version 1.1.1.1, 2013/07/29 19:37:40
|
version 1.1.1.3, 2023/09/27 11:02:07
|
Line 9 A: The high ports that dnsmasq opens are for replies f
|
Line 9 A: The high ports that dnsmasq opens are for replies f
|
from port 53 the replies would be _to_ port 53 and get blocked. |
from port 53 the replies would be _to_ port 53 and get blocked. |
|
|
This is not a security hole since dnsmasq will only accept replies to that |
This is not a security hole since dnsmasq will only accept replies to that |
port: queries are dropped. The replies must be to oustanding queries | port: queries are dropped. The replies must be to outstanding queries |
which dnsmasq has forwarded, otherwise they are dropped too. |
which dnsmasq has forwarded, otherwise they are dropped too. |
|
|
Addendum: dnsmasq now has the option "query-port" (-Q), which allows |
Addendum: dnsmasq now has the option "query-port" (-Q), which allows |
Line 59 A: Yes, there is explicit support for *BSD and MacOS X
|
Line 59 A: Yes, there is explicit support for *BSD and MacOS X
|
|
|
Q: My company's nameserver knows about some names which aren't in the |
Q: My company's nameserver knows about some names which aren't in the |
public DNS. Even though I put it first in /etc/resolv.conf, it |
public DNS. Even though I put it first in /etc/resolv.conf, it |
dosen't work: dnsmasq seems not to use the nameservers in the order | doesn't work: dnsmasq seems not to use the nameservers in the order |
given. What am I doing wrong? |
given. What am I doing wrong? |
|
|
A: By default, dnsmasq treats all the nameservers it knows about as |
A: By default, dnsmasq treats all the nameservers it knows about as |
Line 144 Q: Who are Verisign, what do they have to do with the
|
Line 144 Q: Who are Verisign, what do they have to do with the
|
option in dnsmasq and why should I wory about it? |
option in dnsmasq and why should I wory about it? |
|
|
A: [note: this was written in September 2003, things may well change.] |
A: [note: this was written in September 2003, things may well change.] |
Versign run the .com and .net top-level-domains. They have just | Verisign run the .com and .net top-level-domains. They have just |
changed the configuration of their servers so that unknown .com and |
changed the configuration of their servers so that unknown .com and |
.net domains, instead of returning an error code NXDOMAIN, (no such |
.net domains, instead of returning an error code NXDOMAIN, (no such |
domain) return the address of a host at Versign which runs a web | domain) return the address of a host at Verisign which runs a web |
server showing a search page. Most right-thinking people regard |
server showing a search page. Most right-thinking people regard |
this new behaviour as broken :-). You can test to see if you are |
this new behaviour as broken :-). You can test to see if you are |
suffering Versign brokeness by run a command like | suffering Verisign brokenness by run a command like |
|
|
host jlsdajkdalld.com |
host jlsdajkdalld.com |
|
|
If you get "jlsdajkdalld.com" does not exist, then all is fine, if |
If you get "jlsdajkdalld.com" does not exist, then all is fine, if |
host returns an IP address, then the DNS is broken. (Try a few |
host returns an IP address, then the DNS is broken. (Try a few |
different unlikely domains, just in case you picked a wierd one | different unlikely domains, just in case you picked a weird one |
which really _is_ registered.) |
which really _is_ registered.) |
|
|
Assuming that your DNS is broken, and you want to fix it, simply |
Assuming that your DNS is broken, and you want to fix it, simply |
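Review bot: the Verisign line still reads "by run a command like" after the spelling fix on the same line; change it to "by running a command like" while that line is being touched.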
Line 180 A: There are a couple of configuration gotchas which h
|
Line 180 A: There are a couple of configuration gotchas which h
|
whilst the ISC one works. |
whilst the ISC one works. |
|
|
The first thing to check is the broadcast address set for the |
The first thing to check is the broadcast address set for the |
ethernet interface. This is normally the adddress on the connected | ethernet interface. This is normally the address on the connected |
network with all ones in the host part. For instance if the |
network with all ones in the host part. For instance if the |
address of the ethernet interface is 192.168.55.7 and the netmask |
address of the ethernet interface is 192.168.55.7 and the netmask |
is 255.255.255.0 then the broadcast address should be |
is 255.255.255.0 then the broadcast address should be |
Line 205 A: By default, none of the DHCP clients send the host-
|
Line 205 A: By default, none of the DHCP clients send the host-
|
send with the "hostname" keyword in /etc/network/interfaces. (See |
send with the "hostname" keyword in /etc/network/interfaces. (See |
"man interfaces" for details.) That doesn't work for dhclient, were |
"man interfaces" for details.) That doesn't work for dhclient, were |
you have to add something like "send host-name daisy" to |
you have to add something like "send host-name daisy" to |
/etc/dhclient.conf [Update: the lastest dhcpcd packages _do_ send | /etc/dhclient.conf [Update: the latest dhcpcd packages _do_ send |
the hostname by default. |
the hostname by default. |
|
|
Q: I'm network booting my machines, and trying to give them static |
Q: I'm network booting my machines, and trying to give them static |
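Review bot: two defects in the paragraph this hunk edits are left in place. "That doesn't work for dhclient, were you have to add" should read "where you have to add", and the "[Update: ..." bracket opened on the /etc/dhclient.conf line is never closed; add "]" after "the hostname by default."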
Line 236 Q: What network types are supported by the DHCP server
|
Line 236 Q: What network types are supported by the DHCP server
|
A: Ethernet (and 802.11 wireless) are supported on all platforms. On |
A: Ethernet (and 802.11 wireless) are supported on all platforms. On |
Linux all network types (including FireWire) are supported. |
Linux all network types (including FireWire) are supported. |
|
|
Q: What are these strange "bind-interface" and "bind-dynamic" options? | Q: What are these strange "bind-interfaces" and "bind-dynamic" options? |
|
|
A: Dnsmasq from v2.63 can operate in one of three different "networking |
A: Dnsmasq from v2.63 can operate in one of three different "networking |
modes". This is unfortunate as it requires users configuring dnsmasq |
modes". This is unfortunate as it requires users configuring dnsmasq |
to take into account some rather bizzare contraints and select the | to take into account some rather bizarre constraints and select the |
mode which best fits the requirements of a particular installation. |
mode which best fits the requirements of a particular installation. |
The origin of these are deficiencies in the Unix networking |
The origin of these are deficiencies in the Unix networking |
model and APIs and each mode has different advantages and |
model and APIs and each mode has different advantages and |
Line 252 A: Dnsmasq from v2.63 can operate in one of three diff
|
Line 252 A: Dnsmasq from v2.63 can operate in one of three diff
|
The three modes are "wildcard", "bind-interfaces" and "bind-dynamic". |
The three modes are "wildcard", "bind-interfaces" and "bind-dynamic". |
|
|
In "wildcard" mode, dnsmasq binds the wildcard IP address (0.0.0.0 or |
In "wildcard" mode, dnsmasq binds the wildcard IP address (0.0.0.0 or |
::). This allows it to recieve all the packets sent to the server on | ::). This allows it to receive all the packets sent to the server on |
the relevant port. Access control (--interface, --except-interface, |
the relevant port. Access control (--interface, --except-interface, |
--listen-address, etc) is implemented by dnsmasq: it queries the |
--listen-address, etc) is implemented by dnsmasq: it queries the |
kernel to determine the interface on which a packet was recieved and | kernel to determine the interface on which a packet was received and |
the address to which it was sent, and applies the configured |
the address to which it was sent, and applies the configured |
rules. Wildcard mode is the default if neither of the other modes are |
rules. Wildcard mode is the default if neither of the other modes are |
specified. |
specified. |
Line 276 A: Dnsmasq from v2.63 can operate in one of three diff
|
Line 276 A: Dnsmasq from v2.63 can operate in one of three diff
|
The mode chosen has four different effects: co-existence with other |
The mode chosen has four different effects: co-existence with other |
servers, semantics of --interface access control, effect of new |
servers, semantics of --interface access control, effect of new |
interfaces, and legality of --interface specifications for |
interfaces, and legality of --interface specifications for |
non-existent inferfaces. We will deal with these in order. | non-existent interfaces. We will deal with these in order. |
|
|
A dnsmasq instance running in wildcard mode precludes a machine from |
A dnsmasq instance running in wildcard mode precludes a machine from |
running a second instance of dnsmasq or any other DNS, TFTP or DHCP |
running a second instance of dnsmasq or any other DNS, TFTP or DHCP |
Line 297 A: Dnsmasq from v2.63 can operate in one of three diff
|
Line 297 A: Dnsmasq from v2.63 can operate in one of three diff
|
by dnsmasq when in --bind-interfaces mode. In wildcard or bind-dynamic |
by dnsmasq when in --bind-interfaces mode. In wildcard or bind-dynamic |
mode, such interfaces are handled normally. |
mode, such interfaces are handled normally. |
|
|
A --interface specification for a non-existent interface is a fatal | An --interface specification for a non-existent interface is a fatal |
error at start-up when in --bind-interfaces mode, by just generates a |
error at start-up when in --bind-interfaces mode, by just generates a |
warning in wildcard or bind-dynamic mode. |
warning in wildcard or bind-dynamic mode. |
|
|
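Review bot: the same sentence that gets "A" changed to "An" also contains "by just generates a warning", which should be "but just generates a warning"; fix both in one pass.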
Line 313 Q: Can I get email notification when a new version of
|
Line 313 Q: Can I get email notification when a new version of
|
released? |
released? |
|
|
A: Yes, new releases of dnsmasq are always announced through |
A: Yes, new releases of dnsmasq are always announced through |
freshmeat.net, and they allow you to subcribe to email alerts when | freshmeat.net, and they allow you to subscribe to email alerts when |
new versions of particular projects are released. New releases are |
new versions of particular projects are released. New releases are |
also announced in the dnsmasq-discuss mailing list, subscribe at |
also announced in the dnsmasq-discuss mailing list, subscribe at |
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss |
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss |
|
|
Q: What does the dhcp-authoritative option do? |
Q: What does the dhcp-authoritative option do? |
|
|
A: See http://www.isc.org/files/auth.html - that's | A: The DHCP spec says that when a DHCP server receives a renewal request |
for the ISC daemon, but the same applies to dnsmasq. | from a client it has no knowledge of, it should just ignore it. |
| This is because it's supported to have more than one DHCP server |
| on a network, and another DHCP server may be dealing with the client. |
| This has the unfortunate effect that when _no_ DHCP replies to |
| the client, it takes some time for the client to time-out and start |
| to get a new lease. Setting this option makes dnsmasq violate the |
| standard to the extent that it will send a NAK reply to the client, |
| causing it to immediately start to get a new lease. This improves |
| behaviour when machines move networks, and in the case that the DHCP |
| lease database is lost. As long as there are not more tha one DHCP |
| server on the network, it's safe to enable the option. |
|
|
Q: Why does my Gentoo box pause for a minute before getting a new |
Q: Why does my Gentoo box pause for a minute before getting a new |
lease? |
lease? |
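Review bot: the replacement dhcp-authoritative text has a typo and two unclear phrases. "not more tha one DHCP server" should be "not more than one DHCP server"; "it's supported to have more than one DHCP server on a network" reads better as "the protocol allows more than one DHCP server on a network"; and "when _no_ DHCP replies to the client" is missing a noun ("when no DHCP server replies to the client"). Replacing the dead ISC link with an in-place explanation is the right call; it would help operators if the closing sentence also spelled out the consequence already implied, that with the option enabled dnsmasq will NAK renewals for leases it did not grant, so it must not be enabled on a segment where another DHCP server is serving clients.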
Line 349 A: By default, the identity of a machine is determined
|
Line 359 A: By default, the identity of a machine is determined
|
method for setting the client-id varies with DHCP client software, |
method for setting the client-id varies with DHCP client software, |
dhcpcd uses the "-I" flag. Windows uses a registry setting, |
dhcpcd uses the "-I" flag. Windows uses a registry setting, |
see http://www.jsiinc.com/SUBF/TIP2800/rh2845.htm |
see http://www.jsiinc.com/SUBF/TIP2800/rh2845.htm |
|
|
Addendum: |
Addendum: |
From version 2.46, dnsmasq has a solution to this which doesn't |
From version 2.46, dnsmasq has a solution to this which doesn't |
involve setting client-IDs. It's possible to put more than one MAC |
involve setting client-IDs. It's possible to put more than one MAC |
address in a --dhcp-host configuration. This tells dnsmasq that it |
address in a --dhcp-host configuration. This tells dnsmasq that it |
should use the specified IP for any of the specified MAC addresses, |
should use the specified IP for any of the specified MAC addresses, |
and furthermore it gives dnsmasq permission to sumarily abandon a | and furthermore it gives dnsmasq permission to summarily abandon a |
lease to one of the MAC addresses if another one comes along. Note |
lease to one of the MAC addresses if another one comes along. Note |
that this will work fine only as longer as only one interface is |
that this will work fine only as longer as only one interface is |
up at any time. There is no way for dnsmasq to enforce this |
up at any time. There is no way for dnsmasq to enforce this |
constraint: if you configure multiple MAC addresses and violate |
constraint: if you configure multiple MAC addresses and violate |
this rule, bad things will happen. |
this rule, bad things will happen. |
|
|
|
Addendum-II: The link above is dead, the former contents of the link are: |
|
|
|
------------------------------------------------------------------------------ |
|
How can I keep the same DHCP client reservation, if the MAC address changes? |
|
|
|
When you reserve an IP address for a DHCP client, you provide the |
|
MAC address of the client's NIC. |
|
|
|
It is possible to use a custom identifier, which is sent as |
|
option 61 in the client's DHCP Discover and Request packet. |
|
|
|
The DhcpClientIdentifier is a REG_DWORD value that is located at: |
|
|
|
Windows NT 4.0 SP2+ |
|
|
|
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Adapter Name>'X'\Parameters\Tcpip |
|
|
|
where <Adapter Name> is the NIC driver name and 'X' is the number of the NIC. |
|
|
|
Windows 2000 |
|
|
|
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TcpIp\Parameters\Interfaces\<NIC GUID> |
|
|
|
where <NIC GUID> is the GUID of the NIC. |
|
|
|
The valid range of data is 0x0 - 0xFFFFFFFF. The custom identifier is send as 4 bytes, |
|
8 hexadecimal character, in groups of 2 hexadecimal characters, with the groups being |
|
sent in reverse order. If the custom identifier is less than 8 hexadeciaml characters, |
|
it is zero padded at the end. Examples: |
|
|
|
Custom Client Client Reservation |
|
Identifier on DHCP Server |
|
12345678 78563412 |
|
123456 56341200 |
|
1234 34120000 |
|
1234567 67452301 |
|
12345 45230100 |
|
123 23010000 |
|
A18F42 428FA100 |
|
CF432 32F40C00 |
|
C32D1BE BED1320C |
|
|
|
------------------------------------------------------------------------------------------------------- |
|
|
|
|
Q: Can dnsmasq do DHCP on IP-alias interfaces? |
Q: Can dnsmasq do DHCP on IP-alias interfaces? |
|
|
A: Yes, from version-2.21. The support is only available running under |
A: Yes, from version-2.21. The support is only available running under |
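Review bot: the Addendum-II text copied in from the dead page carries several errors that should be corrected rather than preserved. "is send as 4 bytes" should be "is sent as 4 bytes", "8 hexadecimal character" should be "8 hexadecimal characters", and "hexadeciaml" should be "hexadecimal". The sentence "it is zero padded at the end" is confusing on its own; the examples show the value being treated as a 32-bit DWORD and transmitted least-significant byte first, so a value shorter than 8 hex digits is padded with leading zeros before the byte order is reversed (123456 becomes 00 12 34 56, sent as 56 34 12 00), and stating that next to the table removes the ambiguity. Since the addendum says the jsiinc.com link above is dead, mark or drop that URL in the "see http://..." line instead of leaving a live-looking reference. The pre-existing "will work fine only as longer as only one interface is up" should read "only as long as only one interface is up". Finally, as the text itself notes that option 61 is sent by the client, a --dhcp-host reservation keyed on a client-id is a convenience for address assignment, not a check of the client's identity, and a one-line caveat to that effect would be worth adding.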
Line 488 Q: DHCP doesn't work with windows 7 but everything els
|
Line 544 Q: DHCP doesn't work with windows 7 but everything els
|
|
|
A: There seems to be a problem if Windows 7 doesn't get a value for |
A: There seems to be a problem if Windows 7 doesn't get a value for |
DHCP option 252 in DHCP packets it gets from the server. The |
DHCP option 252 in DHCP packets it gets from the server. The |
symtoms have beeen variously reported as continual DHCPINFORM | symptoms have been variously reported as continual DHCPINFORM |
requests in an attempt to get an option-252, or even ignoring DHCP |
requests in an attempt to get an option-252, or even ignoring DHCP |
offers completely (and failing to get an IP address) if there is no |
offers completely (and failing to get an IP address) if there is no |
option-252 supplied. DHCP option 252 is for WPAD, WWW Proxy |
option-252 supplied. DHCP option 252 is for WPAD, WWW Proxy |