Concurrent Dnsmasq and Named

Named and bind9 are a good way to provide DNS service to a port open to the wider internet (WAN). Dnsmasq provides a much easier and more orderly way to support a smaller local network (LAN), since it allows names to be tied to HW-NIC ids, and is very easy to configure

DNS name services are usually provided via UDP port 53. The difficulty with running named on one interface (the one connected to the internet) and dnsmasq connected to another (the one connected to the local network) is that port 53 is tied to a system wide socket ,and cannot be shared.

One way to allow concurrent name servers is to use different ports. The major disadvantage of simply doing this is that port 53 is the standard, and every pc using name service must be reconfigured to any non standard port.

Ideally the dns service on the internet (wan) port should be served by bind on port 53, and any local interfaces should be served by dnsmasq, also via port 53.
The method that worked for me was to restrict bind service to the external interfaces only by putting a "listen-on: option line in /etc/bind/named.conf.options. E.G. :

listen-on { ip1;ip2; };

where ip1 and ip2 are any ip addresses via which external DNS is to be offered to the WAN. It is not possible to directly specify an interface or NIC.

Next put the line:


in /etc/dnsmasq.conf to allow dnsmasq to have its own socket, and then use iptables to remap this socket back to port 53 on the net interface (NIC) for the local network using iptables.
Only the UDP packets need remapping, but remapping both TCP and UDP makes sense. The following lines included in the iptables firewall script do this:

INTIF="eth0" # interface to localnet
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 53 -j REDIRECT --to-port 5353
$IPTABLES -t nat -A PREROUTING -i $INTIF -p udp --dport 53 -j REDIRECT --to-port 5353

Once these changes are made it is necessary to run the firewall script, and restart bind and dnsmasq:

/etc/init.d/bind9 restart
/etc/init.d/dnsmasq restart

Nmap can be used to verify that the remapping is correct for both UDP and TCP packets.