1DNSMASQ(8) System Manager's Manual DNSMASQ(8)
2
3
4
6 dnsmasq - A lightweight DHCP and caching DNS server.
7
9 dnsmasq [OPTION]...
10
12 dnsmasq is a lightweight DNS, TFTP, PXE, router advertisement and DHCP
13 server. It is intended to provide coupled DNS and DHCP service to a
14 LAN.
15
16 Dnsmasq accepts DNS queries and either answers them from a small, lo‐
17 cal, cache or forwards them to a real, recursive, DNS server. It loads
18 the contents of /etc/hosts so that local hostnames which do not appear
19 in the global DNS can be resolved and also answers DNS queries for DHCP
20 configured hosts. It can also act as the authoritative DNS server for
21 one or more domains, allowing local names to appear in the global DNS.
22 It can be configured to do DNSSEC validation.
23
24 The dnsmasq DHCP server supports static address assignments and multi‐
25 ple networks. It automatically sends a sensible default set of DHCP op‐
26 tions, and can be configured to send any desired set of DHCP options,
27 including vendor-encapsulated options. It includes a secure, read-only,
28 TFTP server to allow net/PXE boot of DHCP hosts and also supports
29 BOOTP. The PXE support is full featured, and includes a proxy mode
30 which supplies PXE information to clients whilst DHCP address alloca‐
31 tion is done by another server.
32
33 The dnsmasq DHCPv6 server provides the same set of features as the
34 DHCPv4 server, and in addition, it includes router advertisements and a
35 neat feature which allows naming for clients which use DHCPv4 and
36 stateless autoconfiguration only for IPv6 configuration. There is sup‐
37 port for doing address allocation (both DHCPv6 and RA) from subnets
38 which are dynamically delegated via DHCPv6 prefix delegation.
39
40 Dnsmasq is coded with small embedded systems in mind. It aims for the
41 smallest possible memory footprint compatible with the supported func‐
42 tions, and allows unneeded functions to be omitted from the compiled
43 binary.
44
46 Note that in general missing parameters are allowed and switch off
47 functions, for instance "--pid-file" disables writing a PID file. On
48 BSD, unless the GNU getopt library is linked, the long form of the op‐
49 tions does not work on the command line; it is still recognised in the
50 configuration file.
51
52 --test Read and syntax check configuration file(s). Exit with code 0 if
53 all is OK, or a non-zero code otherwise. Do not start up dns‐
54 masq.
55
56 -w, --help
57 Display all command-line options. --help dhcp will display
58 known DHCPv4 configuration options, and --help dhcp6 will dis‐
59 play DHCPv6 options.
60
61 -h, --no-hosts
62 Don't read the hostnames in /etc/hosts.
63
64 -H, --addn-hosts=<file>
65 Additional hosts file. Read the specified file as well as
66 /etc/hosts. If --no-hosts is given, read only the specified
67 file. This option may be repeated for more than one additional
68 hosts file. If a directory is given, then read all the files
69 contained in that directory in alphabetical order.
70
71 --hostsdir=<path>
72 Read all the hosts files contained in the directory. New or
73 changed files are read automatically and modified and deleted
74 files have removed records automatically deleted.
75
76 -E, --expand-hosts
77 Add the domain to simple names (without a period) in /etc/hosts
78 in the same way as for DHCP-derived names. Note that this does
79 not apply to domain names in cnames, PTR records, TXT records
80 etc.
81
82 -T, --local-ttl=<time>
83 When replying with information from /etc/hosts or configuration
84 or the DHCP leases file dnsmasq by default sets the time-to-live
85 field to zero, meaning that the requester should not itself
86 cache the information. This is the correct thing to do in almost
87 all situations. This option allows a time-to-live (in seconds)
88 to be given for these replies. This will reduce the load on the
89 server at the expense of clients using stale data under some
90 circumstances.
91
92 --dhcp-ttl=<time>
93 As for --local-ttl, but affects only replies with information
94 from DHCP leases. If both are given, --dhcp-ttl applies for DHCP
95 information, and --local-ttl for others. Setting this to zero
96 eliminates the effect of --local-ttl for DHCP.
97
98 --neg-ttl=<time>
99 Negative replies from upstream servers normally contain time-to-
100 live information in SOA records which dnsmasq uses for caching.
101 If the replies from upstream servers omit this information, dns‐
102 masq does not cache the reply. This option gives a default value
103 for time-to-live (in seconds) which dnsmasq uses to cache nega‐
104 tive replies even in the absence of an SOA record.
105
106 --max-ttl=<time>
107 Set a maximum TTL value that will be handed out to clients. The
108 specified maximum TTL will be given to clients instead of the
109 true TTL value if it is lower. The true TTL value is however
110 kept in the cache to avoid flooding the upstream DNS servers.
111
112 --max-cache-ttl=<time>
113 Set a maximum TTL value for entries in the cache.
114
115 --min-cache-ttl=<time>
116 Extend short TTL values to the time given when caching them.
117 Note that artificially extending TTL values is in general a bad
118 idea, do not do it unless you have a good reason, and understand
119 what you are doing. Dnsmasq limits the value of this option to
120 one hour, unless recompiled.
121
122 --auth-ttl=<time>
123 Set the TTL value returned in answers from the authoritative
124 server.
125
126 --fast-dns-retry=[<initial retry delay in ms>[,<time to continue re‐
127 tries in ms>]]
128 Under normal circumstances, dnsmasq relies on DNS clients to do
129 retries; it does not generate timeouts itself. Setting this op‐
130 tion instructs dnsmasq to generate its own retries starting af‐
131 ter a delay which defaults to 1000ms. If the second parameter is
132 given this controls how long the retries will continue for oth‐
133 erwise this defaults to 10000ms. Retries are repeated with expo‐
134 nential backoff. Using this option increases memory usage and
135 network bandwidth.
136
137 -k, --keep-in-foreground
138 Do not go into the background at startup but otherwise run as
139 normal. This is intended for use when dnsmasq is run under dae‐
140 montools or launchd.
141
142 -d, --no-daemon
143 Debug mode: don't fork to the background, don't write a pid
144 file, don't change user id, generate a complete cache dump on
145 receipt on SIGUSR1, log to stderr as well as syslog, don't fork
146 new processes to handle TCP queries. Note that this option is
147 for use in debugging only, to stop dnsmasq daemonising in pro‐
148 duction, use --keep-in-foreground.
149
150 -q, --log-queries
151 Log the results of DNS queries handled by dnsmasq. Enable a full
152 cache dump on receipt of SIGUSR1. If the argument "extra" is
153 supplied, ie --log-queries=extra then the log has extra informa‐
154 tion at the start of each line. This consists of a serial num‐
155 ber which ties together the log lines associated with an indi‐
156 vidual query, and the IP address of the requestor.
157
158 -8, --log-facility=<facility>
159 Set the facility to which dnsmasq will send syslog entries, this
160 defaults to DAEMON, and to LOCAL0 when debug mode is in opera‐
161 tion. If the facility given contains at least one '/' character,
162 it is taken to be a filename, and dnsmasq logs to the given
163 file, instead of syslog. If the facility is '-' then dnsmasq
164 logs to stderr. (Errors whilst reading configuration will still
165 go to syslog, but all output from a successful startup, and all
166 output whilst running, will go exclusively to the file.) When
167 logging to a file, dnsmasq will close and reopen the file when
168 it receives SIGUSR2. This allows the log file to be rotated
169 without stopping dnsmasq.
170
171 --log-debug
172 Enable extra logging intended for debugging rather than informa‐
173 tion.
174
175 --log-async[=<lines>]
176 Enable asynchronous logging and optionally set the limit on the
177 number of lines which will be queued by dnsmasq when writing to
178 the syslog is slow. Dnsmasq can log asynchronously: this allows
179 it to continue functioning without being blocked by syslog, and
180 allows syslog to use dnsmasq for DNS queries without risking
181 deadlock. If the queue of log-lines becomes full, dnsmasq will
182 log the overflow, and the number of messages lost. The default
183 queue length is 5, a sane value would be 5-25, and a maximum
184 limit of 100 is imposed.
185
186 -x, --pid-file=<path>
187 Specify an alternate path for dnsmasq to record its process-id
188 in. Normally /var/run/dnsmasq.pid.
189
190 -u, --user=<username>
191 Specify the userid to which dnsmasq will change after startup.
192 Dnsmasq must normally be started as root, but it will drop root
193 privileges after startup by changing id to another user. Nor‐
194 mally this user is "nobody" but that can be over-ridden with
195 this switch.
196
197 -g, --group=<groupname>
198 Specify the group which dnsmasq will run as. The default is
199 "dip", if available, to facilitate access to /etc/ppp/re‐
200 solv.conf which is not normally world readable.
201
202 -v, --version
203 Print the version number.
204
205 -p, --port=<port>
206 Listen on <port> instead of the standard DNS port (53). Setting
207 this to zero completely disables DNS function, leaving only DHCP
208 and/or TFTP.
209
210 -P, --edns-packet-max=<size>
211 Specify the largest EDNS.0 UDP packet which is supported by the
212 DNS forwarder. Defaults to 4096, which is the RFC5625-recom‐
213 mended size.
214
215 -Q, --query-port=<query_port>
216 Send outbound DNS queries from, and listen for their replies on,
217 the specific UDP port <query_port> instead of using random
218 ports. NOTE that using this option will make dnsmasq less secure
219 against DNS spoofing attacks but it may be faster and use less
220 resources. Setting this option to zero makes dnsmasq use a sin‐
221 gle port allocated to it by the OS: this was the default behav‐
222 iour in versions prior to 2.43.
223
224 --port-limit=<#ports>
225 By default, when sending a query via random ports to multiple
226 upstream servers or retrying a query dnsmasq will use a single
227 random port for all the tries/retries. This option allows a
228 larger number of ports to be used, which can increase robustness
229 in certain network configurations. Note that increasing this to
230 more than two or three can have security and resource implica‐
231 tions and should only be done with understanding of those.
232
233 --min-port=<port>
234 Do not use ports less than that given as source for outbound DNS
235 queries. Dnsmasq picks random ports as source for outbound
236 queries: when this option is given, the ports used will always
237 be larger than that specified. Useful for systems behind fire‐
238 walls. If not specified, defaults to 1024.
239
240 --max-port=<port>
241 Use ports lower than that given as source for outbound DNS
242 queries. Dnsmasq picks random ports as source for outbound
243 queries: when this option is given, the ports used will always
244 be lower than that specified. Useful for systems behind fire‐
245 walls.
246
247 -i, --interface=<interface name>
248 Listen only on the specified interface(s). Dnsmasq automatically
249 adds the loopback (local) interface to the list of interfaces to
250 use when the --interface option is used. If no --interface or
251 --listen-address options are given dnsmasq listens on all avail‐
252 able interfaces except any given in --except-interface options.
253 On Linux, when --bind-interfaces or --bind-dynamic are in ef‐
254 fect, IP alias interface labels (eg "eth1:0") are checked,
255 rather than interface names. In the degenerate case when an in‐
256 terface has one address, this amounts to the same thing but when
257 an interface has multiple addresses it allows control over which
258 of those addresses are accepted. The same effect is achievable
259 in default mode by using --listen-address. A simple wildcard,
260 consisting of a trailing '*', can be used in --interface and
261 --except-interface options.
262
263 -I, --except-interface=<interface name>
264 Do not listen on the specified interface. Note that the order of
265 --listen-address --interface and --except-interface options does
266 not matter and that --except-interface options always override
267 the others. The comments about interface labels for --listen-ad‐
268 dress apply here.
269
270 --auth-server=<domain>,[<interface>|<ip-address>...]
271 Enable DNS authoritative mode for queries arriving at an inter‐
272 face or address. Note that the interface or address need not be
273 mentioned in --interface or --listen-address configuration, in‐
274 deed --auth-server will override these and provide a different
275 DNS service on the specified interface. The <domain> is the
276 "glue record". It should resolve in the global DNS to an A
277 and/or AAAA record which points to the address dnsmasq is lis‐
278 tening on. When an interface is specified, it may be qualified
279 with "/4" or "/6" to specify only the IPv4 or IPv6 addresses as‐
280 sociated with the interface. Since any defined authoritative
281 zones are also available as part of the normal recusive DNS ser‐
282 vice supplied by dnsmasq, it can make sense to have an --auth-
283 server declaration with no interfaces or address, but simply
284 specifying the primary external nameserver.
285
286 --local-service
287 Accept DNS queries only from hosts whose address is on a local
288 subnet, ie a subnet for which an interface exists on the server.
289 This option only has effect if there are no --interface, --ex‐
290 cept-interface, --listen-address or --auth-server options. It is
291 intended to be set as a default on installation, to allow uncon‐
292 figured installations to be useful but also safe from being used
293 for DNS amplification attacks.
294
295 -2, --no-dhcp-interface=<interface name>
296 Do not provide DHCP or TFTP on the specified interface, but do
297 provide DNS service.
298
299 -a, --listen-address=<ipaddr>
300 Listen on the given IP address(es). Both --interface and --lis‐
301 ten-address options may be given, in which case the set of both
302 interfaces and addresses is used. Note that if no --interface
303 option is given, but --listen-address is, dnsmasq will not auto‐
304 matically listen on the loopback interface. To achieve this, its
305 IP address, 127.0.0.1, must be explicitly given as a --listen-
306 address option.
307
308 -z, --bind-interfaces
309 On systems which support it, dnsmasq binds the wildcard address,
310 even when it is listening on only some interfaces. It then dis‐
311 cards requests that it shouldn't reply to. This has the advan‐
312 tage of working even when interfaces come and go and change ad‐
313 dress. This option forces dnsmasq to really bind only the inter‐
314 faces it is listening on. About the only time when this is use‐
315 ful is when running another nameserver (or another instance of
316 dnsmasq) on the same machine. Setting this option also enables
317 multiple instances of dnsmasq which provide DHCP service to run
318 in the same machine.
319
320 --bind-dynamic
321 Enable a network mode which is a hybrid between --bind-inter‐
322 faces and the default. Dnsmasq binds the address of individual
323 interfaces, allowing multiple dnsmasq instances, but if new in‐
324 terfaces or addresses appear, it automatically listens on those
325 (subject to any access-control configuration). This makes dynam‐
326 ically created interfaces work in the same way as the default.
327 Implementing this option requires non-standard networking APIs
328 and it is only available under Linux. On other platforms it
329 falls-back to --bind-interfaces mode.
330
331 -y, --localise-queries
332 Return answers to DNS queries from /etc/hosts and --interface-
333 name and --dynamic-host which depend on the interface over which
334 the query was received. If a name has more than one address as‐
335 sociated with it, and at least one of those addresses is on the
336 same subnet as the interface to which the query was sent, then
337 return only the address(es) on that subnet and return all the
338 available addresses otherwise. This allows for a server to
339 have multiple addresses in /etc/hosts corresponding to each of
340 its interfaces, and hosts will get the correct address based on
341 which network they are attached to. Currently this facility is
342 limited to IPv4.
343
344 -b, --bogus-priv
345 Bogus private reverse lookups. All reverse lookups for private
346 IP ranges (ie 192.168.x.x, etc) which are not found in
347 /etc/hosts or the DHCP leases file are answered with "no such
348 domain" rather than being forwarded upstream. The set of pre‐
349 fixes affected is the list given in RFC6303, for IPv4 and IPv6.
350
351 -V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
352 Modify IPv4 addresses returned from upstream nameservers; old-ip
353 is replaced by new-ip. If the optional mask is given then any
354 address which matches the masked old-ip will be re-written. So,
355 for instance --alias=1.2.3.0,6.7.8.0,255.255.255.0 will map
356 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what
357 Cisco PIX routers call "DNS doctoring". If the old IP is given
358 as range, then only addresses in the range, rather than a whole
359 subnet, are re-written. So
360 --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 maps
361 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
362
363 -B, --bogus-nxdomain=<ipaddr>[/prefix]
364 Transform replies which contain the specified address or subnet
365 into "No such domain" replies. IPv4 and IPv6 are supported. This
366 is intended to counteract a devious move made by Verisign in
367 September 2003 when they started returning the address of an ad‐
368 vertising web page in response to queries for unregistered
369 names, instead of the correct NXDOMAIN response. This option
370 tells dnsmasq to fake the correct response when it sees this be‐
371 haviour. As at Sept 2003 the IP address being returned by
372 Verisign is 64.94.110.11
373
374 --ignore-address=<ipaddr>[/prefix]
375 Ignore replies to A or AAAA queries which include the specified
376 address or subnet. No error is generated, dnsmasq simply con‐
377 tinues to listen for another reply. This is useful to defeat
378 blocking strategies which rely on quickly supplying a forged an‐
379 swer to a DNS request for certain domain, before the correct an‐
380 swer can arrive.
381
382 -f, --filterwin2k
383 Later versions of windows make periodic DNS requests which don't
384 get sensible answers from the public DNS and can cause problems
385 by triggering dial-on-demand links. This flag turns on an option
386 to filter such requests. The requests blocked are for records of
387 type ANY where the requested name has underscores, to catch LDAP
388 requests, and for all records of types SOA and SRV.
389
390 --filter-A
391 Remove A records from answers. No IPv4 addresses will be re‐
392 turned.
393
394 --filter-AAAA
395 Remove AAAA records from answers. No IPv6 addresses will be re‐
396 turned.
397
398 -r, --resolv-file=<file>
399 Read the IP addresses of the upstream nameservers from <file>,
400 instead of /etc/resolv.conf. For the format of this file see re‐
401 solv.conf(5). The only lines relevant to dnsmasq are nameserver
402 ones. Dnsmasq can be told to poll more than one resolv.conf
403 file, the first file name specified overrides the default, sub‐
404 sequent ones add to the list. This is only allowed when polling;
405 the file with the currently latest modification time is the one
406 used.
407
408 -R, --no-resolv
409 Don't read /etc/resolv.conf. Get upstream servers only from the
410 command line or the dnsmasq configuration file.
411
412 -1, --enable-dbus[=<service-name>]
413 Allow dnsmasq configuration to be updated via DBus method calls.
414 The configuration which can be changed is upstream DNS servers
415 (and corresponding domains) and cache clear. Requires that dns‐
416 masq has been built with DBus support. If the service name is
417 given, dnsmasq provides service at that name, rather than the
418 default which is uk.org.thekelleys.dnsmasq
419
420 --enable-ubus[=<service-name>]
421 Enable dnsmasq UBus interface. It sends notifications via UBus
422 on DHCPACK and DHCPRELEASE events. Furthermore it offers metrics
423 and allows configuration of Linux connection track mark based
424 filtering. When DNS query filtering based on Linux connection
425 track marks is enabled UBus notifications are generated for each
426 resolved or filtered DNS query. Requires that dnsmasq has been
427 built with UBus support. If the service name is given, dnsmasq
428 provides service at that namespace, rather than the default
429 which is dnsmasq
430
431 -o, --strict-order
432 By default, dnsmasq will send queries to any of the upstream
433 servers it knows about and tries to favour servers that are
434 known to be up. Setting this flag forces dnsmasq to try each
435 query with each server strictly in the order they appear in
436 /etc/resolv.conf
437
438 --all-servers
439 By default, when dnsmasq has more than one upstream server
440 available, it will send queries to just one server. Setting this
441 flag forces dnsmasq to send all queries to all available
442 servers. The reply from the server which answers first will be
443 returned to the original requester.
444
445 --dns-loop-detect
446 Enable code to detect DNS forwarding loops; ie the situation
447 where a query sent to one of the upstream server eventually re‐
448 turns as a new query to the dnsmasq instance. The process works
449 by generating TXT queries of the form <hex>.test and sending
450 them to each upstream server. The hex is a UID which encodes the
451 instance of dnsmasq sending the query and the upstream server to
452 which it was sent. If the query returns to the server which sent
453 it, then the upstream server through which it was sent is dis‐
454 abled and this event is logged. Each time the set of upstream
455 servers changes, the test is re-run on all of them, including
456 ones which were previously disabled.
457
458 --stop-dns-rebind
459 Reject (and log) addresses from upstream nameservers which are
460 in the private ranges. This blocks an attack where a browser be‐
461 hind a firewall is used to probe machines on the local network.
462 For IPv6, the private range covers the IPv4-mapped addresses in
463 private space plus all link-local (LL) and site-local (ULA) ad‐
464 dresses.
465
466 --rebind-localhost-ok
467 Exempt 127.0.0.0/8 and ::1 from rebinding checks. This address
468 range is returned by realtime black hole servers, so blocking it
469 may disable these services.
470
471 --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
472 Do not detect and block dns-rebind on queries to these domains.
473 The argument may be either a single domain, or multiple domains
474 surrounded by '/', like the --server syntax, eg. --rebind-do‐
475 main-ok=/domain1/domain2/domain3/
476
477 -n, --no-poll
478 Don't poll /etc/resolv.conf for changes.
479
480 --clear-on-reload
481 Whenever /etc/resolv.conf is re-read or the upstream servers are
482 set via DBus, clear the DNS cache. This is useful when new
483 nameservers may have different data than that held in cache.
484
485 -D, --domain-needed
486 Tells dnsmasq to never forward A or AAAA queries for plain
487 names, without dots or domain parts, to upstream nameservers. If
488 the name is not known from /etc/hosts or DHCP then a "not found"
489 answer is returned.
490
491 -S, --local, --server=[/[<domain>]/[domain/]][<server>[#<port>]][@<in‐
492 terface>][@<source-ip>[#<port>]]
493 Specify upstream servers directly. Setting this flag does not
494 suppress reading of /etc/resolv.conf, use --no-resolv to do
495 that. If one or more optional domains are given, that server is
496 used only for those domains and they are queried only using the
497 specified server. This is intended for private nameservers: if
498 you have a nameserver on your network which deals with names of
499 the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then giv‐
500 ing the flag --server=/internal.thekelleys.org.uk/192.168.1.1
501 will send all queries for internal machines to that nameserver,
502 everything else will go to the servers in /etc/resolv.conf.
503 DNSSEC validation is turned off for such private nameservers,
504 UNLESS a --trust-anchor is specified for the domain in question.
505 An empty domain specification, // has the special meaning of
506 "unqualified names only" ie names without any dots in them. A
507 non-standard port may be specified as part of the IP address us‐
508 ing a # character. More than one --server flag is allowed, with
509 repeated domain or ipaddr parts as required.
510
511 More specific domains take precedence over less specific do‐
512 mains, so: --server=/google.com/1.2.3.4
513 --server=/www.google.com/2.3.4.5 will send queries for
514 google.com and gmail.google.com to 1.2.3.4, but www.google.com
515 will go to 2.3.4.5
516
517 Matching of domains is normally done on complete labels, so
518 /google.com/ matches google.com and www.google.com but NOT su‐
519 pergoogle.com. This can be overridden with a * at the start of a
520 pattern only: /*google.com/ will match google.com and
521 www.google.com AND supergoogle.com. The non-wildcard form has
522 priority, so if /google.com/ and /*google.com/ are both speci‐
523 fied then google.com and www.google.com will match /google.com/
524 and /*google.com/ will only match supergoogle.com.
525
526 For historical reasons, the pattern /.google.com/ is equivalent
527 to /google.com/ if you wish to match any subdomain of google.com
528 but NOT google.com itself, use /*.google.com/
529
530 The special server address '#' means, "use the standard
531 servers", so --server=/google.com/1.2.3.4
532 --server=/www.google.com/# will send queries for google.com and
533 its subdomains to 1.2.3.4, except www.google.com (and its subdo‐
534 mains) which will be forwarded as usual.
535
536 Also permitted is a -S flag which gives a domain but no IP ad‐
537 dress; this tells dnsmasq that a domain is local and it may an‐
538 swer queries from /etc/hosts or DHCP but should never forward
539 queries on that domain to any upstream servers. --local is a
540 synonym for --server to make configuration files clearer in this
541 case.
542
543 IPv6 addresses may include an %interface scope-id, eg
544 fe80::202:a412:4512:7bbf%eth0.
545
546 The optional string after the @ character tells dnsmasq how to
547 set the source of the queries to this nameserver. It can either
548 be an ip-address, an interface name or both. The ip-address
549 should belong to the machine on which dnsmasq is running, other‐
550 wise this server line will be logged and then ignored. If an in‐
551 terface name is given, then queries to the server will be forced
552 via that interface; if an ip-address is given then the source
553 address of the queries will be set to that address; and if both
554 are given then a combination of ip-address and interface name
555 will be used to steer requests to the server. The query-port
556 flag is ignored for any servers which have a source address
557 specified but the port may be specified directly as part of the
558 source address. Forcing queries to an interface is not imple‐
559 mented on all platforms supported by dnsmasq.
560
561 Upstream servers may be specified with a hostname rather than an
562 IP address. In this case, dnsmasq will try to use the system
563 resolver to get the IP address of a server during startup. If
564 name resolution fails, starting dnsmasq fails, too. If the sys‐
565 tem's configuration is such that the system resolver sends DNS
566 queries through the dnsmasq instance which is starting up then
567 this will time-out and fail.
568
569 --rev-server=<ip-address>[/<prefix-len>][,<server>][#<port>][@<inter‐
570 face>][@<source-ip>[#<port>]]
571 This is functionally the same as --server, but provides some
572 syntactic sugar to make specifying address-to-name queries eas‐
573 ier. For example --rev-server=1.2.3.0/24,192.168.0.1 is exactly
574 equivalent to --server=/3.2.1.in-addr.arpa/192.168.0.1 Allowed
575 prefix lengths are 1-32 (IPv4) and 1-128 (IPv6). If the prefix
576 length is omitted, dnsmasq substitutes either 32 (IPv4) or 128
577 (IPv6).
578
579 -A, --address=/<domain>[/<domain>...]/[<ipaddr>]
580 Specify an IP address to return for any host in the given do‐
581 mains. A (or AAAA) queries in the domains are never forwarded
582 and always replied to with the specified IP address which may be
583 IPv4 or IPv6. To give multiple addresses or both IPv4 and IPv6
584 addresses for a domain, use repeated --address flags. Note that
585 /etc/hosts and DHCP leases override this for individual names. A
586 common use of this is to redirect the entire doubleclick.net do‐
587 main to some friendly local web server to avoid banner ads. The
588 domain specification works in the same way as for --server, with
589 the additional facility that /#/ matches any domain. Thus --ad‐
590 dress=/#/1.2.3.4 will always return 1.2.3.4 for any query not
591 answered from /etc/hosts or DHCP and not sent to an upstream
592 nameserver by a more specific --server directive. As for
593 --server, one or more domains with no address returns a no-such-
594 domain answer, so --address=/example.com/ is equivalent to
595 --server=/example.com/ and returns NXDOMAIN for example.com and
596 all its subdomains. An address specified as '#' translates to
597 the NULL address of 0.0.0.0 and its IPv6 equivalent of :: so
598 --address=/example.com/# will return NULL addresses for exam‐
599 ple.com and its subdomains. This is partly syntactic sugar for
600 --address=/example.com/0.0.0.0 and --address=/example.com/:: but
601 is also more efficient than including both as separate configu‐
602 ration lines. Note that NULL addresses normally work in the same
603 way as localhost, so beware that clients looking up these names
604 are likely to end up talking to themselves.
605
606 Note that the behaviour for queries which don't match the speci‐
607 fied address literal changed in version 2.86. Previous ver‐
608 sions, configured with (eg) --address=/example.com/1.2.3.4 and
609 then queried for a RR type other than A would return a NoData
610 answer. From 2.86, the query is sent upstream. To restore the
611 pre-2.86 behaviour, use the configuration --address=/exam‐
612 ple.com/1.2.3.4 --local=/example.com/
613
614 --ipset=/<domain>[/<domain>...]/<ipset>[,<ipset>...]
615 Places the resolved IP addresses of queries for one or more do‐
616 mains in the specified Netfilter IP set. If multiple setnames
617 are given, then the addresses are placed in each of them, sub‐
618 ject to the limitations of an IP set (IPv4 addresses cannot be
619 stored in an IPv6 IP set and vice versa). Domains and subdo‐
620 mains are matched in the same way as --address. These IP sets
621 must already exist. See ipset(8) for more details.
622
623 --nftset=/<domain>[/<domain>...]/[(6|4)#[<family>#]<ta‐
624 ble>#<set>[,[(6|4)#[<family>#]<table>#<set>]...]
625 Similar to the --ipset option, but accepts one or more nftables
626 sets to add IP addresses into. These sets must already exist.
627 See nft(8) for more details. The family, table and set are
628 passed directly to the nft. If the spec starts with 4# or 6#
629 then only A or AAAA records respectively are added to the set.
630 Since an nftset can hold only IPv4 or IPv6 addresses, this
631 avoids errors being logged for addresses of the wrong type.
632
633 --connmark-allowlist-enable[=<mask>]
634 Enables filtering of incoming DNS queries with associated Linux
635 connection track marks according to individual allowlists con‐
636 figured via a series of --connmark-allowlist options. Disallowed
637 queries are not forwarded; they are rejected with a REFUSED er‐
638 ror code. DNS queries are only allowed if they do not have an
639 associated Linux connection track mark, or if the queried do‐
640 mains match the configured DNS patterns for the associated Linux
641 connection track mark. If no allowlist is configured for a Linux
642 connection track mark, all DNS queries associated with that mark
643 are rejected. If a mask is specified, Linux connection track
644 marks are first bitwise ANDed with the given mask before being
645 processed.
646
647 --connmark-allowlist=<connmark>[/<mask>][,<pattern>[/<pattern>...]]
648 Configures the DNS patterns that are allowed in DNS queries as‐
649 sociated with the given Linux connection track mark. If a mask
650 is specified, Linux connection track marks are first bitwise
651 ANDed with the given mask before they are compared to the given
652 connection track mark. Patterns follow the syntax of DNS names,
653 but additionally allow the wildcard character "*" to be used up
654 to twice per label to match 0 or more characters within that la‐
655 bel. Note that the wildcard never matches a dot (e.g., "*.exam‐
656 ple.com" matches "api.example.com" but not "api.us.exam‐
657 ple.com"). Patterns must be fully qualified, i.e., consist of at
658 least two labels. The final label must not be fully numeric, and
659 must not be the "local" pseudo-TLD. A pattern must end with at
660 least two literal (non-wildcard) labels. Instead of a pattern,
661 "*" can be specified to disable allowlist filtering for a given
662 Linux connection track mark entirely.
663
664 -m, --mx-host=<mx name>[[,<hostname>],<preference>]
665 Return an MX record named <mx name> pointing to the given host‐
666 name (if given), or the host specified in the --mx-target switch
667 or, if that switch is not given, the host on which dnsmasq is
668 running. The default is useful for directing mail from systems
669 on a LAN to a central server. The preference value is optional,
670 and defaults to 1 if not given. More than one MX record may be
671 given for a host.
672
673 -t, --mx-target=<hostname>
674 Specify the default target for the MX record returned by dns‐
675 masq. See --mx-host. If --mx-target is given, but not --mx-
676 host, then dnsmasq returns a MX record containing the MX target
677 for MX queries on the hostname of the machine on which dnsmasq
678 is running.
679
680 -e, --selfmx
681 Return an MX record pointing to itself for each local machine.
682 Local machines are those in /etc/hosts or with DHCP leases.
683
684 -L, --localmx
685 Return an MX record pointing to the host given by --mx-target
686 (or the machine on which dnsmasq is running) for each local ma‐
687 chine. Local machines are those in /etc/hosts or with DHCP
688 leases.
689
690 -W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<prior‐
691 ity>[,<weight>]]]]
692 Return a SRV DNS record. See RFC2782 for details. If not sup‐
693 plied, the domain defaults to that given by --domain. The de‐
694 fault for the target domain is empty, and the default for port
695 is one and the defaults for weight and priority are zero. Be
696 careful if transposing data from BIND zone files: the port,
697 weight and priority numbers are in a different order. More than
698 one SRV record for a given service/domain is allowed, all that
699 match are returned.
700
701 --host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-ad‐
702 dress>][,<TTL>]
703 Add A, AAAA and PTR records to the DNS. This adds one or more
704 names to the DNS with associated IPv4 (A) and IPv6 (AAAA)
705 records. A name may appear in more than one --host-record and
706 therefore be assigned more than one address. Only the first ad‐
707 dress creates a PTR record linking the address to the name. This
708 is the same rule as is used reading hosts-files. --host-record
709 options are considered to be read before host-files, so a name
710 appearing there inhibits PTR-record creation if it appears in
711 hosts-file also. Unlike hosts-files, names are not expanded,
712 even when --expand-hosts is in effect. Short and long names may
713 appear in the same --host-record, eg. --host-record=laptop,lap‐
714 top.thekelleys.org,192.168.0.1,1234::100
715
716 If the time-to-live is given, it overrides the default, which is
717 zero or the value of --local-ttl. The value is a positive inte‐
718 ger and gives the time-to-live in seconds.
719
720 --dynamic-host=<name>,[IPv4-address],[IPv6-address],<interface>
721 Add A, AAAA and PTR records to the DNS in the same subnet as the
722 specified interface. The address is derived from the network
723 part of each address associated with the interface, and the host
724 part from the specified address. For example --dynamic-host=ex‐
725 ample.com,0.0.0.8,eth0 will, when eth0 has the address
726 192.168.78.x and netmask 255.255.255.0 give the name example.com
727 an A record for 192.168.78.8. The same principle applies to IPv6
728 addresses. Note that if an interface has more than one address,
729 more than one A or AAAA record will be created. The TTL of the
730 records is always zero, and any changes to interface addresses
731 will be immediately reflected in them.
732
733 -Y, --txt-record=<name>[[,<text>],<text>]
734 Return a TXT DNS record. The value of TXT record is a set of
735 strings, so any number may be included, delimited by commas;
736 use quotes to put commas into a string. Note that the maximum
737 length of a single string is 255 characters, longer strings are
738 split into 255 character chunks.
739
740 --ptr-record=<name>[,<target>]
741 Return a PTR DNS record.
742
743 --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<reg‐
744 exp>[,<replacement>]
745 Return an NAPTR DNS record, as specified in RFC3403.
746
747 --caa-record=<name>,<flags>,<tag>,<value>
748 Return a CAA DNS record, as specified in RFC6844.
749
750 --cname=<cname>,[<cname>,]<target>[,<TTL>]
751 Return a CNAME record which indicates that <cname> is really
752 <target>. There is a significant limitation on the target; it
753 must be a DNS record which is known to dnsmasq and NOT a DNS
754 record which comes from an upstream server. The cname must be
755 unique, but it is permissible to have more than one cname point‐
756 ing to the same target. Indeed it's possible to declare multiple
757 cnames to a target in a single line, like so:
758 --cname=cname1,cname2,target
759
760 If the time-to-live is given, it overrides the default, which is
761 zero or the value of --local-ttl. The value is a positive inte‐
762 ger and gives the time-to-live in seconds.
763
764 --dns-rr=<name>,<RR-number>,[<hex data>]
765 Return an arbitrary DNS Resource Record. The number is the type
766 of the record (which is always in the C_IN class). The value of
767 the record is given by the hex data, which may be of the form
768 01:23:45 or 01 23 45 or 012345 or any mixture of these.
769
770 --interface-name=<name>,<interface>[/4|/6]
771 Return DNS records associating the name with the address(es) of
772 the given interface. This flag specifies an A or AAAA record for
773 the given name in the same way as an /etc/hosts line, except
774 that the address is not constant, but taken from the given in‐
775 terface. The interface may be followed by "/4" or "/6" to spec‐
776 ify that only IPv4 or IPv6 addresses of the interface should be
777 used. If the interface is down, not configured or non-existent,
778 an empty record is returned. The matching PTR record is also
779 created, mapping the interface address to the name. More than
780 one name may be associated with an interface address by repeat‐
781 ing the flag; in that case the first instance is used for the
782 reverse address-to-name mapping. Note that a name used in --in‐
783 terface-name may not appear in /etc/hosts.
784
785 --synth-domain=<domain>,<address range>[,<prefix>[*]]
786 Create artificial A/AAAA and PTR records for an address range.
787 The records either seqential numbers or the address, with peri‐
788 ods (or colons for IPv6) replaced with dashes.
789
790 An examples should make this clearer. First sequential numbers.
791 --synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,in‐
792 ternal-* results in the name internal-0.thekelleys.org.uk. re‐
793 turning 192.168.0.50, internal-1.thekelleys.org.uk returning
794 192.168.0.51 and so on. (note the *) The same principle applies
795 to IPv6 addresses (where the numbers may be very large). Reverse
796 lookups from address to name behave as expected.
797
798 Second, --synth-domain=thekelleys.org.uk,192.168.0.0/24,inter‐
799 nal- (no *) will result in a query for inter‐
800 nal-192-168-0-56.thekelleys.org.uk returning 192.168.0.56 and a
801 reverse query vice versa. The same applies to IPv6, but IPv6 ad‐
802 dresses may start with '::' but DNS labels may not start with
803 '-' so in this case if no prefix is configured a zero is added
804 in front of the label. ::1 becomes 0--1.
805
806 V4 mapped IPv6 addresses, which have a representation like
807 ::ffff:1.2.3.4 are handled specially, and become like
808 0--ffff-1-2-3-4
809
810 The address range can be of the form <start address>,<end ad‐
811 dress> or <ip address>/<prefix-length> in both forms of the op‐
812 tion. For IPv6 the start and end addresses must fall in the same
813 /64 network, or prefix-length must be greater than or equal to
814 64 except that shorter prefix lengths than 64 are allowed only
815 if non-sequential names are in use.
816
817 --dumpfile=<path/to/file>
818 Specify the location of a pcap-format file which dnsmasq uses to
819 dump copies of network packets for debugging purposes. If the
820 file exists when dnsmasq starts, it is not deleted; new packets
821 are added to the end.
822
823 --dumpmask=<mask>
824 Specify which types of packets should be added to the dumpfile.
825 The argument should be the OR of the bitmasks for each type of
826 packet to be dumped: it can be specified in hex by preceding the
827 number with 0x in the normal way. Each time a packet is written
828 to the dumpfile, dnsmasq logs the packet sequence and the mask
829 representing its type. The current types are: 0x0001 - DNS
830 queries from clients, 0x0002 DNS replies to clients, 0x0004 -
831 DNS queries to upstream, 0x0008 - DNS replies from upstream,
832 0x0010 - queries send upstream for DNSSEC validation, 0x0020 -
833 replies to queries for DNSSEC validation, 0x0040 - replies to
834 client queries which fail DNSSEC validation, 0x0080 replies to
835 queries for DNSSEC validation which fail validation, 0x1000 -
836 DHCPv4, 0x2000 - DHCPv6, 0x4000 - Router advertisement, 0x8000 -
837 TFTP.
838
839 --add-mac[=base64|text]
840 Add the MAC address of the requestor to DNS queries which are
841 forwarded upstream. This may be used to DNS filtering by the up‐
842 stream server. The MAC address can only be added if the re‐
843 questor is on the same subnet as the dnsmasq server. Note that
844 the mechanism used to achieve this (an EDNS0 option) is not yet
845 standardised, so this should be considered experimental. Also
846 note that exposing MAC addresses in this way may have security
847 and privacy implications. The warning about caching given for
848 --add-subnet applies to --add-mac too. An alternative encoding
849 of the MAC, as base64, is enabled by adding the "base64" parame‐
850 ter and a human-readable encoding of hex-and-colons is enabled
851 by added the "text" parameter.
852
853 --strip-mac
854 Remove any MAC address information already in downstream queries
855 before forwarding upstream.
856
857 --add-cpe-id=<string>
858 Add an arbitrary identifying string to DNS queries which are
859 forwarded upstream.
860
861 --add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 ad‐
862 dress>/]<IPv6 prefix length>]]
863 Add a subnet address to the DNS queries which are forwarded up‐
864 stream. If an address is specified in the flag, it will be used,
865 otherwise, the address of the requestor will be used. The amount
866 of the address forwarded depends on the prefix length parameter:
867 32 (128 for IPv6) forwards the whole address, zero forwards none
868 of it but still marks the request so that no upstream nameserver
869 will add client address information either. The default is zero
870 for both IPv4 and IPv6. Note that upstream nameservers may be
871 configured to return different results based on this informa‐
872 tion, but the dnsmasq cache does not take account. Caching is
873 therefore disabled for such replies, unless the subnet address
874 being added is constant.
875
876 For example, --add-subnet=24,96 will add the /24 and /96 subnets
877 of the requestor for IPv4 and IPv6 requestors, respectively.
878 --add-subnet=1.2.3.4/24 will add 1.2.3.0/24 for IPv4 requestors
879 and ::/0 for IPv6 requestors. --add-sub‐
880 net=1.2.3.4/24,1.2.3.4/24 will add 1.2.3.0/24 for both IPv4 and
881 IPv6 requestors.
882
883 --strip-subnet
884 Remove any subnet address already present in a downstream query
885 before forwarding it upstream. If --add-subnet is set this also
886 ensures that any downstream-provided subnet is replaced by the
887 one added by dnsmasq. Otherwise, dnsmasq will NOT replace an ex‐
888 isting subnet in the query.
889
890 --umbrella[=[deviceid:<deviceid>][,orgid:<orgid>][,assetid:<id>]]
891 Embeds the requestor's IP address in DNS queries forwarded up‐
892 stream. If device id or, asset id or organization id are speci‐
893 fied, the information is included in the forwarded queries and
894 may be able to be used in filtering policies and reporting. The
895 order of the id attributes is irrelevant, but they must be sepa‐
896 rated by a comma. Deviceid is a sixteen digit hexadecimal num‐
897 ber, org and asset ids are decimal numbers.
898
899 -c, --cache-size=<cachesize>
900 Set the size of dnsmasq's cache. The default is 150 names. Set‐
901 ting the cache size to zero disables caching. Note: huge cache
902 size impacts performance.
903
904 -N, --no-negcache
905 Disable negative caching. Negative caching allows dnsmasq to re‐
906 member "no such domain" answers from upstream nameservers and
907 answer identical queries without forwarding them again.
908
909 --no-round-robin
910 Dnsmasq normally permutes the order of A or AAAA records for the
911 same name on successive queries, for load-balancing. This turns
912 off that behaviour, so that the records are always returned in
913 the order that they are received from upstream.
914
915 --use-stale-cache[=<max TTL excess in s>]
916 When set, if a DNS name exists in the cache, but its time-to-
917 live has expired, dnsmasq will return the data anyway. (It at‐
918 tempts to refresh the data with an upstream query after return‐
919 ing the stale data.) This can improve speed and reliability. It
920 comes at the expense of sometimes returning out-of-date data and
921 less efficient cache utilisation, since old data cannot be
922 flushed when its TTL expires, so the cache becomes mostly least-
923 recently-used. To mitigate issues caused by massively outdated
924 DNS replies, the maximum overaging of cached records can be
925 specified in seconds (defaulting to not serve anything older
926 than one day). Setting the TTL excess time to zero will serve
927 stale cache data regardless how long it has expired.
928
929 -0, --dns-forward-max=<queries>
930 Set the maximum number of concurrent DNS queries. The default
931 value is 150, which should be fine for most setups. The only
932 known situation where this needs to be increased is when using
933 web-server log file resolvers, which can generate large numbers
934 of concurrent queries. This parameter actually controls the num‐
935 ber of concurrent queries per server group, where a server group
936 is the set of server(s) associated with a single domain. So if a
937 domain has it's own server via --server=/example.com/1.2.3.4 and
938 1.2.3.4 is not responding, but queries for *.example.com cannot
939 go elsewhere, then other queries will not be affected. On con‐
940 figurations with many such server groups and tight resources,
941 this value may need to be reduced.
942
943 --dnssec
944 Validate DNS replies and cache DNSSEC data. When forwarding DNS
945 queries, dnsmasq requests the DNSSEC records needed to validate
946 the replies. The replies are validated and the result returned
947 as the Authenticated Data bit in the DNS packet. In addition the
948 DNSSEC records are stored in the cache, making validation by
949 clients more efficient. Note that validation by clients is the
950 most secure DNSSEC mode, but for clients unable to do valida‐
951 tion, use of the AD bit set by dnsmasq is useful, provided that
952 the network between the dnsmasq server and the client is
953 trusted. Dnsmasq must be compiled with HAVE_DNSSEC enabled, and
954 DNSSEC trust anchors provided, see --trust-anchor. Because the
955 DNSSEC validation process uses the cache, it is not permitted to
956 reduce the cache size below the default when DNSSEC is enabled.
957 The nameservers upstream of dnsmasq must be DNSSEC-capable, ie
958 capable of returning DNSSEC records with data. If they are not,
959 then dnsmasq will not be able to determine the trusted status of
960 answers and this means that DNS service will be entirely broken.
961
962 --trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-
963 type>,<digest>
964 Provide DS records to act a trust anchors for DNSSEC validation.
965 Typically these will be the DS record(s) for Key Signing key(s)
966 (KSK) of the root zone, but trust anchors for limited domains
967 are also possible. The current root-zone trust anchors may be
968 downloaded from https://data.iana.org/root-anchors/root-an‐
969 chors.xml
970
971 --dnssec-check-unsigned[=no]
972 As a default, dnsmasq checks that unsigned DNS replies are le‐
973 gitimate: this entails possible extra queries even for the ma‐
974 jority of DNS zones which are not, at the moment, signed. If
975 --dnssec-check-unsigned=no appears in the configuration, then
976 such replies they are assumed to be valid and passed on (without
977 the "authentic data" bit set, of course). This does not protect
978 against an attacker forging unsigned replies for signed DNS
979 zones, but it is fast.
980
981 Versions of dnsmasq prior to 2.80 defaulted to not checking un‐
982 signed replies, and used --dnssec-check-unsigned to switch this
983 on. Such configurations will continue to work as before, but
984 those which used the default of no checking will need to be al‐
985 tered to explicitly select no checking. The new default is be‐
986 cause switching off checking for unsigned replies is inherently
987 dangerous. Not only does it open the possiblity of forged
988 replies, but it allows everything to appear to be working even
989 when the upstream namesevers do not support DNSSEC, and in this
990 case no DNSSEC validation at all is occurring.
991
992 --dnssec-no-timecheck
993 DNSSEC signatures are only valid for specified time windows, and
994 should be rejected outside those windows. This generates an in‐
995 teresting chicken-and-egg problem for machines which don't have
996 a hardware real time clock. For these machines to determine the
997 correct time typically requires use of NTP and therefore DNS,
998 but validating DNS requires that the correct time is already
999 known. Setting this flag removes the time-window checks (but not
1000 other DNSSEC validation.) only until the dnsmasq process re‐
1001 ceives SIGINT. The intention is that dnsmasq should be started
1002 with this flag when the platform determines that reliable time
1003 is not currently available. As soon as reliable time is estab‐
1004 lished, a SIGINT should be sent to dnsmasq, which enables time
1005 checking, and purges the cache of DNS records which have not
1006 been thoroughly checked.
1007
1008 Earlier versions of dnsmasq overloaded SIGHUP (which re-reads
1009 much configuration) to also enable time validation.
1010
1011 If dnsmasq is run in debug mode (--no-daemon flag) then SIGINT
1012 retains its usual meaning of terminating the dnsmasq process.
1013
1014 --dnssec-timestamp=<path>
1015 Enables an alternative way of checking the validity of the sys‐
1016 tem time for DNSSEC (see --dnssec-no-timecheck). In this case,
1017 the system time is considered to be valid once it becomes later
1018 than the timestamp on the specified file. The file is created
1019 and its timestamp set automatically by dnsmasq. The file must be
1020 stored on a persistent filesystem, so that it and its mtime are
1021 carried over system restarts. The timestamp file is created af‐
1022 ter dnsmasq has dropped root, so it must be in a location
1023 writable by the unprivileged user that dnsmasq runs as.
1024
1025 --proxy-dnssec
1026 Copy the DNSSEC Authenticated Data bit from upstream servers to
1027 downstream clients. This is an alternative to having dnsmasq
1028 validate DNSSEC, but it depends on the security of the network
1029 between dnsmasq and the upstream servers, and the trustworthi‐
1030 ness of the upstream servers. Note that caching the Authenti‐
1031 cated Data bit correctly in all cases is not technically possi‐
1032 ble. If the AD bit is to be relied upon when using this option,
1033 then the cache should be disabled using --cache-size=0. In most
1034 cases, enabling DNSSEC validation within dnsmasq is a better op‐
1035 tion. See --dnssec for details.
1036
1037 --dnssec-debug
1038 Set debugging mode for the DNSSEC validation, set the Checking
1039 Disabled bit on upstream queries, and don't convert replies
1040 which do not validate to responses with a return code of SERV‐
1041 FAIL. Note that setting this may affect DNS behaviour in bad
1042 ways, it is not an extra-logging flag and should not be set in
1043 production.
1044
1045 --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix
1046 length>].....][,exclude:<subnet>[/<prefix length>]].....]
1047 Define a DNS zone for which dnsmasq acts as authoritative
1048 server. Locally defined DNS records which are in the domain will
1049 be served. If subnet(s) are given, A and AAAA records must be in
1050 one of the specified subnets.
1051
1052 As alternative to directly specifying the subnets, it's possible
1053 to give the name of an interface, in which case the subnets im‐
1054 plied by that interface's configured addresses and netmask/pre‐
1055 fix-length are used; this is useful when using constructed DHCP
1056 ranges as the actual address is dynamic and not known when con‐
1057 figuring dnsmasq. The interface addresses may be confined to
1058 only IPv6 addresses using <interface>/6 or to only IPv4 using
1059 <interface>/4. This is useful when an interface has dynamically
1060 determined global IPv6 addresses which should appear in the
1061 zone, but RFC1918 IPv4 addresses which should not. Interface-
1062 name and address-literal subnet specifications may be used
1063 freely in the same --auth-zone declaration.
1064
1065 It's possible to exclude certain IP addresses from responses. It
1066 can be used, to make sure that answers contain only global
1067 routeable IP addresses (by excluding loopback, RFC1918 and ULA
1068 addresses).
1069
1070 The subnet(s) are also used to define in-addr.arpa and ip6.arpa
1071 domains which are served for reverse-DNS queries. If not speci‐
1072 fied, the prefix length defaults to 24 for IPv4 and 64 for IPv6.
1073 For IPv4 subnets, the prefix length should be have the value 8,
1074 16 or 24 unless you are familiar with RFC 2317 and have arranged
1075 the in-addr.arpa delegation accordingly. Note that if no subnets
1076 are specified, then no reverse queries are answered.
1077
1078 --auth-soa=<serial>[,<hostmaster>[,<refresh>[,<retry>[,<expiry>]]]]
1079 Specify fields in the SOA record associated with authoritative
1080 zones. Note that this is optional, all the values are set to
1081 sane defaults.
1082
1083 --auth-sec-servers=<domain>[,<domain>[,<domain>...]]
1084 Specify any secondary servers for a zone for which dnsmasq is
1085 authoritative. These servers must be configured to get zone data
1086 from dnsmasq by zone transfer, and answer queries for the same
1087 authoritative zones as dnsmasq.
1088
1089 --auth-peer=<ip-address>[,<ip-address>[,<ip-address>...]]
1090 Specify the addresses of secondary servers which are allowed to
1091 initiate zone transfer (AXFR) requests for zones for which dns‐
1092 masq is authoritative. If this option is not given but --auth-
1093 sec-servers is, then AXFR requests will be accepted from any
1094 secondary. Specifying --auth-peer without --auth-sec-servers en‐
1095 ables zone transfer but does not advertise the secondary in NS
1096 records returned by dnsmasq.
1097
1098 --conntrack
1099 Read the Linux connection track mark associated with incoming
1100 DNS queries and set the same mark value on upstream traffic used
1101 to answer those queries. This allows traffic generated by dns‐
1102 masq to be associated with the queries which cause it, useful
1103 for bandwidth accounting and firewalling. Dnsmasq must have con‐
1104 ntrack support compiled in and the kernel must have conntrack
1105 support included and configured. This option cannot be combined
1106 with --query-port.
1107
1108 -F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-
1109 addr>[,<end-addr>|<mode>[,<netmask>[,<broadcast>]]][,<lease time>]
1110
1111 -F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-
1112 IPv6addr>[,<end-IPv6addr>|constructor:<interface>][,<mode>][,<prefix-
1113 len>][,<lease time>]
1114
1115 Enable the DHCP server. Addresses will be given out from the
1116 range <start-addr> to <end-addr> and from statically defined ad‐
1117 dresses given in --dhcp-host options. If the lease time is
1118 given, then leases will be given for that length of time. The
1119 lease time is in seconds, or minutes (eg 45m) or hours (eg 1h)
1120 or days (2d) or weeks (1w) or "infinite". If not given, the de‐
1121 fault lease time is one hour for IPv4 and one day for IPv6. The
1122 minimum lease time is two minutes. For IPv6 ranges, the lease
1123 time maybe "deprecated"; this sets the preferred lifetime sent
1124 in a DHCP lease or router advertisement to zero, which causes
1125 clients to use other addresses, if available, for new connec‐
1126 tions as a prelude to renumbering.
1127
1128 This option may be repeated, with different addresses, to enable
1129 DHCP service to more than one network. For directly connected
1130 networks (ie, networks on which the machine running dnsmasq has
1131 an interface) the netmask is optional: dnsmasq will determine it
1132 from the interface configuration. For networks which receive
1133 DHCP service via a relay agent, dnsmasq cannot determine the
1134 netmask itself, so it should be specified, otherwise dnsmasq
1135 will have to guess, based on the class (A, B or C) of the net‐
1136 work address. The broadcast address is always optional. It is
1137 always allowed to have more than one --dhcp-range in a single
1138 subnet.
1139
1140 For IPv6, the parameters are slightly different: instead of net‐
1141 mask and broadcast address, there is an optional prefix length
1142 which must be equal to or larger then the prefix length on the
1143 local interface. If not given, this defaults to 64. Unlike the
1144 IPv4 case, the prefix length is not automatically derived from
1145 the interface configuration. The minimum size of the prefix
1146 length is 64.
1147
1148 IPv6 (only) supports another type of range. In this, the start
1149 address and optional end address contain only the network part
1150 (ie ::1) and they are followed by constructor:<interface>. This
1151 forms a template which describes how to create ranges, based on
1152 the addresses assigned to the interface. For instance
1153
1154 --dhcp-range=::1,::400,constructor:eth0
1155
1156 will look for addresses on eth0 and then create a range from
1157 <network>::1 to <network>::400. If the interface is assigned
1158 more than one network, then the corresponding ranges will be au‐
1159 tomatically created, and then deprecated and finally removed
1160 again as the address is deprecated and then deleted. The inter‐
1161 face name may have a final "*" wildcard. Note that just any ad‐
1162 dress on eth0 will not do: it must not be an autoconfigured or
1163 privacy address, or be deprecated.
1164
1165 If a --dhcp-range is only being used for stateless DHCP and/or
1166 SLAAC, then the address can be simply ::
1167
1168 --dhcp-range=::,constructor:eth0
1169
1170
1171 The optional set:<tag> sets an alphanumeric label which marks
1172 this network so that DHCP options may be specified on a per-net‐
1173 work basis. When it is prefixed with 'tag:' instead, then its
1174 meaning changes from setting a tag to matching it. Only one tag
1175 may be set, but more than one tag may be matched.
1176
1177 The optional <mode> keyword may be static which tells dnsmasq to
1178 enable DHCP for the network specified, but not to dynamically
1179 allocate IP addresses: only hosts which have static addresses
1180 given via --dhcp-host or from /etc/ethers will be served. A
1181 static-only subnet with address all zeros may be used as a
1182 "catch-all" address to enable replies to all Information-request
1183 packets on a subnet which is provided with stateless DHCPv6, ie
1184 --dhcp-range=::,static
1185
1186 For IPv4, the <mode> may be proxy in which case dnsmasq will
1187 provide proxy-DHCP on the specified subnet. (See --pxe-prompt
1188 and --pxe-service for details.)
1189
1190 For IPv6, the mode may be some combination of ra-only, slaac,
1191 ra-names, ra-stateless, ra-advrouter, off-link.
1192
1193 ra-only tells dnsmasq to offer Router Advertisement only on this
1194 subnet, and not DHCP.
1195
1196 slaac tells dnsmasq to offer Router Advertisement on this subnet
1197 and to set the A bit in the router advertisement, so that the
1198 client will use SLAAC addresses. When used with a DHCP range or
1199 static DHCP address this results in the client having both a
1200 DHCP-assigned and a SLAAC address.
1201
1202 ra-stateless sends router advertisements with the O and A bits
1203 set, and provides a stateless DHCP service. The client will use
1204 a SLAAC address, and use DHCP for other configuration informa‐
1205 tion.
1206
1207 ra-names enables a mode which gives DNS names to dual-stack
1208 hosts which do SLAAC for IPv6. Dnsmasq uses the host's IPv4
1209 lease to derive the name, network segment and MAC address and
1210 assumes that the host will also have an IPv6 address calculated
1211 using the SLAAC algorithm, on the same network segment. The ad‐
1212 dress is pinged, and if a reply is received, an AAAA record is
1213 added to the DNS for this IPv6 address. Note that this is only
1214 happens for directly-connected networks, (not one doing DHCP via
1215 a relay) and it will not work if a host is using privacy exten‐
1216 sions. ra-names can be combined with ra-stateless and slaac.
1217
1218 ra-advrouter enables a mode where router address(es) rather than
1219 prefix(es) are included in the advertisements. This is de‐
1220 scribed in RFC-3775 section 7.2 and is used in mobile IPv6. In
1221 this mode the interval option is also included, as described in
1222 RFC-3775 section 7.3.
1223
1224 off-link tells dnsmasq to advertise the prefix without the on-
1225 link (aka L) bit set.
1226
1227
1228 -G, --dhcp-
1229 host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,tag:<tag>][,<ipaddr>][,<host‐
1230 name>][,<lease_time>][,ignore]
1231 Specify per host parameters for the DHCP server. This allows a
1232 machine with a particular hardware address to be always allo‐
1233 cated the same hostname, IP address and lease time. A hostname
1234 specified like this overrides any supplied by the DHCP client on
1235 the machine. It is also allowable to omit the hardware address
1236 and include the hostname, in which case the IP address and lease
1237 times will apply to any machine claiming that name. For example
1238 --dhcp-host=00:20:e0:3b:13:af,wap,infinite tells dnsmasq to give
1239 the machine with hardware address 00:20:e0:3b:13:af the name
1240 wap, and an infinite DHCP lease. --dhcp-host=lap,192.168.0.199
1241 tells dnsmasq to always allocate the machine lap the IP address
1242 192.168.0.199.
1243
1244 Addresses allocated like this are not constrained to be in the
1245 range given by the --dhcp-range option, but they must be in the
1246 same subnet as some valid dhcp-range. For subnets which don't
1247 need a pool of dynamically allocated addresses, use the "static"
1248 keyword in the --dhcp-range declaration.
1249
1250 It is allowed to use client identifiers (called client DUID in
1251 IPv6-land) rather than hardware addresses to identify hosts by
1252 prefixing with 'id:'. Thus: --dhcp-host=id:01:02:03:04,.....
1253 refers to the host with client identifier 01:02:03:04. It is
1254 also allowed to specify the client ID as text, like this:
1255 --dhcp-host=id:clientidastext,.....
1256
1257 A single --dhcp-host may contain an IPv4 address or one or more
1258 IPv6 addresses, or both. IPv6 addresses must be bracketed by
1259 square brackets thus: --dhcp-host=laptop,[1234::56] IPv6 ad‐
1260 dresses may contain only the host-identifier part: --dhcp-
1261 host=laptop,[::56] in which case they act as wildcards in con‐
1262 structed DHCP ranges, with the appropriate network part in‐
1263 serted. For IPv6, an address may include a prefix length:
1264 --dhcp-host=laptop,[1234:50/126] which (in this case) specifies
1265 four addresses, 1234::50 to 1234::53. This (an the ability to
1266 specify multiple addresses) is useful when a host presents ei‐
1267 ther a consistent name or hardware-ID, but varying DUIDs, since
1268 it allows dnsmasq to honour the static address allocation but
1269 assign a different adddress for each DUID. This typically occurs
1270 when chain netbooting, as each stage of the chain gets in turn
1271 allocates an address.
1272
1273 Note that in IPv6 DHCP, the hardware address may not be avail‐
1274 able, though it normally is for direct-connected clients, or
1275 clients using DHCP relays which support RFC 6939.
1276
1277
1278 For DHCPv4, the special option id:* means "ignore any client-id
1279 and use MAC addresses only." This is useful when a client
1280 presents a client-id sometimes but not others.
1281
1282 If a name appears in /etc/hosts, the associated address can be
1283 allocated to a DHCP lease, but only if a --dhcp-host option
1284 specifying the name also exists. Only one hostname can be given
1285 in a --dhcp-host option, but aliases are possible by using
1286 CNAMEs. (See --cname ). Note that /etc/hosts is NOT used when
1287 the DNS server side of dnsmasq is disabled by setting the DNS
1288 server port to zero.
1289
1290 More than one --dhcp-host can be associated (by name, hardware
1291 address or UID) with a host. Which one is used (and therefore
1292 which address is allocated by DHCP and appears in the DNS) de‐
1293 pends on the subnet on which the host last obtained a DHCP
1294 lease: the --dhcp-host with an address within the subnet is
1295 used. If more than one address is within the subnet, the result
1296 is undefined. A corollary to this is that the name associated
1297 with a host using --dhcp-host does not appear in the DNS until
1298 the host obtains a DHCP lease.
1299
1300
1301 The special keyword "ignore" tells dnsmasq to never offer a DHCP
1302 lease to a machine. The machine can be specified by hardware ad‐
1303 dress, client ID or hostname, for instance --dhcp-
1304 host=00:20:e0:3b:13:af,ignore This is useful when there is an‐
1305 other DHCP server on the network which should be used by some
1306 machines.
1307
1308 The set:<tag> construct sets the tag whenever this --dhcp-host
1309 directive is in use. This can be used to selectively send DHCP
1310 options just for this host. More than one tag can be set in a
1311 --dhcp-host directive (but not in other places where "set:<tag>"
1312 is allowed). When a host matches any --dhcp-host directive (or
1313 one implied by /etc/ethers) then the special tag "known" is set.
1314 This allows dnsmasq to be configured to ignore requests from un‐
1315 known machines using --dhcp-ignore=tag:!known If the host
1316 matches only a --dhcp-host directive which cannot be used be‐
1317 cause it specifies an address on different subnet, the tag
1318 "known-othernet" is set.
1319
1320 The tag:<tag> construct filters which dhcp-host directives are
1321 used; more than one can be provided, in this case the request
1322 must match all of them. Tagged directives are used in preference
1323 to untagged ones. Note that one of <hwaddr>, <client_id> or
1324 <hostname> still needs to be specified (can be a wildcard).
1325
1326 Ethernet addresses (but not client-ids) may have wildcard bytes,
1327 so for example --dhcp-host=00:20:e0:3b:13:*,ignore will cause
1328 dnsmasq to ignore a range of hardware addresses. Note that the
1329 "*" will need to be escaped or quoted on a command line, but not
1330 in the configuration file.
1331
1332 Hardware addresses normally match any network (ARP) type, but it
1333 is possible to restrict them to a single ARP type by preceding
1334 them with the ARP-type (in HEX) and "-". so --dhcp-
1335 host=06-00:20:e0:3b:13:af,1.2.3.4 will only match a Token-Ring
1336 hardware address, since the ARP-address type for token ring is
1337 6.
1338
1339 As a special case, in DHCPv4, it is possible to include more
1340 than one hardware address. eg: --dhcp-
1341 host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2 This allows
1342 an IP address to be associated with multiple hardware addresses,
1343 and gives dnsmasq permission to abandon a DHCP lease to one of
1344 the hardware addresses when another one asks for a lease. Beware
1345 that this is a dangerous thing to do, it will only work reliably
1346 if only one of the hardware addresses is active at any time and
1347 there is no way for dnsmasq to enforce this. It is, for in‐
1348 stance, useful to allocate a stable IP address to a laptop which
1349 has both wired and wireless interfaces.
1350
1351 --dhcp-hostsfile=<path>
1352 Read DHCP host information from the specified file. If a direc‐
1353 tory is given, then read all the files contained in that direc‐
1354 tory in alphabetical order. The file contains information about
1355 one host per line. The format of a line is the same as text to
1356 the right of '=' in --dhcp-host. The advantage of storing DHCP
1357 host information in this file is that it can be changed without
1358 re-starting dnsmasq: the file will be re-read when dnsmasq re‐
1359 ceives SIGHUP.
1360
1361 --dhcp-optsfile=<path>
1362 Read DHCP option information from the specified file. If a di‐
1363 rectory is given, then read all the files contained in that di‐
1364 rectory in alphabetical order. The advantage of using this op‐
1365 tion is the same as for --dhcp-hostsfile: the --dhcp-optsfile
1366 will be re-read when dnsmasq receives SIGHUP. Note that it is
1367 possible to encode the information in a --dhcp-boot flag as DHCP
1368 options, using the options names bootfile-name, server-ip-ad‐
1369 dress and tftp-server. This allows these to be included in a
1370 --dhcp-optsfile.
1371
1372 --dhcp-hostsdir=<path>
1373 This is equivalent to --dhcp-hostsfile, except for the follow‐
1374 ing. The path MUST be a directory, and not an individual file.
1375 Changed or new files within the directory are read automati‐
1376 cally, without the need to send SIGHUP. If a file is deleted or
1377 changed after it has been read by dnsmasq, then the host record
1378 it contained will remain until dnsmasq receives a SIGHUP, or is
1379 restarted; ie host records are only added dynamically. The order
1380 in which the files in a directory are read is not defined.
1381
1382 --dhcp-optsdir=<path>
1383 This is equivalent to --dhcp-optsfile, with the differences
1384 noted for --dhcp-hostsdir.
1385
1386 -Z, --read-ethers
1387 Read /etc/ethers for information about hosts for the DHCP
1388 server. The format of /etc/ethers is a hardware address, fol‐
1389 lowed by either a hostname or dotted-quad IP address. When read
1390 by dnsmasq these lines have exactly the same effect as --dhcp-
1391 host options containing the same information. /etc/ethers is re-
1392 read when dnsmasq receives SIGHUP. IPv6 addresses are NOT read
1393 from /etc/ethers.
1394
1395 -O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<en‐
1396 terprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>|op‐
1397 tion6:<opt>|option6:<opt-name>],[<value>[,<value>]]
1398 Specify different or extra options to DHCP clients. By default,
1399 dnsmasq sends some standard options to DHCP clients, the netmask
1400 and broadcast address are set to the same as the host running
1401 dnsmasq, and the DNS server and default route are set to the ad‐
1402 dress of the machine running dnsmasq. (Equivalent rules apply
1403 for IPv6.) If the domain name option has been set, that is sent.
1404 This configuration allows these defaults to be overridden, or
1405 other options specified. The option, to be sent may be given as
1406 a decimal number or as "option:<option-name>" The option numbers
1407 are specified in RFC2132 and subsequent RFCs. The set of option-
1408 names known by dnsmasq can be discovered by running "dnsmasq
1409 --help dhcp". For example, to set the default route option to
1410 192.168.4.4, do --dhcp-option=3,192.168.4.4 or --dhcp-option =
1411 option:router, 192.168.4.4 and to set the time-server address to
1412 192.168.0.4, do --dhcp-option = 42,192.168.0.4 or --dhcp-option
1413 = option:ntp-server, 192.168.0.4 The special address 0.0.0.0 is
1414 taken to mean "the address of the machine running dnsmasq".
1415
1416 Data types allowed are comma separated dotted-quad IPv4 ad‐
1417 dresses, []-wrapped IPv6 addresses, a decimal number, colon-sep‐
1418 arated hex digits and a text string. If the optional tags are
1419 given then this option is only sent when all the tags are
1420 matched.
1421
1422 Special processing is done on a text argument for option 119, to
1423 conform with RFC 3397. Text or dotted-quad IP addresses as argu‐
1424 ments to option 120 are handled as per RFC 3361. Dotted-quad IP
1425 addresses which are followed by a slash and then a netmask size
1426 are encoded as described in RFC 3442.
1427
1428 IPv6 options are specified using the option6: keyword, followed
1429 by the option number or option name. The IPv6 option name space
1430 is disjoint from the IPv4 option name space. IPv6 addresses in
1431 options must be bracketed with square brackets, eg. --dhcp-op‐
1432 tion=option6:ntp-server,[1234::56] For IPv6, [::] means "the
1433 global address of the machine running dnsmasq", whilst [fd00::]
1434 is replaced with the ULA, if it exists, and [fe80::] with the
1435 link-local address.
1436
1437 Be careful: no checking is done that the correct type of data
1438 for the option number is sent, it is quite possible to persuade
1439 dnsmasq to generate illegal DHCP packets with injudicious use of
1440 this flag. When the value is a decimal number, dnsmasq must de‐
1441 termine how large the data item is. It does this by examining
1442 the option number and/or the value, but can be overridden by ap‐
1443 pending a single letter flag as follows: b = one byte, s = two
1444 bytes, i = four bytes. This is mainly useful with encapsulated
1445 vendor class options (see below) where dnsmasq cannot determine
1446 data size from the option number. Option data which consists
1447 solely of periods and digits will be interpreted by dnsmasq as
1448 an IP address, and inserted into an option as such. To force a
1449 literal string, use quotes. For instance when using option 66 to
1450 send a literal IP address as TFTP server name, it is necessary
1451 to do --dhcp-option=66,"1.2.3.4"
1452
1453 Encapsulated Vendor-class options may also be specified (IPv4
1454 only) using --dhcp-option: for instance --dhcp-option=vendor:PX‐
1455 EClient,1,0.0.0.0 sends the encapsulated vendor class-specific
1456 option "mftp-address=0.0.0.0" to any client whose vendor-class
1457 matches "PXEClient". The vendor-class matching is substring
1458 based (see --dhcp-vendorclass for details). If a vendor-class
1459 option (number 60) is sent by dnsmasq, then that is used for se‐
1460 lecting encapsulated options in preference to any sent by the
1461 client. It is possible to omit the vendorclass completely;
1462 --dhcp-option=vendor:,1,0.0.0.0 in which case the encapsulated
1463 option is always sent.
1464
1465 Options may be encapsulated (IPv4 only) within other options:
1466 for instance --dhcp-option=encap:175, 190, iscsi-client0 will
1467 send option 175, within which is the option 190. If multiple op‐
1468 tions are given which are encapsulated with the same option num‐
1469 ber then they will be correctly combined into one encapsulated
1470 option. encap: and vendor: are may not both be set in the same
1471 --dhcp-option.
1472
1473 The final variant on encapsulated options is "Vendor-Identifying
1474 Vendor Options" as specified by RFC3925. These are denoted like
1475 this: --dhcp-option=vi-encap:2, 10, text The number in the vi-
1476 encap: section is the IANA enterprise number used to identify
1477 this option. This form of encapsulation is supported in IPv6.
1478
1479 The address 0.0.0.0 is not treated specially in encapsulated op‐
1480 tions.
1481
1482 --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-en‐
1483 cap:<enterprise>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
1484 This works in exactly the same way as --dhcp-option except that
1485 the option will always be sent, even if the client does not ask
1486 for it in the parameter request list. This is sometimes needed,
1487 for example when sending options to PXELinux.
1488
1489 --dhcp-no-override
1490 (IPv4 only) Disable re-use of the DHCP servername and filename
1491 fields as extra option space. If it can, dnsmasq moves the boot
1492 server and filename information (from --dhcp-boot) out of their
1493 dedicated fields into DHCP options. This make extra space avail‐
1494 able in the DHCP packet for options but can, rarely, confuse old
1495 or broken clients. This flag forces "simple and safe" behaviour
1496 to avoid problems in such a case.
1497
1498 --dhcp-relay=<local address>[,<server address>[#<server port>]][,<in‐
1499 terface]
1500 Configure dnsmasq to do DHCP relay. The local address is an ad‐
1501 dress allocated to an interface on the host running dnsmasq. All
1502 DHCP requests arriving on that interface will we relayed to a
1503 remote DHCP server at the server address. It is possible to re‐
1504 lay from a single local address to multiple remote servers by
1505 using multiple --dhcp-relay configs with the same local address
1506 and different server addresses. A server address must be an IP
1507 literal address, not a domain name. If the server address is
1508 omitted, the request will be forwarded by broadcast (IPv4) or
1509 multicast (IPv6). In this case the interface must be given and
1510 not be wildcard. The server address may specify a non-standard
1511 port to relay to. If this is used then --dhcp-proxy should
1512 likely also be set, otherwise parts of the DHCP conversation
1513 which do not pass through the relay will be delivered to the
1514 wrong port.
1515
1516 Access control for DHCP clients has the same rules as for the
1517 DHCP server, see --interface, --except-interface, etc. The op‐
1518 tional interface name in the --dhcp-relay config has a different
1519 function: it controls on which interface DHCP replies from the
1520 server will be accepted. This is intended for configurations
1521 which have three interfaces: one being relayed from, a second
1522 connecting the DHCP server, and a third untrusted network, typi‐
1523 cally the wider internet. It avoids the possibility of spoof
1524 replies arriving via this third interface.
1525
1526 It is allowed to have dnsmasq act as a DHCP server on one set of
1527 interfaces and relay from a disjoint set of interfaces. Note
1528 that whilst it is quite possible to write configurations which
1529 appear to act as a server and a relay on the same interface,
1530 this is not supported: the relay function will take precedence.
1531
1532 Both DHCPv4 and DHCPv6 relay is supported. It's not possible to
1533 relay DHCPv4 to a DHCPv6 server or vice-versa.
1534
1535 The DHCP relay function for IPv6 includes the ability to snoop
1536 prefix-delegation from relayed DHCP transactions. See --dhcp-
1537 script for details.
1538
1539 -U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise num‐
1540 ber>,]<vendor-class>
1541 Map from a vendor-class string to a tag. Most DHCP clients pro‐
1542 vide a "vendor class" which represents, in some sense, the type
1543 of host. This option maps vendor classes to tags, so that DHCP
1544 options may be selectively delivered to different classes of
1545 hosts. For example --dhcp-vendorclass=set:printers,Hewlett-
1546 Packard JetDirect will allow options to be set only for HP
1547 printers like so: --dhcp-option=tag:printers,3,192.168.4.4 The
1548 vendor-class string is substring matched against the vendor-
1549 class supplied by the client, to allow fuzzy matching. The set:
1550 prefix is optional but allowed for consistency.
1551
1552 Note that in IPv6 only, vendorclasses are namespaced with an
1553 IANA-allocated enterprise number. This is given with enterprise:
1554 keyword and specifies that only vendorclasses matching the spec‐
1555 ified number should be searched.
1556
1557 -j, --dhcp-userclass=set:<tag>,<user-class>
1558 Map from a user-class string to a tag (with substring matching,
1559 like vendor classes). Most DHCP clients provide a "user class"
1560 which is configurable. This option maps user classes to tags, so
1561 that DHCP options may be selectively delivered to different
1562 classes of hosts. It is possible, for instance to use this to
1563 set a different printer server for hosts in the class "accounts"
1564 than for hosts in the class "engineering".
1565
1566 -4, --dhcp-mac=set:<tag>,<MAC address>
1567 Map from a MAC address to a tag. The MAC address may include
1568 wildcards. For example --dhcp-mac=set:3com,01:34:23:*:*:* will
1569 set the tag "3com" for any host whose MAC address matches the
1570 pattern.
1571
1572 --dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-remoteid=set:<tag>,<re‐
1573 mote-id>
1574 Map from RFC3046 relay agent options to tags. This data may be
1575 provided by DHCP relay agents. The circuit-id or remote-id is
1576 normally given as colon-separated hex, but is also allowed to be
1577 a simple string. If an exact match is achieved between the cir‐
1578 cuit or agent ID and one provided by a relay agent, the tag is
1579 set.
1580
1581 --dhcp-remoteid (but not --dhcp-circuitid) is supported in IPv6.
1582
1583 --dhcp-subscrid=set:<tag>,<subscriber-id>
1584 (IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent op‐
1585 tions to tags.
1586
1587 --dhcp-proxy[=<ip addr>]......
1588 (IPv4 only) A normal DHCP relay agent is only used to forward
1589 the initial parts of a DHCP interaction to the DHCP server. Once
1590 a client is configured, it communicates directly with the
1591 server. This is undesirable if the relay agent is adding extra
1592 information to the DHCP packets, such as that used by --dhcp-
1593 circuitid and --dhcp-remoteid. A full relay implementation can
1594 use the RFC 5107 serverid-override option to force the DHCP
1595 server to use the relay as a full proxy, with all packets pass‐
1596 ing through it. This flag provides an alternative method of do‐
1597 ing the same thing, for relays which don't support RFC 5107.
1598 Given alone, it manipulates the server-id for all interactions
1599 via relays. If a list of IP addresses is given, only interac‐
1600 tions via relays at those addresses are affected.
1601
1602 --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-en‐
1603 cap:<enterprise>[,<value>]
1604 Without a value, set the tag if the client sends a DHCP option
1605 of the given number or name. When a value is given, set the tag
1606 only if the option is sent and matches the value. The value may
1607 be of the form "01:ff:*:02" in which case the value must match
1608 (apart from wildcards) but the option sent may have unmatched
1609 data past the end of the value. The value may also be of the
1610 same form as in --dhcp-option in which case the option sent is
1611 treated as an array, and one element must match, so --dhcp-
1612 match=set:efi-ia32,option:client-arch,6 will set the tag "efi-
1613 ia32" if the the number 6 appears in the list of architectures
1614 sent by the client in option 93. (See RFC 4578 for details.) If
1615 the value is a string, substring matching is used.
1616
1617 The special form with vi-encap:<enterprise number> matches
1618 against vendor-identifying vendor classes for the specified en‐
1619 terprise. Please see RFC 3925 for more details of these rare and
1620 interesting beasts.
1621
1622 --dhcp-name-match=set:<tag>,<name>[*]
1623 Set the tag if the given name is supplied by a DHCP client.
1624 There may be a single trailing wildcard *, which has the usual
1625 meaning. Combined with dhcp-ignore or dhcp-ignore-names this
1626 gives the ability to ignore certain clients by name, or disallow
1627 certain hostnames from being claimed by a client.
1628
1629 --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
1630 Perform boolean operations on tags. Any tag appearing as
1631 set:<tag> is set if all the tags which appear as tag:<tag> are
1632 set, (or unset when tag:!<tag> is used) If no tag:<tag> appears
1633 set:<tag> tags are set unconditionally. Any number of set: and
1634 tag: forms may appear, in any order. --tag-if lines are exe‐
1635 cuted in order, so if the tag in tag:<tag> is a tag set by an‐
1636 other --tag-if, the line which sets the tag must precede the one
1637 which tests it.
1638
1639 As an extension, the tag:<tag> clauses support limited wildcard
1640 matching, similar to the matching in the --interface directive.
1641 This allows, for example, using --tag-if=set:ppp,tag:ppp* to set
1642 the tag 'ppp' for all requests received on any matching inter‐
1643 face (ppp0, ppp1, etc). This can be used in conjunction with
1644 the tag:!<tag> format meaning that no tag matching the wildcard
1645 may be set.
1646
1647 -J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
1648 When all the given tags appear in the tag set ignore the host
1649 and do not allocate it a DHCP lease.
1650
1651 --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
1652 When all the given tags appear in the tag set, ignore any host‐
1653 name provided by the host. Note that, unlike --dhcp-ignore, it
1654 is permissible to supply no tags, in which case DHCP-client sup‐
1655 plied hostnames are always ignored, and DHCP hosts are added to
1656 the DNS using only --dhcp-host configuration in dnsmasq and the
1657 contents of /etc/hosts and /etc/ethers.
1658
1659 --dhcp-generate-names=tag:<tag>[,tag:<tag>]
1660 (IPv4 only) Generate a name for DHCP clients which do not other‐
1661 wise have one, using the MAC address expressed in hex, separated
1662 by dashes. Note that if a host provides a name, it will be used
1663 by preference to this, unless --dhcp-ignore-names is set.
1664
1665 --dhcp-broadcast[=tag:<tag>[,tag:<tag>]]
1666 (IPv4 only) When all the given tags appear in the tag set, al‐
1667 ways use broadcast to communicate with the host when it is un‐
1668 configured. It is permissible to supply no tags, in which case
1669 this is unconditional. Most DHCP clients which need broadcast
1670 replies set a flag in their requests so that this happens auto‐
1671 matically, some old BOOTP clients do not.
1672
1673 -M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server ad‐
1674 dress>|<tftp_servername>]]
1675 (IPv4 only) Set BOOTP options to be returned by the DHCP server.
1676 Server name and address are optional: if not provided, the name
1677 is left empty, and the address set to the address of the machine
1678 running dnsmasq. If dnsmasq is providing a TFTP service (see
1679 --enable-tftp ) then only the filename is required here to en‐
1680 able network booting. If the optional tag(s) are given, they
1681 must match for this configuration to be sent. Instead of an IP
1682 address, the TFTP server address can be given as a domain name
1683 which is looked up in /etc/hosts. This name can be associated in
1684 /etc/hosts with multiple IP addresses, which are used round-
1685 robin. This facility can be used to load balance the tftp load
1686 among a set of servers.
1687
1688 --dhcp-sequential-ip
1689 Dnsmasq is designed to choose IP addresses for DHCP clients us‐
1690 ing a hash of the client's MAC address. This normally allows a
1691 client's address to remain stable long-term, even if the client
1692 sometimes allows its DHCP lease to expire. In this default mode
1693 IP addresses are distributed pseudo-randomly over the entire
1694 available address range. There are sometimes circumstances (typ‐
1695 ically server deployment) where it is more convenient to have IP
1696 addresses allocated sequentially, starting from the lowest
1697 available address, and setting this flag enables this mode. Note
1698 that in the sequential mode, clients which allow a lease to ex‐
1699 pire are much more likely to move IP address; for this reason it
1700 should not be generally used.
1701
1702 --dhcp-ignore-clid
1703 Dnsmasq is reading 'client identifier' (RFC 2131) option sent by
1704 clients (if available) to identify clients. This allow to serve
1705 same IP address for a host using several interfaces. Use this
1706 option to disable 'client identifier' reading, i.e. to always
1707 identify a host using the MAC address.
1708
1709 --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservice‐
1710 type>][,<server address>|<server_name>]
1711 Most uses of PXE boot-ROMS simply allow the PXE system to obtain
1712 an IP address and then download the file specified by --dhcp-
1713 boot and execute it. However the PXE system is capable of more
1714 complex functions when supported by a suitable DHCP server.
1715
1716 This specifies a boot option which may appear in a PXE boot
1717 menu. <CSA> is client system type, only services of the correct
1718 type will appear in a menu. The known types are x86PC, PC98,
1719 IA64_EFI, Alpha, Arc_x86, Intel_Lean_Client, IA32_EFI,
1720 x86-64_EFI, Xscale_EFI, BC_EFI, ARM32_EFI and ARM64_EFI; an in‐
1721 teger may be used for other types. The parameter after the menu
1722 text may be a file name, in which case dnsmasq acts as a boot
1723 server and directs the PXE client to download the file by TFTP,
1724 either from itself ( --enable-tftp must be set for this to work)
1725 or another TFTP server if the final server address/name is
1726 given. Note that the "layer" suffix (normally ".0") is supplied
1727 by PXE, and need not be added to the basename. Alternatively,
1728 the basename may be a filename, complete with suffix, in which
1729 case no layer suffix is added. If an integer boot service type,
1730 rather than a basename is given, then the PXE client will search
1731 for a suitable boot service for that type on the network. This
1732 search may be done by broadcast, or direct to a server if its IP
1733 address/name is provided. If no boot service type or filename
1734 is provided (or a boot service type of 0 is specified) then the
1735 menu entry will abort the net boot procedure and continue boot‐
1736 ing from local media. The server address can be given as a do‐
1737 main name which is looked up in /etc/hosts. This name can be as‐
1738 sociated in /etc/hosts with multiple IP addresses, which are
1739 used round-robin.
1740
1741 --pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]
1742 Setting this provides a prompt to be displayed after PXE boot.
1743 If the timeout is given then after the timeout has elapsed with
1744 no keyboard input, the first available menu option will be auto‐
1745 matically executed. If the timeout is zero then the first avail‐
1746 able menu item will be executed immediately. If --pxe-prompt is
1747 omitted the system will wait for user input if there are multi‐
1748 ple items in the menu, but boot immediately if there is only
1749 one. See --pxe-service for details of menu items.
1750
1751 Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP
1752 server on the network is responsible for allocating IP ad‐
1753 dresses, and dnsmasq simply provides the information given in
1754 --pxe-prompt and --pxe-service to allow netbooting. This mode is
1755 enabled using the proxy keyword in --dhcp-range.
1756
1757 --dhcp-pxe-vendor=<vendor>[,...]
1758 According to UEFI and PXE specifications, DHCP packets between
1759 PXE clients and proxy PXE servers should have PXEClient in their
1760 vendor-class field. However, the firmware of computers from a
1761 few vendors is customized to carry a different identifier in
1762 that field. This option is used to consider such identifiers
1763 valid for identifying PXE clients. For instance
1764
1765 --dhcp-pxe-vendor=PXEClient,HW-Client
1766
1767 will enable dnsmasq to also provide proxy PXE service to those
1768 PXE clients with HW-Client in as their identifier.
1769
1770 -X, --dhcp-lease-max=<number>
1771 Limits dnsmasq to the specified maximum number of DHCP leases.
1772 The default is 1000. This limit is to prevent DoS attacks from
1773 hosts which create thousands of leases and use lots of memory in
1774 the dnsmasq process.
1775
1776 -K, --dhcp-authoritative
1777 Should be set when dnsmasq is definitely the only DHCP server on
1778 a network. For DHCPv4, it changes the behaviour from strict RFC
1779 compliance so that DHCP requests on unknown leases from unknown
1780 hosts are not ignored. This allows new hosts to get a lease
1781 without a tedious timeout under all circumstances. It also al‐
1782 lows dnsmasq to rebuild its lease database without each client
1783 needing to reacquire a lease, if the database is lost. For
1784 DHCPv6 it sets the priority in replies to 255 (the maximum) in‐
1785 stead of 0 (the minimum).
1786
1787 --dhcp-rapid-commit
1788 Enable DHCPv4 Rapid Commit Option specified in RFC 4039. When
1789 enabled, dnsmasq will respond to a DHCPDISCOVER message includ‐
1790 ing a Rapid Commit option with a DHCPACK including a Rapid Com‐
1791 mit option and fully committed address and configuration infor‐
1792 mation. Should only be enabled if either the server is the only
1793 server for the subnet, or multiple servers are present and they
1794 each commit a binding for all clients.
1795
1796 --dhcp-alternate-port[=<server port>[,<client port>]]
1797 (IPv4 only) Change the ports used for DHCP from the default. If
1798 this option is given alone, without arguments, it changes the
1799 ports used for DHCP from 67 and 68 to 1067 and 1068. If a single
1800 argument is given, that port number is used for the server and
1801 the port number plus one used for the client. Finally, two port
1802 numbers allows arbitrary specification of both server and client
1803 ports for DHCP.
1804
1805 -3, --bootp-dynamic[=<network-id>[,<network-id>]]
1806 (IPv4 only) Enable dynamic allocation of IP addresses to BOOTP
1807 clients. Use this with care, since each address allocated to a
1808 BOOTP client is leased forever, and therefore becomes perma‐
1809 nently unavailable for re-use by other hosts. if this is given
1810 without tags, then it unconditionally enables dynamic alloca‐
1811 tion. With tags, only when the tags are all set. It may be re‐
1812 peated with different tag sets.
1813
1814 -5, --no-ping
1815 (IPv4 only) By default, the DHCP server will attempt to ensure
1816 that an address is not in use before allocating it to a host. It
1817 does this by sending an ICMP echo request (aka "ping") to the
1818 address in question. If it gets a reply, then the address must
1819 already be in use, and another is tried. This flag disables this
1820 check. Use with caution.
1821
1822 --log-dhcp
1823 Extra logging for DHCP: log all the options sent to DHCP clients
1824 and the tags used to determine them.
1825
1826 --quiet-dhcp, --quiet-dhcp6, --quiet-ra, --quiet-tftp
1827 Suppress logging of the routine operation of these protocols.
1828 Errors and problems will still be logged. --quiet-tftp does not
1829 consider file not found to be an error. --quiet-dhcp and quiet-
1830 dhcp6 are over-ridden by --log-dhcp.
1831
1832 -l, --dhcp-leasefile=<path>
1833 Use the specified file to store DHCP lease information.
1834
1835 --dhcp-duid=<enterprise-id>,<uid>
1836 (IPv6 only) Specify the server persistent UID which the DHCPv6
1837 server will use. This option is not normally required as dnsmasq
1838 creates a DUID automatically when it is first needed. When
1839 given, this option provides dnsmasq the data required to create
1840 a DUID-EN type DUID. Note that once set, the DUID is stored in
1841 the lease database, so to change between DUID-EN and automati‐
1842 cally created DUIDs or vice-versa, the lease database must be
1843 re-initialised. The enterprise-id is assigned by IANA, and the
1844 uid is a string of hex octets unique to a particular device.
1845
1846 -6 --dhcp-script=<path>
1847 Whenever a new DHCP lease is created, or an old one destroyed,
1848 or a TFTP file transfer completes, the executable specified by
1849 this option is run. <path> must be an absolute pathname, no
1850 PATH search occurs. The arguments to the process are "add",
1851 "old" or "del", the MAC address of the host (or DUID for IPv6) ,
1852 the IP address, and the hostname, if known. "add" means a lease
1853 has been created, "del" means it has been destroyed, "old" is a
1854 notification of an existing lease when dnsmasq starts or a
1855 change to MAC address or hostname of an existing lease (also,
1856 lease length or expiry and client-id, if --leasefile-ro is set
1857 and lease expiry if --script-on-renewal is set). If the MAC ad‐
1858 dress is from a network type other than ethernet, it will have
1859 the network type prepended, eg "06-01:23:45:67:89:ab" for token
1860 ring. The process is run as root (assuming that dnsmasq was
1861 originally run as root) even if dnsmasq is configured to change
1862 UID to an unprivileged user.
1863
1864 The environment is inherited from the invoker of dnsmasq, with
1865 some or all of the following variables added
1866
1867 For both IPv4 and IPv6:
1868
1869 DNSMASQ_DOMAIN if the fully-qualified domain name of the host is
1870 known, this is set to the domain part. (Note that the hostname
1871 passed to the script as an argument is never fully-qualified.)
1872
1873 If the client provides a hostname, DNSMASQ_SUPPLIED_HOSTNAME
1874
1875 If the client provides user-classes, DNSMASQ_USER_CLASS0..DNS‐
1876 MASQ_USER_CLASSn
1877
1878 If dnsmasq was compiled with HAVE_BROKEN_RTC, then the length of
1879 the lease (in seconds) is stored in DNSMASQ_LEASE_LENGTH, other‐
1880 wise the time of lease expiry is stored in DNSMASQ_LEASE_EX‐
1881 PIRES. The number of seconds until lease expiry is always stored
1882 in DNSMASQ_TIME_REMAINING.
1883
1884 DNSMASQ_DATA_MISSING is set to "1" during "old" events for ex‐
1885 isting leases generated at startup to indicate that data not
1886 stored in the persistent lease database will not be present.
1887 This comprises everything other than IP address, hostname, MAC
1888 address, DUID, IAID and lease length or expiry time.
1889
1890 If a lease used to have a hostname, which is removed, an "old"
1891 event is generated with the new state of the lease, ie no name,
1892 and the former name is provided in the environment variable DNS‐
1893 MASQ_OLD_HOSTNAME.
1894
1895 DNSMASQ_INTERFACE stores the name of the interface on which the
1896 request arrived; this is not set for "old" actions when dnsmasq
1897 restarts.
1898
1899 DNSMASQ_RELAY_ADDRESS is set if the client used a DHCP relay to
1900 contact dnsmasq and the IP address of the relay is known.
1901
1902 DNSMASQ_TAGS contains all the tags set during the DHCP transac‐
1903 tion, separated by spaces.
1904
1905 DNSMASQ_LOG_DHCP is set if --log-dhcp is in effect.
1906
1907 DNSMASQ_REQUESTED_OPTIONS a string containing the decimal values
1908 in the Parameter Request List option, comma separated, if the
1909 parameter request list option is provided by the client.
1910
1911 DNSMASQ_MUD_URL the Manufacturer Usage Description URL if pro‐
1912 vided by the client. (See RFC8520 for details.)
1913
1914
1915 For IPv4 only:
1916
1917 DNSMASQ_CLIENT_ID if the host provided a client-id.
1918
1919 DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID, DNSMASQ_REMOTE_ID if
1920 a DHCP relay-agent added any of these options.
1921
1922 If the client provides vendor-class, DNSMASQ_VENDOR_CLASS.
1923
1924 For IPv6 only:
1925
1926 If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID,
1927 containing the IANA enterprise id for the class, and DNS‐
1928 MASQ_VENDOR_CLASS0..DNSMASQ_VENDOR_CLASSn for the data.
1929
1930 DNSMASQ_SERVER_DUID containing the DUID of the server: this is
1931 the same for every call to the script.
1932
1933 DNSMASQ_IAID containing the IAID for the lease. If the lease is
1934 a temporary allocation, this is prefixed to 'T'.
1935
1936 DNSMASQ_MAC containing the MAC address of the client, if known.
1937
1938 Note that the supplied hostname, vendorclass and userclass data
1939 is only supplied for "add" actions or "old" actions when a host
1940 resumes an existing lease, since these data are not held in dns‐
1941 masq's lease database.
1942
1943
1944
1945 All file descriptors are closed except stdin, which is open to
1946 /dev/null, and stdout and stderr which capture output for log‐
1947 ging by dnsmasq. (In debug mode, stdio, stdout and stderr file
1948 are left as those inherited from the invoker of dnsmasq).
1949
1950 The script is not invoked concurrently: at most one instance of
1951 the script is ever running (dnsmasq waits for an instance of
1952 script to exit before running the next). Changes to the lease
1953 database are which require the script to be invoked are queued
1954 awaiting exit of a running instance. If this queueing allows
1955 multiple state changes occur to a single lease before the script
1956 can be run then earlier states are discarded and the current
1957 state of that lease is reflected when the script finally runs.
1958
1959 At dnsmasq startup, the script will be invoked for all existing
1960 leases as they are read from the lease file. Expired leases will
1961 be called with "del" and others with "old". When dnsmasq re‐
1962 ceives a HUP signal, the script will be invoked for existing
1963 leases with an "old" event.
1964
1965
1966 There are five further actions which may appear as the first ar‐
1967 gument to the script, "init", "arp-add", "arp-del", "relay-
1968 snoop" and "tftp". More may be added in the future, so scripts
1969 should be written to ignore unknown actions. "init" is described
1970 below in --leasefile-ro
1971
1972 The "tftp" action is invoked when a TFTP file transfer com‐
1973 pletes: the arguments are the file size in bytes, the address to
1974 which the file was sent, and the complete pathname of the file.
1975
1976 The "relay-snoop" action is invoked when dnsmasq is configured
1977 as a DHCP relay for DHCPv6 and it relays a prefx delegation to a
1978 client. The arguments are the name of the interface where the
1979 client is conected, its (link-local) address on that interface
1980 and the delegated prefix. This information is sufficient to in‐
1981 stall routes to the delegated prefix of a router. See --dhcp-re‐
1982 lay for more details on configuring DHCP relay.
1983
1984 The "arp-add" and "arp-del" actions are only called if enabled
1985 with --script-arp They are are supplied with a MAC address and
1986 IP address as arguments. "arp-add" indicates the arrival of a
1987 new entry in the ARP or neighbour table, and "arp-del" indicates
1988 the deletion of same.
1989
1990
1991 --dhcp-luascript=<path>
1992 Specify a script written in Lua, to be run when leases are cre‐
1993 ated, destroyed or changed. To use this option, dnsmasq must be
1994 compiled with the correct support. The Lua interpreter is ini‐
1995 tialised once, when dnsmasq starts, so that global variables
1996 persist between lease events. The Lua code must define a lease
1997 function, and may provide init and shutdown functions, which are
1998 called, without arguments when dnsmasq starts up and terminates.
1999 It may also provide a tftp function.
2000
2001 The lease function receives the information detailed in --dhcp-
2002 script. It gets two arguments, firstly the action, which is a
2003 string containing, "add", "old" or "del", and secondly a table
2004 of tag value pairs. The tags mostly correspond to the environ‐
2005 ment variables detailed above, for instance the tag "domain"
2006 holds the same data as the environment variable DNSMASQ_DOMAIN.
2007 There are a few extra tags which hold the data supplied as argu‐
2008 ments to --dhcp-script. These are mac_address, ip_address and
2009 hostname for IPv4, and client_duid, ip_address and hostname for
2010 IPv6.
2011
2012 The tftp function is called in the same way as the lease func‐
2013 tion, and the table holds the tags destination_address,
2014 file_name and file_size.
2015
2016 The arp and arp-old functions are called only when enabled with
2017 --script-arp and have a table which holds the tags mac_address
2018 and client_address.
2019
2020 --dhcp-scriptuser
2021 Specify the user as which to run the lease-change script or Lua
2022 script. This defaults to root, but can be changed to another
2023 user using this flag.
2024
2025 --script-arp
2026 Enable the "arp" and "arp-old" functions in the --dhcp-script
2027 and --dhcp-luascript.
2028
2029 -9, --leasefile-ro
2030 Completely suppress use of the lease database file. The file
2031 will not be created, read, or written. Change the way the lease-
2032 change script (if one is provided) is called, so that the lease
2033 database may be maintained in external storage by the script. In
2034 addition to the invocations given in --dhcp-script the lease-
2035 change script is called once, at dnsmasq startup, with the sin‐
2036 gle argument "init". When called like this the script should
2037 write the saved state of the lease database, in dnsmasq lease‐
2038 file format, to stdout and exit with zero exit code. Setting
2039 this option also forces the leasechange script to be called on
2040 changes to the client-id and lease length and expiry time.
2041
2042 --script-on-renewal
2043 Call the DHCP script when the lease expiry time changes, for in‐
2044 stance when the lease is renewed.
2045
2046 --bridge-interface=<interface>,<alias>[,<alias>]
2047 Treat DHCP (v4 and v6) requests and IPv6 Router Solicit packets
2048 arriving at any of the <alias> interfaces as if they had arrived
2049 at <interface>. This option allows dnsmasq to provide DHCP and
2050 RA service over unaddressed and unbridged Ethernet interfaces,
2051 e.g. on an OpenStack compute host where each such interface is a
2052 TAP interface to a VM, or as in "old style bridging" on BSD
2053 platforms. A trailing '*' wildcard can be used in each <alias>.
2054
2055 It is permissible to add more than one alias using more than one
2056 --bridge-interface option since --bridge-inter‐
2057 face=int1,alias1,alias2 is exactly equivalent to --bridge-inter‐
2058 face=int1,alias1 --bridge-interface=int1,alias2
2059
2060 --shared-network=<interface>,<addr>
2061 --shared-network=<addr>,<addr>
2062 The DHCP server determines which DHCP ranges are useable for al‐
2063 locating an address to a DHCP client based on the network from
2064 which the DHCP request arrives, and the IP configuration of the
2065 server's interface on that network. The shared-network option
2066 extends the available subnets (and therefore DHCP ranges) beyond
2067 the subnets configured on the arrival interface.
2068
2069 The first argument is either the name of an interface, or an ad‐
2070 dress that is configured on a local interface, and the second
2071 argument is an address which defines another subnet on which ad‐
2072 dresses can be allocated.
2073
2074 To be useful, there must be a suitable dhcp-range which allows
2075 address allocation on this subnet and this dhcp-range MUST in‐
2076 clude the netmask.
2077
2078 Using shared-network also needs extra consideration of routing.
2079 Dnsmasq does not have the usual information that it uses to de‐
2080 termine the default route, so the default route option (or other
2081 routing) MUST be configured manually. The client must have a
2082 route to the server: if the two-address form of shared-network
2083 is used, this needs to be to the first specified address. If the
2084 interface,address form is used, there must be a route to all of
2085 the addresses configured on the interface.
2086
2087 The two-address form of shared-network is also usable with a
2088 DHCP relay: the first address is the address of the relay and
2089 the second, as before, specifies an extra subnet which addresses
2090 may be allocated from.
2091
2092
2093 -s, --domain=<domain>[[,<address range>[,local]]|<interface>]
2094 Specifies DNS domains for the DHCP server. Domains may be be
2095 given unconditionally (without the IP range) or for limited IP
2096 ranges. This has two effects; firstly it causes the DHCP server
2097 to return the domain to any hosts which request it, and secondly
2098 it sets the domain which it is legal for DHCP-configured hosts
2099 to claim. The intention is to constrain hostnames so that an un‐
2100 trusted host on the LAN cannot advertise its name via DHCP as
2101 e.g. "microsoft.com" and capture traffic not meant for it. If no
2102 domain suffix is specified, then any DHCP hostname with a domain
2103 part (ie with a period) will be disallowed and logged. If suffix
2104 is specified, then hostnames with a domain part are allowed,
2105 provided the domain part matches the suffix. In addition, when a
2106 suffix is set then hostnames without a domain part have the suf‐
2107 fix added as an optional domain part. Eg on my network I can set
2108 --domain=thekelleys.org.uk and have a machine whose DHCP host‐
2109 name is "laptop". The IP address for that machine is available
2110 from dnsmasq both as "laptop" and "laptop.thekelleys.org.uk". If
2111 the domain is given as "#" then the domain is read from the
2112 first "search" directive in /etc/resolv.conf (or equivalent).
2113
2114 The address range can be of the form <ip address>,<ip address>
2115 or <ip address>/<netmask> or just a single <ip address>. See
2116 --dhcp-fqdn which can change the behaviour of dnsmasq with do‐
2117 mains.
2118
2119 If the address range is given as ip-address/network-size, then a
2120 additional flag "local" may be supplied which has the effect of
2121 adding --local declarations for forward and reverse DNS queries.
2122 Eg. --domain=thekelleys.org.uk,192.168.0.0/24,local is identi‐
2123 cal to --domain=thekelleys.org.uk,192.168.0.0/24 --lo‐
2124 cal=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/
2125
2126 The address range can also be given as a network interface name,
2127 in which case all of the subnets currently assigned to the in‐
2128 terface are used in matching the address. This allows hosts on
2129 different physical subnets to be given different domains in a
2130 way which updates automatically as the interface addresses
2131 change.
2132
2133 --dhcp-fqdn
2134 In the default mode, dnsmasq inserts the unqualified names of
2135 DHCP clients into the DNS. For this reason, the names must be
2136 unique, even if two clients which have the same name are in dif‐
2137 ferent domains. If a second DHCP client appears which has the
2138 same name as an existing client, the name is transferred to the
2139 new client. If --dhcp-fqdn is set, this behaviour changes: the
2140 unqualified name is no longer put in the DNS, only the qualified
2141 name. Two DHCP clients with the same name may both keep the
2142 name, provided that the domain part is different (ie the fully
2143 qualified names differ.) To ensure that all names have a domain
2144 part, there must be at least --domain without an address speci‐
2145 fied when --dhcp-fqdn is set.
2146
2147 --dhcp-client-update
2148 Normally, when giving a DHCP lease, dnsmasq sets flags in the
2149 FQDN option to tell the client not to attempt a DDNS update with
2150 its name and IP address. This is because the name-IP pair is au‐
2151 tomatically added into dnsmasq's DNS view. This flag suppresses
2152 that behaviour, this is useful, for instance, to allow Windows
2153 clients to update Active Directory servers. See RFC 4702 for de‐
2154 tails.
2155
2156 --enable-ra
2157 Enable dnsmasq's IPv6 Router Advertisement feature. DHCPv6
2158 doesn't handle complete network configuration in the same way as
2159 DHCPv4. Router discovery and (possibly) prefix discovery for au‐
2160 tonomous address creation are handled by a different protocol.
2161 When DHCP is in use, only a subset of this is needed, and dns‐
2162 masq can handle it, using existing DHCP configuration to provide
2163 most data. When RA is enabled, dnsmasq will advertise a prefix
2164 for each --dhcp-range, with default router as the relevant
2165 link-local address on the machine running dnsmasq. By default,
2166 the "managed address" bits are set, and the "use SLAAC" bit is
2167 reset. This can be changed for individual subnets with the mode
2168 keywords described in --dhcp-range. RFC6106 DNS parameters are
2169 included in the advertisements. By default, the relevant link-
2170 local address of the machine running dnsmasq is sent as recur‐
2171 sive DNS server. If provided, the DHCPv6 options dns-server and
2172 domain-search are used for the DNS server (RDNSS) and the domain
2173 search list (DNSSL).
2174
2175 --ra-param=<interface>,[mtu:<integer>|<interface>|off,][high,|low,]<ra-
2176 interval>[,<router lifetime>]
2177 Set non-default values for router advertisements sent via an in‐
2178 terface. The priority field for the router may be altered from
2179 the default of medium with eg --ra-param=eth0,high. The inter‐
2180 val between router advertisements may be set (in seconds) with
2181 --ra-param=eth0,60. The lifetime of the route may be changed or
2182 set to zero, which allows a router to advertise prefixes but not
2183 a route via itself. --ra-param=eth0,0,0 (A value of zero for
2184 the interval means the default value.) All four parameters may
2185 be set at once. --ra-param=eth0,mtu:1280,low,60,1200
2186
2187 The interface field may include a wildcard.
2188
2189 The mtu: parameter may be an arbitrary interface name, in which
2190 case the MTU value for that interface is used. This is useful
2191 for (eg) advertising the MTU of a WAN interface on the other in‐
2192 terfaces of a router.
2193
2194 --dhcp-reply-delay=[tag:<tag>,]<integer>
2195 Delays sending DHCPOFFER and PROXYDHCP replies for at least the
2196 specified number of seconds. This can be used as workaround for
2197 bugs in PXE boot firmware that does not function properly when
2198 receiving an instant reply. This option takes into account the
2199 time already spent waiting (e.g. performing ping check) if any.
2200
2201 --enable-tftp[=<interface>[,<interface>]]
2202 Enable the TFTP server function. This is deliberately limited to
2203 that needed to net-boot a client. Only reading is allowed; the
2204 tsize and blksize extensions are supported (tsize is only sup‐
2205 ported in octet mode). Without an argument, the TFTP service is
2206 provided to the same set of interfaces as DHCP service. If the
2207 list of interfaces is provided, that defines which interfaces
2208 receive TFTP service.
2209
2210 --tftp-root=<directory>[,<interface>]
2211 Look for files to transfer using TFTP relative to the given di‐
2212 rectory. When this is set, TFTP paths which include ".." are re‐
2213 jected, to stop clients getting outside the specified root. Ab‐
2214 solute paths (starting with /) are allowed, but they must be
2215 within the tftp-root. If the optional interface argument is
2216 given, the directory is only used for TFTP requests via that in‐
2217 terface.
2218
2219 --tftp-no-fail
2220 Do not abort startup if specified tftp root directories are in‐
2221 accessible.
2222
2223 --tftp-unique-root[=ip|mac]
2224 Add the IP or hardware address of the TFTP client as a path com‐
2225 ponent on the end of the TFTP-root. Only valid if a --tftp-root
2226 is set and the directory exists. Defaults to adding IP address
2227 (in standard dotted-quad format). For instance, if --tftp-root
2228 is "/tftp" and client 1.2.3.4 requests file "myfile" then the
2229 effective path will be "/tftp/1.2.3.4/myfile" if /tftp/1.2.3.4
2230 exists or /tftp/myfile otherwise. When "=mac" is specified it
2231 will append the MAC address instead, using lowercase zero padded
2232 digits separated by dashes, e.g.: 01-02-03-04-aa-bb Note that
2233 resolving MAC addresses is only possible if the client is in the
2234 local network or obtained a DHCP lease from us.
2235
2236 --tftp-secure
2237 Enable TFTP secure mode: without this, any file which is read‐
2238 able by the dnsmasq process under normal unix access-control
2239 rules is available via TFTP. When the --tftp-secure flag is
2240 given, only files owned by the user running the dnsmasq process
2241 are accessible. If dnsmasq is being run as root, different rules
2242 apply: --tftp-secure has no effect, but only files which have
2243 the world-readable bit set are accessible. It is not recommended
2244 to run dnsmasq as root with TFTP enabled, and certainly not
2245 without specifying --tftp-root. Doing so can expose any world-
2246 readable file on the server to any host on the net.
2247
2248 --tftp-lowercase
2249 Convert filenames in TFTP requests to all lowercase. This is
2250 useful for requests from Windows machines, which have case-in‐
2251 sensitive filesystems and tend to play fast-and-loose with case
2252 in filenames. Note that dnsmasq's tftp server always converts
2253 "\" to "/" in filenames.
2254
2255 --tftp-max=<connections>
2256 Set the maximum number of concurrent TFTP connections allowed.
2257 This defaults to 50. When serving a large number of TFTP connec‐
2258 tions, per-process file descriptor limits may be encountered.
2259 Dnsmasq needs one file descriptor for each concurrent TFTP con‐
2260 nection and one file descriptor per unique file (plus a few oth‐
2261 ers). So serving the same file simultaneously to n clients will
2262 use require about n + 10 file descriptors, serving different
2263 files simultaneously to n clients will require about (2*n) + 10
2264 descriptors. If --tftp-port-range is given, that can affect the
2265 number of concurrent connections.
2266
2267 --tftp-mtu=<mtu size>
2268 Use size as the ceiling of the MTU supported by the intervening
2269 network when negotiating TFTP blocksize, overriding the MTU set‐
2270 ting of the local interface if it is larger.
2271
2272 --tftp-no-blocksize
2273 Stop the TFTP server from negotiating the "blocksize" option
2274 with a client. Some buggy clients request this option but then
2275 behave badly when it is granted.
2276
2277 --tftp-port-range=<start>,<end>
2278 A TFTP server listens on a well-known port (69) for connection
2279 initiation, but it also uses a dynamically-allocated port for
2280 each connection. Normally these are allocated by the OS, but
2281 this option specifies a range of ports for use by TFTP trans‐
2282 fers. This can be useful when TFTP has to traverse a firewall.
2283 The start of the range cannot be lower than 1025 unless dnsmasq
2284 is running as root. The number of concurrent TFTP connections is
2285 limited by the size of the port range.
2286
2287 --tftp-single-port
2288 Run in a mode where the TFTP server uses ONLY the well-known
2289 port (69) for its end of the TFTP transfer. This allows TFTP to
2290 work when there in NAT is the path between client and server.
2291 Note that this is not strictly compliant with the RFCs specify‐
2292 ing the TFTP protocol: use at your own risk.
2293
2294 -C, --conf-file=<file>
2295 Specify a configuration file. The presence of this option stops
2296 dnsmasq from reading the default configuration file (normally
2297 /etc/dnsmasq.conf). Multiple files may be specified by repeating
2298 the option either on the command line or in configuration files.
2299 A filename of "-" causes dnsmasq to read configuration from
2300 stdin.
2301
2302 -7, --conf-dir=<directory>[,<file-extension>......],
2303 Read all the files in the given directory as configuration
2304 files. If extension(s) are given, any files which end in those
2305 extensions are skipped. Any files whose names end in ~ or start
2306 with . or start and end with # are always skipped. If the exten‐
2307 sion starts with * then only files which have that extension are
2308 loaded. So --conf-dir=/path/to/dir,*.conf loads all files with
2309 the suffix .conf in /path/to/dir. This flag may be given on the
2310 command line or in a configuration file. If giving it on the
2311 command line, be sure to escape * characters. Files are loaded
2312 in alphabetical order of filename.
2313
2314 --servers-file=<file>
2315 A special case of --conf-file which differs in two respects.
2316 Firstly, only --server and --rev-server are allowed in the con‐
2317 figuration file included. Secondly, the file is re-read and the
2318 configuration therein is updated when dnsmasq receives SIGHUP.
2319
2320 --conf-script=<file>[ <arg]
2321 Execute <file>, and treat what it emits to stdout as the con‐
2322 tents of a configuration file. If the script exits with a non-
2323 zero exit code, dnsmasq treats this as a fatal error. The
2324 script can be passed arguments, space seperated from the file‐
2325 name and each other so, for instance --conf-dir="/etc/dnsmasq-
2326 uncompress-ads /share/ads-domains.gz"
2327
2328 with /etc/dnsmasq-uncompress-ads containing
2329
2330 set -e
2331
2332 zcat ${1} | sed -e "s:^:address=/:" -e "s:$:/:"
2333
2334 exit 0
2335
2336 and /share/ads-domains.gz containing a compressed list of ad
2337 server domains will save disk space with large ad-server block‐
2338 lists.
2339
2341 At startup, dnsmasq reads /etc/dnsmasq.conf, if it exists. (On FreeBSD,
2342 the file is /usr/local/etc/dnsmasq.conf ) (but see the --conf-file and
2343 --conf-dir options.) The format of this file consists of one option per
2344 line, exactly as the long options detailed in the OPTIONS section but
2345 without the leading "--". Lines starting with # are comments and ig‐
2346 nored. For options which may only be specified once, the configuration
2347 file overrides the command line. Quoting is allowed in a config file:
2348 between " quotes the special meanings of ,:. and # are removed and the
2349 following escapes are allowed: \\ \" \t \e \b \r and \n. The later cor‐
2350 responding to tab, escape, backspace, return and newline.
2351
2353 When it receives a SIGHUP, dnsmasq clears its cache and then re-loads
2354 /etc/hosts and /etc/ethers and any file given by --dhcp-hostsfile,
2355 --dhcp-hostsdir, --dhcp-optsfile, --dhcp-optsdir, --addn-hosts or
2356 --hostsdir. The DHCP lease change script is called for all existing
2357 DHCP leases. If --no-poll is set SIGHUP also re-reads /etc/resolv.conf.
2358 SIGHUP does NOT re-read the configuration file.
2359
2360 When it receives a SIGUSR1, dnsmasq writes statistics to the system
2361 log. It writes the cache size, the number of names which have had to
2362 removed from the cache before they expired in order to make room for
2363 new names and the total number of names that have been inserted into
2364 the cache. The number of cache hits and misses and the number of au‐
2365 thoritative queries answered are also given. For each upstream server
2366 it gives the number of queries sent, and the number which resulted in
2367 an error. In --no-daemon mode or when full logging is enabled (--log-
2368 queries), a complete dump of the contents of the cache is made.
2369
2370 The cache statistics are also available in the DNS as answers to
2371 queries of class CHAOS and type TXT in domain bind. The domain names
2372 are cachesize.bind, insertions.bind, evictions.bind, misses.bind,
2373 hits.bind, auth.bind and servers.bind. An example command to query
2374 this, using the dig utility would be
2375
2376 dig +short chaos txt cachesize.bind
2377
2378
2379 When it receives SIGUSR2 and it is logging direct to a file (see --log-
2380 facility ) dnsmasq will close and reopen the log file. Note that during
2381 this operation, dnsmasq will not be running as root. When it first cre‐
2382 ates the logfile dnsmasq changes the ownership of the file to the non-
2383 root user it will run as. Logrotate should be configured to create a
2384 new log file with the ownership which matches the existing one before
2385 sending SIGUSR2. If TCP DNS queries are in progress, the old logfile
2386 will remain open in child processes which are handling TCP queries and
2387 may continue to be written. There is a limit of 150 seconds, after
2388 which all existing TCP processes will have expired: for this reason, it
2389 is not wise to configure logfile compression for logfiles which have
2390 just been rotated. Using logrotate, the required options are create and
2391 delaycompress.
2392
2393
2394
2395 Dnsmasq is a DNS query forwarder: it is not capable of recursively an‐
2396 swering arbitrary queries starting from the root servers but forwards
2397 such queries to a fully recursive upstream DNS server which is typi‐
2398 cally provided by an ISP. By default, dnsmasq reads /etc/resolv.conf to
2399 discover the IP addresses of the upstream nameservers it should use,
2400 since the information is typically stored there. Unless --no-poll is
2401 used, dnsmasq checks the modification time of /etc/resolv.conf (or
2402 equivalent if --resolv-file is used) and re-reads it if it changes.
2403 This allows the DNS servers to be set dynamically by PPP or DHCP since
2404 both protocols provide the information. Absence of /etc/resolv.conf is
2405 not an error since it may not have been created before a PPP connection
2406 exists. Dnsmasq simply keeps checking in case /etc/resolv.conf is cre‐
2407 ated at any time. Dnsmasq can be told to parse more than one re‐
2408 solv.conf file. This is useful on a laptop, where both PPP and DHCP may
2409 be used: dnsmasq can be set to poll both /etc/ppp/resolv.conf and
2410 /etc/dhcpc/resolv.conf and will use the contents of whichever changed
2411 last, giving automatic switching between DNS servers.
2412
2413 Upstream servers may also be specified on the command line or in the
2414 configuration file. These server specifications optionally take a do‐
2415 main name which tells dnsmasq to use that server only to find names in
2416 that particular domain.
2417
2418 In order to configure dnsmasq to act as cache for the host on which it
2419 is running, put "nameserver 127.0.0.1" in /etc/resolv.conf to force lo‐
2420 cal processes to send queries to dnsmasq. Then either specify the up‐
2421 stream servers directly to dnsmasq using --server options or put their
2422 addresses real in another file, say /etc/resolv.dnsmasq and run dnsmasq
2423 with the --resolv-file /etc/resolv.dnsmasq option. This second tech‐
2424 nique allows for dynamic update of the server addresses by PPP or DHCP.
2425
2426 Addresses in /etc/hosts will "shadow" different addresses for the same
2427 names in the upstream DNS, so "mycompany.com 1.2.3.4" in /etc/hosts
2428 will ensure that queries for "mycompany.com" always return 1.2.3.4 even
2429 if queries in the upstream DNS would otherwise return a different ad‐
2430 dress. There is one exception to this: if the upstream DNS contains a
2431 CNAME which points to a shadowed name, then looking up the CNAME
2432 through dnsmasq will result in the unshadowed address associated with
2433 the target of the CNAME. To work around this, add the CNAME to
2434 /etc/hosts so that the CNAME is shadowed too.
2435
2436
2437 The tag system works as follows: For each DHCP request, dnsmasq col‐
2438 lects a set of valid tags from active configuration lines which include
2439 set:<tag>, including one from the --dhcp-range used to allocate the ad‐
2440 dress, one from any matching --dhcp-host (and "known" or "known-other‐
2441 net" if a --dhcp-host matches) The tag "bootp" is set for BOOTP re‐
2442 quests, and a tag whose name is the name of the interface on which the
2443 request arrived is also set.
2444
2445 Any configuration lines which include one or more tag:<tag> constructs
2446 will only be valid if all that tags are matched in the set derived
2447 above. Typically this is --dhcp-option. --dhcp-option which has tags
2448 will be used in preference to an untagged --dhcp-option, provided that
2449 _all_ the tags match somewhere in the set collected as described above.
2450 The prefix '!' on a tag means 'not' so --dhcp-option=tag:!pur‐
2451 ple,3,1.2.3.4 sends the option when the tag purple is not in the set of
2452 valid tags. (If using this in a command line rather than a configura‐
2453 tion file, be sure to escape !, which is a shell metacharacter)
2454
2455 When selecting --dhcp-options, a tag from --dhcp-range is second class
2456 relative to other tags, to make it easy to override options for indi‐
2457 vidual hosts, so --dhcp-range=set:interface1,...... --dhcp-
2458 host=set:myhost,..... --dhcp-option=tag:interface1,option:nis-do‐
2459 main,"domain1" --dhcp-option=tag:myhost,option:nis-domain,"domain2"
2460 will set the NIS-domain to domain1 for hosts in the range, but override
2461 that to domain2 for a particular host.
2462
2463
2464 Note that for --dhcp-range both tag:<tag> and set:<tag> are allowed, to
2465 both select the range in use based on (eg) --dhcp-host, and to affect
2466 the options sent, based on the range selected.
2467
2468 This system evolved from an earlier, more limited one and for backward
2469 compatibility "net:" may be used instead of "tag:" and "set:" may be
2470 omitted. (Except in --dhcp-host, where "net:" may be used instead of
2471 "set:".) For the same reason, '#' may be used instead of '!' to indi‐
2472 cate NOT.
2473
2474 The DHCP server in dnsmasq will function as a BOOTP server also, pro‐
2475 vided that the MAC address and IP address for clients are given, either
2476 using --dhcp-host configurations or in /etc/ethers , and a --dhcp-range
2477 configuration option is present to activate the DHCP server on a par‐
2478 ticular network. (Setting --bootp-dynamic removes the need for static
2479 address mappings.) The filename parameter in a BOOTP request is used as
2480 a tag, as is the tag "bootp", allowing some control over the options
2481 returned to different classes of hosts.
2482
2483
2485 Configuring dnsmasq to act as an authoritative DNS server is compli‐
2486 cated by the fact that it involves configuration of external DNS
2487 servers to provide delegation. We will walk through three scenarios of
2488 increasing complexity. Prerequisites for all of these scenarios are a
2489 globally accessible IP address, an A or AAAA record pointing to that
2490 address, and an external DNS server capable of doing delegation of the
2491 zone in question. For the first part of this explanation, we will call
2492 the A (or AAAA) record for the globally accessible address server.exam‐
2493 ple.com, and the zone for which dnsmasq is authoritative our.zone.com.
2494
2495 The simplest configuration consists of two lines of dnsmasq configura‐
2496 tion; something like
2497
2498 --auth-server=server.example.com,eth0
2499 --auth-zone=our.zone.com,1.2.3.0/24
2500
2501 and two records in the external DNS
2502
2503 server.example.com A 192.0.43.10
2504 our.zone.com NS server.example.com
2505
2506 eth0 is the external network interface on which dnsmasq is listening,
2507 and has (globally accessible) address 192.0.43.10.
2508
2509 Note that the external IP address may well be dynamic (ie assigned from
2510 an ISP by DHCP or PPP) If so, the A record must be linked to this dy‐
2511 namic assignment by one of the usual dynamic-DNS systems.
2512
2513 A more complex, but practically useful configuration has the address
2514 record for the globally accessible IP address residing in the authori‐
2515 tative zone which dnsmasq is serving, typically at the root. Now we
2516 have
2517
2518 --auth-server=our.zone.com,eth0
2519 --auth-zone=our.zone.com,1.2.3.0/24
2520
2521 our.zone.com A 1.2.3.4
2522 our.zone.com NS our.zone.com
2523
2524 The A record for our.zone.com has now become a glue record, it solves
2525 the chicken-and-egg problem of finding the IP address of the nameserver
2526 for our.zone.com when the A record is within that zone. Note that this
2527 is the only role of this record: as dnsmasq is now authoritative from
2528 our.zone.com it too must provide this record. If the external address
2529 is static, this can be done with an /etc/hosts entry or --host-record.
2530
2531 --auth-server=our.zone.com,eth0
2532 --host-record=our.zone.com,1.2.3.4
2533 --auth-zone=our.zone.com,1.2.3.0/24
2534
2535 If the external address is dynamic, the address associated with
2536 our.zone.com must be derived from the address of the relevant inter‐
2537 face. This is done using --interface-name Something like:
2538
2539 --auth-server=our.zone.com,eth0
2540 --interface-name=our.zone.com,eth0
2541 --auth-zone=our.zone.com,1.2.3.0/24,eth0
2542
2543 (The "eth0" argument in --auth-zone adds the subnet containing eth0's
2544 dynamic address to the zone, so that the --interface-name returns the
2545 address in outside queries.)
2546
2547 Our final configuration builds on that above, but also adds a secondary
2548 DNS server. This is another DNS server which learns the DNS data for
2549 the zone by doing zones transfer, and acts as a backup should the pri‐
2550 mary server become inaccessible. The configuration of the secondary is
2551 beyond the scope of this man-page, but the extra configuration of dns‐
2552 masq is simple:
2553
2554 --auth-sec-servers=secondary.myisp.com
2555
2556 and
2557
2558 our.zone.com NS secondary.myisp.com
2559
2560 Adding auth-sec-servers enables zone transfer in dnsmasq, to allow the
2561 secondary to collect the DNS data. If you wish to restrict this data to
2562 particular hosts then
2563
2564 --auth-peer=<IP address of secondary>
2565
2566 will do so.
2567
2568 Dnsmasq acts as an authoritative server for in-addr.arpa and ip6.arpa
2569 domains associated with the subnets given in --auth-zone declarations,
2570 so reverse (address to name) lookups can be simply configured with a
2571 suitable NS record, for instance in this example, where we allow
2572 1.2.3.0/24 addresses.
2573
2574 3.2.1.in-addr.arpa NS our.zone.com
2575
2576 Note that at present, reverse (in-addr.arpa and ip6.arpa) zones are not
2577 available in zone transfers, so there is no point arranging secondary
2578 servers for reverse lookups.
2579
2580
2581 When dnsmasq is configured to act as an authoritative server, the fol‐
2582 lowing data is used to populate the authoritative zone.
2583
2584 --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record, --caa-
2585 record, as long as the record names are in the authoritative domain.
2586
2587 --synth-domain as long as the domain is in the authoritative zone and,
2588 for reverse (PTR) queries, the address is in the relevant subnet.
2589
2590 --cname as long as the record name is in the authoritative domain. If
2591 the target of the CNAME is unqualified, then it is qualified with the
2592 authoritative zone name. CNAME used in this way (only) may be wild‐
2593 cards, as in
2594
2595 --cname=*.example.com,default.example.com
2596
2597
2598 IPv4 and IPv6 addresses from /etc/hosts (and --addn-hosts ) and --host-
2599 record and --interface-name and ---dynamic-host provided the address
2600 falls into one of the subnets specified in the --auth-zone.
2601
2602 Addresses of DHCP leases, provided the address falls into one of the
2603 subnets specified in the --auth-zone. (If constructed DHCP ranges are
2604 is use, which depend on the address dynamically assigned to an inter‐
2605 face, then the form of --auth-zone which defines subnets by the dynamic
2606 address of an interface should be used to ensure this condition is
2607 met.)
2608
2609 In the default mode, where a DHCP lease has an unqualified name, and
2610 possibly a qualified name constructed using --domain then the name in
2611 the authoritative zone is constructed from the unqualified name and the
2612 zone's domain. This may or may not equal that specified by --domain.
2613 If --dhcp-fqdn is set, then the fully qualified names associated with
2614 DHCP leases are used, and must match the zone's domain.
2615
2616
2617
2618
2620 0 - Dnsmasq successfully forked into the background, or terminated nor‐
2621 mally if backgrounding is not enabled.
2622
2623 1 - A problem with configuration was detected.
2624
2625 2 - A problem with network access occurred (address in use, attempt to
2626 use privileged ports without permission).
2627
2628 3 - A problem occurred with a filesystem operation (missing file/direc‐
2629 tory, permissions).
2630
2631 4 - Memory allocation failure.
2632
2633 5 - Other miscellaneous problem.
2634
2635 11 or greater - a non zero return code was received from the lease-
2636 script process "init" call or a --conf-script file. The exit code from
2637 dnsmasq is the script's exit code with 10 added.
2638
2639
2641 The default values for resource limits in dnsmasq are generally conser‐
2642 vative, and appropriate for embedded router type devices with slow pro‐
2643 cessors and limited memory. On more capable hardware, it is possible to
2644 increase the limits, and handle many more clients. The following ap‐
2645 plies to dnsmasq-2.37: earlier versions did not scale as well.
2646
2647
2648 Dnsmasq is capable of handling DNS and DHCP for at least a thousand
2649 clients. The DHCP lease times should not be very short (less than one
2650 hour). The value of --dns-forward-max can be increased: start with it
2651 equal to the number of clients and increase if DNS seems slow. Note
2652 that DNS performance depends too on the performance of the upstream
2653 nameservers. The size of the DNS cache may be increased: the hard limit
2654 is 10000 names and the default (150) is very low. Sending SIGUSR1 to
2655 dnsmasq makes it log information which is useful for tuning the cache
2656 size. See the NOTES section for details.
2657
2658
2659 The built-in TFTP server is capable of many simultaneous file trans‐
2660 fers: the absolute limit is related to the number of file-handles al‐
2661 lowed to a process and the ability of the select() system call to cope
2662 with large numbers of file handles. If the limit is set too high using
2663 --tftp-max it will be scaled down and the actual limit logged at start-
2664 up. Note that more transfers are possible when the same file is being
2665 sent than when each transfer sends a different file.
2666
2667
2668 It is possible to use dnsmasq to block Web advertising by using a list
2669 of known banner-ad servers, all resolving to 127.0.0.1 or 0.0.0.0, in
2670 /etc/hosts or an additional hosts file. The list can be very long, dns‐
2671 masq has been tested successfully with one million names. That size
2672 file needs a 1GHz processor and about 60Mb of RAM.
2673
2674
2676 Dnsmasq can be compiled to support internationalisation. To do this,
2677 the make targets "all-i18n" and "install-i18n" should be used instead
2678 of the standard targets "all" and "install". When internationalisation
2679 is compiled in, dnsmasq will produce log messages in the local language
2680 and support internationalised domain names (IDN). Domain names in
2681 /etc/hosts, /etc/ethers and /etc/dnsmasq.conf which contain non-ASCII
2682 characters will be translated to the DNS-internal punycode representa‐
2683 tion. Note that dnsmasq determines both the language for messages and
2684 the assumed charset for configuration files from the LANG environment
2685 variable. This should be set to the system default value by the script
2686 which is responsible for starting dnsmasq. When editing the configura‐
2687 tion files, be careful to do so using only the system-default locale
2688 and not user-specific one, since dnsmasq has no direct way of determin‐
2689 ing the charset in use, and must assume that it is the system default.
2690
2691
2693 /etc/dnsmasq.conf
2694
2695 /usr/local/etc/dnsmasq.conf
2696
2697 /etc/resolv.conf /var/run/dnsmasq/resolv.conf /etc/ppp/resolv.conf
2698 /etc/dhcpc/resolv.conf
2699
2700 /etc/hosts
2701
2702 /etc/ethers
2703
2704 /var/lib/dnsmasq/dnsmasq.leases
2705
2706 /var/db/dnsmasq.leases
2707
2708 /var/run/dnsmasq.pid
2709
2711 hosts(5), resolver(5)
2712
2714 This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.
2715
2716
2717
2718
2719
2720 2021-08-16 DNSMASQ(8)