Stop DNSMasq From Forwarding Local Hostnames

September 25, 2010

My ISP, and likely yours, has found it convenient to set up their DNS servers to resolve bogus hostnames to a valid address, hoping you're using a web browser so they can serve you junk. One way to solve this is to just use Google's DNS servers or some other DNS servers besides your ISP's. However, if you use DNSMasq (or dd-wrt), by default, when you ping "badhostname" it actually works even though that host does not exist. That's because DNSMasq decides it doesn't know who that host is, so it forwards the lookup to your ISP's DNS server, which answers with its own address instead of "no such host". This is extremely annoying and frankly a security risk when using things like ftp: a mistyped hostname silently connects you to the ISP's server instead of failing.

To get around it, make sure your dnsmasq.conf contains the following alongside the rest of your config:

# Never forward plain names (without a dot or domain part)
domain-needed
 
# Never forward addresses in the non-routed address spaces.
bogus-priv
 
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
local=/local.lan/

In dd-wrt, add these lines to the "Additional DNSMasq Options" box.
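To see what each of the three directives actually changes, here is a small model of dnsmasq's forwarding decision. This is an added example, not dnsmasq's own code: it parses just the three options above and reproduces their documented behaviour (plain names refused, private reverse lookups refused, local-only domains answered from hosts/DHCP or not at all). The hosts table, the query names and the resolve/forwarded function names are constructed for the example; real dnsmasq consults /etc/hosts and its lease file instead.

```python
"""Model of how dnsmasq decides whether a query is answered locally,
refused with NXDOMAIN, or forwarded to the ISP. Added example; the
decision rules follow the dnsmasq man page for the three directives
in the post, but this is not dnsmasq code."""
import ipaddress

# Constructed sample of what /etc/hosts and the DHCP lease table know.
LOCAL_NAMES = {
    "router.local.lan": "192.168.1.1",
    "printer.local.lan": "192.168.1.20",
    "printer": "192.168.1.20",   # plain hostname learned from a DHCP lease
}


def parse_conf(text):
    """Parse the subset of dnsmasq.conf used here: bare flags and local=/dom/."""
    conf = {"domain-needed": False, "bogus-priv": False, "local": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in ("domain-needed", "bogus-priv") and not value:
            conf[key] = True
        elif key == "local":
            # local=/a.lan/b.lan/ lists one or more domains between slashes
            conf["local"] += [d.lower() for d in value.strip().split("/") if d]
    return conf


def is_private_ptr(qname):
    """True for reverse lookups of RFC 1918, loopback or link-local addresses."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return False
    octets = qname[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return False   # not a full IPv4 reverse name; out of scope here
    addr = ipaddress.ip_address(".".join(reversed(octets)))
    return addr.is_private or addr.is_loopback or addr.is_link_local


def resolve(qname, conf, hosts=LOCAL_NAMES):
    """Return (action, answer) with action in {'local', 'nxdomain', 'forward'}."""
    name = qname.rstrip(".").lower()
    # Forward and reverse entries known locally are always answered locally.
    reverse = {ipaddress.ip_address(ip).reverse_pointer: host
               for host, ip in hosts.items()}
    if name in hosts:
        return "local", hosts[name]
    if name in reverse:
        return "local", reverse[name]
    # bogus-priv: never ask the ISP who a private address belongs to.
    if conf["bogus-priv"] and is_private_ptr(name):
        return "nxdomain", None
    # local=/dom/: names under a local-only domain come from hosts/DHCP or nowhere.
    if any(name == d or name.endswith("." + d) for d in conf["local"]):
        return "nxdomain", None
    # domain-needed: a plain name the router doesn't know is "not found",
    # rather than something the ISP can invent an address for.
    if conf["domain-needed"] and "." not in name:
        return "nxdomain", None
    return "forward", None


def forwarded(names, conf):
    """Subset of `names` that would still be sent upstream under `conf`."""
    return [n for n in names if resolve(n, conf)[0] == "forward"]


if __name__ == "__main__":
    hardened = parse_conf("domain-needed\nbogus-priv\nlocal=/local.lan/\n")
    default = parse_conf("")
    queries = ["badhostname", "printer", "nas.local.lan",
               "1.1.168.192.in-addr.arpa", "50.1.168.192.in-addr.arpa",
               "example.com"]
    for q in queries:
        print(f"{q:28} default={resolve(q, default)[0]:8} "
              f"hardened={resolve(q, hardened)[0]}")
```

Run as a script it prints, for each constructed query, what happens with an empty config versus the three directives; only "example.com" and the public reverse lookup are still forwarded once the hardening is in place, so a typo like "badhostname" can no longer be turned into an ad page by the ISP.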

1 Comment

Comment January 8, 2012 by Andrew
This kills my router and no websites work; it seems to be because of the domain-needed line.