]>
Commit | Line | Data |
---|---|---|
9e4abcb5 SK |
1 | .TH DNSMASQ 8 |
2 | .SH NAME | |
3 | dnsmasq \- A lightweight DHCP and caching DNS server. | |
4 | .SH SYNOPSIS | |
5 | .B dnsmasq | |
6 | .I [OPTION]... | |
7 | .SH "DESCRIPTION" | |
8 | .BR dnsmasq | |
9 | is a lightweight DNS and DHCP server. It is intended to provide coupled DNS and DHCP service to a | |
10 | LAN. | |
11 | .PP | |
12 | Dnsmasq accepts DNS queries and either answers them from a small, local, | |
13 | cache or forwards them to a real, recursive, DNS server. It loads the | |
14 | contents of /etc/hosts so that local hostnames | |
15 | which do not appear in the global DNS can be resolved and also answers | |
16 | DNS queries for DHCP configured hosts. | |
17 | .PP | |
3be34541 SK |
18 | The dnsmasq DHCP server supports static address assignments, multiple |
19 | networks, DHCP-relay and RFC3011 subnet specifiers. It automatically | |
20 | sends a sensible default set of DHCP options, and can be configured to | |
21 | send any desired set of DHCP options. It also supports BOOTP. | |
9e4abcb5 | 22 | .PP |
3be34541 SK |
23 | Dnsmasq |
24 | supports IPv6. | |
9e4abcb5 SK |
25 | .SH OPTIONS |
26 | Note that in general missing parameters are allowed and switch off | |
33820b7e SK |
27 | functions, for instance "--pid-file=" disables writing a PID file. On |
28 | BSD, unless the GNU getopt library is linked, the long form of the | |
29 | options does not work on the command line; it is still recognised in | |
30 | the configuration file. | |
9e4abcb5 SK |
31 | .TP |
32 | .B \-h, --no-hosts | |
33 | Don't read the hostnames in /etc/hosts. | |
34 | .TP | |
35 | .B \-H, --addn-hosts=<file> | |
36 | Additional hosts file. Read the specified file as well as /etc/hosts. If -h is given, read | |
fd9fa481 SK |
37 | only the specified file. This option may be repeated for more than one |
38 | additional hosts file. | |
9e4abcb5 SK |
39 | .TP |
40 | .B \-T, --local-ttl=<time> | |
41 | When replying with information from /etc/hosts or the DHCP leases | |
42 | file dnsmasq by default sets the time-to-live field to zero, meaning | |
43 | that the requestor should not itself cache the information. This is | |
44 | the correct thing to do in almost all situations. This option allows a | |
45 | time-to-live (in seconds) to be given for these replies. This will | |
46 | reduce the load on the server at the expense of clients using stale | |
47 | data under some circumstances. | |
48 | .TP | |
3be34541 SK |
49 | .B \-k, --keep-in-foreground |
50 | Do not go into the background at startup but otherwise run as | |
51 | normal. This is intended for use when dnsmasq is run under daemontools. | |
52 | .TP | |
9e4abcb5 SK |
53 | .B \-d, --no-daemon |
54 | Debug mode: don't fork to the background, don't write a pid file, | |
55 | don't change user id, generate a complete cache dump on receipt on | |
3be34541 SK |
56 | SIGUSR1, log to stderr as well as syslog, don't fork new processes |
57 | to handle TCP queries. | |
9e4abcb5 SK |
58 | .TP |
59 | .B \-q, --log-queries | |
60 | Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1. | |
61 | .TP | |
62 | .B \-x, --pid-file=<path> | |
63 | Specify an alternate path for dnsmasq to record its process-id in. Normally /var/run/dnsmasq.pid. | |
64 | .TP | |
65 | .B \-u, --user=<username> | |
66 | Specify the userid to which dnsmasq will change after startup. Dnsmasq must normally be started as root, but it will drop root | |
67 | priviledges after startup by changing id to another user. Normally this user is "nobody" but that | |
68 | can be over-ridden with this switch. | |
69 | .TP | |
70 | .B \-g, --group=<groupname> | |
71 | Specify the group which dnsmasq will run | |
72 | as. The defaults to "dip", if available, to facilitate access to | |
73 | /etc/ppp/resolv.conf which is not normally world readable. | |
74 | .TP | |
75 | .B \-v, --version | |
76 | Print the version number. | |
77 | .TP | |
78 | .B \-p, --port=<port> | |
79 | Listen on <port> instead of the standard DNS port (53). Useful mainly for | |
80 | debugging. | |
81 | .TP | |
feba5c1d SK |
82 | .B \-P, --edns-packet-max=<size> |
83 | Specify the largest EDNS.0 UDP packet which is supported by the DNS | |
84 | forwarder. Defaults to 1280, which is the RFC2671-recommended maximum | |
85 | for ethernet. | |
86 | .TP | |
9e4abcb5 SK |
87 | .B \-Q, --query-port=<query_port> |
88 | Send outbound DNS queries from, and listen for their replies on, the specific UDP port <query_port> instead of using one chosen at runtime. Useful to simplify your | |
89 | firewall rules; without this, your firewall would have to allow connections from outside DNS servers to a range of UDP ports, or dynamically adapt to the | |
90 | port being used by the current dnsmasq instance. | |
91 | .TP | |
92 | .B \-i, --interface=<interface name> | |
feba5c1d SK |
93 | Listen only on the specified interface(s). Dnsmasq automatically adds |
94 | the loopback (local) interface to the list of interfaces to use when | |
95 | the | |
96 | .B \--interface | |
97 | option is used. If no | |
98 | .B \--interface | |
9e4abcb5 | 99 | or |
feba5c1d SK |
100 | .B \--listen-address |
101 | options are given dnsmasq listens on all available interfaces except any | |
102 | given in | |
103 | .B \--except-interface | |
104 | options. If IP alias interfaces (eg "eth1:0") are used with | |
8a911ccc SK |
105 | .B --interface |
106 | or | |
107 | .B --except-interface | |
108 | options, then the | |
109 | .B --bind-interfaces | |
110 | option will be automatically set. This is required for deeply boring | |
111 | sockets-API reasons. | |
9e4abcb5 SK |
112 | .TP |
113 | .B \-I, --except-interface=<interface name> | |
feba5c1d SK |
114 | Do not listen on the specified interface. Note that the order of |
115 | .B \--listen-address | |
116 | .B --interface | |
117 | and | |
118 | .B --except-interface | |
119 | options does not matter and that | |
120 | .B --except-interface | |
121 | options always override the others. | |
9e4abcb5 | 122 | .TP |
44a2a316 | 123 | .B \-a, --listen-address=<ipaddr> |
feba5c1d SK |
124 | Listen on the given IP address(es). Both |
125 | .B \--interface | |
126 | and | |
127 | .B \--listen-address | |
128 | options may be given, in which case the set of both interfaces and | |
129 | addresses is used. Note that if no | |
130 | .B \--interface | |
131 | option is given, but | |
132 | .B \--listen-address | |
133 | is, dnsmasq will not automatically listen on the loopback | |
134 | interface. To achieve this, its IP address, 127.0.0.1, must be | |
135 | explicitly given as a | |
136 | .B \--listen-address | |
137 | option. | |
9e4abcb5 | 138 | .TP |
44a2a316 SK |
139 | .B \-z, --bind-interfaces |
140 | On systems which support it, dnsmasq binds the wildcard address, | |
141 | even when it is listening on only some interfaces. It then discards | |
142 | requests that it shouldn't reply to. This has the advantage of | |
143 | working even when interfaces come and go and change address. This | |
144 | option forces dnsmasq to really bind only the interfaces it is | |
145 | listening on. About the only time when this is useful is when | |
8a911ccc SK |
146 | running another nameserver on the same machine or using IP |
147 | alias. Specifying interfaces with IP alias automatically turns this | |
de37951c SK |
148 | option on. Note that this only applies to the DNS part of dnsmasq, the |
149 | DHCP server always binds the wildcard address in order to receive | |
150 | broadcast packets. | |
44a2a316 | 151 | .TP |
9e4abcb5 SK |
152 | .B \-b, --bogus-priv |
153 | Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192.168.x.x, etc) | |
feba5c1d SK |
154 | which are not found in /etc/hosts or the DHCP leases file are answered |
155 | with "no such domain" rather than being forwarded upstream. | |
9e4abcb5 | 156 | .TP |
1cff166d SK |
157 | .B \-V, --alias=<old-ip>,<new-ip>[,<mask>] |
158 | Modify IPv4 addresses returned from upstream nameservers; old-ip is | |
159 | replaced by new-ip. If the optional mask is given then any address | |
160 | which matches the masked old-ip will be re-written. So, for instance | |
161 | .B --alias=1.2.3.0,6.7.8.0,255.255.255.0 | |
162 | will map 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what | |
163 | Cisco PIX routers call "DNS doctoring". | |
164 | .TP | |
9e4abcb5 SK |
165 | .B \-B, --bogus-nxdomain=<ipaddr> |
166 | Transform replies which contain the IP address given into "No such | |
167 | domain" replies. This is intended to counteract a devious move made by | |
168 | Versign in September 2003 when they started returning the address of | |
169 | an advertising web page in response to queries for unregistered names, | |
170 | instead of the correct NXDOMAIN response. This option tells dnsmasq to | |
171 | fake the correct response when it sees this behaviour. As at Sept 2003 | |
172 | the IP address being returnd by Verisign is 64.94.110.11 | |
173 | .TP | |
174 | .B \-f, --filterwin2k | |
175 | Later versions of windows make periodic DNS requests which don't get sensible answers from | |
176 | the public DNS and can cause problems by triggering dial-on-demand links. This flag turns on an option | |
177 | to filter such requests. The requests blocked are for records of types SOA and SRV, and type ANY where the | |
178 | requested name has underscores, to catch LDAP requests. | |
179 | .TP | |
180 | .B \-r, --resolv-file=<file> | |
181 | Read the IP addresses of the upstream nameservers from <file>, instead of | |
182 | /etc/resolv.conf. For the format of this file see | |
183 | .BR resolv.conf (5) | |
184 | the only lines relevant to dnsmasq are nameserver ones. Dnsmasq can | |
185 | be told to poll more than one resolv.conf file, the first file name specified | |
186 | overrides the default, subsequent ones add to the list. This is only | |
187 | allowed when polling; the file with the currently latest modification | |
188 | time is the one used. | |
189 | .TP | |
190 | .B \-R, --no-resolv | |
191 | Don't read /etc/resolv.conf. Get upstream servers only from the command | |
b49644f3 | 192 | line or the dnsmasq configuration file. |
9e4abcb5 SK |
193 | .TP |
194 | .B \-o, --strict-order | |
195 | By default, dnsmasq will send queries to any of the upstream servers | |
196 | it knows about and tries to favour servers to are known to | |
197 | be up. Setting this flag forces dnsmasq to try each query with each | |
198 | server strictly in the order they appear in /etc/resolv.conf | |
199 | .TP | |
200 | .B \-n, --no-poll | |
201 | Don't poll /etc/resolv.conf for changes. | |
202 | .TP | |
203 | .B \-D, --domain-needed | |
204 | Tells dnsmasq to never forward queries for plain names, without dots | |
205 | or domain parts, to upstream nameservers. If the name is not knowm | |
206 | from /etc/hosts or DHCP then a "not found" answer is returned. | |
207 | .TP | |
208 | .B \-S, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source>[#<port>]]] | |
209 | Specify IP address of upsream severs directly. Setting this flag does | |
210 | not suppress reading of /etc/resolv.conf, use -R to do that. If one or | |
211 | more | |
212 | optional domains are given, that server is used only for those domains | |
213 | and they are queried only using the specified server. This is | |
214 | intended for private nameservers: if you have a nameserver on your | |
215 | network which deals with names of the form | |
216 | xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag | |
217 | .B -S /internal.thekelleys.org.uk/192.168.1.1 | |
218 | will send all queries for | |
219 | internal machines to that nameserver, everything else will go to the | |
220 | servers in /etc/resolv.conf. An empty domain specification, | |
221 | .B // | |
222 | has the special meaning of "unqualified names only" ie names without any | |
223 | dots in them. A non-standard port may be specified as | |
224 | part of the IP | |
225 | address using a # character. | |
226 | More than one -S flag is allowed, with | |
227 | repeated domain or ipaddr parts as required. | |
228 | ||
229 | Also permitted is a -S | |
230 | flag which gives a domain but no IP address; this tells dnsmasq that | |
231 | a domain is local and it may answer queries from /etc/hosts or DHCP | |
232 | but should never forward queries on that domain to any upstream | |
233 | servers. | |
234 | .B local | |
235 | is a synonym for | |
236 | .B server | |
237 | to make configuration files clearer in this case. | |
238 | ||
239 | The optional second IP address after the @ character tells | |
240 | dnsmasq how to set the source address of the queries to this | |
241 | nameserver. It should be an address belonging to the machine on which | |
242 | dnsmasq is running otherwise this server line will be logged and then | |
243 | ignored. The query-port flag is ignored for any servers which have a | |
244 | source address specified but the port may be specified directly as | |
245 | part of the source address. | |
246 | .TP | |
247 | .B \-A, --address=/<domain>/[domain/]<ipaddr> | |
248 | Specify an IP address to return for any host in the given domains. | |
249 | Queries in the domains are never forwarded and always replied to | |
250 | with the specified IP address which may be IPv4 or IPv6. To give | |
251 | both IPv4 and IPv6 addresses for a domain, use repeated -A flags. | |
252 | Note that /etc/hosts and DHCP leases override this for individual | |
253 | names. A common use of this is to redirect the entire doubleclick.net | |
a222641c SK |
254 | domain to some friendly local web server to avoid banner ads. The |
255 | domain specification works in the same was as for --server, with the | |
256 | additional facility that /#/ matches any domain. Thus | |
257 | --address=/#/1.2.3.4 will always return 1.2.3.4 for any query not | |
258 | answered from /etc/hosts or DHCP and not sent to an upstream | |
259 | nameserver by a more specific --server directive. | |
9e4abcb5 | 260 | .TP |
de37951c SK |
261 | .B \-m, --mx-host=<mx name>[,<hostname>] |
262 | Return an MX record named <mx name> pointing to the given hostname (if | |
263 | given), or | |
264 | the host specified in the --mx-target switch | |
9e4abcb5 SK |
265 | or, if that switch is not given, the host on which dnsmasq |
266 | is running. This is useful for directing mail from systems on a LAN | |
267 | to a central server. | |
268 | .TP | |
269 | .B \-t, --mx-target=<hostname> | |
270 | Specify target for the MX record returned by dnsmasq. See --mx-host. Note that to turn on the MX function, | |
271 | at least one of --mx-host and --mx-target must be set. If only one of --mx-host and --mx-target | |
272 | is set, the other defaults to the hostname of the machine on which dnsmasq is running. | |
273 | .TP | |
274 | .B \-e, --selfmx | |
275 | Return an MX record pointing to itself for each local | |
276 | machine. Local machines are those in /etc/hosts or with DHCP leases. | |
277 | .TP | |
278 | .B \-L, --localmx | |
279 | Return an MX record pointing to the host given by mx-target (or the | |
280 | machine on which dnsmasq is running) for each | |
281 | local machine. Local machines are those in /etc/hosts or with DHCP | |
282 | leases. | |
283 | .TP | |
284 | .B \-c, --cache-size=<cachesize> | |
285 | Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. | |
286 | .TP | |
287 | .B \-N, --no-negcache | |
288 | Disable negative caching. Negative caching allows dnsmasq to remember | |
289 | "no such domain" answers from upstream nameservers and answer | |
290 | identical queries without forwarding them again. This flag disables | |
291 | negative caching. | |
292 | .TP | |
44a2a316 | 293 | .B \-F, --dhcp-range=[network-id,]<start-addr>,<end-addr>[[,<netmask>],<broadcast>][,<default lease time>] |
9e4abcb5 | 294 | Enable the DHCP server. Addresses will be given out from the range |
44a2a316 SK |
295 | <start-addr> to <end-addr> and from statically defined addresses given |
296 | in | |
297 | .B dhcp-host | |
298 | options. If the lease time is given, then leases | |
9e4abcb5 SK |
299 | will be given for that length of time. The lease time is on seconds, |
300 | or minutes (eg 45m) or hours (eg 1h) or the literal "infinite". This | |
301 | option may be repeated, with different addresses, to enable DHCP | |
44a2a316 SK |
302 | service to more than one network. For directly connected networks (ie, |
303 | networks on which the machine running dnsmasq has an interface) the | |
304 | netmask is optional. It is, however, required for networks which | |
305 | recieve DHCP service via a relay agent. The broadcast address is | |
306 | always optional. On some broken systems, dnsmasq can listen on only | |
307 | one interface when using DHCP, and the name of that interface must be | |
308 | given using the | |
309 | .B interface | |
310 | option. This limitation currently affects OpenBSD. The optional | |
311 | network-id is a alphanumeric label which marks this network so that | |
33820b7e SK |
312 | dhcp options may be specified on a per-network basis. The end address |
313 | may be replaced by the keyword | |
314 | .B static | |
315 | which tells dnsmasq to enable DHCP for the network specified, but not | |
316 | to dynamically allocate IP addresses. Only hosts which have static | |
317 | addresses given via | |
318 | .B dhcp-host | |
319 | or from /etc/ethers will be served. | |
9e4abcb5 | 320 | .TP |
a84fa1d0 | 321 | .B \-G, --dhcp-host=[[<hwaddr>]|[id:[<client_id>][*]]][net:<netid>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore] |
9e4abcb5 SK |
322 | Specify per host parameters for the DHCP server. This allows a machine |
323 | with a particular hardware address to be always allocated the same | |
324 | hostname, IP address and lease time. A hostname specified like this | |
325 | overrides any supplied by the DHCP client on the machine. It is also | |
326 | allowable to ommit the hardware address and include the hostname, in | |
327 | which case the IP address and lease times will apply to any machine | |
328 | claiming that name. For example | |
329 | .B --dhcp-host=00:20:e0:3b:13:af,wap,infinite | |
330 | tells dnsmasq to give | |
331 | the machine with ethernet address 00:20:e0:3b:13:af the name wap, and | |
332 | an infinite DHCP lease. | |
333 | .B --dhcp-host=lap,192.168.0.199 | |
334 | tells | |
335 | dnsmasq to always allocate the machine lap the IP address | |
1ab84e2f | 336 | 192.168.0.199. Addresses allocated like this are not constrained to be |
9e4abcb5 SK |
337 | in the range given by the --dhcp-range option, but they must be on the |
338 | network being served by the DHCP server. It is allowed to use client identifiers rather than | |
339 | hardware addresses to identify hosts by prefixing with 'id:'. Thus: | |
340 | .B --dhcp-host=id:01:02:03:04,..... | |
341 | refers to the host with client identifier 01:02:03:04. It is also | |
342 | allowed to specify the client ID as text, like this: | |
a84fa1d0 SK |
343 | .B --dhcp-host=id:clientidastext,..... |
344 | The special option id:* means "ignore any client-id | |
345 | and use MAC addresses only." This is useful when a client presents a client-id sometimes | |
346 | but not others. | |
1ab84e2f SK |
347 | If a name appears in /etc/hosts, the associated address can be |
348 | allocated to a DHCP lease, but only if a | |
349 | .B --dhcp-host | |
33820b7e SK |
350 | option specifying the name also exists. The special keyword "ignore" |
351 | tells dnsmasq to never offer a DHCP lease to a machine. The machine | |
352 | can be specified by hardware address, client ID or hostname, for | |
353 | instance | |
354 | .B --dhcp-host=00:20:e0:3b:13:af,ignore | |
355 | This is | |
356 | useful when there is another DHCP server on the network which should | |
357 | be used by some machines. The net:<network-id> parameter enables DHCP options just | |
358 | for this host in the same way as the the network-id in | |
359 | .B dhcp-range. | |
44a2a316 SK |
360 | .TP |
361 | .B \-Z, --read-ethers | |
362 | Read /etc/ethers for information about hosts for the DHCP server. The | |
363 | format of /etc/ethers is a hardware address, followed by either a | |
364 | hostname or dotted-quad IP address. When read by dnsmasq these lines | |
365 | have exactly the same effect as | |
366 | .B --dhcp-host | |
367 | options containing the same information. | |
9e4abcb5 | 368 | .TP |
44a2a316 | 369 | .B \-O, --dhcp-option=[network-id,]<opt>,[<value>[,<value>]] |
9e4abcb5 SK |
370 | Specfify different or extra options to DHCP clients. By default, |
371 | dnsmasq sends some standard options to DHCP clients, the netmask and | |
372 | broadcast address are set to the same as the host running dnsmasq, and | |
373 | the DNS server and default route are set to the address of the machine | |
374 | running dnsmasq. If the domain name option has been set, that is sent. | |
375 | This option allows these defaults to be overridden, | |
376 | or other options specified. The <opt> is the number of the option, as | |
377 | specfied in RFC2132. For example, to set the default route option to | |
378 | 192.168.4.4, do | |
379 | .B --dhcp-option=3,192.168.4.4 | |
380 | and to set the time-server address to 192.168.0.4, do | |
a84fa1d0 | 381 | .B --dhcp-option=42,192.168.0.4 |
1ab84e2f | 382 | The special address 0.0.0.0 is taken to mean "the address of the |
33820b7e SK |
383 | machine running dnsmasq". Data types allowed are comma seperated |
384 | dotted-quad IP addresses, a decimal number, colon-seperated hex digits | |
385 | and a text string. If the optional network-id is given then | |
44a2a316 SK |
386 | this option is only sent to machines on the network whose dhcp-range |
387 | contains a matching network-id. | |
9e4abcb5 SK |
388 | Be careful: no checking is done that the correct type of data for the |
389 | option number is sent, and there are option numbers for which it is not | |
390 | possible to generate the correct data type; it is quite possible to | |
391 | persuade dnsmasq to generate illegal DHCP packets with injudicious use | |
392 | of this flag. | |
393 | .TP | |
a84fa1d0 SK |
394 | .B \-U, --dhcp-vendorclass=<network-id>,<vendor-class> |
395 | Map from a vendor-class string to a network id. Most DHCP clients provide a | |
a222641c | 396 | "vendor class" which represents, in some sense, the type of host. This option |
a84fa1d0 SK |
397 | maps vendor classes to network ids, so that DHCP options may be selectively delivered |
398 | to different classes of hosts. For example | |
399 | .B dhcp-vendorclass=printers,Hewlett-Packard JetDirect | |
400 | will allow options to be set only for HP printers like so: | |
a222641c SK |
401 | .B --dhcp-option=printers,3,192.168.4.4 |
402 | The vendor-class string is | |
403 | substring matched against the vendor-class supplied by the client, to | |
404 | allow fuzzy matching. | |
405 | .TP | |
406 | .B \-j, --dhcp-userclass=<network-id>,<user-class> | |
407 | Map from a user-class string to a network id (with substring | |
408 | matching, like vendor classes). Most DHCP clients provide a | |
409 | "user class" which is configurable. This option | |
410 | maps user classes to network ids, so that DHCP options may be selectively delivered | |
411 | to different classes of hosts. It is possible, for instance to use | |
412 | this to set a different printer server for hosts in the class | |
413 | "accounts" than for hosts in the class "engineering". | |
a84fa1d0 | 414 | .TP |
9e4abcb5 SK |
415 | .B \-M, --dhcp-boot=<filename>,[<servername>[,<server address>]] |
416 | Set BOOTP options to be returned by the DHCP server. These are needed | |
417 | for machines which network boot, and tell the machine where to collect | |
418 | its initial configuration. | |
419 | .TP | |
44a2a316 SK |
420 | .B \-X, --dhcp-lease-max=<number> |
421 | Limits dnsmasq to the specified maximum number of DHCP leases. The | |
422 | default is 150. This limit is to prevent DoS attacks from hosts which | |
423 | create thousands of leases and use lots of memory in the dnsmasq | |
424 | process. | |
425 | .TP | |
fd9fa481 SK |
426 | .B \-K, --dhcp-authoritative |
427 | Should be set when dnsmasq is definatively the only DHCP server on a network. | |
428 | It changes the behaviour from strict RFC compliance so that DHCP requests on | |
429 | unknown leases from unknown hosts are not ignored. This allows new hosts | |
430 | to get a lease without a tedious timeout under all circumstances. | |
431 | .TP | |
9e4abcb5 | 432 | .B \-l, --dhcp-leasefile=<path> |
33820b7e SK |
433 | Use the specified file to store DHCP lease information. If this option |
434 | is given but no dhcp-range option is given then dnsmasq version 1 | |
435 | behaviour is activated. The file given is assumed to be an ISC dhcpd | |
436 | lease file and parsed for leases which are then added to the DNS | |
437 | system if they have a hostname. This functionality may have been | |
438 | excluded from dnsmasq at compile time, in which case an error will occur. | |
9e4abcb5 SK |
439 | .TP |
440 | .B \-s, --domain=<domain> | |
441 | Specifies the domain for the DHCP server. This has two effects; | |
442 | firstly it causes the DHCP server to return the domain to any hosts | |
443 | which request it, and secondly it sets the domain which it is legal | |
444 | for DHCP-configured hosts to claim. The intention is to constrain hostnames so that an untrusted host on the LAN cannot advertise it's name via dhcp as e.g. "microsoft.com" and capture traffic not meant for it. If no domain suffix is specified, then any DHCP hostname with a domain part (ie with a period) will be disallowed and logged. If suffix is specified, then hostnames with a domain part are allowed, provided the domain part matches the suffix. In addition, when a suffix is set then hostnames without a domain part have the suffix added as an optional domain part. Eg on my network I can set | |
445 | .B --domain-suffix=thekelleys.org.uk | |
446 | and have a machine whose DHCP hostname is "laptop". The IP address for that machine is available from | |
447 | .B dnsmasq | |
de37951c SK |
448 | both as "laptop" and "laptop.thekelleys.org.uk". If the domain is |
449 | given as "#" then the domain is read from the first "search" directive | |
450 | in /etc/resolv.conf (or equivalent). | |
9e4abcb5 SK |
451 | .TP |
452 | .B \-E, --expand-hosts | |
453 | Add the domain-suffix to simple names (without a period) in /etc/hosts | |
454 | in the same way as for DHCP-derived names. | |
455 | .SH CONFIG FILE | |
3be34541 SK |
456 | At startup, dnsmasq reads |
457 | .I /etc/dnsmasq.conf, | |
458 | if it exists. (On | |
459 | FreeBSD, the file is | |
460 | .I /usr/local/etc/dnsmasq.conf | |
461 | ) The format of this | |
9e4abcb5 SK |
462 | file consists of one option per line, exactly as the long options detailed |
463 | in the OPTIONS section but without the leading "--". Lines starting with # are comments and ignored. For | |
b49644f3 | 464 | options which may only be specified once, the configuration file overrides |
9e4abcb5 | 465 | the command line. Use the --conf-file option to specify a different |
33820b7e SK |
466 | configuration file. The conf-file option is also allowed in |
467 | configuration files, to include multiple configuration files. Only one | |
468 | level of nesting is allowed. | |
9e4abcb5 SK |
469 | .SH NOTES |
470 | When it receives a SIGHUP, | |
471 | .B dnsmasq | |
3be34541 SK |
472 | clears its cache and then re-loads |
473 | .I /etc/hosts. | |
474 | If | |
9e4abcb5 SK |
475 | .B |
476 | --no-poll | |
3be34541 SK |
477 | is set SIGHUP also re-reads |
478 | .I /etc/resolv.conf. | |
479 | SIGHUP | |
b49644f3 | 480 | does NOT re-read the configuration file. |
9e4abcb5 SK |
481 | .PP |
482 | When it receives a SIGUSR1, | |
483 | .B dnsmasq | |
484 | writes cache statistics to the system log. It writes the cache size, | |
485 | the number of names which have had to removed from the cache before | |
486 | they expired in order to make room for new names and the total number | |
487 | of names that have been inserted into the cache. In | |
488 | .B --no-daemon | |
489 | mode or when full logging is enabled (-q), a complete dump of the contents of the cache is made. | |
490 | .PP | |
9e4abcb5 SK |
491 | Dnsmasq is a DNS query forwarder: it it not capable of recursively |
492 | answering arbitrary queries starting from the root servers but | |
493 | forwards such queries to a fully recursive upstream DNS server which is | |
494 | typically provided by an ISP. By default, dnsmasq reads | |
3be34541 SK |
495 | .I /etc/resolv.conf |
496 | to discover the IP | |
9e4abcb5 SK |
497 | addresses of the upstream nameservers it should use, since the |
498 | information is typically stored there. Unless | |
499 | .B --no-poll | |
500 | is used, | |
501 | .B dnsmasq | |
3be34541 SK |
502 | checks the modification time of |
503 | .I /etc/resolv.conf | |
504 | (or equivalent if | |
9e4abcb5 SK |
505 | .B \--resolv-file |
506 | is used) and re-reads it if it changes. This allows the DNS servers to | |
507 | be set dynamically by PPP or DHCP since both protocols provide the | |
508 | information. | |
3be34541 SK |
509 | Absence of |
510 | .I /etc/resolv.conf | |
511 | is not an error | |
9e4abcb5 | 512 | since it may not have been created before a PPP connection exists. Dnsmasq |
3be34541 SK |
513 | simply keeps checking in case |
514 | .I /etc/resolv.conf | |
515 | is created at any | |
9e4abcb5 SK |
516 | time. Dnsmasq can be told to parse more than one resolv.conf |
517 | file. This is useful on a laptop, where both PPP and DHCP may be used: | |
3be34541 SK |
518 | dnsmasq can be set to poll both |
519 | .I /etc/ppp/resolv.conf | |
520 | and | |
521 | .I /etc/dhcpc/resolv.conf | |
522 | and will use the contents of whichever changed | |
9e4abcb5 SK |
523 | last, giving automatic switching between DNS servers. |
524 | .PP | |
525 | Upstream servers may also be specified on the command line or in | |
b49644f3 | 526 | the configuration file. These server specifications optionally take a |
9e4abcb5 SK |
527 | domain name which tells dnsmasq to use that server only to find names |
528 | in that particular domain. | |
529 | .PP | |
530 | In order to configure dnsmasq to act as cache for the host on which it is running, put "nameserver 127.0.0.1" in | |
531 | .I /etc/resolv.conf | |
532 | to force local processes to send queries to | |
533 | dnsmasq. Then either specify the upstream servers directly to dnsmasq | |
534 | using | |
535 | .B \--server | |
536 | options or put their addresses real in another file, say | |
537 | .I /etc/resolv.dnsmasq | |
538 | and run dnsmasq with the | |
539 | .B \-r /etc/resolv.dnsmasq | |
540 | option. This second technique allows for dynamic update of the server | |
541 | addresses by PPP or DHCP. | |
3be34541 SK |
542 | .PP |
543 | The DHCP server in dnsmasq will function as a BOOTP server also, | |
544 | provided that the MAC address and IP address for clients are given, | |
545 | either using | |
546 | .B dhcp-host | |
547 | configurations or in | |
548 | .I /etc/ethers | |
549 | , and a | |
550 | .B dhcp-range | |
551 | configuration option is present to activate the DHCP server | |
552 | on a particular network. The filename | |
553 | parameter in a BOOTP request is matched against netids in | |
554 | .B dhcp-option | |
555 | configurations, allowing some control over the options returned to | |
556 | different classes of hosts. | |
557 | ||
9e4abcb5 | 558 | .SH FILES |
b49644f3 SK |
559 | .IR /etc/dnsmasq.conf |
560 | ||
561 | .IR /usr/local/etc/dnsmasq.conf | |
9e4abcb5 SK |
562 | |
563 | .IR /etc/resolv.conf | |
564 | ||
565 | .IR /etc/hosts | |
566 | ||
3be34541 SK |
567 | .IR /etc/ethers |
568 | ||
b49644f3 SK |
569 | .IR /var/lib/misc/dnsmasq.leases |
570 | ||
571 | .IR /var/db/dnsmasq.leases | |
9e4abcb5 SK |
572 | |
573 | .IR /var/run/dnsmasq.pid | |
574 | .SH SEE ALSO | |
9e4abcb5 SK |
575 | .BR hosts (5), |
576 | .BR resolver (5) | |
577 | .SH AUTHOR | |
578 | This manual page was written by Simon Kelley <simon@thekelleys.org.uk>. | |
579 | ||
580 |