version 1.1.1.4, 2021/03/17 00:56:46
|
version 1.1.1.5, 2023/09/27 11:02:08
|
Line 1
|
Line 1
|
.TH DNSMASQ 8 2020-04-05 | .TH DNSMASQ 8 2021-08-16 |
.SH NAME |
.SH NAME |
dnsmasq \- A lightweight DHCP and caching DNS server. |
dnsmasq \- A lightweight DHCP and caching DNS server. |
.SH SYNOPSIS |
.SH SYNOPSIS |
Line 55 Don't read the hostnames in /etc/hosts.
|
Line 55 Don't read the hostnames in /etc/hosts.
|
.B \-H, --addn-hosts=<file> |
.B \-H, --addn-hosts=<file> |
Additional hosts file. Read the specified file as well as /etc/hosts. If \fB--no-hosts\fP is given, read |
Additional hosts file. Read the specified file as well as /etc/hosts. If \fB--no-hosts\fP is given, read |
only the specified file. This option may be repeated for more than one |
only the specified file. This option may be repeated for more than one |
additional hosts file. If a directory is given, then read all the files contained in that directory. | additional hosts file. If a directory is given, then read all the files contained in that directory |
| in alphabetical order. |
.TP |
.TP |
.B --hostsdir=<path> |
.B --hostsdir=<path> |
Read all the hosts files contained in the directory. New or changed files |
Read all the hosts files contained in the directory. New or changed files |
are read automatically. See \fB--dhcp-hostsdir\fP for details. | are read automatically and modified and deleted files have removed records |
| automatically deleted. |
.TP |
.TP |
.B \-E, --expand-hosts |
.B \-E, --expand-hosts |
Add the domain to simple names (without a period) in /etc/hosts |
Add the domain to simple names (without a period) in /etc/hosts |
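Review bot: the new --hostsdir sentence "are read automatically and modified and deleted files have removed records automatically deleted" is hard to parse; suggest "are read automatically, and records from files that are modified or deleted are removed automatically". The cross-reference "See --dhcp-hostsdir for details" was dropped in the same edit; if the directory-watching behaviour is still shared between the two options, keep the reference, since that entry is where the details were previously delegated.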
Line 104 Dnsmasq limits the value of this option to one hour, u
|
Line 106 Dnsmasq limits the value of this option to one hour, u
|
.B --auth-ttl=<time> |
.B --auth-ttl=<time> |
Set the TTL value returned in answers from the authoritative server. |
Set the TTL value returned in answers from the authoritative server. |
.TP |
.TP |
|
.B --fast-dns-retry=[<initial retry delay in ms>[,<time to continue retries in ms>]] |
|
Under normal circumstances, dnsmasq relies on DNS clients to do retries; it |
|
does not generate timeouts itself. Setting this option |
|
instructs dnsmasq to generate its own retries starting after a delay |
|
which defaults to 1000ms. If the second parameter is given this controls |
|
how long the retries will continue for |
|
otherwise this defaults to 10000ms. Retries are repeated with exponential |
|
backoff. Using this option increases memory usage and |
|
network bandwidth. |
|
.TP |
.B \-k, --keep-in-foreground |
.B \-k, --keep-in-foreground |
Do not go into the background at startup but otherwise run as |
Do not go into the background at startup but otherwise run as |
normal. This is intended for use when dnsmasq is run under daemontools |
normal. This is intended for use when dnsmasq is run under daemontools |
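Review bot: in the --fast-dns-retry text, "how long the retries will continue for otherwise this defaults to 10000ms" needs a sentence break ("... continue for; otherwise this defaults to 10000ms"). The paragraph says the option increases memory and bandwidth use but does not say whether a query that is still being retried counts against --dns-forward-max, or make explicit that the second parameter is what bounds the extra upstream traffic; both are worth a sentence, because operators will size the retry window with that in mind.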
Line 135 running, will go exclusively to the file.) When loggin
|
Line 147 running, will go exclusively to the file.) When loggin
|
dnsmasq will close and reopen the file when it receives SIGUSR2. This |
dnsmasq will close and reopen the file when it receives SIGUSR2. This |
allows the log file to be rotated without stopping dnsmasq. |
allows the log file to be rotated without stopping dnsmasq. |
.TP |
.TP |
|
.B --log-debug |
|
Enable extra logging intended for debugging rather than information. |
|
.TP |
.B --log-async[=<lines>] |
.B --log-async[=<lines>] |
Enable asynchronous logging and optionally set the limit on the |
Enable asynchronous logging and optionally set the limit on the |
number of lines |
number of lines |
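Review bot: the one-line --log-debug description does not say what extra is logged or how much, so a reader cannot tell whether it is appropriate to leave on in production or only while diagnosing a problem; suggest naming the areas that gain extra output and stating that it is intended for temporary use.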
Line 168 to zero completely disables DNS function, leaving only
|
Line 183 to zero completely disables DNS function, leaving only
|
.TP |
.TP |
.B \-P, --edns-packet-max=<size> |
.B \-P, --edns-packet-max=<size> |
Specify the largest EDNS.0 UDP packet which is supported by the DNS |
Specify the largest EDNS.0 UDP packet which is supported by the DNS |
forwarder. Defaults to 4096, which is the RFC5625-recommended size. | forwarder. Defaults to 1232, which is the recommended size following the |
| DNS flag day in 2020. Only increase if you know what you are doing. |
.TP |
.TP |
.B \-Q, --query-port=<query_port> |
.B \-Q, --query-port=<query_port> |
Send outbound DNS queries from, and listen for their replies on, the |
Send outbound DNS queries from, and listen for their replies on, the |
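Review bot: lowering --edns-packet-max to 1232 is the right default, but "Only increase if you know what you are doing" should say why: the old text justified 4096 by citing RFC5625, and the new text should give the reason the 2020 DNS flag day settled on 1232 (keeping UDP responses below the size at which they fragment) so that an administrator understands what is risked by raising it. It would also help to state whether the value governs the buffer size advertised to upstream servers, responses to clients, or both.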
Line 176 specific UDP port <query_port> instead of using random
|
Line 192 specific UDP port <query_port> instead of using random
|
that using this option will make dnsmasq less secure against DNS |
that using this option will make dnsmasq less secure against DNS |
spoofing attacks but it may be faster and use less resources. Setting this option |
spoofing attacks but it may be faster and use less resources. Setting this option |
to zero makes dnsmasq use a single port allocated to it by the |
to zero makes dnsmasq use a single port allocated to it by the |
OS: this was the default behaviour in versions prior to 2.43. | OS: this was the default behaviour in versions prior to 2.43. |
.TP |
.TP |
|
.B --port-limit=<#ports> |
|
By default, when sending a query via random ports to multiple upstream servers or |
|
retrying a query dnsmasq will use a single random port for all the tries/retries. |
|
This option allows a larger number of ports to be used, which can increase robustness |
|
in certain network configurations. Note that increasing this to more than |
|
two or three can have security and resource implications and should only |
|
be done with understanding of those. |
|
.TP |
.B --min-port=<port> |
.B --min-port=<port> |
Do not use ports less than that given as source for outbound DNS |
Do not use ports less than that given as source for outbound DNS |
queries. Dnsmasq picks random ports as source for outbound queries: |
queries. Dnsmasq picks random ports as source for outbound queries: |
when this option is given, the ports used will always to larger | when this option is given, the ports used will always be larger |
than that specified. Useful for systems behind firewalls. If not specified, |
than that specified. Useful for systems behind firewalls. If not specified, |
defaults to 1024. |
defaults to 1024. |
.TP |
.TP |
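Review bot: --port-limit says values above two or three "can have security and resource implications" without saying what the default is or what the implications are; state the default (the preceding sentence implies a single port) and that a larger pool means more sockets held open per outstanding query. It is also unclear whether ports chosen under --port-limit still respect --min-port; say so. The --min-port typo fix ("always to larger" -> "always be larger") is good.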
Line 296 option requires non-standard networking APIs and it is
|
Line 320 option requires non-standard networking APIs and it is
|
under Linux. On other platforms it falls-back to \fB--bind-interfaces\fP mode. |
under Linux. On other platforms it falls-back to \fB--bind-interfaces\fP mode. |
.TP |
.TP |
.B \-y, --localise-queries |
.B \-y, --localise-queries |
Return answers to DNS queries from /etc/hosts and \fB--interface-name\fP which depend on the interface over which the query was | Return answers to DNS queries from /etc/hosts and \fB--interface-name\fP and \fB--dynamic-host\fP which depend on the interface over which the query was |
received. If a name has more than one address associated with |
received. If a name has more than one address associated with |
it, and at least one of those addresses is on the same subnet as the |
it, and at least one of those addresses is on the same subnet as the |
interface to which the query was sent, then return only the |
interface to which the query was sent, then return only the |
address(es) on that subnet. This allows for a server to have multiple | address(es) on that subnet and return all the available addresses otherwise. |
| This allows for a server to have multiple |
addresses in /etc/hosts corresponding to each of its interfaces, and |
addresses in /etc/hosts corresponding to each of its interfaces, and |
hosts will get the correct address based on which network they are |
hosts will get the correct address based on which network they are |
attached to. Currently this facility is limited to IPv4. |
attached to. Currently this facility is limited to IPv4. |
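Review bot: --localise-queries now also covers --dynamic-host records, yet the closing sentence "Currently this facility is limited to IPv4" is unchanged; since --dynamic-host creates AAAA records as well, either that sentence is stale or the IPv4 limitation should be restated next to --dynamic-host. The added "and return all the available addresses otherwise" clause is a useful clarification of the fallback case.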
Line 323 are re-written. So
|
Line 348 are re-written. So
|
.B --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 |
.B --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 |
maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 |
maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 |
.TP |
.TP |
.B \-B, --bogus-nxdomain=<ipaddr> | .B \-B, --bogus-nxdomain=<ipaddr>[/prefix] |
Transform replies which contain the IP address given into "No such | Transform replies which contain the specified address or subnet into "No such |
domain" replies. This is intended to counteract a devious move made by | domain" replies. IPv4 and IPv6 are supported. This is intended to counteract a devious move made by |
Verisign in September 2003 when they started returning the address of |
Verisign in September 2003 when they started returning the address of |
an advertising web page in response to queries for unregistered names, |
an advertising web page in response to queries for unregistered names, |
instead of the correct NXDOMAIN response. This option tells dnsmasq to |
instead of the correct NXDOMAIN response. This option tells dnsmasq to |
fake the correct response when it sees this behaviour. As at Sept 2003 |
fake the correct response when it sees this behaviour. As at Sept 2003 |
the IP address being returned by Verisign is 64.94.110.11 |
the IP address being returned by Verisign is 64.94.110.11 |
.TP |
.TP |
.B --ignore-address=<ipaddr> | .B --ignore-address=<ipaddr>[/prefix] |
Ignore replies to A-record queries which include the specified address. | Ignore replies to A or AAAA queries which include the specified address or subnet. |
No error is generated, dnsmasq simply continues to listen for another reply. |
No error is generated, dnsmasq simply continues to listen for another reply. |
This is useful to defeat blocking strategies which rely on quickly supplying a |
This is useful to defeat blocking strategies which rely on quickly supplying a |
forged answer to a DNS request for certain domain, before the correct answer can arrive. |
forged answer to a DNS request for certain domain, before the correct answer can arrive. |
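Review bot: --bogus-nxdomain and --ignore-address gain an optional [/prefix], but neither entry says what a bare address means or which prefix lengths are accepted; the --rev-server entry spells this out ("If the prefix length is omitted, dnsmasq substitutes either 32 (IPv4) or 128 (IPv6)") and the same sentence belongs here. For --ignore-address it is also worth warning that an over-wide prefix silently discards legitimate answers and leaves the client waiting until its own timeout, since "No error is generated".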
Line 341 forged answer to a DNS request for certain domain, bef
|
Line 366 forged answer to a DNS request for certain domain, bef
|
.B \-f, --filterwin2k |
.B \-f, --filterwin2k |
Later versions of windows make periodic DNS requests which don't get sensible answers from |
Later versions of windows make periodic DNS requests which don't get sensible answers from |
the public DNS and can cause problems by triggering dial-on-demand links. This flag turns on an option |
the public DNS and can cause problems by triggering dial-on-demand links. This flag turns on an option |
to filter such requests. The requests blocked are for records of types SOA and SRV, and type ANY where the | to filter such requests. The requests blocked are for records of type ANY |
requested name has underscores, to catch LDAP requests. | where the requested name has underscores, to catch LDAP requests, and for |
| \fBall\fP records of types SOA and SRV. |
.TP |
.TP |
|
.B --filter-A |
|
Remove A records from answers. No IPv4 addresses will be returned. |
|
.TP |
|
.B --filter-AAAA |
|
Remove AAAA records from answers. No IPv6 addresses will be returned. |
|
.TP |
.B \-r, --resolv-file=<file> |
.B \-r, --resolv-file=<file> |
Read the IP addresses of the upstream nameservers from <file>, instead of |
Read the IP addresses of the upstream nameservers from <file>, instead of |
/etc/resolv.conf. For the format of this file see |
/etc/resolv.conf. For the format of this file see |
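Review bot: --filter-A and --filter-AAAA say "Remove A records from answers" without saying what the client receives instead: an empty NOERROR (NODATA) response, the original rcode, or the remaining sections only. Clients behave differently on NODATA versus NXDOMAIN, so spell out the resulting response, and say whether the filter also applies to answers from /etc/hosts and DHCP leases or only to forwarded replies. The --filterwin2k rewrite reads more clearly than before.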
Line 368 provides service at that name, rather than the default
|
Line 400 provides service at that name, rather than the default
|
.TP |
.TP |
.B --enable-ubus[=<service-name>] |
.B --enable-ubus[=<service-name>] |
Enable dnsmasq UBus interface. It sends notifications via UBus on |
Enable dnsmasq UBus interface. It sends notifications via UBus on |
DHCPACK and DHCPRELEASE events. Furthermore it offers metrics. | DHCPACK and DHCPRELEASE events. Furthermore it offers metrics |
| and allows configuration of Linux connection track mark based filtering. |
| When DNS query filtering based on Linux connection track marks is enabled |
| UBus notifications are generated for each resolved or filtered DNS query. |
Requires that dnsmasq has been built with UBus support. If the service |
Requires that dnsmasq has been built with UBus support. If the service |
name is given, dnsmasq provides service at that namespace, rather than |
name is given, dnsmasq provides service at that namespace, rather than |
the default which is |
the default which is |
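Review bot: the added --enable-ubus sentence "When DNS query filtering based on Linux connection track marks is enabled UBus notifications are generated for each resolved or filtered DNS query." needs a comma after "enabled" and a cross-reference to --connmark-allowlist-enable, which is what turns that filtering on. Since this produces a notification per query rather than per DHCP lease event, note the volume implication so it is not enabled casually on a busy resolver.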
Line 428 Tells dnsmasq to never forward A or AAAA queries for p
|
Line 463 Tells dnsmasq to never forward A or AAAA queries for p
|
or domain parts, to upstream nameservers. If the name is not known |
or domain parts, to upstream nameservers. If the name is not known |
from /etc/hosts or DHCP then a "not found" answer is returned. |
from /etc/hosts or DHCP then a "not found" answer is returned. |
.TP |
.TP |
.B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]][@<source-ip>|<interface>[#<port>]] | .B \-S, --local, --server=[/[<domain>]/[domain/]][<server>[#<port>]][@<interface>][@<source-ip>[#<port>]] |
Specify IP address of upstream servers directly. Setting this flag does | Specify upstream servers directly. Setting this flag does |
not suppress reading of /etc/resolv.conf, use \fB--no-resolv\fP to do that. If one or more |
not suppress reading of /etc/resolv.conf, use \fB--no-resolv\fP to do that. If one or more |
optional domains are given, that server is used only for those domains |
optional domains are given, that server is used only for those domains |
and they are queried only using the specified server. This is |
and they are queried only using the specified server. This is |
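Review bot: the new --server synopsis [@<interface>][@<source-ip>[#<port>]] makes the interface and source address independent, optional and apparently combinable, but the body text (here and in the later paragraph about the source address) still describes them as alternatives and never shows the combined form or its order; add one example using both. "Specify upstream servers directly" is the right generalisation now that <server> may be a hostname, but wording such as "repeated domain or ipaddr parts" below should be updated to match.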
Line 454 repeated domain or ipaddr parts as required.
|
Line 489 repeated domain or ipaddr parts as required.
|
More specific domains take precedence over less specific domains, so: |
More specific domains take precedence over less specific domains, so: |
.B --server=/google.com/1.2.3.4 |
.B --server=/google.com/1.2.3.4 |
.B --server=/www.google.com/2.3.4.5 |
.B --server=/www.google.com/2.3.4.5 |
will send queries for *.google.com to 1.2.3.4, except *www.google.com, | will send queries for google.com and gmail.google.com to 1.2.3.4, but www.google.com |
which will go to 2.3.4.5 | will go to 2.3.4.5 |
|
|
|
Matching of domains is normally done on complete labels, so /google.com/ matches google.com and www.google.com |
|
but NOT supergoogle.com. This can be overridden with a * at the start of a pattern only: /*google.com/ |
|
will match google.com and www.google.com AND supergoogle.com. The non-wildcard form has priority, so |
|
if /google.com/ and /*google.com/ are both specified then google.com and www.google.com will match /google.com/ |
|
and /*google.com/ will only match supergoogle.com. |
|
|
|
For historical reasons, the pattern /.google.com/ is equivalent to /google.com/ if you wish to match any subdomain |
|
of google.com but NOT google.com itself, use /*.google.com/ |
|
|
The special server address '#' means, "use the standard servers", so |
The special server address '#' means, "use the standard servers", so |
.B --server=/google.com/1.2.3.4 |
.B --server=/google.com/1.2.3.4 |
.B --server=/www.google.com/# |
.B --server=/www.google.com/# |
will send queries for *.google.com to 1.2.3.4, except *www.google.com which will | will send queries for google.com and its subdomains to 1.2.3.4, except www.google.com (and its subdomains) which will |
be forwarded as usual. |
be forwarded as usual. |
|
|
Also permitted is a -S |
Also permitted is a -S |
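Review bot: the wildcard paragraph introduces /*google.com/ matching supergoogle.com, and that matters for anyone using --server or --address to route or sinkhole domains: a leading * with no following dot matches partial labels, so unrelated names are easily captured by accident. Suggest stating plainly that /*.google.com/ (with the dot) is the "any subdomain" form and that the dotless form is rarely what is wanted. Also "For historical reasons, the pattern /.google.com/ is equivalent to /google.com/ if you wish to match ..." runs two sentences together; put a full stop after the first "/google.com/".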
Line 488 The query-port flag is ignored for any servers which h
|
Line 532 The query-port flag is ignored for any servers which h
|
source address specified but the port may be specified directly as |
source address specified but the port may be specified directly as |
part of the source address. Forcing queries to an interface is not |
part of the source address. Forcing queries to an interface is not |
implemented on all platforms supported by dnsmasq. |
implemented on all platforms supported by dnsmasq. |
|
|
|
Upstream servers may be specified with a hostname rather than an IP address. |
|
In this case, dnsmasq will try to use the system resolver to get the IP address |
|
of a server during startup. If name resolution fails, starting dnsmasq fails, too. |
|
If the system's configuration is such that the system resolver sends DNS queries |
|
through the dnsmasq instance which is starting up then this will time-out and fail. |
.TP |
.TP |
.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<source-ip>|<interface>[#<port>]] | .B --rev-server=<ip-address>[/<prefix-len>][,<server>][#<port>][@<interface>][@<source-ip>[#<port>]] |
This is functionally the same as |
This is functionally the same as |
.B --server, |
.B --server, |
but provides some syntactic sugar to make specifying address-to-name queries easier. For example |
but provides some syntactic sugar to make specifying address-to-name queries easier. For example |
.B --rev-server=1.2.3.0/24,192.168.0.1 |
.B --rev-server=1.2.3.0/24,192.168.0.1 |
is exactly equivalent to |
is exactly equivalent to |
.B --server=/3.2.1.in-addr.arpa/192.168.0.1 |
.B --server=/3.2.1.in-addr.arpa/192.168.0.1 |
|
Allowed prefix lengths are 1-32 (IPv4) and 1-128 (IPv6). If the prefix length is omitted, dnsmasq substitutes either 32 (IPv4) or 128 (IPv6). |
.TP |
.TP |
.B \-A, --address=/<domain>[/<domain>...]/[<ipaddr>] |
.B \-A, --address=/<domain>[/<domain>...]/[<ipaddr>] |
Specify an IP address to return for any host in the given domains. |
Specify an IP address to return for any host in the given domains. |
Queries in the domains are never forwarded and always replied to | A (or AAAA) queries in the domains are never forwarded and always replied to |
with the specified IP address which may be IPv4 or IPv6. To give |
with the specified IP address which may be IPv4 or IPv6. To give |
both IPv4 and IPv6 addresses for a domain, use repeated \fB--address\fP flags. | multiple addresses or both IPv4 and IPv6 addresses for a domain, use repeated \fB--address\fP flags. |
To include multiple IP addresses for a single query, use | |
\fB--addn-hosts=<path>\fP instead. | |
Note that /etc/hosts and DHCP leases override this for individual |
Note that /etc/hosts and DHCP leases override this for individual |
names. A common use of this is to redirect the entire doubleclick.net |
names. A common use of this is to redirect the entire doubleclick.net |
domain to some friendly local web server to avoid banner ads. The |
domain to some friendly local web server to avoid banner ads. The |
domain specification works in the same was as for \fB--server\fP, with | domain specification works in the same way as for \fB--server\fP, with |
the additional facility that \fB/#/\fP matches any domain. Thus |
the additional facility that \fB/#/\fP matches any domain. Thus |
\fB--address=/#/1.2.3.4\fP will always return \fB1.2.3.4\fP for any |
\fB--address=/#/1.2.3.4\fP will always return \fB1.2.3.4\fP for any |
query not answered from \fB/etc/hosts\fP or DHCP and not sent to an |
query not answered from \fB/etc/hosts\fP or DHCP and not sent to an |
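Review bot: the new paragraph on hostname upstream servers says the name is resolved "during startup" via the system resolver but not whether it is ever resolved again (on SIGHUP, or when the address changes), nor what happens if the name resolves to several addresses; say so, since an operator will assume the name tracks its address. It is also worth adding that an address obtained this way is only as trustworthy as the system resolver's answer, a trust question the literal-IP form does not raise. Separately, the --rev-server synopsis now makes <server> optional, but the text does not say what omitting it means (local-only as with --local, or the "#" standard servers).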
Line 521 address of 0.0.0.0 and its IPv6 equivalent of :: so
|
Line 570 address of 0.0.0.0 and its IPv6 equivalent of :: so
|
its subdomains. This is partly syntactic sugar for \fB--address=/example.com/0.0.0.0\fP |
its subdomains. This is partly syntactic sugar for \fB--address=/example.com/0.0.0.0\fP |
and \fB--address=/example.com/::\fP but is also more efficient than including both |
and \fB--address=/example.com/::\fP but is also more efficient than including both |
as separate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves. |
as separate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves. |
|
|
|
Note that the behaviour for queries which don't match the specified address literal changed in version 2.86. |
|
Previous versions, configured with (eg) --address=/example.com/1.2.3.4 and then queried for a RR type other than |
|
A would return a NoData answer. From 2.86, the query is sent upstream. To restore the pre-2.86 behaviour, |
|
use the configuration --address=/example.com/1.2.3.4 --local=/example.com/ |
.TP |
.TP |
.B --ipset=/<domain>[/<domain>...]/<ipset>[,<ipset>...] |
.B --ipset=/<domain>[/<domain>...]/<ipset>[,<ipset>...] |
Places the resolved IP addresses of queries for one or more domains in |
Places the resolved IP addresses of queries for one or more domains in |
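Review bot: the 2.86 behaviour note is security-relevant for the "redirect the entire doubleclick.net domain" use case described just above it: with --address alone, any query type other than A/AAAA for a sinkholed name now reaches the upstream servers, so the documented --local=/example.com/ companion line is needed to keep the domain fully local. Suggest repeating this in the main --address text rather than only at the end of the --address=/#/ discussion, and writing "(e.g.)" rather than "(eg)".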
Line 533 These IP sets must already exist. See
|
Line 587 These IP sets must already exist. See
|
.BR ipset (8) |
.BR ipset (8) |
for more details. |
for more details. |
.TP |
.TP |
|
.B --nftset=/<domain>[/<domain>...]/[(6|4)#[<family>#]<table>#<set>[,[(6|4)#[<family>#]<table>#<set>]...] |
|
Similar to the \fB--ipset\fP option, but accepts one or more nftables |
|
sets to add IP addresses into. |
|
These sets must already exist. See |
|
.BR nft (8) |
|
for more details. The family, table and set are passed directly to the nft. If the spec starts with 4# or 6# then |
|
only A or AAAA records respectively are added to the set. Since an nftset can hold only IPv4 or IPv6 addresses, this |
|
avoids errors being logged for addresses of the wrong type. |
|
.TP |
|
.B --connmark-allowlist-enable[=<mask>] |
|
Enables filtering of incoming DNS queries with associated Linux connection track marks |
|
according to individual allowlists configured via a series of \fB--connmark-allowlist\fP |
|
options. Disallowed queries are not forwarded; they are rejected with a REFUSED error code. |
|
DNS queries are only allowed if they do not have an associated Linux connection |
|
track mark, or if the queried domains match the configured DNS patterns for the |
|
associated Linux connection track mark. If no allowlist is configured for a |
|
Linux connection track mark, all DNS queries associated with that mark are rejected. |
|
If a mask is specified, Linux connection track marks are first bitwise ANDed |
|
with the given mask before being processed. |
|
.TP |
|
.B --connmark-allowlist=<connmark>[/<mask>][,<pattern>[/<pattern>...]] |
|
Configures the DNS patterns that are allowed in DNS queries associated with |
|
the given Linux connection track mark. |
|
If a mask is specified, Linux connection track marks are first bitwise ANDed |
|
with the given mask before they are compared to the given connection track mark. |
|
Patterns follow the syntax of DNS names, but additionally allow the wildcard |
|
character "*" to be used up to twice per label to match 0 or more characters |
|
within that label. Note that the wildcard never matches a dot (e.g., "*.example.com" |
|
matches "api.example.com" but not "api.us.example.com"). Patterns must be |
|
fully qualified, i.e., consist of at least two labels. The final label must not be |
|
fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with at least |
|
two literal (non-wildcard) labels. |
|
Instead of a pattern, "*" can be specified to disable allowlist filtering |
|
for a given Linux connection track mark entirely. |
|
.TP |
.B \-m, --mx-host=<mx name>[[,<hostname>],<preference>] |
.B \-m, --mx-host=<mx name>[[,<hostname>],<preference>] |
Return an MX record named <mx name> pointing to the given hostname (if |
Return an MX record named <mx name> pointing to the given hostname (if |
given), or |
given), or |
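Review bot: the --nftset synopsis has unbalanced brackets: the "[" before "(6|4)#" is never closed; given the text "If the spec starts with 4# or 6#", it should read /[(6|4)#][<family>#]<table>#<set>[,...]. Also "passed directly to the nft" should be "passed directly to nft". In --connmark-allowlist-enable, the fail-closed rule "If no allowlist is configured for a Linux connection track mark, all DNS queries associated with that mark are rejected" is the most important operational fact in the entry and should come first rather than mid-paragraph, and the entry should state the build and kernel requirements (conntrack support) that the --dnssec text mentions for its own prerequisites.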
Line 591 If the time-to-live is given, it overrides the default
|
Line 680 If the time-to-live is given, it overrides the default
|
or the value of \fB--local-ttl\fP. The value is a positive integer and gives |
or the value of \fB--local-ttl\fP. The value is a positive integer and gives |
the time-to-live in seconds. |
the time-to-live in seconds. |
.TP |
.TP |
|
.B --dynamic-host=<name>,[IPv4-address],[IPv6-address],<interface> |
|
Add A, AAAA and PTR records to the DNS in the same subnet as the specified interface. The address is derived from the network part of each address associated with the interface, and the host part from the specified address. For example |
|
.B --dynamic-host=example.com,0.0.0.8,eth0 |
|
will, when eth0 has the address 192.168.78.x and netmask 255.255.255.0 give the |
|
name example.com an A record for 192.168.78.8. The same principle applies to IPv6 addresses. Note that if an interface has more than one address, more than one A or AAAA record will be created. The TTL of the records is always zero, and any changes to interface addresses will be immediately reflected in them. |
|
.TP |
.B \-Y, --txt-record=<name>[[,<text>],<text>] |
.B \-Y, --txt-record=<name>[[,<text>],<text>] |
Return a TXT DNS record. The value of TXT record is a set of strings, |
Return a TXT DNS record. The value of TXT record is a set of strings, |
so any number may be included, delimited by commas; use quotes to put |
so any number may be included, delimited by commas; use quotes to put |
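Review bot: the --dynamic-host synopsis lists four comma-separated fields (<name>,[IPv4-address],[IPv6-address],<interface>) but the example --dynamic-host=example.com,0.0.0.8,eth0 has three, so it is unclear whether an unused address field is omitted entirely or left empty (example.com,0.0.0.8,,eth0); make the example and the synopsis agree. Also say how "the host part from the specified address" is split for IPv6, where the interface's prefix length rather than a 255.255.255.0 netmask determines the boundary.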
Line 658 configured a zero is added in front of the label. ::1
|
Line 753 configured a zero is added in front of the label. ::1
|
V4 mapped IPv6 addresses, which have a representation like ::ffff:1.2.3.4 are handled specially, and become like 0--ffff-1-2-3-4 |
V4 mapped IPv6 addresses, which have a representation like ::ffff:1.2.3.4 are handled specially, and become like 0--ffff-1-2-3-4 |
|
|
The address range can be of the form |
The address range can be of the form |
<ip address>,<ip address> or <ip address>/<netmask> in both forms of the option. | <start address>,<end address> or <ip address>/<prefix-length> in both forms of the option. For IPv6 the start and end addresses |
| must fall in the same /64 network, or prefix-length must be greater than or equal to 64 except that shorter prefix lengths than 64 are allowed only if non-sequential names are in use. |
.TP |
.TP |
.B --dumpfile=<path/to/file> |
.B --dumpfile=<path/to/file> |
Specify the location of a pcap-format file which dnsmasq uses to dump copies of network packets for debugging purposes. If the file exists when dnsmasq starts, it is not deleted; new packets are added to the end. |
Specify the location of a pcap-format file which dnsmasq uses to dump copies of network packets for debugging purposes. If the file exists when dnsmasq starts, it is not deleted; new packets are added to the end. |
.TP |
.TP |
.B --dumpmask=<mask> |
.B --dumpmask=<mask> |
Specify which types of packets should be added to the dumpfile. The argument should be the OR of the bitmasks for each type of packet to be dumped: it can be specified in hex by preceding the number with 0x in the normal way. Each time a packet is written to the dumpfile, dnsmasq logs the packet sequence and the mask |
Specify which types of packets should be added to the dumpfile. The argument should be the OR of the bitmasks for each type of packet to be dumped: it can be specified in hex by preceding the number with 0x in the normal way. Each time a packet is written to the dumpfile, dnsmasq logs the packet sequence and the mask |
representing its type. The current types are: 0x0001 - DNS queries from clients 0x0002 DNS replies to clients 0x0004 - DNS queries to upstream 0x0008 - DNS replies from upstream 0x0010 - queries send upstream for DNSSEC validation 0x0020 - replies to queries for DNSSEC validation 0x0040 - replies to client queries which fail DNSSEC validation 0x0080 replies to queries for DNSSEC validation which fail validation. | representing its type. The current types are: 0x0001 - DNS queries from clients, 0x0002 DNS replies to clients, 0x0004 - DNS queries to upstream, 0x0008 - DNS replies from upstream, 0x0010 - queries send upstream for DNSSEC validation, 0x0020 - replies to queries for DNSSEC validation, 0x0040 - replies to client queries which fail DNSSEC validation, 0x0080 replies to queries for DNSSEC validation which fail validation, 0x1000 - DHCPv4, 0x2000 - DHCPv6, 0x4000 - Router advertisement, 0x8000 - TFTP. |
.TP |
.TP |
.B --add-mac[=base64|text] |
.B --add-mac[=base64|text] |
Add the MAC address of the requestor to DNS queries which are |
Add the MAC address of the requestor to DNS queries which are |
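Review bot: the new IPv6 range sentence ("must fall in the same /64 network, or prefix-length must be greater than or equal to 64 except that shorter prefix lengths than 64 are allowed only if non-sequential names are in use") stacks three conditions into one clause; split it into the sequential and non-sequential cases. In --dumpmask, "queries send upstream for DNSSEC validation" (pre-existing, but the line is being edited) should be "sent", and the new DHCPv4/DHCPv6/RA/TFTP masks deserve a reminder that the dump file then contains client identifiers and lease data, not just DNS traffic.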
Line 678 have security and privacy implications. The warning ab
|
Line 774 have security and privacy implications. The warning ab
|
given for \fB--add-subnet\fP applies to \fB--add-mac\fP too. An alternative encoding of the |
given for \fB--add-subnet\fP applies to \fB--add-mac\fP too. An alternative encoding of the |
MAC, as base64, is enabled by adding the "base64" parameter and a human-readable encoding of hex-and-colons is enabled by added the "text" parameter. |
MAC, as base64, is enabled by adding the "base64" parameter and a human-readable encoding of hex-and-colons is enabled by added the "text" parameter. |
.TP |
.TP |
|
.B --strip-mac |
|
Remove any MAC address information already in downstream queries before forwarding upstream. |
|
.TP |
.B --add-cpe-id=<string> |
.B --add-cpe-id=<string> |
Add an arbitrary identifying string to DNS queries which are |
Add an arbitrary identifying string to DNS queries which are |
forwarded upstream. |
forwarded upstream. |
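Review bot: --strip-mac does not say how it interacts with --add-mac when a downstream query already carries a MAC option: is the existing value replaced by the one dnsmasq adds, or kept? The --strip-subnet entry answers exactly that question for subnets ("If --add-subnet is set this also ensures that any downstream-provided subnet is replaced ... Otherwise, dnsmasq will NOT replace"), and the equivalent sentence belongs here. Pre-existing typo on the edited --add-mac line: "enabled by added the "text" parameter" should be "by adding".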
Line 702 will add the /24 and /96 subnets of the requestor for
|
Line 801 will add the /24 and /96 subnets of the requestor for
|
will add 1.2.3.0/24 for IPv4 requestors and ::/0 for IPv6 requestors. |
will add 1.2.3.0/24 for IPv4 requestors and ::/0 for IPv6 requestors. |
.B --add-subnet=1.2.3.4/24,1.2.3.4/24 |
.B --add-subnet=1.2.3.4/24,1.2.3.4/24 |
will add 1.2.3.0/24 for both IPv4 and IPv6 requestors. |
will add 1.2.3.0/24 for both IPv4 and IPv6 requestors. |
|
|
.TP |
.TP |
|
.B --strip-subnet |
|
Remove any subnet address already present in a downstream query before forwarding it upstream. If --add-subnet is set this also |
|
ensures that any downstream-provided subnet is replaced by the one added by dnsmasq. Otherwise, dnsmasq will NOT replace an |
|
existing subnet in the query. |
|
.TP |
|
.B --umbrella[=[deviceid:<deviceid>][,orgid:<orgid>][,assetid:<id>]] |
|
Embeds the requestor's IP address in DNS queries forwarded upstream. |
|
If device id or, asset id or organization id are specified, the information is |
|
included in the forwarded queries and may be able to be used in |
|
filtering policies and reporting. The order of the id |
|
attributes is irrelevant, but they must be separated by a comma. Deviceid is |
|
a sixteen digit hexadecimal number, org and asset ids are decimal numbers. |
|
.TP |
.B \-c, --cache-size=<cachesize> |
.B \-c, --cache-size=<cachesize> |
Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. Note: huge cache size impacts performance. |
Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. Note: huge cache size impacts performance. |
.TP |
.TP |
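Review bot: --umbrella "Embeds the requestor's IP address in DNS queries forwarded upstream" has the same privacy consequences as --add-subnet and --add-mac, but unlike --add-mac it does not reference the warning given for --add-subnet; add that cross-reference. Also fix the misplaced comma in "If device id or, asset id or organization id", and say how a deviceid shorter than sixteen hex digits is handled (rejected or zero-padded).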
Line 712 Disable negative caching. Negative caching allows dnsm
|
Line 823 Disable negative caching. Negative caching allows dnsm
|
"no such domain" answers from upstream nameservers and answer |
"no such domain" answers from upstream nameservers and answer |
identical queries without forwarding them again. |
identical queries without forwarding them again. |
.TP |
.TP |
|
.B --no-round-robin |
|
Dnsmasq normally permutes the order of A or AAAA records for the same |
|
name on successive queries, for load-balancing. This turns off that |
|
behaviour, so that the records are always returned in the order |
|
that they are received from upstream. |
|
.TP |
|
.B --use-stale-cache[=<max TTL excess in s>] |
|
When set, if a DNS name exists in the cache, but its time-to-live has expired, dnsmasq will return the data anyway. (It attempts to refresh the |
|
data with an upstream query after returning the stale data.) This can improve speed and reliability. It comes at the expense |
|
of sometimes returning out-of-date data and less efficient cache utilisation, since old data cannot be flushed when its TTL expires, so the cache becomes |
|
mostly least-recently-used. To mitigate issues caused by massively outdated DNS replies, the maximum overaging of cached records can be specified in seconds |
|
(defaulting to not serve anything older than one day). Setting the TTL excess time to zero will serve stale cache data regardless how long it has expired. |
|
.TP |
.B \-0, --dns-forward-max=<queries> |
.B \-0, --dns-forward-max=<queries> |
Set the maximum number of concurrent DNS queries. The default value is |
Set the maximum number of concurrent DNS queries. The default value is |
150, which should be fine for most setups. The only known situation |
150, which should be fine for most setups. The only known situation |
where this needs to be increased is when using web-server log file |
where this needs to be increased is when using web-server log file |
resolvers, which can generate large numbers of concurrent queries. | resolvers, which can generate large numbers of concurrent queries. This |
| parameter actually controls the number of concurrent queries per server group, where a server group is the set of server(s) associated with a single domain. So if a domain has it's own server via --server=/example.com/1.2.3.4 and 1.2.3.4 is not responding, but queries for *.example.com cannot go elsewhere, then other queries will not be affected. On configurations with many such server groups and tight resources, this value may need to be reduced. |
.TP |
.TP |
.B --dnssec |
.B --dnssec |
Validate DNS replies and cache DNSSEC data. When forwarding DNS queries, dnsmasq requests the |
Validate DNS replies and cache DNSSEC data. When forwarding DNS queries, dnsmasq requests the |
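Review bot: the new --dns-forward-max paragraph uses "it's own server" where "its own server" is meant, and the example sentence is hard to parse: "and 1.2.3.4 is not responding, but queries for *.example.com cannot go elsewhere, then other queries will not be affected" reads better as "and 1.2.3.4 is not responding, queries for *.example.com cannot go elsewhere but other queries are not affected". In --use-stale-cache, "regardless how long it has expired" should be "regardless of how long ago it expired"; it is worth stating plainly there that zero removes the one-day cap entirely, since that is the setting most likely to surprise an operator.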
Line 850 compiled in and the kernel must have conntrack support
|
Line 975 compiled in and the kernel must have conntrack support
|
included and configured. This option cannot be combined with |
included and configured. This option cannot be combined with |
.B --query-port. |
.B --query-port. |
.TP |
.TP |
.B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>|<mode>][,<netmask>[,<broadcast>]][,<lease time>] | .B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>|<mode>[,<netmask>[,<broadcast>]]][,<lease time>] |
.TP |
.TP |
.B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-IPv6addr>[,<end-IPv6addr>|constructor:<interface>][,<mode>][,<prefix-len>][,<lease time>] |
.B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-IPv6addr>[,<end-IPv6addr>|constructor:<interface>][,<mode>][,<prefix-len>][,<lease time>] |
|
|
Line 860 in
|
Line 985 in
|
.B --dhcp-host |
.B --dhcp-host |
options. If the lease time is given, then leases |
options. If the lease time is given, then leases |
will be given for that length of time. The lease time is in seconds, |
will be given for that length of time. The lease time is in seconds, |
or minutes (eg 45m) or hours (eg 1h) or "infinite". If not given, | or minutes (eg 45m) or hours (eg 1h) or days (2d) or weeks (1w) or "infinite". If not given, |
the default lease time is one hour for IPv4 and one day for IPv6. The |
the default lease time is one hour for IPv4 and one day for IPv6. The |
minimum lease time is two minutes. For IPv6 ranges, the lease time |
minimum lease time is two minutes. For IPv6 ranges, the lease time |
maybe "deprecated"; this sets the preferred lifetime sent in a DHCP |
maybe "deprecated"; this sets the preferred lifetime sent in a DHCP |
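Review bot: the new lease-time units are written "days (2d) or weeks (1w)" while the existing units are written "minutes (eg 45m) or hours (eg 1h)"; keep the "eg" form for all four. In the unchanged context, "the lease time maybe "deprecated"" should be "may be "deprecated"".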
Line 980 is also included, as described in RFC-3775 section 7.3
|
Line 1105 is also included, as described in RFC-3775 section 7.3
|
tells dnsmasq to advertise the prefix without the on-link (aka L) bit set. |
tells dnsmasq to advertise the prefix without the on-link (aka L) bit set. |
|
|
.TP |
.TP |
.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][tag:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore] | .B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,tag:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore] |
Specify per host parameters for the DHCP server. This allows a machine |
Specify per host parameters for the DHCP server. This allows a machine |
with a particular hardware address to be always allocated the same |
with a particular hardware address to be always allocated the same |
hostname, IP address and lease time. A hostname specified like this |
hostname, IP address and lease time. A hostname specified like this |
Line 1043 given in a
|
Line 1168 given in a
|
.B --dhcp-host |
.B --dhcp-host |
option, but aliases are possible by using CNAMEs. (See |
option, but aliases are possible by using CNAMEs. (See |
.B --cname |
.B --cname |
). | ). Note that /etc/hosts is NOT used when the DNS server side of dnsmasq |
| is disabled by setting the DNS server port to zero. |
|
|
|
More than one |
|
.B --dhcp-host |
|
can be associated (by name, hardware address or UID) with a host. Which one is used |
|
(and therefore which address is allocated by DHCP and appears in the DNS) depends |
|
on the subnet on which the host last obtained a DHCP lease: |
|
the |
|
.B --dhcp-host |
|
with an address within the subnet is used. If more than one address is within the subnet, |
|
the result is undefined. A corollary to this is that the name associated with a host using |
|
.B --dhcp-host |
|
does not appear in the DNS until the host obtains a DHCP lease. |
|
|
|
|
The special keyword "ignore" |
The special keyword "ignore" |
tells dnsmasq to never offer a DHCP lease to a machine. The machine |
tells dnsmasq to never offer a DHCP lease to a machine. The machine |
can be specified by hardware address, client ID or hostname, for |
can be specified by hardware address, client ID or hostname, for |
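Review bot: the added paragraph says a host can be matched "by name, hardware address or UID", but "UID" is not a term the --dhcp-host synopsis uses; the synopsis calls the third identifier id:<client_id>, so "client ID" would be consistent with the rest of the entry. The new note that /etc/hosts is not used when the DNS port is set to zero is a useful addition; consider cross-referencing it from --port as well, since that is where an administrator sets the port to zero.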
Line 1066 ignore requests from unknown machines using
|
Line 1205 ignore requests from unknown machines using
|
If the host matches only a \fB--dhcp-host\fP directive which cannot |
If the host matches only a \fB--dhcp-host\fP directive which cannot |
be used because it specifies an address on different subnet, the tag "known-othernet" is set. |
be used because it specifies an address on different subnet, the tag "known-othernet" is set. |
|
|
The tag:<tag> construct filters which dhcp-host directives are used. Tagged directives are used in preference to untagged ones. | The tag:<tag> construct filters which dhcp-host directives are used; more than |
| one can be provided, in this case the request must match all of them. Tagged |
| directives are used in preference to untagged ones. Note that one of <hwaddr>, |
| <client_id> or <hostname> still needs to be specified (can be a wildcard). |
|
|
Ethernet addresses (but not client-ids) may have |
Ethernet addresses (but not client-ids) may have |
wildcard bytes, so for example |
wildcard bytes, so for example |
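Review bot: the new tag:<tag> text has a comma splice in "more than one can be provided, in this case the request must match all of them"; use a semicolon or "and in this case". In the unchanged context, "an address on different subnet" should read "an address on a different subnet".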
Line 1097 has both wired and wireless interfaces.
|
Line 1239 has both wired and wireless interfaces.
|
.TP |
.TP |
.B --dhcp-hostsfile=<path> |
.B --dhcp-hostsfile=<path> |
Read DHCP host information from the specified file. If a directory |
Read DHCP host information from the specified file. If a directory |
is given, then read all the files contained in that directory. The file contains | is given, then read all the files contained in that directory in alphabetical order. The file contains |
information about one host per line. The format of a line is the same |
information about one host per line. The format of a line is the same |
as text to the right of '=' in \fB--dhcp-host\fP. The advantage of storing DHCP host information |
as text to the right of '=' in \fB--dhcp-host\fP. The advantage of storing DHCP host information |
in this file is that it can be changed without re-starting dnsmasq: |
in this file is that it can be changed without re-starting dnsmasq: |
Line 1105 the file will be re-read when dnsmasq receives SIGHUP.
|
Line 1247 the file will be re-read when dnsmasq receives SIGHUP.
|
.TP |
.TP |
.B --dhcp-optsfile=<path> |
.B --dhcp-optsfile=<path> |
Read DHCP option information from the specified file. If a directory |
Read DHCP option information from the specified file. If a directory |
is given, then read all the files contained in that directory. The advantage of | is given, then read all the files contained in that directory in alphabetical order. The advantage of |
using this option is the same as for \fB--dhcp-hostsfile\fP: the |
using this option is the same as for \fB--dhcp-hostsfile\fP: the |
\fB--dhcp-optsfile\fP will be re-read when dnsmasq receives SIGHUP. Note that |
\fB--dhcp-optsfile\fP will be re-read when dnsmasq receives SIGHUP. Note that |
it is possible to encode the information in a |
it is possible to encode the information in a |
Line 1120 directory, and not an individual file. Changed or new
|
Line 1262 directory, and not an individual file. Changed or new
|
the directory are read automatically, without the need to send SIGHUP. |
the directory are read automatically, without the need to send SIGHUP. |
If a file is deleted or changed after it has been read by dnsmasq, then the |
If a file is deleted or changed after it has been read by dnsmasq, then the |
host record it contained will remain until dnsmasq receives a SIGHUP, or |
host record it contained will remain until dnsmasq receives a SIGHUP, or |
is restarted; ie host records are only added dynamically. | is restarted; ie host records are only added dynamically. The order in which the |
| files in a directory are read is not defined. |
.TP |
.TP |
.B --dhcp-optsdir=<path> |
.B --dhcp-optsdir=<path> |
This is equivalent to \fB--dhcp-optsfile\fP, with the differences noted for \fB--dhcp-hostsdir\fP. |
This is equivalent to \fB--dhcp-optsfile\fP, with the differences noted for \fB--dhcp-hostsdir\fP. |
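Review bot: the sentence added to --dhcp-hostsdir, "The order in which the files in a directory are read is not defined", sits oddly next to the change earlier in this patch that documents --dhcp-hostsfile as reading a directory "in alphabetical order". If the two options really differ here, say so explicitly in the --dhcp-hostsdir entry (for example that files picked up by change notification are processed in the order the notifications arrive); if not, the two statements should agree. Also "ie host records" should be "i.e. host records".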
Line 1155 and to set the time-server address to 192.168.0.4, do
|
Line 1298 and to set the time-server address to 192.168.0.4, do
|
or |
or |
.B --dhcp-option = option:ntp-server, 192.168.0.4 |
.B --dhcp-option = option:ntp-server, 192.168.0.4 |
The special address 0.0.0.0 is taken to mean "the address of the |
The special address 0.0.0.0 is taken to mean "the address of the |
machine running dnsmasq". | machine running dnsmasq". |
|
|
|
An option without data is valid, and includes just the option without data. |
|
(There is only one option with a zero length data field currently defined for DHCPv4, 80:rapid commit, so this feature is not very useful in practice). Options for which dnsmasq normally |
|
provides default values can be ommitted by defining the option with no data. These are |
|
netmask, broadcast, router, DNS server, domainname and hostname. Thus, for DHCPv4 |
|
.B --dhcp-option = option:router |
|
will result in no router option being sent, rather than the default of the host on which dnsmasq is running. For DHCPv6, the same is true of the options DNS server and refresh time. |
|
|
|
|
Data types allowed are comma separated |
Data types allowed are comma separated |
dotted-quad IPv4 addresses, []-wrapped IPv6 addresses, a decimal number, colon-separated hex digits |
dotted-quad IPv4 addresses, []-wrapped IPv6 addresses, a decimal number, colon-separated hex digits |
and a text string. If the optional tags are given then |
and a text string. If the optional tags are given then |
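Review bot: the new --dhcp-option paragraph spells "omitted" as "ommitted", and its opening sentence "An option without data is valid, and includes just the option without data" is circular; something like "An option may be given with no data, in which case only the option code is sent" states the intent.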
Line 1239 DHCP options. This make extra space available in the D
|
Line 1390 DHCP options. This make extra space available in the D
|
options but can, rarely, confuse old or broken clients. This flag |
options but can, rarely, confuse old or broken clients. This flag |
forces "simple and safe" behaviour to avoid problems in such a case. |
forces "simple and safe" behaviour to avoid problems in such a case. |
.TP |
.TP |
.B --dhcp-relay=<local address>,<server address>[,<interface] | .B --dhcp-relay=<local address>[,<server address>[#<server port>]][,<interface] |
Configure dnsmasq to do DHCP relay. The local address is an address |
Configure dnsmasq to do DHCP relay. The local address is an address |
allocated to an interface on the host running dnsmasq. All DHCP |
allocated to an interface on the host running dnsmasq. All DHCP |
requests arriving on that interface will we relayed to a remote DHCP |
requests arriving on that interface will we relayed to a remote DHCP |
Line 1247 server at the server address. It is possible to relay
|
Line 1398 server at the server address. It is possible to relay
|
address to multiple remote servers by using multiple \fB--dhcp-relay\fP |
address to multiple remote servers by using multiple \fB--dhcp-relay\fP |
configs with the same local address and different server |
configs with the same local address and different server |
addresses. A server address must be an IP literal address, not a |
addresses. A server address must be an IP literal address, not a |
domain name. In the case of DHCPv6, the server address may be the | domain name. If the server address is omitted, the request will be |
ALL_SERVERS multicast address, ff05::1:3. In this case the interface | forwarded by broadcast (IPv4) or multicast (IPv6). In this case the interface |
must be given, not be wildcard, and is used to direct the multicast to the | must be given and not be wildcard. The server address may specify a non-standard |
correct interface to reach the DHCP server. | port to relay to. If this is used then \fB--dhcp-proxy\fP should likely also be set, |
| otherwise parts of the DHCP conversation which do not pass through the relay |
| will be delivered to the wrong port. |
|
|
Access control for DHCP clients has the same rules as for the DHCP |
Access control for DHCP clients has the same rules as for the DHCP |
server, see \fB--interface\fP, \fB--except-interface\fP, etc. The optional |
server, see \fB--interface\fP, \fB--except-interface\fP, etc. The optional |
Line 1270 supported: the relay function will take precedence.
|
Line 1423 supported: the relay function will take precedence.
|
|
|
Both DHCPv4 and DHCPv6 relay is supported. It's not possible to relay |
Both DHCPv4 and DHCPv6 relay is supported. It's not possible to relay |
DHCPv4 to a DHCPv6 server or vice-versa. |
DHCPv4 to a DHCPv6 server or vice-versa. |
|
|
|
The DHCP relay function for IPv6 includes the ability to snoop |
|
prefix-delegation from relayed DHCP transactions. See |
|
.B --dhcp-script |
|
for details. |
.TP |
.TP |
.B \-U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<vendor-class> |
.B \-U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<vendor-class> |
Map from a vendor-class string to a tag. Most DHCP clients provide a |
Map from a vendor-class string to a tag. Most DHCP clients provide a |
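Review bot: the new --dhcp-relay synopsis still ends with "[,<interface]", missing the closing ">" of "<interface>" (the old synopsis had the same typo, so this is the chance to fix it). In the unchanged context, "will we relayed" should be "will be relayed". The new port text is clear; it may help to say that without --dhcp-proxy the misdirected messages are the client-to-server ones that bypass the relay, since "parts of the DHCP conversation" leaves the reader guessing which parts.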
Line 1365 Any number of set: and tag: forms may appear, in any o
|
Line 1523 Any number of set: and tag: forms may appear, in any o
|
tag set by another |
tag set by another |
.B --tag-if, |
.B --tag-if, |
the line which sets the tag must precede the one which tests it. |
the line which sets the tag must precede the one which tests it. |
|
|
|
As an extension, the tag:<tag> clauses support limited wildcard matching, |
|
similar to the matching in the \fB--interface\fP directive. This allows, for |
|
example, using \fB--tag-if=set:ppp,tag:ppp*\fP to set the tag 'ppp' for all requests |
|
received on any matching interface (ppp0, ppp1, etc). This can be used in conjunction |
|
with the tag:!<tag> format meaning that no tag matching the wildcard may be set. |
.TP |
.TP |
.B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>] |
.B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>] |
When all the given tags appear in the tag set ignore the host and do |
When all the given tags appear in the tag set ignore the host and do |
Line 1436 functions when supported by a suitable DHCP server.
|
Line 1600 functions when supported by a suitable DHCP server.
|
This specifies a boot option which may appear in a PXE boot menu. <CSA> is |
This specifies a boot option which may appear in a PXE boot menu. <CSA> is |
client system type, only services of the correct type will appear in a |
client system type, only services of the correct type will appear in a |
menu. The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86, |
menu. The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86, |
Intel_Lean_Client, IA32_EFI, X86-64_EFI, Xscale_EFI, BC_EFI, ARM32_EFI and ARM64_EFI; an | Intel_Lean_Client, IA32_EFI, x86-64_EFI, Xscale_EFI, BC_EFI, ARM32_EFI and ARM64_EFI; an |
integer may be used for other types. The |
integer may be used for other types. The |
parameter after the menu text may be a file name, in which case dnsmasq acts as a |
parameter after the menu text may be a file name, in which case dnsmasq acts as a |
boot server and directs the PXE client to download the file by TFTP, |
boot server and directs the PXE client to download the file by TFTP, |
Line 1495 instance
|
Line 1659 instance
|
will enable dnsmasq to also provide proxy PXE service to those PXE clients with |
will enable dnsmasq to also provide proxy PXE service to those PXE clients with |
.I HW-Client |
.I HW-Client |
in as their identifier. |
in as their identifier. |
>>>>>>> 907def3... pxe: support pxe clients with custom vendor-class |
|
.TP |
.TP |
.B \-X, --dhcp-lease-max=<number> |
.B \-X, --dhcp-lease-max=<number> |
Limits dnsmasq to the specified maximum number of DHCP leases. The |
Limits dnsmasq to the specified maximum number of DHCP leases. The |
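Review bot: the line ">>>>>>> 907def3... pxe: support pxe clients with custom vendor-class" is a leftover merge-conflict marker and must not ship inside the manual page; delete it (the preceding ".I HW-Client ... in as their identifier." text is the only content that belongs here). Renaming "X86-64_EFI" to "x86-64_EFI" is fine as long as the pxe-service parser accepts the lower-case form.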
Line 1546 tried. This flag disables this check. Use with caution
|
Line 1709 tried. This flag disables this check. Use with caution
|
Extra logging for DHCP: log all the options sent to DHCP clients and |
Extra logging for DHCP: log all the options sent to DHCP clients and |
the tags used to determine them. |
the tags used to determine them. |
.TP |
.TP |
.B --quiet-dhcp, --quiet-dhcp6, --quiet-ra | .B --quiet-dhcp, --quiet-dhcp6, --quiet-ra, --quiet-tftp |
Suppress logging of the routine operation of these protocols. Errors and |
Suppress logging of the routine operation of these protocols. Errors and |
problems will still be logged. \fB--quiet-dhcp\fP and quiet-dhcp6 are | problems will still be logged. \fB--quiet-tftp\fP does not consider file not |
over-ridden by \fB--log-dhcp\fP. | found to be an error. \fB--quiet-dhcp\fP and quiet-dhcp6 are over-ridden by |
| \fB--log-dhcp\fP. |
.TP |
.TP |
.B \-l, --dhcp-leasefile=<path> |
.B \-l, --dhcp-leasefile=<path> |
Use the specified file to store DHCP lease information. |
Use the specified file to store DHCP lease information. |
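Review bot: in the new --quiet-tftp text, "\fB--quiet-dhcp\fP and quiet-dhcp6 are over-ridden" leaves --quiet-dhcp6 unformatted and without its leading dashes; write it as \fB--quiet-dhcp6\fP. "over-ridden" is also spelled "overridden" elsewhere in man pages.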
Line 1599 If dnsmasq was compiled with HAVE_BROKEN_RTC, then
|
Line 1763 If dnsmasq was compiled with HAVE_BROKEN_RTC, then
|
the length of the lease (in seconds) is stored in |
the length of the lease (in seconds) is stored in |
DNSMASQ_LEASE_LENGTH, otherwise the time of lease expiry is stored in |
DNSMASQ_LEASE_LENGTH, otherwise the time of lease expiry is stored in |
DNSMASQ_LEASE_EXPIRES. The number of seconds until lease expiry is |
DNSMASQ_LEASE_EXPIRES. The number of seconds until lease expiry is |
always stored in DNSMASQ_TIME_REMAINING. | always stored in DNSMASQ_TIME_REMAINING. |
|
|
|
DNSMASQ_DATA_MISSING is set to "1" during "old" events for existing |
|
leases generated at startup to indicate that data not stored in the |
|
persistent lease database will not be present. This comprises everything |
|
other than IP address, hostname, MAC address, DUID, IAID and lease length |
|
or expiry time. |
|
|
If a lease used to have a hostname, which is |
If a lease used to have a hostname, which is |
removed, an "old" event is generated with the new state of the lease, |
removed, an "old" event is generated with the new state of the lease, |
ie no name, and the former name is provided in the environment |
ie no name, and the former name is provided in the environment |
Line 1621 DNSMASQ_LOG_DHCP is set if
|
Line 1791 DNSMASQ_LOG_DHCP is set if
|
.B --log-dhcp |
.B --log-dhcp |
is in effect. |
is in effect. |
|
|
|
DNSMASQ_REQUESTED_OPTIONS a string containing the decimal values in the Parameter Request List option, comma separated, if the parameter request list option is provided by the client. |
|
|
|
DNSMASQ_MUD_URL the Manufacturer Usage Description URL if provided by the client. (See RFC8520 for details.) |
|
|
|
|
For IPv4 only: |
For IPv4 only: |
|
|
DNSMASQ_CLIENT_ID if the host provided a client-id. |
DNSMASQ_CLIENT_ID if the host provided a client-id. |
Line 1630 DHCP relay-agent added any of these options.
|
Line 1805 DHCP relay-agent added any of these options.
|
|
|
If the client provides vendor-class, DNSMASQ_VENDOR_CLASS. |
If the client provides vendor-class, DNSMASQ_VENDOR_CLASS. |
|
|
DNSMASQ_REQUESTED_OPTIONS a string containing the decimal values in the Parameter Request List option, comma separated, if the parameter request list option is provided by the client. |
|
|
|
For IPv6 only: |
For IPv6 only: |
|
|
If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID, |
If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID, |
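Review bot: the DNSMASQ_REQUESTED_OPTIONS sentence now appears twice, once in the section common to both protocols (beside DNSMASQ_MUD_URL) and again under "For IPv4 only:"; keep only the copy that matches where the variable is actually set and drop the other, otherwise readers cannot tell whether it is available for DHCPv6.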
Line 1674 receives a HUP signal, the script will be invoked for
|
Line 1847 receives a HUP signal, the script will be invoked for
|
with an "old" event. |
with an "old" event. |
|
|
|
|
There are four further actions which may appear as the first argument | There are five further actions which may appear as the first argument |
to the script, "init", "arp-add", "arp-del" and "tftp". More may be added in the future, so | to the script, "init", "arp-add", "arp-del", "relay-snoop" and "tftp". |
| More may be added in the future, so |
scripts should be written to ignore unknown actions. "init" is |
scripts should be written to ignore unknown actions. "init" is |
described below in |
described below in |
.B --leasefile-ro |
.B --leasefile-ro |
|
|
The "tftp" action is invoked when a TFTP file transfer completes: the |
The "tftp" action is invoked when a TFTP file transfer completes: the |
arguments are the file size in bytes, the address to which the file |
arguments are the file size in bytes, the address to which the file |
was sent, and the complete pathname of the file. |
was sent, and the complete pathname of the file. |
| |
| The "relay-snoop" action is invoked when dnsmasq is configured as a DHCP |
| relay for DHCPv6 and it relays a prefx delegation to a client. The arguments |
| are the name of the interface where the client is conected, its (link-local) |
| address on that interface and the delegated prefix. This information is |
| sufficient to install routes to the delegated prefix of a router. See |
| .B --dhcp-relay |
| for more details on configuring DHCP relay. |
| |
The "arp-add" and "arp-del" actions are only called if enabled with |
The "arp-add" and "arp-del" actions are only called if enabled with |
.B --script-arp |
.B --script-arp |
They are are supplied with a MAC address and IP address as arguments. "arp-add" indicates |
They are are supplied with a MAC address and IP address as arguments. "arp-add" indicates |
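Review bot: the new "relay-snoop" paragraph has two spelling errors, "prefx delegation" and "the interface where the client is conected", and the sentence "install routes to the delegated prefix of a router" is ambiguous about which router; "install a route to the delegated prefix via the client" is what the arguments (interface, client link-local address, prefix) support. In the unchanged context, "They are are supplied" should be "They are supplied".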
Line 1813 is the address of the relay and the second, as before,
|
Line 1996 is the address of the relay and the second, as before,
|
addresses may be allocated from. |
addresses may be allocated from. |
|
|
.TP |
.TP |
.B \-s, --domain=<domain>[,<address range>[,local]] | .B \-s, --domain=<domain>[[,<address range>[,local]]|<interface>] |
Specifies DNS domains for the DHCP server. Domains may be be given |
Specifies DNS domains for the DHCP server. Domains may be be given |
unconditionally (without the IP range) or for limited IP ranges. This has two effects; |
unconditionally (without the IP range) or for limited IP ranges. This has two effects; |
firstly it causes the DHCP server to return the domain to any hosts |
firstly it causes the DHCP server to return the domain to any hosts |
Line 1847 additional flag "local" may be supplied which has the
|
Line 2030 additional flag "local" may be supplied which has the
|
is identical to |
is identical to |
.B --domain=thekelleys.org.uk,192.168.0.0/24 |
.B --domain=thekelleys.org.uk,192.168.0.0/24 |
.B --local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/ |
.B --local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/ |
The network size must be 8, 16 or 24 for this to be legal. | |
| The address range can also be given as a network interface name, in which case |
| all of the subnets currently assigned to the interface are used in matching the |
| address. This allows hosts on different physical subnets to be given different |
| domains in a way which updates automatically as the interface addresses change. |
.TP |
.TP |
.B --dhcp-fqdn |
.B --dhcp-fqdn |
In the default mode, dnsmasq inserts the unqualified names of |
In the default mode, dnsmasq inserts the unqualified names of |
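Review bot: the new --domain synopsis "[[,<address range>[,local]]|<interface>]" puts the comma inside only the first alternative, so the interface form reads as "--domain=<domain><interface>" with no separator; "[,<address range>[,local]|,<interface>]" (or moving the comma outside the alternation) matches how the text describes it. The patch also drops the sentence "The network size must be 8, 16 or 24 for this to be legal." without replacement; if that restriction on the address range still applies, keep it, and if it was lifted, say so. In the unchanged context, "Domains may be be given" should be "may be given".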
Line 2020 A special case of
|
Line 2207 A special case of
|
which differs in two respects. Firstly, only \fB--server\fP and \fB--rev-server\fP are allowed |
which differs in two respects. Firstly, only \fB--server\fP and \fB--rev-server\fP are allowed |
in the configuration file included. Secondly, the file is re-read and the configuration |
in the configuration file included. Secondly, the file is re-read and the configuration |
therein is updated when dnsmasq receives SIGHUP. |
therein is updated when dnsmasq receives SIGHUP. |
|
.TP |
|
.B \--conf-script=<file>[ <arg] |
|
Execute <file>, and treat what it emits to stdout as the contents of a configuration file. |
|
If the script exits with a non-zero exit code, dnsmasq treats this as a fatal error. |
|
The script can be passed arguments, space seperated from the filename and each other so, for instance |
|
.B --conf-dir="/etc/dnsmasq-uncompress-ads /share/ads-domains.gz" |
|
|
|
with /etc/dnsmasq-uncompress-ads containing |
|
|
|
set -e |
|
|
|
zcat ${1} | sed -e "s:^:address=/:" -e "s:$:/:" |
|
|
|
exit 0 |
|
|
|
and /share/ads-domains.gz containing a compressed |
|
list of ad server domains will save disk space with large ad-server blocklists. |
|
.TP |
|
.B --no-ident |
|
Do not respond to class CHAOS and type TXT in domain bind queries. |
|
|
|
Without this option being set, the cache statistics are also available in the |
|
DNS as answers to queries of class CHAOS and type TXT in domain bind. The domain |
|
names are cachesize.bind, insertions.bind, evictions.bind, misses.bind, |
|
hits.bind, auth.bind and servers.bind unless disabled at compile-time. An |
|
example command to query this, using the |
|
.B dig |
|
utility would be |
|
|
|
dig +short chaos txt cachesize.bind |
|
|
.SH CONFIG FILE |
.SH CONFIG FILE |
At startup, dnsmasq reads |
At startup, dnsmasq reads |
.I /etc/dnsmasq.conf, |
.I /etc/dnsmasq.conf, |
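Review bot: the worked example under --conf-script uses the wrong option: ".B --conf-dir="/etc/dnsmasq-uncompress-ads /share/ads-domains.gz"" should be --conf-script, which is the option being documented. The synopsis "[ <arg]" is missing the closing ">" of "<arg>", and "space seperated" should be "space separated". For --no-ident, the list of names exposed includes servers.bind, so it is worth one sentence noting that these CHAOS queries reveal cache statistics and the configured upstream servers to anyone who can query the server, which is the reason an administrator would set this option.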
Line 2069 resulted in an error. In
|
Line 2287 resulted in an error. In
|
mode or when full logging is enabled (\fB--log-queries\fP), a complete dump of the |
mode or when full logging is enabled (\fB--log-queries\fP), a complete dump of the |
contents of the cache is made. |
contents of the cache is made. |
|
|
The cache statistics are also available in the DNS as answers to |
|
queries of class CHAOS and type TXT in domain bind. The domain names are cachesize.bind, insertions.bind, evictions.bind, |
|
misses.bind, hits.bind, auth.bind and servers.bind. An example command to query this, using the |
|
.B dig |
|
utility would be |
|
|
|
dig +short chaos txt cachesize.bind |
|
|
|
.PP |
|
When it receives SIGUSR2 and it is logging direct to a file (see |
When it receives SIGUSR2 and it is logging direct to a file (see |
.B --log-facility |
.B --log-facility |
) |
) |
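Review bot: the NOTES paragraph on CHAOS/TXT cache statistics now duplicates the text under --no-ident but does not mention that option; either replace it with a short pointer to --no-ident or add "unless --no-ident is set" here, so the two descriptions cannot drift apart.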
Line 2351 following data is used to populate the authoritative z
|
Line 2560 following data is used to populate the authoritative z
|
.B --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record, --caa-record, |
.B --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record, --caa-record, |
as long as the record names are in the authoritative domain. |
as long as the record names are in the authoritative domain. |
.PP |
.PP |
|
.B --synth-domain |
|
as long as the domain is in the authoritative zone and, for |
|
reverse (PTR) queries, the address is in the relevant subnet. |
|
.PP |
.B --cname |
.B --cname |
as long as the record name is in the authoritative domain. If the |
as long as the record name is in the authoritative domain. If the |
target of the CNAME is unqualified, then it is qualified with the |
target of the CNAME is unqualified, then it is qualified with the |
Line 2367 IPv4 and IPv6 addresses from /etc/hosts (and
|
Line 2580 IPv4 and IPv6 addresses from /etc/hosts (and
|
.B --host-record |
.B --host-record |
and |
and |
.B --interface-name |
.B --interface-name |
|
and |
|
.B ---dynamic-host |
provided the address falls into one of the subnets specified in the |
provided the address falls into one of the subnets specified in the |
.B --auth-zone. |
.B --auth-zone. |
.PP |
.PP |
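Review bot: the new entry ".B ---dynamic-host" has three leading dashes; the option is --dynamic-host.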
Line 2410 file/directory, permissions).
|
Line 2625 file/directory, permissions).
|
5 - Other miscellaneous problem. |
5 - Other miscellaneous problem. |
.PP |
.PP |
11 or greater - a non zero return code was received from the |
11 or greater - a non zero return code was received from the |
lease-script process "init" call. The exit code from dnsmasq is the | lease-script process "init" call or a |
| .B \--conf-script |
| file. The exit code from dnsmasq is the |
script's exit code with 10 added. |
script's exit code with 10 added. |
|
|
.SH LIMITS |
.SH LIMITS |
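Review bot: in the exit-code text, "or a .B \--conf-script file" should read "or a --conf-script script", since what returns the code is the executed script, not a file; also "\--conf-script" mixes the "\-" escape with a bare "-" while the rest of the page writes "--conf-script", so use one form. "non zero" is "non-zero" elsewhere.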