"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "man/dnsmasq.8" between
dnsmasq-2.84.tar.xz and dnsmasq-2.85.tar.xz

About: Dnsmasq is a lightweight caching DNS forwarder and DHCP server.

dnsmasq.8  (dnsmasq-2.84.tar.xz):dnsmasq.8  (dnsmasq-2.85.tar.xz)
skipping to change at line 121 skipping to change at line 121
-8, --log-facility=<facility> -8, --log-facility=<facility>
Set the facility to which dnsmasq will send syslog entries, this defaults to DAEMON, and to LOCAL0 Set the facility to which dnsmasq will send syslog entries, this defaults to DAEMON, and to LOCAL0
when debug mode is in operation. If the facility given contains at least one '/' character, it is when debug mode is in operation. If the facility given contains at least one '/' character, it is
taken to be a filename, and dnsmasq logs to the given file, inst ead of syslog. If the facility is taken to be a filename, and dnsmasq logs to the given file, inst ead of syslog. If the facility is
'-' then dnsmasq logs to stderr. (Errors whilst reading configura tion will still go to syslog, but '-' then dnsmasq logs to stderr. (Errors whilst reading configura tion will still go to syslog, but
all output from a successful startup, and all output whilst ru nning, will go exclusively to the all output from a successful startup, and all output whilst ru nning, will go exclusively to the
file.) When logging to a file, dnsmasq will close and reopen the f ile when it receives SIGUSR2. file.) When logging to a file, dnsmasq will close and reopen the f ile when it receives SIGUSR2.
This allows the log file to be rotated without stopping dnsmasq. This allows the log file to be rotated without stopping dnsmasq.
--log-debug
Enable extra logging intended for debugging rather than informatio
n.
--log-async[=<lines>] --log-async[=<lines>]
Enable asynchronous logging and optionally set the limit on the number of lines which will be Enable asynchronous logging and optionally set the limit on the number of lines which will be
queued by dnsmasq when writing to the syslog is slow. Dnsmasq can log asynchronously: this allows queued by dnsmasq when writing to the syslog is slow. Dnsmasq can log asynchronously: this allows
it to continue functioning without being blocked by syslog, and allows syslog to use dnsmasq for it to continue functioning without being blocked by syslog, and allows syslog to use dnsmasq for
DNS queries without risking deadlock. If the queue of log-lines b ecomes full, dnsmasq will log the DNS queries without risking deadlock. If the queue of log-lines b ecomes full, dnsmasq will log the
overflow, and the number of messages lost. The default queue l ength is 5, a sane value would be overflow, and the number of messages lost. The default queue l ength is 5, a sane value would be
5-25, and a maximum limit of 100 is imposed. 5-25, and a maximum limit of 100 is imposed.
-x, --pid-file=<path> -x, --pid-file=<path>
Specify an alternate path for dnsmasq to record its process-id in. Normally /var/run/dnsmasq.pid. Specify an alternate path for dnsmasq to record its process-id in. Normally /var/run/dnsmasq.pid.
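Review bot: the new --log-debug entry ("Enable extra logging intended for debugging rather than information.") does not say what the extra output contains or whether it is the "debug mode" that the --log-facility entry above refers to when it says logging defaults "to LOCAL0 when debug mode is in operation". Suggest one sentence stating whether --log-debug switches the facility or only raises verbosity, and which subsystems it affects, so operators can decide whether the extra lines belong in a shared syslog or in a --log-facility=<file> with restrictive permissions.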
skipping to change at line 161 skipping to change at line 164
-Q, --query-port=<query_port> -Q, --query-port=<query_port>
Send outbound DNS queries from, and listen for their replies on, t he specific UDP port <query_port> Send outbound DNS queries from, and listen for their replies on, t he specific UDP port <query_port>
instead of using random ports. NOTE that using this option will ma ke dnsmasq less secure against instead of using random ports. NOTE that using this option will ma ke dnsmasq less secure against
DNS spoofing attacks but it may be faster and use less resour ces. Setting this option to zero DNS spoofing attacks but it may be faster and use less resour ces. Setting this option to zero
makes dnsmasq use a single port allocated to it by the OS: this wa s the default behaviour in ver- makes dnsmasq use a single port allocated to it by the OS: this wa s the default behaviour in ver-
sions prior to 2.43. sions prior to 2.43.
--min-port=<port> --min-port=<port>
Do not use ports less than that given as source for outbound DNS queries. Dnsmasq picks random Do not use ports less than that given as source for outbound DNS queries. Dnsmasq picks random
ports as source for outbound queries: when this option is given, t he ports used will always to ports as source for outbound queries: when this option is given, t he ports used will always be
larger than that specified. Useful for systems behind firewal ls. If not specified, defaults to larger than that specified. Useful for systems behind firewal ls. If not specified, defaults to
1024. 1024.
--max-port=<port> --max-port=<port>
Use ports lower than that given as source for outbound DNS queries . Dnsmasq picks random ports as Use ports lower than that given as source for outbound DNS queries . Dnsmasq picks random ports as
source for outbound queries: when this option is given, the por ts used will always be lower than source for outbound queries: when this option is given, the por ts used will always be lower than
that specified. Useful for systems behind firewalls. that specified. Useful for systems behind firewalls.
-i, --interface=<interface name> -i, --interface=<interface name>
Listen only on the specified interface(s). Dnsmasq automatically a dds the loopback (local) inter- Listen only on the specified interface(s). Dnsmasq automatically a dds the loopback (local) inter-
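Review bot: the --min-port fix ("the ports used will always to larger" becomes "will always be larger") is correct, but the entry still contradicts itself on the boundary: "Do not use ports less than that given" is inclusive of <port>, while "always be larger than that specified" is exclusive; --max-port has the same mismatch ("Use ports lower than that given"). Suggest stating the bounds precisely, e.g. "ports in the range <min-port>..<max-port> inclusive", and adding a one-line caveat that narrowing the range reduces the source-port randomisation that the --query-port entry immediately above calls the defence against DNS spoofing, so firewall-driven ranges should be kept as wide as possible.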
skipping to change at line 230 skipping to change at line 233
--bind-dynamic --bind-dynamic
Enable a network mode which is a hybrid between --bind-interfaces and the default. Dnsmasq binds Enable a network mode which is a hybrid between --bind-interfaces and the default. Dnsmasq binds
the address of individual interfaces, allowing multiple dnsmasq in stances, but if new interfaces or the address of individual interfaces, allowing multiple dnsmasq in stances, but if new interfaces or
addresses appear, it automatically listens on those (subject to an y access-control configuration). addresses appear, it automatically listens on those (subject to an y access-control configuration).
This makes dynamically created interfaces work in the same way as the default. Implementing this This makes dynamically created interfaces work in the same way as the default. Implementing this
option requires non-standard networking APIs and it is only availa ble under Linux. On other plat- option requires non-standard networking APIs and it is only availa ble under Linux. On other plat-
forms it falls-back to --bind-interfaces mode. forms it falls-back to --bind-interfaces mode.
-y, --localise-queries -y, --localise-queries
Return answers to DNS queries from /etc/hosts and --interface-n Return answers to DNS queries from /etc/hosts and --interface-nam
ame which depend on the interface e and --dynamic-host which depend
over which the query was received. If a name has more than one add on the interface over which the query was received. If a name has
ress associated with it, and at more than one address associated
least one of those addresses is on the same subnet as the inter with it, and at least one of those addresses is on the same sub
face to which the query was sent, net as the interface to which the
then return only the address(es) on that subnet. This allows fo query was sent, then return only the address(es) on that subnet. T
r a server to have multiple his allows for a server to have
addresses in /etc/hosts corresponding to each of its interface multiple addresses in /etc/hosts corresponding to each of its i
s, and hosts will get the correct nterfaces, and hosts will get the
address based on which network they are attached to. Currently thi correct address based on which network they are attached to. Curre
s facility is limited to IPv4. ntly this facility is limited to
IPv4.
-b, --bogus-priv -b, --bogus-priv
Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192.168.x.x, etc) Bogus private reverse lookups. All reverse lookups for privat e IP ranges (ie 192.168.x.x, etc)
which are not found in /etc/hosts or the DHCP leases file are answ ered with "no such domain" rather which are not found in /etc/hosts or the DHCP leases file are answ ered with "no such domain" rather
than being forwarded upstream. The set of prefixes affected is the list given in RFC6303, for IPv4 than being forwarded upstream. The set of prefixes affected is th e list given in RFC6303, for IPv4
and IPv6. and IPv6.
-V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>] -V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
Modify IPv4 addresses returned from upstream nameservers; old -ip is replaced by new-ip. If the Modify IPv4 addresses returned from upstream nameservers; old-ip i s replaced by new-ip. If the
optional mask is given then any address which matches the masked o ld-ip will be re-written. So, for optional mask is given then any address which matches the masked o ld-ip will be re-written. So, for
instance --alias=1.2.3.0,6.7.8.0,255.255.255.0 will map 1.2.3. instance --alias=1.2.3.0,6.7.8.0,255.255.255.0 will map 1.2.3.56
56 to 6.7.8.56 and 1.2.3.67 to to 6.7.8.56 and 1.2.3.67 to
6.7.8.67. This is what Cisco PIX routers call "DNS doctoring". If 6.7.8.67. This is what Cisco PIX routers call "DNS doctoring".
the old IP is given as range, If the old IP is given as range,
then only addresses in the range, rather than a who then only addresses in the range, rather than a whole
le subnet, are re-written. So subnet, are re-written. So
--alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 maps --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 maps
192.168.0.10->192.168.0.40 to 192.168.0.10->192.168.0.40 to
10.0.0.10->10.0.0.40 10.0.0.10->10.0.0.40
-B, --bogus-nxdomain=<ipaddr> -B, --bogus-nxdomain=<ipaddr>[/prefix]
Transform replies which contain the IP address given into Transform replies which contain the IP specified address or subnet
"No such domain" replies. This is into "No such domain" replies.
intended to counteract a devious move made by Verisign in Septembe This is intended to counteract a devious move made by Verisign in
r 2003 when they started return- September 2003 when they started
ing the address of an advertising web page in response to querie returning the address of an advertising web page in response to q
s for unregistered names, instead ueries for unregistered names,
of the correct NXDOMAIN response. This option tells dnsmasq to fak instead of the correct NXDOMAIN response. This option tells dns
e the correct response when it masq to fake the correct response
sees this behaviour. As at Sept 2003 the IP address being returned when it sees this behaviour. As at Sept 2003 the IP address
by Verisign is 64.94.110.11 being returned by Verisign is
64.94.110.11
--ignore-address=<ipaddr>
Ignore replies to A-record queries which include the specified --ignore-address=<ipaddr>[/prefix]
address. No error is generated, Ignore replies to A-record queries which include the specified add
dnsmasq simply continues to listen for another reply. This is use ress or subnet. No error is gen-
ful to defeat blocking strategies erated, dnsmasq simply continues to listen for another reply. Thi
which rely on quickly supplying a forged answer to a DNS reque s is useful to defeat blocking
st for certain domain, before the strategies which rely on quickly supplying a forged answer to
correct answer can arrive. a DNS request for certain domain,
before the correct answer can arrive.
-f, --filterwin2k -f, --filterwin2k
Later versions of windows make periodic DNS requests which don't g et sensible answers from the pub- Later versions of windows make periodic DNS requests which don't g et sensible answers from the pub-
lic DNS and can cause problems by triggering dial-on-demand links . This flag turns on an option to lic DNS and can cause problems by triggering dial-on-demand links . This flag turns on an option to
filter such requests. The requests blocked are for records of type s SOA and SRV, and type ANY where filter such requests. The requests blocked are for records of type s SOA and SRV, and type ANY where
the requested name has underscores, to catch LDAP requests. the requested name has underscores, to catch LDAP requests.
-r, --resolv-file=<file> -r, --resolv-file=<file>
Read the IP addresses of the upstream nameservers from <file>, ins tead of /etc/resolv.conf. For the Read the IP addresses of the upstream nameservers from <file>, ins tead of /etc/resolv.conf. For the
format of this file see resolv.conf(5). The only lines relevant t o dnsmasq are nameserver ones. format of this file see resolv.conf(5). The only lines relevant t o dnsmasq are nameserver ones.
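Review bot: in the new --bogus-nxdomain text, "Transform replies which contain the IP specified address or subnet" is ungrammatical; suggest "the specified IP address or subnet". Neither --bogus-nxdomain=<ipaddr>[/prefix] nor --ignore-address=<ipaddr>[/prefix] illustrates the new prefix form, and --ignore-address still says it acts on "replies to A-record queries" while a prefix could be IPv6; suggest one example per option (for instance a /24 around the 64.94.110.11 address the entry already cites, purely to show the syntax) and an explicit statement of whether AAAA replies are covered. The --localise-queries rewrite now lists --dynamic-host alongside --interface-name but still ends "Currently this facility is limited to IPv4", so it is worth saying that AAAA records from --dynamic-host are not localised.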
skipping to change at line 340 skipping to change at line 345
--clear-on-reload --clear-on-reload
Whenever /etc/resolv.conf is re-read or the upstream servers are s et via DBus, clear the DNS cache. Whenever /etc/resolv.conf is re-read or the upstream servers are s et via DBus, clear the DNS cache.
This is useful when new nameservers may have different data than t hat held in cache. This is useful when new nameservers may have different data than t hat held in cache.
-D, --domain-needed -D, --domain-needed
Tells dnsmasq to never forward A or AAAA queries for plain names, without dots or domain parts, to Tells dnsmasq to never forward A or AAAA queries for plain names, without dots or domain parts, to
upstream nameservers. If the name is not known from /etc/hosts or DHCP then a "not found" answer is upstream nameservers. If the name is not known from /etc/hosts or DHCP then a "not found" answer is
returned. returned.
-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]][@<source -ip>|<interface>[#<port>]] -S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]][@<interf ace>][@<source-ip>[#<port>]]
Specify IP address of upstream servers directly. Setting this flag does not suppress reading of Specify IP address of upstream servers directly. Setting this flag does not suppress reading of
/etc/resolv.conf, use --no-resolv to do that. If one or more opt ional domains are given, that /etc/resolv.conf, use --no-resolv to do that. If one or more opt ional domains are given, that
server is used only for those domains and they are queried only us ing the specified server. This is server is used only for those domains and they are queried only us ing the specified server. This is
intended for private nameservers: if you have a nameserver on your network which deals with names intended for private nameservers: if you have a nameserver on your network which deals with names
of the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag --server=/inter- of the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag --server=/inter-
nal.thekelleys.org.uk/192.168.1.1 will send all queries for intern al machines to that nameserver, nal.thekelleys.org.uk/192.168.1.1 will send all queries for intern al machines to that nameserver,
everything else will go to the servers in /etc/resolv.conf. DN SSEC validation is turned off for everything else will go to the servers in /etc/resolv.conf. DN SSEC validation is turned off for
such private nameservers, UNLESS a --trust-anchor is specified for the domain in question. An empty such private nameservers, UNLESS a --trust-anchor is specified for the domain in question. An empty
domain specification, // has the special meaning of "unqualified names only" ie names without any domain specification, // has the special meaning of "unqualified names only" ie names without any
dots in them. A non-standard port may be specified as part of the IP address using a # character. dots in them. A non-standard port may be specified as part of the IP address using a # character.
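Review bot: the --server synopsis changes from [@<source-ip>|<interface>[#<port>]] to [@<interface>][@<source-ip>[#<port>]], so the interface and source address are now two separate @ components and #<port> attaches only to the source address, but nothing in this hunk's body explains the change. Suggest a sentence stating whether the two @ parts must appear in that order and whether a port may still be given when only an interface is specified; otherwise existing configurations using the old combined form cannot tell from this page whether they still parse.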
skipping to change at line 378 skipping to change at line 383
The optional string after the @ character tells dnsmasq how to set the source of the queries to The optional string after the @ character tells dnsmasq how to set the source of the queries to
this nameserver. It can either be an ip-address, an interface na me or both. The ip-address should this nameserver. It can either be an ip-address, an interface na me or both. The ip-address should
belong to the machine on which dnsmasq is running, otherwise this server line will be logged and belong to the machine on which dnsmasq is running, otherwise this server line will be logged and
then ignored. If an interface name is given, then queries to t he server will be forced via that then ignored. If an interface name is given, then queries to t he server will be forced via that
interface; if an ip-address is given then the source address of th e queries will be set to that interface; if an ip-address is given then the source address of th e queries will be set to that
address; and if both are given then a combination of ip-address a nd interface name will be used to address; and if both are given then a combination of ip-address a nd interface name will be used to
steer requests to the server. The query-port flag is ignored for any servers which have a source steer requests to the server. The query-port flag is ignored for any servers which have a source
address specified but the port may be specified directly as pa rt of the source address. Forcing address specified but the port may be specified directly as pa rt of the source address. Forcing
queries to an interface is not implemented on all platforms suppor ted by dnsmasq. queries to an interface is not implemented on all platforms suppor ted by dnsmasq.
--rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<source-ip>|< interface>[#<port>]] --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<interface>][ @<source-ip>[#<port>]]
This is functionally the same as --server, but provides some synta ctic sugar to make specifying This is functionally the same as --server, but provides some synta ctic sugar to make specifying
address-to-name queries easier. For example --rev-server=1.2.3.0/ 24,192.168.0.1 is exactly equiva- address-to-name queries easier. For example --rev-server=1.2.3.0/ 24,192.168.0.1 is exactly equiva-
lent to --server=/3.2.1.in-addr.arpa/192.168.0.1 lent to --server=/3.2.1.in-addr.arpa/192.168.0.1
-A, --address=/<domain>[/<domain>...]/[<ipaddr>] -A, --address=/<domain>[/<domain>...]/[<ipaddr>]
Specify an IP address to return for any host in the given domains. Queries in the domains are Specify an IP address to return for any host in the given domains. Queries in the domains are
never forwarded and always replied to with the specified IP addr ess which may be IPv4 or IPv6. To never forwarded and always replied to with the specified IP addr ess which may be IPv4 or IPv6. To
give both IPv4 and IPv6 addresses for a domain, use repeated --add ress flags. To include multiple give both IPv4 and IPv6 addresses for a domain, use repeated --add ress flags. To include multiple
IP addresses for a single query, use --addn-hosts=<path> instea d. Note that /etc/hosts and DHCP IP addresses for a single query, use --addn-hosts=<path> instea d. Note that /etc/hosts and DHCP
leases override this for individual names. A common use of this is to redirect the entire dou- leases override this for individual names. A common use of this is to redirect the entire dou-
skipping to change at line 449 skipping to change at line 454
assigned more than one address. Only the first address creates a P TR record linking the address to assigned more than one address. Only the first address creates a P TR record linking the address to
the name. This is the same rule as is used reading hosts-files. --host-record options are consid- the name. This is the same rule as is used reading hosts-files. --host-record options are consid-
ered to be read before host-files, so a name appearing there inhib its PTR-record creation if it ered to be read before host-files, so a name appearing there inhib its PTR-record creation if it
appears in hosts-file also. Unlike hosts-files, names are not expa nded, even when --expand-hosts is appears in hosts-file also. Unlike hosts-files, names are not expa nded, even when --expand-hosts is
in effect. Short and long names may appear in the same --host- record, eg. --host-record=lap- in effect. Short and long names may appear in the same --host- record, eg. --host-record=lap-
top,laptop.thekelleys.org,192.168.0.1,1234::100 top,laptop.thekelleys.org,192.168.0.1,1234::100
If the time-to-live is given, it overrides the default, which is zero or the value of --local-ttl. If the time-to-live is given, it overrides the default, which is zero or the value of --local-ttl.
The value is a positive integer and gives the time-to-live in seco nds. The value is a positive integer and gives the time-to-live in seco nds.
--dynamic-host=<name>,[IPv4-address],[IPv6-address],<interface>
Add A, AAAA and PTR records to the DNS in the same subnet as the s
pecified interface. The address
is derived from the network part of each address associated with
the interface, and the host part
from the specified address. For example --dynamic-host=example.com
,0.0.0.8,eth0 will, when eth0 has
the address 192.168.78.x and netmask 255.255.255.0 give the
name example.com an A record for
192.168.78.8. The same principle applies to IPv6 addresses. Note t
hat if an interface has more than
one address, more than one A or AAAA record will be created. The T
TL of the records is always zero,
and any changes to interface addresses will be immediately reflect
ed in them.
-Y, --txt-record=<name>[[,<text>],<text>] -Y, --txt-record=<name>[[,<text>],<text>]
Return a TXT DNS record. The value of TXT record is a set of st rings, so any number may be Return a TXT DNS record. The value of TXT record is a set of st rings, so any number may be
included, delimited by commas; use quotes to put commas into a str ing. Note that the maximum length included, delimited by commas; use quotes to put commas into a str ing. Note that the maximum length
of a single string is 255 characters, longer strings are split int o 255 character chunks. of a single string is 255 characters, longer strings are split int o 255 character chunks.
--ptr-record=<name>[,<target>] --ptr-record=<name>[,<target>]
Return a PTR DNS record. Return a PTR DNS record.
--naptr-record=<name>,<order>,<preference>,<flags>,<service>,<regexp>[,<r eplacement>] --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<regexp>[,<r eplacement>]
Return an NAPTR DNS record, as specified in RFC3403. Return an NAPTR DNS record, as specified in RFC3403.
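Review bot: the new --dynamic-host synopsis, <name>,[IPv4-address],[IPv6-address],<interface>, places the commas outside the optional brackets, which reads as requiring an empty field when the IPv6 address is omitted, yet the example --dynamic-host=example.com,0.0.0.8,eth0 has only three fields; suggest either bracketing the commas with the addresses or stating that omitted fields are dropped entirely. The entry should also say what happens when the interface has no address (no record, or an error), since it already notes that "if an interface has more than one address, more than one A or AAAA record will be created" and that the TTL "is always zero", so clients cannot cache across address changes.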
skipping to change at line 817 skipping to change at line 831
Note that in IPv6 DHCP, the hardware address may not be ava ilable, though it normally is for Note that in IPv6 DHCP, the hardware address may not be ava ilable, though it normally is for
direct-connected clients, or clients using DHCP relays which suppo rt RFC 6939. direct-connected clients, or clients using DHCP relays which suppo rt RFC 6939.
For DHCPv4, the special option id:* means "ignore any client-id a nd use MAC addresses only." This For DHCPv4, the special option id:* means "ignore any client-id a nd use MAC addresses only." This
is useful when a client presents a client-id sometimes but not oth ers. is useful when a client presents a client-id sometimes but not oth ers.
If a name appears in /etc/hosts, the associated address can be al located to a DHCP lease, but only If a name appears in /etc/hosts, the associated address can be al located to a DHCP lease, but only
if a --dhcp-host option specifying the name also exists. Only one hostname can be given in a if a --dhcp-host option specifying the name also exists. Only one hostname can be given in a
--dhcp-host option, but aliases are possible by using CNAMEs. (See --cname ). --dhcp-host option, but aliases are possible by using CNAMEs. (See --cname ).
The special keyword "ignore" tells dnsmasq to never offer a DHC More than one --dhcp-host can be associated (by name, hardware a
P lease to a machine. The machine ddress or UID) with a host. Which
can be specified by hardware address, client ID or hos one is used (and therefore which address is allocated by DHCP and
tname, for instance --dhcp- appears in the DNS) depends on
the subnet on which the host last obtained a DHCP lease: the --dhc
p-host with an address within the
subnet is used. If more than one address is within the subnet, the
result is undefined. A corollary
to this is that the name associated with a host using --dhcp-host
does not appear in the DNS until
the host obtains a DHCP lease.
The special keyword "ignore" tells dnsmasq to never offer a DHCP l
ease to a machine. The machine
can be specified by hardware address, client ID or
hostname, for instance --dhcp-
host=00:20:e0:3b:13:af,ignore This is useful when there is another DHCP server on the network which host=00:20:e0:3b:13:af,ignore This is useful when there is another DHCP server on the network which
should be used by some machines. should be used by some machines.
The set:<tag> construct sets the tag whenever this --dhcp-host dir ective is in use. This can be The set:<tag> construct sets the tag whenever this --dhcp-host directive is in use. This can be
used to selectively send DHCP options just for this host. More tha n one tag can be set in a --dhcp- used to selectively send DHCP options just for this host. More tha n one tag can be set in a --dhcp-
host directive (but not in other places where "set:<tag>" is allow host directive (but not in other places where "set:<tag>" is
ed). When a host matches any allowed). When a host matches any
--dhcp-host directive (or one implied by /etc/ethers) then the --dhcp-host directive (or one implied by /etc/ethers) then the spe
special tag "known" is set. This cial tag "known" is set. This
allows dnsmasq to be configured to ignore requests from u allows dnsmasq to be configured to ignore requests from
nknown machines using --dhcp- unknown machines using --dhcp-
ignore=tag:!known If the host matches only a --dhcp-host directiv ignore=tag:!known If the host matches only a --dhcp-host directive
e which cannot be used because it which cannot be used because it
specifies an address on different subnet, the tag "known-othernet" is set. specifies an address on different subnet, the tag "known-othernet" is set.
The tag:<tag> construct filters which dhcp-host directives are use d. Tagged directives are used in The tag:<tag> construct filters which dhcp-host directives are us ed. Tagged directives are used in
preference to untagged ones. preference to untagged ones.
Ethernet addresses (but not client-ids) may have wildcard bytes, so for example --dhcp- Ethernet addresses (but not client-ids) may have wildcard bytes, so for example --dhcp-
host=00:20:e0:3b:13:*,ignore will cause dnsmasq to ignore a range of hardware addresses. Note that host=00:20:e0:3b:13:*,ignore will cause dnsmasq to ignore a range of hardware addresses. Note that
the "*" will need to be escaped or quoted on a command line, but n ot in the configuration file. the "*" will need to be escaped or quoted on a command line, but n ot in the configuration file.
Hardware addresses normally match any network (ARP) type, but it Hardware addresses normally match any network (ARP) type, but it i
is possible to restrict them to a s possible to restrict them to a
single ARP type by preceding them with the ARP-type (in single ARP type by preceding them with the ARP-type
HEX) and "-". so --dhcp- (in HEX) and "-". so --dhcp-
host=06-00:20:e0:3b:13:af,1.2.3.4 will only match a Token-Ring host=06-00:20:e0:3b:13:af,1.2.3.4 will only match a Token-Ring har
hardware address, since the ARP- dware address, since the ARP-
address type for token ring is 6. address type for token ring is 6.
As a special case, in DHCPv4, it is possible to include more than one hardware address. eg: --dhcp- As a special case, in DHCPv4, it is possible to include more than one hardware address. eg: --dhcp-
host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2 This allows host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2 This allows a
an IP address to be associated n IP address to be associated
with multiple hardware addresses, and gives dnsmasq permission to with multiple hardware addresses, and gives dnsmasq permission
abandon a DHCP lease to one of to abandon a DHCP lease to one of
the hardware addresses when another one asks for a lease. Beware the hardware addresses when another one asks for a lease. Beware t
that this is a dangerous thing to hat this is a dangerous thing to
do, it will only work reliably if only one of the hardware address do, it will only work reliably if only one of the hardware ad
es is active at any time and dresses is active at any time and
there is no way for dnsmasq to enforce this. It is, for instanc there is no way for dnsmasq to enforce this. It is, for instance,
e, useful to allocate a stable IP useful to allocate a stable IP
address to a laptop which has both wired and wireless interfaces. address to a laptop which has both wired and wireless interfaces.
--dhcp-hostsfile=<path> --dhcp-hostsfile=<path>
Read DHCP host information from the specified file. If a directory Read DHCP host information from the specified file. If a dire
is given, then read all the ctory is given, then read all the
files contained in that directory. The file contains information files contained in that directory. The file contains information a
about one host per line. The for- bout one host per line. The for-
mat of a line is the same as text to the right of '=' in --dhcp-ho st. The advantage of storing DHCP mat of a line is the same as text to the right of '=' in --dhcp-ho st. The advantage of storing DHCP
host information in this file is that it can be changed without r e-starting dnsmasq: the file will host information in this file is that it can be changed without re -starting dnsmasq: the file will
be re-read when dnsmasq receives SIGHUP. be re-read when dnsmasq receives SIGHUP.
--dhcp-optsfile=<path> --dhcp-optsfile=<path>
Read DHCP option information from the specified file. If a direct Read DHCP option information from the specified file. If a dire
ory is given, then read all the ctory is given, then read all the
files contained in that directory. The advantage of using this files contained in that directory. The advantage of using this opt
option is the same as for --dhcp- ion is the same as for --dhcp-
hostsfile: the --dhcp-optsfile will be re-read when dnsmasq receiv es SIGHUP. Note that it is possi- hostsfile: the --dhcp-optsfile will be re-read when dnsmasq receiv es SIGHUP. Note that it is possi-
ble to encode the information in a --dhcp-boot flag as DHCP optio ble to encode the information in a --dhcp-boot flag as DHCP option
ns, using the options names boot- s, using the options names boot-
file-name, server-ip-address and tftp-server. This allows these to file-name, server-ip-address and tftp-server. This allows these
be included in a --dhcp-opts- to be included in a --dhcp-opts-
file. file.
--dhcp-hostsdir=<path> --dhcp-hostsdir=<path>
This is equivalent to --dhcp-hostsfile, except for the following. The path MUST be a directory, and This is equivalent to --dhcp-hostsfile, except for the following. The path MUST be a directory, and
not an individual file. Changed or new files within the directory not an individual file. Changed or new files within the director
are read automatically, without y are read automatically, without
the need to send SIGHUP. If a file is deleted or changed after the need to send SIGHUP. If a file is deleted or changed after it
it has been read by dnsmasq, then has been read by dnsmasq, then
the host record it contained will remain until dnsmasq receives a the host record it contained will remain until dnsmasq receives a
SIGHUP, or is restarted; ie host SIGHUP, or is restarted; ie host
records are only added dynamically. records are only added dynamically.
--dhcp-optsdir=<path> --dhcp-optsdir=<path>
This is equivalent to --dhcp-optsfile, with the differences noted for --dhcp-hostsdir. This is equivalent to --dhcp-optsfile, with the differences noted for --dhcp-hostsdir.
-Z, --read-ethers -Z, --read-ethers
Read /etc/ethers for information about hosts for the DHCP serve Read /etc/ethers for information about hosts for the DHCP server.
r. The format of /etc/ethers is a The format of /etc/ethers is a
hardware address, followed by either a hostname or dotted-quad IP hardware address, followed by either a hostname or dotted-quad
address. When read by dnsmasq IP address. When read by dnsmasq
these lines have exactly the same effect as --dhcp-host options these lines have exactly the same effect as --dhcp-host options co
containing the same information. ntaining the same information.
/etc/ethers is re-read when dnsmasq receives SIGHUP. IPv6 addresse s are NOT read from /etc/ethers. /etc/ethers is re-read when dnsmasq receives SIGHUP. IPv6 addresse s are NOT read from /etc/ethers.
-O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-enca p:<enterprise>,][vendor:[<vendor- -O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-enca p:<enterprise>,][vendor:[<vendor-
class>],][<opt>|option:<opt-name>|option6:<opt>|option6:<opt-name>],[<val ue>[,<value>]] class>],][<opt>|option:<opt-name>|option6:<opt>|option6:<opt-name>],[<val ue>[,<value>]]
Specify different or extra options to DHCP clients. By default, dn smasq sends some standard options Specify different or extra options to DHCP clients. By default, dn smasq sends some standard options
to DHCP clients, the netmask and broadcast address are set to the same as the host running dnsmasq, to DHCP clients, the netmask and broadcast address are set to the same as the host running dnsmasq,
and the DNS server and default route are set to the address of the machine running dnsmasq. (Equiv- and the DNS server and default route are set to the address of the machine running dnsmasq. (Equiv-
alent rules apply for IPv6.) If the domain name option has been se t, that is sent. This configura- alent rules apply for IPv6.) If the domain name option has been se t, that is sent. This configura-
tion allows these defaults to be overridden, or other options spec ified. The option, to be sent may tion allows these defaults to be overridden, or other options spec ified. The option, to be sent may
be given as a decimal number or as "option:<option-name>" The op be given as a decimal number or as "option:<option-name>" Th
tion numbers are specified in e option numbers are specified in
RFC2132 and subsequent RFCs. The set of option-names known by dns RFC2132 and subsequent RFCs. The set of option-names known by dnsm
masq can be discovered by running asq can be discovered by running
"dnsmasq --help dhcp". For example, to set the default route opti "dnsmasq --help dhcp". For example, to set the default route
on to 192.168.4.4, do --dhcp- option to 192.168.4.4, do --dhcp-
option=3,192.168.4.4 or --dhcp-option = option:router, 192.16 option=3,192.168.4.4 or --dhcp-option = option:router, 192.168.4.
8.4.4 and to set the time-server 4 and to set the time-server
address to 192.168.0.4, do --dhcp-option = 42,192.168.0.4 or --d address to 192.168.0.4, do --dhcp-option = 42,192.168.0.4 or -
hcp-option = option:ntp-server, -dhcp-option = option:ntp-server,
192.168.0.4 The special address 0.0.0.0 is taken to mean "the ad 192.168.0.4 The special address 0.0.0.0 is taken to mean "the addr
dress of the machine running dns- ess of the machine running dns-
masq". masq".
Data types allowed are comma separated dotted-quad IPv4 addresses, Data types allowed are comma separated dotted-quad IPv4 addres
[]-wrapped IPv6 addresses, a ses, []-wrapped IPv6 addresses, a
decimal number, colon-separated hex digits and a text string. If decimal number, colon-separated hex digits and a text string. If t
the optional tags are given then he optional tags are given then
this option is only sent when all the tags are matched. this option is only sent when all the tags are matched.
Special processing is done on a text argument for option 119, to c Special processing is done on a text argument for option 119,
onform with RFC 3397. Text or to conform with RFC 3397. Text or
dotted-quad IP addresses as arguments to option 120 are handle dotted-quad IP addresses as arguments to option 120 are handled as
d as per RFC 3361. Dotted-quad IP per RFC 3361. Dotted-quad IP
addresses which are followed by a slash and then a netmask size ar addresses which are followed by a slash and then a netmask siz
e encoded as described in RFC e are encoded as described in RFC
3442. 3442.
IPv6 options are specified using the option6: keyword, follow IPv6 options are specified using the option6: keyword, followed by
ed by the option number or option the option number or option
name. The IPv6 option name space is disjoint from the IPv4 option name. The IPv6 option name space is disjoint from the IPv4 opt
name space. IPv6 addresses in ion name space. IPv6 addresses in
options must be bracketed with square brackets, eg. --dhcp-opt options must be bracketed with square brackets, eg. --dhcp-opt
ion=option6:ntp-server,[1234::56] ion=option6:ntp-server,[1234::56]
For IPv6, [::] means "the global address of the machine running For IPv6, [::] means "the global address of the machine run
dnsmasq", whilst [fd00::] is ning dnsmasq", whilst [fd00::] is
replaced with the ULA, if it exists, and [fe80::] with the link-lo cal address. replaced with the ULA, if it exists, and [fe80::] with the link-lo cal address.
Be careful: no checking is done that the correct type of data for Be careful: no checking is done that the correct type of data for
the option number is sent, it is the option number is sent, it is
quite possible to persuade dnsmasq to generate illegal DHCP packet quite possible to persuade dnsmasq to generate illegal DHCP pac
s with injudicious use of this kets with injudicious use of this
flag. When the value is a decimal number, dnsmasq must determi flag. When the value is a decimal number, dnsmasq must determine h
ne how large the data item is. It ow large the data item is. It
does this by examining the option number and/or the value, but can does this by examining the option number and/or the value, but
be overridden by appending a can be overridden by appending a
single letter flag as follows: b = one byte, s = two bytes, i = single letter flag as follows: b = one byte, s = two bytes, i = fo
four bytes. This is mainly useful ur bytes. This is mainly useful
with encapsulated vendor class options (see below) where dnsmasq c with encapsulated vendor class options (see below) where dnsmas
annot determine data size from q cannot determine data size from
the option number. Option data which consists solely of periods the option number. Option data which consists solely of periods a
and digits will be interpreted by nd digits will be interpreted by
dnsmasq as an IP address, and inserted into an option as such. To dnsmasq as an IP address, and inserted into an option as suc
force a literal string, use h. To force a literal string, use
quotes. For instance when using option 66 to send a literal IP a quotes. For instance when using option 66 to send a literal IP add
ddress as TFTP server name, it is ress as TFTP server name, it is
necessary to do --dhcp-option=66,"1.2.3.4" necessary to do --dhcp-option=66,"1.2.3.4"
Encapsulated Vendor-class options may also be specified (IPv4 Encapsulated Vendor-class options may also be specified (IP
only) using --dhcp-option: for v4 only) using --dhcp-option: for
instance --dhcp-option=vendor:PXEClient,1,0.0.0.0 sends the en instance --dhcp-option=vendor:PXEClient,1,0.0.0.0 sends the enc
capsulated vendor class-specific apsulated vendor class-specific
option "mftp-address=0.0.0.0" to any client whose vendor-class ma option "mftp-address=0.0.0.0" to any client whose vendor-class
tches "PXEClient". The vendor- matches "PXEClient". The vendor-
class matching is substring based (see --dhcp-vendorclass for d class matching is substring based (see --dhcp-vendorclass for deta
etails). If a vendor-class option ils). If a vendor-class option
(number 60) is sent by dnsmasq, then that is used for selecting en (number 60) is sent by dnsmasq, then that is used for selecting e
capsulated options in preference ncapsulated options in preference
to any sent by the client. It is possible to omit the vendorcla to any sent by the client. It is possible to omit the vendorclass
ss completely; --dhcp-option=ven- completely; --dhcp-option=ven-
dor:,1,0.0.0.0 in which case the encapsulated option is always sen t. dor:,1,0.0.0.0 in which case the encapsulated option is always sen t.
Options may be encapsulated (IPv4 only) within other options: for instance --dhcp-option=encap:175, Options may be encapsulated (IPv4 only) within other options: for instance --dhcp-option=encap:175,
190, iscsi-client0 will send option 175, within which is the op 190, iscsi-client0 will send option 175, within which is the optio
tion 190. If multiple options are n 190. If multiple options are
given which are encapsulated with the same option number then they given which are encapsulated with the same option number then the
will be correctly combined into y will be correctly combined into
one encapsulated option. encap: and vendor: are may not both be s et in the same --dhcp-option. one encapsulated option. encap: and vendor: are may not both be s et in the same --dhcp-option.
The final variant on encapsulated options is "Vendor-Identifyin The final variant on encapsulated options is "Vendor-Identifying V
g Vendor Options" as specified by endor Options" as specified by
RFC3925. These are denoted like this: --dhcp-option=vi-encap:2, 10 RFC3925. These are denoted like this: --dhcp-option=vi-encap:
, text The number in the vi- 2, 10, text The number in the vi-
encap: section is the IANA enterprise number used to identify thi encap: section is the IANA enterprise number used to identify this
s option. This form of encapsula- option. This form of encapsula-
tion is supported in IPv6. tion is supported in IPv6.
The address 0.0.0.0 is not treated specially in encapsulated optio ns. The address 0.0.0.0 is not treated specially in encapsulated optio ns.
--dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<ente rprise>,][vendor:[<vendor- --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<ente rprise>,][vendor:[<vendor-
class>],]<opt>,[<value>[,<value>]] class>],]<opt>,[<value>[,<value>]]
This works in exactly the same way as --dhcp-option except tha t the option will always be sent, This works in exactly the same way as --dhcp-option except that th e option will always be sent,
even if the client does not ask for it in the parameter request li st. This is sometimes needed, for even if the client does not ask for it in the parameter request li st. This is sometimes needed, for
example when sending options to PXELinux. example when sending options to PXELinux.
--dhcp-no-override --dhcp-no-override
(IPv4 only) Disable re-use of the DHCP servername and filename fi (IPv4 only) Disable re-use of the DHCP servername and filename fie
elds as extra option space. If it lds as extra option space. If it
can, dnsmasq moves the boot server and filename information (from can, dnsmasq moves the boot server and filename information (fro
--dhcp-boot) out of their dedi- m --dhcp-boot) out of their dedi-
cated fields into DHCP options. This make extra space available i cated fields into DHCP options. This make extra space available in
n the DHCP packet for options but the DHCP packet for options but
can, rarely, confuse old or broken clients. This flag forces "simp can, rarely, confuse old or broken clients. This flag forces "si
le and safe" behaviour to avoid mple and safe" behaviour to avoid
problems in such a case. problems in such a case.
--dhcp-relay=<local address>,<server address>[,<interface] --dhcp-relay=<local address>,<server address>[,<interface]
Configure dnsmasq to do DHCP relay. The local address is an add Configure dnsmasq to do DHCP relay. The local address is an addres
ress allocated to an interface on s allocated to an interface on
the host running dnsmasq. All DHCP requests arriving on that inter the host running dnsmasq. All DHCP requests arriving on that inte
face will we relayed to a remote rface will we relayed to a remote
DHCP server at the server address. It is possible to relay from a DHCP server at the server address. It is possible to relay from a
single local address to multiple single local address to multiple
remote servers by using multiple --dhcp-relay configs with the sam remote servers by using multiple --dhcp-relay configs with the
e local address and different same local address and different
server addresses. A server address must be an IP literal address, not a domain name. In the case of server addresses. A server address must be an IP literal address, not a domain name. In the case of
DHCPv6, the server address may be the ALL_SERVERS multicast addres s, ff05::1:3. In this case the DHCPv6, the server address may be the ALL_SERVERS multicast add ress, ff05::1:3. In this case the
interface must be given, not be wildcard, and is used to direct th e multicast to the correct inter- interface must be given, not be wildcard, and is used to direct th e multicast to the correct inter-
face to reach the DHCP server. face to reach the DHCP server.
Access control for DHCP clients has the same rules as for the Access control for DHCP clients has the same rules as for
DHCP server, see --interface, the DHCP server, see --interface,
--except-interface, etc. The optional interface name in the -- --except-interface, etc. The optional interface name in the --dhcp
dhcp-relay config has a different -relay config has a different
function: it controls on which interface DHCP replies from the ser function: it controls on which interface DHCP replies from the
ver will be accepted. This is server will be accepted. This is
intended for configurations which have three interfaces: one bein intended for configurations which have three interfaces: one being
g relayed from, a second connect- relayed from, a second connect-
ing the DHCP server, and a third untrusted network, typically the ing the DHCP server, and a third untrusted network, typically
wider internet. It avoids the the wider internet. It avoids the
possibility of spoof replies arriving via this third interface. possibility of spoof replies arriving via this third interface.
It is allowed to have dnsmasq act as a DHCP server on one set of interfaces and relay from a dis- It is allowed to have dnsmasq act as a DHCP server on one set of i nterfaces and relay from a dis-
joint set of interfaces. Note that whilst it is quite possible to write configurations which appear joint set of interfaces. Note that whilst it is quite possible to write configurations which appear
to act as a server and a relay on the same interface, this is not supported: the relay function to act as a server and a relay on the same interface, this is not supported: the relay function
will take precedence. will take precedence.
Both DHCPv4 and DHCPv6 relay is supported. It's not possible to re lay DHCPv4 to a DHCPv6 server or Both DHCPv4 and DHCPv6 relay is supported. It's not possible to r elay DHCPv4 to a DHCPv6 server or
vice-versa. vice-versa.
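Review bot: three wording slips in the unchanged context of this run could be corrected in the same documentation change: line 363 "encap: and vendor: are may not both be set in the same --dhcp-option" should drop "are"; line 382 "This make extra space available in the DHCP packet" should read "This makes extra space available"; and line 391 "All DHCP requests arriving on that interface will we relayed" should read "will be relayed". These sit in the option-encapsulation and relay sections, which are the parts of the page an operator reads when working out why a client did not receive an option or why a relayed reply was dropped, so they are worth fixing while the page is being touched.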
-U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<v endor-class> -U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<v endor-class>
Map from a vendor-class string to a tag. Most DHCP clients prov Map from a vendor-class string to a tag. Most DHCP clients provide
ide a "vendor class" which repre- a "vendor class" which repre-
sents, in some sense, the type of host. This option maps vendor c sents, in some sense, the type of host. This option maps ven
lasses to tags, so that DHCP dor classes to tags, so that DHCP
options may be selectively delivered to different classes of options may be selectively delivered to different classes of hos
hosts. For example --dhcp-vendor- ts. For example --dhcp-vendor-
class=set:printers,Hewlett-Packard JetDirect will allow options to be set only for HP printers like class=set:printers,Hewlett-Packard JetDirect will allow options to be set only for HP printers like
so: --dhcp-option=tag:printers,3,192.168.4.4 The vendor-class st so: --dhcp-option=tag:printers,3,192.168.4.4 The vendor-class stri
ring is substring matched against ng is substring matched against
the vendor-class supplied by the client, to allow fuzzy matching. the vendor-class supplied by the client, to allow fuzzy matching
The set: prefix is optional but . The set: prefix is optional but
allowed for consistency. allowed for consistency.
Note that in IPv6 only, vendorclasses are namespaced with an IANA- allocated enterprise number. This Note that in IPv6 only, vendorclasses are namespaced with an IANA- allocated enterprise number. This
is given with enterprise: keyword and specifies that only vendorcl asses matching the specified num- is given with enterprise: keyword and specifies that only vendorcl asses matching the specified num-
ber should be searched. ber should be searched.
-j, --dhcp-userclass=set:<tag>,<user-class> -j, --dhcp-userclass=set:<tag>,<user-class>
Map from a user-class string to a tag (with substring matching Map from a user-class string to a tag (with substring matching, li
, like vendor classes). Most DHCP ke vendor classes). Most DHCP
clients provide a "user class" which is configurable. This option clients provide a "user class" which is configurable. This opt
maps user classes to tags, so ion maps user classes to tags, so
that DHCP options may be selectively delivered to different clas that DHCP options may be selectively delivered to different classe
ses of hosts. It is possible, for s of hosts. It is possible, for
instance to use this to set a different printer server for hosts i instance to use this to set a different printer server for hosts
n the class "accounts" than for in the class "accounts" than for
hosts in the class "engineering". hosts in the class "engineering".
-4, --dhcp-mac=set:<tag>,<MAC address> -4, --dhcp-mac=set:<tag>,<MAC address>
Map from a MAC address to a tag. The MAC address may inclu de wildcards. For example --dhcp- Map from a MAC address to a tag. The MAC address may include wildcards. For example --dhcp-
mac=set:3com,01:34:23:*:*:* will set the tag "3com" for any host w hose MAC address matches the pat- mac=set:3com,01:34:23:*:*:* will set the tag "3com" for any host w hose MAC address matches the pat-
tern. tern.
--dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-remoteid=set:<tag>,<remot e-id> --dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-remoteid=set:<tag>,<remot e-id>
Map from RFC3046 relay agent options to tags. This data may be p Map from RFC3046 relay agent options to tags. This data may be pro
rovided by DHCP relay agents. The vided by DHCP relay agents. The
circuit-id or remote-id is normally given as colon-separated hex, circuit-id or remote-id is normally given as colon-separated hex,
but is also allowed to be a sim- but is also allowed to be a sim-
ple string. If an exact match is achieved between the circuit ple string. If an exact match is achieved between the circuit or a
or agent ID and one provided by a gent ID and one provided by a
relay agent, the tag is set. relay agent, the tag is set.
--dhcp-remoteid (but not --dhcp-circuitid) is supported in IPv6. --dhcp-remoteid (but not --dhcp-circuitid) is supported in IPv6.
--dhcp-subscrid=set:<tag>,<subscriber-id> --dhcp-subscrid=set:<tag>,<subscriber-id>
(IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent options to tags. (IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent options to tags.
--dhcp-proxy[=<ip addr>]...... --dhcp-proxy[=<ip addr>]......
(IPv4 only) A normal DHCP relay agent is only used to forward the (IPv4 only) A normal DHCP relay agent is only used to forward the
initial parts of a DHCP interac- initial parts of a DHCP interac-
tion to the DHCP server. Once a client is configured, it commu tion to the DHCP server. Once a client is configured, it communica
nicates directly with the server. tes directly with the server.
This is undesirable if the relay agent is adding extra information This is undesirable if the relay agent is adding extra informa
to the DHCP packets, such as tion to the DHCP packets, such as
that used by --dhcp-circuitid and --dhcp-remoteid. A full rel that used by --dhcp-circuitid and --dhcp-remoteid. A full relay i
ay implementation can use the RFC mplementation can use the RFC
5107 serverid-override option to force the DHCP server to use the 5107 serverid-override option to force the DHCP server to use th
relay as a full proxy, with all e relay as a full proxy, with all
packets passing through it. This flag provides an alternative me packets passing through it. This flag provides an alternative meth
thod of doing the same thing, for od of doing the same thing, for
relays which don't support RFC 5107. Given alone, it manipulates t he server-id for all interactions relays which don't support RFC 5107. Given alone, it manipulates t he server-id for all interactions
via relays. If a list of IP addresses is given, only interactions via relays at those addresses are via relays. If a list of IP addresses is given, only interactions via relays at those addresses are
affected. affected.
--dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<ent erprise>[,<value>] --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<ent erprise>[,<value>]
Without a value, set the tag if the client sends a DHCP option of Without a value, set the tag if the client sends a DHCP option of
the given number or name. When a the given number or name. When a
value is given, set the tag only if the option is sent and match value is given, set the tag only if the option is sent and matches
es the value. The value may be of the value. The value may be of
the form "01:ff:*:02" in which case the value must match (apart fr om wildcards) but the option sent the form "01:ff:*:02" in which case the value must match (apart fr om wildcards) but the option sent
may have unmatched data past the end of the value. The value m may have unmatched data past the end of the value. The value may a
ay also be of the same form as in lso be of the same form as in
--dhcp-option in which case the option sent is treated as an array --dhcp-option in which case the option sent is treated as an arra
, and one element must match, so y, and one element must match, so
--dhcp-match=set:efi-ia32,option:client-arch,6 will set the ta --dhcp-match=set:efi-ia32,option:client-arch,6 will set the tag "e
g "efi-ia32" if the the number 6 fi-ia32" if the the number 6
appears in the list of architectures sent by the client in option appears in the list of architectures sent by the client in optio
93. (See RFC 4578 for details.) n 93. (See RFC 4578 for details.)
If the value is a string, substring matching is used. If the value is a string, substring matching is used.
The special form with vi-encap:<enterprise number> matches against vendor-identifying vendor The special form with vi-encap:<enterprise number> matches ag ainst vendor-identifying vendor
classes for the specified enterprise. Please see RFC 3925 for more details of these rare and inter- classes for the specified enterprise. Please see RFC 3925 for more details of these rare and inter-
esting beasts. esting beasts.
--dhcp-name-match=set:<tag>,<name>[*] --dhcp-name-match=set:<tag>,<name>[*]
Set the tag if the given name is supplied by a DHCP client. There may be a single trailing wildcard Set the tag if the given name is supplied by a DHCP client. There may be a single trailing wildcard
*, which has the usual meaning. Combined with dhcp-ignore or dhcp- ignore-names this gives the abil- *, which has the usual meaning. Combined with dhcp-ignore or dhcp- ignore-names this gives the abil-
ity to ignore certain clients by name, or disallow certain hostnames from being claimed by a ity to ignore certain clients by name, or disallow certain hostn ames from being claimed by a
client. client.
--tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]] --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
Perform boolean operations on tags. Any tag appearing as set:<tag> Perform boolean operations on tags. Any tag appearing as set:<
is set if all the tags which tag> is set if all the tags which
appear as tag:<tag> are set, (or unset when tag:!<tag> is used) appear as tag:<tag> are set, (or unset when tag:!<tag> is used) If
If no tag:<tag> appears set:<tag> no tag:<tag> appears set:<tag>
tags are set unconditionally. Any number of set: and tag: forms m tags are set unconditionally. Any number of set: and tag: forms
ay appear, in any order. --tag- may appear, in any order. --tag-
if lines are executed in order, so if the tag in tag:<tag> is a if lines are executed in order, so if the tag in tag:<tag> is a ta
tag set by another --tag-if, the g set by another --tag-if, the
line which sets the tag must precede the one which tests it. line which sets the tag must precede the one which tests it.
-J, --dhcp-ignore=tag:<tag>[,tag:<tag>] -J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
When all the given tags appear in the tag set ignore the host and do not allocate it a DHCP lease. When all the given tags appear in the tag set ignore the host and do not allocate it a DHCP lease.
--dhcp-ignore-names[=tag:<tag>[,tag:<tag>]] --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
When all the given tags appear in the tag set, ignore any hostname provided by the host. Note that, When all the given tags appear in the tag set, ignore any hostname provided by the host. Note that,
unlike --dhcp-ignore, it is permissible to supply no tags, in whic h case DHCP-client supplied host- unlike --dhcp-ignore, it is permissible to supply no tags, in whic h case DHCP-client supplied host-
names are always ignored, and DHCP hosts are added to the DNS usin g only --dhcp-host configuration names are always ignored, and DHCP hosts are added to the DNS usi ng only --dhcp-host configuration
in dnsmasq and the contents of /etc/hosts and /etc/ethers. in dnsmasq and the contents of /etc/hosts and /etc/ethers.
--dhcp-generate-names=tag:<tag>[,tag:<tag>] --dhcp-generate-names=tag:<tag>[,tag:<tag>]
(IPv4 only) Generate a name for DHCP clients which do not otherwis e have one, using the MAC address (IPv4 only) Generate a name for DHCP clients which do not otherwis e have one, using the MAC address
expressed in hex, separated by dashes. Note that if a host provide s a name, it will be used by expressed in hex, separated by dashes. Note that if a host pr ovides a name, it will be used by
preference to this, unless --dhcp-ignore-names is set. preference to this, unless --dhcp-ignore-names is set.
--dhcp-broadcast[=tag:<tag>[,tag:<tag>]] --dhcp-broadcast[=tag:<tag>[,tag:<tag>]]
(IPv4 only) When all the given tags appear in the tag set, always use broadcast to communicate with (IPv4 only) When all the given tags appear in the tag set, always use broadcast to communicate with
the host when it is unconfigured. It is permissible to supply no t ags, in which case this is uncon- the host when it is unconfigured. It is permissible to supply no t ags, in which case this is uncon-
ditional. Most DHCP clients which need broadcast replies set a fl ag in their requests so that this ditional. Most DHCP clients which need broadcast replies set a fla g in their requests so that this
happens automatically, some old BOOTP clients do not. happens automatically, some old BOOTP clients do not.
-M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server address>|<t ftp_servername>]] -M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server address>|<t ftp_servername>]]
(IPv4 only) Set BOOTP options to be returned by the DHCP server. (IPv4 only) Set BOOTP options to be returned by the DHCP se
Server name and address are rver. Server name and address are
optional: if not provided, the name is left empty, and the optional: if not provided, the name is left empty, and the addres
address set to the address of the s set to the address of the
machine running dnsmasq. If dnsmasq is providing a TFTP service (s machine running dnsmasq. If dnsmasq is providing a TFTP service (
ee --enable-tftp ) then only the see --enable-tftp ) then only the
filename is required here to enable network booting. If the opt filename is required here to enable network booting. If the optio
ional tag(s) are given, they must nal tag(s) are given, they must
match for this configuration to be sent. Instead of an IP address match for this configuration to be sent. Instead of an IP addres
, the TFTP server address can be s, the TFTP server address can be
given as a domain name which is looked up in /etc/hosts. This nam given as a domain name which is looked up in /etc/hosts. This name
e can be associated in /etc/hosts can be associated in /etc/hosts
with multiple IP addresses, which are used round-robin. This faci with multiple IP addresses, which are used round-robin. This fac
lity can be used to load balance ility can be used to load balance
the tftp load among a set of servers. the tftp load among a set of servers.
--dhcp-sequential-ip --dhcp-sequential-ip
Dnsmasq is designed to choose IP addresses for DHCP clients Dnsmasq is designed to choose IP addresses for DHCP clients using
using a hash of the client's MAC a hash of the client's MAC
address. This normally allows a client's address to remain stable address. This normally allows a client's address to remain sta
long-term, even if the client ble long-term, even if the client
sometimes allows its DHCP lease to expire. In this default sometimes allows its DHCP lease to expire. In this default mode
mode IP addresses are distributed IP addresses are distributed
pseudo-randomly over the entire available address range. There are pseudo-randomly over the entire available address range. There a
sometimes circumstances (typi- re sometimes circumstances (typi-
cally server deployment) where it is more convenient to have IP cally server deployment) where it is more convenient to have IP ad
addresses allocated sequentially, dresses allocated sequentially,
starting from the lowest available address, and setting this flag starting from the lowest available address, and setting this fla
enables this mode. Note that in g enables this mode. Note that in
the sequential mode, clients which allow a lease to expire are muc h more likely to move IP address; the sequential mode, clients which allow a lease to expire are muc h more likely to move IP address;
for this reason it should not be generally used. for this reason it should not be generally used.
--dhcp-ignore-clid --dhcp-ignore-clid
Dnsmasq is reading 'client identifier' (RFC 2131) option sent by c lients (if available) to identify Dnsmasq is reading 'client identifier' (RFC 2131) option sent by c lients (if available) to identify
clients. This allow to serve same IP address for a host using se veral interfaces. Use this option clients. This allow to serve same IP address for a host using seve ral interfaces. Use this option
to disable 'client identifier' reading, i.e. to always identify a host using the MAC address. to disable 'client identifier' reading, i.e. to always identify a host using the MAC address.
--pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<base name>|<bootservicetype>][,<server address>|<server_name>]
       Most uses of PXE boot-ROMS simply allow the PXE system to obtain an IP address and then
       download the file specified by --dhcp-boot and execute it. However the PXE system is capable
       of more complex functions when supported by a suitable DHCP server.

       This specifies a boot option which may appear in a PXE boot menu. <CSA> is client system
       type, only services of the correct type will appear in a menu. The known types are x86PC,
       PC98, IA64_EFI, Alpha, Arc_x86, Intel_Lean_Client, IA32_EFI, X86-64_EFI, Xscale_EFI, BC_EFI,  (2.84)
       PC98, IA64_EFI, Alpha, Arc_x86, Intel_Lean_Client, IA32_EFI, x86-64_EFI, Xscale_EFI, BC_EFI,  (2.85)
       ARM32_EFI and ARM64_EFI; an integer may be used for other types. The parameter after the menu
       text may be a file name, in which case dnsmasq acts as a boot server and directs the PXE
       client to download the file by TFTP, either from itself ( --enable-tftp must be set for this
       to work) or another TFTP server if the final server address/name is given. Note that the
       "layer" suffix (normally ".0") is supplied by PXE, and need not be added to the basename.
       Alternatively, the basename may be a filename, complete with suffix, in which case no layer
       suffix is added. If an integer boot service type, rather than a basename is given, then the
       PXE client will search for a suitable boot service for that type on the network. This search
       may be done by broadcast, or direct to a server if its IP address/name is provided. If no
       boot service type or filename is provided (or a boot service type of 0 is specified) then the
       menu entry will abort the net boot procedure and continue booting from local media. The
       server address can be given as a domain name which is looked up in /etc/hosts. This name can
       be associated in /etc/hosts with multiple IP addresses, which are used round-robin.
--pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]
       Setting this provides a prompt to be displayed after PXE boot. If the timeout is given then
       after the timeout has elapsed with no keyboard input, the first available menu option will be
       automatically executed. If the timeout is zero then the first available menu item will be
       executed immediately. If --pxe-prompt is omitted the system will wait for user input if there
       are multiple items in the menu, but boot immediately if there is only one. See --pxe-service
       for details of menu items.

       Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP server on the network is
       responsible for allocating IP addresses, and dnsmasq simply provides the information given in
       --pxe-prompt and --pxe-service to allow netbooting. This mode is enabled using the proxy
       keyword in --dhcp-range.
--dhcp-pxe-vendor=<vendor>[,...]
       According to UEFI and PXE specifications, DHCP packets between PXE clients and proxy PXE
       servers should have PXEClient in their vendor-class field. However, the firmware of computers
       from a few vendors is customized to carry a different identifier in that field. This option
       is used to consider such identifiers valid for identifying PXE clients. For instance

       --dhcp-pxe-vendor=PXEClient,HW-Client

       will enable dnsmasq to also provide proxy PXE service to those PXE clients with HW-Client as
       their identifier.
       >>>>>>> 907def3... pxe: support pxe clients with custom vendor-class
-X, --dhcp-lease-max=<number>
       Limits dnsmasq to the specified maximum number of DHCP leases. The default is 1000. This
       limit is to prevent DoS attacks from hosts which create thousands of leases and use lots of
       memory in the dnsmasq process.
-K, --dhcp-authoritative
       Should be set when dnsmasq is definitely the only DHCP server on a network. For DHCPv4, it
       changes the behaviour from strict RFC compliance so that DHCP requests on unknown leases from
       unknown hosts are not ignored. This allows new hosts to get a lease without a tedious timeout
       under all circumstances. It also allows dnsmasq to rebuild its lease database without each
       client needing to reacquire a lease, if the database is lost. For DHCPv6 it sets the priority
       in replies to 255 (the maximum) instead of 0 (the minimum).
--dhcp-rapid-commit
       Enable DHCPv4 Rapid Commit Option specified in RFC 4039. When enabled, dnsmasq will respond
       to a DHCPDISCOVER message including a Rapid Commit option with a DHCPACK including a Rapid
       Commit option and fully committed address and configuration information. Should only be
       enabled if either the server is the only server for the subnet, or multiple servers are
       present and they each commit a binding for all clients.
--dhcp-alternate-port[=<server port>[,<client port>]]
       (IPv4 only) Change the ports used for DHCP from the default. If this option is given alone,
       without arguments, it changes the ports used for DHCP from 67 and 68 to 1067 and 1068. If a
       single argument is given, that port number is used for the server and the port number plus
       one used for the client. Finally, two port numbers allows arbitrary specification of both
       server and client ports for DHCP.
-3, --bootp-dynamic[=<network-id>[,<network-id>]]
       (IPv4 only) Enable dynamic allocation of IP addresses to BOOTP clients. Use this with care,
       since each address allocated to a BOOTP client is leased forever, and therefore becomes
       permanently unavailable for re-use by other hosts. If this is given without tags, then it
       unconditionally enables dynamic allocation. With tags, only when the tags are all set. It may
       be repeated with different tag sets.
-5, --no-ping
       (IPv4 only) By default, the DHCP server will attempt to ensure that an address is not in use
       before allocating it to a host. It does this by sending an ICMP echo request (aka "ping") to
       the address in question. If it gets a reply, then the address must already be in use, and
       another is tried. This flag disables this check. Use with caution.
--log-dhcp
       Extra logging for DHCP: log all the options sent to DHCP clients and the tags used to
       determine them.
--quiet-dhcp, --quiet-dhcp6, --quiet-ra
       Suppress logging of the routine operation of these protocols. Errors and problems will still
       be logged. --quiet-dhcp and --quiet-dhcp6 are over-ridden by --log-dhcp.
-l, --dhcp-leasefile=<path>
       Use the specified file to store DHCP lease information.
--dhcp-duid=<enterprise-id>,<uid>
       (IPv6 only) Specify the server persistent UID which the DHCPv6 server will use. This option
       is not normally required as dnsmasq creates a DUID automatically when it is first needed.
       When given, this option provides dnsmasq the data required to create a DUID-EN type DUID.
       Note that once set, the DUID is stored in the lease database, so to change between DUID-EN
       and automatically created DUIDs or vice-versa, the lease database must be re-initialised.
       The enterprise-id is assigned by IANA, and the uid is a string of hex octets unique to a
       particular device.
-6 --dhcp-script=<path>
       Whenever a new DHCP lease is created, or an old one destroyed, or a TFTP file transfer
       completes, the executable specified by this option is run. <path> must be an absolute
       pathname, no PATH search occurs. The arguments to the process are "add", "old" or "del", the
       MAC address of the host (or DUID for IPv6), the IP address, and the hostname, if known. "add"
       means a lease has been created, "del" means it has been destroyed, "old" is a notification of
       an existing lease when dnsmasq starts or a change to MAC address or hostname of an existing
       lease (also, lease length or expiry and client-id, if --leasefile-ro is set and lease expiry
       if --script-on-renewal is set). If the MAC address is from a network type other than
       ethernet, it will have the network type prepended, eg "06-01:23:45:67:89:ab" for token ring.
       The process is run as root (assuming that dnsmasq was originally run as root) even if dnsmasq
       is configured to change UID to an unprivileged user.

       The environment is inherited from the invoker of dnsmasq, with some or all of the following
       variables added

       For both IPv4 and IPv6:

       DNSMASQ_DOMAIN if the fully-qualified domain name of the host is known, this is set to the
       domain part. (Note that the hostname passed to the script as an argument is never
       fully-qualified.)

       If the client provides a hostname, DNSMASQ_SUPPLIED_HOSTNAME

       If the client provides user-classes, DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn

       If dnsmasq was compiled with HAVE_BROKEN_RTC, then the length of the lease (in seconds) is
       stored in DNSMASQ_LEASE_LENGTH, otherwise the time of lease expiry is stored in
       DNSMASQ_LEASE_EXPIRES. The number of seconds until lease expiry is always stored in
       DNSMASQ_TIME_REMAINING.

       If a lease used to have a hostname, which is removed, an "old" event is generated with the new
       state of the lease, ie no name, and the former name is provided in the environment variable
       DNSMASQ_OLD_HOSTNAME.

       DNSMASQ_INTERFACE stores the name of the interface on which the request arrived; this is not
       set for "old" actions when dnsmasq restarts.

       DNSMASQ_RELAY_ADDRESS is set if the client used a DHCP relay to contact dnsmasq and the IP
       address of the relay is known.

       DNSMASQ_TAGS contains all the tags set during the DHCP transaction, separated by spaces.

       DNSMASQ_LOG_DHCP is set if --log-dhcp is in effect.

       For IPv4 only:

       DNSMASQ_CLIENT_ID if the host provided a client-id.

       DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID, DNSMASQ_REMOTE_ID if a DHCP relay-agent added any of
       these options.

       If the client provides vendor-class, DNSMASQ_VENDOR_CLASS.

       DNSMASQ_REQUESTED_OPTIONS a string containing the decimal values in the Parameter Request List
       option, comma separated, if the parameter request list option is provided by the client.

       For IPv6 only:

       If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID, containing the IANA enterprise
       id for the class, and DNSMASQ_VENDOR_CLASS0..DNSMASQ_VENDOR_CLASSn for the data.

       DNSMASQ_SERVER_DUID containing the DUID of the server: this is the same for every call to the
       script.

       DNSMASQ_IAID containing the IAID for the lease. If the lease is a temporary allocation, this
       is prefixed to 'T'.

       DNSMASQ_MAC containing the MAC address of the client, if known.

       Note that the supplied hostname, vendorclass and userclass data is only supplied for "add"
       actions or "old" actions when a host resumes an existing lease, since these data are not held
       in dnsmasq's lease database.

       All file descriptors are closed except stdin, which is open to /dev/null, and stdout and
       stderr which capture output for logging by dnsmasq. (In debug mode, stdin, stdout and stderr
       file are left as those inherited from the invoker of dnsmasq).

       The script is not invoked concurrently: at most one instance of the script is ever running
       (dnsmasq waits for an instance of script to exit before running the next). Changes to the
       lease database which require the script to be invoked are queued awaiting exit of a running
       instance. If this queueing allows multiple state changes to occur to a single lease before the
       script can be run then earlier states are discarded and the current state of that lease is
       reflected when the script finally runs.

       At dnsmasq startup, the script will be invoked for all existing leases as they are read from
       the lease file. Expired leases will be called with "del" and others with "old". When dnsmasq
       receives a HUP signal, the script will be invoked for existing leases with an "old" event.

       There are four further actions which may appear as the first argument to the script, "init",
       "arp-add", "arp-del" and "tftp". More may be added in the future, so scripts should be written
       to ignore unknown actions. "init" is described below in --leasefile-ro. The "tftp" action is
       invoked when a TFTP file transfer completes: the arguments are the file size in bytes, the
       address to which the file was sent, and the complete pathname of the file.

       The "arp-add" and "arp-del" actions are only called if enabled with --script-arp. They are
       supplied with a MAC address and IP address as arguments. "arp-add" indicates the arrival of a
       new entry in the ARP or neighbour table, and "arp-del" indicates the deletion of same.
--dhcp-luascript=<path>
       Specify a script written in Lua, to be run when leases are created, destroyed or changed. To
       use this option, dnsmasq must be compiled with the correct support. The Lua interpreter is
       initialised once, when dnsmasq starts, so that global variables persist between lease events.
       The Lua code must define a lease function, and may provide init and shutdown functions, which
       are called, without arguments when dnsmasq starts up and terminates. It may also provide a
       tftp function.

       The lease function receives the information detailed in --dhcp-script. It gets two arguments,
       firstly the action, which is a string containing, "add", "old" or "del", and secondly a table
       of tag value pairs. The tags mostly correspond to the environment variables detailed above,
       for instance the tag "domain" holds the same data as the environment variable DNSMASQ_DOMAIN.
       There are a few extra tags which hold the data supplied as arguments to --dhcp-script. These
       are mac_address, ip_address and hostname for IPv4, and client_duid, ip_address and hostname
       for IPv6.

       The tftp function is called in the same way as the lease function, and the table holds the
       tags destination_address, file_name and file_size.

       The arp and arp-old functions are called only when enabled with --script-arp and have a table
       which holds the tags mac_address and client_address.
--dhcp-scriptuser
       Specify the user as which to run the lease-change script or Lua script. This defaults to
       root, but can be changed to another user using this flag.
--script-arp
       Enable the "arp" and "arp-old" functions in the --dhcp-script and --dhcp-luascript.
-9, --leasefile-ro
       Completely suppress use of the lease database file. The file will not be created, read, or
       written. Change the way the lease-change script (if one is provided) is called, so that the
       lease database may be maintained in external storage by the script. In addition to the
       invocations given in --dhcp-script the lease-change script is called once, at dnsmasq
       startup, with the single argument "init". When called like this the script should write the
       saved state of the lease database, in dnsmasq leasefile format, to stdout and exit with zero
       exit code. Setting this option also forces the leasechange script to be called on changes to
       the client-id and lease length and expiry time.
--script-on-renewal
       Call the DHCP script when the lease expiry time changes, for instance when the lease is
       renewed.
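The following lease-change script is an added example, not code shipped with dnsmasq; it covers the actions documented under --dhcp-script above (add/old/del, tftp, arp-add/arp-del, and ignoring unknown actions) and the extra "init" call made when --leasefile-ro is set. It writes one structured audit line per event for later review and keeps its own copy of the lease database so that "init" can hand it back to dnsmasq. The paths in AUDIT_LOG and LEASE_STORE are assumptions for this example, and the store is kept in dnsmasq's leasefile layout as assumed here (expiry, MAC, IP, hostname and client-id fields, with `*` standing for an unknown hostname or client-id); the man page does not spell that format out.

```shell
#!/bin/sh
# Added example of a --dhcp-script lease-change script (not dnsmasq's own code).
# dnsmasq invokes it as:
#   <script> add|old|del <mac-or-duid> <ip> [hostname]
#   <script> init                                   (only with --leasefile-ro)
#   <script> tftp <size-in-bytes> <address> <pathname>
#   <script> arp-add|arp-del <mac> <ip>             (only with --script-arp)
# AUDIT_LOG and LEASE_STORE are assumed paths for this example only.
AUDIT_LOG="${AUDIT_LOG:-/var/log/dnsmasq-leases.log}"
LEASE_STORE="${LEASE_STORE:-/var/lib/dnsmasq/leases.saved}"

# One key=value audit line for a lease event, built from the positional
# arguments and the DNSMASQ_* variables dnsmasq exports. Absent fields
# are rendered as "-" so every line has the same shape for later parsing.
lease_record() {
    printf 'action=%s hw=%s ip=%s host=%s domain=%s iface=%s relay=%s remaining=%s tags="%s" oldhost=%s\n' \
        "$1" "$2" "$3" "${4:--}" \
        "${DNSMASQ_DOMAIN:--}" "${DNSMASQ_INTERFACE:--}" \
        "${DNSMASQ_RELAY_ADDRESS:--}" "${DNSMASQ_TIME_REMAINING:--}" \
        "${DNSMASQ_TAGS:-}" "${DNSMASQ_OLD_HOSTNAME:--}"
}

# Audit line for a completed TFTP transfer: size in bytes, destination, pathname.
tftp_record() {
    printf 'action=tftp size=%s to=%s file=%s\n' "$1" "$2" "$3"
}

# Audit line for an ARP/neighbour table change.
arp_record() {
    printf 'action=%s hw=%s ip=%s\n' "$1" "$2" "$3"
}

# Append a record to the audit log with a UTC timestamp.
audit() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$AUDIT_LOG"
}

# Keep LEASE_STORE in the assumed leasefile layout:
#   <expiry> <mac> <ip> <hostname-or-*> <client-id-or-*>
# The entry for the address is replaced on add/old and dropped on del.
update_store() {
    _act=$1; _hw=$2; _ip=$3; _name=${4:-*}
    _tmp="$LEASE_STORE.tmp"
    if [ -f "$LEASE_STORE" ]; then
        awk -v ip="$_ip" '$3 != ip' "$LEASE_STORE" > "$_tmp"
    else
        : > "$_tmp"
    fi
    if [ "$_act" != del ]; then
        printf '%s %s %s %s %s\n' "${DNSMASQ_LEASE_EXPIRES:-0}" "$_hw" "$_ip" \
            "$_name" "${DNSMASQ_CLIENT_ID:-*}" >> "$_tmp"
    fi
    mv "$_tmp" "$LEASE_STORE"
}

# Dispatch on the first argument; always exit 0 so dnsmasq keeps running.
dnsmasq_event() {
    action=$1
    shift
    case $action in
        add|old|del)
            update_store "$action" "$@"
            audit "$(lease_record "$action" "$@")"
            ;;
        init)
            # --leasefile-ro: reproduce the saved lease database on stdout.
            # A missing store simply means there are no leases yet.
            if [ -f "$LEASE_STORE" ]; then
                cat "$LEASE_STORE"
            fi
            ;;
        tftp)
            audit "$(tftp_record "$@")"
            ;;
        arp-add|arp-del)
            audit "$(arp_record "$action" "$@")"
            ;;
        *)
            # Future dnsmasq versions may add actions: ignore anything unknown.
            ;;
    esac
    return 0
}

if [ $# -gt 0 ]; then
    dnsmasq_event "$@"
fi
```

Because dnsmasq runs at most one instance at a time and queues later events, the store rewrite above needs no locking against itself; the audit log, not stdout, carries the event records so that stdout stays clean for the "init" reply.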
--bridge-interface=<interface>,<alias>[,<alias>]
       Treat DHCP (v4 and v6) requests and IPv6 Router Solicit packets arriving at any of the
       <alias> interfaces as if they had arrived at <interface>. This option allows dnsmasq to
       provide DHCP and RA service over unaddressed and unbridged Ethernet interfaces, e.g. on an
       OpenStack compute host where each such interface is a TAP interface to a VM, or as in "old
       style bridging" on BSD platforms. A trailing '*' wildcard can be used in each <alias>.

       It is permissible to add more than one alias using more than one --bridge-interface option
       since --bridge-interface=int1,alias1,alias2 is exactly equivalent to
       --bridge-interface=int1,alias1 --bridge-interface=int1,alias2
--shared-network=<interface>,<addr>
--shared-network=<addr>,<addr>
       The DHCP server determines which DHCP ranges are useable for allocating an address to a DHCP
       client based on the network from which the DHCP request arrives, and the IP configuration of
       the server's interface on that network. The shared-network option extends the available
       subnets (and therefore DHCP ranges) beyond the subnets configured on the arrival interface.

       The first argument is either the name of an interface, or an address that is configured on a
       local interface, and the second argument is an address which defines another subnet on which
       addresses can be allocated.

       To be useful, there must be a suitable dhcp-range which allows address allocation on this
       subnet and this dhcp-range MUST include the netmask.

       Using shared-network also needs extra consideration of routing. Dnsmasq does not have the
       usual information that it uses to determine the default route, so the default route option
       (or other routing) MUST be configured manually. The client must have a route to the server:
       if the two-address form of shared-network is used, this needs to be to the first specified
       address. If the interface,address form is used, there must be a route to all of the addresses
       configured on the interface.

       The two-address form of shared-network is also usable with a DHCP relay: the first address is
       the address of the relay and the second, as before, specifies an extra subnet which addresses
       may be allocated from.
-s, --domain=<domain>[,<address range>[,local]]
    Specifies DNS domains for the DHCP server. Domains may be given unconditionally (without the IP range) or for limited IP ranges. This has two effects; firstly it causes the DHCP server to return the domain to any hosts which request it, and secondly it sets the domain which it is legal for DHCP-configured hosts to claim. The intention is to constrain hostnames so that an untrusted host on the LAN cannot advertise its name via DHCP as e.g. "microsoft.com" and capture traffic not meant for it. If no domain suffix is specified, then any DHCP hostname with a domain part (ie with a period) will be disallowed and logged. If suffix is specified, then hostnames with a domain part are allowed, provided the domain part matches the suffix. In addition, when a suffix is set then hostnames without a domain part have the suffix added as an optional domain part. Eg on my network I can set --domain=thekelleys.org.uk and have a machine whose DHCP hostname is "laptop". The IP address for that machine is available from dnsmasq both as "laptop" and "laptop.thekelleys.org.uk".
    If the domain is given as "#" then the domain is read from the first "search" directive in /etc/resolv.conf (or equivalent).
    The address range can be of the form <ip address>,<ip address> or <ip address>/<netmask> or just a single <ip address>. See --dhcp-fqdn which can change the behaviour of dnsmasq with domains.
    If the address range is given as ip-address/network-size, then an additional flag "local" may be supplied which has the effect of adding --local declarations for forward and reverse DNS queries. Eg. --domain=thekelleys.org.uk,192.168.0.0/24,local is identical to --domain=thekelleys.org.uk,192.168.0.0/24 --local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/ The network size must be 8, 16 or 24 for this to be legal.
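As an added example (not dnsmasq's own code), the hostname policy and the ",local" expansion described above, modelled in Python. It generalises the reverse-zone expansion to /8 and /16 as well as the /24 case shown, and assumes that a claimed domain part must equal the configured suffix exactly (case-insensitively), which is one reading of "matches the suffix".

```python
import ipaddress
from typing import List, Optional

# Added example, not dnsmasq code: models the --domain hostname policy and the
# ",local" shorthand as the man page describes them.


def check_dhcp_hostname(claimed: str, suffix: Optional[str]) -> Optional[List[str]]:
    """Return the DNS names that would be published for a DHCP-claimed hostname,
    or None when the claim is disallowed (dnsmasq logs such claims and drops them).

    suffix is the configured --domain, or None when no domain is set.
    Assumption: a domain part must equal the suffix exactly (case-insensitive);
    the man page says only that it must "match the suffix".
    """
    claimed = claimed.rstrip(".")
    if "." not in claimed:
        # Unqualified name: published as-is and, when a suffix is set, also with
        # the suffix added as an optional domain part ("laptop.thekelleys.org.uk").
        return [claimed] if suffix is None else [claimed, f"{claimed}.{suffix}"]
    host, domain = claimed.split(".", 1)
    if suffix is None:
        return None  # no --domain: any hostname with a domain part is rejected
    if domain.lower() != suffix.lower():
        return None  # e.g. "microsoft.com" claimed on a thekelleys.org.uk LAN
    return [host, claimed]


def local_declarations(domain: str, cidr: str) -> List[str]:
    """Expand --domain=<domain>,<cidr>,local into the equivalent --local options.

    Only network sizes 8, 16 and 24 are legal, as the man page states; the
    reverse zone is built from the leading octets of the network address.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("network size must be 8, 16 or 24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    reverse_zone = ".".join(reversed(octets)) + ".in-addr.arpa"
    return [f"--local=/{domain}/", f"--local=/{reverse_zone}/"]


if __name__ == "__main__":
    for name in ("laptop", "laptop.thekelleys.org.uk", "www.microsoft.com"):
        print(name, "->", check_dhcp_hostname(name, "thekelleys.org.uk"))
    print(" ".join(local_declarations("thekelleys.org.uk", "192.168.0.0/24")))
```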
--dhcp-fqdn
    In the default mode, dnsmasq inserts the unqualified names of DHCP clients into the DNS. For this reason, the names must be unique, even if two clients which have the same name are in different domains. If a second DHCP client appears which has the same name as an existing client, the name is transferred to the new client. If --dhcp-fqdn is set, this behaviour changes: the unqualified name is no longer put in the DNS, only the qualified name. Two DHCP clients with the same name may both keep the name, provided that the domain part is different (ie the fully qualified names differ.) To ensure that all names have a domain part, there must be at least one --domain without an address specified when --dhcp-fqdn is set.
--dhcp-client-update
    Normally, when giving a DHCP lease, dnsmasq sets flags in the FQDN option to tell the client not to attempt a DDNS update with its name and IP address. This is because the name-IP pair is automatically added into dnsmasq's DNS view. This flag suppresses that behaviour; this is useful, for instance, to allow Windows clients to update Active Directory servers. See RFC 4702 for details.
--enable-ra
    Enable dnsmasq's IPv6 Router Advertisement feature. DHCPv6 doesn't handle complete network configuration in the same way as DHCPv4. Router discovery and (possibly) prefix discovery for autonomous address creation are handled by a different protocol. When DHCP is in use, only a subset of this is needed, and dnsmasq can handle it, using existing DHCP configuration to provide most data. When RA is enabled, dnsmasq will advertise a prefix for each --dhcp-range, with default router as the relevant link-local address on the machine running dnsmasq. By default, the "managed address" bits are set, and the "use SLAAC" bit is reset. This can be changed for individual subnets with the mode keywords described in --dhcp-range. RFC6106 DNS parameters are included in the advertisements. By default, the relevant link-local address of the machine running dnsmasq is sent as recursive DNS server. If provided, the DHCPv6 options dns-server and domain-search are used for the DNS server (RDNSS) and the domain search list (DNSSL).
--ra-param=<interface>,[mtu:<integer>|<interface>|off,][high,|low,]<ra-interval>[,<router lifetime>]
    Set non-default values for router advertisements sent via an interface. The priority field for the router may be altered from the default of medium with eg --ra-param=eth0,high. The interval between router advertisements may be set (in seconds) with --ra-param=eth0,60. The lifetime of the route may be changed or set to zero, which allows a router to advertise prefixes but not a route via itself. --ra-param=eth0,0,0 (A value of zero for the interval means the default value.) All four parameters may be set at once. --ra-param=eth0,mtu:1280,low,60,1200
    The interface field may include a wildcard.
    The mtu: parameter may be an arbitrary interface name, in which case the MTU value for that interface is used. This is useful for (eg) advertising the MTU of a WAN interface on the other interfaces of a router.
--dhcp-reply-delay=[tag:<tag>,]<integer>
    Delays sending DHCPOFFER and PROXYDHCP replies for at least the specified number of seconds. This can be used as a workaround for bugs in PXE boot firmware that does not function properly when receiving an instant reply. This option takes into account the time already spent waiting (e.g. performing ping check) if any.
--enable-tftp[=<interface>[,<interface>]]
    Enable the TFTP server function. This is deliberately limited to that needed to net-boot a client. Only reading is allowed; the tsize and blksize extensions are supported (tsize is only supported in octet mode). Without an argument, the TFTP service is provided to the same set of interfaces as DHCP service. If the list of interfaces is provided, that defines which interfaces receive TFTP service.
--tftp-root=<directory>[,<interface>]
    Look for files to transfer using TFTP relative to the given directory. When this is set, TFTP paths which include ".." are rejected, to stop clients getting outside the specified root. Absolute paths (starting with /) are allowed, but they must be within the tftp-root. If the optional interface argument is given, the directory is only used for TFTP requests via that interface.
--tftp-no-fail
    Do not abort startup if specified tftp root directories are inaccessible.
--tftp-unique-root[=ip|mac]
    Add the IP or hardware address of the TFTP client as a path component on the end of the TFTP-root. Only valid if a --tftp-root is set and the directory exists. Defaults to adding IP address (in standard dotted-quad format). For instance, if --tftp-root is "/tftp" and client 1.2.3.4 requests file "myfile" then the effective path will be "/tftp/1.2.3.4/myfile" if /tftp/1.2.3.4 exists or /tftp/myfile otherwise. When "=mac" is specified it will append the MAC address instead, using lowercase zero padded digits separated by dashes, e.g.: 01-02-03-04-aa-bb Note that resolving MAC addresses is only possible if the client is in the local network or obtained a DHCP lease from us.
--tftp-secure
    Enable TFTP secure mode: without this, any file which is readable by the dnsmasq process under normal unix access-control rules is available via TFTP. When the --tftp-secure flag is given, only files owned by the user running the dnsmasq process are accessible. If dnsmasq is being run as root, different rules apply: --tftp-secure has no effect, but only files which have the world-readable bit set are accessible. It is not recommended to run dnsmasq as root with TFTP enabled, and certainly not without specifying --tftp-root. Doing so can expose any world-readable file on the server to any host on the net.
--tftp-lowercase
    Convert filenames in TFTP requests to all lowercase. This is useful for requests from Windows machines, which have case-insensitive filesystems and tend to play fast-and-loose with case in filenames. Note that dnsmasq's tftp server always converts "\" to "/" in filenames.
--tftp-max=<connections>
    Set the maximum number of concurrent TFTP connections allowed. This defaults to 50. When serving a large number of TFTP connections, per-process file descriptor limits may be encountered. Dnsmasq needs one file descriptor for each concurrent TFTP connection and one file descriptor per unique file (plus a few others). So serving the same file simultaneously to n clients will require about n + 10 file descriptors, serving different files simultaneously to n clients will require about (2*n) + 10 descriptors. If --tftp-port-range is given, that can affect the number of concurrent connections.
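As an added example (not dnsmasq's own code), the filename-to-path mapping that --tftp-root, --tftp-unique-root and --tftp-lowercase describe, written in Python. The directory-existence check is an injectable parameter so the function can be exercised offline; the fallback of adding no per-client component when a MAC cannot be resolved is an assumption, since the page does not say what happens in that case.

```python
import os
from typing import Callable, Optional

# Added example, not dnsmasq's own code: maps a TFTP request filename onto the
# filesystem the way the man page describes for --tftp-root, --tftp-unique-root
# and --tftp-lowercase. The isdir parameter defaults to the real filesystem and
# can be replaced by a stub when testing.


def tftp_path(root: str, requested: str, client_ip: str = "",
              client_mac: Optional[bytes] = None,
              unique_root: Optional[str] = None, lowercase: bool = False,
              isdir: Callable[[str], bool] = os.path.isdir) -> Optional[str]:
    """Return the effective path for a TFTP read, or None if it must be rejected.

    root:        the --tftp-root directory.
    unique_root: None, "ip" or "mac" (the --tftp-unique-root setting).
    client_mac:  raw 6-byte hardware address, or None if it could not be resolved.
    """
    name = requested.replace("\\", "/")  # dnsmasq always maps "\" to "/"
    if lowercase:                         # --tftp-lowercase
        name = name.lower()
    if ".." in name:                      # paths which include ".." are rejected
        return None
    root = root.rstrip("/")               # becomes "" when the root is "/"
    if name.startswith("/"):
        # Absolute paths are allowed only when they already lie inside the root;
        # the trailing "/" in the prefix stops "/tftpx/..." matching root "/tftp".
        if not name.startswith(root + "/"):
            return None
        name = name[len(root) + 1:]
    if not name:
        return None
    # --tftp-unique-root: add a per-client component, but only if that
    # directory exists; otherwise the plain root is used.
    component = ""
    if unique_root == "ip":
        component = client_ip
    elif unique_root == "mac" and client_mac is not None:
        # lowercase, zero padded, dash separated: 01-02-03-04-aa-bb
        component = "-".join(f"{b:02x}" for b in client_mac)
    # Assumption: an unresolvable MAC simply means no component is added.
    if component and isdir(f"{root}/{component}"):
        root = f"{root}/{component}"
    return f"{root}/{name}"


if __name__ == "__main__":
    # Constructed inputs; the stub pretends only /tftp/1.2.3.4 exists.
    only_one = lambda p: p == "/tftp/1.2.3.4"
    for req, ip in (("myfile", "1.2.3.4"), ("myfile", "5.6.7.8"),
                    ("../etc/passwd", "1.2.3.4"), ("/etc/passwd", "1.2.3.4")):
        print(req, "->", tftp_path("/tftp", req, ip, unique_root="ip", isdir=only_one))
```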
--tftp-mtu=<mtu size>
    Use size as the ceiling of the MTU supported by the intervening network when negotiating TFTP blocksize, overriding the MTU setting of the local interface if it is larger.
--tftp-no-blocksize
    Stop the TFTP server from negotiating the "blocksize" option with a client. Some buggy clients request this option but then behave badly when it is granted.
--tftp-port-range=<start>,<end>
    A TFTP server listens on a well-known port (69) for connection initiation, but it also uses a dynamically-allocated port for each connection. Normally these are allocated by the OS, but this option specifies a range of ports for use by TFTP transfers. This can be useful when TFTP has to traverse a firewall. The start of the range cannot be lower than 1025 unless dnsmasq is running as root. The number of concurrent TFTP connections is limited by the size of the port range.
--tftp-single-port
    Run in a mode where the TFTP server uses ONLY the well-known port (69) for its end of the TFTP transfer. This allows TFTP to work when there is NAT in the path between client and server. Note that this is not strictly compliant with the RFCs specifying the TFTP protocol: use at your own risk.
-C, --conf-file=<file>
    Specify a configuration file. The presence of this option stops dnsmasq from reading the default configuration file (normally /etc/dnsmasq.conf). Multiple files may be specified by repeating the option either on the command line or in configuration files. A filename of "-" causes dnsmasq to read configuration from stdin.
-7, --conf-dir=<directory>[,<file-extension>......],
    Read all the files in the given directory as configuration files. If extension(s) are given, any files which end in those extensions are skipped. Any files whose names end in ~ or start with . or start and end with # are always skipped. If the extension starts with * then only files which have that extension are loaded. So --conf-dir=/path/to/dir,*.conf loads all files with the suffix .conf in /path/to/dir. This flag may be given on the command line or in a configuration file. If giving it on the command line, be sure to escape * characters. Files are loaded in alphabetical order of filename.
--servers-file=<file>
    A special case of --conf-file which differs in two respects. Firstly, only --server and --rev-server are allowed in the configuration file included. Secondly, the file is re-read and the configuration therein is updated when dnsmasq receives SIGHUP.
CONFIG FILE
    At startup, dnsmasq reads /etc/dnsmasq.conf, if it exists. (On FreeBSD, the file is /usr/local/etc/dnsmasq.conf ) (but see the --conf-file and --conf-dir options.) The format of this file consists of one option per line, exactly as the long options detailed in the OPTIONS section but without the leading "--". Lines starting with # are comments and ignored. For options which may only be specified once, the configuration file overrides the command line. Quoting is allowed in a config file: between " quotes the special meanings of ,:. and # are removed and the following escapes are allowed: \\ \" \t \e \b \r and \n. The latter corresponding to tab, escape, backspace, return and newline.
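As an added example (not dnsmasq's own parser), a Python tokenizer for one config-file line that applies the quoting and escape rules just described: comment lines are dropped, the value is split only on commas outside double quotes, and inside quotes the listed escapes are decoded while , : . and # are kept literally. Rejecting any escape other than the seven the page lists is this example's choice.

```python
from typing import List, Optional, Tuple

# Added example, not dnsmasq code: tokenizes one dnsmasq.conf line following
# the CONFIG FILE quoting rules in the man page.

# The escapes the man page allows between double quotes.
_ESCAPES = {
    "\\": "\\", '"': '"', "t": "\t", "e": "\x1b", "b": "\b", "r": "\r", "n": "\n",
}


def parse_config_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (option, fields) for a config line, or None for blank/comment lines.

    fields is the option value split on commas that are not inside double
    quotes; quoted text has its escapes decoded and keeps , : . and #
    literally. A flag-style option such as "log-queries" yields no fields.
    Raises ValueError on an unterminated quote or an escape not in _ESCAPES.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    option, sep, value = line.partition("=")
    option = option.strip()
    if not sep:
        return option, []
    fields: List[str] = []
    cur: List[str] = []
    quoted = False
    i = 0
    while i < len(value):
        ch = value[i]
        if quoted:
            if ch == '"':
                quoted = False
            elif ch == "\\":
                i += 1
                if i >= len(value) or value[i] not in _ESCAPES:
                    raise ValueError(f"bad escape in: {line}")
                cur.append(_ESCAPES[value[i]])
            else:
                cur.append(ch)  # , : . and # have no special meaning here
        elif ch == '"':
            quoted = True
        elif ch == ",":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if quoted:
        raise ValueError(f"unterminated quote in: {line}")
    fields.append("".join(cur))
    return option, fields


if __name__ == "__main__":
    # Constructed sample lines, not taken from a real configuration.
    sample = [
        "# upstream servers",
        "server=/example.test/10.0.0.1",
        'dhcp-option=option:domain-search,"one.test,two.test"',
        "log-queries",
    ]
    for text in sample:
        print(repr(text), "->", parse_config_line(text))
```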
NOTES NOTES
When it receives a SIGHUP, dnsmasq clears its cache and then re-loads /et c/hosts and /etc/ethers and any When it receives a SIGHUP, dnsmasq clears its cache and then re-loads / etc/hosts and /etc/ethers and any
file given by --dhcp-hostsfile, --dhcp-hostsdir, --dhcp-optsfile, --dhcp- optsdir, --addn-hosts or --hosts- file given by --dhcp-hostsfile, --dhcp-hostsdir, --dhcp-optsfile, --dhcp- optsdir, --addn-hosts or --hosts-
dir. The DHCP lease change script is called for all existing DHCP leases . If --no-poll is set SIGHUP also dir. The DHCP lease change script is called for all existing DHCP leases . If --no-poll is set SIGHUP also
re-reads /etc/resolv.conf. SIGHUP does NOT re-read the configuration fil e. re-reads /etc/resolv.conf. SIGHUP does NOT re-read the configuration fil e.
When it receives a SIGUSR1, dnsmasq writes statistics to the system l og. It writes the cache size, the When it receives a SIGUSR1, dnsmasq writes statistics to the system log. It writes the cache size, the
number of names which have had to removed from the cache before they expi red in order to make room for new number of names which have had to removed from the cache before they expi red in order to make room for new
names and the total number of names that have been inserted into the ca names and the total number of names that have been inserted into the cach
che. The number of cache hits and e. The number of cache hits and
misses and the number of authoritative queries answered are also given. F misses and the number of authoritative queries answered are also given.
or each upstream server it gives For each upstream server it gives
the number of queries sent, and the number which resulted in an error. the number of queries sent, and the number which resulted in an error. In
In --no-daemon mode or when full --no-daemon mode or when full
logging is enabled (--log-queries), a complete dump of the contents of th e cache is made. logging is enabled (--log-queries), a complete dump of the contents of th e cache is made.
The cache statistics are also available in the DNS as answers to queries of class CHAOS and type TXT in The cache statistics are also available in the DNS as answers to queri es of class CHAOS and type TXT in
domain bind. The domain names are cachesize.bind, insertions.bind, evicti ons.bind, misses.bind, hits.bind, domain bind. The domain names are cachesize.bind, insertions.bind, evicti ons.bind, misses.bind, hits.bind,
auth.bind and servers.bind. An example command to query this, using the d ig utility would be auth.bind and servers.bind. An example command to query this, using the d ig utility would be
dig +short chaos txt cachesize.bind dig +short chaos txt cachesize.bind
When it receives SIGUSR2 and it is logging direct to a file (see --log-fa When it receives SIGUSR2 and it is logging direct to a file (see --log-
cility ) dnsmasq will close and facility ) dnsmasq will close and
reopen the log file. Note that during this operation, dnsmasq will not reopen the log file. Note that during this operation, dnsmasq will not be
be running as root. When it first running as root. When it first
creates the logfile dnsmasq changes the ownership of the file to the non- creates the logfile dnsmasq changes the ownership of the file to the non
root user it will run as. Logro- -root user it will run as. Logro-
tate should be configured to create a new log file with the ownersh tate should be configured to create a new log file with the ownership w
ip which matches the existing one hich matches the existing one
before sending SIGUSR2. If TCP DNS queries are in progress, the old logf before sending SIGUSR2. If TCP DNS queries are in progress, the old
ile will remain open in child logfile will remain open in child
processes which are handling TCP queries and may continue to be written. processes which are handling TCP queries and may continue to be written.
There is a limit of 150 seconds, There is a limit of 150 seconds,
after which all existing TCP processes will have expired: for this reason after which all existing TCP processes will have expired: for this re
, it is not wise to configure ason, it is not wise to configure
logfile compression for logfiles which have just been rotated. Using lo logfile compression for logfiles which have just been rotated. Using logr
grotate, the required options are otate, the required options are
create and delaycompress. create and delaycompress.
Dnsmasq is a DNS query forwarder: it is not capable of recursively answer Dnsmasq is a DNS query forwarder: it is not capable of recursively ans
ing arbitrary queries starting wering arbitrary queries starting
from the root servers but forwards such queries to a fully recursive u from the root servers but forwards such queries to a fully recursive upst
pstream DNS server which is typi- ream DNS server which is typi-
cally provided by an ISP. By default, dnsmasq reads /etc/resolv.conf to d cally provided by an ISP. By default, dnsmasq reads /etc/resolv.conf to
iscover the IP addresses of the discover the IP addresses of the
upstream nameservers it should use, since the information is typically upstream nameservers it should use, since the information is typically st
stored there. Unless --no-poll is ored there. Unless --no-poll is
used, dnsmasq checks the modification time of /etc/resolv.conf (or equiva used, dnsmasq checks the modification time of /etc/resolv.conf (or equ
lent if --resolv-file is used) ivalent if --resolv-file is used)
and re-reads it if it changes. This allows the DNS servers to be set dyna mically by PPP or DHCP since both and re-reads it if it changes. This allows the DNS servers to be set dyna mically by PPP or DHCP since both
protocols provide the information. Absence of /etc/resolv.conf is not an error since it may not have been protocols provide the information. Absence of /etc/resolv.conf is not an error since it may not have been
created before a PPP connection exists. Dnsmasq simply keeps checking in created before a PPP connection exists. Dnsmasq simply keeps checking in
case /etc/resolv.conf is created case /etc/resolv.conf is created
at any time. Dnsmasq can be told to parse more than one resolv.conf file. at any time. Dnsmasq can be told to parse more than one resolv.conf
This is useful on a laptop, file. This is useful on a laptop,
where both PPP and DHCP may be used: dnsmasq can be set to p where both PPP and DHCP may be used: dnsmasq can be set to poll
oll both /etc/ppp/resolv.conf and both /etc/ppp/resolv.conf and
/etc/dhcpc/resolv.conf and will use the contents of whichever changed la /etc/dhcpc/resolv.conf and will use the contents of whichever changed
st, giving automatic switching last, giving automatic switching
between DNS servers. between DNS servers.
Upstream servers may also be specified on the command line or in the Upstream servers may also be specified on the command line or in the co
configuration file. These server nfiguration file. These server
specifications optionally take a domain name which tells dnsmasq to use t specifications optionally take a domain name which tells dnsmasq to use
hat server only to find names in that server only to find names in
that particular domain. that particular domain.
In order to configure dnsmasq to act as cache for the host on which it is running, put "nameserver
127.0.0.1" in /etc/resolv.conf to force local processes to send queries to dnsmasq. Then either specify
the upstream servers directly to dnsmasq using --server options or put their real addresses in another
file, say /etc/resolv.dnsmasq, and run dnsmasq with the --resolv-file /etc/resolv.dnsmasq option. The
separate file is needed because dnsmasq would otherwise read the same /etc/resolv.conf and find only its
own address there. This second technique allows for dynamic update of the server addresses by PPP or DHCP.
Addresses in /etc/hosts will "shadow" different addresses for the same names in the upstream DNS, so
"1.2.3.4 mycompany.com" in /etc/hosts will ensure that queries for "mycompany.com" always return 1.2.3.4
even if queries in the upstream DNS would otherwise return a different address. There is one exception to
this: if the upstream DNS contains a CNAME which points to a shadowed name, then looking up the CNAME
through dnsmasq will result in the unshadowed address associated with the target of the CNAME. To work
around this, add the CNAME to /etc/hosts so that the CNAME is shadowed too. (This matters when /etc/hosts
is used to block names: a CNAME in the upstream DNS that points at a blocked name still resolves to the
real address unless the CNAME itself is also listed.)
The tag system works as follows: For each DHCP request, dnsmasq collects a set of valid tags from active
configuration lines which include set:<tag>, including one from the --dhcp-range used to allocate the
address, one from any matching --dhcp-host (and "known" or "known-othernet" if a --dhcp-host matches). The
tag "bootp" is set for BOOTP requests, and a tag whose name is the name of the interface on which the
request arrived is also set.
Any configuration lines which include one or more tag:<tag> constructs will only be valid if all those
tags are matched in the set derived above. Typically this is --dhcp-option. A --dhcp-option which has tags
will be used in preference to an untagged --dhcp-option, provided that _all_ the tags match somewhere in
the set collected as described above. The prefix '!' on a tag means 'not', so
--dhcp-option=tag:!purple,3,1.2.3.4 sends the option when the tag purple is not in the set of valid tags.
(If using this in a command line rather than a configuration file, be sure to escape !, which is a shell
metacharacter.)
When selecting --dhcp-options, a tag from --dhcp-range is second class relative to other tags, to make it
easy to override options for individual hosts, so
--dhcp-range=set:interface1,...... --dhcp-host=set:myhost,.....
--dhcp-option=tag:interface1,option:nis-domain,"domain1" --dhcp-option=tag:myhost,option:nis-domain,"domain2"
will set the NIS-domain to domain1 for hosts in the range, but override that to domain2 for a particular
host.
Note that for --dhcp-range both tag:<tag> and set:<tag> are allowed, to both select the range in use based
on (eg) --dhcp-host, and to affect the options sent, based on the range selected.
This system evolved from an earlier, more limited one and for backward compatibility "net:" may be used
instead of "tag:" and "set:" may be omitted. (Except in --dhcp-host, where "net:" may be used instead of
"set:".) For the same reason, '#' may be used instead of '!' to indicate NOT.
The DHCP server in dnsmasq will function as a BOOTP server also, provided that the MAC address and IP
address for clients are given, either using --dhcp-host configurations or in /etc/ethers, and a
--dhcp-range configuration option is present to activate the DHCP server on a particular network.
(Setting --bootp-dynamic removes the need for static address mappings.) The filename parameter in a BOOTP
request is used as a tag, as is the tag "bootp", allowing some control over the options returned to
different classes of hosts. Since the filename is chosen by the client, a tag derived from it reflects what
the client claims and not anything dnsmasq has verified.
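To check how the tag rules above combine, here is an added Python model of them (example code written for this page, not part of dnsmasq). It builds the tag set the text describes (the interface name, the tag set by a matching --dhcp-host plus "known", the "bootp" tag and the BOOTP filename), then applies the --dhcp-option rules in three passes: tagged lines satisfied without the range tag, then tagged lines that need the range tag, then untagged fallbacks. The three-pass order, the rule that the first matching line for an option number wins, and the interface names, tags and option values are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpOption:
    """One --dhcp-option line: option number, value and its tag:<tag> constraints."""
    number: int
    value: str
    tags: tuple = ()          # each entry is "tag" or "!tag" (the man page's NOT prefix)


def tags_match(constraints, tag_set):
    """Every tag:<tag> constraint must hold; a leading '!' means the tag must be absent."""
    for c in constraints:
        if c.startswith("!"):
            if c[1:] in tag_set:
                return False
        elif c not in tag_set:
            return False
    return True


def collect_tags(interface, range_tag, host_tags=None, bootp=False, bootp_filename=None):
    """Build the tag set for one request as the text describes.

    Returns (first_class_tags, range_tag): the tag set by the allocating
    --dhcp-range is kept apart because it is second class during selection.
    """
    tags = {interface}                      # tag named after the arrival interface
    if host_tags is not None:               # a --dhcp-host line matched this client
        tags.update(host_tags)
        tags.add("known")
    if bootp:
        tags.add("bootp")
        if bootp_filename:                  # client-supplied value: a claim, not a verified fact
            tags.add(bootp_filename)
    return tags, range_tag


def select_options(options, tags, range_tag):
    """Return {option number: value} for the --dhcp-option lines that would be sent.

    Assumed model of the text's rules:
      pass 1 - tagged lines satisfied without the range tag (first-class tags);
      pass 2 - tagged lines that need the range tag, unless pass 1 already
               picked a line for that option number;
      pass 3 - untagged lines, unless a tagged line for that number won.
    The first matching line for a number wins within a pass.
    """
    full = tags | {range_tag}
    chosen = {}
    for opt in options:                     # pass 1
        if opt.tags and tags_match(opt.tags, full) and tags_match(opt.tags, tags):
            chosen.setdefault(opt.number, opt.value)
    for opt in options:                     # pass 2
        if opt.tags and tags_match(opt.tags, full):
            chosen.setdefault(opt.number, opt.value)
    for opt in options:                     # pass 3
        if not opt.tags:
            chosen.setdefault(opt.number, opt.value)
    return chosen


def demo_options():
    """Constructed configuration mirroring the NIS-domain example in the text."""
    return [
        DhcpOption(40, "domain1", ("interface1",)),   # tag:interface1 is the range tag
        DhcpOption(40, "domain2", ("myhost",)),       # tag:myhost comes from --dhcp-host
        DhcpOption(3, "10.0.0.1"),                    # untagged router option
        DhcpOption(3, "10.0.0.254", ("!purple",)),    # tag:!purple beats the untagged line
        DhcpOption(42, "10.0.0.123", ("known",)),     # only hosts with a --dhcp-host entry
    ]


def demo():
    """Options for a host matched by --dhcp-host=set:myhost and for an unknown host."""
    tags, rng = collect_tags("eth0", "interface1", host_tags={"myhost"})
    known = select_options(demo_options(), tags, rng)
    tags, rng = collect_tags("eth0", "interface1")
    unknown = select_options(demo_options(), tags, rng)
    return known, unknown


if __name__ == "__main__":
    for label, opts in zip(("known host", "unknown host"), demo()):
        print(label, opts)
```

Running it shows the known host getting domain2 while the unknown host in the same range gets domain1, and the tag:!purple line winning over the untagged option 3 for both; adding "purple" to a tag set makes the untagged option 3 reappear.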
AUTHORITATIVE CONFIGURATION
Configuring dnsmasq to act as an authoritative DNS server is complicated by the fact that it involves
configuration of external DNS servers to provide delegation. We will walk through three scenarios of
increasing complexity. Prerequisites for all of these scenarios are a globally accessible IP address, an A
or AAAA record pointing to that address, and an external DNS server capable of doing delegation of the
zone in question. For the first part of this explanation, we will call the A (or AAAA) record for the
globally accessible address server.example.com, and the zone for which dnsmasq is authoritative
our.zone.com.
The simplest configuration consists of two lines of dnsmasq configuration; something like
--auth-server=server.example.com,eth0
--auth-zone=our.zone.com,1.2.3.0/24
and two records in the external DNS
server.example.com A 192.0.43.10
our.zone.com NS server.example.com
eth0 is the external network interface on which dnsmasq is listening, and has (globally accessible)
address 192.0.43.10.
Note that the external IP address may well be dynamic (ie assigned from an ISP by DHCP or PPP). If so, the
A record must be linked to this dynamic assignment by one of the usual dynamic-DNS systems.
A more complex, but practically useful configuration has the address record for the globally accessible IP
address residing in the authoritative zone which dnsmasq is serving, typically at the root. Now we have
--auth-server=our.zone.com,eth0
--auth-zone=our.zone.com,1.2.3.0/24
our.zone.com A 1.2.3.4
our.zone.com NS our.zone.com
The A record for our.zone.com has now become a glue record, it solves the chicken-and-egg problem of
finding the IP address of the nameserver for our.zone.com when the A record is within that zone. Note that
this is the only role of this record: as dnsmasq is now authoritative for our.zone.com it too must provide
this record. If the external address is static, this can be done with an /etc/hosts entry or
--host-record.
--auth-server=our.zone.com,eth0
--host-record=our.zone.com,1.2.3.4
--auth-zone=our.zone.com,1.2.3.0/24
If the external address is dynamic, the address associated with our.zone.com must be derived from the
address of the relevant interface. This is done using --interface-name. Something like:
--auth-server=our.zone.com,eth0
--interface-name=our.zone.com,eth0
--auth-zone=our.zone.com,1.2.3.0/24,eth0
(The "eth0" argument in --auth-zone adds the subnet containing eth0's dynamic address to the zone, so that
the --interface-name returns the address in outside queries.)
Our final configuration builds on that above, but also adds a secondary DNS server. This is another DNS
server which learns the DNS data for the zone by doing zone transfers, and acts as a backup should the
primary server become inaccessible. The configuration of the secondary is beyond the scope of this
manpage, but the extra configuration of dnsmasq is simple:
--auth-sec-servers=secondary.myisp.com
and
our.zone.com NS secondary.myisp.com
Adding auth-sec-servers enables zone transfer in dnsmasq, to allow the secondary to collect the DNS data.
Without a further restriction, any host that can reach dnsmasq may request a transfer of the whole zone,
including the names and addresses taken from DHCP leases. If you wish to restrict this data to particular
hosts then
--auth-peer=<IP address of secondary>
will do so.
Dnsmasq acts as an authoritative server for in-addr.arpa and ip6.arpa domains associated with the subnets
given in --auth-zone declarations, so reverse (address to name) lookups can be simply configured with a
suitable NS record, for instance in this example, where we allow 1.2.3.0/24 addresses.
3.2.1.in-addr.arpa NS our.zone.com
Note that at present, reverse (in-addr.arpa and ip6.arpa) zones are not available in zone transfers, so
there is no point arranging secondary servers for reverse lookups.
When dnsmasq is configured to act as an authoritative server, the following data is used to populate the
authoritative zone.
--mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record, --caa-record, as long as the record names
are in the authoritative domain.
--cname as long as the record name is in the authoritative domain. If the target of the CNAME is
unqualified, then it is qualified with the authoritative zone name. CNAME used in this way (only) may be
wildcards, as in
--cname=*.example.com,default.example.com
IPv4 and IPv6 addresses from /etc/hosts (and --addn-hosts ) and --host-record and --interface-name and
--dynamic-host (the 2.85 text adds --dynamic-host to this list), provided the address falls into one of
the subnets specified in the --auth-zone.
Addresses of DHCP leases, provided the address falls into one of the subnets specified in the --auth-zone.
(If constructed DHCP ranges are in use, which depend on the address dynamically assigned to an interface,
then the form of --auth-zone which defines subnets by the dynamic address of an interface should be used
to ensure this condition is met.)
In the default mode, where a DHCP lease has an unqualified name, and possibly a qualified name constructed
using --domain, then the name in the authoritative zone is constructed from the unqualified name and the
zone's domain. This may or may not equal that specified by --domain. If --dhcp-fqdn is set, then the
fully qualified names associated with DHCP leases are used, and must match the zone's domain.
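As an added example (not dnsmasq's own code), the following Python model applies the zone-population rules above to constructed data: host and lease addresses are published only when they lie in an --auth-zone subnet, an unqualified CNAME target gets the zone name appended, lease names are built from the unqualified name and the zone's domain unless --dhcp-fqdn is set, and each published address also yields the PTR record dnsmasq would answer in the matching in-addr.arpa or ip6.arpa zone. Treating a CNAME target with no dot as "unqualified", and dropping a --dhcp-fqdn lease whose name is outside the zone, are assumptions; all names and addresses are constructed.

```python
import ipaddress


def build_auth_zone(zone, subnets, hosts=(), cnames=(), leases=(), dhcp_fqdn=False):
    """Return a sorted list of (name, type, data) records the zone would contain.

    zone      - the --auth-zone domain, e.g. "our.zone.com"
    subnets   - the --auth-zone subnets as strings, e.g. ["1.2.3.0/24"]
    hosts     - (name, address) pairs from /etc/hosts, --host-record, --interface-name
    cnames    - (name, target) pairs from --cname
    leases    - (name, address) pairs from DHCP leases: the unqualified name by
                default, the client's fully qualified name when --dhcp-fqdn is set
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    records = set()

    def in_zone(name):
        return name == zone or name.endswith("." + zone)

    def add_address(name, addr):
        ip = ipaddress.ip_address(addr)
        if not any(ip in n for n in nets):
            return                                    # outside every --auth-zone subnet
        records.add((name, "A" if ip.version == 4 else "AAAA", str(ip)))
        records.add((ip.reverse_pointer, "PTR", name))   # in-addr.arpa / ip6.arpa answer

    for name, addr in hosts:
        if in_zone(name):
            add_address(name, addr)

    for name, target in cnames:
        if not in_zone(name):
            continue
        if "." not in target:                         # assumption: no dot means unqualified
            target = target + "." + zone
        records.add((name, "CNAME", target))

    for name, addr in leases:
        if dhcp_fqdn:
            if not in_zone(name):                     # assumption: non-matching FQDN is dropped
                continue
            fqdn = name
        else:
            fqdn = name + "." + zone                  # unqualified name + zone's domain
        add_address(fqdn, addr)

    return sorted(records)


def demo():
    """Constructed data for the our.zone.com / 1.2.3.0/24 example used above."""
    return build_auth_zone(
        "our.zone.com",
        ["1.2.3.0/24"],
        hosts=[("our.zone.com", "1.2.3.4"),          # --host-record=our.zone.com,1.2.3.4
               ("www.our.zone.com", "1.2.3.5"),
               ("vpn.our.zone.com", "10.9.8.7")],    # in the zone but outside the subnet
        cnames=[("mail.our.zone.com", "www"),        # unqualified target
                ("other.example.net", "www")],       # not in the zone
        leases=[("laptop", "1.2.3.50"),              # unqualified lease name
                ("printer", "192.168.1.9")],         # outside the subnet
    )


if __name__ == "__main__":
    for name, rtype, data in demo():
        print(f"{name:28} {rtype:5} {data}")
```

The output makes the subnet rule visible: vpn.our.zone.com and the printer lease are silently absent even though their names are in the zone, which is exactly the situation the paragraph about constructed DHCP ranges warns about.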
EXIT CODES
0 - Dnsmasq successfully forked into the background, or terminated normally if backgrounding is not
enabled.
1 - A problem with configuration was detected.
2 - A problem with network access occurred (address in use, attempt to use privileged ports without
permission).
3 - A problem occurred with a filesystem operation (missing file/directory, permissions).
4 - Memory allocation failure.
5 - Other miscellaneous problem.
11 or greater - a non zero return code was received from the lease-script process "init" call. The exit
code from dnsmasq is the script's exit code with 10 added.
LIMITS
The default values for resource limits in dnsmasq are generally conservative, and appropriate for embedded
router type devices with slow processors and limited memory. On more capable hardware, it is possible to
increase the limits, and handle many more clients. The following applies to dnsmasq-2.37: earlier versions
did not scale as well.
Dnsmasq is capable of handling DNS and DHCP for at least a thousand clients. The DHCP lease times should
not be very short (less than one hour). The value of --dns-forward-max can be increased: start with it
equal to the number of clients and increase if DNS seems slow. Note that DNS performance depends too on
the performance of the upstream nameservers. The size of the DNS cache may be increased: the hard limit is
10000 names and the default (150) is very low. Sending SIGUSR1 to dnsmasq makes it log information which
is useful for tuning the cache size. See the NOTES section for details.
The built-in TFTP server is capable of many simultaneous file transfers: the absolute limit is related to
the number of file-handles allowed to a process and the ability of the select() system call to cope with
large numbers of file handles. If the limit is set too high using --tftp-max it will be scaled down and
the actual limit logged at start-up. Note that more transfers are possible when the same file is being
sent than when each transfer sends a different file.
It is possible to use dnsmasq to block Web advertising by using a list of known banner-ad servers, all
resolving to 127.0.0.1 or 0.0.0.0, in /etc/hosts or an additional hosts file. The list can be very long,
dnsmasq has been tested successfully with one million names. That size file needs a 1GHz processor and
about 60MB of RAM.
INTERNATIONALISATION
Dnsmasq can be compiled to support internationalisation. To do this, the make targets "all-i18n" and
"install-i18n" should be used instead of the standard targets "all" and "install". When
internationalisation is compiled in, dnsmasq will produce log messages in the local language and support
internationalised domain names (IDN). Domain names in /etc/hosts, /etc/ethers and /etc/dnsmasq.conf which
contain non-ASCII characters will be translated to the DNS-internal punycode representation. Note that
dnsmasq determines both the language for messages and the assumed charset for configuration files from
the LANG environment variable. This should be set to the system default value by the script which is
responsible for starting dnsmasq. When editing the configuration files, be careful to do so using only the
system-default locale and not a user-specific one, since dnsmasq has no direct way of determining the
charset in use, and must assume that it is the system default.
FILES
/etc/dnsmasq.conf
/usr/local/etc/dnsmasq.conf
/etc/resolv.conf /var/run/dnsmasq/resolv.conf /etc/ppp/resolv.conf /etc/dhcpc/resolv.conf
/etc/hosts
End of changes. 180 change blocks. 801 lines changed or deleted, 835 lines changed or added.