If you’re looking to set up a DNS server for a home or small business network, a Raspberry Pi is a cheap, reliable and power-efficient option.
First, let’s take a look at what DNS servers are.
DNS stands for “Domain Name System”. A DNS server translates human-friendly domain names into IP addresses that computers can use.
That’s how you’re able to visit this website by typing in “deviceplus.com”, rather than our IP address of 184.108.40.206… who would even remember that?
Even better, if we move this website to a new server with a new IP address, we can just update our DNS record and nobody else has to be bothered by it.
Unless websites just don’t load for you, you’re using a DNS server already.
Your internet provider almost always lets you use theirs, and if you’re not happy with it, you can always use a public DNS server instead.
Here’s why you might want your own.
Fetching something from your local network will always be faster than pulling it from the internet. This can sometimes shave a few hundred milliseconds off a page’s loading time. This isn’t life changing, but it’s noticeable.
This really only works though if your local DNS server has the record already. Otherwise, it still has to fetch the record from the internet.
It’s wildly impractical to keep the entire DNS completely up to date on a local network. Instead, the server will cache these records until their “Time-To-Live” value (TTL) expires.
Most operating systems and web browsers will cache these same records on your computer too, so if it’s just one computer using your internet connection, having your own DNS server isn’t really adding anything.
It makes more sense when several people with multiple devices are on a local network and sharing an internet connection. Here, caching everything in the one place genuinely will reduce the number of requests that need to leave the network.
If there are some domains you want to block entirely, a DNS server is a really good and efficient place to do it. Some governments censor the web across their whole country in this way.
As a parent, you might want to stop your child from accessing particular websites in the same way. Be aware that this only works while they’re accessing the internet through that network, and it’s not beyond the ability of many children to circumvent this by configuring a different DNS server.
You might also want to block certain domains because you feel they’re intrusive or annoying.
There’s even a DNS server program for the Raspberry Pi called Pi-hole which blocks ad networks out of the box.
You can also give devices on your local network their own domain names, visible only to other local machines.
You can give names to printers, media centres, even fridges and coffee machines if they connect to your network.
This will save you from having to keep track of IP addresses for all your bits and pieces around your office or home.
Maybe you just want to better understand the DNS. That’s as good a reason as any.
If your Raspberry Pi DNS server has a dynamically assigned IP, it’s going to be a headache. Every so often, it will be assigned a different IP address and the other devices on the network will no longer connect to it.
That’s why you want to reserve an IP for this Raspberry Pi. You can do this by logging in to the dashboard of your router.
The exact set of steps from there will vary slightly depending on your device. If you get stuck, use a search engine to find the manual for your device.
Now that your device is nailed down on one IP, let’s install the software we’ll be using: Dnsmasq.
It’s best to start off with a fresh install of Raspberry Pi OS. You’ll likely want to change your default password and set up SSH access in raspi-config.
First, update your operating system by typing:
sudo apt update && sudo apt upgrade -y
Then install Dnsmasq.
sudo apt install dnsmasq -y
That’s it! You now have a DNS server.
You can start sending DNS requests to the Raspberry Pi and it will work, but the default settings need tweaking to be most useful. Open the configuration file by typing:
sudo nano /etc/dnsmasq.conf
This file is well annotated with useful comments, so feel free to have a good read and get to know it. There are a few sections to pay particular attention to.
Near the top of the configuration file, you’ll find lines that say “#domain-needed” and “#bogus-priv”.
Setting the domain-needed option stops the DNS server from forwarding queries for plain host names that have no domain part, while the bogus-priv option stops it from forwarding reverse lookups for private IP addresses.
On a corporate network, maybe you would want to look for these things on an upstream server. It makes no sense to look for them on the public internet though, so let’s use these options.
You can apply them by deleting the hash symbol at the beginning of the line.
Scroll down further and look for the line that says #no-resolv. Delete the hash character to apply this option. A few lines below this is a line that says #server=/localnet/192.168.0.1. Delete this line; we’ll enter our own settings.
I usually use Google’s DNS servers. It helps that they’re fast and reliable, but if I’m honest, it’s mostly because the IP addresses are super easy to remember.
The configuration for this is
If you’d rather not use a Google service, you can use your internet provider’s or another public DNS server, like Cloudflare.
Not much further down is a line that says “#address=/double-click.net/127.0.0.1”.
This syntax is also useful for assigning domains to devices on your local network. I generally use a .lan top level domain for this, though anything that’s not in use on the public internet will do.
Copy the syntax of this line. For me, that means putting my media and retro gaming rig on retropie.lan, like this:
Don’t forget to reserve these IP addresses for the correct device in your router as well.
You can also block particular domains here, by directing them to a private IP.
If you’re more interested in blocking ad servers, then lists can be found pretty easily online.
There’s also nothing to stop you from directing domains to a public IP. This can be useful to test a website migration before it goes live.
Be aware that these domains will only work for devices using this DNS server. If you want a domain name to show up on the public DNS, you will have to buy it.
By default, Dnsmasq will cache up to 150 records. Even very light web browsing can fill this up.
This cache is kept in memory, so in theory, if it gets too large, it can affect performance.
But we’re serving a small network here, memory is more plentiful now than when Dnsmasq was authored decades ago, and these records only use 100 bytes each. We can afford to throw a few megabytes at it.
Scroll down to where it says “#cache-size=150”. This will take a bit of scrolling. Delete the hash character at the front and set it to something much larger.
I just add a couple of zeroes to make it 15000, which is far more records than a DNS server for a small network will ever cache.
When you’re happy with your settings, save and exit, then restart the service by typing:
sudo systemctl restart dnsmasq
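As an added example (not part of the article and not Dnsmasq's own tooling), here is a small POSIX shell script that writes the settings discussed above into a separate file and sanity-checks it before you restart the service. On Raspberry Pi OS the Dnsmasq package also reads files in /etc/dnsmasq.d/, so the output can go there instead of being edited into /etc/dnsmasq.conf by hand. The upstream servers (Google’s 8.8.8.8 and 8.8.4.4), the .lan names, the 192.168.1.x addresses and the blocked domain are assumed values; replace them with the reservations you made in your router.

```shell
#!/bin/sh
# Added example, not from the article: write the dnsmasq settings discussed
# above to a file and sanity-check it. Typical use on the Pi:
#   sudo sh make-dnsmasq-conf.sh /etc/dnsmasq.d/local.conf && sudo systemctl restart dnsmasq
# Every address and name below is an assumed value; change them to match your network.

UPSTREAM_1=8.8.8.8      # Google Public DNS; use 1.1.1.1 for Cloudflare, or your ISP's resolver
UPSTREAM_2=8.8.4.4
CACHE_SIZE=15000        # the "add a couple of zeroes" value from the text
LOCAL_TLD=lan           # private top-level domain for LAN-only names

write_dnsmasq_conf() {
    # $1 = output file
    {
        echo "# Local DNS settings (generated)"
        echo "domain-needed"            # never forward plain names without a dot
        echo "bogus-priv"               # never forward reverse lookups for private ranges
        echo "no-resolv"                # ignore /etc/resolv.conf; use only the servers below
        echo "server=$UPSTREAM_1"
        echo "server=$UPSTREAM_2"
        echo "cache-size=$CACHE_SIZE"
        echo "# LAN-only names -> addresses reserved in the router (assumed values)"
        echo "address=/retropie.$LOCAL_TLD/192.168.1.50"
        echo "address=/printer.$LOCAL_TLD/192.168.1.51"
        echo "# Blocked domain, answered with loopback like the commented example in dnsmasq.conf"
        echo "address=/ads.example/127.0.0.1"
    } > "$1"
}

check_dnsmasq_conf() {
    # $1 = config file. Returns 0 if every required directive is present and,
    # when dnsmasq is installed, its own syntax check (dnsmasq --test) passes.
    for directive in domain-needed bogus-priv no-resolv 'server=' 'cache-size='; do
        grep -q "^$directive" "$1" || { echo "missing: $directive" >&2; return 1; }
    done
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test --conf-file="$1" || return 1
    fi
    return 0
}

# Only write a file when a path is given, so the functions can be sourced or tested safely.
if [ -n "$1" ]; then
    write_dnsmasq_conf "$1" && check_dnsmasq_conf "$1"
fi
```

Keep each option in one place only (either in dnsmasq.conf or in the drop-in file, not both), restart the service, and then confirm from another machine that the Pi answers for a local name, for example with dig @192.168.1.10 retropie.lan (or nslookup on Windows), substituting the Pi’s reserved address.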
Now that your DNS server is up and running, let’s start using it.
The easiest way to configure it as the default DNS server for your whole network is in your router.
Computers and devices can usually be configured individually in the settings or control panel too.
Don’t snooze on security here. A DNS server can be a juicy target for online criminals, who could use it to redirect you to malicious sites.
The fact that we’ve set this up to only be accessible from within your local network cuts a lot of that risk. Still, it’s a good idea to apply security updates automatically too.
There’s a handy package that does this for us, called unattended-upgrades. Let’s install it.
sudo apt install unattended-upgrades -y
The default configuration of this package in Raspberry Pi OS Buster is to apply security updates every day.
Don’t forget to change the default password as well, if you haven’t already! Requiring certificate-based authentication for SSH access is a great idea too.
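As an added example (not from the article), the shell functions below put the three hardening points above into files and check them: an sshd fragment that turns off password logins so SSH requires a key, the apt periodic settings that unattended-upgrades relies on, and a quick audit of a Dnsmasq config to see whether it explicitly limits which interfaces or clients it serves. The output paths are arguments so the functions can be exercised without root; the file names suggested in the comments are assumptions for a Debian-based Raspberry Pi OS.

```shell
#!/bin/sh
# Added example, not part of the article. Output files are passed as arguments.

write_sshd_keys_only() {
    # $1 = output file. On Raspberry Pi OS Buster (OpenSSH 7.9, no Include support)
    # append these lines to /etc/ssh/sshd_config; on Bullseye and later they can go
    # in /etc/ssh/sshd_config.d/keys-only.conf. Reload sshd afterwards, and test a new
    # key-based login in a second session before closing the one you are in.
    cat > "$1" <<'EOF'
# Require public-key authentication; no password or keyboard-interactive logins
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

write_apt_periodic() {
    # $1 = output file, normally /etc/apt/apt.conf.d/20auto-upgrades.
    # These two settings make apt refresh package lists and run unattended-upgrades daily.
    cat > "$1" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

check_sshd_keys_only() {
    # Returns 0 only if password logins are off and key logins are on in $1.
    grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1" &&
    grep -Eq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$1"
}

audit_dnsmasq_listen() {
    # $1 = dnsmasq config. Prints "restricted" if the file scopes the listener with
    # interface=, listen-address= or local-service, otherwise "unrestricted".
    # An explicitly scoped listener keeps the resolver from answering hosts outside the
    # LAN even if a port forward or a second network interface appears later.
    if grep -Eq '^[[:space:]]*(interface=|listen-address=|local-service)' "$1"; then
        echo restricted
    else
        echo unrestricted
    fi
}

# Stand-alone use: sh harden-pi-dns.sh <sshd-fragment> <apt-periodic-file> <dnsmasq.conf>
if [ "$#" -eq 3 ]; then
    write_sshd_keys_only "$1"
    write_apt_periodic "$2"
    echo "dnsmasq listener: $(audit_dnsmasq_listen "$3")"
fi
```

If the audit reports "unrestricted", adding interface=eth0 (with bind-interfaces) or local-service to the Dnsmasq configuration ties the resolver to the LAN itself rather than relying only on the router not forwarding port 53.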