary NS
auth-peer=50.60.70.80

# A/AAAA records - Only 1st address creates PTR record!
# ----------------------------------------------------------------------------
# MX: A/IPv4 only
host-record=mail.example.com,10.20.30.40
# ipv6.example.com: AAAA/IPv6 only
host-record=ipv6.example.com,ip:v6::ad::dr:ess
# All others: A/IPv4 and AAAA/IPv6
host-record=example.com,10.20.30.40,ip:v6::ad::dr:ess
host-record=ddns.example.com,10.20.30.40,ip:v6::ad::dr:ess
host-record=example.org,10.20.30.40,ip:v6::ad::dr:ess
host-record=example.net,10.20.30.40,ip:v6::ad::dr:ess
host-record=another-domain.de,10.20.30.40,ip:v6::ad::dr:ess
host-record=yourdomain.tld,10.20.30.40,ip:v6::ad::dr:ess
# Provide an A record for secondary NS
host-record=nameserver2.provider.com,50.60.70.80

# PTR & Reverse
# ----------------------------------------------------------------------------
server=/30.20.10.in-addr.arpa/10.20.30.40
ptr-record=40.30.20.10.in-addr.arpa,mail.example.com
ptr-record=40.30.20.10.in-addr.arpa,example.com
ptr-record=40.30.20.10.in-addr.arpa,ddns.example.com
ptr-record=40.30.20.10.in-addr.arpa,example.org
ptr-record=40.30.20.10.in-addr.arpa,example.net
ptr-record=40.30.20.10.in-addr.arpa,another-domain.de

# MX records
# ----------------------------------------------------------------------------
# All domains use MX mail.example.com
mx-host=yourdomain.tld,mail.example.com,10
mx-host=example.com,mail.example.com,10
mx-host=example.org,mail.example.com,10
mx-host=example.net,mail.example.com,10
mx-host=another-domain.de,mail.example.com,10

# TXT records (SPF, DKIM, fun etc.)
# ----------------------------------------------------------------------------
# A note for the MX
txt-record=mail.example.com,"No, this is not a Microsoft Exchange server..."
# SPF and DKIM records
txt-record=yourdomain.tld,"v=spf1 +a +mx -all"
txt-record=example.com,"v=spf1 +a +mx -all"
txt-record=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._domainkey.example.com,"v=DKIM1; k=rsa; p=..."
txt-record=example.org,"v=spf1 +a +mx -all"
txt-record=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._domainkey.example.org,"v=DKIM1; k=rsa; p=..."
txt-record=example.net,"v=spf1 +a +mx -all"
txt-record=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._domainkey.example.net,"v=DKIM1; k=rsa; p=..."
txt-record=another-domain.de,"v=spf1 +a +mx -all"
txt-record=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._domainkey.another-domain.de,"v=DKIM1; k=rsa; p=..."

# CAA record for certificate authority | https://sslmate.com/caa/
# ----------------------------------------------------------------------------
# CAA/257 => 0 issue "letsencrypt.org"
dns-rr=yourdomain.tld,257,000569737375656C657473656E63727970742E6F7267

# CNAME records
# ----------------------------------------------------------------------------
# Subdomains of example.com
cname=subdomain1.example.com,example.com
cname=subdomain2.example.com,example.com
cname=subdomain3.example.com,example.com
# www. and ftp. for all domains
cname=www.example.com,example.com
cname=ftp.example.com,example.com
cname=www.example.org,example.org
cname=ftp.example.org,example.org
cname=www.example.net,example.net
cname=ftp.example.net,example.net
cname=www.another-domain.de,another-domain.de
cname=ftp.another-domain.de,another-domain.de
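
The `dns-rr=...,257,<hex>` line above carries a CAA record in raw wire format (RFC 8659: one flags byte, one tag-length byte, the tag, then the value). The helper below is an added example, not part of the original config, for producing further CAA lines (for instance `issuewild` or `iodef`) and for decoding an existing payload to verify what it says; the names `yourdomain.tld` and the mailto address in the usage part are placeholders.

```python
# Added example: encode/decode the hex payload dnsmasq's dns-rr option takes
# for a CAA record (type 257). Wire format per RFC 8659:
#   flags (1 byte) | tag length (1 byte) | tag (ASCII) | value (ASCII)
CAA_RR_TYPE = 257


def caa_to_hex(flags, tag, value):
    """Return the hex string dnsmasq expects after 'dns-rr=<name>,257,'."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    tag_bytes = tag.encode("ascii")
    # RFC 8659: tag is 1-15 US-ASCII letters/digits
    if not 1 <= len(tag_bytes) <= 15 or not tag_bytes.isalnum():
        raise ValueError("tag must be 1-15 alphanumeric ASCII characters")
    wire = bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("ascii")
    return wire.hex().upper()


def hex_to_caa(payload):
    """Decode a dns-rr CAA payload back into (flags, tag, value)."""
    wire = bytes.fromhex(payload)
    if len(wire) < 2:
        raise ValueError("payload too short for a CAA record")
    flags, tag_len = wire[0], wire[1]
    if tag_len == 0 or len(wire) < 2 + tag_len:
        raise ValueError("tag length does not match payload")
    tag = wire[2:2 + tag_len].decode("ascii")
    value = wire[2 + tag_len:].decode("ascii")
    return flags, tag, value


def dnsmasq_caa_line(name, flags, tag, value):
    """Render a complete dns-rr= line for the dnsmasq config."""
    return "dns-rr=%s,%d,%s" % (name, CAA_RR_TYPE, caa_to_hex(flags, tag, value))


if __name__ == "__main__":
    # The payload used in the config above decodes to 0 issue "letsencrypt.org".
    print(hex_to_caa("000569737375656C657473656E63727970742E6F7267"))
    # Hypothetical additional lines: wildcard issuer and incident-report address.
    print(dnsmasq_caa_line("yourdomain.tld", 0, "issuewild", "letsencrypt.org"))
    print(dnsmasq_caa_line("yourdomain.tld", 0, "iodef",
                           "mailto:hostmaster@example.com"))
```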

Then set these DNS records in your registrar panel:

A     yourdomain.tld     10.20.30.40
AAAA  yourdomain.tld     ip:v6::ad::dr:ess
NS    ns1.yourdomain.tld 10.20.30.40
NS    ns2.yourdomain.tld 10.20.30.40

Please note that you should have two different DNS servers in case the first goes down.
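A consistency check over the options used above, added here as an example (it is not part of the original page or of dnsmasq): it parses `host-record`, `cname` and `auth-zone` lines together with the registrar delegation and reports nameserver names that sit inside an `auth-zone` without an address record, glue addresses that differ from the config, and CNAMEs whose target has no record. The embedded config is a constructed excerpt of the file above; with the records as listed, `ns1.yourdomain.tld` and `ns2.yourdomain.tld` are flagged because only `yourdomain.tld` itself carries a `host-record`, so dnsmasq has no address to answer with for those names.

```python
# Added example: lint dnsmasq authoritative options against the registrar
# delegation. Reports NS names in our zones without a host-record, glue
# that disagrees with the config, and dangling CNAME targets.

# Constructed excerpt of the config above, plus the registrar records.
DNSMASQ_CONF = """
auth-zone=yourdomain.tld,10.20.30.40/32
auth-zone=example.com,10.20.30.40/32
host-record=example.com,10.20.30.40,ip:v6::ad::dr:ess
host-record=yourdomain.tld,10.20.30.40,ip:v6::ad::dr:ess
host-record=nameserver2.provider.com,50.60.70.80
cname=www.example.com,example.com
cname=ftp.example.com,example.com
"""
REGISTRAR_NS = {"ns1.yourdomain.tld": "10.20.30.40",
                "ns2.yourdomain.tld": "10.20.30.40"}


def parse_conf(text):
    """Return (host-records, cnames, auth zones) from dnsmasq option lines."""
    hosts, cnames, zones = {}, {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # comments, blank lines and flag-only options
        key, _, rest = line.partition("=")
        fields = rest.split(",")
        if key == "host-record":
            hosts[fields[0]] = fields[1:]      # name -> list of addresses
        elif key == "cname":
            cnames[fields[0]] = fields[1]      # alias -> target
        elif key == "auth-zone":
            zones.add(fields[0])               # zone answered authoritatively
    return hosts, cnames, zones


def in_auth_zone(name, zones):
    return any(name == z or name.endswith("." + z) for z in zones)


def find_gaps(text, registrar_ns):
    hosts, cnames, zones = parse_conf(text)
    gaps = {"ns_without_record": [], "glue_mismatch": [], "cname_dangling": []}
    for ns, glue_ip in sorted(registrar_ns.items()):
        if in_auth_zone(ns, zones) and ns not in hosts:
            gaps["ns_without_record"].append(ns)   # in our zone, no A/AAAA
        elif ns in hosts and glue_ip not in hosts[ns]:
            gaps["glue_mismatch"].append(ns)       # glue differs from config
    for alias, target in sorted(cnames.items()):
        if target not in hosts and target not in cnames:
            gaps["cname_dangling"].append(alias)
    return gaps
```

Run `find_gaps(DNSMASQ_CONF, REGISTRAR_NS)` against your real config text and registrar entries; an empty result for all three keys means every name a resolver is sent to has something behind it.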

Since 2021-06 this doesn't work for Let's Encrypt/ZeroSSL.

The CA can't reach our DNS server... try checking the configuration with:


Source: onderka.com, manpage, stackexchange, SOA record, CAA record + tool

See also: Letsencrypt setup with acme.sh post.