- install dnsmasq (2.78+, because 2.72 is bugged with certain DNS, including Cloudflare)
- `/etc/dnsmasq.conf`:

```
port=53
listen-address=127.0.0.1
interface=lo
bind-interfaces
dnssec
# also require proof that an unsigned reply really comes from an unsigned zone
dnssec-check-unsigned
# root KSK trust anchors: 19036 is KSK-2010, retired after the October 2018 rollover; 20326 is the KSK currently in use
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
resolv-file=/etc/resolv.dnsmasq.conf
cache-size=262144
dns-forward-max=4096
# query the upstream servers in the order they are listed in resolv-file
strict-order
```

  anchors from https://data.iana.org/root-anchors/root-anchors.xml
- `/etc/resolv.dnsmasq.conf`:

```
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4
```
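The `trust-anchor=` lines above are the `Zone`, `KeyTag`, `Algorithm`, `DigestType` and `Digest` fields of IANA's root-anchors.xml joined with commas. The following added example (not part of the original notes) generates those lines from that XML and drops any `KeyDigest` whose `validUntil` has passed, so a retired root KSK does not end up in the resolver config. The embedded XML is a constructed sample in IANA's layout with the two digests from the page; the `validFrom`/`validUntil` dates and element ids are assumptions. IANA also publishes a detached signature (root-anchors.p7s) for the file, which should be checked before the download is trusted.

```python
"""Generate dnsmasq trust-anchor= lines from root-anchors.xml (added example)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the layout IANA publishes at
# https://data.iana.org/root-anchors/root-anchors.xml; ids and dates are assumed.
SAMPLE_ROOT_ANCHORS = """<TrustAnchor id="sample" source="https://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="ksk-2010" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>19036</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest>
<KeyDigest id="ksk-2017" validFrom="2017-02-02T00:00:00+00:00">
<KeyTag>20326</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D</Digest>
</KeyDigest>
</TrustAnchor>
"""

# Expected hex length of a DS digest per digest type (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGEST_HEX_LEN = {"1": 40, "2": 64, "4": 96}


def _parse_ts(ts):
    # IANA timestamps are ISO 8601 with an explicit UTC offset
    return datetime.fromisoformat(ts)


def trust_anchor_lines(xml_text, now=None):
    """Return dnsmasq `trust-anchor=` lines for the key digests valid at `now`.

    `now` may be None (current UTC time), an aware datetime, or an ISO 8601 string.
    Raises ValueError if a digest is not well-formed hex of the right length.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_ts(now)
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone", ".").strip()
    lines = []
    for kd in root.findall("KeyDigest"):
        # skip anchors that are not yet valid or that have expired
        if _parse_ts(kd.get("validFrom")) > now:
            continue
        until = kd.get("validUntil")
        if until and _parse_ts(until) <= now:
            continue
        tag = kd.findtext("KeyTag").strip()
        alg = kd.findtext("Algorithm").strip()
        dtype = kd.findtext("DigestType").strip()
        digest = kd.findtext("Digest").strip().upper()
        expected = DIGEST_HEX_LEN.get(dtype)
        if expected is None or not re.fullmatch(r"[0-9A-F]{%d}" % expected, digest):
            raise ValueError(f"malformed digest for key tag {tag}")
        lines.append(f"trust-anchor={zone},{tag},{alg},{dtype},{digest}")
    return lines


if __name__ == "__main__":
    import sys
    # pass the downloaded root-anchors.xml as the first argument, else use the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ROOT_ANCHORS
    print("\n".join(trust_anchor_lines(text)))
```

Run with the downloaded file as the argument and paste the printed lines into `/etc/dnsmasq.conf`; with today's date only the 20326 anchor is emitted, which is what a fresh install should carry.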
- now lock `resolv.conf` against the autoupdates (one of the ways below, depending on what manages your `resolv.conf`):
  - check if you have `/etc/NetworkManager/NetworkManager.conf`; if yes, open it and add `dns=none` into the `[main]` section. If the file is empty, just make it look like this:

```
[main]
dns=none
```

  - open `/etc/dhclient.conf` or `/etc/dhcp/dhclient.conf` (whichever exists) and insert this line: `supersede domain-name-servers 127.0.0.1;`
  - open `/etc/network/interfaces` and add this line: `dns-nameservers 127.0.0.1`
Next:
- start dnsmasq with `dnsmasq --conf-file=/etc/dnsmasq.conf`, but disable the service: `systemctl disable dnsmasq`
- `/etc/resolv.conf`:

```
nameserver 127.0.0.1
```

- add `resolver 127.0.0.1;` in nginx & restart it
- disable all IPv4 DNS for the actual `username` (if not `root`) except to `127.0.0.1`; dnsmasq is unaffected because it runs as `nobody`:

```
iptables -A OUTPUT -p udp --destination-port 53 -m owner --uid-owner username -j DROP
iptables -I OUTPUT -p udp --destination-port 53 -d 127.0.0.1 -m owner --uid-owner username -j ACCEPT
```

  (the `-I` ACCEPT is inserted above the appended DROP, so it matches first; these two rules cover UDP only, so a matching pair with `-p tcp` is needed if DNS over TCP should be restricted as well)
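Once dnsmasq is up on 127.0.0.1, the thing worth checking is that it actually validates: a correctly signed name must come back as NOERROR with the `ad` (authenticated data) flag set, and a name whose signatures are broken must be refused with SERVFAIL instead of being answered. The following added example (not part of the original notes) parses dig's header for exactly those two conditions and runs both probes against the local resolver. The three `SAMPLE_*` strings are constructed dig outputs, not captured from a real resolver; `iana.org` is used as a signed zone and `dnssec-failed.org` as the public test zone with deliberately broken signatures, both of which can be swapped for other names via the parameters.

```python
"""Check that the local dnsmasq validates DNSSEC (added example)."""
import re
import subprocess

# The ";; flags: ..." and "status: ..." fields of dig's ->>HEADER<<- section
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.MULTILINE)
STATUS_RE = re.compile(r"status: ([A-Z]+)")

# Constructed sample outputs (not captured from a real resolver)
SAMPLE_VALIDATED = """; <<>> DiG 9.18.24 <<>> @127.0.0.1 +dnssec signed.example A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
# answered, but without the ad flag: the resolver is not validating
SAMPLE_UNVALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
# what a validating resolver returns for a zone with broken signatures
SAMPLE_BOGUS = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def parse_header(dig_output):
    """Return (status, flags) from dig's header; status is None if absent."""
    status = STATUS_RE.search(dig_output)
    flags = FLAGS_RE.search(dig_output)
    return (status.group(1) if status else None,
            frozenset(flags.group(1).split()) if flags else frozenset())


def is_validated(dig_output):
    """True when the answer is NOERROR and carries the ad flag."""
    status, flags = parse_header(dig_output)
    return status == "NOERROR" and "ad" in flags


def is_refused(dig_output):
    """True when the resolver refused to answer (SERVFAIL), as it must for bogus data."""
    return parse_header(dig_output)[0] == "SERVFAIL"


def dig(name, server="127.0.0.1"):
    """Query the resolver with the DO bit set (+dnssec) and return dig's text output."""
    result = subprocess.run(["dig", "@" + server, "+dnssec", name, "A"],
                            capture_output=True, text=True, check=False)
    return result.stdout


def check_resolver(signed_name="iana.org", bogus_name="dnssec-failed.org", server="127.0.0.1"):
    """Both findings must be True for a validating resolver."""
    return {
        "validates_signed": is_validated(dig(signed_name, server)),
        "rejects_bogus": is_refused(dig(bogus_name, server)),
    }


if __name__ == "__main__":
    print(check_resolver())
```

If `validates_signed` is False while the query still succeeds, the resolver is forwarding without validating (for example when `dnssec` is missing or the trust anchor is wrong); if `rejects_bogus` is False, broken signatures are being accepted, which is the failure mode DNSSEC is meant to stop.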
- if you want to override some A records you should add `addn-hosts=/etc/hosts.dnsmasq.conf` into `/etc/dnsmasq.conf` and put the records into `/etc/hosts.dnsmasq.conf`:

```
0.0.0.0 null.localhost
0.0.0.0 account.example.com
```

- to override some CNAME records you should add `cname=account.example.com,null.localhost` into `/etc/dnsmasq.conf`; in that case the CNAME for `account.example.com` will be `null.localhost`, which points to `0.0.0.0`