1: .TH DNSMASQ 8
2: .SH NAME
3: dnsmasq \- A lightweight DHCP and caching DNS server.
4: .SH SYNOPSIS
5: .B dnsmasq
6: .I [OPTION]...
7: .SH "DESCRIPTION"
8: .BR dnsmasq
9: is a lightweight DNS, TFTP, PXE, router advertisement and DHCP server. It is intended to provide
10: coupled DNS and DHCP service to a LAN.
11: .PP
12: Dnsmasq accepts DNS queries and either answers them from a small, local,
13: cache or forwards them to a real, recursive, DNS server. It loads the
14: contents of /etc/hosts so that local hostnames
15: which do not appear in the global DNS can be resolved and also answers
16: DNS queries for DHCP configured hosts. It can also act as the authoritative DNS server for one or more domains, allowing local names to appear in the global DNS.
17: .PP
18: The dnsmasq DHCP server supports static address assignments and multiple
19: networks. It automatically
20: sends a sensible default set of DHCP options, and can be configured to
21: send any desired set of DHCP options, including vendor-encapsulated
22: options. It includes a secure, read-only,
23: TFTP server to allow net/PXE boot of DHCP hosts and also supports BOOTP. The PXE support is full featured, and includes a proxy mode which supplies PXE information to clients whilst DHCP address allocation is done by another server.
24: .PP
25: The dnsmasq DHCPv6 server provides the same set of features as the
26: DHCPv4 server, and in addition, it includes router advertisements and
27: a neat feature which allows nameing for clients which use DHCPv4 and
28: stateless autoconfiguration only for IPv6 configuration. There is support for doing address allocation (both DHCPv6 and RA) from subnets which are dynamically delegated via DHCPv6 prefix delegation.
29: .PP
30: Dnsmasq is coded with small embedded systems in mind. It aims for the smallest possible memory footprint compatible with the supported functions, and allows uneeded functions to be omitted from the compiled binary.
31: .SH OPTIONS
32: Note that in general missing parameters are allowed and switch off
33: functions, for instance "--pid-file" disables writing a PID file. On
34: BSD, unless the GNU getopt library is linked, the long form of the
35: options does not work on the command line; it is still recognised in
36: the configuration file.
37: .TP
38: .B --test
39: Read and syntax check configuration file(s). Exit with code 0 if all
40: is OK, or a non-zero code otherwise. Do not start up dnsmasq.
41: .TP
42: .B \-h, --no-hosts
43: Don't read the hostnames in /etc/hosts.
44: .TP
45: .B \-H, --addn-hosts=<file>
46: Additional hosts file. Read the specified file as well as /etc/hosts. If -h is given, read
47: only the specified file. This option may be repeated for more than one
48: additional hosts file. If a directory is given, then read all the files contained in that directory.
49: .TP
50: .B \-E, --expand-hosts
51: Add the domain to simple names (without a period) in /etc/hosts
52: in the same way as for DHCP-derived names. Note that this does not
53: apply to domain names in cnames, PTR records, TXT records etc.
54: .TP
55: .B \-T, --local-ttl=<time>
56: When replying with information from /etc/hosts or the DHCP leases
57: file dnsmasq by default sets the time-to-live field to zero, meaning
58: that the requester should not itself cache the information. This is
59: the correct thing to do in almost all situations. This option allows a
60: time-to-live (in seconds) to be given for these replies. This will
61: reduce the load on the server at the expense of clients using stale
62: data under some circumstances.
63: .TP
64: .B --neg-ttl=<time>
65: Negative replies from upstream servers normally contain time-to-live
66: information in SOA records which dnsmasq uses for caching. If the
67: replies from upstream servers omit this information, dnsmasq does not
68: cache the reply. This option gives a default value for time-to-live
69: (in seconds) which dnsmasq uses to cache negative replies even in
70: the absence of an SOA record.
71: .TP
72: .B --max-ttl=<time>
73: Set a maximum TTL value that will be handed out to clients. The specified
74: maximum TTL will be given to clients instead of the true TTL value if it is
75: lower. The true TTL value is however kept in the cache to avoid flooding
76: the upstream DNS servers.
77: .TP
78: .B --max-cache-ttl=<time>
79: Set a maximum TTL value for entries in the cache.
80: .TP
81: .B --auth-ttl=<time>
82: Set the TTL value returned in answers from the authoritative server.
83: .TP
84: .B \-k, --keep-in-foreground
85: Do not go into the background at startup but otherwise run as
86: normal. This is intended for use when dnsmasq is run under daemontools
87: or launchd.
88: .TP
89: .B \-d, --no-daemon
90: Debug mode: don't fork to the background, don't write a pid file,
91: don't change user id, generate a complete cache dump on receipt on
92: SIGUSR1, log to stderr as well as syslog, don't fork new processes
93: to handle TCP queries. Note that this option is for use in debugging
94: only, to stop dnsmasq daemonising in production, use
95: .B -k.
96: .TP
97: .B \-q, --log-queries
98: Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1.
99: .TP
100: .B \-8, --log-facility=<facility>
101: Set the facility to which dnsmasq will send syslog entries, this
102: defaults to DAEMON, and to LOCAL0 when debug mode is in operation. If
103: the facility given contains at least one '/' character, it is taken to
104: be a filename, and dnsmasq logs to the given file, instead of
105: syslog. If the facility is '-' then dnsmasq logs to stderr.
106: (Errors whilst reading configuration will still go to syslog,
107: but all output from a successful startup, and all output whilst
108: running, will go exclusively to the file.) When logging to a file,
109: dnsmasq will close and reopen the file when it receives SIGUSR2. This
110: allows the log file to be rotated without stopping dnsmasq.
111: .TP
112: .B --log-async[=<lines>]
113: Enable asynchronous logging and optionally set the limit on the
114: number of lines
115: which will be queued by dnsmasq when writing to the syslog is slow.
116: Dnsmasq can log asynchronously: this
117: allows it to continue functioning without being blocked by syslog, and
118: allows syslog to use dnsmasq for DNS queries without risking deadlock.
119: If the queue of log-lines becomes full, dnsmasq will log the
120: overflow, and the number of messages lost. The default queue length is
121: 5, a sane value would be 5-25, and a maximum limit of 100 is imposed.
122: .TP
123: .B \-x, --pid-file=<path>
124: Specify an alternate path for dnsmasq to record its process-id in. Normally /var/run/dnsmasq.pid.
125: .TP
126: .B \-u, --user=<username>
127: Specify the userid to which dnsmasq will change after startup. Dnsmasq must normally be started as root, but it will drop root
128: privileges after startup by changing id to another user. Normally this user is "nobody" but that
129: can be over-ridden with this switch.
130: .TP
131: .B \-g, --group=<groupname>
132: Specify the group which dnsmasq will run
133: as. The defaults to "dip", if available, to facilitate access to
134: /etc/ppp/resolv.conf which is not normally world readable.
135: .TP
136: .B \-v, --version
137: Print the version number.
138: .TP
139: .B \-p, --port=<port>
140: Listen on <port> instead of the standard DNS port (53). Setting this
141: to zero completely disables DNS function, leaving only DHCP and/or TFTP.
142: .TP
143: .B \-P, --edns-packet-max=<size>
144: Specify the largest EDNS.0 UDP packet which is supported by the DNS
145: forwarder. Defaults to 4096, which is the RFC5625-recommended size.
146: .TP
147: .B \-Q, --query-port=<query_port>
148: Send outbound DNS queries from, and listen for their replies on, the
149: specific UDP port <query_port> instead of using random ports. NOTE
150: that using this option will make dnsmasq less secure against DNS
151: spoofing attacks but it may be faster and use less resources. Setting this option
152: to zero makes dnsmasq use a single port allocated to it by the
153: OS: this was the default behaviour in versions prior to 2.43.
154: .TP
155: .B --min-port=<port>
156: Do not use ports less than that given as source for outbound DNS
157: queries. Dnsmasq picks random ports as source for outbound queries:
158: when this option is given, the ports used will always to larger
159: than that specified. Useful for systems behind firewalls.
160: .TP
161: .B \-i, --interface=<interface name>
162: Listen only on the specified interface(s). Dnsmasq automatically adds
163: the loopback (local) interface to the list of interfaces to use when
164: the
165: .B \--interface
166: option is used. If no
167: .B \--interface
168: or
169: .B \--listen-address
170: options are given dnsmasq listens on all available interfaces except any
171: given in
172: .B \--except-interface
173: options. IP alias interfaces (eg "eth1:0") cannot be used with
174: .B --interface
175: or
176: .B --except-interface
177: options, use --listen-address instead. A simple wildcard, consisting
178: of a trailing '*', can be used in
179: .B \--interface
180: and
181: .B \--except-interface
182: options.
183: .TP
184: .B \-I, --except-interface=<interface name>
185: Do not listen on the specified interface. Note that the order of
186: .B \--listen-address
187: .B --interface
188: and
189: .B --except-interface
190: options does not matter and that
191: .B --except-interface
192: options always override the others.
193: .TP
194: .B --auth-server=<domain>,<interface>|<ip-address>
195: Enable DNS authoritative mode for queries arriving at an interface or address. Note that the interface or address
196: need not be mentioned in
197: .B --interface
198: or
199: .B --listen-address
200: configuration, indeed
201: .B --auth-server
202: will overide these and provide a different DNS service on the specified interface. The <domain> is the "glue record". It should resolve in the global DNS to a A and/or AAAA record which points to the address dnsmasq is listening on.
203: .TP
204: .B \-2, --no-dhcp-interface=<interface name>
205: Do not provide DHCP or TFTP on the specified interface, but do provide DNS service.
206: .TP
207: .B \-a, --listen-address=<ipaddr>
208: Listen on the given IP address(es). Both
209: .B \--interface
210: and
211: .B \--listen-address
212: options may be given, in which case the set of both interfaces and
213: addresses is used. Note that if no
214: .B \--interface
215: option is given, but
216: .B \--listen-address
217: is, dnsmasq will not automatically listen on the loopback
218: interface. To achieve this, its IP address, 127.0.0.1, must be
219: explicitly given as a
220: .B \--listen-address
221: option.
222: .TP
223: .B \-z, --bind-interfaces
224: On systems which support it, dnsmasq binds the wildcard address,
225: even when it is listening on only some interfaces. It then discards
226: requests that it shouldn't reply to. This has the advantage of
227: working even when interfaces come and go and change address. This
228: option forces dnsmasq to really bind only the interfaces it is
229: listening on. About the only time when this is useful is when
230: running another nameserver (or another instance of dnsmasq) on the
231: same machine. Setting this option also enables multiple instances of
232: dnsmasq which provide DHCP service to run in the same machine.
233: .TP
234: .B --bind-dynamic
235: Enable a network mode which is a hybrid between
236: .B --bind-interfaces
237: and the default. Dnsmasq binds the address of individual interfaces,
238: allowing multiple dnsmasq instances, but if new interfaces or
239: addresses appear, it automatically listens on those (subject to any
240: access-control configuration). This makes dynamically created
241: interfaces work in the same way as the default. Implementing this
242: option requires non-standard networking APIs and it is only available
243: under Linux. On other platforms it falls-back to --bind-interfaces mode.
244: .TP
245: .B \-y, --localise-queries
246: Return answers to DNS queries from /etc/hosts which depend on the interface over which the query was
247: received. If a name in /etc/hosts has more than one address associated with
248: it, and at least one of those addresses is on the same subnet as the
249: interface to which the query was sent, then return only the
250: address(es) on that subnet. This allows for a server to have multiple
251: addresses in /etc/hosts corresponding to each of its interfaces, and
252: hosts will get the correct address based on which network they are
253: attached to. Currently this facility is limited to IPv4.
254: .TP
255: .B \-b, --bogus-priv
256: Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192.168.x.x, etc)
257: which are not found in /etc/hosts or the DHCP leases file are answered
258: with "no such domain" rather than being forwarded upstream.
259: .TP
260: .B \-V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
261: Modify IPv4 addresses returned from upstream nameservers; old-ip is
262: replaced by new-ip. If the optional mask is given then any address
263: which matches the masked old-ip will be re-written. So, for instance
264: .B --alias=1.2.3.0,6.7.8.0,255.255.255.0
265: will map 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what
266: Cisco PIX routers call "DNS doctoring". If the old IP is given as
267: range, then only addresses in the range, rather than a whole subnet,
268: are re-written. So
269: .B --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
270: maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
271: .TP
272: .B \-B, --bogus-nxdomain=<ipaddr>
273: Transform replies which contain the IP address given into "No such
274: domain" replies. This is intended to counteract a devious move made by
275: Verisign in September 2003 when they started returning the address of
276: an advertising web page in response to queries for unregistered names,
277: instead of the correct NXDOMAIN response. This option tells dnsmasq to
278: fake the correct response when it sees this behaviour. As at Sept 2003
279: the IP address being returned by Verisign is 64.94.110.11
280: .TP
281: .B \-f, --filterwin2k
282: Later versions of windows make periodic DNS requests which don't get sensible answers from
283: the public DNS and can cause problems by triggering dial-on-demand links. This flag turns on an option
284: to filter such requests. The requests blocked are for records of types SOA and SRV, and type ANY where the
285: requested name has underscores, to catch LDAP requests.
286: .TP
287: .B \-r, --resolv-file=<file>
288: Read the IP addresses of the upstream nameservers from <file>, instead of
289: /etc/resolv.conf. For the format of this file see
290: .BR resolv.conf (5).
291: The only lines relevant to dnsmasq are nameserver ones. Dnsmasq can
292: be told to poll more than one resolv.conf file, the first file name specified
293: overrides the default, subsequent ones add to the list. This is only
294: allowed when polling; the file with the currently latest modification
295: time is the one used.
296: .TP
297: .B \-R, --no-resolv
298: Don't read /etc/resolv.conf. Get upstream servers only from the command
299: line or the dnsmasq configuration file.
300: .TP
301: .B \-1, --enable-dbus[=<service-name>]
302: Allow dnsmasq configuration to be updated via DBus method calls. The
303: configuration which can be changed is upstream DNS servers (and
304: corresponding domains) and cache clear. Requires that dnsmasq has
305: been built with DBus support. If the service name is given, dnsmasq
306: provides service at that name, rather than the default which is
307: .B uk.org.thekelleys.dnsmasq
308: .TP
309: .B \-o, --strict-order
310: By default, dnsmasq will send queries to any of the upstream servers
311: it knows about and tries to favour servers that are known to
312: be up. Setting this flag forces dnsmasq to try each query with each
313: server strictly in the order they appear in /etc/resolv.conf
314: .TP
315: .B --all-servers
316: By default, when dnsmasq has more than one upstream server available,
317: it will send queries to just one server. Setting this flag forces
318: dnsmasq to send all queries to all available servers. The reply from
319: the server which answers first will be returned to the original requester.
320: .TP
321: .B --stop-dns-rebind
322: Reject (and log) addresses from upstream nameservers which are in the
323: private IP ranges. This blocks an attack where a browser behind a
324: firewall is used to probe machines on the local network.
325: .TP
326: .B --rebind-localhost-ok
327: Exempt 127.0.0.0/8 from rebinding checks. This address range is
328: returned by realtime black hole servers, so blocking it may disable
329: these services.
330: .TP
331: .B --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
332: Do not detect and block dns-rebind on queries to these domains. The
333: argument may be either a single domain, or multiple domains surrounded
334: by '/', like the --server syntax, eg.
335: .B --rebind-domain-ok=/domain1/domain2/domain3/
336: .TP
337: .B \-n, --no-poll
338: Don't poll /etc/resolv.conf for changes.
339: .TP
340: .B --clear-on-reload
341: Whenever /etc/resolv.conf is re-read, clear the DNS cache.
342: This is useful when new nameservers may have different
343: data than that held in cache.
344: .TP
345: .B \-D, --domain-needed
346: Tells dnsmasq to never forward A or AAAA queries for plain names, without dots
347: or domain parts, to upstream nameservers. If the name is not known
348: from /etc/hosts or DHCP then a "not found" answer is returned.
349: .TP
350: .B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]
351: Specify IP address of upstream servers directly. Setting this flag does
352: not suppress reading of /etc/resolv.conf, use -R to do that. If one or
353: more
354: optional domains are given, that server is used only for those domains
355: and they are queried only using the specified server. This is
356: intended for private nameservers: if you have a nameserver on your
357: network which deals with names of the form
358: xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag
359: .B -S /internal.thekelleys.org.uk/192.168.1.1
360: will send all queries for
361: internal machines to that nameserver, everything else will go to the
362: servers in /etc/resolv.conf. An empty domain specification,
363: .B //
364: has the special meaning of "unqualified names only" ie names without any
365: dots in them. A non-standard port may be specified as
366: part of the IP
367: address using a # character.
368: More than one -S flag is allowed, with
369: repeated domain or ipaddr parts as required.
370:
371: More specific domains take precendence over less specific domains, so:
372: .B --server=/google.com/1.2.3.4
373: .B --server=/www.google.com/2.3.4.5
374: will send queries for *.google.com to 1.2.3.4, except *www.google.com,
375: which will go to 2.3.4.5
376:
377: The special server address '#' means, "use the standard servers", so
378: .B --server=/google.com/1.2.3.4
379: .B --server=/www.google.com/#
380: will send queries for *.google.com to 1.2.3.4, except *www.google.com which will
381: be forwarded as usual.
382:
383: Also permitted is a -S
384: flag which gives a domain but no IP address; this tells dnsmasq that
385: a domain is local and it may answer queries from /etc/hosts or DHCP
386: but should never forward queries on that domain to any upstream
387: servers.
388: .B local
389: is a synonym for
390: .B server
391: to make configuration files clearer in this case.
392:
393: IPv6 addresses may include a %interface scope-id, eg
394: fe80::202:a412:4512:7bbf%eth0.
395:
396: The optional string after the @ character tells
397: dnsmasq how to set the source of the queries to this
398: nameserver. It should be an ip-address, which should belong to the machine on which
399: dnsmasq is running otherwise this server line will be logged and then
400: ignored, or an interface name. If an interface name is given, then
401: queries to the server will be forced via that interface; if an
402: ip-address is given then the source address of the queries will be set
403: to that address.
404: The query-port flag is ignored for any servers which have a
405: source address specified but the port may be specified directly as
406: part of the source address. Forcing queries to an interface is not
407: implemented on all platforms supported by dnsmasq.
408: .TP
409: .B \-A, --address=/<domain>/[domain/]<ipaddr>
410: Specify an IP address to return for any host in the given domains.
411: Queries in the domains are never forwarded and always replied to
412: with the specified IP address which may be IPv4 or IPv6. To give
413: both IPv4 and IPv6 addresses for a domain, use repeated -A flags.
414: Note that /etc/hosts and DHCP leases override this for individual
415: names. A common use of this is to redirect the entire doubleclick.net
416: domain to some friendly local web server to avoid banner ads. The
417: domain specification works in the same was as for --server, with the
418: additional facility that /#/ matches any domain. Thus
419: --address=/#/1.2.3.4 will always return 1.2.3.4 for any query not
420: answered from /etc/hosts or DHCP and not sent to an upstream
421: nameserver by a more specific --server directive.
422: .TP
423: .B --ipset=/<domain>/[domain/]<ipset>[,<ipset>]
424: Places the resolved IP addresses of queries for the specified domains
425: in the specified netfilter ip sets. Domains and subdomains are matched
426: in the same way as --address. These ip sets must already exist. See
427: ipset(8) for more details.
428: .TP
429: .B \-m, --mx-host=<mx name>[[,<hostname>],<preference>]
430: Return an MX record named <mx name> pointing to the given hostname (if
431: given), or
432: the host specified in the --mx-target switch
433: or, if that switch is not given, the host on which dnsmasq
434: is running. The default is useful for directing mail from systems on a LAN
435: to a central server. The preference value is optional, and defaults to
436: 1 if not given. More than one MX record may be given for a host.
437: .TP
438: .B \-t, --mx-target=<hostname>
439: Specify the default target for the MX record returned by dnsmasq. See
440: --mx-host. If --mx-target is given, but not --mx-host, then dnsmasq
441: returns a MX record containing the MX target for MX queries on the
442: hostname of the machine on which dnsmasq is running.
443: .TP
444: .B \-e, --selfmx
445: Return an MX record pointing to itself for each local
446: machine. Local machines are those in /etc/hosts or with DHCP leases.
447: .TP
448: .B \-L, --localmx
449: Return an MX record pointing to the host given by mx-target (or the
450: machine on which dnsmasq is running) for each
451: local machine. Local machines are those in /etc/hosts or with DHCP
452: leases.
453: .TP
454: .B \-W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<priority>[,<weight>]]]]
455: Return a SRV DNS record. See RFC2782 for details. If not supplied, the
456: domain defaults to that given by
457: .B --domain.
458: The default for the target domain is empty, and the default for port
459: is one and the defaults for
460: weight and priority are zero. Be careful if transposing data from BIND
461: zone files: the port, weight and priority numbers are in a different
462: order. More than one SRV record for a given service/domain is allowed,
463: all that match are returned.
464: .TP
465: .B --host-record=<name>[,<name>....][<IPv4-address>],[<IPv6-address>]
466: Add A, AAAA and PTR records to the DNS. This adds one or more names to
467: the DNS with associated IPv4 (A) and IPv6 (AAAA) records. A name may
468: appear in more than one
469: .B host-record
470: and therefore be assigned more than one address. Only the first
471: address creates a PTR record linking the address to the name. This is
472: the same rule as is used reading hosts-files.
473: .B host-record
474: options are considered to be read before host-files, so a name
475: appearing there inhibits PTR-record creation if it appears in
476: hosts-file also. Unlike hosts-files, names are not expanded, even when
477: .B expand-hosts
478: is in effect. Short and long names may appear in the same
479: .B host-record,
480: eg.
481: .B --host-record=laptop,laptop.thekelleys.org,192.168.0.1,1234::100
482: .TP
483: .B \-Y, --txt-record=<name>[[,<text>],<text>]
484: Return a TXT DNS record. The value of TXT record is a set of strings,
485: so any number may be included, delimited by commas; use quotes to put
486: commas into a string. Note that the maximum length of a single string
487: is 255 characters, longer strings are split into 255 character chunks.
488: .TP
489: .B --ptr-record=<name>[,<target>]
490: Return a PTR DNS record.
491: .TP
492: .B --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<regexp>[,<replacement>]
493: Return an NAPTR DNS record, as specified in RFC3403.
494: .TP
495: .B --cname=<cname>,<target>
496: Return a CNAME record which indicates that <cname> is really
497: <target>. There are significant limitations on the target; it must be a
498: DNS name which is known to dnsmasq from /etc/hosts (or additional
499: hosts files), from DHCP or from another
500: .B --cname.
501: If the target does not satisfy this
502: criteria, the whole cname is ignored. The cname must be unique, but it
503: is permissable to have more than one cname pointing to the same target.
504: .TP
505: .B --dns-rr=<name>,<RR-number>,[<hex data>]
506: Return an arbitrary DNS Resource Record. The number is the type of the
507: record (which is always in the C_IN class). The value of the record is
508: given by the hex data, which may be of the form 01:23:45 or 01 23 45 or
509: 012345 or any mixture of these.
510: .TP
511: .B --interface-name=<name>,<interface>
512: Return a DNS record associating the name with the primary address on
513: the given interface. This flag specifies an A record for the given
514: name in the same way as an /etc/hosts line, except that the address is
515: not constant, but taken from the given interface. If the interface is
516: down, not configured or non-existent, an empty record is returned. The
517: matching PTR record is also created, mapping the interface address to
518: the name. More than one name may be associated with an interface
519: address by repeating the flag; in that case the first instance is used
520: for the reverse address-to-name mapping.
521: .TP
522: .B --add-mac
523: Add the MAC address of the requestor to DNS queries which are
524: forwarded upstream. This may be used to DNS filtering by the upstream
525: server. The MAC address can only be added if the requestor is on the same
526: subnet as the dnsmasq server. Note that the mechanism used to achieve this (an EDNS0 option)
527: is not yet standardised, so this should be considered
528: experimental. Also note that exposing MAC addresses in this way may
529: have security and privacy implications.
530: .TP
531: .B \-c, --cache-size=<cachesize>
532: Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching.
533: .TP
534: .B \-N, --no-negcache
535: Disable negative caching. Negative caching allows dnsmasq to remember
536: "no such domain" answers from upstream nameservers and answer
537: identical queries without forwarding them again.
538: .TP
539: .B \-0, --dns-forward-max=<queries>
540: Set the maximum number of concurrent DNS queries. The default value is
541: 150, which should be fine for most setups. The only known situation
542: where this needs to be increased is when using web-server log file
543: resolvers, which can generate large numbers of concurrent queries.
544: .TP
545: .B --proxy-dnssec
546: A resolver on a client machine can do DNSSEC validation in two ways: it
547: can perform the cryptograhic operations on the reply it receives, or
548: it can rely on the upstream recursive nameserver to do the validation
549: and set a bit in the reply if it succeeds. Dnsmasq is not a DNSSEC
550: validator, so it cannot perform the validation role of the recursive nameserver,
551: but it can pass through the validation results from its own upstream
552: nameservers. This option enables this behaviour. You should only do
553: this if you trust all the configured upstream nameservers
554: .I and the network between you and them.
555: If you use the first DNSSEC mode, validating resolvers in clients,
556: this option is not required. Dnsmasq always returns all the data
557: needed for a client to do validation itself.
558: .TP
559: .B --auth-zone=<domain>[,<subnet>[,<subnet>.....]]
560: Define a DNS zone for which dnsmasq acts as authoritative server. Locally defined DNS records which are in the domain
561: will be served, except that A and AAAA records must be in one of the
562: specified subnets, or in a subnet corresponding to a contructed DHCP
563: range. The subnet(s) are also used to define in-addr.arpa and
564: ipv6.arpa domains which are served for reverse-DNS queries. For IPv4
565: subnets, the prefix length is limited to the values 8, 16 or 24.
566: .TP
567: .B --auth-soa=<serial>[,<hostmaster>[,<refresh>[,<retry>[,<expiry>]]]]
568: Specify fields in the SOA record associated with authoritative
569: zones. Note that this is optional, all the values are set to sane defaults.
570: .TP
571: .B --auth-sec-servers=<domain>[,<domain>[,<domain>...]]
572: Specify any secondary servers for a zone for which dnsmasq is
573: authoritative. These servers must be configured to get zone data from
574: dnsmasq by zone transfer, and answer queries for the same
575: authoritative zones as dnsmasq.
576: .TP
577: .B --auth-peer=<ip-address>[,<ip-address>[,<ip-address>...]]
578: Specify the addresses of secondary servers which are allowed to
579: initiate zone transfer (AXFR) requests for zones for which dnsmasq is
580: authoritative. If this option is not given, then AXFR requests will be
581: accepted from any secondary.
582: .TP
583: .B --conntrack
584: Read the Linux connection track mark associated with incoming DNS
585: queries and set the same mark value on upstream traffic used to answer
586: those queries. This allows traffic generated by dnsmasq to be
587: associated with the queries which cause it, useful for bandwidth
588: accounting and firewalling. Dnsmasq must have conntrack support
589: compiled in and the kernel must have conntrack support
590: included and configured. This option cannot be combined with
591: --query-port.
592: .TP
593: .B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>][,<mode>][,<netmask>[,<broadcast>]][,<lease time>]
594: .TP
595: .B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-IPv6addr>[,<end-IPv6addr>|constructor:<interface>][,<mode>][,<prefix-len>][,<lease time>]
596:
597: Enable the DHCP server. Addresses will be given out from the range
598: <start-addr> to <end-addr> and from statically defined addresses given
599: in
600: .B dhcp-host
601: options. If the lease time is given, then leases
602: will be given for that length of time. The lease time is in seconds,
603: or minutes (eg 45m) or hours (eg 1h) or "infinite". If not given,
604: the default lease time is one hour. The
605: minimum lease time is two minutes. For IPv6 ranges, the lease time
606: maybe "deprecated"; this sets the preferred lifetime sent in a DHCP
607: lease or router advertisement to zero, which causes clients to use
608: other addresses, if available, for new connections as a prelude to renumbering.
609:
610: This option may be repeated, with different addresses, to enable DHCP
611: service to more than one network. For directly connected networks (ie,
612: networks on which the machine running dnsmasq has an interface) the
613: netmask is optional: dnsmasq will determine it from the interface
614: configuration. For networks which receive DHCP service via a relay
615: agent, dnsmasq cannot determine the netmask itself, so it should be
616: specified, otherwise dnsmasq will have to guess, based on the class (A, B or
617: C) of the network address. The broadcast address is
618: always optional. It is always
619: allowed to have more than one dhcp-range in a single subnet.
620:
621: For IPv6, the parameters are slightly different: instead of netmask
622: and broadcast address, there is an optional prefix length. If not
623: given, this defaults to 64. Unlike the IPv4 case, the prefix length is not
624: automatically derived from the interface configuration. The mimimum
625: size of the prefix length is 64.
626:
627: IPv6 (only) supports another type of range. In this, the start address and optional end address contain only the network part (ie ::1) and they are followed by
628: .B constructor:<interface>.
629: This forms a template which describes how to create ranges, based on the addresses assigned to the interface. For instance
630:
631: .B --dhcp-range=::1,::400,constructor:eth0
632:
633: will look for addresses of the form <network>::1 on eth0 and then create a range from <network>::1 to <network>::400. If the interface is assigned more than one network, then the corresponding ranges will be automatically created, and then deprecated and finally removed again as the address is deprecated and then deleted. The interface name may have a final "*" wildcard.
634:
635: The optional
636: .B set:<tag>
637: sets an alphanumeric label which marks this network so that
638: dhcp options may be specified on a per-network basis.
639: When it is prefixed with 'tag:' instead, then its meaning changes from setting
640: a tag to matching it. Only one tag may be set, but more than one tag
641: may be matched.
642:
643: The optional <mode> keyword may be
644: .B static
645: which tells dnsmasq to enable DHCP for the network specified, but not
646: to dynamically allocate IP addresses: only hosts which have static
647: addresses given via
648: .B dhcp-host
649: or from /etc/ethers will be served. A static-only subnet with address
650: all zeros may be used as a "catch-all" address to enable replies to all
651: Information-request packets on a subnet which is provided with
652: stateless DHCPv6, ie
653: .B --dhcp=range=::,static
654:
655: For IPv4, the <mode> may be
656: .B proxy
657: in which case dnsmasq will provide proxy-DHCP on the specified
658: subnet. (See
659: .B pxe-prompt
660: and
661: .B pxe-service
662: for details.)
663:
664: For IPv6, the mode may be some combination of
665: .B ra-only, slaac, ra-names, ra-stateless.
666:
667: .B ra-only
668: tells dnsmasq to offer Router Advertisement only on this subnet,
669: and not DHCP.
670:
671: .B slaac
672: tells dnsmasq to offer Router Advertisement on this subnet and to set
673: the A bit in the router advertisement, so that the client will use
674: SLAAC addresses. When used with a DHCP range or static DHCP address
675: this results in the client having both a DHCP-assigned and a SLAAC
676: address.
677:
678: .B ra-stateless
679: sends router advertisements with the O and A bits set, and provides a
680: stateless DHCP service. The client will use a SLAAC address, and use
681: DHCP for other configuration information.
682:
683: .B ra-names
684: enables a mode
685: which gives DNS names to dual-stack hosts which do SLAAC for
686: IPv6. Dnsmasq uses the host's IPv4 lease to derive the name, network
687: segment and MAC address and assumes that the host will also have an
688: IPv6 address calculated using the SLAAC algorithm, on the same network
689: segment. The address is pinged, and if a reply is received, an AAAA
690: record is added to the DNS for this IPv6
691: address. Note that this is only happens for directly-connected
692: networks, (not one doing DHCP via a relay) and it will not work
693: if a host is using privacy extensions.
694: .B ra-names
695: can be combined with
696: .B ra-stateless
697: and
698: .B slaac.
699:
700: .TP
701: .B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
702: Specify per host parameters for the DHCP server. This allows a machine
703: with a particular hardware address to be always allocated the same
704: hostname, IP address and lease time. A hostname specified like this
705: overrides any supplied by the DHCP client on the machine. It is also
706: allowable to omit the hardware address and include the hostname, in
707: which case the IP address and lease times will apply to any machine
708: claiming that name. For example
709: .B --dhcp-host=00:20:e0:3b:13:af,wap,infinite
710: tells dnsmasq to give
711: the machine with hardware address 00:20:e0:3b:13:af the name wap, and
712: an infinite DHCP lease.
713: .B --dhcp-host=lap,192.168.0.199
714: tells
715: dnsmasq to always allocate the machine lap the IP address
716: 192.168.0.199.
717:
718: Addresses allocated like this are not constrained to be
719: in the range given by the --dhcp-range option, but they must be in
720: the same subnet as some valid dhcp-range. For
721: subnets which don't need a pool of dynamically allocated addresses,
722: use the "static" keyword in the dhcp-range declaration.
723:
724: It is allowed to use client identifiers rather than
725: hardware addresses to identify hosts by prefixing with 'id:'. Thus:
726: .B --dhcp-host=id:01:02:03:04,.....
727: refers to the host with client identifier 01:02:03:04. It is also
728: allowed to specify the client ID as text, like this:
729: .B --dhcp-host=id:clientidastext,.....
730:
731: A single
732: .B dhcp-host
733: may contain an IPv4 address or an IPv6 address, or both. IPv6 addresses must be bracketed by square brackets thus:
734: .B --dhcp-host=laptop,[1234::56]
735: IPv6 addresses may contain only the host-identifier part:
736: .B --dhcp-host=laptop,[::56]
737: in which case they act as wildcards in constructed dhcp ranges, with
738: the appropriate network part inserted.
739: Note that in IPv6 DHCP, the hardware address is not normally
740: available, so a client must be identified by client-id (called client
741: DUID in IPv6-land) or hostname.
742:
743: The special option id:* means "ignore any client-id
744: and use MAC addresses only." This is useful when a client presents a client-id sometimes
745: but not others.
746:
747: If a name appears in /etc/hosts, the associated address can be
748: allocated to a DHCP lease, but only if a
749: .B --dhcp-host
750: option specifying the name also exists. Only one hostname can be
751: given in a
752: .B dhcp-host
753: option, but aliases are possible by using CNAMEs. (See
754: .B --cname
755: ).
756:
757: The special keyword "ignore"
758: tells dnsmasq to never offer a DHCP lease to a machine. The machine
759: can be specified by hardware address, client ID or hostname, for
760: instance
761: .B --dhcp-host=00:20:e0:3b:13:af,ignore
762: This is
763: useful when there is another DHCP server on the network which should
764: be used by some machines.
765:
766: The set:<tag> contruct sets the tag
767: whenever this dhcp-host directive is in use. This can be used to
768: selectively send DHCP options just for this host. More than one tag
769: can be set in a dhcp-host directive (but not in other places where
770: "set:<tag>" is allowed). When a host matches any
771: dhcp-host directive (or one implied by /etc/ethers) then the special
772: tag "known" is set. This allows dnsmasq to be configured to
773: ignore requests from unknown machines using
774: .B --dhcp-ignore=tag:!known
775: Ethernet addresses (but not client-ids) may have
776: wildcard bytes, so for example
777: .B --dhcp-host=00:20:e0:3b:13:*,ignore
778: will cause dnsmasq to ignore a range of hardware addresses. Note that
779: the "*" will need to be escaped or quoted on a command line, but not
780: in the configuration file.
781:
782: Hardware addresses normally match any
783: network (ARP) type, but it is possible to restrict them to a single
784: ARP type by preceding them with the ARP-type (in HEX) and "-". so
785: .B --dhcp-host=06-00:20:e0:3b:13:af,1.2.3.4
786: will only match a
787: Token-Ring hardware address, since the ARP-address type for token ring
788: is 6.
789:
790: As a special case, in DHCPv4, it is possible to include more than one
791: hardware address. eg:
792: .B --dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2
793: This allows an IP address to be associated with
794: multiple hardware addresses, and gives dnsmasq permission to abandon a
795: DHCP lease to one of the hardware addresses when another one asks for
796: a lease. Beware that this is a dangerous thing to do, it will only
797: work reliably if only one of the hardware addresses is active at any
798: time and there is no way for dnsmasq to enforce this. It is, for instance,
799: useful to allocate a stable IP address to a laptop which
800: has both wired and wireless interfaces.
801: .TP
802: .B --dhcp-hostsfile=<path>
803: Read DHCP host information from the specified file. If a directory
804: is given, then read all the files contained in that directory. The file contains
805: information about one host per line. The format of a line is the same
806: as text to the right of '=' in --dhcp-host. The advantage of storing DHCP host information
807: in this file is that it can be changed without re-starting dnsmasq:
808: the file will be re-read when dnsmasq receives SIGHUP.
809: .TP
810: .B --dhcp-optsfile=<path>
811: Read DHCP option information from the specified file. If a directory
812: is given, then read all the files contained in that directory. The advantage of
813: using this option is the same as for --dhcp-hostsfile: the
814: dhcp-optsfile will be re-read when dnsmasq receives SIGHUP. Note that
815: it is possible to encode the information in a
816: .B --dhcp-boot
817: flag as DHCP options, using the options names bootfile-name,
818: server-ip-address and tftp-server. This allows these to be included
819: in a dhcp-optsfile.
820: .TP
821: .B \-Z, --read-ethers
822: Read /etc/ethers for information about hosts for the DHCP server. The
823: format of /etc/ethers is a hardware address, followed by either a
824: hostname or dotted-quad IP address. When read by dnsmasq these lines
825: have exactly the same effect as
826: .B --dhcp-host
827: options containing the same information. /etc/ethers is re-read when
828: dnsmasq receives SIGHUP. IPv6 addresses are NOT read from /etc/ethers.
829: .TP
830: .B \-O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>|option6:<opt>|option6:<opt-name>],[<value>[,<value>]]
831: Specify different or extra options to DHCP clients. By default,
832: dnsmasq sends some standard options to DHCP clients, the netmask and
833: broadcast address are set to the same as the host running dnsmasq, and
834: the DNS server and default route are set to the address of the machine
835: running dnsmasq. (Equivalent rules apply for IPv6.) If the domain name option has been set, that is sent.
836: This configuration allows these defaults to be overridden,
837: or other options specified. The option, to be sent may be given as a
838: decimal number or as "option:<option-name>" The option numbers are
839: specified in RFC2132 and subsequent RFCs. The set of option-names
840: known by dnsmasq can be discovered by running "dnsmasq --help dhcp".
841: For example, to set the default route option to
842: 192.168.4.4, do
843: .B --dhcp-option=3,192.168.4.4
844: or
845: .B --dhcp-option = option:router, 192.168.4.4
846: and to set the time-server address to 192.168.0.4, do
847: .B --dhcp-option = 42,192.168.0.4
848: or
849: .B --dhcp-option = option:ntp-server, 192.168.0.4
850: The special address 0.0.0.0 (or [::] for DHCPv6) is taken to mean "the address of the
851: machine running dnsmasq". Data types allowed are comma separated
852: dotted-quad IP addresses, a decimal number, colon-separated hex digits
853: and a text string. If the optional tags are given then
854: this option is only sent when all the tags are matched.
855:
856: Special processing is done on a text argument for option 119, to
857: conform with RFC 3397. Text or dotted-quad IP addresses as arguments
858: to option 120 are handled as per RFC 3361. Dotted-quad IP addresses
859: which are followed by a slash and then a netmask size are encoded as
860: described in RFC 3442.
861:
862: IPv6 options are specified using the
863: .B option6:
864: keyword, followed by the option number or option name. The IPv6 option
865: name space is disjoint from the IPv4 option name space. IPv6 addresses
866: in options must be bracketed with square brackets, eg.
867: .B --dhcp-option=option6:ntp-server,[1234::56]
868:
869:
870: Be careful: no checking is done that the correct type of data for the
871: option number is sent, it is quite possible to
872: persuade dnsmasq to generate illegal DHCP packets with injudicious use
873: of this flag. When the value is a decimal number, dnsmasq must determine how
874: large the data item is. It does this by examining the option number and/or the
875: value, but can be overridden by appending a single letter flag as follows:
876: b = one byte, s = two bytes, i = four bytes. This is mainly useful with
877: encapsulated vendor class options (see below) where dnsmasq cannot
878: determine data size from the option number. Option data which
879: consists solely of periods and digits will be interpreted by dnsmasq
880: as an IP address, and inserted into an option as such. To force a
881: literal string, use quotes. For instance when using option 66 to send
882: a literal IP address as TFTP server name, it is necessary to do
883: .B --dhcp-option=66,"1.2.3.4"
884:
885: Encapsulated Vendor-class options may also be specified (IPv4 only) using
886: --dhcp-option: for instance
887: .B --dhcp-option=vendor:PXEClient,1,0.0.0.0
888: sends the encapsulated vendor
889: class-specific option "mftp-address=0.0.0.0" to any client whose
890: vendor-class matches "PXEClient". The vendor-class matching is
891: substring based (see --dhcp-vendorclass for details). If a
892: vendor-class option (number 60) is sent by dnsmasq, then that is used
893: for selecting encapsulated options in preference to any sent by the
894: client. It is
895: possible to omit the vendorclass completely;
896: .B --dhcp-option=vendor:,1,0.0.0.0
897: in which case the encapsulated option is always sent.
898:
899: Options may be encapsulated (IPv4 only) within other options: for instance
900: .B --dhcp-option=encap:175, 190, "iscsi-client0"
901: will send option 175, within which is the option 190. If multiple
902: options are given which are encapsulated with the same option number
903: then they will be correctly combined into one encapsulated option.
904: encap: and vendor: are may not both be set in the same dhcp-option.
905:
906: The final variant on encapsulated options is "Vendor-Identifying
907: Vendor Options" as specified by RFC3925. These are denoted like this:
908: .B --dhcp-option=vi-encap:2, 10, "text"
909: The number in the vi-encap: section is the IANA enterprise number
910: used to identify this option. This form of encapsulation is supported
911: in IPv6.
912:
913: The address 0.0.0.0 is not treated specially in
914: encapsulated options.
915: .TP
916: .B --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
917: This works in exactly the same way as
918: .B --dhcp-option
919: except that the option will always be sent, even if the client does
920: not ask for it in the parameter request list. This is sometimes
921: needed, for example when sending options to PXELinux.
922: .TP
923: .B --dhcp-no-override
924: (IPv4 only) Disable re-use of the DHCP servername and filename fields as extra
925: option space. If it can, dnsmasq moves the boot server and filename
926: information (from dhcp-boot) out of their dedicated fields into
927: DHCP options. This make extra space available in the DHCP packet for
928: options but can, rarely, confuse old or broken clients. This flag
929: forces "simple and safe" behaviour to avoid problems in such a case.
930: .TP
931: .B \-U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<vendor-class>
932: Map from a vendor-class string to a tag. Most DHCP clients provide a
933: "vendor class" which represents, in some sense, the type of host. This option
934: maps vendor classes to tags, so that DHCP options may be selectively delivered
935: to different classes of hosts. For example
936: .B dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect
937: will allow options to be set only for HP printers like so:
938: .B --dhcp-option=tag:printers,3,192.168.4.4
939: The vendor-class string is
940: substring matched against the vendor-class supplied by the client, to
941: allow fuzzy matching. The set: prefix is optional but allowed for
942: consistency.
943:
944: Note that in IPv6 only, vendorclasses are namespaced with an
945: IANA-allocated enterprise number. This is given with enterprise:
946: keyword and specifies that only vendorclasses matching the specified
947: number should be searched.
948: .TP
949: .B \-j, --dhcp-userclass=set:<tag>,<user-class>
950: Map from a user-class string to a tag (with substring
951: matching, like vendor classes). Most DHCP clients provide a
952: "user class" which is configurable. This option
953: maps user classes to tags, so that DHCP options may be selectively delivered
954: to different classes of hosts. It is possible, for instance to use
955: this to set a different printer server for hosts in the class
956: "accounts" than for hosts in the class "engineering".
957: .TP
958: .B \-4, --dhcp-mac=set:<tag>,<MAC address>
959: (IPv4 only) Map from a MAC address to a tag. The MAC address may include
960: wildcards. For example
961: .B --dhcp-mac=set:3com,01:34:23:*:*:*
962: will set the tag "3com" for any host whose MAC address matches the pattern.
963: .TP
964: .B --dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-remoteid=set:<tag>,<remote-id>
965: Map from RFC3046 relay agent options to tags. This data may
966: be provided by DHCP relay agents. The circuit-id or remote-id is
967: normally given as colon-separated hex, but is also allowed to be a
968: simple string. If an exact match is achieved between the circuit or
969: agent ID and one provided by a relay agent, the tag is set.
970:
971: .B dhcp-remoteid
972: (but not dhcp-circuitid) is supported in IPv6.
973: .TP
974: .B --dhcp-subscrid=set:<tag>,<subscriber-id>
975: (IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent options to tags.
976: .TP
977: .B --dhcp-proxy[=<ip addr>]......
978: (IPv4 only) A normal DHCP relay agent is only used to forward the initial parts of
979: a DHCP interaction to the DHCP server. Once a client is configured, it
980: communicates directly with the server. This is undesirable if the
981: relay agent is addding extra information to the DHCP packets, such as
982: that used by
983: .B dhcp-circuitid
984: and
985: .B dhcp-remoteid.
986: A full relay implementation can use the RFC 5107 serverid-override
987: option to force the DHCP server to use the relay as a full proxy, with all
988: packets passing through it. This flag provides an alternative method
989: of doing the same thing, for relays which don't support RFC
990: 5107. Given alone, it manipulates the server-id for all interactions
991: via relays. If a list of IP addresses is given, only interactions via
992: relays at those addresses are affected.
993: .TP
994: .B --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<enterprise>[,<value>]
995: Without a value, set the tag if the client sends a DHCP
996: option of the given number or name. When a value is given, set the tag only if
997: the option is sent and matches the value. The value may be of the form
998: "01:ff:*:02" in which case the value must match (apart from widcards)
999: but the option sent may have unmatched data past the end of the
1000: value. The value may also be of the same form as in
1001: .B dhcp-option
1002: in which case the option sent is treated as an array, and one element
1003: must match, so
1004:
1005: --dhcp-match=set:efi-ia32,option:client-arch,6
1006:
1007: will set the tag "efi-ia32" if the the number 6 appears in the list of
1008: architectures sent by the client in option 93. (See RFC 4578 for
1009: details.) If the value is a string, substring matching is used.
1010:
1011: The special form with vi-encap:<enterpise number> matches against
1012: vendor-identifying vendor classes for the specified enterprise. Please
1013: see RFC 3925 for more details of these rare and interesting beasts.
1014: .TP
1015: .B --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
1016: Perform boolean operations on tags. Any tag appearing as set:<tag> is set if
1017: all the tags which appear as tag:<tag> are set, (or unset when tag:!<tag> is used)
1018: If no tag:<tag> appears set:<tag> tags are set unconditionally.
1019: Any number of set: and tag: forms may appear, in any order.
1020: Tag-if lines ares executed in order, so if the tag in tag:<tag> is a
1021: tag set by another
1022: .B tag-if,
1023: the line which sets the tag must precede the one which tests it.
1024: .TP
1025: .B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
1026: When all the given tags appear in the tag set ignore the host and do
1027: not allocate it a DHCP lease.
1028: .TP
1029: .B --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
1030: When all the given tags appear in the tag set, ignore any hostname
1031: provided by the host. Note that, unlike dhcp-ignore, it is permissible
1032: to supply no tags, in which case DHCP-client supplied hostnames
1033: are always ignored, and DHCP hosts are added to the DNS using only
1034: dhcp-host configuration in dnsmasq and the contents of /etc/hosts and
1035: /etc/ethers.
1036: .TP
1037: .B --dhcp-generate-names=tag:<tag>[,tag:<tag>]
1038: (IPv4 only) Generate a name for DHCP clients which do not otherwise have one,
1039: using the MAC address expressed in hex, seperated by dashes. Note that
1040: if a host provides a name, it will be used by preference to this,
1041: unless
1042: .B --dhcp-ignore-names
1043: is set.
1044: .TP
1045: .B --dhcp-broadcast[=tag:<tag>[,tag:<tag>]]
1046: (IPv4 only) When all the given tags appear in the tag set, always use broadcast to
1047: communicate with the host when it is unconfigured. It is permissible
1048: to supply no tags, in which case this is unconditional. Most DHCP clients which
1049: need broadcast replies set a flag in their requests so that this
1050: happens automatically, some old BOOTP clients do not.
1051: .TP
1052: .B \-M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server address>|<tftp_servername>]]
1053: (IPv4 only) Set BOOTP options to be returned by the DHCP server. Server name and
1054: address are optional: if not provided, the name is left empty, and the
1055: address set to the address of the machine running dnsmasq. If dnsmasq
1056: is providing a TFTP service (see
1057: .B --enable-tftp
1058: ) then only the filename is required here to enable network booting.
1059: If the optional tag(s) are given,
1060: they must match for this configuration to be sent.
1061: Instead of an IP address, the TFTP server address can be given as a domain
1062: name which is looked up in /etc/hosts. This name can be associated in
1063: /etc/hosts with multiple IP addresses, which are used round-robin.
1064: This facility can be used to load balance the tftp load among a set of servers.
1065: .TP
1066: .B --dhcp-sequential-ip
1067: Dnsmasq is designed to choose IP addresses for DHCP clients using a
1068: hash of the client's MAC address. This normally allows a client's
1069: address to remain stable long-term, even if the client sometimes allows its DHCP
1070: lease to expire. In this default mode IP addresses are distributed
1071: pseudo-randomly over the entire available address range. There are
1072: sometimes circumstances (typically server deployment) where it is more
1073: convenient to have IP
1074: addresses allocated sequentially, starting from the lowest available
1075: address, and setting this flag enables this mode. Note that in the
1076: sequential mode, clients which allow a lease to expire are much more
1077: likely to move IP address; for this reason it should not be generally used.
1078: .TP
1079: .B --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservicetype>][,<server address>|<server_name>]
1080: Most uses of PXE boot-ROMS simply allow the PXE
1081: system to obtain an IP address and then download the file specified by
1082: .B dhcp-boot
1083: and execute it. However the PXE system is capable of more complex
1084: functions when supported by a suitable DHCP server.
1085:
1086: This specifies a boot option which may appear in a PXE boot menu. <CSA> is
1087: client system type, only services of the correct type will appear in a
1088: menu. The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
1089: Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI; an
1090: integer may be used for other types. The
1091: parameter after the menu text may be a file name, in which case dnsmasq acts as a
1092: boot server and directs the PXE client to download the file by TFTP,
1093: either from itself (
1094: .B enable-tftp
1095: must be set for this to work) or another TFTP server if the final server
1096: address/name is given.
1097: Note that the "layer"
1098: suffix (normally ".0") is supplied by PXE, and should not be added to
1099: the basename. If an integer boot service type, rather than a basename
1100: is given, then the PXE client will search for a
1101: suitable boot service for that type on the network. This search may be done
1102: by broadcast, or direct to a server if its IP address/name is provided.
1103: If no boot service type or filename is provided (or a boot service type of 0 is specified)
1104: then the menu entry will abort the net boot procedure and
1105: continue booting from local media. The server address can be given as a domain
1106: name which is looked up in /etc/hosts. This name can be associated in
1107: /etc/hosts with multiple IP addresses, which are used round-robin.
1108: .TP
1109: .B --pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]
1110: Setting this provides a prompt to be displayed after PXE boot. If the
1111: timeout is given then after the
1112: timeout has elapsed with no keyboard input, the first available menu
1113: option will be automatically executed. If the timeout is zero then the first available menu
1114: item will be executed immediately. If
1115: .B pxe-prompt
1116: is ommitted the system will wait for user input if there are multiple
1117: items in the menu, but boot immediately if
1118: there is only one. See
1119: .B pxe-service
1120: for details of menu items.
1121:
1122: Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP server on
1123: the network is responsible for allocating IP addresses, and dnsmasq
1124: simply provides the information given in
1125: .B pxe-prompt
1126: and
1127: .B pxe-service
1128: to allow netbooting. This mode is enabled using the
1129: .B proxy
1130: keyword in
1131: .B dhcp-range.
1132: .TP
1133: .B \-X, --dhcp-lease-max=<number>
1134: Limits dnsmasq to the specified maximum number of DHCP leases. The
1135: default is 1000. This limit is to prevent DoS attacks from hosts which
1136: create thousands of leases and use lots of memory in the dnsmasq
1137: process.
1138: .TP
1139: .B \-K, --dhcp-authoritative
1140: Should be set when dnsmasq is definitely the only DHCP server on a network.
1141: For DHCPv4, it changes the behaviour from strict RFC compliance so that DHCP requests on
1142: unknown leases from unknown hosts are not ignored. This allows new hosts
1143: to get a lease without a tedious timeout under all circumstances. It also
1144: allows dnsmasq to rebuild its lease database without each client needing to
1145: reacquire a lease, if the database is lost. For DHCPv6 it sets the
1146: priority in replies to 255 (the maximum) instead of 0 (the minimum).
1147: .TP
1148: .B --dhcp-alternate-port[=<server port>[,<client port>]]
1149: (IPv4 only) Change the ports used for DHCP from the default. If this option is
1150: given alone, without arguments, it changes the ports used for DHCP
1151: from 67 and 68 to 1067 and 1068. If a single argument is given, that
1152: port number is used for the server and the port number plus one used
1153: for the client. Finally, two port numbers allows arbitrary
1154: specification of both server and client ports for DHCP.
1155: .TP
1156: .B \-3, --bootp-dynamic[=<network-id>[,<network-id>]]
1157: (IPv4 only) Enable dynamic allocation of IP addresses to BOOTP clients. Use this
1158: with care, since each address allocated to a BOOTP client is leased
1159: forever, and therefore becomes permanently unavailable for re-use by
1160: other hosts. if this is given without tags, then it unconditionally
1161: enables dynamic allocation. With tags, only when the tags are all
1162: set. It may be repeated with different tag sets.
1163: .TP
1164: .B \-5, --no-ping
1165: (IPv4 only) By default, the DHCP server will attempt to ensure that an address in
1166: not in use before allocating it to a host. It does this by sending an
1167: ICMP echo request (aka "ping") to the address in question. If it gets
1168: a reply, then the address must already be in use, and another is
1169: tried. This flag disables this check. Use with caution.
1170: .TP
1171: .B --log-dhcp
1172: Extra logging for DHCP: log all the options sent to DHCP clients and
1173: the tags used to determine them.
1174: .TP
1175: .B \-l, --dhcp-leasefile=<path>
1176: Use the specified file to store DHCP lease information.
1177: .TP
1178: .B --dhcp-duid=<enterprise-id>,<uid>
1179: (IPv6 only) Specify the server persistent UID which the DHCPv6 server
1180: will use. This option is not normally required as dnsmasq creates a
1181: DUID automatically when it is first needed. When given, this option
1182: provides dnsmasq the data required to create a DUID-EN type DUID. Note
1183: that once set, the DUID is stored in the lease database, so to change between DUID-EN and
1184: automatically created DUIDs or vice-versa, the lease database must be
1185: re-intialised. The enterprise-id is assigned by IANA, and the uid is a
1186: string of hex octets unique to a particular device.
1187: .TP
1188: .B \-6 --dhcp-script=<path>
1189: Whenever a new DHCP lease is created, or an old one destroyed, or a
1190: TFTP file transfer completes, the
1191: executable specified by this option is run. <path>
1192: must be an absolute pathname, no PATH search occurs.
1193: The arguments to the process
1194: are "add", "old" or "del", the MAC
1195: address of the host (or DUID for IPv6) , the IP address, and the hostname,
1196: if known. "add" means a lease has been created, "del" means it has
1197: been destroyed, "old" is a notification of an existing lease when
1198: dnsmasq starts or a change to MAC address or hostname of an existing
1199: lease (also, lease length or expiry and client-id, if leasefile-ro is set).
1200: If the MAC address is from a network type other than ethernet,
1201: it will have the network type prepended, eg "06-01:23:45:67:89:ab" for
1202: token ring. The process is run as root (assuming that dnsmasq was originally run as
1203: root) even if dnsmasq is configured to change UID to an unprivileged user.
1204:
1205: The environment is inherited from the invoker of dnsmasq, with some or
1206: all of the following variables added
1207:
1208: For both IPv4 and IPv6:
1209:
1210: DNSMASQ_DOMAIN if the fully-qualified domain name of the host is
1211: known, this is set to the domain part. (Note that the hostname passed
1212: to the script as an argument is never fully-qualified.)
1213:
1214: If the client provides a hostname, DNSMASQ_SUPPLIED_HOSTNAME
1215:
1216: If the client provides user-classes, DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn
1217:
1218: If dnsmasq was compiled with HAVE_BROKEN_RTC, then
1219: the length of the lease (in seconds) is stored in
1220: DNSMASQ_LEASE_LENGTH, otherwise the time of lease expiry is stored in
1221: DNSMASQ_LEASE_EXPIRES. The number of seconds until lease expiry is
1222: always stored in DNSMASQ_TIME_REMAINING.
1223:
1224: If a lease used to have a hostname, which is
1225: removed, an "old" event is generated with the new state of the lease,
1226: ie no name, and the former name is provided in the environment
1227: variable DNSMASQ_OLD_HOSTNAME.
1228:
1229: DNSMASQ_INTERFACE stores the name of
1230: the interface on which the request arrived; this is not set for "old"
1231: actions when dnsmasq restarts.
1232:
1233: DNSMASQ_RELAY_ADDRESS is set if the client
1234: used a DHCP relay to contact dnsmasq and the IP address of the relay
1235: is known.
1236:
1237: DNSMASQ_TAGS contains all the tags set during the
1238: DHCP transaction, separated by spaces.
1239:
1240: DNSMASQ_LOG_DHCP is set if
1241: .B --log-dhcp
1242: is in effect.
1243:
1244: For IPv4 only:
1245:
1246: DNSMASQ_CLIENT_ID if the host provided a client-id.
1247:
1248: DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID, DNSMASQ_REMOTE_ID if a
1249: DHCP relay-agent added any of these options.
1250:
1251: If the client provides vendor-class, DNSMASQ_VENDOR_CLASS.
1252:
1253: For IPv6 only:
1254:
1255: If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID,
1256: containing the IANA enterprise id for the class, and
1257: DNSMASQ_VENDOR_CLASS0..DNSMASQ_VENDOR_CLASSn for the data.
1258:
1259: DNSMASQ_SERVER_DUID containing the DUID of the server: this is the same for
1260: every call to the script.
1261:
1262: DNSMASQ_IAID containing the IAID for the lease. If the lease is a
1263: temporary allocation, this is prefixed to 'T'.
1264:
1265:
1266:
1267: Note that the supplied hostname, vendorclass and userclass data is
1268: only supplied for
1269: "add" actions or "old" actions when a host resumes an existing lease,
1270: since these data are not held in dnsmasq's lease
1271: database.
1272:
1273:
1274:
1275: All file descriptors are
1276: closed except stdin, stdout and stderr which are open to /dev/null
1277: (except in debug mode).
1278:
1279: The script is not invoked concurrently: at most one instance
1280: of the script is ever running (dnsmasq waits for an instance of script to exit
1281: before running the next). Changes to the lease database are which
1282: require the script to be invoked are queued awaiting exit of a running instance.
1283: If this queueing allows multiple state changes occur to a single
1284: lease before the script can be run then
1285: earlier states are discarded and the current state of that lease is
1286: reflected when the script finally runs.
1287:
1288: At dnsmasq startup, the script will be invoked for
1289: all existing leases as they are read from the lease file. Expired
1290: leases will be called with "del" and others with "old". When dnsmasq
1291: receives a HUP signal, the script will be invoked for existing leases
1292: with an "old " event.
1293:
1294:
1295: There are two further actions which may appear as the first argument
1296: to the script, "init" and "tftp". More may be added in the future, so
1297: scripts should be written to ignore unknown actions. "init" is
1298: described below in
1299: .B --leasefile-ro
1300: The "tftp" action is invoked when a TFTP file transfer completes: the
1301: arguments are the file size in bytes, the address to which the file
1302: was sent, and the complete pathname of the file.
1303:
1304: .TP
1305: .B --dhcp-luascript=<path>
1306: Specify a script written in Lua, to be run when leases are created,
1307: destroyed or changed. To use this option, dnsmasq must be compiled
1308: with the correct support. The Lua interpreter is intialised once, when
1309: dnsmasq starts, so that global variables persist between lease
1310: events. The Lua code must define a
1311: .B lease
1312: function, and may provide
1313: .B init
1314: and
1315: .B shutdown
1316: functions, which are called, without arguments when dnsmasq starts up
1317: and terminates. It may also provide a
1318: .B tftp
1319: function.
1320:
1321: The
1322: .B lease
1323: function receives the information detailed in
1324: .B --dhcp-script.
1325: It gets two arguments, firstly the action, which is a string
1326: containing, "add", "old" or "del", and secondly a table of tag value
1327: pairs. The tags mostly correspond to the environment variables
1328: detailed above, for instance the tag "domain" holds the same data as
1329: the environment variable DNSMASQ_DOMAIN. There are a few extra tags
1330: which hold the data supplied as arguments to
1331: .B --dhcp-script.
1332: These are
1333: .B mac_address, ip_address
1334: and
1335: .B hostname
1336: for IPv4, and
1337: .B client_duid, ip_address
1338: and
1339: .B hostname
1340: for IPv6.
1341:
1342: The
1343: .B tftp
1344: function is called in the same way as the lease function, and the
1345: table holds the tags
1346: .B destination_address,
1347: .B file_name
1348: and
1349: .B file_size.
1350: .TP
1351: .B --dhcp-scriptuser
1352: Specify the user as which to run the lease-change script or Lua script. This defaults to root, but can be changed to another user using this flag.
1353: .TP
1354: .B \-9, --leasefile-ro
1355: Completely suppress use of the lease database file. The file will not
1356: be created, read, or written. Change the way the lease-change
1357: script (if one is provided) is called, so that the lease database may
1358: be maintained in external storage by the script. In addition to the
1359: invocations given in
1360: .B --dhcp-script
1361: the lease-change script is called once, at dnsmasq startup, with the
1362: single argument "init". When called like this the script should write
1363: the saved state of the lease database, in dnsmasq leasefile format, to
1364: stdout and exit with zero exit code. Setting this
1365: option also forces the leasechange script to be called on changes
1366: to the client-id and lease length and expiry time.
1367: .TP
1368: .B --bridge-interface=<interface>,<alias>[,<alias>]
1369: Treat DHCP request packets arriving at any of the <alias> interfaces
1370: as if they had arrived at <interface>. This option is necessary when
1371: using "old style" bridging on BSD platforms, since
1372: packets arrive at tap interfaces which don't have an IP address.
1373: .TP
1374: .B \-s, --domain=<domain>[,<address range>[,local]]
1375: Specifies DNS domains for the DHCP server. Domains may be be given
1376: unconditionally (without the IP range) or for limited IP ranges. This has two effects;
1377: firstly it causes the DHCP server to return the domain to any hosts
1378: which request it, and secondly it sets the domain which it is legal
1379: for DHCP-configured hosts to claim. The intention is to constrain
1380: hostnames so that an untrusted host on the LAN cannot advertise
1381: its name via dhcp as e.g. "microsoft.com" and capture traffic not
1382: meant for it. If no domain suffix is specified, then any DHCP
1383: hostname with a domain part (ie with a period) will be disallowed
1384: and logged. If suffix is specified, then hostnames with a domain
1385: part are allowed, provided the domain part matches the suffix. In
1386: addition, when a suffix is set then hostnames without a domain
1387: part have the suffix added as an optional domain part. Eg on my network I can set
1388: .B --domain=thekelleys.org.uk
1389: and have a machine whose DHCP hostname is "laptop". The IP address for that machine is available from
1390: .B dnsmasq
1391: both as "laptop" and "laptop.thekelleys.org.uk". If the domain is
1392: given as "#" then the domain is read from the first "search" directive
1393: in /etc/resolv.conf (or equivalent).
1394:
1395: The address range can be of the form
1396: <ip address>,<ip address> or <ip address>/<netmask> or just a single
1397: <ip address>. See
1398: .B --dhcp-fqdn
1399: which can change the behaviour of dnsmasq with domains.
1400:
1401: If the address range is given as ip-address/network-size, then a
1402: additional flag "local" may be supplied which has the effect of adding
1403: --local declarations for forward and reverse DNS queries. Eg.
1404: .B --domain=thekelleys.org.uk,192.168.0.0/24,local
1405: is identical to
1406: .B --domain=thekelleys.org.uk,192.168.0.0/24
1407: --local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/
1408: The network size must be 8, 16 or 24 for this to be legal.
1409: .TP
1410: .B --dhcp-fqdn
1411: In the default mode, dnsmasq inserts the unqualified names of
1412: DHCP clients into the DNS. For this reason, the names must be unique,
1413: even if two clients which have the same name are in different
1414: domains. If a second DHCP client appears which has the same name as an
1415: existing client, the name is transfered to the new client. If
1416: .B --dhcp-fqdn
1417: is set, this behaviour changes: the unqualified name is no longer
1418: put in the DNS, only the qualified name. Two DHCP clients with the
1419: same name may both keep the name, provided that the domain part is
1420: different (ie the fully qualified names differ.) To ensure that all
1421: names have a domain part, there must be at least
1422: .B --domain
1423: without an address specified when
1424: .B --dhcp-fqdn
1425: is set.
1426: .TP
1427: .B --dhcp-client-update
1428: Normally, when giving a DHCP lease, dnsmasq sets flags in the FQDN
1429: option to tell the client not to attempt a DDNS update with its name
1430: and IP address. This is because the name-IP pair is automatically
1431: added into dnsmasq's DNS view. This flag suppresses that behaviour,
1432: this is useful, for instance, to allow Windows clients to update
1433: Active Directory servers. See RFC 4702 for details.
1434: .TP
1435: .B --enable-ra
1436: Enable dnsmasq's IPv6 Router Advertisement feature. DHCPv6 doesn't
1437: handle complete network configuration in the same way as DHCPv4. Router
1438: discovery and (possibly) prefix discovery for autonomous address
1439: creation are handled by a different protocol. When DHCP is in use,
1440: only a subset of this is needed, and dnsmasq can handle it, using
1441: existing DHCP configuration to provide most data. When RA is enabled,
1442: dnsmasq will advertise a prefix for each dhcp-range, with default
1443: router and recursive DNS server as the relevant link-local address on
1444: the machine running dnsmasq. By default, he "managed address" bits are set, and
1445: the "use SLAAC" bit is reset. This can be changed for individual
1446: subnets with the mode keywords described in
1447: .B --dhcp-range.
1448: RFC6106 DNS parameters are included in the advertisements. By default,
1449: the relevant link-local address of the machine running dnsmasq is sent
1450: as recursive DNS server. If provided, the DHCPv6 options dns-server and
1451: domain-search are used for RDNSS and DNSSL.
1452: .TP
1453: .B --enable-tftp
1454: Enable the TFTP server function. This is deliberately limited to that
1455: needed to net-boot a client. Only reading is allowed; the tsize and
1456: blksize extensions are supported (tsize is only supported in octet
1457: mode).
1458: .TP
1459: .B --tftp-root=<directory>[,<interface>]
1460: Look for files to transfer using TFTP relative to the given
1461: directory. When this is set, TFTP paths which include ".." are
1462: rejected, to stop clients getting outside the specified root.
1463: Absolute paths (starting with /) are allowed, but they must be within
1464: the tftp-root. If the optional interface argument is given, the
1465: directory is only used for TFTP requests via that interface.
1466: .TP
1467: .B --tftp-unique-root
1468: Add the IP address of the TFTP client as a path component on the end
1469: of the TFTP-root (in standard dotted-quad format). Only valid if a
1470: tftp-root is set and the directory exists. For instance, if tftp-root is "/tftp" and client
1471: 1.2.3.4 requests file "myfile" then the effective path will be
1472: "/tftp/1.2.3.4/myfile" if /tftp/1.2.3.4 exists or /tftp/myfile otherwise.
1473: .TP
1474: .B --tftp-secure
1475: Enable TFTP secure mode: without this, any file which is readable by
1476: the dnsmasq process under normal unix access-control rules is
1477: available via TFTP. When the --tftp-secure flag is given, only files
1478: owned by the user running the dnsmasq process are accessible. If
1479: dnsmasq is being run as root, different rules apply: --tftp-secure
1480: has no effect, but only files which have the world-readable bit set
1481: are accessible. It is not recommended to run dnsmasq as root with TFTP
1482: enabled, and certainly not without specifying --tftp-root. Doing so
1483: can expose any world-readable file on the server to any host on the net.
1484: .TP
1485: .B --tftp-lowercase
1486: Convert filenames in TFTP requests to all lowercase. This is useful
1487: for requests from Windows machines, which have case-insensitive
1488: filesystems and tend to play fast-and-loose with case in filenames.
1489: Note that dnsmasq's tftp server always converts "\\" to "/" in filenames.
1490: .TP
1491: .B --tftp-max=<connections>
1492: Set the maximum number of concurrent TFTP connections allowed. This
1493: defaults to 50. When serving a large number of TFTP connections,
1494: per-process file descriptor limits may be encountered. Dnsmasq needs
1495: one file descriptor for each concurrent TFTP connection and one
1496: file descriptor per unique file (plus a few others). So serving the
1497: same file simultaneously to n clients will use require about n + 10 file
1498: descriptors, serving different files simultaneously to n clients will
1499: require about (2*n) + 10 descriptors. If
1500: .B --tftp-port-range
1501: is given, that can affect the number of concurrent connections.
1502: .TP
1503: .B --tftp-no-blocksize
1504: Stop the TFTP server from negotiating the "blocksize" option with a
1505: client. Some buggy clients request this option but then behave badly
1506: when it is granted.
1507: .TP
1508: .B --tftp-port-range=<start>,<end>
1509: A TFTP server listens on a well-known port (69) for connection initiation,
1510: but it also uses a dynamically-allocated port for each
1511: connection. Normally these are allocated by the OS, but this option
1512: specifies a range of ports for use by TFTP transfers. This can be
1513: useful when TFTP has to traverse a firewall. The start of the range
1514: cannot be lower than 1025 unless dnsmasq is running as root. The number
1515: of concurrent TFTP connections is limited by the size of the port range.
1516: .TP
1517: .B \-C, --conf-file=<file>
1518: Specify a different configuration file. The conf-file option is also allowed in
1519: configuration files, to include multiple configuration files. A
1520: filename of "-" causes dnsmasq to read configuration from stdin.
1521: .TP
1522: .B \-7, --conf-dir=<directory>[,<file-extension>......]
1523: Read all the files in the given directory as configuration
1524: files. If extension(s) are given, any files which end in those
1525: extensions are skipped. Any files whose names end in ~ or start with . or start and end
1526: with # are always skipped. This flag may be given on the command
1527: line or in a configuration file.
1528: .SH CONFIG FILE
1529: At startup, dnsmasq reads
1530: .I /etc/dnsmasq.conf,
1531: if it exists. (On
1532: FreeBSD, the file is
1533: .I /usr/local/etc/dnsmasq.conf
1534: ) (but see the
1535: .B \-C
1536: and
1537: .B \-7
1538: options.) The format of this
1539: file consists of one option per line, exactly as the long options detailed
1540: in the OPTIONS section but without the leading "--". Lines starting with # are comments and ignored. For
1541: options which may only be specified once, the configuration file overrides
1542: the command line. Quoting is allowed in a config file:
1543: between " quotes the special meanings of ,:. and # are removed and the
1544: following escapes are allowed: \\\\ \\" \\t \\e \\b \\r and \\n. The later
1545: corresponding to tab, escape, backspace, return and newline.
1546: .SH NOTES
1547: When it receives a SIGHUP,
1548: .B dnsmasq
1549: clears its cache and then re-loads
1550: .I /etc/hosts
1551: and
1552: .I /etc/ethers
1553: and any file given by --dhcp-hostsfile, --dhcp-optsfile or --addn-hosts.
1554: The dhcp lease change script is called for all
1555: existing DHCP leases. If
1556: .B
1557: --no-poll
1558: is set SIGHUP also re-reads
1559: .I /etc/resolv.conf.
1560: SIGHUP
1561: does NOT re-read the configuration file.
1562: .PP
1563: When it receives a SIGUSR1,
1564: .B dnsmasq
1565: writes statistics to the system log. It writes the cache size,
1566: the number of names which have had to removed from the cache before
1567: they expired in order to make room for new names and the total number
1568: of names that have been inserted into the cache. For each upstream
1569: server it gives the number of queries sent, and the number which
1570: resulted in an error. In
1571: .B --no-daemon
1572: mode or when full logging is enabled (-q), a complete dump of the
1573: contents of the cache is made.
1574: .PP
1575: When it receives SIGUSR2 and it is logging direct to a file (see
1576: .B --log-facility
1577: )
1578: .B dnsmasq
1579: will close and reopen the log file. Note that during this operation,
1580: dnsmasq will not be running as root. When it first creates the logfile
1581: dnsmasq changes the ownership of the file to the non-root user it will run
1582: as. Logrotate should be configured to create a new log file with
1583: the ownership which matches the existing one before sending SIGUSR2.
1584: If TCP DNS queries are in progress, the old logfile will remain open in
1585: child processes which are handling TCP queries and may continue to be
1586: written. There is a limit of 150 seconds, after which all existing TCP
1587: processes will have expired: for this reason, it is not wise to
1588: configure logfile compression for logfiles which have just been
1589: rotated. Using logrotate, the required options are
1590: .B create
1591: and
1592: .B delaycompress.
1593:
1594:
1595: .PP
1596: Dnsmasq is a DNS query forwarder: it it not capable of recursively
1597: answering arbitrary queries starting from the root servers but
1598: forwards such queries to a fully recursive upstream DNS server which is
1599: typically provided by an ISP. By default, dnsmasq reads
1600: .I /etc/resolv.conf
1601: to discover the IP
1602: addresses of the upstream nameservers it should use, since the
1603: information is typically stored there. Unless
1604: .B --no-poll
1605: is used,
1606: .B dnsmasq
1607: checks the modification time of
1608: .I /etc/resolv.conf
1609: (or equivalent if
1610: .B \--resolv-file
1611: is used) and re-reads it if it changes. This allows the DNS servers to
1612: be set dynamically by PPP or DHCP since both protocols provide the
1613: information.
1614: Absence of
1615: .I /etc/resolv.conf
1616: is not an error
1617: since it may not have been created before a PPP connection exists. Dnsmasq
1618: simply keeps checking in case
1619: .I /etc/resolv.conf
1620: is created at any
1621: time. Dnsmasq can be told to parse more than one resolv.conf
1622: file. This is useful on a laptop, where both PPP and DHCP may be used:
1623: dnsmasq can be set to poll both
1624: .I /etc/ppp/resolv.conf
1625: and
1626: .I /etc/dhcpc/resolv.conf
1627: and will use the contents of whichever changed
1628: last, giving automatic switching between DNS servers.
1629: .PP
1630: Upstream servers may also be specified on the command line or in
1631: the configuration file. These server specifications optionally take a
1632: domain name which tells dnsmasq to use that server only to find names
1633: in that particular domain.
1634: .PP
1635: In order to configure dnsmasq to act as cache for the host on which it is running, put "nameserver 127.0.0.1" in
1636: .I /etc/resolv.conf
1637: to force local processes to send queries to
1638: dnsmasq. Then either specify the upstream servers directly to dnsmasq
1639: using
1640: .B \--server
1641: options or put their addresses real in another file, say
1642: .I /etc/resolv.dnsmasq
1643: and run dnsmasq with the
1644: .B \-r /etc/resolv.dnsmasq
1645: option. This second technique allows for dynamic update of the server
1646: addresses by PPP or DHCP.
1647: .PP
1648: Addresses in /etc/hosts will "shadow" different addresses for the same
1649: names in the upstream DNS, so "mycompany.com 1.2.3.4" in /etc/hosts will ensure that
1650: queries for "mycompany.com" always return 1.2.3.4 even if queries in
1651: the upstream DNS would otherwise return a different address. There is
1652: one exception to this: if the upstream DNS contains a CNAME which
1653: points to a shadowed name, then looking up the CNAME through dnsmasq
1654: will result in the unshadowed address associated with the target of
1655: the CNAME. To work around this, add the CNAME to /etc/hosts so that
1656: the CNAME is shadowed too.
1657:
1658: .PP
1659: The tag system works as follows: For each DHCP request, dnsmasq
1660: collects a set of valid tags from active configuration lines which
1661: include set:<tag>, including one from the
1662: .B dhcp-range
1663: used to allocate the address, one from any matching
1664: .B dhcp-host
1665: (and "known" if a dhcp-host matches)
1666: The tag "bootp" is set for BOOTP requests, and a tag whose name is the
1667: name of the interface on which the request arrived is also set.
1668:
1669: Any configuration lines which includes one or more tag:<tag> contructs
1670: will only be valid if all that tags are matched in the set derived
1671: above. Typically this is dhcp-option.
1672: .B dhcp-option
1673: which has tags will be used in preference to an untagged
1674: .B dhcp-option,
1675: provided that _all_ the tags match somewhere in the
1676: set collected as described above. The prefix '!' on a tag means 'not'
1677: so --dhcp=option=tag:!purple,3,1.2.3.4 sends the option when the
1678: tag purple is not in the set of valid tags. (If using this in a
1679: command line rather than a configuration file, be sure to escape !,
1680: which is a shell metacharacter)
1681:
1682: When selecting dhcp-options, a tag from dhcp-range is second class
1683: relative to other tags, to make it easy to override options for
1684: individual hosts, so
1685: .B dhcp-range=set:interface1,......
1686: .B dhcp-host=set:myhost,.....
1687: .B dhcp-option=tag:interface1,option:nis-domain,"domain1"
1688: .B dhcp-option=tag:myhost,option:nis-domain,"domain2"
1689: will set the NIS-domain to domain1 for hosts in the range, but
1690: override that to domain2 for a particular host.
1691:
1692: .PP
1693: Note that for
1694: .B dhcp-range
1695: both tag:<tag> and set:<tag> are allowed, to both select the range in
1696: use based on (eg) dhcp-host, and to affect the options sent, based on
1697: the range selected.
1698:
1699: This system evolved from an earlier, more limited one and for backward
1700: compatibility "net:" may be used instead of "tag:" and "set:" may be
1701: omitted. (Except in
1702: .B dhcp-host,
1703: where "net:" may be used instead of "set:".) For the same reason, '#'
1704: may be used instead of '!' to indicate NOT.
1705: .PP
1706: The DHCP server in dnsmasq will function as a BOOTP server also,
1707: provided that the MAC address and IP address for clients are given,
1708: either using
1709: .B dhcp-host
1710: configurations or in
1711: .I /etc/ethers
1712: , and a
1713: .B dhcp-range
1714: configuration option is present to activate the DHCP server
1715: on a particular network. (Setting --bootp-dynamic removes the need for
1716: static address mappings.) The filename
1717: parameter in a BOOTP request is used as a tag,
1718: as is the tag "bootp", allowing some control over the options returned to
1719: different classes of hosts.
1720:
1721: .SH AUTHORITATIVE CONFIGURATION
1722: .PP
1723: Configuring dnsmasq to act as an authoritative DNS server is
1724: complicated by the fact that it involves configuration of external DNS
1725: servers to provide delegation. We will walk through three scenarios of
1726: increasing complexity. Prerequisites for all of these scenarios
1727: are a globally accessible IP address, an A or AAAA record pointing to that address,
1728: and an external DNS server capable of doing delegation of the zone in
1729: question. For the first part of this explanation, we will call the A (or AAAA) record
1730: for the globally accessible address server.example.com, and the zone
1731: for which dnsmasq is authoritative our.zone.com.
1732:
1733: The simplest configuration consists of two lines of dnsmasq configuration; something like
1734:
1735: .nf
1736: .B auth-server=server.example.com,eth0
1737: .B auth-zone=our.zone.com,1.2.3.0/24
1738: .fi
1739:
1740: and two records in the external DNS
1741:
1742: .nf
1743: server.example.com A 192.0.43.10
1744: our.zone.com NS server.example.com
1745: .fi
1746:
1747: eth0 is the external network interface on which dnsmasq is listening,
1748: and has (globally accessible) address 192.0.43.10.
1749:
1750: Note that the external IP address may well be dynamic (ie assigned
1751: from an ISP by DHCP or PPP) If so, the A record must be linked to this
1752: dynamic assignment by one of the usual dynamic-DNS systems.
1753:
1754: A more complex, but practically useful configuration has the address
1755: record for the globally accessible IP address residing in the
1756: authoritative zone which dnsmasq is serving, typically at the root. Now
1757: we have
1758:
1759: .nf
1760: .B auth-server=our.zone.com,eth0
1761: .B auth-zone=our.zone.com,1.2.3.0/24
1762: .fi
1763:
1764: .nf
1765: our.zone.com A 1.2.3.4
1766: our.zone.com NS our.zone.com
1767: .fi
1768:
1769: The A record for our.zone.com has now become a glue record, it solves
1770: the chicken-and-egg problem of finding the IP address of the
1771: nameserver for our.zone.com when the A record is within that
1772: zone. Note that this is the only role of this record: as dnsmasq is
1773: now authoritative from our.zone.com it too must provide this
1774: record. If the external address is static, this can be done with an
1775: .B /etc/hosts
1776: entry or
1777: .B --host-record.
1778:
1779: .nf
1780: .B auth-server=our.zone.com,eth0
1781: .B host-record=our.zone.com,1.2.3.4
1782: .B auth-zone=our.zone.com,1.2.3.0/24
1783: .fi
1784:
1785: If the external address is dynamic, the address
1786: associated with our.zone.com must be derived from the address of the
1787: relevant interface. This is done using
1788: .B interface-name
1789: Something like:
1790:
1791: .nf
1792: .B auth-server=our.zone.com,eth0
1793: .B interface-name=our.zone.com,eth0
1794: .B auth-zone=our.zone.com,1.2.3.0/24
1795: .fi
1796:
1797: Our final configuration builds on that above, but also adds a
1798: secondary DNS server. This is another DNS server which learns the DNS data
1799: for the zone by doing zones transfer, and acts as a backup should
1800: the primary server become inaccessible. The configuration of the
1801: secondary is beyond the scope of this man-page, but the extra
1802: configuration of dnsmasq is simple:
1803:
1804: .nf
1805: .B auth-sec-servers=secondary.myisp.com
1806: .fi
1807:
1808: and
1809:
1810: .nf
1811: our.zone.com NS secondary.myisp.com
1812: .fi
1813:
1814: Adding auth-sec-servers enables zone transfer in dnsmasq, to allow the
1815: secondary to collect the DNS data. If you wish to restrict this data
1816: to particular hosts then
1817:
1818: .nf
1819: .B auth-peer=<IP address of secondary>
1820: .fi
1821:
1822: will do so.
1823:
1824: Dnsmasq acts as an authoritative server for in-addr.arpa and
1825: ipv6.arpa domains associated with the subnets given in auth-zone
1826: declarations, so reverse (address to name) lookups can be simply
1827: configured with a suitable NS record, for instance in this example,
1828: where we allow 1.2.3.0/24 addresses.
1829:
1830: .nf
1831: 3.2.1.in-addr.arpa NS our.zone.com
1832: .fi
1833:
1834: Note that at present, reverse (in-addr.arpa and ip6.arpa) zones are
1835: not available in zone transfers, so there is no point arranging
1836: secondary servers for reverse lookups.
1837:
1838: .PP
1839: When dnsmasq is configured to act as an authoritative server, the
1840: following data is used to populate the authoritative zone.
1841: .PP
1842: .B --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record
1843: , as long as the record names are in the authoritative domain.
1844: .PP
1845: .B --cname
1846: as long as the record name is in the authoritative domain. If the
1847: target of the CNAME is unqualified, then it is qualified with the
1848: authoritative zone name.
1849: .PP
1850: IPv4 and IPv6 addresses from /etc/hosts (and
1851: .B --addn-hosts
1852: ) and
1853: .B --host-record
1854: provided the address falls into one of the subnets specified in the
1855: .B --auth-zone.
1856: .PP
1857: Addresses specified by
1858: .B --interface-name.
1859: In this case, the address is not contrained to a subnet from
1860: .B --auth-zone.
1861:
1862: .PP
1863: Addresses of DHCP leases, provided the address falls into one of the subnets specified in the
1864: .B --auth-zone
1865: OR a constructed DHCP range. In the default mode, where a DHCP lease
1866: has an unqualified name, and possibly a qualified name constructed
1867: using
1868: .B --domain
1869: then the name in the authoritative zone is constructed from the
1870: unqualified name and the zone's domain. This may or may not equal
1871: that specified by
1872: .B --domain.
1873: If
1874: .B --dhcp-fqdn
1875: is set, then the fully qualified names associated with DHCP leases are
1876: used, and must match the zone's domain.
1877:
1878:
1879:
1880: .SH EXIT CODES
1881: .PP
1882: 0 - Dnsmasq successfully forked into the background, or terminated
1883: normally if backgrounding is not enabled.
1884: .PP
1885: 1 - A problem with configuration was detected.
1886: .PP
1887: 2 - A problem with network access occurred (address in use, attempt
1888: to use privileged ports without permission).
1889: .PP
1890: 3 - A problem occurred with a filesystem operation (missing
1891: file/directory, permissions).
1892: .PP
1893: 4 - Memory allocation failure.
1894: .PP
1895: 5 - Other miscellaneous problem.
1896: .PP
1897: 11 or greater - a non zero return code was received from the
1898: lease-script process "init" call. The exit code from dnsmasq is the
1899: script's exit code with 10 added.
1900:
1901: .SH LIMITS
1902: The default values for resource limits in dnsmasq are generally
1903: conservative, and appropriate for embedded router type devices with
1904: slow processors and limited memory. On more capable hardware, it is
1905: possible to increase the limits, and handle many more clients. The
1906: following applies to dnsmasq-2.37: earlier versions did not scale as well.
1907:
1908: .PP
1909: Dnsmasq is capable of handling DNS and DHCP for at least a thousand
1910: clients. The DHCP lease times should not be very short (less than one hour). The
1911: value of
1912: .B --dns-forward-max
1913: can be increased: start with it equal to
1914: the number of clients and increase if DNS seems slow. Note that DNS
1915: performance depends too on the performance of the upstream
1916: nameservers. The size of the DNS cache may be increased: the hard
1917: limit is 10000 names and the default (150) is very low. Sending
1918: SIGUSR1 to dnsmasq makes it log information which is useful for tuning
1919: the cache size. See the
1920: .B NOTES
1921: section for details.
1922:
1923: .PP
1924: The built-in TFTP server is capable of many simultaneous file
1925: transfers: the absolute limit is related to the number of file-handles
1926: allowed to a process and the ability of the select() system call to
1927: cope with large numbers of file handles. If the limit is set too high
1928: using
1929: .B --tftp-max
1930: it will be scaled down and the actual limit logged at
1931: start-up. Note that more transfers are possible when the same file is
1932: being sent than when each transfer sends a different file.
1933:
1934: .PP
1935: It is possible to use dnsmasq to block Web advertising by using a list
1936: of known banner-ad servers, all resolving to 127.0.0.1 or 0.0.0.0, in
1937: .B /etc/hosts
1938: or an additional hosts file. The list can be very long,
1939: dnsmasq has been tested successfully with one million names. That size
1940: file needs a 1GHz processor and about 60Mb of RAM.
1941:
1942: .SH INTERNATIONALISATION
1943: Dnsmasq can be compiled to support internationalisation. To do this,
1944: the make targets "all-i18n" and "install-i18n" should be used instead of
1945: the standard targets "all" and "install". When internationalisation
1946: is compiled in, dnsmasq will produce log messages in the local
1947: language and support internationalised domain names (IDN). Domain
1948: names in /etc/hosts, /etc/ethers and /etc/dnsmasq.conf which contain
1949: non-ASCII characters will be translated to the DNS-internal punycode
1950: representation. Note that
1951: dnsmasq determines both the language for messages and the assumed
1952: charset for configuration
1953: files from the LANG environment variable. This should be set to the system
1954: default value by the script which is responsible for starting
1955: dnsmasq. When editing the configuration files, be careful to do so
1956: using only the system-default locale and not user-specific one, since
1957: dnsmasq has no direct way of determining the charset in use, and must
1958: assume that it is the system default.
1959:
1960: .SH FILES
1961: .IR /etc/dnsmasq.conf
1962:
1963: .IR /usr/local/etc/dnsmasq.conf
1964:
1965: .IR /etc/resolv.conf
1966: .IR /var/run/dnsmasq/resolv.conf
1967: .IR /etc/ppp/resolv.conf
1968: .IR /etc/dhcpc/resolv.conf
1969:
1970: .IR /etc/hosts
1971:
1972: .IR /etc/ethers
1973:
1974: .IR /var/lib/misc/dnsmasq.leases
1975:
1976: .IR /var/db/dnsmasq.leases
1977:
1978: .IR /var/run/dnsmasq.pid
1979: .SH SEE ALSO
1980: .BR hosts (5),
1981: .BR resolver (5)
1982: .SH AUTHOR
1983: This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.
1984:
1985:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to dnsmasq.8 CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / dnsmasq / man