"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "man/dnsmasq.8" between
dnsmasq-2.81.tar.xz and dnsmasq-2.82.tar.xz

About: Dnsmasq is a lightweight caching DNS forwarder and DHCP server.

dnsmasq.8  (dnsmasq-2.81.tar.xz):dnsmasq.8  (dnsmasq-2.82.tar.xz)
skipping to change at line 345 skipping to change at line 345
--clear-on-reload --clear-on-reload
Whenever /etc/resolv.conf is re-read or the upstream servers are set via DBus, clear the DNS Whenever /etc/resolv.conf is re-read or the upstream servers are set via DBus, clear the DNS
cache. This is useful when new nameservers may have different dat a than that held in cache. cache. This is useful when new nameservers may have different dat a than that held in cache.
-D, --domain-needed -D, --domain-needed
Tells dnsmasq to never forward A or AAAA queries for plain names, without dots or domain parts, Tells dnsmasq to never forward A or AAAA queries for plain names, without dots or domain parts,
to upstream nameservers. If the name is not known from /etc/h osts or DHCP then a "not found" to upstream nameservers. If the name is not known from /etc/h osts or DHCP then a "not found"
answer is returned. answer is returned.
-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source- ip>|<interface>[#<port>]] -S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]][@<source -ip>|<interface>[#<port>]]
Specify IP address of upstream servers directly. Setting this flag does not suppress reading of Specify IP address of upstream servers directly. Setting this flag does not suppress reading of
/etc/resolv.conf, use --no-resolv to do that. If one or more o ptional domains are given, that /etc/resolv.conf, use --no-resolv to do that. If one or more o ptional domains are given, that
server is used only for those domains and they are queried only us ing the specified server. This server is used only for those domains and they are queried only us ing the specified server. This
is intended for private nameservers: if you have a nameserver o n your network which deals with is intended for private nameservers: if you have a nameserver o n your network which deals with
names of the form xxx.internal.thekelleys.org.uk at 192.168. 1.1 then giving the flag names of the form xxx.internal.thekelleys.org.uk at 192.168. 1.1 then giving the flag
--server=/internal.thekelleys.org.uk/192.168.1.1 will send all q ueries for internal machines to --server=/internal.thekelleys.org.uk/192.168.1.1 will send all q ueries for internal machines to
that nameserver, everything else will go to the servers in /etc/re solv.conf. DNSSEC validation is that nameserver, everything else will go to the servers in /etc/re solv.conf. DNSSEC validation is
turned off for such private nameservers, UNLESS a --trust-anchor is specified for the domain in turned off for such private nameservers, UNLESS a --trust-anchor is specified for the domain in
question. An empty domain specification, // has the special meanin g of "unqualified names only" question. An empty domain specification, // has the special meanin g of "unqualified names only"
ie names without any dots in them. A non-standard port may be spec ified as part of the IP address ie names without any dots in them. A non-standard port may be spec ified as part of the IP address
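Review bot: In the corrected --server synopsis the `[@<source-ip>|<interface>[#<port>]]` group now sits beside `[<ipaddr>[#<port>]]` instead of inside it, so the grammar reads as if a source address or interface may be given with no upstream address at all. If the source part is only meaningful together with an address, nest it: `[<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]]`. On the same line, the second domain placeholder is written `[domain/]` without angle brackets while the first is `<domain>`; make the two consistent.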
skipping to change at line 705 skipping to change at line 705
-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-a ddr>[,<end-addr>|<mode>][,<net- -F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-a ddr>[,<end-addr>|<mode>][,<net-
mask>[,<broadcast>]][,<lease time>] mask>[,<broadcast>]][,<lease time>]
-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-IPv6 addr>[,<end-IPv6addr>|construc- -F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-IPv6 addr>[,<end-IPv6addr>|construc-
tor:<interface>][,<mode>][,<prefix-len>][,<lease time>] tor:<interface>][,<mode>][,<prefix-len>][,<lease time>]
Enable the DHCP server. Addresses will be given out from the range <start-addr> to <end-addr> and Enable the DHCP server. Addresses will be given out from the range <start-addr> to <end-addr> and
from statically defined addresses given in --dhcp-host options. If the lease time is given, then from statically defined addresses given in --dhcp-host options. If the lease time is given, then
leases will be given for that length of time. The lease time is in seconds, or minutes (eg 45m) leases will be given for that length of time. The lease time is in seconds, or minutes (eg 45m)
or hours (eg 1h) or "infinite". If not given, the default lease ti or hours (eg 1h) or "infinite". If not given, the default lease ti
me is one hour. The minimum me is one hour for IPv4 and one
lease time is two minutes. For IPv6 ranges, the lease time maybe " day for IPv6. The minimum lease time is two minutes. For IPv6 ran
deprecated"; this sets the pre- ges, the lease time maybe "dep-
ferred lifetime sent in a DHCP lease or router advertisement to ze recated"; this sets the preferred lifetime sent in a DHCP lease or
ro, which causes clients to use router advertisement to zero,
other addresses, if available, for new connections as a prelude to which causes clients to use other addresses, if available, for
renumbering. new connections as a prelude to
renumbering.
This option may be repeated, with different addresses, to enabl
e DHCP service to more than one This option may be repeated, with different addresses, to enable D
network. For directly connected networks (ie, networks on which th HCP service to more than one
e machine running dnsmasq has network. For directly connected networks (ie, networks on which
an interface) the netmask is optional: dnsmasq will determine i the machine running dnsmasq has
t from the interface configura- an interface) the netmask is optional: dnsmasq will determine it f
tion. For networks which receive DHCP service via a relay agent, rom the interface configura-
dnsmasq cannot determine the tion. For networks which receive DHCP service via a relay agen
netmask itself, so it should be specified, otherwise dnsmasq w t, dnsmasq cannot determine the
ill have to guess, based on the netmask itself, so it should be specified, otherwise dnsmasq will
class (A, B or C) of the network address. The broadcast address is have to guess, based on the
always optional. It is always class (A, B or C) of the network address. The broadcast address i
s always optional. It is always
allowed to have more than one --dhcp-range in a single subnet. allowed to have more than one --dhcp-range in a single subnet.
For IPv6, the parameters are slightly different: instead of netma sk and broadcast address, there For IPv6, the parameters are slightly different: instead of netmas k and broadcast address, there
is an optional prefix length which must be equal to or larger then the prefix length on the local is an optional prefix length which must be equal to or larger then the prefix length on the local
interface. If not given, this defaults to 64. Unlike the IPv4 interface. If not given, this defaults to 64. Unlike the IPv4 case
case, the prefix length is not , the prefix length is not
automatically derived from the interface configuration. The minimu automatically derived from the interface configuration. The minim
m size of the prefix length is um size of the prefix length is
64. 64.
IPv6 (only) supports another type of range. In this, the start a IPv6 (only) supports another type of range. In this, the start add
ddress and optional end address ress and optional end address
contain only the network part (ie ::1) and they are followed by contain only the network part (ie ::1) and they are followed by
constructor:<interface>. This constructor:<interface>. This
forms a template which describes how to create ranges, based o forms a template which describes how to create ranges, based on th
n the addresses assigned to the e addresses assigned to the
interface. For instance interface. For instance
--dhcp-range=::1,::400,constructor:eth0 --dhcp-range=::1,::400,constructor:eth0
will look for addresses on eth0 and then create a range from <netw will look for addresses on eth0 and then create a range from <ne
ork>::1 to <network>::400. If twork>::1 to <network>::400. If
the interface is assigned more than one network, then the corresp the interface is assigned more than one network, then the correspo
onding ranges will be automati- nding ranges will be automati-
cally created, and then deprecated and finally removed again as th cally created, and then deprecated and finally removed again a
e address is deprecated and s the address is deprecated and
then deleted. The interface name may have a final "*" wildcard then deleted. The interface name may have a final "*" wildcard. No
. Note that just any address on te that just any address on
eth0 will not do: it must not be an autoconfigured or privacy addr ess, or be deprecated. eth0 will not do: it must not be an autoconfigured or privacy addr ess, or be deprecated.
If a --dhcp-range is only being used for stateless DHCP and/or SLA AC, then the address can be If a --dhcp-range is only being used for stateless DHCP and/or SLAAC, then the address can be
simply :: simply ::
--dhcp-range=::,constructor:eth0 --dhcp-range=::,constructor:eth0
The optional set:<tag> sets an alphanumeric label which marks th is network so that DHCP options The optional set:<tag> sets an alphanumeric label which marks this network so that DHCP options
may be specified on a per-network basis. When it is prefixed with 'tag:' instead, then its mean- may be specified on a per-network basis. When it is prefixed with 'tag:' instead, then its mean-
ing changes from setting a tag to matching it. Only one tag may be set, but more than one tag may ing changes from setting a tag to matching it. Only one tag may be set, but more than one tag may
be matched. be matched.
The optional <mode> keyword may be static which tells dnsmasq to The optional <mode> keyword may be static which tells dnsmasq
enable DHCP for the network to enable DHCP for the network
specified, but not to dynamically allocate IP addresses: only ho specified, but not to dynamically allocate IP addresses: only host
sts which have static addresses s which have static addresses
given via --dhcp-host or from /etc/ethers will be served. A static given via --dhcp-host or from /etc/ethers will be served. A stat
-only subnet with address all ic-only subnet with address all
zeros may be used as a "catch-all" address to enable replies to zeros may be used as a "catch-all" address to enable replies to al
all Information-request packets l Information-request packets
on a subnet which is provided with stateless DHCPv6, ie --dhcp-ran ge=::,static on a subnet which is provided with stateless DHCPv6, ie --dhcp-ran ge=::,static
For IPv4, the <mode> may be proxy in which case dnsmasq will provi de proxy-DHCP on the specified For IPv4, the <mode> may be proxy in which case dnsmasq will prov ide proxy-DHCP on the specified
subnet. (See --pxe-prompt and --pxe-service for details.) subnet. (See --pxe-prompt and --pxe-service for details.)
For IPv6, the mode may be some combination of ra-only, sla ac, ra-names, ra-stateless, ra- For IPv6, the mode may be some combination of ra-only, slaac, ra-names, ra-stateless, ra-
advrouter, off-link. advrouter, off-link.
ra-only tells dnsmasq to offer Router Advertisement only on this s ubnet, and not DHCP. ra-only tells dnsmasq to offer Router Advertisement only on this s ubnet, and not DHCP.
slaac tells dnsmasq to offer Router Advertisement on this subnet a nd to set the A bit in the slaac tells dnsmasq to offer Router Advertisement on this sub net and to set the A bit in the
router advertisement, so that the client will use SLAAC addresses. When used with a DHCP range or router advertisement, so that the client will use SLAAC addresses. When used with a DHCP range or
static DHCP address this results in the client having both a DHCP- assigned and a SLAAC address. static DHCP address this results in the client having both a DHCP- assigned and a SLAAC address.
ra-stateless sends router advertisements with the O and A bits set , and provides a stateless DHCP ra-stateless sends router advertisements with the O and A bits set , and provides a stateless DHCP
service. The client will use a SLAAC address, and use DHCP for oth er configuration information. service. The client will use a SLAAC address, and use DHCP for oth er configuration information.
ra-names enables a mode which gives DNS names to dual-stack host ra-names enables a mode which gives DNS names to dual-stack hosts
s which do SLAAC for IPv6. Dns- which do SLAAC for IPv6. Dns-
masq uses the host's IPv4 lease to derive the name, network segmen masq uses the host's IPv4 lease to derive the name, network segm
t and MAC address and assumes ent and MAC address and assumes
that the host will also have an IPv6 address calculated using t that the host will also have an IPv6 address calculated using the
he SLAAC algorithm, on the same SLAAC algorithm, on the same
network segment. The address is pinged, and if a reply is received network segment. The address is pinged, and if a reply is recei
, an AAAA record is added to ved, an AAAA record is added to
the DNS for this IPv6 address. Note that this is only happens f the DNS for this IPv6 address. Note that this is only happens for
or directly-connected networks, directly-connected networks,
(not one doing DHCP via a relay) and it will not work if a host is using privacy extensions. ra- (not one doing DHCP via a relay) and it will not work if a host is using privacy extensions. ra-
names can be combined with ra-stateless and slaac. names can be combined with ra-stateless and slaac.
ra-advrouter enables a mode where router address(es) rather than ra-advrouter enables a mode where router address(es) rather than p
prefix(es) are included in the refix(es) are included in the
advertisements. This is described in RFC-3775 section 7.2 and is advertisements. This is described in RFC-3775 section 7.2 and
used in mobile IPv6. In this is used in mobile IPv6. In this
mode the interval option is also included, as described in RFC-377 5 section 7.3. mode the interval option is also included, as described in RFC-377 5 section 7.3.
off-link tells dnsmasq to advertise the prefix without the on-link (aka L) bit set. off-link tells dnsmasq to advertise the prefix without the on-link (aka L) bit set.
-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag> ][tag:<tag>][,<ipaddr>][,<host- -G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag> ][tag:<tag>][,<ipaddr>][,<host-
name>][,<lease_time>][,ignore] name>][,<lease_time>][,ignore]
Specify per host parameters for the DHCP server. This allows a mac hine with a particular hardware Specify per host parameters for the DHCP server. This allows a mac hine with a particular hardware
address to be always allocated the same hostname, IP address and l ease time. A hostname specified address to be always allocated the same hostname, IP address and l ease time. A hostname specified
like this overrides any supplied by the DHCP client on the machine like this overrides any supplied by the DHCP client on the machin
. It is also allowable to omit e. It is also allowable to omit
the hardware address and include the hostname, in which case the the hardware address and include the hostname, in which case the I
IP address and lease times will P address and lease times will
apply to any machine claiming that name. For example --dhcp-host apply to any machine claiming that name. For example --dhcp-host
=00:20:e0:3b:13:af,wap,infinite =00:20:e0:3b:13:af,wap,infinite
tells dnsmasq to give the machine with hardware address 00:20:e tells dnsmasq to give the machine with hardware address 00:20:e0:3
0:3b:13:af the name wap, and an b:13:af the name wap, and an
infinite DHCP lease. --dhcp-host=lap,192.168.0.199 tells dnsmasq infinite DHCP lease. --dhcp-host=lap,192.168.0.199 tells dnsmasq
to always allocate the machine to always allocate the machine
lap the IP address 192.168.0.199. lap the IP address 192.168.0.199.
Addresses allocated like this are not constrained to be in the Addresses allocated like this are not constrained to be in the ran
range given by the --dhcp-range ge given by the --dhcp-range
option, but they must be in the same subnet as some valid dhcp-ran option, but they must be in the same subnet as some valid dhcp-
ge. For subnets which don't range. For subnets which don't
need a pool of dynamically allocated addresses, use the "static" k eyword in the --dhcp-range dec- need a pool of dynamically allocated addresses, use the "static" k eyword in the --dhcp-range dec-
laration. laration.
It is allowed to use client identifiers (called client DUID in IPv It is allowed to use client identifiers (called client DUID in
6-land) rather than hardware IPv6-land) rather than hardware
addresses to identify hosts by prefixing with 'id:'. Thus: - addresses to identify hosts by prefixing with 'id:'. Thus: -
-dhcp-host=id:01:02:03:04,..... -dhcp-host=id:01:02:03:04,.....
refers to the host with client identifier 01:02:03:04. It is also refers to the host with client identifier 01:02:03:04. It is als
allowed to specify the client o allowed to specify the client
ID as text, like this: --dhcp-host=id:clientidastext,..... ID as text, like this: --dhcp-host=id:clientidastext,.....
A single --dhcp-host may contain an IPv4 address or one or mor e IPv6 addresses, or both. IPv6 A single --dhcp-host may contain an IPv4 address or one or more IP v6 addresses, or both. IPv6
addresses must be bracketed by square brackets thus: --dhcp-host=l aptop,[1234::56] IPv6 addresses addresses must be bracketed by square brackets thus: --dhcp-host=l aptop,[1234::56] IPv6 addresses
may contain only the host-identifier part: --dhcp-host=laptop,[ may contain only the host-identifier part: --dhcp-host=laptop,[::5
::56] in which case they act as 6] in which case they act as
wildcards in constructed DHCP ranges, with the appropriate network wildcards in constructed DHCP ranges, with the appropriate netw
part inserted. For IPv6, an ork part inserted. For IPv6, an
address may include a prefix length: --dhcp-host=laptop,[1234:50/1 26] which (in this case) speci- address may include a prefix length: --dhcp-host=laptop,[1234:50/1 26] which (in this case) speci-
fies four addresses, 1234::50 to 1234::53. This (an the ability to specify multiple addresses) is fies four addresses, 1234::50 to 1234::53. This (an the ability to specify multiple addresses) is
useful when a host presents either a consistent name or hardware- useful when a host presents either a consistent name or hardware-I
ID, but varying DUIDs, since it D, but varying DUIDs, since it
allows dnsmasq to honour the static address allocation but assign allows dnsmasq to honour the static address allocation but assig
a different adddress for each n a different adddress for each
DUID. This typically occurs when chain netbooting, as each stage DUID. This typically occurs when chain netbooting, as each stage o
of the chain gets in turn allo- f the chain gets in turn allo-
cates an address. cates an address.
Note that in IPv6 DHCP, the hardware address may not be available, though it normally is for Note that in IPv6 DHCP, the hardware address may not be avail able, though it normally is for
direct-connected clients, or clients using DHCP relays which suppo rt RFC 6939. direct-connected clients, or clients using DHCP relays which suppo rt RFC 6939.
For DHCPv4, the special option id:* means "ignore any client- id and use MAC addresses only." For DHCPv4, the special option id:* means "ignore any client-id a nd use MAC addresses only."
This is useful when a client presents a client-id sometimes but no t others. This is useful when a client presents a client-id sometimes but no t others.
If a name appears in /etc/hosts, the associated address can be all ocated to a DHCP lease, but If a name appears in /etc/hosts, the associated address can be allocated to a DHCP lease, but
only if a --dhcp-host option specifying the name also exists. Only one hostname can be given in a only if a --dhcp-host option specifying the name also exists. Only one hostname can be given in a
--dhcp-host option, but aliases are possible by using CNAMEs. (See --cname ). --dhcp-host option, but aliases are possible by using CNAMEs. (See --cname ).
The special keyword "ignore" tells dnsmasq to never offer a DHCP l The special keyword "ignore" tells dnsmasq to never offer a DHCP
ease to a machine. The machine lease to a machine. The machine
can be specified by hardware address, client ID or ho can be specified by hardware address, client ID or hostn
stname, for instance --dhcp- ame, for instance --dhcp-
host=00:20:e0:3b:13:af,ignore This is useful when there is another host=00:20:e0:3b:13:af,ignore This is useful when there is ano
DHCP server on the network ther DHCP server on the network
which should be used by some machines. which should be used by some machines.
The set:<tag> construct sets the tag whenever this --dhcp-host d The set:<tag> construct sets the tag whenever this --dhcp-host dir
irective is in use. This can be ective is in use. This can be
used to selectively send DHCP options just for this host. More tha used to selectively send DHCP options just for this host. Mo
n one tag can be set in a re than one tag can be set in a
--dhcp-host directive (but not in other places where "set:<tag>" i s allowed). When a host matches --dhcp-host directive (but not in other places where "set:<tag>" i s allowed). When a host matches
any --dhcp-host directive (or one implied by /etc/ethers) then the any --dhcp-host directive (or one implied by /etc/ethers) then
special tag "known" is set. the special tag "known" is set.
This allows dnsmasq to be configured to ignore requests from This allows dnsmasq to be configured to ignore requests from un
unknown machines using --dhcp- known machines using --dhcp-
ignore=tag:!known If the host matches only a --dhcp-host directive ignore=tag:!known If the host matches only a --dhcp-host directi
which cannot be used because ve which cannot be used because
it specifies an address on different subnet, the tag "known-othern et" is set. it specifies an address on different subnet, the tag "known-othern et" is set.
The tag:<tag> construct filters which dhcp-host directives are u sed. Tagged directives are used The tag:<tag> construct filters which dhcp-host directives are use d. Tagged directives are used
in preference to untagged ones. in preference to untagged ones.
Ethernet addresses (but not client-ids) may have wildcard by Ethernet addresses (but not client-ids) may have wildcard
tes, so for example --dhcp- bytes, so for example --dhcp-
host=00:20:e0:3b:13:*,ignore will cause dnsmasq to ignore a ra host=00:20:e0:3b:13:*,ignore will cause dnsmasq to ignore a range
nge of hardware addresses. Note of hardware addresses. Note
that the "*" will need to be escaped or quoted on a command line, that the "*" will need to be escaped or quoted on a command lin
but not in the configuration e, but not in the configuration
file. file.
Hardware addresses normally match any network (ARP) type, but it is possible to restrict them to Hardware addresses normally match any network (ARP) type, but it i s possible to restrict them to
a single ARP type by preceding them with the ARP-type (i n HEX) and "-". so --dhcp- a single ARP type by preceding them with the ARP-type (i n HEX) and "-". so --dhcp-
host=06-00:20:e0:3b:13:af,1.2.3.4 will only match a Token-Ring h ardware address, since the ARP- host=06-00:20:e0:3b:13:af,1.2.3.4 will only match a Token-Ring har dware address, since the ARP-
address type for token ring is 6. address type for token ring is 6.
As a special case, in DHCPv4, it is possible to include more tha n one hardware address. eg: As a special case, in DHCPv4, it is possible to include more than one hardware address. eg:
--dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2 This a llows an IP address to be asso- --dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2 This a llows an IP address to be asso-
ciated with multiple hardware addresses, and gives dnsmasq permiss ciated with multiple hardware addresses, and gives dnsmasq permis
ion to abandon a DHCP lease to sion to abandon a DHCP lease to
one of the hardware addresses when another one asks for a lease. one of the hardware addresses when another one asks for a lease. B
Beware that this is a dangerous eware that this is a dangerous
thing to do, it will only work reliably if only one of the hardwar thing to do, it will only work reliably if only one of the hard
e addresses is active at any ware addresses is active at any
time and there is no way for dnsmasq to enforce this. It is, for time and there is no way for dnsmasq to enforce this. It is, for i
instance, useful to allocate a nstance, useful to allocate a
stable IP address to a laptop which has both wired and wireless in terfaces. stable IP address to a laptop which has both wired and wireless in terfaces.
--dhcp-hostsfile=<path> --dhcp-hostsfile=<path>
Read DHCP host information from the specified file. If a directory Read DHCP host information from the specified file. If a direct
is given, then read all the ory is given, then read all the
files contained in that directory. The file contains informati files contained in that directory. The file contains information a
on about one host per line. The bout one host per line. The
format of a line is the same as text to the right of '=' in --dhcp -host. The advantage of storing format of a line is the same as text to the right of '=' in --dhcp -host. The advantage of storing
DHCP host information in this file is that it can be changed w ithout re-starting dnsmasq: the DHCP host information in this file is that it can be changed with out re-starting dnsmasq: the
file will be re-read when dnsmasq receives SIGHUP. file will be re-read when dnsmasq receives SIGHUP.
--dhcp-optsfile=<path> --dhcp-optsfile=<path>
Read DHCP option information from the specified file. If a direct ory is given, then read all the Read DHCP option information from the specified file. If a direct ory is given, then read all the
files contained in that directory. The advantage of using this op tion is the same as for --dhcp- files contained in that directory. The advantage of using this opt ion is the same as for --dhcp-
hostsfile: the --dhcp-optsfile will be re-read when dnsmasq receiv es SIGHUP. Note that it is pos- hostsfile: the --dhcp-optsfile will be re-read when dnsmasq receiv es SIGHUP. Note that it is pos-
sible to encode the information in a --dhcp-boot flag as DHCP o sible to encode the information in a --dhcp-boot flag as DHCP opti
ptions, using the options names ons, using the options names
bootfile-name, server-ip-address and tftp-server. This allows thes bootfile-name, server-ip-address and tftp-server. This allows th
e to be included in a --dhcp- ese to be included in a --dhcp-
optsfile. optsfile.
--dhcp-hostsdir=<path> --dhcp-hostsdir=<path>
This is equivalent to --dhcp-hostsfile, except for the following This is equivalent to --dhcp-hostsfile, except for the following.
. The path MUST be a directory, The path MUST be a directory,
and not an individual file. Changed or new files within the direc and not an individual file. Changed or new files within the di
tory are read automatically, rectory are read automatically,
without the need to send SIGHUP. If a file is deleted or changed without the need to send SIGHUP. If a file is deleted or changed
after it has been read by dns- after it has been read by dns-
masq, then the host record it contained will remain until dnsmas masq, then the host record it contained will remain until d
q receives a SIGHUP, or is nsmasq receives a SIGHUP, or is
restarted; ie host records are only added dynamically. restarted; ie host records are only added dynamically.
--dhcp-optsdir=<path> --dhcp-optsdir=<path>
This is equivalent to --dhcp-optsfile, with the differences noted for --dhcp-hostsdir. This is equivalent to --dhcp-optsfile, with the differences noted for --dhcp-hostsdir.
-Z, --read-ethers -Z, --read-ethers
Read /etc/ethers for information about hosts for the DHCP server. Read /etc/ethers for information about hosts for the DHCP server.
The format of /etc/ethers is a The format of /etc/ethers is a
hardware address, followed by either a hostname or dotted-quad IP hardware address, followed by either a hostname or dotted-quad I
address. When read by dnsmasq P address. When read by dnsmasq
these lines have exactly the same effect as --dhcp-host options c these lines have exactly the same effect as --dhcp-host options co
ontaining the same information. ntaining the same information.
/etc/ethers is re-read when dnsmasq receives SIGHUP. IPv6 addresses are NOT read from /etc/ethers is re-read when dnsmasq receives SIGHUP. IPv6 addresses are NOT read from
/etc/ethers. /etc/ethers.
-O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap: <enterprise>,][vendor:[<vendor- -O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap: <enterprise>,][vendor:[<vendor-
class>],][<opt>|option:<opt-name>|option6:<opt>|option6:<opt-name>],[<val ue>[,<value>]] class>],][<opt>|option:<opt-name>|option6:<opt>|option6:<opt-name>],[<val ue>[,<value>]]
Specify different or extra options to DHCP clients. By default, Specify different or extra options to DHCP clients. By defau
dnsmasq sends some standard lt, dnsmasq sends some standard
options to DHCP clients, the netmask and broadcast address are s options to DHCP clients, the netmask and broadcast address are set
et to the same as the host run- to the same as the host run-
ning dnsmasq, and the DNS server and default route are set to the ning dnsmasq, and the DNS server and default route are set to the
address of the machine running address of the machine running
dnsmasq. (Equivalent rules apply for IPv6.) If the domain name opt ion has been set, that is sent. dnsmasq. (Equivalent rules apply for IPv6.) If the domain name opt ion has been set, that is sent.
This configuration allows these defaults to be overridden, or This configuration allows these defaults to be overridden,
other options specified. The or other options specified. The
option, to be sent may be given as a decimal number or as "option option, to be sent may be given as a decimal number or as "option:
:<option-name>" The option num- <option-name>" The option num-
bers are specified in RFC2132 and subsequent RFCs. The set of opti bers are specified in RFC2132 and subsequent RFCs. The set of op
on-names known by dnsmasq can tion-names known by dnsmasq can
be discovered by running "dnsmasq --help dhcp". For example, to be discovered by running "dnsmasq --help dhcp". For example, to s
set the default route option to et the default route option to
192.168.4.4, do --dhcp-option=3,192.168.4.4 or --dhcp-option = opt 192.168.4.4, do --dhcp-option=3,192.168.4.4 or --dhcp-option = op
ion:router, 192.168.4.4 and to tion:router, 192.168.4.4 and to
set the time-server address to 192.168.0.4, do --dhcp-option = 42 set the time-server address to 192.168.0.4, do --dhcp-option = 42,
,192.168.0.4 or --dhcp-option = 192.168.0.4 or --dhcp-option =
option:ntp-server, 192.168.0.4 The special address 0.0.0.0 is take option:ntp-server, 192.168.0.4 The special address 0.0.0.0 is ta
n to mean "the address of the ken to mean "the address of the
machine running dnsmasq". machine running dnsmasq".
Data types allowed are comma separated dotted-quad IPv4 addresse s, []-wrapped IPv6 addresses, a Data types allowed are comma separated dotted-quad IPv4 addresses, []-wrapped IPv6 addresses, a
decimal number, colon-separated hex digits and a text string. If t he optional tags are given then decimal number, colon-separated hex digits and a text string. If t he optional tags are given then
this option is only sent when all the tags are matched. this option is only sent when all the tags are matched.
Special processing is done on a text argument for option 119, to Special processing is done on a text argument for option 119, to c
conform with RFC 3397. Text or onform with RFC 3397. Text or
dotted-quad IP addresses as arguments to option 120 are handled as dotted-quad IP addresses as arguments to option 120 are handled
per RFC 3361. Dotted-quad IP as per RFC 3361. Dotted-quad IP
addresses which are followed by a slash and then a netmask size addresses which are followed by a slash and then a netmask size ar
are encoded as described in RFC e encoded as described in RFC
3442. 3442.
IPv6 options are specified using the option6: keyword, followed by IPv6 options are specified using the option6: keyword, followed
the option number or option by the option number or option
name. The IPv6 option name space is disjoint from the IPv4 optio name. The IPv6 option name space is disjoint from the IPv4 option
n name space. IPv6 addresses in name space. IPv6 addresses in
options must be bracketed with square brackets, eg. --dhcp-optio options must be bracketed with square brackets, eg. --dhcp-optio
n=option6:ntp-server,[1234::56] n=option6:ntp-server,[1234::56]
For IPv6, [::] means "the global address of the machine runni For IPv6, [::] means "the global address of the machine running
ng dnsmasq", whilst [fd00::] is dnsmasq", whilst [fd00::] is
replaced with the ULA, if it exists, and [fe80::] with the link-lo cal address. replaced with the ULA, if it exists, and [fe80::] with the link-lo cal address.
Be careful: no checking is done that the correct type of data for Be careful: no checking is done that the correct type of data fo
the option number is sent, it r the option number is sent, it
is quite possible to persuade dnsmasq to generate illegal DHCP is quite possible to persuade dnsmasq to generate illegal DHCP pac
packets with injudicious use of kets with injudicious use of
this flag. When the value is a decimal number, dnsmasq must determ ine how large the data item is. this flag. When the value is a decimal number, dnsmasq must determ ine how large the data item is.
It does this by examining the option number and/or the value, but can be overridden by appending It does this by examining the option number and/or the value, but can be overridden by appending
a single letter flag as follows: b = one byte, s = two bytes, i = four bytes. This is mainly use- a single letter flag as follows: b = one byte, s = two bytes, i = four bytes. This is mainly use-
ful with encapsulated vendor class options (see below) where dns ful with encapsulated vendor class options (see below) where dnsma
masq cannot determine data size sq cannot determine data size
from the option number. Option data which consists solely of peri from the option number. Option data which consists solely of pe
ods and digits will be inter- riods and digits will be inter-
preted by dnsmasq as an IP address, and inserted into an opt preted by dnsmasq as an IP address, and inserted into an option a
ion as such. To force a literal s such. To force a literal
string, use quotes. For instance when using option 66 to send a li teral IP address as TFTP server string, use quotes. For instance when using option 66 to send a li teral IP address as TFTP server
name, it is necessary to do --dhcp-option=66,"1.2.3.4" name, it is necessary to do --dhcp-option=66,"1.2.3.4"
Encapsulated Vendor-class options may also be specified (IPv4 Encapsulated Vendor-class options may also be specified (IPv4 on
only) using --dhcp-option: for ly) using --dhcp-option: for
instance --dhcp-option=vendor:PXEClient,1,0.0.0.0 sends the encap instance --dhcp-option=vendor:PXEClient,1,0.0.0.0 sends the enc
sulated vendor class-specific apsulated vendor class-specific
option "mftp-address=0.0.0.0" to any client whose vendor-class m option "mftp-address=0.0.0.0" to any client whose vendor-class mat
atches "PXEClient". The vendor- ches "PXEClient". The vendor-
class matching is substring based (see --dhcp-vendorclass for deta class matching is substring based (see --dhcp-vendorclass for det
ils). If a vendor-class option ails). If a vendor-class option
(number 60) is sent by dnsmasq, then that is used for selecting (number 60) is sent by dnsmasq, then that is used for selecting en
encapsulated options in prefer- capsulated options in prefer-
ence to any sent by the client. It is possible to omit the ve ence to any sent by the client. It is possible to omit the
ndorclass completely; --dhcp- vendorclass completely; --dhcp-
option=vendor:,1,0.0.0.0 in which case the encapsulated option is always sent. option=vendor:,1,0.0.0.0 in which case the encapsulated option is always sent.
Options may be encapsulated (IPv4 only) within other o Options may be encapsulated (IPv4 only) within other opti
ptions: for instance --dhcp- ons: for instance --dhcp-
option=encap:175, 190, iscsi-client0 will send option 175, within option=encap:175, 190, iscsi-client0 will send option 175, wit
which is the option 190. If hin which is the option 190. If
multiple options are given which are encapsulated with the same multiple options are given which are encapsulated with the same op
option number then they will be tion number then they will be
correctly combined into one encapsulated option. encap: and vendo correctly combined into one encapsulated option. encap: and ven
r: are may not both be set in dor: are may not both be set in
the same --dhcp-option. the same --dhcp-option.
The final variant on encapsulated options is "Vendor-Identifying The final variant on encapsulated options is "Vendor-Identifying V
Vendor Options" as specified by endor Options" as specified by
RFC3925. These are denoted like this: --dhcp-option=vi-encap:2, 10 RFC3925. These are denoted like this: --dhcp-option=vi-encap:2,
, text The number in the vi- 10, text The number in the vi-
encap: section is the IANA enterprise number used to identify thi encap: section is the IANA enterprise number used to identify this
s option. This form of encapsu- option. This form of encapsu-
lation is supported in IPv6. lation is supported in IPv6.
The address 0.0.0.0 is not treated specially in encapsulated optio ns. The address 0.0.0.0 is not treated specially in encapsulated optio ns.
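Review bot: the sentence "encap: and vendor: are may not both be set in the same --dhcp-option" in the encapsulated-options paragraph is ungrammatical in both columns, so the typo survives this release. Suggest "encap: and vendor: may not both be set in the same --dhcp-option." Since this paragraph states a hard restriction on what dnsmasq will accept, it should read unambiguously.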
--dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<ente rprise>,][vendor:[<vendor- --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<ente rprise>,][vendor:[<vendor-
class>],]<opt>,[<value>[,<value>]] class>],]<opt>,[<value>[,<value>]]
This works in exactly the same way as --dhcp-option except that This works in exactly the same way as --dhcp-option except that th
the option will always be sent, e option will always be sent,
even if the client does not ask for it in the parameter request li even if the client does not ask for it in the parameter request
st. This is sometimes needed, list. This is sometimes needed,
for example when sending options to PXELinux. for example when sending options to PXELinux.
--dhcp-no-override --dhcp-no-override
(IPv4 only) Disable re-use of the DHCP servername and filename f (IPv4 only) Disable re-use of the DHCP servername and filename fie
ields as extra option space. If lds as extra option space. If
it can, dnsmasq moves the boot server and filename information (fr it can, dnsmasq moves the boot server and filename information
om --dhcp-boot) out of their (from --dhcp-boot) out of their
dedicated fields into DHCP options. This make extra space a dedicated fields into DHCP options. This make extra space availa
vailable in the DHCP packet for ble in the DHCP packet for
options but can, rarely, confuse old or broken clients. This flag forces "simple and safe" behav- options but can, rarely, confuse old or broken clients. This flag forces "simple and safe" behav-
iour to avoid problems in such a case. iour to avoid problems in such a case.
--dhcp-relay=<local address>,<server address>[,<interface] --dhcp-relay=<local address>,<server address>[,<interface]
Configure dnsmasq to do DHCP relay. The local address is an addre Configure dnsmasq to do DHCP relay. The local address is an addres
ss allocated to an interface on s allocated to an interface on
the host running dnsmasq. All DHCP requests arriving on that inte the host running dnsmasq. All DHCP requests arriving on that
rface will we relayed to a interface will we relayed to a
remote DHCP server at the server address. It is possible to relay remote DHCP server at the server address. It is possible to relay
from a single local address to from a single local address to
multiple remote servers by using multiple --dhcp-relay configs wit multiple remote servers by using multiple --dhcp-relay configs
h the same local address and with the same local address and
different server addresses. A server address must be an IP literal address, not a domain name. In different server addresses. A server address must be an IP literal address, not a domain name. In
the case of DHCPv6, the server address may be the ALL_SERVERS mult the case of DHCPv6, the server address may be the ALL_SERVERS m
icast address, ff05::1:3. In ulticast address, ff05::1:3. In
this case the interface must be given, not be wildcard, and is this case the interface must be given, not be wildcard, and is use
used to direct the multicast to d to direct the multicast to
the correct interface to reach the DHCP server. the correct interface to reach the DHCP server.
Access control for DHCP clients has the same rules as for the D Access control for DHCP clients has the same rules as for th
HCP server, see --interface, e DHCP server, see --interface,
--except-interface, etc. The optional interface name in the --dh --except-interface, etc. The optional interface name in the --dhcp
cp-relay config has a different -relay config has a different
function: it controls on which interface DHCP replies from the ser function: it controls on which interface DHCP replies from the s
ver will be accepted. This is erver will be accepted. This is
intended for configurations which have three interfaces: one be intended for configurations which have three interfaces: one being
ing relayed from, a second con- relayed from, a second con-
necting the DHCP server, and a third untrusted network, typically necting the DHCP server, and a third untrusted network, typicall
the wider internet. It avoids y the wider internet. It avoids
the possibility of spoof replies arriving via this third interface . the possibility of spoof replies arriving via this third interface .
It is allowed to have dnsmasq act as a DHCP server on one set of i nterfaces and relay from a dis- It is allowed to have dnsmasq act as a DHCP server on one set of i nterfaces and relay from a dis-
joint set of interfaces. Note that whilst it is quite possible t joint set of interfaces. Note that whilst it is quite possibl
o write configurations which e to write configurations which
appear to act as a server and a relay on the same interface, t appear to act as a server and a relay on the same interface, this
his is not supported: the relay is not supported: the relay
function will take precedence. function will take precedence.
Both DHCPv4 and DHCPv6 relay is supported. It's not possible to re lay DHCPv4 to a DHCPv6 server Both DHCPv4 and DHCPv6 relay is supported. It's not possible to relay DHCPv4 to a DHCPv6 server
or vice-versa. or vice-versa.
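Review bot: the --dhcp-relay synopsis still reads "[,<interface]" in both columns, with the closing ">" missing from the placeholder; it should be "[,<interface>]". In the same entry, "All DHCP requests arriving on that interface will we relayed" should read "will be relayed". The interface argument is what restricts where server replies are accepted, so the synopsis that documents it should be exact.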
-U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<v endor-class> -U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<v endor-class>
Map from a vendor-class string to a tag. Most DHCP clients provid Map from a vendor-class string to a tag. Most DHCP clients provide
e a "vendor class" which repre- a "vendor class" which repre-
sents, in some sense, the type of host. This option maps vendor cl sents, in some sense, the type of host. This option maps vendo
asses to tags, so that DHCP r classes to tags, so that DHCP
options may be selectively delivered to different classes of ho options may be selectively delivered to different classes of hosts
sts. For example --dhcp-vendor- . For example --dhcp-vendor-
class=set:printers,Hewlett-Packard JetDirect will allow options to class=set:printers,Hewlett-Packard JetDirect will allow options
be set only for HP printers to be set only for HP printers
like so: --dhcp-option=tag:printers,3,192.168.4.4 The vendor-cl like so: --dhcp-option=tag:printers,3,192.168.4.4 The vendor-class
ass string is substring matched string is substring matched
against the vendor-class supplied by the client, to allow fuzzy m against the vendor-class supplied by the client, to allow fuz
atching. The set: prefix is zy matching. The set: prefix is
optional but allowed for consistency. optional but allowed for consistency.
Note that in IPv6 only, vendorclasses are namespaced with an IA Note that in IPv6 only, vendorclasses are namespaced with an IANA
NA-allocated enterprise number. -allocated enterprise number.
This is given with enterprise: keyword and specifies that only ven This is given with enterprise: keyword and specifies that only ve
dorclasses matching the speci- ndorclasses matching the speci-
fied number should be searched. fied number should be searched.
-j, --dhcp-userclass=set:<tag>,<user-class> -j, --dhcp-userclass=set:<tag>,<user-class>
Map from a user-class string to a tag (with substring matching, Map from a user-class string to a tag (with substring matching, li
like vendor classes). Most DHCP ke vendor classes). Most DHCP
clients provide a "user class" which is configurable. This option clients provide a "user class" which is configurable. This optio
maps user classes to tags, so n maps user classes to tags, so
that DHCP options may be selectively delivered to different classe s of hosts. It is possible, for that DHCP options may be selectively delivered to different classe s of hosts. It is possible, for
instance to use this to set a different printer server for hosts i n the class "accounts" than for instance to use this to set a different printer server for hosts i n the class "accounts" than for
hosts in the class "engineering". hosts in the class "engineering".
-4, --dhcp-mac=set:<tag>,<MAC address> -4, --dhcp-mac=set:<tag>,<MAC address>
Map from a MAC address to a tag. The MAC address may include Map from a MAC address to a tag. The MAC address may include wi
wildcards. For example --dhcp- ldcards. For example --dhcp-
mac=set:3com,01:34:23:*:*:* will set the tag "3com" for any host w mac=set:3com,01:34:23:*:*:* will set the tag "3com" for any hos
hose MAC address matches the t whose MAC address matches the
pattern. pattern.
--dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-remoteid=set:<tag>,<remot e-id> --dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-remoteid=set:<tag>,<remot e-id>
Map from RFC3046 relay agent options to tags. This data may be pro vided by DHCP relay agents. The Map from RFC3046 relay agent options to tags. This data may be pro vided by DHCP relay agents. The
circuit-id or remote-id is normally given as colon-separated hex, circuit-id or remote-id is normally given as colon-separated h
but is also allowed to be a ex, but is also allowed to be a
simple string. If an exact match is achieved between the circuit simple string. If an exact match is achieved between the circuit o
or agent ID and one provided by r agent ID and one provided by
a relay agent, the tag is set. a relay agent, the tag is set.
--dhcp-remoteid (but not --dhcp-circuitid) is supported in IPv6. --dhcp-remoteid (but not --dhcp-circuitid) is supported in IPv6.
--dhcp-subscrid=set:<tag>,<subscriber-id> --dhcp-subscrid=set:<tag>,<subscriber-id>
(IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent options to tags. (IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent options to tags.
--dhcp-proxy[=<ip addr>]...... --dhcp-proxy[=<ip addr>]......
(IPv4 only) A normal DHCP relay agent is only used to forward the initial parts of a DHCP inter- (IPv4 only) A normal DHCP relay agent is only used to forward the initial parts of a DHCP inter-
action to the DHCP server. Once a client is configured, it communi cates directly with the server. action to the DHCP server. Once a client is configured, it communi cates directly with the server.
This is undesirable if the relay agent is adding extra information This is undesirable if the relay agent is adding extra informati
to the DHCP packets, such as on to the DHCP packets, such as
that used by --dhcp-circuitid and --dhcp-remoteid. A full relay that used by --dhcp-circuitid and --dhcp-remoteid. A full relay i
implementation can use the RFC mplementation can use the RFC
5107 serverid-override option to force the DHCP server to use the relay as a full proxy, with all 5107 serverid-override option to force the DHCP server to use the relay as a full proxy, with all
packets passing through it. This flag provides an alternative meth od of doing the same thing, for packets passing through it. This flag provides an alternative meth od of doing the same thing, for
relays which don't support RFC 5107. Given alone, it manipulates t relays which don't support RFC 5107. Given alone, it manipulates
he server-id for all interac- the server-id for all interac-
tions via relays. If a list of IP addresses is given, only i tions via relays. If a list of IP addresses is given, only inter
nteractions via relays at those actions via relays at those
addresses are affected. addresses are affected.
--dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<ent erprise>[,<value>] --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<ent erprise>[,<value>]
Without a value, set the tag if the client sends a DHCP option of Without a value, set the tag if the client sends a DHCP option of
the given number or name. When the given number or name. When
a value is given, set the tag only if the option is sent and matc a value is given, set the tag only if the option is sent and match
hes the value. The value may be es the value. The value may be
of the form "01:ff:*:02" in which case the value must match (apart from wildcards) but the option of the form "01:ff:*:02" in which case the value must match (apart from wildcards) but the option
sent may have unmatched data past the end of the value. The value may also be of the same form as sent may have unmatched data past the end of the value. The value may also be of the same form as
in --dhcp-option in which case the option sent is treated as an in --dhcp-option in which case the option sent is treated as
array, and one element must an array, and one element must
match, so --dhcp-match=set:efi-ia32,option:client-arch,6 will se match, so --dhcp-match=set:efi-ia32,option:client-arch,6 will set
t the tag "efi-ia32" if the the the tag "efi-ia32" if the the
number 6 appears in the list of architectures sent by the client i number 6 appears in the list of architectures sent by the client
n option 93. (See RFC 4578 for in option 93. (See RFC 4578 for
details.) If the value is a string, substring matching is used. details.) If the value is a string, substring matching is used.
The special form with vi-encap:<enterprise number> matches ag The special form with vi-encap:<enterprise number> matches agai
ainst vendor-identifying vendor nst vendor-identifying vendor
classes for the specified enterprise. Please see RFC 3925 for more classes for the specified enterprise. Please see RFC 3925 for
details of these rare and more details of these rare and
interesting beasts. interesting beasts.
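Review bot: the --dhcp-match example text has a doubled word, "will set the tag "efi-ia32" if the the number 6 appears", unchanged between the two versions. Suggest dropping the second "the".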
--dhcp-name-match=set:<tag>,<name>[*] --dhcp-name-match=set:<tag>,<name>[*]
Set the tag if the given name is supplied by a DHCP client. There Set the tag if the given name is supplied by a DHCP client. There
may be a single trailing wild- may be a single trailing wild-
card *, which has the usual meaning. Combined with dhcp-ignore or card *, which has the usual meaning. Combined with dhcp-ignore
dhcp-ignore-names this gives or dhcp-ignore-names this gives
the ability to ignore certain clients by name, or disallow certa the ability to ignore certain clients by name, or disallow certain
in hostnames from being claimed hostnames from being claimed
by a client. by a client.
--tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]] --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
Perform boolean operations on tags. Any tag appearing as set:<tag> is set if all the tags which Perform boolean operations on tags. Any tag appearing as set:<ta g> is set if all the tags which
appear as tag:<tag> are set, (or unset when tag:!<tag> is used) If no tag:<tag> appears set:<tag> appear as tag:<tag> are set, (or unset when tag:!<tag> is used) If no tag:<tag> appears set:<tag>
tags are set unconditionally. Any number of set: and tag: forms tags are set unconditionally. Any number of set: and tag:
may appear, in any order. forms may appear, in any order.
--tag-if lines are executed in order, so if the tag in tag:<tag> --tag-if lines are executed in order, so if the tag in tag:<tag> i
is a tag set by another --tag- s a tag set by another --tag-
if, the line which sets the tag must precede the one which tests i t. if, the line which sets the tag must precede the one which tests i t.
-J, --dhcp-ignore=tag:<tag>[,tag:<tag>] -J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
When all the given tags appear in the tag set ignore the host and do not allocate it a DHCP When all the given tags appear in the tag set ignore the hos t and do not allocate it a DHCP
lease. lease.
--dhcp-ignore-names[=tag:<tag>[,tag:<tag>]] --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
When all the given tags appear in the tag set, ignore any host When all the given tags appear in the tag set, ignore any hostname
name provided by the host. Note provided by the host. Note
that, unlike --dhcp-ignore, it is permissible to supply no tags, i that, unlike --dhcp-ignore, it is permissible to supply no tags,
n which case DHCP-client sup- in which case DHCP-client sup-
plied hostnames are always ignored, and DHCP hosts are added to plied hostnames are always ignored, and DHCP hosts are added to th
the DNS using only --dhcp-host e DNS using only --dhcp-host
configuration in dnsmasq and the contents of /etc/hosts and /etc/e thers. configuration in dnsmasq and the contents of /etc/hosts and /etc/e thers.
--dhcp-generate-names=tag:<tag>[,tag:<tag>] --dhcp-generate-names=tag:<tag>[,tag:<tag>]
(IPv4 only) Generate a name for DHCP clients which do not otherwi (IPv4 only) Generate a name for DHCP clients which do not ot
se have one, using the MAC herwise have one, using the MAC
address expressed in hex, separated by dashes. Note that if a h address expressed in hex, separated by dashes. Note that if a host
ost provides a name, it will be provides a name, it will be
used by preference to this, unless --dhcp-ignore-names is set. used by preference to this, unless --dhcp-ignore-names is set.
--dhcp-broadcast[=tag:<tag>[,tag:<tag>]] --dhcp-broadcast[=tag:<tag>[,tag:<tag>]]
(IPv4 only) When all the given tags appear in the tag set, always use broadcast to communicate (IPv4 only) When all the given tags appear in the tag set, alwa ys use broadcast to communicate
with the host when it is unconfigured. It is permissible to supply no tags, in which case this is with the host when it is unconfigured. It is permissible to supply no tags, in which case this is
unconditional. Most DHCP clients which need broadcast replies set a flag in their requests so unconditional. Most DHCP clients which need broadcast replies set a flag in their requests so
that this happens automatically, some old BOOTP clients do not. that this happens automatically, some old BOOTP clients do not.
-M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server address>|<t ftp_servername>]] -M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server address>|<t ftp_servername>]]
(IPv4 only) Set BOOTP options to be returned by the DHCP serv (IPv4 only) Set BOOTP options to be returned by the DHCP server.
er. Server name and address are Server name and address are
optional: if not provided, the name is left empty, and the address optional: if not provided, the name is left empty, and the ad
set to the address of the dress set to the address of the
machine running dnsmasq. If dnsmasq is providing a TFTP service machine running dnsmasq. If dnsmasq is providing a TFTP service (s
(see --enable-tftp ) then only ee --enable-tftp ) then only
the filename is required here to enable network booting. If the o the filename is required here to enable network booting. If the
ptional tag(s) are given, they optional tag(s) are given, they
must match for this configuration to be sent. Instead of an IP a must match for this configuration to be sent. Instead of an IP ad
ddress, the TFTP server address dress, the TFTP server address
can be given as a domain name which is looked up in /etc/hosts. Th can be given as a domain name which is looked up in /etc/hosts.
is name can be associated in This name can be associated in
/etc/hosts with multiple IP addresses, which are used round-robin /etc/hosts with multiple IP addresses, which are used round-robin.
. This facility can be used to This facility can be used to
load balance the tftp load among a set of servers. load balance the tftp load among a set of servers.
--dhcp-sequential-ip --dhcp-sequential-ip
Dnsmasq is designed to choose IP addresses for DHCP clients using Dnsmasq is designed to choose IP addresses for DHCP clients u
a hash of the client's MAC sing a hash of the client's MAC
address. This normally allows a client's address to remain stabl address. This normally allows a client's address to remain stable
e long-term, even if the client long-term, even if the client
sometimes allows its DHCP lease to expire. In this default mode sometimes allows its DHCP lease to expire. In this default mo
IP addresses are distributed de IP addresses are distributed
pseudo-randomly over the entire available address range. There are sometimes circumstances (typi- pseudo-randomly over the entire available address range. There are sometimes circumstances (typi-
cally server deployment) where it is more convenient to have IP ad dresses allocated sequentially, cally server deployment) where it is more convenient to have IP ad dresses allocated sequentially,
starting from the lowest available address, and setting this flag enables this mode. Note that in starting from the lowest available address, and setting this flag enables this mode. Note that in
the sequential mode, clients which allow a lease to expire are m uch more likely to move IP the sequential mode, clients which allow a lease to expire are much more likely to move IP
address; for this reason it should not be generally used. address; for this reason it should not be generally used.
--dhcp-ignore-clid --dhcp-ignore-clid
Dnsmasq is reading 'client identifier' (RFC 2131) option sent by Dnsmasq is reading 'client identifier' (RFC 2131) option sent by c
clients (if available) to iden- lients (if available) to iden-
tify clients. This allow to serve same IP address for a host using tify clients. This allow to serve same IP address for a host usi
several interfaces. Use this ng several interfaces. Use this
option to disable 'client identifier' reading, i.e. to alway option to disable 'client identifier' reading, i.e. to always ide
s identify a host using the MAC ntify a host using the MAC
address. address.
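Review bot: the --dhcp-ignore-clid description is carried over unchanged with its grammar problems: "Dnsmasq is reading 'client identifier' (RFC 2131) option sent by clients" and "This allow to serve same IP address for a host using several interfaces". Suggest "Dnsmasq reads the 'client identifier' (RFC 2131) option sent by clients (if available) to identify clients. This allows the same IP address to be served to a host using several interfaces." The entry changes how hosts are identified, so the wording should leave no doubt about which identifier is used in each mode.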
--pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basena me>|<bootservicetype>][,<server --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basena me>|<bootservicetype>][,<server
address>|<server_name>] address>|<server_name>]
Most uses of PXE boot-ROMS simply allow the PXE system to obtain Most uses of PXE boot-ROMS simply allow the PXE system to obtain a
an IP address and then download n IP address and then download
the file specified by --dhcp-boot and execute it. However the PXE the file specified by --dhcp-boot and execute it. However the PXE
system is capable of more com- system is capable of more com-
plex functions when supported by a suitable DHCP server. plex functions when supported by a suitable DHCP server.
This specifies a boot option which may appear in a PXE boot men This specifies a boot option which may appear in a PXE boot menu.
u. <CSA> is client system type, <CSA> is client system type,
only services of the correct type will appear in a menu. The k only services of the correct type will appear in a menu. T
nown types are x86PC, PC98, he known types are x86PC, PC98,
IA64_EFI, Alpha, Arc_x86, Intel_Lean_Client, IA32_EFI, X86-64_EFI , Xscale_EFI, BC_EFI, ARM32_EFI IA64_EFI, Alpha, Arc_x86, Intel_Lean_Client, IA32_EFI, X86-64_EFI , Xscale_EFI, BC_EFI, ARM32_EFI
and ARM64_EFI; an integer may be used for other types. The paramet er after the menu text may be a and ARM64_EFI; an integer may be used for other types. The paramet er after the menu text may be a
file name, in which case dnsmasq acts as a boot server and directs the PXE client to download the file name, in which case dnsmasq acts as a boot server and directs the PXE client to download the
file by TFTP, either from itself ( --enable-tftp must be set for t file by TFTP, either from itself ( --enable-tftp must be set fo
his to work) or another TFTP r this to work) or another TFTP
server if the final server address/name is given. Note that the server if the final server address/name is given. Note that the "
"layer" suffix (normally ".0") layer" suffix (normally ".0")
is supplied by PXE, and need not be added to the basename. Alterna is supplied by PXE, and need not be added to the basename. Alter
tively, the basename may be a natively, the basename may be a
filename, complete with suffix, in which case no layer suffix is filename, complete with suffix, in which case no layer suffix is a
added. If an integer boot ser- dded. If an integer boot ser-
vice type, rather than a basename is given, then the PXE client wi vice type, rather than a basename is given, then the PXE client
ll search for a suitable boot will search for a suitable boot
service for that type on the network. This search may be done by b roadcast, or direct to a server service for that type on the network. This search may be done by b roadcast, or direct to a server
if its IP address/name is provided. If no boot service type or fi if its IP address/name is provided. If no boot service type or
lename is provided (or a boot filename is provided (or a boot
service type of 0 is specified) then the menu entry will abort service type of 0 is specified) then the menu entry will abort the
the net boot procedure and con- net boot procedure and con-
tinue booting from local media. The server address can be given as tinue booting from local media. The server address can be given a
a domain name which is looked s a domain name which is looked
up in /etc/hosts. This name can be associated in /etc/hosts with m ultiple IP addresses, which are up in /etc/hosts. This name can be associated in /etc/hosts with m ultiple IP addresses, which are
used round-robin. used round-robin.
--pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>] --pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]
Setting this provides a prompt to be displayed after PXE boot. If the timeout is given then after Setting this provides a prompt to be displayed after PXE boot. If the timeout is given then after
the timeout has elapsed with no keyboard input, the first availabl e menu option will be automati- the timeout has elapsed with no keyboard input, the first availabl e menu option will be automati-
cally executed. If the timeout is zero then the first available me cally executed. If the timeout is zero then the first available m
nu item will be executed imme- enu item will be executed imme-
diately. If --pxe-prompt is omitted the system will wait for u diately. If --pxe-prompt is omitted the system will wait for user
ser input if there are multiple input if there are multiple
items in the menu, but boot immediately if there is only one. See items in the menu, but boot immediately if there is only one. S
--pxe-service for details of ee --pxe-service for details of
menu items. menu items.
Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP serve r on the network is responsible Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP serve r on the network is responsible
for allocating IP addresses, and dnsmasq simply provides the infor for allocating IP addresses, and dnsmasq simply provides the in
mation given in --pxe-prompt formation given in --pxe-prompt
and --pxe-service to allow netbooting. This mode is enabled usi and --pxe-service to allow netbooting. This mode is enabled using
ng the proxy keyword in --dhcp- the proxy keyword in --dhcp-
range. range.
-X, --dhcp-lease-max=<number> -X, --dhcp-lease-max=<number>
Limits dnsmasq to the specified maximum number of DHCP leases. The default is 1000. This limit is Limits dnsmasq to the specified maximum number of DHCP leases. The default is 1000. This limit is
to prevent DoS attacks from hosts which create thousands of lease s and use lots of memory in the to prevent DoS attacks from hosts which create thousands of leases and use lots of memory in the
dnsmasq process. dnsmasq process.
-K, --dhcp-authoritative -K, --dhcp-authoritative
Should be set when dnsmasq is definitely the only DHCP server on Should be set when dnsmasq is definitely the only DHCP serve
a network. For DHCPv4, it r on a network. For DHCPv4, it
changes the behaviour from strict RFC compliance so that DHCP changes the behaviour from strict RFC compliance so that DHCP requ
requests on unknown leases from ests on unknown leases from
unknown hosts are not ignored. This allows new hosts to get a leas unknown hosts are not ignored. This allows new hosts to get a
e without a tedious timeout lease without a tedious timeout
under all circumstances. It also allows dnsmasq to rebuild its lea se database without each client under all circumstances. It also allows dnsmasq to rebuild its lea se database without each client
needing to reacquire a lease, if the database is lost. For DHCPv6 it sets the priority in replies needing to reacquire a lease, if the database is lost. For DHCPv6 it sets the priority in replies
to 255 (the maximum) instead of 0 (the minimum). to 255 (the maximum) instead of 0 (the minimum).
--dhcp-rapid-commit --dhcp-rapid-commit
Enable DHCPv4 Rapid Commit Option specified in RFC 4039. When ena Enable DHCPv4 Rapid Commit Option specified in RFC 4039. When enab
bled, dnsmasq will respond to a led, dnsmasq will respond to a
DHCPDISCOVER message including a Rapid Commit option with a DHCPA DHCPDISCOVER message including a Rapid Commit option with a D
CK including a Rapid Commit HCPACK including a Rapid Commit
option and fully committed address and configuration informa option and fully committed address and configuration information.
tion. Should only be enabled if Should only be enabled if
either the server is the only server for the subnet, or multiple either the server is the only server for the subnet, or multip
servers are present and they le servers are present and they
each commit a binding for all clients. each commit a binding for all clients.
--dhcp-alternate-port[=<server port>[,<client port>]] --dhcp-alternate-port[=<server port>[,<client port>]]
(IPv4 only) Change the ports used for DHCP from the default. If th is option is given alone, with- (IPv4 only) Change the ports used for DHCP from the default. If th is option is given alone, with-
out arguments, it changes the ports used for DHCP from 67 and 68 t out arguments, it changes the ports used for DHCP from 67 and 6
o 1067 and 1068. If a single 8 to 1067 and 1068. If a single
argument is given, that port number is used for the server and th argument is given, that port number is used for the server and the
e port number plus one used for port number plus one used for
the client. Finally, two port numbers allows arbitrary specificati the client. Finally, two port numbers allows arbitrary specific
on of both server and client ation of both server and client
ports for DHCP. ports for DHCP.
-3, --bootp-dynamic[=<network-id>[,<network-id>]] -3, --bootp-dynamic[=<network-id>[,<network-id>]]
(IPv4 only) Enable dynamic allocation of IP addresses to BOOTP cli ents. Use this with care, since (IPv4 only) Enable dynamic allocation of IP addresses to BOOTP cli ents. Use this with care, since
each address allocated to a BOOTP client is leased forever, and each address allocated to a BOOTP client is leased forever, an
therefore becomes permanently d therefore becomes permanently
unavailable for re-use by other hosts. if this is given withou unavailable for re-use by other hosts. if this is given without t
t tags, then it unconditionally ags, then it unconditionally
enables dynamic allocation. With tags, only when the tags are all enables dynamic allocation. With tags, only when the tags are a
set. It may be repeated with ll set. It may be repeated with
different tag sets. different tag sets.
-5, --no-ping -5, --no-ping
(IPv4 only) By default, the DHCP server will attempt to ensur (IPv4 only) By default, the DHCP server will attempt to ensure tha
e that an address is not in use t an address is not in use
before allocating it to a host. It does this by sending an ICMP ec before allocating it to a host. It does this by sending an ICMP e
ho request (aka "ping") to the cho request (aka "ping") to the
address in question. If it gets a reply, then the address must al address in question. If it gets a reply, then the address must alr
ready be in use, and another is eady be in use, and another is
tried. This flag disables this check. Use with caution. tried. This flag disables this check. Use with caution.
--log-dhcp --log-dhcp
Extra logging for DHCP: log all the options sent to DHCP clients a nd the tags used to determine Extra logging for DHCP: log all the options sent to DHCP clients and the tags used to determine
them. them.
--quiet-dhcp, --quiet-dhcp6, --quiet-ra --quiet-dhcp, --quiet-dhcp6, --quiet-ra
Suppress logging of the routine operation of these protocols. Er rors and problems will still be Suppress logging of the routine operation of these protocols. Erro rs and problems will still be
logged. --quiet-dhcp and quiet-dhcp6 are over-ridden by --log-dhcp . logged. --quiet-dhcp and quiet-dhcp6 are over-ridden by --log-dhcp .
-l, --dhcp-leasefile=<path> -l, --dhcp-leasefile=<path>
Use the specified file to store DHCP lease information. Use the specified file to store DHCP lease information.
--dhcp-duid=<enterprise-id>,<uid> --dhcp-duid=<enterprise-id>,<uid>
(IPv6 only) Specify the server persistent UID which the DHCPv6 ser (IPv6 only) Specify the server persistent UID which the DHCPv6
ver will use. This option is server will use. This option is
not normally required as dnsmasq creates a DUID automaticall not normally required as dnsmasq creates a DUID automatically whe
y when it is first needed. When n it is first needed. When
given, this option provides dnsmasq the data required to create a given, this option provides dnsmasq the data required to create
DUID-EN type DUID. Note that a DUID-EN type DUID. Note that
once set, the DUID is stored in the lease database, so to chang once set, the DUID is stored in the lease database, so to change b
e between DUID-EN and automati- etween DUID-EN and automati-
cally created DUIDs or vice-versa, the lease database must be re-i cally created DUIDs or vice-versa, the lease database must be re
nitialised. The enterprise-id -initialised. The enterprise-id
is assigned by IANA, and the uid is a string of hex octets unique to a particular device. is assigned by IANA, and the uid is a string of hex octets unique to a particular device.
-6 --dhcp-script=<path> -6 --dhcp-script=<path>
Whenever a new DHCP lease is created, or an old one destroyed, or a TFTP file transfer completes, Whenever a new DHCP lease is created, or an old one destroyed, or a TFTP file transfer completes,
the executable specified by this option is run. <path> must be an the executable specified by this option is run. <path> must b
absolute pathname, no PATH e an absolute pathname, no PATH
search occurs. The arguments to the process are "add", "old" o search occurs. The arguments to the process are "add", "old" or "
r "del", the MAC address of the del", the MAC address of the
host (or DUID for IPv6) , the IP address, and the hostname, if kno host (or DUID for IPv6) , the IP address, and the hostname, if
wn. "add" means a lease has known. "add" means a lease has
been created, "del" means it has been destroyed, "old" is a no been created, "del" means it has been destroyed, "old" is a notifi
tification of an existing lease cation of an existing lease
when dnsmasq starts or a change to MAC address or hostname of an when dnsmasq starts or a change to MAC address or hostname of
existing lease (also, lease an existing lease (also, lease
length or expiry and client-id, if --leasefile-ro is set and leas length or expiry and client-id, if --leasefile-ro is set and lease
e expiry if --script-on-renewal expiry if --script-on-renewal
is set). If the MAC address is from a network type other than eth ernet, it will have the network is set). If the MAC address is from a network type other than eth ernet, it will have the network
type prepended, eg "06-01:23:45:67:89:ab" for token ring. The p type prepended, eg "06-01:23:45:67:89:ab" for token ring. The proc
rocess is run as root (assuming ess is run as root (assuming
that dnsmasq was originally run as root) even if dnsmasq is conf that dnsmasq was originally run as root) even if dnsmasq is
igured to change UID to an configured to change UID to an
unprivileged user. unprivileged user.
The environment is inherited from the invoker of dnsmasq, with som e or all of the following vari- The environment is inherited from the invoker of dnsmasq, with som e or all of the following vari-
ables added ables added
For both IPv4 and IPv6: For both IPv4 and IPv6:
DNSMASQ_DOMAIN if the fully-qualified domain name of the host is DNSMASQ_DOMAIN if the fully-qualified domain name of the ho
known, this is set to the st is known, this is set to the
domain part. (Note that the hostname passed to the script as an domain part. (Note that the hostname passed to the script as an ar
argument is never fully-quali- gument is never fully-quali-
fied.) fied.)
If the client provides a hostname, DNSMASQ_SUPPLIED_HOSTNAME If the client provides a hostname, DNSMASQ_SUPPLIED_HOSTNAME
If the client provides user-classes, DNSMASQ_USER_CLASS0..DNSMASQ_ USER_CLASSn If the client provides user-classes, DNSMASQ_USER_CLASS0..DNSMASQ_ USER_CLASSn
If dnsmasq was compiled with HAVE_BROKEN_RTC, then the length of t he lease (in seconds) is stored If dnsmasq was compiled with HAVE_BROKEN_RTC, then the length of t he lease (in seconds) is stored
in DNSMASQ_LEASE_LENGTH, otherwise the time of lease expiry is s tored in DNSMASQ_LEASE_EXPIRES. in DNSMASQ_LEASE_LENGTH, otherwise the time of lease expiry is sto red in DNSMASQ_LEASE_EXPIRES.
The number of seconds until lease expiry is always stored in DNSMA SQ_TIME_REMAINING. The number of seconds until lease expiry is always stored in DNSMA SQ_TIME_REMAINING.
If a lease used to have a hostname, which is removed, an "old" eve If a lease used to have a hostname, which is removed, an "old"
nt is generated with the new event is generated with the new
state of the lease, ie no name, and the former name is provided i state of the lease, ie no name, and the former name is provided in
n the environment variable DNS- the environment variable DNS-
MASQ_OLD_HOSTNAME. MASQ_OLD_HOSTNAME.
DNSMASQ_INTERFACE stores the name of the interface on which the re quest arrived; this is not set DNSMASQ_INTERFACE stores the name of the interface on which the r equest arrived; this is not set
for "old" actions when dnsmasq restarts. for "old" actions when dnsmasq restarts.
DNSMASQ_RELAY_ADDRESS is set if the client used a DHCP rela y to contact dnsmasq and the IP DNSMASQ_RELAY_ADDRESS is set if the client used a DHCP relay to contact dnsmasq and the IP
address of the relay is known. address of the relay is known.
DNSMASQ_TAGS contains all the tags set during the DHCP transaction , separated by spaces. DNSMASQ_TAGS contains all the tags set during the DHCP transaction , separated by spaces.
DNSMASQ_LOG_DHCP is set if --log-dhcp is in effect. DNSMASQ_LOG_DHCP is set if --log-dhcp is in effect.
For IPv4 only: For IPv4 only:
DNSMASQ_CLIENT_ID if the host provided a client-id. DNSMASQ_CLIENT_ID if the host provided a client-id.
DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID, DNSMASQ_REMOTE_ID if a DHCP relay-agent added any of DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID, DNSMASQ_REMOTE_ID if a DHCP relay-agent added any of
these options. these options.
If the client provides vendor-class, DNSMASQ_VENDOR_CLASS. If the client provides vendor-class, DNSMASQ_VENDOR_CLASS.
DNSMASQ_REQUESTED_OPTIONS a string containing the decimal value s in the Parameter Request List DNSMASQ_REQUESTED_OPTIONS a string containing the decimal values i n the Parameter Request List
option, comma separated, if the parameter request list option is p rovided by the client. option, comma separated, if the parameter request list option is p rovided by the client.
For IPv6 only: For IPv6 only:
If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID, cont aining the IANA enterprise id If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID, co ntaining the IANA enterprise id
for the class, and DNSMASQ_VENDOR_CLASS0..DNSMASQ_VENDOR_CLASSn fo r the data. for the class, and DNSMASQ_VENDOR_CLASS0..DNSMASQ_VENDOR_CLASSn fo r the data.
DNSMASQ_SERVER_DUID containing the DUID of the server: this is the same for every call to the DNSMASQ_SERVER_DUID containing the DUID of the server: this is the same for every call to the
script. script.
DNSMASQ_IAID containing the IAID for the lease. If the lease is a temporary allocation, this is DNSMASQ_IAID containing the IAID for the lease. If the lease is a temporary allocation, this is
prefixed to 'T'. prefixed to 'T'.
DNSMASQ_MAC containing the MAC address of the client, if known. DNSMASQ_MAC containing the MAC address of the client, if known.
Note that the supplied hostname, vendorclass and userclass d Note that the supplied hostname, vendorclass and userclass data
ata is only supplied for "add" is only supplied for "add"
actions or "old" actions when a host resumes an existing lease, si actions or "old" actions when a host resumes an existing lease, s
nce these data are not held in ince these data are not held in
dnsmasq's lease database. dnsmasq's lease database.
All file descriptors are closed except stdin, which is open to / All file descriptors are closed except stdin, which is open to /de
dev/null, and stdout and stderr v/null, and stdout and stderr
which capture output for logging by dnsmasq. (In debug mode, stdi which capture output for logging by dnsmasq. (In debug mode, st
o, stdout and stderr file are dio, stdout and stderr file are
left as those inherited from the invoker of dnsmasq). left as those inherited from the invoker of dnsmasq).
The script is not invoked concurrently: at most one instance of t he script is ever running (dns- The script is not invoked concurrently: at most one instance of th e script is ever running (dns-
masq waits for an instance of script to exit before running the ne xt). Changes to the lease data- masq waits for an instance of script to exit before running the ne xt). Changes to the lease data-
base are which require the script to be invoked are queued await base are which require the script to be invoked are queued awaitin
ing exit of a running instance. g exit of a running instance.
If this queueing allows multiple state changes occur to a single l If this queueing allows multiple state changes occur to a single
ease before the script can be lease before the script can be
run then earlier states are discarded and the current state of t run then earlier states are discarded and the current state of tha
hat lease is reflected when the t lease is reflected when the
script finally runs. script finally runs.
At dnsmasq startup, the script will be invoked for all existing le ases as they are read from the At dnsmasq startup, the script will be invoked for all existing l eases as they are read from the
lease file. Expired leases will be called with "del" and others wi th "old". When dnsmasq receives lease file. Expired leases will be called with "del" and others wi th "old". When dnsmasq receives
a HUP signal, the script will be invoked for existing leases with an "old" event. a HUP signal, the script will be invoked for existing leases with an "old" event.
There are four further actions which may appear as the first argu ment to the script, "init", There are four further actions which may appear as the first argument to the script, "init",
"arp-add", "arp-del" and "tftp". More may be added in the future, so scripts should be written to "arp-add", "arp-del" and "tftp". More may be added in the future, so scripts should be written to
ignore unknown actions. "init" is described below in --leasefile-r ignore unknown actions. "init" is described below in --leasefile-
o The "tftp" action is invoked ro The "tftp" action is invoked
when a TFTP file transfer completes: the arguments are the fil when a TFTP file transfer completes: the arguments are the file si
e size in bytes, the address to ze in bytes, the address to
which the file was sent, and the complete pathname of the file. which the file was sent, and the complete pathname of the file.
The "arp-add" and "arp-del" actions are only called if enabled wit h --script-arp They are are The "arp-add" and "arp-del" actions are only called if enabled with --script-arp They are are
supplied with a MAC address and IP address as arguments. "arp-add" indicates the arrival of a new supplied with a MAC address and IP address as arguments. "arp-add" indicates the arrival of a new
entry in the ARP or neighbour table, and "arp-del" indicates the d eletion of same. entry in the ARP or neighbour table, and "arp-del" indicates the d eletion of same.
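Review bot: the --dhcp-script entry states that the process runs as root even when dnsmasq drops to an unprivileged user, but it never points the reader at --dhcp-scriptuser. It also does not say that DNSMASQ_SUPPLIED_HOSTNAME, DNSMASQ_USER_CLASSn, DNSMASQ_VENDOR_CLASS and DNSMASQ_CLIENT_ID carry data chosen by the client. I would add a cross-reference to --dhcp-scriptuser beside the "run as root" sentence, and one sentence telling script authors to treat those variables as untrusted input. Several wording slips are carried over unchanged on both sides of this entry:
- "-6 --dhcp-script" lacks the comma the other short options use.
- "stdio, stdout and stderr file are" presumably means stdin.
- "base are which require" has a stray "are".
- "allows multiple state changes occur" should read "to occur".
- "prefixed to 'T'" should be "prefixed with 'T'".
- "--script-arp They are are" drops a full stop and doubles "are".
- "--leasefile-ro The "tftp" action" is missing a full stop.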
--dhcp-luascript=<path> --dhcp-luascript=<path>
Specify a script written in Lua, to be run when leases are created Specify a script written in Lua, to be run when leases are create
, destroyed or changed. To use d, destroyed or changed. To use
this option, dnsmasq must be compiled with the correct suppo this option, dnsmasq must be compiled with the correct support.
rt. The Lua interpreter is ini- The Lua interpreter is ini-
tialised once, when dnsmasq starts, so that global variables persi tialised once, when dnsmasq starts, so that global variables pe
st between lease events. The rsist between lease events. The
Lua code must define a lease function, and may provide init an Lua code must define a lease function, and may provide init and s
d shutdown functions, which are hutdown functions, which are
called, without arguments when dnsmasq starts up and terminates. I t may also provide a tftp func- called, without arguments when dnsmasq starts up and terminates. I t may also provide a tftp func-
tion. tion.
The lease function receives the information detailed in --dhcp- The lease function receives the information detailed in --dhcp-scr
script. It gets two arguments, ipt. It gets two arguments,
firstly the action, which is a string containing, "add", "old" or firstly the action, which is a string containing, "add", "old" or
"del", and secondly a table of "del", and secondly a table of
tag value pairs. The tags mostly correspond to the environmen tag value pairs. The tags mostly correspond to the environment v
t variables detailed above, for ariables detailed above, for
instance the tag "domain" holds the same data as the environment v instance the tag "domain" holds the same data as the environment
ariable DNSMASQ_DOMAIN. There variable DNSMASQ_DOMAIN. There
are a few extra tags which hold the data supplied as argumen are a few extra tags which hold the data supplied as arguments
ts to --dhcp-script. These are to --dhcp-script. These are
mac_address, ip_address and hostname for IPv4, and client_duid, ip _address and hostname for IPv6. mac_address, ip_address and hostname for IPv4, and client_duid, ip _address and hostname for IPv6.
The tftp function is called in the same way as the lease function, and the table holds the tags The tftp function is called in the same way as the lease functio n, and the table holds the tags
destination_address, file_name and file_size. destination_address, file_name and file_size.
The arp and arp-old functions are called only when enabled wit h --script-arp and have a table The arp and arp-old functions are called only when enabled with -- script-arp and have a table
which holds the tags mac_address and client_address. which holds the tags mac_address and client_address.
--dhcp-scriptuser --dhcp-scriptuser
Specify the user as which to run the lease-change script or Lua sc ript. This defaults to root, Specify the user as which to run the lease-change script or Lua script. This defaults to root,
but can be changed to another user using this flag. but can be changed to another user using this flag.
--script-arp --script-arp
Enable the "arp" and "arp-old" functions in the --dhcp-script and --dhcp-luascript. Enable the "arp" and "arp-old" functions in the --dhcp-script and --dhcp-luascript.
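Review bot: the ARP hooks are named inconsistently across these entries: --dhcp-script documents the actions as "arp-add" and "arp-del", while --dhcp-luascript and --script-arp both speak of "arp" and "arp-old" functions. Either use one pair of names throughout, or state explicitly that the Lua function names differ from the action strings passed to the shell script. Also, --dhcp-scriptuser is shown with no argument placeholder although its text says a user is specified. A form such as "--dhcp-scriptuser=<username>" would match how the neighbouring options are written.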
-9, --leasefile-ro -9, --leasefile-ro
Completely suppress use of the lease database file. The file will Completely suppress use of the lease database file. The file will
not be created, read, or writ- not be created, read, or writ-
ten. Change the way the lease-change script (if one is provided) i ten. Change the way the lease-change script (if one is provide
s called, so that the lease d) is called, so that the lease
database may be maintained in external storage by the script. database may be maintained in external storage by the script. In
In addition to the invocations addition to the invocations
given in --dhcp-script the lease-change script is called once, at given in --dhcp-script the lease-change script is called once, at
dnsmasq startup, with the sin- dnsmasq startup, with the sin-
gle argument "init". When called like this the script should wri gle argument "init". When called like this the script should write
te the saved state of the lease the saved state of the lease
database, in dnsmasq leasefile format, to stdout and exit with z database, in dnsmasq leasefile format, to stdout and exit wi
ero exit code. Setting this th zero exit code. Setting this
option also forces the leasechange script to be called on cha option also forces the leasechange script to be called on changes
nges to the client-id and lease to the client-id and lease
length and expiry time. length and expiry time.
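Review bot: the --leasefile-ro entry spells the same thing two ways, "lease-change script" in its second and third sentences and "leasechange script" in the last one. Pick the hyphenated form used elsewhere on the page. The sentence beginning "Change the way the lease-change script ... is called" also has no subject; "This option also changes the way ..." would read as a description rather than an instruction.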
--script-on-renewal --script-on-renewal
Call the DHCP script when the lease expiry time changes, for insta nce when the lease is renewed. Call the DHCP script when the lease expiry time changes, for insta nce when the lease is renewed.
--bridge-interface=<interface>,<alias>[,<alias>] --bridge-interface=<interface>,<alias>[,<alias>]
Treat DHCP (v4 and v6) requests and IPv6 Router Solicit packets ar riving at any of the <alias> Treat DHCP (v4 and v6) requests and IPv6 Router Solicit packets arriving at any of the <alias>
interfaces as if they had arrived at <interface>. This option all ows dnsmasq to provide DHCP and interfaces as if they had arrived at <interface>. This option all ows dnsmasq to provide DHCP and
RA service over unaddressed and unbridged Ethernet interfaces, e.g RA service over unaddressed and unbridged Ethernet interfaces, e.
. on an OpenStack compute host g. on an OpenStack compute host
where each such interface is a TAP interface to a VM, or as in "o where each such interface is a TAP interface to a VM, or as in "ol
ld style bridging" on BSD plat- d style bridging" on BSD plat-
forms. A trailing '*' wildcard can be used in each <alias>. forms. A trailing '*' wildcard can be used in each <alias>.
It is permissible to add more than one alias using more than one - It is permissible to add more than one alias using more than one
-bridge-interface option since --bridge-interface option since
--bridge-interface=int1,alias1,alias2 is exactly equivalent to --bridge-interface=int1,alias1,alias2 is exactly equivalent to
--bridge-interface=int1,alias1 --bridge-interface=int1,alias1
--bridge-interface=int1,alias2 --bridge-interface=int1,alias2
--shared-network=<interface>,<addr> --shared-network=<interface>,<addr>
--shared-network=<addr>,<addr> --shared-network=<addr>,<addr>
The DHCP server determines which DHCP ranges are useable for alloc The DHCP server determines which DHCP ranges are useable for
ating an address to a DHCP allocating an address to a DHCP
client based on the network from which the DHCP request arrives, client based on the network from which the DHCP request arrives, a
and the IP configuration of the nd the IP configuration of the
server's interface on that network. The shared-network option exte server's interface on that network. The shared-network option ext
nds the available subnets (and ends the available subnets (and
therefore DHCP ranges) beyond the subnets configured on the arriva l interface. therefore DHCP ranges) beyond the subnets configured on the arriva l interface.
The first argument is either the name of an interface, or an The first argument is either the name of an interface, or an addre
address that is configured on a ss that is configured on a
local interface, and the second argument is an address which defi local interface, and the second argument is an address which
nes another subnet on which defines another subnet on which
addresses can be allocated. addresses can be allocated.
To be useful, there must be a suitable dhcp-range which allows ad dress allocation on this subnet To be useful, there must be a suitable dhcp-range which allows add ress allocation on this subnet
and this dhcp-range MUST include the netmask. and this dhcp-range MUST include the netmask.
Using shared-network also needs extra consideration of routing. Dn Using shared-network also needs extra consideration of routing.
smasq does not have the usual Dnsmasq does not have the usual
information that it uses to determine the default route, so the information that it uses to determine the default route, so the de
default route option (or other fault route option (or other
routing) MUST be configured manually. The client must have a route routing) MUST be configured manually. The client must have a r
to the server: if the two- oute to the server: if the two-
address form of shared-network is used, this needs to be to the address form of shared-network is used, this needs to be to the fi
first specified address. If the rst specified address. If the
interface,address form is used, there must be a route to all of th interface,address form is used, there must be a route to all of
e addresses configured on the the addresses configured on the
interface. interface.
The two-address form of shared-network is also usable with a DHCP relay: the first address is the The two-address form of shared-network is also usable with a DHCP relay: the first address is the
address of the relay and the second, as before, specifies an extra subnet which addresses may be address of the relay and the second, as before, specifies an extr a subnet which addresses may be
allocated from. allocated from.
-s, --domain=<domain>[,<address range>[,local]] -s, --domain=<domain>[,<address range>[,local]]
Specifies DNS domains for the DHCP server. Domains may be be giv Specifies DNS domains for the DHCP server. Domains may be be given
en unconditionally (without the unconditionally (without the
IP range) or for limited IP ranges. This has two effects; firstly IP range) or for limited IP ranges. This has two effects; first
it causes the DHCP server to ly it causes the DHCP server to
return the domain to any hosts which request it, and secondly return the domain to any hosts which request it, and secondly it s
it sets the domain which it is ets the domain which it is
legal for DHCP-configured hosts to claim. The intention is to con legal for DHCP-configured hosts to claim. The intention is to
strain hostnames so that an constrain hostnames so that an
untrusted host on the LAN cannot advertise its name via DHCP as e untrusted host on the LAN cannot advertise its name via DHCP as e.
.g. "microsoft.com" and capture g. "microsoft.com" and capture
traffic not meant for it. If no domain suffix is specified, then a traffic not meant for it. If no domain suffix is specified, then
ny DHCP hostname with a domain any DHCP hostname with a domain
part (ie with a period) will be disallowed and logged. If suff part (ie with a period) will be disallowed and logged. If suffix
ix is specified, then hostnames is specified, then hostnames
with a domain part are allowed, provided the domain part matches t with a domain part are allowed, provided the domain part matches
he suffix. In addition, when a the suffix. In addition, when a
suffix is set then hostnames without a domain part have the suf suffix is set then hostnames without a domain part have the suffix
fix added as an optional domain added as an optional domain
part. Eg on my network I can set --domain=thekelleys.org.uk and ha part. Eg on my network I can set --domain=thekelleys.org.uk and
ve a machine whose DHCP host- have a machine whose DHCP host-
name is "laptop". The IP address for that machine is available fr name is "laptop". The IP address for that machine is available fro
om dnsmasq both as "laptop" and m dnsmasq both as "laptop" and
"laptop.thekelleys.org.uk". If the domain is given as "#" then the "laptop.thekelleys.org.uk". If the domain is given as "#" then th
domain is read from the first e domain is read from the first
"search" directive in /etc/resolv.conf (or equivalent). "search" directive in /etc/resolv.conf (or equivalent).
The address range can be of the form <ip address>,<ip address> or <ip address>/<netmask> or just The address range can be of the form <ip address>,<ip address> or <ip address>/<netmask> or just
a single <ip address>. See --dhcp-fqdn which can change the behavi our of dnsmasq with domains. a single <ip address>. See --dhcp-fqdn which can change the behavi our of dnsmasq with domains.
If the address range is given as ip-address/network-size, then a a dditional flag "local" may be If the address range is given as ip-address/network-size, then a additional flag "local" may be
supplied which has the effect of adding --local declarations for f orward and reverse DNS queries. supplied which has the effect of adding --local declarations for f orward and reverse DNS queries.
Eg. --domain=thekelleys.org.uk,192.168.0.0/24,local is iden Eg. --domain=thekelleys.org.uk,192.168.0.0/24,local is id
tical to --domain=thekel- entical to --domain=thekel-
leys.org.uk,192.168.0.0/24 --local=/thekelleys.org.uk/ --local=/0 leys.org.uk,192.168.0.0/24 --local=/thekelleys.org.uk/ --local=/0.
.168.192.in-addr.arpa/ The net- 168.192.in-addr.arpa/ The net-
work size must be 8, 16 or 24 for this to be legal. work size must be 8, 16 or 24 for this to be legal.
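Review bot: two typos in the --domain entry are carried over unchanged on both sides: "Domains may be be given" (doubled "be") and "then a additional flag" (should be "an additional flag"). The "Eg." sentence also runs the two equivalent command lines together with no punctuation between "--local=/0.168.192.in-addr.arpa/" and "The network size". A full stop there, and ideally each command line set on its own line, would make the equivalence readable.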
--dhcp-fqdn --dhcp-fqdn
In the default mode, dnsmasq inserts the unqualified names of DHCP clients into the DNS. For this In the default mode, dnsmasq inserts the unqualified names of DHCP clients into the DNS. For this
reason, the names must be unique, even if two clients which have reason, the names must be unique, even if two clients which have t
the same name are in different he same name are in different
domains. If a second DHCP client appears which has the same name a domains. If a second DHCP client appears which has the same name
s an existing client, the name as an existing client, the name
is transferred to the new client. If --dhcp-fqdn is set, this beh is transferred to the new client. If --dhcp-fqdn is set, this beha
aviour changes: the unqualified viour changes: the unqualified
name is no longer put in the DNS, only the qualified name. Two DHC name is no longer put in the DNS, only the qualified name. Two
P clients with the same name DHCP clients with the same name
may both keep the name, provided that the domain part is differen may both keep the name, provided that the domain part is different
t (ie the fully qualified names (ie the fully qualified names
differ.) To ensure that all names have a domain part, there must b differ.) To ensure that all names have a domain part, there must
e at least --domain without an be at least --domain without an
address specified when --dhcp-fqdn is set. address specified when --dhcp-fqdn is set.
--dhcp-client-update --dhcp-client-update
Normally, when giving a DHCP lease, dnsmasq sets flags in the FQD Normally, when giving a DHCP lease, dnsmasq sets flags in the FQDN
N option to tell the client not option to tell the client not
to attempt a DDNS update with its name and IP address. This is bec to attempt a DDNS update with its name and IP address. This is be
ause the name-IP pair is auto- cause the name-IP pair is auto-
matically added into dnsmasq's DNS view. This flag suppresses that behaviour, this is useful, for matically added into dnsmasq's DNS view. This flag suppresses that behaviour, this is useful, for
instance, to allow Windows clients to update Active Directory serv ers. See RFC 4702 for details. instance, to allow Windows clients to update Active Directory serv ers. See RFC 4702 for details.
--enable-ra --enable-ra
Enable dnsmasq's IPv6 Router Advertisement feature. DHCPv6 doesn't handle complete network con- Enable dnsmasq's IPv6 Router Advertisement feature. DHCPv6 doesn 't handle complete network con-
figuration in the same way as DHCPv4. Router discovery and (possib ly) prefix discovery for auton- figuration in the same way as DHCPv4. Router discovery and (possib ly) prefix discovery for auton-
omous address creation are handled by a different protocol. When D HCP is in use, only a subset of omous address creation are handled by a different protocol. When D HCP is in use, only a subset of
this is needed, and dnsmasq can handle it, using existing DHC this is needed, and dnsmasq can handle it, using existing DHCP c
P configuration to provide most onfiguration to provide most
data. When RA is enabled, dnsmasq will advertise a prefix for eac data. When RA is enabled, dnsmasq will advertise a prefix for
h --dhcp-range, with default each --dhcp-range, with default
router as the relevant link-local address on the machine running router as the relevant link-local address on the machine running
dnsmasq. By default, the "man- dnsmasq. By default, the "man-
aged address" bits are set, and the "use SLAAC" bit is reset. This aged address" bits are set, and the "use SLAAC" bit is reset. Thi
can be changed for individual s can be changed for individual
subnets with the mode keywords described in --dhcp-range. RFC6106 DNS parameters are included in subnets with the mode keywords described in --dhcp-range. RFC6106 DNS parameters are included in
the advertisements. By default, the relevant link-local address of the machine running dnsmasq is the advertisements. By default, the relevant link-local address of the machine running dnsmasq is
sent as recursive DNS server. If provided, the DHCPv6 options d ns-server and domain-search are sent as recursive DNS server. If provided, the DHCPv6 options dns- server and domain-search are
used for the DNS server (RDNSS) and the domain search list (DNSSL) . used for the DNS server (RDNSS) and the domain search list (DNSSL) .
--ra-param=<interface>,[mtu:<integer>|<interface>|off,][high,|low,]<ra-in terval>[,<router lifetime>] --ra-param=<interface>,[mtu:<integer>|<interface>|off,][high,|low,]<ra-in terval>[,<router lifetime>]
Set non-default values for router advertisements sent via an inter Set non-default values for router advertisements sent via an in
face. The priority field for terface. The priority field for
the router may be altered from the default of medium with eg --ra the router may be altered from the default of medium with eg --ra-
-param=eth0,high. The interval param=eth0,high. The interval
between router advertisements may be set (in seconds) with --ra-pa between router advertisements may be set (in seconds) with --ra-
ram=eth0,60. The lifetime of param=eth0,60. The lifetime of
the route may be changed or set to zero, which allows a router the route may be changed or set to zero, which allows a router to
to advertise prefixes but not a advertise prefixes but not a
route via itself. --ra-param=eth0,0,0 (A value of zero for the route via itself. --ra-param=eth0,0,0 (A value of zero for
interval means the default the interval means the default
value.) All four parameters may be set at once. --ra-param=eth0,m tu:1280,low,60,1200 value.) All four parameters may be set at once. --ra-param=eth0,m tu:1280,low,60,1200
The interface field may include a wildcard. The interface field may include a wildcard.
The mtu: parameter may be an arbitrary interface name, in wh The mtu: parameter may be an arbitrary interface name, in which c
ich case the MTU value for that ase the MTU value for that
interface is used. This is useful for (eg) advertising the MTU of interface is used. This is useful for (eg) advertising the MTU
a WAN interface on the other of a WAN interface on the other
interfaces of a router. interfaces of a router.
--dhcp-reply-delay=[tag:<tag>,]<integer> --dhcp-reply-delay=[tag:<tag>,]<integer>
Delays sending DHCPOFFER and PROXYDHCP replies for at least t he specified number of seconds. Delays sending DHCPOFFER and PROXYDHCP replies for at least the specified number of seconds.
This can be used as workaround for bugs in PXE boot firmware that does not function properly when This can be used as workaround for bugs in PXE boot firmware that does not function properly when
receiving an instant reply. This option takes into account the t ime already spent waiting (e.g. receiving an instant reply. This option takes into account the ti me already spent waiting (e.g.
performing ping check) if any. performing ping check) if any.
--enable-tftp[=<interface>[,<interface>]] --enable-tftp[=<interface>[,<interface>]]
Enable the TFTP server function. This is deliberately limited to Enable the TFTP server function. This is deliberately limit
that needed to net-boot a ed to that needed to net-boot a
client. Only reading is allowed; the tsize and blksize extensio client. Only reading is allowed; the tsize and blksize extensions
ns are supported (tsize is only are supported (tsize is only
supported in octet mode). Without an argument, the TFTP service is supported in octet mode). Without an argument, the TFTP service
provided to the same set of is provided to the same set of
interfaces as DHCP service. If the list of interfaces is provided , that defines which interfaces interfaces as DHCP service. If the list of interfaces is provided , that defines which interfaces
receive TFTP service. receive TFTP service.
--tftp-root=<directory>[,<interface>] --tftp-root=<directory>[,<interface>]
Look for files to transfer using TFTP relative to the given direct ory. When this is set, TFTP Look for files to transfer using TFTP relative to the given di rectory. When this is set, TFTP
paths which include ".." are rejected, to stop clients getting out side the specified root. Abso- paths which include ".." are rejected, to stop clients getting out side the specified root. Abso-
lute paths (starting with /) are allowed, but they must be within the tftp-root. If the optional lute paths (starting with /) are allowed, but they must be within the tftp-root. If the optional
interface argument is given, the directory is only used for TFTP r equests via that interface. interface argument is given, the directory is only used for TFTP r equests via that interface.
--tftp-no-fail --tftp-no-fail
Do not abort startup if specified tftp root directories are inacce ssible. Do not abort startup if specified tftp root directories are inacce ssible.
--tftp-unique-root[=ip|mac] --tftp-unique-root[=ip|mac]
Add the IP or hardware address of the TFTP client as a path co mponent on the end of the TFTP- Add the IP or hardware address of the TFTP client as a path compon ent on the end of the TFTP-
root. Only valid if a --tftp-root is set and the directory exists. Defaults to adding IP address root. Only valid if a --tftp-root is set and the directory exists. Defaults to adding IP address
(in standard dotted-quad format). For instance, if --tftp-roo (in standard dotted-quad format). For instance, if --tftp-root is
t is "/tftp" and client 1.2.3.4 "/tftp" and client 1.2.3.4
requests file "myfile" then the effective path will be "/tftp/1.2 requests file "myfile" then the effective path will be "/tftp/1
.3.4/myfile" if /tftp/1.2.3.4 .2.3.4/myfile" if /tftp/1.2.3.4
exists or /tftp/myfile otherwise. When "=mac" is specified exists or /tftp/myfile otherwise. When "=mac" is specified it
it will append the MAC address will append the MAC address
instead, using lowercase zero padded digits separated by dashes, instead, using lowercase zero padded digits separated by dashe
e.g.: 01-02-03-04-aa-bb Note s, e.g.: 01-02-03-04-aa-bb Note
that resolving MAC addresses is only possible if the client is in the local network or obtained a that resolving MAC addresses is only possible if the client is in the local network or obtained a
DHCP lease from us. DHCP lease from us.
--tftp-secure --tftp-secure
Enable TFTP secure mode: without this, any file which is readable Enable TFTP secure mode: without this, any file which is readab
by the dnsmasq process under le by the dnsmasq process under
normal unix access-control rules is available via TFTP. When t normal unix access-control rules is available via TFTP. When the
he --tftp-secure flag is given, --tftp-secure flag is given,
only files owned by the user running the dnsmasq process are acces only files owned by the user running the dnsmasq process are acce
sible. If dnsmasq is being run ssible. If dnsmasq is being run
as root, different rules apply: --tftp-secure has no effect, but o nly files which have the world- as root, different rules apply: --tftp-secure has no effect, but o nly files which have the world-
readable bit set are accessible. It is not recommended to run dnsm readable bit set are accessible. It is not recommended to run dns
asq as root with TFTP enabled, masq as root with TFTP enabled,
and certainly not without specifying --tftp-root. Doing so can ex and certainly not without specifying --tftp-root. Doing so can exp
pose any world-readable file on ose any world-readable file on
the server to any host on the net. the server to any host on the net.
--tftp-lowercase --tftp-lowercase
Convert filenames in TFTP requests to all lowercase. This is usefu Convert filenames in TFTP requests to all lowercase. This is u
l for requests from Windows seful for requests from Windows
machines, which have case-insensitive filesystems and tend to p machines, which have case-insensitive filesystems and tend to play
lay fast-and-loose with case in fast-and-loose with case in
filenames. Note that dnsmasq's tftp server always converts "\" to "/" in filenames. filenames. Note that dnsmasq's tftp server always converts "\" to "/" in filenames.
--tftp-max=<connections> --tftp-max=<connections>
Set the maximum number of concurrent TFTP connections allowed. Thi Set the maximum number of concurrent TFTP connections allowed. Th
s defaults to 50. When serving is defaults to 50. When serving
a large number of TFTP connections, per-process file descriptor a large number of TFTP connections, per-process file descriptor li
limits may be encountered. Dns- mits may be encountered. Dns-
masq needs one file descriptor for each concurrent TFTP connection masq needs one file descriptor for each concurrent TFTP connect
and one file descriptor per ion and one file descriptor per
unique file (plus a few others). So serving the same file simul unique file (plus a few others). So serving the same file simultan
taneously to n clients will use eously to n clients will use
require about n + 10 file descriptors, serving different files sim require about n + 10 file descriptors, serving different files s
ultaneously to n clients will imultaneously to n clients will
require about (2*n) + 10 descriptors. If --tftp-port-range is gi require about (2*n) + 10 descriptors. If --tftp-port-range is give
ven, that can affect the number n, that can affect the number
of concurrent connections. of concurrent connections.
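Review bot: in the --tftp-max entry, "serving the same file simultaneously to n clients will use require about n + 10 file descriptors" has two verbs; drop "use" so the clause matches the next one ("will require about (2*n) + 10 descriptors"). The closing sentence says --tftp-port-range "can affect the number of concurrent connections" without saying how, while the --tftp-port-range entry states that the number is limited by the size of the port range; say that here or point to that entry, since this is the text operators use to size descriptor limits.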
--tftp-mtu=<mtu size> --tftp-mtu=<mtu size>
Use size as the ceiling of the MTU supported by the intervening n etwork when negotiating TFTP Use size as the ceiling of the MTU supported by the intervenin g network when negotiating TFTP
blocksize, overriding the MTU setting of the local interface if i t is larger. blocksize, overriding the MTU setting of the local interface if i t is larger.
--tftp-no-blocksize --tftp-no-blocksize
Stop the TFTP server from negotiating the "blocksize" option wi th a client. Some buggy clients Stop the TFTP server from negotiating the "blocksize" option with a client. Some buggy clients
request this option but then behave badly when it is granted. request this option but then behave badly when it is granted.
--tftp-port-range=<start>,<end> --tftp-port-range=<start>,<end>
A TFTP server listens on a well-known port (69) for connection ini A TFTP server listens on a well-known port (69) for connection
tiation, but it also uses a initiation, but it also uses a
dynamically-allocated port for each connection. Normally these ar dynamically-allocated port for each connection. Normally these are
e allocated by the OS, but this allocated by the OS, but this
option specifies a range of ports for use by TFTP transfers. This option specifies a range of ports for use by TFTP transfers. This
can be useful when TFTP has to can be useful when TFTP has to
traverse a firewall. The start of the range cannot be lower than traverse a firewall. The start of the range cannot be lower than 1
1025 unless dnsmasq is running 025 unless dnsmasq is running
as root. The number of concurrent TFTP connections is limited by t he size of the port range. as root. The number of concurrent TFTP connections is limited by t he size of the port range.
--tftp-single-port --tftp-single-port
Run in a mode where the TFTP server uses ONLY the well-known port Run in a mode where the TFTP server uses ONLY the well-known po
(69) for its end of the TFTP rt (69) for its end of the TFTP
transfer. This allows TFTP to work when there in NAT is the path transfer. This allows TFTP to work when there in NAT is the path b
between client and server. Note etween client and server. Note
that this is not strictly compliant with the RFCs specifying the T that this is not strictly compliant with the RFCs specifying the
FTP protocol: use at your own TFTP protocol: use at your own
risk. risk.
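Review bot: the --tftp-single-port entry has "in" and "is" transposed in "This allows TFTP to work when there in NAT is the path between client and server", unchanged between the two versions; it should read "when there is NAT in the path". The caveat "not strictly compliant with the RFCs specifying the TFTP protocol: use at your own risk" does not say which behaviour deviates; a short clause naming it would let an operator judge the risk.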
-C, --conf-file=<file> -C, --conf-file=<file>
Specify a configuration file. The presence of this option stops d nsmasq from reading the default Specify a configuration file. The presence of this option stops dn smasq from reading the default
configuration file (normally /etc/dnsmasq.conf). Multiple files ma y be specified by repeating the configuration file (normally /etc/dnsmasq.conf). Multiple files ma y be specified by repeating the
option either on the command line or in configuration files. A fi lename of "-" causes dnsmasq to option either on the command line or in configuration files. A fil ename of "-" causes dnsmasq to
read configuration from stdin. read configuration from stdin.
-7, --conf-dir=<directory>[,<file-extension>......], -7, --conf-dir=<directory>[,<file-extension>......],
Read all the files in the given directory as configuration files. Read all the files in the given directory as configuration files.
If extension(s) are given, any If extension(s) are given, any
files which end in those extensions are skipped. Any files whose files which end in those extensions are skipped. Any files whose n
names end in ~ or start with . ames end in ~ or start with .
or start and end with # are always skipped. If the extension start or start and end with # are always skipped. If the extension star
s with * then only files which ts with * then only files which
have that extension are loaded. So --conf-dir=/path/to/dir,*.conf loads all files with the suffix have that extension are loaded. So --conf-dir=/path/to/dir,*.conf loads all files with the suffix
.conf in /path/to/dir. This flag may be given on the command line .conf in /path/to/dir. This flag may be given on the command line
or in a configuration file. If or in a configuration file. If
giving it on the command line, be sure to escape * characters. F giving it on the command line, be sure to escape * characters. Fil
iles are loaded in alphabetical es are loaded in alphabetical
order of filename. order of filename.
--servers-file=<file> --servers-file=<file>
A special case of --conf-file which differs in two respects. First ly, only --server and --rev- A special case of --conf-file which differs in two respects. Fi rstly, only --server and --rev-
server are allowed in the configuration file included. Secondly, t he file is re-read and the con- server are allowed in the configuration file included. Secondly, t he file is re-read and the con-
figuration therein is updated when dnsmasq receives SIGHUP. figuration therein is updated when dnsmasq receives SIGHUP.
CONFIG FILE CONFIG FILE
At startup, dnsmasq reads /etc/dnsmasq.conf, if it exists. (On FreeBSD, t At startup, dnsmasq reads /etc/dnsmasq.conf, if it exists. (On FreeBSD,
he file is /usr/local/etc/dns- the file is /usr/local/etc/dns-
masq.conf ) (but see the --conf-file and --conf-dir options.) The form masq.conf ) (but see the --conf-file and --conf-dir options.) The format
at of this file consists of one of this file consists of one
option per line, exactly as the long options detailed in the OPTIONS sect option per line, exactly as the long options detailed in the OPTIONS
ion but without the leading section but without the leading
"--". Lines starting with # are comments and ignored. For options which "--". Lines starting with # are comments and ignored. For options which m
may only be specified once, the ay only be specified once, the
configuration file overrides the command line. Quoting is allowed in a c configuration file overrides the command line. Quoting is allowed in
onfig file: between " quotes a config file: between " quotes
the special meanings of ,:. and # are removed and the following escapes the special meanings of ,:. and # are removed and the following escapes a
are allowed: \\ \" \t \e \b \r re allowed: \\ \" \t \e \b \r
and \n. The later corresponding to tab, escape, backspace, return and new line. and \n. The later corresponding to tab, escape, backspace, return and new line.
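Review bot: in CONFIG FILE, "The later corresponding to tab, escape, backspace, return and new line" should use "latter", and even corrected it is ambiguous: seven escapes are listed (\\ \" \t \e \b \r and \n) but only five meanings are given. Suggest a full sentence such as "the last five correspond to tab, escape, backspace, return and newline". The FreeBSD parenthesis also has a stray space before ")" and is followed directly by a second parenthesis ("masq.conf ) (but see the --conf-file and --conf-dir options.)"); merging the two would read better.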
NOTES NOTES
When it receives a SIGHUP, dnsmasq clears its cache and then re-loads /et c/hosts and /etc/ethers and any When it receives a SIGHUP, dnsmasq clears its cache and then re-loads /et c/hosts and /etc/ethers and any
file given by --dhcp-hostsfile, --dhcp-hostsdir, --dhcp-optsfile, - file given by --dhcp-hostsfile, --dhcp-hostsdir, --dhcp-optsfile, --
-dhcp-optsdir, --addn-hosts or dhcp-optsdir, --addn-hosts or
--hostsdir. The DHCP lease change script is called for all existing DHCP --hostsdir. The DHCP lease change script is called for all existing D
leases. If --no-poll is set HCP leases. If --no-poll is set
SIGHUP also re-reads /etc/resolv.conf. SIGHUP does NOT re-read the confi guration file. SIGHUP also re-reads /etc/resolv.conf. SIGHUP does NOT re-read the confi guration file.
When it receives a SIGUSR1, dnsmasq writes statistics to the system log When it receives a SIGUSR1, dnsmasq writes statistics to the system log.
. It writes the cache size, the It writes the cache size, the
number of names which have had to removed from the cache before they expi number of names which have had to removed from the cache before they ex
red in order to make room for pired in order to make room for
new names and the total number of names that have been inserted into the cache. The number of cache hits new names and the total number of names that have been inserted into the cache. The number of cache hits
and misses and the number of authoritative queries answered are also give n. For each upstream server it and misses and the number of authoritative queries answered are also giv en. For each upstream server it
gives the number of queries sent, and the number which resulted in an err or. In --no-daemon mode or when gives the number of queries sent, and the number which resulted in an err or. In --no-daemon mode or when
full logging is enabled (--log-queries), a complete dump of the contents of the cache is made. full logging is enabled (--log-queries), a complete dump of the contents of the cache is made.
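Review bot: the SIGUSR1 paragraph says "the number of names which have had to removed from the cache before they expired"; the word "be" is missing ("have had to be removed"). The text is identical on both sides of the diff, so the re-flow is a good moment to fix it.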
The cache statistics are also available in the DNS as answers to queries of class CHAOS and type TXT in The cache statistics are also available in the DNS as answers to queries of class CHAOS and type TXT in
domain bind. The domain names are cachesize.bind, insertions.bind, evictions.bind, misses.bind, domain bind. The domain names are cachesize.bind, insertions.bind, evictions.bind, misses.bind,
hits.bind, auth.bind and servers.bind. An example command to query this, using the dig utility would be hits.bind, auth.bind and servers.bind. An example command to query this, using the dig utility would be
dig +short chaos txt cachesize.bind dig +short chaos txt cachesize.bind
When it receives SIGUSR2 and it is logging direct to a file (see --log-fa cility ) dnsmasq will close and When it receives SIGUSR2 and it is logging direct to a file (see --log-fa cility ) dnsmasq will close and
reopen the log file. Note that during this operation, dnsmasq will not be running as root. When it first reopen the log file. Note that during this operation, dnsmasq will not be running as root. When it first
creates the logfile dnsmasq changes the ownership of the file to the non creates the logfile dnsmasq changes the ownership of the file to th
-root user it will run as. e non-root user it will run as.
Logrotate should be configured to create a new log file with the owner Logrotate should be configured to create a new log file with the ownershi
ship which matches the existing p which matches the existing
one before sending SIGUSR2. If TCP DNS queries are in progress, the old one before sending SIGUSR2. If TCP DNS queries are in progress, the
logfile will remain open in old logfile will remain open in
child processes which are handling TCP queries and may continue to be w child processes which are handling TCP queries and may continue to be wri
ritten. There is a limit of 150 tten. There is a limit of 150
seconds, after which all existing TCP processes will have expired: for th seconds, after which all existing TCP processes will have expired: for
is reason, it is not wise to this reason, it is not wise to
configure logfile compression for logfiles which have just been rotated configure logfile compression for logfiles which have just been rotated.
. Using logrotate, the required Using logrotate, the required
options are create and delaycompress. options are create and delaycompress.
Dnsmasq is a DNS query forwarder: it is not capable of recursively answer Dnsmasq is a DNS query forwarder: it is not capable of recursively answe
ing arbitrary queries starting ring arbitrary queries starting
from the root servers but forwards such queries to a fully recursive ups from the root servers but forwards such queries to a fully recursive upst
tream DNS server which is typi- ream DNS server which is typi-
cally provided by an ISP. By default, dnsmasq reads /etc/resolv.conf to d iscover the IP addresses of the cally provided by an ISP. By default, dnsmasq reads /etc/resolv.conf to d iscover the IP addresses of the
upstream nameservers it should use, since the information is typically st ored there. Unless --no-poll is upstream nameservers it should use, since the information is typically st ored there. Unless --no-poll is
used, dnsmasq checks the modification time of /etc/resolv.conf (or equiva used, dnsmasq checks the modification time of /etc/resolv.conf (or equiv
lent if --resolv-file is used) alent if --resolv-file is used)
and re-reads it if it changes. This allows the DNS servers to be set d and re-reads it if it changes. This allows the DNS servers to be set dyna
ynamically by PPP or DHCP since mically by PPP or DHCP since
both protocols provide the information. Absence of /etc/resolv.conf is n both protocols provide the information. Absence of /etc/resolv.conf i
ot an error since it may not s not an error since it may not
have been created before a PPP connection exists. Dnsmasq simply keeps ch ecking in case /etc/resolv.conf have been created before a PPP connection exists. Dnsmasq simply keeps ch ecking in case /etc/resolv.conf
is created at any time. Dnsmasq can be told to parse more than one resolv .conf file. This is useful on a is created at any time. Dnsmasq can be told to parse more than one resolv .conf file. This is useful on a
laptop, where both PPP and DHCP may be used: dnsmasq can be set to pol laptop, where both PPP and DHCP may be used: dnsmasq can be set to poll
l both /etc/ppp/resolv.conf and both /etc/ppp/resolv.conf and
/etc/dhcpc/resolv.conf and will use the contents of whichever changed las /etc/dhcpc/resolv.conf and will use the contents of whichever changed l
t, giving automatic switching ast, giving automatic switching
between DNS servers. between DNS servers.
Upstream servers may also be specified on the command line or in the c Upstream servers may also be specified on the command line or in the conf
onfiguration file. These server iguration file. These server
specifications optionally take a domain name which tells dnsmasq to use t specifications optionally take a domain name which tells dnsmasq to use
hat server only to find names that server only to find names
in that particular domain. in that particular domain.
In order to configure dnsmasq to act as cache for the host on which In order to configure dnsmasq to act as cache for the host on which it
it is running, put "nameserver is running, put "nameserver
127.0.0.1" in /etc/resolv.conf to force local processes to send queries t 127.0.0.1" in /etc/resolv.conf to force local processes to send queries
o dnsmasq. Then either specify to dnsmasq. Then either specify
the upstream servers directly to dnsmasq using --server options or put the upstream servers directly to dnsmasq using --server options or put th
their addresses real in another eir addresses real in another
file, say /etc/resolv.dnsmasq and run dnsmasq with the --resolv-file /et file, say /etc/resolv.dnsmasq and run dnsmasq with the --resolv-file /
c/resolv.dnsmasq option. This etc/resolv.dnsmasq option. This
second technique allows for dynamic update of the server addresses by PPP or DHCP. second technique allows for dynamic update of the server addresses by PPP or DHCP.
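Review bot: in the paragraph on using dnsmasq as a cache for the local host, "put their addresses real in another file" has the adjective misplaced; it should be "put their real addresses in another file". The option is also written as "--resolv-file /etc/resolv.dnsmasq" with a space, whereas option arguments elsewhere on the page are written with "=" (for example --conf-file=<file>); use one form throughout.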
Addresses in /etc/hosts will "shadow" different addresses for the sam e names in the upstream DNS, so Addresses in /etc/hosts will "shadow" different addresses for the same na mes in the upstream DNS, so
"mycompany.com 1.2.3.4" in /etc/hosts will ensure that queries for "mycom pany.com" always return 1.2.3.4 "mycompany.com 1.2.3.4" in /etc/hosts will ensure that queries for "mycom pany.com" always return 1.2.3.4
even if queries in the upstream DNS would otherwise return a different address. There is one exception even if queries in the upstream DNS would otherwise return a different ad dress. There is one exception
to this: if the upstream DNS contains a CNAME which points to a shadowed name, then looking up the CNAME to this: if the upstream DNS contains a CNAME which points to a shadowed name, then looking up the CNAME
through dnsmasq will result in the unshadowed address associated with t he target of the CNAME. To work through dnsmasq will result in the unshadowed address associated with the target of the CNAME. To work
around this, add the CNAME to /etc/hosts so that the CNAME is shadowed to o. around this, add the CNAME to /etc/hosts so that the CNAME is shadowed to o.
The tag system works as follows: For each DHCP request, dnsmasq collects a set of valid tags from active The tag system works as follows: For each DHCP request, dnsmasq collects a set of valid tags from active
configuration lines which include set:<tag>, including one from the -- configuration lines which include set:<tag>, including one from the --dhc
dhcp-range used to allocate the p-range used to allocate the
address, one from any matching --dhcp-host (and "known" or "known-otherne address, one from any matching --dhcp-host (and "known" or "known-othe
t" if a --dhcp-host matches) rnet" if a --dhcp-host matches)
The tag "bootp" is set for BOOTP requests, and a tag whose name is the The tag "bootp" is set for BOOTP requests, and a tag whose name is the na
name of the interface on which me of the interface on which
the request arrived is also set. the request arrived is also set.
Any configuration lines which include one or more tag:<tag> constructs wi Any configuration lines which include one or more tag:<tag> constructs
ll only be valid if all that will only be valid if all that
tags are matched in the set derived above. Typically this is --dhcp-o tags are matched in the set derived above. Typically this is --dhcp-opti
ption. --dhcp-option which has on. --dhcp-option which has
tags will be used in preference to an untagged --dhcp-option, provided t tags will be used in preference to an untagged --dhcp-option, provided
hat _all_ the tags match some- that _all_ the tags match some-
where in the set collected as described above. The prefix '!' where in the set collected as described above. The prefix '!' on a
on a tag means 'not' so --dhcp- tag means 'not' so --dhcp-
option=tag:!purple,3,1.2.3.4 sends the option when the tag purple is not option=tag:!purple,3,1.2.3.4 sends the option when the tag purple is no
in the set of valid tags. (If t in the set of valid tags. (If
using this in a command line rather than a configuration file, be sur using this in a command line rather than a configuration file, be sure to
e to escape !, which is a shell escape !, which is a shell
metacharacter) metacharacter)
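Review bot: the tag-system paragraphs carry two slips that survive unchanged in this diff: "will only be valid if all that tags are matched" should be "all the tags", and the sentence ending "(and "known" or "known-othernet" if a --dhcp-host matches)" has no full stop before "The tag "bootp" is set for BOOTP requests". The closing parenthesis "(If using this in a command line ... which is a shell metacharacter)" also lacks its final full stop.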
When selecting --dhcp-options, a tag from --dhcp-range is second class re When selecting --dhcp-options, a tag from --dhcp-range is second class
lative to other tags, to make relative to other tags, to make
it easy to override options for individual hosts, so --dhcp-range it easy to override options for individual hosts, so --dhcp-range=
=set:interface1,...... --dhcp- set:interface1,...... --dhcp-
host=set:myhost,..... --dhcp-option=tag:interface1,option:nis-do host=set:myhost,..... --dhcp-option=tag:interface1,option:nis-d
main,"domain1" --dhcp- omain,"domain1" --dhcp-
option=tag:myhost,option:nis-domain,"domain2" will set the NIS-domain to domain1 for hosts in the range, option=tag:myhost,option:nis-domain,"domain2" will set the NIS-domain to domain1 for hosts in the range,
but override that to domain2 for a particular host. but override that to domain2 for a particular host.
Note that for --dhcp-range both tag:<tag> and set:<tag> are allowed, to b oth select the range in use Note that for --dhcp-range both tag:<tag> and set:<tag> are allowed, to both select the range in use
based on (eg) --dhcp-host, and to affect the options sent, based on the r ange selected. based on (eg) --dhcp-host, and to affect the options sent, based on the r ange selected.
This system evolved from an earlier, more limited one and for backward c ompatibility "net:" may be used This system evolved from an earlier, more limited one and for backward co mpatibility "net:" may be used
instead of "tag:" and "set:" may be omitted. (Except in --dhcp-host, wher e "net:" may be used instead of instead of "tag:" and "set:" may be omitted. (Except in --dhcp-host, wher e "net:" may be used instead of
"set:".) For the same reason, '#' may be used instead of '!' to indicate NOT. "set:".) For the same reason, '#' may be used instead of '!' to indicate NOT.
The DHCP server in dnsmasq will function as a BOOTP server also, provi ded that the MAC address and IP The DHCP server in dnsmasq will function as a BOOTP server also, provided that the MAC address and IP
address for clients are given, either using --dhcp-host configurations or in /etc/ethers , and a --dhcp- address for clients are given, either using --dhcp-host configurations or in /etc/ethers , and a --dhcp-
range configuration option is present to activate the DHCP server on a particular network. (Setting range configuration option is present to activate the DHCP server on a particular network. (Setting
--bootp-dynamic removes the need for static address mappings.) The filena me parameter in a BOOTP request --bootp-dynamic removes the need for static address mappings.) The filena me parameter in a BOOTP request
is used as a tag, as is the tag "bootp", allowing some control over th e options returned to different is used as a tag, as is the tag "bootp", allowing some control over the o ptions returned to different
classes of hosts. classes of hosts.
AUTHORITATIVE CONFIGURATION AUTHORITATIVE CONFIGURATION
Configuring dnsmasq to act as an authoritative DNS server is complicated Configuring dnsmasq to act as an authoritative DNS server is complicat
by the fact that it involves ed by the fact that it involves
configuration of external DNS servers to provide delegation. We will configuration of external DNS servers to provide delegation. We will walk
walk through three scenarios of through three scenarios of
increasing complexity. Prerequisites for all of these scenarios are a glo bally accessible IP address, an increasing complexity. Prerequisites for all of these scenarios are a glo bally accessible IP address, an
A or AAAA record pointing to that address, and an external DNS server cap able of doing delegation of the A or AAAA record pointing to that address, and an external DNS server cap able of doing delegation of the
zone in question. For the first part of this explanation, we will call th zone in question. For the first part of this explanation, we will call
e A (or AAAA) record for the the A (or AAAA) record for the
globally accessible address server.example.com, and the zone for globally accessible address server.example.com, and the zone for wh
which dnsmasq is authoritative ich dnsmasq is authoritative
our.zone.com. our.zone.com.
The simplest configuration consists of two lines of dnsmasq configuration ; something like The simplest configuration consists of two lines of dnsmasq configuration ; something like
--auth-server=server.example.com,eth0 --auth-server=server.example.com,eth0
--auth-zone=our.zone.com,1.2.3.0/24 --auth-zone=our.zone.com,1.2.3.0/24
and two records in the external DNS and two records in the external DNS
server.example.com A 192.0.43.10 server.example.com A 192.0.43.10
our.zone.com NS server.example.com our.zone.com NS server.example.com
eth0 is the external network interface on which dnsmasq is listening, a nd has (globally accessible) eth0 is the external network interface on which dnsmasq is listening , and has (globally accessible)
address 192.0.43.10. address 192.0.43.10.
Note that the external IP address may well be dynamic (ie assigned fro m an ISP by DHCP or PPP) If so, Note that the external IP address may well be dynamic (ie assigned from a n ISP by DHCP or PPP) If so,
the A record must be linked to this dynamic assignment by one of the usua l dynamic-DNS systems. the A record must be linked to this dynamic assignment by one of the usua l dynamic-DNS systems.
A more complex, but practically useful configuration has the address reco A more complex, but practically useful configuration has the address rec
rd for the globally accessible ord for the globally accessible
IP address residing in the authoritative zone which dnsmasq is serving IP address residing in the authoritative zone which dnsmasq is serving, t
, typically at the root. Now we ypically at the root. Now we
have have
--auth-server=our.zone.com,eth0 --auth-server=our.zone.com,eth0
--auth-zone=our.zone.com,1.2.3.0/24 --auth-zone=our.zone.com,1.2.3.0/24
our.zone.com A 1.2.3.4 our.zone.com A 1.2.3.4
our.zone.com NS our.zone.com our.zone.com NS our.zone.com
The A record for our.zone.com has now become a glue record, it solves th The A record for our.zone.com has now become a glue record, it solves
e chicken-and-egg problem of the chicken-and-egg problem of
finding the IP address of the nameserver for our.zone.com when the A r finding the IP address of the nameserver for our.zone.com when the A reco
ecord is within that zone. Note rd is within that zone. Note
that this is the only role of this record: as dnsmasq is now authoritativ e from our.zone.com it too must that this is the only role of this record: as dnsmasq is now authoritativ e from our.zone.com it too must
provide this record. If the external address is static, this can be d one with an /etc/hosts entry or provide this record. If the external address is static, this can be done with an /etc/hosts entry or
--host-record. --host-record.
--auth-server=our.zone.com,eth0 --auth-server=our.zone.com,eth0
--host-record=our.zone.com,1.2.3.4 --host-record=our.zone.com,1.2.3.4
--auth-zone=our.zone.com,1.2.3.0/24 --auth-zone=our.zone.com,1.2.3.0/24
If the external address is dynamic, the address associated with our.zone. com must be derived from the If the external address is dynamic, the address associated with our.zo ne.com must be derived from the
address of the relevant interface. This is done using --interface-name So mething like: address of the relevant interface. This is done using --interface-name So mething like:
--auth-server=our.zone.com,eth0 --auth-server=our.zone.com,eth0
--interface-name=our.zone.com,eth0 --interface-name=our.zone.com,eth0
--auth-zone=our.zone.com,1.2.3.0/24,eth0 --auth-zone=our.zone.com,1.2.3.0/24,eth0
(The "eth0" argument in --auth-zone adds the subnet containing eth0's dynamic address to the zone, so (The "eth0" argument in --auth-zone adds the subnet containing eth0's dyn amic address to the zone, so
that the --interface-name returns the address in outside queries.) that the --interface-name returns the address in outside queries.)
Our final configuration builds on that above, but also adds a secondary D Our final configuration builds on that above, but also adds a secondary
NS server. This is another DNS DNS server. This is another DNS
server which learns the DNS data for the zone by doing zones transfer, server which learns the DNS data for the zone by doing zones transfer, an
and acts as a backup should the d acts as a backup should the
primary server become inaccessible. The configuration of the secondary is primary server become inaccessible. The configuration of the secondary i
beyond the scope of this man- s beyond the scope of this man-
page, but the extra configuration of dnsmasq is simple: page, but the extra configuration of dnsmasq is simple:
--auth-sec-servers=secondary.myisp.com --auth-sec-servers=secondary.myisp.com
and and
our.zone.com NS secondary.myisp.com our.zone.com NS secondary.myisp.com
Adding auth-sec-servers enables zone transfer in dnsmasq, to allow t he secondary to collect the DNS Adding auth-sec-servers enables zone transfer in dnsmasq, to allow the s econdary to collect the DNS
data. If you wish to restrict this data to particular hosts then data. If you wish to restrict this data to particular hosts then
--auth-peer=<IP address of secondary> --auth-peer=<IP address of secondary>
will do so. will do so.
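Review bot: the --auth-sec-servers paragraph says the option "enables zone transfer in dnsmasq" and only afterwards offers --auth-peer "if you wish to restrict this data to particular hosts", so it implies, without stating it, that transfers are not limited to the secondary unless --auth-peer is given. The zone is populated from /etc/hosts entries and DHCP leases (per the list later in this section), so I would state the default outright and show --auth-peer alongside --auth-sec-servers in the example rather than as an optional afterthought. The phrase "by doing zones transfer" a few lines up should also read "zone transfers".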
Dnsmasq acts as an authoritative server for in-addr.arpa and ip6.arpa do Dnsmasq acts as an authoritative server for in-addr.arpa and ip6.arpa d
mains associated with the sub- omains associated with the sub-
nets given in --auth-zone declarations, so reverse (address to name) l nets given in --auth-zone declarations, so reverse (address to name) look
ookups can be simply configured ups can be simply configured
with a suitable NS record, for instance in this example, where we allow 1 .2.3.0/24 addresses. with a suitable NS record, for instance in this example, where we allow 1 .2.3.0/24 addresses.
3.2.1.in-addr.arpa NS our.zone.com 3.2.1.in-addr.arpa NS our.zone.com
Note that at present, reverse (in-addr.arpa and ip6.arpa) zones are not a vailable in zone transfers, so Note that at present, reverse (in-addr.arpa and ip6.arpa) zones are not available in zone transfers, so
there is no point arranging secondary servers for reverse lookups. there is no point arranging secondary servers for reverse lookups.
When dnsmasq is configured to act as an authoritative server, the followi ng data is used to populate the When dnsmasq is configured to act as an authoritative server, the followi ng data is used to populate the
authoritative zone. authoritative zone.
--mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record, --caa-reco rd, as long as the record names --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record, --caa-reco rd, as long as the record names
are in the authoritative domain. are in the authoritative domain.
--cname as long as the record name is in the authoritative domain --cname as long as the record name is in the authoritative domain. If
. If the target of the CNAME is the target of the CNAME is
unqualified, then it is qualified with the authoritative zone name. CNAM unqualified, then it is qualified with the authoritative zone name. CN
E used in this way (only) may AME used in this way (only) may
be wildcards, as in be wildcards, as in
--cname=*.example.com,default.example.com --cname=*.example.com,default.example.com
IPv4 and IPv6 addresses from /etc/hosts (and --addn-hosts ) and --host-r ecord and --interface-name pro- IPv4 and IPv6 addresses from /etc/hosts (and --addn-hosts ) and --host-re cord and --interface-name pro-
vided the address falls into one of the subnets specified in the --auth-z one. vided the address falls into one of the subnets specified in the --auth-z one.
Addresses of DHCP leases, provided the address falls into one of the subn Addresses of DHCP leases, provided the address falls into one of the s
ets specified in the --auth- ubnets specified in the --auth-
zone. (If constructed DHCP ranges are is use, which depend on the add zone. (If constructed DHCP ranges are is use, which depend on the addres
ress dynamically assigned to an s dynamically assigned to an
interface, then the form of --auth-zone which defines subnets by the dyna interface, then the form of --auth-zone which defines subnets by the
mic address of an interface dynamic address of an interface
should be used to ensure this condition is met.) should be used to ensure this condition is met.)
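Review bot: the DHCP-lease paragraph still reads "If constructed DHCP ranges are is use" in both the 2.81 and 2.82 columns; it should be "are in use". These lines were reflowed without picking up the typo, so it is worth fixing in man/dnsmasq.8 in the same pass.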
In the default mode, where a DHCP lease has an unqualified name, and possibly a qualified name con- In the default mode, where a DHCP lease has an unqualified name, and pos sibly a qualified name con-
structed using --domain then the name in the authoritative zone is constr ucted from the unqualified name structed using --domain then the name in the authoritative zone is constr ucted from the unqualified name
and the zone's domain. This may or may not equal that specified by -- domain. If --dhcp-fqdn is set, and the zone's domain. This may or may not equal that specified by --doma in. If --dhcp-fqdn is set,
then the fully qualified names associated with DHCP leases are used, and must match the zone's domain. then the fully qualified names associated with DHCP leases are used, and must match the zone's domain.
EXIT CODES EXIT CODES
0 - Dnsmasq successfully forked into the background, or terminated norma lly if backgrounding is not 0 - Dnsmasq successfully forked into the background, or terminated n ormally if backgrounding is not
enabled. enabled.
1 - A problem with configuration was detected. 1 - A problem with configuration was detected.
2 - A problem with network access occurred (address in use, attempt to us e privileged ports without per- 2 - A problem with network access occurred (address in use, attempt to us e privileged ports without per-
mission). mission).
3 - A problem occurred with a filesystem operation (missing file/director y, permissions). 3 - A problem occurred with a filesystem operation (missing file/director y, permissions).
4 - Memory allocation failure. 4 - Memory allocation failure.
5 - Other miscellaneous problem. 5 - Other miscellaneous problem.
11 or greater - a non zero return code was received from the lease-script process "init" call. The exit 11 or greater - a non zero return code was received from the lease-scrip t process "init" call. The exit
code from dnsmasq is the script's exit code with 10 added. code from dnsmasq is the script's exit code with 10 added.
LIMITS LIMITS
The default values for resource limits in dnsmasq are generally conservat ive, and appropriate for embed- The default values for resource limits in dnsmasq are generally conservat ive, and appropriate for embed-
ded router type devices with slow processors and limited memory. On more capable hardware, it is possi- ded router type devices with slow processors and limited memory. On more capable hardware, it is possi-
ble to increase the limits, and handle many more clients. The following a pplies to dnsmasq-2.37: earlier ble to increase the limits, and handle many more clients. The following a pplies to dnsmasq-2.37: earlier
versions did not scale as well. versions did not scale as well.
Dnsmasq is capable of handling DNS and DHCP for at least a thousand clien ts. The DHCP lease times should Dnsmasq is capable of handling DNS and DHCP for at least a thousand clien ts. The DHCP lease times should
not be very short (less than one hour). The value of --dns-forward-max not be very short (less than one hour). The value of --dns-forward-max ca
can be increased: start with it n be increased: start with it
equal to the number of clients and increase if DNS seems slow. Note that equal to the number of clients and increase if DNS seems slow. Note that
DNS performance depends too on DNS performance depends too on
the performance of the upstream nameservers. The size of the DNS cache m the performance of the upstream nameservers. The size of the DNS cache ma
ay be increased: the hard limit y be increased: the hard limit
is 10000 names and the default (150) is very low. Sending SIGUSR1 to dnsm is 10000 names and the default (150) is very low. Sending SIGUSR1 to d
asq makes it log information nsmasq makes it log information
which is useful for tuning the cache size. See the NOTES section for deta ils. which is useful for tuning the cache size. See the NOTES section for deta ils.
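Review bot: the LIMITS text keeps "The following applies to dnsmasq-2.37: earlier versions did not scale as well" in a man page shipped with 2.82, which leaves the reader unsure whether the figures that follow (the 10000-name hard limit, the default of 150) were re-checked for this release. Either drop the version reference or update it and confirm the numbers against the current defaults.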
The built-in TFTP server is capable of many simultaneous file transfers The built-in TFTP server is capable of many simultaneous file transfers:
: the absolute limit is related the absolute limit is related
to the number of file-handles allowed to a process and the ability of the to the number of file-handles allowed to a process and the ability of t
select() system call to cope he select() system call to cope
with large numbers of file handles. If the limit is set too high using -- tftp-max it will be scaled down with large numbers of file handles. If the limit is set too high using -- tftp-max it will be scaled down
and the actual limit logged at start-up. Note that more transfers are pos sible when the same file is and the actual limit logged at start-up. Note that more transfers are possible when the same file is
being sent than when each transfer sends a different file. being sent than when each transfer sends a different file.
It is possible to use dnsmasq to block Web advertising by using a list of known banner-ad servers, all It is possible to use dnsmasq to block Web advertising by using a list of known banner-ad servers, all
resolving to 127.0.0.1 or 0.0.0.0, in /etc/hosts or an additional hosts f ile. The list can be very long, resolving to 127.0.0.1 or 0.0.0.0, in /etc/hosts or an additional hosts f ile. The list can be very long,
dnsmasq has been tested successfully with one million names. That size file needs a 1GHz processor and dnsmasq has been tested successfully with one million names. That size fi le needs a 1GHz processor and
about 60Mb of RAM. about 60Mb of RAM.
INTERNATIONALISATION INTERNATIONALISATION
Dnsmasq can be compiled to support internationalisation. To do this, the Dnsmasq can be compiled to support internationalisation. To do this,
make targets "all-i18n" and the make targets "all-i18n" and
"install-i18n" should be used instead of the standard targets "all" and "install-i18n" should be used instead of the standard targets "all" and "
"install". When internationali- install". When internationali-
sation is compiled in, dnsmasq will produce log messages in the local lan sation is compiled in, dnsmasq will produce log messages in the local la
guage and support internation- nguage and support internation-
alised domain names (IDN). Domain names in /etc/hosts, /etc/ethers and alised domain names (IDN). Domain names in /etc/hosts, /etc/ethers and /e
/etc/dnsmasq.conf which contain tc/dnsmasq.conf which contain
non-ASCII characters will be translated to the DNS-internal punycode repr non-ASCII characters will be translated to the DNS-internal punycode re
esentation. Note that dnsmasq presentation. Note that dnsmasq
determines both the language for messages and the assumed charset for co determines both the language for messages and the assumed charset for con
nfiguration files from the LANG figuration files from the LANG
environment variable. This should be set to the system default value by t environment variable. This should be set to the system default value by
he script which is responsible the script which is responsible
for starting dnsmasq. When editing the configuration files, be careful for starting dnsmasq. When editing the configuration files, be careful to
to do so using only the system- do so using only the system-
default locale and not user-specific one, since dnsmasq has no direct way default locale and not user-specific one, since dnsmasq has no direct wa
of determining the charset in y of determining the charset in
use, and must assume that it is the system default. use, and must assume that it is the system default.
FILES FILES
/etc/dnsmasq.conf /etc/dnsmasq.conf
/usr/local/etc/dnsmasq.conf /usr/local/etc/dnsmasq.conf
/etc/resolv.conf /var/run/dnsmasq/resolv.conf /etc/ppp/resolv.conf /etc/d hcpc/resolv.conf /etc/resolv.conf /var/run/dnsmasq/resolv.conf /etc/ppp/resolv.conf /etc/d hcpc/resolv.conf
/etc/hosts /etc/hosts
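Review bot: from AUTHORITATIVE CONFIGURATION through FILES the 2.81 and 2.82 columns carry the same words, and the differences shown are only in where justification padding and line breaks fall in the formatted output. That makes the count of change blocks a poor guide to what changed in the documentation here; comparing the unformatted man/dnsmasq.8 source rather than the rendered text would show only the real edits.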
 End of changes. 208 change blocks. 
888 lines changed or deleted 889 lines changed or added
