Set up DNS, DHCP and Content Filtering using DNSMASQ and HAVP in Ubuntu.

The idea here is to set up DNSMASQ and HAVP to provide DNS, DHCP and content filtering for Windows 7/Vista/XP clients from an Ubuntu Server Edition machine. DNSMASQ is a lightweight package which provides DNS caching and DHCP to a network (amongst other things). HAVP is a proxy server which uses a third-party virus scanner (usually ClamAV) to scan web content for viruses. This assumes that you already have Ubuntu Server Edition installed on a suitable machine and have a working internet connection. In the settings below, “192.168.1.254” refers to this machine, which is acting as a router/firewall; you could equally set it to the IP of another router on the network. “192.168.1.253” refers to the IP of a Windows server (the Active Directory domain controller referred to later). First off, install DNSMASQ:-

apt-get install dnsmasq

Edit “/etc/dnsmasq.conf”:-

nano -w /etc/dnsmasq.conf

We now need to set the relevant options:-

no-resolv

This should be set; it stops DNSMASQ from reading /etc/resolv.conf for upstream DNS server addresses. I have found with transient internet links such as ISDN and DSL that DNSMASQ doesn’t always pick up changes in /etc/resolv.conf, so it is a good idea to use this option and set your DNS servers statically.

server=208.67.222.222
server=208.67.220.220

We are using OpenDNS’s servers here to provide site filtering and some protection from nasties. You can customise how OpenDNS filters traffic by signing up with them and registering your IP (or setting up a dynamic hostname if your address changes). http://www.opendns.com/start/

server=/win2k.local/192.168.1.253
server=/1.168.192.in-addr.arpa/192.168.1.253

If you have an Active Directory domain within your network you need to tell DNSMASQ to forward requests for the Active Directory domain to the Windows server IP; the second line does the same for reverse (in-addr.arpa) lookups of the 192.168.1.0/24 range. If you don’t, you will find you cannot add Windows XP machines to the domain, and other DNS-dependent services such as SQL will fail.

interface=eth0

Tells DNSMASQ which interface to listen on. If you do not set this, DNSMASQ will listen on all available interfaces. Usually your LAN interface will be “eth0”, unless you have an unusual setup such as bridging, in which case it will be “br0”.

domain=mydomain.com

Gives DNSMASQ a domain name to use in DHCP; your DHCP clients will then get fully qualified domain names based on this domain and you will be able to resolve and ping them, for instance “ping mycomputer.mydomain.com”.

dhcp-range=192.168.1.50,192.168.1.100,7d

Sets the range of IP addresses for DNSMASQ to hand out via DHCP, and the lease time (7 days here). I find setting a long lease time is a good way to minimise DHCP traffic and reduce log noise. This range has to be in the same network as the IP of the “listening” interface.

dhcp-option=3,192.168.1.254

Sets the router/default gateway for your DHCP clients. Presumably this will be the IP of your Ubuntu box, although it could also be the address of some other router. If this option isn’t set, DNSMASQ will use the primary address of the DNSMASQ machine. Still, I think it is a good idea to set this explicitly so you can’t blame DNSMASQ if it sends out the wrong address.
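The two requirements above (the DHCP range must sit in the listening interface’s network, and the router handed out with option 3 should too) are easy to get wrong when an address is retyped. The following POSIX shell script is an added example, not code from the original article or from the dnsmasq project: it reads a dnsmasq.conf, pulls out dhcp-range and dhcp-option=3, and checks each address against the interface address and prefix you pass in. The interface address 192.168.1.254/24 and the sample config are assumed from the article’s values.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check a dnsmasq.conf
# before restarting the service. dnsmasq needs the dhcp-range and the router
# handed out with dhcp-option=3 to lie in the subnet of the listening
# interface; this script checks exactly that. The interface address and prefix
# are passed in (192.168.1.254/24 below is assumed from the article), so the
# check also runs on a machine that has no eth0.

# Dotted-quad IPv4 address -> integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeeds when $1 and $2 are in the same /$3 network.
same_subnet() {
    _a=$(ip_to_int "$1")
    _b=$(ip_to_int "$2")
    _mask=$(( ((1 << $3) - 1) << (32 - $3) ))
    [ $(( _a & _mask )) -eq $(( _b & _mask )) ]
}

# First uncommented value following prefix $2 (e.g. "dhcp-range=") in file $1.
conf_value() {
    sed -n "s/^[[:space:]]*$2//p" "$1" | head -n 1
}

# Check the dhcp-range start/end and the option-3 router against the
# interface address $2/$3. Prints each problem; the return value is the
# number of problems found (0 means the config is consistent).
check_dhcp_conf() {
    _conf=$1; _ifaddr=$2; _prefix=$3; _bad=0
    _range=$(conf_value "$_conf" 'dhcp-range=')
    if [ -z "$_range" ]; then
        echo "no dhcp-range set in $_conf"
        return 1
    fi
    _start=${_range%%,*}
    _rest=${_range#*,}
    _end=${_rest%%,*}
    _router=$(conf_value "$_conf" 'dhcp-option=3,')
    for _addr in "$_start" "$_end" ${_router:+"$_router"}; do
        if ! same_subnet "$_addr" "$_ifaddr" "$_prefix"; then
            echo "$_addr is not in the interface network $_ifaddr/$_prefix"
            _bad=$(( _bad + 1 ))
        fi
    done
    return $_bad
}

# Constructed sample config mirroring the article's values, so the demo
# runs offline; on a real box point check_dhcp_conf at /etc/dnsmasq.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
no-resolv
interface=eth0
domain=mydomain.com
dhcp-range=192.168.1.50,192.168.1.100,7d
dhcp-option=3,192.168.1.254
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
if check_dhcp_conf "$sample" 192.168.1.254 24; then
    echo "dhcp settings are consistent with 192.168.1.254/24"
fi
rm -f "$sample"
```

On the server itself, run it as `check_dhcp_conf /etc/dnsmasq.conf <eth0 address> 24` and pair it with `dnsmasq --test`, which syntax-checks the file without starting the daemon; the two together catch most of the mistakes that otherwise only show up as a refusal to serve leases in syslog.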

# The following DHCP options set up dnsmasq in the same way as is specified
# for the ISC dhcpcd in
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment some or all of them if you use
# Windows clients and Samba.
#dhcp-option=19,0           # option ip-forwarding off
#dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
#dhcp-option=45,0.0.0.0     # netbios datagram distribution server
#dhcp-option=46,8           # netbios node type
dhcp-option=19,0
dhcp-option=44,192.168.1.253
dhcp-option=45,192.168.1.253
dhcp-option=46,8

These options are for interoperation with Samba and Windows servers. I’m assuming here that there is another machine on the network acting as a WINS/datagram server; it could be running Samba or Windows Server. You could equally be running Samba on this machine, in which case either leave options 45 and 46 defined as “0.0.0.0” or specify the IP of this machine. Both will have the same effect.

Option 46 sets the NETBIOS node type you want your clients to have; “0x8” is “hybrid”, meaning your clients will first try the WINS server to resolve a NETBIOS name and then broadcast if the WINS server can’t resolve it. This helps to keep broadcast traffic on the network to a minimum.

dhcp-option=vendor:MSFT,2,1i

Tells Microsoft clients to release their DHCP lease when they shut down. According to the config file, Microsoft wants this; it is also handy because you can tell which clients are up just by looking at “/var/lib/misc/dnsmasq.leases”. You can then start DNSMASQ by issuing:-

service dnsmasq restart

Check syslog for errors by typing:-

tail -f /var/log/syslog
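Since the vendor option above makes Windows clients hand their lease back at shutdown, an unexpired entry in the lease file is a reasonable “this client is up” signal. The script below is an added example, not from the original article or the dnsmasq project; it reads the lease file, whose lines have the form `<expiry epoch> <MAC> <IP> <hostname> <client-id>` (expiry 0 for an infinite lease), and lists active clients, counts them, and flags leases whose client sent no hostname. The sample lease file and its MAC addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article: list the clients dnsmasq
# currently holds an unexpired lease for, from /var/lib/misc/dnsmasq.leases.
# Each line is "<expiry-epoch> <mac> <ip> <hostname> <client-id>"; an expiry
# of 0 is an infinite lease. The file path and "now" are parameters so the
# functions can be exercised against a constructed sample offline.

LEASE_FILE=${LEASE_FILE:-/var/lib/misc/dnsmasq.leases}

# Print "ip hostname mac hours-left" for every lease still valid at epoch $2.
active_leases() {
    awk -v now="$2" '
        NF >= 4 && ($1 == 0 || $1 > now) {
            left = ($1 == 0) ? "inf" : sprintf("%.1f", ($1 - now) / 3600)
            printf "%-15s %-20s %s %sh\n", $3, $4, $2, left
        }' "$1"
}

# Number of active leases: a quick "how many clients are up".
active_count() {
    active_leases "$1" "$2" | wc -l | tr -d ' '
}

# Active leases whose client sent no hostname (dnsmasq records "*"). On a
# network where every Windows box should register a name, these are worth
# a second look.
unnamed_leases() {
    awk -v now="$2" 'NF >= 4 && ($1 == 0 || $1 > now) && $4 == "*" { print $3, $2 }' "$1"
}

# Constructed sample lease file (made-up MAC addresses; expiry values chosen
# around now=1700000000: one current, one expired, one unnamed, one infinite).
write_sample_leases() {
    cat > "$1" <<'EOF'
1700600000 00:11:22:33:44:01 192.168.1.50 pc-sales 01:00:11:22:33:44:01
1699990000 00:11:22:33:44:02 192.168.1.51 pc-old 01:00:11:22:33:44:02
1700300000 00:11:22:33:44:03 192.168.1.52 * 01:00:11:22:33:44:03
0 00:11:22:33:44:04 192.168.1.53 printer 01:00:11:22:33:44:04
EOF
}

sample=$(mktemp)
write_sample_leases "$sample"
echo "Active leases at epoch 1700000000:"
active_leases "$sample" 1700000000
echo "Unnamed clients:"
unnamed_leases "$sample" 1700000000
rm -f "$sample"
```

On the live server call `active_leases "$LEASE_FILE" "$(date +%s)"`; a client that is still listed long after it was switched off is a hint that the vendor option was not applied (a non-Microsoft client, or a machine that lost power rather than shutting down cleanly).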

Now to install and configure HAVP:-

apt-get install havp

Edit the HAVP config file:-

nano /etc/havp/havp.config

Uncomment and change the “TRANSPARENT” option to read:-

TRANSPARENT true

Then start HAVP:-

service havp restart

Finally, tell the firewall to redirect traffic on port 80 to HAVP on the Ubuntu server so that HAVP scans web traffic for viruses. REDIRECT is a target of the nat table, so the rule goes in the nat table’s PREROUTING chain. With iptables running on the same machine this would be done like so:-

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

This would also need to be added to the firewall rules file (in iptables-restore format, i.e. under the *nat section and without the leading “iptables”) so that the configuration is restored when the server restarts.
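Putting the redirect into an iptables-restore file is where the table placement matters: a REDIRECT rule written into the *filter section is rejected at load time, which is exactly the failure a rule typed without `-t nat` produces. The script below is an added example, not from the original article: it writes the nat section with the redirect and lints the file before loading. The LAN prefix 192.168.1.0/24, the interface eth0 and the HAVP port 8080 are assumed from the article; the RETURN rule that leaves LAN-to-LAN port 80 traffic alone (so requests to the Windows server or other internal web servers are not bounced through the proxy) is an addition of mine, and the rules file path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original article: write the transparent
# redirect as an iptables-restore rules file and lint it before loading.
# REDIRECT only exists in the nat table, so the rule must sit under "*nat";
# the lint flags a REDIRECT placed in any other table and a table that is
# not closed with COMMIT. Interface, LAN prefix and HAVP port are assumed
# from the article; the LAN exemption rule is an assumed addition.

RULES_FILE=${RULES_FILE:-${TMPDIR:-/tmp}/havp-redirect.rules}  # path assumed
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
HAVP_PORT=${HAVP_PORT:-8080}

# Write the nat table fragment in iptables-restore format to file $1.
write_rules() {
    cat > "$1" <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# leave web traffic to hosts on the LAN itself alone (assumed exemption)
-A PREROUTING -i $LAN_IF -p tcp -d $LAN_NET --dport 80 -j RETURN
# send everything else bound for port 80 through HAVP on this machine
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port $HAVP_PORT
COMMIT
EOF
}

# Lint file $1: every "*table" must be closed by COMMIT, and every
# "-j REDIRECT" must be inside the nat table. Prints the first problem and
# returns 1 on failure, 0 when the file is consistent.
lint_rules() {
    awk '
        function fail(msg) { print msg; bad = 1; exit 1 }
        /^\*/     { if (table != "") fail("table " table " not closed with COMMIT")
                    table = substr($0, 2); next }
        /^COMMIT/ { if (table == "") fail("COMMIT outside a table")
                    table = ""; next }
        /-j REDIRECT/ { if (table != "nat") fail("REDIRECT outside the nat table: " $0) }
        END { if (!bad && table != "") fail("table " table " not closed with COMMIT") }
    ' "$1"
}

write_rules "$RULES_FILE"
if lint_rules "$RULES_FILE"; then
    echo "$RULES_FILE is consistent; load it with: iptables-restore < $RULES_FILE"
fi
```

The rules only touch PREROUTING, so HAVP’s own outbound connections to the internet (which leave via the OUTPUT chain) are not looped back into the proxy.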


6 Comments

  1. I know this article is one year old, but you don’t describe properly why you use .253 and then .254; after reading back a few times I realised you meant that you had a domain controller on .253 and your gateway Ubuntu box was .254. Perhaps you should make that obvious.

    Also, you don’t describe why you are adding dhcp-option 47; however, looking at dnsmasq --help dhcp, I found option 47 means “netbios-scope”, although I’m not sure why you need that option.

    Could be good to correct those little mistakes; otherwise, it was great!! Thanks!

    1. Many thanks for your feedback. The article is actually at least 3 years old to my knowledge, despite me having changed the date ;). I can understand why you would want those things explained. I will update it when I get the chance.

      I didn’t realise I had defined NETBIOS scope, and there was certainly no intention to, that is probably a default setting. I will see if Dnsmasq can live without it.

      If there are any other articles which require expansion, please let me know.

    2. And then again I look at my dnsmasq.conf and option 47 isn’t even there, sheesh! Please file option 47 under safely ignore.

  2. Also, I found a bug with havp: when you do “sudo service havp start” it complains “etc/init.d/havp: 128: +: not found”.

    The reason is that the file /etc/init.d/havp has a bug; I found the details here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628612

    What you need to do is open /etc/init.d/havp, find the two lines that begin with “+” and delete the “+” character. You can find the patch to the file here: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=initd_corrected.patch;att=1;bug=628612

    What it does is the same, so if you want to manually edit the script and then try to restart it, it’ll work as it just did for me.

    1. Thanks for that.

      Might leave that one in the comments in the hope that the package maintainers sort it out sooner rather than later.
