1DNSMASQ(8) System Manager's Manual DNSMASQ(8)
2
6 dnsmasq - A lightweight DHCP and caching DNS server.
7
9 dnsmasq [OPTION]...
10
12 dnsmasq is a lightweight DNS, TFTP, PXE, router advertisement and DHCP
13 server. It is intended to provide coupled DNS and DHCP service to a
14 LAN.
15 Dnsmasq accepts DNS queries and either answers them from a small, lo‐
17 cal, cache or forwards them to a real, recursive, DNS server. It loads
18 the contents of /etc/hosts so that local hostnames which do not appear
19 in the global DNS can be resolved and also answers DNS queries for DHCP
20 configured hosts. It can also act as the authoritative DNS server for
21 one or more domains, allowing local names to appear in the global DNS.
22 It can be configured to do DNSSEC validation.
23 The dnsmasq DHCP server supports static address assignments and multi‐
25 ple networks. It automatically sends a sensible default set of DHCP op‐
26 tions, and can be configured to send any desired set of DHCP options,
27 including vendor-encapsulated options. It includes a secure, read-only,
28 TFTP server to allow net/PXE boot of DHCP hosts and also supports
29 BOOTP. The PXE support is full featured, and includes a proxy mode
30 which supplies PXE information to clients whilst DHCP address alloca‐
31 tion is done by another server.
32 The dnsmasq DHCPv6 server provides the same set of features as the
34 DHCPv4 server, and in addition, it includes router advertisements and a
35 neat feature which allows naming for clients which use DHCPv4 and
36 stateless autoconfiguration only for IPv6 configuration. There is sup‐
37 port for doing address allocation (both DHCPv6 and RA) from subnets
38 which are dynamically delegated via DHCPv6 prefix delegation.
39 Dnsmasq is coded with small embedded systems in mind. It aims for the
41 smallest possible memory footprint compatible with the supported func‐
42 tions, and allows unneeded functions to be omitted from the compiled
43 binary.
44
46 Note that in general missing parameters are allowed and switch off
47 functions, for instance "--pid-file" disables writing a PID file. On
48 BSD, unless the GNU getopt library is linked, the long form of the op‐
49 tions does not work on the command line; it is still recognised in the
50 configuration file.
51 --test Read and syntax check configuration file(s). Exit with code 0 if
53 all is OK, or a non-zero code otherwise. Do not start up dns‐
54 masq.
55 -w, --help
57 Display all command-line options. --help dhcp will display
58 known DHCPv4 configuration options, and --help dhcp6 will dis‐
59 play DHCPv6 options.
60 -h, --no-hosts
62 Don't read the hostnames in /etc/hosts.
63 -H, --addn-hosts=<file>
65 Additional hosts file. Read the specified file as well as
66 /etc/hosts. If --no-hosts is given, read only the specified
67 file. This option may be repeated for more than one additional
68 hosts file. If a directory is given, then read all the files
69 contained in that directory in alphabetical order.
70 --hostsdir=<path>
72 Read all the hosts files contained in the directory. New or
73 changed files are read automatically and modified and deleted
74 files have removed records automatically deleted.
75 -E, --expand-hosts
77 Add the domain to simple names (without a period) in /etc/hosts
78 in the same way as for DHCP-derived names. Note that this does
79 not apply to domain names in cnames, PTR records, TXT records
80 etc.
81 -T, --local-ttl=<time>
83 When replying with information from /etc/hosts or configuration
84 or the DHCP leases file dnsmasq by default sets the time-to-live
85 field to zero, meaning that the requester should not itself
86 cache the information. This is the correct thing to do in almost
87 all situations. This option allows a time-to-live (in seconds)
88 to be given for these replies. This will reduce the load on the
89 server at the expense of clients using stale data under some
90 circumstances.
91 --dhcp-ttl=<time>
93 As for --local-ttl, but affects only replies with information
94 from DHCP leases. If both are given, --dhcp-ttl applies for DHCP
95 information, and --local-ttl for others. Setting this to zero
96 eliminates the effect of --local-ttl for DHCP.
97 --neg-ttl=<time>
99 Negative replies from upstream servers normally contain time-to-
100 live information in SOA records which dnsmasq uses for caching.
101 If the replies from upstream servers omit this information, dns‐
102 masq does not cache the reply. This option gives a default value
103 for time-to-live (in seconds) which dnsmasq uses to cache nega‐
104 tive replies even in the absence of an SOA record.
105 --max-ttl=<time>
107 Set a maximum TTL value that will be handed out to clients. The
108 specified maximum TTL will be given to clients instead of the
109 true TTL value if it is lower. The true TTL value is however
110 kept in the cache to avoid flooding the upstream DNS servers.
111 --max-cache-ttl=<time>
113 Set a maximum TTL value for entries in the cache.
114 --min-cache-ttl=<time>
116 Extend short TTL values to the time given when caching them.
117 Note that artificially extending TTL values is in general a bad
118 idea, do not do it unless you have a good reason, and understand
119 what you are doing. Dnsmasq limits the value of this option to
120 one hour, unless recompiled.
121 --auth-ttl=<time>
123 Set the TTL value returned in answers from the authoritative
124 server.
125 --fast-dns-retry=[<initial retry delay in ms>[,<time to continue re‐
127 tries in ms>]]
128 Under normal circumstances, dnsmasq relies on DNS clients to do
129 retries; it does not generate timeouts itself. Setting this op‐
130 tion instructs dnsmasq to generate its own retries starting af‐
131 ter a delay which defaults to 1000ms. If the second parameter is
132 given this controls how long the retries will continue for oth‐
133 erwise this defaults to 10000ms. Retries are repeated with expo‐
134 nential backoff. Using this option increases memory usage and
135 network bandwidth.
136 -k, --keep-in-foreground
138 Do not go into the background at startup but otherwise run as
139 normal. This is intended for use when dnsmasq is run under dae‐
140 montools or launchd.
141 -d, --no-daemon
143 Debug mode: don't fork to the background, don't write a pid
144 file, don't change user id, generate a complete cache dump on
145 receipt on SIGUSR1, log to stderr as well as syslog, don't fork
146 new processes to handle TCP queries. Note that this option is
147 for use in debugging only, to stop dnsmasq daemonising in pro‐
148 duction, use --keep-in-foreground.
149 -q, --log-queries
151 Log the results of DNS queries handled by dnsmasq. Enable a full
152 cache dump on receipt of SIGUSR1. If the argument "extra" is
153 supplied, ie --log-queries=extra then the log has extra informa‐
154 tion at the start of each line. This consists of a serial num‐
155 ber which ties together the log lines associated with an indi‐
156 vidual query, and the IP address of the requestor.
157 -8, --log-facility=<facility>
159 Set the facility to which dnsmasq will send syslog entries, this
160 defaults to DAEMON, and to LOCAL0 when debug mode is in opera‐
161 tion. If the facility given contains at least one '/' character,
162 it is taken to be a filename, and dnsmasq logs to the given
163 file, instead of syslog. If the facility is '-' then dnsmasq
164 logs to stderr. (Errors whilst reading configuration will still
165 go to syslog, but all output from a successful startup, and all
166 output whilst running, will go exclusively to the file.) When
167 logging to a file, dnsmasq will close and reopen the file when
168 it receives SIGUSR2. This allows the log file to be rotated
169 without stopping dnsmasq.
170 --log-debug
172 Enable extra logging intended for debugging rather than informa‐
173 tion.
174 --log-async[=<lines>]
176 Enable asynchronous logging and optionally set the limit on the
177 number of lines which will be queued by dnsmasq when writing to
178 the syslog is slow. Dnsmasq can log asynchronously: this allows
179 it to continue functioning without being blocked by syslog, and
180 allows syslog to use dnsmasq for DNS queries without risking
181 deadlock. If the queue of log-lines becomes full, dnsmasq will
182 log the overflow, and the number of messages lost. The default
183 queue length is 5, a sane value would be 5-25, and a maximum
184 limit of 100 is imposed.
185 -x, --pid-file=<path>
187 Specify an alternate path for dnsmasq to record its process-id
188 in. Normally /var/run/dnsmasq.pid.
189 -u, --user=<username>
191 Specify the userid to which dnsmasq will change after startup.
192 Dnsmasq must normally be started as root, but it will drop root
193 privileges after startup by changing id to another user. Nor‐
194 mally this user is "nobody" but that can be over-ridden with
195 this switch.
196 -g, --group=<groupname>
198 Specify the group which dnsmasq will run as. The default is
199 "dip", if available, to facilitate access to /etc/ppp/re‐
200 solv.conf which is not normally world readable.
201 -v, --version
203 Print the version number.
204 -p, --port=<port>
206 Listen on <port> instead of the standard DNS port (53). Setting
207 this to zero completely disables DNS function, leaving only DHCP
208 and/or TFTP.
209 -P, --edns-packet-max=<size>
211 Specify the largest EDNS.0 UDP packet which is supported by the
212 DNS forwarder. Defaults to 1232, which is the recommended size
213 following the DNS flag day in 2020. Only increase if you know
214 what you are doing.
215 -Q, --query-port=<query_port>
217 Send outbound DNS queries from, and listen for their replies on,
218 the specific UDP port <query_port> instead of using random
219 ports. NOTE that using this option will make dnsmasq less secure
220 against DNS spoofing attacks but it may be faster and use less
221 resources. Setting this option to zero makes dnsmasq use a sin‐
222 gle port allocated to it by the OS: this was the default behav‐
223 iour in versions prior to 2.43.
224 --port-limit=<#ports>
226 By default, when sending a query via random ports to multiple
227 upstream servers or retrying a query dnsmasq will use a single
228 random port for all the tries/retries. This option allows a
229 larger number of ports to be used, which can increase robustness
230 in certain network configurations. Note that increasing this to
231 more than two or three can have security and resource implica‐
232 tions and should only be done with understanding of those.
233 --min-port=<port>
235 Do not use ports less than that given as source for outbound DNS
236 queries. Dnsmasq picks random ports as source for outbound
237 queries: when this option is given, the ports used will always
238 be larger than that specified. Useful for systems behind fire‐
239 walls. If not specified, defaults to 1024.
240 --max-port=<port>
242 Use ports lower than that given as source for outbound DNS
243 queries. Dnsmasq picks random ports as source for outbound
244 queries: when this option is given, the ports used will always
245 be lower than that specified. Useful for systems behind fire‐
246 walls.
247 -i, --interface=<interface name>
249 Listen only on the specified interface(s). Dnsmasq automatically
250 adds the loopback (local) interface to the list of interfaces to
251 use when the --interface option is used. If no --interface or
252 --listen-address options are given dnsmasq listens on all avail‐
253 able interfaces except any given in --except-interface options.
254 On Linux, when --bind-interfaces or --bind-dynamic are in ef‐
255 fect, IP alias interface labels (eg "eth1:0") are checked,
256 rather than interface names. In the degenerate case when an in‐
257 terface has one address, this amounts to the same thing but when
258 an interface has multiple addresses it allows control over which
259 of those addresses are accepted. The same effect is achievable
260 in default mode by using --listen-address. A simple wildcard,
261 consisting of a trailing '*', can be used in --interface and
262 --except-interface options.
263 -I, --except-interface=<interface name>
265 Do not listen on the specified interface. Note that the order of
266 --listen-address --interface and --except-interface options does
267 not matter and that --except-interface options always override
268 the others. The comments about interface labels for --listen-ad‐
269 dress apply here.
270 --auth-server=<domain>,[<interface>|<ip-address>...]
272 Enable DNS authoritative mode for queries arriving at an inter‐
273 face or address. Note that the interface or address need not be
274 mentioned in --interface or --listen-address configuration, in‐
275 deed --auth-server will override these and provide a different
276 DNS service on the specified interface. The <domain> is the
277 "glue record". It should resolve in the global DNS to an A
278 and/or AAAA record which points to the address dnsmasq is lis‐
279 tening on. When an interface is specified, it may be qualified
280 with "/4" or "/6" to specify only the IPv4 or IPv6 addresses as‐
281 sociated with the interface. Since any defined authoritative
282 zones are also available as part of the normal recusive DNS ser‐
283 vice supplied by dnsmasq, it can make sense to have an --auth-
284 server declaration with no interfaces or address, but simply
285 specifying the primary external nameserver.
286 --local-service
288 Accept DNS queries only from hosts whose address is on a local
289 subnet, ie a subnet for which an interface exists on the server.
290 This option only has effect if there are no --interface, --ex‐
291 cept-interface, --listen-address or --auth-server options. It is
292 intended to be set as a default on installation, to allow uncon‐
293 figured installations to be useful but also safe from being used
294 for DNS amplification attacks.
295 -2, --no-dhcp-interface=<interface name>
297 Do not provide DHCP or TFTP on the specified interface, but do
298 provide DNS service.
299 -a, --listen-address=<ipaddr>
301 Listen on the given IP address(es). Both --interface and --lis‐
302 ten-address options may be given, in which case the set of both
303 interfaces and addresses is used. Note that if no --interface
304 option is given, but --listen-address is, dnsmasq will not auto‐
305 matically listen on the loopback interface. To achieve this, its
306 IP address, 127.0.0.1, must be explicitly given as a --listen-
307 address option.
308 -z, --bind-interfaces
310 On systems which support it, dnsmasq binds the wildcard address,
311 even when it is listening on only some interfaces. It then dis‐
312 cards requests that it shouldn't reply to. This has the advan‐
313 tage of working even when interfaces come and go and change ad‐
314 dress. This option forces dnsmasq to really bind only the inter‐
315 faces it is listening on. About the only time when this is use‐
316 ful is when running another nameserver (or another instance of
317 dnsmasq) on the same machine. Setting this option also enables
318 multiple instances of dnsmasq which provide DHCP service to run
319 in the same machine.
320 --bind-dynamic
322 Enable a network mode which is a hybrid between --bind-inter‐
323 faces and the default. Dnsmasq binds the address of individual
324 interfaces, allowing multiple dnsmasq instances, but if new in‐
325 terfaces or addresses appear, it automatically listens on those
326 (subject to any access-control configuration). This makes dynam‐
327 ically created interfaces work in the same way as the default.
328 Implementing this option requires non-standard networking APIs
329 and it is only available under Linux. On other platforms it
330 falls-back to --bind-interfaces mode.
331 -y, --localise-queries
333 Return answers to DNS queries from /etc/hosts and --interface-
334 name and --dynamic-host which depend on the interface over which
335 the query was received. If a name has more than one address as‐
336 sociated with it, and at least one of those addresses is on the
337 same subnet as the interface to which the query was sent, then
338 return only the address(es) on that subnet and return all the
339 available addresses otherwise. This allows for a server to
340 have multiple addresses in /etc/hosts corresponding to each of
341 its interfaces, and hosts will get the correct address based on
342 which network they are attached to. Currently this facility is
343 limited to IPv4.
344 -b, --bogus-priv
346 Bogus private reverse lookups. All reverse lookups for private
347 IP ranges (ie 192.168.x.x, etc) which are not found in
348 /etc/hosts or the DHCP leases file are answered with "no such
349 domain" rather than being forwarded upstream. The set of pre‐
350 fixes affected is the list given in RFC6303, for IPv4 and IPv6.
351 -V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
353 Modify IPv4 addresses returned from upstream nameservers; old-ip
354 is replaced by new-ip. If the optional mask is given then any
355 address which matches the masked old-ip will be re-written. So,
356 for instance --alias=1.2.3.0,6.7.8.0,255.255.255.0 will map
357 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what
358 Cisco PIX routers call "DNS doctoring". If the old IP is given
359 as range, then only addresses in the range, rather than a whole
360 subnet, are re-written. So
361 --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 maps
362 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
363 -B, --bogus-nxdomain=<ipaddr>[/prefix]
365 Transform replies which contain the specified address or subnet
366 into "No such domain" replies. IPv4 and IPv6 are supported. This
367 is intended to counteract a devious move made by Verisign in
368 September 2003 when they started returning the address of an ad‐
369 vertising web page in response to queries for unregistered
370 names, instead of the correct NXDOMAIN response. This option
371 tells dnsmasq to fake the correct response when it sees this be‐
372 haviour. As at Sept 2003 the IP address being returned by
373 Verisign is 64.94.110.11
374 --ignore-address=<ipaddr>[/prefix]
376 Ignore replies to A or AAAA queries which include the specified
377 address or subnet. No error is generated, dnsmasq simply con‐
378 tinues to listen for another reply. This is useful to defeat
379 blocking strategies which rely on quickly supplying a forged an‐
380 swer to a DNS request for certain domain, before the correct an‐
381 swer can arrive.
382 -f, --filterwin2k
384 Later versions of windows make periodic DNS requests which don't
385 get sensible answers from the public DNS and can cause problems
386 by triggering dial-on-demand links. This flag turns on an option
387 to filter such requests. The requests blocked are for records of
388 type ANY where the requested name has underscores, to catch LDAP
389 requests, and for all records of types SOA and SRV.
390 --filter-A
392 Remove A records from answers. No IPv4 addresses will be re‐
393 turned.
394 --filter-AAAA
396 Remove AAAA records from answers. No IPv6 addresses will be re‐
397 turned.
398 -r, --resolv-file=<file>
400 Read the IP addresses of the upstream nameservers from <file>,
401 instead of /etc/resolv.conf. For the format of this file see re‐
402 solv.conf(5). The only lines relevant to dnsmasq are nameserver
403 ones. Dnsmasq can be told to poll more than one resolv.conf
404 file, the first file name specified overrides the default, sub‐
405 sequent ones add to the list. This is only allowed when polling;
406 the file with the currently latest modification time is the one
407 used.
408 -R, --no-resolv
410 Don't read /etc/resolv.conf. Get upstream servers only from the
411 command line or the dnsmasq configuration file.
412 -1, --enable-dbus[=<service-name>]
414 Allow dnsmasq configuration to be updated via DBus method calls.
415 The configuration which can be changed is upstream DNS servers
416 (and corresponding domains) and cache clear. Requires that dns‐
417 masq has been built with DBus support. If the service name is
418 given, dnsmasq provides service at that name, rather than the
419 default which is uk.org.thekelleys.dnsmasq
420 --enable-ubus[=<service-name>]
422 Enable dnsmasq UBus interface. It sends notifications via UBus
423 on DHCPACK and DHCPRELEASE events. Furthermore it offers metrics
424 and allows configuration of Linux connection track mark based
425 filtering. When DNS query filtering based on Linux connection
426 track marks is enabled UBus notifications are generated for each
427 resolved or filtered DNS query. Requires that dnsmasq has been
428 built with UBus support. If the service name is given, dnsmasq
429 provides service at that namespace, rather than the default
430 which is dnsmasq
431 -o, --strict-order
433 By default, dnsmasq will send queries to any of the upstream
434 servers it knows about and tries to favour servers that are
435 known to be up. Setting this flag forces dnsmasq to try each
436 query with each server strictly in the order they appear in
437 /etc/resolv.conf
438 --all-servers
440 By default, when dnsmasq has more than one upstream server
441 available, it will send queries to just one server. Setting this
442 flag forces dnsmasq to send all queries to all available
443 servers. The reply from the server which answers first will be
444 returned to the original requester.
445 --dns-loop-detect
447 Enable code to detect DNS forwarding loops; ie the situation
448 where a query sent to one of the upstream server eventually re‐
449 turns as a new query to the dnsmasq instance. The process works
450 by generating TXT queries of the form <hex>.test and sending
451 them to each upstream server. The hex is a UID which encodes the
452 instance of dnsmasq sending the query and the upstream server to
453 which it was sent. If the query returns to the server which sent
454 it, then the upstream server through which it was sent is dis‐
455 abled and this event is logged. Each time the set of upstream
456 servers changes, the test is re-run on all of them, including
457 ones which were previously disabled.
458 --stop-dns-rebind
460 Reject (and log) addresses from upstream nameservers which are
461 in the private ranges. This blocks an attack where a browser be‐
462 hind a firewall is used to probe machines on the local network.
463 For IPv6, the private range covers the IPv4-mapped addresses in
464 private space plus all link-local (LL) and site-local (ULA) ad‐
465 dresses.
466 --rebind-localhost-ok
468 Exempt 127.0.0.0/8 and ::1 from rebinding checks. This address
469 range is returned by realtime black hole servers, so blocking it
470 may disable these services.
471 --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
473 Do not detect and block dns-rebind on queries to these domains.
474 The argument may be either a single domain, or multiple domains
475 surrounded by '/', like the --server syntax, eg. --rebind-do‐
476 main-ok=/domain1/domain2/domain3/
477 -n, --no-poll
479 Don't poll /etc/resolv.conf for changes.
480 --clear-on-reload
482 Whenever /etc/resolv.conf is re-read or the upstream servers are
483 set via DBus, clear the DNS cache. This is useful when new
484 nameservers may have different data than that held in cache.
485 -D, --domain-needed
487 Tells dnsmasq to never forward A or AAAA queries for plain
488 names, without dots or domain parts, to upstream nameservers. If
489 the name is not known from /etc/hosts or DHCP then a "not found"
490 answer is returned.
491 -S, --local, --server=[/[<domain>]/[domain/]][<server>[#<port>]][@<in‐
493 terface>][@<source-ip>[#<port>]]
494 Specify upstream servers directly. Setting this flag does not
495 suppress reading of /etc/resolv.conf, use --no-resolv to do
496 that. If one or more optional domains are given, that server is
497 used only for those domains and they are queried only using the
498 specified server. This is intended for private nameservers: if
499 you have a nameserver on your network which deals with names of
500 the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then giv‐
501 ing the flag --server=/internal.thekelleys.org.uk/192.168.1.1
502 will send all queries for internal machines to that nameserver,
503 everything else will go to the servers in /etc/resolv.conf.
504 DNSSEC validation is turned off for such private nameservers,
505 UNLESS a --trust-anchor is specified for the domain in question.
506 An empty domain specification, // has the special meaning of
507 "unqualified names only" ie names without any dots in them. A
508 non-standard port may be specified as part of the IP address us‐
509 ing a # character. More than one --server flag is allowed, with
510 repeated domain or ipaddr parts as required.
511 More specific domains take precedence over less specific do‐
513 mains, so: --server=/google.com/1.2.3.4
514 --server=/www.google.com/2.3.4.5 will send queries for
515 google.com and gmail.google.com to 1.2.3.4, but www.google.com
516 will go to 2.3.4.5
517 Matching of domains is normally done on complete labels, so
519 /google.com/ matches google.com and www.google.com but NOT su‐
520 pergoogle.com. This can be overridden with a * at the start of a
521 pattern only: /*google.com/ will match google.com and
522 www.google.com AND supergoogle.com. The non-wildcard form has
523 priority, so if /google.com/ and /*google.com/ are both speci‐
524 fied then google.com and www.google.com will match /google.com/
525 and /*google.com/ will only match supergoogle.com.
526 For historical reasons, the pattern /.google.com/ is equivalent
528 to /google.com/ if you wish to match any subdomain of google.com
529 but NOT google.com itself, use /*.google.com/
530 The special server address '#' means, "use the standard
532 servers", so --server=/google.com/1.2.3.4
533 --server=/www.google.com/# will send queries for google.com and
534 its subdomains to 1.2.3.4, except www.google.com (and its subdo‐
535 mains) which will be forwarded as usual.
536 Also permitted is a -S flag which gives a domain but no IP ad‐
538 dress; this tells dnsmasq that a domain is local and it may an‐
539 swer queries from /etc/hosts or DHCP but should never forward
540 queries on that domain to any upstream servers. --local is a
541 synonym for --server to make configuration files clearer in this
542 case.
543 IPv6 addresses may include an %interface scope-id, eg
545 fe80::202:a412:4512:7bbf%eth0.
546 The optional string after the @ character tells dnsmasq how to
548 set the source of the queries to this nameserver. It can either
549 be an ip-address, an interface name or both. The ip-address
550 should belong to the machine on which dnsmasq is running, other‐
551 wise this server line will be logged and then ignored. If an in‐
552 terface name is given, then queries to the server will be forced
553 via that interface; if an ip-address is given then the source
554 address of the queries will be set to that address; and if both
555 are given then a combination of ip-address and interface name
556 will be used to steer requests to the server. The query-port
557 flag is ignored for any servers which have a source address
558 specified but the port may be specified directly as part of the
559 source address. Forcing queries to an interface is not imple‐
560 mented on all platforms supported by dnsmasq.
561 Upstream servers may be specified with a hostname rather than an
563 IP address. In this case, dnsmasq will try to use the system
564 resolver to get the IP address of a server during startup. If
565 name resolution fails, starting dnsmasq fails, too. If the sys‐
566 tem's configuration is such that the system resolver sends DNS
567 queries through the dnsmasq instance which is starting up then
568 this will time-out and fail.
569 --rev-server=<ip-address>[/<prefix-len>][,<server>][#<port>][@<inter‐
571 face>][@<source-ip>[#<port>]]
572 This is functionally the same as --server, but provides some
573 syntactic sugar to make specifying address-to-name queries eas‐
574 ier. For example --rev-server=1.2.3.0/24,192.168.0.1 is exactly
575 equivalent to --server=/3.2.1.in-addr.arpa/192.168.0.1 Allowed
576 prefix lengths are 1-32 (IPv4) and 1-128 (IPv6). If the prefix
577 length is omitted, dnsmasq substitutes either 32 (IPv4) or 128
578 (IPv6).
579 -A, --address=/<domain>[/<domain>...]/[<ipaddr>]
581 Specify an IP address to return for any host in the given do‐
582 mains. A (or AAAA) queries in the domains are never forwarded
583 and always replied to with the specified IP address which may be
584 IPv4 or IPv6. To give multiple addresses or both IPv4 and IPv6
585 addresses for a domain, use repeated --address flags. Note that
586 /etc/hosts and DHCP leases override this for individual names. A
587 common use of this is to redirect the entire doubleclick.net do‐
588 main to some friendly local web server to avoid banner ads. The
589 domain specification works in the same way as for --server, with
590 the additional facility that /#/ matches any domain. Thus --ad‐
591 dress=/#/1.2.3.4 will always return 1.2.3.4 for any query not
592 answered from /etc/hosts or DHCP and not sent to an upstream
593 nameserver by a more specific --server directive. As for
594 --server, one or more domains with no address returns a no-such-
595 domain answer, so --address=/example.com/ is equivalent to
596 --server=/example.com/ and returns NXDOMAIN for example.com and
597 all its subdomains. An address specified as '#' translates to
598 the NULL address of 0.0.0.0 and its IPv6 equivalent of :: so
599 --address=/example.com/# will return NULL addresses for exam‐
600 ple.com and its subdomains. This is partly syntactic sugar for
601 --address=/example.com/0.0.0.0 and --address=/example.com/:: but
602 is also more efficient than including both as separate configu‐
603 ration lines. Note that NULL addresses normally work in the same
604 way as localhost, so beware that clients looking up these names
605 are likely to end up talking to themselves.
606 Note that the behaviour for queries which don't match the speci‐
608 fied address literal changed in version 2.86. Previous ver‐
609 sions, configured with (eg) --address=/example.com/1.2.3.4 and
610 then queried for a RR type other than A would return a NoData
611 answer. From 2.86, the query is sent upstream. To restore the
612 pre-2.86 behaviour, use the configuration --address=/exam‐
613 ple.com/1.2.3.4 --local=/example.com/
614 --ipset=/<domain>[/<domain>...]/<ipset>[,<ipset>...]
616 Places the resolved IP addresses of queries for one or more do‐
617 mains in the specified Netfilter IP set. If multiple setnames
618 are given, then the addresses are placed in each of them, sub‐
619 ject to the limitations of an IP set (IPv4 addresses cannot be
620 stored in an IPv6 IP set and vice versa). Domains and subdo‐
621 mains are matched in the same way as --address. These IP sets
622 must already exist. See ipset(8) for more details.
623 --nftset=/<domain>[/<domain>...]/[(6|4)#[<family>#]<ta‐
625 ble>#<set>[,[(6|4)#[<family>#]<table>#<set>]...]
626 Similar to the --ipset option, but accepts one or more nftables
627 sets to add IP addresses into. These sets must already exist.
628 See nft(8) for more details. The family, table and set are
629 passed directly to the nft. If the spec starts with 4# or 6#
630 then only A or AAAA records respectively are added to the set.
631 Since an nftset can hold only IPv4 or IPv6 addresses, this
632 avoids errors being logged for addresses of the wrong type.
633 --connmark-allowlist-enable[=<mask>]
635 Enables filtering of incoming DNS queries with associated Linux
636 connection track marks according to individual allowlists con‐
637 figured via a series of --connmark-allowlist options. Disallowed
638 queries are not forwarded; they are rejected with a REFUSED er‐
639 ror code. DNS queries are only allowed if they do not have an
640 associated Linux connection track mark, or if the queried do‐
641 mains match the configured DNS patterns for the associated Linux
642 connection track mark. If no allowlist is configured for a Linux
643 connection track mark, all DNS queries associated with that mark
644 are rejected. If a mask is specified, Linux connection track
645 marks are first bitwise ANDed with the given mask before being
646 processed.
647 --connmark-allowlist=<connmark>[/<mask>][,<pattern>[/<pattern>...]]
649 Configures the DNS patterns that are allowed in DNS queries as‐
650 sociated with the given Linux connection track mark. If a mask
651 is specified, Linux connection track marks are first bitwise
652 ANDed with the given mask before they are compared to the given
653 connection track mark. Patterns follow the syntax of DNS names,
654 but additionally allow the wildcard character "*" to be used up
655 to twice per label to match 0 or more characters within that la‐
656 bel. Note that the wildcard never matches a dot (e.g., "*.exam‐
657 ple.com" matches "api.example.com" but not "api.us.exam‐
658 ple.com"). Patterns must be fully qualified, i.e., consist of at
659 least two labels. The final label must not be fully numeric, and
660 must not be the "local" pseudo-TLD. A pattern must end with at
661 least two literal (non-wildcard) labels. Instead of a pattern,
662 "*" can be specified to disable allowlist filtering for a given
663 Linux connection track mark entirely.
664 -m, --mx-host=<mx name>[[,<hostname>],<preference>]
666 Return an MX record named <mx name> pointing to the given host‐
667 name (if given), or the host specified in the --mx-target switch
668 or, if that switch is not given, the host on which dnsmasq is
669 running. The default is useful for directing mail from systems
670 on a LAN to a central server. The preference value is optional,
671 and defaults to 1 if not given. More than one MX record may be
672 given for a host.
673 -t, --mx-target=<hostname>
675 Specify the default target for the MX record returned by dns‐
676 masq. See --mx-host. If --mx-target is given, but not --mx-
677 host, then dnsmasq returns a MX record containing the MX target
678 for MX queries on the hostname of the machine on which dnsmasq
679 is running.
680 -e, --selfmx
682 Return an MX record pointing to itself for each local machine.
683 Local machines are those in /etc/hosts or with DHCP leases.
684 -L, --localmx
686 Return an MX record pointing to the host given by --mx-target
687 (or the machine on which dnsmasq is running) for each local ma‐
688 chine. Local machines are those in /etc/hosts or with DHCP
689 leases.
690 -W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<prior‐
692 ity>[,<weight>]]]]
693 Return a SRV DNS record. See RFC2782 for details. If not sup‐
694 plied, the domain defaults to that given by --domain. The de‐
695 fault for the target domain is empty, and the default for port
696 is one and the defaults for weight and priority are zero. Be
697 careful if transposing data from BIND zone files: the port,
698 weight and priority numbers are in a different order. More than
699 one SRV record for a given service/domain is allowed, all that
700 match are returned.
701 --host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-ad‐
703 dress>][,<TTL>]
704 Add A, AAAA and PTR records to the DNS. This adds one or more
705 names to the DNS with associated IPv4 (A) and IPv6 (AAAA)
706 records. A name may appear in more than one --host-record and
707 therefore be assigned more than one address. Only the first ad‐
708 dress creates a PTR record linking the address to the name. This
709 is the same rule as is used reading hosts-files. --host-record
710 options are considered to be read before host-files, so a name
711 appearing there inhibits PTR-record creation if it appears in
712 hosts-file also. Unlike hosts-files, names are not expanded,
713 even when --expand-hosts is in effect. Short and long names may
714 appear in the same --host-record, eg. --host-record=laptop,lap‐
715 top.thekelleys.org,192.168.0.1,1234::100
716 If the time-to-live is given, it overrides the default, which is
718 zero or the value of --local-ttl. The value is a positive inte‐
719 ger and gives the time-to-live in seconds.
720 --dynamic-host=<name>,[IPv4-address],[IPv6-address],<interface>
722 Add A, AAAA and PTR records to the DNS in the same subnet as the
723 specified interface. The address is derived from the network
724 part of each address associated with the interface, and the host
725 part from the specified address. For example --dynamic-host=ex‐
726 ample.com,0.0.0.8,eth0 will, when eth0 has the address
727 192.168.78.x and netmask 255.255.255.0 give the name example.com
728 an A record for 192.168.78.8. The same principle applies to IPv6
729 addresses. Note that if an interface has more than one address,
730 more than one A or AAAA record will be created. The TTL of the
731 records is always zero, and any changes to interface addresses
732 will be immediately reflected in them.
733 -Y, --txt-record=<name>[[,<text>],<text>]
735 Return a TXT DNS record. The value of TXT record is a set of
736 strings, so any number may be included, delimited by commas;
737 use quotes to put commas into a string. Note that the maximum
738 length of a single string is 255 characters, longer strings are
739 split into 255 character chunks.
740 --ptr-record=<name>[,<target>]
742 Return a PTR DNS record.
743 --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<reg‐
745 exp>[,<replacement>]
746 Return an NAPTR DNS record, as specified in RFC3403.
747 --caa-record=<name>,<flags>,<tag>,<value>
749 Return a CAA DNS record, as specified in RFC6844.
750 --cname=<cname>,[<cname>,]<target>[,<TTL>]
752 Return a CNAME record which indicates that <cname> is really
753 <target>. There is a significant limitation on the target; it
754 must be a DNS record which is known to dnsmasq and NOT a DNS
755 record which comes from an upstream server. The cname must be
756 unique, but it is permissible to have more than one cname point‐
757 ing to the same target. Indeed it's possible to declare multiple
758 cnames to a target in a single line, like so:
759 --cname=cname1,cname2,target
760 If the time-to-live is given, it overrides the default, which is
762 zero or the value of --local-ttl. The value is a positive inte‐
763 ger and gives the time-to-live in seconds.
764 --dns-rr=<name>,<RR-number>,[<hex data>]
766 Return an arbitrary DNS Resource Record. The number is the type
767 of the record (which is always in the C_IN class). The value of
768 the record is given by the hex data, which may be of the form
769 01:23:45 or 01 23 45 or 012345 or any mixture of these.
770 --interface-name=<name>,<interface>[/4|/6]
772 Return DNS records associating the name with the address(es) of
773 the given interface. This flag specifies an A or AAAA record for
774 the given name in the same way as an /etc/hosts line, except
775 that the address is not constant, but taken from the given in‐
776 terface. The interface may be followed by "/4" or "/6" to spec‐
777 ify that only IPv4 or IPv6 addresses of the interface should be
778 used. If the interface is down, not configured or non-existent,
779 an empty record is returned. The matching PTR record is also
780 created, mapping the interface address to the name. More than
781 one name may be associated with an interface address by repeat‐
782 ing the flag; in that case the first instance is used for the
783 reverse address-to-name mapping. Note that a name used in --in‐
784 terface-name may not appear in /etc/hosts.
785 --synth-domain=<domain>,<address range>[,<prefix>[*]]
787 Create artificial A/AAAA and PTR records for an address range.
788 The records either seqential numbers or the address, with peri‐
789 ods (or colons for IPv6) replaced with dashes.
790 An examples should make this clearer. First sequential numbers.
792 --synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,in‐
793 ternal-* results in the name internal-0.thekelleys.org.uk. re‐
794 turning 192.168.0.50, internal-1.thekelleys.org.uk returning
795 192.168.0.51 and so on. (note the *) The same principle applies
796 to IPv6 addresses (where the numbers may be very large). Reverse
797 lookups from address to name behave as expected.
798 Second, --synth-domain=thekelleys.org.uk,192.168.0.0/24,inter‐
800 nal- (no *) will result in a query for inter‐
801 nal-192-168-0-56.thekelleys.org.uk returning 192.168.0.56 and a
802 reverse query vice versa. The same applies to IPv6, but IPv6 ad‐
803 dresses may start with '::' but DNS labels may not start with
804 '-' so in this case if no prefix is configured a zero is added
805 in front of the label. ::1 becomes 0--1.
806 V4 mapped IPv6 addresses, which have a representation like
808 ::ffff:1.2.3.4 are handled specially, and become like
809 0--ffff-1-2-3-4
810 The address range can be of the form <start address>,<end ad‐
812 dress> or <ip address>/<prefix-length> in both forms of the op‐
813 tion. For IPv6 the start and end addresses must fall in the same
814 /64 network, or prefix-length must be greater than or equal to
815 64 except that shorter prefix lengths than 64 are allowed only
816 if non-sequential names are in use.
817 --dumpfile=<path/to/file>
819 Specify the location of a pcap-format file which dnsmasq uses to
820 dump copies of network packets for debugging purposes. If the
821 file exists when dnsmasq starts, it is not deleted; new packets
822 are added to the end.
823 --dumpmask=<mask>
825 Specify which types of packets should be added to the dumpfile.
826 The argument should be the OR of the bitmasks for each type of
827 packet to be dumped: it can be specified in hex by preceding the
828 number with 0x in the normal way. Each time a packet is written
829 to the dumpfile, dnsmasq logs the packet sequence and the mask
830 representing its type. The current types are: 0x0001 - DNS
831 queries from clients, 0x0002 DNS replies to clients, 0x0004 -
832 DNS queries to upstream, 0x0008 - DNS replies from upstream,
833 0x0010 - queries send upstream for DNSSEC validation, 0x0020 -
834 replies to queries for DNSSEC validation, 0x0040 - replies to
835 client queries which fail DNSSEC validation, 0x0080 replies to
836 queries for DNSSEC validation which fail validation, 0x1000 -
837 DHCPv4, 0x2000 - DHCPv6, 0x4000 - Router advertisement, 0x8000 -
838 TFTP.
839 --add-mac[=base64|text]
841 Add the MAC address of the requestor to DNS queries which are
842 forwarded upstream. This may be used to DNS filtering by the up‐
843 stream server. The MAC address can only be added if the re‐
844 questor is on the same subnet as the dnsmasq server. Note that
845 the mechanism used to achieve this (an EDNS0 option) is not yet
846 standardised, so this should be considered experimental. Also
847 note that exposing MAC addresses in this way may have security
848 and privacy implications. The warning about caching given for
849 --add-subnet applies to --add-mac too. An alternative encoding
850 of the MAC, as base64, is enabled by adding the "base64" parame‐
851 ter and a human-readable encoding of hex-and-colons is enabled
852 by added the "text" parameter.
853 --strip-mac
855 Remove any MAC address information already in downstream queries
856 before forwarding upstream.
857 --add-cpe-id=<string>
859 Add an arbitrary identifying string to DNS queries which are
860 forwarded upstream.
861 --add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 ad‐
863 dress>/]<IPv6 prefix length>]]
864 Add a subnet address to the DNS queries which are forwarded up‐
865 stream. If an address is specified in the flag, it will be used,
866 otherwise, the address of the requestor will be used. The amount
867 of the address forwarded depends on the prefix length parameter:
868 32 (128 for IPv6) forwards the whole address, zero forwards none
869 of it but still marks the request so that no upstream nameserver
870 will add client address information either. The default is zero
871 for both IPv4 and IPv6. Note that upstream nameservers may be
872 configured to return different results based on this informa‐
873 tion, but the dnsmasq cache does not take account. Caching is
874 therefore disabled for such replies, unless the subnet address
875 being added is constant.
876 For example, --add-subnet=24,96 will add the /24 and /96 subnets
878 of the requestor for IPv4 and IPv6 requestors, respectively.
879 --add-subnet=1.2.3.4/24 will add 1.2.3.0/24 for IPv4 requestors
880 and ::/0 for IPv6 requestors. --add-sub‐
881 net=1.2.3.4/24,1.2.3.4/24 will add 1.2.3.0/24 for both IPv4 and
882 IPv6 requestors.
883 --strip-subnet
885 Remove any subnet address already present in a downstream query
886 before forwarding it upstream. If --add-subnet is set this also
887 ensures that any downstream-provided subnet is replaced by the
888 one added by dnsmasq. Otherwise, dnsmasq will NOT replace an ex‐
889 isting subnet in the query.
890 --umbrella[=[deviceid:<deviceid>][,orgid:<orgid>][,assetid:<id>]]
892 Embeds the requestor's IP address in DNS queries forwarded up‐
893 stream. If device id or, asset id or organization id are speci‐
894 fied, the information is included in the forwarded queries and
895 may be able to be used in filtering policies and reporting. The
896 order of the id attributes is irrelevant, but they must be sepa‐
897 rated by a comma. Deviceid is a sixteen digit hexadecimal num‐
898 ber, org and asset ids are decimal numbers.
899 -c, --cache-size=<cachesize>
901 Set the size of dnsmasq's cache. The default is 150 names. Set‐
902 ting the cache size to zero disables caching. Note: huge cache
903 size impacts performance.
904 -N, --no-negcache
906 Disable negative caching. Negative caching allows dnsmasq to re‐
907 member "no such domain" answers from upstream nameservers and
908 answer identical queries without forwarding them again.
909 --no-round-robin
911 Dnsmasq normally permutes the order of A or AAAA records for the
912 same name on successive queries, for load-balancing. This turns
913 off that behaviour, so that the records are always returned in
914 the order that they are received from upstream.
915 --use-stale-cache[=<max TTL excess in s>]
917 When set, if a DNS name exists in the cache, but its time-to-
918 live has expired, dnsmasq will return the data anyway. (It at‐
919 tempts to refresh the data with an upstream query after return‐
920 ing the stale data.) This can improve speed and reliability. It
921 comes at the expense of sometimes returning out-of-date data and
922 less efficient cache utilisation, since old data cannot be
923 flushed when its TTL expires, so the cache becomes mostly least-
924 recently-used. To mitigate issues caused by massively outdated
925 DNS replies, the maximum overaging of cached records can be
926 specified in seconds (defaulting to not serve anything older
927 than one day). Setting the TTL excess time to zero will serve
928 stale cache data regardless how long it has expired.
929 -0, --dns-forward-max=<queries>
931 Set the maximum number of concurrent DNS queries. The default
932 value is 150, which should be fine for most setups. The only
933 known situation where this needs to be increased is when using
934 web-server log file resolvers, which can generate large numbers
935 of concurrent queries. This parameter actually controls the num‐
936 ber of concurrent queries per server group, where a server group
937 is the set of server(s) associated with a single domain. So if a
938 domain has it's own server via --server=/example.com/1.2.3.4 and
939 1.2.3.4 is not responding, but queries for *.example.com cannot
940 go elsewhere, then other queries will not be affected. On con‐
941 figurations with many such server groups and tight resources,
942 this value may need to be reduced.
943 --dnssec
945 Validate DNS replies and cache DNSSEC data. When forwarding DNS
946 queries, dnsmasq requests the DNSSEC records needed to validate
947 the replies. The replies are validated and the result returned
948 as the Authenticated Data bit in the DNS packet. In addition the
949 DNSSEC records are stored in the cache, making validation by
950 clients more efficient. Note that validation by clients is the
951 most secure DNSSEC mode, but for clients unable to do valida‐
952 tion, use of the AD bit set by dnsmasq is useful, provided that
953 the network between the dnsmasq server and the client is
954 trusted. Dnsmasq must be compiled with HAVE_DNSSEC enabled, and
955 DNSSEC trust anchors provided, see --trust-anchor. Because the
956 DNSSEC validation process uses the cache, it is not permitted to
957 reduce the cache size below the default when DNSSEC is enabled.
958 The nameservers upstream of dnsmasq must be DNSSEC-capable, ie
959 capable of returning DNSSEC records with data. If they are not,
960 then dnsmasq will not be able to determine the trusted status of
961 answers and this means that DNS service will be entirely broken.
962 --trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-
964 type>,<digest>
965 Provide DS records to act a trust anchors for DNSSEC validation.
966 Typically these will be the DS record(s) for Key Signing key(s)
967 (KSK) of the root zone, but trust anchors for limited domains
968 are also possible. The current root-zone trust anchors may be
969 downloaded from https://data.iana.org/root-anchors/root-an‐
970 chors.xml
971 --dnssec-check-unsigned[=no]
973 As a default, dnsmasq checks that unsigned DNS replies are le‐
974 gitimate: this entails possible extra queries even for the ma‐
975 jority of DNS zones which are not, at the moment, signed. If
976 --dnssec-check-unsigned=no appears in the configuration, then
977 such replies they are assumed to be valid and passed on (without
978 the "authentic data" bit set, of course). This does not protect
979 against an attacker forging unsigned replies for signed DNS
980 zones, but it is fast.
981 Versions of dnsmasq prior to 2.80 defaulted to not checking un‐
983 signed replies, and used --dnssec-check-unsigned to switch this
984 on. Such configurations will continue to work as before, but
985 those which used the default of no checking will need to be al‐
986 tered to explicitly select no checking. The new default is be‐
987 cause switching off checking for unsigned replies is inherently
988 dangerous. Not only does it open the possiblity of forged
989 replies, but it allows everything to appear to be working even
990 when the upstream namesevers do not support DNSSEC, and in this
991 case no DNSSEC validation at all is occurring.
992 --dnssec-no-timecheck
994 DNSSEC signatures are only valid for specified time windows, and
995 should be rejected outside those windows. This generates an in‐
996 teresting chicken-and-egg problem for machines which don't have
997 a hardware real time clock. For these machines to determine the
998 correct time typically requires use of NTP and therefore DNS,
999 but validating DNS requires that the correct time is already
1000 known. Setting this flag removes the time-window checks (but not
1001 other DNSSEC validation.) only until the dnsmasq process re‐
1002 ceives SIGINT. The intention is that dnsmasq should be started
1003 with this flag when the platform determines that reliable time
1004 is not currently available. As soon as reliable time is estab‐
1005 lished, a SIGINT should be sent to dnsmasq, which enables time
1006 checking, and purges the cache of DNS records which have not
1007 been thoroughly checked.
1008 Earlier versions of dnsmasq overloaded SIGHUP (which re-reads
1010 much configuration) to also enable time validation.
1011 If dnsmasq is run in debug mode (--no-daemon flag) then SIGINT
1013 retains its usual meaning of terminating the dnsmasq process.
1014 --dnssec-timestamp=<path>
1016 Enables an alternative way of checking the validity of the sys‐
1017 tem time for DNSSEC (see --dnssec-no-timecheck). In this case,
1018 the system time is considered to be valid once it becomes later
1019 than the timestamp on the specified file. The file is created
1020 and its timestamp set automatically by dnsmasq. The file must be
1021 stored on a persistent filesystem, so that it and its mtime are
1022 carried over system restarts. The timestamp file is created af‐
1023 ter dnsmasq has dropped root, so it must be in a location
1024 writable by the unprivileged user that dnsmasq runs as.
1025 --proxy-dnssec
1027 Copy the DNSSEC Authenticated Data bit from upstream servers to
1028 downstream clients. This is an alternative to having dnsmasq
1029 validate DNSSEC, but it depends on the security of the network
1030 between dnsmasq and the upstream servers, and the trustworthi‐
1031 ness of the upstream servers. Note that caching the Authenti‐
1032 cated Data bit correctly in all cases is not technically possi‐
1033 ble. If the AD bit is to be relied upon when using this option,
1034 then the cache should be disabled using --cache-size=0. In most
1035 cases, enabling DNSSEC validation within dnsmasq is a better op‐
1036 tion. See --dnssec for details.
1037 --dnssec-debug
1039 Set debugging mode for the DNSSEC validation, set the Checking
1040 Disabled bit on upstream queries, and don't convert replies
1041 which do not validate to responses with a return code of SERV‐
1042 FAIL. Note that setting this may affect DNS behaviour in bad
1043 ways, it is not an extra-logging flag and should not be set in
1044 production.
1045 --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix
1047 length>].....][,exclude:<subnet>[/<prefix length>]].....]
1048 Define a DNS zone for which dnsmasq acts as authoritative
1049 server. Locally defined DNS records which are in the domain will
1050 be served. If subnet(s) are given, A and AAAA records must be in
1051 one of the specified subnets.
1052 As alternative to directly specifying the subnets, it's possible
1054 to give the name of an interface, in which case the subnets im‐
1055 plied by that interface's configured addresses and netmask/pre‐
1056 fix-length are used; this is useful when using constructed DHCP
1057 ranges as the actual address is dynamic and not known when con‐
1058 figuring dnsmasq. The interface addresses may be confined to
1059 only IPv6 addresses using <interface>/6 or to only IPv4 using
1060 <interface>/4. This is useful when an interface has dynamically
1061 determined global IPv6 addresses which should appear in the
1062 zone, but RFC1918 IPv4 addresses which should not. Interface-
1063 name and address-literal subnet specifications may be used
1064 freely in the same --auth-zone declaration.
1065 It's possible to exclude certain IP addresses from responses. It
1067 can be used, to make sure that answers contain only global
1068 routeable IP addresses (by excluding loopback, RFC1918 and ULA
1069 addresses).
1070 The subnet(s) are also used to define in-addr.arpa and ip6.arpa
1072 domains which are served for reverse-DNS queries. If not speci‐
1073 fied, the prefix length defaults to 24 for IPv4 and 64 for IPv6.
1074 For IPv4 subnets, the prefix length should be have the value 8,
1075 16 or 24 unless you are familiar with RFC 2317 and have arranged
1076 the in-addr.arpa delegation accordingly. Note that if no subnets
1077 are specified, then no reverse queries are answered.
1078 --auth-soa=<serial>[,<hostmaster>[,<refresh>[,<retry>[,<expiry>]]]]
1080 Specify fields in the SOA record associated with authoritative
1081 zones. Note that this is optional, all the values are set to
1082 sane defaults.
1083 --auth-sec-servers=<domain>[,<domain>[,<domain>...]]
1085 Specify any secondary servers for a zone for which dnsmasq is
1086 authoritative. These servers must be configured to get zone data
1087 from dnsmasq by zone transfer, and answer queries for the same
1088 authoritative zones as dnsmasq.
1089 --auth-peer=<ip-address>[,<ip-address>[,<ip-address>...]]
1091 Specify the addresses of secondary servers which are allowed to
1092 initiate zone transfer (AXFR) requests for zones for which dns‐
1093 masq is authoritative. If this option is not given but --auth-
1094 sec-servers is, then AXFR requests will be accepted from any
1095 secondary. Specifying --auth-peer without --auth-sec-servers en‐
1096 ables zone transfer but does not advertise the secondary in NS
1097 records returned by dnsmasq.
1098 --conntrack
1100 Read the Linux connection track mark associated with incoming
1101 DNS queries and set the same mark value on upstream traffic used
1102 to answer those queries. This allows traffic generated by dns‐
1103 masq to be associated with the queries which cause it, useful
1104 for bandwidth accounting and firewalling. Dnsmasq must have con‐
1105 ntrack support compiled in and the kernel must have conntrack
1106 support included and configured. This option cannot be combined
1107 with --query-port.
1108 -F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-
1110 addr>[,<end-addr>|<mode>[,<netmask>[,<broadcast>]]][,<lease time>]
1111 -F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-
1113 IPv6addr>[,<end-IPv6addr>|constructor:<interface>][,<mode>][,<prefix-
1114 len>][,<lease time>]
1115 Enable the DHCP server. Addresses will be given out from the
1117 range <start-addr> to <end-addr> and from statically defined ad‐
1118 dresses given in --dhcp-host options. If the lease time is
1119 given, then leases will be given for that length of time. The
1120 lease time is in seconds, or minutes (eg 45m) or hours (eg 1h)
1121 or days (2d) or weeks (1w) or "infinite". If not given, the de‐
1122 fault lease time is one hour for IPv4 and one day for IPv6. The
1123 minimum lease time is two minutes. For IPv6 ranges, the lease
1124 time maybe "deprecated"; this sets the preferred lifetime sent
1125 in a DHCP lease or router advertisement to zero, which causes
1126 clients to use other addresses, if available, for new connec‐
1127 tions as a prelude to renumbering.
1128 This option may be repeated, with different addresses, to enable
1130 DHCP service to more than one network. For directly connected
1131 networks (ie, networks on which the machine running dnsmasq has
1132 an interface) the netmask is optional: dnsmasq will determine it
1133 from the interface configuration. For networks which receive
1134 DHCP service via a relay agent, dnsmasq cannot determine the
1135 netmask itself, so it should be specified, otherwise dnsmasq
1136 will have to guess, based on the class (A, B or C) of the net‐
1137 work address. The broadcast address is always optional. It is
1138 always allowed to have more than one --dhcp-range in a single
1139 subnet.
1140 For IPv6, the parameters are slightly different: instead of net‐
1142 mask and broadcast address, there is an optional prefix length
1143 which must be equal to or larger then the prefix length on the
1144 local interface. If not given, this defaults to 64. Unlike the
1145 IPv4 case, the prefix length is not automatically derived from
1146 the interface configuration. The minimum size of the prefix
1147 length is 64.
1148 IPv6 (only) supports another type of range. In this, the start
1150 address and optional end address contain only the network part
1151 (ie ::1) and they are followed by constructor:<interface>. This
1152 forms a template which describes how to create ranges, based on
1153 the addresses assigned to the interface. For instance
1154 --dhcp-range=::1,::400,constructor:eth0
1156 will look for addresses on eth0 and then create a range from
1158 <network>::1 to <network>::400. If the interface is assigned
1159 more than one network, then the corresponding ranges will be au‐
1160 tomatically created, and then deprecated and finally removed
1161 again as the address is deprecated and then deleted. The inter‐
1162 face name may have a final "*" wildcard. Note that just any ad‐
1163 dress on eth0 will not do: it must not be an autoconfigured or
1164 privacy address, or be deprecated.
1165 If a --dhcp-range is only being used for stateless DHCP and/or
1167 SLAAC, then the address can be simply ::
1168 --dhcp-range=::,constructor:eth0
1170 The optional set:<tag> sets an alphanumeric label which marks
1173 this network so that DHCP options may be specified on a per-net‐
1174 work basis. When it is prefixed with 'tag:' instead, then its
1175 meaning changes from setting a tag to matching it. Only one tag
1176 may be set, but more than one tag may be matched.
1177 The optional <mode> keyword may be static which tells dnsmasq to
1179 enable DHCP for the network specified, but not to dynamically
1180 allocate IP addresses: only hosts which have static addresses
1181 given via --dhcp-host or from /etc/ethers will be served. A
1182 static-only subnet with address all zeros may be used as a
1183 "catch-all" address to enable replies to all Information-request
1184 packets on a subnet which is provided with stateless DHCPv6, ie
1185 --dhcp-range=::,static
1186 For IPv4, the <mode> may be proxy in which case dnsmasq will
1188 provide proxy-DHCP on the specified subnet. (See --pxe-prompt
1189 and --pxe-service for details.)
1190 For IPv6, the mode may be some combination of ra-only, slaac,
1192 ra-names, ra-stateless, ra-advrouter, off-link.
1193 ra-only tells dnsmasq to offer Router Advertisement only on this
1195 subnet, and not DHCP.
1196 slaac tells dnsmasq to offer Router Advertisement on this subnet
1198 and to set the A bit in the router advertisement, so that the
1199 client will use SLAAC addresses. When used with a DHCP range or
1200 static DHCP address this results in the client having both a
1201 DHCP-assigned and a SLAAC address.
1202 ra-stateless sends router advertisements with the O and A bits
1204 set, and provides a stateless DHCP service. The client will use
1205 a SLAAC address, and use DHCP for other configuration informa‐
1206 tion.
1207 ra-names enables a mode which gives DNS names to dual-stack
1209 hosts which do SLAAC for IPv6. Dnsmasq uses the host's IPv4
1210 lease to derive the name, network segment and MAC address and
1211 assumes that the host will also have an IPv6 address calculated
1212 using the SLAAC algorithm, on the same network segment. The ad‐
1213 dress is pinged, and if a reply is received, an AAAA record is
1214 added to the DNS for this IPv6 address. Note that this is only
1215 happens for directly-connected networks, (not one doing DHCP via
1216 a relay) and it will not work if a host is using privacy exten‐
1217 sions. ra-names can be combined with ra-stateless and slaac.
1218 ra-advrouter enables a mode where router address(es) rather than
1220 prefix(es) are included in the advertisements. This is de‐
1221 scribed in RFC-3775 section 7.2 and is used in mobile IPv6. In
1222 this mode the interval option is also included, as described in
1223 RFC-3775 section 7.3.
1224 off-link tells dnsmasq to advertise the prefix without the on-
1226 link (aka L) bit set.
1227 -G, --dhcp-
1230 host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,tag:<tag>][,<ipaddr>][,<host‐
1231 name>][,<lease_time>][,ignore]
1232 Specify per host parameters for the DHCP server. This allows a
1233 machine with a particular hardware address to be always allo‐
1234 cated the same hostname, IP address and lease time. A hostname
1235 specified like this overrides any supplied by the DHCP client on
1236 the machine. It is also allowable to omit the hardware address
1237 and include the hostname, in which case the IP address and lease
1238 times will apply to any machine claiming that name. For example
1239 --dhcp-host=00:20:e0:3b:13:af,wap,infinite tells dnsmasq to give
1240 the machine with hardware address 00:20:e0:3b:13:af the name
1241 wap, and an infinite DHCP lease. --dhcp-host=lap,192.168.0.199
1242 tells dnsmasq to always allocate the machine lap the IP address
1243 192.168.0.199.
1244 Addresses allocated like this are not constrained to be in the
1246 range given by the --dhcp-range option, but they must be in the
1247 same subnet as some valid dhcp-range. For subnets which don't
1248 need a pool of dynamically allocated addresses, use the "static"
1249 keyword in the --dhcp-range declaration.
1250 It is allowed to use client identifiers (called client DUID in
1252 IPv6-land) rather than hardware addresses to identify hosts by
1253 prefixing with 'id:'. Thus: --dhcp-host=id:01:02:03:04,.....
1254 refers to the host with client identifier 01:02:03:04. It is
1255 also allowed to specify the client ID as text, like this:
1256 --dhcp-host=id:clientidastext,.....
1257 A single --dhcp-host may contain an IPv4 address or one or more
1259 IPv6 addresses, or both. IPv6 addresses must be bracketed by
1260 square brackets thus: --dhcp-host=laptop,[1234::56] IPv6 ad‐
1261 dresses may contain only the host-identifier part: --dhcp-
1262 host=laptop,[::56] in which case they act as wildcards in con‐
1263 structed DHCP ranges, with the appropriate network part in‐
1264 serted. For IPv6, an address may include a prefix length:
1265 --dhcp-host=laptop,[1234:50/126] which (in this case) specifies
1266 four addresses, 1234::50 to 1234::53. This (an the ability to
1267 specify multiple addresses) is useful when a host presents ei‐
1268 ther a consistent name or hardware-ID, but varying DUIDs, since
1269 it allows dnsmasq to honour the static address allocation but
1270 assign a different adddress for each DUID. This typically occurs
1271 when chain netbooting, as each stage of the chain gets in turn
1272 allocates an address.
1273 Note that in IPv6 DHCP, the hardware address may not be avail‐
1275 able, though it normally is for direct-connected clients, or
1276 clients using DHCP relays which support RFC 6939.
1277 For DHCPv4, the special option id:* means "ignore any client-id
1280 and use MAC addresses only." This is useful when a client
1281 presents a client-id sometimes but not others.
1282 If a name appears in /etc/hosts, the associated address can be
1284 allocated to a DHCP lease, but only if a --dhcp-host option
1285 specifying the name also exists. Only one hostname can be given
1286 in a --dhcp-host option, but aliases are possible by using
1287 CNAMEs. (See --cname ). Note that /etc/hosts is NOT used when
1288 the DNS server side of dnsmasq is disabled by setting the DNS
1289 server port to zero.
1290 More than one --dhcp-host can be associated (by name, hardware
1292 address or UID) with a host. Which one is used (and therefore
1293 which address is allocated by DHCP and appears in the DNS) de‐
1294 pends on the subnet on which the host last obtained a DHCP
1295 lease: the --dhcp-host with an address within the subnet is
1296 used. If more than one address is within the subnet, the result
1297 is undefined. A corollary to this is that the name associated
1298 with a host using --dhcp-host does not appear in the DNS until
1299 the host obtains a DHCP lease.
1300 The special keyword "ignore" tells dnsmasq to never offer a DHCP
1303 lease to a machine. The machine can be specified by hardware ad‐
1304 dress, client ID or hostname, for instance --dhcp-
1305 host=00:20:e0:3b:13:af,ignore This is useful when there is an‐
1306 other DHCP server on the network which should be used by some
1307 machines.
1308 The set:<tag> construct sets the tag whenever this --dhcp-host
1310 directive is in use. This can be used to selectively send DHCP
1311 options just for this host. More than one tag can be set in a
1312 --dhcp-host directive (but not in other places where "set:<tag>"
1313 is allowed). When a host matches any --dhcp-host directive (or
1314 one implied by /etc/ethers) then the special tag "known" is set.
1315 This allows dnsmasq to be configured to ignore requests from un‐
1316 known machines using --dhcp-ignore=tag:!known If the host
1317 matches only a --dhcp-host directive which cannot be used be‐
1318 cause it specifies an address on different subnet, the tag
1319 "known-othernet" is set.
1320 The tag:<tag> construct filters which dhcp-host directives are
1322 used; more than one can be provided, in this case the request
1323 must match all of them. Tagged directives are used in preference
1324 to untagged ones. Note that one of <hwaddr>, <client_id> or
1325 <hostname> still needs to be specified (can be a wildcard).
1326 Ethernet addresses (but not client-ids) may have wildcard bytes,
1328 so for example --dhcp-host=00:20:e0:3b:13:*,ignore will cause
1329 dnsmasq to ignore a range of hardware addresses. Note that the
1330 "*" will need to be escaped or quoted on a command line, but not
1331 in the configuration file.
1332 Hardware addresses normally match any network (ARP) type, but it
1334 is possible to restrict them to a single ARP type by preceding
1335 them with the ARP-type (in HEX) and "-". so --dhcp-
1336 host=06-00:20:e0:3b:13:af,1.2.3.4 will only match a Token-Ring
1337 hardware address, since the ARP-address type for token ring is
1338 6.
1339 As a special case, in DHCPv4, it is possible to include more
1341 than one hardware address. eg: --dhcp-
1342 host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2 This allows
1343 an IP address to be associated with multiple hardware addresses,
1344 and gives dnsmasq permission to abandon a DHCP lease to one of
1345 the hardware addresses when another one asks for a lease. Beware
1346 that this is a dangerous thing to do, it will only work reliably
1347 if only one of the hardware addresses is active at any time and
1348 there is no way for dnsmasq to enforce this. It is, for in‐
1349 stance, useful to allocate a stable IP address to a laptop which
1350 has both wired and wireless interfaces.
1351 --dhcp-hostsfile=<path>
1353 Read DHCP host information from the specified file. If a direc‐
1354 tory is given, then read all the files contained in that direc‐
1355 tory in alphabetical order. The file contains information about
1356 one host per line. The format of a line is the same as text to
1357 the right of '=' in --dhcp-host. The advantage of storing DHCP
1358 host information in this file is that it can be changed without
1359 re-starting dnsmasq: the file will be re-read when dnsmasq re‐
1360 ceives SIGHUP.
1361 --dhcp-optsfile=<path>
1363 Read DHCP option information from the specified file. If a di‐
1364 rectory is given, then read all the files contained in that di‐
1365 rectory in alphabetical order. The advantage of using this op‐
1366 tion is the same as for --dhcp-hostsfile: the --dhcp-optsfile
1367 will be re-read when dnsmasq receives SIGHUP. Note that it is
1368 possible to encode the information in a --dhcp-boot flag as DHCP
1369 options, using the options names bootfile-name, server-ip-ad‐
1370 dress and tftp-server. This allows these to be included in a
1371 --dhcp-optsfile.
1372 --dhcp-hostsdir=<path>
1374 This is equivalent to --dhcp-hostsfile, except for the follow‐
1375 ing. The path MUST be a directory, and not an individual file.
1376 Changed or new files within the directory are read automati‐
1377 cally, without the need to send SIGHUP. If a file is deleted or
1378 changed after it has been read by dnsmasq, then the host record
1379 it contained will remain until dnsmasq receives a SIGHUP, or is
1380 restarted; ie host records are only added dynamically. The order
1381 in which the files in a directory are read is not defined.
1382 --dhcp-optsdir=<path>
1384 This is equivalent to --dhcp-optsfile, with the differences
1385 noted for --dhcp-hostsdir.
1386 -Z, --read-ethers
1388 Read /etc/ethers for information about hosts for the DHCP
1389 server. The format of /etc/ethers is a hardware address, fol‐
1390 lowed by either a hostname or dotted-quad IP address. When read
1391 by dnsmasq these lines have exactly the same effect as --dhcp-
1392 host options containing the same information. /etc/ethers is re-
1393 read when dnsmasq receives SIGHUP. IPv6 addresses are NOT read
1394 from /etc/ethers.
1395 -O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<en‐
1397 terprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>|op‐
1398 tion6:<opt>|option6:<opt-name>],[<value>[,<value>]]
1399 Specify different or extra options to DHCP clients. By default,
1400 dnsmasq sends some standard options to DHCP clients, the netmask
1401 and broadcast address are set to the same as the host running
1402 dnsmasq, and the DNS server and default route are set to the ad‐
1403 dress of the machine running dnsmasq. (Equivalent rules apply
1404 for IPv6.) If the domain name option has been set, that is sent.
1405 This configuration allows these defaults to be overridden, or
1406 other options specified. The option, to be sent may be given as
1407 a decimal number or as "option:<option-name>" The option numbers
1408 are specified in RFC2132 and subsequent RFCs. The set of option-
1409 names known by dnsmasq can be discovered by running "dnsmasq
1410 --help dhcp". For example, to set the default route option to
1411 192.168.4.4, do --dhcp-option=3,192.168.4.4 or --dhcp-option =
1412 option:router, 192.168.4.4 and to set the time-server address to
1413 192.168.0.4, do --dhcp-option = 42,192.168.0.4 or --dhcp-option
1414 = option:ntp-server, 192.168.0.4 The special address 0.0.0.0 is
1415 taken to mean "the address of the machine running dnsmasq".
1416 Data types allowed are comma separated dotted-quad IPv4 ad‐
1418 dresses, []-wrapped IPv6 addresses, a decimal number, colon-sep‐
1419 arated hex digits and a text string. If the optional tags are
1420 given then this option is only sent when all the tags are
1421 matched.
1422 Special processing is done on a text argument for option 119, to
1424 conform with RFC 3397. Text or dotted-quad IP addresses as argu‐
1425 ments to option 120 are handled as per RFC 3361. Dotted-quad IP
1426 addresses which are followed by a slash and then a netmask size
1427 are encoded as described in RFC 3442.
1428 IPv6 options are specified using the option6: keyword, followed
1430 by the option number or option name. The IPv6 option name space
1431 is disjoint from the IPv4 option name space. IPv6 addresses in
1432 options must be bracketed with square brackets, eg. --dhcp-op‐
1433 tion=option6:ntp-server,[1234::56] For IPv6, [::] means "the
1434 global address of the machine running dnsmasq", whilst [fd00::]
1435 is replaced with the ULA, if it exists, and [fe80::] with the
1436 link-local address.
1437 Be careful: no checking is done that the correct type of data
1439 for the option number is sent, it is quite possible to persuade
1440 dnsmasq to generate illegal DHCP packets with injudicious use of
1441 this flag. When the value is a decimal number, dnsmasq must de‐
1442 termine how large the data item is. It does this by examining
1443 the option number and/or the value, but can be overridden by ap‐
1444 pending a single letter flag as follows: b = one byte, s = two
1445 bytes, i = four bytes. This is mainly useful with encapsulated
1446 vendor class options (see below) where dnsmasq cannot determine
1447 data size from the option number. Option data which consists
1448 solely of periods and digits will be interpreted by dnsmasq as
1449 an IP address, and inserted into an option as such. To force a
1450 literal string, use quotes. For instance when using option 66 to
1451 send a literal IP address as TFTP server name, it is necessary
1452 to do --dhcp-option=66,"1.2.3.4"
1453 Encapsulated Vendor-class options may also be specified (IPv4
1455 only) using --dhcp-option: for instance --dhcp-option=vendor:PX‐
1456 EClient,1,0.0.0.0 sends the encapsulated vendor class-specific
1457 option "mftp-address=0.0.0.0" to any client whose vendor-class
1458 matches "PXEClient". The vendor-class matching is substring
1459 based (see --dhcp-vendorclass for details). If a vendor-class
1460 option (number 60) is sent by dnsmasq, then that is used for se‐
1461 lecting encapsulated options in preference to any sent by the
1462 client. It is possible to omit the vendorclass completely;
1463 --dhcp-option=vendor:,1,0.0.0.0 in which case the encapsulated
1464 option is always sent.
1465 Options may be encapsulated (IPv4 only) within other options:
1467 for instance --dhcp-option=encap:175, 190, iscsi-client0 will
1468 send option 175, within which is the option 190. If multiple op‐
1469 tions are given which are encapsulated with the same option num‐
1470 ber then they will be correctly combined into one encapsulated
1471 option. encap: and vendor: are may not both be set in the same
1472 --dhcp-option.
1473 The final variant on encapsulated options is "Vendor-Identifying
1475 Vendor Options" as specified by RFC3925. These are denoted like
1476 this: --dhcp-option=vi-encap:2, 10, text The number in the vi-
1477 encap: section is the IANA enterprise number used to identify
1478 this option. This form of encapsulation is supported in IPv6.
1479 The address 0.0.0.0 is not treated specially in encapsulated op‐
1481 tions.
1482 --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-en‐
1484 cap:<enterprise>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
1485 This works in exactly the same way as --dhcp-option except that
1486 the option will always be sent, even if the client does not ask
1487 for it in the parameter request list. This is sometimes needed,
1488 for example when sending options to PXELinux.
1489 --dhcp-no-override
1491 (IPv4 only) Disable re-use of the DHCP servername and filename
1492 fields as extra option space. If it can, dnsmasq moves the boot
1493 server and filename information (from --dhcp-boot) out of their
1494 dedicated fields into DHCP options. This make extra space avail‐
1495 able in the DHCP packet for options but can, rarely, confuse old
1496 or broken clients. This flag forces "simple and safe" behaviour
1497 to avoid problems in such a case.
1498 --dhcp-relay=<local address>[,<server address>[#<server port>]][,<in‐
1500 terface]
1501 Configure dnsmasq to do DHCP relay. The local address is an ad‐
1502 dress allocated to an interface on the host running dnsmasq. All
1503 DHCP requests arriving on that interface will we relayed to a
1504 remote DHCP server at the server address. It is possible to re‐
1505 lay from a single local address to multiple remote servers by
1506 using multiple --dhcp-relay configs with the same local address
1507 and different server addresses. A server address must be an IP
1508 literal address, not a domain name. If the server address is
1509 omitted, the request will be forwarded by broadcast (IPv4) or
1510 multicast (IPv6). In this case the interface must be given and
1511 not be wildcard. The server address may specify a non-standard
1512 port to relay to. If this is used then --dhcp-proxy should
1513 likely also be set, otherwise parts of the DHCP conversation
1514 which do not pass through the relay will be delivered to the
1515 wrong port.
1516 Access control for DHCP clients has the same rules as for the
1518 DHCP server, see --interface, --except-interface, etc. The op‐
1519 tional interface name in the --dhcp-relay config has a different
1520 function: it controls on which interface DHCP replies from the
1521 server will be accepted. This is intended for configurations
1522 which have three interfaces: one being relayed from, a second
1523 connecting the DHCP server, and a third untrusted network, typi‐
1524 cally the wider internet. It avoids the possibility of spoof
1525 replies arriving via this third interface.
1526 It is allowed to have dnsmasq act as a DHCP server on one set of
1528 interfaces and relay from a disjoint set of interfaces. Note
1529 that whilst it is quite possible to write configurations which
1530 appear to act as a server and a relay on the same interface,
1531 this is not supported: the relay function will take precedence.
1532 Both DHCPv4 and DHCPv6 relay is supported. It's not possible to
1534 relay DHCPv4 to a DHCPv6 server or vice-versa.
1535 The DHCP relay function for IPv6 includes the ability to snoop
1537 prefix-delegation from relayed DHCP transactions. See --dhcp-
1538 script for details.
1539 -U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise num‐
1541 ber>,]<vendor-class>
1542 Map from a vendor-class string to a tag. Most DHCP clients pro‐
1543 vide a "vendor class" which represents, in some sense, the type
1544 of host. This option maps vendor classes to tags, so that DHCP
1545 options may be selectively delivered to different classes of
1546 hosts. For example --dhcp-vendorclass=set:printers,Hewlett-
1547 Packard JetDirect will allow options to be set only for HP
1548 printers like so: --dhcp-option=tag:printers,3,192.168.4.4 The
1549 vendor-class string is substring matched against the vendor-
1550 class supplied by the client, to allow fuzzy matching. The set:
1551 prefix is optional but allowed for consistency.
1552 Note that in IPv6 only, vendorclasses are namespaced with an
1554 IANA-allocated enterprise number. This is given with enterprise:
1555 keyword and specifies that only vendorclasses matching the spec‐
1556 ified number should be searched.
1557 -j, --dhcp-userclass=set:<tag>,<user-class>
1559 Map from a user-class string to a tag (with substring matching,
1560 like vendor classes). Most DHCP clients provide a "user class"
1561 which is configurable. This option maps user classes to tags, so
1562 that DHCP options may be selectively delivered to different
1563 classes of hosts. It is possible, for instance to use this to
1564 set a different printer server for hosts in the class "accounts"
1565 than for hosts in the class "engineering".
1566 -4, --dhcp-mac=set:<tag>,<MAC address>
1568 Map from a MAC address to a tag. The MAC address may include
1569 wildcards. For example --dhcp-mac=set:3com,01:34:23:*:*:* will
1570 set the tag "3com" for any host whose MAC address matches the
1571 pattern.
1572 --dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-remoteid=set:<tag>,<re‐
1574 mote-id>
1575 Map from RFC3046 relay agent options to tags. This data may be
1576 provided by DHCP relay agents. The circuit-id or remote-id is
1577 normally given as colon-separated hex, but is also allowed to be
1578 a simple string. If an exact match is achieved between the cir‐
1579 cuit or agent ID and one provided by a relay agent, the tag is
1580 set.
1581 --dhcp-remoteid (but not --dhcp-circuitid) is supported in IPv6.
1583 --dhcp-subscrid=set:<tag>,<subscriber-id>
1585 (IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent op‐
1586 tions to tags.
1587 --dhcp-proxy[=<ip addr>]......
1589 (IPv4 only) A normal DHCP relay agent is only used to forward
1590 the initial parts of a DHCP interaction to the DHCP server. Once
1591 a client is configured, it communicates directly with the
1592 server. This is undesirable if the relay agent is adding extra
1593 information to the DHCP packets, such as that used by --dhcp-
1594 circuitid and --dhcp-remoteid. A full relay implementation can
1595 use the RFC 5107 serverid-override option to force the DHCP
1596 server to use the relay as a full proxy, with all packets pass‐
1597 ing through it. This flag provides an alternative method of do‐
1598 ing the same thing, for relays which don't support RFC 5107.
1599 Given alone, it manipulates the server-id for all interactions
1600 via relays. If a list of IP addresses is given, only interac‐
1601 tions via relays at those addresses are affected.
1602 --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-en‐
1604 cap:<enterprise>[,<value>]
1605 Without a value, set the tag if the client sends a DHCP option
1606 of the given number or name. When a value is given, set the tag
1607 only if the option is sent and matches the value. The value may
1608 be of the form "01:ff:*:02" in which case the value must match
1609 (apart from wildcards) but the option sent may have unmatched
1610 data past the end of the value. The value may also be of the
1611 same form as in --dhcp-option in which case the option sent is
1612 treated as an array, and one element must match, so --dhcp-
1613 match=set:efi-ia32,option:client-arch,6 will set the tag "efi-
1614 ia32" if the the number 6 appears in the list of architectures
1615 sent by the client in option 93. (See RFC 4578 for details.) If
1616 the value is a string, substring matching is used.
1617 The special form with vi-encap:<enterprise number> matches
1619 against vendor-identifying vendor classes for the specified en‐
1620 terprise. Please see RFC 3925 for more details of these rare and
1621 interesting beasts.
1622 --dhcp-name-match=set:<tag>,<name>[*]
1624 Set the tag if the given name is supplied by a DHCP client.
1625 There may be a single trailing wildcard *, which has the usual
1626 meaning. Combined with dhcp-ignore or dhcp-ignore-names this
1627 gives the ability to ignore certain clients by name, or disallow
1628 certain hostnames from being claimed by a client.
1629 --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
1631 Perform boolean operations on tags. Any tag appearing as
1632 set:<tag> is set if all the tags which appear as tag:<tag> are
1633 set, (or unset when tag:!<tag> is used) If no tag:<tag> appears
1634 set:<tag> tags are set unconditionally. Any number of set: and
1635 tag: forms may appear, in any order. --tag-if lines are exe‐
1636 cuted in order, so if the tag in tag:<tag> is a tag set by an‐
1637 other --tag-if, the line which sets the tag must precede the one
1638 which tests it.
1639 As an extension, the tag:<tag> clauses support limited wildcard
1641 matching, similar to the matching in the --interface directive.
1642 This allows, for example, using --tag-if=set:ppp,tag:ppp* to set
1643 the tag 'ppp' for all requests received on any matching inter‐
1644 face (ppp0, ppp1, etc). This can be used in conjunction with
1645 the tag:!<tag> format meaning that no tag matching the wildcard
1646 may be set.
1647 -J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
1649 When all the given tags appear in the tag set ignore the host
1650 and do not allocate it a DHCP lease.
1651 --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
1653 When all the given tags appear in the tag set, ignore any host‐
1654 name provided by the host. Note that, unlike --dhcp-ignore, it
1655 is permissible to supply no tags, in which case DHCP-client sup‐
1656 plied hostnames are always ignored, and DHCP hosts are added to
1657 the DNS using only --dhcp-host configuration in dnsmasq and the
1658 contents of /etc/hosts and /etc/ethers.
1659 --dhcp-generate-names=tag:<tag>[,tag:<tag>]
1661 (IPv4 only) Generate a name for DHCP clients which do not other‐
1662 wise have one, using the MAC address expressed in hex, separated
1663 by dashes. Note that if a host provides a name, it will be used
1664 by preference to this, unless --dhcp-ignore-names is set.
1665 --dhcp-broadcast[=tag:<tag>[,tag:<tag>]]
1667 (IPv4 only) When all the given tags appear in the tag set, al‐
1668 ways use broadcast to communicate with the host when it is un‐
1669 configured. It is permissible to supply no tags, in which case
1670 this is unconditional. Most DHCP clients which need broadcast
1671 replies set a flag in their requests so that this happens auto‐
1672 matically, some old BOOTP clients do not.
1673 -M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server ad‐
1675 dress>|<tftp_servername>]]
1676 (IPv4 only) Set BOOTP options to be returned by the DHCP server.
1677 Server name and address are optional: if not provided, the name
1678 is left empty, and the address set to the address of the machine
1679 running dnsmasq. If dnsmasq is providing a TFTP service (see
1680 --enable-tftp ) then only the filename is required here to en‐
1681 able network booting. If the optional tag(s) are given, they
1682 must match for this configuration to be sent. Instead of an IP
1683 address, the TFTP server address can be given as a domain name
1684 which is looked up in /etc/hosts. This name can be associated in
1685 /etc/hosts with multiple IP addresses, which are used round-
1686 robin. This facility can be used to load balance the tftp load
1687 among a set of servers.
1688 --dhcp-sequential-ip
1690 Dnsmasq is designed to choose IP addresses for DHCP clients us‐
1691 ing a hash of the client's MAC address. This normally allows a
1692 client's address to remain stable long-term, even if the client
1693 sometimes allows its DHCP lease to expire. In this default mode
1694 IP addresses are distributed pseudo-randomly over the entire
1695 available address range. There are sometimes circumstances (typ‐
1696 ically server deployment) where it is more convenient to have IP
1697 addresses allocated sequentially, starting from the lowest
1698 available address, and setting this flag enables this mode. Note
1699 that in the sequential mode, clients which allow a lease to ex‐
1700 pire are much more likely to move IP address; for this reason it
1701 should not be generally used.
1702 --dhcp-ignore-clid
1704 Dnsmasq is reading 'client identifier' (RFC 2131) option sent by
1705 clients (if available) to identify clients. This allow to serve
1706 same IP address for a host using several interfaces. Use this
1707 option to disable 'client identifier' reading, i.e. to always
1708 identify a host using the MAC address.
1709 --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservice‐
1711 type>][,<server address>|<server_name>]
1712 Most uses of PXE boot-ROMS simply allow the PXE system to obtain
1713 an IP address and then download the file specified by --dhcp-
1714 boot and execute it. However the PXE system is capable of more
1715 complex functions when supported by a suitable DHCP server.
1716 This specifies a boot option which may appear in a PXE boot
1718 menu. <CSA> is client system type, only services of the correct
1719 type will appear in a menu. The known types are x86PC, PC98,
1720 IA64_EFI, Alpha, Arc_x86, Intel_Lean_Client, IA32_EFI,
1721 x86-64_EFI, Xscale_EFI, BC_EFI, ARM32_EFI and ARM64_EFI; an in‐
1722 teger may be used for other types. The parameter after the menu
1723 text may be a file name, in which case dnsmasq acts as a boot
1724 server and directs the PXE client to download the file by TFTP,
1725 either from itself ( --enable-tftp must be set for this to work)
1726 or another TFTP server if the final server address/name is
1727 given. Note that the "layer" suffix (normally ".0") is supplied
1728 by PXE, and need not be added to the basename. Alternatively,
1729 the basename may be a filename, complete with suffix, in which
1730 case no layer suffix is added. If an integer boot service type,
1731 rather than a basename is given, then the PXE client will search
1732 for a suitable boot service for that type on the network. This
1733 search may be done by broadcast, or direct to a server if its IP
1734 address/name is provided. If no boot service type or filename
1735 is provided (or a boot service type of 0 is specified) then the
1736 menu entry will abort the net boot procedure and continue boot‐
1737 ing from local media. The server address can be given as a do‐
1738 main name which is looked up in /etc/hosts. This name can be as‐
1739 sociated in /etc/hosts with multiple IP addresses, which are
1740 used round-robin.
1741 --pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]
1743 Setting this provides a prompt to be displayed after PXE boot.
1744 If the timeout is given then after the timeout has elapsed with
1745 no keyboard input, the first available menu option will be auto‐
1746 matically executed. If the timeout is zero then the first avail‐
1747 able menu item will be executed immediately. If --pxe-prompt is
1748 omitted the system will wait for user input if there are multi‐
1749 ple items in the menu, but boot immediately if there is only
1750 one. See --pxe-service for details of menu items.
1751 Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP
1753 server on the network is responsible for allocating IP ad‐
1754 dresses, and dnsmasq simply provides the information given in
1755 --pxe-prompt and --pxe-service to allow netbooting. This mode is
1756 enabled using the proxy keyword in --dhcp-range.
1757 --dhcp-pxe-vendor=<vendor>[,...]
1759 According to UEFI and PXE specifications, DHCP packets between
1760 PXE clients and proxy PXE servers should have PXEClient in their
1761 vendor-class field. However, the firmware of computers from a
1762 few vendors is customized to carry a different identifier in
1763 that field. This option is used to consider such identifiers
1764 valid for identifying PXE clients. For instance
1765 --dhcp-pxe-vendor=PXEClient,HW-Client
1767 will enable dnsmasq to also provide proxy PXE service to those
1769 PXE clients with HW-Client in as their identifier.
1770 -X, --dhcp-lease-max=<number>
1772 Limits dnsmasq to the specified maximum number of DHCP leases.
1773 The default is 1000. This limit is to prevent DoS attacks from
1774 hosts which create thousands of leases and use lots of memory in
1775 the dnsmasq process.
1776 -K, --dhcp-authoritative
1778 Should be set when dnsmasq is definitely the only DHCP server on
1779 a network. For DHCPv4, it changes the behaviour from strict RFC
1780 compliance so that DHCP requests on unknown leases from unknown
1781 hosts are not ignored. This allows new hosts to get a lease
1782 without a tedious timeout under all circumstances. It also al‐
1783 lows dnsmasq to rebuild its lease database without each client
1784 needing to reacquire a lease, if the database is lost. For
1785 DHCPv6 it sets the priority in replies to 255 (the maximum) in‐
1786 stead of 0 (the minimum).
1787 --dhcp-rapid-commit
1789 Enable DHCPv4 Rapid Commit Option specified in RFC 4039. When
1790 enabled, dnsmasq will respond to a DHCPDISCOVER message includ‐
1791 ing a Rapid Commit option with a DHCPACK including a Rapid Com‐
1792 mit option and fully committed address and configuration infor‐
1793 mation. Should only be enabled if either the server is the only
1794 server for the subnet, or multiple servers are present and they
1795 each commit a binding for all clients.
1796 --dhcp-alternate-port[=<server port>[,<client port>]]
1798 (IPv4 only) Change the ports used for DHCP from the default. If
1799 this option is given alone, without arguments, it changes the
1800 ports used for DHCP from 67 and 68 to 1067 and 1068. If a single
1801 argument is given, that port number is used for the server and
1802 the port number plus one used for the client. Finally, two port
1803 numbers allows arbitrary specification of both server and client
1804 ports for DHCP.
1805 -3, --bootp-dynamic[=<network-id>[,<network-id>]]
1807 (IPv4 only) Enable dynamic allocation of IP addresses to BOOTP
1808 clients. Use this with care, since each address allocated to a
1809 BOOTP client is leased forever, and therefore becomes perma‐
1810 nently unavailable for re-use by other hosts. if this is given
1811 without tags, then it unconditionally enables dynamic alloca‐
1812 tion. With tags, only when the tags are all set. It may be re‐
1813 peated with different tag sets.
1814 -5, --no-ping
1816 (IPv4 only) By default, the DHCP server will attempt to ensure
1817 that an address is not in use before allocating it to a host. It
1818 does this by sending an ICMP echo request (aka "ping") to the
1819 address in question. If it gets a reply, then the address must
1820 already be in use, and another is tried. This flag disables this
1821 check. Use with caution.
1822 --log-dhcp
1824 Extra logging for DHCP: log all the options sent to DHCP clients
1825 and the tags used to determine them.
1826 --quiet-dhcp, --quiet-dhcp6, --quiet-ra, --quiet-tftp
1828 Suppress logging of the routine operation of these protocols.
1829 Errors and problems will still be logged. --quiet-tftp does not
1830 consider file not found to be an error. --quiet-dhcp and quiet-
1831 dhcp6 are over-ridden by --log-dhcp.
1832 -l, --dhcp-leasefile=<path>
1834 Use the specified file to store DHCP lease information.
1835 --dhcp-duid=<enterprise-id>,<uid>
1837 (IPv6 only) Specify the server persistent UID which the DHCPv6
1838 server will use. This option is not normally required as dnsmasq
1839 creates a DUID automatically when it is first needed. When
1840 given, this option provides dnsmasq the data required to create
1841 a DUID-EN type DUID. Note that once set, the DUID is stored in
1842 the lease database, so to change between DUID-EN and automati‐
1843 cally created DUIDs or vice-versa, the lease database must be
1844 re-initialised. The enterprise-id is assigned by IANA, and the
1845 uid is a string of hex octets unique to a particular device.
1846 -6 --dhcp-script=<path>
1848 Whenever a new DHCP lease is created, or an old one destroyed,
1849 or a TFTP file transfer completes, the executable specified by
1850 this option is run. <path> must be an absolute pathname, no
1851 PATH search occurs. The arguments to the process are "add",
1852 "old" or "del", the MAC address of the host (or DUID for IPv6) ,
1853 the IP address, and the hostname, if known. "add" means a lease
1854 has been created, "del" means it has been destroyed, "old" is a
1855 notification of an existing lease when dnsmasq starts or a
1856 change to MAC address or hostname of an existing lease (also,
1857 lease length or expiry and client-id, if --leasefile-ro is set
1858 and lease expiry if --script-on-renewal is set). If the MAC ad‐
1859 dress is from a network type other than ethernet, it will have
1860 the network type prepended, eg "06-01:23:45:67:89:ab" for token
1861 ring. The process is run as root (assuming that dnsmasq was
1862 originally run as root) even if dnsmasq is configured to change
1863 UID to an unprivileged user.
1864 The environment is inherited from the invoker of dnsmasq, with
1866 some or all of the following variables added
1867 For both IPv4 and IPv6:
1869 DNSMASQ_DOMAIN if the fully-qualified domain name of the host is
1871 known, this is set to the domain part. (Note that the hostname
1872 passed to the script as an argument is never fully-qualified.)
1873 If the client provides a hostname, DNSMASQ_SUPPLIED_HOSTNAME
1875 If the client provides user-classes, DNSMASQ_USER_CLASS0..DNS‐
1877 MASQ_USER_CLASSn
1878 If dnsmasq was compiled with HAVE_BROKEN_RTC, then the length of
1880 the lease (in seconds) is stored in DNSMASQ_LEASE_LENGTH, other‐
1881 wise the time of lease expiry is stored in DNSMASQ_LEASE_EX‐
1882 PIRES. The number of seconds until lease expiry is always stored
1883 in DNSMASQ_TIME_REMAINING.
1884 DNSMASQ_DATA_MISSING is set to "1" during "old" events for ex‐
1886 isting leases generated at startup to indicate that data not
1887 stored in the persistent lease database will not be present.
1888 This comprises everything other than IP address, hostname, MAC
1889 address, DUID, IAID and lease length or expiry time.
1890 If a lease used to have a hostname, which is removed, an "old"
1892 event is generated with the new state of the lease, ie no name,
1893 and the former name is provided in the environment variable DNS‐
1894 MASQ_OLD_HOSTNAME.
1895 DNSMASQ_INTERFACE stores the name of the interface on which the
1897 request arrived; this is not set for "old" actions when dnsmasq
1898 restarts.
1899 DNSMASQ_RELAY_ADDRESS is set if the client used a DHCP relay to
1901 contact dnsmasq and the IP address of the relay is known.
1902 DNSMASQ_TAGS contains all the tags set during the DHCP transac‐
1904 tion, separated by spaces.
1905 DNSMASQ_LOG_DHCP is set if --log-dhcp is in effect.
1907 DNSMASQ_REQUESTED_OPTIONS a string containing the decimal values
1909 in the Parameter Request List option, comma separated, if the
1910 parameter request list option is provided by the client.
1911 DNSMASQ_MUD_URL the Manufacturer Usage Description URL if pro‐
1913 vided by the client. (See RFC8520 for details.)
1914 For IPv4 only:
1917 DNSMASQ_CLIENT_ID if the host provided a client-id.
1919 DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID, DNSMASQ_REMOTE_ID if
1921 a DHCP relay-agent added any of these options.
1922 If the client provides vendor-class, DNSMASQ_VENDOR_CLASS.
1924 For IPv6 only:
1926 If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID,
1928 containing the IANA enterprise id for the class, and DNS‐
1929 MASQ_VENDOR_CLASS0..DNSMASQ_VENDOR_CLASSn for the data.
1930 DNSMASQ_SERVER_DUID containing the DUID of the server: this is
1932 the same for every call to the script.
1933 DNSMASQ_IAID containing the IAID for the lease. If the lease is
1935 a temporary allocation, this is prefixed to 'T'.
1936 DNSMASQ_MAC containing the MAC address of the client, if known.
1938 Note that the supplied hostname, vendorclass and userclass data
1940 is only supplied for "add" actions or "old" actions when a host
1941 resumes an existing lease, since these data are not held in dns‐
1942 masq's lease database.
1943 All file descriptors are closed except stdin, which is open to
1947 /dev/null, and stdout and stderr which capture output for log‐
1948 ging by dnsmasq. (In debug mode, stdio, stdout and stderr file
1949 are left as those inherited from the invoker of dnsmasq).
1950 The script is not invoked concurrently: at most one instance of
1952 the script is ever running (dnsmasq waits for an instance of
1953 script to exit before running the next). Changes to the lease
1954 database are which require the script to be invoked are queued
1955 awaiting exit of a running instance. If this queueing allows
1956 multiple state changes occur to a single lease before the script
1957 can be run then earlier states are discarded and the current
1958 state of that lease is reflected when the script finally runs.
1959 At dnsmasq startup, the script will be invoked for all existing
1961 leases as they are read from the lease file. Expired leases will
1962 be called with "del" and others with "old". When dnsmasq re‐
1963 ceives a HUP signal, the script will be invoked for existing
1964 leases with an "old" event.
1965 There are five further actions which may appear as the first ar‐
1968 gument to the script, "init", "arp-add", "arp-del", "relay-
1969 snoop" and "tftp". More may be added in the future, so scripts
1970 should be written to ignore unknown actions. "init" is described
1971 below in --leasefile-ro
1972 The "tftp" action is invoked when a TFTP file transfer com‐
1974 pletes: the arguments are the file size in bytes, the address to
1975 which the file was sent, and the complete pathname of the file.
1976 The "relay-snoop" action is invoked when dnsmasq is configured
1978 as a DHCP relay for DHCPv6 and it relays a prefx delegation to a
1979 client. The arguments are the name of the interface where the
1980 client is conected, its (link-local) address on that interface
1981 and the delegated prefix. This information is sufficient to in‐
1982 stall routes to the delegated prefix of a router. See --dhcp-re‐
1983 lay for more details on configuring DHCP relay.
1984 The "arp-add" and "arp-del" actions are only called if enabled
1986 with --script-arp They are are supplied with a MAC address and
1987 IP address as arguments. "arp-add" indicates the arrival of a
1988 new entry in the ARP or neighbour table, and "arp-del" indicates
1989 the deletion of same.
1990 --dhcp-luascript=<path>
1993 Specify a script written in Lua, to be run when leases are cre‐
1994 ated, destroyed or changed. To use this option, dnsmasq must be
1995 compiled with the correct support. The Lua interpreter is ini‐
1996 tialised once, when dnsmasq starts, so that global variables
1997 persist between lease events. The Lua code must define a lease
1998 function, and may provide init and shutdown functions, which are
1999 called, without arguments when dnsmasq starts up and terminates.
2000 It may also provide a tftp function.
2001 The lease function receives the information detailed in --dhcp-
2003 script. It gets two arguments, firstly the action, which is a
2004 string containing, "add", "old" or "del", and secondly a table
2005 of tag value pairs. The tags mostly correspond to the environ‐
2006 ment variables detailed above, for instance the tag "domain"
2007 holds the same data as the environment variable DNSMASQ_DOMAIN.
2008 There are a few extra tags which hold the data supplied as argu‐
2009 ments to --dhcp-script. These are mac_address, ip_address and
2010 hostname for IPv4, and client_duid, ip_address and hostname for
2011 IPv6.
2012 The tftp function is called in the same way as the lease func‐
2014 tion, and the table holds the tags destination_address,
2015 file_name and file_size.
2016 The arp and arp-old functions are called only when enabled with
2018 --script-arp and have a table which holds the tags mac_address
2019 and client_address.
2020 --dhcp-scriptuser
2022 Specify the user as which to run the lease-change script or Lua
2023 script. This defaults to root, but can be changed to another
2024 user using this flag.
2025 --script-arp
2027 Enable the "arp" and "arp-old" functions in the --dhcp-script
2028 and --dhcp-luascript.
2029 -9, --leasefile-ro
2031 Completely suppress use of the lease database file. The file
2032 will not be created, read, or written. Change the way the lease-
2033 change script (if one is provided) is called, so that the lease
2034 database may be maintained in external storage by the script. In
2035 addition to the invocations given in --dhcp-script the lease-
2036 change script is called once, at dnsmasq startup, with the sin‐
2037 gle argument "init". When called like this the script should
2038 write the saved state of the lease database, in dnsmasq lease‐
2039 file format, to stdout and exit with zero exit code. Setting
2040 this option also forces the leasechange script to be called on
2041 changes to the client-id and lease length and expiry time.
2042 --script-on-renewal
2044 Call the DHCP script when the lease expiry time changes, for in‐
2045 stance when the lease is renewed.
2046 --bridge-interface=<interface>,<alias>[,<alias>]
2048 Treat DHCP (v4 and v6) requests and IPv6 Router Solicit packets
2049 arriving at any of the <alias> interfaces as if they had arrived
2050 at <interface>. This option allows dnsmasq to provide DHCP and
2051 RA service over unaddressed and unbridged Ethernet interfaces,
2052 e.g. on an OpenStack compute host where each such interface is a
2053 TAP interface to a VM, or as in "old style bridging" on BSD
2054 platforms. A trailing '*' wildcard can be used in each <alias>.
2055 It is permissible to add more than one alias using more than one
2057 --bridge-interface option since --bridge-inter‐
2058 face=int1,alias1,alias2 is exactly equivalent to --bridge-inter‐
2059 face=int1,alias1 --bridge-interface=int1,alias2
2060 --shared-network=<interface>,<addr>
2062 --shared-network=<addr>,<addr>
2063 The DHCP server determines which DHCP ranges are useable for al‐
2064 locating an address to a DHCP client based on the network from
2065 which the DHCP request arrives, and the IP configuration of the
2066 server's interface on that network. The shared-network option
2067 extends the available subnets (and therefore DHCP ranges) beyond
2068 the subnets configured on the arrival interface.
2069 The first argument is either the name of an interface, or an ad‐
2071 dress that is configured on a local interface, and the second
2072 argument is an address which defines another subnet on which ad‐
2073 dresses can be allocated.
2074 To be useful, there must be a suitable dhcp-range which allows
2076 address allocation on this subnet and this dhcp-range MUST in‐
2077 clude the netmask.
2078 Using shared-network also needs extra consideration of routing.
2080 Dnsmasq does not have the usual information that it uses to de‐
2081 termine the default route, so the default route option (or other
2082 routing) MUST be configured manually. The client must have a
2083 route to the server: if the two-address form of shared-network
2084 is used, this needs to be to the first specified address. If the
2085 interface,address form is used, there must be a route to all of
2086 the addresses configured on the interface.
2087 The two-address form of shared-network is also usable with a
2089 DHCP relay: the first address is the address of the relay and
2090 the second, as before, specifies an extra subnet which addresses
2091 may be allocated from.
2092 -s, --domain=<domain>[[,<address range>[,local]]|<interface>]
2095 Specifies DNS domains for the DHCP server. Domains may be be
2096 given unconditionally (without the IP range) or for limited IP
2097 ranges. This has two effects; firstly it causes the DHCP server
2098 to return the domain to any hosts which request it, and secondly
2099 it sets the domain which it is legal for DHCP-configured hosts
2100 to claim. The intention is to constrain hostnames so that an un‐
2101 trusted host on the LAN cannot advertise its name via DHCP as
2102 e.g. "microsoft.com" and capture traffic not meant for it. If no
2103 domain suffix is specified, then any DHCP hostname with a domain
2104 part (ie with a period) will be disallowed and logged. If suffix
2105 is specified, then hostnames with a domain part are allowed,
2106 provided the domain part matches the suffix. In addition, when a
2107 suffix is set then hostnames without a domain part have the suf‐
2108 fix added as an optional domain part. Eg on my network I can set
2109 --domain=thekelleys.org.uk and have a machine whose DHCP host‐
2110 name is "laptop". The IP address for that machine is available
2111 from dnsmasq both as "laptop" and "laptop.thekelleys.org.uk". If
2112 the domain is given as "#" then the domain is read from the
2113 first "search" directive in /etc/resolv.conf (or equivalent).
2114 The address range can be of the form <ip address>,<ip address>
2116 or <ip address>/<netmask> or just a single <ip address>. See
2117 --dhcp-fqdn which can change the behaviour of dnsmasq with do‐
2118 mains.
2119 If the address range is given as ip-address/network-size, then a
2121 additional flag "local" may be supplied which has the effect of
2122 adding --local declarations for forward and reverse DNS queries.
2123 Eg. --domain=thekelleys.org.uk,192.168.0.0/24,local is identi‐
2124 cal to --domain=thekelleys.org.uk,192.168.0.0/24 --lo‐
2125 cal=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/
2126 The address range can also be given as a network interface name,
2128 in which case all of the subnets currently assigned to the in‐
2129 terface are used in matching the address. This allows hosts on
2130 different physical subnets to be given different domains in a
2131 way which updates automatically as the interface addresses
2132 change.
2133 --dhcp-fqdn
2135 In the default mode, dnsmasq inserts the unqualified names of
2136 DHCP clients into the DNS. For this reason, the names must be
2137 unique, even if two clients which have the same name are in dif‐
2138 ferent domains. If a second DHCP client appears which has the
2139 same name as an existing client, the name is transferred to the
2140 new client. If --dhcp-fqdn is set, this behaviour changes: the
2141 unqualified name is no longer put in the DNS, only the qualified
2142 name. Two DHCP clients with the same name may both keep the
2143 name, provided that the domain part is different (ie the fully
2144 qualified names differ.) To ensure that all names have a domain
2145 part, there must be at least --domain without an address speci‐
2146 fied when --dhcp-fqdn is set.
2147 --dhcp-client-update
2149 Normally, when giving a DHCP lease, dnsmasq sets flags in the
2150 FQDN option to tell the client not to attempt a DDNS update with
2151 its name and IP address. This is because the name-IP pair is au‐
2152 tomatically added into dnsmasq's DNS view. This flag suppresses
2153 that behaviour, this is useful, for instance, to allow Windows
2154 clients to update Active Directory servers. See RFC 4702 for de‐
2155 tails.
2156 --enable-ra
2158 Enable dnsmasq's IPv6 Router Advertisement feature. DHCPv6
2159 doesn't handle complete network configuration in the same way as
2160 DHCPv4. Router discovery and (possibly) prefix discovery for au‐
2161 tonomous address creation are handled by a different protocol.
2162 When DHCP is in use, only a subset of this is needed, and dns‐
2163 masq can handle it, using existing DHCP configuration to provide
2164 most data. When RA is enabled, dnsmasq will advertise a prefix
2165 for each --dhcp-range, with default router as the relevant
2166 link-local address on the machine running dnsmasq. By default,
2167 the "managed address" bits are set, and the "use SLAAC" bit is
2168 reset. This can be changed for individual subnets with the mode
2169 keywords described in --dhcp-range. RFC6106 DNS parameters are
2170 included in the advertisements. By default, the relevant link-
2171 local address of the machine running dnsmasq is sent as recur‐
2172 sive DNS server. If provided, the DHCPv6 options dns-server and
2173 domain-search are used for the DNS server (RDNSS) and the domain
2174 search list (DNSSL).
2175 --ra-param=<interface>,[mtu:<integer>|<interface>|off,][high,|low,]<ra-
2177 interval>[,<router lifetime>]
2178 Set non-default values for router advertisements sent via an in‐
2179 terface. The priority field for the router may be altered from
2180 the default of medium with eg --ra-param=eth0,high. The inter‐
2181 val between router advertisements may be set (in seconds) with
2182 --ra-param=eth0,60. The lifetime of the route may be changed or
2183 set to zero, which allows a router to advertise prefixes but not
2184 a route via itself. --ra-param=eth0,0,0 (A value of zero for
2185 the interval means the default value.) All four parameters may
2186 be set at once. --ra-param=eth0,mtu:1280,low,60,1200
2187 The interface field may include a wildcard.
2189 The mtu: parameter may be an arbitrary interface name, in which
2191 case the MTU value for that interface is used. This is useful
2192 for (eg) advertising the MTU of a WAN interface on the other in‐
2193 terfaces of a router.
2194 --dhcp-reply-delay=[tag:<tag>,]<integer>
2196 Delays sending DHCPOFFER and PROXYDHCP replies for at least the
2197 specified number of seconds. This can be used as workaround for
2198 bugs in PXE boot firmware that does not function properly when
2199 receiving an instant reply. This option takes into account the
2200 time already spent waiting (e.g. performing ping check) if any.
2201 --enable-tftp[=<interface>[,<interface>]]
2203 Enable the TFTP server function. This is deliberately limited to
2204 that needed to net-boot a client. Only reading is allowed; the
2205 tsize and blksize extensions are supported (tsize is only sup‐
2206 ported in octet mode). Without an argument, the TFTP service is
2207 provided to the same set of interfaces as DHCP service. If the
2208 list of interfaces is provided, that defines which interfaces
2209 receive TFTP service.
2210 --tftp-root=<directory>[,<interface>]
2212 Look for files to transfer using TFTP relative to the given di‐
2213 rectory. When this is set, TFTP paths which include ".." are re‐
2214 jected, to stop clients getting outside the specified root. Ab‐
2215 solute paths (starting with /) are allowed, but they must be
2216 within the tftp-root. If the optional interface argument is
2217 given, the directory is only used for TFTP requests via that in‐
2218 terface.
2219 --tftp-no-fail
2221 Do not abort startup if specified tftp root directories are in‐
2222 accessible.
2223 --tftp-unique-root[=ip|mac]
2225 Add the IP or hardware address of the TFTP client as a path com‐
2226 ponent on the end of the TFTP-root. Only valid if a --tftp-root
2227 is set and the directory exists. Defaults to adding IP address
2228 (in standard dotted-quad format). For instance, if --tftp-root
2229 is "/tftp" and client 1.2.3.4 requests file "myfile" then the
2230 effective path will be "/tftp/1.2.3.4/myfile" if /tftp/1.2.3.4
2231 exists or /tftp/myfile otherwise. When "=mac" is specified it
2232 will append the MAC address instead, using lowercase zero padded
2233 digits separated by dashes, e.g.: 01-02-03-04-aa-bb Note that
2234 resolving MAC addresses is only possible if the client is in the
2235 local network or obtained a DHCP lease from us.
2236 --tftp-secure
2238 Enable TFTP secure mode: without this, any file which is read‐
2239 able by the dnsmasq process under normal unix access-control
2240 rules is available via TFTP. When the --tftp-secure flag is
2241 given, only files owned by the user running the dnsmasq process
2242 are accessible. If dnsmasq is being run as root, different rules
2243 apply: --tftp-secure has no effect, but only files which have
2244 the world-readable bit set are accessible. It is not recommended
2245 to run dnsmasq as root with TFTP enabled, and certainly not
2246 without specifying --tftp-root. Doing so can expose any world-
2247 readable file on the server to any host on the net.
2248 --tftp-lowercase
2250 Convert filenames in TFTP requests to all lowercase. This is
2251 useful for requests from Windows machines, which have case-in‐
2252 sensitive filesystems and tend to play fast-and-loose with case
2253 in filenames. Note that dnsmasq's tftp server always converts
2254 "\" to "/" in filenames.
2255 --tftp-max=<connections>
2257 Set the maximum number of concurrent TFTP connections allowed.
2258 This defaults to 50. When serving a large number of TFTP connec‐
2259 tions, per-process file descriptor limits may be encountered.
2260 Dnsmasq needs one file descriptor for each concurrent TFTP con‐
2261 nection and one file descriptor per unique file (plus a few oth‐
2262 ers). So serving the same file simultaneously to n clients will
2263 use require about n + 10 file descriptors, serving different
2264 files simultaneously to n clients will require about (2*n) + 10
2265 descriptors. If --tftp-port-range is given, that can affect the
2266 number of concurrent connections.
2267 --tftp-mtu=<mtu size>
2269 Use size as the ceiling of the MTU supported by the intervening
2270 network when negotiating TFTP blocksize, overriding the MTU set‐
2271 ting of the local interface if it is larger.
2272 --tftp-no-blocksize
2274 Stop the TFTP server from negotiating the "blocksize" option
2275 with a client. Some buggy clients request this option but then
2276 behave badly when it is granted.
2277 --tftp-port-range=<start>,<end>
2279 A TFTP server listens on a well-known port (69) for connection
2280 initiation, but it also uses a dynamically-allocated port for
2281 each connection. Normally these are allocated by the OS, but
2282 this option specifies a range of ports for use by TFTP trans‐
2283 fers. This can be useful when TFTP has to traverse a firewall.
2284 The start of the range cannot be lower than 1025 unless dnsmasq
2285 is running as root. The number of concurrent TFTP connections is
2286 limited by the size of the port range.
2287 --tftp-single-port
2289 Run in a mode where the TFTP server uses ONLY the well-known
2290 port (69) for its end of the TFTP transfer. This allows TFTP to
2291 work when there in NAT is the path between client and server.
2292 Note that this is not strictly compliant with the RFCs specify‐
2293 ing the TFTP protocol: use at your own risk.
2294 -C, --conf-file=<file>
2296 Specify a configuration file. The presence of this option stops
2297 dnsmasq from reading the default configuration file (normally
2298 /etc/dnsmasq.conf). Multiple files may be specified by repeating
2299 the option either on the command line or in configuration files.
2300 A filename of "-" causes dnsmasq to read configuration from
2301 stdin.
2302 -7, --conf-dir=<directory>[,<file-extension>......],
2304 Read all the files in the given directory as configuration
2305 files. If extension(s) are given, any files which end in those
2306 extensions are skipped. Any files whose names end in ~ or start
2307 with . or start and end with # are always skipped. If the exten‐
2308 sion starts with * then only files which have that extension are
2309 loaded. So --conf-dir=/path/to/dir,*.conf loads all files with
2310 the suffix .conf in /path/to/dir. This flag may be given on the
2311 command line or in a configuration file. If giving it on the
2312 command line, be sure to escape * characters. Files are loaded
2313 in alphabetical order of filename.
2314 --servers-file=<file>
2316 A special case of --conf-file which differs in two respects.
2317 Firstly, only --server and --rev-server are allowed in the con‐
2318 figuration file included. Secondly, the file is re-read and the
2319 configuration therein is updated when dnsmasq receives SIGHUP.
2320 --conf-script=<file>[ <arg]
2322 Execute <file>, and treat what it emits to stdout as the con‐
2323 tents of a configuration file. If the script exits with a non-
2324 zero exit code, dnsmasq treats this as a fatal error. The
2325 script can be passed arguments, space seperated from the file‐
2326 name and each other so, for instance --conf-dir="/etc/dnsmasq-
2327 uncompress-ads /share/ads-domains.gz"
2328 with /etc/dnsmasq-uncompress-ads containing
2330 set -e
2332 zcat ${1} | sed -e "s:^:address=/:" -e "s:$:/:"
2334 exit 0
2336 and /share/ads-domains.gz containing a compressed list of ad
2338 server domains will save disk space with large ad-server block‐
2339 lists.
2340 --no-ident
2342 Do not respond to class CHAOS and type TXT in domain bind
2343 queries.
2344 Without this option being set, the cache statistics are also
2346 available in the DNS as answers to queries of class CHAOS and
2347 type TXT in domain bind. The domain names are cachesize.bind,
2348 insertions.bind, evictions.bind, misses.bind, hits.bind,
2349 auth.bind and servers.bind unless disabled at compile-time. An
2350 example command to query this, using the dig utility would be
2351 dig +short chaos txt cachesize.bind
2353
2356 At startup, dnsmasq reads /etc/dnsmasq.conf, if it exists. (On FreeBSD,
2357 the file is /usr/local/etc/dnsmasq.conf ) (but see the --conf-file and
2358 --conf-dir options.) The format of this file consists of one option per
2359 line, exactly as the long options detailed in the OPTIONS section but
2360 without the leading "--". Lines starting with # are comments and ig‐
2361 nored. For options which may only be specified once, the configuration
2362 file overrides the command line. Quoting is allowed in a config file:
2363 between " quotes the special meanings of ,:. and # are removed and the
2364 following escapes are allowed: \\ \" \t \e \b \r and \n. The later cor‐
2365 responding to tab, escape, backspace, return and newline.
2366
2368 When it receives a SIGHUP, dnsmasq clears its cache and then re-loads
2369 /etc/hosts and /etc/ethers and any file given by --dhcp-hostsfile,
2370 --dhcp-hostsdir, --dhcp-optsfile, --dhcp-optsdir, --addn-hosts or
2371 --hostsdir. The DHCP lease change script is called for all existing
2372 DHCP leases. If --no-poll is set SIGHUP also re-reads /etc/resolv.conf.
2373 SIGHUP does NOT re-read the configuration file.
2374 When it receives a SIGUSR1, dnsmasq writes statistics to the system
2376 log. It writes the cache size, the number of names which have had to
2377 removed from the cache before they expired in order to make room for
2378 new names and the total number of names that have been inserted into
2379 the cache. The number of cache hits and misses and the number of au‐
2380 thoritative queries answered are also given. For each upstream server
2381 it gives the number of queries sent, and the number which resulted in
2382 an error. In --no-daemon mode or when full logging is enabled (--log-
2383 queries), a complete dump of the contents of the cache is made.
2384 When it receives SIGUSR2 and it is logging direct to a file (see --log-
2386 facility ) dnsmasq will close and reopen the log file. Note that during
2387 this operation, dnsmasq will not be running as root. When it first cre‐
2388 ates the logfile dnsmasq changes the ownership of the file to the non-
2389 root user it will run as. Logrotate should be configured to create a
2390 new log file with the ownership which matches the existing one before
2391 sending SIGUSR2. If TCP DNS queries are in progress, the old logfile
2392 will remain open in child processes which are handling TCP queries and
2393 may continue to be written. There is a limit of 150 seconds, after
2394 which all existing TCP processes will have expired: for this reason, it
2395 is not wise to configure logfile compression for logfiles which have
2396 just been rotated. Using logrotate, the required options are create and
2397 delaycompress.
2398 Dnsmasq is a DNS query forwarder: it is not capable of recursively an‐
2402 swering arbitrary queries starting from the root servers but forwards
2403 such queries to a fully recursive upstream DNS server which is typi‐
2404 cally provided by an ISP. By default, dnsmasq reads /etc/resolv.conf to
2405 discover the IP addresses of the upstream nameservers it should use,
2406 since the information is typically stored there. Unless --no-poll is
2407 used, dnsmasq checks the modification time of /etc/resolv.conf (or
2408 equivalent if --resolv-file is used) and re-reads it if it changes.
2409 This allows the DNS servers to be set dynamically by PPP or DHCP since
2410 both protocols provide the information. Absence of /etc/resolv.conf is
2411 not an error since it may not have been created before a PPP connection
2412 exists. Dnsmasq simply keeps checking in case /etc/resolv.conf is cre‐
2413 ated at any time. Dnsmasq can be told to parse more than one re‐
2414 solv.conf file. This is useful on a laptop, where both PPP and DHCP may
2415 be used: dnsmasq can be set to poll both /etc/ppp/resolv.conf and
2416 /etc/dhcpc/resolv.conf and will use the contents of whichever changed
2417 last, giving automatic switching between DNS servers.
2418 Upstream servers may also be specified on the command line or in the
2420 configuration file. These server specifications optionally take a do‐
2421 main name which tells dnsmasq to use that server only to find names in
2422 that particular domain.
2423 In order to configure dnsmasq to act as cache for the host on which it
2425 is running, put "nameserver 127.0.0.1" in /etc/resolv.conf to force lo‐
2426 cal processes to send queries to dnsmasq. Then either specify the up‐
2427 stream servers directly to dnsmasq using --server options or put their
2428 addresses real in another file, say /etc/resolv.dnsmasq and run dnsmasq
2429 with the --resolv-file /etc/resolv.dnsmasq option. This second tech‐
2430 nique allows for dynamic update of the server addresses by PPP or DHCP.
2431 Addresses in /etc/hosts will "shadow" different addresses for the same
2433 names in the upstream DNS, so "mycompany.com 1.2.3.4" in /etc/hosts
2434 will ensure that queries for "mycompany.com" always return 1.2.3.4 even
2435 if queries in the upstream DNS would otherwise return a different ad‐
2436 dress. There is one exception to this: if the upstream DNS contains a
2437 CNAME which points to a shadowed name, then looking up the CNAME
2438 through dnsmasq will result in the unshadowed address associated with
2439 the target of the CNAME. To work around this, add the CNAME to
2440 /etc/hosts so that the CNAME is shadowed too.
2441 The tag system works as follows: For each DHCP request, dnsmasq col‐
2444 lects a set of valid tags from active configuration lines which include
2445 set:<tag>, including one from the --dhcp-range used to allocate the ad‐
2446 dress, one from any matching --dhcp-host (and "known" or "known-other‐
2447 net" if a --dhcp-host matches) The tag "bootp" is set for BOOTP re‐
2448 quests, and a tag whose name is the name of the interface on which the
2449 request arrived is also set.
2450 Any configuration lines which include one or more tag:<tag> constructs
2452 will only be valid if all that tags are matched in the set derived
2453 above. Typically this is --dhcp-option. --dhcp-option which has tags
2454 will be used in preference to an untagged --dhcp-option, provided that
2455 _all_ the tags match somewhere in the set collected as described above.
2456 The prefix '!' on a tag means 'not' so --dhcp-option=tag:!pur‐
2457 ple,3,1.2.3.4 sends the option when the tag purple is not in the set of
2458 valid tags. (If using this in a command line rather than a configura‐
2459 tion file, be sure to escape !, which is a shell metacharacter)
2460 When selecting --dhcp-options, a tag from --dhcp-range is second class
2462 relative to other tags, to make it easy to override options for indi‐
2463 vidual hosts, so --dhcp-range=set:interface1,...... --dhcp-
2464 host=set:myhost,..... --dhcp-option=tag:interface1,option:nis-do‐
2465 main,"domain1" --dhcp-option=tag:myhost,option:nis-domain,"domain2"
2466 will set the NIS-domain to domain1 for hosts in the range, but override
2467 that to domain2 for a particular host.
2468 Note that for --dhcp-range both tag:<tag> and set:<tag> are allowed, to
2471 both select the range in use based on (eg) --dhcp-host, and to affect
2472 the options sent, based on the range selected.
2473 This system evolved from an earlier, more limited one and for backward
2475 compatibility "net:" may be used instead of "tag:" and "set:" may be
2476 omitted. (Except in --dhcp-host, where "net:" may be used instead of
2477 "set:".) For the same reason, '#' may be used instead of '!' to indi‐
2478 cate NOT.
2479 The DHCP server in dnsmasq will function as a BOOTP server also, pro‐
2481 vided that the MAC address and IP address for clients are given, either
2482 using --dhcp-host configurations or in /etc/ethers , and a --dhcp-range
2483 configuration option is present to activate the DHCP server on a par‐
2484 ticular network. (Setting --bootp-dynamic removes the need for static
2485 address mappings.) The filename parameter in a BOOTP request is used as
2486 a tag, as is the tag "bootp", allowing some control over the options
2487 returned to different classes of hosts.
2488
2491 Configuring dnsmasq to act as an authoritative DNS server is compli‐
2492 cated by the fact that it involves configuration of external DNS
2493 servers to provide delegation. We will walk through three scenarios of
2494 increasing complexity. Prerequisites for all of these scenarios are a
2495 globally accessible IP address, an A or AAAA record pointing to that
2496 address, and an external DNS server capable of doing delegation of the
2497 zone in question. For the first part of this explanation, we will call
2498 the A (or AAAA) record for the globally accessible address server.exam‐
2499 ple.com, and the zone for which dnsmasq is authoritative our.zone.com.
2500 The simplest configuration consists of two lines of dnsmasq configura‐
2502 tion; something like
2503 --auth-server=server.example.com,eth0
2505 --auth-zone=our.zone.com,1.2.3.0/24
2506 and two records in the external DNS
2508 server.example.com A 192.0.43.10
2510 our.zone.com NS server.example.com
2511 eth0 is the external network interface on which dnsmasq is listening,
2513 and has (globally accessible) address 192.0.43.10.
2514 Note that the external IP address may well be dynamic (ie assigned from
2516 an ISP by DHCP or PPP) If so, the A record must be linked to this dy‐
2517 namic assignment by one of the usual dynamic-DNS systems.
2518 A more complex, but practically useful configuration has the address
2520 record for the globally accessible IP address residing in the authori‐
2521 tative zone which dnsmasq is serving, typically at the root. Now we
2522 have
2523 --auth-server=our.zone.com,eth0
2525 --auth-zone=our.zone.com,1.2.3.0/24
2526 our.zone.com A 1.2.3.4
2528 our.zone.com NS our.zone.com
2529 The A record for our.zone.com has now become a glue record, it solves
2531 the chicken-and-egg problem of finding the IP address of the nameserver
2532 for our.zone.com when the A record is within that zone. Note that this
2533 is the only role of this record: as dnsmasq is now authoritative from
2534 our.zone.com it too must provide this record. If the external address
2535 is static, this can be done with an /etc/hosts entry or --host-record.
2536 --auth-server=our.zone.com,eth0
2538 --host-record=our.zone.com,1.2.3.4
2539 --auth-zone=our.zone.com,1.2.3.0/24
2540 If the external address is dynamic, the address associated with
2542 our.zone.com must be derived from the address of the relevant inter‐
2543 face. This is done using --interface-name Something like:
2544 --auth-server=our.zone.com,eth0
2546 --interface-name=our.zone.com,eth0
2547 --auth-zone=our.zone.com,1.2.3.0/24,eth0
2548 (The "eth0" argument in --auth-zone adds the subnet containing eth0's
2550 dynamic address to the zone, so that the --interface-name returns the
2551 address in outside queries.)
2552 Our final configuration builds on that above, but also adds a secondary
2554 DNS server. This is another DNS server which learns the DNS data for
2555 the zone by doing zones transfer, and acts as a backup should the pri‐
2556 mary server become inaccessible. The configuration of the secondary is
2557 beyond the scope of this man-page, but the extra configuration of dns‐
2558 masq is simple:
2559 --auth-sec-servers=secondary.myisp.com
2561 and
2563 our.zone.com NS secondary.myisp.com
2565 Adding auth-sec-servers enables zone transfer in dnsmasq, to allow the
2567 secondary to collect the DNS data. If you wish to restrict this data to
2568 particular hosts then
2569 --auth-peer=<IP address of secondary>
2571 will do so.
2573 Dnsmasq acts as an authoritative server for in-addr.arpa and ip6.arpa
2575 domains associated with the subnets given in --auth-zone declarations,
2576 so reverse (address to name) lookups can be simply configured with a
2577 suitable NS record, for instance in this example, where we allow
2578 1.2.3.0/24 addresses.
2579 3.2.1.in-addr.arpa NS our.zone.com
2581 Note that at present, reverse (in-addr.arpa and ip6.arpa) zones are not
2583 available in zone transfers, so there is no point arranging secondary
2584 servers for reverse lookups.
2585 When dnsmasq is configured to act as an authoritative server, the fol‐
2588 lowing data is used to populate the authoritative zone.
2589 --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record, --caa-
2591 record, as long as the record names are in the authoritative domain.
2592 --synth-domain as long as the domain is in the authoritative zone and,
2594 for reverse (PTR) queries, the address is in the relevant subnet.
2595 --cname as long as the record name is in the authoritative domain. If
2597 the target of the CNAME is unqualified, then it is qualified with the
2598 authoritative zone name. CNAME used in this way (only) may be wild‐
2599 cards, as in
2600 --cname=*.example.com,default.example.com
2602 IPv4 and IPv6 addresses from /etc/hosts (and --addn-hosts ) and --host-
2605 record and --interface-name and ---dynamic-host provided the address
2606 falls into one of the subnets specified in the --auth-zone.
2607 Addresses of DHCP leases, provided the address falls into one of the
2609 subnets specified in the --auth-zone. (If constructed DHCP ranges are
2610 is use, which depend on the address dynamically assigned to an inter‐
2611 face, then the form of --auth-zone which defines subnets by the dynamic
2612 address of an interface should be used to ensure this condition is
2613 met.)
2614 In the default mode, where a DHCP lease has an unqualified name, and
2616 possibly a qualified name constructed using --domain then the name in
2617 the authoritative zone is constructed from the unqualified name and the
2618 zone's domain. This may or may not equal that specified by --domain.
2619 If --dhcp-fqdn is set, then the fully qualified names associated with
2620 DHCP leases are used, and must match the zone's domain.
2621
2626 0 - Dnsmasq successfully forked into the background, or terminated nor‐
2627 mally if backgrounding is not enabled.
2628 1 - A problem with configuration was detected.
2630 2 - A problem with network access occurred (address in use, attempt to
2632 use privileged ports without permission).
2633 3 - A problem occurred with a filesystem operation (missing file/direc‐
2635 tory, permissions).
2636 4 - Memory allocation failure.
2638 5 - Other miscellaneous problem.
2640 11 or greater - a non zero return code was received from the lease-
2642 script process "init" call or a --conf-script file. The exit code from
2643 dnsmasq is the script's exit code with 10 added.
2644
2647 The default values for resource limits in dnsmasq are generally conser‐
2648 vative, and appropriate for embedded router type devices with slow pro‐
2649 cessors and limited memory. On more capable hardware, it is possible to
2650 increase the limits, and handle many more clients. The following ap‐
2651 plies to dnsmasq-2.37: earlier versions did not scale as well.
2652 Dnsmasq is capable of handling DNS and DHCP for at least a thousand
2655 clients. The DHCP lease times should not be very short (less than one
2656 hour). The value of --dns-forward-max can be increased: start with it
2657 equal to the number of clients and increase if DNS seems slow. Note
2658 that DNS performance depends too on the performance of the upstream
2659 nameservers. The size of the DNS cache may be increased: the hard limit
2660 is 10000 names and the default (150) is very low. Sending SIGUSR1 to
2661 dnsmasq makes it log information which is useful for tuning the cache
2662 size. See the NOTES section for details.
2663 The built-in TFTP server is capable of many simultaneous file trans‐
2666 fers: the absolute limit is related to the number of file-handles al‐
2667 lowed to a process and the ability of the select() system call to cope
2668 with large numbers of file handles. If the limit is set too high using
2669 --tftp-max it will be scaled down and the actual limit logged at start-
2670 up. Note that more transfers are possible when the same file is being
2671 sent than when each transfer sends a different file.
2672 It is possible to use dnsmasq to block Web advertising by using a list
2675 of known banner-ad servers, all resolving to 127.0.0.1 or 0.0.0.0, in
2676 /etc/hosts or an additional hosts file. The list can be very long, dns‐
2677 masq has been tested successfully with one million names. That size
2678 file needs a 1GHz processor and about 60Mb of RAM.
2679
2682 Dnsmasq can be compiled to support internationalisation. To do this,
2683 the make targets "all-i18n" and "install-i18n" should be used instead
2684 of the standard targets "all" and "install". When internationalisation
2685 is compiled in, dnsmasq will produce log messages in the local language
2686 and support internationalised domain names (IDN). Domain names in
2687 /etc/hosts, /etc/ethers and /etc/dnsmasq.conf which contain non-ASCII
2688 characters will be translated to the DNS-internal punycode representa‐
2689 tion. Note that dnsmasq determines both the language for messages and
2690 the assumed charset for configuration files from the LANG environment
2691 variable. This should be set to the system default value by the script
2692 which is responsible for starting dnsmasq. When editing the configura‐
2693 tion files, be careful to do so using only the system-default locale
2694 and not user-specific one, since dnsmasq has no direct way of determin‐
2695 ing the charset in use, and must assume that it is the system default.
2696
2699 /etc/dnsmasq.conf
2700 /usr/local/etc/dnsmasq.conf
2702 /etc/resolv.conf /var/run/dnsmasq/resolv.conf /etc/ppp/resolv.conf
2704 /etc/dhcpc/resolv.conf
2705 /etc/hosts
2707 /etc/ethers
2709 /var/lib/dnsmasq/dnsmasq.leases
2711 /var/db/dnsmasq.leases
2713 /var/run/dnsmasq.pid
2715
2717 hosts(5), resolver(5)
2718
2720 This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.
2721 2021-08-16 DNSMASQ(8)