noted from https://wiki.debian.org/HowTo/dnsmasq
Basic DNS setup
apt-get update
apt-get install dnsmasq
If your goal was to set up a simple DNS server, you just succeeded.
Now, if you want to add some names for your DNS server to resolve for your clients, simply add them to your /etc/hosts
file.
Choosing your Interfaces
One you will probably want to do is tell dnsmasq which ethernet interface it can and cannot listen on, as we really don't want it listening on the internet. Around line 69 of the /etc/dnsmasq.conf file, you will see:
#interface=
Uncomment the line and specify which ethernet interface(s) you want it server IPs to. For example, if I want it to listen on eth1 (my DMZ) and eth2 (my local network), then it should look like:
interface=eth1
interface=eth2
Basic DHCP Setup
By default, DHCP is turned off. This is a good thing, as you could bring down whatever network you are connected to if you are not careful.
To enable it, there is at least one line will need to edit in the /etc/dnsmasq.conf file. Around line 143, you will see:
#dhcp-range=192.168.0.50,192.168.0.150,12h
To enable the DHCP server, you will need to give it a range of IP addresses to hand out. In the example above, this server would hand out 101 address starting at 192.168.0.50 and ending at 192.168.0.150. The last number is how long the DHCP leases are good for. In this example, they would be good for twelve hours.
Since I have two different networks that need DHCP, I'm going to change that line to:
dhcp-range=eth1,192.168.100.100,192.168.100.199,4h
dhcp-range=eth2,192.168.200.100,192.168.200.199,4h
Notice the "eth1" and "eth2" labels in the lines above? The aren't necessary, but definately help once you start playing with more advanced configurations. It also helps me remember which range is which. Now restart your dnsmasq server, connect up a few clients, and see if they autoconfigure themselves:
/etc/init.d/dnsmasq restart
dnsmasq with dnscrypt-proxy
dnsmasq combined with dnscrypt-proxy provide caching, encryption and server-side authentication. Useful to protect a laptop from potentially hostile networks.
apt-get install dnsmasq dnscrypt-proxy
## Configure /etc/resolv.conf to use dnsmasq
nameserver 127.0.0.1
## Configure /etc/dnsmasq.conf
# ignore resolv.conf
no-resolv
# Listen only on localhost
listen-address=127.0.0.1
# dnscrypt is on port 40
server=127.0.0.1#40
## Configure /etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket with the following 5 lines if you are using systemd
[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40
## restart both daemons