--- embedaddon/dnsmasq/dnsmasq.conf.example 2016/11/02 09:57:01 1.1.1.3 +++ embedaddon/dnsmasq/dnsmasq.conf.example 2021/03/17 00:56:46 1.1.1.4 @@ -90,7 +90,7 @@ # server=10.1.2.3@eth1 # and this sets the source (ie local) address used to talk to -# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that +# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that # IP on the machine, obviously). # server=10.1.2.3@192.168.1.1#55 @@ -123,12 +123,6 @@ # running another nameserver on the same machine. #bind-interfaces -# Accept DNS queries only from hosts whose address is on a local -# subnet, ie a subnet for which an interface exists on the server. -# This option only has effect if there are no --interface -# --except-interface, --listen-address or --auth-server options. -local-service - # If you don't want dnsmasq to read /etc/hosts, uncomment the # following line. #no-hosts @@ -195,7 +189,7 @@ local-service # add names to the DNS for the IPv6 address of SLAAC-configured dual-stack # hosts. Use the DHCPv4 lease to derive the name, network segment and # MAC address and assume that the host will also have an -# IPv6 address calculated using the SLAAC alogrithm. +# IPv6 address calculated using the SLAAC algorithm. #dhcp-range=1234::, ra-names # Do Router Advertisements, BUT NOT DHCP for this subnet. @@ -216,7 +210,7 @@ local-service #dhcp-range=1234::, ra-stateless, ra-names # Do router advertisements for all subnets where we're doing DHCPv6 -# Unless overriden by ra-stateless, ra-names, et al, the router +# Unless overridden by ra-stateless, ra-names, et al, the router # advertisements will have the M and O bits set, so that the clients # get addresses and configuration from DHCPv6, and the A bit reset, so the # clients don't use SLAAC addresses. @@ -257,7 +251,7 @@ local-service # the IP address 192.168.0.60 #dhcp-host=id:01:02:02:04,192.168.0.60 -# Always give the Infiniband interface with hardware address +# Always give the InfiniBand interface with hardware address # 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the # ip address 192.168.0.61. The client id is derived from the prefix # ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of @@ -294,7 +288,7 @@ local-service # Give a fixed IPv6 address and name to client with # DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2 # Note the MAC addresses CANNOT be used to identify DHCPv6 clients. -# Note also the they [] around the IPv6 address are obilgatory. +# Note also that the [] around the IPv6 address are obligatory. #dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] # Ignore any clients which are not specified in dhcp-host lines @@ -360,11 +354,11 @@ local-service # Set option 58 client renewal time (T1). Defaults to half of the # lease time if not specified. (RFC2132) -#dhcp-option=option:T1:1m +#dhcp-option=option:T1,1m # Set option 59 rebinding time (T2). Defaults to 7/8 of the # lease time if not specified. (RFC2132) -#dhcp-option=option:T2:2m +#dhcp-option=option:T2,2m # Set the NTP time server address to be the same machine as # is running dnsmasq @@ -442,22 +436,22 @@ local-service #dhcp-option-force=211,30i # Set the boot filename for netboot/PXE. You will only need -# this is you want to boot machines over the network and you will need -# a TFTP server; either dnsmasq's built in TFTP server or an +# this if you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built-in TFTP server or an # external one. (See below for how to enable the TFTP server.) #dhcp-boot=pxelinux.0 # The same as above, but use custom tftp-server instead machine running dnsmasq #dhcp-boot=pxelinux,server.name,192.168.1.100 -# Boot for Etherboot gPXE. The idea is to send two different -# filenames, the first loads gPXE, and the second tells gPXE what to -# load. The dhcp-match sets the gpxe tag for requests from gPXE. -#dhcp-match=set:gpxe,175 # gPXE sends a 175 option. -#dhcp-boot=tag:!gpxe,undionly.kpxe -#dhcp-boot=mybootimage +# Boot for iPXE. The idea is to send two different +# filenames, the first loads iPXE, and the second tells iPXE what to +# load. The dhcp-match sets the ipxe tag for requests from iPXE. +#dhcp-boot=undionly.kpxe +#dhcp-match=set:ipxe,175 # iPXE sends a 175 option. +#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php -# Encapsulated options for Etherboot gPXE. All the options are +# Encapsulated options for iPXE. All the options are # encapsulated within option 175 #dhcp-option=encap:175, 1, 5b # priority code #dhcp-option=encap:175, 176, 1b # no-proxydhcp @@ -531,7 +525,7 @@ local-service # (using /etc/hosts) then that name can be specified as the # tftp_servername (the third option to dhcp-boot) and in that # case dnsmasq resolves this name and returns the resultant IP -# addresses in round robin fasion. This facility can be used to +# addresses in round robin fashion. This facility can be used to # load balance the tftp load among a set of servers. #dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name @@ -553,6 +547,14 @@ local-service # http://www.isc.org/files/auth.html #dhcp-authoritative +# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039. +# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit +# option with a DHCPACK including a Rapid Commit option and fully committed address +# and configuration information. This must only be enabled if either the server is +# the only server for the subnet, or multiple servers are present and they each +# commit a binding for all clients. +#dhcp-rapid-commit + # Run an executable when a DHCP lease is created or destroyed. # The arguments sent to the script are "add" or "del", # then the MAC address, the IP address and finally the hostname @@ -670,3 +672,8 @@ local-service # Include all files in a directory which end in .conf #conf-dir=/etc/dnsmasq.d/,*.conf + +# If a DHCP client claims that its name is "wpad", ignore that. +# This fixes a security hole. see CERT Vulnerability VU#598349 +#dhcp-name-match=set:wpad-ignore,wpad +#dhcp-ignore-names=tag:wpad-ignore