]>
Commit | Line | Data |
---|---|---|
9e4abcb5 SK |
1 | .TH DNSMASQ 8 |
2 | .SH NAME | |
3 | dnsmasq \- A lightweight DHCP and caching DNS server. | |
4 | .SH SYNOPSIS | |
5 | .B dnsmasq | |
6 | .I [OPTION]... | |
7 | .SH "DESCRIPTION" | |
8 | .BR dnsmasq | |
5aabfc78 SK |
9 | is a lightweight DNS, TFTP and DHCP server. It is intended to provide |
10 | coupled DNS and DHCP service to a LAN. | |
9e4abcb5 SK |
11 | .PP |
12 | Dnsmasq accepts DNS queries and either answers them from a small, local, | |
13 | cache or forwards them to a real, recursive, DNS server. It loads the | |
14 | contents of /etc/hosts so that local hostnames | |
15 | which do not appear in the global DNS can be resolved and also answers | |
16 | DNS queries for DHCP configured hosts. | |
17 | .PP | |
73a08a24 SK |
18 | The dnsmasq DHCP server supports static address assignments and multiple |
19 | networks. It automatically | |
3be34541 | 20 | sends a sensible default set of DHCP options, and can be configured to |
f2621c7f | 21 | send any desired set of DHCP options, including vendor-encapsulated |
1b7ecd11 SK |
22 | options. It includes a secure, read-only, |
23 | TFTP server to allow net/PXE boot of DHCP hosts and also supports BOOTP. | |
9e4abcb5 | 24 | .PP |
3be34541 | 25 | Dnsmasq |
28866e95 | 26 | supports IPv6 for DNS and TFTP, but not DHCP. |
9e4abcb5 SK |
27 | .SH OPTIONS |
28 | Note that in general missing parameters are allowed and switch off | |
832af0ba | 29 | functions, for instance "--pid-file" disables writing a PID file. On |
33820b7e SK |
30 | BSD, unless the GNU getopt library is linked, the long form of the |
31 | options does not work on the command line; it is still recognised in | |
32 | the configuration file. | |
9e4abcb5 | 33 | .TP |
7622fc06 SK |
34 | .B --test |
35 | Read and syntax check configuration file(s). Exit with code 0 if all | |
36 | is OK, or a non-zero code otherwise. Do not start up dnsmasq. | |
37 | .TP | |
9e4abcb5 SK |
38 | .B \-h, --no-hosts |
39 | Don't read the hostnames in /etc/hosts. | |
40 | .TP | |
41 | .B \-H, --addn-hosts=<file> | |
42 | Additional hosts file. Read the specified file as well as /etc/hosts. If -h is given, read | |
fd9fa481 | 43 | only the specified file. This option may be repeated for more than one |
7622fc06 | 44 | additional hosts file. If a directory is given, then read all the files contained in that directory. |
9e4abcb5 | 45 | .TP |
832af0ba SK |
46 | .B \-E, --expand-hosts |
47 | Add the domain to simple names (without a period) in /etc/hosts | |
1f15b81d SK |
48 | in the same way as for DHCP-derived names. Note that this does not |
49 | apply to domain names in cnames, PTR records, TXT records etc. | |
832af0ba | 50 | .TP |
9e4abcb5 SK |
51 | .B \-T, --local-ttl=<time> |
52 | When replying with information from /etc/hosts or the DHCP leases | |
53 | file dnsmasq by default sets the time-to-live field to zero, meaning | |
c72daea8 | 54 | that the requester should not itself cache the information. This is |
9e4abcb5 SK |
55 | the correct thing to do in almost all situations. This option allows a |
56 | time-to-live (in seconds) to be given for these replies. This will | |
57 | reduce the load on the server at the expense of clients using stale | |
58 | data under some circumstances. | |
59 | .TP | |
824af85b SK |
60 | .B --neg-ttl=<time> |
61 | Negative replies from upstream servers normally contain time-to-live | |
62 | information in SOA records which dnsmasq uses for caching. If the | |
63 | replies from upstream servers omit this information, dnsmasq does not | |
64 | cache the reply. This option gives a default value for time-to-live | |
65 | (in seconds) which dnsmasq uses to cache negative replies even in | |
66 | the absence of an SOA record. | |
67 | .TP | |
8ef5ada2 SK |
68 | .B --max-ttl=<time> |
69 | Set a maximum TTL value that will be handed out to clients. The specified | |
70 | maximum TTL will be given to clients instead of the true TTL value if it is | |
71 | lower. The true TTL value is however kept in the cache to avoid flooding | |
72 | the upstream DNS servers. | |
73 | .TP | |
3be34541 SK |
74 | .B \-k, --keep-in-foreground |
75 | Do not go into the background at startup but otherwise run as | |
3d8df260 SK |
76 | normal. This is intended for use when dnsmasq is run under daemontools |
77 | or launchd. | |
3be34541 | 78 | .TP |
9e4abcb5 SK |
79 | .B \-d, --no-daemon |
80 | Debug mode: don't fork to the background, don't write a pid file, | |
81 | don't change user id, generate a complete cache dump on receipt on | |
3be34541 SK |
82 | SIGUSR1, log to stderr as well as syslog, don't fork new processes |
83 | to handle TCP queries. | |
9e4abcb5 SK |
84 | .TP |
85 | .B \-q, --log-queries | |
86 | Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1. | |
87 | .TP | |
849a8357 SK |
88 | .B \-8, --log-facility=<facility> |
89 | Set the facility to which dnsmasq will send syslog entries, this | |
f2621c7f | 90 | defaults to DAEMON, and to LOCAL0 when debug mode is in operation. If |
9e038946 | 91 | the facility given contains at least one '/' character, it is taken to |
f2621c7f | 92 | be a filename, and dnsmasq logs to the given file, instead of |
8ef5ada2 SK |
93 | syslog. If the facility is '-' then dnsmasq logs to stderr. |
94 | (Errors whilst reading configuration will still go to syslog, | |
f2621c7f | 95 | but all output from a successful startup, and all output whilst |
5aabfc78 SK |
96 | running, will go exclusively to the file.) When logging to a file, |
97 | dnsmasq will close and reopen the file when it receives SIGUSR2. This | |
98 | allows the log file to be rotated without stopping dnsmasq. | |
f2621c7f SK |
99 | .TP |
100 | .B --log-async[=<lines>] | |
101 | Enable asynchronous logging and optionally set the limit on the | |
102 | number of lines | |
103 | which will be queued by dnsmasq when writing to the syslog is slow. | |
104 | Dnsmasq can log asynchronously: this | |
105 | allows it to continue functioning without being blocked by syslog, and | |
106 | allows syslog to use dnsmasq for DNS queries without risking deadlock. | |
107 | If the queue of log-lines becomes full, dnsmasq will log the | |
108 | overflow, and the number of messages lost. The default queue length is | |
109 | 5, a sane value would be 5-25, and a maximum limit of 100 is imposed. | |
849a8357 | 110 | .TP |
9e4abcb5 SK |
111 | .B \-x, --pid-file=<path> |
112 | Specify an alternate path for dnsmasq to record its process-id in. Normally /var/run/dnsmasq.pid. | |
113 | .TP | |
114 | .B \-u, --user=<username> | |
115 | Specify the userid to which dnsmasq will change after startup. Dnsmasq must normally be started as root, but it will drop root | |
b8187c80 | 116 | privileges after startup by changing id to another user. Normally this user is "nobody" but that |
9e4abcb5 SK |
117 | can be over-ridden with this switch. |
118 | .TP | |
119 | .B \-g, --group=<groupname> | |
120 | Specify the group which dnsmasq will run | |
121 | as. The defaults to "dip", if available, to facilitate access to | |
122 | /etc/ppp/resolv.conf which is not normally world readable. | |
123 | .TP | |
124 | .B \-v, --version | |
125 | Print the version number. | |
126 | .TP | |
127 | .B \-p, --port=<port> | |
824af85b SK |
128 | Listen on <port> instead of the standard DNS port (53). Setting this |
129 | to zero completely disables DNS function, leaving only DHCP and/or TFTP. | |
9e4abcb5 | 130 | .TP |
feba5c1d SK |
131 | .B \-P, --edns-packet-max=<size> |
132 | Specify the largest EDNS.0 UDP packet which is supported by the DNS | |
316e2730 | 133 | forwarder. Defaults to 4096, which is the RFC5625-recommended size. |
feba5c1d | 134 | .TP |
9e4abcb5 | 135 | .B \-Q, --query-port=<query_port> |
1a6bca81 SK |
136 | Send outbound DNS queries from, and listen for their replies on, the |
137 | specific UDP port <query_port> instead of using random ports. NOTE | |
138 | that using this option will make dnsmasq less secure against DNS | |
139 | spoofing attacks but it may be faster and use less resources. Setting this option | |
140 | to zero makes dnsmasq use a single port allocated to it by the | |
141 | OS: this was the default behaviour in versions prior to 2.43. | |
142 | .TP | |
143 | .B --min-port=<port> | |
144 | Do not use ports less than that given as source for outbound DNS | |
145 | queries. Dnsmasq picks random ports as source for outbound queries: | |
146 | when this option is given, the ports used will always to larger | |
147 | than that specified. Useful for systems behind firewalls. | |
9e4abcb5 SK |
148 | .TP |
149 | .B \-i, --interface=<interface name> | |
feba5c1d SK |
150 | Listen only on the specified interface(s). Dnsmasq automatically adds |
151 | the loopback (local) interface to the list of interfaces to use when | |
152 | the | |
153 | .B \--interface | |
154 | option is used. If no | |
155 | .B \--interface | |
9e4abcb5 | 156 | or |
feba5c1d SK |
157 | .B \--listen-address |
158 | options are given dnsmasq listens on all available interfaces except any | |
159 | given in | |
160 | .B \--except-interface | |
309331f5 | 161 | options. IP alias interfaces (eg "eth1:0") cannot be used with |
8a911ccc SK |
162 | .B --interface |
163 | or | |
164 | .B --except-interface | |
309331f5 | 165 | options, use --listen-address instead. |
9e4abcb5 SK |
166 | .TP |
167 | .B \-I, --except-interface=<interface name> | |
feba5c1d SK |
168 | Do not listen on the specified interface. Note that the order of |
169 | .B \--listen-address | |
170 | .B --interface | |
171 | and | |
172 | .B --except-interface | |
173 | options does not matter and that | |
174 | .B --except-interface | |
175 | options always override the others. | |
9e4abcb5 | 176 | .TP |
3d8df260 | 177 | .B \-2, --no-dhcp-interface=<interface name> |
832af0ba | 178 | Do not provide DHCP or TFTP on the specified interface, but do provide DNS service. |
3d8df260 | 179 | .TP |
44a2a316 | 180 | .B \-a, --listen-address=<ipaddr> |
feba5c1d SK |
181 | Listen on the given IP address(es). Both |
182 | .B \--interface | |
183 | and | |
184 | .B \--listen-address | |
185 | options may be given, in which case the set of both interfaces and | |
186 | addresses is used. Note that if no | |
187 | .B \--interface | |
188 | option is given, but | |
189 | .B \--listen-address | |
190 | is, dnsmasq will not automatically listen on the loopback | |
191 | interface. To achieve this, its IP address, 127.0.0.1, must be | |
192 | explicitly given as a | |
193 | .B \--listen-address | |
194 | option. | |
9e4abcb5 | 195 | .TP |
44a2a316 SK |
196 | .B \-z, --bind-interfaces |
197 | On systems which support it, dnsmasq binds the wildcard address, | |
198 | even when it is listening on only some interfaces. It then discards | |
199 | requests that it shouldn't reply to. This has the advantage of | |
200 | working even when interfaces come and go and change address. This | |
201 | option forces dnsmasq to really bind only the interfaces it is | |
202 | listening on. About the only time when this is useful is when | |
f6b7dc47 | 203 | running another nameserver (or another instance of dnsmasq) on the |
309331f5 | 204 | same machine. Setting this option also enables multiple instances of |
f6b7dc47 SK |
205 | dnsmasq which provide DHCP service to run in the same machine. |
206 | .TP | |
207 | .B \-y, --localise-queries | |
208 | Return answers to DNS queries from /etc/hosts which depend on the interface over which the query was | |
b8187c80 | 209 | received. If a name in /etc/hosts has more than one address associated with |
f6b7dc47 SK |
210 | it, and at least one of those addresses is on the same subnet as the |
211 | interface to which the query was sent, then return only the | |
212 | address(es) on that subnet. This allows for a server to have multiple | |
213 | addresses in /etc/hosts corresponding to each of its interfaces, and | |
214 | hosts will get the correct address based on which network they are | |
215 | attached to. Currently this facility is limited to IPv4. | |
44a2a316 | 216 | .TP |
9e4abcb5 SK |
217 | .B \-b, --bogus-priv |
218 | Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192.168.x.x, etc) | |
feba5c1d SK |
219 | which are not found in /etc/hosts or the DHCP leases file are answered |
220 | with "no such domain" rather than being forwarded upstream. | |
9e4abcb5 | 221 | .TP |
73a08a24 | 222 | .B \-V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>] |
1cff166d SK |
223 | Modify IPv4 addresses returned from upstream nameservers; old-ip is |
224 | replaced by new-ip. If the optional mask is given then any address | |
225 | which matches the masked old-ip will be re-written. So, for instance | |
226 | .B --alias=1.2.3.0,6.7.8.0,255.255.255.0 | |
227 | will map 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what | |
73a08a24 SK |
228 | Cisco PIX routers call "DNS doctoring". If the old IP is given as |
229 | range, then only addresses in the range, rather than a whole subnet, | |
230 | are re-written. So | |
231 | .B --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 | |
232 | maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 | |
1cff166d | 233 | .TP |
9e4abcb5 SK |
234 | .B \-B, --bogus-nxdomain=<ipaddr> |
235 | Transform replies which contain the IP address given into "No such | |
236 | domain" replies. This is intended to counteract a devious move made by | |
b8187c80 | 237 | Verisign in September 2003 when they started returning the address of |
9e4abcb5 SK |
238 | an advertising web page in response to queries for unregistered names, |
239 | instead of the correct NXDOMAIN response. This option tells dnsmasq to | |
240 | fake the correct response when it sees this behaviour. As at Sept 2003 | |
b8187c80 | 241 | the IP address being returned by Verisign is 64.94.110.11 |
9e4abcb5 SK |
242 | .TP |
243 | .B \-f, --filterwin2k | |
244 | Later versions of windows make periodic DNS requests which don't get sensible answers from | |
245 | the public DNS and can cause problems by triggering dial-on-demand links. This flag turns on an option | |
246 | to filter such requests. The requests blocked are for records of types SOA and SRV, and type ANY where the | |
247 | requested name has underscores, to catch LDAP requests. | |
248 | .TP | |
249 | .B \-r, --resolv-file=<file> | |
250 | Read the IP addresses of the upstream nameservers from <file>, instead of | |
251 | /etc/resolv.conf. For the format of this file see | |
7de060b0 SK |
252 | .BR resolv.conf (5). |
253 | The only lines relevant to dnsmasq are nameserver ones. Dnsmasq can | |
9e4abcb5 SK |
254 | be told to poll more than one resolv.conf file, the first file name specified |
255 | overrides the default, subsequent ones add to the list. This is only | |
256 | allowed when polling; the file with the currently latest modification | |
257 | time is the one used. | |
258 | .TP | |
259 | .B \-R, --no-resolv | |
260 | Don't read /etc/resolv.conf. Get upstream servers only from the command | |
b49644f3 | 261 | line or the dnsmasq configuration file. |
9e4abcb5 | 262 | .TP |
3d8df260 SK |
263 | .B \-1, --enable-dbus |
264 | Allow dnsmasq configuration to be updated via DBus method calls. The | |
265 | configuration which can be changed is upstream DNS servers (and | |
b8187c80 | 266 | corresponding domains) and cache clear. Requires that dnsmasq has |
3d8df260 SK |
267 | been built with DBus support. |
268 | .TP | |
9e4abcb5 SK |
269 | .B \-o, --strict-order |
270 | By default, dnsmasq will send queries to any of the upstream servers | |
824af85b | 271 | it knows about and tries to favour servers that are known to |
9e4abcb5 SK |
272 | be up. Setting this flag forces dnsmasq to try each query with each |
273 | server strictly in the order they appear in /etc/resolv.conf | |
274 | .TP | |
824af85b SK |
275 | .B --all-servers |
276 | By default, when dnsmasq has more than one upstream server available, | |
277 | it will send queries to just one server. Setting this flag forces | |
278 | dnsmasq to send all queries to all available servers. The reply from | |
c72daea8 | 279 | the server which answers first will be returned to the original requester. |
824af85b SK |
280 | .TP |
281 | .B --stop-dns-rebind | |
282 | Reject (and log) addresses from upstream nameservers which are in the | |
283 | private IP ranges. This blocks an attack where a browser behind a | |
284 | firewall is used to probe machines on the local network. | |
285 | .TP | |
8ef5ada2 SK |
286 | .B --rebind-localhost-ok |
287 | Exempt 127.0.0.0/8 from rebinding checks. This address range is | |
288 | returned by realtime black hole servers, so blocking it may disable | |
289 | these services. | |
290 | .TP | |
291 | .B --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/] | |
292 | Do not detect and block dns-rebind on queries to these domains. The | |
293 | argument may be either a single domain, or multiple domains surrounded | |
294 | by '/', like the --server syntax, eg. | |
295 | .B --rebind-domain-ok=/domain1/domain2/domain3/ | |
296 | .TP | |
9e4abcb5 SK |
297 | .B \-n, --no-poll |
298 | Don't poll /etc/resolv.conf for changes. | |
299 | .TP | |
1697269c SK |
300 | .B --clear-on-reload |
301 | Whenever /etc/resolv.conf is re-read, clear the DNS cache. | |
302 | This is useful when new nameservers may have different | |
303 | data than that held in cache. | |
304 | .TP | |
9e4abcb5 | 305 | .B \-D, --domain-needed |
7de060b0 | 306 | Tells dnsmasq to never forward A or AAAA queries for plain names, without dots |
3d8df260 | 307 | or domain parts, to upstream nameservers. If the name is not known |
9e4abcb5 SK |
308 | from /etc/hosts or DHCP then a "not found" answer is returned. |
309 | .TP | |
824af85b | 310 | .B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]] |
5aabfc78 | 311 | Specify IP address of upstream servers directly. Setting this flag does |
9e4abcb5 SK |
312 | not suppress reading of /etc/resolv.conf, use -R to do that. If one or |
313 | more | |
314 | optional domains are given, that server is used only for those domains | |
315 | and they are queried only using the specified server. This is | |
316 | intended for private nameservers: if you have a nameserver on your | |
317 | network which deals with names of the form | |
318 | xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag | |
b8187c80 | 319 | .B -S /internal.thekelleys.org.uk/192.168.1.1 |
9e4abcb5 SK |
320 | will send all queries for |
321 | internal machines to that nameserver, everything else will go to the | |
322 | servers in /etc/resolv.conf. An empty domain specification, | |
323 | .B // | |
324 | has the special meaning of "unqualified names only" ie names without any | |
325 | dots in them. A non-standard port may be specified as | |
326 | part of the IP | |
327 | address using a # character. | |
328 | More than one -S flag is allowed, with | |
8ef5ada2 SK |
329 | repeated domain or ipaddr parts as required. |
330 | ||
331 | More specific domains take precendence over less specific domains, so: | |
332 | .B --server=/google.com/1.2.3.4 | |
333 | .B --server=/www.google.com/2.3.4.5 | |
334 | will send queries for *.google.com to 1.2.3.4, except *www.google.com, | |
335 | which will go to 2.3.4.5 | |
336 | ||
337 | The special server address '#' means, "use the standard servers", so | |
338 | .B --server=/google.com/1.2.3.4 | |
339 | .B --server=/www.google.com/# | |
340 | will send queries for *.google.com to 1.2.3.4, except *www.google.com which will | |
341 | be forwarded as usual. | |
9e4abcb5 SK |
342 | |
343 | Also permitted is a -S | |
344 | flag which gives a domain but no IP address; this tells dnsmasq that | |
345 | a domain is local and it may answer queries from /etc/hosts or DHCP | |
346 | but should never forward queries on that domain to any upstream | |
347 | servers. | |
348 | .B local | |
349 | is a synonym for | |
350 | .B server | |
351 | to make configuration files clearer in this case. | |
352 | ||
7de060b0 SK |
353 | IPv6 addresses may include a %interface scope-id, eg |
354 | fe80::202:a412:4512:7bbf%eth0. | |
355 | ||
824af85b SK |
356 | The optional string after the @ character tells |
357 | dnsmasq how to set the source of the queries to this | |
358 | nameserver. It should be an ip-address, which should belong to the machine on which | |
9e4abcb5 | 359 | dnsmasq is running otherwise this server line will be logged and then |
824af85b SK |
360 | ignored, or an interface name. If an interface name is given, then |
361 | queries to the server will be forced via that interface; if an | |
362 | ip-address is given then the source address of the queries will be set | |
363 | to that address. | |
364 | The query-port flag is ignored for any servers which have a | |
9e4abcb5 | 365 | source address specified but the port may be specified directly as |
824af85b SK |
366 | part of the source address. Forcing queries to an interface is not |
367 | implemented on all platforms supported by dnsmasq. | |
9e4abcb5 SK |
368 | .TP |
369 | .B \-A, --address=/<domain>/[domain/]<ipaddr> | |
370 | Specify an IP address to return for any host in the given domains. | |
371 | Queries in the domains are never forwarded and always replied to | |
372 | with the specified IP address which may be IPv4 or IPv6. To give | |
373 | both IPv4 and IPv6 addresses for a domain, use repeated -A flags. | |
374 | Note that /etc/hosts and DHCP leases override this for individual | |
375 | names. A common use of this is to redirect the entire doubleclick.net | |
a222641c SK |
376 | domain to some friendly local web server to avoid banner ads. The |
377 | domain specification works in the same was as for --server, with the | |
378 | additional facility that /#/ matches any domain. Thus | |
379 | --address=/#/1.2.3.4 will always return 1.2.3.4 for any query not | |
380 | answered from /etc/hosts or DHCP and not sent to an upstream | |
381 | nameserver by a more specific --server directive. | |
9e4abcb5 | 382 | .TP |
f6b7dc47 | 383 | .B \-m, --mx-host=<mx name>[[,<hostname>],<preference>] |
de37951c SK |
384 | Return an MX record named <mx name> pointing to the given hostname (if |
385 | given), or | |
386 | the host specified in the --mx-target switch | |
9e4abcb5 | 387 | or, if that switch is not given, the host on which dnsmasq |
f6b7dc47 SK |
388 | is running. The default is useful for directing mail from systems on a LAN |
389 | to a central server. The preference value is optional, and defaults to | |
390 | 1 if not given. More than one MX record may be given for a host. | |
9e4abcb5 SK |
391 | .TP |
392 | .B \-t, --mx-target=<hostname> | |
f6b7dc47 SK |
393 | Specify the default target for the MX record returned by dnsmasq. See |
394 | --mx-host. If --mx-target is given, but not --mx-host, then dnsmasq | |
395 | returns a MX record containing the MX target for MX queries on the | |
396 | hostname of the machine on which dnsmasq is running. | |
9e4abcb5 SK |
397 | .TP |
398 | .B \-e, --selfmx | |
399 | Return an MX record pointing to itself for each local | |
400 | machine. Local machines are those in /etc/hosts or with DHCP leases. | |
401 | .TP | |
402 | .B \-L, --localmx | |
403 | Return an MX record pointing to the host given by mx-target (or the | |
404 | machine on which dnsmasq is running) for each | |
405 | local machine. Local machines are those in /etc/hosts or with DHCP | |
406 | leases. | |
407 | .TP | |
f6b7dc47 SK |
408 | .B \-W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<priority>[,<weight>]]]] |
409 | Return a SRV DNS record. See RFC2782 for details. If not supplied, the | |
410 | domain defaults to that given by | |
411 | .B --domain. | |
412 | The default for the target domain is empty, and the default for port | |
413 | is one and the defaults for | |
414 | weight and priority are zero. Be careful if transposing data from BIND | |
415 | zone files: the port, weight and priority numbers are in a different | |
416 | order. More than one SRV record for a given service/domain is allowed, | |
3d8df260 | 417 | all that match are returned. |
f6b7dc47 | 418 | .TP |
0a852541 SK |
419 | .B \-Y, --txt-record=<name>[[,<text>],<text>] |
420 | Return a TXT DNS record. The value of TXT record is a set of strings, | |
28866e95 SK |
421 | so any number may be included, delimited by commas; use quotes to put |
422 | commas into a string. Note that the maximum length of a single string | |
423 | is 255 characters, longer strings are split into 255 character chunks. | |
0a852541 | 424 | .TP |
832af0ba SK |
425 | .B --ptr-record=<name>[,<target>] |
426 | Return a PTR DNS record. | |
427 | .TP | |
1a6bca81 SK |
428 | .B --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<regexp>[,<replacement>] |
429 | Return an NAPTR DNS record, as specified in RFC3403. | |
430 | .TP | |
9009d746 SK |
431 | .B --cname=<cname>,<target> |
432 | Return a CNAME record which indicates that <cname> is really | |
433 | <target>. There are significant limitations on the target; it must be a | |
434 | DNS name which is known to dnsmasq from /etc/hosts (or additional | |
435 | hosts files) or from DHCP. If the target does not satisfy this | |
436 | criteria, the whole cname is ignored. The cname must be unique, but it | |
437 | is permissable to have more than one cname pointing to the same target. | |
438 | .TP | |
f2621c7f SK |
439 | .B --interface-name=<name>,<interface> |
440 | Return a DNS record associating the name with the primary address on | |
441 | the given interface. This flag specifies an A record for the given | |
442 | name in the same way as an /etc/hosts line, except that the address is | |
443 | not constant, but taken from the given interface. If the interface is | |
9e038946 | 444 | down, not configured or non-existent, an empty record is returned. The |
f2621c7f SK |
445 | matching PTR record is also created, mapping the interface address to |
446 | the name. More than one name may be associated with an interface | |
447 | address by repeating the flag; in that case the first instance is used | |
448 | for the reverse address-to-name mapping. | |
449 | .TP | |
28866e95 SK |
450 | .B --add-mac |
451 | Add the MAC address of the requestor to DNS queries which are | |
452 | forwarded upstream. This may be used to DNS filtering by the upstream | |
453 | server. The MAC address can only be added if the requestor is on the same | |
454 | subnet as the dnsmasq server. Note that the mechanism used to achieve this (an EDNS0 option) | |
455 | is not yet standardised, so this should be considered | |
456 | experimental. Also note that exposing MAC addresses in this way may | |
457 | have security and privacy implications. | |
458 | .TP | |
9e4abcb5 SK |
459 | .B \-c, --cache-size=<cachesize> |
460 | Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. | |
461 | .TP | |
462 | .B \-N, --no-negcache | |
463 | Disable negative caching. Negative caching allows dnsmasq to remember | |
464 | "no such domain" answers from upstream nameservers and answer | |
5aabfc78 | 465 | identical queries without forwarding them again. |
9e4abcb5 | 466 | .TP |
1697269c SK |
467 | .B \-0, --dns-forward-max=<queries> |
468 | Set the maximum number of concurrent DNS queries. The default value is | |
469 | 150, which should be fine for most setups. The only known situation | |
470 | where this needs to be increased is when using web-server log file | |
471 | resolvers, which can generate large numbers of concurrent queries. | |
208b65c5 | 472 | .TP |
28866e95 SK |
473 | .B --proxy-dnssec |
474 | A resolver on a client machine can do DNSSEC validation in two ways: it | |
475 | can perform the cryptograhic operations on the reply it receives, or | |
476 | it can rely on the upstream recursive nameserver to do the validation | |
477 | and set a bit in the reply if it succeeds. Dnsmasq is not a DNSSEC | |
478 | validator, so it cannot perform the validation role of the recursive nameserver, | |
479 | but it can pass through the validation results from its own upstream | |
480 | nameservers. This option enables this behaviour. You should only do | |
481 | this if you trust all the configured upstream nameservers | |
482 | .I and the network between you and them. | |
483 | If you use the first DNSSEC mode, validating resolvers in clients, | |
484 | this option is not required. Dnsmasq always returns all the data | |
485 | needed for a client to do validation itself. | |
486 | .TP | |
7de060b0 SK |
487 | .B --conntrack |
488 | Read the Linux connection track mark associated with incoming DNS | |
489 | queries and set the same mark value on upstream traffic used to answer | |
490 | those queries. This allows traffic generated by dnsmasq to be | |
491 | associated with the queries which cause it, useful for bandwidth | |
492 | accounting and firewalling. Dnsmasq must have conntrack support | |
493 | compiled in and the kernel must have conntrack support | |
494 | included and configured. This option cannot be combined with | |
495 | --query-port. | |
496 | .TP | |
8ef5ada2 | 497 | .B \-F, --dhcp-range=[interface:<interface>,][tag:<tag>[,tag:<tag>],][set:<tag],]<start-addr>,<end-addr>[,<netmask>[,<broadcast>]][,<lease time>] |
9e4abcb5 | 498 | Enable the DHCP server. Addresses will be given out from the range |
44a2a316 SK |
499 | <start-addr> to <end-addr> and from statically defined addresses given |
500 | in | |
501 | .B dhcp-host | |
502 | options. If the lease time is given, then leases | |
b8187c80 | 503 | will be given for that length of time. The lease time is in seconds, |
7622fc06 SK |
504 | or minutes (eg 45m) or hours (eg 1h) or "infinite". If not given, |
505 | the default lease time is one hour. The | |
9e038946 | 506 | minimum lease time is two minutes. This |
9e4abcb5 | 507 | option may be repeated, with different addresses, to enable DHCP |
44a2a316 SK |
508 | service to more than one network. For directly connected networks (ie, |
509 | networks on which the machine running dnsmasq has an interface) the | |
7de060b0 SK |
510 | netmask is optional: dnsmasq will determine it from the interface |
511 | configuration. For networks which receive DHCP service via a relay | |
512 | agent, dnsmasq cannot determine the netmask itself, so it should be | |
513 | specified, otherwise dnsmasq will have to guess, based on the class (A, B or | |
514 | C) of the network address. The broadcast address is | |
7622fc06 | 515 | always optional. It is always |
8ef5ada2 SK |
516 | allowed to have more than one dhcp-range in a single subnet. |
517 | ||
518 | The optional | |
519 | .B set:<tag> | |
520 | sets an alphanumeric label which marks this network so that | |
0a852541 | 521 | dhcp options may be specified on a per-network basis. |
8ef5ada2 | 522 | When it is prefixed with 'tag:' instead, then its meaning changes from setting |
cdeda28f | 523 | a tag to matching it. Only one tag may be set, but more than one tag may be matched. |
0a852541 | 524 | The end address may be replaced by the keyword |
33820b7e SK |
525 | .B static |
526 | which tells dnsmasq to enable DHCP for the network specified, but not | |
7622fc06 | 527 | to dynamically allocate IP addresses: only hosts which have static |
33820b7e SK |
528 | addresses given via |
529 | .B dhcp-host | |
7622fc06 SK |
530 | or from /etc/ethers will be served. The end address may be replaced by |
531 | the keyword | |
532 | .B proxy | |
533 | in which case dnsmasq will provide proxy-DHCP on the specified | |
534 | subnet. (See | |
535 | .B pxe-prompt | |
536 | and | |
537 | .B pxe-service | |
538 | for details.) | |
8ef5ada2 SK |
539 | |
540 | The interface:<interface name> section is not normally used. See the | |
541 | NOTES section for details of this. | |
9e4abcb5 | 542 | .TP |
8ef5ada2 | 543 | .B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore] |
9e4abcb5 SK |
544 | Specify per host parameters for the DHCP server. This allows a machine |
545 | with a particular hardware address to be always allocated the same | |
546 | hostname, IP address and lease time. A hostname specified like this | |
547 | overrides any supplied by the DHCP client on the machine. It is also | |
c72daea8 | 548 | allowable to omit the hardware address and include the hostname, in |
9e4abcb5 SK |
549 | which case the IP address and lease times will apply to any machine |
550 | claiming that name. For example | |
551 | .B --dhcp-host=00:20:e0:3b:13:af,wap,infinite | |
552 | tells dnsmasq to give | |
cdeda28f | 553 | the machine with hardware address 00:20:e0:3b:13:af the name wap, and |
9e4abcb5 SK |
554 | an infinite DHCP lease. |
555 | .B --dhcp-host=lap,192.168.0.199 | |
556 | tells | |
557 | dnsmasq to always allocate the machine lap the IP address | |
8ef5ada2 SK |
558 | 192.168.0.199. |
559 | ||
560 | Addresses allocated like this are not constrained to be | |
561 | in the range given by the --dhcp-range option, but they must be in | |
562 | the same subnet as some valid dhcp-range. For | |
563 | subnets which don't need a pool of dynamically allocated addresses, | |
564 | use the "static" keyword in the dhcp-range declaration. | |
565 | ||
566 | It is allowed to use client identifiers rather than | |
9e4abcb5 SK |
567 | hardware addresses to identify hosts by prefixing with 'id:'. Thus: |
568 | .B --dhcp-host=id:01:02:03:04,..... | |
569 | refers to the host with client identifier 01:02:03:04. It is also | |
570 | allowed to specify the client ID as text, like this: | |
a84fa1d0 | 571 | .B --dhcp-host=id:clientidastext,..... |
9009d746 | 572 | |
a84fa1d0 SK |
573 | The special option id:* means "ignore any client-id |
574 | and use MAC addresses only." This is useful when a client presents a client-id sometimes | |
575 | but not others. | |
9009d746 | 576 | |
1ab84e2f SK |
577 | If a name appears in /etc/hosts, the associated address can be |
578 | allocated to a DHCP lease, but only if a | |
579 | .B --dhcp-host | |
8ef5ada2 SK |
580 | option specifying the name also exists. Only one hostname can be |
581 | given in a | |
582 | .B dhcp-host | |
583 | option, but aliases are possible by using CNAMEs. (See | |
584 | .B --cname | |
585 | ). | |
586 | ||
587 | The special keyword "ignore" | |
33820b7e SK |
588 | tells dnsmasq to never offer a DHCP lease to a machine. The machine |
589 | can be specified by hardware address, client ID or hostname, for | |
590 | instance | |
591 | .B --dhcp-host=00:20:e0:3b:13:af,ignore | |
592 | This is | |
593 | useful when there is another DHCP server on the network which should | |
9009d746 SK |
594 | be used by some machines. |
595 | ||
8ef5ada2 | 596 | The set:<tag> contruct sets the tag |
9009d746 | 597 | whenever this dhcp-host directive is in use. This can be used to |
8ef5ada2 SK |
598 | selectively send DHCP options just for this host. More than one tag |
599 | can be set in a dhcp-host directive (but not in other places where | |
600 | "set:<tag>" is allowed). When a host matches any | |
5aabfc78 | 601 | dhcp-host directive (or one implied by /etc/ethers) then the special |
8ef5ada2 | 602 | tag "known" is set. This allows dnsmasq to be configured to |
5aabfc78 | 603 | ignore requests from unknown machines using |
8ef5ada2 | 604 | .B --dhcp-ignore=tag:!known |
0a852541 SK |
605 | Ethernet addresses (but not client-ids) may have |
606 | wildcard bytes, so for example | |
607 | .B --dhcp-host=00:20:e0:3b:13:*,ignore | |
cdeda28f | 608 | will cause dnsmasq to ignore a range of hardware addresses. Note that |
0a852541 | 609 | the "*" will need to be escaped or quoted on a command line, but not |
9009d746 SK |
610 | in the configuration file. |
611 | ||
612 | Hardware addresses normally match any | |
cdeda28f SK |
613 | network (ARP) type, but it is possible to restrict them to a single |
614 | ARP type by preceding them with the ARP-type (in HEX) and "-". so | |
615 | .B --dhcp-host=06-00:20:e0:3b:13:af,1.2.3.4 | |
616 | will only match a | |
617 | Token-Ring hardware address, since the ARP-address type for token ring | |
9009d746 SK |
618 | is 6. |
619 | ||
620 | As a special case, it is possible to include more than one | |
73a08a24 SK |
621 | hardware address. eg: |
622 | .B --dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2 | |
623 | This allows an IP address to be associated with | |
9009d746 SK |
624 | multiple hardware addresses, and gives dnsmasq permission to abandon a |
625 | DHCP lease to one of the hardware addresses when another one asks for | |
626 | a lease. Beware that this is a dangerous thing to do, it will only | |
627 | work reliably if only one of the hardware addresses is active at any | |
73a08a24 SK |
628 | time and there is no way for dnsmasq to enforce this. It is, for instance, |
629 | useful to allocate a stable IP address to a laptop which | |
9009d746 | 630 | has both wired and wireless interfaces. |
5aabfc78 | 631 | .TP |
28866e95 SK |
632 | .B --dhcp-hostsfile=<path> |
633 | Read DHCP host information from the specified file. If a directory | |
634 | is given, then read all the files contained in that directory. The file contains | |
5aabfc78 SK |
635 | information about one host per line. The format of a line is the same |
636 | as text to the right of '=' in --dhcp-host. The advantage of storing DHCP host information | |
637 | in this file is that it can be changed without re-starting dnsmasq: | |
638 | the file will be re-read when dnsmasq receives SIGHUP. | |
824af85b | 639 | .TP |
28866e95 SK |
640 | .B --dhcp-optsfile=<path> |
641 | Read DHCP option information from the specified file. If a directory | |
642 | is given, then read all the files contained in that directory. The advantage of | |
824af85b | 643 | using this option is the same as for --dhcp-hostsfile: the |
1f15b81d SK |
644 | dhcp-optsfile will be re-read when dnsmasq receives SIGHUP. Note that |
645 | it is possible to encode the information in a | |
646 | .B --dhcp-boot | |
647 | flag as DHCP options, using the options names bootfile-name, | |
648 | server-ip-address and tftp-server. This allows these to be included | |
649 | in a dhcp-optsfile. | |
44a2a316 SK |
650 | .TP |
651 | .B \-Z, --read-ethers | |
652 | Read /etc/ethers for information about hosts for the DHCP server. The | |
653 | format of /etc/ethers is a hardware address, followed by either a | |
654 | hostname or dotted-quad IP address. When read by dnsmasq these lines | |
655 | have exactly the same effect as | |
656 | .B --dhcp-host | |
5aabfc78 SK |
657 | options containing the same information. /etc/ethers is re-read when |
658 | dnsmasq receives SIGHUP. | |
9e4abcb5 | 659 | .TP |
8ef5ada2 | 660 | .B \-O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>],[<value>[,<value>]] |
b8187c80 | 661 | Specify different or extra options to DHCP clients. By default, |
9e4abcb5 SK |
662 | dnsmasq sends some standard options to DHCP clients, the netmask and |
663 | broadcast address are set to the same as the host running dnsmasq, and | |
664 | the DNS server and default route are set to the address of the machine | |
665 | running dnsmasq. If the domain name option has been set, that is sent. | |
f2621c7f SK |
666 | This configuration allows these defaults to be overridden, |
667 | or other options specified. The option, to be sent may be given as a | |
668 | decimal number or as "option:<option-name>" The option numbers are | |
669 | specified in RFC2132 and subsequent RFCs. The set of option-names | |
670 | known by dnsmasq can be discovered by running "dnsmasq --help dhcp". | |
671 | For example, to set the default route option to | |
9e4abcb5 | 672 | 192.168.4.4, do |
f2621c7f SK |
673 | .B --dhcp-option=3,192.168.4.4 |
674 | or | |
675 | .B --dhcp-option = option:router, 192.168.4.4 | |
9e4abcb5 | 676 | and to set the time-server address to 192.168.0.4, do |
f2621c7f SK |
677 | .B --dhcp-option = 42,192.168.0.4 |
678 | or | |
679 | .B --dhcp-option = option:ntp-server, 192.168.0.4 | |
1ab84e2f | 680 | The special address 0.0.0.0 is taken to mean "the address of the |
f6b7dc47 SK |
681 | machine running dnsmasq". Data types allowed are comma separated |
682 | dotted-quad IP addresses, a decimal number, colon-separated hex digits | |
8ef5ada2 SK |
683 | and a text string. If the optional tags are given then |
684 | this option is only sent when all the tags are matched. | |
91dccd09 | 685 | |
cdeda28f | 686 | Special processing is done on a text argument for option 119, to |
832af0ba SK |
687 | conform with RFC 3397. Text or dotted-quad IP addresses as arguments |
688 | to option 120 are handled as per RFC 3361. Dotted-quad IP addresses | |
689 | which are followed by a slash and then a netmask size are encoded as | |
690 | described in RFC 3442. | |
cdeda28f | 691 | |
9e4abcb5 | 692 | Be careful: no checking is done that the correct type of data for the |
26128d27 | 693 | option number is sent, it is quite possible to |
9e4abcb5 | 694 | persuade dnsmasq to generate illegal DHCP packets with injudicious use |
91dccd09 SK |
695 | of this flag. When the value is a decimal number, dnsmasq must determine how |
696 | large the data item is. It does this by examining the option number and/or the | |
b8187c80 | 697 | value, but can be overridden by appending a single letter flag as follows: |
91dccd09 | 698 | b = one byte, s = two bytes, i = four bytes. This is mainly useful with |
3d8df260 SK |
699 | encapsulated vendor class options (see below) where dnsmasq cannot |
700 | determine data size from the option number. Option data which | |
701 | consists solely of periods and digits will be interpreted by dnsmasq | |
702 | as an IP address, and inserted into an option as such. To force a | |
703 | literal string, use quotes. For instance when using option 66 to send | |
704 | a literal IP address as TFTP server name, it is necessary to do | |
705 | .B --dhcp-option=66,"1.2.3.4" | |
91dccd09 SK |
706 | |
707 | Encapsulated Vendor-class options may also be specified using | |
708 | --dhcp-option: for instance | |
1b7ecd11 SK |
709 | .B --dhcp-option=vendor:PXEClient,1,0.0.0.0 |
710 | sends the encapsulated vendor | |
711 | class-specific option "mftp-address=0.0.0.0" to any client whose | |
712 | vendor-class matches "PXEClient". The vendor-class matching is | |
6b01084f SK |
713 | substring based (see --dhcp-vendorclass for details). If a |
714 | vendor-class option (number 60) is sent by dnsmasq, then that is used | |
715 | for selecting encapsulated options in preference to any sent by the | |
716 | client. It is | |
1b7ecd11 SK |
717 | possible to omit the vendorclass completely; |
718 | .B --dhcp-option=vendor:,1,0.0.0.0 | |
719 | in which case the encapsulated option is always sent. | |
73a08a24 SK |
720 | |
721 | Options may be encapsulated within other options: for instance | |
722 | .B --dhcp-option=encap:175, 190, "iscsi-client0" | |
723 | will send option 175, within which is the option 190. If multiple | |
724 | options are given which are encapsulated with the same option number | |
725 | then they will be correctly combined into one encapsulated option. | |
726 | encap: and vendor: are may not both be set in the same dhcp-option. | |
727 | ||
316e2730 SK |
728 | The final variant on encapsulated options is "Vendor-Identifying |
729 | Vendor Options" as specified by RFC3925. These are denoted like this: | |
730 | .B --dhcp-option=vi-encap:2, 10, "text" | |
731 | The number in the vi-encap: section is the IANA enterprise number | |
732 | used to identify this option. | |
733 | ||
1b7ecd11 | 734 | The address 0.0.0.0 is not treated specially in |
73a08a24 | 735 | encapsulated options. |
9e4abcb5 | 736 | .TP |
8ef5ada2 | 737 | .B --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]] |
6b01084f | 738 | This works in exactly the same way as |
f2621c7f SK |
739 | .B --dhcp-option |
740 | except that the option will always be sent, even if the client does | |
6b01084f SK |
741 | not ask for it in the parameter request list. This is sometimes |
742 | needed, for example when sending options to PXELinux. | |
743 | .TP | |
824af85b SK |
744 | .B --dhcp-no-override |
745 | Disable re-use of the DHCP servername and filename fields as extra | |
746 | option space. If it can, dnsmasq moves the boot server and filename | |
747 | information (from dhcp-boot) out of their dedicated fields into | |
748 | DHCP options. This make extra space available in the DHCP packet for | |
749 | options but can, rarely, confuse old or broken clients. This flag | |
750 | forces "simple and safe" behaviour to avoid problems in such a case. | |
751 | .TP | |
8ef5ada2 SK |
752 | .B \-U, --dhcp-vendorclass=set:<tag>,<vendor-class> |
753 | Map from a vendor-class string to a tag. Most DHCP clients provide a | |
a222641c | 754 | "vendor class" which represents, in some sense, the type of host. This option |
f2621c7f | 755 | maps vendor classes to tags, so that DHCP options may be selectively delivered |
a84fa1d0 | 756 | to different classes of hosts. For example |
8ef5ada2 | 757 | .B dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect |
a84fa1d0 | 758 | will allow options to be set only for HP printers like so: |
8ef5ada2 | 759 | .B --dhcp-option=tag:printers,3,192.168.4.4 |
a222641c SK |
760 | The vendor-class string is |
761 | substring matched against the vendor-class supplied by the client, to | |
8ef5ada2 | 762 | allow fuzzy matching. The set: prefix is optional but allowed for consistency. |
a222641c | 763 | .TP |
8ef5ada2 SK |
764 | .B \-j, --dhcp-userclass=set:<tag>,<user-class> |
765 | Map from a user-class string to a tag (with substring | |
a222641c SK |
766 | matching, like vendor classes). Most DHCP clients provide a |
767 | "user class" which is configurable. This option | |
f2621c7f | 768 | maps user classes to tags, so that DHCP options may be selectively delivered |
a222641c SK |
769 | to different classes of hosts. It is possible, for instance to use |
770 | this to set a different printer server for hosts in the class | |
771 | "accounts" than for hosts in the class "engineering". | |
a84fa1d0 | 772 | .TP |
8ef5ada2 SK |
773 | .B \-4, --dhcp-mac=set:<tag>,<MAC address> |
774 | Map from a MAC address to a tag. The MAC address may include | |
cdeda28f | 775 | wildcards. For example |
8ef5ada2 | 776 | .B --dhcp-mac=set:3com,01:34:23:*:*:* |
cdeda28f SK |
777 | will set the tag "3com" for any host whose MAC address matches the pattern. |
778 | .TP | |
8ef5ada2 SK |
779 | .B --dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-remoteid=set:<tag>,<remote-id> |
780 | Map from RFC3046 relay agent options to tags. This data may | |
f2621c7f SK |
781 | be provided by DHCP relay agents. The circuit-id or remote-id is |
782 | normally given as colon-separated hex, but is also allowed to be a | |
783 | simple string. If an exact match is achieved between the circuit or | |
8ef5ada2 SK |
784 | agent ID and one provided by a relay agent, the tag is set. |
785 | .TP | |
786 | .B --dhcp-subscrid=set:<tag>,<subscriber-id> | |
787 | Map from RFC3993 subscriber-id relay agent options to tags. | |
788 | .TP | |
789 | .B --dhcp-proxy[=<ip addr>]...... | |
790 | A normal DHCP relay agent is only used to forward the initial parts of | |
791 | a DHCP interaction to the DHCP server. Once a client is configured, it | |
792 | communicates directly with the server. This is undesirable if the | |
793 | relay agent is addding extra information to the DHCP packets, such as | |
794 | that used by | |
795 | .B dhcp-circuitid | |
796 | and | |
797 | .B dhcp-remoteid. | |
798 | A full relay implementation can use the RFC 5107 serverid-override | |
799 | option to force the DHCP server to use the relay as a full proxy, with all | |
800 | packets passing through it. This flag provides an alternative method | |
801 | of doing the same thing, for relays which don't support RFC | |
802 | 5107. Given alone, it manipulates the server-id for all interactions | |
803 | via relays. If a list of IP addresses is given, only interactions via | |
804 | relays at those addresses are affected. | |
805 | .TP | |
806 | .B --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<enterprise>[,<value>] | |
807 | Without a value, set the tag if the client sends a DHCP | |
73a08a24 SK |
808 | option of the given number or name. When a value is given, set the tag only if |
809 | the option is sent and matches the value. The value may be of the form | |
810 | "01:ff:*:02" in which case the value must match (apart from widcards) | |
811 | but the option sent may have unmatched data past the end of the | |
812 | value. The value may also be of the same form as in | |
813 | .B dhcp-option | |
814 | in which case the option sent is treated as an array, and one element | |
815 | must match, so | |
816 | ||
8ef5ada2 | 817 | --dhcp-match=set:efi-ia32,option:client-arch,6 |
73a08a24 SK |
818 | |
819 | will set the tag "efi-ia32" if the the number 6 appears in the list of | |
820 | architectures sent by the client in option 93. (See RFC 4578 for | |
316e2730 SK |
821 | details.) If the value is a string, substring matching is used. |
822 | ||
823 | The special form with vi-encap:<enterpise number> matches against | |
824 | vendor-identifying vendor classes for the specified enterprise. Please | |
8ef5ada2 SK |
825 | see RFC 3925 for more details of these rare and interesting beasts. |
826 | .TP | |
827 | .B --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]] | |
828 | Perform boolean operations on tags. Any tag appearing as set:<tag> is set if | |
829 | all the tags which appear as tag:<tag> are set, (or unset when tag:!<tag> is used) | |
830 | If no tag:<tag> appears set:<tag> tags are set unconditionally. | |
831 | Any number of set: and tag: forms may appear, in any order. | |
832 | Tag-if lines ares executed in order, so if the tag in tag:<tag> is a | |
833 | tag set by another | |
834 | .B tag-if, | |
835 | the line which sets the tag must precede the one which tests it. | |
836 | .TP | |
837 | .B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>] | |
838 | When all the given tags appear in the tag set ignore the host and do | |
26128d27 SK |
839 | not allocate it a DHCP lease. |
840 | .TP | |
8ef5ada2 SK |
841 | .B --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]] |
842 | When all the given tags appear in the tag set, ignore any hostname | |
9e038946 | 843 | provided by the host. Note that, unlike dhcp-ignore, it is permissible |
8ef5ada2 | 844 | to supply no tags, in which case DHCP-client supplied hostnames |
832af0ba SK |
845 | are always ignored, and DHCP hosts are added to the DNS using only |
846 | dhcp-host configuration in dnsmasq and the contents of /etc/hosts and | |
847 | /etc/ethers. | |
848 | .TP | |
8ef5ada2 SK |
849 | .B --dhcp-generate-names=tag:<tag>[,tag:<tag>] |
850 | Generate a name for DHCP clients which do not otherwise have one, | |
851 | using the MAC address expressed in hex, seperated by dashes. Note that | |
852 | if a host provides a name, it will be used by preference to this, | |
853 | unless | |
854 | .B --dhcp-ignore-names | |
855 | is set. | |
856 | .TP | |
857 | .B --dhcp-broadcast[=tag:<tag>[,tag:<tag>]] | |
858 | When all the given tags appear in the tag set, always use broadcast to | |
859 | communicate with the host when it is unconfigured. It is permissible | |
860 | to supply no tags, in which case this is unconditional. Most DHCP clients which | |
824af85b SK |
861 | need broadcast replies set a flag in their requests so that this |
862 | happens automatically, some old BOOTP clients do not. | |
863 | .TP | |
7de060b0 | 864 | .B \-M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server address>|<tftp_servername>]] |
832af0ba SK |
865 | Set BOOTP options to be returned by the DHCP server. Server name and |
866 | address are optional: if not provided, the name is left empty, and the | |
867 | address set to the address of the machine running dnsmasq. If dnsmasq | |
868 | is providing a TFTP service (see | |
869 | .B --enable-tftp | |
870 | ) then only the filename is required here to enable network booting. | |
8ef5ada2 SK |
871 | If the optional tag(s) are given, |
872 | they must match for this configuration to be sent. | |
7de060b0 SK |
873 | Instead of an IP address, the TFTP server address can be given as a domain |
874 | name which is looked up in /etc/hosts. This name can be associated in | |
875 | /etc/hosts with multiple IP addresses, which are used round-robin. | |
876 | This facility can be used to load balance the tftp load among a set of servers. | |
877 | .TP | |
878 | .B --dhcp-sequential-ip | |
879 | Dnsmasq is designed to choose IP addresses for DHCP clients using a | |
880 | hash of the client's MAC address. This normally allows a client's | |
881 | address to remain stable long-term, even if the client sometimes allows its DHCP | |
882 | lease to expire. In this default mode IP addresses are distributed | |
883 | pseudo-randomly over the entire available address range. There are | |
884 | sometimes circumstances (typically server deployment) where it is more | |
885 | convenient to have IP | |
886 | addresses allocated sequentially, starting from the lowest available | |
887 | address, and setting this flag enables this mode. Note that in the | |
888 | sequential mode, clients which allow a lease to expire are much more | |
889 | likely to move IP address; for this reason it should not be generally used. | |
7622fc06 | 890 | .TP |
751d6f4a | 891 | .B --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservicetype>][,<server address>|<server_name>] |
7622fc06 SK |
892 | Most uses of PXE boot-ROMS simply allow the PXE |
893 | system to obtain an IP address and then download the file specified by | |
894 | .B dhcp-boot | |
895 | and execute it. However the PXE system is capable of more complex | |
896 | functions when supported by a suitable DHCP server. | |
897 | ||
898 | This specifies a boot option which may appear in a PXE boot menu. <CSA> is | |
899 | client system type, only services of the correct type will appear in a | |
900 | menu. The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86, | |
901 | Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI; an | |
902 | integer may be used for other types. The | |
903 | parameter after the menu text may be a file name, in which case dnsmasq acts as a | |
904 | boot server and directs the PXE client to download the file by TFTP, | |
905 | either from itself ( | |
906 | .B enable-tftp | |
751d6f4a SK |
907 | must be set for this to work) or another TFTP server if the final server |
908 | address/name is given. | |
7622fc06 SK |
909 | Note that the "layer" |
910 | suffix (normally ".0") is supplied by PXE, and should not be added to | |
911 | the basename. If an integer boot service type, rather than a basename | |
912 | is given, then the PXE client will search for a | |
913 | suitable boot service for that type on the network. This search may be done | |
751d6f4a | 914 | by broadcast, or direct to a server if its IP address/name is provided. |
316e2730 SK |
915 | If no boot service type or filename is provided (or a boot service type of 0 is specified) |
916 | then the menu entry will abort the net boot procedure and | |
751d6f4a SK |
917 | continue booting from local media. The server address can be given as a domain |
918 | name which is looked up in /etc/hosts. This name can be associated in | |
919 | /etc/hosts with multiple IP addresses, which are used round-robin. | |
7622fc06 | 920 | .TP |
8ef5ada2 | 921 | .B --pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>] |
7622fc06 SK |
922 | Setting this provides a prompt to be displayed after PXE boot. If the |
923 | timeout is given then after the | |
924 | timeout has elapsed with no keyboard input, the first available menu | |
925 | option will be automatically executed. If the timeout is zero then the first available menu | |
926 | item will be executed immediately. If | |
927 | .B pxe-prompt | |
928 | is ommitted the system will wait for user input if there are multiple | |
929 | items in the menu, but boot immediately if | |
930 | there is only one. See | |
931 | .B pxe-service | |
932 | for details of menu items. | |
933 | ||
934 | Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP server on | |
935 | the network is responsible for allocating IP addresses, and dnsmasq | |
936 | simply provides the information given in | |
937 | .B pxe-prompt | |
938 | and | |
939 | .B pxe-service | |
940 | to allow netbooting. This mode is enabled using the | |
941 | .B proxy | |
942 | keyword in | |
943 | .B dhcp-range. | |
9e4abcb5 | 944 | .TP |
44a2a316 SK |
945 | .B \-X, --dhcp-lease-max=<number> |
946 | Limits dnsmasq to the specified maximum number of DHCP leases. The | |
8ef5ada2 | 947 | default is 1000. This limit is to prevent DoS attacks from hosts which |
44a2a316 SK |
948 | create thousands of leases and use lots of memory in the dnsmasq |
949 | process. | |
950 | .TP | |
fd9fa481 | 951 | .B \-K, --dhcp-authoritative |
f2621c7f | 952 | Should be set when dnsmasq is definitely the only DHCP server on a network. |
fd9fa481 SK |
953 | It changes the behaviour from strict RFC compliance so that DHCP requests on |
954 | unknown leases from unknown hosts are not ignored. This allows new hosts | |
cdeda28f SK |
955 | to get a lease without a tedious timeout under all circumstances. It also |
956 | allows dnsmasq to rebuild its lease database without each client needing to | |
9e038946 SK |
957 | reacquire a lease, if the database is lost. |
958 | .TP | |
959 | .B --dhcp-alternate-port[=<server port>[,<client port>]] | |
960 | Change the ports used for DHCP from the default. If this option is | |
961 | given alone, without arguments, it changes the ports used for DHCP | |
962 | from 67 and 68 to 1067 and 1068. If a single argument is given, that | |
963 | port number is used for the server and the port number plus one used | |
964 | for the client. Finally, two port numbers allows arbitrary | |
965 | specification of both server and client ports for DHCP. | |
fd9fa481 | 966 | .TP |
9009d746 | 967 | .B \-3, --bootp-dynamic[=<network-id>[,<network-id>]] |
3d8df260 SK |
968 | Enable dynamic allocation of IP addresses to BOOTP clients. Use this |
969 | with care, since each address allocated to a BOOTP client is leased | |
970 | forever, and therefore becomes permanently unavailable for re-use by | |
9009d746 SK |
971 | other hosts. if this is given without tags, then it unconditionally |
972 | enables dynamic allocation. With tags, only when the tags are all | |
973 | set. It may be repeated with different tag sets. | |
3d8df260 | 974 | .TP |
5e9e0efb SK |
975 | .B \-5, --no-ping |
976 | By default, the DHCP server will attempt to ensure that an address in | |
977 | not in use before allocating it to a host. It does this by sending an | |
978 | ICMP echo request (aka "ping") to the address in question. If it gets | |
979 | a reply, then the address must already be in use, and another is | |
980 | tried. This flag disables this check. Use with caution. | |
981 | .TP | |
f2621c7f SK |
982 | .B --log-dhcp |
983 | Extra logging for DHCP: log all the options sent to DHCP clients and | |
8ef5ada2 | 984 | the tags used to determine them. |
f2621c7f | 985 | .TP |
9e4abcb5 | 986 | .B \-l, --dhcp-leasefile=<path> |
73a08a24 | 987 | Use the specified file to store DHCP lease information. |
208b65c5 | 988 | .TP |
7cebd20f SK |
989 | .B \-6 --dhcp-script=<path> |
990 | Whenever a new DHCP lease is created, or an old one destroyed, the | |
8ef5ada2 SK |
991 | executable specified by this option is run. <path> |
992 | must be an absolute pathname, no PATH search occurs. | |
993 | The arguments to the process | |
7cebd20f | 994 | are "add", "old" or "del", the MAC |
9009d746 | 995 | address of the host, the IP address, and the hostname, |
7cebd20f SK |
996 | if known. "add" means a lease has been created, "del" means it has |
997 | been destroyed, "old" is a notification of an existing lease when | |
208b65c5 SK |
998 | dnsmasq starts or a change to MAC address or hostname of an existing |
999 | lease (also, lease length or expiry and client-id, if leasefile-ro is set). | |
9009d746 SK |
1000 | If the MAC address is from a network type other than ethernet, |
1001 | it will have the network type prepended, eg "06-01:23:45:67:89:ab" for | |
1002 | token ring. The process is run as root (assuming that dnsmasq was originally run as | |
1697269c | 1003 | root) even if dnsmasq is configured to change UID to an unprivileged user. |
8ef5ada2 SK |
1004 | |
1005 | The environment is inherited from the invoker of dnsmasq, with some or | |
1006 | all of the following variables added. | |
1007 | ||
1008 | DNSMASQ_CLIENT_ID if the host provided a client-id. | |
1009 | ||
1010 | DNSMASQ_DOMAIN if the fully-qualified domain name of the host is | |
28866e95 SK |
1011 | known, this is set to the domain part. (Note that the hostname passed |
1012 | to the script as an argument is never fully-qualified.) | |
8ef5ada2 SK |
1013 | |
1014 | If the client provides vendor-class, hostname or user-class, | |
1015 | these are provided in DNSMASQ_VENDOR_CLASS | |
1f15b81d | 1016 | DNSMASQ_SUPPLIED_HOSTNAME and |
1b7ecd11 | 1017 | DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn variables, but only for |
4011c4e0 SK |
1018 | "add" actions or "old" actions when a host resumes an existing lease, |
1019 | since these data are not held in dnsmasq's lease | |
8ef5ada2 SK |
1020 | database. |
1021 | ||
1022 | If dnsmasq was compiled with HAVE_BROKEN_RTC, then | |
208b65c5 | 1023 | the length of the lease (in seconds) is stored in |
1697269c | 1024 | DNSMASQ_LEASE_LENGTH, otherwise the time of lease expiry is stored in |
5aabfc78 SK |
1025 | DNSMASQ_LEASE_EXPIRES. The number of seconds until lease expiry is |
1026 | always stored in DNSMASQ_TIME_REMAINING. | |
8ef5ada2 | 1027 | |
5aabfc78 | 1028 | If a lease used to have a hostname, which is |
1697269c SK |
1029 | removed, an "old" event is generated with the new state of the lease, |
1030 | ie no name, and the former name is provided in the environment | |
8ef5ada2 SK |
1031 | variable DNSMASQ_OLD_HOSTNAME. |
1032 | ||
1033 | DNSMASQ_INTERFACE stores the name of | |
9e038946 | 1034 | the interface on which the request arrived; this is not set for "old" |
8ef5ada2 SK |
1035 | actions when dnsmasq restarts. |
1036 | ||
1037 | DNSMASQ_RELAY_ADDRESS is set if the client | |
316e2730 | 1038 | used a DHCP relay to contact dnsmasq and the IP address of the relay |
8ef5ada2 SK |
1039 | is known. |
1040 | ||
1041 | DNSMASQ_TAGS contains all the tags set during the | |
316e2730 | 1042 | DHCP transaction, separated by spaces. |
8ef5ada2 | 1043 | |
9e038946 | 1044 | All file descriptors are |
7cebd20f SK |
1045 | closed except stdin, stdout and stderr which are open to /dev/null |
1046 | (except in debug mode). | |
8ef5ada2 SK |
1047 | |
1048 | The script is not invoked concurrently: at most one instance | |
1049 | of the script is ever running (dnsmasq waits for an instance of script to exit | |
1050 | before running the next). Changes to the lease database are which | |
1051 | require the script to be invoked are queued awaiting exit of a running instance. | |
1052 | If this queueing allows multiple state changes occur to a single | |
1053 | lease before the script can be run then | |
1054 | earlier states are discarded and the current state of that lease is | |
1055 | reflected when the script finally runs. | |
1056 | ||
1057 | At dnsmasq startup, the script will be invoked for | |
7cebd20f | 1058 | all existing leases as they are read from the lease file. Expired |
8ef5ada2 | 1059 | leases will be called with "del" and others with "old". When dnsmasq |
5aabfc78 | 1060 | receives a HUP signal, the script will be invoked for existing leases |
9e038946 SK |
1061 | with an "old " event. |
1062 | .TP | |
1063 | .B --dhcp-scriptuser | |
1064 | Specify the user as which to run the lease-change script. This defaults to root, but can be changed to another user using this flag. | |
208b65c5 SK |
1065 | .TP |
1066 | .B \-9, --leasefile-ro | |
1067 | Completely suppress use of the lease database file. The file will not | |
1068 | be created, read, or written. Change the way the lease-change | |
1069 | script (if one is provided) is called, so that the lease database may | |
1070 | be maintained in external storage by the script. In addition to the | |
f2621c7f | 1071 | invocations given in |
208b65c5 SK |
1072 | .B --dhcp-script |
1073 | the lease-change script is called once, at dnsmasq startup, with the | |
1074 | single argument "init". When called like this the script should write | |
1075 | the saved state of the lease database, in dnsmasq leasefile format, to | |
1076 | stdout and exit with zero exit code. Setting this | |
1077 | option also forces the leasechange script to be called on changes | |
1078 | to the client-id and lease length and expiry time. | |
9e4abcb5 | 1079 | .TP |
832af0ba SK |
1080 | .B --bridge-interface=<interface>,<alias>[,<alias>] |
1081 | Treat DHCP request packets arriving at any of the <alias> interfaces | |
7622fc06 SK |
1082 | as if they had arrived at <interface>. This option is necessary when |
1083 | using "old style" bridging on BSD platforms, since | |
832af0ba SK |
1084 | packets arrive at tap interfaces which don't have an IP address. |
1085 | .TP | |
28866e95 | 1086 | .B \-s, --domain=<domain>[,<address range>[,local]] |
9009d746 SK |
1087 | Specifies DNS domains for the DHCP server. Domains may be be given |
1088 | unconditionally (without the IP range) or for limited IP ranges. This has two effects; | |
9e4abcb5 SK |
1089 | firstly it causes the DHCP server to return the domain to any hosts |
1090 | which request it, and secondly it sets the domain which it is legal | |
1b7ecd11 SK |
1091 | for DHCP-configured hosts to claim. The intention is to constrain |
1092 | hostnames so that an untrusted host on the LAN cannot advertise | |
1093 | its name via dhcp as e.g. "microsoft.com" and capture traffic not | |
1094 | meant for it. If no domain suffix is specified, then any DHCP | |
1095 | hostname with a domain part (ie with a period) will be disallowed | |
1096 | and logged. If suffix is specified, then hostnames with a domain | |
1097 | part are allowed, provided the domain part matches the suffix. In | |
1098 | addition, when a suffix is set then hostnames without a domain | |
1099 | part have the suffix added as an optional domain part. Eg on my network I can set | |
3d8df260 | 1100 | .B --domain=thekelleys.org.uk |
9e4abcb5 SK |
1101 | and have a machine whose DHCP hostname is "laptop". The IP address for that machine is available from |
1102 | .B dnsmasq | |
de37951c SK |
1103 | both as "laptop" and "laptop.thekelleys.org.uk". If the domain is |
1104 | given as "#" then the domain is read from the first "search" directive | |
28866e95 SK |
1105 | in /etc/resolv.conf (or equivalent). |
1106 | ||
1107 | The address range can be of the form | |
9009d746 SK |
1108 | <ip address>,<ip address> or <ip address>/<netmask> or just a single |
1109 | <ip address>. See | |
1110 | .B --dhcp-fqdn | |
1111 | which can change the behaviour of dnsmasq with domains. | |
28866e95 SK |
1112 | |
1113 | If the address range is given as ip-address/network-size, then a | |
1114 | additional flag "local" may be supplied which has the effect of adding | |
1115 | --local declarations for forward and reverse DNS queries. Eg. | |
1116 | .B --domain=thekelleys.org.uk,192.168.0.0/24,local | |
1117 | is identical to | |
1118 | .B --domain=thekelleys.org.uk,192.168.0.0/24 | |
1119 | --local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/ | |
1120 | The network size must be 8, 16 or 24 for this to be legal. | |
9009d746 SK |
1121 | .TP |
1122 | .B --dhcp-fqdn | |
1123 | In the default mode, dnsmasq inserts the unqualified names of | |
1124 | DHCP clients into the DNS. For this reason, the names must be unique, | |
1125 | even if two clients which have the same name are in different | |
1126 | domains. If a second DHCP client appears which has the same name as an | |
1127 | existing client, the name is transfered to the new client. If | |
1128 | .B --dhcp-fqdn | |
1129 | is set, this behaviour changes: the unqualified name is no longer | |
1130 | put in the DNS, only the qualified name. Two DHCP clients with the | |
1131 | same name may both keep the name, provided that the domain part is | |
1132 | different (ie the fully qualified names differ.) To ensure that all | |
1133 | names have a domain part, there must be at least | |
1134 | .B --domain | |
1135 | without an address specified when | |
1136 | .B --dhcp-fqdn | |
1137 | is set. | |
9e4abcb5 | 1138 | .TP |
c72daea8 SK |
1139 | .B --dhcp-client-update |
1140 | Normally, when giving a DHCP lease, dnsmasq sets flags in the FQDN | |
1141 | option to tell the client not to attempt a DDNS update with its name | |
1142 | and IP address. This is because the name-IP pair is automatically | |
1143 | added into dnsmasq's DNS view. This flag suppresses that behaviour, | |
1144 | this is useful, for instance, to allow Windows clients to update | |
1145 | Active Directory servers. See RFC 4702 for details. | |
1146 | .TP | |
8ef5ada2 | 1147 | .B --enable-tftp[=<interface>] |
832af0ba | 1148 | Enable the TFTP server function. This is deliberately limited to that |
9e038946 | 1149 | needed to net-boot a client. Only reading is allowed; the tsize and |
8ef5ada2 SK |
1150 | blksize extensions are supported (tsize is only supported in octet |
1151 | mode). See NOTES section for use of the interface argument. | |
1152 | ||
832af0ba | 1153 | .TP |
8ef5ada2 | 1154 | .B --tftp-root=<directory>[,<interface>] |
832af0ba SK |
1155 | Look for files to transfer using TFTP relative to the given |
1156 | directory. When this is set, TFTP paths which include ".." are | |
1157 | rejected, to stop clients getting outside the specified root. | |
f2621c7f | 1158 | Absolute paths (starting with /) are allowed, but they must be within |
8ef5ada2 SK |
1159 | the tftp-root. If the optional interface argument is given, the |
1160 | directory is only used for TFTP requests via that interface. | |
832af0ba | 1161 | .TP |
5aabfc78 SK |
1162 | .B --tftp-unique-root |
1163 | Add the IP address of the TFTP client as a path component on the end | |
1164 | of the TFTP-root (in standard dotted-quad format). Only valid if a | |
1165 | tftp-root is set and the directory exists. For instance, if tftp-root is "/tftp" and client | |
1166 | 1.2.3.4 requests file "myfile" then the effective path will be | |
1167 | "/tftp/1.2.3.4/myfile" if /tftp/1.2.3.4 exists or /tftp/myfile otherwise. | |
1168 | .TP | |
832af0ba | 1169 | .B --tftp-secure |
5aabfc78 | 1170 | Enable TFTP secure mode: without this, any file which is readable by |
832af0ba SK |
1171 | the dnsmasq process under normal unix access-control rules is |
1172 | available via TFTP. When the --tftp-secure flag is given, only files | |
1173 | owned by the user running the dnsmasq process are accessible. If | |
1174 | dnsmasq is being run as root, different rules apply: --tftp-secure | |
1b7ecd11 | 1175 | has no effect, but only files which have the world-readable bit set |
832af0ba SK |
1176 | are accessible. It is not recommended to run dnsmasq as root with TFTP |
1177 | enabled, and certainly not without specifying --tftp-root. Doing so | |
1178 | can expose any world-readable file on the server to any host on the net. | |
1179 | .TP | |
1180 | .B --tftp-max=<connections> | |
1181 | Set the maximum number of concurrent TFTP connections allowed. This | |
1182 | defaults to 50. When serving a large number of TFTP connections, | |
1183 | per-process file descriptor limits may be encountered. Dnsmasq needs | |
1184 | one file descriptor for each concurrent TFTP connection and one | |
1185 | file descriptor per unique file (plus a few others). So serving the | |
1186 | same file simultaneously to n clients will use require about n + 10 file | |
1187 | descriptors, serving different files simultaneously to n clients will | |
824af85b SK |
1188 | require about (2*n) + 10 descriptors. If |
1189 | .B --tftp-port-range | |
1190 | is given, that can affect the number of concurrent connections. | |
6b01084f SK |
1191 | .TP |
1192 | .B --tftp-no-blocksize | |
1193 | Stop the TFTP server from negotiating the "blocksize" option with a | |
1194 | client. Some buggy clients request this option but then behave badly | |
1195 | when it is granted. | |
824af85b SK |
1196 | .TP |
1197 | .B --tftp-port-range=<start>,<end> | |
1198 | A TFTP server listens on a well-known port (69) for connection initiation, | |
1199 | but it also uses a dynamically-allocated port for each | |
1200 | connection. Normally these are allocated by the OS, but this option | |
1201 | specifies a range of ports for use by TFTP transfers. This can be | |
1202 | useful when TFTP has to traverse a firewall. The start of the range | |
1203 | cannot be lower than 1025 unless dnsmasq is running as root. The number | |
1204 | of concurrent TFTP connections is limited by the size of the port range. | |
832af0ba | 1205 | .TP |
b8187c80 SK |
1206 | .B \-C, --conf-file=<file> |
1207 | Specify a different configuration file. The conf-file option is also allowed in | |
28866e95 SK |
1208 | configuration files, to include multiple configuration files. A |
1209 | filename of "-" causes dnsmasq to read configuration from stdin. | |
849a8357 | 1210 | .TP |
1f15b81d | 1211 | .B \-7, --conf-dir=<directory>[,<file-extension>......] |
849a8357 | 1212 | Read all the files in the given directory as configuration |
1f15b81d SK |
1213 | files. If extension(s) are given, any files which end in those |
1214 | extensions are skipped. Any files whose names end in ~ or start with . or start and end | |
1215 | with # are always skipped. This flag may be given on the command | |
849a8357 | 1216 | line or in a configuration file. |
9e4abcb5 | 1217 | .SH CONFIG FILE |
3be34541 SK |
1218 | At startup, dnsmasq reads |
1219 | .I /etc/dnsmasq.conf, | |
1220 | if it exists. (On | |
1221 | FreeBSD, the file is | |
1222 | .I /usr/local/etc/dnsmasq.conf | |
b8187c80 SK |
1223 | ) (but see the |
1224 | .B \-C | |
849a8357 SK |
1225 | and |
1226 | .B \-7 | |
1227 | options.) The format of this | |
9e4abcb5 SK |
1228 | file consists of one option per line, exactly as the long options detailed |
1229 | in the OPTIONS section but without the leading "--". Lines starting with # are comments and ignored. For | |
b49644f3 | 1230 | options which may only be specified once, the configuration file overrides |
b8187c80 | 1231 | the command line. Quoting is allowed in a config file: |
3d8df260 | 1232 | between " quotes the special meanings of ,:. and # are removed and the |
824af85b SK |
1233 | following escapes are allowed: \\\\ \\" \\t \\e \\b \\r and \\n. The later |
1234 | corresponding to tab, escape, backspace, return and newline. | |
9e4abcb5 SK |
1235 | .SH NOTES |
1236 | When it receives a SIGHUP, | |
1237 | .B dnsmasq | |
3be34541 | 1238 | clears its cache and then re-loads |
5aabfc78 SK |
1239 | .I /etc/hosts |
1240 | and | |
1241 | .I /etc/ethers | |
824af85b | 1242 | and any file given by --dhcp-hostsfile, --dhcp-optsfile or --addn-hosts. |
5aabfc78 SK |
1243 | The dhcp lease change script is called for all |
1244 | existing DHCP leases. If | |
9e4abcb5 SK |
1245 | .B |
1246 | --no-poll | |
3be34541 SK |
1247 | is set SIGHUP also re-reads |
1248 | .I /etc/resolv.conf. | |
1249 | SIGHUP | |
b49644f3 | 1250 | does NOT re-read the configuration file. |
9e4abcb5 SK |
1251 | .PP |
1252 | When it receives a SIGUSR1, | |
1253 | .B dnsmasq | |
824af85b | 1254 | writes statistics to the system log. It writes the cache size, |
9e4abcb5 SK |
1255 | the number of names which have had to removed from the cache before |
1256 | they expired in order to make room for new names and the total number | |
824af85b SK |
1257 | of names that have been inserted into the cache. For each upstream |
1258 | server it gives the number of queries sent, and the number which | |
1259 | resulted in an error. In | |
9e4abcb5 | 1260 | .B --no-daemon |
5aabfc78 SK |
1261 | mode or when full logging is enabled (-q), a complete dump of the |
1262 | contents of the cache is made. | |
1263 | .PP | |
1264 | When it receives SIGUSR2 and it is logging direct to a file (see | |
1265 | .B --log-facility | |
1266 | ) | |
1267 | .B dnsmasq | |
1268 | will close and reopen the log file. Note that during this operation, | |
1269 | dnsmasq will not be running as root. When it first creates the logfile | |
1270 | dnsmasq changes the ownership of the file to the non-root user it will run | |
1271 | as. Logrotate should be configured to create a new log file with | |
9e038946 | 1272 | the ownership which matches the existing one before sending SIGUSR2. |
5aabfc78 SK |
1273 | If TCP DNS queries are in progress, the old logfile will remain open in |
1274 | child processes which are handling TCP queries and may continue to be | |
1275 | written. There is a limit of 150 seconds, after which all existing TCP | |
1276 | processes will have expired: for this reason, it is not wise to | |
1277 | configure logfile compression for logfiles which have just been | |
1278 | rotated. Using logrotate, the required options are | |
1279 | .B create | |
1280 | and | |
1281 | .B delaycompress. | |
1282 | ||
1283 | ||
9e4abcb5 | 1284 | .PP |
9e4abcb5 SK |
1285 | Dnsmasq is a DNS query forwarder: it it not capable of recursively |
1286 | answering arbitrary queries starting from the root servers but | |
1287 | forwards such queries to a fully recursive upstream DNS server which is | |
1288 | typically provided by an ISP. By default, dnsmasq reads | |
3be34541 SK |
1289 | .I /etc/resolv.conf |
1290 | to discover the IP | |
9e4abcb5 SK |
1291 | addresses of the upstream nameservers it should use, since the |
1292 | information is typically stored there. Unless | |
1293 | .B --no-poll | |
1294 | is used, | |
1295 | .B dnsmasq | |
3be34541 SK |
1296 | checks the modification time of |
1297 | .I /etc/resolv.conf | |
1298 | (or equivalent if | |
9e4abcb5 SK |
1299 | .B \--resolv-file |
1300 | is used) and re-reads it if it changes. This allows the DNS servers to | |
1301 | be set dynamically by PPP or DHCP since both protocols provide the | |
1302 | information. | |
3be34541 SK |
1303 | Absence of |
1304 | .I /etc/resolv.conf | |
1305 | is not an error | |
9e4abcb5 | 1306 | since it may not have been created before a PPP connection exists. Dnsmasq |
3be34541 SK |
1307 | simply keeps checking in case |
1308 | .I /etc/resolv.conf | |
1309 | is created at any | |
9e4abcb5 SK |
1310 | time. Dnsmasq can be told to parse more than one resolv.conf |
1311 | file. This is useful on a laptop, where both PPP and DHCP may be used: | |
3be34541 SK |
1312 | dnsmasq can be set to poll both |
1313 | .I /etc/ppp/resolv.conf | |
1314 | and | |
1315 | .I /etc/dhcpc/resolv.conf | |
1316 | and will use the contents of whichever changed | |
9e4abcb5 SK |
1317 | last, giving automatic switching between DNS servers. |
1318 | .PP | |
1319 | Upstream servers may also be specified on the command line or in | |
b49644f3 | 1320 | the configuration file. These server specifications optionally take a |
9e4abcb5 SK |
1321 | domain name which tells dnsmasq to use that server only to find names |
1322 | in that particular domain. | |
1323 | .PP | |
1324 | In order to configure dnsmasq to act as cache for the host on which it is running, put "nameserver 127.0.0.1" in | |
1325 | .I /etc/resolv.conf | |
1326 | to force local processes to send queries to | |
1327 | dnsmasq. Then either specify the upstream servers directly to dnsmasq | |
1328 | using | |
1329 | .B \--server | |
1330 | options or put their addresses real in another file, say | |
1331 | .I /etc/resolv.dnsmasq | |
1332 | and run dnsmasq with the | |
1333 | .B \-r /etc/resolv.dnsmasq | |
1334 | option. This second technique allows for dynamic update of the server | |
1335 | addresses by PPP or DHCP. | |
f6b7dc47 SK |
1336 | .PP |
1337 | Addresses in /etc/hosts will "shadow" different addresses for the same | |
1338 | names in the upstream DNS, so "mycompany.com 1.2.3.4" in /etc/hosts will ensure that | |
1339 | queries for "mycompany.com" always return 1.2.3.4 even if queries in | |
1340 | the upstream DNS would otherwise return a different address. There is | |
1341 | one exception to this: if the upstream DNS contains a CNAME which | |
1342 | points to a shadowed name, then looking up the CNAME through dnsmasq | |
1343 | will result in the unshadowed address associated with the target of | |
1344 | the CNAME. To work around this, add the CNAME to /etc/hosts so that | |
1345 | the CNAME is shadowed too. | |
1346 | ||
3be34541 | 1347 | .PP |
8ef5ada2 SK |
1348 | The tag system works as follows: For each DHCP request, dnsmasq |
1349 | collects a set of valid tags from active configuration lines which | |
1350 | include set:<tag>, including one from the | |
26128d27 SK |
1351 | .B dhcp-range |
1352 | used to allocate the address, one from any matching | |
1353 | .B dhcp-host | |
9009d746 | 1354 | (and "known" if a dhcp-host matches) |
8ef5ada2 SK |
1355 | The tag "bootp" is set for BOOTP requests, and a tag whose name is the |
1356 | name of the interface on which the request arrived is also set. | |
1357 | ||
1358 | Any configuration lines which includes one or more tag:<tag> contructs | |
1359 | will only be valid if all that tags are matched in the set derived | |
1360 | above. Typically this is dhcp-option. | |
26128d27 | 1361 | .B dhcp-option |
8ef5ada2 | 1362 | which has tags will be used in preference to an untagged |
26128d27 SK |
1363 | .B dhcp-option, |
1364 | provided that _all_ the tags match somewhere in the | |
8ef5ada2 SK |
1365 | set collected as described above. The prefix '!' on a tag means 'not' |
1366 | so --dhcp=option=tag:!purple,3,1.2.3.4 sends the option when the | |
1367 | tag purple is not in the set of valid tags. (If using this in a | |
1368 | command line rather than a configuration file, be sure to escape !, | |
1369 | which is a shell metacharacter) | |
7de060b0 SK |
1370 | |
1371 | When selecting dhcp-options, a tag from dhcp-range is second class | |
1372 | relative to other tags, to make it easy to override options for | |
1373 | individual hosts, so | |
1374 | .B dhcp-range=set:interface1,...... | |
1375 | .B dhcp-host=set:myhost,..... | |
1376 | .B dhcp-option=tag:interface1,option:nis-domain,"domain1" | |
1377 | .B dhcp-option=tag:myhost,option:nis-domain,"domain2" | |
1378 | will set the NIS-domain to domain1 for hosts in the range, but | |
1379 | override that to domain2 for a particular host. | |
1380 | ||
26128d27 | 1381 | .PP |
8ef5ada2 | 1382 | Note that for |
f6b7dc47 | 1383 | .B dhcp-range |
8ef5ada2 SK |
1384 | both tag:<tag> and set:<tag> are allowed, to both select the range in |
1385 | use based on (eg) dhcp-host, and to affect the options sent, based on | |
1386 | the range selected. | |
1387 | ||
1388 | This system evolved from an earlier, more limited one and for backward | |
1389 | compatibility "net:" may be used instead of "tag:" and "set:" may be | |
1390 | omitted. (Except in | |
1391 | .B dhcp-host, | |
1392 | where "net:" may be used instead of "set:".) For the same reason, '#' | |
1393 | may be used instead of '!' to indicate NOT. | |
f6b7dc47 | 1394 | .PP |
3be34541 SK |
1395 | The DHCP server in dnsmasq will function as a BOOTP server also, |
1396 | provided that the MAC address and IP address for clients are given, | |
1397 | either using | |
1398 | .B dhcp-host | |
1399 | configurations or in | |
1400 | .I /etc/ethers | |
1401 | , and a | |
1402 | .B dhcp-range | |
1403 | configuration option is present to activate the DHCP server | |
b8187c80 SK |
1404 | on a particular network. (Setting --bootp-dynamic removes the need for |
1405 | static address mappings.) The filename | |
8ef5ada2 SK |
1406 | parameter in a BOOTP request is used as a tag, |
1407 | as is the tag "bootp", allowing some control over the options returned to | |
3be34541 SK |
1408 | different classes of hosts. |
1409 | ||
8ef5ada2 SK |
1410 | .B dhcp-range |
1411 | may have an interface name supplied as | |
1412 | "interface:<interface-name>". The semantics if this are as follows: | |
1413 | For DHCP, if any other dhcp-range exists _without_ an interface name, | |
1414 | then the interface name is ignored and and dnsmasq behaves as if the | |
1415 | interface parts did not exist, otherwise DHCP is only provided to | |
1416 | interfaces mentioned in dhcp-range | |
1417 | declarations. For DNS, if there are no | |
1418 | .B --interface | |
1419 | or | |
1420 | .B --listen-address | |
1421 | flags, behaviour is unchanged by the interface part. If either of | |
1422 | these flags are present, the interfaces mentioned in | |
1423 | dhcp-ranges are added to the set which get DNS service. | |
1424 | ||
1425 | Similarly, | |
1426 | .B enable-tftp | |
1427 | may take an interface name, which enables TFTP only for a particular | |
1428 | interface, ignoring | |
1429 | .B --interface | |
1430 | or | |
1431 | .B --listen-address | |
1432 | flags. In addition | |
1433 | .B --tftp-secure | |
1434 | and | |
1435 | .B --tftp-unique-root | |
1436 | and | |
1437 | .B --tftp-no-blocksize | |
1438 | are ignored for requests from such interfaces. (A | |
1439 | .B --tftp-root | |
1440 | directive giving a root path and an interface should be | |
1441 | provided too.) | |
1442 | ||
1443 | These rules may seem odd at first sight, but they | |
1444 | allow a single line of the form "dhcp-range=interface:virt0,192.168.0.4,192.168.0.200" | |
1445 | to be added to dnsmasq configuration which then supplies | |
1446 | DHCP and DNS services to that interface, without affecting | |
1447 | what services are supplied to other interfaces and irrespective of | |
1448 | the existance or lack of "interface=<interface>" | |
1449 | lines elsewhere in the dnsmasq configuration. | |
1450 | "enable-tftp=virt0" and "tftp-root=<root>,virt0" do the same job for TFTP. | |
1451 | The idea is | |
1452 | that such a line can be added automatically by libvirt | |
1453 | or equivalent systems, without disturbing any manual | |
1454 | configuration. | |
1455 | ||
5aabfc78 SK |
1456 | .SH EXIT CODES |
1457 | .PP | |
1458 | 0 - Dnsmasq successfully forked into the background, or terminated | |
1459 | normally if backgrounding is not enabled. | |
1460 | .PP | |
1461 | 1 - A problem with configuration was detected. | |
1462 | .PP | |
1463 | 2 - A problem with network access occurred (address in use, attempt | |
1464 | to use privileged ports without permission). | |
1465 | .PP | |
9e038946 | 1466 | 3 - A problem occurred with a filesystem operation (missing |
5aabfc78 SK |
1467 | file/directory, permissions). |
1468 | .PP | |
1469 | 4 - Memory allocation failure. | |
1470 | .PP | |
1471 | 5 - Other miscellaneous problem. | |
1472 | .PP | |
1473 | 11 or greater - a non zero return code was received from the | |
1474 | lease-script process "init" call. The exit code from dnsmasq is the | |
1475 | script's exit code with 10 added. | |
1476 | ||
1b7ecd11 SK |
1477 | .SH LIMITS |
1478 | The default values for resource limits in dnsmasq are generally | |
1479 | conservative, and appropriate for embedded router type devices with | |
1480 | slow processors and limited memory. On more capable hardware, it is | |
1481 | possible to increase the limits, and handle many more clients. The | |
1482 | following applies to dnsmasq-2.37: earlier versions did not scale as well. | |
1483 | ||
1484 | .PP | |
1485 | Dnsmasq is capable of handling DNS and DHCP for at least a thousand | |
8ef5ada2 | 1486 | clients. The DHCP lease times should not be very short (less than one hour). The |
1b7ecd11 SK |
1487 | value of |
1488 | .B --dns-forward-max | |
1489 | can be increased: start with it equal to | |
1490 | the number of clients and increase if DNS seems slow. Note that DNS | |
1491 | performance depends too on the performance of the upstream | |
1492 | nameservers. The size of the DNS cache may be increased: the hard | |
1493 | limit is 10000 names and the default (150) is very low. Sending | |
1494 | SIGUSR1 to dnsmasq makes it log information which is useful for tuning | |
1495 | the cache size. See the | |
1496 | .B NOTES | |
1497 | section for details. | |
1498 | ||
1499 | .PP | |
1500 | The built-in TFTP server is capable of many simultaneous file | |
1501 | transfers: the absolute limit is related to the number of file-handles | |
1502 | allowed to a process and the ability of the select() system call to | |
1503 | cope with large numbers of file handles. If the limit is set too high | |
1504 | using | |
1505 | .B --tftp-max | |
1506 | it will be scaled down and the actual limit logged at | |
1507 | start-up. Note that more transfers are possible when the same file is | |
1508 | being sent than when each transfer sends a different file. | |
1509 | ||
1510 | .PP | |
1511 | It is possible to use dnsmasq to block Web advertising by using a list | |
1512 | of known banner-ad servers, all resolving to 127.0.0.1 or 0.0.0.0, in | |
1513 | .B /etc/hosts | |
1514 | or an additional hosts file. The list can be very long, | |
1515 | dnsmasq has been tested successfully with one million names. That size | |
1516 | file needs a 1GHz processor and about 60Mb of RAM. | |
1517 | ||
1f15b81d SK |
1518 | .SH INTERNATIONALISATION |
1519 | Dnsmasq can be compiled to support internationalisation. To do this, | |
1520 | the make targets "all-i18n" and "install-i18n" should be used instead of | |
1521 | the standard targets "all" and "install". When internationalisation | |
1522 | is compiled in, dnsmasq will produce log messages in the local | |
1523 | language and support internationalised domain names (IDN). Domain | |
1524 | names in /etc/hosts, /etc/ethers and /etc/dnsmasq.conf which contain | |
1525 | non-ASCII characters will be translated to the DNS-internal punycode | |
1526 | representation. Note that | |
1527 | dnsmasq determines both the language for messages and the assumed | |
1528 | charset for configuration | |
1529 | files from the LANG environment variable. This should be set to the system | |
1530 | default value by the script which is responsible for starting | |
1531 | dnsmasq. When editing the configuration files, be careful to do so | |
1532 | using only the system-default locale and not user-specific one, since | |
1533 | dnsmasq has no direct way of determining the charset in use, and must | |
1534 | assume that it is the system default. | |
1535 | ||
9e4abcb5 | 1536 | .SH FILES |
b49644f3 SK |
1537 | .IR /etc/dnsmasq.conf |
1538 | ||
1539 | .IR /usr/local/etc/dnsmasq.conf | |
9e4abcb5 SK |
1540 | |
1541 | .IR /etc/resolv.conf | |
28866e95 SK |
1542 | .IR /var/run/dnsmasq/resolv.conf |
1543 | .IR /etc/ppp/resolv.conf | |
1544 | .IR /etc/dhcpc/resolv.conf | |
9e4abcb5 SK |
1545 | |
1546 | .IR /etc/hosts | |
1547 | ||
3be34541 SK |
1548 | .IR /etc/ethers |
1549 | ||
b49644f3 SK |
1550 | .IR /var/lib/misc/dnsmasq.leases |
1551 | ||
1552 | .IR /var/db/dnsmasq.leases | |
9e4abcb5 SK |
1553 | |
1554 | .IR /var/run/dnsmasq.pid | |
1555 | .SH SEE ALSO | |
9e4abcb5 SK |
1556 | .BR hosts (5), |
1557 | .BR resolver (5) | |
1558 | .SH AUTHOR | |
1559 | This manual page was written by Simon Kelley <simon@thekelleys.org.uk>. | |
1560 | ||
1561 |