1: .TH DNSMASQ 8
2: .SH NAME
3: dnsmasq \- A lightweight DHCP and caching DNS server.
4: .SH SYNOPSIS
5: .B dnsmasq
6: .I [OPTION]...
7: .SH "DESCRIPTION"
8: .BR dnsmasq
9: is a lightweight DNS, TFTP, PXE, router advertisement and DHCP server. It is intended to provide
10: coupled DNS and DHCP service to a LAN.
11: .PP
12: Dnsmasq accepts DNS queries and either answers them from a small, local,
13: cache or forwards them to a real, recursive, DNS server. It loads the
14: contents of /etc/hosts so that local hostnames
15: which do not appear in the global DNS can be resolved and also answers
16: DNS queries for DHCP configured hosts. It can also act as the
17: authoritative DNS server for one or more domains, allowing local names
18: to appear in the global DNS. It can be configured to do DNSSEC
19: validation.
20: .PP
21: The dnsmasq DHCP server supports static address assignments and multiple
22: networks. It automatically
23: sends a sensible default set of DHCP options, and can be configured to
24: send any desired set of DHCP options, including vendor-encapsulated
25: options. It includes a secure, read-only,
26: TFTP server to allow net/PXE boot of DHCP hosts and also supports BOOTP. The PXE support is full featured, and includes a proxy mode which supplies PXE information to clients whilst DHCP address allocation is done by another server.
27: .PP
28: The dnsmasq DHCPv6 server provides the same set of features as the
29: DHCPv4 server, and in addition, it includes router advertisements and
30: a neat feature which allows nameing for clients which use DHCPv4 and
31: stateless autoconfiguration only for IPv6 configuration. There is support for doing address allocation (both DHCPv6 and RA) from subnets which are dynamically delegated via DHCPv6 prefix delegation.
32: .PP
33: Dnsmasq is coded with small embedded systems in mind. It aims for the smallest possible memory footprint compatible with the supported functions, and allows uneeded functions to be omitted from the compiled binary.
34: .SH OPTIONS
35: Note that in general missing parameters are allowed and switch off
36: functions, for instance "--pid-file" disables writing a PID file. On
37: BSD, unless the GNU getopt library is linked, the long form of the
38: options does not work on the command line; it is still recognised in
39: the configuration file.
40: .TP
41: .B --test
42: Read and syntax check configuration file(s). Exit with code 0 if all
43: is OK, or a non-zero code otherwise. Do not start up dnsmasq.
44: .TP
45: .B \-w, --help
46: Display all command-line options.
47: .B --help dhcp
48: will display known DHCPv4 configuration options, and
49: .B --help dhcp6
50: will display DHCPv6 options.
51: .TP
52: .B \-h, --no-hosts
53: Don't read the hostnames in /etc/hosts.
54: .TP
55: .B \-H, --addn-hosts=<file>
56: Additional hosts file. Read the specified file as well as /etc/hosts. If -h is given, read
57: only the specified file. This option may be repeated for more than one
58: additional hosts file. If a directory is given, then read all the files contained in that directory.
59: .TP
60: .B --hostsdir=<path>
61: Read all the hosts files contained in the directory. New or changed files
62: are read automatically. See --dhcp-hostsdir for details.
63: .TP
64: .B \-E, --expand-hosts
65: Add the domain to simple names (without a period) in /etc/hosts
66: in the same way as for DHCP-derived names. Note that this does not
67: apply to domain names in cnames, PTR records, TXT records etc.
68: .TP
69: .B \-T, --local-ttl=<time>
70: When replying with information from /etc/hosts or configuration or the DHCP leases
71: file dnsmasq by default sets the time-to-live field to zero, meaning
72: that the requester should not itself cache the information. This is
73: the correct thing to do in almost all situations. This option allows a
74: time-to-live (in seconds) to be given for these replies. This will
75: reduce the load on the server at the expense of clients using stale
76: data under some circumstances.
77: .TP
78: .B --dhcp-ttl=<time>
79: As for --local-ttl, but affects only replies with information from DHCP leases. If both are given, --dhcp-ttl applies for DHCP information, and --local-ttl for others. Setting this to zero eliminates the effect of --local-ttl for DHCP.
80: .TP
81: .B --neg-ttl=<time>
82: Negative replies from upstream servers normally contain time-to-live
83: information in SOA records which dnsmasq uses for caching. If the
84: replies from upstream servers omit this information, dnsmasq does not
85: cache the reply. This option gives a default value for time-to-live
86: (in seconds) which dnsmasq uses to cache negative replies even in
87: the absence of an SOA record.
88: .TP
89: .B --max-ttl=<time>
90: Set a maximum TTL value that will be handed out to clients. The specified
91: maximum TTL will be given to clients instead of the true TTL value if it is
92: lower. The true TTL value is however kept in the cache to avoid flooding
93: the upstream DNS servers.
94: .TP
95: .B --max-cache-ttl=<time>
96: Set a maximum TTL value for entries in the cache.
97: .TP
98: .B --min-cache-ttl=<time>
99: Extend short TTL values to the time given when caching them. Note that
100: artificially extending TTL values is in general a bad idea, do not do it
101: unless you have a good reason, and understand what you are doing.
102: Dnsmasq limits the value of this option to one hour, unless recompiled.
103: .TP
104: .B --auth-ttl=<time>
105: Set the TTL value returned in answers from the authoritative server.
106: .TP
107: .B \-k, --keep-in-foreground
108: Do not go into the background at startup but otherwise run as
109: normal. This is intended for use when dnsmasq is run under daemontools
110: or launchd.
111: .TP
112: .B \-d, --no-daemon
113: Debug mode: don't fork to the background, don't write a pid file,
114: don't change user id, generate a complete cache dump on receipt on
115: SIGUSR1, log to stderr as well as syslog, don't fork new processes
116: to handle TCP queries. Note that this option is for use in debugging
117: only, to stop dnsmasq daemonising in production, use
118: .B -k.
119: .TP
120: .B \-q, --log-queries
121: Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1. If the argument "extra" is supplied, ie
122: .B --log-queries=extra
123: then the log has extra information at the start of each line.
124: This consists of a serial number which ties together the log lines associated with an individual query, and the IP address of the requestor.
125: .TP
126: .B \-8, --log-facility=<facility>
127: Set the facility to which dnsmasq will send syslog entries, this
128: defaults to DAEMON, and to LOCAL0 when debug mode is in operation. If
129: the facility given contains at least one '/' character, it is taken to
130: be a filename, and dnsmasq logs to the given file, instead of
131: syslog. If the facility is '-' then dnsmasq logs to stderr.
132: (Errors whilst reading configuration will still go to syslog,
133: but all output from a successful startup, and all output whilst
134: running, will go exclusively to the file.) When logging to a file,
135: dnsmasq will close and reopen the file when it receives SIGUSR2. This
136: allows the log file to be rotated without stopping dnsmasq.
137: .TP
138: .B --log-async[=<lines>]
139: Enable asynchronous logging and optionally set the limit on the
140: number of lines
141: which will be queued by dnsmasq when writing to the syslog is slow.
142: Dnsmasq can log asynchronously: this
143: allows it to continue functioning without being blocked by syslog, and
144: allows syslog to use dnsmasq for DNS queries without risking deadlock.
145: If the queue of log-lines becomes full, dnsmasq will log the
146: overflow, and the number of messages lost. The default queue length is
147: 5, a sane value would be 5-25, and a maximum limit of 100 is imposed.
148: .TP
149: .B \-x, --pid-file=<path>
150: Specify an alternate path for dnsmasq to record its process-id in. Normally /var/run/dnsmasq.pid.
151: .TP
152: .B \-u, --user=<username>
153: Specify the userid to which dnsmasq will change after startup. Dnsmasq must normally be started as root, but it will drop root
154: privileges after startup by changing id to another user. Normally this user is "nobody" but that
155: can be over-ridden with this switch.
156: .TP
157: .B \-g, --group=<groupname>
158: Specify the group which dnsmasq will run
159: as. The defaults to "dip", if available, to facilitate access to
160: /etc/ppp/resolv.conf which is not normally world readable.
161: .TP
162: .B \-v, --version
163: Print the version number.
164: .TP
165: .B \-p, --port=<port>
166: Listen on <port> instead of the standard DNS port (53). Setting this
167: to zero completely disables DNS function, leaving only DHCP and/or TFTP.
168: .TP
169: .B \-P, --edns-packet-max=<size>
170: Specify the largest EDNS.0 UDP packet which is supported by the DNS
171: forwarder. Defaults to 4096, which is the RFC5625-recommended size.
172: .TP
173: .B \-Q, --query-port=<query_port>
174: Send outbound DNS queries from, and listen for their replies on, the
175: specific UDP port <query_port> instead of using random ports. NOTE
176: that using this option will make dnsmasq less secure against DNS
177: spoofing attacks but it may be faster and use less resources. Setting this option
178: to zero makes dnsmasq use a single port allocated to it by the
179: OS: this was the default behaviour in versions prior to 2.43.
180: .TP
181: .B --min-port=<port>
182: Do not use ports less than that given as source for outbound DNS
183: queries. Dnsmasq picks random ports as source for outbound queries:
184: when this option is given, the ports used will always to larger
185: than that specified. Useful for systems behind firewalls.
186: .TP
187: .B --max-port=<port>
188: Use ports lower than that given as source for outbound DNS queries.
189: Dnsmasq picks random ports as source for outbound queries:
190: when this option is given, the ports used will always be lower
191: than that specified. Useful for systems behind firewalls.
192: .TP
193:
194: .B \-i, --interface=<interface name>
195: Listen only on the specified interface(s). Dnsmasq automatically adds
196: the loopback (local) interface to the list of interfaces to use when
197: the
198: .B \--interface
199: option is used. If no
200: .B \--interface
201: or
202: .B \--listen-address
203: options are given dnsmasq listens on all available interfaces except any
204: given in
205: .B \--except-interface
206: options. IP alias interfaces (eg "eth1:0") cannot be used with
207: .B --interface
208: or
209: .B --except-interface
210: options, use --listen-address instead. A simple wildcard, consisting
211: of a trailing '*', can be used in
212: .B \--interface
213: and
214: .B \--except-interface
215: options.
216: .TP
217: .B \-I, --except-interface=<interface name>
218: Do not listen on the specified interface. Note that the order of
219: .B \--listen-address
220: .B --interface
221: and
222: .B --except-interface
223: options does not matter and that
224: .B --except-interface
225: options always override the others.
226: .TP
227: .B --auth-server=<domain>,<interface>|<ip-address>
228: Enable DNS authoritative mode for queries arriving at an interface or address. Note that the interface or address
229: need not be mentioned in
230: .B --interface
231: or
232: .B --listen-address
233: configuration, indeed
234: .B --auth-server
235: will overide these and provide a different DNS service on the
236: specified interface. The <domain> is the "glue record". It should
237: resolve in the global DNS to a A and/or AAAA record which points to
238: the address dnsmasq is listening on. When an interface is specified,
239: it may be qualified with "/4" or "/6" to specify only the IPv4 or IPv6
240: addresses associated with the interface.
241: .TP
242: .B --local-service
243: Accept DNS queries only from hosts whose address is on a local subnet,
244: ie a subnet for which an interface exists on the server. This option
245: only has effect is there are no --interface --except-interface,
246: --listen-address or --auth-server options. It is intended to be set as
247: a default on installation, to allow unconfigured installations to be
248: useful but also safe from being used for DNS amplification attacks.
249: .TP
250: .B \-2, --no-dhcp-interface=<interface name>
251: Do not provide DHCP or TFTP on the specified interface, but do provide DNS service.
252: .TP
253: .B \-a, --listen-address=<ipaddr>
254: Listen on the given IP address(es). Both
255: .B \--interface
256: and
257: .B \--listen-address
258: options may be given, in which case the set of both interfaces and
259: addresses is used. Note that if no
260: .B \--interface
261: option is given, but
262: .B \--listen-address
263: is, dnsmasq will not automatically listen on the loopback
264: interface. To achieve this, its IP address, 127.0.0.1, must be
265: explicitly given as a
266: .B \--listen-address
267: option.
268: .TP
269: .B \-z, --bind-interfaces
270: On systems which support it, dnsmasq binds the wildcard address,
271: even when it is listening on only some interfaces. It then discards
272: requests that it shouldn't reply to. This has the advantage of
273: working even when interfaces come and go and change address. This
274: option forces dnsmasq to really bind only the interfaces it is
275: listening on. About the only time when this is useful is when
276: running another nameserver (or another instance of dnsmasq) on the
277: same machine. Setting this option also enables multiple instances of
278: dnsmasq which provide DHCP service to run in the same machine.
279: .TP
280: .B --bind-dynamic
281: Enable a network mode which is a hybrid between
282: .B --bind-interfaces
283: and the default. Dnsmasq binds the address of individual interfaces,
284: allowing multiple dnsmasq instances, but if new interfaces or
285: addresses appear, it automatically listens on those (subject to any
286: access-control configuration). This makes dynamically created
287: interfaces work in the same way as the default. Implementing this
288: option requires non-standard networking APIs and it is only available
289: under Linux. On other platforms it falls-back to --bind-interfaces mode.
290: .TP
291: .B \-y, --localise-queries
292: Return answers to DNS queries from /etc/hosts which depend on the interface over which the query was
293: received. If a name in /etc/hosts has more than one address associated with
294: it, and at least one of those addresses is on the same subnet as the
295: interface to which the query was sent, then return only the
296: address(es) on that subnet. This allows for a server to have multiple
297: addresses in /etc/hosts corresponding to each of its interfaces, and
298: hosts will get the correct address based on which network they are
299: attached to. Currently this facility is limited to IPv4.
300: .TP
301: .B \-b, --bogus-priv
302: Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192.168.x.x, etc)
303: which are not found in /etc/hosts or the DHCP leases file are answered
304: with "no such domain" rather than being forwarded upstream.
305: .TP
306: .B \-V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
307: Modify IPv4 addresses returned from upstream nameservers; old-ip is
308: replaced by new-ip. If the optional mask is given then any address
309: which matches the masked old-ip will be re-written. So, for instance
310: .B --alias=1.2.3.0,6.7.8.0,255.255.255.0
311: will map 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what
312: Cisco PIX routers call "DNS doctoring". If the old IP is given as
313: range, then only addresses in the range, rather than a whole subnet,
314: are re-written. So
315: .B --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
316: maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
317: .TP
318: .B \-B, --bogus-nxdomain=<ipaddr>
319: Transform replies which contain the IP address given into "No such
320: domain" replies. This is intended to counteract a devious move made by
321: Verisign in September 2003 when they started returning the address of
322: an advertising web page in response to queries for unregistered names,
323: instead of the correct NXDOMAIN response. This option tells dnsmasq to
324: fake the correct response when it sees this behaviour. As at Sept 2003
325: the IP address being returned by Verisign is 64.94.110.11
326: .TP
327: .B --ignore-address=<ipaddr>
328: Ignore replies to A-record queries which include the specified address.
329: No error is generated, dnsmasq simply continues to listen for another reply.
330: This is useful to defeat blocking strategies which rely on quickly supplying a
331: forged answer to a DNS request for certain domain, before the correct answer can arrive.
332: .TP
333: .B \-f, --filterwin2k
334: Later versions of windows make periodic DNS requests which don't get sensible answers from
335: the public DNS and can cause problems by triggering dial-on-demand links. This flag turns on an option
336: to filter such requests. The requests blocked are for records of types SOA and SRV, and type ANY where the
337: requested name has underscores, to catch LDAP requests.
338: .TP
339: .B \-r, --resolv-file=<file>
340: Read the IP addresses of the upstream nameservers from <file>, instead of
341: /etc/resolv.conf. For the format of this file see
342: .BR resolv.conf (5).
343: The only lines relevant to dnsmasq are nameserver ones. Dnsmasq can
344: be told to poll more than one resolv.conf file, the first file name specified
345: overrides the default, subsequent ones add to the list. This is only
346: allowed when polling; the file with the currently latest modification
347: time is the one used.
348: .TP
349: .B \-R, --no-resolv
350: Don't read /etc/resolv.conf. Get upstream servers only from the command
351: line or the dnsmasq configuration file.
352: .TP
353: .B \-1, --enable-dbus[=<service-name>]
354: Allow dnsmasq configuration to be updated via DBus method calls. The
355: configuration which can be changed is upstream DNS servers (and
356: corresponding domains) and cache clear. Requires that dnsmasq has
357: been built with DBus support. If the service name is given, dnsmasq
358: provides service at that name, rather than the default which is
359: .B uk.org.thekelleys.dnsmasq
360: .TP
361: .B \-o, --strict-order
362: By default, dnsmasq will send queries to any of the upstream servers
363: it knows about and tries to favour servers that are known to
364: be up. Setting this flag forces dnsmasq to try each query with each
365: server strictly in the order they appear in /etc/resolv.conf
366: .TP
367: .B --all-servers
368: By default, when dnsmasq has more than one upstream server available,
369: it will send queries to just one server. Setting this flag forces
370: dnsmasq to send all queries to all available servers. The reply from
371: the server which answers first will be returned to the original requester.
372: .TP
373: .B --dns-loop-detect
374: Enable code to detect DNS forwarding loops; ie the situation where a query sent to one
375: of the upstream server eventually returns as a new query to the dnsmasq instance. The
376: process works by generating TXT queries of the form <hex>.test and sending them to
377: each upstream server. The hex is a UID which encodes the instance of dnsmasq sending the query
378: and the upstream server to which it was sent. If the query returns to the server which sent it, then
379: the upstream server through which it was sent is disabled and this event is logged. Each time the
380: set of upstream servers changes, the test is re-run on all of them, including ones which
381: were previously disabled.
382: .TP
383: .B --stop-dns-rebind
384: Reject (and log) addresses from upstream nameservers which are in the
385: private IP ranges. This blocks an attack where a browser behind a
386: firewall is used to probe machines on the local network.
387: .TP
388: .B --rebind-localhost-ok
389: Exempt 127.0.0.0/8 from rebinding checks. This address range is
390: returned by realtime black hole servers, so blocking it may disable
391: these services.
392: .TP
393: .B --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
394: Do not detect and block dns-rebind on queries to these domains. The
395: argument may be either a single domain, or multiple domains surrounded
396: by '/', like the --server syntax, eg.
397: .B --rebind-domain-ok=/domain1/domain2/domain3/
398: .TP
399: .B \-n, --no-poll
400: Don't poll /etc/resolv.conf for changes.
401: .TP
402: .B --clear-on-reload
403: Whenever /etc/resolv.conf is re-read or the upstream servers are set
404: via DBus, clear the DNS cache.
405: This is useful when new nameservers may have different
406: data than that held in cache.
407: .TP
408: .B \-D, --domain-needed
409: Tells dnsmasq to never forward A or AAAA queries for plain names, without dots
410: or domain parts, to upstream nameservers. If the name is not known
411: from /etc/hosts or DHCP then a "not found" answer is returned.
412: .TP
413: .B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]
414: Specify IP address of upstream servers directly. Setting this flag does
415: not suppress reading of /etc/resolv.conf, use -R to do that. If one or
416: more
417: optional domains are given, that server is used only for those domains
418: and they are queried only using the specified server. This is
419: intended for private nameservers: if you have a nameserver on your
420: network which deals with names of the form
421: xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag
422: .B -S /internal.thekelleys.org.uk/192.168.1.1
423: will send all queries for
424: internal machines to that nameserver, everything else will go to the
425: servers in /etc/resolv.conf. DNSSEC validation is turned off for such
426: private nameservers, UNLESS a
427: .B --trust-anchor
428: is specified for the domain in question. An empty domain specification,
429: .B //
430: has the special meaning of "unqualified names only" ie names without any
431: dots in them. A non-standard port may be specified as
432: part of the IP
433: address using a # character.
434: More than one -S flag is allowed, with
435: repeated domain or ipaddr parts as required.
436:
437: More specific domains take precendence over less specific domains, so:
438: .B --server=/google.com/1.2.3.4
439: .B --server=/www.google.com/2.3.4.5
440: will send queries for *.google.com to 1.2.3.4, except *www.google.com,
441: which will go to 2.3.4.5
442:
443: The special server address '#' means, "use the standard servers", so
444: .B --server=/google.com/1.2.3.4
445: .B --server=/www.google.com/#
446: will send queries for *.google.com to 1.2.3.4, except *www.google.com which will
447: be forwarded as usual.
448:
449: Also permitted is a -S
450: flag which gives a domain but no IP address; this tells dnsmasq that
451: a domain is local and it may answer queries from /etc/hosts or DHCP
452: but should never forward queries on that domain to any upstream
453: servers.
454: .B local
455: is a synonym for
456: .B server
457: to make configuration files clearer in this case.
458:
459: IPv6 addresses may include a %interface scope-id, eg
460: fe80::202:a412:4512:7bbf%eth0.
461:
462: The optional string after the @ character tells
463: dnsmasq how to set the source of the queries to this
464: nameserver. It should be an ip-address, which should belong to the machine on which
465: dnsmasq is running otherwise this server line will be logged and then
466: ignored, or an interface name. If an interface name is given, then
467: queries to the server will be forced via that interface; if an
468: ip-address is given then the source address of the queries will be set
469: to that address.
470: The query-port flag is ignored for any servers which have a
471: source address specified but the port may be specified directly as
472: part of the source address. Forcing queries to an interface is not
473: implemented on all platforms supported by dnsmasq.
474: .TP
475: .B --rev-server=<ip-address>/<prefix-len>,<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]
476: This is functionally the same as
477: .B --server,
478: but provides some syntactic sugar to make specifying address-to-name queries easier. For example
479: .B --rev-server=1.2.3.0/24,192.168.0.1
480: is exactly equivalent to
481: .B --server=/3.2.1.in-addr.arpa/192.168.0.1
482: .TP
483: .B \-A, --address=/<domain>/[domain/][<ipaddr>]
484: Specify an IP address to return for any host in the given domains.
485: Queries in the domains are never forwarded and always replied to
486: with the specified IP address which may be IPv4 or IPv6. To give
487: both IPv4 and IPv6 addresses for a domain, use repeated -A flags.
488: Note that /etc/hosts and DHCP leases override this for individual
489: names. A common use of this is to redirect the entire doubleclick.net
490: domain to some friendly local web server to avoid banner ads. The
491: domain specification works in the same was as for --server, with the
492: additional facility that /#/ matches any domain. Thus
493: --address=/#/1.2.3.4 will always return 1.2.3.4 for any query not
494: answered from /etc/hosts or DHCP and not sent to an upstream
495: nameserver by a more specific --server directive. As for --server,
496: one or more domains with no address returns a no-such-domain answer, so
497: --address=/example.com/ is equivalent to --server=/example.com/ and returns
498: NXDOMAIN for example.com and all its subdomains.
499: .TP
500: .B --ipset=/<domain>/[domain/]<ipset>[,<ipset>]
501: Places the resolved IP addresses of queries for the specified domains
502: in the specified netfilter ip sets. Domains and subdomains are matched
503: in the same way as --address. These ip sets must already exist. See
504: ipset(8) for more details.
505: .TP
506: .B \-m, --mx-host=<mx name>[[,<hostname>],<preference>]
507: Return an MX record named <mx name> pointing to the given hostname (if
508: given), or
509: the host specified in the --mx-target switch
510: or, if that switch is not given, the host on which dnsmasq
511: is running. The default is useful for directing mail from systems on a LAN
512: to a central server. The preference value is optional, and defaults to
513: 1 if not given. More than one MX record may be given for a host.
514: .TP
515: .B \-t, --mx-target=<hostname>
516: Specify the default target for the MX record returned by dnsmasq. See
517: --mx-host. If --mx-target is given, but not --mx-host, then dnsmasq
518: returns a MX record containing the MX target for MX queries on the
519: hostname of the machine on which dnsmasq is running.
520: .TP
521: .B \-e, --selfmx
522: Return an MX record pointing to itself for each local
523: machine. Local machines are those in /etc/hosts or with DHCP leases.
524: .TP
525: .B \-L, --localmx
526: Return an MX record pointing to the host given by mx-target (or the
527: machine on which dnsmasq is running) for each
528: local machine. Local machines are those in /etc/hosts or with DHCP
529: leases.
530: .TP
531: .B \-W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<priority>[,<weight>]]]]
532: Return a SRV DNS record. See RFC2782 for details. If not supplied, the
533: domain defaults to that given by
534: .B --domain.
535: The default for the target domain is empty, and the default for port
536: is one and the defaults for
537: weight and priority are zero. Be careful if transposing data from BIND
538: zone files: the port, weight and priority numbers are in a different
539: order. More than one SRV record for a given service/domain is allowed,
540: all that match are returned.
541: .TP
542: .B --host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-address>][,<TTL>]
543: Add A, AAAA and PTR records to the DNS. This adds one or more names to
544: the DNS with associated IPv4 (A) and IPv6 (AAAA) records. A name may
545: appear in more than one
546: .B host-record
547: and therefore be assigned more than one address. Only the first
548: address creates a PTR record linking the address to the name. This is
549: the same rule as is used reading hosts-files.
550: .B host-record
551: options are considered to be read before host-files, so a name
552: appearing there inhibits PTR-record creation if it appears in
553: hosts-file also. Unlike hosts-files, names are not expanded, even when
554: .B expand-hosts
555: is in effect. Short and long names may appear in the same
556: .B host-record,
557: eg.
558: .B --host-record=laptop,laptop.thekelleys.org,192.168.0.1,1234::100
559:
560: If the time-to-live is given, it overrides the default, which is zero
561: or the value of --local-ttl. The value is a positive integer and gives
562: the time-to-live in seconds.
563: .TP
564: .B \-Y, --txt-record=<name>[[,<text>],<text>]
565: Return a TXT DNS record. The value of TXT record is a set of strings,
566: so any number may be included, delimited by commas; use quotes to put
567: commas into a string. Note that the maximum length of a single string
568: is 255 characters, longer strings are split into 255 character chunks.
569: .TP
570: .B --ptr-record=<name>[,<target>]
571: Return a PTR DNS record.
572: .TP
573: .B --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<regexp>[,<replacement>]
574: Return an NAPTR DNS record, as specified in RFC3403.
575: .TP
576: .B --cname=<cname>,<target>[,<TTL>]
577: Return a CNAME record which indicates that <cname> is really
578: <target>. There are significant limitations on the target; it must be a
579: DNS name which is known to dnsmasq from /etc/hosts (or additional
580: hosts files), from DHCP, from --interface-name or from another
581: .B --cname.
582: If the target does not satisfy this
583: criteria, the whole cname is ignored. The cname must be unique, but it
584: is permissable to have more than one cname pointing to the same target.
585:
586: If the time-to-live is given, it overrides the default, which is zero
587: or the value of -local-ttl. The value is a positive integer and gives
588: the time-to-live in seconds.
589: .TP
590: .B --dns-rr=<name>,<RR-number>,[<hex data>]
591: Return an arbitrary DNS Resource Record. The number is the type of the
592: record (which is always in the C_IN class). The value of the record is
593: given by the hex data, which may be of the form 01:23:45 or 01 23 45 or
594: 012345 or any mixture of these.
595: .TP
596: .B --interface-name=<name>,<interface>[/4|/6]
597: Return a DNS record associating the name with the primary address on
598: the given interface. This flag specifies an A or AAAA record for the given
599: name in the same way as an /etc/hosts line, except that the address is
600: not constant, but taken from the given interface. The interface may be
601: followed by "/4" or "/6" to specify that only IPv4 or IPv6 addresses
602: of the interface should be used. If the interface is
603: down, not configured or non-existent, an empty record is returned. The
604: matching PTR record is also created, mapping the interface address to
605: the name. More than one name may be associated with an interface
606: address by repeating the flag; in that case the first instance is used
607: for the reverse address-to-name mapping.
608: .TP
609: .B --synth-domain=<domain>,<address range>[,<prefix>]
610: Create artificial A/AAAA and PTR records for an address range. The
611: records use the address, with periods (or colons for IPv6) replaced
612: with dashes.
613:
614: An example should make this clearer.
615: .B --synth-domain=thekelleys.org.uk,192.168.0.0/24,internal-
616: will result in a query for internal-192-168-0-56.thekelleys.org.uk returning
617: 192.168.0.56 and a reverse query vice versa. The same applies to IPv6,
618: but IPv6 addresses may start with '::'
619: but DNS labels may not start with '-' so in this case if no prefix is
620: configured a zero is added in front of the label. ::1 becomes 0--1.
621:
622: The address range can be of the form
623: <ip address>,<ip address> or <ip address>/<netmask>
624: .TP
625: .B --add-mac[=base64|text]
626: Add the MAC address of the requestor to DNS queries which are
627: forwarded upstream. This may be used to DNS filtering by the upstream
628: server. The MAC address can only be added if the requestor is on the same
629: subnet as the dnsmasq server. Note that the mechanism used to achieve this (an EDNS0 option)
630: is not yet standardised, so this should be considered
631: experimental. Also note that exposing MAC addresses in this way may
632: have security and privacy implications. The warning about caching
633: given for --add-subnet applies to --add-mac too. An alternative encoding of the
634: MAC, as base64, is enabled by adding the "base64" parameter and a human-readable encoding of hex-and-colons is enabled by added the "text" parameter.
635: .TP
636: .B --add-cpe-id=<string>
637: Add a arbitrary identifying string to o DNS queries which are
638: forwarded upstream.
639: .TP
640: .B --add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>/]<IPv6 prefix length>]]
641: Add a subnet address to the DNS queries which are forwarded
642: upstream. If an address is specified in the flag, it will be used,
643: otherwise, the address of the requestor will be used. The amount of
644: the address forwarded depends on the prefix length parameter: 32 (128
645: for IPv6) forwards the whole address, zero forwards none of it but
646: still marks the request so that no upstream nameserver will add client
647: address information either. The default is zero for both IPv4 and
648: IPv6. Note that upstream nameservers may be configured to return
649: different results based on this information, but the dnsmasq cache
650: does not take account. If a dnsmasq instance is configured such that
651: different results may be encountered, caching should be disabled.
652:
653: For example,
654: .B --add-subnet=24,96
655: will add the /24 and /96 subnets of the requestor for IPv4 and IPv6 requestors, respectively.
656: .B --add-subnet=1.2.3.4/24
657: will add 1.2.3.0/24 for IPv4 requestors and ::/0 for IPv6 requestors.
658: .B --add-subnet=1.2.3.4/24,1.2.3.4/24
659: will add 1.2.3.0/24 for both IPv4 and IPv6 requestors.
660:
661: .TP
662: .B \-c, --cache-size=<cachesize>
663: Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching.
664: .TP
665: .B \-N, --no-negcache
666: Disable negative caching. Negative caching allows dnsmasq to remember
667: "no such domain" answers from upstream nameservers and answer
668: identical queries without forwarding them again.
669: .TP
670: .B \-0, --dns-forward-max=<queries>
671: Set the maximum number of concurrent DNS queries. The default value is
672: 150, which should be fine for most setups. The only known situation
673: where this needs to be increased is when using web-server log file
674: resolvers, which can generate large numbers of concurrent queries.
675: .TP
676: .B --dnssec
677: Validate DNS replies and cache DNSSEC data. When forwarding DNS queries, dnsmasq requests the
678: DNSSEC records needed to validate the replies. The replies are validated and the result returned as
679: the Authenticated Data bit in the DNS packet. In addition the DNSSEC records are stored in the cache, making
680: validation by clients more efficient. Note that validation by clients is the most secure DNSSEC mode, but for
681: clients unable to do validation, use of the AD bit set by dnsmasq is useful, provided that the network between
682: the dnsmasq server and the client is trusted. Dnsmasq must be compiled with HAVE_DNSSEC enabled, and DNSSEC
683: trust anchors provided, see
684: .B --trust-anchor.
685: Because the DNSSEC validation process uses the cache, it is not
686: permitted to reduce the cache size below the default when DNSSEC is
687: enabled. The nameservers upstream of dnsmasq must be DNSSEC-capable,
688: ie capable of returning DNSSEC records with data. If they are not,
689: then dnsmasq will not be able to determine the trusted status of
690: answers. In the default mode, this menas that all replies will be
691: marked as untrusted. If
692: .B --dnssec-check-unsigned
693: is set and the upstream servers don't support DNSSEC, then DNS service will be entirely broken.
694: .TP
695: .B --trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
696: Provide DS records to act a trust anchors for DNSSEC
697: validation. Typically these will be the DS record(s) for Zone Signing
698: key(s) of the root zone,
699: but trust anchors for limited domains are also possible. The current
700: root-zone trust anchors may be downloaded from https://data.iana.org/root-anchors/root-anchors.xml
701: .TP
702: .B --dnssec-check-unsigned
703: As a default, dnsmasq does not check that unsigned DNS replies are
704: legitimate: they are assumed to be valid and passed on (without the
705: "authentic data" bit set, of course). This does not protect against an
706: attacker forging unsigned replies for signed DNS zones, but it is
707: fast. If this flag is set, dnsmasq will check the zones of unsigned
708: replies, to ensure that unsigned replies are allowed in those
709: zones. The cost of this is more upstream queries and slower
710: performance. See also the warning about upstream servers in the
711: section on
712: .B --dnssec
713: .TP
714: .B --dnssec-no-timecheck
715: DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an
716: interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct
717: time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag
718: removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGHUP. The intention is
719: that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as
720: reliable time is established, a SIGHUP should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records
721: which have not been throughly checked.
722: .TP
723: .B --dnssec-timestamp=<path>
724: Enables an alternative way of checking the validity of the system time for DNSSEC (see --dnssec-no-timecheck). In this case, the
725: system time is considered to be valid once it becomes later than the timestamp on the specified file. The file is created and
726: its timestamp set automatically by dnsmasq. The file must be stored on a persistent filesystem, so that it and its mtime are carried
727: over system restarts. The timestamp file is created after dnsmasq has dropped root, so it must be in a location writable by the
728: unprivileged user that dnsmasq runs as.
729: .TP
730: .B --proxy-dnssec
731: Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an
732: alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between
733: dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.
734: .TP
735: .B --dnssec-debug
736: Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries,
737: and don't convert replies which do not validate to responses with
738: a return code of SERVFAIL. Note that
739: setting this may affect DNS behaviour in bad ways, it is not an
740: extra-logging flag and should not be set in production.
741: .TP
742: .B --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix length>].....]]
743: Define a DNS zone for which dnsmasq acts as authoritative server. Locally defined DNS records which are in the domain
744: will be served. If subnet(s) are given, A and AAAA records must be in one of the
745: specified subnets.
746:
747: As alternative to directly specifying the subnets, it's possible to
748: give the name of an interface, in which case the subnets implied by
749: that interface's configured addresses and netmask/prefix-length are
750: used; this is useful when using constructed DHCP ranges as the actual
751: address is dynamic and not known when configuring dnsmasq. The
752: interface addresses may be confined to only IPv6 addresses using
753: <interface>/6 or to only IPv4 using <interface>/4. This is useful when
754: an interface has dynamically determined global IPv6 addresses which should
755: appear in the zone, but RFC1918 IPv4 addresses which should not.
756: Interface-name and address-literal subnet specifications may be used
757: freely in the same --auth-zone declaration.
758:
759: The subnet(s) are also used to define in-addr.arpa and
760: ip6.arpa domains which are served for reverse-DNS queries. If not
761: specified, the prefix length defaults to 24 for IPv4 and 64 for IPv6.
762: For IPv4 subnets, the prefix length should be have the value 8, 16 or 24
763: unless you are familiar with RFC 2317 and have arranged the
764: in-addr.arpa delegation accordingly. Note that if no subnets are
765: specified, then no reverse queries are answered.
766: .TP
767: .B --auth-soa=<serial>[,<hostmaster>[,<refresh>[,<retry>[,<expiry>]]]]
768: Specify fields in the SOA record associated with authoritative
769: zones. Note that this is optional, all the values are set to sane defaults.
770: .TP
771: .B --auth-sec-servers=<domain>[,<domain>[,<domain>...]]
772: Specify any secondary servers for a zone for which dnsmasq is
773: authoritative. These servers must be configured to get zone data from
774: dnsmasq by zone transfer, and answer queries for the same
775: authoritative zones as dnsmasq.
776: .TP
777: .B --auth-peer=<ip-address>[,<ip-address>[,<ip-address>...]]
778: Specify the addresses of secondary servers which are allowed to
779: initiate zone transfer (AXFR) requests for zones for which dnsmasq is
780: authoritative. If this option is not given, then AXFR requests will be
781: accepted from any secondary.
782: .TP
783: .B --conntrack
784: Read the Linux connection track mark associated with incoming DNS
785: queries and set the same mark value on upstream traffic used to answer
786: those queries. This allows traffic generated by dnsmasq to be
787: associated with the queries which cause it, useful for bandwidth
788: accounting and firewalling. Dnsmasq must have conntrack support
789: compiled in and the kernel must have conntrack support
790: included and configured. This option cannot be combined with
791: --query-port.
792: .TP
793: .B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>|<mode>][,<netmask>[,<broadcast>]][,<lease time>]
794: .TP
795: .B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-IPv6addr>[,<end-IPv6addr>|constructor:<interface>][,<mode>][,<prefix-len>][,<lease time>]
796:
797: Enable the DHCP server. Addresses will be given out from the range
798: <start-addr> to <end-addr> and from statically defined addresses given
799: in
800: .B dhcp-host
801: options. If the lease time is given, then leases
802: will be given for that length of time. The lease time is in seconds,
803: or minutes (eg 45m) or hours (eg 1h) or "infinite". If not given,
804: the default lease time is one hour. The
805: minimum lease time is two minutes. For IPv6 ranges, the lease time
806: maybe "deprecated"; this sets the preferred lifetime sent in a DHCP
807: lease or router advertisement to zero, which causes clients to use
808: other addresses, if available, for new connections as a prelude to renumbering.
809:
810: This option may be repeated, with different addresses, to enable DHCP
811: service to more than one network. For directly connected networks (ie,
812: networks on which the machine running dnsmasq has an interface) the
813: netmask is optional: dnsmasq will determine it from the interface
814: configuration. For networks which receive DHCP service via a relay
815: agent, dnsmasq cannot determine the netmask itself, so it should be
816: specified, otherwise dnsmasq will have to guess, based on the class (A, B or
817: C) of the network address. The broadcast address is
818: always optional. It is always
819: allowed to have more than one dhcp-range in a single subnet.
820:
821: For IPv6, the parameters are slightly different: instead of netmask
822: and broadcast address, there is an optional prefix length which must
823: be equal to or larger then the prefix length on the local interface. If not
824: given, this defaults to 64. Unlike the IPv4 case, the prefix length is not
825: automatically derived from the interface configuration. The mimimum
826: size of the prefix length is 64.
827:
828: IPv6 (only) supports another type of range. In this, the start address and optional end address contain only the network part (ie ::1) and they are followed by
829: .B constructor:<interface>.
830: This forms a template which describes how to create ranges, based on the addresses assigned to the interface. For instance
831:
832: .B --dhcp-range=::1,::400,constructor:eth0
833:
834: will look for addresses on
835: eth0 and then create a range from <network>::1 to <network>::400. If
836: the interface is assigned more than one network, then the
837: corresponding ranges will be automatically created, and then
838: deprecated and finally removed again as the address is deprecated and
839: then deleted. The interface name may have a final "*" wildcard. Note
840: that just any address on eth0 will not do: it must not be an
841: autoconfigured or privacy address, or be deprecated.
842:
843: If a dhcp-range is only being used for stateless DHCP and/or SLAAC,
844: then the address can be simply ::
845:
846: .B --dhcp-range=::,constructor:eth0
847:
848:
849: The optional
850: .B set:<tag>
851: sets an alphanumeric label which marks this network so that
852: dhcp options may be specified on a per-network basis.
853: When it is prefixed with 'tag:' instead, then its meaning changes from setting
854: a tag to matching it. Only one tag may be set, but more than one tag
855: may be matched.
856:
857: The optional <mode> keyword may be
858: .B static
859: which tells dnsmasq to enable DHCP for the network specified, but not
860: to dynamically allocate IP addresses: only hosts which have static
861: addresses given via
862: .B dhcp-host
863: or from /etc/ethers will be served. A static-only subnet with address
864: all zeros may be used as a "catch-all" address to enable replies to all
865: Information-request packets on a subnet which is provided with
866: stateless DHCPv6, ie
867: .B --dhcp-range=::,static
868:
869: For IPv4, the <mode> may be
870: .B proxy
871: in which case dnsmasq will provide proxy-DHCP on the specified
872: subnet. (See
873: .B pxe-prompt
874: and
875: .B pxe-service
876: for details.)
877:
878: For IPv6, the mode may be some combination of
879: .B ra-only, slaac, ra-names, ra-stateless, ra-advrouter, off-link.
880:
881: .B ra-only
882: tells dnsmasq to offer Router Advertisement only on this subnet,
883: and not DHCP.
884:
885: .B slaac
886: tells dnsmasq to offer Router Advertisement on this subnet and to set
887: the A bit in the router advertisement, so that the client will use
888: SLAAC addresses. When used with a DHCP range or static DHCP address
889: this results in the client having both a DHCP-assigned and a SLAAC
890: address.
891:
892: .B ra-stateless
893: sends router advertisements with the O and A bits set, and provides a
894: stateless DHCP service. The client will use a SLAAC address, and use
895: DHCP for other configuration information.
896:
897: .B ra-names
898: enables a mode
899: which gives DNS names to dual-stack hosts which do SLAAC for
900: IPv6. Dnsmasq uses the host's IPv4 lease to derive the name, network
901: segment and MAC address and assumes that the host will also have an
902: IPv6 address calculated using the SLAAC algorithm, on the same network
903: segment. The address is pinged, and if a reply is received, an AAAA
904: record is added to the DNS for this IPv6
905: address. Note that this is only happens for directly-connected
906: networks, (not one doing DHCP via a relay) and it will not work
907: if a host is using privacy extensions.
908: .B ra-names
909: can be combined with
910: .B ra-stateless
911: and
912: .B slaac.
913:
914: .B ra-advrouter
915: enables a mode where router address(es) rather than prefix(es) are included in the advertisements.
916: This is described in RFC-3775 section 7.2 and is used in mobile IPv6. In this mode the interval option
917: is also included, as described in RFC-3775 section 7.3.
918:
919: .B off-link
920: tells dnsmasq to advertise the prefix without the on-link (aka L) bit set.
921:
922: .TP
923: .B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
924: Specify per host parameters for the DHCP server. This allows a machine
925: with a particular hardware address to be always allocated the same
926: hostname, IP address and lease time. A hostname specified like this
927: overrides any supplied by the DHCP client on the machine. It is also
928: allowable to omit the hardware address and include the hostname, in
929: which case the IP address and lease times will apply to any machine
930: claiming that name. For example
931: .B --dhcp-host=00:20:e0:3b:13:af,wap,infinite
932: tells dnsmasq to give
933: the machine with hardware address 00:20:e0:3b:13:af the name wap, and
934: an infinite DHCP lease.
935: .B --dhcp-host=lap,192.168.0.199
936: tells
937: dnsmasq to always allocate the machine lap the IP address
938: 192.168.0.199.
939:
940: Addresses allocated like this are not constrained to be
941: in the range given by the --dhcp-range option, but they must be in
942: the same subnet as some valid dhcp-range. For
943: subnets which don't need a pool of dynamically allocated addresses,
944: use the "static" keyword in the dhcp-range declaration.
945:
946: It is allowed to use client identifiers (called client
947: DUID in IPv6-land rather than
948: hardware addresses to identify hosts by prefixing with 'id:'. Thus:
949: .B --dhcp-host=id:01:02:03:04,.....
950: refers to the host with client identifier 01:02:03:04. It is also
951: allowed to specify the client ID as text, like this:
952: .B --dhcp-host=id:clientidastext,.....
953:
954: A single
955: .B dhcp-host
956: may contain an IPv4 address or an IPv6 address, or both. IPv6 addresses must be bracketed by square brackets thus:
957: .B --dhcp-host=laptop,[1234::56]
958: IPv6 addresses may contain only the host-identifier part:
959: .B --dhcp-host=laptop,[::56]
960: in which case they act as wildcards in constructed dhcp ranges, with
961: the appropriate network part inserted.
962: Note that in IPv6 DHCP, the hardware address may not be
963: available, though it normally is for direct-connected clients, or
964: clients using DHCP relays which support RFC 6939.
965:
966:
967: For DHCPv4, the special option id:* means "ignore any client-id
968: and use MAC addresses only." This is useful when a client presents a client-id sometimes
969: but not others.
970:
971: If a name appears in /etc/hosts, the associated address can be
972: allocated to a DHCP lease, but only if a
973: .B --dhcp-host
974: option specifying the name also exists. Only one hostname can be
975: given in a
976: .B dhcp-host
977: option, but aliases are possible by using CNAMEs. (See
978: .B --cname
979: ).
980:
981: The special keyword "ignore"
982: tells dnsmasq to never offer a DHCP lease to a machine. The machine
983: can be specified by hardware address, client ID or hostname, for
984: instance
985: .B --dhcp-host=00:20:e0:3b:13:af,ignore
986: This is
987: useful when there is another DHCP server on the network which should
988: be used by some machines.
989:
990: The set:<tag> construct sets the tag
991: whenever this dhcp-host directive is in use. This can be used to
992: selectively send DHCP options just for this host. More than one tag
993: can be set in a dhcp-host directive (but not in other places where
994: "set:<tag>" is allowed). When a host matches any
995: dhcp-host directive (or one implied by /etc/ethers) then the special
996: tag "known" is set. This allows dnsmasq to be configured to
997: ignore requests from unknown machines using
998: .B --dhcp-ignore=tag:!known
999: Ethernet addresses (but not client-ids) may have
1000: wildcard bytes, so for example
1001: .B --dhcp-host=00:20:e0:3b:13:*,ignore
1002: will cause dnsmasq to ignore a range of hardware addresses. Note that
1003: the "*" will need to be escaped or quoted on a command line, but not
1004: in the configuration file.
1005:
1006: Hardware addresses normally match any
1007: network (ARP) type, but it is possible to restrict them to a single
1008: ARP type by preceding them with the ARP-type (in HEX) and "-". so
1009: .B --dhcp-host=06-00:20:e0:3b:13:af,1.2.3.4
1010: will only match a
1011: Token-Ring hardware address, since the ARP-address type for token ring
1012: is 6.
1013:
1014: As a special case, in DHCPv4, it is possible to include more than one
1015: hardware address. eg:
1016: .B --dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2
1017: This allows an IP address to be associated with
1018: multiple hardware addresses, and gives dnsmasq permission to abandon a
1019: DHCP lease to one of the hardware addresses when another one asks for
1020: a lease. Beware that this is a dangerous thing to do, it will only
1021: work reliably if only one of the hardware addresses is active at any
1022: time and there is no way for dnsmasq to enforce this. It is, for instance,
1023: useful to allocate a stable IP address to a laptop which
1024: has both wired and wireless interfaces.
1025: .TP
1026: .B --dhcp-hostsfile=<path>
1027: Read DHCP host information from the specified file. If a directory
1028: is given, then read all the files contained in that directory. The file contains
1029: information about one host per line. The format of a line is the same
1030: as text to the right of '=' in --dhcp-host. The advantage of storing DHCP host information
1031: in this file is that it can be changed without re-starting dnsmasq:
1032: the file will be re-read when dnsmasq receives SIGHUP.
1033: .TP
1034: .B --dhcp-optsfile=<path>
1035: Read DHCP option information from the specified file. If a directory
1036: is given, then read all the files contained in that directory. The advantage of
1037: using this option is the same as for --dhcp-hostsfile: the
1038: dhcp-optsfile will be re-read when dnsmasq receives SIGHUP. Note that
1039: it is possible to encode the information in a
1040: .TP
1041: .B --dhcp-hostsdir=<path>
1042: This is equivalent to dhcp-hostsfile, except for the following. The path MUST be a
1043: directory, and not an individual file. Changed or new files within
1044: the directory are read automatically, without the need to send SIGHUP.
1045: If a file is deleted for changed after it has been read by dnsmasq, then the
1046: host record it contained will remain until dnsmasq recieves a SIGHUP, or
1047: is restarted; ie host records are only added dynamically.
1048: .TP
1049: .B --dhcp-optsdir=<path>
1050: This is equivalent to dhcp-optsfile, with the differences noted for --dhcp-hostsdir.
1051: .TP
1052: .B --dhcp-boot
1053: flag as DHCP options, using the options names bootfile-name,
1054: server-ip-address and tftp-server. This allows these to be included
1055: in a dhcp-optsfile.
1056: .TP
1057: .B \-Z, --read-ethers
1058: Read /etc/ethers for information about hosts for the DHCP server. The
1059: format of /etc/ethers is a hardware address, followed by either a
1060: hostname or dotted-quad IP address. When read by dnsmasq these lines
1061: have exactly the same effect as
1062: .B --dhcp-host
1063: options containing the same information. /etc/ethers is re-read when
1064: dnsmasq receives SIGHUP. IPv6 addresses are NOT read from /etc/ethers.
1065: .TP
1066: .B \-O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>|option6:<opt>|option6:<opt-name>],[<value>[,<value>]]
1067: Specify different or extra options to DHCP clients. By default,
1068: dnsmasq sends some standard options to DHCP clients, the netmask and
1069: broadcast address are set to the same as the host running dnsmasq, and
1070: the DNS server and default route are set to the address of the machine
1071: running dnsmasq. (Equivalent rules apply for IPv6.) If the domain name option has been set, that is sent.
1072: This configuration allows these defaults to be overridden,
1073: or other options specified. The option, to be sent may be given as a
1074: decimal number or as "option:<option-name>" The option numbers are
1075: specified in RFC2132 and subsequent RFCs. The set of option-names
1076: known by dnsmasq can be discovered by running "dnsmasq --help dhcp".
1077: For example, to set the default route option to
1078: 192.168.4.4, do
1079: .B --dhcp-option=3,192.168.4.4
1080: or
1081: .B --dhcp-option = option:router, 192.168.4.4
1082: and to set the time-server address to 192.168.0.4, do
1083: .B --dhcp-option = 42,192.168.0.4
1084: or
1085: .B --dhcp-option = option:ntp-server, 192.168.0.4
1086: The special address 0.0.0.0 is taken to mean "the address of the
1087: machine running dnsmasq".
1088:
1089: Data types allowed are comma separated
1090: dotted-quad IPv4 addresses, []-wrapped IPv6 addresses, a decimal number, colon-separated hex digits
1091: and a text string. If the optional tags are given then
1092: this option is only sent when all the tags are matched.
1093:
1094: Special processing is done on a text argument for option 119, to
1095: conform with RFC 3397. Text or dotted-quad IP addresses as arguments
1096: to option 120 are handled as per RFC 3361. Dotted-quad IP addresses
1097: which are followed by a slash and then a netmask size are encoded as
1098: described in RFC 3442.
1099:
1100: IPv6 options are specified using the
1101: .B option6:
1102: keyword, followed by the option number or option name. The IPv6 option
1103: name space is disjoint from the IPv4 option name space. IPv6 addresses
1104: in options must be bracketed with square brackets, eg.
1105: .B --dhcp-option=option6:ntp-server,[1234::56]
1106: For IPv6, [::] means "the global address of
1107: the machine running dnsmasq", whilst [fd00::] is replaced with the
1108: ULA, if it exists, and [fe80::] with the link-local address.
1109:
1110: Be careful: no checking is done that the correct type of data for the
1111: option number is sent, it is quite possible to
1112: persuade dnsmasq to generate illegal DHCP packets with injudicious use
1113: of this flag. When the value is a decimal number, dnsmasq must determine how
1114: large the data item is. It does this by examining the option number and/or the
1115: value, but can be overridden by appending a single letter flag as follows:
1116: b = one byte, s = two bytes, i = four bytes. This is mainly useful with
1117: encapsulated vendor class options (see below) where dnsmasq cannot
1118: determine data size from the option number. Option data which
1119: consists solely of periods and digits will be interpreted by dnsmasq
1120: as an IP address, and inserted into an option as such. To force a
1121: literal string, use quotes. For instance when using option 66 to send
1122: a literal IP address as TFTP server name, it is necessary to do
1123: .B --dhcp-option=66,"1.2.3.4"
1124:
1125: Encapsulated Vendor-class options may also be specified (IPv4 only) using
1126: --dhcp-option: for instance
1127: .B --dhcp-option=vendor:PXEClient,1,0.0.0.0
1128: sends the encapsulated vendor
1129: class-specific option "mftp-address=0.0.0.0" to any client whose
1130: vendor-class matches "PXEClient". The vendor-class matching is
1131: substring based (see --dhcp-vendorclass for details). If a
1132: vendor-class option (number 60) is sent by dnsmasq, then that is used
1133: for selecting encapsulated options in preference to any sent by the
1134: client. It is
1135: possible to omit the vendorclass completely;
1136: .B --dhcp-option=vendor:,1,0.0.0.0
1137: in which case the encapsulated option is always sent.
1138:
1139: Options may be encapsulated (IPv4 only) within other options: for instance
1140: .B --dhcp-option=encap:175, 190, "iscsi-client0"
1141: will send option 175, within which is the option 190. If multiple
1142: options are given which are encapsulated with the same option number
1143: then they will be correctly combined into one encapsulated option.
1144: encap: and vendor: are may not both be set in the same dhcp-option.
1145:
1146: The final variant on encapsulated options is "Vendor-Identifying
1147: Vendor Options" as specified by RFC3925. These are denoted like this:
1148: .B --dhcp-option=vi-encap:2, 10, "text"
1149: The number in the vi-encap: section is the IANA enterprise number
1150: used to identify this option. This form of encapsulation is supported
1151: in IPv6.
1152:
1153: The address 0.0.0.0 is not treated specially in
1154: encapsulated options.
1155: .TP
1156: .B --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
1157: This works in exactly the same way as
1158: .B --dhcp-option
1159: except that the option will always be sent, even if the client does
1160: not ask for it in the parameter request list. This is sometimes
1161: needed, for example when sending options to PXELinux.
1162: .TP
1163: .B --dhcp-no-override
1164: (IPv4 only) Disable re-use of the DHCP servername and filename fields as extra
1165: option space. If it can, dnsmasq moves the boot server and filename
1166: information (from dhcp-boot) out of their dedicated fields into
1167: DHCP options. This make extra space available in the DHCP packet for
1168: options but can, rarely, confuse old or broken clients. This flag
1169: forces "simple and safe" behaviour to avoid problems in such a case.
1170: .TP
1171: .B --dhcp-relay=<local address>,<server address>[,<interface]
1172: Configure dnsmasq to do DHCP relay. The local address is an address
1173: allocated to an interface on the host running dnsmasq. All DHCP
1174: requests arriving on that interface will we relayed to a remote DHCP
1175: server at the server address. It is possible to relay from a single local
1176: address to multiple remote servers by using multiple dhcp-relay
1177: configs with the same local address and different server
1178: addresses. A server address must be an IP literal address, not a
1179: domain name. In the case of DHCPv6, the server address may be the
1180: ALL_SERVERS multicast address, ff05::1:3. In this case the interface
1181: must be given, not be wildcard, and is used to direct the multicast to the
1182: correct interface to reach the DHCP server.
1183:
1184: Access control for DHCP clients has the same rules as for the DHCP
1185: server, see --interface, --except-interface, etc. The optional
1186: interface name in the dhcp-relay config has a different function: it
1187: controls on which interface DHCP replies from the server will be
1188: accepted. This is intended for configurations which have three
1189: interfaces: one being relayed from, a second connecting the DHCP
1190: server, and a third untrusted network, typically the wider
1191: internet. It avoids the possibility of spoof replies arriving via this
1192: third interface.
1193:
1194: It is allowed to have dnsmasq act as a DHCP server on one set of
1195: interfaces and relay from a disjoint set of interfaces. Note that
1196: whilst it is quite possible to write configurations which appear to
1197: act as a server and a relay on the same interface, this is not
1198: supported: the relay function will take precedence.
1199:
1200: Both DHCPv4 and DHCPv6 relay is supported. It's not possible to relay
1201: DHCPv4 to a DHCPv6 server or vice-versa.
1202: .TP
1203: .B \-U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<vendor-class>
1204: Map from a vendor-class string to a tag. Most DHCP clients provide a
1205: "vendor class" which represents, in some sense, the type of host. This option
1206: maps vendor classes to tags, so that DHCP options may be selectively delivered
1207: to different classes of hosts. For example
1208: .B dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect
1209: will allow options to be set only for HP printers like so:
1210: .B --dhcp-option=tag:printers,3,192.168.4.4
1211: The vendor-class string is
1212: substring matched against the vendor-class supplied by the client, to
1213: allow fuzzy matching. The set: prefix is optional but allowed for
1214: consistency.
1215:
1216: Note that in IPv6 only, vendorclasses are namespaced with an
1217: IANA-allocated enterprise number. This is given with enterprise:
1218: keyword and specifies that only vendorclasses matching the specified
1219: number should be searched.
1220: .TP
1221: .B \-j, --dhcp-userclass=set:<tag>,<user-class>
1222: Map from a user-class string to a tag (with substring
1223: matching, like vendor classes). Most DHCP clients provide a
1224: "user class" which is configurable. This option
1225: maps user classes to tags, so that DHCP options may be selectively delivered
1226: to different classes of hosts. It is possible, for instance to use
1227: this to set a different printer server for hosts in the class
1228: "accounts" than for hosts in the class "engineering".
1229: .TP
1230: .B \-4, --dhcp-mac=set:<tag>,<MAC address>
1231: Map from a MAC address to a tag. The MAC address may include
1232: wildcards. For example
1233: .B --dhcp-mac=set:3com,01:34:23:*:*:*
1234: will set the tag "3com" for any host whose MAC address matches the pattern.
1235: .TP
1236: .B --dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-remoteid=set:<tag>,<remote-id>
1237: Map from RFC3046 relay agent options to tags. This data may
1238: be provided by DHCP relay agents. The circuit-id or remote-id is
1239: normally given as colon-separated hex, but is also allowed to be a
1240: simple string. If an exact match is achieved between the circuit or
1241: agent ID and one provided by a relay agent, the tag is set.
1242:
1243: .B dhcp-remoteid
1244: (but not dhcp-circuitid) is supported in IPv6.
1245: .TP
1246: .B --dhcp-subscrid=set:<tag>,<subscriber-id>
1247: (IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent options to tags.
1248: .TP
1249: .B --dhcp-proxy[=<ip addr>]......
1250: (IPv4 only) A normal DHCP relay agent is only used to forward the initial parts of
1251: a DHCP interaction to the DHCP server. Once a client is configured, it
1252: communicates directly with the server. This is undesirable if the
1253: relay agent is adding extra information to the DHCP packets, such as
1254: that used by
1255: .B dhcp-circuitid
1256: and
1257: .B dhcp-remoteid.
1258: A full relay implementation can use the RFC 5107 serverid-override
1259: option to force the DHCP server to use the relay as a full proxy, with all
1260: packets passing through it. This flag provides an alternative method
1261: of doing the same thing, for relays which don't support RFC
1262: 5107. Given alone, it manipulates the server-id for all interactions
1263: via relays. If a list of IP addresses is given, only interactions via
1264: relays at those addresses are affected.
1265: .TP
1266: .B --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<enterprise>[,<value>]
1267: Without a value, set the tag if the client sends a DHCP
1268: option of the given number or name. When a value is given, set the tag only if
1269: the option is sent and matches the value. The value may be of the form
1270: "01:ff:*:02" in which case the value must match (apart from wildcards)
1271: but the option sent may have unmatched data past the end of the
1272: value. The value may also be of the same form as in
1273: .B dhcp-option
1274: in which case the option sent is treated as an array, and one element
1275: must match, so
1276:
1277: --dhcp-match=set:efi-ia32,option:client-arch,6
1278:
1279: will set the tag "efi-ia32" if the the number 6 appears in the list of
1280: architectures sent by the client in option 93. (See RFC 4578 for
1281: details.) If the value is a string, substring matching is used.
1282:
1283: The special form with vi-encap:<enterprise number> matches against
1284: vendor-identifying vendor classes for the specified enterprise. Please
1285: see RFC 3925 for more details of these rare and interesting beasts.
1286: .TP
1287: .B --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
1288: Perform boolean operations on tags. Any tag appearing as set:<tag> is set if
1289: all the tags which appear as tag:<tag> are set, (or unset when tag:!<tag> is used)
1290: If no tag:<tag> appears set:<tag> tags are set unconditionally.
1291: Any number of set: and tag: forms may appear, in any order.
1292: Tag-if lines ares executed in order, so if the tag in tag:<tag> is a
1293: tag set by another
1294: .B tag-if,
1295: the line which sets the tag must precede the one which tests it.
1296: .TP
1297: .B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
1298: When all the given tags appear in the tag set ignore the host and do
1299: not allocate it a DHCP lease.
1300: .TP
1301: .B --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
1302: When all the given tags appear in the tag set, ignore any hostname
1303: provided by the host. Note that, unlike dhcp-ignore, it is permissible
1304: to supply no tags, in which case DHCP-client supplied hostnames
1305: are always ignored, and DHCP hosts are added to the DNS using only
1306: dhcp-host configuration in dnsmasq and the contents of /etc/hosts and
1307: /etc/ethers.
1308: .TP
1309: .B --dhcp-generate-names=tag:<tag>[,tag:<tag>]
1310: (IPv4 only) Generate a name for DHCP clients which do not otherwise have one,
1311: using the MAC address expressed in hex, separated by dashes. Note that
1312: if a host provides a name, it will be used by preference to this,
1313: unless
1314: .B --dhcp-ignore-names
1315: is set.
1316: .TP
1317: .B --dhcp-broadcast[=tag:<tag>[,tag:<tag>]]
1318: (IPv4 only) When all the given tags appear in the tag set, always use broadcast to
1319: communicate with the host when it is unconfigured. It is permissible
1320: to supply no tags, in which case this is unconditional. Most DHCP clients which
1321: need broadcast replies set a flag in their requests so that this
1322: happens automatically, some old BOOTP clients do not.
1323: .TP
1324: .B \-M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server address>|<tftp_servername>]]
1325: (IPv4 only) Set BOOTP options to be returned by the DHCP server. Server name and
1326: address are optional: if not provided, the name is left empty, and the
1327: address set to the address of the machine running dnsmasq. If dnsmasq
1328: is providing a TFTP service (see
1329: .B --enable-tftp
1330: ) then only the filename is required here to enable network booting.
1331: If the optional tag(s) are given,
1332: they must match for this configuration to be sent.
1333: Instead of an IP address, the TFTP server address can be given as a domain
1334: name which is looked up in /etc/hosts. This name can be associated in
1335: /etc/hosts with multiple IP addresses, which are used round-robin.
1336: This facility can be used to load balance the tftp load among a set of servers.
1337: .TP
1338: .B --dhcp-sequential-ip
1339: Dnsmasq is designed to choose IP addresses for DHCP clients using a
1340: hash of the client's MAC address. This normally allows a client's
1341: address to remain stable long-term, even if the client sometimes allows its DHCP
1342: lease to expire. In this default mode IP addresses are distributed
1343: pseudo-randomly over the entire available address range. There are
1344: sometimes circumstances (typically server deployment) where it is more
1345: convenient to have IP
1346: addresses allocated sequentially, starting from the lowest available
1347: address, and setting this flag enables this mode. Note that in the
1348: sequential mode, clients which allow a lease to expire are much more
1349: likely to move IP address; for this reason it should not be generally used.
1350: .TP
1351: .B --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservicetype>][,<server address>|<server_name>]
1352: Most uses of PXE boot-ROMS simply allow the PXE
1353: system to obtain an IP address and then download the file specified by
1354: .B dhcp-boot
1355: and execute it. However the PXE system is capable of more complex
1356: functions when supported by a suitable DHCP server.
1357:
1358: This specifies a boot option which may appear in a PXE boot menu. <CSA> is
1359: client system type, only services of the correct type will appear in a
1360: menu. The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
1361: Intel_Lean_Client, IA32_EFI, X86-64_EFI, Xscale_EFI, BC_EFI, ARM32_EFI and ARM64_EFI; an
1362: integer may be used for other types. The
1363: parameter after the menu text may be a file name, in which case dnsmasq acts as a
1364: boot server and directs the PXE client to download the file by TFTP,
1365: either from itself (
1366: .B enable-tftp
1367: must be set for this to work) or another TFTP server if the final server
1368: address/name is given.
1369: Note that the "layer"
1370: suffix (normally ".0") is supplied by PXE, and need not be added to
1371: the basename. Alternatively, the basename may be a filename, complete with suffix, in which case
1372: no layer suffix is added. If an integer boot service type, rather than a basename
1373: is given, then the PXE client will search for a
1374: suitable boot service for that type on the network. This search may be done
1375: by broadcast, or direct to a server if its IP address/name is provided.
1376: If no boot service type or filename is provided (or a boot service type of 0 is specified)
1377: then the menu entry will abort the net boot procedure and
1378: continue booting from local media. The server address can be given as a domain
1379: name which is looked up in /etc/hosts. This name can be associated in
1380: /etc/hosts with multiple IP addresses, which are used round-robin.
1381: .TP
1382: .B --pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]
1383: Setting this provides a prompt to be displayed after PXE boot. If the
1384: timeout is given then after the
1385: timeout has elapsed with no keyboard input, the first available menu
1386: option will be automatically executed. If the timeout is zero then the first available menu
1387: item will be executed immediately. If
1388: .B pxe-prompt
1389: is omitted the system will wait for user input if there are multiple
1390: items in the menu, but boot immediately if
1391: there is only one. See
1392: .B pxe-service
1393: for details of menu items.
1394:
1395: Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP server on
1396: the network is responsible for allocating IP addresses, and dnsmasq
1397: simply provides the information given in
1398: .B pxe-prompt
1399: and
1400: .B pxe-service
1401: to allow netbooting. This mode is enabled using the
1402: .B proxy
1403: keyword in
1404: .B dhcp-range.
1405: .TP
1406: .B \-X, --dhcp-lease-max=<number>
1407: Limits dnsmasq to the specified maximum number of DHCP leases. The
1408: default is 1000. This limit is to prevent DoS attacks from hosts which
1409: create thousands of leases and use lots of memory in the dnsmasq
1410: process.
1411: .TP
1412: .B \-K, --dhcp-authoritative
1413: Should be set when dnsmasq is definitely the only DHCP server on a network.
1414: For DHCPv4, it changes the behaviour from strict RFC compliance so that DHCP requests on
1415: unknown leases from unknown hosts are not ignored. This allows new hosts
1416: to get a lease without a tedious timeout under all circumstances. It also
1417: allows dnsmasq to rebuild its lease database without each client needing to
1418: reacquire a lease, if the database is lost. For DHCPv6 it sets the
1419: priority in replies to 255 (the maximum) instead of 0 (the minimum).
1420: .TP
1421: .B --dhcp-alternate-port[=<server port>[,<client port>]]
1422: (IPv4 only) Change the ports used for DHCP from the default. If this option is
1423: given alone, without arguments, it changes the ports used for DHCP
1424: from 67 and 68 to 1067 and 1068. If a single argument is given, that
1425: port number is used for the server and the port number plus one used
1426: for the client. Finally, two port numbers allows arbitrary
1427: specification of both server and client ports for DHCP.
1428: .TP
1429: .B \-3, --bootp-dynamic[=<network-id>[,<network-id>]]
1430: (IPv4 only) Enable dynamic allocation of IP addresses to BOOTP clients. Use this
1431: with care, since each address allocated to a BOOTP client is leased
1432: forever, and therefore becomes permanently unavailable for re-use by
1433: other hosts. if this is given without tags, then it unconditionally
1434: enables dynamic allocation. With tags, only when the tags are all
1435: set. It may be repeated with different tag sets.
1436: .TP
1437: .B \-5, --no-ping
1438: (IPv4 only) By default, the DHCP server will attempt to ensure that an address is
1439: not in use before allocating it to a host. It does this by sending an
1440: ICMP echo request (aka "ping") to the address in question. If it gets
1441: a reply, then the address must already be in use, and another is
1442: tried. This flag disables this check. Use with caution.
1443: .TP
1444: .B --log-dhcp
1445: Extra logging for DHCP: log all the options sent to DHCP clients and
1446: the tags used to determine them.
1447: .TP
1448: .B --quiet-dhcp, --quiet-dhcp6, --quiet-ra
1449: Suppress logging of the routine operation of these protocols. Errors and
1450: problems will still be logged. --quiet-dhcp and quiet-dhcp6 are
1451: over-ridden by --log-dhcp.
1452: .TP
1453: .B \-l, --dhcp-leasefile=<path>
1454: Use the specified file to store DHCP lease information.
1455: .TP
1456: .B --dhcp-duid=<enterprise-id>,<uid>
1457: (IPv6 only) Specify the server persistent UID which the DHCPv6 server
1458: will use. This option is not normally required as dnsmasq creates a
1459: DUID automatically when it is first needed. When given, this option
1460: provides dnsmasq the data required to create a DUID-EN type DUID. Note
1461: that once set, the DUID is stored in the lease database, so to change between DUID-EN and
1462: automatically created DUIDs or vice-versa, the lease database must be
1463: re-intialised. The enterprise-id is assigned by IANA, and the uid is a
1464: string of hex octets unique to a particular device.
1465: .TP
1466: .B \-6 --dhcp-script=<path>
1467: Whenever a new DHCP lease is created, or an old one destroyed, or a
1468: TFTP file transfer completes, the
1469: executable specified by this option is run. <path>
1470: must be an absolute pathname, no PATH search occurs.
1471: The arguments to the process
1472: are "add", "old" or "del", the MAC
1473: address of the host (or DUID for IPv6) , the IP address, and the hostname,
1474: if known. "add" means a lease has been created, "del" means it has
1475: been destroyed, "old" is a notification of an existing lease when
1476: dnsmasq starts or a change to MAC address or hostname of an existing
1477: lease (also, lease length or expiry and client-id, if leasefile-ro is set).
1478: If the MAC address is from a network type other than ethernet,
1479: it will have the network type prepended, eg "06-01:23:45:67:89:ab" for
1480: token ring. The process is run as root (assuming that dnsmasq was originally run as
1481: root) even if dnsmasq is configured to change UID to an unprivileged user.
1482:
1483: The environment is inherited from the invoker of dnsmasq, with some or
1484: all of the following variables added
1485:
1486: For both IPv4 and IPv6:
1487:
1488: DNSMASQ_DOMAIN if the fully-qualified domain name of the host is
1489: known, this is set to the domain part. (Note that the hostname passed
1490: to the script as an argument is never fully-qualified.)
1491:
1492: If the client provides a hostname, DNSMASQ_SUPPLIED_HOSTNAME
1493:
1494: If the client provides user-classes, DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn
1495:
1496: If dnsmasq was compiled with HAVE_BROKEN_RTC, then
1497: the length of the lease (in seconds) is stored in
1498: DNSMASQ_LEASE_LENGTH, otherwise the time of lease expiry is stored in
1499: DNSMASQ_LEASE_EXPIRES. The number of seconds until lease expiry is
1500: always stored in DNSMASQ_TIME_REMAINING.
1501:
1502: If a lease used to have a hostname, which is
1503: removed, an "old" event is generated with the new state of the lease,
1504: ie no name, and the former name is provided in the environment
1505: variable DNSMASQ_OLD_HOSTNAME.
1506:
1507: DNSMASQ_INTERFACE stores the name of
1508: the interface on which the request arrived; this is not set for "old"
1509: actions when dnsmasq restarts.
1510:
1511: DNSMASQ_RELAY_ADDRESS is set if the client
1512: used a DHCP relay to contact dnsmasq and the IP address of the relay
1513: is known.
1514:
1515: DNSMASQ_TAGS contains all the tags set during the
1516: DHCP transaction, separated by spaces.
1517:
1518: DNSMASQ_LOG_DHCP is set if
1519: .B --log-dhcp
1520: is in effect.
1521:
1522: For IPv4 only:
1523:
1524: DNSMASQ_CLIENT_ID if the host provided a client-id.
1525:
1526: DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID, DNSMASQ_REMOTE_ID if a
1527: DHCP relay-agent added any of these options.
1528:
1529: If the client provides vendor-class, DNSMASQ_VENDOR_CLASS.
1530:
1531: For IPv6 only:
1532:
1533: If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID,
1534: containing the IANA enterprise id for the class, and
1535: DNSMASQ_VENDOR_CLASS0..DNSMASQ_VENDOR_CLASSn for the data.
1536:
1537: DNSMASQ_SERVER_DUID containing the DUID of the server: this is the same for
1538: every call to the script.
1539:
1540: DNSMASQ_IAID containing the IAID for the lease. If the lease is a
1541: temporary allocation, this is prefixed to 'T'.
1542:
1543: DNSMASQ_MAC containing the MAC address of the client, if known.
1544:
1545: Note that the supplied hostname, vendorclass and userclass data is
1546: only supplied for
1547: "add" actions or "old" actions when a host resumes an existing lease,
1548: since these data are not held in dnsmasq's lease
1549: database.
1550:
1551:
1552:
1553: All file descriptors are
1554: closed except stdin, stdout and stderr which are open to /dev/null
1555: (except in debug mode).
1556:
1557: The script is not invoked concurrently: at most one instance
1558: of the script is ever running (dnsmasq waits for an instance of script to exit
1559: before running the next). Changes to the lease database are which
1560: require the script to be invoked are queued awaiting exit of a running instance.
1561: If this queueing allows multiple state changes occur to a single
1562: lease before the script can be run then
1563: earlier states are discarded and the current state of that lease is
1564: reflected when the script finally runs.
1565:
1566: At dnsmasq startup, the script will be invoked for
1567: all existing leases as they are read from the lease file. Expired
1568: leases will be called with "del" and others with "old". When dnsmasq
1569: receives a HUP signal, the script will be invoked for existing leases
1570: with an "old" event.
1571:
1572:
1573: There are four further actions which may appear as the first argument
1574: to the script, "init", "arp-add", "arp-del" and "tftp". More may be added in the future, so
1575: scripts should be written to ignore unknown actions. "init" is
1576: described below in
1577: .B --leasefile-ro
1578: The "tftp" action is invoked when a TFTP file transfer completes: the
1579: arguments are the file size in bytes, the address to which the file
1580: was sent, and the complete pathname of the file.
1581:
1582: The "arp-add" and "arp-del" actions are only called if enabled with
1583: .B --script-arp
1584: They are are supplied with a MAC address and IP address as arguments. "arp-add" indicates
1585: the arrival of a new entry in the ARP or neighbour table, and "arp-del" indicates the deletion of same.
1586:
1587: .TP
1588: .B --dhcp-luascript=<path>
1589: Specify a script written in Lua, to be run when leases are created,
1590: destroyed or changed. To use this option, dnsmasq must be compiled
1591: with the correct support. The Lua interpreter is intialised once, when
1592: dnsmasq starts, so that global variables persist between lease
1593: events. The Lua code must define a
1594: .B lease
1595: function, and may provide
1596: .B init
1597: and
1598: .B shutdown
1599: functions, which are called, without arguments when dnsmasq starts up
1600: and terminates. It may also provide a
1601: .B tftp
1602: function.
1603:
1604: The
1605: .B lease
1606: function receives the information detailed in
1607: .B --dhcp-script.
1608: It gets two arguments, firstly the action, which is a string
1609: containing, "add", "old" or "del", and secondly a table of tag value
1610: pairs. The tags mostly correspond to the environment variables
1611: detailed above, for instance the tag "domain" holds the same data as
1612: the environment variable DNSMASQ_DOMAIN. There are a few extra tags
1613: which hold the data supplied as arguments to
1614: .B --dhcp-script.
1615: These are
1616: .B mac_address, ip_address
1617: and
1618: .B hostname
1619: for IPv4, and
1620: .B client_duid, ip_address
1621: and
1622: .B hostname
1623: for IPv6.
1624:
1625: The
1626: .B tftp
1627: function is called in the same way as the lease function, and the
1628: table holds the tags
1629: .B destination_address,
1630: .B file_name
1631: and
1632: .B file_size.
1633:
1634: The
1635: .B arp
1636: and
1637: .B arp-old
1638: functions are called only when enabled with
1639: .B --script-arp
1640: and have a table which holds the tags
1641: .B mac_addres
1642: and
1643: .B client_address.
1644: .TP
1645: .B --dhcp-scriptuser
1646: Specify the user as which to run the lease-change script or Lua script. This defaults to root, but can be changed to another user using this flag.
1647: .TP
1648: .B --script-arp
1649: Enable the "arp" and "arp-old" functions in the dhcp-script and dhcp-luascript.
1650: .TP
1651: .B \-9, --leasefile-ro
1652: Completely suppress use of the lease database file. The file will not
1653: be created, read, or written. Change the way the lease-change
1654: script (if one is provided) is called, so that the lease database may
1655: be maintained in external storage by the script. In addition to the
1656: invocations given in
1657: .B --dhcp-script
1658: the lease-change script is called once, at dnsmasq startup, with the
1659: single argument "init". When called like this the script should write
1660: the saved state of the lease database, in dnsmasq leasefile format, to
1661: stdout and exit with zero exit code. Setting this
1662: option also forces the leasechange script to be called on changes
1663: to the client-id and lease length and expiry time.
1664: .TP
1665: .B --bridge-interface=<interface>,<alias>[,<alias>]
1666: Treat DHCP (v4 and v6) request and IPv6 Router Solicit packets
1667: arriving at any of the <alias> interfaces as if they had arrived at
1668: <interface>. This option allows dnsmasq to provide DHCP and RA
1669: service over unaddressed and unbridged Ethernet interfaces, e.g. on an
1670: OpenStack compute host where each such interface is a TAP interface to
1671: a VM, or as in "old style bridging" on BSD platforms. A trailing '*'
1672: wildcard can be used in each <alias>.
1673: .TP
1674: .B \-s, --domain=<domain>[,<address range>[,local]]
1675: Specifies DNS domains for the DHCP server. Domains may be be given
1676: unconditionally (without the IP range) or for limited IP ranges. This has two effects;
1677: firstly it causes the DHCP server to return the domain to any hosts
1678: which request it, and secondly it sets the domain which it is legal
1679: for DHCP-configured hosts to claim. The intention is to constrain
1680: hostnames so that an untrusted host on the LAN cannot advertise
1681: its name via dhcp as e.g. "microsoft.com" and capture traffic not
1682: meant for it. If no domain suffix is specified, then any DHCP
1683: hostname with a domain part (ie with a period) will be disallowed
1684: and logged. If suffix is specified, then hostnames with a domain
1685: part are allowed, provided the domain part matches the suffix. In
1686: addition, when a suffix is set then hostnames without a domain
1687: part have the suffix added as an optional domain part. Eg on my network I can set
1688: .B --domain=thekelleys.org.uk
1689: and have a machine whose DHCP hostname is "laptop". The IP address for that machine is available from
1690: .B dnsmasq
1691: both as "laptop" and "laptop.thekelleys.org.uk". If the domain is
1692: given as "#" then the domain is read from the first "search" directive
1693: in /etc/resolv.conf (or equivalent).
1694:
1695: The address range can be of the form
1696: <ip address>,<ip address> or <ip address>/<netmask> or just a single
1697: <ip address>. See
1698: .B --dhcp-fqdn
1699: which can change the behaviour of dnsmasq with domains.
1700:
1701: If the address range is given as ip-address/network-size, then a
1702: additional flag "local" may be supplied which has the effect of adding
1703: --local declarations for forward and reverse DNS queries. Eg.
1704: .B --domain=thekelleys.org.uk,192.168.0.0/24,local
1705: is identical to
1706: .B --domain=thekelleys.org.uk,192.168.0.0/24
1707: --local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/
1708: The network size must be 8, 16 or 24 for this to be legal.
1709: .TP
1710: .B --dhcp-fqdn
1711: In the default mode, dnsmasq inserts the unqualified names of
1712: DHCP clients into the DNS. For this reason, the names must be unique,
1713: even if two clients which have the same name are in different
1714: domains. If a second DHCP client appears which has the same name as an
1715: existing client, the name is transferred to the new client. If
1716: .B --dhcp-fqdn
1717: is set, this behaviour changes: the unqualified name is no longer
1718: put in the DNS, only the qualified name. Two DHCP clients with the
1719: same name may both keep the name, provided that the domain part is
1720: different (ie the fully qualified names differ.) To ensure that all
1721: names have a domain part, there must be at least
1722: .B --domain
1723: without an address specified when
1724: .B --dhcp-fqdn
1725: is set.
1726: .TP
1727: .B --dhcp-client-update
1728: Normally, when giving a DHCP lease, dnsmasq sets flags in the FQDN
1729: option to tell the client not to attempt a DDNS update with its name
1730: and IP address. This is because the name-IP pair is automatically
1731: added into dnsmasq's DNS view. This flag suppresses that behaviour,
1732: this is useful, for instance, to allow Windows clients to update
1733: Active Directory servers. See RFC 4702 for details.
1734: .TP
1735: .B --enable-ra
1736: Enable dnsmasq's IPv6 Router Advertisement feature. DHCPv6 doesn't
1737: handle complete network configuration in the same way as DHCPv4. Router
1738: discovery and (possibly) prefix discovery for autonomous address
1739: creation are handled by a different protocol. When DHCP is in use,
1740: only a subset of this is needed, and dnsmasq can handle it, using
1741: existing DHCP configuration to provide most data. When RA is enabled,
1742: dnsmasq will advertise a prefix for each dhcp-range, with default
1743: router as the relevant link-local address on
1744: the machine running dnsmasq. By default, the "managed address" bits are set, and
1745: the "use SLAAC" bit is reset. This can be changed for individual
1746: subnets with the mode keywords described in
1747: .B --dhcp-range.
1748: RFC6106 DNS parameters are included in the advertisements. By default,
1749: the relevant link-local address of the machine running dnsmasq is sent
1750: as recursive DNS server. If provided, the DHCPv6 options dns-server and
1751: domain-search are used for the DNS server (RDNSS) and the domain serach list (DNSSL).
1752: .TP
1753: .B --ra-param=<interface>,[high|low],[[<ra-interval>],<router lifetime>]
1754: Set non-default values for router advertisements sent via an
1755: interface. The priority field for the router may be altered from the
1756: default of medium with eg
1757: .B --ra-param=eth0,high.
1758: The interval between router advertisements may be set (in seconds) with
1759: .B --ra-param=eth0,60.
1760: The lifetime of the route may be changed or set to zero, which allows
1761: a router to advertise prefixes but not a route via itself.
1762: .B --ra-parm=eth0,0,0
1763: (A value of zero for the interval means the default value.) All three parameters may be set at once.
1764: .B --ra-param=low,60,1200
1765: The interface field may include a wildcard.
1766: .TP
1767: .B --enable-tftp[=<interface>[,<interface>]]
1768: Enable the TFTP server function. This is deliberately limited to that
1769: needed to net-boot a client. Only reading is allowed; the tsize and
1770: blksize extensions are supported (tsize is only supported in octet
1771: mode). Without an argument, the TFTP service is provided to the same set of interfaces as DHCP service.
1772: If the list of interfaces is provided, that defines which interfaces recieve TFTP service.
1773: .TP
1774: .B --tftp-root=<directory>[,<interface>]
1775: Look for files to transfer using TFTP relative to the given
1776: directory. When this is set, TFTP paths which include ".." are
1777: rejected, to stop clients getting outside the specified root.
1778: Absolute paths (starting with /) are allowed, but they must be within
1779: the tftp-root. If the optional interface argument is given, the
1780: directory is only used for TFTP requests via that interface.
1781: .TP
1782: .B --tftp-no-fail
1783: Do not abort startup if specified tftp root directories are inaccessible.
1784: .TP
1785: .B --tftp-unique-root
1786: Add the IP address of the TFTP client as a path component on the end
1787: of the TFTP-root (in standard dotted-quad format). Only valid if a
1788: tftp-root is set and the directory exists. For instance, if tftp-root is "/tftp" and client
1789: 1.2.3.4 requests file "myfile" then the effective path will be
1790: "/tftp/1.2.3.4/myfile" if /tftp/1.2.3.4 exists or /tftp/myfile otherwise.
1791: .TP
1792: .B --tftp-secure
1793: Enable TFTP secure mode: without this, any file which is readable by
1794: the dnsmasq process under normal unix access-control rules is
1795: available via TFTP. When the --tftp-secure flag is given, only files
1796: owned by the user running the dnsmasq process are accessible. If
1797: dnsmasq is being run as root, different rules apply: --tftp-secure
1798: has no effect, but only files which have the world-readable bit set
1799: are accessible. It is not recommended to run dnsmasq as root with TFTP
1800: enabled, and certainly not without specifying --tftp-root. Doing so
1801: can expose any world-readable file on the server to any host on the net.
1802: .TP
1803: .B --tftp-lowercase
1804: Convert filenames in TFTP requests to all lowercase. This is useful
1805: for requests from Windows machines, which have case-insensitive
1806: filesystems and tend to play fast-and-loose with case in filenames.
1807: Note that dnsmasq's tftp server always converts "\\" to "/" in filenames.
1808: .TP
1809: .B --tftp-max=<connections>
1810: Set the maximum number of concurrent TFTP connections allowed. This
1811: defaults to 50. When serving a large number of TFTP connections,
1812: per-process file descriptor limits may be encountered. Dnsmasq needs
1813: one file descriptor for each concurrent TFTP connection and one
1814: file descriptor per unique file (plus a few others). So serving the
1815: same file simultaneously to n clients will use require about n + 10 file
1816: descriptors, serving different files simultaneously to n clients will
1817: require about (2*n) + 10 descriptors. If
1818: .B --tftp-port-range
1819: is given, that can affect the number of concurrent connections.
1820: .TP
1821: .B --tftp-mtu=<mtu size>
1822: Use size as the ceiling of the MTU supported by the intervening network when
1823: negotiating TFTP blocksize, overriding the MTU setting of the local interface if it is larger.
1824: .TP
1825: .B --tftp-no-blocksize
1826: Stop the TFTP server from negotiating the "blocksize" option with a
1827: client. Some buggy clients request this option but then behave badly
1828: when it is granted.
1829: .TP
1830: .B --tftp-port-range=<start>,<end>
1831: A TFTP server listens on a well-known port (69) for connection initiation,
1832: but it also uses a dynamically-allocated port for each
1833: connection. Normally these are allocated by the OS, but this option
1834: specifies a range of ports for use by TFTP transfers. This can be
1835: useful when TFTP has to traverse a firewall. The start of the range
1836: cannot be lower than 1025 unless dnsmasq is running as root. The number
1837: of concurrent TFTP connections is limited by the size of the port range.
1838: .TP
1839: .B \-C, --conf-file=<file>
1840: Specify a different configuration file. The conf-file option is also allowed in
1841: configuration files, to include multiple configuration files. A
1842: filename of "-" causes dnsmasq to read configuration from stdin.
1843: .TP
1844: .B \-7, --conf-dir=<directory>[,<file-extension>......],
1845: Read all the files in the given directory as configuration
1846: files. If extension(s) are given, any files which end in those
1847: extensions are skipped. Any files whose names end in ~ or start with . or start and end
1848: with # are always skipped. If the extension starts with * then only files
1849: which have that extension are loaded. So
1850: .B --conf-dir=/path/to/dir,*.conf
1851: loads all files with the suffix .conf in /path/to/dir. This flag may be given on the command
1852: line or in a configuration file. If giving it on the command line, be sure to
1853: escape * characters.
1854: .TP
1855: .B --servers-file=<file>
1856: A special case of
1857: .B --conf-file
1858: which differs in two respects. Firstly, only --server and --rev-server are allowed
1859: in the configuration file included. Secondly, the file is re-read and the configuration
1860: therein is updated when dnsmasq recieves SIGHUP.
1861: .SH CONFIG FILE
1862: At startup, dnsmasq reads
1863: .I /etc/dnsmasq.conf,
1864: if it exists. (On
1865: FreeBSD, the file is
1866: .I /usr/local/etc/dnsmasq.conf
1867: ) (but see the
1868: .B \-C
1869: and
1870: .B \-7
1871: options.) The format of this
1872: file consists of one option per line, exactly as the long options detailed
1873: in the OPTIONS section but without the leading "--". Lines starting with # are comments and ignored. For
1874: options which may only be specified once, the configuration file overrides
1875: the command line. Quoting is allowed in a config file:
1876: between " quotes the special meanings of ,:. and # are removed and the
1877: following escapes are allowed: \\\\ \\" \\t \\e \\b \\r and \\n. The later
1878: corresponding to tab, escape, backspace, return and newline.
1879: .SH NOTES
1880: When it receives a SIGHUP,
1881: .B dnsmasq
1882: clears its cache and then re-loads
1883: .I /etc/hosts
1884: and
1885: .I /etc/ethers
1886: and any file given by --dhcp-hostsfile, --dhcp-hostsdir, --dhcp-optsfile,
1887: --dhcp-optsdir, --addn-hosts or --hostsdir.
1888: The dhcp lease change script is called for all
1889: existing DHCP leases. If
1890: .B
1891: --no-poll
1892: is set SIGHUP also re-reads
1893: .I /etc/resolv.conf.
1894: SIGHUP
1895: does NOT re-read the configuration file.
1896: .PP
1897: When it receives a SIGUSR1,
1898: .B dnsmasq
1899: writes statistics to the system log. It writes the cache size,
1900: the number of names which have had to removed from the cache before
1901: they expired in order to make room for new names and the total number
1902: of names that have been inserted into the cache. The number of cache hits and
1903: misses and the number of authoritative queries answered are also given. For each upstream
1904: server it gives the number of queries sent, and the number which
1905: resulted in an error. In
1906: .B --no-daemon
1907: mode or when full logging is enabled (-q), a complete dump of the
1908: contents of the cache is made.
1909:
1910: The cache statistics are also available in the DNS as answers to
1911: queries of class CHAOS and type TXT in domain bind. The domain names are cachesize.bind, insertions.bind, evictions.bind,
1912: misses.bind, hits.bind, auth.bind and servers.bind. An example command to query this, using the
1913: .B dig
1914: utility would be
1915:
1916: dig +short chaos txt cachesize.bind
1917:
1918: .PP
1919: When it receives SIGUSR2 and it is logging direct to a file (see
1920: .B --log-facility
1921: )
1922: .B dnsmasq
1923: will close and reopen the log file. Note that during this operation,
1924: dnsmasq will not be running as root. When it first creates the logfile
1925: dnsmasq changes the ownership of the file to the non-root user it will run
1926: as. Logrotate should be configured to create a new log file with
1927: the ownership which matches the existing one before sending SIGUSR2.
1928: If TCP DNS queries are in progress, the old logfile will remain open in
1929: child processes which are handling TCP queries and may continue to be
1930: written. There is a limit of 150 seconds, after which all existing TCP
1931: processes will have expired: for this reason, it is not wise to
1932: configure logfile compression for logfiles which have just been
1933: rotated. Using logrotate, the required options are
1934: .B create
1935: and
1936: .B delaycompress.
1937:
1938:
1939: .PP
1940: Dnsmasq is a DNS query forwarder: it it not capable of recursively
1941: answering arbitrary queries starting from the root servers but
1942: forwards such queries to a fully recursive upstream DNS server which is
1943: typically provided by an ISP. By default, dnsmasq reads
1944: .I /etc/resolv.conf
1945: to discover the IP
1946: addresses of the upstream nameservers it should use, since the
1947: information is typically stored there. Unless
1948: .B --no-poll
1949: is used,
1950: .B dnsmasq
1951: checks the modification time of
1952: .I /etc/resolv.conf
1953: (or equivalent if
1954: .B \--resolv-file
1955: is used) and re-reads it if it changes. This allows the DNS servers to
1956: be set dynamically by PPP or DHCP since both protocols provide the
1957: information.
1958: Absence of
1959: .I /etc/resolv.conf
1960: is not an error
1961: since it may not have been created before a PPP connection exists. Dnsmasq
1962: simply keeps checking in case
1963: .I /etc/resolv.conf
1964: is created at any
1965: time. Dnsmasq can be told to parse more than one resolv.conf
1966: file. This is useful on a laptop, where both PPP and DHCP may be used:
1967: dnsmasq can be set to poll both
1968: .I /etc/ppp/resolv.conf
1969: and
1970: .I /etc/dhcpc/resolv.conf
1971: and will use the contents of whichever changed
1972: last, giving automatic switching between DNS servers.
1973: .PP
1974: Upstream servers may also be specified on the command line or in
1975: the configuration file. These server specifications optionally take a
1976: domain name which tells dnsmasq to use that server only to find names
1977: in that particular domain.
1978: .PP
1979: In order to configure dnsmasq to act as cache for the host on which it is running, put "nameserver 127.0.0.1" in
1980: .I /etc/resolv.conf
1981: to force local processes to send queries to
1982: dnsmasq. Then either specify the upstream servers directly to dnsmasq
1983: using
1984: .B \--server
1985: options or put their addresses real in another file, say
1986: .I /etc/resolv.dnsmasq
1987: and run dnsmasq with the
1988: .B \-r /etc/resolv.dnsmasq
1989: option. This second technique allows for dynamic update of the server
1990: addresses by PPP or DHCP.
1991: .PP
1992: Addresses in /etc/hosts will "shadow" different addresses for the same
1993: names in the upstream DNS, so "mycompany.com 1.2.3.4" in /etc/hosts will ensure that
1994: queries for "mycompany.com" always return 1.2.3.4 even if queries in
1995: the upstream DNS would otherwise return a different address. There is
1996: one exception to this: if the upstream DNS contains a CNAME which
1997: points to a shadowed name, then looking up the CNAME through dnsmasq
1998: will result in the unshadowed address associated with the target of
1999: the CNAME. To work around this, add the CNAME to /etc/hosts so that
2000: the CNAME is shadowed too.
2001:
2002: .PP
2003: The tag system works as follows: For each DHCP request, dnsmasq
2004: collects a set of valid tags from active configuration lines which
2005: include set:<tag>, including one from the
2006: .B dhcp-range
2007: used to allocate the address, one from any matching
2008: .B dhcp-host
2009: (and "known" if a dhcp-host matches)
2010: The tag "bootp" is set for BOOTP requests, and a tag whose name is the
2011: name of the interface on which the request arrived is also set.
2012:
2013: Any configuration lines which include one or more tag:<tag> constructs
2014: will only be valid if all that tags are matched in the set derived
2015: above. Typically this is dhcp-option.
2016: .B dhcp-option
2017: which has tags will be used in preference to an untagged
2018: .B dhcp-option,
2019: provided that _all_ the tags match somewhere in the
2020: set collected as described above. The prefix '!' on a tag means 'not'
2021: so --dhcp-option=tag:!purple,3,1.2.3.4 sends the option when the
2022: tag purple is not in the set of valid tags. (If using this in a
2023: command line rather than a configuration file, be sure to escape !,
2024: which is a shell metacharacter)
2025:
2026: When selecting dhcp-options, a tag from dhcp-range is second class
2027: relative to other tags, to make it easy to override options for
2028: individual hosts, so
2029: .B dhcp-range=set:interface1,......
2030: .B dhcp-host=set:myhost,.....
2031: .B dhcp-option=tag:interface1,option:nis-domain,"domain1"
2032: .B dhcp-option=tag:myhost,option:nis-domain,"domain2"
2033: will set the NIS-domain to domain1 for hosts in the range, but
2034: override that to domain2 for a particular host.
2035:
2036: .PP
2037: Note that for
2038: .B dhcp-range
2039: both tag:<tag> and set:<tag> are allowed, to both select the range in
2040: use based on (eg) dhcp-host, and to affect the options sent, based on
2041: the range selected.
2042:
2043: This system evolved from an earlier, more limited one and for backward
2044: compatibility "net:" may be used instead of "tag:" and "set:" may be
2045: omitted. (Except in
2046: .B dhcp-host,
2047: where "net:" may be used instead of "set:".) For the same reason, '#'
2048: may be used instead of '!' to indicate NOT.
2049: .PP
2050: The DHCP server in dnsmasq will function as a BOOTP server also,
2051: provided that the MAC address and IP address for clients are given,
2052: either using
2053: .B dhcp-host
2054: configurations or in
2055: .I /etc/ethers
2056: , and a
2057: .B dhcp-range
2058: configuration option is present to activate the DHCP server
2059: on a particular network. (Setting --bootp-dynamic removes the need for
2060: static address mappings.) The filename
2061: parameter in a BOOTP request is used as a tag,
2062: as is the tag "bootp", allowing some control over the options returned to
2063: different classes of hosts.
2064:
2065: .SH AUTHORITATIVE CONFIGURATION
2066: .PP
2067: Configuring dnsmasq to act as an authoritative DNS server is
2068: complicated by the fact that it involves configuration of external DNS
2069: servers to provide delegation. We will walk through three scenarios of
2070: increasing complexity. Prerequisites for all of these scenarios
2071: are a globally accessible IP address, an A or AAAA record pointing to that address,
2072: and an external DNS server capable of doing delegation of the zone in
2073: question. For the first part of this explanation, we will call the A (or AAAA) record
2074: for the globally accessible address server.example.com, and the zone
2075: for which dnsmasq is authoritative our.zone.com.
2076:
2077: The simplest configuration consists of two lines of dnsmasq configuration; something like
2078:
2079: .nf
2080: .B auth-server=server.example.com,eth0
2081: .B auth-zone=our.zone.com,1.2.3.0/24
2082: .fi
2083:
2084: and two records in the external DNS
2085:
2086: .nf
2087: server.example.com A 192.0.43.10
2088: our.zone.com NS server.example.com
2089: .fi
2090:
2091: eth0 is the external network interface on which dnsmasq is listening,
2092: and has (globally accessible) address 192.0.43.10.
2093:
2094: Note that the external IP address may well be dynamic (ie assigned
2095: from an ISP by DHCP or PPP) If so, the A record must be linked to this
2096: dynamic assignment by one of the usual dynamic-DNS systems.
2097:
2098: A more complex, but practically useful configuration has the address
2099: record for the globally accessible IP address residing in the
2100: authoritative zone which dnsmasq is serving, typically at the root. Now
2101: we have
2102:
2103: .nf
2104: .B auth-server=our.zone.com,eth0
2105: .B auth-zone=our.zone.com,1.2.3.0/24
2106: .fi
2107:
2108: .nf
2109: our.zone.com A 1.2.3.4
2110: our.zone.com NS our.zone.com
2111: .fi
2112:
2113: The A record for our.zone.com has now become a glue record, it solves
2114: the chicken-and-egg problem of finding the IP address of the
2115: nameserver for our.zone.com when the A record is within that
2116: zone. Note that this is the only role of this record: as dnsmasq is
2117: now authoritative from our.zone.com it too must provide this
2118: record. If the external address is static, this can be done with an
2119: .B /etc/hosts
2120: entry or
2121: .B --host-record.
2122:
2123: .nf
2124: .B auth-server=our.zone.com,eth0
2125: .B host-record=our.zone.com,1.2.3.4
2126: .B auth-zone=our.zone.com,1.2.3.0/24
2127: .fi
2128:
2129: If the external address is dynamic, the address
2130: associated with our.zone.com must be derived from the address of the
2131: relevant interface. This is done using
2132: .B interface-name
2133: Something like:
2134:
2135: .nf
2136: .B auth-server=our.zone.com,eth0
2137: .B interface-name=our.zone.com,eth0
2138: .B auth-zone=our.zone.com,1.2.3.0/24,eth0
2139: .fi
2140:
2141: (The "eth0" argument in auth-zone adds the subnet containing eth0's
2142: dynamic address to the zone, so that the interface-name returns the
2143: address in outside queries.)
2144:
2145: Our final configuration builds on that above, but also adds a
2146: secondary DNS server. This is another DNS server which learns the DNS data
2147: for the zone by doing zones transfer, and acts as a backup should
2148: the primary server become inaccessible. The configuration of the
2149: secondary is beyond the scope of this man-page, but the extra
2150: configuration of dnsmasq is simple:
2151:
2152: .nf
2153: .B auth-sec-servers=secondary.myisp.com
2154: .fi
2155:
2156: and
2157:
2158: .nf
2159: our.zone.com NS secondary.myisp.com
2160: .fi
2161:
2162: Adding auth-sec-servers enables zone transfer in dnsmasq, to allow the
2163: secondary to collect the DNS data. If you wish to restrict this data
2164: to particular hosts then
2165:
2166: .nf
2167: .B auth-peer=<IP address of secondary>
2168: .fi
2169:
2170: will do so.
2171:
2172: Dnsmasq acts as an authoritative server for in-addr.arpa and
2173: ip6.arpa domains associated with the subnets given in auth-zone
2174: declarations, so reverse (address to name) lookups can be simply
2175: configured with a suitable NS record, for instance in this example,
2176: where we allow 1.2.3.0/24 addresses.
2177:
2178: .nf
2179: 3.2.1.in-addr.arpa NS our.zone.com
2180: .fi
2181:
2182: Note that at present, reverse (in-addr.arpa and ip6.arpa) zones are
2183: not available in zone transfers, so there is no point arranging
2184: secondary servers for reverse lookups.
2185:
2186: .PP
2187: When dnsmasq is configured to act as an authoritative server, the
2188: following data is used to populate the authoritative zone.
2189: .PP
2190: .B --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record
2191: , as long as the record names are in the authoritative domain.
2192: .PP
2193: .B --cname
2194: as long as the record name is in the authoritative domain. If the
2195: target of the CNAME is unqualified, then it is qualified with the
2196: authoritative zone name.
2197: .PP
2198: IPv4 and IPv6 addresses from /etc/hosts (and
2199: .B --addn-hosts
2200: ) and
2201: .B --host-record
2202: and
2203: .B --interface-name
2204: provided the address falls into one of the subnets specified in the
2205: .B --auth-zone.
2206: .PP
2207: Addresses of DHCP leases, provided the address falls into one of the subnets specified in the
2208: .B --auth-zone.
2209: (If contructed DHCP ranges are is use, which depend on the address dynamically
2210: assigned to an interface, then the form of
2211: .B --auth-zone
2212: which defines subnets by the dynamic address of an interface should
2213: be used to ensure this condition is met.)
2214: .PP
2215: In the default mode, where a DHCP lease
2216: has an unqualified name, and possibly a qualified name constructed
2217: using
2218: .B --domain
2219: then the name in the authoritative zone is constructed from the
2220: unqualified name and the zone's domain. This may or may not equal
2221: that specified by
2222: .B --domain.
2223: If
2224: .B --dhcp-fqdn
2225: is set, then the fully qualified names associated with DHCP leases are
2226: used, and must match the zone's domain.
2227:
2228:
2229:
2230: .SH EXIT CODES
2231: .PP
2232: 0 - Dnsmasq successfully forked into the background, or terminated
2233: normally if backgrounding is not enabled.
2234: .PP
2235: 1 - A problem with configuration was detected.
2236: .PP
2237: 2 - A problem with network access occurred (address in use, attempt
2238: to use privileged ports without permission).
2239: .PP
2240: 3 - A problem occurred with a filesystem operation (missing
2241: file/directory, permissions).
2242: .PP
2243: 4 - Memory allocation failure.
2244: .PP
2245: 5 - Other miscellaneous problem.
2246: .PP
2247: 11 or greater - a non zero return code was received from the
2248: lease-script process "init" call. The exit code from dnsmasq is the
2249: script's exit code with 10 added.
2250:
2251: .SH LIMITS
2252: The default values for resource limits in dnsmasq are generally
2253: conservative, and appropriate for embedded router type devices with
2254: slow processors and limited memory. On more capable hardware, it is
2255: possible to increase the limits, and handle many more clients. The
2256: following applies to dnsmasq-2.37: earlier versions did not scale as well.
2257:
2258: .PP
2259: Dnsmasq is capable of handling DNS and DHCP for at least a thousand
2260: clients. The DHCP lease times should not be very short (less than one hour). The
2261: value of
2262: .B --dns-forward-max
2263: can be increased: start with it equal to
2264: the number of clients and increase if DNS seems slow. Note that DNS
2265: performance depends too on the performance of the upstream
2266: nameservers. The size of the DNS cache may be increased: the hard
2267: limit is 10000 names and the default (150) is very low. Sending
2268: SIGUSR1 to dnsmasq makes it log information which is useful for tuning
2269: the cache size. See the
2270: .B NOTES
2271: section for details.
2272:
2273: .PP
2274: The built-in TFTP server is capable of many simultaneous file
2275: transfers: the absolute limit is related to the number of file-handles
2276: allowed to a process and the ability of the select() system call to
2277: cope with large numbers of file handles. If the limit is set too high
2278: using
2279: .B --tftp-max
2280: it will be scaled down and the actual limit logged at
2281: start-up. Note that more transfers are possible when the same file is
2282: being sent than when each transfer sends a different file.
2283:
2284: .PP
2285: It is possible to use dnsmasq to block Web advertising by using a list
2286: of known banner-ad servers, all resolving to 127.0.0.1 or 0.0.0.0, in
2287: .B /etc/hosts
2288: or an additional hosts file. The list can be very long,
2289: dnsmasq has been tested successfully with one million names. That size
2290: file needs a 1GHz processor and about 60Mb of RAM.
2291:
2292: .SH INTERNATIONALISATION
2293: Dnsmasq can be compiled to support internationalisation. To do this,
2294: the make targets "all-i18n" and "install-i18n" should be used instead of
2295: the standard targets "all" and "install". When internationalisation
2296: is compiled in, dnsmasq will produce log messages in the local
2297: language and support internationalised domain names (IDN). Domain
2298: names in /etc/hosts, /etc/ethers and /etc/dnsmasq.conf which contain
2299: non-ASCII characters will be translated to the DNS-internal punycode
2300: representation. Note that
2301: dnsmasq determines both the language for messages and the assumed
2302: charset for configuration
2303: files from the LANG environment variable. This should be set to the system
2304: default value by the script which is responsible for starting
2305: dnsmasq. When editing the configuration files, be careful to do so
2306: using only the system-default locale and not user-specific one, since
2307: dnsmasq has no direct way of determining the charset in use, and must
2308: assume that it is the system default.
2309:
2310: .SH FILES
2311: .IR /etc/dnsmasq.conf
2312:
2313: .IR /usr/local/etc/dnsmasq.conf
2314:
2315: .IR /etc/resolv.conf
2316: .IR /var/run/dnsmasq/resolv.conf
2317: .IR /etc/ppp/resolv.conf
2318: .IR /etc/dhcpc/resolv.conf
2319:
2320: .IR /etc/hosts
2321:
2322: .IR /etc/ethers
2323:
2324: .IR /var/lib/misc/dnsmasq.leases
2325:
2326: .IR /var/db/dnsmasq.leases
2327:
2328: .IR /var/run/dnsmasq.pid
2329: .SH SEE ALSO
2330: .BR hosts (5),
2331: .BR resolver (5)
2332: .SH AUTHOR
2333: This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.
2334:
2335:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to dnsmasq.8 CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / dnsmasq / man