dnsmasq FAQ (people/ms/dnsmasq.git on git.ipfire.org, commit "import of dnsmasq-2.36.tar.gz")
Q: Why does dnsmasq open UDP ports >1024 as well as port 53.
Is this a security problem/trojan/backdoor?

A: The high ports that dnsmasq opens are for replies from the upstream
nameserver(s). Queries from dnsmasq to upstream nameservers are sent
from these ports and replies are received on them. The reason for doing this is
that most firewall setups block incoming packets _to_ port 53, in order
to stop DNS queries from the outside world. If dnsmasq sent its queries
from port 53 the replies would be _to_ port 53 and get blocked.

This is not a security hole since dnsmasq will only accept replies on that
port: queries are dropped. The replies must be to outstanding queries
which dnsmasq has forwarded, otherwise they are dropped too.

Addendum: dnsmasq now has the option "query-port" (-Q), which allows
you to specify the UDP port to be used for this purpose. If not
specified, the operating system will select an available port number
just as it did before. Bear in mind that a fixed query port is one
less thing an attacker has to guess when trying to forge a reply to an
outstanding query, so only pin it where a firewall rule really
requires a known port.

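The reply-matching rule described above, as an added example written in Python for this FAQ (it is not dnsmasq's own code). It models a forwarder that only relays a packet arriving on the query port when it is a response, comes from a configured upstream, and matches a query still in the outstanding table; matching on (upstream address, transaction ID, question name) is an assumption about what "replies to outstanding queries" means, and the Packet class and the constructed addresses are this example's own.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The few DNS/UDP fields the filter needs (constructed for the model)."""
    src_ip: str
    src_port: int
    dst_port: int
    txid: int
    qname: str
    is_response: bool        # QR bit of the DNS header


class Forwarder:
    """Keeps the table of queries forwarded upstream and filters what comes
    back on the high port."""

    def __init__(self, upstreams, query_port=None):
        self.upstreams = list(upstreams)
        # query-port unset: the OS picks an ephemeral port (a random pick here);
        # set: every query leaves from that one, predictable port.
        self.query_port = query_port or 1024 + secrets.randbelow(65536 - 1024)
        self.outstanding = {}           # (upstream_ip, txid, qname) -> client

    def forward(self, qname, client):
        """Record a forwarded query; returns (upstream, txid) so a caller can
        build the matching reply."""
        upstream = self.upstreams[0]    # server choice is covered later in the FAQ
        txid = secrets.randbelow(1 << 16)
        self.outstanding[(upstream, txid, qname.lower())] = client
        return upstream, txid

    def receive_on_query_port(self, pkt):
        """Decide what happens to a packet arriving on the high port."""
        if pkt.dst_port != self.query_port:
            return "ignored: not the query port"
        if not pkt.is_response:
            return "dropped: query sent to the reply port"
        if pkt.src_ip not in self.upstreams or pkt.src_port != 53:
            return "dropped: not from a configured upstream"
        key = (pkt.src_ip, pkt.txid, pkt.qname.lower())
        client = self.outstanding.pop(key, None)   # a reply is good once only
        if client is None:
            return "dropped: no matching outstanding query"
        return f"relayed to {client}"
```

Because an accepted reply is removed from the table, a duplicate or a late forged copy of the same reply is dropped; only the transaction ID, the question and the upstream address remain for an attacker to guess, which is why the source port should stay random.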
Q: Why doesn't dnsmasq support DNS queries over TCP? Don't the RFCs specify
that?

A: Update: from version 2.10, it does. There are a few limitations:
data obtained via TCP is not cached, and source-address
or query-port specifications are ignored for TCP.

Q: When I send SIGUSR1 to dump the contents of the cache, some entries have
no IP address and are for names like mymachine.mydomain.com.mydomain.com.
What are these?

A: They are negative entries: that's what the N flag means. Dnsmasq asked
an upstream nameserver to resolve that name and it replied "doesn't
exist, and won't exist for <n> hours", so dnsmasq saved that information so
that if _it_ gets asked the same question it can answer directly without
having to go back to the upstream server again. The strange repeated domains
result from the way resolvers search short names. See "man resolv.conf" for
details.

Q: Will dnsmasq compile/run on non-Linux systems?

A: Yes, there is explicit support for *BSD and MacOS X. There are
start-up scripts for MacOS X Tiger and Panther in /contrib. Earlier
dnsmasq releases ran under Solaris, but that capability has
rotted. Dnsmasq will link with uclibc to provide small
binaries suitable for use in embedded systems such as
routers. (There's special code to support machines with flash
filesystems and no battery-backed RTC.)
If you encounter make errors with *BSD, try installing gmake from
ports and building dnsmasq with "make MAKE=gmake".
For other systems, try altering the settings in config.h.

Q: My company's nameserver knows about some names which aren't in the
public DNS. Even though I put it first in /etc/resolv.conf, it
doesn't work: dnsmasq seems not to use the nameservers in the order
given. What am I doing wrong?

A: By default, dnsmasq treats all the nameservers it knows about as
equal: it picks the one to use using an algorithm designed to avoid
nameservers which aren't responding. To make dnsmasq use the
servers in order, give it the -o flag. If you want some queries
sent to a special server, think about using the -S flag to give the
IP address of that server, and telling dnsmasq exactly which
domains to use the server for.

Q: OK, I've got queries to a private nameserver working, now how about
reverse queries for a range of IP addresses?

A: Use the standard DNS convention of <reversed address>.in-addr.arpa.
For instance to send reverse queries on the range 192.168.0.0 to
192.168.0.255 to a nameserver at 10.0.0.1 do
server=/0.168.192.in-addr.arpa/10.0.0.1
Note that the "bogus-priv" option takes priority over this option,
so the above will not work when the bogus-priv option is set.

Q: Dnsmasq fails to start with an error like this: "dnsmasq: bind
failed: Cannot assign requested address". What's the problem?

A: This has been seen when a system is bringing up a PPP interface at
boot time: by the time dnsmasq starts the interface has been
created, but not brought up and assigned an address. The easiest
solution is to use --interface flags to specify which interfaces
dnsmasq should listen on. Since you are unlikely to want dnsmasq to
listen on a PPP interface and offer DNS service to the world, the
problem is solved.

Q: I'm running on BSD and dnsmasq won't accept long options on the
command line.

A: Dnsmasq when built on some BSD systems doesn't use GNU getopt by
default. You can either just use the single-letter options or
change config.h and the Makefile to use getopt-long. Note that
options in /etc/dnsmasq.conf must always be the long form,
on all platforms.

Q: Names on the internet are working fine, but looking up local names
from /etc/hosts or DHCP doesn't seem to work.

A: Resolver code sometimes does strange things when given names without
any dots in. Win2k and WinXP may not use the DNS at all and just
try and look up the name using WINS. On unix look at "options ndots:"
in "man resolv.conf" for details on this topic. Testing lookups
using "nslookup" or "dig" will work, but then attempting to run
"ping" will get a lookup failure; appending a dot to the end of the
hostname will fix things. (ie "ping myhost" fails, but "ping
myhost." works.) The solution is to make sure that all your hosts
have a domain set ("domain" in resolv.conf, or set a domain in
your DHCP server; see below for Windows XP and Mac OS X).
Any domain will do, but "localnet" is traditional. Now when you
resolve "myhost" the resolver will attempt to look up
"myhost.localnet" so you need to have dnsmasq reply to that name.
The way to do that is to include the domain in each name in
/etc/hosts and/or to use the --expand-hosts and --domain options.

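Both the repeated-domain negative cache entries (mymachine.mydomain.com.mydomain.com, earlier in this FAQ) and the "ping myhost" failure come from the stub resolver's search list, so here is one added example, in Python and not from dnsmasq or any libc, that reproduces the glibc rules as documented in resolv.conf(5): a name with a trailing dot is looked up as given; a name with at least ndots dots is tried as given and then with each search domain appended; a name with fewer dots is tried with the search domains first. The resolv.conf text in the test is constructed.

```python
import re


def parse_resolv_conf(text):
    """Return (search_domains, ndots) from resolv.conf text. As in the
    real resolver, "domain" and "search" override each other and the
    last one wins; ndots defaults to 1."""
    search, ndots = [], 1
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "domain":
            search = args[:1]
        elif key == "search":
            search = list(args)
        elif key == "options":
            for opt in args:
                m = re.fullmatch(r"ndots:(\d+)", opt)
                if m:
                    ndots = int(m.group(1))
    return search, ndots


def candidate_names(name, search, ndots=1):
    """The names a stub resolver tries, in order, for a lookup of `name`.
    Each one that does not exist becomes a negative entry in dnsmasq's
    cache, which is where names like host.dom.com.dom.com come from."""
    if name.endswith("."):                 # absolute name: no search list
        return [name]
    expanded = [f"{name}.{d}" for d in search]
    if name.count(".") >= ndots:           # enough dots: as given first
        return [name] + expanded
    return expanded + [name]               # otherwise search list first
```

With no domain configured, candidate_names("myhost", []) is just ["myhost"], which is exactly the lookup dnsmasq cannot answer once names in /etc/hosts carry the domain; setting "domain localnet" makes "myhost.localnet" the first thing tried.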
Q: How do I set the DNS domain in Windows XP or MacOS X (ref: previous
question)?

A: for XP, Control Panel > Network Connections > { Connection to gateway /
DNS } > Properties > { Highlight TCP/IP } > Properties > Advanced >
DNS Tab > DNS suffix for this connection:

A: for OS X, System Preferences > Network > {Connection to gateway / DNS } >
Search domains:

Q: Can I get dnsmasq to save the contents of its cache to disk when
I shut my machine down and re-load it when it starts again?

A: No, that facility is not provided. Very few names in the DNS have
their time-to-live set for longer than a few hours so most of the
cache entries would have expired after a shutdown. For longer-lived
names it's much cheaper to just reload them from the upstream
server. Note that dnsmasq is not shut down between PPP sessions so
going off-line and then on-line again will not lose the contents of
the cache.

Q: Who are Verisign, what do they have to do with the bogus-nxdomain
option in dnsmasq and why should I worry about it?

A: [note: this was written in September 2003, things may well change.]
Verisign run the .com and .net top-level-domains. They have just
changed the configuration of their servers so that unknown .com and
.net domains, instead of returning an error code NXDOMAIN (no such
domain), return the address of a host at Verisign which runs a web
server showing a search page. Most right-thinking people regard
this new behaviour as broken :-). You can test to see if you are
suffering Verisign brokenness by running a command like

host jlsdajkdalld.com

If you get "jlsdajkdalld.com does not exist", then all is fine; if
host returns an IP address, then the DNS is broken. (Try a few
different unlikely domains, just in case you picked a weird one
which really _is_ registered.)

Assuming that your DNS is broken, and you want to fix it, simply
note the IP address being returned and pass it to dnsmasq using the
--bogus-nxdomain flag. Dnsmasq will check for results returning
that address and substitute an NXDOMAIN instead.

As of writing, the IP address in question for the .com and .net
domains is 64.94.110.11. Various other, less prominent,
registries pull the same stunt; there is a list of them all, and
the addresses to block, at http://winware.org/bogus-domains.txt

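The test procedure and the substitution described above, as an added Python example (not dnsmasq's code): detect_wildcard() does what "host jlsdajkdalld.com" does, but with several random labels as the text advises, and reports the address only when every one of them resolves to the same place; filter_bogus_nxdomain() models what --bogus-nxdomain does to an upstream answer. Lookups are done through a constructed stand-in resolver so the example runs offline; the 64.94.110.11 address comes from the text, the other addresses are TEST-NET values chosen here.

```python
import secrets
import string


def make_resolver(registered, wildcard=None):
    """Constructed stand-in for a real A lookup: `registered` maps names
    to addresses; any other name gets NXDOMAIN (empty list) unless the
    registry answers it with a `wildcard` search-page address."""
    def resolve(name):
        if name in registered:
            return [registered[name]]
        return [wildcard] if wildcard else []
    return resolve


def random_label(length=12):
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def detect_wildcard(resolve, tld="com", tries=3):
    """Look up several names that should not exist under `tld`. Returns the
    address they all resolve to when the registry is synthesising answers,
    or None when at least one of them properly does not exist."""
    seen = set()
    for _ in range(tries):
        answer = resolve(f"{random_label()}.{tld}")
        if not answer:
            return None
        seen.update(answer)
    return seen.pop() if len(seen) == 1 else None


def filter_bogus_nxdomain(answer, bogus):
    """What --bogus-nxdomain does: an answer containing one of the listed
    addresses is turned into NXDOMAIN (an empty answer)."""
    return [] if any(addr in bogus for addr in answer) else list(answer)
```

One reading of the caveat in the text: a name that genuinely resolves to a listed address is also turned into NXDOMAIN, so only list addresses that belong to the registry's search page, never a host you actually want to reach.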
Q: This new DHCP server is well and good, but it doesn't work for me.
What's the problem?

A: There are a couple of configuration gotchas which have been
encountered by people moving from the ISC dhcpd to the dnsmasq
integrated DHCP daemon. Both are related to differences in
the way the two daemons bypass the IP stack to do "ground up"
IP configuration and can lead to the dnsmasq daemon failing
whilst the ISC one works.

The first thing to check is the broadcast address set for the
ethernet interface. This is normally the address on the connected
network with all ones in the host part. For instance if the
address of the ethernet interface is 192.168.55.7 and the netmask
is 255.255.255.0 then the broadcast address should be
192.168.55.255. Having a broadcast address which is not on the
network to which the interface is connected kills things stone
dead.

The second potential problem relates to firewall rules: since the ISC
daemon in some configurations bypasses the kernel firewall rules
entirely, the ability to run the ISC daemon does not indicate
that the current configuration is OK for the dnsmasq daemon.
For the dnsmasq daemon to operate it's vital that UDP packets to
and from ports 67 and 68 and broadcast packets with source
address 0.0.0.0 and destination address 255.255.255.255 are not
dropped by iptables/ipchains.

Q: I'm running Debian, and my machines get an address fine with DHCP,
but their names are not appearing in the DNS.

A: By default, none of the DHCP clients send the host-name when asking
for a lease. For most of the clients, you can set the host-name to
send with the "hostname" keyword in /etc/network/interfaces. (See
"man interfaces" for details.) That doesn't work for dhclient, where
you have to add something like "send host-name daisy" to
/etc/dhclient.conf. [Update: the latest dhcpcd packages _do_ send
the hostname by default.]

Q: I'm network booting my machines, and trying to give them static
DHCP-assigned addresses. The machine gets its correct address
whilst booting, but then the OS starts and it seems to get
allocated a different address.

A: What is happening is this: The boot process sends a DHCP
request and gets allocated the static address corresponding to its
MAC address. The boot loader does not send a client-id. Then the OS
starts and repeats the DHCP process, but it does send a
client-id. Dnsmasq cannot assume that the two requests are from the
same machine (since the client IDs don't match) and even though
the MAC address has a static allocation, that address is still in
use by the first incarnation of the machine (the one from the boot,
without a client ID). Dnsmasq therefore has to give the machine a
dynamic address from its pool. There are three ways to solve this:
(1) persuade your DHCP client not to send a client ID, or (2) set up
the static assignment to the client ID, not the MAC address. The
default client-id will be 01:<MAC address>, so change the dhcp-host
line from "dhcp-host=11:22:33:44:55:66,1.2.3.4" to
"dhcp-host=id:01:11:22:33:44:55:66,1.2.3.4", or (3) tell dnsmasq to
ignore client IDs for a particular MAC address, like this:
dhcp-host=11:22:33:44:55:66,id:*

Q: What network types are supported by the DHCP server?

A: Ethernet (and 802.11 wireless) are supported on all platforms. On
Linux Token Ring is also supported.

Q: What is this strange "bind-interfaces" option?

A: The DNS spec says that the reply to a DNS query must come from the
same address it was sent to. The traditional way to write a UDP
server to do this is to find all of the addresses belonging to the
machine (ie all the interfaces on the machine) and then create a
socket for each interface which is bound to the address of the
interface. Then when a packet is sent to address A, it is received
on the socket bound to address A and when the reply is also sent
via that socket, the source address is set to A by the kernel and
everything works. This is how dnsmasq works when
"bind-interfaces" is set, with the obvious extension that it misses
out creating sockets for some interfaces depending on the
--interface, --address and --except-interface flags. The
disadvantage of this approach is that it breaks if interfaces don't
exist or are not configured when the daemon starts and does the
socket creation step. In a hotplug-aware world this is a real
problem.

The alternative approach is to have only one socket, which is bound
to the correct port and the wildcard IP address (0.0.0.0). That
socket will receive _all_ packets sent to port 53, no matter what
destination address they have. This solves the problem of
interfaces which are created or reconfigured after daemon
start-up. To make this work is more complicated because of the
"reply source address" problem. When a UDP packet is sent by a
socket bound to 0.0.0.0 its source address will be set to the
address of one of the machine's interfaces, but which one is not
determined and can vary depending on the OS being run. To get round
this it is necessary to use a scary advanced API to determine the
address to which a query was sent, and force that to be the source
address in the reply. For IPv4 this stuff is non-portable and quite
often not even available (it's different between FreeBSD 5.x and
Linux, for instance, and FreeBSD 4.x, Linux 2.0.x and OpenBSD don't
have it at all). Hence "bind-interfaces" has to always be available
as a fall back. For IPv6 the API is standard and universally
available.

It could be argued that if the --interface or --address flags are
used then binding interfaces is more appropriate, but using
wildcard binding means that dnsmasq will quite happily start up
after being told to use interfaces which don't exist, but which are
created later. Wildcard binding breaks the scenario when dnsmasq is
listening on one interface and another server (most probably BIND)
is listening on another. It's not possible for BIND to bind to an
(address,port) pair when dnsmasq has bound (wildcard,port), hence
the ability to explicitly turn off wildcard binding.

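The "scary advanced API" for the wildcard-socket case, shown as an added Python example for Linux (not dnsmasq's code): with IP_PKTINFO enabled, recvmsg() hands back an in_pktinfo structure carrying the destination address of the query, and the same structure passed to sendmsg() with ipi_spec_dst set forces that address as the reply's source. The struct layout and the constant value 8 are the Linux ones (FreeBSD uses a different option, IP_RECVDSTADDR, which is the non-portability the text refers to); make_pktinfo_ancdata() is a constructed stand-in for what the kernel delivers so the parser can be tested without a socket, and serve_one() is the live version for trying on a real machine.

```python
import socket
import struct
from collections import namedtuple

# Python exposes IP_PKTINFO on Linux; 8 is the Linux value, kept as a
# fallback because, as the FAQ says, this option is not portable.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
IN_PKTINFO = struct.Struct("i4s4s")      # ipi_ifindex, ipi_spec_dst, ipi_addr
PktInfo = namedtuple("PktInfo", "ifindex spec_dst addr")


def parse_pktinfo(ancdata):
    """Read the in_pktinfo attached to a recvmsg() result. `addr` is the
    destination address of the received datagram, i.e. the address the
    reply must be sent from. None if the control message is absent."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            ifindex, spec_dst, addr = IN_PKTINFO.unpack(data[:IN_PKTINFO.size])
            return PktInfo(ifindex, socket.inet_ntoa(spec_dst), socket.inet_ntoa(addr))
    return None


def make_pktinfo_ancdata(ifindex, dst_ip):
    """Constructed ancillary data in the shape the kernel delivers."""
    raw = IN_PKTINFO.pack(ifindex, socket.inet_aton(dst_ip), socket.inet_aton(dst_ip))
    return [(socket.IPPROTO_IP, IP_PKTINFO, raw)]


def reply_ancdata(source_ip):
    """Ancillary data for sendmsg(): on an outgoing packet ipi_spec_dst is
    the source address to use, so a socket bound to 0.0.0.0 can answer
    from exactly the address it was queried on."""
    raw = IN_PKTINFO.pack(0, socket.inet_aton(source_ip), b"\0" * 4)
    return [(socket.IPPROTO_IP, IP_PKTINFO, raw)]


def serve_one(port=5353):
    """Wildcard-bound UDP echo that replies from the queried address.
    Not run by the test; Linux only. Send it a datagram on any local
    address and check the reply's source with tcpdump."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
        s.bind(("0.0.0.0", port))
        data, ancdata, _flags, peer = s.recvmsg(512, socket.CMSG_SPACE(IN_PKTINFO.size))
        info = parse_pktinfo(ancdata)
        s.sendmsg([data], reply_ancdata(info.addr), 0, peer)
        return info.addr
```

The IPv6 equivalent is IPV6_RECVPKTINFO with an in6_pktinfo structure, which is the standard API the text mentions; the control-message plumbing is the same.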
Q: Why doesn't Kerberos work/why can't I get sensible answers to
queries for SRV records?

A: Probably because you have the "filterwin2k" option set. Note that
it was on by default in example configuration files included in
versions before 2.12, so you might have it set on without
realising.

Q: Can I get email notification when a new version of dnsmasq is
released?

A: Yes, new releases of dnsmasq are always announced through
freshmeat.net, and they allow you to subscribe to email alerts when
new versions of particular projects are released. New releases are
also announced on the dnsmasq-discuss mailing list; subscribe at
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Q: What does the dhcp-authoritative option do?

A: See http://www.isc.org/index.pl?/sw/dhcp/authoritative.php - that's
for the ISC daemon, but the same applies to dnsmasq.

Q: Why does my Gentoo box pause for a minute before getting a new
lease?

A: Because when a Gentoo box shuts down, it releases its lease with
the server but remembers it on the client; this seems to be a
Gentoo-specific patch to dhcpcd. On restart it tries to renew
a lease which is long gone, as far as dnsmasq is concerned, and
dnsmasq ignores it until it times out and restarts the process.
To fix this, set the dhcp-authoritative flag in dnsmasq.

Q: My laptop has two network interfaces, a wired one and a wireless
one. I never use both interfaces at the same time, and I'd like the
same IP and configuration to be used irrespective of which
interface is in use. How can I do that?

A: By default, the identity of a machine is determined by using the
MAC address, which is associated with interface hardware. Once an
IP is bound to the MAC address of one interface, it cannot be
associated with another MAC address until after the DHCP lease
expires. The solution to this is to use a client-id as the machine
identity rather than the MAC address. If you arrange for the same
client-id to be sent when either interface is in use, the DHCP server
will recognise the same machine, and use the same address. The
method for setting the client-id varies with DHCP client software;
dhcpcd uses the "-I" flag. Windows uses a registry setting,
see http://www.jsiinc.com/SUBF/TIP2800/rh2845.htm

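The lease-identity rules behind both the network-boot question and the laptop question above, as one added Python model (not dnsmasq's allocator, whose real logic is more involved): a client is identified by its client-id when it sends one, unless a dhcp-host=<mac>,id:* line says to ignore it, and otherwise by its MAC; a static address that is still held under a different identity cannot be reused, so the client falls back to the dynamic pool. The dhcp-host lines are the ones in the text; the parser handles only those forms, and the pool addresses and the "laptop" client-id in the test are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class HostEntry:
    ip: Optional[str] = None
    mac: Optional[str] = None
    client_id: Optional[str] = None
    ignore_client_id: bool = False


def parse_dhcp_host(line):
    """Parse the dhcp-host forms used in this FAQ: <mac>,<ip>;
    id:<client-id>,<ip>; and <mac>,id:* (ignore the client-id)."""
    entry = HostEntry()
    for part in line.split("=", 1)[1].split(","):
        part = part.strip()
        if part == "id:*":
            entry.ignore_client_id = True
        elif part.startswith("id:"):
            entry.client_id = part[3:].lower()
        elif part.count(":") == 5:          # six hex pairs: a MAC address
            entry.mac = part.lower()
        else:
            entry.ip = part
    return entry


class DhcpServer:
    def __init__(self, dhcp_host_lines, pool):
        self.hosts = [parse_dhcp_host(l) for l in dhcp_host_lines]
        self.pool = list(pool)              # dynamic addresses, handed out in order
        self.leases = {}                    # identity -> ip

    def identity(self, mac, client_id):
        mac = mac.lower()
        ignore = any(h.mac == mac and h.ignore_client_id for h in self.hosts)
        if client_id and not ignore:
            return ("id", client_id.lower())
        return ("mac", mac)

    def static_ip(self, mac, client_id):
        """Address a dhcp-host line reserves for this request, if any."""
        for h in self.hosts:
            if h.client_id and client_id and h.client_id == client_id.lower():
                return h.ip
        for h in self.hosts:
            if h.mac == mac.lower() and h.ip:
                return h.ip
        return None

    def request(self, mac, client_id=None):
        ident = self.identity(mac, client_id)
        if ident in self.leases:            # renewing an existing lease
            return self.leases[ident]
        wanted = self.static_ip(mac, client_id)
        if wanted and wanted not in self.leases.values():
            ip = wanted
        else:                               # reserved address busy, or none
            ip = self.pool.pop(0)
        self.leases[ident] = ip
        return ip


def default_client_id(mac):
    """What most clients send when no client-id is configured:
    hardware type 01 (Ethernet) followed by the MAC."""
    return "01:" + mac.lower()
```

The test below walks through the boot loader / OS pair of requests with each of the three fixes from the text, then the two-interface laptop sharing one client-id.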
Q: Can dnsmasq do DHCP on IP-alias interfaces?

A: Yes, from version 2.21. The support is only available running under
Linux, on a kernel which provides the RT-netlink facility. All 2.4
and 2.6 kernels provide RT-netlink and it's an option in 2.2
kernels.

If a physical interface has more than one IP address or aliases
with extra IP addresses, then any dhcp-ranges corresponding to
these addresses can be used for address allocation. So if an
interface has addresses 192.168.1.0/24 and 192.168.2.0/24 and there
are DHCP ranges 192.168.1.100-192.168.1.200 and
192.168.2.100-192.168.2.200 then both ranges would be used for hosts
connected to the physical interface. A more typical use might be to
have one of the address-ranges as static-only, and have known
hosts allocated addresses on that subnet using dhcp-host options,
while anonymous hosts go on the other.

Q: Dnsmasq sometimes logs "nameserver xxx.xxx.xxx.xxx refused
to do a recursive query" and DNS stops working. What's going on?

A: Probably the nameserver is an authoritative nameserver for a
particular domain, but is not configured to answer general DNS
queries for an arbitrary domain. It is not suitable for use by
dnsmasq as an upstream server and should be removed from the
configuration. Note that if you have more than one upstream
nameserver configured dnsmasq will load-balance across them and
it may be some time before dnsmasq gets around to using a
particular nameserver. This means that a particular configuration
may work for some time with a broken upstream nameserver
configuration.

Q: Does the dnsmasq DHCP server probe addresses before allocating
them, as recommended in RFC2131?

A: Yes, dynamically allocated IP addresses are checked by sending an
ICMP echo request (ping). If a reply is received, then dnsmasq
assumes that the address is in use, and attempts to allocate a
different address. The wait for a reply is between two and three
seconds. Because the DHCP server is not re-entrant, it cannot serve
other DHCP requests during this time. To avoid dropping requests,
the address probe may be skipped when dnsmasq is under heavy load.

Q: I'm using dnsmasq on a machine with the Firestarter firewall, and
DHCP doesn't work. What's the problem?

A: This is a variant on the iptables problem. Explicit details on how to
proceed can be found at
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2005q3/000431.html

Q: Dnsmasq logs "running as root because setting capabilities failed"
when it starts up. Why did that happen and what can I do to fix it?

A: Change your kernel configuration: either deselect CONFIG_SECURITY
_or_ select CONFIG_SECURITY_CAPABILITIES.

Q: Where can I get .rpms suitable for Suse?

A: Dnsmasq is in Suse itself, and the latest releases are also
available at ftp://ftp.suse.com/pub/people/ug/

Q: Can I run dnsmasq in a Linux vserver?

A: Yes, as a DNS server, dnsmasq will just work in a vserver.
To use dnsmasq's DHCP function you need to give the vserver
extra system capabilities. Please note that doing so will lessen
the overall security of your system. The capabilities
required are NET_ADMIN and NET_RAW. NET_ADMIN is essential; NET_RAW
is required to do an ICMP "ping" check on newly allocated
addresses. If you don't need this check, you can disable it with
--no-ping and omit the NET_RAW capability.
Adding the capabilities is done by adding them, one per line, to
either /etc/vservers/<vservername>/ccapabilities for a 2.4 kernel or
/etc/vservers/<vservername>/bcapabilities for a 2.6 kernel (please
refer to the vserver documentation for more information).