1DNSMASQ(8) System Manager's Manual DNSMASQ(8)
2
3
4
6 dnsmasq - A lightweight DHCP and caching DNS server.
7
9 dnsmasq [OPTION]...
10
12 dnsmasq is a lightweight DNS, TFTP and DHCP server. It is intended to
13 provide coupled DNS and DHCP service to a LAN.
14
15 Dnsmasq accepts DNS queries and either answers them from a small,
16 local, cache or forwards them to a real, recursive, DNS server. It
17 loads the contents of /etc/hosts so that local hostnames which do not
18 appear in the global DNS can be resolved and also answers DNS queries
19 for DHCP configured hosts.
20
21 The dnsmasq DHCP server supports static address assignments and multi‐
22 ple networks. It automatically sends a sensible default set of DHCP
23 options, and can be configured to send any desired set of DHCP options,
24 including vendor-encapsulated options. It includes a secure, read-only,
25 TFTP server to allow net/PXE boot of DHCP hosts and also supports
26 BOOTP.
27
28 Dnsmasq supports IPv6 for DNS, but not DHCP.
29
31 Note that in general missing parameters are allowed and switch off
32 functions, for instance "--pid-file" disables writing a PID file. On
33 BSD, unless the GNU getopt library is linked, the long form of the
34 options does not work on the command line; it is still recognised in
35 the configuration file.
36
37 --test Read and syntax check configuration file(s). Exit with code 0 if
38 all is OK, or a non-zero code otherwise. Do not start up dns‐
39 masq.
40
41 -h, --no-hosts
42 Don't read the hostnames in /etc/hosts.
43
44 -H, --addn-hosts=<file>
45 Additional hosts file. Read the specified file as well as
46 /etc/hosts. If -h is given, read only the specified file. This
47 option may be repeated for more than one additional hosts file.
48 If a directory is given, then read all the files contained in
49 that directory.
50
51 -E, --expand-hosts
52 Add the domain to simple names (without a period) in /etc/hosts
53 in the same way as for DHCP-derived names.
54
55 -T, --local-ttl=<time>
56 When replying with information from /etc/hosts or the DHCP
57 leases file dnsmasq by default sets the time-to-live field to
58 zero, meaning that the requestor should not itself cache the
59 information. This is the correct thing to do in almost all situ‐
60 ations. This option allows a time-to-live (in seconds) to be
61 given for these replies. This will reduce the load on the server
62 at the expense of clients using stale data under some circum‐
63 stances.
64
65 --neg-ttl=<time>
66 Negative replies from upstream servers normally contain time-to-
67 live information in SOA records which dnsmasq uses for caching.
68 If the replies from upstream servers omit this information, dns‐
69 masq does not cache the reply. This option gives a default value
70 for time-to-live (in seconds) which dnsmasq uses to cache nega‐
71 tive replies even in the absence of an SOA record.
72
73 -k, --keep-in-foreground
74 Do not go into the background at startup but otherwise run as
75 normal. This is intended for use when dnsmasq is run under dae‐
76 montools or launchd.
77
78 -d, --no-daemon
79 Debug mode: don't fork to the background, don't write a pid
80 file, don't change user id, generate a complete cache dump on
81 receipt on SIGUSR1, log to stderr as well as syslog, don't fork
82 new processes to handle TCP queries.
83
84 -q, --log-queries
85 Log the results of DNS queries handled by dnsmasq. Enable a full
86 cache dump on receipt of SIGUSR1.
87
88 -8, --log-facility=<facility>
89 Set the facility to which dnsmasq will send syslog entries, this
90 defaults to DAEMON, and to LOCAL0 when debug mode is in opera‐
91 tion. If the facility given contains at least one '/' character,
92 it is taken to be a filename, and dnsmasq logs to the given
93 file, instead of syslog. (Errors whilst reading configuration
94 will still go to syslog, but all output from a successful
95 startup, and all output whilst running, will go exclusively to
96 the file.) When logging to a file, dnsmasq will close and reopen
97 the file when it receives SIGUSR2. This allows the log file to
98 be rotated without stopping dnsmasq.
99
100 --log-async[=<lines>]
101 Enable asynchronous logging and optionally set the limit on the
102 number of lines which will be queued by dnsmasq when writing to
103 the syslog is slow. Dnsmasq can log asynchronously: this allows
104 it to continue functioning without being blocked by syslog, and
105 allows syslog to use dnsmasq for DNS queries without risking
106 deadlock. If the queue of log-lines becomes full, dnsmasq will
107 log the overflow, and the number of messages lost. The default
108 queue length is 5, a sane value would be 5-25, and a maximum
109 limit of 100 is imposed.
110
111 -x, --pid-file=<path>
112 Specify an alternate path for dnsmasq to record its process-id
113 in. Normally /var/run/dnsmasq.pid.
114
115 -u, --user=<username>
116 Specify the userid to which dnsmasq will change after startup.
117 Dnsmasq must normally be started as root, but it will drop root
118 privileges after startup by changing id to another user. Nor‐
119 mally this user is "nobody" but that can be over-ridden with
120 this switch.
121
122 -g, --group=<groupname>
123 Specify the group which dnsmasq will run as. The defaults to
124 "dip", if available, to facilitate access to
125 /etc/ppp/resolv.conf which is not normally world readable.
126
127 -v, --version
128 Print the version number.
129
130 -p, --port=<port>
131 Listen on <port> instead of the standard DNS port (53). Setting
132 this to zero completely disables DNS function, leaving only DHCP
133 and/or TFTP.
134
135 -P, --edns-packet-max=<size>
136 Specify the largest EDNS.0 UDP packet which is supported by the
137 DNS forwarder. Defaults to 1280, which is the RFC2671-recom‐
138 mended maximum for ethernet.
139
140 -Q, --query-port=<query_port>
141 Send outbound DNS queries from, and listen for their replies on,
142 the specific UDP port <query_port> instead of using random
143 ports. NOTE that using this option will make dnsmasq less secure
144 against DNS spoofing attacks but it may be faster and use less
145 resources. Setting this option to zero makes dnsmasq use a sin‐
146 gle port allocated to it by the OS: this was the default behav‐
147 iour in versions prior to 2.43.
148
149 --min-port=<port>
150 Do not use ports less than that given as source for outbound DNS
151 queries. Dnsmasq picks random ports as source for outbound
152 queries: when this option is given, the ports used will always
153 to larger than that specified. Useful for systems behind fire‐
154 walls.
155
156 -i, --interface=<interface name>
157 Listen only on the specified interface(s). Dnsmasq automatically
158 adds the loopback (local) interface to the list of interfaces to
159 use when the --interface option is used. If no --interface or
160 --listen-address options are given dnsmasq listens on all avail‐
161 able interfaces except any given in --except-interface options.
162 IP alias interfaces (eg "eth1:0") cannot be used with --inter‐
163 face or --except-interface options, use --listen-address
164 instead.
165
166 -I, --except-interface=<interface name>
167 Do not listen on the specified interface. Note that the order of
168 --listen-address --interface and --except-interface options does
169 not matter and that --except-interface options always override
170 the others.
171
172 -2, --no-dhcp-interface=<interface name>
173 Do not provide DHCP or TFTP on the specified interface, but do
174 provide DNS service.
175
176 -a, --listen-address=<ipaddr>
177 Listen on the given IP address(es). Both --interface and --lis‐
178 ten-address options may be given, in which case the set of both
179 interfaces and addresses is used. Note that if no --interface
180 option is given, but --listen-address is, dnsmasq will not auto‐
181 matically listen on the loopback interface. To achieve this, its
182 IP address, 127.0.0.1, must be explicitly given as a --listen-
183 address option.
184
185 -z, --bind-interfaces
186 On systems which support it, dnsmasq binds the wildcard address,
187 even when it is listening on only some interfaces. It then dis‐
188 cards requests that it shouldn't reply to. This has the advan‐
189 tage of working even when interfaces come and go and change
190 address. This option forces dnsmasq to really bind only the
191 interfaces it is listening on. About the only time when this is
192 useful is when running another nameserver (or another instance
193 of dnsmasq) on the same machine. Setting this option also
194 enables multiple instances of dnsmasq which provide DHCP service
195 to run in the same machine.
196
197 This option has been patched to always use SO_BINDTODEVICE
198 socket option when binding to interfaces. As consequence, dns‐
199 masq WILL NOT ANSWER to any DNS Queries that come to the socket
200 with the correct destination IP address, but originally on dif‐
201 ferent interface. This behavior differs from the original dns‐
202 masq upstream version and is used for security reasons.
203
204 -y, --localise-queries
205 Return answers to DNS queries from /etc/hosts which depend on
206 the interface over which the query was received. If a name in
207 /etc/hosts has more than one address associated with it, and at
208 least one of those addresses is on the same subnet as the inter‐
209 face to which the query was sent, then return only the
210 address(es) on that subnet. This allows for a server to have
211 multiple addresses in /etc/hosts corresponding to each of its
212 interfaces, and hosts will get the correct address based on
213 which network they are attached to. Currently this facility is
214 limited to IPv4.
215
216 -b, --bogus-priv
217 Bogus private reverse lookups. All reverse lookups for private
218 IP ranges (ie 192.168.x.x, etc) which are not found in
219 /etc/hosts or the DHCP leases file are answered with "no such
220 domain" rather than being forwarded upstream.
221
222 -V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
223 Modify IPv4 addresses returned from upstream nameservers; old-ip
224 is replaced by new-ip. If the optional mask is given then any
225 address which matches the masked old-ip will be re-written. So,
226 for instance --alias=1.2.3.0,6.7.8.0,255.255.255.0 will map
227 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what
228 Cisco PIX routers call "DNS doctoring". If the old IP is given
229 as range, then only addresses in the range, rather than a whole
230 subnet, are re-written. So
231 --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 maps
232 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
233
234 -B, --bogus-nxdomain=<ipaddr>
235 Transform replies which contain the IP address given into "No
236 such domain" replies. This is intended to counteract a devious
237 move made by Verisign in September 2003 when they started
238 returning the address of an advertising web page in response to
239 queries for unregistered names, instead of the correct NXDOMAIN
240 response. This option tells dnsmasq to fake the correct response
241 when it sees this behaviour. As at Sept 2003 the IP address
242 being returned by Verisign is 64.94.110.11
243
244 -f, --filterwin2k
245 Later versions of windows make periodic DNS requests which don't
246 get sensible answers from the public DNS and can cause problems
247 by triggering dial-on-demand links. This flag turns on an option
248 to filter such requests. The requests blocked are for records of
249 types SOA and SRV, and type ANY where the requested name has
250 underscores, to catch LDAP requests.
251
252 -r, --resolv-file=<file>
253 Read the IP addresses of the upstream nameservers from <file>,
254 instead of /etc/resolv.conf. For the format of this file see
255 resolv.conf(5) the only lines relevant to dnsmasq are nameserver
256 ones. Dnsmasq can be told to poll more than one resolv.conf
257 file, the first file name specified overrides the default, sub‐
258 sequent ones add to the list. This is only allowed when polling;
259 the file with the currently latest modification time is the one
260 used.
261
262 -R, --no-resolv
263 Don't read /etc/resolv.conf. Get upstream servers only from the
264 command line or the dnsmasq configuration file.
265
266 -1, --enable-dbus
267 Allow dnsmasq configuration to be updated via DBus method calls.
268 The configuration which can be changed is upstream DNS servers
269 (and corresponding domains) and cache clear. Requires that dns‐
270 masq has been built with DBus support.
271
272 -o, --strict-order
273 By default, dnsmasq will send queries to any of the upstream
274 servers it knows about and tries to favour servers that are
275 known to be up. Setting this flag forces dnsmasq to try each
276 query with each server strictly in the order they appear in
277 /etc/resolv.conf
278
279 --all-servers
280 By default, when dnsmasq has more than one upstream server
281 available, it will send queries to just one server. Setting this
282 flag forces dnsmasq to send all queries to all available
283 servers. The reply from the server which answers first will be
284 returned to the original requestor.
285
286 --stop-dns-rebind
287 Reject (and log) addresses from upstream nameservers which are
288 in the private IP ranges. This blocks an attack where a browser
289 behind a firewall is used to probe machines on the local net‐
290 work.
291
292 -n, --no-poll
293 Don't poll /etc/resolv.conf for changes.
294
295 --clear-on-reload
296 Whenever /etc/resolv.conf is re-read, clear the DNS cache. This
297 is useful when new nameservers may have different data than that
298 held in cache.
299
300 -D, --domain-needed
301 Tells dnsmasq to never forward queries for plain names, without
302 dots or domain parts, to upstream nameservers. If the name is
303 not known from /etc/hosts or DHCP then a "not found" answer is
304 returned.
305
306 -S, --local,
307 --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<inter‐
308 face>[#<port>]]
309 Specify IP address of upstream servers directly. Setting this
310 flag does not suppress reading of /etc/resolv.conf, use -R to do
311 that. If one or more optional domains are given, that server is
312 used only for those domains and they are queried only using the
313 specified server. This is intended for private nameservers: if
314 you have a nameserver on your network which deals with names of
315 the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then giv‐
316 ing the flag -S /internal.thekelleys.org.uk/192.168.1.1 will
317 send all queries for internal machines to that nameserver,
318 everything else will go to the servers in /etc/resolv.conf. An
319 empty domain specification, // has the special meaning of
320 "unqualified names only" ie names without any dots in them. A
321 non-standard port may be specified as part of the IP address
322 using a # character. More than one -S flag is allowed, with
323 repeated domain or ipaddr parts as required.
324
325 Also permitted is a -S flag which gives a domain but no IP
326 address; this tells dnsmasq that a domain is local and it may
327 answer queries from /etc/hosts or DHCP but should never forward
328 queries on that domain to any upstream servers. local is a syn‐
329 onym for server to make configuration files clearer in this
330 case.
331
332 The optional string after the @ character tells dnsmasq how to
333 set the source of the queries to this nameserver. It should be
334 an ip-address, which should belong to the machine on which dns‐
335 masq is running otherwise this server line will be logged and
336 then ignored, or an interface name. If an interface name is
337 given, then queries to the server will be forced via that inter‐
338 face; if an ip-address is given then the source address of the
339 queries will be set to that address. The query-port flag is
340 ignored for any servers which have a source address specified
341 but the port may be specified directly as part of the source
342 address. Forcing queries to an interface is not implemented on
343 all platforms supported by dnsmasq.
344
345 -A, --address=/<domain>/[domain/]<ipaddr>
346 Specify an IP address to return for any host in the given
347 domains. Queries in the domains are never forwarded and always
348 replied to with the specified IP address which may be IPv4 or
349 IPv6. To give both IPv4 and IPv6 addresses for a domain, use
350 repeated -A flags. Note that /etc/hosts and DHCP leases over‐
351 ride this for individual names. A common use of this is to redi‐
352 rect the entire doubleclick.net domain to some friendly local
353 web server to avoid banner ads. The domain specification works
354 in the same was as for --server, with the additional facility
355 that /#/ matches any domain. Thus --address=/#/1.2.3.4 will
356 always return 1.2.3.4 for any query not answered from /etc/hosts
357 or DHCP and not sent to an upstream nameserver by a more spe‐
358 cific --server directive.
359
360 -m, --mx-host=<mx name>[[,<hostname>],<preference>]
361 Return an MX record named <mx name> pointing to the given host‐
362 name (if given), or the host specified in the --mx-target switch
363 or, if that switch is not given, the host on which dnsmasq is
364 running. The default is useful for directing mail from systems
365 on a LAN to a central server. The preference value is optional,
366 and defaults to 1 if not given. More than one MX record may be
367 given for a host.
368
369 -t, --mx-target=<hostname>
370 Specify the default target for the MX record returned by dns‐
371 masq. See --mx-host. If --mx-target is given, but not --mx-
372 host, then dnsmasq returns a MX record containing the MX target
373 for MX queries on the hostname of the machine on which dnsmasq
374 is running.
375
376 -e, --selfmx
377 Return an MX record pointing to itself for each local machine.
378 Local machines are those in /etc/hosts or with DHCP leases.
379
380 -L, --localmx
381 Return an MX record pointing to the host given by mx-target (or
382 the machine on which dnsmasq is running) for each local machine.
383 Local machines are those in /etc/hosts or with DHCP leases.
384
385 -W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<prior‐
386 ity>[,<weight>]]]]
387 Return a SRV DNS record. See RFC2782 for details. If not sup‐
388 plied, the domain defaults to that given by --domain. The
389 default for the target domain is empty, and the default for port
390 is one and the defaults for weight and priority are zero. Be
391 careful if transposing data from BIND zone files: the port,
392 weight and priority numbers are in a different order. More than
393 one SRV record for a given service/domain is allowed, all that
394 match are returned.
395
396 -Y, --txt-record=<name>[[,<text>],<text>]
397 Return a TXT DNS record. The value of TXT record is a set of
398 strings, so any number may be included, split by commas.
399
400 --ptr-record=<name>[,<target>]
401 Return a PTR DNS record.
402
403 --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<reg‐
404 exp>[,<replacement>]
405 Return an NAPTR DNS record, as specified in RFC3403.
406
407 --cname=<cname>,<target>
408 Return a CNAME record which indicates that <cname> is really
409 <target>. There are significant limitations on the target; it
410 must be a DNS name which is known to dnsmasq from /etc/hosts (or
411 additional hosts files) or from DHCP. If the target does not
412 satisfy this criteria, the whole cname is ignored. The cname
413 must be unique, but it is permissable to have more than one
414 cname pointing to the same target.
415
416 --interface-name=<name>,<interface>
417 Return a DNS record associating the name with the primary
418 address on the given interface. This flag specifies an A record
419 for the given name in the same way as an /etc/hosts line, except
420 that the address is not constant, but taken from the given
421 interface. If the interface is down, not configured or non-exis‐
422 tent, an empty record is returned. The matching PTR record is
423 also created, mapping the interface address to the name. More
424 than one name may be associated with an interface address by
425 repeating the flag; in that case the first instance is used for
426 the reverse address-to-name mapping.
427
428 -c, --cache-size=<cachesize>
429 Set the size of dnsmasq's cache. The default is 150 names. Set‐
430 ting the cache size to zero disables caching.
431
432 -N, --no-negcache
433 Disable negative caching. Negative caching allows dnsmasq to
434 remember "no such domain" answers from upstream nameservers and
435 answer identical queries without forwarding them again.
436
437 -0, --dns-forward-max=<queries>
438 Set the maximum number of concurrent DNS queries. The default
439 value is 150, which should be fine for most setups. The only
440 known situation where this needs to be increased is when using
441 web-server log file resolvers, which can generate large numbers
442 of concurrent queries.
443
444 -F, --dhcp-range=[[net:]network-id,]<start-addr>,<end-addr>[[,<net‐
445 mask>],<broadcast>][,<lease time>]
446 Enable the DHCP server. Addresses will be given out from the
447 range <start-addr> to <end-addr> and from statically defined
448 addresses given in dhcp-host options. If the lease time is
449 given, then leases will be given for that length of time. The
450 lease time is in seconds, or minutes (eg 45m) or hours (eg 1h)
451 or "infinite". If not given, the default lease time is one hour.
452 The minimum lease time is two minutes. This option may be
453 repeated, with different addresses, to enable DHCP service to
454 more than one network. For directly connected networks (ie, net‐
455 works on which the machine running dnsmasq has an interface) the
456 netmask is optional. It is, however, required for networks which
457 receive DHCP service via a relay agent. The broadcast address is
458 always optional. It is always allowed to have more than one
459 dhcp-range in a single subnet. The optional network-id is a
460 alphanumeric label which marks this network so that dhcp options
461 may be specified on a per-network basis. When it is prefixed
462 with 'net:' then its meaning changes from setting a tag to
463 matching it. Only one tag may be set, but more than one tag may
464 be matched. The end address may be replaced by the keyword
465 static which tells dnsmasq to enable DHCP for the network speci‐
466 fied, but not to dynamically allocate IP addresses: only hosts
467 which have static addresses given via dhcp-host or from
468 /etc/ethers will be served. The end address may be replaced by
469 the keyword proxy in which case dnsmasq will provide proxy-DHCP
470 on the specified subnet. (See pxe-prompt and pxe-service for
471 details.)
472
473 -G, --dhcp-
474 host=[<hwaddr>][,id:<client_id>|*][,net:<netid>][,<ipaddr>][,<host‐
475 name>][,<lease_time>][,ignore]
476 Specify per host parameters for the DHCP server. This allows a
477 machine with a particular hardware address to be always allo‐
478 cated the same hostname, IP address and lease time. A hostname
479 specified like this overrides any supplied by the DHCP client on
480 the machine. It is also allowable to ommit the hardware address
481 and include the hostname, in which case the IP address and lease
482 times will apply to any machine claiming that name. For example
483 --dhcp-host=00:20:e0:3b:13:af,wap,infinite tells dnsmasq to give
484 the machine with hardware address 00:20:e0:3b:13:af the name
485 wap, and an infinite DHCP lease. --dhcp-host=lap,192.168.0.199
486 tells dnsmasq to always allocate the machine lap the IP address
487 192.168.0.199. Addresses allocated like this are not constrained
488 to be in the range given by the --dhcp-range option, but they
489 must be on the network being served by the DHCP server. It is
490 allowed to use client identifiers rather than hardware addresses
491 to identify hosts by prefixing with 'id:'. Thus: --dhcp-
492 host=id:01:02:03:04,..... refers to the host with client iden‐
493 tifier 01:02:03:04. It is also allowed to specify the client ID
494 as text, like this: --dhcp-host=id:clientidastext,.....
495
496 The special option id:* means "ignore any client-id and use MAC
497 addresses only." This is useful when a client presents a client-
498 id sometimes but not others.
499
500 If a name appears in /etc/hosts, the associated address can be
501 allocated to a DHCP lease, but only if a --dhcp-host option
502 specifying the name also exists. The special keyword "ignore"
503 tells dnsmasq to never offer a DHCP lease to a machine. The
504 machine can be specified by hardware address, client ID or host‐
505 name, for instance --dhcp-host=00:20:e0:3b:13:af,ignore This is
506 useful when there is another DHCP server on the network which
507 should be used by some machines.
508
509 The net:<network-id> sets the network-id tag whenever this dhcp-
510 host directive is in use. This can be used to selectively send
511 DHCP options just for this host. When a host matches any dhcp-
512 host directive (or one implied by /etc/ethers) then the special
513 network-id tag "known" is set. This allows dnsmasq to be config‐
514 ured to ignore requests from unknown machines using --dhcp-
515 ignore=#known Ethernet addresses (but not client-ids) may have
516 wildcard bytes, so for example --dhcp-
517 host=00:20:e0:3b:13:*,ignore will cause dnsmasq to ignore a
518 range of hardware addresses. Note that the "*" will need to be
519 escaped or quoted on a command line, but not in the configura‐
520 tion file.
521
522 Hardware addresses normally match any network (ARP) type, but it
523 is possible to restrict them to a single ARP type by preceding
524 them with the ARP-type (in HEX) and "-". so --dhcp-
525 host=06-00:20:e0:3b:13:af,1.2.3.4 will only match a Token-Ring
526 hardware address, since the ARP-address type for token ring is
527 6.
528
529 As a special case, it is possible to include more than one hard‐
530 ware address. eg: --dhcp-
531 host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2 This allows
532 an IP address to be associated with multiple hardware addresses,
533 and gives dnsmasq permission to abandon a DHCP lease to one of
534 the hardware addresses when another one asks for a lease. Beware
535 that this is a dangerous thing to do, it will only work reliably
536 if only one of the hardware addresses is active at any time and
537 there is no way for dnsmasq to enforce this. It is, for
538 instance, useful to allocate a stable IP address to a laptop
539 which has both wired and wireless interfaces.
540
541 --dhcp-hostsfile=<file>
542 Read DHCP host information from the specified file. The file
543 contains information about one host per line. The format of a
544 line is the same as text to the right of '=' in --dhcp-host. The
545 advantage of storing DHCP host information in this file is that
546 it can be changed without re-starting dnsmasq: the file will be
547 re-read when dnsmasq receives SIGHUP.
548
549 --dhcp-optsfile=<file>
550 Read DHCP option information from the specified file. The advan‐
551 tage of using this option is the same as for --dhcp-hostsfile:
552 the dhcp-optsfile will be re-read when dnsmasq receives SIGHUP.
553
554 -Z, --read-ethers
555 Read /etc/ethers for information about hosts for the DHCP
556 server. The format of /etc/ethers is a hardware address, fol‐
557 lowed by either a hostname or dotted-quad IP address. When read
558 by dnsmasq these lines have exactly the same effect as --dhcp-
559 host options containing the same information. /etc/ethers is re-
560 read when dnsmasq receives SIGHUP.
561
562 -O, --dhcp-option=[<network-id>,[<network-id>,]][encap:<opt>,][ven‐
563 dor:[<vendor-class>],][<opt>|option:<opt-name>],[<value>[,<value>]]
564 Specify different or extra options to DHCP clients. By default,
565 dnsmasq sends some standard options to DHCP clients, the netmask
566 and broadcast address are set to the same as the host running
567 dnsmasq, and the DNS server and default route are set to the
568 address of the machine running dnsmasq. If the domain name
569 option has been set, that is sent. This configuration allows
570 these defaults to be overridden, or other options specified. The
571 option, to be sent may be given as a decimal number or as
572 "option:<option-name>" The option numbers are specified in
573 RFC2132 and subsequent RFCs. The set of option-names known by
574 dnsmasq can be discovered by running "dnsmasq --help dhcp". For
575 example, to set the default route option to 192.168.4.4, do
576 --dhcp-option=3,192.168.4.4 or --dhcp-option = option:router,
577 192.168.4.4 and to set the time-server address to 192.168.0.4,
578 do --dhcp-option = 42,192.168.0.4 or --dhcp-option = option:ntp-
579 server, 192.168.0.4 The special address 0.0.0.0 is taken to mean
580 "the address of the machine running dnsmasq". Data types allowed
581 are comma separated dotted-quad IP addresses, a decimal number,
582 colon-separated hex digits and a text string. If the optional
583 network-ids are given then this option is only sent when all the
584 network-ids are matched.
585
586 Special processing is done on a text argument for option 119, to
587 conform with RFC 3397. Text or dotted-quad IP addresses as argu‐
588 ments to option 120 are handled as per RFC 3361. Dotted-quad IP
589 addresses which are followed by a slash and then a netmask size
590 are encoded as described in RFC 3442.
591
592 Be careful: no checking is done that the correct type of data
593 for the option number is sent, it is quite possible to persuade
594 dnsmasq to generate illegal DHCP packets with injudicious use of
595 this flag. When the value is a decimal number, dnsmasq must
596 determine how large the data item is. It does this by examining
597 the option number and/or the value, but can be overridden by
598 appending a single letter flag as follows: b = one byte, s = two
599 bytes, i = four bytes. This is mainly useful with encapsulated
600 vendor class options (see below) where dnsmasq cannot determine
601 data size from the option number. Option data which consists
602 solely of periods and digits will be interpreted by dnsmasq as
603 an IP address, and inserted into an option as such. To force a
604 literal string, use quotes. For instance when using option 66 to
605 send a literal IP address as TFTP server name, it is necessary
606 to do --dhcp-option=66,"1.2.3.4"
607
608 Encapsulated Vendor-class options may also be specified using
609 --dhcp-option: for instance --dhcp-option=vendor:PXE‐
610 Client,1,0.0.0.0 sends the encapsulated vendor class-specific
611 option "mftp-address=0.0.0.0" to any client whose vendor-class
612 matches "PXEClient". The vendor-class matching is substring
613 based (see --dhcp-vendorclass for details). If a vendor-class
614 option (number 60) is sent by dnsmasq, then that is used for
615 selecting encapsulated options in preference to any sent by the
616 client. It is possible to omit the vendorclass completely;
617 --dhcp-option=vendor:,1,0.0.0.0 in which case the encapsulated
618 option is always sent.
619
620 Options may be encapsulated within other options: for instance
621 --dhcp-option=encap:175, 190, iscsi-client0 will send option
622 175, within which is the option 190. If multiple options are
623 given which are encapsulated with the same option number then
624 they will be correctly combined into one encapsulated option.
625 encap: and vendor: are may not both be set in the same dhcp-
626 option.
627
628 The address 0.0.0.0 is not treated specially in encapsulated
629 options.
630
631 --dhcp-option-force=[<network-id>,[<network-id>,]][encap:<opt>,][ven‐
632 dor:[<vendor-class>],]<opt>,[<value>[,<value>]]
633 This works in exactly the same way as --dhcp-option except that
634 the option will always be sent, even if the client does not ask
635 for it in the parameter request list. This is sometimes needed,
636 for example when sending options to PXELinux.
637
638 --dhcp-no-override
639 Disable re-use of the DHCP servername and filename fields as
640 extra option space. If it can, dnsmasq moves the boot server and
641 filename information (from dhcp-boot) out of their dedicated
642 fields into DHCP options. This make extra space available in the
643 DHCP packet for options but can, rarely, confuse old or broken
644 clients. This flag forces "simple and safe" behaviour to avoid
645 problems in such a case.
646
647 -U, --dhcp-vendorclass=<network-id>,<vendor-class>
648 Map from a vendor-class string to a network id tag. Most DHCP
649 clients provide a "vendor class" which represents, in some
650 sense, the type of host. This option maps vendor classes to
651 tags, so that DHCP options may be selectively delivered to dif‐
652 ferent classes of hosts. For example dhcp-vendorclass=print‐
653 ers,Hewlett-Packard JetDirect will allow options to be set only
654 for HP printers like so: --dhcp-option=printers,3,192.168.4.4
655 The vendor-class string is substring matched against the vendor-
656 class supplied by the client, to allow fuzzy matching.
657
658 -j, --dhcp-userclass=<network-id>,<user-class>
659 Map from a user-class string to a network id tag (with substring
660 matching, like vendor classes). Most DHCP clients provide a
661 "user class" which is configurable. This option maps user
662 classes to tags, so that DHCP options may be selectively deliv‐
663 ered to different classes of hosts. It is possible, for instance
664 to use this to set a different printer server for hosts in the
665 class "accounts" than for hosts in the class "engineering".
666
667 -4, --dhcp-mac=<network-id>,<MAC address>
668 Map from a MAC address to a network-id tag. The MAC address may
669 include wildcards. For example --dhcp-mac=3com,01:34:23:*:*:*
670 will set the tag "3com" for any host whose MAC address matches
671 the pattern.
672
673 --dhcp-circuitid=<network-id>,<circuit-id>, --dhcp-remoteid=<network-
674 id>,<remote-id>
675 Map from RFC3046 relay agent options to network-id tags. This
676 data may be provided by DHCP relay agents. The circuit-id or
677 remote-id is normally given as colon-separated hex, but is also
678 allowed to be a simple string. If an exact match is achieved
679 between the circuit or agent ID and one provided by a relay
680 agent, the network-id tag is set.
681
682 --dhcp-subscrid=<network-id>,<subscriber-id>
683 Map from RFC3993 subscriber-id relay agent options to network-id
684 tags.
685
686 --dhcp-match=<network-id>,<option number>|option:<option
687 name>[,<value>]
688 Without a value, set the network-id tag if the client sends a
689 DHCP option of the given number or name. When a value is given,
690 set the tag only if the option is sent and matches the value.
691 The value may be of the form "01:ff:*:02" in which case the
692 value must match (apart from widcards) but the option sent may
693 have unmatched data past the end of the value. The value may
694 also be of the same form as in dhcp-option in which case the
695 option sent is treated as an array, and one element must match,
696 so
697
698 --dhcp-match=efi-ia32,option:client-arch,6
699
700 will set the tag "efi-ia32" if the the number 6 appears in the
701 list of architectures sent by the client in option 93. (See RFC
702 4578 for details.) If the value is a string, substring matching
703 is used.
704
705 -J, --dhcp-ignore=<network-id>[,<network-id>]
706 When all the given network-ids match the set of network-ids
707 derived from the net, host, vendor and user classes, ignore the
708 host and do not allocate it a DHCP lease.
709
710 --dhcp-ignore-names[=<network-id>[,<network-id>]]
711 When all the given network-ids match the set of network-ids
712 derived from the net, host, vendor and user classes, ignore any
713 hostname provided by the host. Note that, unlike dhcp-ignore, it
714 is permissible to supply no netid tags, in which case DHCP-
715 client supplied hostnames are always ignored, and DHCP hosts are
716 added to the DNS using only dhcp-host configuration in dnsmasq
717 and the contents of /etc/hosts and /etc/ethers.
718
719 --dhcp-broadcast=<network-id>[,<network-id>]
720 When all the given network-ids match the set of network-ids
721 derived from the net, host, vendor and user classes, always use
722 broadcast to communicate with the host when it is unconfigured.
723 Most DHCP clients which need broadcast replies set a flag in
724 their requests so that this happens automatically, some old
725 BOOTP clients do not.
726
727 -M, --dhcp-boot=[net:<network-id>,]<filename>,[<servername>[,<server
728 address>]]
729 Set BOOTP options to be returned by the DHCP server. Server name
730 and address are optional: if not provided, the name is left
731 empty, and the address set to the address of the machine running
732 dnsmasq. If dnsmasq is providing a TFTP service (see --enable-
733 tftp ) then only the filename is required here to enable network
734 booting. If the optional network-id(s) are given, they must
735 match for this configuration to be sent. Note that network-ids
736 are prefixed by "net:" to distinguish them.
737
738 --pxe-service=[net:<network-id>,]<CSA>,<menu text>,<basename>|<bootser‐
739 vicetype>[,<server address>]
740 Most uses of PXE boot-ROMS simply allow the PXE system to obtain
741 an IP address and then download the file specified by dhcp-boot
742 and execute it. However the PXE system is capable of more com‐
743 plex functions when supported by a suitable DHCP server.
744
745 This specifies a boot option which may appear in a PXE boot
746 menu. <CSA> is client system type, only services of the correct
747 type will appear in a menu. The known types are x86PC, PC98,
748 IA64_EFI, Alpha, Arc_x86, Intel_Lean_Client, IA32_EFI, BC_EFI,
749 Xscale_EFI and X86-64_EFI; an integer may be used for other
750 types. The parameter after the menu text may be a file name, in
751 which case dnsmasq acts as a boot server and directs the PXE
752 client to download the file by TFTP, either from itself (
753 enable-tftp must be set for this to work) or another TFTP server
754 if the final IP address is given. Note that the "layer" suffix
755 (normally ".0") is supplied by PXE, and should not be added to
756 the basename. If an integer boot service type, rather than a
757 basename is given, then the PXE client will search for a suit‐
758 able boot service for that type on the network. This search may
759 be done by multicast or broadcast, or direct to a server if its
760 IP address is provided. A boot service type of 0 is special,
761 and will abort the net boot procedure and continue booting from
762 local media.
763
764 --pxe-prompt=[net:<network-id>,]<prompt>[,<timeout>]
765 Setting this provides a prompt to be displayed after PXE boot.
766 If the timeout is given then after the timeout has elapsed with
767 no keyboard input, the first available menu option will be auto‐
768 matically executed. If the timeout is zero then the first avail‐
769 able menu item will be executed immediately. If pxe-prompt is
770 ommitted the system will wait for user input if there are multi‐
771 ple items in the menu, but boot immediately if there is only
772 one. See pxe-service for details of menu items.
773
774 Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP
775 server on the network is responsible for allocating IP
776 addresses, and dnsmasq simply provides the information given in
777 pxe-prompt and pxe-service to allow netbooting. This mode is
778 enabled using the proxy keyword in dhcp-range.
779
780 -X, --dhcp-lease-max=<number>
781 Limits dnsmasq to the specified maximum number of DHCP leases.
782 The default is 150. This limit is to prevent DoS attacks from
783 hosts which create thousands of leases and use lots of memory in
784 the dnsmasq process.
785
786 -K, --dhcp-authoritative
787 Should be set when dnsmasq is definitely the only DHCP server on
788 a network. It changes the behaviour from strict RFC compliance
789 so that DHCP requests on unknown leases from unknown hosts are
790 not ignored. This allows new hosts to get a lease without a
791 tedious timeout under all circumstances. It also allows dnsmasq
792 to rebuild its lease database without each client needing to
793 reacquire a lease, if the database is lost.
794
795 --dhcp-alternate-port[=<server port>[,<client port>]]
796 Change the ports used for DHCP from the default. If this option
797 is given alone, without arguments, it changes the ports used for
798 DHCP from 67 and 68 to 1067 and 1068. If a single argument is
799 given, that port number is used for the server and the port num‐
800 ber plus one used for the client. Finally, two port numbers
801 allows arbitrary specification of both server and client ports
802 for DHCP.
803
804 -3, --bootp-dynamic[=<network-id>[,<network-id>]]
805 Enable dynamic allocation of IP addresses to BOOTP clients. Use
806 this with care, since each address allocated to a BOOTP client
807 is leased forever, and therefore becomes permanently unavailable
808 for re-use by other hosts. if this is given without tags, then
809 it unconditionally enables dynamic allocation. With tags, only
810 when the tags are all set. It may be repeated with different tag
811 sets.
812
813 -5, --no-ping
814 By default, the DHCP server will attempt to ensure that an
815 address in not in use before allocating it to a host. It does
816 this by sending an ICMP echo request (aka "ping") to the address
817 in question. If it gets a reply, then the address must already
818 be in use, and another is tried. This flag disables this check.
819 Use with caution.
820
821 --log-dhcp
822 Extra logging for DHCP: log all the options sent to DHCP clients
823 and the netid tags used to determine them.
824
825 -l, --dhcp-leasefile=<path>
826 Use the specified file to store DHCP lease information.
827
828 -6 --dhcp-script=<path>
829 Whenever a new DHCP lease is created, or an old one destroyed,
830 the executable specified by this option is run. The arguments to
831 the process are "add", "old" or "del", the MAC address of the
832 host, the IP address, and the hostname, if known. "add" means a
833 lease has been created, "del" means it has been destroyed, "old"
834 is a notification of an existing lease when dnsmasq starts or a
835 change to MAC address or hostname of an existing lease (also,
836 lease length or expiry and client-id, if leasefile-ro is set).
837 If the MAC address is from a network type other than ethernet,
838 it will have the network type prepended, eg
839 "06-01:23:45:67:89:ab" for token ring. The process is run as
840 root (assuming that dnsmasq was originally run as root) even if
841 dnsmasq is configured to change UID to an unprivileged user.
842 The environment is inherited from the invoker of dnsmasq, and if
843 the host provided a client-id, this is stored in the environment
844 variable DNSMASQ_CLIENT_ID. If the fully-qualified domain name
845 of the host is known, the domain part is stored in DNS‐
846 MASQ_DOMAIN. If the client provides vendor-class or user-class
847 information, these are provided in DNSMASQ_VENDOR_CLASS and DNS‐
848 MASQ_USER_CLASS0..DNSMASQ_USER_CLASSn variables, but only for
849 "add" actions or "old" actions when a host resumes an existing
850 lease, since these data are not held in dnsmasq's lease data‐
851 base. If dnsmasq was compiled with HAVE_BROKEN_RTC, then the
852 length of the lease (in seconds) is stored in DNS‐
853 MASQ_LEASE_LENGTH, otherwise the time of lease expiry is stored
854 in DNSMASQ_LEASE_EXPIRES. The number of seconds until lease
855 expiry is always stored in DNSMASQ_TIME_REMAINING. If a lease
856 used to have a hostname, which is removed, an "old" event is
857 generated with the new state of the lease, ie no name, and the
858 former name is provided in the environment variable DNS‐
859 MASQ_OLD_HOSTNAME. DNSMASQ_INTERFACE stores the name of the
860 interface on which the request arrived; this is not set for
861 "old" actions when dnsmasq restarts. All file descriptors are
862 closed except stdin, stdout and stderr which are open to
863 /dev/null (except in debug mode). The script is not invoked
864 concurrently: if subsequent lease changes occur, the script is
865 not invoked again until any existing invocation exits. At dns‐
866 masq startup, the script will be invoked for all existing leases
867 as they are read from the lease file. Expired leases will be
868 called with "del" and others with "old". <path> must be an abso‐
869 lute pathname, no PATH search occurs. When dnsmasq receives a
870 HUP signal, the script will be invoked for existing leases with
871 an "old " event.
872
873 --dhcp-scriptuser
874 Specify the user as which to run the lease-change script. This
875 defaults to root, but can be changed to another user using this
876 flag.
877
878 -9, --leasefile-ro
879 Completely suppress use of the lease database file. The file
880 will not be created, read, or written. Change the way the lease-
881 change script (if one is provided) is called, so that the lease
882 database may be maintained in external storage by the script. In
883 addition to the invocations given in --dhcp-script the lease-
884 change script is called once, at dnsmasq startup, with the sin‐
885 gle argument "init". When called like this the script should
886 write the saved state of the lease database, in dnsmasq lease‐
887 file format, to stdout and exit with zero exit code. Setting
888 this option also forces the leasechange script to be called on
889 changes to the client-id and lease length and expiry time.
890
891 --bridge-interface=<interface>,<alias>[,<alias>]
892 Treat DHCP request packets arriving at any of the <alias> inter‐
893 faces as if they had arrived at <interface>. This option is nec‐
894 essary when using "old style" bridging on BSD platforms, since
895 packets arrive at tap interfaces which don't have an IP address.
896
897 -s, --domain=<domain>[,<address range>]
898 Specifies DNS domains for the DHCP server. Domains may be be
899 given unconditionally (without the IP range) or for limited IP
900 ranges. This has two effects; firstly it causes the DHCP server
901 to return the domain to any hosts which request it, and secondly
902 it sets the domain which it is legal for DHCP-configured hosts
903 to claim. The intention is to constrain hostnames so that an
904 untrusted host on the LAN cannot advertise its name via dhcp as
905 e.g. "microsoft.com" and capture traffic not meant for it. If no
906 domain suffix is specified, then any DHCP hostname with a domain
907 part (ie with a period) will be disallowed and logged. If suffix
908 is specified, then hostnames with a domain part are allowed,
909 provided the domain part matches the suffix. In addition, when a
910 suffix is set then hostnames without a domain part have the suf‐
911 fix added as an optional domain part. Eg on my network I can set
912 --domain=thekelleys.org.uk and have a machine whose DHCP host‐
913 name is "laptop". The IP address for that machine is available
914 from dnsmasq both as "laptop" and "laptop.thekelleys.org.uk". If
915 the domain is given as "#" then the domain is read from the
916 first "search" directive in /etc/resolv.conf (or equivalent).
917 The address range can be of the form <ip address>,<ip address>
918 or <ip address>/<netmask> or just a single <ip address>. See
919 --dhcp-fqdn which can change the behaviour of dnsmasq with
920 domains.
921
922 --dhcp-fqdn
923 In the default mode, dnsmasq inserts the unqualified names of
924 DHCP clients into the DNS. For this reason, the names must be
925 unique, even if two clients which have the same name are in dif‐
926 ferent domains. If a second DHCP client appears which has the
927 same name as an existing client, the name is transfered to the
928 new client. If --dhcp-fqdn is set, this behaviour changes: the
929 unqualified name is no longer put in the DNS, only the qualified
930 name. Two DHCP clients with the same name may both keep the
931 name, provided that the domain part is different (ie the fully
932 qualified names differ.) To ensure that all names have a domain
933 part, there must be at least --domain without an address speci‐
934 fied when --dhcp-fqdn is set.
935
936 --enable-tftp
937 Enable the TFTP server function. This is deliberately limited to
938 that needed to net-boot a client. Only reading is allowed; the
939 tsize and blksize extensions are supported (tsize is only sup‐
940 ported in octet mode).
941
942 --tftp-root=<directory>
943 Look for files to transfer using TFTP relative to the given
944 directory. When this is set, TFTP paths which include ".." are
945 rejected, to stop clients getting outside the specified root.
946 Absolute paths (starting with /) are allowed, but they must be
947 within the tftp-root.
948
949 --tftp-unique-root
950 Add the IP address of the TFTP client as a path component on the
951 end of the TFTP-root (in standard dotted-quad format). Only
952 valid if a tftp-root is set and the directory exists. For
953 instance, if tftp-root is "/tftp" and client 1.2.3.4 requests
954 file "myfile" then the effective path will be
955 "/tftp/1.2.3.4/myfile" if /tftp/1.2.3.4 exists or /tftp/myfile
956 otherwise.
957
958 --tftp-secure
959 Enable TFTP secure mode: without this, any file which is read‐
960 able by the dnsmasq process under normal unix access-control
961 rules is available via TFTP. When the --tftp-secure flag is
962 given, only files owned by the user running the dnsmasq process
963 are accessible. If dnsmasq is being run as root, different rules
964 apply: --tftp-secure has no effect, but only files which have
965 the world-readable bit set are accessible. It is not recommended
966 to run dnsmasq as root with TFTP enabled, and certainly not
967 without specifying --tftp-root. Doing so can expose any world-
968 readable file on the server to any host on the net.
969
970 --tftp-max=<connections>
971 Set the maximum number of concurrent TFTP connections allowed.
972 This defaults to 50. When serving a large number of TFTP connec‐
973 tions, per-process file descriptor limits may be encountered.
974 Dnsmasq needs one file descriptor for each concurrent TFTP con‐
975 nection and one file descriptor per unique file (plus a few oth‐
976 ers). So serving the same file simultaneously to n clients will
977 use require about n + 10 file descriptors, serving different
978 files simultaneously to n clients will require about (2*n) + 10
979 descriptors. If --tftp-port-range is given, that can affect the
980 number of concurrent connections.
981
982 --tftp-no-blocksize
983 Stop the TFTP server from negotiating the "blocksize" option
984 with a client. Some buggy clients request this option but then
985 behave badly when it is granted.
986
987 --tftp-port-range=<start>,<end>
988 A TFTP server listens on a well-known port (69) for connection
989 initiation, but it also uses a dynamically-allocated port for
990 each connection. Normally these are allocated by the OS, but
991 this option specifies a range of ports for use by TFTP trans‐
992 fers. This can be useful when TFTP has to traverse a firewall.
993 The start of the range cannot be lower than 1025 unless dnsmasq
994 is running as root. The number of concurrent TFTP connections is
995 limited by the size of the port range.
996
997 -C, --conf-file=<file>
998 Specify a different configuration file. The conf-file option is
999 also allowed in configuration files, to include multiple config‐
1000 uration files.
1001
1002 -7, --conf-dir=<directory>
1003 Read all the files in the given directory as configuration
1004 files. Files whose names end in ~ or start with . or start and
1005 end with # are skipped. This flag may be given on the command
1006 line or in a configuration file.
1007
1009 At startup, dnsmasq reads /etc/dnsmasq.conf, if it exists. (On FreeBSD,
1010 the file is /usr/local/etc/dnsmasq.conf ) (but see the -C and -7
1011 options.) The format of this file consists of one option per line,
1012 exactly as the long options detailed in the OPTIONS section but without
1013 the leading "--". Lines starting with # are comments and ignored. For
1014 options which may only be specified once, the configuration file over‐
1015 rides the command line. Quoting is allowed in a config file: between "
1016 quotes the special meanings of ,:. and # are removed and the following
1017 escapes are allowed: \\ \" \t \e \b \r and \n. The later corresponding
1018 to tab, escape, backspace, return and newline.
1019
1021 When it receives a SIGHUP, dnsmasq clears its cache and then re-loads
1022 /etc/hosts and /etc/ethers and any file given by --dhcp-hostsfile,
1023 --dhcp-optsfile or --addn-hosts. The dhcp lease change script is
1024 called for all existing DHCP leases. If --no-poll is set SIGHUP also
1025 re-reads /etc/resolv.conf. SIGHUP does NOT re-read the configuration
1026 file.
1027
1028 When it receives a SIGUSR1, dnsmasq writes statistics to the system
1029 log. It writes the cache size, the number of names which have had to
1030 removed from the cache before they expired in order to make room for
1031 new names and the total number of names that have been inserted into
1032 the cache. For each upstream server it gives the number of queries
1033 sent, and the number which resulted in an error. In --no-daemon mode or
1034 when full logging is enabled (-q), a complete dump of the contents of
1035 the cache is made.
1036
1037 When it receives SIGUSR2 and it is logging direct to a file (see --log-
1038 facility ) dnsmasq will close and reopen the log file. Note that during
1039 this operation, dnsmasq will not be running as root. When it first cre‐
1040 ates the logfile dnsmasq changes the ownership of the file to the non-
1041 root user it will run as. Logrotate should be configured to create a
1042 new log file with the ownership which matches the existing one before
1043 sending SIGUSR2. If TCP DNS queries are in progress, the old logfile
1044 will remain open in child processes which are handling TCP queries and
1045 may continue to be written. There is a limit of 150 seconds, after
1046 which all existing TCP processes will have expired: for this reason, it
1047 is not wise to configure logfile compression for logfiles which have
1048 just been rotated. Using logrotate, the required options are create and
1049 delaycompress.
1050
1051
1052
1053 Dnsmasq is a DNS query forwarder: it it not capable of recursively
1054 answering arbitrary queries starting from the root servers but forwards
1055 such queries to a fully recursive upstream DNS server which is typi‐
1056 cally provided by an ISP. By default, dnsmasq reads /etc/resolv.conf to
1057 discover the IP addresses of the upstream nameservers it should use,
1058 since the information is typically stored there. Unless --no-poll is
1059 used, dnsmasq checks the modification time of /etc/resolv.conf (or
1060 equivalent if --resolv-file is used) and re-reads it if it changes.
1061 This allows the DNS servers to be set dynamically by PPP or DHCP since
1062 both protocols provide the information. Absence of /etc/resolv.conf is
1063 not an error since it may not have been created before a PPP connection
1064 exists. Dnsmasq simply keeps checking in case /etc/resolv.conf is cre‐
1065 ated at any time. Dnsmasq can be told to parse more than one
1066 resolv.conf file. This is useful on a laptop, where both PPP and DHCP
1067 may be used: dnsmasq can be set to poll both /etc/ppp/resolv.conf and
1068 /etc/dhcpc/resolv.conf and will use the contents of whichever changed
1069 last, giving automatic switching between DNS servers.
1070
1071 Upstream servers may also be specified on the command line or in the
1072 configuration file. These server specifications optionally take a
1073 domain name which tells dnsmasq to use that server only to find names
1074 in that particular domain.
1075
1076 In order to configure dnsmasq to act as cache for the host on which it
1077 is running, put "nameserver 127.0.0.1" in /etc/resolv.conf to force
1078 local processes to send queries to dnsmasq. Then either specify the
1079 upstream servers directly to dnsmasq using --server options or put
1080 their addresses real in another file, say /etc/resolv.dnsmasq and run
1081 dnsmasq with the -r /etc/resolv.dnsmasq option. This second technique
1082 allows for dynamic update of the server addresses by PPP or DHCP.
1083
1084 Addresses in /etc/hosts will "shadow" different addresses for the same
1085 names in the upstream DNS, so "mycompany.com 1.2.3.4" in /etc/hosts
1086 will ensure that queries for "mycompany.com" always return 1.2.3.4 even
1087 if queries in the upstream DNS would otherwise return a different
1088 address. There is one exception to this: if the upstream DNS contains a
1089 CNAME which points to a shadowed name, then looking up the CNAME
1090 through dnsmasq will result in the unshadowed address associated with
1091 the target of the CNAME. To work around this, add the CNAME to
1092 /etc/hosts so that the CNAME is shadowed too.
1093
1094
1095 The network-id system works as follows: For each DHCP request, dnsmasq
1096 collects a set of valid network-id tags, one from the dhcp-range used
1097 to allocate the address, one from any matching dhcp-host (and "known"
1098 if a dhcp-host matches) the tag "bootp" for BOOTP requests, a tag whose
1099 name is the name if the interface on which the request arrived, and
1100 possibly many from matching vendor classes and user classes sent by the
1101 DHCP client. Any dhcp-option which has network-id tags will be used in
1102 preference to an untagged dhcp-option, provided that _all_ the tags
1103 match somewhere in the set collected as described above. The prefix '#'
1104 on a tag means 'not' so --dhcp=option=#purple,3,1.2.3.4 sends the
1105 option when the network-id tag purple is not in the set of valid tags.
1106
1107 If the network-id in a dhcp-range is prefixed with 'net:' then its
1108 meaning changes from setting a tag to matching it. Thus if there is
1109 more than dhcp-range on a subnet, and one is tagged with a network-id
1110 which is set (for instance from a vendorclass option) then hosts which
1111 set the netid tag will be allocated addresses in the tagged range.
1112
1113 The DHCP server in dnsmasq will function as a BOOTP server also, pro‐
1114 vided that the MAC address and IP address for clients are given, either
1115 using dhcp-host configurations or in /etc/ethers , and a dhcp-range
1116 configuration option is present to activate the DHCP server on a par‐
1117 ticular network. (Setting --bootp-dynamic removes the need for static
1118 address mappings.) The filename parameter in a BOOTP request is matched
1119 against netids in dhcp-option configurations, as is the tag "bootp",
1120 allowing some control over the options returned to different classes of
1121 hosts.
1122
1123
1125 0 - Dnsmasq successfully forked into the background, or terminated nor‐
1126 mally if backgrounding is not enabled.
1127
1128 1 - A problem with configuration was detected.
1129
1130 2 - A problem with network access occurred (address in use, attempt to
1131 use privileged ports without permission).
1132
1133 3 - A problem occurred with a filesystem operation (missing file/direc‐
1134 tory, permissions).
1135
1136 4 - Memory allocation failure.
1137
1138 5 - Other miscellaneous problem.
1139
1140 11 or greater - a non zero return code was received from the lease-
1141 script process "init" call. The exit code from dnsmasq is the script's
1142 exit code with 10 added.
1143
1144
1146 The default values for resource limits in dnsmasq are generally conser‐
1147 vative, and appropriate for embedded router type devices with slow pro‐
1148 cessors and limited memory. On more capable hardware, it is possible to
1149 increase the limits, and handle many more clients. The following
1150 applies to dnsmasq-2.37: earlier versions did not scale as well.
1151
1152
1153 Dnsmasq is capable of handling DNS and DHCP for at least a thousand
1154 clients. Clearly to do this the value of --dhcp-lease-max must be
1155 increased, and lease times should not be very short (less than one
1156 hour). The value of --dns-forward-max can be increased: start with it
1157 equal to the number of clients and increase if DNS seems slow. Note
1158 that DNS performance depends too on the performance of the upstream
1159 nameservers. The size of the DNS cache may be increased: the hard limit
1160 is 10000 names and the default (150) is very low. Sending SIGUSR1 to
1161 dnsmasq makes it log information which is useful for tuning the cache
1162 size. See the NOTES section for details.
1163
1164
1165 The built-in TFTP server is capable of many simultaneous file trans‐
1166 fers: the absolute limit is related to the number of file-handles
1167 allowed to a process and the ability of the select() system call to
1168 cope with large numbers of file handles. If the limit is set too high
1169 using --tftp-max it will be scaled down and the actual limit logged at
1170 start-up. Note that more transfers are possible when the same file is
1171 being sent than when each transfer sends a different file.
1172
1173
1174 It is possible to use dnsmasq to block Web advertising by using a list
1175 of known banner-ad servers, all resolving to 127.0.0.1 or 0.0.0.0, in
1176 /etc/hosts or an additional hosts file. The list can be very long, dns‐
1177 masq has been tested successfully with one million names. That size
1178 file needs a 1GHz processor and about 60Mb of RAM.
1179
1180
1182 /etc/dnsmasq.conf
1183
1184 /usr/local/etc/dnsmasq.conf
1185
1186 /etc/resolv.conf
1187
1188 /etc/hosts
1189
1190 /etc/ethers
1191
1192 /var/lib/dnsmasq/dnsmasq.leases
1193
1194 /var/db/dnsmasq.leases
1195
1196 /var/run/dnsmasq.pid
1197
1199 hosts(5), resolver(5)
1200
1202 This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.
1203
1204
1205
1206
1207
1208 DNSMASQ(8)