Linux利用dnsmasq实现dns转发

云平台不允许私搭公网dns，得确保自己搞了dns服务后，公网不能访问53端口才行，因此有必要一开始就在安全组限制公网53端口，只放行内网53端口，安全组参考下图

# yum install bind-utils dnsmasq -y

# dnsmasq -v

# cat /etc/logrotate.d/dnsmasq

/var/log/dnsmasq.log {

daily

copytruncate

missingok

rotate 30

compress

notifempty

dateext

size 200M

}

# cat /etc/resolv.conf

nameserver 127.0.0.1

# cat /etc/resolv.dnsmasq.conf

nameserver 180.76.76.76

nameserver 119.29.29.29

nameserver 114.114.114.114

nameserver 9.9.9.9

nameserver 8.8.8.8

# egrep -v "^ *#|^$" /etc/dnsmasq.conf

user=dnsmasq

group=dnsmasq

conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig

resolv-file=/etc/resolv.dnsmasq.conf

strict-order

addn-hosts=/etc/dnsmasq.hosts

cache-size=100

server=/google.com/9.9.9.9

server=/google.com/8.8.8.8

server=/tencentyun.com/100.121.190.140

server=/yd.qcloud.com/100.121.190.140

server=/tencentyun.com/100.121.190.141

server=/yd.qcloud.com/100.121.190.141

log-queries

log-facility=/var/log/dnsmasq.log

上面红色的内网DNS地址以这里为准

https://cloud.tencent.com/document/product/213/5225

现在大多数CVM都是VPC机器，VPC的默认内网DNS

183.60.83.19

183.60.82.98

修改默认内网DNS会导致内网域名解析出问题，影响云监控和云安全组件正常工作，还会影响Windows激活等涉及内网域名的服务。本方案旨在实现*.tencentyun.com和*.yd.qcloud.com走内网DNS解析，其他域名走公网公共DNS解析，这样就兼容了想修改默认DNS的用户需求。

https://cloud.tencent.com/document/product/296/12236

# dnsmasq --test

# service dnsmasq start

# systemctl enable dnsmasq

# netstat -tunlp|grep 53