1DNSMASQ(8) System Manager's Manual DNSMASQ(8)
2
6 dnsmasq - A lightweight DHCP and caching DNS server.
7
9 dnsmasq [OPTION]...
10
12 dnsmasq is a lightweight DNS, TFTP, PXE, router advertisement and DHCP
13 server. It is intended to provide coupled DNS and DHCP service to a
14 LAN.
15 Dnsmasq accepts DNS queries and either answers them from a small,
17 local, cache or forwards them to a real, recursive, DNS server. It
18 loads the contents of /etc/hosts so that local hostnames which do not
19 appear in the global DNS can be resolved and also answers DNS queries
20 for DHCP configured hosts. It can also act as the authoritative DNS
21 server for one or more domains, allowing local names to appear in the
22 global DNS. It can be configured to do DNSSEC validation.
23 The dnsmasq DHCP server supports static address assignments and multi‐
25 ple networks. It automatically sends a sensible default set of DHCP
26 options, and can be configured to send any desired set of DHCP options,
27 including vendor-encapsulated options. It includes a secure, read-only,
28 TFTP server to allow net/PXE boot of DHCP hosts and also supports
29 BOOTP. The PXE support is full featured, and includes a proxy mode
30 which supplies PXE information to clients whilst DHCP address alloca‐
31 tion is done by another server.
32 The dnsmasq DHCPv6 server provides the same set of features as the
34 DHCPv4 server, and in addition, it includes router advertisements and a
35 neat feature which allows nameing for clients which use DHCPv4 and
36 stateless autoconfiguration only for IPv6 configuration. There is sup‐
37 port for doing address allocation (both DHCPv6 and RA) from subnets
38 which are dynamically delegated via DHCPv6 prefix delegation.
39 Dnsmasq is coded with small embedded systems in mind. It aims for the
41 smallest possible memory footprint compatible with the supported func‐
42 tions, and allows uneeded functions to be omitted from the compiled
43 binary.
44
46 Note that in general missing parameters are allowed and switch off
47 functions, for instance "--pid-file" disables writing a PID file. On
48 BSD, unless the GNU getopt library is linked, the long form of the
49 options does not work on the command line; it is still recognised in
50 the configuration file.
51 --test Read and syntax check configuration file(s). Exit with code 0 if
53 all is OK, or a non-zero code otherwise. Do not start up dns‐
54 masq.
55 -w, --help
57 Display all command-line options. --help dhcp will display
58 known DHCPv4 configuration options, and --help dhcp6 will dis‐
59 play DHCPv6 options.
60 -h, --no-hosts
62 Don't read the hostnames in /etc/hosts.
63 -H, --addn-hosts=<file>
65 Additional hosts file. Read the specified file as well as
66 /etc/hosts. If -h is given, read only the specified file. This
67 option may be repeated for more than one additional hosts file.
68 If a directory is given, then read all the files contained in
69 that directory.
70 --hostsdir=<path>
72 Read all the hosts files contained in the directory. New or
73 changed files are read automatically. See --dhcp-hostsdir for
74 details.
75 -E, --expand-hosts
77 Add the domain to simple names (without a period) in /etc/hosts
78 in the same way as for DHCP-derived names. Note that this does
79 not apply to domain names in cnames, PTR records, TXT records
80 etc.
81 -T, --local-ttl=<time>
83 When replying with information from /etc/hosts or configuration
84 or the DHCP leases file dnsmasq by default sets the time-to-live
85 field to zero, meaning that the requester should not itself
86 cache the information. This is the correct thing to do in almost
87 all situations. This option allows a time-to-live (in seconds)
88 to be given for these replies. This will reduce the load on the
89 server at the expense of clients using stale data under some
90 circumstances.
91 --dhcp-ttl=<time>
93 As for --local-ttl, but affects only replies with information
94 from DHCP leases. If both are given, --dhcp-ttl applies for DHCP
95 information, and --local-ttl for others. Setting this to zero
96 eliminates the effect of --local-ttl for DHCP.
97 --neg-ttl=<time>
99 Negative replies from upstream servers normally contain time-to-
100 live information in SOA records which dnsmasq uses for caching.
101 If the replies from upstream servers omit this information, dns‐
102 masq does not cache the reply. This option gives a default value
103 for time-to-live (in seconds) which dnsmasq uses to cache nega‐
104 tive replies even in the absence of an SOA record.
105 --max-ttl=<time>
107 Set a maximum TTL value that will be handed out to clients. The
108 specified maximum TTL will be given to clients instead of the
109 true TTL value if it is lower. The true TTL value is however
110 kept in the cache to avoid flooding the upstream DNS servers.
111 --max-cache-ttl=<time>
113 Set a maximum TTL value for entries in the cache.
114 --min-cache-ttl=<time>
116 Extend short TTL values to the time given when caching them.
117 Note that artificially extending TTL values is in general a bad
118 idea, do not do it unless you have a good reason, and understand
119 what you are doing. Dnsmasq limits the value of this option to
120 one hour, unless recompiled.
121 --auth-ttl=<time>
123 Set the TTL value returned in answers from the authoritative
124 server.
125 -k, --keep-in-foreground
127 Do not go into the background at startup but otherwise run as
128 normal. This is intended for use when dnsmasq is run under dae‐
129 montools or launchd.
130 -d, --no-daemon
132 Debug mode: don't fork to the background, don't write a pid
133 file, don't change user id, generate a complete cache dump on
134 receipt on SIGUSR1, log to stderr as well as syslog, don't fork
135 new processes to handle TCP queries. Note that this option is
136 for use in debugging only, to stop dnsmasq daemonising in pro‐
137 duction, use -k.
138 -q, --log-queries
140 Log the results of DNS queries handled by dnsmasq. Enable a full
141 cache dump on receipt of SIGUSR1. If the argument "extra" is
142 supplied, ie --log-queries=extra then the log has extra informa‐
143 tion at the start of each line. This consists of a serial num‐
144 ber which ties together the log lines associated with an indi‐
145 vidual query, and the IP address of the requestor.
146 -8, --log-facility=<facility>
148 Set the facility to which dnsmasq will send syslog entries, this
149 defaults to DAEMON, and to LOCAL0 when debug mode is in opera‐
150 tion. If the facility given contains at least one '/' character,
151 it is taken to be a filename, and dnsmasq logs to the given
152 file, instead of syslog. If the facility is '-' then dnsmasq
153 logs to stderr. (Errors whilst reading configuration will still
154 go to syslog, but all output from a successful startup, and all
155 output whilst running, will go exclusively to the file.) When
156 logging to a file, dnsmasq will close and reopen the file when
157 it receives SIGUSR2. This allows the log file to be rotated
158 without stopping dnsmasq.
159 --log-async[=<lines>]
161 Enable asynchronous logging and optionally set the limit on the
162 number of lines which will be queued by dnsmasq when writing to
163 the syslog is slow. Dnsmasq can log asynchronously: this allows
164 it to continue functioning without being blocked by syslog, and
165 allows syslog to use dnsmasq for DNS queries without risking
166 deadlock. If the queue of log-lines becomes full, dnsmasq will
167 log the overflow, and the number of messages lost. The default
168 queue length is 5, a sane value would be 5-25, and a maximum
169 limit of 100 is imposed.
170 -x, --pid-file=<path>
172 Specify an alternate path for dnsmasq to record its process-id
173 in. Normally /var/run/dnsmasq.pid.
174 -u, --user=<username>
176 Specify the userid to which dnsmasq will change after startup.
177 Dnsmasq must normally be started as root, but it will drop root
178 privileges after startup by changing id to another user. Nor‐
179 mally this user is "nobody" but that can be over-ridden with
180 this switch.
181 -g, --group=<groupname>
183 Specify the group which dnsmasq will run as. The defaults to
184 "dip", if available, to facilitate access to
185 /etc/ppp/resolv.conf which is not normally world readable.
186 -v, --version
188 Print the version number.
189 -p, --port=<port>
191 Listen on <port> instead of the standard DNS port (53). Setting
192 this to zero completely disables DNS function, leaving only DHCP
193 and/or TFTP.
194 -P, --edns-packet-max=<size>
196 Specify the largest EDNS.0 UDP packet which is supported by the
197 DNS forwarder. Defaults to 4096, which is the RFC5625-recom‐
198 mended size.
199 -Q, --query-port=<query_port>
201 Send outbound DNS queries from, and listen for their replies on,
202 the specific UDP port <query_port> instead of using random
203 ports. NOTE that using this option will make dnsmasq less secure
204 against DNS spoofing attacks but it may be faster and use less
205 resources. Setting this option to zero makes dnsmasq use a sin‐
206 gle port allocated to it by the OS: this was the default behav‐
207 iour in versions prior to 2.43.
208 --min-port=<port>
210 Do not use ports less than that given as source for outbound DNS
211 queries. Dnsmasq picks random ports as source for outbound
212 queries: when this option is given, the ports used will always
213 to larger than that specified. Useful for systems behind fire‐
214 walls.
215 --max-port=<port>
217 Use ports lower than that given as source for outbound DNS
218 queries. Dnsmasq picks random ports as source for outbound
219 queries: when this option is given, the ports used will always
220 be lower than that specified. Useful for systems behind fire‐
221 walls.
222 -i, --interface=<interface name>
225 Listen only on the specified interface(s). Dnsmasq automatically
226 adds the loopback (local) interface to the list of interfaces to
227 use when the --interface option is used. If no --interface or
228 --listen-address options are given dnsmasq listens on all avail‐
229 able interfaces except any given in --except-interface options.
230 IP alias interface names (eg "eth1:0") can be used only in
231 --bind-interfaces or --bind-dynamic mode. Use --listen-address
232 in the default mode instead. A simple wildcard, consisting of a
233 trailing '*', can be used in --interface and --except-interface
234 options.
235 -I, --except-interface=<interface name>
237 Do not listen on the specified interface. Note that the order of
238 --listen-address --interface and --except-interface options does
239 not matter and that --except-interface options always override
240 the others.
241 --auth-server=<domain>,<interface>|<ip-address>
243 Enable DNS authoritative mode for queries arriving at an inter‐
244 face or address. Note that the interface or address need not be
245 mentioned in --interface or --listen-address configuration,
246 indeed --auth-server will overide these and provide a different
247 DNS service on the specified interface. The <domain> is the
248 "glue record". It should resolve in the global DNS to a A and/or
249 AAAA record which points to the address dnsmasq is listening on.
250 When an interface is specified, it may be qualified with "/4" or
251 "/6" to specify only the IPv4 or IPv6 addresses associated with
252 the interface.
253 --local-service
255 Accept DNS queries only from hosts whose address is on a local
256 subnet, ie a subnet for which an interface exists on the server.
257 This option only has effect is there are no --interface
258 --except-interface, --listen-address or --auth-server options.
259 It is intended to be set as a default on installation, to allow
260 unconfigured installations to be useful but also safe from being
261 used for DNS amplification attacks.
262 -2, --no-dhcp-interface=<interface name>
264 Do not provide DHCP or TFTP on the specified interface, but do
265 provide DNS service.
266 -a, --listen-address=<ipaddr>
268 Listen on the given IP address(es). Both --interface and --lis‐
269 ten-address options may be given, in which case the set of both
270 interfaces and addresses is used. Note that if no --interface
271 option is given, but --listen-address is, dnsmasq will not auto‐
272 matically listen on the loopback interface. To achieve this, its
273 IP address, 127.0.0.1, must be explicitly given as a --listen-
274 address option.
275 -z, --bind-interfaces
277 On systems which support it, dnsmasq binds the wildcard address,
278 even when it is listening on only some interfaces. It then dis‐
279 cards requests that it shouldn't reply to. This has the advan‐
280 tage of working even when interfaces come and go and change
281 address. This option forces dnsmasq to really bind only the
282 interfaces it is listening on. About the only time when this is
283 useful is when running another nameserver (or another instance
284 of dnsmasq) on the same machine. Setting this option also
285 enables multiple instances of dnsmasq which provide DHCP service
286 to run in the same machine.
287 --bind-dynamic
289 Enable a network mode which is a hybrid between --bind-inter‐
290 faces and the default. Dnsmasq binds the address of individual
291 interfaces, allowing multiple dnsmasq instances, but if new
292 interfaces or addresses appear, it automatically listens on
293 those (subject to any access-control configuration). This makes
294 dynamically created interfaces work in the same way as the
295 default. Implementing this option requires non-standard network‐
296 ing APIs and it is only available under Linux. On other plat‐
297 forms it falls-back to --bind-interfaces mode.
298 -y, --localise-queries
300 Return answers to DNS queries from /etc/hosts which depend on
301 the interface over which the query was received. If a name in
302 /etc/hosts has more than one address associated with it, and at
303 least one of those addresses is on the same subnet as the inter‐
304 face to which the query was sent, then return only the
305 address(es) on that subnet. This allows for a server to have
306 multiple addresses in /etc/hosts corresponding to each of its
307 interfaces, and hosts will get the correct address based on
308 which network they are attached to. Currently this facility is
309 limited to IPv4.
310 -b, --bogus-priv
312 Bogus private reverse lookups. All reverse lookups for private
313 IP ranges (ie 192.168.x.x, etc) which are not found in
314 /etc/hosts or the DHCP leases file are answered with "no such
315 domain" rather than being forwarded upstream.
316 -V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
318 Modify IPv4 addresses returned from upstream nameservers; old-ip
319 is replaced by new-ip. If the optional mask is given then any
320 address which matches the masked old-ip will be re-written. So,
321 for instance --alias=1.2.3.0,6.7.8.0,255.255.255.0 will map
322 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what
323 Cisco PIX routers call "DNS doctoring". If the old IP is given
324 as range, then only addresses in the range, rather than a whole
325 subnet, are re-written. So
326 --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 maps
327 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
328 -B, --bogus-nxdomain=<ipaddr>
330 Transform replies which contain the IP address given into "No
331 such domain" replies. This is intended to counteract a devious
332 move made by Verisign in September 2003 when they started
333 returning the address of an advertising web page in response to
334 queries for unregistered names, instead of the correct NXDOMAIN
335 response. This option tells dnsmasq to fake the correct response
336 when it sees this behaviour. As at Sept 2003 the IP address
337 being returned by Verisign is 64.94.110.11
338 --ignore-address=<ipaddr>
340 Ignore replies to A-record queries which include the specified
341 address. No error is generated, dnsmasq simply continues to
342 listen for another reply. This is useful to defeat blocking
343 strategies which rely on quickly supplying a forged answer to a
344 DNS request for certain domain, before the correct answer can
345 arrive.
346 -f, --filterwin2k
348 Later versions of windows make periodic DNS requests which don't
349 get sensible answers from the public DNS and can cause problems
350 by triggering dial-on-demand links. This flag turns on an option
351 to filter such requests. The requests blocked are for records of
352 types SOA and SRV, and type ANY where the requested name has
353 underscores, to catch LDAP requests.
354 -r, --resolv-file=<file>
356 Read the IP addresses of the upstream nameservers from <file>,
357 instead of /etc/resolv.conf. For the format of this file see
358 resolv.conf(5). The only lines relevant to dnsmasq are name‐
359 server ones. Dnsmasq can be told to poll more than one
360 resolv.conf file, the first file name specified overrides the
361 default, subsequent ones add to the list. This is only allowed
362 when polling; the file with the currently latest modification
363 time is the one used.
364 -R, --no-resolv
366 Don't read /etc/resolv.conf. Get upstream servers only from the
367 command line or the dnsmasq configuration file.
368 -1, --enable-dbus[=<service-name>]
370 Allow dnsmasq configuration to be updated via DBus method calls.
371 The configuration which can be changed is upstream DNS servers
372 (and corresponding domains) and cache clear. Requires that dns‐
373 masq has been built with DBus support. If the service name is
374 given, dnsmasq provides service at that name, rather than the
375 default which is uk.org.thekelleys.dnsmasq
376 -o, --strict-order
378 By default, dnsmasq will send queries to any of the upstream
379 servers it knows about and tries to favour servers that are
380 known to be up. Setting this flag forces dnsmasq to try each
381 query with each server strictly in the order they appear in
382 /etc/resolv.conf
383 --all-servers
385 By default, when dnsmasq has more than one upstream server
386 available, it will send queries to just one server. Setting this
387 flag forces dnsmasq to send all queries to all available
388 servers. The reply from the server which answers first will be
389 returned to the original requester.
390 --dns-loop-detect
392 Enable code to detect DNS forwarding loops; ie the situation
393 where a query sent to one of the upstream server eventually
394 returns as a new query to the dnsmasq instance. The process
395 works by generating TXT queries of the form <hex>.test and send‐
396 ing them to each upstream server. The hex is a UID which encodes
397 the instance of dnsmasq sending the query and the upstream
398 server to which it was sent. If the query returns to the server
399 which sent it, then the upstream server through which it was
400 sent is disabled and this event is logged. Each time the set of
401 upstream servers changes, the test is re-run on all of them,
402 including ones which were previously disabled.
403 --stop-dns-rebind
405 Reject (and log) addresses from upstream nameservers which are
406 in the private IP ranges. This blocks an attack where a browser
407 behind a firewall is used to probe machines on the local net‐
408 work.
409 --rebind-localhost-ok
411 Exempt 127.0.0.0/8 from rebinding checks. This address range is
412 returned by realtime black hole servers, so blocking it may dis‐
413 able these services.
414 --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
416 Do not detect and block dns-rebind on queries to these domains.
417 The argument may be either a single domain, or multiple domains
418 surrounded by '/', like the --server syntax, eg. --rebind-
419 domain-ok=/domain1/domain2/domain3/
420 -n, --no-poll
422 Don't poll /etc/resolv.conf for changes.
423 --clear-on-reload
425 Whenever /etc/resolv.conf is re-read or the upstream servers are
426 set via DBus, clear the DNS cache. This is useful when new
427 nameservers may have different data than that held in cache.
428 -D, --domain-needed
430 Tells dnsmasq to never forward A or AAAA queries for plain
431 names, without dots or domain parts, to upstream nameservers. If
432 the name is not known from /etc/hosts or DHCP then a "not found"
433 answer is returned.
434 -S, --local,
436 --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<inter‐
437 face>[#<port>]]
438 Specify IP address of upstream servers directly. Setting this
439 flag does not suppress reading of /etc/resolv.conf, use -R to do
440 that. If one or more optional domains are given, that server is
441 used only for those domains and they are queried only using the
442 specified server. This is intended for private nameservers: if
443 you have a nameserver on your network which deals with names of
444 the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then giv‐
445 ing the flag -S /internal.thekelleys.org.uk/192.168.1.1 will
446 send all queries for internal machines to that nameserver,
447 everything else will go to the servers in /etc/resolv.conf.
448 DNSSEC validation is turned off for such private nameservers,
449 UNLESS a --trust-anchor is specified for the domain in question.
450 An empty domain specification, // has the special meaning of
451 "unqualified names only" ie names without any dots in them. A
452 non-standard port may be specified as part of the IP address
453 using a # character. More than one -S flag is allowed, with
454 repeated domain or ipaddr parts as required.
455 More specific domains take precendence over less specific
457 domains, so: --server=/google.com/1.2.3.4
458 --server=/www.google.com/2.3.4.5 will send queries for
459 *.google.com to 1.2.3.4, except *www.google.com, which will go
460 to 2.3.4.5
461 The special server address '#' means, "use the standard
463 servers", so --server=/google.com/1.2.3.4
464 --server=/www.google.com/# will send queries for *.google.com to
465 1.2.3.4, except *www.google.com which will be forwarded as
466 usual.
467 Also permitted is a -S flag which gives a domain but no IP
469 address; this tells dnsmasq that a domain is local and it may
470 answer queries from /etc/hosts or DHCP but should never forward
471 queries on that domain to any upstream servers. local is a syn‐
472 onym for server to make configuration files clearer in this
473 case.
474 IPv6 addresses may include a %interface scope-id, eg
476 fe80::202:a412:4512:7bbf%eth0.
477 The optional string after the @ character tells dnsmasq how to
479 set the source of the queries to this nameserver. It should be
480 an ip-address, which should belong to the machine on which dns‐
481 masq is running otherwise this server line will be logged and
482 then ignored, or an interface name. If an interface name is
483 given, then queries to the server will be forced via that inter‐
484 face; if an ip-address is given then the source address of the
485 queries will be set to that address. The query-port flag is
486 ignored for any servers which have a source address specified
487 but the port may be specified directly as part of the source
488 address. Forcing queries to an interface is not implemented on
489 all platforms supported by dnsmasq.
490 --rev-server=<ip-address>/<prefix-len>,<ipaddr>[#<port>][@<source-
492 ip>|<interface>[#<port>]]
493 This is functionally the same as --server, but provides some
494 syntactic sugar to make specifying address-to-name queries eas‐
495 ier. For example --rev-server=1.2.3.0/24,192.168.0.1 is exactly
496 equivalent to --server=/3.2.1.in-addr.arpa/192.168.0.1
497 -A, --address=/<domain>/[domain/][<ipaddr>]
499 Specify an IP address to return for any host in the given
500 domains. Queries in the domains are never forwarded and always
501 replied to with the specified IP address which may be IPv4 or
502 IPv6. To give both IPv4 and IPv6 addresses for a domain, use
503 repeated -A flags. Note that /etc/hosts and DHCP leases over‐
504 ride this for individual names. A common use of this is to redi‐
505 rect the entire doubleclick.net domain to some friendly local
506 web server to avoid banner ads. The domain specification works
507 in the same was as for --server, with the additional facility
508 that /#/ matches any domain. Thus --address=/#/1.2.3.4 will
509 always return 1.2.3.4 for any query not answered from /etc/hosts
510 or DHCP and not sent to an upstream nameserver by a more spe‐
511 cific --server directive. As for --server, one or more domains
512 with no address returns a no-such-domain answer, so
513 --address=/example.com/ is equivalent to --server=/example.com/
514 and returns NXDOMAIN for example.com and all its subdomains.
515 --ipset=/<domain>/[domain/]<ipset>[,<ipset>]
517 Places the resolved IP addresses of queries for the specified
518 domains in the specified netfilter ip sets. Domains and subdo‐
519 mains are matched in the same way as --address. These ip sets
520 must already exist. See ipset(8) for more details.
521 -m, --mx-host=<mx name>[[,<hostname>],<preference>]
523 Return an MX record named <mx name> pointing to the given host‐
524 name (if given), or the host specified in the --mx-target switch
525 or, if that switch is not given, the host on which dnsmasq is
526 running. The default is useful for directing mail from systems
527 on a LAN to a central server. The preference value is optional,
528 and defaults to 1 if not given. More than one MX record may be
529 given for a host.
530 -t, --mx-target=<hostname>
532 Specify the default target for the MX record returned by dns‐
533 masq. See --mx-host. If --mx-target is given, but not --mx-
534 host, then dnsmasq returns a MX record containing the MX target
535 for MX queries on the hostname of the machine on which dnsmasq
536 is running.
537 -e, --selfmx
539 Return an MX record pointing to itself for each local machine.
540 Local machines are those in /etc/hosts or with DHCP leases.
541 -L, --localmx
543 Return an MX record pointing to the host given by mx-target (or
544 the machine on which dnsmasq is running) for each local machine.
545 Local machines are those in /etc/hosts or with DHCP leases.
546 -W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<prior‐
548 ity>[,<weight>]]]]
549 Return a SRV DNS record. See RFC2782 for details. If not sup‐
550 plied, the domain defaults to that given by --domain. The
551 default for the target domain is empty, and the default for port
552 is one and the defaults for weight and priority are zero. Be
553 careful if transposing data from BIND zone files: the port,
554 weight and priority numbers are in a different order. More than
555 one SRV record for a given service/domain is allowed, all that
556 match are returned.
557 --host-
559 record=<name>[,<name>....],[<IPv4-address>],[<IPv6-address>][,<TTL>]
560 Add A, AAAA and PTR records to the DNS. This adds one or more
561 names to the DNS with associated IPv4 (A) and IPv6 (AAAA)
562 records. A name may appear in more than one host-record and
563 therefore be assigned more than one address. Only the first
564 address creates a PTR record linking the address to the name.
565 This is the same rule as is used reading hosts-files. host-
566 record options are considered to be read before host-files, so a
567 name appearing there inhibits PTR-record creation if it appears
568 in hosts-file also. Unlike hosts-files, names are not expanded,
569 even when expand-hosts is in effect. Short and long names may
570 appear in the same host-record, eg. --host-record=laptop,lap‐
571 top.thekelleys.org,192.168.0.1,1234::100
572 If the time-to-live is given, it overrides the default, which is
574 zero or the value of --local-ttl. The value is a positive inte‐
575 ger and gives the time-to-live in seconds.
576 -Y, --txt-record=<name>[[,<text>],<text>]
578 Return a TXT DNS record. The value of TXT record is a set of
579 strings, so any number may be included, delimited by commas;
580 use quotes to put commas into a string. Note that the maximum
581 length of a single string is 255 characters, longer strings are
582 split into 255 character chunks.
583 --ptr-record=<name>[,<target>]
585 Return a PTR DNS record.
586 --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<reg‐
588 exp>[,<replacement>]
589 Return an NAPTR DNS record, as specified in RFC3403.
590 --cname=<cname>,<target>[,<TTL>]
592 Return a CNAME record which indicates that <cname> is really
593 <target>. There are significant limitations on the target; it
594 must be a DNS name which is known to dnsmasq from /etc/hosts (or
595 additional hosts files), from DHCP, from --interface-name or
596 from another --cname. If the target does not satisfy this cri‐
597 teria, the whole cname is ignored. The cname must be unique, but
598 it is permissable to have more than one cname pointing to the
599 same target.
600 If the time-to-live is given, it overrides the default, which is
602 zero or the value of -local-ttl. The value is a positive integer
603 and gives the time-to-live in seconds.
604 --dns-rr=<name>,<RR-number>,[<hex data>]
606 Return an arbitrary DNS Resource Record. The number is the type
607 of the record (which is always in the C_IN class). The value of
608 the record is given by the hex data, which may be of the form
609 01:23:45 or 01 23 45 or 012345 or any mixture of these.
610 --interface-name=<name>,<interface>[/4|/6]
612 Return a DNS record associating the name with the primary
613 address on the given interface. This flag specifies an A or AAAA
614 record for the given name in the same way as an /etc/hosts line,
615 except that the address is not constant, but taken from the
616 given interface. The interface may be followed by "/4" or "/6"
617 to specify that only IPv4 or IPv6 addresses of the interface
618 should be used. If the interface is down, not configured or non-
619 existent, an empty record is returned. The matching PTR record
620 is also created, mapping the interface address to the name. More
621 than one name may be associated with an interface address by
622 repeating the flag; in that case the first instance is used for
623 the reverse address-to-name mapping.
624 --synth-domain=<domain>,<address range>[,<prefix>]
626 Create artificial A/AAAA and PTR records for an address range.
627 The records use the address, with periods (or colons for IPv6)
628 replaced with dashes.
629 An example should make this clearer. --synth-domain=thekel‐
631 leys.org.uk,192.168.0.0/24,internal- will result in a query for
632 internal-192-168-0-56.thekelleys.org.uk returning 192.168.0.56
633 and a reverse query vice versa. The same applies to IPv6, but
634 IPv6 addresses may start with '::' but DNS labels may not start
635 with '-' so in this case if no prefix is configured a zero is
636 added in front of the label. ::1 becomes 0--1.
637 The address range can be of the form <ip address>,<ip address>
639 or <ip address>/<netmask>
640 --add-mac[=base64|text]
642 Add the MAC address of the requestor to DNS queries which are
643 forwarded upstream. This may be used to DNS filtering by the
644 upstream server. The MAC address can only be added if the
645 requestor is on the same subnet as the dnsmasq server. Note that
646 the mechanism used to achieve this (an EDNS0 option) is not yet
647 standardised, so this should be considered experimental. Also
648 note that exposing MAC addresses in this way may have security
649 and privacy implications. The warning about caching given for
650 --add-subnet applies to --add-mac too. An alternative encoding
651 of the MAC, as base64, is enabled by adding the "base64" parame‐
652 ter and a human-readable encoding of hex-and-colons is enabled
653 by added the "text" parameter.
654 --add-cpe-id=<string>
656 Add a arbitrary identifying string to o DNS queries which are
657 forwarded upstream.
658 --add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6
660 address>/]<IPv6 prefix length>]]
661 Add a subnet address to the DNS queries which are forwarded
662 upstream. If an address is specified in the flag, it will be
663 used, otherwise, the address of the requestor will be used. The
664 amount of the address forwarded depends on the prefix length
665 parameter: 32 (128 for IPv6) forwards the whole address, zero
666 forwards none of it but still marks the request so that no
667 upstream nameserver will add client address information either.
668 The default is zero for both IPv4 and IPv6. Note that upstream
669 nameservers may be configured to return different results based
670 on this information, but the dnsmasq cache does not take
671 account. If a dnsmasq instance is configured such that different
672 results may be encountered, caching should be disabled.
673 For example, --add-subnet=24,96 will add the /24 and /96 subnets
675 of the requestor for IPv4 and IPv6 requestors, respectively.
676 --add-subnet=1.2.3.4/24 will add 1.2.3.0/24 for IPv4 requestors
677 and ::/0 for IPv6 requestors. --add-sub‐
678 net=1.2.3.4/24,1.2.3.4/24 will add 1.2.3.0/24 for both IPv4 and
679 IPv6 requestors.
680 -c, --cache-size=<cachesize>
683 Set the size of dnsmasq's cache. The default is 150 names. Set‐
684 ting the cache size to zero disables caching.
685 -N, --no-negcache
687 Disable negative caching. Negative caching allows dnsmasq to
688 remember "no such domain" answers from upstream nameservers and
689 answer identical queries without forwarding them again.
690 -0, --dns-forward-max=<queries>
692 Set the maximum number of concurrent DNS queries. The default
693 value is 150, which should be fine for most setups. The only
694 known situation where this needs to be increased is when using
695 web-server log file resolvers, which can generate large numbers
696 of concurrent queries.
697 --dnssec
699 Validate DNS replies and cache DNSSEC data. When forwarding DNS
700 queries, dnsmasq requests the DNSSEC records needed to validate
701 the replies. The replies are validated and the result returned
702 as the Authenticated Data bit in the DNS packet. In addition the
703 DNSSEC records are stored in the cache, making validation by
704 clients more efficient. Note that validation by clients is the
705 most secure DNSSEC mode, but for clients unable to do valida‐
706 tion, use of the AD bit set by dnsmasq is useful, provided that
707 the network between the dnsmasq server and the client is
708 trusted. Dnsmasq must be compiled with HAVE_DNSSEC enabled, and
709 DNSSEC trust anchors provided, see --trust-anchor. Because the
710 DNSSEC validation process uses the cache, it is not permitted to
711 reduce the cache size below the default when DNSSEC is enabled.
712 The nameservers upstream of dnsmasq must be DNSSEC-capable, ie
713 capable of returning DNSSEC records with data. If they are not,
714 then dnsmasq will not be able to determine the trusted status of
715 answers. In the default mode, this menas that all replies will
716 be marked as untrusted. If --dnssec-check-unsigned is set and
717 the upstream servers don't support DNSSEC, then DNS service will
718 be entirely broken.
719 --trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-
721 type>,<digest>
722 Provide DS records to act a trust anchors for DNSSEC validation.
723 Typically these will be the DS record(s) for Zone Signing key(s)
724 of the root zone, but trust anchors for limited domains are also
725 possible. The current root-zone trust anchors may be downloaded
726 from https://data.iana.org/root-anchors/root-anchors.xml
727 --dnssec-check-unsigned
729 As a default, dnsmasq does not check that unsigned DNS replies
730 are legitimate: they are assumed to be valid and passed on
731 (without the "authentic data" bit set, of course). This does not
732 protect against an attacker forging unsigned replies for signed
733 DNS zones, but it is fast. If this flag is set, dnsmasq will
734 check the zones of unsigned replies, to ensure that unsigned
735 replies are allowed in those zones. The cost of this is more
736 upstream queries and slower performance. See also the warning
737 about upstream servers in the section on --dnssec
738 --dnssec-no-timecheck
740 DNSSEC signatures are only valid for specified time windows, and
741 should be rejected outside those windows. This generates an
742 interesting chicken-and-egg problem for machines which don't
743 have a hardware real time clock. For these machines to determine
744 the correct time typically requires use of NTP and therefore
745 DNS, but validating DNS requires that the correct time is
746 already known. Setting this flag removes the time-window checks
747 (but not other DNSSEC validation.) only until the dnsmasq
748 process receives SIGHUP. The intention is that dnsmasq should be
749 started with this flag when the platform determines that reli‐
750 able time is not currently available. As soon as reliable time
751 is established, a SIGHUP should be sent to dnsmasq, which
752 enables time checking, and purges the cache of DNS records which
753 have not been throughly checked.
754 --dnssec-timestamp=<path>
756 Enables an alternative way of checking the validity of the sys‐
757 tem time for DNSSEC (see --dnssec-no-timecheck). In this case,
758 the system time is considered to be valid once it becomes later
759 than the timestamp on the specified file. The file is created
760 and its timestamp set automatically by dnsmasq. The file must be
761 stored on a persistent filesystem, so that it and its mtime are
762 carried over system restarts. The timestamp file is created
763 after dnsmasq has dropped root, so it must be in a location
764 writable by the unprivileged user that dnsmasq runs as.
765 --proxy-dnssec
767 Copy the DNSSEC Authenticated Data bit from upstream servers to
768 downstream clients and cache it. This is an alternative to hav‐
769 ing dnsmasq validate DNSSEC, but it depends on the security of
770 the network between dnsmasq and the upstream servers, and the
771 trustworthiness of the upstream servers.
772 --dnssec-debug
774 Set debugging mode for the DNSSEC validation, set the Checking
775 Disabled bit on upstream queries, and don't convert replies
776 which do not validate to responses with a return code of SERV‐
777 FAIL. Note that setting this may affect DNS behaviour in bad
778 ways, it is not an extra-logging flag and should not be set in
779 production.
780 --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix
782 length>].....]]
783 Define a DNS zone for which dnsmasq acts as authoritative
784 server. Locally defined DNS records which are in the domain will
785 be served. If subnet(s) are given, A and AAAA records must be in
786 one of the specified subnets.
787 As alternative to directly specifying the subnets, it's possible
789 to give the name of an interface, in which case the subnets
790 implied by that interface's configured addresses and net‐
791 mask/prefix-length are used; this is useful when using con‐
792 structed DHCP ranges as the actual address is dynamic and not
793 known when configuring dnsmasq. The interface addresses may be
794 confined to only IPv6 addresses using <interface>/6 or to only
795 IPv4 using <interface>/4. This is useful when an interface has
796 dynamically determined global IPv6 addresses which should appear
797 in the zone, but RFC1918 IPv4 addresses which should not.
798 Interface-name and address-literal subnet specifications may be
799 used freely in the same --auth-zone declaration.
800 The subnet(s) are also used to define in-addr.arpa and ip6.arpa
802 domains which are served for reverse-DNS queries. If not speci‐
803 fied, the prefix length defaults to 24 for IPv4 and 64 for IPv6.
804 For IPv4 subnets, the prefix length should be have the value 8,
805 16 or 24 unless you are familiar with RFC 2317 and have arranged
806 the in-addr.arpa delegation accordingly. Note that if no subnets
807 are specified, then no reverse queries are answered.
808 --auth-soa=<serial>[,<hostmaster>[,<refresh>[,<retry>[,<expiry>]]]]
810 Specify fields in the SOA record associated with authoritative
811 zones. Note that this is optional, all the values are set to
812 sane defaults.
813 --auth-sec-servers=<domain>[,<domain>[,<domain>...]]
815 Specify any secondary servers for a zone for which dnsmasq is
816 authoritative. These servers must be configured to get zone data
817 from dnsmasq by zone transfer, and answer queries for the same
818 authoritative zones as dnsmasq.
819 --auth-peer=<ip-address>[,<ip-address>[,<ip-address>...]]
821 Specify the addresses of secondary servers which are allowed to
822 initiate zone transfer (AXFR) requests for zones for which dns‐
823 masq is authoritative. If this option is not given, then AXFR
824 requests will be accepted from any secondary.
825 --conntrack
827 Read the Linux connection track mark associated with incoming
828 DNS queries and set the same mark value on upstream traffic used
829 to answer those queries. This allows traffic generated by dns‐
830 masq to be associated with the queries which cause it, useful
831 for bandwidth accounting and firewalling. Dnsmasq must have con‐
832 ntrack support compiled in and the kernel must have conntrack
833 support included and configured. This option cannot be combined
834 with --query-port.
835 -F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-
837 addr>[,<end-addr>|<mode>][,<netmask>[,<broadcast>]][,<lease time>]
838 -F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-
840 IPv6addr>[,<end-IPv6addr>|constructor:<interface>][,<mode>][,<prefix-
841 len>][,<lease time>]
842 Enable the DHCP server. Addresses will be given out from the
844 range <start-addr> to <end-addr> and from statically defined
845 addresses given in dhcp-host options. If the lease time is
846 given, then leases will be given for that length of time. The
847 lease time is in seconds, or minutes (eg 45m) or hours (eg 1h)
848 or "infinite". If not given, the default lease time is one hour.
849 The minimum lease time is two minutes. For IPv6 ranges, the
850 lease time maybe "deprecated"; this sets the preferred lifetime
851 sent in a DHCP lease or router advertisement to zero, which
852 causes clients to use other addresses, if available, for new
853 connections as a prelude to renumbering.
854 This option may be repeated, with different addresses, to enable
856 DHCP service to more than one network. For directly connected
857 networks (ie, networks on which the machine running dnsmasq has
858 an interface) the netmask is optional: dnsmasq will determine it
859 from the interface configuration. For networks which receive
860 DHCP service via a relay agent, dnsmasq cannot determine the
861 netmask itself, so it should be specified, otherwise dnsmasq
862 will have to guess, based on the class (A, B or C) of the net‐
863 work address. The broadcast address is always optional. It is
864 always allowed to have more than one dhcp-range in a single sub‐
865 net.
866 For IPv6, the parameters are slightly different: instead of net‐
868 mask and broadcast address, there is an optional prefix length
869 which must be equal to or larger then the prefix length on the
870 local interface. If not given, this defaults to 64. Unlike the
871 IPv4 case, the prefix length is not automatically derived from
872 the interface configuration. The mimimum size of the prefix
873 length is 64.
874 IPv6 (only) supports another type of range. In this, the start
876 address and optional end address contain only the network part
877 (ie ::1) and they are followed by constructor:<interface>. This
878 forms a template which describes how to create ranges, based on
879 the addresses assigned to the interface. For instance
880 --dhcp-range=::1,::400,constructor:eth0
882 will look for addresses on eth0 and then create a range from
884 <network>::1 to <network>::400. If the interface is assigned
885 more than one network, then the corresponding ranges will be
886 automatically created, and then deprecated and finally removed
887 again as the address is deprecated and then deleted. The inter‐
888 face name may have a final "*" wildcard. Note that just any
889 address on eth0 will not do: it must not be an autoconfigured or
890 privacy address, or be deprecated.
891 If a dhcp-range is only being used for stateless DHCP and/or
893 SLAAC, then the address can be simply ::
894 --dhcp-range=::,constructor:eth0
896 The optional set:<tag> sets an alphanumeric label which marks
899 this network so that dhcp options may be specified on a per-net‐
900 work basis. When it is prefixed with 'tag:' instead, then its
901 meaning changes from setting a tag to matching it. Only one tag
902 may be set, but more than one tag may be matched.
903 The optional <mode> keyword may be static which tells dnsmasq to
905 enable DHCP for the network specified, but not to dynamically
906 allocate IP addresses: only hosts which have static addresses
907 given via dhcp-host or from /etc/ethers will be served. A
908 static-only subnet with address all zeros may be used as a
909 "catch-all" address to enable replies to all Information-request
910 packets on a subnet which is provided with stateless DHCPv6, ie
911 --dhcp-range=::,static
912 For IPv4, the <mode> may be proxy in which case dnsmasq will
914 provide proxy-DHCP on the specified subnet. (See pxe-prompt and
915 pxe-service for details.)
916 For IPv6, the mode may be some combination of ra-only, slaac,
918 ra-names, ra-stateless, ra-advrouter, off-link.
919 ra-only tells dnsmasq to offer Router Advertisement only on this
921 subnet, and not DHCP.
922 slaac tells dnsmasq to offer Router Advertisement on this subnet
924 and to set the A bit in the router advertisement, so that the
925 client will use SLAAC addresses. When used with a DHCP range or
926 static DHCP address this results in the client having both a
927 DHCP-assigned and a SLAAC address.
928 ra-stateless sends router advertisements with the O and A bits
930 set, and provides a stateless DHCP service. The client will use
931 a SLAAC address, and use DHCP for other configuration informa‐
932 tion.
933 ra-names enables a mode which gives DNS names to dual-stack
935 hosts which do SLAAC for IPv6. Dnsmasq uses the host's IPv4
936 lease to derive the name, network segment and MAC address and
937 assumes that the host will also have an IPv6 address calculated
938 using the SLAAC algorithm, on the same network segment. The
939 address is pinged, and if a reply is received, an AAAA record is
940 added to the DNS for this IPv6 address. Note that this is only
941 happens for directly-connected networks, (not one doing DHCP via
942 a relay) and it will not work if a host is using privacy exten‐
943 sions. ra-names can be combined with ra-stateless and slaac.
944 ra-advrouter enables a mode where router address(es) rather than
946 prefix(es) are included in the advertisements. This is
947 described in RFC-3775 section 7.2 and is used in mobile IPv6. In
948 this mode the interval option is also included, as described in
949 RFC-3775 section 7.3.
950 off-link tells dnsmasq to advertise the prefix without the on-
952 link (aka L) bit set.
953 -G, --dhcp-
956 host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,<ipaddr>][,<host‐
957 name>][,<lease_time>][,ignore]
958 Specify per host parameters for the DHCP server. This allows a
959 machine with a particular hardware address to be always allo‐
960 cated the same hostname, IP address and lease time. A hostname
961 specified like this overrides any supplied by the DHCP client on
962 the machine. It is also allowable to omit the hardware address
963 and include the hostname, in which case the IP address and lease
964 times will apply to any machine claiming that name. For example
965 --dhcp-host=00:20:e0:3b:13:af,wap,infinite tells dnsmasq to give
966 the machine with hardware address 00:20:e0:3b:13:af the name
967 wap, and an infinite DHCP lease. --dhcp-host=lap,192.168.0.199
968 tells dnsmasq to always allocate the machine lap the IP address
969 192.168.0.199.
970 Addresses allocated like this are not constrained to be in the
972 range given by the --dhcp-range option, but they must be in the
973 same subnet as some valid dhcp-range. For subnets which don't
974 need a pool of dynamically allocated addresses, use the "static"
975 keyword in the dhcp-range declaration.
976 It is allowed to use client identifiers (called client DUID in
978 IPv6-land rather than hardware addresses to identify hosts by
979 prefixing with 'id:'. Thus: --dhcp-host=id:01:02:03:04,.....
980 refers to the host with client identifier 01:02:03:04. It is
981 also allowed to specify the client ID as text, like this:
982 --dhcp-host=id:clientidastext,.....
983 A single dhcp-host may contain an IPv4 address or an IPv6
985 address, or both. IPv6 addresses must be bracketed by square
986 brackets thus: --dhcp-host=laptop,[1234::56] IPv6 addresses may
987 contain only the host-identifier part: --dhcp-host=laptop,[::56]
988 in which case they act as wildcards in constructed dhcp ranges,
989 with the appropriate network part inserted. Note that in IPv6
990 DHCP, the hardware address may not be available, though it nor‐
991 mally is for direct-connected clients, or clients using DHCP
992 relays which support RFC 6939.
993 For DHCPv4, the special option id:* means "ignore any client-id
996 and use MAC addresses only." This is useful when a client
997 presents a client-id sometimes but not others.
998 If a name appears in /etc/hosts, the associated address can be
1000 allocated to a DHCP lease, but only if a --dhcp-host option
1001 specifying the name also exists. Only one hostname can be given
1002 in a dhcp-host option, but aliases are possible by using CNAMEs.
1003 (See --cname ).
1004 The special keyword "ignore" tells dnsmasq to never offer a DHCP
1006 lease to a machine. The machine can be specified by hardware
1007 address, client ID or hostname, for instance --dhcp-
1008 host=00:20:e0:3b:13:af,ignore This is useful when there is
1009 another DHCP server on the network which should be used by some
1010 machines.
1011 The set:<tag> construct sets the tag whenever this dhcp-host
1013 directive is in use. This can be used to selectively send DHCP
1014 options just for this host. More than one tag can be set in a
1015 dhcp-host directive (but not in other places where "set:<tag>"
1016 is allowed). When a host matches any dhcp-host directive (or one
1017 implied by /etc/ethers) then the special tag "known" is set.
1018 This allows dnsmasq to be configured to ignore requests from
1019 unknown machines using --dhcp-ignore=tag:!known Ethernet
1020 addresses (but not client-ids) may have wildcard bytes, so for
1021 example --dhcp-host=00:20:e0:3b:13:*,ignore will cause dnsmasq
1022 to ignore a range of hardware addresses. Note that the "*" will
1023 need to be escaped or quoted on a command line, but not in the
1024 configuration file.
1025 Hardware addresses normally match any network (ARP) type, but it
1027 is possible to restrict them to a single ARP type by preceding
1028 them with the ARP-type (in HEX) and "-". so --dhcp-
1029 host=06-00:20:e0:3b:13:af,1.2.3.4 will only match a Token-Ring
1030 hardware address, since the ARP-address type for token ring is
1031 6.
1032 As a special case, in DHCPv4, it is possible to include more
1034 than one hardware address. eg: --dhcp-
1035 host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2 This allows
1036 an IP address to be associated with multiple hardware addresses,
1037 and gives dnsmasq permission to abandon a DHCP lease to one of
1038 the hardware addresses when another one asks for a lease. Beware
1039 that this is a dangerous thing to do, it will only work reliably
1040 if only one of the hardware addresses is active at any time and
1041 there is no way for dnsmasq to enforce this. It is, for
1042 instance, useful to allocate a stable IP address to a laptop
1043 which has both wired and wireless interfaces.
1044 --dhcp-hostsfile=<path>
1046 Read DHCP host information from the specified file. If a direc‐
1047 tory is given, then read all the files contained in that direc‐
1048 tory. The file contains information about one host per line. The
1049 format of a line is the same as text to the right of '=' in
1050 --dhcp-host. The advantage of storing DHCP host information in
1051 this file is that it can be changed without re-starting dnsmasq:
1052 the file will be re-read when dnsmasq receives SIGHUP.
1053 --dhcp-optsfile=<path>
1055 Read DHCP option information from the specified file. If a
1056 directory is given, then read all the files contained in that
1057 directory. The advantage of using this option is the same as for
1058 --dhcp-hostsfile: the dhcp-optsfile will be re-read when dnsmasq
1059 receives SIGHUP. Note that it is possible to encode the informa‐
1060 tion in a
1061 --dhcp-hostsdir=<path>
1063 This is equivalent to dhcp-hostsfile, except for the following.
1064 The path MUST be a directory, and not an individual file.
1065 Changed or new files within the directory are read automati‐
1066 cally, without the need to send SIGHUP. If a file is deleted
1067 for changed after it has been read by dnsmasq, then the host
1068 record it contained will remain until dnsmasq recieves a SIGHUP,
1069 or is restarted; ie host records are only added dynamically.
1070 --dhcp-optsdir=<path>
1072 This is equivalent to dhcp-optsfile, with the differences noted
1073 for --dhcp-hostsdir.
1074 --dhcp-boot
1076 flag as DHCP options, using the options names bootfile-name,
1077 server-ip-address and tftp-server. This allows these to be
1078 included in a dhcp-optsfile.
1079 -Z, --read-ethers
1081 Read /etc/ethers for information about hosts for the DHCP
1082 server. The format of /etc/ethers is a hardware address, fol‐
1083 lowed by either a hostname or dotted-quad IP address. When read
1084 by dnsmasq these lines have exactly the same effect as --dhcp-
1085 host options containing the same information. /etc/ethers is re-
1086 read when dnsmasq receives SIGHUP. IPv6 addresses are NOT read
1087 from /etc/ethers.
1088 -O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-
1090 encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-
1091 name>|option6:<opt>|option6:<opt-name>],[<value>[,<value>]]
1092 Specify different or extra options to DHCP clients. By default,
1093 dnsmasq sends some standard options to DHCP clients, the netmask
1094 and broadcast address are set to the same as the host running
1095 dnsmasq, and the DNS server and default route are set to the
1096 address of the machine running dnsmasq. (Equivalent rules apply
1097 for IPv6.) If the domain name option has been set, that is sent.
1098 This configuration allows these defaults to be overridden, or
1099 other options specified. The option, to be sent may be given as
1100 a decimal number or as "option:<option-name>" The option numbers
1101 are specified in RFC2132 and subsequent RFCs. The set of option-
1102 names known by dnsmasq can be discovered by running "dnsmasq
1103 --help dhcp". For example, to set the default route option to
1104 192.168.4.4, do --dhcp-option=3,192.168.4.4 or --dhcp-option =
1105 option:router, 192.168.4.4 and to set the time-server address to
1106 192.168.0.4, do --dhcp-option = 42,192.168.0.4 or --dhcp-option
1107 = option:ntp-server, 192.168.0.4 The special address 0.0.0.0 is
1108 taken to mean "the address of the machine running dnsmasq".
1109 Data types allowed are comma separated dotted-quad IPv4
1111 addresses, []-wrapped IPv6 addresses, a decimal number, colon-
1112 separated hex digits and a text string. If the optional tags are
1113 given then this option is only sent when all the tags are
1114 matched.
1115 Special processing is done on a text argument for option 119, to
1117 conform with RFC 3397. Text or dotted-quad IP addresses as argu‐
1118 ments to option 120 are handled as per RFC 3361. Dotted-quad IP
1119 addresses which are followed by a slash and then a netmask size
1120 are encoded as described in RFC 3442.
1121 IPv6 options are specified using the option6: keyword, followed
1123 by the option number or option name. The IPv6 option name space
1124 is disjoint from the IPv4 option name space. IPv6 addresses in
1125 options must be bracketed with square brackets, eg. --dhcp-
1126 option=option6:ntp-server,[1234::56] For IPv6, [::] means "the
1127 global address of the machine running dnsmasq", whilst [fd00::]
1128 is replaced with the ULA, if it exists, and [fe80::] with the
1129 link-local address.
1130 Be careful: no checking is done that the correct type of data
1132 for the option number is sent, it is quite possible to persuade
1133 dnsmasq to generate illegal DHCP packets with injudicious use of
1134 this flag. When the value is a decimal number, dnsmasq must
1135 determine how large the data item is. It does this by examining
1136 the option number and/or the value, but can be overridden by
1137 appending a single letter flag as follows: b = one byte, s = two
1138 bytes, i = four bytes. This is mainly useful with encapsulated
1139 vendor class options (see below) where dnsmasq cannot determine
1140 data size from the option number. Option data which consists
1141 solely of periods and digits will be interpreted by dnsmasq as
1142 an IP address, and inserted into an option as such. To force a
1143 literal string, use quotes. For instance when using option 66 to
1144 send a literal IP address as TFTP server name, it is necessary
1145 to do --dhcp-option=66,"1.2.3.4"
1146 Encapsulated Vendor-class options may also be specified (IPv4
1148 only) using --dhcp-option: for instance --dhcp-option=ven‐
1149 dor:PXEClient,1,0.0.0.0 sends the encapsulated vendor class-spe‐
1150 cific option "mftp-address=0.0.0.0" to any client whose vendor-
1151 class matches "PXEClient". The vendor-class matching is sub‐
1152 string based (see --dhcp-vendorclass for details). If a vendor-
1153 class option (number 60) is sent by dnsmasq, then that is used
1154 for selecting encapsulated options in preference to any sent by
1155 the client. It is possible to omit the vendorclass completely;
1156 --dhcp-option=vendor:,1,0.0.0.0 in which case the encapsulated
1157 option is always sent.
1158 Options may be encapsulated (IPv4 only) within other options:
1160 for instance --dhcp-option=encap:175, 190, iscsi-client0 will
1161 send option 175, within which is the option 190. If multiple
1162 options are given which are encapsulated with the same option
1163 number then they will be correctly combined into one encapsu‐
1164 lated option. encap: and vendor: are may not both be set in the
1165 same dhcp-option.
1166 The final variant on encapsulated options is "Vendor-Identifying
1168 Vendor Options" as specified by RFC3925. These are denoted like
1169 this: --dhcp-option=vi-encap:2, 10, text The number in the vi-
1170 encap: section is the IANA enterprise number used to identify
1171 this option. This form of encapsulation is supported in IPv6.
1172 The address 0.0.0.0 is not treated specially in encapsulated
1174 options.
1175 --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-
1177 encap:<enterprise>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
1178 This works in exactly the same way as --dhcp-option except that
1179 the option will always be sent, even if the client does not ask
1180 for it in the parameter request list. This is sometimes needed,
1181 for example when sending options to PXELinux.
1182 --dhcp-no-override
1184 (IPv4 only) Disable re-use of the DHCP servername and filename
1185 fields as extra option space. If it can, dnsmasq moves the boot
1186 server and filename information (from dhcp-boot) out of their
1187 dedicated fields into DHCP options. This make extra space avail‐
1188 able in the DHCP packet for options but can, rarely, confuse old
1189 or broken clients. This flag forces "simple and safe" behaviour
1190 to avoid problems in such a case.
1191 --dhcp-relay=<local address>,<server address>[,<interface]
1193 Configure dnsmasq to do DHCP relay. The local address is an
1194 address allocated to an interface on the host running dnsmasq.
1195 All DHCP requests arriving on that interface will we relayed to
1196 a remote DHCP server at the server address. It is possible to
1197 relay from a single local address to multiple remote servers by
1198 using multiple dhcp-relay configs with the same local address
1199 and different server addresses. A server address must be an IP
1200 literal address, not a domain name. In the case of DHCPv6, the
1201 server address may be the ALL_SERVERS multicast address,
1202 ff05::1:3. In this case the interface must be given, not be
1203 wildcard, and is used to direct the multicast to the correct
1204 interface to reach the DHCP server.
1205 Access control for DHCP clients has the same rules as for the
1207 DHCP server, see --interface, --except-interface, etc. The
1208 optional interface name in the dhcp-relay config has a different
1209 function: it controls on which interface DHCP replies from the
1210 server will be accepted. This is intended for configurations
1211 which have three interfaces: one being relayed from, a second
1212 connecting the DHCP server, and a third untrusted network, typi‐
1213 cally the wider internet. It avoids the possibility of spoof
1214 replies arriving via this third interface.
1215 It is allowed to have dnsmasq act as a DHCP server on one set of
1217 interfaces and relay from a disjoint set of interfaces. Note
1218 that whilst it is quite possible to write configurations which
1219 appear to act as a server and a relay on the same interface,
1220 this is not supported: the relay function will take precedence.
1221 Both DHCPv4 and DHCPv6 relay is supported. It's not possible to
1223 relay DHCPv4 to a DHCPv6 server or vice-versa.
1224 -U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise num‐
1226 ber>,]<vendor-class>
1227 Map from a vendor-class string to a tag. Most DHCP clients pro‐
1228 vide a "vendor class" which represents, in some sense, the type
1229 of host. This option maps vendor classes to tags, so that DHCP
1230 options may be selectively delivered to different classes of
1231 hosts. For example dhcp-vendorclass=set:printers,Hewlett-Packard
1232 JetDirect will allow options to be set only for HP printers like
1233 so: --dhcp-option=tag:printers,3,192.168.4.4 The vendor-class
1234 string is substring matched against the vendor-class supplied by
1235 the client, to allow fuzzy matching. The set: prefix is optional
1236 but allowed for consistency.
1237 Note that in IPv6 only, vendorclasses are namespaced with an
1239 IANA-allocated enterprise number. This is given with enterprise:
1240 keyword and specifies that only vendorclasses matching the spec‐
1241 ified number should be searched.
1242 -j, --dhcp-userclass=set:<tag>,<user-class>
1244 Map from a user-class string to a tag (with substring matching,
1245 like vendor classes). Most DHCP clients provide a "user class"
1246 which is configurable. This option maps user classes to tags, so
1247 that DHCP options may be selectively delivered to different
1248 classes of hosts. It is possible, for instance to use this to
1249 set a different printer server for hosts in the class "accounts"
1250 than for hosts in the class "engineering".
1251 -4, --dhcp-mac=set:<tag>,<MAC address>
1253 Map from a MAC address to a tag. The MAC address may include
1254 wildcards. For example --dhcp-mac=set:3com,01:34:23:*:*:* will
1255 set the tag "3com" for any host whose MAC address matches the
1256 pattern.
1257 --dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-
1259 remoteid=set:<tag>,<remote-id>
1260 Map from RFC3046 relay agent options to tags. This data may be
1261 provided by DHCP relay agents. The circuit-id or remote-id is
1262 normally given as colon-separated hex, but is also allowed to be
1263 a simple string. If an exact match is achieved between the cir‐
1264 cuit or agent ID and one provided by a relay agent, the tag is
1265 set.
1266 dhcp-remoteid (but not dhcp-circuitid) is supported in IPv6.
1268 --dhcp-subscrid=set:<tag>,<subscriber-id>
1270 (IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent
1271 options to tags.
1272 --dhcp-proxy[=<ip addr>]......
1274 (IPv4 only) A normal DHCP relay agent is only used to forward
1275 the initial parts of a DHCP interaction to the DHCP server. Once
1276 a client is configured, it communicates directly with the
1277 server. This is undesirable if the relay agent is adding extra
1278 information to the DHCP packets, such as that used by dhcp-cir‐
1279 cuitid and dhcp-remoteid. A full relay implementation can use
1280 the RFC 5107 serverid-override option to force the DHCP server
1281 to use the relay as a full proxy, with all packets passing
1282 through it. This flag provides an alternative method of doing
1283 the same thing, for relays which don't support RFC 5107. Given
1284 alone, it manipulates the server-id for all interactions via
1285 relays. If a list of IP addresses is given, only interactions
1286 via relays at those addresses are affected.
1287 --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-
1289 encap:<enterprise>[,<value>]
1290 Without a value, set the tag if the client sends a DHCP option
1291 of the given number or name. When a value is given, set the tag
1292 only if the option is sent and matches the value. The value may
1293 be of the form "01:ff:*:02" in which case the value must match
1294 (apart from wildcards) but the option sent may have unmatched
1295 data past the end of the value. The value may also be of the
1296 same form as in dhcp-option in which case the option sent is
1297 treated as an array, and one element must match, so
1298 --dhcp-match=set:efi-ia32,option:client-arch,6
1300 will set the tag "efi-ia32" if the the number 6 appears in the
1302 list of architectures sent by the client in option 93. (See RFC
1303 4578 for details.) If the value is a string, substring matching
1304 is used.
1305 The special form with vi-encap:<enterprise number> matches
1307 against vendor-identifying vendor classes for the specified
1308 enterprise. Please see RFC 3925 for more details of these rare
1309 and interesting beasts.
1310 --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
1312 Perform boolean operations on tags. Any tag appearing as
1313 set:<tag> is set if all the tags which appear as tag:<tag> are
1314 set, (or unset when tag:!<tag> is used) If no tag:<tag> appears
1315 set:<tag> tags are set unconditionally. Any number of set: and
1316 tag: forms may appear, in any order. Tag-if lines ares executed
1317 in order, so if the tag in tag:<tag> is a tag set by another
1318 tag-if, the line which sets the tag must precede the one which
1319 tests it.
1320 -J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
1322 When all the given tags appear in the tag set ignore the host
1323 and do not allocate it a DHCP lease.
1324 --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
1326 When all the given tags appear in the tag set, ignore any host‐
1327 name provided by the host. Note that, unlike dhcp-ignore, it is
1328 permissible to supply no tags, in which case DHCP-client sup‐
1329 plied hostnames are always ignored, and DHCP hosts are added to
1330 the DNS using only dhcp-host configuration in dnsmasq and the
1331 contents of /etc/hosts and /etc/ethers.
1332 --dhcp-generate-names=tag:<tag>[,tag:<tag>]
1334 (IPv4 only) Generate a name for DHCP clients which do not other‐
1335 wise have one, using the MAC address expressed in hex, separated
1336 by dashes. Note that if a host provides a name, it will be used
1337 by preference to this, unless --dhcp-ignore-names is set.
1338 --dhcp-broadcast[=tag:<tag>[,tag:<tag>]]
1340 (IPv4 only) When all the given tags appear in the tag set,
1341 always use broadcast to communicate with the host when it is
1342 unconfigured. It is permissible to supply no tags, in which case
1343 this is unconditional. Most DHCP clients which need broadcast
1344 replies set a flag in their requests so that this happens auto‐
1345 matically, some old BOOTP clients do not.
1346 -M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server
1348 address>|<tftp_servername>]]
1349 (IPv4 only) Set BOOTP options to be returned by the DHCP server.
1350 Server name and address are optional: if not provided, the name
1351 is left empty, and the address set to the address of the machine
1352 running dnsmasq. If dnsmasq is providing a TFTP service (see
1353 --enable-tftp ) then only the filename is required here to
1354 enable network booting. If the optional tag(s) are given, they
1355 must match for this configuration to be sent. Instead of an IP
1356 address, the TFTP server address can be given as a domain name
1357 which is looked up in /etc/hosts. This name can be associated in
1358 /etc/hosts with multiple IP addresses, which are used round-
1359 robin. This facility can be used to load balance the tftp load
1360 among a set of servers.
1361 --dhcp-sequential-ip
1363 Dnsmasq is designed to choose IP addresses for DHCP clients
1364 using a hash of the client's MAC address. This normally allows a
1365 client's address to remain stable long-term, even if the client
1366 sometimes allows its DHCP lease to expire. In this default mode
1367 IP addresses are distributed pseudo-randomly over the entire
1368 available address range. There are sometimes circumstances (typ‐
1369 ically server deployment) where it is more convenient to have IP
1370 addresses allocated sequentially, starting from the lowest
1371 available address, and setting this flag enables this mode. Note
1372 that in the sequential mode, clients which allow a lease to
1373 expire are much more likely to move IP address; for this reason
1374 it should not be generally used.
1375 --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservice‐
1377 type>][,<server address>|<server_name>]
1378 Most uses of PXE boot-ROMS simply allow the PXE system to obtain
1379 an IP address and then download the file specified by dhcp-boot
1380 and execute it. However the PXE system is capable of more com‐
1381 plex functions when supported by a suitable DHCP server.
1382 This specifies a boot option which may appear in a PXE boot
1384 menu. <CSA> is client system type, only services of the correct
1385 type will appear in a menu. The known types are x86PC, PC98,
1386 IA64_EFI, Alpha, Arc_x86, Intel_Lean_Client, IA32_EFI,
1387 X86-64_EFI, Xscale_EFI, BC_EFI, ARM32_EFI and ARM64_EFI; an
1388 integer may be used for other types. The parameter after the
1389 menu text may be a file name, in which case dnsmasq acts as a
1390 boot server and directs the PXE client to download the file by
1391 TFTP, either from itself ( enable-tftp must be set for this to
1392 work) or another TFTP server if the final server address/name is
1393 given. Note that the "layer" suffix (normally ".0") is supplied
1394 by PXE, and need not be added to the basename. Alternatively,
1395 the basename may be a filename, complete with suffix, in which
1396 case no layer suffix is added. If an integer boot service type,
1397 rather than a basename is given, then the PXE client will search
1398 for a suitable boot service for that type on the network. This
1399 search may be done by broadcast, or direct to a server if its IP
1400 address/name is provided. If no boot service type or filename
1401 is provided (or a boot service type of 0 is specified) then the
1402 menu entry will abort the net boot procedure and continue boot‐
1403 ing from local media. The server address can be given as a
1404 domain name which is looked up in /etc/hosts. This name can be
1405 associated in /etc/hosts with multiple IP addresses, which are
1406 used round-robin.
1407 --pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]
1409 Setting this provides a prompt to be displayed after PXE boot.
1410 If the timeout is given then after the timeout has elapsed with
1411 no keyboard input, the first available menu option will be auto‐
1412 matically executed. If the timeout is zero then the first avail‐
1413 able menu item will be executed immediately. If pxe-prompt is
1414 omitted the system will wait for user input if there are multi‐
1415 ple items in the menu, but boot immediately if there is only
1416 one. See pxe-service for details of menu items.
1417 Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP
1419 server on the network is responsible for allocating IP
1420 addresses, and dnsmasq simply provides the information given in
1421 pxe-prompt and pxe-service to allow netbooting. This mode is
1422 enabled using the proxy keyword in dhcp-range.
1423 -X, --dhcp-lease-max=<number>
1425 Limits dnsmasq to the specified maximum number of DHCP leases.
1426 The default is 1000. This limit is to prevent DoS attacks from
1427 hosts which create thousands of leases and use lots of memory in
1428 the dnsmasq process.
1429 -K, --dhcp-authoritative
1431 Should be set when dnsmasq is definitely the only DHCP server on
1432 a network. For DHCPv4, it changes the behaviour from strict RFC
1433 compliance so that DHCP requests on unknown leases from unknown
1434 hosts are not ignored. This allows new hosts to get a lease
1435 without a tedious timeout under all circumstances. It also
1436 allows dnsmasq to rebuild its lease database without each client
1437 needing to reacquire a lease, if the database is lost. For
1438 DHCPv6 it sets the priority in replies to 255 (the maximum)
1439 instead of 0 (the minimum).
1440 --dhcp-alternate-port[=<server port>[,<client port>]]
1442 (IPv4 only) Change the ports used for DHCP from the default. If
1443 this option is given alone, without arguments, it changes the
1444 ports used for DHCP from 67 and 68 to 1067 and 1068. If a single
1445 argument is given, that port number is used for the server and
1446 the port number plus one used for the client. Finally, two port
1447 numbers allows arbitrary specification of both server and client
1448 ports for DHCP.
1449 -3, --bootp-dynamic[=<network-id>[,<network-id>]]
1451 (IPv4 only) Enable dynamic allocation of IP addresses to BOOTP
1452 clients. Use this with care, since each address allocated to a
1453 BOOTP client is leased forever, and therefore becomes perma‐
1454 nently unavailable for re-use by other hosts. if this is given
1455 without tags, then it unconditionally enables dynamic alloca‐
1456 tion. With tags, only when the tags are all set. It may be
1457 repeated with different tag sets.
1458 -5, --no-ping
1460 (IPv4 only) By default, the DHCP server will attempt to ensure
1461 that an address is not in use before allocating it to a host. It
1462 does this by sending an ICMP echo request (aka "ping") to the
1463 address in question. If it gets a reply, then the address must
1464 already be in use, and another is tried. This flag disables this
1465 check. Use with caution.
1466 --log-dhcp
1468 Extra logging for DHCP: log all the options sent to DHCP clients
1469 and the tags used to determine them.
1470 --quiet-dhcp, --quiet-dhcp6, --quiet-ra
1472 Suppress logging of the routine operation of these protocols.
1473 Errors and problems will still be logged. --quiet-dhcp and
1474 quiet-dhcp6 are over-ridden by --log-dhcp.
1475 -l, --dhcp-leasefile=<path>
1477 Use the specified file to store DHCP lease information.
1478 --dhcp-duid=<enterprise-id>,<uid>
1480 (IPv6 only) Specify the server persistent UID which the DHCPv6
1481 server will use. This option is not normally required as dnsmasq
1482 creates a DUID automatically when it is first needed. When
1483 given, this option provides dnsmasq the data required to create
1484 a DUID-EN type DUID. Note that once set, the DUID is stored in
1485 the lease database, so to change between DUID-EN and automati‐
1486 cally created DUIDs or vice-versa, the lease database must be
1487 re-intialised. The enterprise-id is assigned by IANA, and the
1488 uid is a string of hex octets unique to a particular device.
1489 -6 --dhcp-script=<path>
1491 Whenever a new DHCP lease is created, or an old one destroyed,
1492 or a TFTP file transfer completes, the executable specified by
1493 this option is run. <path> must be an absolute pathname, no
1494 PATH search occurs. The arguments to the process are "add",
1495 "old" or "del", the MAC address of the host (or DUID for IPv6) ,
1496 the IP address, and the hostname, if known. "add" means a lease
1497 has been created, "del" means it has been destroyed, "old" is a
1498 notification of an existing lease when dnsmasq starts or a
1499 change to MAC address or hostname of an existing lease (also,
1500 lease length or expiry and client-id, if leasefile-ro is set).
1501 If the MAC address is from a network type other than ethernet,
1502 it will have the network type prepended, eg
1503 "06-01:23:45:67:89:ab" for token ring. The process is run as
1504 root (assuming that dnsmasq was originally run as root) even if
1505 dnsmasq is configured to change UID to an unprivileged user.
1506 The environment is inherited from the invoker of dnsmasq, with
1508 some or all of the following variables added
1509 For both IPv4 and IPv6:
1511 DNSMASQ_DOMAIN if the fully-qualified domain name of the host is
1513 known, this is set to the domain part. (Note that the hostname
1514 passed to the script as an argument is never fully-qualified.)
1515 If the client provides a hostname, DNSMASQ_SUPPLIED_HOSTNAME
1517 If the client provides user-classes, DNSMASQ_USER_CLASS0..DNS‐
1519 MASQ_USER_CLASSn
1520 If dnsmasq was compiled with HAVE_BROKEN_RTC, then the length of
1522 the lease (in seconds) is stored in DNSMASQ_LEASE_LENGTH, other‐
1523 wise the time of lease expiry is stored in DNS‐
1524 MASQ_LEASE_EXPIRES. The number of seconds until lease expiry is
1525 always stored in DNSMASQ_TIME_REMAINING.
1526 If a lease used to have a hostname, which is removed, an "old"
1528 event is generated with the new state of the lease, ie no name,
1529 and the former name is provided in the environment variable DNS‐
1530 MASQ_OLD_HOSTNAME.
1531 DNSMASQ_INTERFACE stores the name of the interface on which the
1533 request arrived; this is not set for "old" actions when dnsmasq
1534 restarts.
1535 DNSMASQ_RELAY_ADDRESS is set if the client used a DHCP relay to
1537 contact dnsmasq and the IP address of the relay is known.
1538 DNSMASQ_TAGS contains all the tags set during the DHCP transac‐
1540 tion, separated by spaces.
1541 DNSMASQ_LOG_DHCP is set if --log-dhcp is in effect.
1543 For IPv4 only:
1545 DNSMASQ_CLIENT_ID if the host provided a client-id.
1547 DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID, DNSMASQ_REMOTE_ID if
1549 a DHCP relay-agent added any of these options.
1550 If the client provides vendor-class, DNSMASQ_VENDOR_CLASS.
1552 For IPv6 only:
1554 If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID,
1556 containing the IANA enterprise id for the class, and DNS‐
1557 MASQ_VENDOR_CLASS0..DNSMASQ_VENDOR_CLASSn for the data.
1558 DNSMASQ_SERVER_DUID containing the DUID of the server: this is
1560 the same for every call to the script.
1561 DNSMASQ_IAID containing the IAID for the lease. If the lease is
1563 a temporary allocation, this is prefixed to 'T'.
1564 DNSMASQ_MAC containing the MAC address of the client, if known.
1566 Note that the supplied hostname, vendorclass and userclass data
1568 is only supplied for "add" actions or "old" actions when a host
1569 resumes an existing lease, since these data are not held in dns‐
1570 masq's lease database.
1571 All file descriptors are closed except stdin, which is open to
1575 /dev/null, and stdout and stderr which capture output for log‐
1576 ging by dnsmasq. (In debug mode, stdio, stdout and stderr file
1577 are left as those inherited from the invoker of dnsmasq).
1578 The script is not invoked concurrently: at most one instance of
1580 the script is ever running (dnsmasq waits for an instance of
1581 script to exit before running the next). Changes to the lease
1582 database are which require the script to be invoked are queued
1583 awaiting exit of a running instance. If this queueing allows
1584 multiple state changes occur to a single lease before the script
1585 can be run then earlier states are discarded and the current
1586 state of that lease is reflected when the script finally runs.
1587 At dnsmasq startup, the script will be invoked for all existing
1589 leases as they are read from the lease file. Expired leases will
1590 be called with "del" and others with "old". When dnsmasq
1591 receives a HUP signal, the script will be invoked for existing
1592 leases with an "old" event.
1593 There are four further actions which may appear as the first
1596 argument to the script, "init", "arp-add", "arp-del" and "tftp".
1597 More may be added in the future, so scripts should be written to
1598 ignore unknown actions. "init" is described below in --lease‐
1599 file-ro The "tftp" action is invoked when a TFTP file transfer
1600 completes: the arguments are the file size in bytes, the address
1601 to which the file was sent, and the complete pathname of the
1602 file.
1603 The "arp-add" and "arp-del" actions are only called if enabled
1605 with --script-arp They are are supplied with a MAC address and
1606 IP address as arguments. "arp-add" indicates the arrival of a
1607 new entry in the ARP or neighbour table, and "arp-del" indicates
1608 the deletion of same.
1609 --dhcp-luascript=<path>
1612 Specify a script written in Lua, to be run when leases are cre‐
1613 ated, destroyed or changed. To use this option, dnsmasq must be
1614 compiled with the correct support. The Lua interpreter is
1615 intialised once, when dnsmasq starts, so that global variables
1616 persist between lease events. The Lua code must define a lease
1617 function, and may provide init and shutdown functions, which are
1618 called, without arguments when dnsmasq starts up and terminates.
1619 It may also provide a tftp function.
1620 The lease function receives the information detailed in --dhcp-
1622 script. It gets two arguments, firstly the action, which is a
1623 string containing, "add", "old" or "del", and secondly a table
1624 of tag value pairs. The tags mostly correspond to the environ‐
1625 ment variables detailed above, for instance the tag "domain"
1626 holds the same data as the environment variable DNSMASQ_DOMAIN.
1627 There are a few extra tags which hold the data supplied as argu‐
1628 ments to --dhcp-script. These are mac_address, ip_address and
1629 hostname for IPv4, and client_duid, ip_address and hostname for
1630 IPv6.
1631 The tftp function is called in the same way as the lease func‐
1633 tion, and the table holds the tags destination_address,
1634 file_name and file_size.
1635 The arp and arp-old functions are called only when enabled with
1637 --script-arp and have a table which holds the tags mac_addres
1638 and client_address.
1639 --dhcp-scriptuser
1641 Specify the user as which to run the lease-change script or Lua
1642 script. This defaults to root, but can be changed to another
1643 user using this flag.
1644 --script-arp
1646 Enable the "arp" and "arp-old" functions in the dhcp-script and
1647 dhcp-luascript.
1648 -9, --leasefile-ro
1650 Completely suppress use of the lease database file. The file
1651 will not be created, read, or written. Change the way the lease-
1652 change script (if one is provided) is called, so that the lease
1653 database may be maintained in external storage by the script. In
1654 addition to the invocations given in --dhcp-script the lease-
1655 change script is called once, at dnsmasq startup, with the sin‐
1656 gle argument "init". When called like this the script should
1657 write the saved state of the lease database, in dnsmasq lease‐
1658 file format, to stdout and exit with zero exit code. Setting
1659 this option also forces the leasechange script to be called on
1660 changes to the client-id and lease length and expiry time.
1661 --bridge-interface=<interface>,<alias>[,<alias>]
1663 Treat DHCP (v4 and v6) request and IPv6 Router Solicit packets
1664 arriving at any of the <alias> interfaces as if they had arrived
1665 at <interface>. This option allows dnsmasq to provide DHCP and
1666 RA service over unaddressed and unbridged Ethernet interfaces,
1667 e.g. on an OpenStack compute host where each such interface is a
1668 TAP interface to a VM, or as in "old style bridging" on BSD
1669 platforms. A trailing '*' wildcard can be used in each <alias>.
1670 -s, --domain=<domain>[,<address range>[,local]]
1672 Specifies DNS domains for the DHCP server. Domains may be be
1673 given unconditionally (without the IP range) or for limited IP
1674 ranges. This has two effects; firstly it causes the DHCP server
1675 to return the domain to any hosts which request it, and secondly
1676 it sets the domain which it is legal for DHCP-configured hosts
1677 to claim. The intention is to constrain hostnames so that an
1678 untrusted host on the LAN cannot advertise its name via dhcp as
1679 e.g. "microsoft.com" and capture traffic not meant for it. If no
1680 domain suffix is specified, then any DHCP hostname with a domain
1681 part (ie with a period) will be disallowed and logged. If suffix
1682 is specified, then hostnames with a domain part are allowed,
1683 provided the domain part matches the suffix. In addition, when a
1684 suffix is set then hostnames without a domain part have the suf‐
1685 fix added as an optional domain part. Eg on my network I can set
1686 --domain=thekelleys.org.uk and have a machine whose DHCP host‐
1687 name is "laptop". The IP address for that machine is available
1688 from dnsmasq both as "laptop" and "laptop.thekelleys.org.uk". If
1689 the domain is given as "#" then the domain is read from the
1690 first "search" directive in /etc/resolv.conf (or equivalent).
1691 The address range can be of the form <ip address>,<ip address>
1693 or <ip address>/<netmask> or just a single <ip address>. See
1694 --dhcp-fqdn which can change the behaviour of dnsmasq with
1695 domains.
1696 If the address range is given as ip-address/network-size, then a
1698 additional flag "local" may be supplied which has the effect of
1699 adding --local declarations for forward and reverse DNS queries.
1700 Eg. --domain=thekelleys.org.uk,192.168.0.0/24,local is identi‐
1701 cal to --domain=thekelleys.org.uk,192.168.0.0/24
1702 --local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/ The
1703 network size must be 8, 16 or 24 for this to be legal.
1704 --dhcp-fqdn
1706 In the default mode, dnsmasq inserts the unqualified names of
1707 DHCP clients into the DNS. For this reason, the names must be
1708 unique, even if two clients which have the same name are in dif‐
1709 ferent domains. If a second DHCP client appears which has the
1710 same name as an existing client, the name is transferred to the
1711 new client. If --dhcp-fqdn is set, this behaviour changes: the
1712 unqualified name is no longer put in the DNS, only the qualified
1713 name. Two DHCP clients with the same name may both keep the
1714 name, provided that the domain part is different (ie the fully
1715 qualified names differ.) To ensure that all names have a domain
1716 part, there must be at least --domain without an address speci‐
1717 fied when --dhcp-fqdn is set.
1718 --dhcp-client-update
1720 Normally, when giving a DHCP lease, dnsmasq sets flags in the
1721 FQDN option to tell the client not to attempt a DDNS update with
1722 its name and IP address. This is because the name-IP pair is
1723 automatically added into dnsmasq's DNS view. This flag sup‐
1724 presses that behaviour, this is useful, for instance, to allow
1725 Windows clients to update Active Directory servers. See RFC 4702
1726 for details.
1727 --enable-ra
1729 Enable dnsmasq's IPv6 Router Advertisement feature. DHCPv6
1730 doesn't handle complete network configuration in the same way as
1731 DHCPv4. Router discovery and (possibly) prefix discovery for au‐
1732 tonomous address creation are handled by a different protocol.
1733 When DHCP is in use, only a subset of this is needed, and dns‐
1734 masq can handle it, using existing DHCP configuration to provide
1735 most data. When RA is enabled, dnsmasq will advertise a prefix
1736 for each dhcp-range, with default router as the relevant link-
1737 local address on the machine running dnsmasq. By default, the
1738 "managed address" bits are set, and the "use SLAAC" bit is
1739 reset. This can be changed for individual subnets with the mode
1740 keywords described in --dhcp-range. RFC6106 DNS parameters are
1741 included in the advertisements. By default, the relevant link-
1742 local address of the machine running dnsmasq is sent as recur‐
1743 sive DNS server. If provided, the DHCPv6 options dns-server and
1744 domain-search are used for the DNS server (RDNSS) and the domain
1745 serach list (DNSSL).
1746 --ra-param=<interface>,[high|low],[[<ra-interval>],<router lifetime>]
1748 Set non-default values for router advertisements sent via an
1749 interface. The priority field for the router may be altered from
1750 the default of medium with eg --ra-param=eth0,high. The inter‐
1751 val between router advertisements may be set (in seconds) with
1752 --ra-param=eth0,60. The lifetime of the route may be changed or
1753 set to zero, which allows a router to advertise prefixes but not
1754 a route via itself. --ra-parm=eth0,0,0 (A value of zero for the
1755 interval means the default value.) All three parameters may be
1756 set at once. --ra-param=low,60,1200 The interface field may
1757 include a wildcard.
1758 --enable-tftp[=<interface>[,<interface>]]
1760 Enable the TFTP server function. This is deliberately limited to
1761 that needed to net-boot a client. Only reading is allowed; the
1762 tsize and blksize extensions are supported (tsize is only sup‐
1763 ported in octet mode). Without an argument, the TFTP service is
1764 provided to the same set of interfaces as DHCP service. If the
1765 list of interfaces is provided, that defines which interfaces
1766 recieve TFTP service.
1767 --tftp-root=<directory>[,<interface>]
1769 Look for files to transfer using TFTP relative to the given
1770 directory. When this is set, TFTP paths which include ".." are
1771 rejected, to stop clients getting outside the specified root.
1772 Absolute paths (starting with /) are allowed, but they must be
1773 within the tftp-root. If the optional interface argument is
1774 given, the directory is only used for TFTP requests via that
1775 interface.
1776 --tftp-no-fail
1778 Do not abort startup if specified tftp root directories are
1779 inaccessible.
1780 --tftp-unique-root
1782 Add the IP address of the TFTP client as a path component on the
1783 end of the TFTP-root (in standard dotted-quad format). Only
1784 valid if a tftp-root is set and the directory exists. For
1785 instance, if tftp-root is "/tftp" and client 1.2.3.4 requests
1786 file "myfile" then the effective path will be
1787 "/tftp/1.2.3.4/myfile" if /tftp/1.2.3.4 exists or /tftp/myfile
1788 otherwise.
1789 --tftp-secure
1791 Enable TFTP secure mode: without this, any file which is read‐
1792 able by the dnsmasq process under normal unix access-control
1793 rules is available via TFTP. When the --tftp-secure flag is
1794 given, only files owned by the user running the dnsmasq process
1795 are accessible. If dnsmasq is being run as root, different rules
1796 apply: --tftp-secure has no effect, but only files which have
1797 the world-readable bit set are accessible. It is not recommended
1798 to run dnsmasq as root with TFTP enabled, and certainly not
1799 without specifying --tftp-root. Doing so can expose any world-
1800 readable file on the server to any host on the net.
1801 --tftp-lowercase
1803 Convert filenames in TFTP requests to all lowercase. This is
1804 useful for requests from Windows machines, which have case-
1805 insensitive filesystems and tend to play fast-and-loose with
1806 case in filenames. Note that dnsmasq's tftp server always con‐
1807 verts "\" to "/" in filenames.
1808 --tftp-max=<connections>
1810 Set the maximum number of concurrent TFTP connections allowed.
1811 This defaults to 50. When serving a large number of TFTP connec‐
1812 tions, per-process file descriptor limits may be encountered.
1813 Dnsmasq needs one file descriptor for each concurrent TFTP con‐
1814 nection and one file descriptor per unique file (plus a few oth‐
1815 ers). So serving the same file simultaneously to n clients will
1816 use require about n + 10 file descriptors, serving different
1817 files simultaneously to n clients will require about (2*n) + 10
1818 descriptors. If --tftp-port-range is given, that can affect the
1819 number of concurrent connections.
1820 --tftp-mtu=<mtu size>
1822 Use size as the ceiling of the MTU supported by the intervening
1823 network when negotiating TFTP blocksize, overriding the MTU set‐
1824 ting of the local interface if it is larger.
1825 --tftp-no-blocksize
1827 Stop the TFTP server from negotiating the "blocksize" option
1828 with a client. Some buggy clients request this option but then
1829 behave badly when it is granted.
1830 --tftp-port-range=<start>,<end>
1832 A TFTP server listens on a well-known port (69) for connection
1833 initiation, but it also uses a dynamically-allocated port for
1834 each connection. Normally these are allocated by the OS, but
1835 this option specifies a range of ports for use by TFTP trans‐
1836 fers. This can be useful when TFTP has to traverse a firewall.
1837 The start of the range cannot be lower than 1025 unless dnsmasq
1838 is running as root. The number of concurrent TFTP connections is
1839 limited by the size of the port range.
1840 -C, --conf-file=<file>
1842 Specify a different configuration file. The conf-file option is
1843 also allowed in configuration files, to include multiple config‐
1844 uration files. A filename of "-" causes dnsmasq to read configu‐
1845 ration from stdin.
1846 -7, --conf-dir=<directory>[,<file-extension>......],
1848 Read all the files in the given directory as configuration
1849 files. If extension(s) are given, any files which end in those
1850 extensions are skipped. Any files whose names end in ~ or start
1851 with . or start and end with # are always skipped. If the exten‐
1852 sion starts with * then only files which have that extension are
1853 loaded. So --conf-dir=/path/to/dir,*.conf loads all files with
1854 the suffix .conf in /path/to/dir. This flag may be given on the
1855 command line or in a configuration file. If giving it on the
1856 command line, be sure to escape * characters.
1857 --servers-file=<file>
1859 A special case of --conf-file which differs in two respects.
1860 Firstly, only --server and --rev-server are allowed in the con‐
1861 figuration file included. Secondly, the file is re-read and the
1862 configuration therein is updated when dnsmasq recieves SIGHUP.
1863
1865 At startup, dnsmasq reads /etc/dnsmasq.conf, if it exists. (On FreeBSD,
1866 the file is /usr/local/etc/dnsmasq.conf ) (but see the -C and -7
1867 options.) The format of this file consists of one option per line,
1868 exactly as the long options detailed in the OPTIONS section but without
1869 the leading "--". Lines starting with # are comments and ignored. For
1870 options which may only be specified once, the configuration file over‐
1871 rides the command line. Quoting is allowed in a config file: between "
1872 quotes the special meanings of ,:. and # are removed and the following
1873 escapes are allowed: \\ \" \t \e \b \r and \n. The later corresponding
1874 to tab, escape, backspace, return and newline.
1875
1877 When it receives a SIGHUP, dnsmasq clears its cache and then re-loads
1878 /etc/hosts and /etc/ethers and any file given by --dhcp-hostsfile,
1879 --dhcp-hostsdir, --dhcp-optsfile, --dhcp-optsdir, --addn-hosts or
1880 --hostsdir. The dhcp lease change script is called for all existing
1881 DHCP leases. If --no-poll is set SIGHUP also re-reads /etc/resolv.conf.
1882 SIGHUP does NOT re-read the configuration file.
1883 When it receives a SIGUSR1, dnsmasq writes statistics to the system
1885 log. It writes the cache size, the number of names which have had to
1886 removed from the cache before they expired in order to make room for
1887 new names and the total number of names that have been inserted into
1888 the cache. The number of cache hits and misses and the number of
1889 authoritative queries answered are also given. For each upstream server
1890 it gives the number of queries sent, and the number which resulted in
1891 an error. In --no-daemon mode or when full logging is enabled (-q), a
1892 complete dump of the contents of the cache is made.
1893 The cache statistics are also available in the DNS as answers to
1895 queries of class CHAOS and type TXT in domain bind. The domain names
1896 are cachesize.bind, insertions.bind, evictions.bind, misses.bind,
1897 hits.bind, auth.bind and servers.bind. An example command to query
1898 this, using the dig utility would be
1899 dig +short chaos txt cachesize.bind
1901 When it receives SIGUSR2 and it is logging direct to a file (see --log-
1904 facility ) dnsmasq will close and reopen the log file. Note that during
1905 this operation, dnsmasq will not be running as root. When it first cre‐
1906 ates the logfile dnsmasq changes the ownership of the file to the non-
1907 root user it will run as. Logrotate should be configured to create a
1908 new log file with the ownership which matches the existing one before
1909 sending SIGUSR2. If TCP DNS queries are in progress, the old logfile
1910 will remain open in child processes which are handling TCP queries and
1911 may continue to be written. There is a limit of 150 seconds, after
1912 which all existing TCP processes will have expired: for this reason, it
1913 is not wise to configure logfile compression for logfiles which have
1914 just been rotated. Using logrotate, the required options are create and
1915 delaycompress.
1916 Dnsmasq is a DNS query forwarder: it it not capable of recursively
1920 answering arbitrary queries starting from the root servers but forwards
1921 such queries to a fully recursive upstream DNS server which is typi‐
1922 cally provided by an ISP. By default, dnsmasq reads /etc/resolv.conf to
1923 discover the IP addresses of the upstream nameservers it should use,
1924 since the information is typically stored there. Unless --no-poll is
1925 used, dnsmasq checks the modification time of /etc/resolv.conf (or
1926 equivalent if --resolv-file is used) and re-reads it if it changes.
1927 This allows the DNS servers to be set dynamically by PPP or DHCP since
1928 both protocols provide the information. Absence of /etc/resolv.conf is
1929 not an error since it may not have been created before a PPP connection
1930 exists. Dnsmasq simply keeps checking in case /etc/resolv.conf is cre‐
1931 ated at any time. Dnsmasq can be told to parse more than one
1932 resolv.conf file. This is useful on a laptop, where both PPP and DHCP
1933 may be used: dnsmasq can be set to poll both /etc/ppp/resolv.conf and
1934 /etc/dhcpc/resolv.conf and will use the contents of whichever changed
1935 last, giving automatic switching between DNS servers.
1936 Upstream servers may also be specified on the command line or in the
1938 configuration file. These server specifications optionally take a
1939 domain name which tells dnsmasq to use that server only to find names
1940 in that particular domain.
1941 In order to configure dnsmasq to act as cache for the host on which it
1943 is running, put "nameserver 127.0.0.1" in /etc/resolv.conf to force
1944 local processes to send queries to dnsmasq. Then either specify the
1945 upstream servers directly to dnsmasq using --server options or put
1946 their addresses real in another file, say /etc/resolv.dnsmasq and run
1947 dnsmasq with the -r /etc/resolv.dnsmasq option. This second technique
1948 allows for dynamic update of the server addresses by PPP or DHCP.
1949 Addresses in /etc/hosts will "shadow" different addresses for the same
1951 names in the upstream DNS, so "mycompany.com 1.2.3.4" in /etc/hosts
1952 will ensure that queries for "mycompany.com" always return 1.2.3.4 even
1953 if queries in the upstream DNS would otherwise return a different
1954 address. There is one exception to this: if the upstream DNS contains a
1955 CNAME which points to a shadowed name, then looking up the CNAME
1956 through dnsmasq will result in the unshadowed address associated with
1957 the target of the CNAME. To work around this, add the CNAME to
1958 /etc/hosts so that the CNAME is shadowed too.
1959 The tag system works as follows: For each DHCP request, dnsmasq col‐
1962 lects a set of valid tags from active configuration lines which include
1963 set:<tag>, including one from the dhcp-range used to allocate the
1964 address, one from any matching dhcp-host (and "known" if a dhcp-host
1965 matches) The tag "bootp" is set for BOOTP requests, and a tag whose
1966 name is the name of the interface on which the request arrived is also
1967 set.
1968 Any configuration lines which include one or more tag:<tag> constructs
1970 will only be valid if all that tags are matched in the set derived
1971 above. Typically this is dhcp-option. dhcp-option which has tags will
1972 be used in preference to an untagged dhcp-option, provided that _all_
1973 the tags match somewhere in the set collected as described above. The
1974 prefix '!' on a tag means 'not' so --dhcp-option=tag:!purple,3,1.2.3.4
1975 sends the option when the tag purple is not in the set of valid tags.
1976 (If using this in a command line rather than a configuration file, be
1977 sure to escape !, which is a shell metacharacter)
1978 When selecting dhcp-options, a tag from dhcp-range is second class rel‐
1980 ative to other tags, to make it easy to override options for individual
1981 hosts, so dhcp-range=set:interface1,...... dhcp-host=set:myhost,.....
1982 dhcp-option=tag:interface1,option:nis-domain,"domain1" dhcp-
1983 option=tag:myhost,option:nis-domain,"domain2" will set the NIS-domain
1984 to domain1 for hosts in the range, but override that to domain2 for a
1985 particular host.
1986 Note that for dhcp-range both tag:<tag> and set:<tag> are allowed, to
1989 both select the range in use based on (eg) dhcp-host, and to affect the
1990 options sent, based on the range selected.
1991 This system evolved from an earlier, more limited one and for backward
1993 compatibility "net:" may be used instead of "tag:" and "set:" may be
1994 omitted. (Except in dhcp-host, where "net:" may be used instead of
1995 "set:".) For the same reason, '#' may be used instead of '!' to indi‐
1996 cate NOT.
1997 The DHCP server in dnsmasq will function as a BOOTP server also, pro‐
1999 vided that the MAC address and IP address for clients are given, either
2000 using dhcp-host configurations or in /etc/ethers , and a dhcp-range
2001 configuration option is present to activate the DHCP server on a par‐
2002 ticular network. (Setting --bootp-dynamic removes the need for static
2003 address mappings.) The filename parameter in a BOOTP request is used as
2004 a tag, as is the tag "bootp", allowing some control over the options
2005 returned to different classes of hosts.
2006
2009 Configuring dnsmasq to act as an authoritative DNS server is compli‐
2010 cated by the fact that it involves configuration of external DNS
2011 servers to provide delegation. We will walk through three scenarios of
2012 increasing complexity. Prerequisites for all of these scenarios are a
2013 globally accessible IP address, an A or AAAA record pointing to that
2014 address, and an external DNS server capable of doing delegation of the
2015 zone in question. For the first part of this explanation, we will call
2016 the A (or AAAA) record for the globally accessible address server.exam‐
2017 ple.com, and the zone for which dnsmasq is authoritative our.zone.com.
2018 The simplest configuration consists of two lines of dnsmasq configura‐
2020 tion; something like
2021 auth-server=server.example.com,eth0
2023 auth-zone=our.zone.com,1.2.3.0/24
2024 and two records in the external DNS
2026 server.example.com A 192.0.43.10
2028 our.zone.com NS server.example.com
2029 eth0 is the external network interface on which dnsmasq is listening,
2031 and has (globally accessible) address 192.0.43.10.
2032 Note that the external IP address may well be dynamic (ie assigned from
2034 an ISP by DHCP or PPP) If so, the A record must be linked to this
2035 dynamic assignment by one of the usual dynamic-DNS systems.
2036 A more complex, but practically useful configuration has the address
2038 record for the globally accessible IP address residing in the authori‐
2039 tative zone which dnsmasq is serving, typically at the root. Now we
2040 have
2041 auth-server=our.zone.com,eth0
2043 auth-zone=our.zone.com,1.2.3.0/24
2044 our.zone.com A 1.2.3.4
2046 our.zone.com NS our.zone.com
2047 The A record for our.zone.com has now become a glue record, it solves
2049 the chicken-and-egg problem of finding the IP address of the nameserver
2050 for our.zone.com when the A record is within that zone. Note that this
2051 is the only role of this record: as dnsmasq is now authoritative from
2052 our.zone.com it too must provide this record. If the external address
2053 is static, this can be done with an /etc/hosts entry or --host-record.
2054 auth-server=our.zone.com,eth0
2056 host-record=our.zone.com,1.2.3.4
2057 auth-zone=our.zone.com,1.2.3.0/24
2058 If the external address is dynamic, the address associated with
2060 our.zone.com must be derived from the address of the relevant inter‐
2061 face. This is done using interface-name Something like:
2062 auth-server=our.zone.com,eth0
2064 interface-name=our.zone.com,eth0
2065 auth-zone=our.zone.com,1.2.3.0/24,eth0
2066 (The "eth0" argument in auth-zone adds the subnet containing eth0's
2068 dynamic address to the zone, so that the interface-name returns the
2069 address in outside queries.)
2070 Our final configuration builds on that above, but also adds a secondary
2072 DNS server. This is another DNS server which learns the DNS data for
2073 the zone by doing zones transfer, and acts as a backup should the pri‐
2074 mary server become inaccessible. The configuration of the secondary is
2075 beyond the scope of this man-page, but the extra configuration of dns‐
2076 masq is simple:
2077 auth-sec-servers=secondary.myisp.com
2079 and
2081 our.zone.com NS secondary.myisp.com
2083 Adding auth-sec-servers enables zone transfer in dnsmasq, to allow the
2085 secondary to collect the DNS data. If you wish to restrict this data to
2086 particular hosts then
2087 auth-peer=<IP address of secondary>
2089 will do so.
2091 Dnsmasq acts as an authoritative server for in-addr.arpa and ip6.arpa
2093 domains associated with the subnets given in auth-zone declarations, so
2094 reverse (address to name) lookups can be simply configured with a suit‐
2095 able NS record, for instance in this example, where we allow 1.2.3.0/24
2096 addresses.
2097 3.2.1.in-addr.arpa NS our.zone.com
2099 Note that at present, reverse (in-addr.arpa and ip6.arpa) zones are not
2101 available in zone transfers, so there is no point arranging secondary
2102 servers for reverse lookups.
2103 When dnsmasq is configured to act as an authoritative server, the fol‐
2106 lowing data is used to populate the authoritative zone.
2107 --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record , as long
2109 as the record names are in the authoritative domain.
2110 --cname as long as the record name is in the authoritative domain. If
2112 the target of the CNAME is unqualified, then it is qualified with the
2113 authoritative zone name.
2114 IPv4 and IPv6 addresses from /etc/hosts (and --addn-hosts ) and --host-
2116 record and --interface-name provided the address falls into one of the
2117 subnets specified in the --auth-zone.
2118 Addresses of DHCP leases, provided the address falls into one of the
2120 subnets specified in the --auth-zone. (If contructed DHCP ranges are
2121 is use, which depend on the address dynamically assigned to an inter‐
2122 face, then the form of --auth-zone which defines subnets by the dynamic
2123 address of an interface should be used to ensure this condition is
2124 met.)
2125 In the default mode, where a DHCP lease has an unqualified name, and
2127 possibly a qualified name constructed using --domain then the name in
2128 the authoritative zone is constructed from the unqualified name and the
2129 zone's domain. This may or may not equal that specified by --domain.
2130 If --dhcp-fqdn is set, then the fully qualified names associated with
2131 DHCP leases are used, and must match the zone's domain.
2132
2137 0 - Dnsmasq successfully forked into the background, or terminated nor‐
2138 mally if backgrounding is not enabled.
2139 1 - A problem with configuration was detected.
2141 2 - A problem with network access occurred (address in use, attempt to
2143 use privileged ports without permission).
2144 3 - A problem occurred with a filesystem operation (missing file/direc‐
2146 tory, permissions).
2147 4 - Memory allocation failure.
2149 5 - Other miscellaneous problem.
2151 11 or greater - a non zero return code was received from the lease-
2153 script process "init" call. The exit code from dnsmasq is the script's
2154 exit code with 10 added.
2155
2158 The default values for resource limits in dnsmasq are generally conser‐
2159 vative, and appropriate for embedded router type devices with slow pro‐
2160 cessors and limited memory. On more capable hardware, it is possible to
2161 increase the limits, and handle many more clients. The following
2162 applies to dnsmasq-2.37: earlier versions did not scale as well.
2163 Dnsmasq is capable of handling DNS and DHCP for at least a thousand
2166 clients. The DHCP lease times should not be very short (less than one
2167 hour). The value of --dns-forward-max can be increased: start with it
2168 equal to the number of clients and increase if DNS seems slow. Note
2169 that DNS performance depends too on the performance of the upstream
2170 nameservers. The size of the DNS cache may be increased: the hard limit
2171 is 10000 names and the default (150) is very low. Sending SIGUSR1 to
2172 dnsmasq makes it log information which is useful for tuning the cache
2173 size. See the NOTES section for details.
2174 The built-in TFTP server is capable of many simultaneous file trans‐
2177 fers: the absolute limit is related to the number of file-handles
2178 allowed to a process and the ability of the select() system call to
2179 cope with large numbers of file handles. If the limit is set too high
2180 using --tftp-max it will be scaled down and the actual limit logged at
2181 start-up. Note that more transfers are possible when the same file is
2182 being sent than when each transfer sends a different file.
2183 It is possible to use dnsmasq to block Web advertising by using a list
2186 of known banner-ad servers, all resolving to 127.0.0.1 or 0.0.0.0, in
2187 /etc/hosts or an additional hosts file. The list can be very long, dns‐
2188 masq has been tested successfully with one million names. That size
2189 file needs a 1GHz processor and about 60Mb of RAM.
2190
2193 Dnsmasq can be compiled to support internationalisation. To do this,
2194 the make targets "all-i18n" and "install-i18n" should be used instead
2195 of the standard targets "all" and "install". When internationalisation
2196 is compiled in, dnsmasq will produce log messages in the local language
2197 and support internationalised domain names (IDN). Domain names in
2198 /etc/hosts, /etc/ethers and /etc/dnsmasq.conf which contain non-ASCII
2199 characters will be translated to the DNS-internal punycode representa‐
2200 tion. Note that dnsmasq determines both the language for messages and
2201 the assumed charset for configuration files from the LANG environment
2202 variable. This should be set to the system default value by the script
2203 which is responsible for starting dnsmasq. When editing the configura‐
2204 tion files, be careful to do so using only the system-default locale
2205 and not user-specific one, since dnsmasq has no direct way of determin‐
2206 ing the charset in use, and must assume that it is the system default.
2207
2210 /etc/dnsmasq.conf
2211 /usr/local/etc/dnsmasq.conf
2213 /etc/resolv.conf /var/run/dnsmasq/resolv.conf /etc/ppp/resolv.conf
2215 /etc/dhcpc/resolv.conf
2216 /etc/hosts
2218 /etc/ethers
2220 /var/lib/dnsmasq/dnsmasq.leases
2222 /var/db/dnsmasq.leases
2224 /var/run/dnsmasq.pid
2226
2228 hosts(5), resolver(5)
2229
2231 This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.
2232 DNSMASQ(8)