Local network tool that transparently redirects all X/Twitter traffic to xcancel.com, allowing you to browse Twitter content without directly accessing X's servers.
Advanced features, performance tuning, and security considerations for dnsmasq.
For basic setup: See DNSMASQ_SETUP.md for installation, configuration, client setup, verification, and basic troubleshooting.
Configure multiple upstream DNS servers for redundancy and failover:
Edit dnsmasq/dnsmasq.conf:
# Primary upstream DNS servers
server=1.1.1.1
server=1.0.0.1
# Secondary upstream (fallback)
server=8.8.8.8
server=8.8.4.4
How it works: dnsmasq forwards each query to one of the listed servers and switches to another when that one fails or times out. Add strict-order to try them strictly in the order listed, or all-servers to send every query to all of them at once and use the first reply.
Recommended combinations:
- 1.1.1.1, 8.8.8.8 (fast, reliable)
- 9.9.9.9, 1.1.1.1 (security + privacy)
- 192.168.1.1, 1.1.1.1 (local + fallback)

Route specific domains to specific DNS servers:
# Use ISP DNS for local domains
server=/local.domain/192.168.1.1
# Use corporate DNS for company domains
server=/company.com/10.0.0.1
server=/internal.corp/10.0.0.1
# Use specific DNS for certain TLDs
server=/cn/223.5.5.5
Use cases:
dnsmasq can also function as a DHCP server to automatically assign IPs and DNS settings to devices.
Warning: Running DHCP alongside your router’s DHCP will cause conflicts. Only use if:
Basic DHCP configuration (add to dnsmasq.conf):
# Enable DHCP
dhcp-range=192.168.1.100,192.168.1.200,12h
# Gateway (your router)
dhcp-option=option:router,192.168.1.1
# DNS servers (dnsmasq itself)
dhcp-option=option:dns-server,192.168.1.101
# Domain name
dhcp-option=option:domain-name,home.local
# Static leases for specific devices
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.1.150,laptop
This is advanced - see dnsmasq documentation for full DHCP features.
Add custom DNS entries beyond the Twitter/X redirect:
# Redirect additional domains
address=/example.com/192.168.1.200
address=/anothersite.com/192.168.1.201
# Host records (A records)
host-record=server.local,192.168.1.50
host-record=nas.home,192.168.1.60
# CNAME records (aliases)
cname=media.home,nas.home
cname=files.home,nas.home
# MX records (mail servers)
mx-host=example.com,mail.example.com,10
# SRV records (service discovery)
srv-host=_http._tcp.example.com,server.local,80,10,10
# TXT records
txt-record=example.com,"v=spf1 mx ~all"
Use cases:
Block entire domains and subdomains:
# Block all of facebook.com
address=/facebook.com/
# Block specific subdomain
address=/ads.example.com/
Empty address means “return NXDOMAIN” (domain doesn’t exist).
Enable DNSSEC for additional security:
# In dnsmasq.conf
dnssec
# Root zone trust anchors. Key tag 19036 (KSK-2010) was retired in the 2018
# root KSK rollover; validating against the current root needs KSK-2017
# (key tag 20326). dnsmasq accepts several trust-anchor lines.
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec-check-unsigned
Warning: Can break some domains if misconfigured. dnsmasq refuses to start when dnssec is set without any trust-anchor, and validation also depends on the container clock being correct, since signatures carry validity dates.
Configure IPv6 DNS if you have IPv6 on your network:
# Send IPv6 router advertisements (only meaningful together with an IPv6 dhcp-range, below)
enable-ra
# IPv6 upstream DNS
server=2606:4700:4700::1111
server=2606:4700:4700::1001
# IPv6 DHCP range
dhcp-range=::100,::1ff,constructor:eth0,12h
# Override for the redirected domain (an IPv4 target is sufficient)
address=/twitter.com/192.168.1.100
# Note: address= answers every query for the domain locally and never forwards
# it upstream, so clients do not learn X's real AAAA records either. No separate
# IPv6 override is needed unless the redirect itself should be reachable over IPv6.
Increase DNS cache size for better performance:
# In dnsmasq.conf
# Default: 150
cache-size=10000
Recommendations:
Recommendations: 1000, 5000, 10000+

Memory usage: ~1KB per cached entry, so 10000 entries ≈ 10MB RAM
Cache “domain doesn’t exist” responses to reduce upstream queries:
# In dnsmasq.conf
# Cache NXDOMAIN for 1 hour
neg-ttl=3600
Benefits: Reduces repeated queries for typos or non-existent domains.
Control maximum cache time:
# In dnsmasq.conf
# Maximum TTL (time-to-live) in seconds
max-cache-ttl=3600
Default: Uses TTL from authoritative server
Lower value: More frequent upstream queries, more up-to-date
Higher value: Fewer queries, staler data
Limit queries per client to prevent abuse:
# In dnsmasq.conf
# dnsmasq has no per-client query rate-limit directive: an unrecognised option
# such as dns-rate-limit=100/s makes it refuse to start with "bad option".
# Cap the number of in-flight forwarded queries instead (dns-forward-max, below)
# and enforce per-source limits at the firewall in front of port 53
# (e.g. the iptables hashlimit match).
Prevents: runaway clients, and limits how useful the resolver is as a DNS amplification reflector
Handle multiple queries concurrently:
# In dnsmasq.conf
# Allow up to 150 concurrent queries
dns-forward-max=150
Default: 150
Increase if you see “maximum number of concurrent DNS queries reached” in logs.
Control logging verbosity:
# In dnsmasq.conf
# Log queries (verbose)
log-queries
# Log DHCP activity
log-dhcp
# Log async DNS
log-async
# Log to specific file
log-facility=/var/log/dnsmasq.log
Production: Disable log-queries to reduce I/O and log size.
Debugging: Enable temporarily, then disable.
dnsmasq is exposed to your entire LAN. Risks:
Internal threats:
Mitigation:
If accidentally exposed to the internet, dnsmasq could be abused as a reflector in DNS amplification DDoS attacks.
Prevention:
Verify not exposed:
# From outside your network
dig @YOUR_PUBLIC_IP twitter.com
# Should time out or be filtered by the firewall
Attackers could attempt to poison DNS cache with false responses.
Mitigation:
DNS queries reveal browsing history.
Query logs contain:
Best practices:
- Do not leave log-queries enabled in production

Query logs grow quickly and contain sensitive data:
Recommendations:
```
# Linux logrotate example
/var/log/dnsmasq.log {
    daily
    missingok
    rotate 7
    compress
    notifempty
}
```
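The security considerations above (DHCP alongside the router, DNSSEC without a trust anchor, log-queries left on, dnsmasq listening everywhere) can be checked mechanically before a config is deployed. The following linter is an added example and not part of the xcancel project; it parses dnsmasq's key[=value] line format and applies exactly those four checks. The two sample configurations are constructed for the demonstration.

```python
"""Lint a dnsmasq.conf for the security considerations discussed on this page.

Added example, not part of the xcancel project. Checks performed:
  - log-queries enabled (query logs are browsing history)
  - dnssec without any trust-anchor (dnsmasq refuses to start)
  - dhcp-range present (competes with the router's DHCP server)
  - no interface= / listen-address= (dnsmasq answers on every interface)
"""


def parse_conf(text):
    """Return (key, value) pairs in file order; value is None for bare flags.

    dnsmasq accepts one 'key' or 'key=value' per line; '#' starts a comment.
    Only the first '=' separates key from value, so values such as
    txt-record=example.com,"v=spf1 mx ~all" survive intact.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        entries.append((key.strip(), value.strip() if sep else None))
    return entries


def lint(text, production=True):
    """Return a list of human-readable findings (an empty list means clean)."""
    entries = parse_conf(text)
    keys = {key for key, _ in entries}
    findings = []

    if production and "log-queries" in keys:
        findings.append(
            "log-queries is enabled: every lookup (browsing history) is written "
            "to the log; disable it in production or rotate logs aggressively")

    if "dnssec" in keys and "trust-anchor" not in keys:
        findings.append(
            "dnssec is set without a trust-anchor: dnsmasq refuses to start "
            "without a root trust anchor")

    if "dhcp-range" in keys:
        findings.append(
            "dhcp-range enables dnsmasq's DHCP server: it conflicts with the "
            "router's DHCP unless that one is turned off")

    if not ({"interface", "listen-address"} & keys):
        findings.append(
            "no interface= or listen-address=: dnsmasq listens on all "
            "interfaces; restrict it to the LAN and firewall UDP/TCP 53")

    return findings


# Constructed sample: the page's snippets combined into one risky config.
RISKY_CONF = """\
server=1.1.1.1
server=8.8.8.8
address=/twitter.com/192.168.1.100
address=/x.com/192.168.1.100
dnssec
dnssec-check-unsigned
dhcp-range=192.168.1.100,192.168.1.200,12h
log-queries
"""

# Constructed sample: the same redirect with every finding addressed.
HARDENED_CONF = """\
listen-address=192.168.1.101
server=1.1.1.1
server=8.8.8.8
address=/twitter.com/192.168.1.100
address=/x.com/192.168.1.100
# log-queries   # enable only while debugging
"""

if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("hardened", HARDENED_CONF)):
        findings = lint(conf)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against the real dnsmasq/dnsmasq.conf by reading the file into lint(); pass production=False while debugging so that a temporary log-queries is not reported.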
Restrict DNS access to known networks:
iptables example (-A appends, so these rules must come before any broader ACCEPT rule in the INPUT chain, or the DROP lines never match):
# Allow DNS from LAN only
iptables -A INPUT -p udp --dport 53 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -s 192.168.1.0/24 -j ACCEPT
# Drop all other DNS queries
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A INPUT -p tcp --dport 53 -j DROP
firewalld example:
# Create zone for DNS
firewall-cmd --permanent --new-zone=dnsmasq
firewall-cmd --permanent --zone=dnsmasq --add-source=192.168.1.0/24
firewall-cmd --permanent --zone=dnsmasq --add-service=dns
firewall-cmd --reload
Symptoms: Slow DNS resolution, timeouts
Diagnosis:
# Check cache hit rate
docker compose exec dnsmasq killall -USR1 dnsmasq
docker compose logs dnsmasq | grep -i cache
# Monitor query rate
docker compose logs -f dnsmasq | grep query | wc -l
# Check system resources
docker stats xcancel-dnsmasq
Solutions:
- Verify the upstream servers are reachable from the host: ping 1.1.1.1

Symptoms: Container restarts, OOM (Out of Memory)
Check memory usage:
docker stats xcancel-dnsmasq --no-stream
Solutions:
```yaml
dnsmasq:
  mem_limit: 256m
```
Symptoms: Some domains don’t resolve with DNSSEC enabled
Diagnosis:
# Check DNSSEC validation
dig twitter.com @192.168.1.101 +dnssec
# Look for SERVFAIL status
Solutions:
# Comment out in dnsmasq.conf:
# dnssec
Symptoms: Queries fail for devices using IPv6
Diagnosis:
# Test IPv6 connectivity
docker compose exec dnsmasq ping6 google.com
# Check IPv6 DNS
dig AAAA twitter.com @192.168.1.101
Solutions:
```yaml
dnsmasq:
  sysctls:
    - net.ipv6.conf.all.disable_ipv6=1
```
Enable statistics collection:
# In dnsmasq.conf
log-queries
Then analyze:
# Top queried domains
docker compose logs dnsmasq | grep "query\[" | awk '{print $(NF-2)}' | sort | uniq -c | sort -rn | head -20
# Queries per hour
docker compose logs dnsmasq | grep "query\[" | awk '{print $1, $2}' | cut -d: -f1 | sort | uniq -c
# Cache hits vs misses
docker compose exec dnsmasq killall -USR1 dnsmasq
docker compose logs dnsmasq | grep "cache statistics"
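The grep/awk pipelines above answer one question each. The script below is an added example, not part of the xcancel project, that parses the same log-queries output once and reports top domains, per-client and per-hour counts, and the share of answers served locally (cache hits plus address= overrides, which dnsmasq logs as "config"). It assumes dnsmasq's standard log line format and tolerates the "service | " prefix that docker compose logs adds; the sample lines are constructed for the demonstration.

```python
"""Summarise dnsmasq query logs: top domains, per-client and per-hour counts,
and the share of answers served without an upstream round-trip.

Added example, not part of the xcancel project. Assumes dnsmasq runs with
log-queries and emits its standard lines ("query[A] name from client",
"cached|config|forwarded name is|to value"). The SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?:\S+\s+\|\s+)?"                                    # optional docker compose prefix
    r"(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+"
    r"dnsmasq\[\d+\]:\s+(?P<body>.*)$"
)
QUERY_RE = re.compile(
    r"^query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)
ANSWER_RE = re.compile(
    r"^(?P<kind>cached|config|forwarded|reply)\s+(?P<name>\S+)\s+(?:is|to)\s+(?P<value>\S+)$"
)

# Constructed sample log: two LAN clients hitting the override, one upstream
# lookup that is then served from cache, and two lines as docker compose prints them.
SAMPLE_LOG = """\
Jan 12 10:00:01 dnsmasq[1]: query[A] twitter.com from 192.168.1.50
Jan 12 10:00:01 dnsmasq[1]: config twitter.com is 192.168.1.100
Jan 12 10:00:02 dnsmasq[1]: query[A] example.com from 192.168.1.50
Jan 12 10:00:02 dnsmasq[1]: forwarded example.com to 1.1.1.1
Jan 12 10:00:02 dnsmasq[1]: reply example.com is 93.184.216.34
Jan 12 10:00:03 dnsmasq[1]: query[A] example.com from 192.168.1.51
Jan 12 10:00:03 dnsmasq[1]: cached example.com is 93.184.216.34
Jan 12 11:00:10 dnsmasq[1]: query[A] x.com from 192.168.1.51
Jan 12 11:00:10 dnsmasq[1]: config x.com is 192.168.1.100
xcancel-dnsmasq  | Jan 12 11:00:11 dnsmasq[1]: query[A] twitter.com from 192.168.1.52
xcancel-dnsmasq  | Jan 12 11:00:11 dnsmasq[1]: config twitter.com is 192.168.1.100
"""


def summarise(log_text):
    """Parse log lines once and aggregate the counters the page's pipelines compute."""
    stats = {
        "queries": 0,
        "domains": Counter(),    # name -> query count
        "clients": Counter(),    # client IP -> query count
        "per_hour": Counter(),   # "Mon DD HH" -> query count
        "answers": Counter(),    # cached / config / forwarded
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a dnsmasq line (startup banner, etc.)
        body = m.group("body")
        q = QUERY_RE.match(body)
        if q:
            stats["queries"] += 1
            stats["domains"][q.group("name")] += 1
            stats["clients"][q.group("client")] += 1
            stats["per_hour"][f"{m.group('mon')} {m.group('day')} {m.group('hour')}"] += 1
            continue
        a = ANSWER_RE.match(body)
        if a and a.group("kind") != "reply":
            # "reply" is the upstream answer to a "forwarded" line; counting it
            # too would double-count the same lookup.
            stats["answers"][a.group("kind")] += 1
    return stats


def local_answer_rate(stats):
    """Share of answers that never left the box: cache hits plus address=
    overrides (logged as "config"), relative to everything forwarded upstream."""
    local = stats["answers"]["cached"] + stats["answers"]["config"]
    total = local + stats["answers"]["forwarded"]
    return local / total if total else 0.0


def top_domains(stats, n=20):
    return stats["domains"].most_common(n)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s['queries']} queries, local answer rate {local_answer_rate(s):.0%}")
    print("top domains:", top_domains(s))
    print("queries per hour:", dict(s["per_hour"]))
    print("queries per client:", dict(s["clients"]))
```

Feed it real data with `docker compose logs dnsmasq | python3 dnsmasq_stats.py` after replacing SAMPLE_LOG with sys.stdin.read(); the per-client counter is also the quickest way to spot a runaway device before it exhausts dns-forward-max.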
Monitor dnsmasq health:
```bash
#!/bin/bash
# dnsmasq-health-check.sh
DNSMASQ_IP="192.168.1.101"

# Test basic resolution
if nslookup google.com "$DNSMASQ_IP" > /dev/null 2>&1; then
    echo "✓ Basic DNS resolution working"
else
    echo "✗ DNS resolution failing"
    exit 1
fi

# Test our override: the first "Address:" line is the server itself,
# the last one is the answer
result=$(nslookup twitter.com "$DNSMASQ_IP" | grep "Address:" | tail -1 | awk '{print $2}')
if [ "$result" = "192.168.1.100" ]; then
    echo "✓ DNS override working"
else
    echo "✗ DNS override not working (got $result)"
    exit 1
fi

# Check container running
if docker compose ps | grep -q "dnsmasq.*Up"; then
    echo "✓ Container healthy"
else
    echo "✗ Container not running"
    exit 1
fi

echo "All health checks passed"
```