How to enforce dnsmasq to use an upstream dns server only for some specified domain names?


You can do this by using the server= directive e.g.

server=/ajax.googleapis.com/8.8.8.8

would query the google public DNS server for the ajax.googleapis.com domain, similarly

server=/amazonaws.com/209.244.0.3

would query Level3's public DNS server for the amazonaws.com domain.

You can group multiple domains together:

server=/co.uk/com/8.8.4.4

would send the .co.uk and .com domains to the DNS server at 8.8.4.4.

You can have multiple server= directives too.

-S, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source>[#<port>]]]

Specify IP address of upstream servers directly. Setting this flag does not suppress reading of /etc/resolv.conf, use -R to do that. If one or more optional domains are given, that server is used only for those domains and they are queried only using the specified server. This is intended for private nameservers: if you have a nameserver on your network which deals with names of the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag -S /internal.thekelleys.org.uk/192.168.1.1 will send all queries for internal machines to that nameserver, everything else will go to the servers in /etc/resolv.conf. An empty domain specification, // has the special meaning of "unqualified names only" i.e. names without any dots in them. A non-standard port may be specified as part of the IP address using a # character. More than one -S flag is allowed, with repeated domain or ipaddr parts as required.

Also permitted is a -S flag which gives a domain but no IP address; this tells dnsmasq that a domain is local and it may answer queries from /etc/hosts or DHCP but should never forward queries on that domain to any upstream servers. local is a synonym for server to make configuration files clearer in this case.

The optional second IP address after the @ character tells dnsmasq how to set the source address of the queries to this nameserver. It should be an address belonging to the machine on which dnsmasq is running otherwise this server line will be logged and then ignored. The query-port flag is ignored for any servers which have a source address specified but the port may be specified directly as part of the source address.
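As an added illustration (this is not part of the original answer and not dnsmasq's own code), the following Python script parses dnsmasq server=, local= and address= lines in the config-file form shown above and reports which rule dnsmasq would pick for a given query name. It implements the matching described in the quoted man page (domain suffix match, // for unqualified names only, # for any name, a domain with no address means local and never forwarded, #port and @source on the address) and assumes the longest matching suffix wins when several rules match; on a tie it takes the first rule, where real dnsmasq would spread queries across the equal servers. The sample config, the 192.168.1.2 source address and the .lan local domain are constructed for the example.

```python
"""Added example: parse dnsmasq server=/local=/address= directives and show
which rule a query name would hit.  Not dnsmasq's own code; the precedence
rule (longest matching suffix wins, first rule wins a tie) is an assumption."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    kind: str                      # "server", "address" or "local"
    domains: List[str]             # "" = unqualified names only, "#" = any name
    ip: Optional[str] = None       # None for a local domain (never forwarded)
    port: int = 53
    source: Optional[str] = None   # @source address for server= rules, if any
    source_port: Optional[int] = None


def _split_host_port(text: str, default: Optional[int]) -> Tuple[str, Optional[int]]:
    """'8.8.8.8#5353' -> ('8.8.8.8', 5353); without '#' -> (text, default)."""
    host, sep, port = text.partition("#")
    return host, (int(port) if sep else default)


def parse_directive(line: str) -> Rule:
    """Parse one config-file line such as 'server=/co.uk/com/8.8.4.4'."""
    key, sep, value = line.strip().partition("=")
    if not sep:
        raise ValueError(f"not a key=value directive: {line!r}")
    key = key.strip()
    if key == "local":              # man page: local is a synonym for server
        key = "server"
    if key not in ("server", "address"):
        raise ValueError(f"unsupported directive: {key}")
    value = value.strip()
    if value.startswith("/"):
        *domains, target = value[1:].split("/")
    else:                           # plain server=<ip> applies to every name
        domains, target = [], value
    domains = [d.lower().rstrip(".") for d in domains] or ["#"]
    if target == "":                # domain given but no address: local only
        if key == "address":
            raise ValueError("address= needs an IP address")
        return Rule("local", domains)
    if key == "address":
        return Rule("address", domains, ip=target)
    upstream, _, source = target.partition("@")
    ip, port = _split_host_port(upstream, 53)
    src_ip, src_port = _split_host_port(source, None) if source else (None, None)
    return Rule("server", domains, ip=ip, port=port, source=src_ip, source_port=src_port)


def load_conf(text: str) -> List[Rule]:
    """Parse every server=/local=/address= line; skip blanks, comments, other keys."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split("=", 1)[0] in ("server", "local", "address"):
            rules.append(parse_directive(line))
    return rules


def _specificity(domain: str, name: str) -> Optional[int]:
    """Score a match (higher = more specific); None when the domain doesn't match."""
    if domain == "#":                               # any name at all
        return 0
    if domain == "":                                # unqualified names only
        return 1 if "." not in name else None
    if name == domain or name.endswith("." + domain):
        return 2 + domain.count(".")                # more labels -> more specific
    return None


def route(name: str, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Decide what dnsmasq would do with a query for `name` under `rules`.

    Returns ("address", ip), ("forward", "ip#port"), ("local", None) or
    ("resolv.conf", None) when nothing matches (fall back to /etc/resolv.conf).
    """
    name = name.lower().rstrip(".")
    best, best_score = None, -1
    for rule in rules:
        for domain in rule.domains:
            score = _specificity(domain, name)
            if score is not None and score > best_score:
                best, best_score = rule, score
    if best is None:
        return ("resolv.conf", None)
    if best.kind == "address":
        return ("address", best.ip)
    if best.kind == "local":
        return ("local", None)
    return ("forward", f"{best.ip}#{best.port}")


# Constructed sample config: the question's catch-all plus the answer's exceptions.
SAMPLE_CONF = """
address=/#/127.0.0.1
server=/ajax.googleapis.com/8.8.8.8
server=/amazonaws.com/209.244.0.3
server=/co.uk/com/8.8.4.4
server=//192.168.1.1#5353@192.168.1.2
server=/internal.thekelleys.org.uk/192.168.1.1
local=/lan/
"""

RULES = load_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for q in ("ajax.googleapis.com", "s3.amazonaws.com", "example.com",
              "bbc.co.uk", "underscorejs.org", "printer", "host.lan"):
        print(f"{q:35} -> {route(q, RULES)}")
```

Running it shows the point of the answer: with the catch-all address=/#/127.0.0.1 in place, a name such as underscorejs.org still resolves to 127.0.0.1, while ajax.googleapis.com and s3.amazonaws.com are forwarded to the server named in their more specific server= line, so they keep working when their real addresses change.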

Author: nrph

Updated on September 18, 2022

Comments

  • nrph
    nrph almost 2 years

    Right now I've got the following line in dnsmasq.conf, which handles well all requests (/#/ matches any domain; this is required):

    address=/#/127.0.0.1
    

    Yet, there are some domains which need to be resolved to IP addresses other than 127.0.0.1.

    As a temporary solution they have been added to /etc/hosts:

    209.85.148.95   ajax.googleapis.com
    207.97.227.245  underscorejs.org
    72.21.194.31    s3.amazonaws.com
    

    Unfortunately this is a very temporary solution: it will stop working as soon as the IP address of any target domain changes.

    My question is: how to enforce dnsmasq to use an upstream DNS server for resolving the IP addresses of some (specified) domain names?

  • gravyface
    gravyface almost 12 years
    I don't think he needs multiple server lines: whatever addresses he wants to fail to resolve (127.0.0.1), he can add them in with address lines; anything else, DNSMasq will query the server. Pretty sure that's how mine's set up.
  • user9517
    user9517 almost 12 years
    @gravyface: I read the question as wanting to make everything resolve to 127.0.0.1 with some exceptions which he wants to use DNS to resolve in case they change address. As I see it the way to do this is to use server directives.
  • gravyface
    gravyface almost 12 years
    Oh maybe. Who knows. Either way, that should get him going.