1: .TH DNSMASQ 8 2021-08-16
2: .SH NAME
3: dnsmasq \- A lightweight DHCP and caching DNS server.
4: .SH SYNOPSIS
5: .B dnsmasq
6: .I [OPTION]...
7: .SH "DESCRIPTION"
8: .BR dnsmasq
9: is a lightweight DNS, TFTP, PXE, router advertisement and DHCP server. It is intended to provide
10: coupled DNS and DHCP service to a LAN.
11: .PP
12: Dnsmasq accepts DNS queries and either answers them from a small, local,
13: cache or forwards them to a real, recursive, DNS server. It loads the
14: contents of /etc/hosts so that local hostnames
15: which do not appear in the global DNS can be resolved and also answers
16: DNS queries for DHCP configured hosts. It can also act as the
17: authoritative DNS server for one or more domains, allowing local names
18: to appear in the global DNS. It can be configured to do DNSSEC
19: validation.
20: .PP
21: The dnsmasq DHCP server supports static address assignments and multiple
22: networks. It automatically
23: sends a sensible default set of DHCP options, and can be configured to
24: send any desired set of DHCP options, including vendor-encapsulated
25: options. It includes a secure, read-only,
26: TFTP server to allow net/PXE boot of DHCP hosts and also supports BOOTP. The PXE support is full featured, and includes a proxy mode which supplies PXE information to clients whilst DHCP address allocation is done by another server.
27: .PP
28: The dnsmasq DHCPv6 server provides the same set of features as the
29: DHCPv4 server, and in addition, it includes router advertisements and
30: a neat feature which allows naming for clients which use DHCPv4 and
31: stateless autoconfiguration only for IPv6 configuration. There is support for doing address allocation (both DHCPv6 and RA) from subnets which are dynamically delegated via DHCPv6 prefix delegation.
32: .PP
33: Dnsmasq is coded with small embedded systems in mind. It aims for the smallest possible memory footprint compatible with the supported functions, and allows unneeded functions to be omitted from the compiled binary.
34: .SH OPTIONS
35: Note that in general missing parameters are allowed and switch off
36: functions, for instance "--pid-file" disables writing a PID file. On
37: BSD, unless the GNU getopt library is linked, the long form of the
38: options does not work on the command line; it is still recognised in
39: the configuration file.
40: .TP
41: .B --test
42: Read and syntax check configuration file(s). Exit with code 0 if all
43: is OK, or a non-zero code otherwise. Do not start up dnsmasq.
44: .TP
45: .B \-w, --help
46: Display all command-line options.
47: .B --help dhcp
48: will display known DHCPv4 configuration options, and
49: .B --help dhcp6
50: will display DHCPv6 options.
51: .TP
52: .B \-h, --no-hosts
53: Don't read the hostnames in /etc/hosts.
54: .TP
55: .B \-H, --addn-hosts=<file>
56: Additional hosts file. Read the specified file as well as /etc/hosts. If \fB--no-hosts\fP is given, read
57: only the specified file. This option may be repeated for more than one
58: additional hosts file. If a directory is given, then read all the files contained in that directory
59: in alphabetical order.
60: .TP
61: .B --hostsdir=<path>
62: Read all the hosts files contained in the directory. New or changed files
63: are read automatically and modified and deleted files have removed records
64: automatically deleted.
65: .TP
66: .B \-E, --expand-hosts
67: Add the domain to simple names (without a period) in /etc/hosts
68: in the same way as for DHCP-derived names. Note that this does not
69: apply to domain names in cnames, PTR records, TXT records etc.
70: .TP
71: .B \-T, --local-ttl=<time>
72: When replying with information from /etc/hosts or configuration or the DHCP leases
73: file dnsmasq by default sets the time-to-live field to zero, meaning
74: that the requester should not itself cache the information. This is
75: the correct thing to do in almost all situations. This option allows a
76: time-to-live (in seconds) to be given for these replies. This will
77: reduce the load on the server at the expense of clients using stale
78: data under some circumstances.
79: .TP
80: .B --dhcp-ttl=<time>
81: As for \fB--local-ttl\fP, but affects only replies with information from DHCP leases. If both are given, \fB--dhcp-ttl\fP applies for DHCP information, and \fB--local-ttl\fP for others. Setting this to zero eliminates the effect of \fB--local-ttl\fP for DHCP.
82: .TP
83: .B --neg-ttl=<time>
84: Negative replies from upstream servers normally contain time-to-live
85: information in SOA records which dnsmasq uses for caching. If the
86: replies from upstream servers omit this information, dnsmasq does not
87: cache the reply. This option gives a default value for time-to-live
88: (in seconds) which dnsmasq uses to cache negative replies even in
89: the absence of an SOA record.
90: .TP
91: .B --max-ttl=<time>
92: Set a maximum TTL value that will be handed out to clients. The specified
93: maximum TTL will be given to clients instead of the true TTL value if it is
94: lower. The true TTL value is however kept in the cache to avoid flooding
95: the upstream DNS servers.
96: .TP
97: .B --max-cache-ttl=<time>
98: Set a maximum TTL value for entries in the cache.
99: .TP
100: .B --min-cache-ttl=<time>
101: Extend short TTL values to the time given when caching them. Note that
102: artificially extending TTL values is in general a bad idea, do not do it
103: unless you have a good reason, and understand what you are doing.
104: Dnsmasq limits the value of this option to one hour, unless recompiled.
105: .TP
106: .B --auth-ttl=<time>
107: Set the TTL value returned in answers from the authoritative server.
108: .TP
109: .B --fast-dns-retry=[<initial retry delay in ms>[,<time to continue retries in ms>]]
110: Under normal circumstances, dnsmasq relies on DNS clients to do retries; it
111: does not generate timeouts itself. Setting this option
112: instructs dnsmasq to generate its own retries starting after a delay
113: which defaults to 1000ms. If the second parameter is given this controls
114: how long the retries will continue for
115: otherwise this defaults to 10000ms. Retries are repeated with exponential
116: backoff. Using this option increases memory usage and
117: network bandwidth.
118: .TP
119: .B \-k, --keep-in-foreground
120: Do not go into the background at startup but otherwise run as
121: normal. This is intended for use when dnsmasq is run under daemontools
122: or launchd.
123: .TP
124: .B \-d, --no-daemon
125: Debug mode: don't fork to the background, don't write a pid file,
126: don't change user id, generate a complete cache dump on receipt on
127: SIGUSR1, log to stderr as well as syslog, don't fork new processes
128: to handle TCP queries. Note that this option is for use in debugging
129: only, to stop dnsmasq daemonising in production, use
130: .B --keep-in-foreground.
131: .TP
132: .B \-q, --log-queries
133: Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1. If the argument "extra" is supplied, ie
134: .B --log-queries=extra
135: then the log has extra information at the start of each line.
136: This consists of a serial number which ties together the log lines associated with an individual query, and the IP address of the requestor.
137: .TP
138: .B \-8, --log-facility=<facility>
139: Set the facility to which dnsmasq will send syslog entries, this
140: defaults to DAEMON, and to LOCAL0 when debug mode is in operation. If
141: the facility given contains at least one '/' character, it is taken to
142: be a filename, and dnsmasq logs to the given file, instead of
143: syslog. If the facility is '-' then dnsmasq logs to stderr.
144: (Errors whilst reading configuration will still go to syslog,
145: but all output from a successful startup, and all output whilst
146: running, will go exclusively to the file.) When logging to a file,
147: dnsmasq will close and reopen the file when it receives SIGUSR2. This
148: allows the log file to be rotated without stopping dnsmasq.
149: .TP
150: .B --log-debug
151: Enable extra logging intended for debugging rather than information.
152: .TP
153: .B --log-async[=<lines>]
154: Enable asynchronous logging and optionally set the limit on the
155: number of lines
156: which will be queued by dnsmasq when writing to the syslog is slow.
157: Dnsmasq can log asynchronously: this
158: allows it to continue functioning without being blocked by syslog, and
159: allows syslog to use dnsmasq for DNS queries without risking deadlock.
160: If the queue of log-lines becomes full, dnsmasq will log the
161: overflow, and the number of messages lost. The default queue length is
162: 5, a sane value would be 5-25, and a maximum limit of 100 is imposed.
163: .TP
164: .B \-x, --pid-file=<path>
165: Specify an alternate path for dnsmasq to record its process-id in. Normally /var/run/dnsmasq.pid.
166: .TP
167: .B \-u, --user=<username>
168: Specify the userid to which dnsmasq will change after startup. Dnsmasq must normally be started as root, but it will drop root
169: privileges after startup by changing id to another user. Normally this user is "nobody" but that
170: can be over-ridden with this switch.
171: .TP
172: .B \-g, --group=<groupname>
173: Specify the group which dnsmasq will run
174: as. The default is "dip", if available, to facilitate access to
175: /etc/ppp/resolv.conf which is not normally world readable.
176: .TP
177: .B \-v, --version
178: Print the version number.
179: .TP
180: .B \-p, --port=<port>
181: Listen on <port> instead of the standard DNS port (53). Setting this
182: to zero completely disables DNS function, leaving only DHCP and/or TFTP.
183: .TP
184: .B \-P, --edns-packet-max=<size>
185: Specify the largest EDNS.0 UDP packet which is supported by the DNS
186: forwarder. Defaults to 1232, which is the recommended size following the
187: DNS flag day in 2020. Only increase if you know what you are doing.
188: .TP
189: .B \-Q, --query-port=<query_port>
190: Send outbound DNS queries from, and listen for their replies on, the
191: specific UDP port <query_port> instead of using random ports. NOTE
192: that using this option will make dnsmasq less secure against DNS
193: spoofing attacks but it may be faster and use less resources. Setting this option
194: to zero makes dnsmasq use a single port allocated to it by the
195: OS: this was the default behaviour in versions prior to 2.43.
196: .TP
197: .B --port-limit=<#ports>
198: By default, when sending a query via random ports to multiple upstream servers or
199: retrying a query dnsmasq will use a single random port for all the tries/retries.
200: This option allows a larger number of ports to be used, which can increase robustness
201: in certain network configurations. Note that increasing this to more than
202: two or three can have security and resource implications and should only
203: be done with understanding of those.
204: .TP
205: .B --min-port=<port>
206: Do not use ports less than that given as source for outbound DNS
207: queries. Dnsmasq picks random ports as source for outbound queries:
208: when this option is given, the ports used will always be larger
209: than that specified. Useful for systems behind firewalls. If not specified,
210: defaults to 1024.
211: .TP
212: .B --max-port=<port>
213: Use ports lower than that given as source for outbound DNS queries.
214: Dnsmasq picks random ports as source for outbound queries:
215: when this option is given, the ports used will always be lower
216: than that specified. Useful for systems behind firewalls.
217: .TP
218: .B \-i, --interface=<interface name>
219: Listen only on the specified interface(s). Dnsmasq automatically adds
220: the loopback (local) interface to the list of interfaces to use when
221: the
222: .B \--interface
223: option is used. If no
224: .B \--interface
225: or
226: .B \--listen-address
227: options are given dnsmasq listens on all available interfaces except any
228: given in
229: .B \--except-interface
230: options. On Linux, when
231: .B \--bind-interfaces
232: or
233: .B \--bind-dynamic
234: are in effect, IP alias interface labels (eg "eth1:0") are checked, rather than
235: interface names. In the degenerate case when an interface has one address, this amounts to the same thing but when an interface has multiple addresses it
236: allows control over which of those addresses are accepted.
237: The same effect is achievable in default mode by using
238: .B \--listen-address.
239: A simple wildcard, consisting of a trailing '*',
240: can be used in
241: .B \--interface
242: and
243: .B \--except-interface
244: options.
245: .TP
246: .B \-I, --except-interface=<interface name>
247: Do not listen on the specified interface. Note that the order of
248: .B \--listen-address
249: .B --interface
250: and
251: .B --except-interface
252: options does not matter and that
253: .B --except-interface
254: options always override the others. The comments about interface labels for
255: .B --listen-address
256: apply here.
257: .TP
258: .B --auth-server=<domain>,[<interface>|<ip-address>...]
259: Enable DNS authoritative mode for queries arriving at an interface or address. Note that the interface or address
260: need not be mentioned in
261: .B --interface
262: or
263: .B --listen-address
264: configuration, indeed
265: .B --auth-server
266: will override these and provide a different DNS service on the
267: specified interface. The <domain> is the "glue record". It should
268: resolve in the global DNS to an A and/or AAAA record which points to
269: the address dnsmasq is listening on. When an interface is specified,
270: it may be qualified with "/4" or "/6" to specify only the IPv4 or IPv6
271: addresses associated with the interface. Since any defined authoritative zones are also available as part of the normal recusive DNS service supplied by dnsmasq, it can make sense to have an --auth-server declaration with no interfaces or address, but simply specifying the primary external nameserver.
272: .TP
273: .B --local-service
274: Accept DNS queries only from hosts whose address is on a local subnet,
275: ie a subnet for which an interface exists on the server. This option
276: only has effect if there are no \fB--interface\fP, \fB--except-interface\fP,
277: \fB--listen-address\fP or \fB--auth-server\fP options. It is intended to be set as
278: a default on installation, to allow unconfigured installations to be
279: useful but also safe from being used for DNS amplification attacks.
280: .TP
281: .B \-2, --no-dhcp-interface=<interface name>
282: Do not provide DHCP or TFTP on the specified interface, but do provide DNS service.
283: .TP
284: .B \-a, --listen-address=<ipaddr>
285: Listen on the given IP address(es). Both
286: .B \--interface
287: and
288: .B \--listen-address
289: options may be given, in which case the set of both interfaces and
290: addresses is used. Note that if no
291: .B \--interface
292: option is given, but
293: .B \--listen-address
294: is, dnsmasq will not automatically listen on the loopback
295: interface. To achieve this, its IP address, 127.0.0.1, must be
296: explicitly given as a
297: .B \--listen-address
298: option.
299: .TP
300: .B \-z, --bind-interfaces
301: On systems which support it, dnsmasq binds the wildcard address,
302: even when it is listening on only some interfaces. It then discards
303: requests that it shouldn't reply to. This has the advantage of
304: working even when interfaces come and go and change address. This
305: option forces dnsmasq to really bind only the interfaces it is
306: listening on. About the only time when this is useful is when
307: running another nameserver (or another instance of dnsmasq) on the
308: same machine. Setting this option also enables multiple instances of
309: dnsmasq which provide DHCP service to run in the same machine.
310: .TP
311: .B --bind-dynamic
312: Enable a network mode which is a hybrid between
313: .B --bind-interfaces
314: and the default. Dnsmasq binds the address of individual interfaces,
315: allowing multiple dnsmasq instances, but if new interfaces or
316: addresses appear, it automatically listens on those (subject to any
317: access-control configuration). This makes dynamically created
318: interfaces work in the same way as the default. Implementing this
319: option requires non-standard networking APIs and it is only available
320: under Linux. On other platforms it falls-back to \fB--bind-interfaces\fP mode.
321: .TP
322: .B \-y, --localise-queries
323: Return answers to DNS queries from /etc/hosts and \fB--interface-name\fP and \fB--dynamic-host\fP which depend on the interface over which the query was
324: received. If a name has more than one address associated with
325: it, and at least one of those addresses is on the same subnet as the
326: interface to which the query was sent, then return only the
327: address(es) on that subnet and return all the available addresses otherwise.
328: This allows for a server to have multiple
329: addresses in /etc/hosts corresponding to each of its interfaces, and
330: hosts will get the correct address based on which network they are
331: attached to. Currently this facility is limited to IPv4.
332: .TP
333: .B \-b, --bogus-priv
334: Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192.168.x.x, etc)
335: which are not found in /etc/hosts or the DHCP leases file are answered
336: with "no such domain" rather than being forwarded upstream. The
337: set of prefixes affected is the list given in RFC6303, for IPv4 and IPv6.
338: .TP
339: .B \-V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
340: Modify IPv4 addresses returned from upstream nameservers; old-ip is
341: replaced by new-ip. If the optional mask is given then any address
342: which matches the masked old-ip will be re-written. So, for instance
343: .B --alias=1.2.3.0,6.7.8.0,255.255.255.0
344: will map 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what
345: Cisco PIX routers call "DNS doctoring". If the old IP is given as
346: range, then only addresses in the range, rather than a whole subnet,
347: are re-written. So
348: .B --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
349: maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
350: .TP
351: .B \-B, --bogus-nxdomain=<ipaddr>[/prefix]
352: Transform replies which contain the specified address or subnet into "No such
353: domain" replies. IPv4 and IPv6 are supported. This is intended to counteract a devious move made by
354: Verisign in September 2003 when they started returning the address of
355: an advertising web page in response to queries for unregistered names,
356: instead of the correct NXDOMAIN response. This option tells dnsmasq to
357: fake the correct response when it sees this behaviour. As at Sept 2003
358: the IP address being returned by Verisign is 64.94.110.11
359: .TP
360: .B --ignore-address=<ipaddr>[/prefix]
361: Ignore replies to A or AAAA queries which include the specified address or subnet.
362: No error is generated, dnsmasq simply continues to listen for another reply.
363: This is useful to defeat blocking strategies which rely on quickly supplying a
364: forged answer to a DNS request for certain domain, before the correct answer can arrive.
365: .TP
366: .B \-f, --filterwin2k
367: Later versions of windows make periodic DNS requests which don't get sensible answers from
368: the public DNS and can cause problems by triggering dial-on-demand links. This flag turns on an option
369: to filter such requests. The requests blocked are for records of type ANY
370: where the requested name has underscores, to catch LDAP requests, and for
371: \fBall\fP records of types SOA and SRV.
372: .TP
373: .B --filter-A
374: Remove A records from answers. No IPv4 addresses will be returned.
375: .TP
376: .B --filter-AAAA
377: Remove AAAA records from answers. No IPv6 addresses will be returned.
378: .TP
379: .B \-r, --resolv-file=<file>
380: Read the IP addresses of the upstream nameservers from <file>, instead of
381: /etc/resolv.conf. For the format of this file see
382: .BR resolv.conf (5).
383: The only lines relevant to dnsmasq are nameserver ones. Dnsmasq can
384: be told to poll more than one resolv.conf file, the first file name specified
385: overrides the default, subsequent ones add to the list. This is only
386: allowed when polling; the file with the currently latest modification
387: time is the one used.
388: .TP
389: .B \-R, --no-resolv
390: Don't read /etc/resolv.conf. Get upstream servers only from the command
391: line or the dnsmasq configuration file.
392: .TP
393: .B \-1, --enable-dbus[=<service-name>]
394: Allow dnsmasq configuration to be updated via DBus method calls. The
395: configuration which can be changed is upstream DNS servers (and
396: corresponding domains) and cache clear. Requires that dnsmasq has
397: been built with DBus support. If the service name is given, dnsmasq
398: provides service at that name, rather than the default which is
399: .B uk.org.thekelleys.dnsmasq
400: .TP
401: .B --enable-ubus[=<service-name>]
402: Enable dnsmasq UBus interface. It sends notifications via UBus on
403: DHCPACK and DHCPRELEASE events. Furthermore it offers metrics
404: and allows configuration of Linux connection track mark based filtering.
405: When DNS query filtering based on Linux connection track marks is enabled
406: UBus notifications are generated for each resolved or filtered DNS query.
407: Requires that dnsmasq has been built with UBus support. If the service
408: name is given, dnsmasq provides service at that namespace, rather than
409: the default which is
410: .B dnsmasq
411: .TP
412: .B \-o, --strict-order
413: By default, dnsmasq will send queries to any of the upstream servers
414: it knows about and tries to favour servers that are known to
415: be up. Setting this flag forces dnsmasq to try each query with each
416: server strictly in the order they appear in /etc/resolv.conf
417: .TP
418: .B --all-servers
419: By default, when dnsmasq has more than one upstream server available,
420: it will send queries to just one server. Setting this flag forces
421: dnsmasq to send all queries to all available servers. The reply from
422: the server which answers first will be returned to the original requester.
423: .TP
424: .B --dns-loop-detect
425: Enable code to detect DNS forwarding loops; ie the situation where a query sent to one
426: of the upstream server eventually returns as a new query to the dnsmasq instance. The
427: process works by generating TXT queries of the form <hex>.test and sending them to
428: each upstream server. The hex is a UID which encodes the instance of dnsmasq sending the query
429: and the upstream server to which it was sent. If the query returns to the server which sent it, then
430: the upstream server through which it was sent is disabled and this event is logged. Each time the
431: set of upstream servers changes, the test is re-run on all of them, including ones which
432: were previously disabled.
433: .TP
434: .B --stop-dns-rebind
435: Reject (and log) addresses from upstream nameservers which are in the
436: private ranges. This blocks an attack where a browser behind a
437: firewall is used to probe machines on the local network. For IPv6, the
438: private range covers the IPv4-mapped addresses in private space plus
439: all link-local (LL) and site-local (ULA) addresses.
440: .TP
441: .B --rebind-localhost-ok
442: Exempt 127.0.0.0/8 and ::1 from rebinding checks. This address range is
443: returned by realtime black hole servers, so blocking it may disable
444: these services.
445: .TP
446: .B --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
447: Do not detect and block dns-rebind on queries to these domains. The
448: argument may be either a single domain, or multiple domains surrounded
449: by '/', like the \fB--server\fP syntax, eg.
450: .B --rebind-domain-ok=/domain1/domain2/domain3/
451: .TP
452: .B \-n, --no-poll
453: Don't poll /etc/resolv.conf for changes.
454: .TP
455: .B --clear-on-reload
456: Whenever /etc/resolv.conf is re-read or the upstream servers are set
457: via DBus, clear the DNS cache.
458: This is useful when new nameservers may have different
459: data than that held in cache.
460: .TP
461: .B \-D, --domain-needed
462: Tells dnsmasq to never forward A or AAAA queries for plain names, without dots
463: or domain parts, to upstream nameservers. If the name is not known
464: from /etc/hosts or DHCP then a "not found" answer is returned.
465: .TP
466: .B \-S, --local, --server=[/[<domain>]/[domain/]][<server>[#<port>]][@<interface>][@<source-ip>[#<port>]]
467: Specify upstream servers directly. Setting this flag does
468: not suppress reading of /etc/resolv.conf, use \fB--no-resolv\fP to do that. If one or more
469: optional domains are given, that server is used only for those domains
470: and they are queried only using the specified server. This is
471: intended for private nameservers: if you have a nameserver on your
472: network which deals with names of the form
473: xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag
474: .B --server=/internal.thekelleys.org.uk/192.168.1.1
475: will send all queries for
476: internal machines to that nameserver, everything else will go to the
477: servers in /etc/resolv.conf. DNSSEC validation is turned off for such
478: private nameservers, UNLESS a
479: .B --trust-anchor
480: is specified for the domain in question. An empty domain specification,
481: .B //
482: has the special meaning of "unqualified names only" ie names without any
483: dots in them. A non-standard port may be specified as
484: part of the IP
485: address using a # character.
486: More than one \fB--server\fP flag is allowed, with
487: repeated domain or ipaddr parts as required.
488:
489: More specific domains take precedence over less specific domains, so:
490: .B --server=/google.com/1.2.3.4
491: .B --server=/www.google.com/2.3.4.5
492: will send queries for google.com and gmail.google.com to 1.2.3.4, but www.google.com
493: will go to 2.3.4.5
494:
495: Matching of domains is normally done on complete labels, so /google.com/ matches google.com and www.google.com
496: but NOT supergoogle.com. This can be overridden with a * at the start of a pattern only: /*google.com/
497: will match google.com and www.google.com AND supergoogle.com. The non-wildcard form has priority, so
498: if /google.com/ and /*google.com/ are both specified then google.com and www.google.com will match /google.com/
499: and /*google.com/ will only match supergoogle.com.
500:
501: For historical reasons, the pattern /.google.com/ is equivalent to /google.com/ if you wish to match any subdomain
502: of google.com but NOT google.com itself, use /*.google.com/
503:
504: The special server address '#' means, "use the standard servers", so
505: .B --server=/google.com/1.2.3.4
506: .B --server=/www.google.com/#
507: will send queries for google.com and its subdomains to 1.2.3.4, except www.google.com (and its subdomains) which will
508: be forwarded as usual.
509:
510: Also permitted is a -S
511: flag which gives a domain but no IP address; this tells dnsmasq that
512: a domain is local and it may answer queries from /etc/hosts or DHCP
513: but should never forward queries on that domain to any upstream
514: servers.
515: .B --local
516: is a synonym for
517: .B --server
518: to make configuration files clearer in this case.
519:
520: IPv6 addresses may include an %interface scope-id, eg
521: fe80::202:a412:4512:7bbf%eth0.
522:
523: The optional string after the @ character tells dnsmasq how to set the source of
524: the queries to this nameserver. It can either be an ip-address, an interface
525: name or both. The ip-address should belong to the machine on which dnsmasq is
526: running, otherwise this server line will be logged and then ignored. If an
527: interface name is given, then queries to the server will be forced via that
528: interface; if an ip-address is given then the source address of the queries will
529: be set to that address; and if both are given then a combination of ip-address
530: and interface name will be used to steer requests to the server.
531: The query-port flag is ignored for any servers which have a
532: source address specified but the port may be specified directly as
533: part of the source address. Forcing queries to an interface is not
534: implemented on all platforms supported by dnsmasq.
535:
536: Upstream servers may be specified with a hostname rather than an IP address.
537: In this case, dnsmasq will try to use the system resolver to get the IP address
538: of a server during startup. If name resolution fails, starting dnsmasq fails, too.
539: If the system's configuration is such that the system resolver sends DNS queries
540: through the dnsmasq instance which is starting up then this will time-out and fail.
541: .TP
542: .B --rev-server=<ip-address>[/<prefix-len>][,<server>][#<port>][@<interface>][@<source-ip>[#<port>]]
543: This is functionally the same as
544: .B --server,
545: but provides some syntactic sugar to make specifying address-to-name queries easier. For example
546: .B --rev-server=1.2.3.0/24,192.168.0.1
547: is exactly equivalent to
548: .B --server=/3.2.1.in-addr.arpa/192.168.0.1
549: Allowed prefix lengths are 1-32 (IPv4) and 1-128 (IPv6). If the prefix length is omitted, dnsmasq substitutes either 32 (IPv4) or 128 (IPv6).
550: .TP
551: .B \-A, --address=/<domain>[/<domain>...]/[<ipaddr>]
552: Specify an IP address to return for any host in the given domains.
553: A (or AAAA) queries in the domains are never forwarded and always replied to
554: with the specified IP address which may be IPv4 or IPv6. To give
555: multiple addresses or both IPv4 and IPv6 addresses for a domain, use repeated \fB--address\fP flags.
556: Note that /etc/hosts and DHCP leases override this for individual
557: names. A common use of this is to redirect the entire doubleclick.net
558: domain to some friendly local web server to avoid banner ads. The
559: domain specification works in the same way as for \fB--server\fP, with
560: the additional facility that \fB/#/\fP matches any domain. Thus
561: \fB--address=/#/1.2.3.4\fP will always return \fB1.2.3.4\fP for any
562: query not answered from \fB/etc/hosts\fP or DHCP and not sent to an
563: upstream nameserver by a more specific \fB--server\fP directive. As for
564: \fB--server\fP, one or more domains with no address returns a
565: no-such-domain answer, so \fB--address=/example.com/\fP is equivalent to
566: \fB--server=/example.com/\fP and returns NXDOMAIN for example.com and
567: all its subdomains. An address specified as '#' translates to the NULL
568: address of 0.0.0.0 and its IPv6 equivalent of :: so
569: \fB--address=/example.com/#\fP will return NULL addresses for example.com and
570: its subdomains. This is partly syntactic sugar for \fB--address=/example.com/0.0.0.0\fP
571: and \fB--address=/example.com/::\fP but is also more efficient than including both
572: as separate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves.
573:
574: Note that the behaviour for queries which don't match the specified address literal changed in version 2.86.
575: Previous versions, configured with (eg) --address=/example.com/1.2.3.4 and then queried for a RR type other than
576: A would return a NoData answer. From 2.86, the query is sent upstream. To restore the pre-2.86 behaviour,
577: use the configuration --address=/example.com/1.2.3.4 --local=/example.com/
578: .TP
579: .B --ipset=/<domain>[/<domain>...]/<ipset>[,<ipset>...]
580: Places the resolved IP addresses of queries for one or more domains in
581: the specified Netfilter IP set. If multiple setnames are given, then the
582: addresses are placed in each of them, subject to the limitations of an
583: IP set (IPv4 addresses cannot be stored in an IPv6 IP set and vice
584: versa). Domains and subdomains are matched in the same way as
585: \fB--address\fP.
586: These IP sets must already exist. See
587: .BR ipset (8)
588: for more details.
589: .TP
590: .B --nftset=/<domain>[/<domain>...]/[(6|4)#[<family>#]<table>#<set>[,[(6|4)#[<family>#]<table>#<set>]...]
591: Similar to the \fB--ipset\fP option, but accepts one or more nftables
592: sets to add IP addresses into.
593: These sets must already exist. See
594: .BR nft (8)
595: for more details. The family, table and set are passed directly to the nft. If the spec starts with 4# or 6# then
596: only A or AAAA records respectively are added to the set. Since an nftset can hold only IPv4 or IPv6 addresses, this
597: avoids errors being logged for addresses of the wrong type.
598: .TP
599: .B --connmark-allowlist-enable[=<mask>]
600: Enables filtering of incoming DNS queries with associated Linux connection track marks
601: according to individual allowlists configured via a series of \fB--connmark-allowlist\fP
602: options. Disallowed queries are not forwarded; they are rejected with a REFUSED error code.
603: DNS queries are only allowed if they do not have an associated Linux connection
604: track mark, or if the queried domains match the configured DNS patterns for the
605: associated Linux connection track mark. If no allowlist is configured for a
606: Linux connection track mark, all DNS queries associated with that mark are rejected.
607: If a mask is specified, Linux connection track marks are first bitwise ANDed
608: with the given mask before being processed.
609: .TP
610: .B --connmark-allowlist=<connmark>[/<mask>][,<pattern>[/<pattern>...]]
611: Configures the DNS patterns that are allowed in DNS queries associated with
612: the given Linux connection track mark.
613: If a mask is specified, Linux connection track marks are first bitwise ANDed
614: with the given mask before they are compared to the given connection track mark.
615: Patterns follow the syntax of DNS names, but additionally allow the wildcard
616: character "*" to be used up to twice per label to match 0 or more characters
617: within that label. Note that the wildcard never matches a dot (e.g., "*.example.com"
618: matches "api.example.com" but not "api.us.example.com"). Patterns must be
619: fully qualified, i.e., consist of at least two labels. The final label must not be
620: fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with at least
621: two literal (non-wildcard) labels.
622: Instead of a pattern, "*" can be specified to disable allowlist filtering
623: for a given Linux connection track mark entirely.
624: .TP
625: .B \-m, --mx-host=<mx name>[[,<hostname>],<preference>]
626: Return an MX record named <mx name> pointing to the given hostname (if
627: given), or
628: the host specified in the \fB--mx-target\fP switch
629: or, if that switch is not given, the host on which dnsmasq
630: is running. The default is useful for directing mail from systems on a LAN
631: to a central server. The preference value is optional, and defaults to
632: 1 if not given. More than one MX record may be given for a host.
633: .TP
634: .B \-t, --mx-target=<hostname>
635: Specify the default target for the MX record returned by dnsmasq. See
636: \fB--mx-host\fP. If \fB--mx-target\fP is given, but not \fB--mx-host\fP, then dnsmasq
637: returns a MX record containing the MX target for MX queries on the
638: hostname of the machine on which dnsmasq is running.
639: .TP
640: .B \-e, --selfmx
641: Return an MX record pointing to itself for each local
642: machine. Local machines are those in /etc/hosts or with DHCP leases.
643: .TP
644: .B \-L, --localmx
645: Return an MX record pointing to the host given by \fB--mx-target\fP (or the
646: machine on which dnsmasq is running) for each
647: local machine. Local machines are those in /etc/hosts or with DHCP
648: leases.
649: .TP
650: .B \-W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<priority>[,<weight>]]]]
651: Return a SRV DNS record. See RFC2782 for details. If not supplied, the
652: domain defaults to that given by
653: .B --domain.
654: The default for the target domain is empty, and the default for port
655: is one and the defaults for
656: weight and priority are zero. Be careful if transposing data from BIND
657: zone files: the port, weight and priority numbers are in a different
658: order. More than one SRV record for a given service/domain is allowed,
659: all that match are returned.
660: .TP
661: .B --host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-address>][,<TTL>]
662: Add A, AAAA and PTR records to the DNS. This adds one or more names to
663: the DNS with associated IPv4 (A) and IPv6 (AAAA) records. A name may
664: appear in more than one
665: .B --host-record
666: and therefore be assigned more than one address. Only the first
667: address creates a PTR record linking the address to the name. This is
668: the same rule as is used reading hosts-files.
669: .B --host-record
670: options are considered to be read before host-files, so a name
671: appearing there inhibits PTR-record creation if it appears in
672: hosts-file also. Unlike hosts-files, names are not expanded, even when
673: .B --expand-hosts
674: is in effect. Short and long names may appear in the same
675: .B --host-record,
676: eg.
677: .B --host-record=laptop,laptop.thekelleys.org,192.168.0.1,1234::100
678:
679: If the time-to-live is given, it overrides the default, which is zero
680: or the value of \fB--local-ttl\fP. The value is a positive integer and gives
681: the time-to-live in seconds.
682: .TP
683: .B --dynamic-host=<name>,[IPv4-address],[IPv6-address],<interface>
684: Add A, AAAA and PTR records to the DNS in the same subnet as the specified interface. The address is derived from the network part of each address associated with the interface, and the host part from the specified address. For example
685: .B --dynamic-host=example.com,0.0.0.8,eth0
686: will, when eth0 has the address 192.168.78.x and netmask 255.255.255.0 give the
687: name example.com an A record for 192.168.78.8. The same principle applies to IPv6 addresses. Note that if an interface has more than one address, more than one A or AAAA record will be created. The TTL of the records is always zero, and any changes to interface addresses will be immediately reflected in them.
688: .TP
689: .B \-Y, --txt-record=<name>[[,<text>],<text>]
690: Return a TXT DNS record. The value of TXT record is a set of strings,
691: so any number may be included, delimited by commas; use quotes to put
692: commas into a string. Note that the maximum length of a single string
693: is 255 characters, longer strings are split into 255 character chunks.
694: .TP
695: .B --ptr-record=<name>[,<target>]
696: Return a PTR DNS record.
697: .TP
698: .B --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<regexp>[,<replacement>]
699: Return an NAPTR DNS record, as specified in RFC3403.
700: .TP
701: .B --caa-record=<name>,<flags>,<tag>,<value>
702: Return a CAA DNS record, as specified in RFC6844.
703: .TP
704: .B --cname=<cname>,[<cname>,]<target>[,<TTL>]
705: Return a CNAME record which indicates that <cname> is really
706: <target>. There is a significant limitation on the target; it must be a
707: DNS record which is known to dnsmasq and NOT a DNS record which comes from
708: an upstream server. The cname must be unique, but it
709: is permissible to have more than one cname pointing to the same target. Indeed
710: it's possible to declare multiple cnames to a target in a single line, like so:
711: .B --cname=cname1,cname2,target
712:
713: If the time-to-live is given, it overrides the default, which is zero
714: or the value of \fB--local-ttl\fP. The value is a positive integer and gives
715: the time-to-live in seconds.
716: .TP
717: .B --dns-rr=<name>,<RR-number>,[<hex data>]
718: Return an arbitrary DNS Resource Record. The number is the type of the
719: record (which is always in the C_IN class). The value of the record is
720: given by the hex data, which may be of the form 01:23:45 or 01 23 45 or
721: 012345 or any mixture of these.
722: .TP
723: .B --interface-name=<name>,<interface>[/4|/6]
724: Return DNS records associating the name with the address(es) of
725: the given interface. This flag specifies an A or AAAA record for the given
726: name in the same way as an /etc/hosts line, except that the address is
727: not constant, but taken from the given interface. The interface may be
728: followed by "/4" or "/6" to specify that only IPv4 or IPv6 addresses
729: of the interface should be used. If the interface is
730: down, not configured or non-existent, an empty record is returned. The
731: matching PTR record is also created, mapping the interface address to
732: the name. More than one name may be associated with an interface
733: address by repeating the flag; in that case the first instance is used
734: for the reverse address-to-name mapping. Note that a name used in
735: \fB--interface-name\fP may not appear in /etc/hosts.
736: .TP
737: .B --synth-domain=<domain>,<address range>[,<prefix>[*]]
738: Create artificial A/AAAA and PTR records for an address range. The
739: records either seqential numbers or the address, with periods (or colons for IPv6) replaced with dashes.
740:
741: An examples should make this clearer. First sequential numbers.
742: .B --synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
743: results in the name internal-0.thekelleys.org.uk. returning 192.168.0.50, internal-1.thekelleys.org.uk returning 192.168.0.51 and so on. (note the *) The same principle applies to IPv6 addresses (where the numbers may be very large). Reverse lookups from address to name behave as expected.
744:
745: Second,
746: .B --synth-domain=thekelleys.org.uk,192.168.0.0/24,internal- (no *)
747: will result in a query for internal-192-168-0-56.thekelleys.org.uk returning
748: 192.168.0.56 and a reverse query vice versa. The same applies to IPv6,
749: but IPv6 addresses may start with '::'
750: but DNS labels may not start with '-' so in this case if no prefix is
751: configured a zero is added in front of the label. ::1 becomes 0--1.
752:
753: V4 mapped IPv6 addresses, which have a representation like ::ffff:1.2.3.4 are handled specially, and become like 0--ffff-1-2-3-4
754:
755: The address range can be of the form
756: <start address>,<end address> or <ip address>/<prefix-length> in both forms of the option. For IPv6 the start and end addresses
757: must fall in the same /64 network, or prefix-length must be greater than or equal to 64 except that shorter prefix lengths than 64 are allowed only if non-sequential names are in use.
758: .TP
759: .B --dumpfile=<path/to/file>
760: Specify the location of a pcap-format file which dnsmasq uses to dump copies of network packets for debugging purposes. If the file exists when dnsmasq starts, it is not deleted; new packets are added to the end.
761: .TP
762: .B --dumpmask=<mask>
763: Specify which types of packets should be added to the dumpfile. The argument should be the OR of the bitmasks for each type of packet to be dumped: it can be specified in hex by preceding the number with 0x in the normal way. Each time a packet is written to the dumpfile, dnsmasq logs the packet sequence and the mask
764: representing its type. The current types are: 0x0001 - DNS queries from clients, 0x0002 DNS replies to clients, 0x0004 - DNS queries to upstream, 0x0008 - DNS replies from upstream, 0x0010 - queries send upstream for DNSSEC validation, 0x0020 - replies to queries for DNSSEC validation, 0x0040 - replies to client queries which fail DNSSEC validation, 0x0080 replies to queries for DNSSEC validation which fail validation, 0x1000 - DHCPv4, 0x2000 - DHCPv6, 0x4000 - Router advertisement, 0x8000 - TFTP.
765: .TP
766: .B --add-mac[=base64|text]
767: Add the MAC address of the requestor to DNS queries which are
768: forwarded upstream. This may be used to DNS filtering by the upstream
769: server. The MAC address can only be added if the requestor is on the same
770: subnet as the dnsmasq server. Note that the mechanism used to achieve this (an EDNS0 option)
771: is not yet standardised, so this should be considered
772: experimental. Also note that exposing MAC addresses in this way may
773: have security and privacy implications. The warning about caching
774: given for \fB--add-subnet\fP applies to \fB--add-mac\fP too. An alternative encoding of the
775: MAC, as base64, is enabled by adding the "base64" parameter and a human-readable encoding of hex-and-colons is enabled by added the "text" parameter.
776: .TP
777: .B --strip-mac
778: Remove any MAC address information already in downstream queries before forwarding upstream.
779: .TP
780: .B --add-cpe-id=<string>
781: Add an arbitrary identifying string to DNS queries which are
782: forwarded upstream.
783: .TP
784: .B --add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>/]<IPv6 prefix length>]]
785: Add a subnet address to the DNS queries which are forwarded
786: upstream. If an address is specified in the flag, it will be used,
787: otherwise, the address of the requestor will be used. The amount of
788: the address forwarded depends on the prefix length parameter: 32 (128
789: for IPv6) forwards the whole address, zero forwards none of it but
790: still marks the request so that no upstream nameserver will add client
791: address information either. The default is zero for both IPv4 and
792: IPv6. Note that upstream nameservers may be configured to return
793: different results based on this information, but the dnsmasq cache
794: does not take account. Caching is therefore disabled for such replies,
795: unless the subnet address being added is constant.
796:
797: For example,
798: .B --add-subnet=24,96
799: will add the /24 and /96 subnets of the requestor for IPv4 and IPv6 requestors, respectively.
800: .B --add-subnet=1.2.3.4/24
801: will add 1.2.3.0/24 for IPv4 requestors and ::/0 for IPv6 requestors.
802: .B --add-subnet=1.2.3.4/24,1.2.3.4/24
803: will add 1.2.3.0/24 for both IPv4 and IPv6 requestors.
804: .TP
805: .B --strip-subnet
806: Remove any subnet address already present in a downstream query before forwarding it upstream. If --add-subnet is set this also
807: ensures that any downstream-provided subnet is replaced by the one added by dnsmasq. Otherwise, dnsmasq will NOT replace an
808: existing subnet in the query.
809: .TP
810: .B --umbrella[=[deviceid:<deviceid>][,orgid:<orgid>][,assetid:<id>]]
811: Embeds the requestor's IP address in DNS queries forwarded upstream.
812: If device id or, asset id or organization id are specified, the information is
813: included in the forwarded queries and may be able to be used in
814: filtering policies and reporting. The order of the id
815: attributes is irrelevant, but they must be separated by a comma. Deviceid is
816: a sixteen digit hexadecimal number, org and asset ids are decimal numbers.
817: .TP
818: .B \-c, --cache-size=<cachesize>
819: Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. Note: huge cache size impacts performance.
820: .TP
821: .B \-N, --no-negcache
822: Disable negative caching. Negative caching allows dnsmasq to remember
823: "no such domain" answers from upstream nameservers and answer
824: identical queries without forwarding them again.
825: .TP
826: .B --no-round-robin
827: Dnsmasq normally permutes the order of A or AAAA records for the same
828: name on successive queries, for load-balancing. This turns off that
829: behaviour, so that the records are always returned in the order
830: that they are received from upstream.
831: .TP
832: .B --use-stale-cache[=<max TTL excess in s>]
833: When set, if a DNS name exists in the cache, but its time-to-live has expired, dnsmasq will return the data anyway. (It attempts to refresh the
834: data with an upstream query after returning the stale data.) This can improve speed and reliability. It comes at the expense
835: of sometimes returning out-of-date data and less efficient cache utilisation, since old data cannot be flushed when its TTL expires, so the cache becomes
836: mostly least-recently-used. To mitigate issues caused by massively outdated DNS replies, the maximum overaging of cached records can be specified in seconds
837: (defaulting to not serve anything older than one day). Setting the TTL excess time to zero will serve stale cache data regardless how long it has expired.
838: .TP
839: .B \-0, --dns-forward-max=<queries>
840: Set the maximum number of concurrent DNS queries. The default value is
841: 150, which should be fine for most setups. The only known situation
842: where this needs to be increased is when using web-server log file
843: resolvers, which can generate large numbers of concurrent queries. This
844: parameter actually controls the number of concurrent queries per server group, where a server group is the set of server(s) associated with a single domain. So if a domain has it's own server via --server=/example.com/1.2.3.4 and 1.2.3.4 is not responding, but queries for *.example.com cannot go elsewhere, then other queries will not be affected. On configurations with many such server groups and tight resources, this value may need to be reduced.
845: .TP
846: .B --dnssec
847: Validate DNS replies and cache DNSSEC data. When forwarding DNS queries, dnsmasq requests the
848: DNSSEC records needed to validate the replies. The replies are validated and the result returned as
849: the Authenticated Data bit in the DNS packet. In addition the DNSSEC records are stored in the cache, making
850: validation by clients more efficient. Note that validation by clients is the most secure DNSSEC mode, but for
851: clients unable to do validation, use of the AD bit set by dnsmasq is useful, provided that the network between
852: the dnsmasq server and the client is trusted. Dnsmasq must be compiled with HAVE_DNSSEC enabled, and DNSSEC
853: trust anchors provided, see
854: .B --trust-anchor.
855: Because the DNSSEC validation process uses the cache, it is not
856: permitted to reduce the cache size below the default when DNSSEC is
857: enabled. The nameservers upstream of dnsmasq must be DNSSEC-capable,
858: ie capable of returning DNSSEC records with data. If they are not,
859: then dnsmasq will not be able to determine the trusted status of
860: answers and this means that DNS service will be entirely broken.
861: .TP
862: .B --trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
863: Provide DS records to act a trust anchors for DNSSEC
864: validation. Typically these will be the DS record(s) for Key Signing
865: key(s) (KSK) of the root zone,
866: but trust anchors for limited domains are also possible. The current
867: root-zone trust anchors may be downloaded from https://data.iana.org/root-anchors/root-anchors.xml
868: .TP
869: .B --dnssec-check-unsigned[=no]
870: As a default, dnsmasq checks that unsigned DNS replies are
871: legitimate: this entails possible extra queries even for the majority of DNS
872: zones which are not, at the moment, signed. If
873: .B --dnssec-check-unsigned=no
874: appears in the configuration, then such replies they are assumed to be valid and passed on (without the
875: "authentic data" bit set, of course). This does not protect against an
876: attacker forging unsigned replies for signed DNS zones, but it is
877: fast.
878:
879: Versions of dnsmasq prior to 2.80 defaulted to not checking unsigned replies, and used
880: .B --dnssec-check-unsigned
881: to switch this on. Such configurations will continue to work as before, but those which used the default of no checking will need to be altered to explicitly select no checking. The new default is because switching off checking for unsigned replies is inherently dangerous. Not only does it open the possiblity of forged replies, but it allows everything to appear to be working even when the upstream namesevers do not support DNSSEC, and in this case no DNSSEC validation at all is occurring.
882: .TP
883: .B --dnssec-no-timecheck
884: DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an
885: interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct
886: time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag
887: removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGINT. The intention is
888: that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as
889: reliable time is established, a SIGINT should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records
890: which have not been thoroughly checked.
891:
892: Earlier versions of dnsmasq overloaded SIGHUP (which re-reads much configuration) to also enable time validation.
893:
894: If dnsmasq is run in debug mode (\fB--no-daemon\fP flag) then SIGINT retains its usual meaning of terminating the dnsmasq process.
895: .TP
896: .B --dnssec-timestamp=<path>
897: Enables an alternative way of checking the validity of the system time for DNSSEC (see \fB--dnssec-no-timecheck\fP). In this case, the
898: system time is considered to be valid once it becomes later than the timestamp on the specified file. The file is created and
899: its timestamp set automatically by dnsmasq. The file must be stored on a persistent filesystem, so that it and its mtime are carried
900: over system restarts. The timestamp file is created after dnsmasq has dropped root, so it must be in a location writable by the
901: unprivileged user that dnsmasq runs as.
902: .TP
903: .B --proxy-dnssec
904: Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients. This is an
905: alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between
906: dnsmasq and the upstream servers, and the trustworthiness of the upstream servers. Note that caching the
907: Authenticated Data bit correctly in all cases is not technically possible. If the AD bit is to be relied upon
908: when using this option, then the cache should be disabled using --cache-size=0. In most cases, enabling DNSSEC validation
909: within dnsmasq is a better option. See --dnssec for details.
910: .TP
911: .B --dnssec-debug
912: Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries,
913: and don't convert replies which do not validate to responses with
914: a return code of SERVFAIL. Note that
915: setting this may affect DNS behaviour in bad ways, it is not an
916: extra-logging flag and should not be set in production.
917: .TP
918: .B --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix length>].....][,exclude:<subnet>[/<prefix length>]].....]
919: Define a DNS zone for which dnsmasq acts as authoritative server. Locally defined DNS records which are in the domain
920: will be served. If subnet(s) are given, A and AAAA records must be in one of the
921: specified subnets.
922:
923: As alternative to directly specifying the subnets, it's possible to
924: give the name of an interface, in which case the subnets implied by
925: that interface's configured addresses and netmask/prefix-length are
926: used; this is useful when using constructed DHCP ranges as the actual
927: address is dynamic and not known when configuring dnsmasq. The
928: interface addresses may be confined to only IPv6 addresses using
929: <interface>/6 or to only IPv4 using <interface>/4. This is useful when
930: an interface has dynamically determined global IPv6 addresses which should
931: appear in the zone, but RFC1918 IPv4 addresses which should not.
932: Interface-name and address-literal subnet specifications may be used
933: freely in the same \fB--auth-zone\fP declaration.
934:
935: It's possible to exclude certain IP addresses from responses. It can be
936: used, to make sure that answers contain only global routeable IP
937: addresses (by excluding loopback, RFC1918 and ULA addresses).
938:
939: The subnet(s) are also used to define in-addr.arpa and
940: ip6.arpa domains which are served for reverse-DNS queries. If not
941: specified, the prefix length defaults to 24 for IPv4 and 64 for IPv6.
942: For IPv4 subnets, the prefix length should be have the value 8, 16 or 24
943: unless you are familiar with RFC 2317 and have arranged the
944: in-addr.arpa delegation accordingly. Note that if no subnets are
945: specified, then no reverse queries are answered.
946: .TP
947: .B --auth-soa=<serial>[,<hostmaster>[,<refresh>[,<retry>[,<expiry>]]]]
948: Specify fields in the SOA record associated with authoritative
949: zones. Note that this is optional, all the values are set to sane defaults.
950: .TP
951: .B --auth-sec-servers=<domain>[,<domain>[,<domain>...]]
952: Specify any secondary servers for a zone for which dnsmasq is
953: authoritative. These servers must be configured to get zone data from
954: dnsmasq by zone transfer, and answer queries for the same
955: authoritative zones as dnsmasq.
956: .TP
957: .B --auth-peer=<ip-address>[,<ip-address>[,<ip-address>...]]
958: Specify the addresses of secondary servers which are allowed to
959: initiate zone transfer (AXFR) requests for zones for which dnsmasq is
960: authoritative. If this option is not given but --auth-sec-servers is,
961: then AXFR requests will be
962: accepted from any secondary. Specifying
963: .B --auth-peer
964: without
965: .B --auth-sec-servers
966: enables zone transfer but does not advertise the secondary in NS records returned by dnsmasq.
967: .TP
968: .B --conntrack
969: Read the Linux connection track mark associated with incoming DNS
970: queries and set the same mark value on upstream traffic used to answer
971: those queries. This allows traffic generated by dnsmasq to be
972: associated with the queries which cause it, useful for bandwidth
973: accounting and firewalling. Dnsmasq must have conntrack support
974: compiled in and the kernel must have conntrack support
975: included and configured. This option cannot be combined with
976: .B --query-port.
977: .TP
978: .B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>|<mode>[,<netmask>[,<broadcast>]]][,<lease time>]
979: .TP
980: .B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-IPv6addr>[,<end-IPv6addr>|constructor:<interface>][,<mode>][,<prefix-len>][,<lease time>]
981:
982: Enable the DHCP server. Addresses will be given out from the range
983: <start-addr> to <end-addr> and from statically defined addresses given
984: in
985: .B --dhcp-host
986: options. If the lease time is given, then leases
987: will be given for that length of time. The lease time is in seconds,
988: or minutes (eg 45m) or hours (eg 1h) or days (2d) or weeks (1w) or "infinite". If not given,
989: the default lease time is one hour for IPv4 and one day for IPv6. The
990: minimum lease time is two minutes. For IPv6 ranges, the lease time
991: maybe "deprecated"; this sets the preferred lifetime sent in a DHCP
992: lease or router advertisement to zero, which causes clients to use
993: other addresses, if available, for new connections as a prelude to renumbering.
994:
995: This option may be repeated, with different addresses, to enable DHCP
996: service to more than one network. For directly connected networks (ie,
997: networks on which the machine running dnsmasq has an interface) the
998: netmask is optional: dnsmasq will determine it from the interface
999: configuration. For networks which receive DHCP service via a relay
1000: agent, dnsmasq cannot determine the netmask itself, so it should be
1001: specified, otherwise dnsmasq will have to guess, based on the class (A, B or
1002: C) of the network address. The broadcast address is
1003: always optional. It is always
1004: allowed to have more than one \fB--dhcp-range\fP in a single subnet.
1005:
1006: For IPv6, the parameters are slightly different: instead of netmask
1007: and broadcast address, there is an optional prefix length which must
1008: be equal to or larger then the prefix length on the local interface. If not
1009: given, this defaults to 64. Unlike the IPv4 case, the prefix length is not
1010: automatically derived from the interface configuration. The minimum
1011: size of the prefix length is 64.
1012:
1013: IPv6 (only) supports another type of range. In this, the start address and optional end address contain only the network part (ie ::1) and they are followed by
1014: .B constructor:<interface>.
1015: This forms a template which describes how to create ranges, based on the addresses assigned to the interface. For instance
1016:
1017: .B --dhcp-range=::1,::400,constructor:eth0
1018:
1019: will look for addresses on
1020: eth0 and then create a range from <network>::1 to <network>::400. If
1021: the interface is assigned more than one network, then the
1022: corresponding ranges will be automatically created, and then
1023: deprecated and finally removed again as the address is deprecated and
1024: then deleted. The interface name may have a final "*" wildcard. Note
1025: that just any address on eth0 will not do: it must not be an
1026: autoconfigured or privacy address, or be deprecated.
1027:
1028: If a \fB--dhcp-range\fP is only being used for stateless DHCP and/or SLAAC,
1029: then the address can be simply ::
1030:
1031: .B --dhcp-range=::,constructor:eth0
1032:
1033:
1034: The optional
1035: .B set:<tag>
1036: sets an alphanumeric label which marks this network so that
1037: DHCP options may be specified on a per-network basis.
1038: When it is prefixed with 'tag:' instead, then its meaning changes from setting
1039: a tag to matching it. Only one tag may be set, but more than one tag
1040: may be matched.
1041:
1042: The optional <mode> keyword may be
1043: .B static
1044: which tells dnsmasq to enable DHCP for the network specified, but not
1045: to dynamically allocate IP addresses: only hosts which have static
1046: addresses given via
1047: .B --dhcp-host
1048: or from /etc/ethers will be served. A static-only subnet with address
1049: all zeros may be used as a "catch-all" address to enable replies to all
1050: Information-request packets on a subnet which is provided with
1051: stateless DHCPv6, ie
1052: .B --dhcp-range=::,static
1053:
1054: For IPv4, the <mode> may be
1055: .B proxy
1056: in which case dnsmasq will provide proxy-DHCP on the specified
1057: subnet. (See
1058: .B --pxe-prompt
1059: and
1060: .B --pxe-service
1061: for details.)
1062:
1063: For IPv6, the mode may be some combination of
1064: .B ra-only, slaac, ra-names, ra-stateless, ra-advrouter, off-link.
1065:
1066: .B ra-only
1067: tells dnsmasq to offer Router Advertisement only on this subnet,
1068: and not DHCP.
1069:
1070: .B slaac
1071: tells dnsmasq to offer Router Advertisement on this subnet and to set
1072: the A bit in the router advertisement, so that the client will use
1073: SLAAC addresses. When used with a DHCP range or static DHCP address
1074: this results in the client having both a DHCP-assigned and a SLAAC
1075: address.
1076:
1077: .B ra-stateless
1078: sends router advertisements with the O and A bits set, and provides a
1079: stateless DHCP service. The client will use a SLAAC address, and use
1080: DHCP for other configuration information.
1081:
1082: .B ra-names
1083: enables a mode
1084: which gives DNS names to dual-stack hosts which do SLAAC for
1085: IPv6. Dnsmasq uses the host's IPv4 lease to derive the name, network
1086: segment and MAC address and assumes that the host will also have an
1087: IPv6 address calculated using the SLAAC algorithm, on the same network
1088: segment. The address is pinged, and if a reply is received, an AAAA
1089: record is added to the DNS for this IPv6
1090: address. Note that this is only happens for directly-connected
1091: networks, (not one doing DHCP via a relay) and it will not work
1092: if a host is using privacy extensions.
1093: .B ra-names
1094: can be combined with
1095: .B ra-stateless
1096: and
1097: .B slaac.
1098:
1099: .B ra-advrouter
1100: enables a mode where router address(es) rather than prefix(es) are included in the advertisements.
1101: This is described in RFC-3775 section 7.2 and is used in mobile IPv6. In this mode the interval option
1102: is also included, as described in RFC-3775 section 7.3.
1103:
1104: .B off-link
1105: tells dnsmasq to advertise the prefix without the on-link (aka L) bit set.
1106:
1107: .TP
1108: .B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,tag:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
1109: Specify per host parameters for the DHCP server. This allows a machine
1110: with a particular hardware address to be always allocated the same
1111: hostname, IP address and lease time. A hostname specified like this
1112: overrides any supplied by the DHCP client on the machine. It is also
1113: allowable to omit the hardware address and include the hostname, in
1114: which case the IP address and lease times will apply to any machine
1115: claiming that name. For example
1116: .B --dhcp-host=00:20:e0:3b:13:af,wap,infinite
1117: tells dnsmasq to give
1118: the machine with hardware address 00:20:e0:3b:13:af the name wap, and
1119: an infinite DHCP lease.
1120: .B --dhcp-host=lap,192.168.0.199
1121: tells
1122: dnsmasq to always allocate the machine lap the IP address
1123: 192.168.0.199.
1124:
1125: Addresses allocated like this are not constrained to be
1126: in the range given by the \fB--dhcp-range\fP option, but they must be in
1127: the same subnet as some valid dhcp-range. For
1128: subnets which don't need a pool of dynamically allocated addresses,
1129: use the "static" keyword in the \fB--dhcp-range\fP declaration.
1130:
1131: It is allowed to use client identifiers (called client
1132: DUID in IPv6-land) rather than
1133: hardware addresses to identify hosts by prefixing with 'id:'. Thus:
1134: .B --dhcp-host=id:01:02:03:04,.....
1135: refers to the host with client identifier 01:02:03:04. It is also
1136: allowed to specify the client ID as text, like this:
1137: .B --dhcp-host=id:clientidastext,.....
1138:
1139: A single
1140: .B --dhcp-host
1141: may contain an IPv4 address or one or more IPv6 addresses, or both. IPv6 addresses must be bracketed by square brackets thus:
1142: .B --dhcp-host=laptop,[1234::56]
1143: IPv6 addresses may contain only the host-identifier part:
1144: .B --dhcp-host=laptop,[::56]
1145: in which case they act as wildcards in constructed DHCP ranges, with
1146: the appropriate network part inserted. For IPv6, an address may include a prefix length:
1147: .B --dhcp-host=laptop,[1234:50/126]
1148: which (in this case) specifies four addresses, 1234::50 to 1234::53. This (an the ability
1149: to specify multiple addresses) is useful
1150: when a host presents either a consistent name or hardware-ID, but varying DUIDs, since it allows
1151: dnsmasq to honour the static address allocation but assign a different adddress for each DUID. This
1152: typically occurs when chain netbooting, as each stage of the chain gets in turn allocates an address.
1153:
1154: Note that in IPv6 DHCP, the hardware address may not be
1155: available, though it normally is for direct-connected clients, or
1156: clients using DHCP relays which support RFC 6939.
1157:
1158:
1159: For DHCPv4, the special option id:* means "ignore any client-id
1160: and use MAC addresses only." This is useful when a client presents a client-id sometimes
1161: but not others.
1162:
1163: If a name appears in /etc/hosts, the associated address can be
1164: allocated to a DHCP lease, but only if a
1165: .B --dhcp-host
1166: option specifying the name also exists. Only one hostname can be
1167: given in a
1168: .B --dhcp-host
1169: option, but aliases are possible by using CNAMEs. (See
1170: .B --cname
1171: ). Note that /etc/hosts is NOT used when the DNS server side of dnsmasq
1172: is disabled by setting the DNS server port to zero.
1173:
1174: More than one
1175: .B --dhcp-host
1176: can be associated (by name, hardware address or UID) with a host. Which one is used
1177: (and therefore which address is allocated by DHCP and appears in the DNS) depends
1178: on the subnet on which the host last obtained a DHCP lease:
1179: the
1180: .B --dhcp-host
1181: with an address within the subnet is used. If more than one address is within the subnet,
1182: the result is undefined. A corollary to this is that the name associated with a host using
1183: .B --dhcp-host
1184: does not appear in the DNS until the host obtains a DHCP lease.
1185:
1186:
1187: The special keyword "ignore"
1188: tells dnsmasq to never offer a DHCP lease to a machine. The machine
1189: can be specified by hardware address, client ID or hostname, for
1190: instance
1191: .B --dhcp-host=00:20:e0:3b:13:af,ignore
1192: This is
1193: useful when there is another DHCP server on the network which should
1194: be used by some machines.
1195:
1196: The set:<tag> construct sets the tag
1197: whenever this \fB--dhcp-host\fP directive is in use. This can be used to
1198: selectively send DHCP options just for this host. More than one tag
1199: can be set in a \fB--dhcp-host\fP directive (but not in other places where
1200: "set:<tag>" is allowed). When a host matches any
1201: \fB--dhcp-host\fP directive (or one implied by /etc/ethers) then the special
1202: tag "known" is set. This allows dnsmasq to be configured to
1203: ignore requests from unknown machines using
1204: .B --dhcp-ignore=tag:!known
1205: If the host matches only a \fB--dhcp-host\fP directive which cannot
1206: be used because it specifies an address on different subnet, the tag "known-othernet" is set.
1207:
1208: The tag:<tag> construct filters which dhcp-host directives are used; more than
1209: one can be provided, in this case the request must match all of them. Tagged
1210: directives are used in preference to untagged ones. Note that one of <hwaddr>,
1211: <client_id> or <hostname> still needs to be specified (can be a wildcard).
1212:
1213: Ethernet addresses (but not client-ids) may have
1214: wildcard bytes, so for example
1215: .B --dhcp-host=00:20:e0:3b:13:*,ignore
1216: will cause dnsmasq to ignore a range of hardware addresses. Note that
1217: the "*" will need to be escaped or quoted on a command line, but not
1218: in the configuration file.
1219:
1220: Hardware addresses normally match any
1221: network (ARP) type, but it is possible to restrict them to a single
1222: ARP type by preceding them with the ARP-type (in HEX) and "-". so
1223: .B --dhcp-host=06-00:20:e0:3b:13:af,1.2.3.4
1224: will only match a
1225: Token-Ring hardware address, since the ARP-address type for token ring
1226: is 6.
1227:
1228: As a special case, in DHCPv4, it is possible to include more than one
1229: hardware address. eg:
1230: .B --dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2
1231: This allows an IP address to be associated with
1232: multiple hardware addresses, and gives dnsmasq permission to abandon a
1233: DHCP lease to one of the hardware addresses when another one asks for
1234: a lease. Beware that this is a dangerous thing to do, it will only
1235: work reliably if only one of the hardware addresses is active at any
1236: time and there is no way for dnsmasq to enforce this. It is, for instance,
1237: useful to allocate a stable IP address to a laptop which
1238: has both wired and wireless interfaces.
1239: .TP
1240: .B --dhcp-hostsfile=<path>
1241: Read DHCP host information from the specified file. If a directory
1242: is given, then read all the files contained in that directory in alphabetical order. The file contains
1243: information about one host per line. The format of a line is the same
1244: as text to the right of '=' in \fB--dhcp-host\fP. The advantage of storing DHCP host information
1245: in this file is that it can be changed without re-starting dnsmasq:
1246: the file will be re-read when dnsmasq receives SIGHUP.
1247: .TP
1248: .B --dhcp-optsfile=<path>
1249: Read DHCP option information from the specified file. If a directory
1250: is given, then read all the files contained in that directory in alphabetical order. The advantage of
1251: using this option is the same as for \fB--dhcp-hostsfile\fP: the
1252: \fB--dhcp-optsfile\fP will be re-read when dnsmasq receives SIGHUP. Note that
1253: it is possible to encode the information in a
1254: .B --dhcp-boot
1255: flag as DHCP options, using the options names bootfile-name,
1256: server-ip-address and tftp-server. This allows these to be included
1257: in a \fB--dhcp-optsfile\fP.
1258: .TP
1259: .B --dhcp-hostsdir=<path>
1260: This is equivalent to \fB--dhcp-hostsfile\fP, except for the following. The path MUST be a
1261: directory, and not an individual file. Changed or new files within
1262: the directory are read automatically, without the need to send SIGHUP.
1263: If a file is deleted or changed after it has been read by dnsmasq, then the
1264: host record it contained will remain until dnsmasq receives a SIGHUP, or
1265: is restarted; ie host records are only added dynamically. The order in which the
1266: files in a directory are read is not defined.
1267: .TP
1268: .B --dhcp-optsdir=<path>
1269: This is equivalent to \fB--dhcp-optsfile\fP, with the differences noted for \fB--dhcp-hostsdir\fP.
1270: .TP
1271: .B \-Z, --read-ethers
1272: Read /etc/ethers for information about hosts for the DHCP server. The
1273: format of /etc/ethers is a hardware address, followed by either a
1274: hostname or dotted-quad IP address. When read by dnsmasq these lines
1275: have exactly the same effect as
1276: .B --dhcp-host
1277: options containing the same information. /etc/ethers is re-read when
1278: dnsmasq receives SIGHUP. IPv6 addresses are NOT read from /etc/ethers.
1279: .TP
1280: .B \-O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>|option6:<opt>|option6:<opt-name>],[<value>[,<value>]]
1281: Specify different or extra options to DHCP clients. By default,
1282: dnsmasq sends some standard options to DHCP clients, the netmask and
1283: broadcast address are set to the same as the host running dnsmasq, and
1284: the DNS server and default route are set to the address of the machine
1285: running dnsmasq. (Equivalent rules apply for IPv6.) If the domain name option has been set, that is sent.
1286: This configuration allows these defaults to be overridden,
1287: or other options specified. The option, to be sent may be given as a
1288: decimal number or as "option:<option-name>" The option numbers are
1289: specified in RFC2132 and subsequent RFCs. The set of option-names
1290: known by dnsmasq can be discovered by running "dnsmasq --help dhcp".
1291: For example, to set the default route option to
1292: 192.168.4.4, do
1293: .B --dhcp-option=3,192.168.4.4
1294: or
1295: .B --dhcp-option = option:router, 192.168.4.4
1296: and to set the time-server address to 192.168.0.4, do
1297: .B --dhcp-option = 42,192.168.0.4
1298: or
1299: .B --dhcp-option = option:ntp-server, 192.168.0.4
1300: The special address 0.0.0.0 is taken to mean "the address of the
1301: machine running dnsmasq".
1302:
1303: An option without data is valid, and includes just the option without data.
1304: (There is only one option with a zero length data field currently defined for DHCPv4, 80:rapid commit, so this feature is not very useful in practice). Options for which dnsmasq normally
1305: provides default values can be ommitted by defining the option with no data. These are
1306: netmask, broadcast, router, DNS server, domainname and hostname. Thus, for DHCPv4
1307: .B --dhcp-option = option:router
1308: will result in no router option being sent, rather than the default of the host on which dnsmasq is running. For DHCPv6, the same is true of the options DNS server and refresh time.
1309:
1310:
1311: Data types allowed are comma separated
1312: dotted-quad IPv4 addresses, []-wrapped IPv6 addresses, a decimal number, colon-separated hex digits
1313: and a text string. If the optional tags are given then
1314: this option is only sent when all the tags are matched.
1315:
1316: Special processing is done on a text argument for option 119, to
1317: conform with RFC 3397. Text or dotted-quad IP addresses as arguments
1318: to option 120 are handled as per RFC 3361. Dotted-quad IP addresses
1319: which are followed by a slash and then a netmask size are encoded as
1320: described in RFC 3442.
1321:
1322: IPv6 options are specified using the
1323: .B option6:
1324: keyword, followed by the option number or option name. The IPv6 option
1325: name space is disjoint from the IPv4 option name space. IPv6 addresses
1326: in options must be bracketed with square brackets, eg.
1327: .B --dhcp-option=option6:ntp-server,[1234::56]
1328: For IPv6, [::] means "the global address of
1329: the machine running dnsmasq", whilst [fd00::] is replaced with the
1330: ULA, if it exists, and [fe80::] with the link-local address.
1331:
1332: Be careful: no checking is done that the correct type of data for the
1333: option number is sent, it is quite possible to
1334: persuade dnsmasq to generate illegal DHCP packets with injudicious use
1335: of this flag. When the value is a decimal number, dnsmasq must determine how
1336: large the data item is. It does this by examining the option number and/or the
1337: value, but can be overridden by appending a single letter flag as follows:
1338: b = one byte, s = two bytes, i = four bytes. This is mainly useful with
1339: encapsulated vendor class options (see below) where dnsmasq cannot
1340: determine data size from the option number. Option data which
1341: consists solely of periods and digits will be interpreted by dnsmasq
1342: as an IP address, and inserted into an option as such. To force a
1343: literal string, use quotes. For instance when using option 66 to send
1344: a literal IP address as TFTP server name, it is necessary to do
1345: .B --dhcp-option=66,"1.2.3.4"
1346:
1347: Encapsulated Vendor-class options may also be specified (IPv4 only) using
1348: \fB--dhcp-option\fP: for instance
1349: .B --dhcp-option=vendor:PXEClient,1,0.0.0.0
1350: sends the encapsulated vendor
1351: class-specific option "mftp-address=0.0.0.0" to any client whose
1352: vendor-class matches "PXEClient". The vendor-class matching is
1353: substring based (see \fB--dhcp-vendorclass\fP for details). If a
1354: vendor-class option (number 60) is sent by dnsmasq, then that is used
1355: for selecting encapsulated options in preference to any sent by the
1356: client. It is
1357: possible to omit the vendorclass completely;
1358: .B --dhcp-option=vendor:,1,0.0.0.0
1359: in which case the encapsulated option is always sent.
1360:
1361: Options may be encapsulated (IPv4 only) within other options: for instance
1362: .B --dhcp-option=encap:175, 190, "iscsi-client0"
1363: will send option 175, within which is the option 190. If multiple
1364: options are given which are encapsulated with the same option number
1365: then they will be correctly combined into one encapsulated option.
1366: encap: and vendor: are may not both be set in the same \fB--dhcp-option\fP.
1367:
1368: The final variant on encapsulated options is "Vendor-Identifying
1369: Vendor Options" as specified by RFC3925. These are denoted like this:
1370: .B --dhcp-option=vi-encap:2, 10, "text"
1371: The number in the vi-encap: section is the IANA enterprise number
1372: used to identify this option. This form of encapsulation is supported
1373: in IPv6.
1374:
1375: The address 0.0.0.0 is not treated specially in
1376: encapsulated options.
1377: .TP
1378: .B --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
1379: This works in exactly the same way as
1380: .B --dhcp-option
1381: except that the option will always be sent, even if the client does
1382: not ask for it in the parameter request list. This is sometimes
1383: needed, for example when sending options to PXELinux.
1384: .TP
1385: .B --dhcp-no-override
1386: (IPv4 only) Disable re-use of the DHCP servername and filename fields as extra
1387: option space. If it can, dnsmasq moves the boot server and filename
1388: information (from \fB--dhcp-boot\fP) out of their dedicated fields into
1389: DHCP options. This make extra space available in the DHCP packet for
1390: options but can, rarely, confuse old or broken clients. This flag
1391: forces "simple and safe" behaviour to avoid problems in such a case.
1392: .TP
1393: .B --dhcp-relay=<local address>[,<server address>[#<server port>]][,<interface]
1394: Configure dnsmasq to do DHCP relay. The local address is an address
1395: allocated to an interface on the host running dnsmasq. All DHCP
1396: requests arriving on that interface will we relayed to a remote DHCP
1397: server at the server address. It is possible to relay from a single local
1398: address to multiple remote servers by using multiple \fB--dhcp-relay\fP
1399: configs with the same local address and different server
1400: addresses. A server address must be an IP literal address, not a
1401: domain name. If the server address is omitted, the request will be
1402: forwarded by broadcast (IPv4) or multicast (IPv6). In this case the interface
1403: must be given and not be wildcard. The server address may specify a non-standard
1404: port to relay to. If this is used then \fB--dhcp-proxy\fP should likely also be set,
1405: otherwise parts of the DHCP conversation which do not pass through the relay
1406: will be delivered to the wrong port.
1407:
1408: Access control for DHCP clients has the same rules as for the DHCP
1409: server, see \fB--interface\fP, \fB--except-interface\fP, etc. The optional
1410: interface name in the \fB--dhcp-relay\fP config has a different function: it
1411: controls on which interface DHCP replies from the server will be
1412: accepted. This is intended for configurations which have three
1413: interfaces: one being relayed from, a second connecting the DHCP
1414: server, and a third untrusted network, typically the wider
1415: internet. It avoids the possibility of spoof replies arriving via this
1416: third interface.
1417:
1418: It is allowed to have dnsmasq act as a DHCP server on one set of
1419: interfaces and relay from a disjoint set of interfaces. Note that
1420: whilst it is quite possible to write configurations which appear to
1421: act as a server and a relay on the same interface, this is not
1422: supported: the relay function will take precedence.
1423:
1424: Both DHCPv4 and DHCPv6 relay is supported. It's not possible to relay
1425: DHCPv4 to a DHCPv6 server or vice-versa.
1426:
1427: The DHCP relay function for IPv6 includes the ability to snoop
1428: prefix-delegation from relayed DHCP transactions. See
1429: .B --dhcp-script
1430: for details.
1431: .TP
1432: .B \-U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<vendor-class>
1433: Map from a vendor-class string to a tag. Most DHCP clients provide a
1434: "vendor class" which represents, in some sense, the type of host. This option
1435: maps vendor classes to tags, so that DHCP options may be selectively delivered
1436: to different classes of hosts. For example
1437: .B --dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect
1438: will allow options to be set only for HP printers like so:
1439: .B --dhcp-option=tag:printers,3,192.168.4.4
1440: The vendor-class string is
1441: substring matched against the vendor-class supplied by the client, to
1442: allow fuzzy matching. The set: prefix is optional but allowed for
1443: consistency.
1444:
1445: Note that in IPv6 only, vendorclasses are namespaced with an
1446: IANA-allocated enterprise number. This is given with enterprise:
1447: keyword and specifies that only vendorclasses matching the specified
1448: number should be searched.
1449: .TP
1450: .B \-j, --dhcp-userclass=set:<tag>,<user-class>
1451: Map from a user-class string to a tag (with substring
1452: matching, like vendor classes). Most DHCP clients provide a
1453: "user class" which is configurable. This option
1454: maps user classes to tags, so that DHCP options may be selectively delivered
1455: to different classes of hosts. It is possible, for instance to use
1456: this to set a different printer server for hosts in the class
1457: "accounts" than for hosts in the class "engineering".
1458: .TP
1459: .B \-4, --dhcp-mac=set:<tag>,<MAC address>
1460: Map from a MAC address to a tag. The MAC address may include
1461: wildcards. For example
1462: .B --dhcp-mac=set:3com,01:34:23:*:*:*
1463: will set the tag "3com" for any host whose MAC address matches the pattern.
1464: .TP
1465: .B --dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-remoteid=set:<tag>,<remote-id>
1466: Map from RFC3046 relay agent options to tags. This data may
1467: be provided by DHCP relay agents. The circuit-id or remote-id is
1468: normally given as colon-separated hex, but is also allowed to be a
1469: simple string. If an exact match is achieved between the circuit or
1470: agent ID and one provided by a relay agent, the tag is set.
1471:
1472: .B --dhcp-remoteid
1473: (but not \fB--dhcp-circuitid\fP) is supported in IPv6.
1474: .TP
1475: .B --dhcp-subscrid=set:<tag>,<subscriber-id>
1476: (IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent options to tags.
1477: .TP
1478: .B --dhcp-proxy[=<ip addr>]......
1479: (IPv4 only) A normal DHCP relay agent is only used to forward the initial parts of
1480: a DHCP interaction to the DHCP server. Once a client is configured, it
1481: communicates directly with the server. This is undesirable if the
1482: relay agent is adding extra information to the DHCP packets, such as
1483: that used by
1484: .B --dhcp-circuitid
1485: and
1486: .B --dhcp-remoteid.
1487: A full relay implementation can use the RFC 5107 serverid-override
1488: option to force the DHCP server to use the relay as a full proxy, with all
1489: packets passing through it. This flag provides an alternative method
1490: of doing the same thing, for relays which don't support RFC
1491: 5107. Given alone, it manipulates the server-id for all interactions
1492: via relays. If a list of IP addresses is given, only interactions via
1493: relays at those addresses are affected.
1494: .TP
1495: .B --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<enterprise>[,<value>]
1496: Without a value, set the tag if the client sends a DHCP
1497: option of the given number or name. When a value is given, set the tag only if
1498: the option is sent and matches the value. The value may be of the form
1499: "01:ff:*:02" in which case the value must match (apart from wildcards)
1500: but the option sent may have unmatched data past the end of the
1501: value. The value may also be of the same form as in
1502: .B --dhcp-option
1503: in which case the option sent is treated as an array, and one element
1504: must match, so
1505: .B --dhcp-match=set:efi-ia32,option:client-arch,6
1506: will set the tag "efi-ia32" if the the number 6 appears in the list of
1507: architectures sent by the client in option 93. (See RFC 4578 for
1508: details.) If the value is a string, substring matching is used.
1509:
1510: The special form with vi-encap:<enterprise number> matches against
1511: vendor-identifying vendor classes for the specified enterprise. Please
1512: see RFC 3925 for more details of these rare and interesting beasts.
1513: .TP
1514: .B --dhcp-name-match=set:<tag>,<name>[*]
1515: Set the tag if the given name is supplied by a DHCP client. There may be a single trailing wildcard *, which has the usual meaning. Combined with dhcp-ignore or dhcp-ignore-names this gives the ability to ignore certain clients by name, or disallow certain hostnames from being claimed by a client.
1516: .TP
1517: .B --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
1518: Perform boolean operations on tags. Any tag appearing as set:<tag> is set if
1519: all the tags which appear as tag:<tag> are set, (or unset when tag:!<tag> is used)
1520: If no tag:<tag> appears set:<tag> tags are set unconditionally.
1521: Any number of set: and tag: forms may appear, in any order.
1522: \fB--tag-if\fP lines are executed in order, so if the tag in tag:<tag> is a
1523: tag set by another
1524: .B --tag-if,
1525: the line which sets the tag must precede the one which tests it.
1526:
1527: As an extension, the tag:<tag> clauses support limited wildcard matching,
1528: similar to the matching in the \fB--interface\fP directive. This allows, for
1529: example, using \fB--tag-if=set:ppp,tag:ppp*\fP to set the tag 'ppp' for all requests
1530: received on any matching interface (ppp0, ppp1, etc). This can be used in conjunction
1531: with the tag:!<tag> format meaning that no tag matching the wildcard may be set.
1532: .TP
1533: .B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
1534: When all the given tags appear in the tag set ignore the host and do
1535: not allocate it a DHCP lease.
1536: .TP
1537: .B --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
1538: When all the given tags appear in the tag set, ignore any hostname
1539: provided by the host. Note that, unlike \fB--dhcp-ignore\fP, it is permissible
1540: to supply no tags, in which case DHCP-client supplied hostnames
1541: are always ignored, and DHCP hosts are added to the DNS using only
1542: \fB--dhcp-host\fP configuration in dnsmasq and the contents of /etc/hosts and
1543: /etc/ethers.
1544: .TP
1545: .B --dhcp-generate-names=tag:<tag>[,tag:<tag>]
1546: (IPv4 only) Generate a name for DHCP clients which do not otherwise have one,
1547: using the MAC address expressed in hex, separated by dashes. Note that
1548: if a host provides a name, it will be used by preference to this,
1549: unless
1550: .B --dhcp-ignore-names
1551: is set.
1552: .TP
1553: .B --dhcp-broadcast[=tag:<tag>[,tag:<tag>]]
1554: (IPv4 only) When all the given tags appear in the tag set, always use broadcast to
1555: communicate with the host when it is unconfigured. It is permissible
1556: to supply no tags, in which case this is unconditional. Most DHCP clients which
1557: need broadcast replies set a flag in their requests so that this
1558: happens automatically, some old BOOTP clients do not.
1559: .TP
1560: .B \-M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server address>|<tftp_servername>]]
1561: (IPv4 only) Set BOOTP options to be returned by the DHCP server. Server name and
1562: address are optional: if not provided, the name is left empty, and the
1563: address set to the address of the machine running dnsmasq. If dnsmasq
1564: is providing a TFTP service (see
1565: .B --enable-tftp
1566: ) then only the filename is required here to enable network booting.
1567: If the optional tag(s) are given,
1568: they must match for this configuration to be sent.
1569: Instead of an IP address, the TFTP server address can be given as a domain
1570: name which is looked up in /etc/hosts. This name can be associated in
1571: /etc/hosts with multiple IP addresses, which are used round-robin.
1572: This facility can be used to load balance the tftp load among a set of servers.
1573: .TP
1574: .B --dhcp-sequential-ip
1575: Dnsmasq is designed to choose IP addresses for DHCP clients using a
1576: hash of the client's MAC address. This normally allows a client's
1577: address to remain stable long-term, even if the client sometimes allows its DHCP
1578: lease to expire. In this default mode IP addresses are distributed
1579: pseudo-randomly over the entire available address range. There are
1580: sometimes circumstances (typically server deployment) where it is more
1581: convenient to have IP
1582: addresses allocated sequentially, starting from the lowest available
1583: address, and setting this flag enables this mode. Note that in the
1584: sequential mode, clients which allow a lease to expire are much more
1585: likely to move IP address; for this reason it should not be generally used.
1586: .TP
1587: .B --dhcp-ignore-clid
1588: Dnsmasq is reading 'client identifier' (RFC 2131) option sent by clients
1589: (if available) to identify clients. This allow to serve same IP address
1590: for a host using several interfaces. Use this option to disable 'client identifier'
1591: reading, i.e. to always identify a host using the MAC address.
1592: .TP
1593: .B --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservicetype>][,<server address>|<server_name>]
1594: Most uses of PXE boot-ROMS simply allow the PXE
1595: system to obtain an IP address and then download the file specified by
1596: .B --dhcp-boot
1597: and execute it. However the PXE system is capable of more complex
1598: functions when supported by a suitable DHCP server.
1599:
1600: This specifies a boot option which may appear in a PXE boot menu. <CSA> is
1601: client system type, only services of the correct type will appear in a
1602: menu. The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
1603: Intel_Lean_Client, IA32_EFI, x86-64_EFI, Xscale_EFI, BC_EFI, ARM32_EFI and ARM64_EFI; an
1604: integer may be used for other types. The
1605: parameter after the menu text may be a file name, in which case dnsmasq acts as a
1606: boot server and directs the PXE client to download the file by TFTP,
1607: either from itself (
1608: .B --enable-tftp
1609: must be set for this to work) or another TFTP server if the final server
1610: address/name is given.
1611: Note that the "layer"
1612: suffix (normally ".0") is supplied by PXE, and need not be added to
1613: the basename. Alternatively, the basename may be a filename, complete with suffix, in which case
1614: no layer suffix is added. If an integer boot service type, rather than a basename
1615: is given, then the PXE client will search for a
1616: suitable boot service for that type on the network. This search may be done
1617: by broadcast, or direct to a server if its IP address/name is provided.
1618: If no boot service type or filename is provided (or a boot service type of 0 is specified)
1619: then the menu entry will abort the net boot procedure and
1620: continue booting from local media. The server address can be given as a domain
1621: name which is looked up in /etc/hosts. This name can be associated in
1622: /etc/hosts with multiple IP addresses, which are used round-robin.
1623: .TP
1624: .B --pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]
1625: Setting this provides a prompt to be displayed after PXE boot. If the
1626: timeout is given then after the
1627: timeout has elapsed with no keyboard input, the first available menu
1628: option will be automatically executed. If the timeout is zero then the first available menu
1629: item will be executed immediately. If
1630: .B --pxe-prompt
1631: is omitted the system will wait for user input if there are multiple
1632: items in the menu, but boot immediately if
1633: there is only one. See
1634: .B --pxe-service
1635: for details of menu items.
1636:
1637: Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP server on
1638: the network is responsible for allocating IP addresses, and dnsmasq
1639: simply provides the information given in
1640: .B --pxe-prompt
1641: and
1642: .B --pxe-service
1643: to allow netbooting. This mode is enabled using the
1644: .B proxy
1645: keyword in
1646: .B --dhcp-range.
1647: .TP
1648: .B --dhcp-pxe-vendor=<vendor>[,...]
1649: According to UEFI and PXE specifications, DHCP packets between PXE clients and
1650: proxy PXE servers should have
1651: .I PXEClient
1652: in their vendor-class field. However, the firmware of computers from a few
1653: vendors is customized to carry a different identifier in that field. This option
1654: is used to consider such identifiers valid for identifying PXE clients. For
1655: instance
1656:
1657: .B --dhcp-pxe-vendor=PXEClient,HW-Client
1658:
1659: will enable dnsmasq to also provide proxy PXE service to those PXE clients with
1660: .I HW-Client
1661: in as their identifier.
1662: .TP
1663: .B \-X, --dhcp-lease-max=<number>
1664: Limits dnsmasq to the specified maximum number of DHCP leases. The
1665: default is 1000. This limit is to prevent DoS attacks from hosts which
1666: create thousands of leases and use lots of memory in the dnsmasq
1667: process.
1668: .TP
1669: .B \-K, --dhcp-authoritative
1670: Should be set when dnsmasq is definitely the only DHCP server on a network.
1671: For DHCPv4, it changes the behaviour from strict RFC compliance so that DHCP requests on
1672: unknown leases from unknown hosts are not ignored. This allows new hosts
1673: to get a lease without a tedious timeout under all circumstances. It also
1674: allows dnsmasq to rebuild its lease database without each client needing to
1675: reacquire a lease, if the database is lost. For DHCPv6 it sets the
1676: priority in replies to 255 (the maximum) instead of 0 (the minimum).
1677: .TP
1678: .B --dhcp-rapid-commit
1679: Enable DHCPv4 Rapid Commit Option specified in RFC 4039. When enabled, dnsmasq
1680: will respond to a DHCPDISCOVER message including a Rapid Commit
1681: option with a DHCPACK including a Rapid Commit option and fully committed
1682: address and configuration information. Should only be enabled if either the
1683: server is the only server for the subnet, or multiple servers are present and they each commit a binding for all clients.
1684: .TP
1685: .B --dhcp-alternate-port[=<server port>[,<client port>]]
1686: (IPv4 only) Change the ports used for DHCP from the default. If this option is
1687: given alone, without arguments, it changes the ports used for DHCP
1688: from 67 and 68 to 1067 and 1068. If a single argument is given, that
1689: port number is used for the server and the port number plus one used
1690: for the client. Finally, two port numbers allows arbitrary
1691: specification of both server and client ports for DHCP.
1692: .TP
1693: .B \-3, --bootp-dynamic[=<network-id>[,<network-id>]]
1694: (IPv4 only) Enable dynamic allocation of IP addresses to BOOTP clients. Use this
1695: with care, since each address allocated to a BOOTP client is leased
1696: forever, and therefore becomes permanently unavailable for re-use by
1697: other hosts. if this is given without tags, then it unconditionally
1698: enables dynamic allocation. With tags, only when the tags are all
1699: set. It may be repeated with different tag sets.
1700: .TP
1701: .B \-5, --no-ping
1702: (IPv4 only) By default, the DHCP server will attempt to ensure that an address is
1703: not in use before allocating it to a host. It does this by sending an
1704: ICMP echo request (aka "ping") to the address in question. If it gets
1705: a reply, then the address must already be in use, and another is
1706: tried. This flag disables this check. Use with caution.
1707: .TP
1708: .B --log-dhcp
1709: Extra logging for DHCP: log all the options sent to DHCP clients and
1710: the tags used to determine them.
1711: .TP
1712: .B --quiet-dhcp, --quiet-dhcp6, --quiet-ra, --quiet-tftp
1713: Suppress logging of the routine operation of these protocols. Errors and
1714: problems will still be logged. \fB--quiet-tftp\fP does not consider file not
1715: found to be an error. \fB--quiet-dhcp\fP and quiet-dhcp6 are over-ridden by
1716: \fB--log-dhcp\fP.
1717: .TP
1718: .B \-l, --dhcp-leasefile=<path>
1719: Use the specified file to store DHCP lease information.
1720: .TP
1721: .B --dhcp-duid=<enterprise-id>,<uid>
1722: (IPv6 only) Specify the server persistent UID which the DHCPv6 server
1723: will use. This option is not normally required as dnsmasq creates a
1724: DUID automatically when it is first needed. When given, this option
1725: provides dnsmasq the data required to create a DUID-EN type DUID. Note
1726: that once set, the DUID is stored in the lease database, so to change between DUID-EN and
1727: automatically created DUIDs or vice-versa, the lease database must be
1728: re-initialised. The enterprise-id is assigned by IANA, and the uid is a
1729: string of hex octets unique to a particular device.
1730: .TP
1731: .B \-6 --dhcp-script=<path>
1732: Whenever a new DHCP lease is created, or an old one destroyed, or a
1733: TFTP file transfer completes, the
1734: executable specified by this option is run. <path>
1735: must be an absolute pathname, no PATH search occurs.
1736: The arguments to the process
1737: are "add", "old" or "del", the MAC
1738: address of the host (or DUID for IPv6) , the IP address, and the hostname,
1739: if known. "add" means a lease has been created, "del" means it has
1740: been destroyed, "old" is a notification of an existing lease when
1741: dnsmasq starts or a change to MAC address or hostname of an existing
1742: lease (also, lease length or expiry and client-id, if \fB--leasefile-ro\fP is set
1743: and lease expiry if \fB--script-on-renewal\fP is set).
1744: If the MAC address is from a network type other than ethernet,
1745: it will have the network type prepended, eg "06-01:23:45:67:89:ab" for
1746: token ring. The process is run as root (assuming that dnsmasq was originally run as
1747: root) even if dnsmasq is configured to change UID to an unprivileged user.
1748:
1749: The environment is inherited from the invoker of dnsmasq, with some or
1750: all of the following variables added
1751:
1752: For both IPv4 and IPv6:
1753:
1754: DNSMASQ_DOMAIN if the fully-qualified domain name of the host is
1755: known, this is set to the domain part. (Note that the hostname passed
1756: to the script as an argument is never fully-qualified.)
1757:
1758: If the client provides a hostname, DNSMASQ_SUPPLIED_HOSTNAME
1759:
1760: If the client provides user-classes, DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn
1761:
1762: If dnsmasq was compiled with HAVE_BROKEN_RTC, then
1763: the length of the lease (in seconds) is stored in
1764: DNSMASQ_LEASE_LENGTH, otherwise the time of lease expiry is stored in
1765: DNSMASQ_LEASE_EXPIRES. The number of seconds until lease expiry is
1766: always stored in DNSMASQ_TIME_REMAINING.
1767:
1768: DNSMASQ_DATA_MISSING is set to "1" during "old" events for existing
1769: leases generated at startup to indicate that data not stored in the
1770: persistent lease database will not be present. This comprises everything
1771: other than IP address, hostname, MAC address, DUID, IAID and lease length
1772: or expiry time.
1773:
1774: If a lease used to have a hostname, which is
1775: removed, an "old" event is generated with the new state of the lease,
1776: ie no name, and the former name is provided in the environment
1777: variable DNSMASQ_OLD_HOSTNAME.
1778:
1779: DNSMASQ_INTERFACE stores the name of
1780: the interface on which the request arrived; this is not set for "old"
1781: actions when dnsmasq restarts.
1782:
1783: DNSMASQ_RELAY_ADDRESS is set if the client
1784: used a DHCP relay to contact dnsmasq and the IP address of the relay
1785: is known.
1786:
1787: DNSMASQ_TAGS contains all the tags set during the
1788: DHCP transaction, separated by spaces.
1789:
1790: DNSMASQ_LOG_DHCP is set if
1791: .B --log-dhcp
1792: is in effect.
1793:
1794: DNSMASQ_REQUESTED_OPTIONS a string containing the decimal values in the Parameter Request List option, comma separated, if the parameter request list option is provided by the client.
1795:
1796: DNSMASQ_MUD_URL the Manufacturer Usage Description URL if provided by the client. (See RFC8520 for details.)
1797:
1798:
1799: For IPv4 only:
1800:
1801: DNSMASQ_CLIENT_ID if the host provided a client-id.
1802:
1803: DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID, DNSMASQ_REMOTE_ID if a
1804: DHCP relay-agent added any of these options.
1805:
1806: If the client provides vendor-class, DNSMASQ_VENDOR_CLASS.
1807:
1808: For IPv6 only:
1809:
1810: If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID,
1811: containing the IANA enterprise id for the class, and
1812: DNSMASQ_VENDOR_CLASS0..DNSMASQ_VENDOR_CLASSn for the data.
1813:
1814: DNSMASQ_SERVER_DUID containing the DUID of the server: this is the same for
1815: every call to the script.
1816:
1817: DNSMASQ_IAID containing the IAID for the lease. If the lease is a
1818: temporary allocation, this is prefixed to 'T'.
1819:
1820: DNSMASQ_MAC containing the MAC address of the client, if known.
1821:
1822: Note that the supplied hostname, vendorclass and userclass data is
1823: only supplied for
1824: "add" actions or "old" actions when a host resumes an existing lease,
1825: since these data are not held in dnsmasq's lease
1826: database.
1827:
1828:
1829:
1830: All file descriptors are
1831: closed except stdin, which is open to /dev/null, and stdout and stderr which capture output for logging by dnsmasq.
1832: (In debug mode, stdio, stdout and stderr file are left as those inherited from the invoker of dnsmasq).
1833:
1834: The script is not invoked concurrently: at most one instance
1835: of the script is ever running (dnsmasq waits for an instance of script to exit
1836: before running the next). Changes to the lease database are which
1837: require the script to be invoked are queued awaiting exit of a running instance.
1838: If this queueing allows multiple state changes occur to a single
1839: lease before the script can be run then
1840: earlier states are discarded and the current state of that lease is
1841: reflected when the script finally runs.
1842:
1843: At dnsmasq startup, the script will be invoked for
1844: all existing leases as they are read from the lease file. Expired
1845: leases will be called with "del" and others with "old". When dnsmasq
1846: receives a HUP signal, the script will be invoked for existing leases
1847: with an "old" event.
1848:
1849:
1850: There are five further actions which may appear as the first argument
1851: to the script, "init", "arp-add", "arp-del", "relay-snoop" and "tftp".
1852: More may be added in the future, so
1853: scripts should be written to ignore unknown actions. "init" is
1854: described below in
1855: .B --leasefile-ro
1856:
1857: The "tftp" action is invoked when a TFTP file transfer completes: the
1858: arguments are the file size in bytes, the address to which the file
1859: was sent, and the complete pathname of the file.
1860:
1861: The "relay-snoop" action is invoked when dnsmasq is configured as a DHCP
1862: relay for DHCPv6 and it relays a prefx delegation to a client. The arguments
1863: are the name of the interface where the client is conected, its (link-local)
1864: address on that interface and the delegated prefix. This information is
1865: sufficient to install routes to the delegated prefix of a router. See
1866: .B --dhcp-relay
1867: for more details on configuring DHCP relay.
1868:
1869: The "arp-add" and "arp-del" actions are only called if enabled with
1870: .B --script-arp
1871: They are are supplied with a MAC address and IP address as arguments. "arp-add" indicates
1872: the arrival of a new entry in the ARP or neighbour table, and "arp-del" indicates the deletion of same.
1873:
1874: .TP
1875: .B --dhcp-luascript=<path>
1876: Specify a script written in Lua, to be run when leases are created,
1877: destroyed or changed. To use this option, dnsmasq must be compiled
1878: with the correct support. The Lua interpreter is initialised once, when
1879: dnsmasq starts, so that global variables persist between lease
1880: events. The Lua code must define a
1881: .B lease
1882: function, and may provide
1883: .B init
1884: and
1885: .B shutdown
1886: functions, which are called, without arguments when dnsmasq starts up
1887: and terminates. It may also provide a
1888: .B tftp
1889: function.
1890:
1891: The
1892: .B lease
1893: function receives the information detailed in
1894: .B --dhcp-script.
1895: It gets two arguments, firstly the action, which is a string
1896: containing, "add", "old" or "del", and secondly a table of tag value
1897: pairs. The tags mostly correspond to the environment variables
1898: detailed above, for instance the tag "domain" holds the same data as
1899: the environment variable DNSMASQ_DOMAIN. There are a few extra tags
1900: which hold the data supplied as arguments to
1901: .B --dhcp-script.
1902: These are
1903: .B mac_address, ip_address
1904: and
1905: .B hostname
1906: for IPv4, and
1907: .B client_duid, ip_address
1908: and
1909: .B hostname
1910: for IPv6.
1911:
1912: The
1913: .B tftp
1914: function is called in the same way as the lease function, and the
1915: table holds the tags
1916: .B destination_address,
1917: .B file_name
1918: and
1919: .B file_size.
1920:
1921: The
1922: .B arp
1923: and
1924: .B arp-old
1925: functions are called only when enabled with
1926: .B --script-arp
1927: and have a table which holds the tags
1928: .B mac_address
1929: and
1930: .B client_address.
1931: .TP
1932: .B --dhcp-scriptuser
1933: Specify the user as which to run the lease-change script or Lua script. This defaults to root, but can be changed to another user using this flag.
1934: .TP
1935: .B --script-arp
1936: Enable the "arp" and "arp-old" functions in the \fB--dhcp-script\fP and \fB--dhcp-luascript\fP.
1937: .TP
1938: .B \-9, --leasefile-ro
1939: Completely suppress use of the lease database file. The file will not
1940: be created, read, or written. Change the way the lease-change
1941: script (if one is provided) is called, so that the lease database may
1942: be maintained in external storage by the script. In addition to the
1943: invocations given in
1944: .B --dhcp-script
1945: the lease-change script is called once, at dnsmasq startup, with the
1946: single argument "init". When called like this the script should write
1947: the saved state of the lease database, in dnsmasq leasefile format, to
1948: stdout and exit with zero exit code. Setting this
1949: option also forces the leasechange script to be called on changes
1950: to the client-id and lease length and expiry time.
1951: .TP
1952: .B --script-on-renewal
1953: Call the DHCP script when the lease expiry time changes, for instance when the
1954: lease is renewed.
1955: .TP
1956: .B --bridge-interface=<interface>,<alias>[,<alias>]
1957: Treat DHCP (v4 and v6) requests and IPv6 Router Solicit packets
1958: arriving at any of the <alias> interfaces as if they had arrived at
1959: <interface>. This option allows dnsmasq to provide DHCP and RA
1960: service over unaddressed and unbridged Ethernet interfaces, e.g. on an
1961: OpenStack compute host where each such interface is a TAP interface to
1962: a VM, or as in "old style bridging" on BSD platforms. A trailing '*'
1963: wildcard can be used in each <alias>.
1964:
1965: It is permissible to add more than one alias using more than one \fB--bridge-interface\fP option since
1966: \fB--bridge-interface=int1,alias1,alias2\fP is exactly equivalent to
1967: \fB--bridge-interface=int1,alias1 --bridge-interface=int1,alias2\fP
1968: .TP
1969: .B --shared-network=<interface>,<addr>
1970: .PD 0
1971: .TP
1972: .B --shared-network=<addr>,<addr>
1973: .PD 1v
1974: The DHCP server determines which DHCP ranges are useable for allocating an
1975: address to a DHCP client based on the network from which the DHCP request arrives,
1976: and the IP configuration of the server's interface on that network. The shared-network
1977: option extends the available subnets (and therefore DHCP ranges) beyond the
1978: subnets configured on the arrival interface.
1979:
1980: The first argument is either the
1981: name of an interface, or an address that is configured on a local interface, and the
1982: second argument is an address which defines another subnet on which addresses can be allocated.
1983:
1984: To be useful, there must be a suitable dhcp-range which allows address allocation on this subnet
1985: and this dhcp-range MUST include the netmask.
1986:
1987: Using shared-network also needs extra
1988: consideration of routing. Dnsmasq does not have the usual information that it uses to
1989: determine the default route, so the default route option (or other routing) MUST be
1990: configured manually. The client must have a route to the server: if the two-address form
1991: of shared-network is used, this needs to be to the first specified address. If the interface,address
1992: form is used, there must be a route to all of the addresses configured on the interface.
1993:
1994: The two-address form of shared-network is also usable with a DHCP relay: the first address
1995: is the address of the relay and the second, as before, specifies an extra subnet which
1996: addresses may be allocated from.
1997:
1998: .TP
1999: .B \-s, --domain=<domain>[[,<address range>[,local]]|<interface>]
2000: Specifies DNS domains for the DHCP server. Domains may be be given
2001: unconditionally (without the IP range) or for limited IP ranges. This has two effects;
2002: firstly it causes the DHCP server to return the domain to any hosts
2003: which request it, and secondly it sets the domain which it is legal
2004: for DHCP-configured hosts to claim. The intention is to constrain
2005: hostnames so that an untrusted host on the LAN cannot advertise
2006: its name via DHCP as e.g. "microsoft.com" and capture traffic not
2007: meant for it. If no domain suffix is specified, then any DHCP
2008: hostname with a domain part (ie with a period) will be disallowed
2009: and logged. If suffix is specified, then hostnames with a domain
2010: part are allowed, provided the domain part matches the suffix. In
2011: addition, when a suffix is set then hostnames without a domain
2012: part have the suffix added as an optional domain part. Eg on my network I can set
2013: .B --domain=thekelleys.org.uk
2014: and have a machine whose DHCP hostname is "laptop". The IP address for that machine is available from
2015: .B dnsmasq
2016: both as "laptop" and "laptop.thekelleys.org.uk". If the domain is
2017: given as "#" then the domain is read from the first "search" directive
2018: in /etc/resolv.conf (or equivalent).
2019:
2020: The address range can be of the form
2021: <ip address>,<ip address> or <ip address>/<netmask> or just a single
2022: <ip address>. See
2023: .B --dhcp-fqdn
2024: which can change the behaviour of dnsmasq with domains.
2025:
2026: If the address range is given as ip-address/network-size, then a
2027: additional flag "local" may be supplied which has the effect of adding
2028: \fB--local\fP declarations for forward and reverse DNS queries. Eg.
2029: .B --domain=thekelleys.org.uk,192.168.0.0/24,local
2030: is identical to
2031: .B --domain=thekelleys.org.uk,192.168.0.0/24
2032: .B --local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/
2033:
2034: The address range can also be given as a network interface name, in which case
2035: all of the subnets currently assigned to the interface are used in matching the
2036: address. This allows hosts on different physical subnets to be given different
2037: domains in a way which updates automatically as the interface addresses change.
2038: .TP
2039: .B --dhcp-fqdn
2040: In the default mode, dnsmasq inserts the unqualified names of
2041: DHCP clients into the DNS. For this reason, the names must be unique,
2042: even if two clients which have the same name are in different
2043: domains. If a second DHCP client appears which has the same name as an
2044: existing client, the name is transferred to the new client. If
2045: .B --dhcp-fqdn
2046: is set, this behaviour changes: the unqualified name is no longer
2047: put in the DNS, only the qualified name. Two DHCP clients with the
2048: same name may both keep the name, provided that the domain part is
2049: different (ie the fully qualified names differ.) To ensure that all
2050: names have a domain part, there must be at least
2051: .B --domain
2052: without an address specified when
2053: .B --dhcp-fqdn
2054: is set.
2055: .TP
2056: .B --dhcp-client-update
2057: Normally, when giving a DHCP lease, dnsmasq sets flags in the FQDN
2058: option to tell the client not to attempt a DDNS update with its name
2059: and IP address. This is because the name-IP pair is automatically
2060: added into dnsmasq's DNS view. This flag suppresses that behaviour,
2061: this is useful, for instance, to allow Windows clients to update
2062: Active Directory servers. See RFC 4702 for details.
2063: .TP
2064: .B --enable-ra
2065: Enable dnsmasq's IPv6 Router Advertisement feature. DHCPv6 doesn't
2066: handle complete network configuration in the same way as DHCPv4. Router
2067: discovery and (possibly) prefix discovery for autonomous address
2068: creation are handled by a different protocol. When DHCP is in use,
2069: only a subset of this is needed, and dnsmasq can handle it, using
2070: existing DHCP configuration to provide most data. When RA is enabled,
2071: dnsmasq will advertise a prefix for each \fB--dhcp-range\fP, with default
2072: router as the relevant link-local address on
2073: the machine running dnsmasq. By default, the "managed address" bits are set, and
2074: the "use SLAAC" bit is reset. This can be changed for individual
2075: subnets with the mode keywords described in
2076: .B --dhcp-range.
2077: RFC6106 DNS parameters are included in the advertisements. By default,
2078: the relevant link-local address of the machine running dnsmasq is sent
2079: as recursive DNS server. If provided, the DHCPv6 options dns-server and
2080: domain-search are used for the DNS server (RDNSS) and the domain search list (DNSSL).
2081: .TP
2082: .B --ra-param=<interface>,[mtu:<integer>|<interface>|off,][high,|low,]<ra-interval>[,<router lifetime>]
2083: Set non-default values for router advertisements sent via an
2084: interface. The priority field for the router may be altered from the
2085: default of medium with eg
2086: .B --ra-param=eth0,high.
2087: The interval between router advertisements may be set (in seconds) with
2088: .B --ra-param=eth0,60.
2089: The lifetime of the route may be changed or set to zero, which allows
2090: a router to advertise prefixes but not a route via itself.
2091: .B --ra-param=eth0,0,0
2092: (A value of zero for the interval means the default value.) All four parameters may be set at once.
2093: .B --ra-param=eth0,mtu:1280,low,60,1200
2094:
2095: The interface field may include a wildcard.
2096:
2097: The mtu: parameter may be an arbitrary interface name, in which case the MTU value for that interface is used. This is useful
2098: for (eg) advertising the MTU of a WAN interface on the other interfaces of a router.
2099: .TP
2100: .B --dhcp-reply-delay=[tag:<tag>,]<integer>
2101: Delays sending DHCPOFFER and PROXYDHCP replies for at least the specified number of seconds.
2102: This can be used as workaround for bugs in PXE boot firmware that does not function properly when
2103: receiving an instant reply.
2104: This option takes into account the time already spent waiting (e.g. performing ping check) if any.
2105: .TP
2106: .B --enable-tftp[=<interface>[,<interface>]]
2107: Enable the TFTP server function. This is deliberately limited to that
2108: needed to net-boot a client. Only reading is allowed; the tsize and
2109: blksize extensions are supported (tsize is only supported in octet
2110: mode). Without an argument, the TFTP service is provided to the same set of interfaces as DHCP service.
2111: If the list of interfaces is provided, that defines which interfaces receive TFTP service.
2112: .TP
2113: .B --tftp-root=<directory>[,<interface>]
2114: Look for files to transfer using TFTP relative to the given
2115: directory. When this is set, TFTP paths which include ".." are
2116: rejected, to stop clients getting outside the specified root.
2117: Absolute paths (starting with /) are allowed, but they must be within
2118: the tftp-root. If the optional interface argument is given, the
2119: directory is only used for TFTP requests via that interface.
2120: .TP
2121: .B --tftp-no-fail
2122: Do not abort startup if specified tftp root directories are inaccessible.
2123: .TP
2124: .B --tftp-unique-root[=ip|mac]
2125: Add the IP or hardware address of the TFTP client as a path component on the end
2126: of the TFTP-root. Only valid if a \fB--tftp-root\fP is set and the directory exists.
2127: Defaults to adding IP address (in standard dotted-quad format).
2128: For instance, if \fB--tftp-root\fP is "/tftp" and client 1.2.3.4 requests file "myfile"
2129: then the effective path will be "/tftp/1.2.3.4/myfile" if /tftp/1.2.3.4 exists or /tftp/myfile otherwise.
2130: When "=mac" is specified it will append the MAC address instead, using lowercase zero padded digits
2131: separated by dashes, e.g.: 01-02-03-04-aa-bb
2132: Note that resolving MAC addresses is only possible if the client is in the local network or obtained
2133: a DHCP lease from us.
2134: .TP
2135: .B --tftp-secure
2136: Enable TFTP secure mode: without this, any file which is readable by
2137: the dnsmasq process under normal unix access-control rules is
2138: available via TFTP. When the \fB--tftp-secure\fP flag is given, only files
2139: owned by the user running the dnsmasq process are accessible. If
2140: dnsmasq is being run as root, different rules apply: \fB--tftp-secure\fP
2141: has no effect, but only files which have the world-readable bit set
2142: are accessible. It is not recommended to run dnsmasq as root with TFTP
2143: enabled, and certainly not without specifying \fB--tftp-root\fP. Doing so
2144: can expose any world-readable file on the server to any host on the net.
2145: .TP
2146: .B --tftp-lowercase
2147: Convert filenames in TFTP requests to all lowercase. This is useful
2148: for requests from Windows machines, which have case-insensitive
2149: filesystems and tend to play fast-and-loose with case in filenames.
2150: Note that dnsmasq's tftp server always converts "\\" to "/" in filenames.
2151: .TP
2152: .B --tftp-max=<connections>
2153: Set the maximum number of concurrent TFTP connections allowed. This
2154: defaults to 50. When serving a large number of TFTP connections,
2155: per-process file descriptor limits may be encountered. Dnsmasq needs
2156: one file descriptor for each concurrent TFTP connection and one
2157: file descriptor per unique file (plus a few others). So serving the
2158: same file simultaneously to n clients will use require about n + 10 file
2159: descriptors, serving different files simultaneously to n clients will
2160: require about (2*n) + 10 descriptors. If
2161: .B --tftp-port-range
2162: is given, that can affect the number of concurrent connections.
2163: .TP
2164: .B --tftp-mtu=<mtu size>
2165: Use size as the ceiling of the MTU supported by the intervening network when
2166: negotiating TFTP blocksize, overriding the MTU setting of the local interface if it is larger.
2167: .TP
2168: .B --tftp-no-blocksize
2169: Stop the TFTP server from negotiating the "blocksize" option with a
2170: client. Some buggy clients request this option but then behave badly
2171: when it is granted.
2172: .TP
2173: .B --tftp-port-range=<start>,<end>
2174: A TFTP server listens on a well-known port (69) for connection initiation,
2175: but it also uses a dynamically-allocated port for each
2176: connection. Normally these are allocated by the OS, but this option
2177: specifies a range of ports for use by TFTP transfers. This can be
2178: useful when TFTP has to traverse a firewall. The start of the range
2179: cannot be lower than 1025 unless dnsmasq is running as root. The number
2180: of concurrent TFTP connections is limited by the size of the port range.
2181: .TP
2182: .B --tftp-single-port
2183: Run in a mode where the TFTP server uses ONLY the well-known port (69) for its end
2184: of the TFTP transfer. This allows TFTP to work when there in NAT is the path between client and server. Note that
2185: this is not strictly compliant with the RFCs specifying the TFTP protocol: use at your own risk.
2186: .TP
2187: .B \-C, --conf-file=<file>
2188: Specify a configuration file. The presence of this option stops dnsmasq from reading the default configuration
2189: file (normally /etc/dnsmasq.conf). Multiple files may be specified by repeating the option
2190: either on the command line or in configuration files. A
2191: filename of "-" causes dnsmasq to read configuration from stdin.
2192: .TP
2193: .B \-7, --conf-dir=<directory>[,<file-extension>......],
2194: Read all the files in the given directory as configuration
2195: files. If extension(s) are given, any files which end in those
2196: extensions are skipped. Any files whose names end in ~ or start with . or start and end
2197: with # are always skipped. If the extension starts with * then only files
2198: which have that extension are loaded. So
2199: .B --conf-dir=/path/to/dir,*.conf
2200: loads all files with the suffix .conf in /path/to/dir. This flag may be given on the command
2201: line or in a configuration file. If giving it on the command line, be sure to
2202: escape * characters. Files are loaded in alphabetical order of filename.
2203: .TP
2204: .B --servers-file=<file>
2205: A special case of
2206: .B --conf-file
2207: which differs in two respects. Firstly, only \fB--server\fP and \fB--rev-server\fP are allowed
2208: in the configuration file included. Secondly, the file is re-read and the configuration
2209: therein is updated when dnsmasq receives SIGHUP.
2210: .TP
2211: .B \--conf-script=<file>[ <arg]
2212: Execute <file>, and treat what it emits to stdout as the contents of a configuration file.
2213: If the script exits with a non-zero exit code, dnsmasq treats this as a fatal error.
2214: The script can be passed arguments, space seperated from the filename and each other so, for instance
2215: .B --conf-dir="/etc/dnsmasq-uncompress-ads /share/ads-domains.gz"
2216:
2217: with /etc/dnsmasq-uncompress-ads containing
2218:
2219: set -e
2220:
2221: zcat ${1} | sed -e "s:^:address=/:" -e "s:$:/:"
2222:
2223: exit 0
2224:
2225: and /share/ads-domains.gz containing a compressed
2226: list of ad server domains will save disk space with large ad-server blocklists.
2227: .TP
2228: .B --no-ident
2229: Do not respond to class CHAOS and type TXT in domain bind queries.
2230:
2231: Without this option being set, the cache statistics are also available in the
2232: DNS as answers to queries of class CHAOS and type TXT in domain bind. The domain
2233: names are cachesize.bind, insertions.bind, evictions.bind, misses.bind,
2234: hits.bind, auth.bind and servers.bind unless disabled at compile-time. An
2235: example command to query this, using the
2236: .B dig
2237: utility would be
2238:
2239: dig +short chaos txt cachesize.bind
2240:
2241: .SH CONFIG FILE
2242: At startup, dnsmasq reads
2243: .I /etc/dnsmasq.conf,
2244: if it exists. (On
2245: FreeBSD, the file is
2246: .I /usr/local/etc/dnsmasq.conf
2247: ) (but see the
2248: .B \--conf-file
2249: and
2250: .B \--conf-dir
2251: options.) The format of this
2252: file consists of one option per line, exactly as the long options detailed
2253: in the OPTIONS section but without the leading "--". Lines starting with # are comments and ignored. For
2254: options which may only be specified once, the configuration file overrides
2255: the command line. Quoting is allowed in a config file:
2256: between " quotes the special meanings of ,:. and # are removed and the
2257: following escapes are allowed: \\\\ \\" \\t \\e \\b \\r and \\n. The later
2258: corresponding to tab, escape, backspace, return and newline.
2259: .SH NOTES
2260: When it receives a SIGHUP,
2261: .B dnsmasq
2262: clears its cache and then re-loads
2263: .I /etc/hosts
2264: and
2265: .I /etc/ethers
2266: and any file given by \fB--dhcp-hostsfile\fP, \fB--dhcp-hostsdir\fP, \fB--dhcp-optsfile\fP,
2267: \fB--dhcp-optsdir\fP, \fB--addn-hosts\fP or \fB--hostsdir\fP.
2268: The DHCP lease change script is called for all
2269: existing DHCP leases. If
2270: .B
2271: --no-poll
2272: is set SIGHUP also re-reads
2273: .I /etc/resolv.conf.
2274: SIGHUP
2275: does NOT re-read the configuration file.
2276: .PP
2277: When it receives a SIGUSR1,
2278: .B dnsmasq
2279: writes statistics to the system log. It writes the cache size,
2280: the number of names which have had to removed from the cache before
2281: they expired in order to make room for new names and the total number
2282: of names that have been inserted into the cache. The number of cache hits and
2283: misses and the number of authoritative queries answered are also given. For each upstream
2284: server it gives the number of queries sent, and the number which
2285: resulted in an error. In
2286: .B --no-daemon
2287: mode or when full logging is enabled (\fB--log-queries\fP), a complete dump of the
2288: contents of the cache is made.
2289:
2290: When it receives SIGUSR2 and it is logging direct to a file (see
2291: .B --log-facility
2292: )
2293: .B dnsmasq
2294: will close and reopen the log file. Note that during this operation,
2295: dnsmasq will not be running as root. When it first creates the logfile
2296: dnsmasq changes the ownership of the file to the non-root user it will run
2297: as. Logrotate should be configured to create a new log file with
2298: the ownership which matches the existing one before sending SIGUSR2.
2299: If TCP DNS queries are in progress, the old logfile will remain open in
2300: child processes which are handling TCP queries and may continue to be
2301: written. There is a limit of 150 seconds, after which all existing TCP
2302: processes will have expired: for this reason, it is not wise to
2303: configure logfile compression for logfiles which have just been
2304: rotated. Using logrotate, the required options are
2305: .B create
2306: and
2307: .B delaycompress.
2308:
2309:
2310: .PP
2311: Dnsmasq is a DNS query forwarder: it is not capable of recursively
2312: answering arbitrary queries starting from the root servers but
2313: forwards such queries to a fully recursive upstream DNS server which is
2314: typically provided by an ISP. By default, dnsmasq reads
2315: .I /etc/resolv.conf
2316: to discover the IP
2317: addresses of the upstream nameservers it should use, since the
2318: information is typically stored there. Unless
2319: .B --no-poll
2320: is used,
2321: .B dnsmasq
2322: checks the modification time of
2323: .I /etc/resolv.conf
2324: (or equivalent if
2325: .B \--resolv-file
2326: is used) and re-reads it if it changes. This allows the DNS servers to
2327: be set dynamically by PPP or DHCP since both protocols provide the
2328: information.
2329: Absence of
2330: .I /etc/resolv.conf
2331: is not an error
2332: since it may not have been created before a PPP connection exists. Dnsmasq
2333: simply keeps checking in case
2334: .I /etc/resolv.conf
2335: is created at any
2336: time. Dnsmasq can be told to parse more than one resolv.conf
2337: file. This is useful on a laptop, where both PPP and DHCP may be used:
2338: dnsmasq can be set to poll both
2339: .I /etc/ppp/resolv.conf
2340: and
2341: .I /etc/dhcpc/resolv.conf
2342: and will use the contents of whichever changed
2343: last, giving automatic switching between DNS servers.
2344: .PP
2345: Upstream servers may also be specified on the command line or in
2346: the configuration file. These server specifications optionally take a
2347: domain name which tells dnsmasq to use that server only to find names
2348: in that particular domain.
2349: .PP
2350: In order to configure dnsmasq to act as cache for the host on which it is running, put "nameserver 127.0.0.1" in
2351: .I /etc/resolv.conf
2352: to force local processes to send queries to
2353: dnsmasq. Then either specify the upstream servers directly to dnsmasq
2354: using
2355: .B \--server
2356: options or put their addresses real in another file, say
2357: .I /etc/resolv.dnsmasq
2358: and run dnsmasq with the
2359: .B \--resolv-file /etc/resolv.dnsmasq
2360: option. This second technique allows for dynamic update of the server
2361: addresses by PPP or DHCP.
2362: .PP
2363: Addresses in /etc/hosts will "shadow" different addresses for the same
2364: names in the upstream DNS, so "mycompany.com 1.2.3.4" in /etc/hosts will ensure that
2365: queries for "mycompany.com" always return 1.2.3.4 even if queries in
2366: the upstream DNS would otherwise return a different address. There is
2367: one exception to this: if the upstream DNS contains a CNAME which
2368: points to a shadowed name, then looking up the CNAME through dnsmasq
2369: will result in the unshadowed address associated with the target of
2370: the CNAME. To work around this, add the CNAME to /etc/hosts so that
2371: the CNAME is shadowed too.
2372:
2373: .PP
2374: The tag system works as follows: For each DHCP request, dnsmasq
2375: collects a set of valid tags from active configuration lines which
2376: include set:<tag>, including one from the
2377: .B --dhcp-range
2378: used to allocate the address, one from any matching
2379: .B --dhcp-host
2380: (and "known" or "known-othernet" if a \fB--dhcp-host\fP matches)
2381: The tag "bootp" is set for BOOTP requests, and a tag whose name is the
2382: name of the interface on which the request arrived is also set.
2383:
2384: Any configuration lines which include one or more tag:<tag> constructs
2385: will only be valid if all that tags are matched in the set derived
2386: above. Typically this is \fB--dhcp-option\fP.
2387: .B --dhcp-option
2388: which has tags will be used in preference to an untagged
2389: .B --dhcp-option,
2390: provided that _all_ the tags match somewhere in the
2391: set collected as described above. The prefix '!' on a tag means 'not'
2392: so \fB--dhcp-option=tag:!purple,3,1.2.3.4\fP sends the option when the
2393: tag purple is not in the set of valid tags. (If using this in a
2394: command line rather than a configuration file, be sure to escape !,
2395: which is a shell metacharacter)
2396:
2397: When selecting \fB--dhcp-options\fP, a tag from \fB--dhcp-range\fP is second class
2398: relative to other tags, to make it easy to override options for
2399: individual hosts, so
2400: .B --dhcp-range=set:interface1,......
2401: .B --dhcp-host=set:myhost,.....
2402: .B --dhcp-option=tag:interface1,option:nis-domain,"domain1"
2403: .B --dhcp-option=tag:myhost,option:nis-domain,"domain2"
2404: will set the NIS-domain to domain1 for hosts in the range, but
2405: override that to domain2 for a particular host.
2406:
2407: .PP
2408: Note that for
2409: .B --dhcp-range
2410: both tag:<tag> and set:<tag> are allowed, to both select the range in
2411: use based on (eg) \fB--dhcp-host\fP, and to affect the options sent, based on
2412: the range selected.
2413:
2414: This system evolved from an earlier, more limited one and for backward
2415: compatibility "net:" may be used instead of "tag:" and "set:" may be
2416: omitted. (Except in
2417: .B --dhcp-host,
2418: where "net:" may be used instead of "set:".) For the same reason, '#'
2419: may be used instead of '!' to indicate NOT.
2420: .PP
2421: The DHCP server in dnsmasq will function as a BOOTP server also,
2422: provided that the MAC address and IP address for clients are given,
2423: either using
2424: .B --dhcp-host
2425: configurations or in
2426: .I /etc/ethers
2427: , and a
2428: .B --dhcp-range
2429: configuration option is present to activate the DHCP server
2430: on a particular network. (Setting \fB--bootp-dynamic\fP removes the need for
2431: static address mappings.) The filename
2432: parameter in a BOOTP request is used as a tag,
2433: as is the tag "bootp", allowing some control over the options returned to
2434: different classes of hosts.
2435:
2436: .SH AUTHORITATIVE CONFIGURATION
2437: Configuring dnsmasq to act as an authoritative DNS server is
2438: complicated by the fact that it involves configuration of external DNS
2439: servers to provide delegation. We will walk through three scenarios of
2440: increasing complexity. Prerequisites for all of these scenarios
2441: are a globally accessible IP address, an A or AAAA record pointing to that address,
2442: and an external DNS server capable of doing delegation of the zone in
2443: question. For the first part of this explanation, we will call the A (or AAAA) record
2444: for the globally accessible address server.example.com, and the zone
2445: for which dnsmasq is authoritative our.zone.com.
2446:
2447: The simplest configuration consists of two lines of dnsmasq configuration; something like
2448:
2449: .nf
2450: .B --auth-server=server.example.com,eth0
2451: .B --auth-zone=our.zone.com,1.2.3.0/24
2452: .fi
2453:
2454: and two records in the external DNS
2455:
2456: .nf
2457: server.example.com A 192.0.43.10
2458: our.zone.com NS server.example.com
2459: .fi
2460:
2461: eth0 is the external network interface on which dnsmasq is listening,
2462: and has (globally accessible) address 192.0.43.10.
2463:
2464: Note that the external IP address may well be dynamic (ie assigned
2465: from an ISP by DHCP or PPP) If so, the A record must be linked to this
2466: dynamic assignment by one of the usual dynamic-DNS systems.
2467:
2468: A more complex, but practically useful configuration has the address
2469: record for the globally accessible IP address residing in the
2470: authoritative zone which dnsmasq is serving, typically at the root. Now
2471: we have
2472:
2473: .nf
2474: .B --auth-server=our.zone.com,eth0
2475: .B --auth-zone=our.zone.com,1.2.3.0/24
2476: .fi
2477:
2478: .nf
2479: our.zone.com A 1.2.3.4
2480: our.zone.com NS our.zone.com
2481: .fi
2482:
2483: The A record for our.zone.com has now become a glue record, it solves
2484: the chicken-and-egg problem of finding the IP address of the
2485: nameserver for our.zone.com when the A record is within that
2486: zone. Note that this is the only role of this record: as dnsmasq is
2487: now authoritative from our.zone.com it too must provide this
2488: record. If the external address is static, this can be done with an
2489: .B /etc/hosts
2490: entry or
2491: .B --host-record.
2492:
2493: .nf
2494: .B --auth-server=our.zone.com,eth0
2495: .B --host-record=our.zone.com,1.2.3.4
2496: .B --auth-zone=our.zone.com,1.2.3.0/24
2497: .fi
2498:
2499: If the external address is dynamic, the address
2500: associated with our.zone.com must be derived from the address of the
2501: relevant interface. This is done using
2502: .B --interface-name
2503: Something like:
2504:
2505: .nf
2506: .B --auth-server=our.zone.com,eth0
2507: .B --interface-name=our.zone.com,eth0
2508: .B --auth-zone=our.zone.com,1.2.3.0/24,eth0
2509: .fi
2510:
2511: (The "eth0" argument in \fB--auth-zone\fP adds the subnet containing eth0's
2512: dynamic address to the zone, so that the \fB--interface-name\fP returns the
2513: address in outside queries.)
2514:
2515: Our final configuration builds on that above, but also adds a
2516: secondary DNS server. This is another DNS server which learns the DNS data
2517: for the zone by doing zones transfer, and acts as a backup should
2518: the primary server become inaccessible. The configuration of the
2519: secondary is beyond the scope of this man-page, but the extra
2520: configuration of dnsmasq is simple:
2521:
2522: .nf
2523: .B --auth-sec-servers=secondary.myisp.com
2524: .fi
2525:
2526: and
2527:
2528: .nf
2529: our.zone.com NS secondary.myisp.com
2530: .fi
2531:
2532: Adding auth-sec-servers enables zone transfer in dnsmasq, to allow the
2533: secondary to collect the DNS data. If you wish to restrict this data
2534: to particular hosts then
2535:
2536: .nf
2537: .B --auth-peer=<IP address of secondary>
2538: .fi
2539:
2540: will do so.
2541:
2542: Dnsmasq acts as an authoritative server for in-addr.arpa and
2543: ip6.arpa domains associated with the subnets given in \fB--auth-zone\fP
2544: declarations, so reverse (address to name) lookups can be simply
2545: configured with a suitable NS record, for instance in this example,
2546: where we allow 1.2.3.0/24 addresses.
2547:
2548: .nf
2549: 3.2.1.in-addr.arpa NS our.zone.com
2550: .fi
2551:
2552: Note that at present, reverse (in-addr.arpa and ip6.arpa) zones are
2553: not available in zone transfers, so there is no point arranging
2554: secondary servers for reverse lookups.
2555:
2556: .PP
2557: When dnsmasq is configured to act as an authoritative server, the
2558: following data is used to populate the authoritative zone.
2559: .PP
2560: .B --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record, --caa-record,
2561: as long as the record names are in the authoritative domain.
2562: .PP
2563: .B --synth-domain
2564: as long as the domain is in the authoritative zone and, for
2565: reverse (PTR) queries, the address is in the relevant subnet.
2566: .PP
2567: .B --cname
2568: as long as the record name is in the authoritative domain. If the
2569: target of the CNAME is unqualified, then it is qualified with the
2570: authoritative zone name. CNAME used in this way (only) may be wildcards, as in
2571:
2572: .nf
2573: .B --cname=*.example.com,default.example.com
2574: .fi
2575:
2576: .PP
2577: IPv4 and IPv6 addresses from /etc/hosts (and
2578: .B --addn-hosts
2579: ) and
2580: .B --host-record
2581: and
2582: .B --interface-name
2583: and
2584: .B ---dynamic-host
2585: provided the address falls into one of the subnets specified in the
2586: .B --auth-zone.
2587: .PP
2588: Addresses of DHCP leases, provided the address falls into one of the subnets specified in the
2589: .B --auth-zone.
2590: (If constructed DHCP ranges are is use, which depend on the address dynamically
2591: assigned to an interface, then the form of
2592: .B --auth-zone
2593: which defines subnets by the dynamic address of an interface should
2594: be used to ensure this condition is met.)
2595: .PP
2596: In the default mode, where a DHCP lease
2597: has an unqualified name, and possibly a qualified name constructed
2598: using
2599: .B --domain
2600: then the name in the authoritative zone is constructed from the
2601: unqualified name and the zone's domain. This may or may not equal
2602: that specified by
2603: .B --domain.
2604: If
2605: .B --dhcp-fqdn
2606: is set, then the fully qualified names associated with DHCP leases are
2607: used, and must match the zone's domain.
2608:
2609:
2610:
2611: .SH EXIT CODES
2612: 0 - Dnsmasq successfully forked into the background, or terminated
2613: normally if backgrounding is not enabled.
2614: .PP
2615: 1 - A problem with configuration was detected.
2616: .PP
2617: 2 - A problem with network access occurred (address in use, attempt
2618: to use privileged ports without permission).
2619: .PP
2620: 3 - A problem occurred with a filesystem operation (missing
2621: file/directory, permissions).
2622: .PP
2623: 4 - Memory allocation failure.
2624: .PP
2625: 5 - Other miscellaneous problem.
2626: .PP
2627: 11 or greater - a non zero return code was received from the
2628: lease-script process "init" call or a
2629: .B \--conf-script
2630: file. The exit code from dnsmasq is the
2631: script's exit code with 10 added.
2632:
2633: .SH LIMITS
2634: The default values for resource limits in dnsmasq are generally
2635: conservative, and appropriate for embedded router type devices with
2636: slow processors and limited memory. On more capable hardware, it is
2637: possible to increase the limits, and handle many more clients. The
2638: following applies to dnsmasq-2.37: earlier versions did not scale as well.
2639:
2640: .PP
2641: Dnsmasq is capable of handling DNS and DHCP for at least a thousand
2642: clients. The DHCP lease times should not be very short (less than one hour). The
2643: value of
2644: .B --dns-forward-max
2645: can be increased: start with it equal to
2646: the number of clients and increase if DNS seems slow. Note that DNS
2647: performance depends too on the performance of the upstream
2648: nameservers. The size of the DNS cache may be increased: the hard
2649: limit is 10000 names and the default (150) is very low. Sending
2650: SIGUSR1 to dnsmasq makes it log information which is useful for tuning
2651: the cache size. See the
2652: .B NOTES
2653: section for details.
2654:
2655: .PP
2656: The built-in TFTP server is capable of many simultaneous file
2657: transfers: the absolute limit is related to the number of file-handles
2658: allowed to a process and the ability of the select() system call to
2659: cope with large numbers of file handles. If the limit is set too high
2660: using
2661: .B --tftp-max
2662: it will be scaled down and the actual limit logged at
2663: start-up. Note that more transfers are possible when the same file is
2664: being sent than when each transfer sends a different file.
2665:
2666: .PP
2667: It is possible to use dnsmasq to block Web advertising by using a list
2668: of known banner-ad servers, all resolving to 127.0.0.1 or 0.0.0.0, in
2669: .B /etc/hosts
2670: or an additional hosts file. The list can be very long,
2671: dnsmasq has been tested successfully with one million names. That size
2672: file needs a 1GHz processor and about 60Mb of RAM.
2673:
2674: .SH INTERNATIONALISATION
2675: Dnsmasq can be compiled to support internationalisation. To do this,
2676: the make targets "all-i18n" and "install-i18n" should be used instead of
2677: the standard targets "all" and "install". When internationalisation
2678: is compiled in, dnsmasq will produce log messages in the local
2679: language and support internationalised domain names (IDN). Domain
2680: names in /etc/hosts, /etc/ethers and /etc/dnsmasq.conf which contain
2681: non-ASCII characters will be translated to the DNS-internal punycode
2682: representation. Note that
2683: dnsmasq determines both the language for messages and the assumed
2684: charset for configuration
2685: files from the LANG environment variable. This should be set to the system
2686: default value by the script which is responsible for starting
2687: dnsmasq. When editing the configuration files, be careful to do so
2688: using only the system-default locale and not user-specific one, since
2689: dnsmasq has no direct way of determining the charset in use, and must
2690: assume that it is the system default.
2691:
2692: .SH FILES
2693: .IR /etc/dnsmasq.conf
2694:
2695: .IR /usr/local/etc/dnsmasq.conf
2696:
2697: .IR /etc/resolv.conf
2698: .IR /var/run/dnsmasq/resolv.conf
2699: .IR /etc/ppp/resolv.conf
2700: .IR /etc/dhcpc/resolv.conf
2701:
2702: .IR /etc/hosts
2703:
2704: .IR /etc/ethers
2705:
2706: .IR /var/lib/misc/dnsmasq.leases
2707:
2708: .IR /var/db/dnsmasq.leases
2709:
2710: .IR /var/run/dnsmasq.pid
2711: .SH SEE ALSO
2712: .BR hosts (5),
2713: .BR resolver (5)
2714: .SH AUTHOR
2715: This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.
2716:
2717:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to dnsmasq.8 CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / dnsmasq / man