Setting up dnsmasq with secureoperator

Nathan Wittstock edited this page Jan 6, 2018 · 4 revisions

Since secureoperator does no caching of its own, it's recommended that you set up a caching DNS server like dnsmasq on your local network, which responds from its own cache and forwards uncached requests to secureoperator for lookup.

This document assumes that you:

  • are setting up dnsmasq and secureoperator on the same machine
  • have already installed the dnsmasq package as appropriate for your operating system
  • are installing on a Linux system
  • are using systemd

This isn't the only way to do this (you could use Docker, for example); however, these instructions should adapt easily to other environments.

Running secureoperator

  1. Download the latest release of secureoperator for your environment, and place it at /usr/local/bin/secure-operator. Ensure it is executable (chmod +x secure-operator)
  2. Create a systemd unit file to run secureoperator on startup. Save this file as /etc/systemd/system/secure-operator.service and ensure it is executable (chmod +x secure-operator.service)
[Unit]
Description=Secure Operator
After=network.target

[Service]
Type=simple
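# start secureoperator on port 54, rather than the standard DNS port. dnsmasq will run on 53 and
# forward to this server.
# 0.0.0.0 makes secureoperator listen on every interface; dnsmasq on this machine only
# connects to it over 127.0.0.1 (see server= in dnsmasq.conf).
ExecStart=/usr/local/bin/secure-operator -level warn -listen 0.0.0.0:54 -dns-servers "8.8.8.8,8.8.4.4"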

[Install]
WantedBy=multi-user.target
  3. Run systemctl daemon-reload to reload the unit files
  4. Run systemctl start secure-operator.service
  5. If secureoperator starts successfully, enable the service with systemctl enable secure-operator.service; it will now run at startup.

Testing secureoperator's operation

Send a DNS request directly to secureoperator with the dig command to ensure it's working:

dig @localhost -p 54 google.com

You should see a response which includes the A records for google.com.

Configuring dnsmasq

dnsmasq has a lot of configuration options, and you should refer to its man page for information on each; however, a minimal configuration should only require a few tweaks.

  1. Edit /etc/dnsmasq.conf and ensure the following lines are set:
# stops dnsmasq from reading resolv.conf
no-resolv

# add your secureoperator server as the upstream dns server
server=127.0.0.1#54

# set how many entries you wish to have cached; you can tweak
# this setting depending on how much memory your system has
# available
cache-size=500
  2. Alter the dnsmasq unit file, /etc/systemd/system/dnsmasq.service, to depend on secureoperator by adding the following to the [Unit] section. Ensure these are new additions; don't replace any of the existing After or Requires directives:
After=secure-operator.service
Requires=secure-operator.service
  3. Start dnsmasq with systemctl start dnsmasq.service
  4. If it starts correctly, enable it at startup with systemctl enable dnsmasq.service
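
A check that can be run on /etc/dnsmasq.conf before starting dnsmasq, as an added example that is not part of secureoperator or the original page: it flags a missing no-resolv or any server= entry other than 127.0.0.1#54, either of which gives dnsmasq an upstream that does not go through secureoperator. The function name audit_dnsmasq_conf and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of secureoperator or dnsmasq.
# audit_dnsmasq_conf FILE [UPSTREAM]: print one finding per line for settings
# that give dnsmasq an upstream other than the local secureoperator listener.
# Returns 0 when clean, 1 on findings, 2 if FILE is unreadable.
# Limitation: files pulled in via conf-file/conf-dir are not followed.
audit_dnsmasq_conf() {
    conf=$1
    upstream=${2:-127.0.0.1#54}   # the server= value used on this page
    findings=0
    [ -r "$conf" ] || { echo "cannot read: $conf"; return 2; }

    # Keep active directives only: drop comments ('#' at line start or after
    # whitespace, so the '#' in 127.0.0.1#54 survives), whitespace, blank lines.
    active=$(sed -e 's/^#.*//' -e 's/[[:space:]]#.*//' \
                 -e 's/[[:space:]]//g' -e '/^$/d' "$conf")

    # Without no-resolv, dnsmasq also reads upstream servers from resolv.conf.
    if ! printf '%s\n' "$active" | grep -qx 'no-resolv'; then
        echo "missing no-resolv"
        findings=$((findings + 1))
    fi

    # The secureoperator listener has to be configured as an upstream.
    if ! printf '%s\n' "$active" | grep -qxF "server=$upstream"; then
        echo "missing server=$upstream"
        findings=$((findings + 1))
    fi

    # Every other server= line is a path that does not go through secureoperator.
    for line in $(printf '%s\n' "$active" | grep '^server=' | grep -vxF "server=$upstream"); do
        echo "other upstream: $line"
        findings=$((findings + 1))
    done

    [ "$findings" -eq 0 ]
}

# Constructed sample: the page's settings plus one leftover plaintext upstream.
sample=$(mktemp)
printf '%s\n' 'no-resolv' 'server=127.0.0.1#54' 'server=8.8.8.8  # leftover' \
    'cache-size=500' > "$sample"
audit_dnsmasq_conf "$sample" || echo "fix the findings above before starting dnsmasq"
rm -f "$sample"
```

Against the real file, call it as audit_dnsmasq_conf /etc/dnsmasq.conf; no output and exit status 0 mean the only configured upstream is secureoperator.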

Testing dnsmasq's operation

Send a DNS request to dnsmasq with the dig command to ensure it's working:

dig @localhost google.com

You should see a response which includes the A records for google.com.
