Using dnsmasq on Ubuntu or Mint
This article was updated in early 2025; the whole bit about how to disable systemd-resolved has been rewritten.
For most usual uses, the DNS setup in Ubuntu or Mint works just fine and no special configuration is needed. Some of us use Ubuntu or Mint to do work stuff, where you may need to access some internal resources by name instead of trying to remember a whole bunch of IP addresses. This article is for us.
As I run Mint (let’s not get over-excited about Ubuntu versus Mint, I prefer Flatpak, you may prefer Snap, it doesn’t really matter) as my daily driver, I find myself looking for little tricks to make life a bit simpler. This is one I implemented today.
Imagine you connect to a VPN or a work LAN and need to access stuff on an internal DNS domain called work.local, like fileserver.work.local, and the DNS servers for that domain sit at 192.168.1.1 and 192.168.1.2. The simplest way to do this is to use the ability of dnsmasq to direct queries for certain domains to a different DNS server.
Getting dnsmasq installed and configured
Ubuntu and Mint use systemd-resolved for DNS stuff by default, so the first thing we need to do is disable it so you can change to using dnsmasq instead. To stop using systemd-resolved, you will need to create a file named /etc/systemd/resolved.conf.d/noresolved.conf with the following contents:
[Resolve]
DNSStubListener=no
Then run:
If you were to try to reach stuff on the Internet now, you would fail because the default /etc/resolv.conf points to systemd-resolved, so first we need to get rid of this and temporarily point to a public DNS server like 1.1.1.1, like this:
Now your system will use the Cloudflare public DNS to resolve stuff, so you can go ahead and install dnsmasq:
Once that’s installed, edit /etc/dnsmasq.conf (sudo vi /etc/dnsmasq.conf) and insert this at the top of the file:
port=53
server=1.1.1.1
Obviously, if you don’t want to use 1.1.1.1, you can use other DNS servers (like 8.8.8.8) too.
Now you can enable (well, I do to be sure, even though it is usually enabled by default) and start dnsmasq:
Finally, let’s fix /etc/resolv.conf to use dnsmasq. At the very least, it should look like this, but you may want to add stuff like search as well:
nameserver 127.0.0.1
Adding your custom domains
Now that dnsmasq is installed, you can add your custom forwarders. Based on the example above, your /etc/dnsmasq.conf should look something like this:
port=53
clear-on-reload # I put this in so the dnsmasq cache is cleared if I reload
server=/work.local/192.168.1.1 # work.local has DNS at 192.168.1.1
server=/work.local/192.168.1.2 # work.local also has DNS at 192.168.1.2
server=1.1.1.1 # DNS server for everything else
Remember to restart dnsmasq after editing the configuration file:
And that should be it. So long as your machine is able to see 192.168.1.1 and 192.168.1.2, you can resolve work.local stuff with DNS.
As an aside, I use this trick on the WireGuard-based VPN I run for my day job. The WireGuard client sets the system DNS server to a dnsmasq server on the VPN when it connects. Of course, we have 7 different internal domains with 3 DNS servers each, so I have quite a number of server= lines on that dnsmasq server.
Some other tricks
Say you find that there’s a domain (let’s call them example.com) you don’t want to resolve. You can add this line to make your machine think that anything in the example.com domain resolves to localhost:
address=/example.com/127.0.0.1
Note about this: In newer versions of dnsmasq, queries for other record types, like TXT records, will still be sent to your upstream DNS server. To avoid that, add this below the line above:
local=/example.com/
The dnsmasq manual page (man dnsmasq) has several more tricks you can play with. Interesting to me are things like alias, bogus-nxdomain and ignore-address.
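To check where each query ends up under the server=, address= and local= lines described above, here is an added example (not code from the original article): a simplified Python model of dnsmasq's most-specific-domain matching. Treating address= as answering only A queries follows the note above about newer versions, and the name wiki.corp.internal used in the note after the code is made up.

```python
import re

# Constructed sample: the article's forwarders plus its example.com lines.
SAMPLE_CONF = """\
server=/work.local/192.168.1.1 # work.local has DNS at 192.168.1.1
server=/work.local/192.168.1.2
server=1.1.1.1 # DNS server for everything else
address=/example.com/127.0.0.1
local=/example.com/
"""

def parse(conf):
    """Collect server=, local= and address= rules, keyed by domain."""
    rules = {"forward": {}, "local": set(), "address": {}, "default": []}
    for raw in conf.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()  # drop comments
        key, _, value = line.partition("=")
        if key == "server" and value and not value.startswith("/"):
            rules["default"].append(value)  # catch-all upstream
        elif key in ("server", "local", "address") and value.startswith("/"):
            *domains, target = value.split("/")[1:]
            for dom in (d.lower() for d in domains):
                if key == "address":
                    rules["address"][dom] = target
                elif target:  # server=/domain/ip
                    rules["forward"].setdefault(dom, []).append(target)
                else:  # local=/domain/ : never forwarded
                    rules["local"].add(dom)
    return rules

def _best(name, domains):
    """Most specific configured domain that covers name, or None."""
    hits = [d for d in domains if name == d or name.endswith("." + d)]
    return max(hits, key=len, default=None)

def route(rules, name, qtype="A"):
    """Simplified model of what happens to a query for name/qtype."""
    name = name.rstrip(".").lower()
    sink = _best(name, rules["address"])
    scoped = _best(name, set(rules["forward"]) | rules["local"])
    if sink and qtype == "A" and len(sink) >= len(scoped or ""):
        return ("answer", [rules["address"][sink]])
    if scoped in rules["forward"]:
        return ("forward", rules["forward"][scoped])
    return ("local-only", []) if scoped else ("forward", rules["default"])

def leaks(rules, names):
    """Names that would go to the catch-all (public) upstream."""
    return [n for n in names if route(rules, n) == ("forward", rules["default"])]
```

Calling leaks(parse(open("/etc/dnsmasq.conf").read()), ["fileserver.work.local", "wiki.corp.internal"]) lists the internal names that have no server= line of their own and would therefore be sent to the public resolver.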