[people/ms/dnsmasq.git] / dnsmasq.8

.TH DNSMASQ 8
.SH NAME
dnsmasq \- A lightweight DHCP and caching DNS server.
.SH SYNOPSIS
.B dnsmasq
.I [OPTION]...
.SH "DESCRIPTION"
.BR dnsmasq
is a lightweight DNS and DHCP server. It is intended to provide coupled DNS and DHCP service to a
LAN.
.PP
Dnsmasq accepts DNS queries and either answers them from a small, local,
cache or forwards them to a real, recursive, DNS server. It loads the
contents of /etc/hosts so that local hostnames
which do not appear in the global DNS can be resolved and also answers
DNS queries for DHCP configured hosts.
.PP
.BR dnsmasq 
supports IPv6.
.PP
.BR dnsmasq
is lightweight and easy to configure. It is intended as be run on
small router/firewalls and  provide a DNS (and optionally, DHCP) service to a LAN.
.SH OPTIONS
Note that in general missing parameters are allowed and switch off
functions, for instance "--pid-file=" disables writing a PID file. On
BSD, unless the GNU getopt library is linked, the long form of the
options does not work on the command line; it is still recognised in
the configuration file.
.TP
.B \-h, --no-hosts
Don't read the hostnames in /etc/hosts.
.TP
.B \-H, --addn-hosts=<file>
Additional hosts file. Read the specified file as well as /etc/hosts. If -h is given, read
only the specified file. At most one additional hosts file may be
given.
.TP
.B \-T, --local-ttl=<time>
When replying with information from /etc/hosts or the DHCP leases
file dnsmasq by default sets the time-to-live field to zero, meaning
that the requestor should not itself cache the information. This is
the correct thing to do in almost all situations. This option allows a
time-to-live (in seconds) to be given for these replies. This will
reduce the load on the server at the expense of clients using stale
data under some circumstances.
.TP
.B \-d, --no-daemon
Debug mode: don't fork to the background, don't write a pid file,
don't change user id, generate a complete cache dump on receipt on
SIGUSR1, log to stderr as well as syslog.
.TP
.B \-q, --log-queries
Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1.
.TP
.B \-x, --pid-file=<path>
Specify an alternate path for dnsmasq to record its process-id in. Normally /var/run/dnsmasq.pid.
.TP
.B \-u, --user=<username>
Specify the userid to which dnsmasq will change after startup. Dnsmasq must normally be started as root, but it will drop root 
priviledges after startup by changing id to another user. Normally this user is "nobody" but that 
can be over-ridden with this switch.
.TP
.B \-g, --group=<groupname> 
Specify the group which dnsmasq will run
as. The defaults to "dip", if available, to facilitate access to
/etc/ppp/resolv.conf which is not normally world readable.
.TP
.B \-v, --version
Print the version number.
.TP
.B \-p, --port=<port>
Listen on <port> instead of the standard DNS port (53). Useful mainly for
debugging.
.TP
.B \-Q, --query-port=<query_port>
Send outbound DNS queries from, and listen for their replies on, the specific UDP port <query_port> instead of using one chosen at runtime.  Useful to simplify your
firewall rules; without this, your firewall would have to allow connections from outside DNS servers to a range of UDP ports, or dynamically adapt to the
port being used by the current dnsmasq instance.
.TP
.B \-i, --interface=<interface name>
Listen only on the specified interface. More than one interface may be specified. Dnsmasq always listens on the loopback (local) interface. If no
.B \-i
flags are given, dnsmasq listens on all available interfaces unless overridden by 
.B \-a
or
.B \-I
flags. If IP alias interfaces (eg "eth1:0") are used with
.B --interface
or
.B --except-interface
options, then the 
.B --bind-interfaces 
option will be automatically set. This is required for deeply boring
sockets-API reasons. 
.TP
.B \-I, --except-interface=<interface name>
Do not listen on the specified interface.
.TP 
.B \-a, --listen-address=<ipaddr>
Listen only on the given IP address. As with 
.B \-i
more than one address may be specified. Unlike 
.B \-i
the loopback interface is not special: if dnsmasq is to listen on the loopback interface, 
it's IP, 127.0.0.1, must be explicitly given. If no 
.B \-a
flags are given, dnsmasq listens on all available interfaces unless overridden by 
.B \-i
or
.B \-I
flags.
.TP
.B \-z, --bind-interfaces
On systems which support it, dnsmasq binds the wildcard address,
even when it is listening on only some interfaces. It then discards
requests that it shouldn't reply to. This has the advantage of 
working even when interfaces come and go and change address. This
option forces dnsmasq to really bind only the interfaces it is
listening on. About the only time when this is useful is when 
running another nameserver on the same machine or using IP
alias. Specifying interfaces with IP alias automatically turns this
option on.
.TP
.B \-b, --bogus-priv
Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192.168.x.x, etc)
which are not found in /etc/hosts or the DHCP leases file are resolved to the IP address in dotted-quad form.
.TP
.B \-V, --alias=<old-ip>,<new-ip>[,<mask>]
Modify IPv4 addresses returned from upstream nameservers; old-ip is
replaced by new-ip. If the optional mask is given then any address
which matches the masked old-ip will be re-written. So, for instance
.B --alias=1.2.3.0,6.7.8.0,255.255.255.0 
will map 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what
Cisco PIX routers call "DNS doctoring".
.TP 
.B \-B, --bogus-nxdomain=<ipaddr>
Transform replies which contain the IP address given into "No such
domain" replies. This is intended to counteract a devious move made by
Versign in September 2003 when they started returning the address of
an advertising web page in response to queries for unregistered names,
instead of the correct NXDOMAIN response. This option tells dnsmasq to
fake the correct response when it sees this behaviour. As at Sept 2003
the IP address being returnd by Verisign is 64.94.110.11
.TP
.B \-f, --filterwin2k
Later versions of windows make periodic DNS requests which don't get sensible answers from
the public DNS and can cause problems by triggering dial-on-demand links. This flag turns on an option
to filter such requests. The requests blocked are for records of types SOA and SRV, and type ANY where the 
requested name has underscores, to catch LDAP requests.
.TP
.B \-r, --resolv-file=<file>
Read the IP addresses of the upstream nameservers from <file>, instead of
/etc/resolv.conf. For the format of this file see
.BR resolv.conf (5) 
the only lines relevant to dnsmasq are nameserver ones. Dnsmasq can
be told to poll more than one resolv.conf file, the first file name  specified
overrides the default, subsequent ones add to the list. This is only
allowed when polling; the file with the currently latest modification
time is the one used. 
.TP
.B \-R, --no-resolv
Don't read /etc/resolv.conf. Get upstream servers only from the command
line or the dnsmasq configuration file.
.TP
.B \-o, --strict-order
By default, dnsmasq will send queries to any of the upstream servers
it knows about and tries to favour servers to are known to
be up. Setting this flag forces dnsmasq to try each query with each
server strictly in the order they appear in /etc/resolv.conf
.TP
.B \-n, --no-poll
Don't poll /etc/resolv.conf for changes.
.TP
.B \-D, --domain-needed
Tells dnsmasq to never forward queries for plain names, without dots
or domain parts, to upstream nameservers. If the name is not knowm
from /etc/hosts or DHCP then a "not found" answer is returned.
.TP
.B \-S, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source>[#<port>]]]
Specify IP address of upsream severs directly. Setting this flag does
not suppress reading of /etc/resolv.conf, use -R to do that. If one or
more 
optional domains are given, that server is used only for those domains
and they are queried only using the specified server. This is
intended for private nameservers: if you have a nameserver on your
network which deals with names of the form
xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving  the flag 
.B -S /internal.thekelleys.org.uk/192.168.1.1 
will send all queries for
internal machines to that nameserver, everything else will go to the
servers in /etc/resolv.conf. An empty domain specification,
.B // 
has the special meaning of "unqualified names only" ie names without any
dots in them. A non-standard port may be specified as 
part of the IP
address using a # character.
More than one -S flag is allowed, with
repeated domain or ipaddr parts as required. 

Also permitted is a -S
flag which gives a domain but no IP address; this tells dnsmasq that
a domain is local and it may answer queries from /etc/hosts or DHCP
but should never forward queries on that domain to any upstream
servers.
.B local
is a synonym for
.B server
to make configuration files clearer in this case.

The optional second IP address after the @ character tells
dnsmasq how to set the source address of the queries to this
nameserver. It should be an address belonging to the machine on which
dnsmasq is running otherwise this server line will be logged and then
ignored. The query-port flag is ignored for any servers which have a
source address specified but the port may be specified directly as
part of the source address.
.TP
.B \-A, --address=/<domain>/[domain/]<ipaddr>
Specify an IP address to return for any host in the given domains.
Queries in the domains are never forwarded and always replied to
with the specified IP address which may be IPv4 or IPv6. To give
both IPv4 and IPv6 addresses for a domain, use repeated -A flags.
Note that /etc/hosts and DHCP leases override this for individual
names. A common use of this is to redirect the entire doubleclick.net
domain to some friendly local web server to avoid banner ads.
.TP
.B \-m, --mx-host=<mx name>
Return an MX record named <mx name> pointing to the host specified in the --mx-target switch
or, if that switch is not given, the host on which dnsmasq 
is running. This is useful for directing mail from systems on a LAN
to a central server.
.TP 
.B \-t, --mx-target=<hostname>
Specify target for the MX record returned by dnsmasq. See --mx-host. Note that to turn on the MX function, 
at least one of --mx-host and --mx-target must be set. If only one of --mx-host and --mx-target 
is set, the other defaults to the hostname of the machine on which dnsmasq is running.
.TP
.B \-e, --selfmx
Return an MX record pointing to itself for each local
machine. Local machines are those in /etc/hosts or with DHCP leases.
.TP 
.B \-L, --localmx
Return an MX record pointing to the host given by mx-target (or the
machine on which dnsmasq is running) for each
local machine. Local machines are those in /etc/hosts or with DHCP
leases.
.TP
.B \-c, --cache-size=<cachesize>
Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching.
.TP
.B \-N, --no-negcache
Disable negative caching. Negative caching allows dnsmasq to remember
"no such domain" answers from upstream nameservers and answer
identical queries without forwarding them again. This flag disables
negative caching.
.TP
.B \-F, --dhcp-range=[network-id,]<start-addr>,<end-addr>[[,<netmask>],<broadcast>][,<default lease time>]
Enable the DHCP server. Addresses will be given out from the range
<start-addr> to <end-addr> and from statically defined addresses given
in 
.B dhcp-host
options. If the lease time is given, then leases
will be given for that length of time. The lease time is on seconds,
or minutes (eg 45m) or hours (eg 1h) or the literal "infinite". This
option may be repeated, with different addresses, to enable DHCP
service to more than one network. For directly connected networks (ie,
networks on which the machine running dnsmasq has an interface) the
netmask is optional. It is, however, required for networks which
recieve DHCP service via a relay agent. The broadcast address is
always optional. On some broken systems, dnsmasq can listen on only
one interface when using DHCP, and the name of that interface must be
given using the
.B interface
option. This limitation currently affects OpenBSD. The optional
network-id is a alphanumeric label which marks this network so that
dhcp options may be specified on a per-network basis. The end address
may be replaced by the keyword 
.B static
which tells dnsmasq to enable DHCP for the network specified, but not
to dynamically allocate IP addresses. Only hosts which have static
addresses given via 
.B dhcp-host
or from /etc/ethers will be served.
.TP
.B \-G, --dhcp-host=[[<hwaddr>]|[id:<client_id>]][net:<netid>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
Specify per host parameters for the DHCP server. This allows a machine
with a particular hardware address to be always allocated the same
hostname, IP address and lease time. A hostname specified like this
overrides any supplied by the DHCP client on the machine. It is also
allowable to ommit the hardware address and include the hostname, in
which case the IP address and lease times will apply to any machine
claiming that name. For example 
.B --dhcp-host=00:20:e0:3b:13:af,wap,infinite 
tells dnsmasq to give
the machine with ethernet address 00:20:e0:3b:13:af the name wap, and
an infinite DHCP lease. 
.B --dhcp-host=lap,192.168.0.199 
tells
dnsmasq to always allocate the machine lap the IP address
192.168.0.199. Addresses allocated like this are not constrained to be
in the range given by the --dhcp-range option, but they must be on the
network being served by the DHCP server. It is allowed to use client identifiers rather than
hardware addresses to identify hosts by prefixing with 'id:'. Thus: 
.B --dhcp-host=id:01:02:03:04,..... 
refers to the host with client identifier 01:02:03:04. It is also
allowed to specify the client ID as text, like this:
.B --dhcp-host=id:clientidastext,.....
If a name appears in /etc/hosts, the associated address can be
allocated to a DHCP lease, but only if a 
.B --dhcp-host
option specifying the name also exists. The special keyword "ignore"
tells dnsmasq to never offer a DHCP lease to a machine. The machine
can be specified by hardware address, client ID or hostname, for
instance
.B --dhcp-host=00:20:e0:3b:13:af,ignore
This is
useful when there is another DHCP server on the network which should
be used by some machines. The net:<network-id> parameter enables DHCP options just
for this host in the same way as the the network-id in
.B dhcp-range.
.TP 
.B \-Z, --read-ethers
Read /etc/ethers for information about hosts for the DHCP server. The
format of /etc/ethers is a hardware address, followed by either a
hostname or dotted-quad IP address. When read by dnsmasq these lines
have exactly the same effect as
.B --dhcp-host
options containing the same information.
.TP
.B \-O, --dhcp-option=[network-id,]<opt>,[<value>[,<value>]]
Specfify different or extra options to DHCP clients. By default,
dnsmasq sends some standard options to DHCP clients, the netmask and
broadcast address are set to the same as the host running dnsmasq, and
the DNS server and default route are set to the address of the machine
running dnsmasq. If the domain name option has been set, that is sent.
This option allows these defaults to be overridden,
or other options specified. The <opt> is the number of the option, as
specfied in RFC2132. For example, to set the default route option to 
192.168.4.4, do 
.B --dhcp-option=3,192.168.4.4
and to set the time-server address to 192.168.0.4, do
.B dhcp-option=42,192.168.0.4
The special address 0.0.0.0 is taken to mean "the address of the
machine running dnsmasq". Data types allowed are comma seperated
dotted-quad IP addresses, a decimal number, colon-seperated hex digits
and a text string. If the optional network-id is given then
this option is only sent to machines on the network whose dhcp-range
contains a matching network-id.
Be careful: no checking is done that the correct type of data for the
option number is sent, and there are option numbers for which it is not
possible to generate the correct data type; it is quite possible to
persuade dnsmasq to generate illegal DHCP packets with injudicious use
of this flag.
.TP
.B \-M, --dhcp-boot=<filename>,[<servername>[,<server address>]]
Set BOOTP options to be returned by the DHCP server. These are needed
for machines which network boot, and tell the machine where to collect
its initial configuration.
.TP  
.B \-X, --dhcp-lease-max=<number>
Limits dnsmasq to the specified maximum number of DHCP leases. The
default is 150. This limit is to prevent DoS attacks from hosts which
create thousands of leases and use lots of memory in the dnsmasq
process.
.TP
.B \-l, --dhcp-leasefile=<path>
Use the specified file to store DHCP lease information. If this option
is given but no dhcp-range option is given then dnsmasq version 1
behaviour is activated. The file given is assumed to be an ISC dhcpd
lease file and parsed for leases which are then added to the DNS
system if they have a hostname. This functionality may have been
excluded from dnsmasq at compile time, in which case an error will occur.
.TP
.B \-s, --domain=<domain>
Specifies the domain for the DHCP server. This has two effects;
firstly it causes the DHCP server to return the domain to any hosts
which request it, and secondly it sets the domain which it is legal
for DHCP-configured hosts to claim. The intention is to constrain hostnames so that an untrusted host on the LAN cannot advertise it's name via dhcp as e.g. "microsoft.com" and capture traffic not meant for it. If no domain suffix is specified, then any DHCP hostname with a domain part (ie with a period) will be disallowed and logged. If suffix is specified, then hostnames with a domain part are allowed, provided the domain part matches the suffix. In addition, when a suffix is set then hostnames without a domain part have the suffix added as an optional domain part. Eg on my network I can set 
.B --domain-suffix=thekelleys.org.uk
and have a machine whose DHCP hostname is "laptop". The IP address for that machine is available from 
.B dnsmasq
both as "laptop" and "laptop.thekelleys.org.uk".
.TP
.B \-E, --expand-hosts
Add the domain-suffix to simple names (without a period) in /etc/hosts
in the same way as for DHCP-derived names.
.SH CONFIG FILE
At startup, dnsmasq reads /etc/dnsmasq.conf, if it exists. (On
FreeBSD and OpenBSD, the file is /usr/local/etc/dnsmasq.conf) The format of this
file consists of one option per line, exactly as the long options detailed 
in the OPTIONS section but without the leading "--". Lines starting with # are comments and ignored. For
options which may only be specified once, the configuration file overrides 
the command line. Use the --conf-file option to specify a different
configuration file. The conf-file option is also allowed in
configuration files, to include multiple configuration files. Only one
level of nesting is allowed.
.SH NOTES
When it receives a SIGHUP, 
.B dnsmasq 
clears its cache and then re-loads /etc/hosts. If 
.B
--no-poll
is set SIGHUP also re-reads /etc/resolv.conf. SIGHUP
does NOT re-read the configuration file.
.PP
When it receives a SIGUSR1,
.B dnsmasq 
writes cache statistics to the system log. It writes the cache size,
the number of names which have had to removed from the cache before
they expired in order to make room for new names and the total number
of names that have been inserted into the cache. In 
.B --no-daemon
mode or when full logging is enabled (-q), a complete dump of the contents of the cache is made.
.PP
Dnsmasq is a DNS query forwarder: it it not capable of recursively
answering arbitrary queries starting from the root servers but
forwards such queries to a fully recursive upstream DNS server which is
typically provided by an ISP. By default, dnsmasq reads
/etc/resolv.conf to discover the IP
addresses of the upstream nameservers it should use, since the
information is typically stored there. Unless
.B --no-poll
is used,
.B dnsmasq
checks the modification time of /etc/resolv.conf (or 
equivalent if 
.B \--resolv-file 
is used) and re-reads it if it changes. This allows the DNS servers to
be set dynamically by PPP or DHCP since both protocols provide the
information.
Absence of /etc/resolv.conf is not an error
since it may not have been created before a PPP connection exists. Dnsmasq 
simply keeps checking in case /etc/resolv.conf is created at any
time. Dnsmasq can be told to parse more than one resolv.conf
file. This is useful on a laptop, where both PPP and DHCP may be used:
dnsmasq can be set to poll both /etc/ppp/resolv.conf and
/etc/dhcpc/resolv.conf and will use the contents of whichever changed
last, giving automatic switching between DNS servers.
.PP
Upstream servers may also be specified on the command line or in
the configuration file. These server specifications optionally take a
domain name which tells dnsmasq to use that server only to find names
in that particular domain.
.PP
In order to configure dnsmasq to act as cache for the host on which it is running, put "nameserver 127.0.0.1" in
.I /etc/resolv.conf
to force local processes to send queries to
dnsmasq. Then either specify the upstream servers directly to dnsmasq
using 
.B \--server
options or put their addresses real in another file, say
.I /etc/resolv.dnsmasq
and run dnsmasq with the 
.B \-r /etc/resolv.dnsmasq
option. This second technique allows for dynamic update of the server
addresses by PPP or DHCP.
.SH FILES
.IR /etc/dnsmasq.conf 

.IR /usr/local/etc/dnsmasq.conf

.IR /etc/resolv.conf

.IR /etc/hosts

.IR /var/lib/misc/dnsmasq.leases 

.IR /var/db/dnsmasq.leases

.IR /var/run/dnsmasq.pid
.SH SEE ALSO
.BR hosts (5), 
.BR resolver (5)
.SH AUTHOR
This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.