1DNSMASQ(8) System Manager's Manual DNSMASQ(8)
2
6 dnsmasq - A lightweight DHCP and caching DNS server.
7
9 dnsmasq [OPTION]...
10
12 dnsmasq is a lightweight DNS, TFTP, PXE, router advertisement and DHCP
13 server. It is intended to provide coupled DNS and DHCP service to a
14 LAN.
15 Dnsmasq accepts DNS queries and either answers them from a small, lo‐
17 cal, cache or forwards them to a real, recursive, DNS server. It loads
18 the contents of /etc/hosts so that local hostnames which do not appear
19 in the global DNS can be resolved and also answers DNS queries for DHCP
20 configured hosts. It can also act as the authoritative DNS server for
21 one or more domains, allowing local names to appear in the global DNS.
22 It can be configured to do DNSSEC validation.
23 The dnsmasq DHCP server supports static address assignments and multi‐
25 ple networks. It automatically sends a sensible default set of DHCP op‐
26 tions, and can be configured to send any desired set of DHCP options,
27 including vendor-encapsulated options. It includes a secure, read-only,
28 TFTP server to allow net/PXE boot of DHCP hosts and also supports
29 BOOTP. The PXE support is full featured, and includes a proxy mode
30 which supplies PXE information to clients whilst DHCP address alloca‐
31 tion is done by another server.
32 The dnsmasq DHCPv6 server provides the same set of features as the
34 DHCPv4 server, and in addition, it includes router advertisements and a
35 neat feature which allows naming for clients which use DHCPv4 and
36 stateless autoconfiguration only for IPv6 configuration. There is sup‐
37 port for doing address allocation (both DHCPv6 and RA) from subnets
38 which are dynamically delegated via DHCPv6 prefix delegation.
39 Dnsmasq is coded with small embedded systems in mind. It aims for the
41 smallest possible memory footprint compatible with the supported func‐
42 tions, and allows unneeded functions to be omitted from the compiled
43 binary.
44
46 Note that in general missing parameters are allowed and switch off
47 functions, for instance "--pid-file" disables writing a PID file. On
48 BSD, unless the GNU getopt library is linked, the long form of the op‐
49 tions does not work on the command line; it is still recognised in the
50 configuration file.
51 --test Read and syntax check configuration file(s). Exit with code 0 if
53 all is OK, or a non-zero code otherwise. Do not start up dns‐
54 masq.
55 -w, --help
57 Display all command-line options. --help dhcp will display
58 known DHCPv4 configuration options, and --help dhcp6 will dis‐
59 play DHCPv6 options.
60 -h, --no-hosts
62 Don't read the hostnames in /etc/hosts.
63 -H, --addn-hosts=<file>
65 Additional hosts file. Read the specified file as well as
66 /etc/hosts. If --no-hosts is given, read only the specified
67 file. This option may be repeated for more than one additional
68 hosts file. If a directory is given, then read all the files
69 contained in that directory.
70 --hostsdir=<path>
72 Read all the hosts files contained in the directory. New or
73 changed files are read automatically. See --dhcp-hostsdir for
74 details.
75 -E, --expand-hosts
77 Add the domain to simple names (without a period) in /etc/hosts
78 in the same way as for DHCP-derived names. Note that this does
79 not apply to domain names in cnames, PTR records, TXT records
80 etc.
81 -T, --local-ttl=<time>
83 When replying with information from /etc/hosts or configuration
84 or the DHCP leases file dnsmasq by default sets the time-to-live
85 field to zero, meaning that the requester should not itself
86 cache the information. This is the correct thing to do in almost
87 all situations. This option allows a time-to-live (in seconds)
88 to be given for these replies. This will reduce the load on the
89 server at the expense of clients using stale data under some
90 circumstances.
91 --dhcp-ttl=<time>
93 As for --local-ttl, but affects only replies with information
94 from DHCP leases. If both are given, --dhcp-ttl applies for DHCP
95 information, and --local-ttl for others. Setting this to zero
96 eliminates the effect of --local-ttl for DHCP.
97 --neg-ttl=<time>
99 Negative replies from upstream servers normally contain time-to-
100 live information in SOA records which dnsmasq uses for caching.
101 If the replies from upstream servers omit this information, dns‐
102 masq does not cache the reply. This option gives a default value
103 for time-to-live (in seconds) which dnsmasq uses to cache nega‐
104 tive replies even in the absence of an SOA record.
105 --max-ttl=<time>
107 Set a maximum TTL value that will be handed out to clients. The
108 specified maximum TTL will be given to clients instead of the
109 true TTL value if it is lower. The true TTL value is however
110 kept in the cache to avoid flooding the upstream DNS servers.
111 --max-cache-ttl=<time>
113 Set a maximum TTL value for entries in the cache.
114 --min-cache-ttl=<time>
116 Extend short TTL values to the time given when caching them.
117 Note that artificially extending TTL values is in general a bad
118 idea, do not do it unless you have a good reason, and understand
119 what you are doing. Dnsmasq limits the value of this option to
120 one hour, unless recompiled.
121 --auth-ttl=<time>
123 Set the TTL value returned in answers from the authoritative
124 server.
125 -k, --keep-in-foreground
127 Do not go into the background at startup but otherwise run as
128 normal. This is intended for use when dnsmasq is run under dae‐
129 montools or launchd.
130 -d, --no-daemon
132 Debug mode: don't fork to the background, don't write a pid
133 file, don't change user id, generate a complete cache dump on
134 receipt on SIGUSR1, log to stderr as well as syslog, don't fork
135 new processes to handle TCP queries. Note that this option is
136 for use in debugging only, to stop dnsmasq daemonising in pro‐
137 duction, use --keep-in-foreground.
138 -q, --log-queries
140 Log the results of DNS queries handled by dnsmasq. Enable a full
141 cache dump on receipt of SIGUSR1. If the argument "extra" is
142 supplied, ie --log-queries=extra then the log has extra informa‐
143 tion at the start of each line. This consists of a serial num‐
144 ber which ties together the log lines associated with an indi‐
145 vidual query, and the IP address of the requestor.
146 -8, --log-facility=<facility>
148 Set the facility to which dnsmasq will send syslog entries, this
149 defaults to DAEMON, and to LOCAL0 when debug mode is in opera‐
150 tion. If the facility given contains at least one '/' character,
151 it is taken to be a filename, and dnsmasq logs to the given
152 file, instead of syslog. If the facility is '-' then dnsmasq
153 logs to stderr. (Errors whilst reading configuration will still
154 go to syslog, but all output from a successful startup, and all
155 output whilst running, will go exclusively to the file.) When
156 logging to a file, dnsmasq will close and reopen the file when
157 it receives SIGUSR2. This allows the log file to be rotated
158 without stopping dnsmasq.
159 --log-debug
161 Enable extra logging intended for debugging rather than informa‐
162 tion.
163 --log-async[=<lines>]
165 Enable asynchronous logging and optionally set the limit on the
166 number of lines which will be queued by dnsmasq when writing to
167 the syslog is slow. Dnsmasq can log asynchronously: this allows
168 it to continue functioning without being blocked by syslog, and
169 allows syslog to use dnsmasq for DNS queries without risking
170 deadlock. If the queue of log-lines becomes full, dnsmasq will
171 log the overflow, and the number of messages lost. The default
172 queue length is 5, a sane value would be 5-25, and a maximum
173 limit of 100 is imposed.
174 -x, --pid-file=<path>
176 Specify an alternate path for dnsmasq to record its process-id
177 in. Normally /var/run/dnsmasq.pid.
178 -u, --user=<username>
180 Specify the userid to which dnsmasq will change after startup.
181 Dnsmasq must normally be started as root, but it will drop root
182 privileges after startup by changing id to another user. Nor‐
183 mally this user is "nobody" but that can be over-ridden with
184 this switch.
185 -g, --group=<groupname>
187 Specify the group which dnsmasq will run as. The default is
188 "dip", if available, to facilitate access to /etc/ppp/re‐
189 solv.conf which is not normally world readable.
190 -v, --version
192 Print the version number.
193 -p, --port=<port>
195 Listen on <port> instead of the standard DNS port (53). Setting
196 this to zero completely disables DNS function, leaving only DHCP
197 and/or TFTP.
198 -P, --edns-packet-max=<size>
200 Specify the largest EDNS.0 UDP packet which is supported by the
201 DNS forwarder. Defaults to 4096, which is the RFC5625-recom‐
202 mended size.
203 -Q, --query-port=<query_port>
205 Send outbound DNS queries from, and listen for their replies on,
206 the specific UDP port <query_port> instead of using random
207 ports. NOTE that using this option will make dnsmasq less secure
208 against DNS spoofing attacks but it may be faster and use less
209 resources. Setting this option to zero makes dnsmasq use a sin‐
210 gle port allocated to it by the OS: this was the default behav‐
211 iour in versions prior to 2.43.
212 --min-port=<port>
214 Do not use ports less than that given as source for outbound DNS
215 queries. Dnsmasq picks random ports as source for outbound
216 queries: when this option is given, the ports used will always
217 be larger than that specified. Useful for systems behind fire‐
218 walls. If not specified, defaults to 1024.
219 --max-port=<port>
221 Use ports lower than that given as source for outbound DNS
222 queries. Dnsmasq picks random ports as source for outbound
223 queries: when this option is given, the ports used will always
224 be lower than that specified. Useful for systems behind fire‐
225 walls.
226 -i, --interface=<interface name>
228 Listen only on the specified interface(s). Dnsmasq automatically
229 adds the loopback (local) interface to the list of interfaces to
230 use when the --interface option is used. If no --interface or
231 --listen-address options are given dnsmasq listens on all avail‐
232 able interfaces except any given in --except-interface options.
233 On Linux, when --bind-interfaces or --bind-dynamic are in ef‐
234 fect, IP alias interface labels (eg "eth1:0") are checked,
235 rather than interface names. In the degenerate case when an in‐
236 terface has one address, this amounts to the same thing but when
237 an interface has multiple addresses it allows control over which
238 of those addresses are accepted. The same effect is achievable
239 in default mode by using --listen-address. A simple wildcard,
240 consisting of a trailing '*', can be used in --interface and
241 --except-interface options.
242 -I, --except-interface=<interface name>
244 Do not listen on the specified interface. Note that the order of
245 --listen-address --interface and --except-interface options does
246 not matter and that --except-interface options always override
247 the others. The comments about interface labels for --listen-ad‐
248 dress apply here.
249 --auth-server=<domain>,[<interface>|<ip-address>...]
251 Enable DNS authoritative mode for queries arriving at an inter‐
252 face or address. Note that the interface or address need not be
253 mentioned in --interface or --listen-address configuration, in‐
254 deed --auth-server will override these and provide a different
255 DNS service on the specified interface. The <domain> is the
256 "glue record". It should resolve in the global DNS to an A
257 and/or AAAA record which points to the address dnsmasq is lis‐
258 tening on. When an interface is specified, it may be qualified
259 with "/4" or "/6" to specify only the IPv4 or IPv6 addresses as‐
260 sociated with the interface. Since any defined authoritative
261 zones are also available as part of the normal recusive DNS ser‐
262 vice supplied by dnsmasq, it can make sense to have an --auth-
263 server declaration with no interfaces or address, but simply
264 specifying the primary external nameserver.
265 --local-service
267 Accept DNS queries only from hosts whose address is on a local
268 subnet, ie a subnet for which an interface exists on the server.
269 This option only has effect if there are no --interface, --ex‐
270 cept-interface, --listen-address or --auth-server options. It is
271 intended to be set as a default on installation, to allow uncon‐
272 figured installations to be useful but also safe from being used
273 for DNS amplification attacks.
274 -2, --no-dhcp-interface=<interface name>
276 Do not provide DHCP or TFTP on the specified interface, but do
277 provide DNS service.
278 -a, --listen-address=<ipaddr>
280 Listen on the given IP address(es). Both --interface and --lis‐
281 ten-address options may be given, in which case the set of both
282 interfaces and addresses is used. Note that if no --interface
283 option is given, but --listen-address is, dnsmasq will not auto‐
284 matically listen on the loopback interface. To achieve this, its
285 IP address, 127.0.0.1, must be explicitly given as a --listen-
286 address option.
287 -z, --bind-interfaces
289 On systems which support it, dnsmasq binds the wildcard address,
290 even when it is listening on only some interfaces. It then dis‐
291 cards requests that it shouldn't reply to. This has the advan‐
292 tage of working even when interfaces come and go and change ad‐
293 dress. This option forces dnsmasq to really bind only the inter‐
294 faces it is listening on. About the only time when this is use‐
295 ful is when running another nameserver (or another instance of
296 dnsmasq) on the same machine. Setting this option also enables
297 multiple instances of dnsmasq which provide DHCP service to run
298 in the same machine.
299 --bind-dynamic
301 Enable a network mode which is a hybrid between --bind-inter‐
302 faces and the default. Dnsmasq binds the address of individual
303 interfaces, allowing multiple dnsmasq instances, but if new in‐
304 terfaces or addresses appear, it automatically listens on those
305 (subject to any access-control configuration). This makes dynam‐
306 ically created interfaces work in the same way as the default.
307 Implementing this option requires non-standard networking APIs
308 and it is only available under Linux. On other platforms it
309 falls-back to --bind-interfaces mode.
310 -y, --localise-queries
312 Return answers to DNS queries from /etc/hosts and --interface-
313 name and --dynamic-host which depend on the interface over which
314 the query was received. If a name has more than one address as‐
315 sociated with it, and at least one of those addresses is on the
316 same subnet as the interface to which the query was sent, then
317 return only the address(es) on that subnet. This allows for a
318 server to have multiple addresses in /etc/hosts corresponding
319 to each of its interfaces, and hosts will get the correct ad‐
320 dress based on which network they are attached to. Currently
321 this facility is limited to IPv4.
322 -b, --bogus-priv
324 Bogus private reverse lookups. All reverse lookups for private
325 IP ranges (ie 192.168.x.x, etc) which are not found in
326 /etc/hosts or the DHCP leases file are answered with "no such
327 domain" rather than being forwarded upstream. The set of pre‐
328 fixes affected is the list given in RFC6303, for IPv4 and IPv6.
329 -V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
331 Modify IPv4 addresses returned from upstream nameservers; old-ip
332 is replaced by new-ip. If the optional mask is given then any
333 address which matches the masked old-ip will be re-written. So,
334 for instance --alias=1.2.3.0,6.7.8.0,255.255.255.0 will map
335 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what
336 Cisco PIX routers call "DNS doctoring". If the old IP is given
337 as range, then only addresses in the range, rather than a whole
338 subnet, are re-written. So
339 --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 maps
340 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
341 -B, --bogus-nxdomain=<ipaddr>[/prefix]
343 Transform replies which contain the IP specified address or sub‐
344 net into "No such domain" replies. This is intended to counter‐
345 act a devious move made by Verisign in September 2003 when they
346 started returning the address of an advertising web page in re‐
347 sponse to queries for unregistered names, instead of the correct
348 NXDOMAIN response. This option tells dnsmasq to fake the correct
349 response when it sees this behaviour. As at Sept 2003 the IP ad‐
350 dress being returned by Verisign is 64.94.110.11
351 --ignore-address=<ipaddr>[/prefix]
353 Ignore replies to A-record queries which include the specified
354 address or subnet. No error is generated, dnsmasq simply con‐
355 tinues to listen for another reply. This is useful to defeat
356 blocking strategies which rely on quickly supplying a forged an‐
357 swer to a DNS request for certain domain, before the correct an‐
358 swer can arrive.
359 -f, --filterwin2k
361 Later versions of windows make periodic DNS requests which don't
362 get sensible answers from the public DNS and can cause problems
363 by triggering dial-on-demand links. This flag turns on an option
364 to filter such requests. The requests blocked are for records of
365 types SOA and SRV, and type ANY where the requested name has un‐
366 derscores, to catch LDAP requests.
367 -r, --resolv-file=<file>
369 Read the IP addresses of the upstream nameservers from <file>,
370 instead of /etc/resolv.conf. For the format of this file see re‐
371 solv.conf(5). The only lines relevant to dnsmasq are nameserver
372 ones. Dnsmasq can be told to poll more than one resolv.conf
373 file, the first file name specified overrides the default, sub‐
374 sequent ones add to the list. This is only allowed when polling;
375 the file with the currently latest modification time is the one
376 used.
377 -R, --no-resolv
379 Don't read /etc/resolv.conf. Get upstream servers only from the
380 command line or the dnsmasq configuration file.
381 -1, --enable-dbus[=<service-name>]
383 Allow dnsmasq configuration to be updated via DBus method calls.
384 The configuration which can be changed is upstream DNS servers
385 (and corresponding domains) and cache clear. Requires that dns‐
386 masq has been built with DBus support. If the service name is
387 given, dnsmasq provides service at that name, rather than the
388 default which is uk.org.thekelleys.dnsmasq
389 --enable-ubus[=<service-name>]
391 Enable dnsmasq UBus interface. It sends notifications via UBus
392 on DHCPACK and DHCPRELEASE events. Furthermore it offers met‐
393 rics. Requires that dnsmasq has been built with UBus support.
394 If the service name is given, dnsmasq provides service at that
395 namespace, rather than the default which is dnsmasq
396 -o, --strict-order
398 By default, dnsmasq will send queries to any of the upstream
399 servers it knows about and tries to favour servers that are
400 known to be up. Setting this flag forces dnsmasq to try each
401 query with each server strictly in the order they appear in
402 /etc/resolv.conf
403 --all-servers
405 By default, when dnsmasq has more than one upstream server
406 available, it will send queries to just one server. Setting this
407 flag forces dnsmasq to send all queries to all available
408 servers. The reply from the server which answers first will be
409 returned to the original requester.
410 --dns-loop-detect
412 Enable code to detect DNS forwarding loops; ie the situation
413 where a query sent to one of the upstream server eventually re‐
414 turns as a new query to the dnsmasq instance. The process works
415 by generating TXT queries of the form <hex>.test and sending
416 them to each upstream server. The hex is a UID which encodes the
417 instance of dnsmasq sending the query and the upstream server to
418 which it was sent. If the query returns to the server which sent
419 it, then the upstream server through which it was sent is dis‐
420 abled and this event is logged. Each time the set of upstream
421 servers changes, the test is re-run on all of them, including
422 ones which were previously disabled.
423 --stop-dns-rebind
425 Reject (and log) addresses from upstream nameservers which are
426 in the private ranges. This blocks an attack where a browser be‐
427 hind a firewall is used to probe machines on the local network.
428 For IPv6, the private range covers the IPv4-mapped addresses in
429 private space plus all link-local (LL) and site-local (ULA) ad‐
430 dresses.
431 --rebind-localhost-ok
433 Exempt 127.0.0.0/8 and ::1 from rebinding checks. This address
434 range is returned by realtime black hole servers, so blocking it
435 may disable these services.
436 --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
438 Do not detect and block dns-rebind on queries to these domains.
439 The argument may be either a single domain, or multiple domains
440 surrounded by '/', like the --server syntax, eg. --rebind-do‐
441 main-ok=/domain1/domain2/domain3/
442 -n, --no-poll
444 Don't poll /etc/resolv.conf for changes.
445 --clear-on-reload
447 Whenever /etc/resolv.conf is re-read or the upstream servers are
448 set via DBus, clear the DNS cache. This is useful when new
449 nameservers may have different data than that held in cache.
450 -D, --domain-needed
452 Tells dnsmasq to never forward A or AAAA queries for plain
453 names, without dots or domain parts, to upstream nameservers. If
454 the name is not known from /etc/hosts or DHCP then a "not found"
455 answer is returned.
456 -S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]][@<in‐
458 terface>][@<source-ip>[#<port>]]
459 Specify IP address of upstream servers directly. Setting this
460 flag does not suppress reading of /etc/resolv.conf, use --no-re‐
461 solv to do that. If one or more optional domains are given, that
462 server is used only for those domains and they are queried only
463 using the specified server. This is intended for private name‐
464 servers: if you have a nameserver on your network which deals
465 with names of the form xxx.internal.thekelleys.org.uk at
466 192.168.1.1 then giving the flag --server=/internal.thekel‐
467 leys.org.uk/192.168.1.1 will send all queries for internal ma‐
468 chines to that nameserver, everything else will go to the
469 servers in /etc/resolv.conf. DNSSEC validation is turned off for
470 such private nameservers, UNLESS a --trust-anchor is specified
471 for the domain in question. An empty domain specification, //
472 has the special meaning of "unqualified names only" ie names
473 without any dots in them. A non-standard port may be specified
474 as part of the IP address using a # character. More than one
475 --server flag is allowed, with repeated domain or ipaddr parts
476 as required.
477 More specific domains take precedence over less specific do‐
479 mains, so: --server=/google.com/1.2.3.4
480 --server=/www.google.com/2.3.4.5 will send queries for
481 *.google.com to 1.2.3.4, except *www.google.com, which will go
482 to 2.3.4.5
483 The special server address '#' means, "use the standard
485 servers", so --server=/google.com/1.2.3.4
486 --server=/www.google.com/# will send queries for *.google.com to
487 1.2.3.4, except *www.google.com which will be forwarded as
488 usual.
489 Also permitted is a -S flag which gives a domain but no IP ad‐
491 dress; this tells dnsmasq that a domain is local and it may an‐
492 swer queries from /etc/hosts or DHCP but should never forward
493 queries on that domain to any upstream servers. --local is a
494 synonym for --server to make configuration files clearer in this
495 case.
496 IPv6 addresses may include an %interface scope-id, eg
498 fe80::202:a412:4512:7bbf%eth0.
499 The optional string after the @ character tells dnsmasq how to
501 set the source of the queries to this nameserver. It can either
502 be an ip-address, an interface name or both. The ip-address
503 should belong to the machine on which dnsmasq is running, other‐
504 wise this server line will be logged and then ignored. If an in‐
505 terface name is given, then queries to the server will be forced
506 via that interface; if an ip-address is given then the source
507 address of the queries will be set to that address; and if both
508 are given then a combination of ip-address and interface name
509 will be used to steer requests to the server. The query-port
510 flag is ignored for any servers which have a source address
511 specified but the port may be specified directly as part of the
512 source address. Forcing queries to an interface is not imple‐
513 mented on all platforms supported by dnsmasq.
514 --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<inter‐
516 face>][@<source-ip>[#<port>]]
517 This is functionally the same as --server, but provides some
518 syntactic sugar to make specifying address-to-name queries eas‐
519 ier. For example --rev-server=1.2.3.0/24,192.168.0.1 is exactly
520 equivalent to --server=/3.2.1.in-addr.arpa/192.168.0.1
521 -A, --address=/<domain>[/<domain>...]/[<ipaddr>]
523 Specify an IP address to return for any host in the given do‐
524 mains. Queries in the domains are never forwarded and always
525 replied to with the specified IP address which may be IPv4 or
526 IPv6. To give both IPv4 and IPv6 addresses for a domain, use re‐
527 peated --address flags. To include multiple IP addresses for a
528 single query, use --addn-hosts=<path> instead. Note that
529 /etc/hosts and DHCP leases override this for individual names. A
530 common use of this is to redirect the entire doubleclick.net do‐
531 main to some friendly local web server to avoid banner ads. The
532 domain specification works in the same was as for --server, with
533 the additional facility that /#/ matches any domain. Thus --ad‐
534 dress=/#/1.2.3.4 will always return 1.2.3.4 for any query not
535 answered from /etc/hosts or DHCP and not sent to an upstream
536 nameserver by a more specific --server directive. As for
537 --server, one or more domains with no address returns a no-such-
538 domain answer, so --address=/example.com/ is equivalent to
539 --server=/example.com/ and returns NXDOMAIN for example.com and
540 all its subdomains. An address specified as '#' translates to
541 the NULL address of 0.0.0.0 and its IPv6 equivalent of :: so
542 --address=/example.com/# will return NULL addresses for exam‐
543 ple.com and its subdomains. This is partly syntactic sugar for
544 --address=/example.com/0.0.0.0 and --address=/example.com/:: but
545 is also more efficient than including both as separate configu‐
546 ration lines. Note that NULL addresses normally work in the same
547 way as localhost, so beware that clients looking up these names
548 are likely to end up talking to themselves.
549 --ipset=/<domain>[/<domain>...]/<ipset>[,<ipset>...]
551 Places the resolved IP addresses of queries for one or more do‐
552 mains in the specified Netfilter IP set. If multiple setnames
553 are given, then the addresses are placed in each of them, sub‐
554 ject to the limitations of an IP set (IPv4 addresses cannot be
555 stored in an IPv6 IP set and vice versa). Domains and subdo‐
556 mains are matched in the same way as --address. These IP sets
557 must already exist. See ipset(8) for more details.
558 -m, --mx-host=<mx name>[[,<hostname>],<preference>]
560 Return an MX record named <mx name> pointing to the given host‐
561 name (if given), or the host specified in the --mx-target switch
562 or, if that switch is not given, the host on which dnsmasq is
563 running. The default is useful for directing mail from systems
564 on a LAN to a central server. The preference value is optional,
565 and defaults to 1 if not given. More than one MX record may be
566 given for a host.
567 -t, --mx-target=<hostname>
569 Specify the default target for the MX record returned by dns‐
570 masq. See --mx-host. If --mx-target is given, but not --mx-
571 host, then dnsmasq returns a MX record containing the MX target
572 for MX queries on the hostname of the machine on which dnsmasq
573 is running.
574 -e, --selfmx
576 Return an MX record pointing to itself for each local machine.
577 Local machines are those in /etc/hosts or with DHCP leases.
578 -L, --localmx
580 Return an MX record pointing to the host given by --mx-target
581 (or the machine on which dnsmasq is running) for each local ma‐
582 chine. Local machines are those in /etc/hosts or with DHCP
583 leases.
584 -W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<prior‐
586 ity>[,<weight>]]]]
587 Return a SRV DNS record. See RFC2782 for details. If not sup‐
588 plied, the domain defaults to that given by --domain. The de‐
589 fault for the target domain is empty, and the default for port
590 is one and the defaults for weight and priority are zero. Be
591 careful if transposing data from BIND zone files: the port,
592 weight and priority numbers are in a different order. More than
593 one SRV record for a given service/domain is allowed, all that
594 match are returned.
595 --host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-ad‐
597 dress>][,<TTL>]
598 Add A, AAAA and PTR records to the DNS. This adds one or more
599 names to the DNS with associated IPv4 (A) and IPv6 (AAAA)
600 records. A name may appear in more than one --host-record and
601 therefore be assigned more than one address. Only the first ad‐
602 dress creates a PTR record linking the address to the name. This
603 is the same rule as is used reading hosts-files. --host-record
604 options are considered to be read before host-files, so a name
605 appearing there inhibits PTR-record creation if it appears in
606 hosts-file also. Unlike hosts-files, names are not expanded,
607 even when --expand-hosts is in effect. Short and long names may
608 appear in the same --host-record, eg. --host-record=laptop,lap‐
609 top.thekelleys.org,192.168.0.1,1234::100
610 If the time-to-live is given, it overrides the default, which is
612 zero or the value of --local-ttl. The value is a positive inte‐
613 ger and gives the time-to-live in seconds.
614 --dynamic-host=<name>,[IPv4-address],[IPv6-address],<interface>
616 Add A, AAAA and PTR records to the DNS in the same subnet as the
617 specified interface. The address is derived from the network
618 part of each address associated with the interface, and the host
619 part from the specified address. For example --dynamic-host=ex‐
620 ample.com,0.0.0.8,eth0 will, when eth0 has the address
621 192.168.78.x and netmask 255.255.255.0 give the name example.com
622 an A record for 192.168.78.8. The same principle applies to IPv6
623 addresses. Note that if an interface has more than one address,
624 more than one A or AAAA record will be created. The TTL of the
625 records is always zero, and any changes to interface addresses
626 will be immediately reflected in them.
627 -Y, --txt-record=<name>[[,<text>],<text>]
629 Return a TXT DNS record. The value of TXT record is a set of
630 strings, so any number may be included, delimited by commas;
631 use quotes to put commas into a string. Note that the maximum
632 length of a single string is 255 characters, longer strings are
633 split into 255 character chunks.
634 --ptr-record=<name>[,<target>]
636 Return a PTR DNS record.
637 --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<reg‐
639 exp>[,<replacement>]
640 Return an NAPTR DNS record, as specified in RFC3403.
641 --caa-record=<name>,<flags>,<tag>,<value>
643 Return a CAA DNS record, as specified in RFC6844.
644 --cname=<cname>,[<cname>,]<target>[,<TTL>]
646 Return a CNAME record which indicates that <cname> is really
647 <target>. There is a significant limitation on the target; it
648 must be a DNS record which is known to dnsmasq and NOT a DNS
649 record which comes from an upstream server. The cname must be
650 unique, but it is permissible to have more than one cname point‐
651 ing to the same target. Indeed it's possible to declare multiple
652 cnames to a target in a single line, like so:
653 --cname=cname1,cname2,target
654 If the time-to-live is given, it overrides the default, which is
656 zero or the value of --local-ttl. The value is a positive inte‐
657 ger and gives the time-to-live in seconds.
658 --dns-rr=<name>,<RR-number>,[<hex data>]
660 Return an arbitrary DNS Resource Record. The number is the type
661 of the record (which is always in the C_IN class). The value of
662 the record is given by the hex data, which may be of the form
663 01:23:45 or 01 23 45 or 012345 or any mixture of these.
664 --interface-name=<name>,<interface>[/4|/6]
666 Return DNS records associating the name with the address(es) of
667 the given interface. This flag specifies an A or AAAA record for
668 the given name in the same way as an /etc/hosts line, except
669 that the address is not constant, but taken from the given in‐
670 terface. The interface may be followed by "/4" or "/6" to spec‐
671 ify that only IPv4 or IPv6 addresses of the interface should be
672 used. If the interface is down, not configured or non-existent,
673 an empty record is returned. The matching PTR record is also
674 created, mapping the interface address to the name. More than
675 one name may be associated with an interface address by repeat‐
676 ing the flag; in that case the first instance is used for the
677 reverse address-to-name mapping. Note that a name used in --in‐
678 terface-name may not appear in /etc/hosts.
679 --synth-domain=<domain>,<address range>[,<prefix>[*]]
681 Create artificial A/AAAA and PTR records for an address range.
682 The records either seqential numbers or the address, with peri‐
683 ods (or colons for IPv6) replaced with dashes.
684 An examples should make this clearer. First sequential numbers.
686 --synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,in‐
687 ternal-* results in the name internal-0.thekelleys.org.uk. re‐
688 turning 192.168.0.50, internal-1.thekelleys.org.uk returning
689 192.168.0.51 and so on. (note the *) The same principle applies
690 to IPv6 addresses (where the numbers may be very large). Reverse
691 lookups from address to name behave as expected.
692 Second, --synth-domain=thekelleys.org.uk,192.168.0.0/24,inter‐
694 nal- (no *) will result in a query for inter‐
695 nal-192-168-0-56.thekelleys.org.uk returning 192.168.0.56 and a
696 reverse query vice versa. The same applies to IPv6, but IPv6 ad‐
697 dresses may start with '::' but DNS labels may not start with
698 '-' so in this case if no prefix is configured a zero is added
699 in front of the label. ::1 becomes 0--1.
700 V4 mapped IPv6 addresses, which have a representation like
702 ::ffff:1.2.3.4 are handled specially, and become like
703 0--ffff-1-2-3-4
704 The address range can be of the form <ip address>,<ip address>
706 or <ip address>/<netmask> in both forms of the option.
707 --dumpfile=<path/to/file>
709 Specify the location of a pcap-format file which dnsmasq uses to
710 dump copies of network packets for debugging purposes. If the
711 file exists when dnsmasq starts, it is not deleted; new packets
712 are added to the end.
713 --dumpmask=<mask>
715 Specify which types of packets should be added to the dumpfile.
716 The argument should be the OR of the bitmasks for each type of
717 packet to be dumped: it can be specified in hex by preceding the
718 number with 0x in the normal way. Each time a packet is written
719 to the dumpfile, dnsmasq logs the packet sequence and the mask
720 representing its type. The current types are: 0x0001 - DNS
721 queries from clients 0x0002 DNS replies to clients 0x0004 - DNS
722 queries to upstream 0x0008 - DNS replies from upstream 0x0010 -
723 queries send upstream for DNSSEC validation 0x0020 - replies to
724 queries for DNSSEC validation 0x0040 - replies to client queries
725 which fail DNSSEC validation 0x0080 replies to queries for
726 DNSSEC validation which fail validation.
727 --add-mac[=base64|text]
729 Add the MAC address of the requestor to DNS queries which are
730 forwarded upstream. This may be used to DNS filtering by the up‐
731 stream server. The MAC address can only be added if the re‐
732 questor is on the same subnet as the dnsmasq server. Note that
733 the mechanism used to achieve this (an EDNS0 option) is not yet
734 standardised, so this should be considered experimental. Also
735 note that exposing MAC addresses in this way may have security
736 and privacy implications. The warning about caching given for
737 --add-subnet applies to --add-mac too. An alternative encoding
738 of the MAC, as base64, is enabled by adding the "base64" parame‐
739 ter and a human-readable encoding of hex-and-colons is enabled
740 by added the "text" parameter.
741 --add-cpe-id=<string>
743 Add an arbitrary identifying string to DNS queries which are
744 forwarded upstream.
745 --add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 ad‐
747 dress>/]<IPv6 prefix length>]]
748 Add a subnet address to the DNS queries which are forwarded up‐
749 stream. If an address is specified in the flag, it will be used,
750 otherwise, the address of the requestor will be used. The amount
751 of the address forwarded depends on the prefix length parameter:
752 32 (128 for IPv6) forwards the whole address, zero forwards none
753 of it but still marks the request so that no upstream nameserver
754 will add client address information either. The default is zero
755 for both IPv4 and IPv6. Note that upstream nameservers may be
756 configured to return different results based on this informa‐
757 tion, but the dnsmasq cache does not take account. Caching is
758 therefore disabled for such replies, unless the subnet address
759 being added is constant.
760 For example, --add-subnet=24,96 will add the /24 and /96 subnets
762 of the requestor for IPv4 and IPv6 requestors, respectively.
763 --add-subnet=1.2.3.4/24 will add 1.2.3.0/24 for IPv4 requestors
764 and ::/0 for IPv6 requestors. --add-sub‐
765 net=1.2.3.4/24,1.2.3.4/24 will add 1.2.3.0/24 for both IPv4 and
766 IPv6 requestors.
767 -c, --cache-size=<cachesize>
770 Set the size of dnsmasq's cache. The default is 150 names. Set‐
771 ting the cache size to zero disables caching. Note: huge cache
772 size impacts performance.
773 -N, --no-negcache
775 Disable negative caching. Negative caching allows dnsmasq to re‐
776 member "no such domain" answers from upstream nameservers and
777 answer identical queries without forwarding them again.
778 -0, --dns-forward-max=<queries>
780 Set the maximum number of concurrent DNS queries. The default
781 value is 150, which should be fine for most setups. The only
782 known situation where this needs to be increased is when using
783 web-server log file resolvers, which can generate large numbers
784 of concurrent queries.
785 --dnssec
787 Validate DNS replies and cache DNSSEC data. When forwarding DNS
788 queries, dnsmasq requests the DNSSEC records needed to validate
789 the replies. The replies are validated and the result returned
790 as the Authenticated Data bit in the DNS packet. In addition the
791 DNSSEC records are stored in the cache, making validation by
792 clients more efficient. Note that validation by clients is the
793 most secure DNSSEC mode, but for clients unable to do valida‐
794 tion, use of the AD bit set by dnsmasq is useful, provided that
795 the network between the dnsmasq server and the client is
796 trusted. Dnsmasq must be compiled with HAVE_DNSSEC enabled, and
797 DNSSEC trust anchors provided, see --trust-anchor. Because the
798 DNSSEC validation process uses the cache, it is not permitted to
799 reduce the cache size below the default when DNSSEC is enabled.
800 The nameservers upstream of dnsmasq must be DNSSEC-capable, ie
801 capable of returning DNSSEC records with data. If they are not,
802 then dnsmasq will not be able to determine the trusted status of
803 answers and this means that DNS service will be entirely broken.
804 --trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-
806 type>,<digest>
807 Provide DS records to act a trust anchors for DNSSEC validation.
808 Typically these will be the DS record(s) for Key Signing key(s)
809 (KSK) of the root zone, but trust anchors for limited domains
810 are also possible. The current root-zone trust anchors may be
811 downloaded from https://data.iana.org/root-anchors/root-an‐
812 chors.xml
813 --dnssec-check-unsigned[=no]
815 As a default, dnsmasq checks that unsigned DNS replies are le‐
816 gitimate: this entails possible extra queries even for the ma‐
817 jority of DNS zones which are not, at the moment, signed. If
818 --dnssec-check-unsigned=no appears in the configuration, then
819 such replies they are assumed to be valid and passed on (without
820 the "authentic data" bit set, of course). This does not protect
821 against an attacker forging unsigned replies for signed DNS
822 zones, but it is fast.
823 Versions of dnsmasq prior to 2.80 defaulted to not checking un‐
825 signed replies, and used --dnssec-check-unsigned to switch this
826 on. Such configurations will continue to work as before, but
827 those which used the default of no checking will need to be al‐
828 tered to explicitly select no checking. The new default is be‐
829 cause switching off checking for unsigned replies is inherently
830 dangerous. Not only does it open the possiblity of forged
831 replies, but it allows everything to appear to be working even
832 when the upstream namesevers do not support DNSSEC, and in this
833 case no DNSSEC validation at all is occurring.
834 --dnssec-no-timecheck
836 DNSSEC signatures are only valid for specified time windows, and
837 should be rejected outside those windows. This generates an in‐
838 teresting chicken-and-egg problem for machines which don't have
839 a hardware real time clock. For these machines to determine the
840 correct time typically requires use of NTP and therefore DNS,
841 but validating DNS requires that the correct time is already
842 known. Setting this flag removes the time-window checks (but not
843 other DNSSEC validation.) only until the dnsmasq process re‐
844 ceives SIGINT. The intention is that dnsmasq should be started
845 with this flag when the platform determines that reliable time
846 is not currently available. As soon as reliable time is estab‐
847 lished, a SIGINT should be sent to dnsmasq, which enables time
848 checking, and purges the cache of DNS records which have not
849 been thoroughly checked.
850 Earlier versions of dnsmasq overloaded SIGHUP (which re-reads
852 much configuration) to also enable time validation.
853 If dnsmasq is run in debug mode (--no-daemon flag) then SIGINT
855 retains its usual meaning of terminating the dnsmasq process.
856 --dnssec-timestamp=<path>
858 Enables an alternative way of checking the validity of the sys‐
859 tem time for DNSSEC (see --dnssec-no-timecheck). In this case,
860 the system time is considered to be valid once it becomes later
861 than the timestamp on the specified file. The file is created
862 and its timestamp set automatically by dnsmasq. The file must be
863 stored on a persistent filesystem, so that it and its mtime are
864 carried over system restarts. The timestamp file is created af‐
865 ter dnsmasq has dropped root, so it must be in a location
866 writable by the unprivileged user that dnsmasq runs as.
867 --proxy-dnssec
869 Copy the DNSSEC Authenticated Data bit from upstream servers to
870 downstream clients. This is an alternative to having dnsmasq
871 validate DNSSEC, but it depends on the security of the network
872 between dnsmasq and the upstream servers, and the trustworthi‐
873 ness of the upstream servers. Note that caching the Authenti‐
874 cated Data bit correctly in all cases is not technically possi‐
875 ble. If the AD bit is to be relied upon when using this option,
876 then the cache should be disabled using --cache-size=0. In most
877 cases, enabling DNSSEC validation within dnsmasq is a better op‐
878 tion. See --dnssec for details.
879 --dnssec-debug
881 Set debugging mode for the DNSSEC validation, set the Checking
882 Disabled bit on upstream queries, and don't convert replies
883 which do not validate to responses with a return code of SERV‐
884 FAIL. Note that setting this may affect DNS behaviour in bad
885 ways, it is not an extra-logging flag and should not be set in
886 production.
887 --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix
889 length>].....][,exclude:<subnet>[/<prefix length>]].....]
890 Define a DNS zone for which dnsmasq acts as authoritative
891 server. Locally defined DNS records which are in the domain will
892 be served. If subnet(s) are given, A and AAAA records must be in
893 one of the specified subnets.
894 As alternative to directly specifying the subnets, it's possible
896 to give the name of an interface, in which case the subnets im‐
897 plied by that interface's configured addresses and netmask/pre‐
898 fix-length are used; this is useful when using constructed DHCP
899 ranges as the actual address is dynamic and not known when con‐
900 figuring dnsmasq. The interface addresses may be confined to
901 only IPv6 addresses using <interface>/6 or to only IPv4 using
902 <interface>/4. This is useful when an interface has dynamically
903 determined global IPv6 addresses which should appear in the
904 zone, but RFC1918 IPv4 addresses which should not. Interface-
905 name and address-literal subnet specifications may be used
906 freely in the same --auth-zone declaration.
907 It's possible to exclude certain IP addresses from responses. It
909 can be used, to make sure that answers contain only global
910 routeable IP addresses (by excluding loopback, RFC1918 and ULA
911 addresses).
912 The subnet(s) are also used to define in-addr.arpa and ip6.arpa
914 domains which are served for reverse-DNS queries. If not speci‐
915 fied, the prefix length defaults to 24 for IPv4 and 64 for IPv6.
916 For IPv4 subnets, the prefix length should be have the value 8,
917 16 or 24 unless you are familiar with RFC 2317 and have arranged
918 the in-addr.arpa delegation accordingly. Note that if no subnets
919 are specified, then no reverse queries are answered.
920 --auth-soa=<serial>[,<hostmaster>[,<refresh>[,<retry>[,<expiry>]]]]
922 Specify fields in the SOA record associated with authoritative
923 zones. Note that this is optional, all the values are set to
924 sane defaults.
925 --auth-sec-servers=<domain>[,<domain>[,<domain>...]]
927 Specify any secondary servers for a zone for which dnsmasq is
928 authoritative. These servers must be configured to get zone data
929 from dnsmasq by zone transfer, and answer queries for the same
930 authoritative zones as dnsmasq.
931 --auth-peer=<ip-address>[,<ip-address>[,<ip-address>...]]
933 Specify the addresses of secondary servers which are allowed to
934 initiate zone transfer (AXFR) requests for zones for which dns‐
935 masq is authoritative. If this option is not given but --auth-
936 sec-servers is, then AXFR requests will be accepted from any
937 secondary. Specifying --auth-peer without --auth-sec-servers en‐
938 ables zone transfer but does not advertise the secondary in NS
939 records returned by dnsmasq.
940 --conntrack
942 Read the Linux connection track mark associated with incoming
943 DNS queries and set the same mark value on upstream traffic used
944 to answer those queries. This allows traffic generated by dns‐
945 masq to be associated with the queries which cause it, useful
946 for bandwidth accounting and firewalling. Dnsmasq must have con‐
947 ntrack support compiled in and the kernel must have conntrack
948 support included and configured. This option cannot be combined
949 with --query-port.
950 -F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-
952 addr>[,<end-addr>|<mode>][,<netmask>[,<broadcast>]][,<lease time>]
953 -F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-
955 IPv6addr>[,<end-IPv6addr>|constructor:<interface>][,<mode>][,<prefix-
956 len>][,<lease time>]
957 Enable the DHCP server. Addresses will be given out from the
959 range <start-addr> to <end-addr> and from statically defined ad‐
960 dresses given in --dhcp-host options. If the lease time is
961 given, then leases will be given for that length of time. The
962 lease time is in seconds, or minutes (eg 45m) or hours (eg 1h)
963 or "infinite". If not given, the default lease time is one hour
964 for IPv4 and one day for IPv6. The minimum lease time is two
965 minutes. For IPv6 ranges, the lease time maybe "deprecated";
966 this sets the preferred lifetime sent in a DHCP lease or router
967 advertisement to zero, which causes clients to use other ad‐
968 dresses, if available, for new connections as a prelude to
969 renumbering.
970 This option may be repeated, with different addresses, to enable
972 DHCP service to more than one network. For directly connected
973 networks (ie, networks on which the machine running dnsmasq has
974 an interface) the netmask is optional: dnsmasq will determine it
975 from the interface configuration. For networks which receive
976 DHCP service via a relay agent, dnsmasq cannot determine the
977 netmask itself, so it should be specified, otherwise dnsmasq
978 will have to guess, based on the class (A, B or C) of the net‐
979 work address. The broadcast address is always optional. It is
980 always allowed to have more than one --dhcp-range in a single
981 subnet.
982 For IPv6, the parameters are slightly different: instead of net‐
984 mask and broadcast address, there is an optional prefix length
985 which must be equal to or larger then the prefix length on the
986 local interface. If not given, this defaults to 64. Unlike the
987 IPv4 case, the prefix length is not automatically derived from
988 the interface configuration. The minimum size of the prefix
989 length is 64.
990 IPv6 (only) supports another type of range. In this, the start
992 address and optional end address contain only the network part
993 (ie ::1) and they are followed by constructor:<interface>. This
994 forms a template which describes how to create ranges, based on
995 the addresses assigned to the interface. For instance
996 --dhcp-range=::1,::400,constructor:eth0
998 will look for addresses on eth0 and then create a range from
1000 <network>::1 to <network>::400. If the interface is assigned
1001 more than one network, then the corresponding ranges will be au‐
1002 tomatically created, and then deprecated and finally removed
1003 again as the address is deprecated and then deleted. The inter‐
1004 face name may have a final "*" wildcard. Note that just any ad‐
1005 dress on eth0 will not do: it must not be an autoconfigured or
1006 privacy address, or be deprecated.
1007 If a --dhcp-range is only being used for stateless DHCP and/or
1009 SLAAC, then the address can be simply ::
1010 --dhcp-range=::,constructor:eth0
1012 The optional set:<tag> sets an alphanumeric label which marks
1015 this network so that DHCP options may be specified on a per-net‐
1016 work basis. When it is prefixed with 'tag:' instead, then its
1017 meaning changes from setting a tag to matching it. Only one tag
1018 may be set, but more than one tag may be matched.
1019 The optional <mode> keyword may be static which tells dnsmasq to
1021 enable DHCP for the network specified, but not to dynamically
1022 allocate IP addresses: only hosts which have static addresses
1023 given via --dhcp-host or from /etc/ethers will be served. A
1024 static-only subnet with address all zeros may be used as a
1025 "catch-all" address to enable replies to all Information-request
1026 packets on a subnet which is provided with stateless DHCPv6, ie
1027 --dhcp-range=::,static
1028 For IPv4, the <mode> may be proxy in which case dnsmasq will
1030 provide proxy-DHCP on the specified subnet. (See --pxe-prompt
1031 and --pxe-service for details.)
1032 For IPv6, the mode may be some combination of ra-only, slaac,
1034 ra-names, ra-stateless, ra-advrouter, off-link.
1035 ra-only tells dnsmasq to offer Router Advertisement only on this
1037 subnet, and not DHCP.
1038 slaac tells dnsmasq to offer Router Advertisement on this subnet
1040 and to set the A bit in the router advertisement, so that the
1041 client will use SLAAC addresses. When used with a DHCP range or
1042 static DHCP address this results in the client having both a
1043 DHCP-assigned and a SLAAC address.
1044 ra-stateless sends router advertisements with the O and A bits
1046 set, and provides a stateless DHCP service. The client will use
1047 a SLAAC address, and use DHCP for other configuration informa‐
1048 tion.
1049 ra-names enables a mode which gives DNS names to dual-stack
1051 hosts which do SLAAC for IPv6. Dnsmasq uses the host's IPv4
1052 lease to derive the name, network segment and MAC address and
1053 assumes that the host will also have an IPv6 address calculated
1054 using the SLAAC algorithm, on the same network segment. The ad‐
1055 dress is pinged, and if a reply is received, an AAAA record is
1056 added to the DNS for this IPv6 address. Note that this is only
1057 happens for directly-connected networks, (not one doing DHCP via
1058 a relay) and it will not work if a host is using privacy exten‐
1059 sions. ra-names can be combined with ra-stateless and slaac.
1060 ra-advrouter enables a mode where router address(es) rather than
1062 prefix(es) are included in the advertisements. This is de‐
1063 scribed in RFC-3775 section 7.2 and is used in mobile IPv6. In
1064 this mode the interval option is also included, as described in
1065 RFC-3775 section 7.3.
1066 off-link tells dnsmasq to advertise the prefix without the on-
1068 link (aka L) bit set.
1069 -G, --dhcp-
1072 host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][tag:<tag>][,<ipaddr>][,<host‐
1073 name>][,<lease_time>][,ignore]
1074 Specify per host parameters for the DHCP server. This allows a
1075 machine with a particular hardware address to be always allo‐
1076 cated the same hostname, IP address and lease time. A hostname
1077 specified like this overrides any supplied by the DHCP client on
1078 the machine. It is also allowable to omit the hardware address
1079 and include the hostname, in which case the IP address and lease
1080 times will apply to any machine claiming that name. For example
1081 --dhcp-host=00:20:e0:3b:13:af,wap,infinite tells dnsmasq to give
1082 the machine with hardware address 00:20:e0:3b:13:af the name
1083 wap, and an infinite DHCP lease. --dhcp-host=lap,192.168.0.199
1084 tells dnsmasq to always allocate the machine lap the IP address
1085 192.168.0.199.
1086 Addresses allocated like this are not constrained to be in the
1088 range given by the --dhcp-range option, but they must be in the
1089 same subnet as some valid dhcp-range. For subnets which don't
1090 need a pool of dynamically allocated addresses, use the "static"
1091 keyword in the --dhcp-range declaration.
1092 It is allowed to use client identifiers (called client DUID in
1094 IPv6-land) rather than hardware addresses to identify hosts by
1095 prefixing with 'id:'. Thus: --dhcp-host=id:01:02:03:04,.....
1096 refers to the host with client identifier 01:02:03:04. It is
1097 also allowed to specify the client ID as text, like this:
1098 --dhcp-host=id:clientidastext,.....
1099 A single --dhcp-host may contain an IPv4 address or one or more
1101 IPv6 addresses, or both. IPv6 addresses must be bracketed by
1102 square brackets thus: --dhcp-host=laptop,[1234::56] IPv6 ad‐
1103 dresses may contain only the host-identifier part: --dhcp-
1104 host=laptop,[::56] in which case they act as wildcards in con‐
1105 structed DHCP ranges, with the appropriate network part in‐
1106 serted. For IPv6, an address may include a prefix length:
1107 --dhcp-host=laptop,[1234:50/126] which (in this case) specifies
1108 four addresses, 1234::50 to 1234::53. This (an the ability to
1109 specify multiple addresses) is useful when a host presents ei‐
1110 ther a consistent name or hardware-ID, but varying DUIDs, since
1111 it allows dnsmasq to honour the static address allocation but
1112 assign a different adddress for each DUID. This typically occurs
1113 when chain netbooting, as each stage of the chain gets in turn
1114 allocates an address.
1115 Note that in IPv6 DHCP, the hardware address may not be avail‐
1117 able, though it normally is for direct-connected clients, or
1118 clients using DHCP relays which support RFC 6939.
1119 For DHCPv4, the special option id:* means "ignore any client-id
1122 and use MAC addresses only." This is useful when a client
1123 presents a client-id sometimes but not others.
1124 If a name appears in /etc/hosts, the associated address can be
1126 allocated to a DHCP lease, but only if a --dhcp-host option
1127 specifying the name also exists. Only one hostname can be given
1128 in a --dhcp-host option, but aliases are possible by using
1129 CNAMEs. (See --cname ).
1130 More than one --dhcp-host can be associated (by name, hardware
1132 address or UID) with a host. Which one is used (and therefore
1133 which address is allocated by DHCP and appears in the DNS) de‐
1134 pends on the subnet on which the host last obtained a DHCP
1135 lease: the --dhcp-host with an address within the subnet is
1136 used. If more than one address is within the subnet, the result
1137 is undefined. A corollary to this is that the name associated
1138 with a host using --dhcp-host does not appear in the DNS until
1139 the host obtains a DHCP lease.
1140 The special keyword "ignore" tells dnsmasq to never offer a DHCP
1143 lease to a machine. The machine can be specified by hardware ad‐
1144 dress, client ID or hostname, for instance --dhcp-
1145 host=00:20:e0:3b:13:af,ignore This is useful when there is an‐
1146 other DHCP server on the network which should be used by some
1147 machines.
1148 The set:<tag> construct sets the tag whenever this --dhcp-host
1150 directive is in use. This can be used to selectively send DHCP
1151 options just for this host. More than one tag can be set in a
1152 --dhcp-host directive (but not in other places where "set:<tag>"
1153 is allowed). When a host matches any --dhcp-host directive (or
1154 one implied by /etc/ethers) then the special tag "known" is set.
1155 This allows dnsmasq to be configured to ignore requests from un‐
1156 known machines using --dhcp-ignore=tag:!known If the host
1157 matches only a --dhcp-host directive which cannot be used be‐
1158 cause it specifies an address on different subnet, the tag
1159 "known-othernet" is set.
1160 The tag:<tag> construct filters which dhcp-host directives are
1162 used. Tagged directives are used in preference to untagged ones.
1163 Ethernet addresses (but not client-ids) may have wildcard bytes,
1165 so for example --dhcp-host=00:20:e0:3b:13:*,ignore will cause
1166 dnsmasq to ignore a range of hardware addresses. Note that the
1167 "*" will need to be escaped or quoted on a command line, but not
1168 in the configuration file.
1169 Hardware addresses normally match any network (ARP) type, but it
1171 is possible to restrict them to a single ARP type by preceding
1172 them with the ARP-type (in HEX) and "-". so --dhcp-
1173 host=06-00:20:e0:3b:13:af,1.2.3.4 will only match a Token-Ring
1174 hardware address, since the ARP-address type for token ring is
1175 6.
1176 As a special case, in DHCPv4, it is possible to include more
1178 than one hardware address. eg: --dhcp-
1179 host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2 This allows
1180 an IP address to be associated with multiple hardware addresses,
1181 and gives dnsmasq permission to abandon a DHCP lease to one of
1182 the hardware addresses when another one asks for a lease. Beware
1183 that this is a dangerous thing to do, it will only work reliably
1184 if only one of the hardware addresses is active at any time and
1185 there is no way for dnsmasq to enforce this. It is, for in‐
1186 stance, useful to allocate a stable IP address to a laptop which
1187 has both wired and wireless interfaces.
1188 --dhcp-hostsfile=<path>
1190 Read DHCP host information from the specified file. If a direc‐
1191 tory is given, then read all the files contained in that direc‐
1192 tory. The file contains information about one host per line. The
1193 format of a line is the same as text to the right of '=' in
1194 --dhcp-host. The advantage of storing DHCP host information in
1195 this file is that it can be changed without re-starting dnsmasq:
1196 the file will be re-read when dnsmasq receives SIGHUP.
1197 --dhcp-optsfile=<path>
1199 Read DHCP option information from the specified file. If a di‐
1200 rectory is given, then read all the files contained in that di‐
1201 rectory. The advantage of using this option is the same as for
1202 --dhcp-hostsfile: the --dhcp-optsfile will be re-read when dns‐
1203 masq receives SIGHUP. Note that it is possible to encode the in‐
1204 formation in a --dhcp-boot flag as DHCP options, using the op‐
1205 tions names bootfile-name, server-ip-address and tftp-server.
1206 This allows these to be included in a --dhcp-optsfile.
1207 --dhcp-hostsdir=<path>
1209 This is equivalent to --dhcp-hostsfile, except for the follow‐
1210 ing. The path MUST be a directory, and not an individual file.
1211 Changed or new files within the directory are read automati‐
1212 cally, without the need to send SIGHUP. If a file is deleted or
1213 changed after it has been read by dnsmasq, then the host record
1214 it contained will remain until dnsmasq receives a SIGHUP, or is
1215 restarted; ie host records are only added dynamically.
1216 --dhcp-optsdir=<path>
1218 This is equivalent to --dhcp-optsfile, with the differences
1219 noted for --dhcp-hostsdir.
1220 -Z, --read-ethers
1222 Read /etc/ethers for information about hosts for the DHCP
1223 server. The format of /etc/ethers is a hardware address, fol‐
1224 lowed by either a hostname or dotted-quad IP address. When read
1225 by dnsmasq these lines have exactly the same effect as --dhcp-
1226 host options containing the same information. /etc/ethers is re-
1227 read when dnsmasq receives SIGHUP. IPv6 addresses are NOT read
1228 from /etc/ethers.
1229 -O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<en‐
1231 terprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>|op‐
1232 tion6:<opt>|option6:<opt-name>],[<value>[,<value>]]
1233 Specify different or extra options to DHCP clients. By default,
1234 dnsmasq sends some standard options to DHCP clients, the netmask
1235 and broadcast address are set to the same as the host running
1236 dnsmasq, and the DNS server and default route are set to the ad‐
1237 dress of the machine running dnsmasq. (Equivalent rules apply
1238 for IPv6.) If the domain name option has been set, that is sent.
1239 This configuration allows these defaults to be overridden, or
1240 other options specified. The option, to be sent may be given as
1241 a decimal number or as "option:<option-name>" The option numbers
1242 are specified in RFC2132 and subsequent RFCs. The set of option-
1243 names known by dnsmasq can be discovered by running "dnsmasq
1244 --help dhcp". For example, to set the default route option to
1245 192.168.4.4, do --dhcp-option=3,192.168.4.4 or --dhcp-option =
1246 option:router, 192.168.4.4 and to set the time-server address to
1247 192.168.0.4, do --dhcp-option = 42,192.168.0.4 or --dhcp-option
1248 = option:ntp-server, 192.168.0.4 The special address 0.0.0.0 is
1249 taken to mean "the address of the machine running dnsmasq".
1250 Data types allowed are comma separated dotted-quad IPv4 ad‐
1252 dresses, []-wrapped IPv6 addresses, a decimal number, colon-sep‐
1253 arated hex digits and a text string. If the optional tags are
1254 given then this option is only sent when all the tags are
1255 matched.
1256 Special processing is done on a text argument for option 119, to
1258 conform with RFC 3397. Text or dotted-quad IP addresses as argu‐
1259 ments to option 120 are handled as per RFC 3361. Dotted-quad IP
1260 addresses which are followed by a slash and then a netmask size
1261 are encoded as described in RFC 3442.
1262 IPv6 options are specified using the option6: keyword, followed
1264 by the option number or option name. The IPv6 option name space
1265 is disjoint from the IPv4 option name space. IPv6 addresses in
1266 options must be bracketed with square brackets, eg. --dhcp-op‐
1267 tion=option6:ntp-server,[1234::56] For IPv6, [::] means "the
1268 global address of the machine running dnsmasq", whilst [fd00::]
1269 is replaced with the ULA, if it exists, and [fe80::] with the
1270 link-local address.
1271 Be careful: no checking is done that the correct type of data
1273 for the option number is sent, it is quite possible to persuade
1274 dnsmasq to generate illegal DHCP packets with injudicious use of
1275 this flag. When the value is a decimal number, dnsmasq must de‐
1276 termine how large the data item is. It does this by examining
1277 the option number and/or the value, but can be overridden by ap‐
1278 pending a single letter flag as follows: b = one byte, s = two
1279 bytes, i = four bytes. This is mainly useful with encapsulated
1280 vendor class options (see below) where dnsmasq cannot determine
1281 data size from the option number. Option data which consists
1282 solely of periods and digits will be interpreted by dnsmasq as
1283 an IP address, and inserted into an option as such. To force a
1284 literal string, use quotes. For instance when using option 66 to
1285 send a literal IP address as TFTP server name, it is necessary
1286 to do --dhcp-option=66,"1.2.3.4"
1287 Encapsulated Vendor-class options may also be specified (IPv4
1289 only) using --dhcp-option: for instance --dhcp-option=vendor:PX‐
1290 EClient,1,0.0.0.0 sends the encapsulated vendor class-specific
1291 option "mftp-address=0.0.0.0" to any client whose vendor-class
1292 matches "PXEClient". The vendor-class matching is substring
1293 based (see --dhcp-vendorclass for details). If a vendor-class
1294 option (number 60) is sent by dnsmasq, then that is used for se‐
1295 lecting encapsulated options in preference to any sent by the
1296 client. It is possible to omit the vendorclass completely;
1297 --dhcp-option=vendor:,1,0.0.0.0 in which case the encapsulated
1298 option is always sent.
1299 Options may be encapsulated (IPv4 only) within other options:
1301 for instance --dhcp-option=encap:175, 190, iscsi-client0 will
1302 send option 175, within which is the option 190. If multiple op‐
1303 tions are given which are encapsulated with the same option num‐
1304 ber then they will be correctly combined into one encapsulated
1305 option. encap: and vendor: are may not both be set in the same
1306 --dhcp-option.
1307 The final variant on encapsulated options is "Vendor-Identifying
1309 Vendor Options" as specified by RFC3925. These are denoted like
1310 this: --dhcp-option=vi-encap:2, 10, text The number in the vi-
1311 encap: section is the IANA enterprise number used to identify
1312 this option. This form of encapsulation is supported in IPv6.
1313 The address 0.0.0.0 is not treated specially in encapsulated op‐
1315 tions.
1316 --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-en‐
1318 cap:<enterprise>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
1319 This works in exactly the same way as --dhcp-option except that
1320 the option will always be sent, even if the client does not ask
1321 for it in the parameter request list. This is sometimes needed,
1322 for example when sending options to PXELinux.
1323 --dhcp-no-override
1325 (IPv4 only) Disable re-use of the DHCP servername and filename
1326 fields as extra option space. If it can, dnsmasq moves the boot
1327 server and filename information (from --dhcp-boot) out of their
1328 dedicated fields into DHCP options. This make extra space avail‐
1329 able in the DHCP packet for options but can, rarely, confuse old
1330 or broken clients. This flag forces "simple and safe" behaviour
1331 to avoid problems in such a case.
1332 --dhcp-relay=<local address>,<server address>[,<interface]
1334 Configure dnsmasq to do DHCP relay. The local address is an ad‐
1335 dress allocated to an interface on the host running dnsmasq. All
1336 DHCP requests arriving on that interface will we relayed to a
1337 remote DHCP server at the server address. It is possible to re‐
1338 lay from a single local address to multiple remote servers by
1339 using multiple --dhcp-relay configs with the same local address
1340 and different server addresses. A server address must be an IP
1341 literal address, not a domain name. In the case of DHCPv6, the
1342 server address may be the ALL_SERVERS multicast address,
1343 ff05::1:3. In this case the interface must be given, not be
1344 wildcard, and is used to direct the multicast to the correct in‐
1345 terface to reach the DHCP server.
1346 Access control for DHCP clients has the same rules as for the
1348 DHCP server, see --interface, --except-interface, etc. The op‐
1349 tional interface name in the --dhcp-relay config has a different
1350 function: it controls on which interface DHCP replies from the
1351 server will be accepted. This is intended for configurations
1352 which have three interfaces: one being relayed from, a second
1353 connecting the DHCP server, and a third untrusted network, typi‐
1354 cally the wider internet. It avoids the possibility of spoof
1355 replies arriving via this third interface.
1356 It is allowed to have dnsmasq act as a DHCP server on one set of
1358 interfaces and relay from a disjoint set of interfaces. Note
1359 that whilst it is quite possible to write configurations which
1360 appear to act as a server and a relay on the same interface,
1361 this is not supported: the relay function will take precedence.
1362 Both DHCPv4 and DHCPv6 relay is supported. It's not possible to
1364 relay DHCPv4 to a DHCPv6 server or vice-versa.
1365 -U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise num‐
1367 ber>,]<vendor-class>
1368 Map from a vendor-class string to a tag. Most DHCP clients pro‐
1369 vide a "vendor class" which represents, in some sense, the type
1370 of host. This option maps vendor classes to tags, so that DHCP
1371 options may be selectively delivered to different classes of
1372 hosts. For example --dhcp-vendorclass=set:printers,Hewlett-
1373 Packard JetDirect will allow options to be set only for HP
1374 printers like so: --dhcp-option=tag:printers,3,192.168.4.4 The
1375 vendor-class string is substring matched against the vendor-
1376 class supplied by the client, to allow fuzzy matching. The set:
1377 prefix is optional but allowed for consistency.
1378 Note that in IPv6 only, vendorclasses are namespaced with an
1380 IANA-allocated enterprise number. This is given with enterprise:
1381 keyword and specifies that only vendorclasses matching the spec‐
1382 ified number should be searched.
1383 -j, --dhcp-userclass=set:<tag>,<user-class>
1385 Map from a user-class string to a tag (with substring matching,
1386 like vendor classes). Most DHCP clients provide a "user class"
1387 which is configurable. This option maps user classes to tags, so
1388 that DHCP options may be selectively delivered to different
1389 classes of hosts. It is possible, for instance to use this to
1390 set a different printer server for hosts in the class "accounts"
1391 than for hosts in the class "engineering".
1392 -4, --dhcp-mac=set:<tag>,<MAC address>
1394 Map from a MAC address to a tag. The MAC address may include
1395 wildcards. For example --dhcp-mac=set:3com,01:34:23:*:*:* will
1396 set the tag "3com" for any host whose MAC address matches the
1397 pattern.
1398 --dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-remoteid=set:<tag>,<re‐
1400 mote-id>
1401 Map from RFC3046 relay agent options to tags. This data may be
1402 provided by DHCP relay agents. The circuit-id or remote-id is
1403 normally given as colon-separated hex, but is also allowed to be
1404 a simple string. If an exact match is achieved between the cir‐
1405 cuit or agent ID and one provided by a relay agent, the tag is
1406 set.
1407 --dhcp-remoteid (but not --dhcp-circuitid) is supported in IPv6.
1409 --dhcp-subscrid=set:<tag>,<subscriber-id>
1411 (IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent op‐
1412 tions to tags.
1413 --dhcp-proxy[=<ip addr>]......
1415 (IPv4 only) A normal DHCP relay agent is only used to forward
1416 the initial parts of a DHCP interaction to the DHCP server. Once
1417 a client is configured, it communicates directly with the
1418 server. This is undesirable if the relay agent is adding extra
1419 information to the DHCP packets, such as that used by --dhcp-
1420 circuitid and --dhcp-remoteid. A full relay implementation can
1421 use the RFC 5107 serverid-override option to force the DHCP
1422 server to use the relay as a full proxy, with all packets pass‐
1423 ing through it. This flag provides an alternative method of do‐
1424 ing the same thing, for relays which don't support RFC 5107.
1425 Given alone, it manipulates the server-id for all interactions
1426 via relays. If a list of IP addresses is given, only interac‐
1427 tions via relays at those addresses are affected.
1428 --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-en‐
1430 cap:<enterprise>[,<value>]
1431 Without a value, set the tag if the client sends a DHCP option
1432 of the given number or name. When a value is given, set the tag
1433 only if the option is sent and matches the value. The value may
1434 be of the form "01:ff:*:02" in which case the value must match
1435 (apart from wildcards) but the option sent may have unmatched
1436 data past the end of the value. The value may also be of the
1437 same form as in --dhcp-option in which case the option sent is
1438 treated as an array, and one element must match, so --dhcp-
1439 match=set:efi-ia32,option:client-arch,6 will set the tag "efi-
1440 ia32" if the the number 6 appears in the list of architectures
1441 sent by the client in option 93. (See RFC 4578 for details.) If
1442 the value is a string, substring matching is used.
1443 The special form with vi-encap:<enterprise number> matches
1445 against vendor-identifying vendor classes for the specified en‐
1446 terprise. Please see RFC 3925 for more details of these rare and
1447 interesting beasts.
1448 --dhcp-name-match=set:<tag>,<name>[*]
1450 Set the tag if the given name is supplied by a DHCP client.
1451 There may be a single trailing wildcard *, which has the usual
1452 meaning. Combined with dhcp-ignore or dhcp-ignore-names this
1453 gives the ability to ignore certain clients by name, or disallow
1454 certain hostnames from being claimed by a client.
1455 --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
1457 Perform boolean operations on tags. Any tag appearing as
1458 set:<tag> is set if all the tags which appear as tag:<tag> are
1459 set, (or unset when tag:!<tag> is used) If no tag:<tag> appears
1460 set:<tag> tags are set unconditionally. Any number of set: and
1461 tag: forms may appear, in any order. --tag-if lines are exe‐
1462 cuted in order, so if the tag in tag:<tag> is a tag set by an‐
1463 other --tag-if, the line which sets the tag must precede the one
1464 which tests it.
1465 -J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
1467 When all the given tags appear in the tag set ignore the host
1468 and do not allocate it a DHCP lease.
1469 --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
1471 When all the given tags appear in the tag set, ignore any host‐
1472 name provided by the host. Note that, unlike --dhcp-ignore, it
1473 is permissible to supply no tags, in which case DHCP-client sup‐
1474 plied hostnames are always ignored, and DHCP hosts are added to
1475 the DNS using only --dhcp-host configuration in dnsmasq and the
1476 contents of /etc/hosts and /etc/ethers.
1477 --dhcp-generate-names=tag:<tag>[,tag:<tag>]
1479 (IPv4 only) Generate a name for DHCP clients which do not other‐
1480 wise have one, using the MAC address expressed in hex, separated
1481 by dashes. Note that if a host provides a name, it will be used
1482 by preference to this, unless --dhcp-ignore-names is set.
1483 --dhcp-broadcast[=tag:<tag>[,tag:<tag>]]
1485 (IPv4 only) When all the given tags appear in the tag set, al‐
1486 ways use broadcast to communicate with the host when it is un‐
1487 configured. It is permissible to supply no tags, in which case
1488 this is unconditional. Most DHCP clients which need broadcast
1489 replies set a flag in their requests so that this happens auto‐
1490 matically, some old BOOTP clients do not.
1491 -M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server ad‐
1493 dress>|<tftp_servername>]]
1494 (IPv4 only) Set BOOTP options to be returned by the DHCP server.
1495 Server name and address are optional: if not provided, the name
1496 is left empty, and the address set to the address of the machine
1497 running dnsmasq. If dnsmasq is providing a TFTP service (see
1498 --enable-tftp ) then only the filename is required here to en‐
1499 able network booting. If the optional tag(s) are given, they
1500 must match for this configuration to be sent. Instead of an IP
1501 address, the TFTP server address can be given as a domain name
1502 which is looked up in /etc/hosts. This name can be associated in
1503 /etc/hosts with multiple IP addresses, which are used round-
1504 robin. This facility can be used to load balance the tftp load
1505 among a set of servers.
1506 --dhcp-sequential-ip
1508 Dnsmasq is designed to choose IP addresses for DHCP clients us‐
1509 ing a hash of the client's MAC address. This normally allows a
1510 client's address to remain stable long-term, even if the client
1511 sometimes allows its DHCP lease to expire. In this default mode
1512 IP addresses are distributed pseudo-randomly over the entire
1513 available address range. There are sometimes circumstances (typ‐
1514 ically server deployment) where it is more convenient to have IP
1515 addresses allocated sequentially, starting from the lowest
1516 available address, and setting this flag enables this mode. Note
1517 that in the sequential mode, clients which allow a lease to ex‐
1518 pire are much more likely to move IP address; for this reason it
1519 should not be generally used.
1520 --dhcp-ignore-clid
1522 Dnsmasq is reading 'client identifier' (RFC 2131) option sent by
1523 clients (if available) to identify clients. This allow to serve
1524 same IP address for a host using several interfaces. Use this
1525 option to disable 'client identifier' reading, i.e. to always
1526 identify a host using the MAC address.
1527 --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservice‐
1529 type>][,<server address>|<server_name>]
1530 Most uses of PXE boot-ROMS simply allow the PXE system to obtain
1531 an IP address and then download the file specified by --dhcp-
1532 boot and execute it. However the PXE system is capable of more
1533 complex functions when supported by a suitable DHCP server.
1534 This specifies a boot option which may appear in a PXE boot
1536 menu. <CSA> is client system type, only services of the correct
1537 type will appear in a menu. The known types are x86PC, PC98,
1538 IA64_EFI, Alpha, Arc_x86, Intel_Lean_Client, IA32_EFI,
1539 x86-64_EFI, Xscale_EFI, BC_EFI, ARM32_EFI and ARM64_EFI; an in‐
1540 teger may be used for other types. The parameter after the menu
1541 text may be a file name, in which case dnsmasq acts as a boot
1542 server and directs the PXE client to download the file by TFTP,
1543 either from itself ( --enable-tftp must be set for this to work)
1544 or another TFTP server if the final server address/name is
1545 given. Note that the "layer" suffix (normally ".0") is supplied
1546 by PXE, and need not be added to the basename. Alternatively,
1547 the basename may be a filename, complete with suffix, in which
1548 case no layer suffix is added. If an integer boot service type,
1549 rather than a basename is given, then the PXE client will search
1550 for a suitable boot service for that type on the network. This
1551 search may be done by broadcast, or direct to a server if its IP
1552 address/name is provided. If no boot service type or filename
1553 is provided (or a boot service type of 0 is specified) then the
1554 menu entry will abort the net boot procedure and continue boot‐
1555 ing from local media. The server address can be given as a do‐
1556 main name which is looked up in /etc/hosts. This name can be as‐
1557 sociated in /etc/hosts with multiple IP addresses, which are
1558 used round-robin.
1559 --pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]
1561 Setting this provides a prompt to be displayed after PXE boot.
1562 If the timeout is given then after the timeout has elapsed with
1563 no keyboard input, the first available menu option will be auto‐
1564 matically executed. If the timeout is zero then the first avail‐
1565 able menu item will be executed immediately. If --pxe-prompt is
1566 omitted the system will wait for user input if there are multi‐
1567 ple items in the menu, but boot immediately if there is only
1568 one. See --pxe-service for details of menu items.
1569 Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP
1571 server on the network is responsible for allocating IP ad‐
1572 dresses, and dnsmasq simply provides the information given in
1573 --pxe-prompt and --pxe-service to allow netbooting. This mode is
1574 enabled using the proxy keyword in --dhcp-range.
1575 --dhcp-pxe-vendor=<vendor>[,...]
1577 According to UEFI and PXE specifications, DHCP packets between
1578 PXE clients and proxy PXE servers should have PXEClient in their
1579 vendor-class field. However, the firmware of computers from a
1580 few vendors is customized to carry a different identifier in
1581 that field. This option is used to consider such identifiers
1582 valid for identifying PXE clients. For instance
1583 --dhcp-pxe-vendor=PXEClient,HW-Client
1585 will enable dnsmasq to also provide proxy PXE service to those
1587 PXE clients with HW-Client in as their identifier. >>>>>>>
1588 907def3... pxe: support pxe clients with custom vendor-class
1589 -X, --dhcp-lease-max=<number>
1591 Limits dnsmasq to the specified maximum number of DHCP leases.
1592 The default is 1000. This limit is to prevent DoS attacks from
1593 hosts which create thousands of leases and use lots of memory in
1594 the dnsmasq process.
1595 -K, --dhcp-authoritative
1597 Should be set when dnsmasq is definitely the only DHCP server on
1598 a network. For DHCPv4, it changes the behaviour from strict RFC
1599 compliance so that DHCP requests on unknown leases from unknown
1600 hosts are not ignored. This allows new hosts to get a lease
1601 without a tedious timeout under all circumstances. It also al‐
1602 lows dnsmasq to rebuild its lease database without each client
1603 needing to reacquire a lease, if the database is lost. For
1604 DHCPv6 it sets the priority in replies to 255 (the maximum) in‐
1605 stead of 0 (the minimum).
1606 --dhcp-rapid-commit
1608 Enable DHCPv4 Rapid Commit Option specified in RFC 4039. When
1609 enabled, dnsmasq will respond to a DHCPDISCOVER message includ‐
1610 ing a Rapid Commit option with a DHCPACK including a Rapid Com‐
1611 mit option and fully committed address and configuration infor‐
1612 mation. Should only be enabled if either the server is the only
1613 server for the subnet, or multiple servers are present and they
1614 each commit a binding for all clients.
1615 --dhcp-alternate-port[=<server port>[,<client port>]]
1617 (IPv4 only) Change the ports used for DHCP from the default. If
1618 this option is given alone, without arguments, it changes the
1619 ports used for DHCP from 67 and 68 to 1067 and 1068. If a single
1620 argument is given, that port number is used for the server and
1621 the port number plus one used for the client. Finally, two port
1622 numbers allows arbitrary specification of both server and client
1623 ports for DHCP.
1624 -3, --bootp-dynamic[=<network-id>[,<network-id>]]
1626 (IPv4 only) Enable dynamic allocation of IP addresses to BOOTP
1627 clients. Use this with care, since each address allocated to a
1628 BOOTP client is leased forever, and therefore becomes perma‐
1629 nently unavailable for re-use by other hosts. if this is given
1630 without tags, then it unconditionally enables dynamic alloca‐
1631 tion. With tags, only when the tags are all set. It may be re‐
1632 peated with different tag sets.
1633 -5, --no-ping
1635 (IPv4 only) By default, the DHCP server will attempt to ensure
1636 that an address is not in use before allocating it to a host. It
1637 does this by sending an ICMP echo request (aka "ping") to the
1638 address in question. If it gets a reply, then the address must
1639 already be in use, and another is tried. This flag disables this
1640 check. Use with caution.
1641 --log-dhcp
1643 Extra logging for DHCP: log all the options sent to DHCP clients
1644 and the tags used to determine them.
1645 --quiet-dhcp, --quiet-dhcp6, --quiet-ra
1647 Suppress logging of the routine operation of these protocols.
1648 Errors and problems will still be logged. --quiet-dhcp and
1649 quiet-dhcp6 are over-ridden by --log-dhcp.
1650 -l, --dhcp-leasefile=<path>
1652 Use the specified file to store DHCP lease information.
1653 --dhcp-duid=<enterprise-id>,<uid>
1655 (IPv6 only) Specify the server persistent UID which the DHCPv6
1656 server will use. This option is not normally required as dnsmasq
1657 creates a DUID automatically when it is first needed. When
1658 given, this option provides dnsmasq the data required to create
1659 a DUID-EN type DUID. Note that once set, the DUID is stored in
1660 the lease database, so to change between DUID-EN and automati‐
1661 cally created DUIDs or vice-versa, the lease database must be
1662 re-initialised. The enterprise-id is assigned by IANA, and the
1663 uid is a string of hex octets unique to a particular device.
1664 -6 --dhcp-script=<path>
1666 Whenever a new DHCP lease is created, or an old one destroyed,
1667 or a TFTP file transfer completes, the executable specified by
1668 this option is run. <path> must be an absolute pathname, no
1669 PATH search occurs. The arguments to the process are "add",
1670 "old" or "del", the MAC address of the host (or DUID for IPv6) ,
1671 the IP address, and the hostname, if known. "add" means a lease
1672 has been created, "del" means it has been destroyed, "old" is a
1673 notification of an existing lease when dnsmasq starts or a
1674 change to MAC address or hostname of an existing lease (also,
1675 lease length or expiry and client-id, if --leasefile-ro is set
1676 and lease expiry if --script-on-renewal is set). If the MAC ad‐
1677 dress is from a network type other than ethernet, it will have
1678 the network type prepended, eg "06-01:23:45:67:89:ab" for token
1679 ring. The process is run as root (assuming that dnsmasq was
1680 originally run as root) even if dnsmasq is configured to change
1681 UID to an unprivileged user.
1682 The environment is inherited from the invoker of dnsmasq, with
1684 some or all of the following variables added
1685 For both IPv4 and IPv6:
1687 DNSMASQ_DOMAIN if the fully-qualified domain name of the host is
1689 known, this is set to the domain part. (Note that the hostname
1690 passed to the script as an argument is never fully-qualified.)
1691 If the client provides a hostname, DNSMASQ_SUPPLIED_HOSTNAME
1693 If the client provides user-classes, DNSMASQ_USER_CLASS0..DNS‐
1695 MASQ_USER_CLASSn
1696 If dnsmasq was compiled with HAVE_BROKEN_RTC, then the length of
1698 the lease (in seconds) is stored in DNSMASQ_LEASE_LENGTH, other‐
1699 wise the time of lease expiry is stored in DNSMASQ_LEASE_EX‐
1700 PIRES. The number of seconds until lease expiry is always stored
1701 in DNSMASQ_TIME_REMAINING.
1702 If a lease used to have a hostname, which is removed, an "old"
1704 event is generated with the new state of the lease, ie no name,
1705 and the former name is provided in the environment variable DNS‐
1706 MASQ_OLD_HOSTNAME.
1707 DNSMASQ_INTERFACE stores the name of the interface on which the
1709 request arrived; this is not set for "old" actions when dnsmasq
1710 restarts.
1711 DNSMASQ_RELAY_ADDRESS is set if the client used a DHCP relay to
1713 contact dnsmasq and the IP address of the relay is known.
1714 DNSMASQ_TAGS contains all the tags set during the DHCP transac‐
1716 tion, separated by spaces.
1717 DNSMASQ_LOG_DHCP is set if --log-dhcp is in effect.
1719 For IPv4 only:
1721 DNSMASQ_CLIENT_ID if the host provided a client-id.
1723 DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID, DNSMASQ_REMOTE_ID if
1725 a DHCP relay-agent added any of these options.
1726 If the client provides vendor-class, DNSMASQ_VENDOR_CLASS.
1728 DNSMASQ_REQUESTED_OPTIONS a string containing the decimal values
1730 in the Parameter Request List option, comma separated, if the
1731 parameter request list option is provided by the client.
1732 For IPv6 only:
1734 If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID,
1736 containing the IANA enterprise id for the class, and DNS‐
1737 MASQ_VENDOR_CLASS0..DNSMASQ_VENDOR_CLASSn for the data.
1738 DNSMASQ_SERVER_DUID containing the DUID of the server: this is
1740 the same for every call to the script.
1741 DNSMASQ_IAID containing the IAID for the lease. If the lease is
1743 a temporary allocation, this is prefixed to 'T'.
1744 DNSMASQ_MAC containing the MAC address of the client, if known.
1746 Note that the supplied hostname, vendorclass and userclass data
1748 is only supplied for "add" actions or "old" actions when a host
1749 resumes an existing lease, since these data are not held in dns‐
1750 masq's lease database.
1751 All file descriptors are closed except stdin, which is open to
1755 /dev/null, and stdout and stderr which capture output for log‐
1756 ging by dnsmasq. (In debug mode, stdio, stdout and stderr file
1757 are left as those inherited from the invoker of dnsmasq).
1758 The script is not invoked concurrently: at most one instance of
1760 the script is ever running (dnsmasq waits for an instance of
1761 script to exit before running the next). Changes to the lease
1762 database are which require the script to be invoked are queued
1763 awaiting exit of a running instance. If this queueing allows
1764 multiple state changes occur to a single lease before the script
1765 can be run then earlier states are discarded and the current
1766 state of that lease is reflected when the script finally runs.
1767 At dnsmasq startup, the script will be invoked for all existing
1769 leases as they are read from the lease file. Expired leases will
1770 be called with "del" and others with "old". When dnsmasq re‐
1771 ceives a HUP signal, the script will be invoked for existing
1772 leases with an "old" event.
1773 There are four further actions which may appear as the first ar‐
1776 gument to the script, "init", "arp-add", "arp-del" and "tftp".
1777 More may be added in the future, so scripts should be written to
1778 ignore unknown actions. "init" is described below in --lease‐
1779 file-ro The "tftp" action is invoked when a TFTP file transfer
1780 completes: the arguments are the file size in bytes, the address
1781 to which the file was sent, and the complete pathname of the
1782 file.
1783 The "arp-add" and "arp-del" actions are only called if enabled
1785 with --script-arp They are are supplied with a MAC address and
1786 IP address as arguments. "arp-add" indicates the arrival of a
1787 new entry in the ARP or neighbour table, and "arp-del" indicates
1788 the deletion of same.
1789 --dhcp-luascript=<path>
1792 Specify a script written in Lua, to be run when leases are cre‐
1793 ated, destroyed or changed. To use this option, dnsmasq must be
1794 compiled with the correct support. The Lua interpreter is ini‐
1795 tialised once, when dnsmasq starts, so that global variables
1796 persist between lease events. The Lua code must define a lease
1797 function, and may provide init and shutdown functions, which are
1798 called, without arguments when dnsmasq starts up and terminates.
1799 It may also provide a tftp function.
1800 The lease function receives the information detailed in --dhcp-
1802 script. It gets two arguments, firstly the action, which is a
1803 string containing, "add", "old" or "del", and secondly a table
1804 of tag value pairs. The tags mostly correspond to the environ‐
1805 ment variables detailed above, for instance the tag "domain"
1806 holds the same data as the environment variable DNSMASQ_DOMAIN.
1807 There are a few extra tags which hold the data supplied as argu‐
1808 ments to --dhcp-script. These are mac_address, ip_address and
1809 hostname for IPv4, and client_duid, ip_address and hostname for
1810 IPv6.
1811 The tftp function is called in the same way as the lease func‐
1813 tion, and the table holds the tags destination_address,
1814 file_name and file_size.
1815 The arp and arp-old functions are called only when enabled with
1817 --script-arp and have a table which holds the tags mac_address
1818 and client_address.
1819 --dhcp-scriptuser
1821 Specify the user as which to run the lease-change script or Lua
1822 script. This defaults to root, but can be changed to another
1823 user using this flag.
1824 --script-arp
1826 Enable the "arp" and "arp-old" functions in the --dhcp-script
1827 and --dhcp-luascript.
1828 -9, --leasefile-ro
1830 Completely suppress use of the lease database file. The file
1831 will not be created, read, or written. Change the way the lease-
1832 change script (if one is provided) is called, so that the lease
1833 database may be maintained in external storage by the script. In
1834 addition to the invocations given in --dhcp-script the lease-
1835 change script is called once, at dnsmasq startup, with the sin‐
1836 gle argument "init". When called like this the script should
1837 write the saved state of the lease database, in dnsmasq lease‐
1838 file format, to stdout and exit with zero exit code. Setting
1839 this option also forces the leasechange script to be called on
1840 changes to the client-id and lease length and expiry time.
1841 --script-on-renewal
1843 Call the DHCP script when the lease expiry time changes, for in‐
1844 stance when the lease is renewed.
1845 --bridge-interface=<interface>,<alias>[,<alias>]
1847 Treat DHCP (v4 and v6) requests and IPv6 Router Solicit packets
1848 arriving at any of the <alias> interfaces as if they had arrived
1849 at <interface>. This option allows dnsmasq to provide DHCP and
1850 RA service over unaddressed and unbridged Ethernet interfaces,
1851 e.g. on an OpenStack compute host where each such interface is a
1852 TAP interface to a VM, or as in "old style bridging" on BSD
1853 platforms. A trailing '*' wildcard can be used in each <alias>.
1854 It is permissible to add more than one alias using more than one
1856 --bridge-interface option since --bridge-inter‐
1857 face=int1,alias1,alias2 is exactly equivalent to --bridge-inter‐
1858 face=int1,alias1 --bridge-interface=int1,alias2
1859 --shared-network=<interface>,<addr>
1861 --shared-network=<addr>,<addr>
1862 The DHCP server determines which DHCP ranges are useable for al‐
1863 locating an address to a DHCP client based on the network from
1864 which the DHCP request arrives, and the IP configuration of the
1865 server's interface on that network. The shared-network option
1866 extends the available subnets (and therefore DHCP ranges) beyond
1867 the subnets configured on the arrival interface.
1868 The first argument is either the name of an interface, or an ad‐
1870 dress that is configured on a local interface, and the second
1871 argument is an address which defines another subnet on which ad‐
1872 dresses can be allocated.
1873 To be useful, there must be a suitable dhcp-range which allows
1875 address allocation on this subnet and this dhcp-range MUST in‐
1876 clude the netmask.
1877 Using shared-network also needs extra consideration of routing.
1879 Dnsmasq does not have the usual information that it uses to de‐
1880 termine the default route, so the default route option (or other
1881 routing) MUST be configured manually. The client must have a
1882 route to the server: if the two-address form of shared-network
1883 is used, this needs to be to the first specified address. If the
1884 interface,address form is used, there must be a route to all of
1885 the addresses configured on the interface.
1886 The two-address form of shared-network is also usable with a
1888 DHCP relay: the first address is the address of the relay and
1889 the second, as before, specifies an extra subnet which addresses
1890 may be allocated from.
1891 -s, --domain=<domain>[,<address range>[,local]]
1894 Specifies DNS domains for the DHCP server. Domains may be be
1895 given unconditionally (without the IP range) or for limited IP
1896 ranges. This has two effects; firstly it causes the DHCP server
1897 to return the domain to any hosts which request it, and secondly
1898 it sets the domain which it is legal for DHCP-configured hosts
1899 to claim. The intention is to constrain hostnames so that an un‐
1900 trusted host on the LAN cannot advertise its name via DHCP as
1901 e.g. "microsoft.com" and capture traffic not meant for it. If no
1902 domain suffix is specified, then any DHCP hostname with a domain
1903 part (ie with a period) will be disallowed and logged. If suffix
1904 is specified, then hostnames with a domain part are allowed,
1905 provided the domain part matches the suffix. In addition, when a
1906 suffix is set then hostnames without a domain part have the suf‐
1907 fix added as an optional domain part. Eg on my network I can set
1908 --domain=thekelleys.org.uk and have a machine whose DHCP host‐
1909 name is "laptop". The IP address for that machine is available
1910 from dnsmasq both as "laptop" and "laptop.thekelleys.org.uk". If
1911 the domain is given as "#" then the domain is read from the
1912 first "search" directive in /etc/resolv.conf (or equivalent).
1913 The address range can be of the form <ip address>,<ip address>
1915 or <ip address>/<netmask> or just a single <ip address>. See
1916 --dhcp-fqdn which can change the behaviour of dnsmasq with do‐
1917 mains.
1918 If the address range is given as ip-address/network-size, then a
1920 additional flag "local" may be supplied which has the effect of
1921 adding --local declarations for forward and reverse DNS queries.
1922 Eg. --domain=thekelleys.org.uk,192.168.0.0/24,local is identi‐
1923 cal to --domain=thekelleys.org.uk,192.168.0.0/24 --lo‐
1924 cal=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/ The
1925 network size must be 8, 16 or 24 for this to be legal.
1926 --dhcp-fqdn
1928 In the default mode, dnsmasq inserts the unqualified names of
1929 DHCP clients into the DNS. For this reason, the names must be
1930 unique, even if two clients which have the same name are in dif‐
1931 ferent domains. If a second DHCP client appears which has the
1932 same name as an existing client, the name is transferred to the
1933 new client. If --dhcp-fqdn is set, this behaviour changes: the
1934 unqualified name is no longer put in the DNS, only the qualified
1935 name. Two DHCP clients with the same name may both keep the
1936 name, provided that the domain part is different (ie the fully
1937 qualified names differ.) To ensure that all names have a domain
1938 part, there must be at least --domain without an address speci‐
1939 fied when --dhcp-fqdn is set.
1940 --dhcp-client-update
1942 Normally, when giving a DHCP lease, dnsmasq sets flags in the
1943 FQDN option to tell the client not to attempt a DDNS update with
1944 its name and IP address. This is because the name-IP pair is au‐
1945 tomatically added into dnsmasq's DNS view. This flag suppresses
1946 that behaviour, this is useful, for instance, to allow Windows
1947 clients to update Active Directory servers. See RFC 4702 for de‐
1948 tails.
1949 --enable-ra
1951 Enable dnsmasq's IPv6 Router Advertisement feature. DHCPv6
1952 doesn't handle complete network configuration in the same way as
1953 DHCPv4. Router discovery and (possibly) prefix discovery for au‐
1954 tonomous address creation are handled by a different protocol.
1955 When DHCP is in use, only a subset of this is needed, and dns‐
1956 masq can handle it, using existing DHCP configuration to provide
1957 most data. When RA is enabled, dnsmasq will advertise a prefix
1958 for each --dhcp-range, with default router as the relevant
1959 link-local address on the machine running dnsmasq. By default,
1960 the "managed address" bits are set, and the "use SLAAC" bit is
1961 reset. This can be changed for individual subnets with the mode
1962 keywords described in --dhcp-range. RFC6106 DNS parameters are
1963 included in the advertisements. By default, the relevant link-
1964 local address of the machine running dnsmasq is sent as recur‐
1965 sive DNS server. If provided, the DHCPv6 options dns-server and
1966 domain-search are used for the DNS server (RDNSS) and the domain
1967 search list (DNSSL).
1968 --ra-param=<interface>,[mtu:<integer>|<interface>|off,][high,|low,]<ra-
1970 interval>[,<router lifetime>]
1971 Set non-default values for router advertisements sent via an in‐
1972 terface. The priority field for the router may be altered from
1973 the default of medium with eg --ra-param=eth0,high. The inter‐
1974 val between router advertisements may be set (in seconds) with
1975 --ra-param=eth0,60. The lifetime of the route may be changed or
1976 set to zero, which allows a router to advertise prefixes but not
1977 a route via itself. --ra-param=eth0,0,0 (A value of zero for
1978 the interval means the default value.) All four parameters may
1979 be set at once. --ra-param=eth0,mtu:1280,low,60,1200
1980 The interface field may include a wildcard.
1982 The mtu: parameter may be an arbitrary interface name, in which
1984 case the MTU value for that interface is used. This is useful
1985 for (eg) advertising the MTU of a WAN interface on the other in‐
1986 terfaces of a router.
1987 --dhcp-reply-delay=[tag:<tag>,]<integer>
1989 Delays sending DHCPOFFER and PROXYDHCP replies for at least the
1990 specified number of seconds. This can be used as workaround for
1991 bugs in PXE boot firmware that does not function properly when
1992 receiving an instant reply. This option takes into account the
1993 time already spent waiting (e.g. performing ping check) if any.
1994 --enable-tftp[=<interface>[,<interface>]]
1996 Enable the TFTP server function. This is deliberately limited to
1997 that needed to net-boot a client. Only reading is allowed; the
1998 tsize and blksize extensions are supported (tsize is only sup‐
1999 ported in octet mode). Without an argument, the TFTP service is
2000 provided to the same set of interfaces as DHCP service. If the
2001 list of interfaces is provided, that defines which interfaces
2002 receive TFTP service.
2003 --tftp-root=<directory>[,<interface>]
2005 Look for files to transfer using TFTP relative to the given di‐
2006 rectory. When this is set, TFTP paths which include ".." are re‐
2007 jected, to stop clients getting outside the specified root. Ab‐
2008 solute paths (starting with /) are allowed, but they must be
2009 within the tftp-root. If the optional interface argument is
2010 given, the directory is only used for TFTP requests via that in‐
2011 terface.
2012 --tftp-no-fail
2014 Do not abort startup if specified tftp root directories are in‐
2015 accessible.
2016 --tftp-unique-root[=ip|mac]
2018 Add the IP or hardware address of the TFTP client as a path com‐
2019 ponent on the end of the TFTP-root. Only valid if a --tftp-root
2020 is set and the directory exists. Defaults to adding IP address
2021 (in standard dotted-quad format). For instance, if --tftp-root
2022 is "/tftp" and client 1.2.3.4 requests file "myfile" then the
2023 effective path will be "/tftp/1.2.3.4/myfile" if /tftp/1.2.3.4
2024 exists or /tftp/myfile otherwise. When "=mac" is specified it
2025 will append the MAC address instead, using lowercase zero padded
2026 digits separated by dashes, e.g.: 01-02-03-04-aa-bb Note that
2027 resolving MAC addresses is only possible if the client is in the
2028 local network or obtained a DHCP lease from us.
2029 --tftp-secure
2031 Enable TFTP secure mode: without this, any file which is read‐
2032 able by the dnsmasq process under normal unix access-control
2033 rules is available via TFTP. When the --tftp-secure flag is
2034 given, only files owned by the user running the dnsmasq process
2035 are accessible. If dnsmasq is being run as root, different rules
2036 apply: --tftp-secure has no effect, but only files which have
2037 the world-readable bit set are accessible. It is not recommended
2038 to run dnsmasq as root with TFTP enabled, and certainly not
2039 without specifying --tftp-root. Doing so can expose any world-
2040 readable file on the server to any host on the net.
2041 --tftp-lowercase
2043 Convert filenames in TFTP requests to all lowercase. This is
2044 useful for requests from Windows machines, which have case-in‐
2045 sensitive filesystems and tend to play fast-and-loose with case
2046 in filenames. Note that dnsmasq's tftp server always converts
2047 "\" to "/" in filenames.
2048 --tftp-max=<connections>
2050 Set the maximum number of concurrent TFTP connections allowed.
2051 This defaults to 50. When serving a large number of TFTP connec‐
2052 tions, per-process file descriptor limits may be encountered.
2053 Dnsmasq needs one file descriptor for each concurrent TFTP con‐
2054 nection and one file descriptor per unique file (plus a few oth‐
2055 ers). So serving the same file simultaneously to n clients will
2056 use require about n + 10 file descriptors, serving different
2057 files simultaneously to n clients will require about (2*n) + 10
2058 descriptors. If --tftp-port-range is given, that can affect the
2059 number of concurrent connections.
2060 --tftp-mtu=<mtu size>
2062 Use size as the ceiling of the MTU supported by the intervening
2063 network when negotiating TFTP blocksize, overriding the MTU set‐
2064 ting of the local interface if it is larger.
2065 --tftp-no-blocksize
2067 Stop the TFTP server from negotiating the "blocksize" option
2068 with a client. Some buggy clients request this option but then
2069 behave badly when it is granted.
2070 --tftp-port-range=<start>,<end>
2072 A TFTP server listens on a well-known port (69) for connection
2073 initiation, but it also uses a dynamically-allocated port for
2074 each connection. Normally these are allocated by the OS, but
2075 this option specifies a range of ports for use by TFTP trans‐
2076 fers. This can be useful when TFTP has to traverse a firewall.
2077 The start of the range cannot be lower than 1025 unless dnsmasq
2078 is running as root. The number of concurrent TFTP connections is
2079 limited by the size of the port range.
2080 --tftp-single-port
2082 Run in a mode where the TFTP server uses ONLY the well-known
2083 port (69) for its end of the TFTP transfer. This allows TFTP to
2084 work when there in NAT is the path between client and server.
2085 Note that this is not strictly compliant with the RFCs specify‐
2086 ing the TFTP protocol: use at your own risk.
2087 -C, --conf-file=<file>
2089 Specify a configuration file. The presence of this option stops
2090 dnsmasq from reading the default configuration file (normally
2091 /etc/dnsmasq.conf). Multiple files may be specified by repeating
2092 the option either on the command line or in configuration files.
2093 A filename of "-" causes dnsmasq to read configuration from
2094 stdin.
2095 -7, --conf-dir=<directory>[,<file-extension>......],
2097 Read all the files in the given directory as configuration
2098 files. If extension(s) are given, any files which end in those
2099 extensions are skipped. Any files whose names end in ~ or start
2100 with . or start and end with # are always skipped. If the exten‐
2101 sion starts with * then only files which have that extension are
2102 loaded. So --conf-dir=/path/to/dir,*.conf loads all files with
2103 the suffix .conf in /path/to/dir. This flag may be given on the
2104 command line or in a configuration file. If giving it on the
2105 command line, be sure to escape * characters. Files are loaded
2106 in alphabetical order of filename.
2107 --servers-file=<file>
2109 A special case of --conf-file which differs in two respects.
2110 Firstly, only --server and --rev-server are allowed in the con‐
2111 figuration file included. Secondly, the file is re-read and the
2112 configuration therein is updated when dnsmasq receives SIGHUP.
2113
2115 At startup, dnsmasq reads /etc/dnsmasq.conf, if it exists. (On FreeBSD,
2116 the file is /usr/local/etc/dnsmasq.conf ) (but see the --conf-file and
2117 --conf-dir options.) The format of this file consists of one option per
2118 line, exactly as the long options detailed in the OPTIONS section but
2119 without the leading "--". Lines starting with # are comments and ig‐
2120 nored. For options which may only be specified once, the configuration
2121 file overrides the command line. Quoting is allowed in a config file:
2122 between " quotes the special meanings of ,:. and # are removed and the
2123 following escapes are allowed: \\ \" \t \e \b \r and \n. The later cor‐
2124 responding to tab, escape, backspace, return and newline.
2125
2127 When it receives a SIGHUP, dnsmasq clears its cache and then re-loads
2128 /etc/hosts and /etc/ethers and any file given by --dhcp-hostsfile,
2129 --dhcp-hostsdir, --dhcp-optsfile, --dhcp-optsdir, --addn-hosts or
2130 --hostsdir. The DHCP lease change script is called for all existing
2131 DHCP leases. If --no-poll is set SIGHUP also re-reads /etc/resolv.conf.
2132 SIGHUP does NOT re-read the configuration file.
2133 When it receives a SIGUSR1, dnsmasq writes statistics to the system
2135 log. It writes the cache size, the number of names which have had to
2136 removed from the cache before they expired in order to make room for
2137 new names and the total number of names that have been inserted into
2138 the cache. The number of cache hits and misses and the number of au‐
2139 thoritative queries answered are also given. For each upstream server
2140 it gives the number of queries sent, and the number which resulted in
2141 an error. In --no-daemon mode or when full logging is enabled (--log-
2142 queries), a complete dump of the contents of the cache is made.
2143 The cache statistics are also available in the DNS as answers to
2145 queries of class CHAOS and type TXT in domain bind. The domain names
2146 are cachesize.bind, insertions.bind, evictions.bind, misses.bind,
2147 hits.bind, auth.bind and servers.bind. An example command to query
2148 this, using the dig utility would be
2149 dig +short chaos txt cachesize.bind
2151 When it receives SIGUSR2 and it is logging direct to a file (see --log-
2154 facility ) dnsmasq will close and reopen the log file. Note that during
2155 this operation, dnsmasq will not be running as root. When it first cre‐
2156 ates the logfile dnsmasq changes the ownership of the file to the non-
2157 root user it will run as. Logrotate should be configured to create a
2158 new log file with the ownership which matches the existing one before
2159 sending SIGUSR2. If TCP DNS queries are in progress, the old logfile
2160 will remain open in child processes which are handling TCP queries and
2161 may continue to be written. There is a limit of 150 seconds, after
2162 which all existing TCP processes will have expired: for this reason, it
2163 is not wise to configure logfile compression for logfiles which have
2164 just been rotated. Using logrotate, the required options are create and
2165 delaycompress.
2166 Dnsmasq is a DNS query forwarder: it is not capable of recursively an‐
2170 swering arbitrary queries starting from the root servers but forwards
2171 such queries to a fully recursive upstream DNS server which is typi‐
2172 cally provided by an ISP. By default, dnsmasq reads /etc/resolv.conf to
2173 discover the IP addresses of the upstream nameservers it should use,
2174 since the information is typically stored there. Unless --no-poll is
2175 used, dnsmasq checks the modification time of /etc/resolv.conf (or
2176 equivalent if --resolv-file is used) and re-reads it if it changes.
2177 This allows the DNS servers to be set dynamically by PPP or DHCP since
2178 both protocols provide the information. Absence of /etc/resolv.conf is
2179 not an error since it may not have been created before a PPP connection
2180 exists. Dnsmasq simply keeps checking in case /etc/resolv.conf is cre‐
2181 ated at any time. Dnsmasq can be told to parse more than one re‐
2182 solv.conf file. This is useful on a laptop, where both PPP and DHCP may
2183 be used: dnsmasq can be set to poll both /etc/ppp/resolv.conf and
2184 /etc/dhcpc/resolv.conf and will use the contents of whichever changed
2185 last, giving automatic switching between DNS servers.
2186 Upstream servers may also be specified on the command line or in the
2188 configuration file. These server specifications optionally take a do‐
2189 main name which tells dnsmasq to use that server only to find names in
2190 that particular domain.
2191 In order to configure dnsmasq to act as cache for the host on which it
2193 is running, put "nameserver 127.0.0.1" in /etc/resolv.conf to force lo‐
2194 cal processes to send queries to dnsmasq. Then either specify the up‐
2195 stream servers directly to dnsmasq using --server options or put their
2196 addresses real in another file, say /etc/resolv.dnsmasq and run dnsmasq
2197 with the --resolv-file /etc/resolv.dnsmasq option. This second tech‐
2198 nique allows for dynamic update of the server addresses by PPP or DHCP.
2199 Addresses in /etc/hosts will "shadow" different addresses for the same
2201 names in the upstream DNS, so "mycompany.com 1.2.3.4" in /etc/hosts
2202 will ensure that queries for "mycompany.com" always return 1.2.3.4 even
2203 if queries in the upstream DNS would otherwise return a different ad‐
2204 dress. There is one exception to this: if the upstream DNS contains a
2205 CNAME which points to a shadowed name, then looking up the CNAME
2206 through dnsmasq will result in the unshadowed address associated with
2207 the target of the CNAME. To work around this, add the CNAME to
2208 /etc/hosts so that the CNAME is shadowed too.
2209 The tag system works as follows: For each DHCP request, dnsmasq col‐
2212 lects a set of valid tags from active configuration lines which include
2213 set:<tag>, including one from the --dhcp-range used to allocate the ad‐
2214 dress, one from any matching --dhcp-host (and "known" or "known-other‐
2215 net" if a --dhcp-host matches) The tag "bootp" is set for BOOTP re‐
2216 quests, and a tag whose name is the name of the interface on which the
2217 request arrived is also set.
2218 Any configuration lines which include one or more tag:<tag> constructs
2220 will only be valid if all that tags are matched in the set derived
2221 above. Typically this is --dhcp-option. --dhcp-option which has tags
2222 will be used in preference to an untagged --dhcp-option, provided that
2223 _all_ the tags match somewhere in the set collected as described above.
2224 The prefix '!' on a tag means 'not' so --dhcp-option=tag:!pur‐
2225 ple,3,1.2.3.4 sends the option when the tag purple is not in the set of
2226 valid tags. (If using this in a command line rather than a configura‐
2227 tion file, be sure to escape !, which is a shell metacharacter)
2228 When selecting --dhcp-options, a tag from --dhcp-range is second class
2230 relative to other tags, to make it easy to override options for indi‐
2231 vidual hosts, so --dhcp-range=set:interface1,...... --dhcp-
2232 host=set:myhost,..... --dhcp-option=tag:interface1,option:nis-do‐
2233 main,"domain1" --dhcp-option=tag:myhost,option:nis-domain,"domain2"
2234 will set the NIS-domain to domain1 for hosts in the range, but override
2235 that to domain2 for a particular host.
2236 Note that for --dhcp-range both tag:<tag> and set:<tag> are allowed, to
2239 both select the range in use based on (eg) --dhcp-host, and to affect
2240 the options sent, based on the range selected.
2241 This system evolved from an earlier, more limited one and for backward
2243 compatibility "net:" may be used instead of "tag:" and "set:" may be
2244 omitted. (Except in --dhcp-host, where "net:" may be used instead of
2245 "set:".) For the same reason, '#' may be used instead of '!' to indi‐
2246 cate NOT.
2247 The DHCP server in dnsmasq will function as a BOOTP server also, pro‐
2249 vided that the MAC address and IP address for clients are given, either
2250 using --dhcp-host configurations or in /etc/ethers , and a --dhcp-range
2251 configuration option is present to activate the DHCP server on a par‐
2252 ticular network. (Setting --bootp-dynamic removes the need for static
2253 address mappings.) The filename parameter in a BOOTP request is used as
2254 a tag, as is the tag "bootp", allowing some control over the options
2255 returned to different classes of hosts.
2256
2259 Configuring dnsmasq to act as an authoritative DNS server is compli‐
2260 cated by the fact that it involves configuration of external DNS
2261 servers to provide delegation. We will walk through three scenarios of
2262 increasing complexity. Prerequisites for all of these scenarios are a
2263 globally accessible IP address, an A or AAAA record pointing to that
2264 address, and an external DNS server capable of doing delegation of the
2265 zone in question. For the first part of this explanation, we will call
2266 the A (or AAAA) record for the globally accessible address server.exam‐
2267 ple.com, and the zone for which dnsmasq is authoritative our.zone.com.
2268 The simplest configuration consists of two lines of dnsmasq configura‐
2270 tion; something like
2271 --auth-server=server.example.com,eth0
2273 --auth-zone=our.zone.com,1.2.3.0/24
2274 and two records in the external DNS
2276 server.example.com A 192.0.43.10
2278 our.zone.com NS server.example.com
2279 eth0 is the external network interface on which dnsmasq is listening,
2281 and has (globally accessible) address 192.0.43.10.
2282 Note that the external IP address may well be dynamic (ie assigned from
2284 an ISP by DHCP or PPP) If so, the A record must be linked to this dy‐
2285 namic assignment by one of the usual dynamic-DNS systems.
2286 A more complex, but practically useful configuration has the address
2288 record for the globally accessible IP address residing in the authori‐
2289 tative zone which dnsmasq is serving, typically at the root. Now we
2290 have
2291 --auth-server=our.zone.com,eth0
2293 --auth-zone=our.zone.com,1.2.3.0/24
2294 our.zone.com A 1.2.3.4
2296 our.zone.com NS our.zone.com
2297 The A record for our.zone.com has now become a glue record, it solves
2299 the chicken-and-egg problem of finding the IP address of the nameserver
2300 for our.zone.com when the A record is within that zone. Note that this
2301 is the only role of this record: as dnsmasq is now authoritative from
2302 our.zone.com it too must provide this record. If the external address
2303 is static, this can be done with an /etc/hosts entry or --host-record.
2304 --auth-server=our.zone.com,eth0
2306 --host-record=our.zone.com,1.2.3.4
2307 --auth-zone=our.zone.com,1.2.3.0/24
2308 If the external address is dynamic, the address associated with
2310 our.zone.com must be derived from the address of the relevant inter‐
2311 face. This is done using --interface-name Something like:
2312 --auth-server=our.zone.com,eth0
2314 --interface-name=our.zone.com,eth0
2315 --auth-zone=our.zone.com,1.2.3.0/24,eth0
2316 (The "eth0" argument in --auth-zone adds the subnet containing eth0's
2318 dynamic address to the zone, so that the --interface-name returns the
2319 address in outside queries.)
2320 Our final configuration builds on that above, but also adds a secondary
2322 DNS server. This is another DNS server which learns the DNS data for
2323 the zone by doing zones transfer, and acts as a backup should the pri‐
2324 mary server become inaccessible. The configuration of the secondary is
2325 beyond the scope of this man-page, but the extra configuration of dns‐
2326 masq is simple:
2327 --auth-sec-servers=secondary.myisp.com
2329 and
2331 our.zone.com NS secondary.myisp.com
2333 Adding auth-sec-servers enables zone transfer in dnsmasq, to allow the
2335 secondary to collect the DNS data. If you wish to restrict this data to
2336 particular hosts then
2337 --auth-peer=<IP address of secondary>
2339 will do so.
2341 Dnsmasq acts as an authoritative server for in-addr.arpa and ip6.arpa
2343 domains associated with the subnets given in --auth-zone declarations,
2344 so reverse (address to name) lookups can be simply configured with a
2345 suitable NS record, for instance in this example, where we allow
2346 1.2.3.0/24 addresses.
2347 3.2.1.in-addr.arpa NS our.zone.com
2349 Note that at present, reverse (in-addr.arpa and ip6.arpa) zones are not
2351 available in zone transfers, so there is no point arranging secondary
2352 servers for reverse lookups.
2353 When dnsmasq is configured to act as an authoritative server, the fol‐
2356 lowing data is used to populate the authoritative zone.
2357 --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record, --caa-
2359 record, as long as the record names are in the authoritative domain.
2360 --cname as long as the record name is in the authoritative domain. If
2362 the target of the CNAME is unqualified, then it is qualified with the
2363 authoritative zone name. CNAME used in this way (only) may be wild‐
2364 cards, as in
2365 --cname=*.example.com,default.example.com
2367 IPv4 and IPv6 addresses from /etc/hosts (and --addn-hosts ) and --host-
2370 record and --interface-name and ---dynamic-host provided the address
2371 falls into one of the subnets specified in the --auth-zone.
2372 Addresses of DHCP leases, provided the address falls into one of the
2374 subnets specified in the --auth-zone. (If constructed DHCP ranges are
2375 is use, which depend on the address dynamically assigned to an inter‐
2376 face, then the form of --auth-zone which defines subnets by the dynamic
2377 address of an interface should be used to ensure this condition is
2378 met.)
2379 In the default mode, where a DHCP lease has an unqualified name, and
2381 possibly a qualified name constructed using --domain then the name in
2382 the authoritative zone is constructed from the unqualified name and the
2383 zone's domain. This may or may not equal that specified by --domain.
2384 If --dhcp-fqdn is set, then the fully qualified names associated with
2385 DHCP leases are used, and must match the zone's domain.
2386
2391 0 - Dnsmasq successfully forked into the background, or terminated nor‐
2392 mally if backgrounding is not enabled.
2393 1 - A problem with configuration was detected.
2395 2 - A problem with network access occurred (address in use, attempt to
2397 use privileged ports without permission).
2398 3 - A problem occurred with a filesystem operation (missing file/direc‐
2400 tory, permissions).
2401 4 - Memory allocation failure.
2403 5 - Other miscellaneous problem.
2405 11 or greater - a non zero return code was received from the lease-
2407 script process "init" call. The exit code from dnsmasq is the script's
2408 exit code with 10 added.
2409
2412 The default values for resource limits in dnsmasq are generally conser‐
2413 vative, and appropriate for embedded router type devices with slow pro‐
2414 cessors and limited memory. On more capable hardware, it is possible to
2415 increase the limits, and handle many more clients. The following ap‐
2416 plies to dnsmasq-2.37: earlier versions did not scale as well.
2417 Dnsmasq is capable of handling DNS and DHCP for at least a thousand
2420 clients. The DHCP lease times should not be very short (less than one
2421 hour). The value of --dns-forward-max can be increased: start with it
2422 equal to the number of clients and increase if DNS seems slow. Note
2423 that DNS performance depends too on the performance of the upstream
2424 nameservers. The size of the DNS cache may be increased: the hard limit
2425 is 10000 names and the default (150) is very low. Sending SIGUSR1 to
2426 dnsmasq makes it log information which is useful for tuning the cache
2427 size. See the NOTES section for details.
2428 The built-in TFTP server is capable of many simultaneous file trans‐
2431 fers: the absolute limit is related to the number of file-handles al‐
2432 lowed to a process and the ability of the select() system call to cope
2433 with large numbers of file handles. If the limit is set too high using
2434 --tftp-max it will be scaled down and the actual limit logged at start-
2435 up. Note that more transfers are possible when the same file is being
2436 sent than when each transfer sends a different file.
2437 It is possible to use dnsmasq to block Web advertising by using a list
2440 of known banner-ad servers, all resolving to 127.0.0.1 or 0.0.0.0, in
2441 /etc/hosts or an additional hosts file. The list can be very long, dns‐
2442 masq has been tested successfully with one million names. That size
2443 file needs a 1GHz processor and about 60Mb of RAM.
2444
2447 Dnsmasq can be compiled to support internationalisation. To do this,
2448 the make targets "all-i18n" and "install-i18n" should be used instead
2449 of the standard targets "all" and "install". When internationalisation
2450 is compiled in, dnsmasq will produce log messages in the local language
2451 and support internationalised domain names (IDN). Domain names in
2452 /etc/hosts, /etc/ethers and /etc/dnsmasq.conf which contain non-ASCII
2453 characters will be translated to the DNS-internal punycode representa‐
2454 tion. Note that dnsmasq determines both the language for messages and
2455 the assumed charset for configuration files from the LANG environment
2456 variable. This should be set to the system default value by the script
2457 which is responsible for starting dnsmasq. When editing the configura‐
2458 tion files, be careful to do so using only the system-default locale
2459 and not user-specific one, since dnsmasq has no direct way of determin‐
2460 ing the charset in use, and must assume that it is the system default.
2461
2464 /etc/dnsmasq.conf
2465 /usr/local/etc/dnsmasq.conf
2467 /etc/resolv.conf /var/run/dnsmasq/resolv.conf /etc/ppp/resolv.conf
2469 /etc/dhcpc/resolv.conf
2470 /etc/hosts
2472 /etc/ethers
2474 /var/lib/dnsmasq/dnsmasq.leases
2476 /var/db/dnsmasq.leases
2478 /var/run/dnsmasq.pid
2480
2482 hosts(5), resolver(5)
2483
2485 This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.
2486 2020-04-05 DNSMASQ(8)