First of all, I’m not at all a web developer and had very little interest to learn web technology. All started changing during my marrage time, I wanted to create a wedding invitation website just to invite my friends.
My invitation website got good response in office. my colleagues asked about how I managed to create it because I belongs to c/c++ croud and very few in my team have broad knowledge about web technologies to create a website.
I then created my wedding invitation site. Initially, I thought I have to spend money to host my wedding invitation site, but I came to know more about Heroku from one of the talk in Ilugc. Soon, my research about PaaS environments introduced me to OpenShift from RedHat. Openshift provides free hosting and OpenShift itself is OpenSource.
So, All I have to do is, create free account in OpenShift, Install rhc gem in my laptop, push my website into openshift through git. Thats all. My wedding invitation site is accessable anywhere and I was able to impress my friends,colleagues and finally my wife.
My wedding invitation app gave me overview of how current web development works, so I decided to have my personal website which consists of blog posts and my photos gallery. Instead of using blog framework available for node.js, I decided to use my existing wordpress blog for blog posts and my existing google drive account for storing photos so that I don’t need to use any database for my personal website.
Finally, I was able to come up with somewhat viewable personal website https://mohan43uweb-silentcrooks.rhcloud.com.
If you are viewing this Article through mohan43u.wordpress.com, checkout my personal website at https://mohan43uweb-silentcrooks.rhcloud.com and suggest me better ways to improve it.
Its been 1yr 3months since I published my last post, lot of changes happened in my life. Just a quick look at my past
I got married on 06-Dec-2013 to Deepa (A facebook addict who always wants to be in touch with her friends). Atlast, there is someone who will scold me when I don’t eat/sleep/bath properly. I got a nice traveller now to travell with me rest of my life. My stomach is not burning when I go to multiplexes and malls after marrage :)
Moved to Pune
Moved to beautiful Pune on Oct-2013. Nice city. But, I’m missing ilugc meetings very much. I have to start going to lug meeting in pune.
Node.js & Web
First started learning during my wedding to create a simple website just to show my invitation, now developed a personal website using node.js (more about this in next post).
Well, nice to be back to blogging after a long gap.
As you already know from by previous postfix article, Any mail going through drunkenmonk.org domain will have my gmail address as sender. Thats good. What about receiving mail from gmail?
In your mind, you are saying “Its damn easy right? configure your evolution/thunderbird to poing to gmail stupid?” right? yeah, thats right. I can configure any mail client to point to gmail and get mails. But, I want my postfix to play a roll.
Postfix is basically a smtp server, it can also act like smtp client. But, it cant work as a imap/pop3 client.
So, Here is the task, I need to get mails from gmail through pop3 and put it into my postfix so that all other clients connected with my postfix can get that mail. Here comes fetchmail.
Fetchmail is a beautiful program which will act like imap/pop3 client (just like evolution/thunderbird) and instead of saving it somewhere, fetchmail will put that mail into your local machine’s mail server. So, all the mail clients connected with your local mail server will get your email from gmail.
Thats enough of theory, lets get down and install fetchmail, first install the package
$ sudo equo install fetchmail $
Now time to configure fetchmail, it uses /etc/fetchmailrc as its only configuration file. But, we need to be careful with it. Because, we are saving the username/password a plain-text, so the permission for /etc/fetchmail should be (0600) for root.
If you start configuring fetchmail by reading ‘man fetchmail’, you will switchoff easily. That man page is such a damn brief and will confuse you easily. But, fetchmail config is really a easy one. It will take just three lines to configure it. Here is those three lines,
set daemon 120 set syslog poll pop.gmail.com proto pop3 user "foo" pass "bar" to "stupid" ssl sslproto "TLS1"
Here, ‘set daemon 120′ will make fetchmail to connect to gmail server every 2 minutes.
‘set syslog’ will make fetchmail to put logs into syslog.
‘poll pop.gmail.com’ instructs fetchmail to connect to pop.gmail.com server.
‘proto pop3′ instructs fetchmail to use pop3 protocol.
‘user “foo” pass “bar” to “stupid”‘ instructs fetchmail to use ‘foo’ as username and ‘bar’ as password to open gmail account in gmail server, fetch those mail from gmail server and put it into local machine’s postfix as a mail for ‘stupid’ user.
‘ssl’ instructs fetchmail to use secure connection. ‘sslproto “TLS1″‘ tells fetchmail to use STARTTLS for sercure connection.
Thats it for configuration stuff, now its time to restart fetchmail
$ sudo eselect rc restart fetchmail $
Now, you can see your mails are fetched from gmail and available to you through ‘mailx’ command.
Even though mbox have difficulties, traditional commandline mail clients like ‘mailx’ works with ‘mbox’ style mail files flawlessly. Also postfix which I setup previously by default creates single mbox mail file inside /var/spool/mail/ directory for each user. So, I need a imap+pop3 server which can operate with mbox like mail files. Dovecot is the choice.
First we need to install dovecot. I’m using sabayon, the instruction is specific to sabayon/gentoo,
$ sudo equo install net-mail/dovecot
Its time to setup dovecot. Before we do, we need to create self signed certificates to use it for imaps and pop3s. Lets first create those certificates.
$ cd /etc/ssl/dovecot $ sudo mkdir oldcerts $ sudo mv * oldcerts $ sudo openssl genrsa -out server.key.password -des3 1024 Generating RSA private key, 1024 bit long modulus ..........................................++++++ ..................................................++++++ e is 65537 (0x10001) Enter pass phrase for server.key.password: Verifying - Enter pass phrase for server.key.password: $
We have to give ‘pass phrase’ here, otherwise openssl command will not create key file. But, having pass phrase for key file is not good, because we need to provide this pass phrase everytime dovecot access this file. Here is the step to remove the pass phrase from rsa key file
$ sudo openssl rsa -in server.key.password -out server.key Enter pass phrase for server.key.password: writing RSA key $
Now generate certificate request with the rsa key file
$ sudo openssl req -out server.csr -new -key server.key You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:IN State or Province Name (full name) [Some-State]:TamilNadu Locality Name (eg, city) :Chennai Organization Name (eg, company) [Internet Widgits Pty Ltd]:DrunkenMonk Private Limited Organizational Unit Name (eg, section) :Pattasarayam Generating Unit Common Name (e.g. server FQDN or YOUR name) :drunkenmonk.org Email Address :firstname.lastname@example.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name : $
We should not give password when creating certificate request. Ok, know time to create self signed certificate.
$ sudo openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 365 Signature ok subject=/C=IN/ST=TamilNadu/L=Chennai/O=DrunkenMonk Private Limited/OU=Pattasarayam Generating Unit/CN=drunkenmonk.org/emailAddressemail@example.com Getting Private key $
Now we have two files /etc/ssl/dovecot/server.key and /etc/ssl/dovecot/server.crt to use it for SSL. Lets configure dovecot now, we need to modify /etc/dovecot/dovecot.conf like this,
protocols = imap pop3 listen = *, ::
Configuration not ends with /etc/dovecot/dovecot.conf, it has different conf files for different purpose inside /etc/dovecot/conf.d/, lets modify one by one, Here is /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login !include auth-system.conf.ext #!include auth-sql.conf.ext #!include auth-ldap.conf.ext #!include auth-passwdfile.conf.ext #!include auth-checkpassword.conf.ext #!include auth-vpopmail.conf.ext #!include auth-static.conf.ext
If you want to permit only current machine’s users and don’t want to use ldap or other machinisms, then make sure you comment all includes except auth-system.conf.txt.
Here is modifications inside /etc/dovecot/conf.d/10-logging.conf
log_path = syslog syslog_facility = mail
Here is modifications inside /etc/dovecot/conf.d/10-mail.conf
mail_location = mbox:~/.mail:INBOX=/var/mail/%u
ssl = yes ssl_cert = /etc/ssl/dovecot/server.crt ssl_key = /etc/ssl/dovecot/server.key
Thats all from config stuff, lets restart dovecot.
$ sudo eselect rc restart dovecot
Now, we need to test if it is working, We need to connect with dovecot through imap port with TLS encryption
$ openssl s_client -connect localhost:143 -starttls imap
Above command will show lot of SSL stuffs, and then finally dovecot will say ‘. OK’, we need to start communication with dovecot from there,
. OK Pre-login capabilities listed, post-login capabilities have more. a login mokka somepassword * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE a OK Logged in b select inbox * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted. * 0 EXISTS * 0 RECENT * OK [UIDVALIDITY 1343790396] UIDs valid * OK [UIDNEXT 320] Predicted next UID * OK [NOMODSEQ] No permanent modsequences b OK [READ-WRITE] Select completed. c list "" * * LIST (\HasNoChildren) "/" "INBOX" c OK List completed.
The above session with dovecot shows that things are ok. You can now configure your Thunderbird/Evolution to use your machine for local emails. Have a nice day!!
Most of us forget that postfix not only acts like a mail-server, but it can act like a smtp-client (like thunderbird, evolution).
This post is all about configuring postfix to work as mail-server for my local domain (drunkenmonk.org) at the same time forward any outside domain mails to smtp.google.com with my gmail account credentials. If you are curious about drunkenmonk.org, read my previous articles about dnsmasq and virtual home network. These two articles will explain how I setup my home network.
First things first, lets install postfix (Well I’m using sabayon)
$ sudo equo install mail-mta/postfix
BASIC MAIL SERVER
Postfix configuration is pretty simple and straight forward. You have to configure following parameters inside /etc/postfix/main.cf
mydomain = drunkenmonk.org myorigin = $mydomain inet_interfaces = all mydestination = localhost, localhost.$mydomain, $myhostname, $mydomain, mail.$mydomain mynetworks_style = subnet
‘mydomain’ tells postfix that it should serve as mail server for ‘drunkenmonk.org’ domain.
‘myorigin’ tells that postfix should append ‘drunkenmonk.org’ to any incoming mail’s address if the address don’t have domain part. Which means, when you do ‘mail someuser’ from commandline, postfix will append ‘drunkenmonk.org’ so that To address will become ‘firstname.lastname@example.org’.
‘inet_interfaces’ tells postfix to listen on all network interfaces.
‘mydestination’ tells postfix that it should be the final destination for ‘localhost’, ‘localhost.drunkenmonk.org’, ‘mokka.drunkenmonk.org’, ‘drunkenmonk.org’ and ‘mail.drunkenmonk.org’
‘mynetworks_style’ tells postfix that my local network is a ‘subnet’ type.
Thats all needed for postfix to get start. We can restart postfix with this configurations to send/receive mails between local users. However we want a little bit more from postfix. Lets configure it to use STARTTLS for its communication with its clients
BASIC MAIL SERVER WITH STARTTLS
If you wonder what is STARTTLS, its a simple method to establish communication in a secure way. Your server application (like Postfix listening on port 25) says “Hey client I have TLS support, If you want, we can communicate each other in TLS secure way within port 25 itself, If you don’t want, we can continue with plain-text, what you say?”, then your client (like Evolution or Thunderbird) will tell “OOh!! you offer TLS, then lets do TLS!!”. So the packets going between server and client will be encrypted using TLS.
Before STARTTLS, people used different port for secure smtp which is smtps(port 465). But nowadays it is changing, the regular smtp port itself been used for both plain-text and SSL/TLS communication.
We have to configure Postfix to talk in SSL/TLS way, for that we need Self Signed SSL certificate. Lets create one,
$ cd /etc/ssl/postfix $ sudo mkdir oldcerts $ sudo mv * oldcerts $ sudo openssl genrsa -out server.key.password -des3 1024 Generating RSA private key, 1024 bit long modulus .............................++++++ ..........................++++++ e is 65537 (0x10001) Enter pass phrase for server.key.password: Verifying - Enter pass phrase for server.key.password: $
Here you have to give a ‘pass phrase’ to generate RSA private key, but having a key with ‘pass phrase’ is asking for trouble. You have to manually type this password everytime postfix access this key. The following command will remove ‘pass phrase’ from a RSA key
$ sudo openssl rsa -in server.key.password -out server.key Enter pass phrase for server.key.password: writing RSA key $
Now you have a RSA private key file server.key without ‘pass phrase’. Its time to create certificate request,
$ sudo openssl req -out server.csr -new -key server.key You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:IN State or Province Name (full name) [Some-State]:TamilNadu Locality Name (eg, city) :Chennai Organization Name (eg, company) [Internet Widgits Pty Ltd]:DrunkenMonk Pvt Ltd Organizational Unit Name (eg, section) : Pattasarayam Generating Unit Common Name (e.g. server FQDN or YOUR name) :MokkaPandi Email Address :email@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :
Don’t give any password when creating certificate request. Finally create a self signed ssl certificate using following command,
$ sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt Signature ok subject=/C=IN/ST=TamilNadu/L=Chennai/O=DrunkenMonk Pvt Ltd/OU= Pattasarayam Generating Unit/CN=MokkaPandi/emailAddressfirstname.lastname@example.org Getting Private key $
Ok, thats it. You will have two files, one is /etc/ssl/postfix/server.crt and another is /etc/ssl/postfix/server.key, Now configure postfix to use these two for SSL/TLS communication, Add the following lines at the end of /etc/postfix/main.cf
# TLS Support smtpd_tls_cert_file = /etc/ssl/postfix/server.crt smtpd_tls_key_file = /etc/ssl/postfix/server.key smtpd_tls_security_level = may
Finally, start postfix
$ sudo eselect rc restart postfix
Check if postfix can operate with STARTTLS,
$ sudo openssl s_client -connect localhost:25 -starttls smtp
Above command will show the server certificate and all SSL stuffs. After this, whatever you send will be encrypted, now check if it can send mail,
250 DSN EHLO drunkenmonk.org 250-mokka.drunkenmonk.org 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN mail from: email@example.com 250 2.1.0 Ok rcpt to: firstname.lastname@example.org 250 2.1.5 Ok data 354 End data with . Subject: test mail test mail . 250 2.0.0 Ok: queued as E0E352C0091 quit 221 2.0.0 Bye closed $
Now see if root got a test mail
$ sudo mail >N 8 root@drunkenmonk Tue Aug 7 16:50 14/533 test mail &p From email@example.com Tue Aug 7 16:50:23 2012 X-Original-To: firstname.lastname@example.org Subject: test mail Date: Tue, 7 Aug 2012 16:49:48 +0530 (IST) From: email@example.com test mail &q $
We are not done yet. There is one more part. Lets make postfix to forward mails to gmail.
Till now, postfix can send/receive mails within drunkenmonk.org domain. But if someone from your subnet want to send a mail to a person who have mail address outside drunkenmonk.org domain (let say firstname.lastname@example.org), then your current postfix will try to contact mail server of yahoo.com. But, yahoo’s mail server will reject your mail because drunkenmonk.org is not a vaild registered domain.
But, If you have a gmail account, you can forward the mail first to smtp.gmail.com with your account credentials so that gmail will send your mail to email@example.com with your gmail account credentials. The person who owns firstname.lastname@example.org will receive a mail with from address as yours irrespective of whoever send within your local network.
To make postfix to know your credentials, we need to create a credential db with gmail account credentials, For that we need to add following line at the end of /etc/postfix/saslpass file
# run following command to generate hash password db # that can be used inside postfix's main.cf # # command: # postmap hash:saslpass # # #file content format: #remotehost username:password smtp.gmail.com foouser:barpassword
Now run the following command to create saslpass.db
$ cd /etc/postfix $ sudo postmap hash:saslpass
Now you can see saslpass.db created as a Berkeley DB file. We can now use this file inside main.cf to inform postfix about your gmail account credential. Before doing that, please remove /etc/postfix/saslpass file or change its access to 0600 for root. Because your credentials are in plaintext. We need to add following lines at the end of main.cf
# gmail smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/saslpass smtp_sasl_security_options = noanonymous smtp_tls_security_level = encrypt smtp_tls_mandatory_ciphers = high smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop relayhost = smtp.gmail.com:587
Here ‘hash:/etc/postfix/saslpass’ actually makes postfix to access /etc/postfix/saslpass.db file. You can remove /etc/postfix/saslpass which have your gmail password as plaintext. It will not affect postfix and postfix doesn’t need it.
Thats it, we are done. Once you restart postfix, It becomes capable of sending mail to outside world but with your gmail account’s credentials. Thanks for reading all the way down to this line. Have a nice day!!
As I said in my previous article, this post will explain how we can use bridge interface to configure networks inside virtual hosts and much more about virtualization.
First we need to make sure our machine is capable of kvm virtualization, see if you get any output for below command
$ grep -E 'vmx|svm' /proc/cpuinfo
Most modern processers supports Hardware assisted Virtualization. If you don’t get any output for above command, It means you don’t have a processor capable of providing Hardware Assisted Virtualization. Qemu-kvm will not work, but you can use Qemu without kvm or some other virtualization applications like virtualbox etc. Also skip ‘LOADING KERNEL MODULES’ section of this article if you don’t have kvm support.
LOADING KERNEL MODULES
If your processor supports kvm, then we have to load following kernel modules and make sure they load automatically whenever we restart our system. In gentoo/sabayon, we need to modify ‘modules=’ line in /etc/conf.d/modules file as
Here ‘kvm-intel’ is the kernel module for virtualization and ‘tun’ is the kernel module for ‘TUN/TAP’ devices. For, AMD machines, we need to load ‘kvm-amd’ instead of ‘kvm-intel’. Now we need to load these modules for the current run, Here is the commands which will load ‘kvm-intel’ and ‘tun’ drivers into kernel
$ sudo modprobe kvm-intel tun $
Next is to install required packages, Here is sabayon command to install required packages
$ sudo equo install app-emulation/qemu-kvm net-misc/bridge-utilities net-dns/dnsmasq sys-apps/usermode-utilities $
‘qemu-kvm’ is for virtualization, ‘bridge-utilities’ is to get ‘brctl’ command, ‘dnsmasq’ is to handle DNS and DHCP requests from guests, ‘usermode-utilities’ is to get ‘tunctl’ command.
Its time to create interfaces, first we need to create the bridge
$ sudo brctl addbr br0
Assign IP address to the bridge,
$ sudo ifconfig br0 192.168.2.1 netmask 255.255.255.0 up
Next, create a tap0 interface, following command will create ‘tap0′ pseudo slave interface from /dev/net/tun master interface
$ sudo tunctl -t tap0
Now, we need to hook the tap0 interface with the bridge br0
$ sudo brctl addif br0 tap0
Bring up the tap0
$ sudo ifconfig tap0 up
FIREWALL RULES AND MASQUERADING
If you read my previous article, I have dnsmasq configured to serve DHCP requests coming from br0. Hooking tap0 into br0 will make the guest send DHCP requests via tap0->br0 and my host machine’s dhsmasq process will serve ip address to the guest. We have to make sure iptables dont block BROADCAST packets as well as open the port 53 and 64 so that dnsmasq will get the DHCP and BOOTP packets. Make sure your iptables contains following lines,
$ sudo iptables -t filter -L | grep -E 'BROADCAST|domain|bootp' ACCEPT all -- anywhere anywhere ADDRTYPE match src-type BROADCAST ACCEPT udp -- anywhere anywhere udp dpt:bootps ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:domainflags: FIN,SYN,RST,ACK/SYN ACCEPT tcp -- anywhere anywhere tcp dpt:bootpsflags: FIN,SYN,RST,ACK/SYN $
Now we need to make sure MASQUERADING is enabled and let your host system forward the packets. Also make these settings permanent so that reboot dont break the settings,
$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE $ sudo sysctl net.ipv4.ip_forward=1 $ sudo /etc/init.d/iptables save $ sudo /etc/init.d/iptables reload $ sudo sed -i 's/^.*net.ipv4.ip_forward.*$/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
Check these settings are ok,
$ sudo iptables -t nat -L Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE all -- anywhere anywhere $ sudo sysctl -a | grep ipv4.ip_forward net.ipv4.ip_forward = 1 $
STARTING QEMU GUEST
Finally, its time to start virtual guest, first we need to create disk image, Here is the command to create a 5GB raw disk image for qemu-kvm
$ sudo qemu-img create -f raw Debian.img 5G $
Now download debian netinstall image for amd64 architecture
$ sudo wget http://ftp.nl.debian.org/debian/dists/squeeze/main/installer-amd64/current/images/netboot/gtk/mini.iso $
Atlast, start the guest with with tap0 networking
$ qemu-kvm -cpu kvm64 -drive file=Debian.img,if=virtio -cdrom mini.iso -boot order=dc -m 512 -soundhw sb16 -name "Debian" -net nic,model=virtio -net tap,ifname="tap0",script=no,downscript=no
Thats it, your qemu guest will automatically get network settings from host machine. You can also verify that dnsmasq served a DHCP request via syslog
$ sudo grep 'dnsmasq-dhcp' /var/log/messages dnsmasq-dhcp: DHCPDISCOVER(br0) 192.168.2.89 52:54:00:12:34:56 dnsmasq-dhcp: DHCPOFFER(br0) 192.168.2.89 52:54:00:12:34:56 dnsmasq-dhcp: DHCPREQUEST(br0) 192.168.2.89 52:54:00:12:34:56 dnsmasq-dhcp: DHCPACK(br0) 192.168.2.89 52:54:00:12:34:56 virt0 $
Well, if you still reading this article and not get bored, you must be a *nix admin. Have a great day!!
Every BSNL broadband subscribers know that BSNL’s default nameservers are one of the worst in response times. Even if you have connectivity exceeding 1gbps, If your nameservers are not good, then your internet experience will not be good.
So, I decided to use google’s nameservers. I could have configure NetworkManager not to get nameservers through DHCP instead ask it to use google’s nameservers, but I thought of giving ‘dnamasq’ a try.
Configuring dnsmasq is pretty simple and straight forward. We have to modify two files /etc/hosts and /etc/dnsmasq.conf. Here is my /etc/hosts file
127.0.0.1 mokka.drunkenmonk.org mokka localhost ::1 mokka.drunkenmonk.org mokka localhost 192.168.2.1 bridge.mokka.drunkenmonk.org
The first line says ’127.0.0.1 is the ip address for mokka.drunkenmonk.org and also for ‘mokka’ and ‘localhost’ hostnames. I other words, ‘mokka’, ‘localhost’ and ‘mokka.drunkenmonk.org’ will resolve to 127.0.0.1 ip address.
‘mokka.drunkenmonk.org’ is a cononical name which contains two parts, ‘mokka’ as hostname and ‘drunkenmonk.org’ as domainname. So, by putting ‘drunkenmonk.org’, I’m also setting domainname for my system.
I really don’t know the proper way to configure domainname in my sabayon (in other words gentoo). From googling, I came to know that putting ‘domain drunkenmonk.org’ into /etc/resolv.conf is the right way to set domainname in a linux system. But, /etc/resolv.conf is such dynamic nowadays, we can’t be sure who will modify it later and I never see a router providing domainname in DHCP response (Not in BSNL’s ADSL routers for sure). So I endup putting my domainname in /etc/hosts file.
The second line is same like the first one, but for ipv6.
The third line says ’192.168.2.1′ is the ip address for ‘bridge.mokka.drunkenmonk.org’. I’ll come to this later. Now, take a look at my /etc/dnsmasq.conf
domain-needed bogus-priv no-resolv server=184.108.40.206 server=220.127.116.11 local=/drunkenmonk.org/ domain=drunkenmonk.org dhcp-range=interface:br0,192.168.2.2,192.168.2.254,255.255.255.0,1d mx-host=drunkenmonk.org,mail.drunkenmonk.org,30 cname=drunkenmonk.org,bridge.mokka.drunkenmonk.org cname=www.drunkenmonk.org,bridge.mokka.drunkenmonk.org cname=mail.drunkenmonk.org,bridge.mokka.drunkenmonk.org
‘domain-needed’ instructs dnsmasq to never forward DNS queries which don’t have domain part. It means, If you query for ‘nslookup google’ dnsmasq will never forward it to upstream server (In my case, to google’s nameservers).
‘bogus-priv’ tells dnsmasq never forward reverse-lookup queries which have local subnet’s ip rage to upstream. Which means ‘nslookup 10.0.0.1′ will not be forwarded to upstream instead dnsmasq will try to resolv itself. If it doesn’t find hostname for 10.0.0.1 in /etc/hosts or its dhcp leases, then it will send back ‘no such domain’ response.
‘no-resolv’ says dnsmasq will not read /etc/resolv.conf to get upsteram nameservers. Normally dnsmasq will read /etc/resolv.conf file to get upstream nameservers.
‘server=18.104.22.168′ and ‘server=22.214.171.124′ instucts dnsmasq to use google’s 126.96.36.199 and 188.8.131.52 as primary and secondary DNS nameservers (or in other words upstream nameservers).
‘local=/drunkenmonk.org/’ says that DNS queries with hostnames like ‘mokka.drunkenmonk.org’ should not be forwarded to upstream intead dnsmasq should resolve it from /etc/hosts or from its dhcp leases.
‘domain=drunkenmonk.org’ tells dnsmasq to send ‘domain=drunkenmonk.org’ in DHCP response so that machines configured through DHCP will come under ‘drunkenmonk.org’ domain.
‘dhcp-range=interface:br0,192.168.2.2,192.168.2.254,255.255.255.0,1d’ instructs dhsmasq to allocate ip address between 192.168.2.2 and 192.168.2.254 with netmask 255.255.255.0 for 1 day only to the DHCP requests coming from br0 interface. Which means, machines connected through br0 interface and asking for DHCP response will get ip address between 192.168.2.2 and 192.168.2.254 for 1 day. dnsmasq will not send response to requests coming from interfaces other than br0.
‘mx-host=drunkenmonk.org,mail.drunkenmonk.org,30′ tells dnsmasq to send ‘mail.drunkenmonk.org’ as MX response for ‘drunkenmonk.org’ domain. Which means, when you do ‘nslookup -q=MX drunkenmonk.org’ it will give ‘mail.drunkenmonk.org’ as response.
‘cname’ lines are like aliases. means when you do ‘nslookup http://www.drunkenmonk.org’; it will resolve to ‘bridge.mokka.drunkenmonk.org’ which resolves to ’192.168.2.1′ according to /etc/hosts file. So dnsmasq will send ’192.168.2.1′ as response.
Thats all from configuration stuff. These changes will take effect once you restart dnsmasq service. But this does not means that all your DNS queries will go through your machine’s dnsmasq daemon, If you have nameserver entry in /etc/resolv.conf, your machine’s DNS queries will go to /etc/resolv.conf nameservers. So, there is no use of using dnsmasq. You have to make sure you are not creating entries in /etc/resolv.conf. If you are a home user, make sure you select ‘Automatic (DHCP) Address only’ in ‘Method’ drop-down list inside ‘ipv4 settings’ tab in NetworkManger.
You can check that you are getting response from dhsmasq with below commands,
$ dig ANY drunkenmonk.org ; <> DiG 9.9.1-P2 <> ANY drunkenmonk.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39480 ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;drunkenmonk.org. IN ANY ;; ANSWER SECTION: drunkenmonk.org. 0 IN CNAME bridge.mokka.drunkenmonk.org. bridge.mokka.drunkenmonk.org. 0 IN A 192.168.2.1 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Aug 6 00:15:16 2012 ;; MSG SIZE rcvd: 99
The line contains ‘SERVER:’ tell us that our DNS query is served by ’127.0.0.1′, means our local machine. Here is the command to verify MX record,
$ dig MX drunkenmonk.org ; <> DiG 9.9.1-P2 <> MX drunkenmonk.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14301 ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;drunkenmonk.org. IN MX ;; ANSWER SECTION: drunkenmonk.org. 0 IN MX 30 mail.drunkenmonk.org. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Aug 6 00:16:38 2012 ;; MSG SIZE rcvd: 71
If you are not introduced to Linux’s bridge interface, you may wonder what the hell is ‘br0′. Well , it is a virtual device in Linux which act like a physical network device (like eth0). I have particularly configured my dnsmasq to serve DHCP requests to whoever connect through my bridge interface. Howto use this ‘br0′ effectively to configure networking in my Qemu virtual machines is going to be my next article. Have a nice day!!