source: src/router/dnsmasq/man/dnsmasq.8 @ 31703

Last change on this file since 31703 was 31703, checked in by brainslayer, 3 months ago

latest dnsmasq

File size: 105.7 KB
3dnsmasq \- A lightweight DHCP and caching DNS server.
5.B dnsmasq
6.I [OPTION]...
8.BR dnsmasq
9is a lightweight DNS, TFTP, PXE, router advertisement and DHCP server. It is intended to provide
10coupled DNS and DHCP service to a LAN.
12Dnsmasq accepts DNS queries and either answers them from a small, local,
13cache or forwards them to a real, recursive, DNS server. It loads the
14contents of /etc/hosts so that local hostnames
15which do not appear in the global DNS can be resolved and also answers
16DNS queries for DHCP configured hosts. It can also act as the
17authoritative DNS server for one or more domains, allowing local names
18to appear in the global DNS. It can be configured to do DNSSEC
21The dnsmasq DHCP server supports static address assignments and multiple
22networks. It automatically
23sends a sensible default set of DHCP options, and can be configured to
24send any desired set of DHCP options, including vendor-encapsulated
25options. It includes a secure, read-only,
26TFTP server to allow net/PXE boot of DHCP hosts and also supports BOOTP. The PXE support is full featured, and includes a proxy mode which supplies PXE information to clients whilst DHCP address allocation is done by another server.
28The dnsmasq DHCPv6 server provides the same set of features as the
29DHCPv4 server, and in addition, it includes router advertisements and
30a neat feature which allows nameing for clients which use DHCPv4 and
31stateless autoconfiguration only for IPv6 configuration. There is support for doing address allocation (both DHCPv6 and RA) from subnets which are dynamically delegated via DHCPv6 prefix delegation.
33Dnsmasq is coded with small embedded systems in mind. It aims for the smallest possible memory footprint compatible with the supported functions,  and allows unneeded functions to be omitted from the compiled binary. 
35Note that in general missing parameters are allowed and switch off
36functions, for instance "--pid-file" disables writing a PID file. On
37BSD, unless the GNU getopt library is linked, the long form of the
38options does not work on the command line; it is still recognised in
39the configuration file.
41.B --test
42Read and syntax check configuration file(s). Exit with code 0 if all
43is OK, or a non-zero code otherwise. Do not start up dnsmasq.
45.B \-w, --help
46Display all command-line options.
47.B --help dhcp
48will display known DHCPv4 configuration options, and
49.B --help dhcp6
50will display DHCPv6 options.
52.B \-h, --no-hosts
53Don't read the hostnames in /etc/hosts.
55.B \-H, --addn-hosts=<file>
56Additional hosts file. Read the specified file as well as /etc/hosts. If -h is given, read
57only the specified file. This option may be repeated for more than one
58additional hosts file. If a directory is given, then read all the files contained in that directory.
60.B --hostsdir=<path>
61Read all the hosts files contained in the directory. New or changed files
62are read automatically. See --dhcp-hostsdir for details.
64.B \-E, --expand-hosts
65Add the domain to simple names (without a period) in /etc/hosts
66in the same way as for DHCP-derived names. Note that this does not
67apply to domain names in cnames, PTR records, TXT records etc.
69.B \-T, --local-ttl=<time>
70When replying with information from /etc/hosts or configuration or the DHCP leases
71file dnsmasq by default sets the time-to-live field to zero, meaning
72that the requester should not itself cache the information. This is
73the correct thing to do in almost all situations. This option allows a
74time-to-live (in seconds) to be given for these replies. This will
75reduce the load on the server at the expense of clients using stale
76data under some circumstances.
78.B --dhcp-ttl=<time>
79As for --local-ttl, but affects only replies with information from DHCP leases. If both are given, --dhcp-ttl applies for DHCP information, and --local-ttl for others. Setting this to zero eliminates the effect of --local-ttl for DHCP.
81.B --neg-ttl=<time>
82Negative replies from upstream servers normally contain time-to-live
83information in SOA records which dnsmasq uses for caching. If the
84replies from upstream servers omit this information, dnsmasq does not
85cache the reply. This option gives a default value for time-to-live
86(in seconds) which dnsmasq uses to cache negative replies even in
87the absence of an SOA record.
89.B --max-ttl=<time>
90Set a maximum TTL value that will be handed out to clients. The specified
91maximum TTL will be given to clients instead of the true TTL value if it is
92lower. The true TTL value is however kept in the cache to avoid flooding
93the upstream DNS servers.
95.B --max-cache-ttl=<time>
96Set a maximum TTL value for entries in the cache.
98.B --min-cache-ttl=<time>
99Extend short TTL values to the time given when caching them. Note that
100artificially extending TTL values is in general a bad idea, do not do it
101unless you have a good reason, and understand what you are doing.
102Dnsmasq limits the value of this option to one hour, unless recompiled.
104.B --auth-ttl=<time>
105Set the TTL value returned in answers from the authoritative server.
107.B \-k, --keep-in-foreground
108Do not go into the background at startup but otherwise run as
109normal. This is intended for use when dnsmasq is run under daemontools
110or launchd.
112.B \-d, --no-daemon
113Debug mode: don't fork to the background, don't write a pid file,
114don't change user id, generate a complete cache dump on receipt on
115SIGUSR1, log to stderr as well as syslog, don't fork new processes
116to handle TCP queries. Note that this option is for use in debugging
117only, to stop dnsmasq daemonising in production, use
118.B -k.
120.B \-q, --log-queries
121Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1. If the argument "extra" is supplied, ie
122.B --log-queries=extra
123then the log has extra information at the start of each line.
124This consists of a serial number which ties together the log lines associated with an individual query, and the IP address of the requestor.
126.B \-8, --log-facility=<facility>
127Set the facility to which dnsmasq will send syslog entries, this
128defaults to DAEMON, and to LOCAL0 when debug mode is in operation. If
129the facility given contains at least one '/' character, it is taken to
130be a filename, and dnsmasq logs to the given file, instead of
131syslog. If the facility is '-' then dnsmasq logs to stderr.
132(Errors whilst reading configuration will still go to syslog,
133but all output from a successful startup, and all output whilst
134running, will go exclusively to the file.) When logging to a file,
135dnsmasq will close and reopen the file when it receives SIGUSR2. This
136allows the log file to be rotated without stopping dnsmasq.
138.B --log-async[=<lines>]
139Enable asynchronous logging and optionally set the limit on the
140number of lines
141which will be queued by dnsmasq when writing to the syslog is slow.
142Dnsmasq can log asynchronously: this
143allows it to continue functioning without being blocked by syslog, and
144allows syslog to use dnsmasq for DNS queries without risking deadlock.
145If the queue of log-lines becomes full, dnsmasq will log the
146overflow, and the number of messages  lost. The default queue length is
1475, a sane value would be 5-25, and a maximum limit of 100 is imposed.
149.B \-x, --pid-file=<path>
150Specify an alternate path for dnsmasq to record its process-id in. Normally /var/run/
152.B \-u, --user=<username>
153Specify the userid to which dnsmasq will change after startup. Dnsmasq must normally be started as root, but it will drop root
154privileges after startup by changing id to another user. Normally this user is "nobody" but that
155can be over-ridden with this switch.
157.B \-g, --group=<groupname>
158Specify the group which dnsmasq will run
159as. The defaults to "dip", if available, to facilitate access to
160/etc/ppp/resolv.conf which is not normally world readable.
162.B \-v, --version
163Print the version number.
165.B \-p, --port=<port>
166Listen on <port> instead of the standard DNS port (53). Setting this
167to zero completely disables DNS function, leaving only DHCP and/or TFTP.
169.B \-P, --edns-packet-max=<size>
170Specify the largest EDNS.0 UDP packet which is supported by the DNS
171forwarder. Defaults to 4096, which is the RFC5625-recommended size.
173.B \-Q, --query-port=<query_port>
174Send outbound DNS queries from, and listen for their replies on, the
175specific UDP port <query_port> instead of using random ports. NOTE
176that using this option will make dnsmasq less secure against DNS
177spoofing attacks but it may be faster and use less resources.  Setting this option
178to zero makes dnsmasq use a single port allocated to it by the
179OS: this was the default behaviour in versions prior to 2.43.
181.B --min-port=<port>
182Do not use ports less than that given as source for outbound DNS
183queries. Dnsmasq picks random ports as source for outbound queries:
184when this option is given, the ports used will always to larger
185than that specified. Useful for systems behind firewalls.
187.B --max-port=<port>
188Use ports lower than that given as source for outbound DNS queries.
189Dnsmasq picks random ports as source for outbound queries:
190when this option is given, the ports used will always be lower
191than that specified. Useful for systems behind firewalls.
194.B \-i, --interface=<interface name>
195Listen only on the specified interface(s). Dnsmasq automatically adds
196the loopback (local) interface to the list of interfaces to use when
198.B \--interface
199option  is used. If no
200.B \--interface
202.B \--listen-address
203options are given dnsmasq listens on all available interfaces except any
204given in
205.B \--except-interface
206options. On Linux, when
207.B \--bind-interfaces
209.B \--bind-dynamic
210are in effect, IP alias interface labels (eg "eth1:0") are checked, rather than
211interface names. In the degenerate case when an interface has one address, this amounts to the same thing but when an interface has multiple addresses it
212allows control over which of those addresses are accepted.
213The same effect is achievable in default mode by using
214.B \--listen-address.
215A simple wildcard, consisting of a trailing '*',
216can be used in
217.B \--interface
219.B \--except-interface
222.B \-I, --except-interface=<interface name>
223Do not listen on the specified interface. Note that the order of
224.B \--listen-address
225.B --interface
227.B --except-interface
228options does not matter and that
229.B --except-interface
230options always override the others. The comments about interface labels for
231.B --listen-address
232apply here.
234.B --auth-server=<domain>,<interface>|<ip-address>
235Enable DNS authoritative mode for queries arriving at an interface or address. Note that the interface or address
236need not be mentioned in
237.B --interface
239.B --listen-address
240configuration, indeed
241.B --auth-server
242will override these and provide a different DNS service on the
243specified interface. The <domain> is the "glue record". It should
244resolve in the global DNS to a A and/or AAAA record which points to
245the address dnsmasq is listening on. When an interface is specified,
246it may be qualified with "/4" or "/6" to specify only the IPv4 or IPv6
247addresses associated with the interface.
249.B --local-service
250Accept DNS queries only from hosts whose address is on a local subnet,
251ie a subnet for which an interface exists on the server. This option
252only has effect if there are no --interface --except-interface,
253--listen-address or --auth-server options. It is intended to be set as
254a default on installation, to allow unconfigured installations to be
255useful but also safe from being used for DNS amplification attacks.
257.B \-2, --no-dhcp-interface=<interface name>
258Do not provide DHCP or TFTP on the specified interface, but do provide DNS service.
260.B \-a, --listen-address=<ipaddr>
261Listen on the given IP address(es). Both
262.B \--interface
264.B \--listen-address
265options may be given, in which case the set of both interfaces and
266addresses is used. Note that if no
267.B \--interface
268option is given, but
269.B \--listen-address
270is, dnsmasq will not automatically listen on the loopback
271interface. To achieve this, its IP address,, must be
272explicitly given as a
273.B \--listen-address
276.B \-z, --bind-interfaces
277On systems which support it, dnsmasq binds the wildcard address,
278even when it is listening on only some interfaces. It then discards
279requests that it shouldn't reply to. This has the advantage of
280working even when interfaces come and go and change address. This
281option forces dnsmasq to really bind only the interfaces it is
282listening on. About the only time when this is useful is when
283running another nameserver (or another instance of dnsmasq) on the
284same machine. Setting this option also enables multiple instances of
285dnsmasq which provide DHCP service to run in the same machine.
287.B --bind-dynamic
288Enable a network mode which is a hybrid between
289.B --bind-interfaces
290and the default. Dnsmasq binds the address of individual interfaces,
291allowing multiple dnsmasq instances, but if new interfaces or
292addresses appear, it automatically listens on those (subject to any
293access-control configuration). This makes dynamically created
294interfaces work in the same way as the default. Implementing this
295option requires non-standard networking APIs and it is only available
296under Linux. On other platforms it falls-back to --bind-interfaces mode.
298.B \-y, --localise-queries
299Return answers to DNS queries from /etc/hosts which depend on the interface over which the query was
300received. If a name in /etc/hosts has more than one address associated with
301it, and at least one of those addresses is on the same subnet as the
302interface to which the query was sent, then return only the
303address(es) on that subnet. This allows for a server  to have multiple
304addresses in /etc/hosts corresponding to each of its interfaces, and
305hosts will get the correct address based on which network they are
306attached to. Currently this facility is limited to IPv4.
308.B \-b, --bogus-priv
309Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192.168.x.x, etc)
310which are not found in /etc/hosts or the DHCP leases file are answered
311with "no such domain" rather than being forwarded upstream. The
312set of prefixes affected is the list given in RFC6303, for IPv4 and IPv6.
314.B \-V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
315Modify IPv4 addresses returned from upstream nameservers; old-ip is
316replaced by new-ip. If the optional mask is given then any address
317which matches the masked old-ip will be re-written. So, for instance
318.B --alias=,,
319will map to and to This is what
320Cisco PIX routers call "DNS doctoring". If the old IP is given as
321range, then only addresses in the range, rather than a whole subnet,
322are re-written. So
323.B --alias=,,
324maps> to>
326.B \-B, --bogus-nxdomain=<ipaddr>
327Transform replies which contain the IP address given into "No such
328domain" replies. This is intended to counteract a devious move made by
329Verisign in September 2003 when they started returning the address of
330an advertising web page in response to queries for unregistered names,
331instead of the correct NXDOMAIN response. This option tells dnsmasq to
332fake the correct response when it sees this behaviour. As at Sept 2003
333the IP address being returned by Verisign is
335.B --ignore-address=<ipaddr>
336Ignore replies to A-record queries which include the specified address.
337No error is generated, dnsmasq simply continues to listen for another reply.
338This is useful to defeat blocking strategies which rely on quickly supplying a
339forged answer to a DNS request for certain domain, before the correct answer can arrive.
341.B \-f, --filterwin2k
342Later versions of windows make periodic DNS requests which don't get sensible answers from
343the public DNS and can cause problems by triggering dial-on-demand links. This flag turns on an option
344to filter such requests. The requests blocked are for records of types SOA and SRV, and type ANY where the
345requested name has underscores, to catch LDAP requests.
347.B \-r, --resolv-file=<file>
348Read the IP addresses of the upstream nameservers from <file>, instead of
349/etc/resolv.conf. For the format of this file see
350.BR resolv.conf (5).
351The only lines relevant to dnsmasq are nameserver ones. Dnsmasq can
352be told to poll more than one resolv.conf file, the first file name  specified
353overrides the default, subsequent ones add to the list. This is only
354allowed when polling; the file with the currently latest modification
355time is the one used.
357.B \-R, --no-resolv
358Don't read /etc/resolv.conf. Get upstream servers only from the command
359line or the dnsmasq configuration file.
361.B \-1, --enable-dbus[=<service-name>]
362Allow dnsmasq configuration to be updated via DBus method calls. The
363configuration which can be changed is upstream DNS servers (and
364corresponding domains) and cache clear. Requires that dnsmasq has
365been built with DBus support. If the service name is given, dnsmasq
366provides service at that name, rather than the default which is
369.B \-o, --strict-order
370By default, dnsmasq will send queries to any of the upstream servers
371it knows about and tries to favour servers that are known to
372be up. Setting this flag forces dnsmasq to try each query with each
373server strictly in the order they appear in /etc/resolv.conf
375.B --all-servers
376By default, when dnsmasq has more than one upstream server available,
377it will send queries to just one server. Setting this flag forces
378dnsmasq to send all queries to all available servers. The reply from
379the server which answers first will be returned to the original requester.
381.B --dns-loop-detect
382Enable code to detect DNS forwarding loops; ie the situation where a query sent to one
383of the upstream server eventually returns as a new query to the dnsmasq instance. The
384process works by generating TXT queries of the form <hex>.test and sending them to
385each upstream server. The hex is a UID which encodes the instance of dnsmasq sending the query
386and the upstream server to which it was sent. If the query returns to the server which sent it, then
387the upstream server through which it was sent is disabled and this event is logged. Each time the
388set of upstream servers changes, the test is re-run on all of them, including ones which
389were previously disabled.
391.B --stop-dns-rebind
392Reject (and log) addresses from upstream nameservers which are in the
393private IP ranges. This blocks an attack where a browser behind a
394firewall is used to probe machines on the local network.
396.B --rebind-localhost-ok
397Exempt from rebinding checks. This address range is
398returned by realtime black hole servers, so blocking it may disable
399these services.
401.B  --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
402Do not detect and block dns-rebind on queries to these domains. The
403argument may be either a single domain, or multiple domains surrounded
404by '/', like the --server syntax, eg.
405.B  --rebind-domain-ok=/domain1/domain2/domain3/
407.B \-n, --no-poll
408Don't poll /etc/resolv.conf for changes.
410.B --clear-on-reload
411Whenever /etc/resolv.conf is re-read or the upstream servers are set
412via DBus, clear the DNS cache.
413This is useful when new nameservers may have different
414data than that held in cache.
416.B \-D, --domain-needed
417Tells dnsmasq to never forward A or AAAA queries for plain names, without dots
418or domain parts, to upstream nameservers. If the name is not known
419from /etc/hosts or DHCP then a "not found" answer is returned.
421.B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]
422Specify IP address of upstream servers directly. Setting this flag does
423not suppress reading of /etc/resolv.conf, use -R to do that. If one or
425optional domains are given, that server is used only for those domains
426and they are queried only using the specified server. This is
427intended for private nameservers: if you have a nameserver on your
428network which deals with names of the form at then giving  the flag
430.B -S /
431will send all queries for
432internal machines to that nameserver, everything else will go to the
433servers in /etc/resolv.conf. DNSSEC validation is turned off for such
434private nameservers, UNLESS a
435.B --trust-anchor
436is specified for the domain in question. An empty domain specification,
437.B //
438has the special meaning of "unqualified names only" ie names without any
439dots in them. A non-standard port may be specified as
440part of the IP
441address using a # character.
442More than one -S flag is allowed, with
443repeated domain or ipaddr parts as required.
445More specific domains take precedence over less specific domains, so:
446.B --server=/
447.B --server=/
448will send queries for * to, except *,
449which will go to
451The special server address '#' means, "use the standard servers", so
452.B --server=/
453.B --server=/
454will send queries for * to, except * which will
455be forwarded as usual.
457Also permitted is a -S
458flag which gives a domain but no IP address; this tells dnsmasq that
459a domain is local and it may answer queries from /etc/hosts or DHCP
460but should never forward queries on that domain to any upstream
462.B local
463is a synonym for
464.B server
465to make configuration files clearer in this case.
467IPv6 addresses may include a %interface scope-id, eg
470The optional string after the @ character tells
471dnsmasq how to set the source of the queries to this
472nameserver. It should be an ip-address, which should belong to the machine on which
473dnsmasq is running otherwise this server line will be logged and then
474ignored, or an interface name. If an interface name is given, then
475queries to the server will be forced via that interface; if an
476ip-address is given then the source address of the queries will be set
477to that address.
478The query-port flag is ignored for any servers which have a
479source address specified but the port may be specified directly as
480part of the source address. Forcing queries to an interface is not
481implemented on all platforms supported by dnsmasq.
483.B --rev-server=<ip-address>/<prefix-len>,<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]
484This is functionally the same as
485.B --server,
486but provides some syntactic sugar to make specifying address-to-name queries easier. For example
487.B --rev-server=,
488is exactly equivalent to
489.B --server=/
491.B \-A, --address=/<domain>[/<domain>...]/[<ipaddr>]
492Specify an IP address to return for any host in the given domains.
493Queries in the domains are never forwarded and always replied to
494with the specified IP address which may be IPv4 or IPv6. To give
495both IPv4 and IPv6 addresses for a domain, use repeated \fB-A\fP flags.
496To include multiple IP addresses for a single query, use
497\fB--addn-hosts=<path>\fP instead.
498Note that /etc/hosts and DHCP leases override this for individual
499names. A common use of this is to redirect the entire
500domain to some friendly local web server to avoid banner ads. The
501domain specification works in the same was as for \fB--server\fP, with
502the additional facility that \fB/#/\fP matches any domain. Thus
503\fB--address=/#/\fP will always return \fB1.2.3.4\fP for any
504query not answered from \fB/etc/hosts\fP or DHCP and not sent to an
505upstream nameserver by a more specific \fB--server\fP directive. As for
506\fB--server\fP, one or more domains with no address returns a
507no-such-domain answer, so \fB--address=/\fP is equivalent to
508\fB--server=/\fP and returns NXDOMAIN for and
509all its subdomains.
511.B --ipset=/<domain>[/<domain>...]/<ipset>[,<ipset>...]
512Places the resolved IP addresses of queries for one or more domains in
513the specified Netfilter IP set. If multiple setnames are given, then the
514addresses are placed in each of them, subject to the limitations of an
515IP set (IPv4 addresses cannot be stored in an IPv6 IP set and vice
516versa).  Domains and subdomains are matched in the same way as
518These IP sets must already exist. See
519.BR ipset (8)
520for more details.
522.B \-m, --mx-host=<mx name>[[,<hostname>],<preference>]
523Return an MX record named <mx name> pointing to the given hostname (if
524given), or
525the host specified in the --mx-target switch
526or, if that switch is not given, the host on which dnsmasq
527is running. The default is useful for directing mail from systems on a LAN
528to a central server. The preference value is optional, and defaults to
5291 if not given. More than one MX record may be given for a host.
531.B \-t, --mx-target=<hostname>
532Specify the default target for the MX record returned by dnsmasq. See
533--mx-host.  If --mx-target is given, but not --mx-host, then dnsmasq
534returns a MX record containing the MX target for MX queries on the
535hostname of the machine on which dnsmasq is running.
537.B \-e, --selfmx
538Return an MX record pointing to itself for each local
539machine. Local machines are those in /etc/hosts or with DHCP leases.
541.B \-L, --localmx
542Return an MX record pointing to the host given by mx-target (or the
543machine on which dnsmasq is running) for each
544local machine. Local machines are those in /etc/hosts or with DHCP
547.B \-W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<priority>[,<weight>]]]]
548Return a SRV DNS record. See RFC2782 for details. If not supplied, the
549domain defaults to that given by
550.B --domain.
551The default for the target domain is empty, and the default for port
552is one and the defaults for
553weight and priority are zero. Be careful if transposing data from BIND
554zone files: the port, weight and priority numbers are in a different
555order. More than one SRV record for a given service/domain is allowed,
556all that match are returned.
558.B --host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-address>][,<TTL>]
559Add A, AAAA and PTR records to the DNS. This adds one or more names to
560the DNS with associated IPv4 (A) and IPv6 (AAAA) records. A name may
561appear in more than one
562.B host-record
563and therefore be assigned more than one address. Only the first
564address creates a PTR record linking the address to the name. This is
565the same rule as is used reading hosts-files.
566.B host-record
567options are considered to be read before host-files, so a name
568appearing there inhibits PTR-record creation if it appears in
569hosts-file also. Unlike hosts-files, names are not expanded, even when
570.B expand-hosts
571is in effect. Short and long names may appear in the same
572.B host-record,
574.B --host-record=laptop,,,1234::100
576If the time-to-live is given, it overrides the default, which is zero
577or the value of --local-ttl. The value is a positive integer and gives
578the time-to-live in seconds.
580.B \-Y, --txt-record=<name>[[,<text>],<text>]
581Return a TXT DNS record. The value of TXT record is a set of strings,
582so  any number may be included, delimited by commas; use quotes to put
583commas into a string. Note that the maximum length of a single string
584is 255 characters, longer strings are split into 255 character chunks.
586.B --ptr-record=<name>[,<target>]
587Return a PTR DNS record.
589.B --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<regexp>[,<replacement>]
590Return an NAPTR DNS record, as specified in RFC3403.
592.B --cname=<cname>,[<cname>,]<target>[,<TTL>]
593Return a CNAME record which indicates that <cname> is really
594<target>. There are significant limitations on the target; it must be a
595DNS name which is known to dnsmasq from /etc/hosts (or additional
596hosts files), from DHCP, from --interface-name or from another
597.B --cname.
598If the target does not satisfy this
599criteria, the whole cname is ignored. The cname must be unique, but it
600is permissable to have more than one cname pointing to the same target. Indeed
601it's possible to declare multiple cnames to a target in a single line, like so:
602.B --cname=cname1,cname2,target
604If the time-to-live is given, it overrides the default, which is zero
605or the value of -local-ttl. The value is a positive integer and gives
606the time-to-live in seconds.
608.B --dns-rr=<name>,<RR-number>,[<hex data>]
609Return an arbitrary DNS Resource Record. The number is the type of the
610record (which is always in the C_IN class). The value of the record is
611given by the hex data, which may be of the form 01:23:45 or 01 23 45 or
612012345 or any mixture of these.
614.B --interface-name=<name>,<interface>[/4|/6]
615Return a DNS record associating the name with the primary address on
616the given interface. This flag specifies an A or AAAA record for the given
617name in the same way as an /etc/hosts line, except that the address is
618not constant, but taken from the given interface. The interface may be
619followed by "/4" or "/6" to specify that only IPv4 or IPv6 addresses
620of the interface should be used. If the interface is
621down, not configured or non-existent, an empty record is returned. The
622matching PTR record is also created, mapping the interface address to
623the name. More than one name may be associated with an interface
624address by repeating the flag; in that case the first instance is used
625for the reverse address-to-name mapping.
627.B --synth-domain=<domain>,<address range>[,<prefix>]
628Create artificial A/AAAA and PTR records for an address range. The
629records use the address, with periods (or colons for IPv6) replaced
630with dashes.
632An example should make this clearer.
634will result in a query for returning
635192.168.0.56 and a reverse query vice versa. The same applies to IPv6,
636but IPv6 addresses may start with '::'
637but DNS labels may not start with '-' so in this case if no prefix is
638configured a zero is added in front of the label. ::1 becomes 0--1.
640V4 mapped IPv6 addresses, which have a representation like ::ffff: are handled specially, and become like 0--ffff-1-2-3-4
642The address range can be of the form
643<ip address>,<ip address> or <ip address>/<netmask>
645.B --add-mac[=base64|text]
646Add the MAC address of the requestor to DNS queries which are
647forwarded upstream. This may be used to DNS filtering by the upstream
648server. The MAC address can only be added if the requestor is on the same
649subnet as the dnsmasq server. Note that the mechanism used to achieve this (an EDNS0 option)
650is not yet standardised, so this should be considered
651experimental. Also note that exposing MAC addresses in this way may
652have security and privacy implications. The warning about caching
653given for --add-subnet applies to --add-mac too. An alternative encoding of the
654MAC, as base64, is enabled by adding the "base64" parameter and a human-readable encoding of hex-and-colons is enabled by added the "text" parameter.
656.B --add-cpe-id=<string>
657Add a arbitrary identifying string to o DNS queries which are
658forwarded upstream.
660.B --add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>/]<IPv6 prefix length>]]
661Add a subnet address to the DNS queries which are forwarded
662upstream. If an address is specified in the flag, it will be used,
663otherwise, the address of the requestor will be used. The amount of
664the address forwarded depends on the prefix length parameter: 32 (128
665for IPv6) forwards the whole address, zero forwards none of it but
666still marks the request so that no upstream nameserver will add client
667address information either. The default is zero for both IPv4 and
668IPv6. Note that upstream nameservers may be configured to return
669different results based on this information, but the dnsmasq cache
670does not take account. If a dnsmasq instance is configured such that
671different results may be encountered, caching should be disabled.
673For example,
674.B --add-subnet=24,96
675will add the /24 and /96 subnets of the requestor for IPv4 and IPv6 requestors, respectively.
676.B --add-subnet=
677will add for IPv4 requestors and ::/0 for IPv6 requestors.
678.B --add-subnet=,
679will add for both IPv4 and IPv6 requestors.
682.B \-c, --cache-size=<cachesize>
683Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching.
685.B \-N, --no-negcache
686Disable negative caching. Negative caching allows dnsmasq to remember
687"no such domain" answers from upstream nameservers and answer
688identical queries without forwarding them again.
690.B \-0, --dns-forward-max=<queries>
691Set the maximum number of concurrent DNS queries. The default value is
692150, which should be fine for most setups. The only known situation
693where this needs to be increased is when using web-server log file
694resolvers, which can generate large numbers of concurrent queries.
696.B --dnssec
697Validate DNS replies and cache DNSSEC data. When forwarding DNS queries, dnsmasq requests the
698DNSSEC records needed to validate the replies. The replies are validated and the result returned as
699the Authenticated Data bit in the DNS packet. In addition the DNSSEC records are stored in the cache, making
700validation by clients more efficient. Note that validation by clients is the most secure DNSSEC mode, but for
701clients unable to do validation, use of the AD bit set by dnsmasq is useful, provided that the network between
702the dnsmasq server and the client is trusted. Dnsmasq must be compiled with HAVE_DNSSEC enabled, and DNSSEC
703trust anchors provided, see
704.B --trust-anchor.
705Because the DNSSEC validation process uses the cache, it is not
706permitted to reduce the cache size below the default when DNSSEC is
707enabled. The nameservers upstream of dnsmasq must be DNSSEC-capable,
708ie capable of returning DNSSEC records with data. If they are not,
709then dnsmasq will not be able to determine the trusted status of
710answers. In the default mode, this means that all replies will be
711marked as untrusted. If
712.B --dnssec-check-unsigned
713is set and the upstream servers don't support DNSSEC, then DNS service will be entirely broken.
715.B --trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
716Provide DS records to act a trust anchors for DNSSEC
717validation. Typically these will be the DS record(s) for Zone Signing
718key(s) of the root zone,
719but trust anchors for limited domains are also possible. The current
720root-zone trust anchors may be downloaded from
722.B --dnssec-check-unsigned
723As a default, dnsmasq does not check that unsigned DNS replies are
724legitimate: they are assumed to be valid and passed on (without the
725"authentic data" bit set, of course). This does not protect against an
726attacker forging unsigned replies for signed DNS zones, but it is
727fast. If this flag is set, dnsmasq will check the zones of unsigned
728replies, to ensure that unsigned replies are allowed in those
729zones. The cost of this is more upstream queries and slower
730performance. See also the warning about upstream servers in the
731section on
732.B --dnssec
734.B --dnssec-no-timecheck
735DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an
736interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct
737time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag
738removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGHUP. The intention is
739that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as
740reliable time is established, a SIGHUP should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records
741which have not been throughly checked.
743.B --dnssec-timestamp=<path>
744Enables an alternative way of checking the validity of the system time for DNSSEC (see --dnssec-no-timecheck). In this case, the
745system time is considered to be valid once it becomes later than the timestamp on the specified file. The file is created and
746its timestamp set automatically by dnsmasq. The file must be stored on a persistent filesystem, so that it and its mtime are carried
747over system restarts. The timestamp file is created after dnsmasq has dropped root, so it must be in a location writable by the
748unprivileged user that dnsmasq runs as.
750.B --proxy-dnssec
751Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it.  This is an
752alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between
753dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.
755.B --dnssec-debug
756Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries,
757and don't convert replies which do not validate to responses with
758a return code of SERVFAIL. Note that
759setting this may affect DNS behaviour in bad ways, it is not an
760extra-logging flag and should not be set in production.
762.B --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix length>].....][,exclude:<subnet>[/<prefix length>]].....]
763Define a DNS zone for which dnsmasq acts as authoritative server. Locally defined DNS records which are in the domain
764will be served. If subnet(s) are given, A and AAAA records must be in one of the
765specified subnets.
767As alternative to directly specifying the subnets, it's possible to
768give the name of an interface, in which case the subnets implied by
769that interface's configured addresses and netmask/prefix-length are
770used; this is useful when using constructed DHCP ranges as the actual
771address is dynamic and not known when configuring dnsmasq. The
772interface addresses may be confined to only IPv6 addresses using
773<interface>/6 or to only IPv4 using <interface>/4. This is useful when
774an interface has dynamically determined global IPv6 addresses which should
775appear in the zone, but RFC1918 IPv4 addresses which should not.
776Interface-name and address-literal subnet specifications may be used
777freely in the same --auth-zone declaration.
779It's possible to exclude certain IP addresses from responses. It can be
780used, to make sure that answers contain only global routeable IP
781addresses (by excluding loopback, RFC1918 and ULA addresses).
783The subnet(s) are also used to define and domains which are served for reverse-DNS queries. If not
785specified, the prefix length defaults to 24 for IPv4 and 64 for IPv6.
786For IPv4 subnets, the prefix length should be have the value 8, 16 or 24
787unless you are familiar with RFC 2317 and have arranged the delegation accordingly. Note that if no subnets are
789specified, then no reverse queries are answered.
791.B --auth-soa=<serial>[,<hostmaster>[,<refresh>[,<retry>[,<expiry>]]]]
792Specify fields in the SOA record associated with authoritative
793zones. Note that this is optional, all the values are set to sane defaults.
795.B --auth-sec-servers=<domain>[,<domain>[,<domain>...]]
796Specify any secondary servers for a zone for which dnsmasq is
797authoritative. These servers must be configured to get zone data from
798dnsmasq by zone transfer, and answer queries for the same
799authoritative zones as dnsmasq.
801.B --auth-peer=<ip-address>[,<ip-address>[,<ip-address>...]]
802Specify the addresses of secondary servers which are allowed to
803initiate zone transfer (AXFR) requests for zones for which dnsmasq is
804authoritative. If this option is not given, then AXFR requests will be
805accepted from any secondary.
807.B --conntrack
808Read the Linux connection track mark associated with incoming DNS
809queries and set the same mark value on upstream traffic used to answer
810those queries. This allows traffic generated by dnsmasq to be
811associated with the queries which cause it, useful for bandwidth
812accounting and firewalling. Dnsmasq must have conntrack support
813compiled in and the kernel must have conntrack support
814included and configured. This option cannot be combined with
817.B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>|<mode>][,<netmask>[,<broadcast>]][,<lease time>]
819.B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-IPv6addr>[,<end-IPv6addr>|constructor:<interface>][,<mode>][,<prefix-len>][,<lease time>]
821Enable the DHCP server. Addresses will be given out from the range
822<start-addr> to <end-addr> and from statically defined addresses given
824.B dhcp-host
825options. If the lease time is given, then leases
826will be given for that length of time. The lease time is in seconds,
827or minutes (eg 45m) or hours (eg 1h) or "infinite". If not given,
828the default lease time is one hour. The
829minimum lease time is two minutes. For IPv6 ranges, the lease time
830maybe "deprecated"; this sets the preferred lifetime sent in a DHCP
831lease or router advertisement to zero, which causes clients to use
832other addresses, if available, for new connections as a prelude to renumbering.
834This option may be repeated, with different addresses, to enable DHCP
835service to more than one network. For directly connected networks (ie,
836networks on which the machine running dnsmasq has an interface) the
837netmask is optional: dnsmasq will determine it from the interface
838configuration. For networks which receive DHCP service via a relay
839agent, dnsmasq cannot determine the netmask itself, so it should be
840specified, otherwise dnsmasq will have to guess, based on the class (A, B or
841C) of the network address. The broadcast address is
842always optional. It is always
843allowed to have more than one dhcp-range in a single subnet.
845For IPv6, the parameters are slightly different: instead of netmask
846and broadcast address, there is an optional prefix length which must
847be equal to or larger then the prefix length on the local interface. If not
848given, this defaults to 64. Unlike the IPv4 case, the prefix length is not
849automatically derived from the interface configuration. The minimum
850size of the prefix length is 64.
852IPv6 (only) supports another type of range. In this, the start address and optional end address contain only the network part (ie ::1) and they are followed by
853.B constructor:<interface>.
854This forms a template which describes how to create ranges, based on the addresses assigned to the interface. For instance
856.B --dhcp-range=::1,::400,constructor:eth0
858will look for addresses on
859eth0 and then create a range from <network>::1 to <network>::400. If
860the interface is assigned more than one network, then the
861corresponding ranges will be automatically created, and then
862deprecated and finally removed again as the address is deprecated and
863then deleted. The interface name may have a final "*" wildcard. Note
864that just any address on eth0 will not do: it must not be an
865autoconfigured or privacy address, or be deprecated.
867If a dhcp-range is only being used for stateless DHCP and/or SLAAC,
868then the address can be simply ::
870.B --dhcp-range=::,constructor:eth0
873The optional
874.B set:<tag>
875sets an alphanumeric label which marks this network so that
876dhcp options may be specified on a per-network basis.
877When it is prefixed with 'tag:' instead, then its meaning changes from setting
878a tag to matching it. Only one tag may be set, but more than one tag
879may be matched.
881The optional <mode> keyword may be
882.B static
883which tells dnsmasq to enable DHCP for the network specified, but not
884to dynamically allocate IP addresses: only hosts which have static
885addresses given via
886.B dhcp-host
887or from /etc/ethers will be served. A static-only subnet with address
888all zeros may be used as a "catch-all" address to enable replies to all
889Information-request packets on a subnet which is provided with
890stateless DHCPv6, ie
891.B --dhcp-range=::,static
893For IPv4, the <mode> may be
894.B proxy
895in which case dnsmasq will provide proxy-DHCP on the specified
896subnet. (See
897.B pxe-prompt
899.B pxe-service
900for details.)
902For IPv6, the mode may be some combination of
903.B ra-only, slaac, ra-names, ra-stateless, ra-advrouter, off-link.
905.B ra-only
906tells dnsmasq to offer Router Advertisement only on this subnet,
907and not DHCP.
909.B slaac
910tells dnsmasq to offer Router Advertisement on this subnet and to set
911the A bit in the router advertisement, so that the client will use
912SLAAC addresses. When used with a DHCP range or static DHCP address
913this results in the client having both a DHCP-assigned and a SLAAC
916.B ra-stateless
917sends router advertisements with the O and A bits set, and provides a
918stateless DHCP service. The client will use a SLAAC address, and use
919DHCP for other configuration information.
921.B ra-names
922enables a mode
923which gives DNS names to dual-stack hosts which do SLAAC for
924IPv6. Dnsmasq uses the host's IPv4 lease to derive the name, network
925segment and MAC address and assumes that the host will also have an
926IPv6 address calculated using the SLAAC algorithm, on the same network
927segment. The address is pinged, and if a reply is received, an AAAA
928record is added to the DNS for this IPv6
929address. Note that this is only happens for directly-connected
930networks, (not one doing DHCP via a relay) and it will not work
931if a host is using privacy extensions.
932.B ra-names
933can be combined  with
934.B ra-stateless
936.B slaac.
938.B ra-advrouter
939enables a mode where router address(es) rather than prefix(es) are included in the advertisements.
940This is described in RFC-3775 section 7.2 and is used in mobile IPv6. In this mode the interval option
941is also included, as described in RFC-3775 section 7.3.
943.B off-link
944tells dnsmasq to advertise the prefix without the on-link (aka L) bit set.
947.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
948Specify per host parameters for the DHCP server. This allows a machine
949with a particular hardware address to be always allocated the same
950hostname, IP address and lease time. A hostname specified like this
951overrides any supplied by the DHCP client on the machine. It is also
952allowable to omit the hardware address and include the hostname, in
953which case the IP address and lease times will apply to any machine
954claiming that name. For example
955.B --dhcp-host=00:20:e0:3b:13:af,wap,infinite
956tells dnsmasq to give
957the machine with hardware address 00:20:e0:3b:13:af the name wap, and
958an infinite DHCP lease.
959.B --dhcp-host=lap,
961dnsmasq to always allocate the machine lap the IP address
964Addresses allocated like this are not constrained to be
965in the range given by the --dhcp-range option, but they must be in
966the same subnet as some valid dhcp-range.  For
967subnets which don't need a pool of dynamically allocated addresses,
968use the "static" keyword in the dhcp-range declaration.
970It is allowed to use client identifiers (called client
971DUID in IPv6-land) rather than
972hardware addresses to identify hosts by prefixing with 'id:'. Thus:
973.B --dhcp-host=id:01:02:03:04,.....
974refers to the host with client identifier 01:02:03:04. It is also
975allowed to specify the client ID as text, like this:
976.B --dhcp-host=id:clientidastext,.....
978A single
979.B dhcp-host
980may contain an IPv4 address or an IPv6 address, or both. IPv6 addresses must be bracketed by square brackets thus:
981.B --dhcp-host=laptop,[1234::56]
982IPv6 addresses may contain only the host-identifier part:
983.B --dhcp-host=laptop,[::56]
984in which case they act as wildcards in constructed dhcp ranges, with
985the appropriate network part inserted.
986Note that in IPv6 DHCP, the hardware address may not be
987available, though it normally is for direct-connected clients, or
988clients using DHCP relays which support RFC 6939.
991For DHCPv4, the  special option id:* means "ignore any client-id
992and use MAC addresses only." This is useful when a client presents a client-id sometimes
993but not others.
995If a name appears in /etc/hosts, the associated address can be
996allocated to a DHCP lease, but only if a
997.B --dhcp-host
998option specifying the name also exists. Only one hostname can be
999given in a
1000.B dhcp-host
1001option, but aliases are possible by using CNAMEs. (See
1002.B --cname
1005The special keyword "ignore"
1006tells dnsmasq to never offer a DHCP lease to a machine. The machine
1007can be specified by hardware address, client ID or hostname, for
1009.B --dhcp-host=00:20:e0:3b:13:af,ignore
1010This is
1011useful when there is another DHCP server on the network which should
1012be used by some machines.
1014The set:<tag> construct sets the tag
1015whenever this dhcp-host directive is in use. This can be used to
1016selectively send DHCP options just for this host. More than one tag
1017can be set in a dhcp-host directive (but not in other places where
1018"set:<tag>" is allowed). When a host matches any
1019dhcp-host directive (or one implied by /etc/ethers) then the special
1020tag "known" is set. This allows dnsmasq to be configured to
1021ignore requests from unknown machines using
1022.B --dhcp-ignore=tag:!known
1023Ethernet addresses (but not client-ids) may have
1024wildcard bytes, so for example
1025.B --dhcp-host=00:20:e0:3b:13:*,ignore
1026will cause dnsmasq to ignore a range of hardware addresses. Note that
1027the "*" will need to be escaped or quoted on a command line, but not
1028in the configuration file.
1030Hardware addresses normally match any
1031network (ARP) type, but it is possible to restrict them to a single
1032ARP type by preceding them with the ARP-type (in HEX) and "-". so
1033.B --dhcp-host=06-00:20:e0:3b:13:af,
1034will only match a
1035Token-Ring hardware address, since the ARP-address type for token ring
1036is 6.
1038As a special case, in DHCPv4, it is possible to include more than one
1039hardware address. eg:
1040.B --dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,
1041This allows an IP address to be associated with
1042multiple hardware addresses, and gives dnsmasq permission to abandon a
1043DHCP lease to one of the hardware addresses when another one asks for
1044a lease. Beware that this is a dangerous thing to do, it will only
1045work reliably if only one of the hardware addresses is active at any
1046time and there is no way for dnsmasq to enforce this. It is, for instance,
1047useful to allocate a stable IP address to a laptop which
1048has both wired and wireless interfaces.
1050.B --dhcp-hostsfile=<path>
1051Read DHCP host information from the specified file. If a directory
1052is given, then read all the files contained in that directory. The file contains
1053information about one host per line. The format of a line is the same
1054as text to the right of '=' in --dhcp-host. The advantage of storing DHCP host information
1055in this file is that it can be changed without re-starting dnsmasq:
1056the file will be re-read when dnsmasq receives SIGHUP.
1058.B --dhcp-optsfile=<path>
1059Read DHCP option information from the specified file.  If a directory
1060is given, then read all the files contained in that directory. The advantage of
1061using this option is the same as for --dhcp-hostsfile: the
1062dhcp-optsfile will be re-read when dnsmasq receives SIGHUP. Note that
1063it is possible to encode the information in a
1064.B --dhcp-boot
1065flag as DHCP options, using the options names bootfile-name,
1066server-ip-address and tftp-server. This allows these to be included
1067in a dhcp-optsfile.
1069.B --dhcp-hostsdir=<path>
1070This is equivalent to dhcp-hostsfile, except for the following. The path MUST be a
1071directory, and not an individual file. Changed or new files within
1072the directory are read automatically, without the need to send SIGHUP.
1073If a file is deleted for changed after it has been read by dnsmasq, then the
1074host record it contained will remain until dnsmasq receives a SIGHUP, or
1075is restarted; ie host records are only added dynamically.
1077.B --dhcp-optsdir=<path>
1078This is equivalent to dhcp-optsfile, with the differences noted for --dhcp-hostsdir.
1080.B \-Z, --read-ethers
1081Read /etc/ethers for information about hosts for the DHCP server. The
1082format of /etc/ethers is a hardware address, followed by either a
1083hostname or dotted-quad IP address. When read by dnsmasq these lines
1084have exactly the same effect as
1085.B --dhcp-host
1086options containing the same information. /etc/ethers is re-read when
1087dnsmasq receives SIGHUP. IPv6 addresses are NOT read from /etc/ethers.
1089.B \-O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>|option6:<opt>|option6:<opt-name>],[<value>[,<value>]]
1090Specify different or extra options to DHCP clients. By default,
1091dnsmasq sends some standard options to DHCP clients, the netmask and
1092broadcast address are set to the same as the host running dnsmasq, and
1093the DNS server and default route are set to the address of the machine
1094running dnsmasq. (Equivalent rules apply for IPv6.) If the domain name option has been set, that is sent.
1095This configuration allows these defaults to be overridden,
1096or other options specified. The option, to be sent may be given as a
1097decimal number or as "option:<option-name>" The option numbers are
1098specified in RFC2132 and subsequent RFCs. The set of option-names
1099known by dnsmasq can be discovered by running "dnsmasq --help dhcp".
1100For example, to set the default route option to
1101192.168.4.4, do
1102.B --dhcp-option=3,
1104.B --dhcp-option = option:router,
1105and to set the time-server address to, do
1106.B --dhcp-option = 42,
1108.B --dhcp-option = option:ntp-server,
1109The special address is taken to mean "the address of the
1110machine running dnsmasq".
1112Data types allowed are comma separated
1113dotted-quad IPv4 addresses, []-wrapped IPv6 addresses, a decimal number, colon-separated hex digits
1114and a text string. If the optional tags are given then
1115this option is only sent when all the tags are matched.
1117Special processing is done on a text argument for option 119, to
1118conform with RFC 3397. Text or dotted-quad IP addresses as arguments
1119to option 120 are handled as per RFC 3361. Dotted-quad IP addresses
1120which are followed by a slash and then a netmask size are encoded as
1121described in RFC 3442.
1123IPv6 options are specified using the
1124.B option6:
1125keyword, followed by the option number or option name. The IPv6 option
1126name space is disjoint from the IPv4 option name space. IPv6 addresses
1127in options must be bracketed with square brackets, eg.
1128.B --dhcp-option=option6:ntp-server,[1234::56]
1129For IPv6, [::] means "the global address of
1130the machine running dnsmasq", whilst [fd00::] is replaced with the
1131ULA, if it exists, and [fe80::] with the link-local address.
1133Be careful: no checking is done that the correct type of data for the
1134option number is sent, it is quite possible to
1135persuade dnsmasq to generate illegal DHCP packets with injudicious use
1136of this flag. When the value is a decimal number, dnsmasq must determine how
1137large the data item is. It does this by examining the option number and/or the
1138value, but can be overridden by appending a single letter flag as follows:
1139b = one byte, s = two bytes, i = four bytes. This is mainly useful with
1140encapsulated vendor class options (see below) where dnsmasq cannot
1141determine data size from the  option number. Option data which
1142consists solely of periods and digits will be interpreted by dnsmasq
1143as an IP address, and inserted into an option as such. To force a
1144literal string, use quotes. For instance when using option 66 to send
1145a literal IP address as TFTP server name, it is necessary to do
1146.B --dhcp-option=66,""
1148Encapsulated Vendor-class options may also be specified (IPv4 only) using
1149--dhcp-option: for instance
1150.B --dhcp-option=vendor:PXEClient,1,
1151sends the encapsulated vendor
1152class-specific option "mftp-address=" to any client whose
1153vendor-class matches "PXEClient". The vendor-class matching is
1154substring based (see --dhcp-vendorclass for details). If a
1155vendor-class option (number 60) is sent by dnsmasq, then that is used
1156for selecting encapsulated options in preference to any sent by the
1157client. It is
1158possible to omit the vendorclass completely;
1159.B --dhcp-option=vendor:,1,
1160in which case the encapsulated option is always sent.
1162Options may be encapsulated (IPv4 only) within other options: for instance
1163.B --dhcp-option=encap:175, 190, "iscsi-client0"
1164will send option 175, within which is the option 190. If multiple
1165options are given which are encapsulated with the same option number
1166then they will be correctly combined into one encapsulated option.
1167encap: and vendor: are may not both be set in the same dhcp-option.
1169The final variant on encapsulated options is "Vendor-Identifying
1170Vendor Options" as specified by RFC3925. These are denoted like this:
1171.B --dhcp-option=vi-encap:2, 10, "text"
1172The number in the vi-encap: section is the IANA enterprise number
1173used to identify this option. This form of encapsulation is supported
1174in IPv6.
1176The address is not treated specially in
1177encapsulated options.
1179.B --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
1180This works in exactly the same way as
1181.B --dhcp-option
1182except that the option will always be sent, even if the client does
1183not ask for it in the parameter request list. This is sometimes
1184needed, for example when sending options to PXELinux.
1186.B --dhcp-no-override
1187(IPv4 only) Disable re-use of the DHCP servername and filename fields as extra
1188option space. If it can, dnsmasq moves the boot server and filename
1189information (from dhcp-boot) out of their dedicated fields into
1190DHCP options. This make extra space available in the DHCP packet for
1191options but can, rarely, confuse old or broken clients. This flag
1192forces "simple and safe" behaviour to avoid problems in such a case.
1194.B --dhcp-relay=<local address>,<server address>[,<interface]
1195Configure dnsmasq to do DHCP relay. The local address is an address
1196allocated to an interface on the host running dnsmasq. All DHCP
1197requests arriving on that interface will we relayed to a remote DHCP
1198server at the server address. It is possible to relay from a single local
1199address to multiple remote servers by using multiple dhcp-relay
1200configs with the same local address and different server
1201addresses. A server address must be an IP literal address, not a
1202domain name. In the case of DHCPv6, the server address may be the
1203ALL_SERVERS multicast address, ff05::1:3. In this case the interface
1204must be given, not be wildcard, and is used to direct the multicast to the
1205correct interface to reach the DHCP server.
1207Access control for DHCP clients has the same rules as for the DHCP
1208server, see --interface, --except-interface, etc. The optional
1209interface name in the dhcp-relay config has a different function: it
1210controls on which interface DHCP replies from the server will be
1211accepted. This is intended for configurations which have three
1212interfaces: one being relayed from, a second connecting the DHCP
1213server, and a third untrusted network, typically the wider
1214internet. It avoids the possibility of spoof replies arriving via this
1215third interface.
1217It is allowed to have dnsmasq act as a DHCP server on one set of
1218interfaces and relay from a disjoint set of interfaces. Note that
1219whilst it is quite possible to write configurations which appear to
1220act as a server and a relay on the same interface, this is not
1221supported: the relay function will take precedence.
1223Both DHCPv4 and DHCPv6 relay is supported. It's not possible to relay
1224DHCPv4 to a DHCPv6 server or vice-versa.
1226.B \-U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<vendor-class>
1227Map from a vendor-class string to a tag. Most DHCP clients provide a
1228"vendor class" which represents, in some sense, the type of host. This option
1229maps vendor classes to tags, so that DHCP options may be selectively delivered
1230to different classes of hosts. For example
1231.B dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect
1232will allow options to be set only for HP printers like so:
1233.B --dhcp-option=tag:printers,3,
1234The vendor-class string is
1235substring matched against the vendor-class supplied by the client, to
1236allow fuzzy matching. The set: prefix is optional but allowed for
1239Note that in IPv6 only, vendorclasses are namespaced with an
1240IANA-allocated enterprise number. This is given with enterprise:
1241keyword and specifies that only vendorclasses matching the specified
1242number should be searched.
1244.B \-j, --dhcp-userclass=set:<tag>,<user-class>
1245Map from a user-class string to a tag (with substring
1246matching, like vendor classes). Most DHCP clients provide a
1247"user class" which is configurable. This option
1248maps user classes to tags, so that DHCP options may be selectively delivered
1249to different classes of hosts. It is possible, for instance to use
1250this to set a different printer server for hosts in the class
1251"accounts" than for hosts in the class "engineering".
1253.B \-4, --dhcp-mac=set:<tag>,<MAC address>
1254Map from a MAC address to a tag. The MAC address may include
1255wildcards. For example
1256.B --dhcp-mac=set:3com,01:34:23:*:*:*
1257will set the tag "3com" for any host whose MAC address matches the pattern.
1259.B --dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-remoteid=set:<tag>,<remote-id>
1260Map from RFC3046 relay agent options to tags. This data may
1261be provided by DHCP relay agents. The circuit-id or remote-id is
1262normally given as colon-separated hex, but is also allowed to be a
1263simple string. If an exact match is achieved between the circuit or
1264agent ID and one provided by a relay agent, the tag is set.
1266.B dhcp-remoteid
1267(but not dhcp-circuitid) is supported in IPv6.
1269.B --dhcp-subscrid=set:<tag>,<subscriber-id>
1270(IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent options to tags.
1272.B --dhcp-proxy[=<ip addr>]......
1273(IPv4 only) A normal DHCP relay agent is only used to forward the initial parts of
1274a DHCP interaction to the DHCP server. Once a client is configured, it
1275communicates directly with the server. This is undesirable if the
1276relay agent is adding extra information to the DHCP packets, such as
1277that used by
1278.B dhcp-circuitid
1280.B dhcp-remoteid.
1281A full relay implementation can use the RFC 5107 serverid-override
1282option to force the DHCP server to use the relay as a full proxy, with all
1283packets passing through it. This flag provides an alternative method
1284of doing the same thing, for relays which don't support RFC
12855107. Given alone, it manipulates the server-id for all interactions
1286via relays. If a list of IP addresses is given, only interactions via
1287relays at those addresses are affected.
1289.B --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<enterprise>[,<value>]
1290Without a value, set the tag if the client sends a DHCP
1291option of the given number or name. When a value is given, set the tag only if
1292the option is sent and matches the value. The value may be of the form
1293"01:ff:*:02" in which case the value must match (apart from wildcards)
1294but the option sent may have unmatched data past the end of the
1295value. The value may also be of the same form as in
1296.B dhcp-option
1297in which case the option sent is treated as an array, and one element
1298must match, so
1302will set the tag "efi-ia32" if the the number 6 appears in the list of
1303architectures sent by the client in option 93. (See RFC 4578 for
1304details.)  If the value is a string, substring matching is used.
1306The special form with vi-encap:<enterprise number> matches against
1307vendor-identifying vendor classes for the specified enterprise. Please
1308see RFC 3925 for more details of these rare and interesting beasts.
1310.B --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
1311Perform boolean operations on tags. Any tag appearing as set:<tag> is set if
1312all the tags which appear as tag:<tag> are set, (or unset when tag:!<tag> is used)
1313If no tag:<tag> appears set:<tag> tags are set unconditionally.
1314Any number of set: and tag: forms may appear, in any order.
1315Tag-if lines ares executed in order, so if the tag in tag:<tag> is a
1316tag set by another
1317.B tag-if,
1318the line which sets the tag must precede the one which tests it.
1320.B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
1321When all the given tags appear in the tag set ignore the host and do
1322not allocate it a DHCP lease.
1324.B --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
1325When all the given tags appear in the tag set, ignore any hostname
1326provided by the host. Note that, unlike dhcp-ignore, it is permissible
1327to supply no tags, in which case DHCP-client supplied hostnames
1328are always ignored, and DHCP hosts are added to the DNS using only
1329dhcp-host configuration in dnsmasq and the contents of /etc/hosts and
1332.B --dhcp-generate-names=tag:<tag>[,tag:<tag>]
1333(IPv4 only) Generate a name for DHCP clients which do not otherwise have one,
1334using the MAC address expressed in hex, separated by dashes. Note that
1335if a host provides a name, it will be used by preference to this,
1337.B --dhcp-ignore-names
1338is set.
1340.B --dhcp-broadcast[=tag:<tag>[,tag:<tag>]]
1341(IPv4 only) When all the given tags appear in the tag set, always use broadcast to
1342communicate with the host when it is unconfigured. It is permissible
1343to supply no tags, in which case this is unconditional. Most DHCP clients which
1344need broadcast replies set a flag in their requests so that this
1345happens automatically, some old BOOTP clients do not.
1347.B \-M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server address>|<tftp_servername>]]
1348(IPv4 only) Set BOOTP options to be returned by the DHCP server. Server name and
1349address are optional: if not provided, the name is left empty, and the
1350address set to the address of the machine running dnsmasq. If dnsmasq
1351is providing a TFTP service (see
1352.B --enable-tftp
1353) then only the filename is required here to enable network booting.
1354If the optional tag(s) are given,
1355they must match for this configuration to be sent.
1356Instead of an IP address, the TFTP server address can be given as a domain
1357name which is looked up in /etc/hosts. This name can be associated in
1358/etc/hosts with multiple IP addresses, which are used round-robin.
1359This facility can be used to load balance the tftp load among a set of servers.
1361.B --dhcp-sequential-ip
1362Dnsmasq is designed to choose IP addresses for DHCP clients using a
1363hash of the client's MAC address. This normally allows a client's
1364address to remain stable long-term, even if the client  sometimes allows its DHCP
1365lease to expire. In this default mode IP addresses are distributed
1366pseudo-randomly over the entire available address range. There are
1367sometimes circumstances (typically server deployment) where it is more
1368convenient to have IP
1369addresses allocated sequentially, starting from the lowest available
1370address, and setting this flag enables this mode. Note that in the
1371sequential mode, clients which allow a lease to expire are much more
1372likely to move IP address; for this reason it should not be generally used.
1374.B --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservicetype>][,<server address>|<server_name>]
1375Most uses of PXE boot-ROMS simply allow the PXE
1376system to obtain an IP address and then download the file specified by
1377.B dhcp-boot
1378and execute it. However the PXE system is capable of more complex
1379functions when supported by a suitable DHCP server.
1381This specifies a boot option which may appear in a PXE boot menu. <CSA> is
1382client system type, only services of the correct type will appear in a
1383menu. The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
1384Intel_Lean_Client, IA32_EFI,  X86-64_EFI, Xscale_EFI, BC_EFI, ARM32_EFI and ARM64_EFI; an
1385integer may be used for other types. The
1386parameter after the menu text may be a file name, in which case dnsmasq acts as a
1387boot server and directs the PXE client to download the file by TFTP,
1388either from itself (
1389.B enable-tftp
1390must be set for this to work) or another TFTP server if the final server
1391address/name is given.
1392Note that the "layer"
1393suffix (normally ".0") is supplied by PXE, and need not be added to
1394the basename. Alternatively, the basename may be a filename, complete with suffix, in which case
1395no layer suffix is added. If an integer boot service type, rather than a basename
1396is given, then the PXE client will search for a
1397suitable boot service for that type on the network. This search may be done
1398by broadcast, or direct to a server if its IP address/name is provided. 
1399If no boot service type or filename is provided (or a boot service type of 0 is specified)
1400then the menu entry will abort the net boot procedure and
1401continue booting from local media. The server address can be given as a domain
1402name which is looked up in /etc/hosts. This name can be associated in
1403/etc/hosts with multiple IP addresses, which are used round-robin.
1405.B --pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]
1406Setting this provides a prompt to be displayed after PXE boot. If the
1407timeout is given then after the
1408timeout has elapsed with no keyboard input, the first available menu
1409option will be automatically executed. If the timeout is zero then the first available menu
1410item will be executed immediately. If
1411.B pxe-prompt
1412is omitted the system will wait for user input if there are multiple
1413items in the menu, but boot immediately if
1414there is only one. See
1415.B pxe-service
1416for details of menu items.
1418Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP server on
1419the network is responsible for allocating IP addresses, and dnsmasq
1420simply provides the information given in
1421.B pxe-prompt
1423.B pxe-service
1424to allow netbooting. This mode is enabled using the
1425.B proxy
1426keyword in
1427.B dhcp-range.
1429.B \-X, --dhcp-lease-max=<number>
1430Limits dnsmasq to the specified maximum number of DHCP leases. The
1431default is 1000. This limit is to prevent DoS attacks from hosts which
1432create thousands of leases and use lots of memory in the dnsmasq
1435.B \-K, --dhcp-authoritative
1436Should be set when dnsmasq is definitely the only DHCP server on a network.
1437For DHCPv4, it changes the behaviour from strict RFC compliance so that DHCP requests on
1438unknown leases from unknown hosts are not ignored. This allows new hosts
1439to get a lease without a tedious timeout under all circumstances. It also
1440allows dnsmasq to rebuild its lease database without each client needing to
1441reacquire a lease, if the database is lost. For DHCPv6 it sets the
1442priority in replies to 255 (the maximum) instead of 0 (the minimum).
1444.B --dhcp-alternate-port[=<server port>[,<client port>]]
1445(IPv4 only) Change the ports used for DHCP from the default. If this option is
1446given alone, without arguments, it changes the ports used for DHCP
1447from 67 and 68 to 1067 and 1068. If a single argument is given, that
1448port number is used for the server and the port number plus one used
1449for the client. Finally, two port numbers allows arbitrary
1450specification of both server and client ports for DHCP.
1452.B \-3, --bootp-dynamic[=<network-id>[,<network-id>]]
1453(IPv4 only) Enable dynamic allocation of IP addresses to BOOTP clients. Use this
1454with care, since each address allocated to a BOOTP client is leased
1455forever, and therefore becomes permanently unavailable for re-use by
1456other hosts. if this is given without tags, then it unconditionally
1457enables dynamic allocation. With tags, only when the tags are all
1458set. It may be repeated with different tag sets.
1460.B \-5, --no-ping
1461(IPv4 only) By default, the DHCP server will attempt to ensure that an address is
1462not in use before allocating it to a host. It does this by sending an
1463ICMP echo request (aka "ping") to the address in question. If it gets
1464a reply, then the address must already be in use, and another is
1465tried. This flag disables this check. Use with caution.
1467.B --log-dhcp
1468Extra logging for DHCP: log all the options sent to DHCP clients and
1469the tags used to determine them.
1471.B --quiet-dhcp, --quiet-dhcp6, --quiet-ra
1472Suppress logging of the routine operation of these protocols. Errors and
1473problems will still be logged. --quiet-dhcp and quiet-dhcp6 are
1474over-ridden by --log-dhcp.
1476.B \-l, --dhcp-leasefile=<path>
1477Use the specified file to store DHCP lease information.
1479.B --dhcp-duid=<enterprise-id>,<uid>
1480(IPv6 only) Specify the server persistent UID which the DHCPv6 server
1481will use. This option is not normally required as dnsmasq creates a
1482DUID automatically when it is first needed. When given, this option
1483provides dnsmasq the data required to create a DUID-EN type DUID. Note
1484that once set, the DUID is stored in the lease database, so to change between DUID-EN and
1485automatically created DUIDs or vice-versa, the lease database must be
1486re-initialised. The enterprise-id is assigned by IANA, and the uid is a
1487string of hex octets unique to a particular device.
1489.B \-6 --dhcp-script=<path>
1490Whenever a new DHCP lease is created, or an old one destroyed, or a
1491TFTP file transfer completes, the
1492executable specified by this option is run.  <path>
1493must be an absolute pathname, no PATH search occurs.
1494The arguments to the process
1495are "add", "old" or "del", the MAC
1496address of the host (or DUID for IPv6) , the IP address, and the hostname,
1497if known. "add" means a lease has been created, "del" means it has
1498been destroyed, "old" is a notification of an existing lease when
1499dnsmasq starts or a change to MAC address or hostname of an existing
1500lease (also, lease length or expiry and client-id, if leasefile-ro is set).
1501If the MAC address is from a network type other than ethernet,
1502it will have the network type prepended, eg "06-01:23:45:67:89:ab" for
1503token ring. The process is run as root (assuming that dnsmasq was originally run as
1504root) even if dnsmasq is configured to change UID to an unprivileged user.
1506The environment is inherited from the invoker of dnsmasq, with some or
1507all of the following variables added
1509For both IPv4 and IPv6:
1511DNSMASQ_DOMAIN if the fully-qualified domain name of the host is
1512known, this is set to the  domain part. (Note that the hostname passed
1513to the script as an argument is never fully-qualified.)
1515If the client provides a hostname, DNSMASQ_SUPPLIED_HOSTNAME
1517If the client provides user-classes, DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn
1519If dnsmasq was compiled with HAVE_BROKEN_RTC, then
1520the length of the lease (in seconds) is stored in
1521DNSMASQ_LEASE_LENGTH, otherwise the time of lease expiry is stored in
1522DNSMASQ_LEASE_EXPIRES. The number of seconds until lease expiry is
1523always stored in DNSMASQ_TIME_REMAINING.
1525If a lease used to have a hostname, which is
1526removed, an "old" event is generated with the new state of the lease,
1527ie no name, and the former name is provided in the environment
1530DNSMASQ_INTERFACE stores the name of
1531the interface on which the request arrived; this is not set for "old"
1532actions when dnsmasq restarts.
1534DNSMASQ_RELAY_ADDRESS is set if the client
1535used a DHCP relay to contact dnsmasq and the IP address of the relay
1536is known.
1538DNSMASQ_TAGS contains all the tags set during the
1539DHCP transaction, separated by spaces.
1541DNSMASQ_LOG_DHCP is set if
1542.B --log-dhcp
1543is in effect.
1545For IPv4 only:
1547DNSMASQ_CLIENT_ID if the host provided a client-id.
1550DHCP relay-agent added any of these options.
1552If the client provides vendor-class, DNSMASQ_VENDOR_CLASS.
1554DNSMASQ_REQUESTED_OPTIONS a string containing the decimal values in the Parameter Request List option, comma separated, if the parameter request list option is provided by the client.
1556For IPv6 only:
1558If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID,
1559containing the IANA enterprise id for the class, and
1562DNSMASQ_SERVER_DUID containing the DUID of the server: this is the same for
1563every call to the script.
1565DNSMASQ_IAID containing the IAID for the lease. If the lease is a
1566temporary allocation, this is prefixed to 'T'.
1568DNSMASQ_MAC containing the MAC address of the client, if known.
1570Note that the supplied hostname, vendorclass and userclass data is
1571only  supplied for
1572"add" actions or "old" actions when a host resumes an existing lease,
1573since these data are not held in dnsmasq's lease
1578All file descriptors are
1579closed except stdin, stdout and stderr which are open to /dev/null
1580(except in debug mode).
1582The script is not invoked concurrently: at most one instance
1583of the script is ever running (dnsmasq waits for an instance of script to exit
1584before running the next). Changes to the lease database are which
1585require the script to be invoked are queued awaiting exit of a running instance.
1586If this queueing allows multiple state changes occur to a single
1587lease before the script can be run then
1588earlier states are discarded and the current state of that lease is
1589reflected when the script finally runs.
1591At dnsmasq startup, the script will be invoked for
1592all existing leases as they are read from the lease file. Expired
1593leases will be called with "del" and others with "old". When dnsmasq
1594receives a HUP signal, the script will be invoked for existing leases
1595with an "old" event.
1598There are four further actions which may appear as the first argument
1599to the script, "init", "arp-add", "arp-del" and "tftp". More may be added in the future, so
1600scripts should be written to ignore unknown actions. "init" is
1601described below in
1602.B --leasefile-ro
1603The "tftp" action is invoked when a TFTP file transfer completes: the
1604arguments are the file size in bytes, the address to which the file
1605was sent, and the complete pathname of the file.
1607The "arp-add" and "arp-del" actions are only called if enabled with
1608.B --script-arp
1609They are are supplied with a MAC address and IP address as arguments. "arp-add" indicates
1610the arrival of a new entry in the ARP or neighbour table, and "arp-del" indicates the deletion of same.
1613.B --dhcp-luascript=<path>
1614Specify a script written in Lua, to be run when leases are created,
1615destroyed or changed. To use this option, dnsmasq must be compiled
1616with the correct support. The Lua interpreter is initialised once, when
1617dnsmasq starts, so that global variables persist between lease
1618events. The Lua code must define a
1619.B lease
1620function, and may provide
1621.B init
1623.B shutdown
1624functions, which are called, without arguments when dnsmasq starts up
1625and terminates. It may also provide a
1626.B tftp
1630.B lease
1631function receives the information detailed in
1632.B --dhcp-script.
1633It gets two arguments, firstly the action, which is a string
1634containing, "add", "old" or "del", and secondly a table of tag value
1635pairs. The tags mostly correspond to the environment variables
1636detailed above, for instance the tag "domain" holds the same data as
1637the environment variable DNSMASQ_DOMAIN. There are a few extra tags
1638which hold the data supplied as arguments to
1639.B --dhcp-script.
1640These are
1641.B mac_address, ip_address
1643.B hostname
1644for IPv4, and
1645.B client_duid, ip_address
1647.B hostname
1648for IPv6.
1651.B tftp
1652function is called in the same way as the lease function, and the
1653table holds the tags
1654.B destination_address,
1655.B file_name
1657.B file_size.
1660.B arp
1662.B arp-old
1663functions are called only when enabled with
1664.B --script-arp
1665and have a table which holds the tags
1666.B mac_address
1668.B client_address.
1670.B --dhcp-scriptuser
1671Specify the user as which to run the lease-change script or Lua script. This defaults to root, but can be changed to another user using this flag.
1673.B --script-arp
1674Enable the "arp" and "arp-old" functions in the dhcp-script and dhcp-luascript.
1676.B \-9, --leasefile-ro
1677Completely suppress use of the lease database file. The file will not
1678be created, read, or written. Change the way the lease-change
1679script (if one is provided) is called, so that the lease database may
1680be maintained in external storage by the script. In addition to the
1681invocations  given in
1682.B  --dhcp-script
1683the lease-change script is called once, at dnsmasq startup, with the
1684single argument "init". When called like this the script should write
1685the saved state of the lease database, in dnsmasq leasefile format, to
1686stdout and exit with zero exit code. Setting this
1687option also forces the leasechange script to be called on changes
1688to the client-id and lease length and expiry time.
1690.B --bridge-interface=<interface>,<alias>[,<alias>]
1691Treat DHCP (v4 and v6) request and IPv6 Router Solicit packets
1692arriving at any of the <alias> interfaces as if they had arrived at
1693<interface>.  This option allows dnsmasq to provide DHCP and RA
1694service over unaddressed and unbridged Ethernet interfaces, e.g. on an
1695OpenStack compute host where each such interface is a TAP interface to
1696a VM, or as in "old style bridging" on BSD platforms.  A trailing '*'
1697wildcard can be used in each <alias>.
1699.B \-s, --domain=<domain>[,<address range>[,local]]
1700Specifies DNS domains for the DHCP server. Domains may be be given
1701unconditionally (without the IP range) or for limited IP ranges. This has two effects;
1702firstly it causes the DHCP server to return the domain to any hosts
1703which request it, and secondly it sets the domain which it is legal
1704for DHCP-configured hosts to claim. The intention is to constrain
1705hostnames so that an untrusted host on the LAN cannot advertise
1706its name via dhcp as e.g. "" and capture traffic not
1707meant for it. If no domain suffix is specified, then any DHCP
1708hostname with a domain part (ie with a period) will be disallowed
1709and logged. If suffix is specified, then hostnames with a domain
1710part are allowed, provided the domain part matches the suffix. In
1711addition, when a suffix is set then hostnames without a domain
1712part have the suffix added as an optional domain part. Eg on my network I can set
1714and have a machine whose DHCP hostname is "laptop". The IP address for that machine is available from
1715.B dnsmasq
1716both as "laptop" and "". If the domain is
1717given as "#" then the domain is read from the first "search" directive
1718in /etc/resolv.conf (or equivalent).
1720The address range can be of the form
1721<ip address>,<ip address> or <ip address>/<netmask> or just a single
1722<ip address>. See
1723.B --dhcp-fqdn
1724which can change the behaviour of dnsmasq with domains.
1726If the address range is given as ip-address/network-size, then a
1727additional flag "local" may be supplied which has the effect of adding
1728--local declarations for forward and reverse DNS queries. Eg.
1730is identical to
1732--local=/ --local=/
1733The network size must be 8, 16 or 24 for this to be legal.
1735.B --dhcp-fqdn
1736In the default mode, dnsmasq inserts the unqualified names of
1737DHCP clients into the DNS. For this reason, the names must be unique,
1738even if two clients which have the same name are in different
1739domains. If a second DHCP client appears which has the same name as an
1740existing client, the name is transferred to the new client. If
1741.B --dhcp-fqdn
1742is set, this behaviour changes: the unqualified name is no longer
1743put in the DNS, only the qualified name. Two DHCP clients with the
1744same name may both keep the name, provided that the domain part is
1745different (ie the fully qualified names differ.) To ensure that all
1746names have a domain part, there must be at least
1747.B --domain
1748without an address specified when
1749.B --dhcp-fqdn
1750is set.
1752.B --dhcp-client-update
1753Normally, when giving a DHCP lease, dnsmasq sets flags in the FQDN
1754option to tell the client not to attempt a DDNS update with its name
1755and IP address. This is because the name-IP pair is automatically
1756added into dnsmasq's DNS view. This flag suppresses that behaviour,
1757this is useful, for instance, to allow Windows clients to update
1758Active Directory servers. See RFC 4702 for details.
1760.B --enable-ra
1761Enable dnsmasq's IPv6 Router Advertisement feature. DHCPv6 doesn't
1762handle complete network configuration in the same way as DHCPv4. Router
1763discovery and (possibly) prefix discovery for autonomous address
1764creation are handled by a different protocol. When DHCP is in use,
1765only a subset of this is needed, and dnsmasq can handle it, using
1766existing DHCP configuration to provide most data. When RA is enabled,
1767dnsmasq will advertise a prefix for each dhcp-range, with default
1768router  as the relevant link-local address on
1769the machine running dnsmasq. By default, the "managed address" bits are set, and
1770the "use SLAAC" bit is reset. This can be changed for individual
1771subnets with the mode keywords described in
1772.B --dhcp-range.
1773RFC6106 DNS parameters are included in the advertisements. By default,
1774the relevant link-local address of the machine running dnsmasq is sent
1775as recursive DNS server. If provided, the DHCPv6 options dns-server and
1776domain-search are used for the DNS server (RDNSS) and the domain search list (DNSSL).
1778.B --ra-param=<interface>,[high|low],[[<ra-interval>],<router lifetime>]
1779Set non-default values for router advertisements sent via an
1780interface. The priority field for the router may be altered from the
1781default of medium with eg
1782.B --ra-param=eth0,high.
1783The interval between router advertisements may be set (in seconds) with
1784.B --ra-param=eth0,60.
1785The lifetime of the route may be changed or set to zero, which allows
1786a router to advertise prefixes but not a route via itself.
1787.B --ra-parm=eth0,0,0
1788(A value of zero for the interval means the default value.) All three parameters may be set at once.
1789.B --ra-param=low,60,1200
1790The interface field may include a wildcard.
1792.B --enable-tftp[=<interface>[,<interface>]]
1793Enable the TFTP server function. This is deliberately limited to that
1794needed to net-boot a client. Only reading is allowed; the tsize and
1795blksize extensions are supported (tsize is only supported in octet
1796mode). Without an argument, the TFTP service is provided to the same set of interfaces as DHCP service.
1797If the list of interfaces is provided, that defines which interfaces receive TFTP service.
1799.B --tftp-root=<directory>[,<interface>]
1800Look for files to transfer using TFTP relative to the given
1801directory. When this is set, TFTP paths which include ".." are
1802rejected, to stop clients getting outside the specified root.
1803Absolute paths (starting with /) are allowed, but they must be within
1804the tftp-root. If the optional interface argument is given, the
1805directory is only used for TFTP requests via that interface.
1807.B --tftp-no-fail
1808Do not abort startup if specified tftp root directories are inaccessible.
1810.B --tftp-unique-root
1811Add the IP address of the TFTP client as a path component on the end
1812of the TFTP-root (in standard dotted-quad format). Only valid if a
1813tftp-root is set and the directory exists. For instance, if tftp-root is "/tftp" and client
18141.2.3.4 requests file "myfile" then the effective path will be
1815"/tftp/" if /tftp/ exists or /tftp/myfile otherwise.
1817.B --tftp-secure
1818Enable TFTP secure mode: without this, any file which is readable by
1819the dnsmasq process under normal unix access-control rules is
1820available via TFTP. When the --tftp-secure flag is given, only files
1821owned by the user running the dnsmasq process are accessible. If
1822dnsmasq is being run as root, different rules apply: --tftp-secure
1823has no effect, but only files which have the world-readable bit set
1824are accessible. It is not recommended to run dnsmasq as root with TFTP
1825enabled, and certainly not without specifying --tftp-root. Doing so
1826can expose any world-readable file on the server to any host on the net.
1828.B --tftp-lowercase
1829Convert filenames in TFTP requests to all lowercase. This is useful
1830for requests from Windows machines, which have case-insensitive
1831filesystems and tend to play fast-and-loose with case in filenames.
1832Note that dnsmasq's tftp server always converts "\\" to "/" in filenames.
1834.B --tftp-max=<connections>
1835Set the maximum number of concurrent TFTP connections allowed. This
1836defaults to 50. When serving a large number of TFTP connections,
1837per-process file descriptor limits may be encountered. Dnsmasq needs
1838one file descriptor for each concurrent TFTP connection and one
1839file descriptor per unique file (plus a few others). So serving the
1840same file simultaneously to n clients will use require about n + 10 file
1841descriptors, serving different files simultaneously to n clients will
1842require about (2*n) + 10 descriptors. If
1843.B --tftp-port-range
1844is given, that can affect the number of concurrent connections.
1846.B --tftp-mtu=<mtu size>
1847Use size as the ceiling of the MTU supported by the intervening network when
1848negotiating TFTP blocksize, overriding the MTU setting of the local interface  if it is larger.
1850.B --tftp-no-blocksize
1851Stop the TFTP server from negotiating the "blocksize" option with a
1852client. Some buggy clients request this option but then behave badly
1853when it is granted.
1855.B --tftp-port-range=<start>,<end>
1856A TFTP server listens on a well-known port (69) for connection initiation,
1857but it also uses a dynamically-allocated port for each
1858connection. Normally these are allocated by the OS, but this option
1859specifies a range of ports for use by TFTP transfers. This can be
1860useful when TFTP has to traverse a firewall. The start of the range
1861cannot be lower than 1025 unless dnsmasq is running as root. The number
1862of concurrent TFTP connections is limited by the size of the port range.
1864.B \-C, --conf-file=<file>
1865Specify a different configuration file. The conf-file option is also allowed in
1866configuration files, to include multiple configuration files. A
1867filename of "-" causes dnsmasq to read configuration from stdin.
1869.B \-7, --conf-dir=<directory>[,<file-extension>......],
1870Read all the files in the given directory as configuration
1871files. If extension(s) are given, any files which end in those
1872extensions are skipped. Any files whose names end in ~ or start with . or start and end
1873with # are always skipped. If the extension starts with * then only files
1874which have that extension are loaded. So
1875.B --conf-dir=/path/to/dir,*.conf
1876loads all files with the suffix .conf in /path/to/dir. This flag may be given on the command
1877line or in a configuration file. If giving it on the command line, be sure to
1878escape * characters.
1880.B --servers-file=<file>
1881A special case of
1882.B --conf-file
1883which differs in two respects. Firstly, only --server and --rev-server are allowed
1884in the configuration file included. Secondly, the file is re-read and the configuration
1885therein is updated when dnsmasq receives SIGHUP.
1887At startup, dnsmasq reads
1888.I /etc/dnsmasq.conf,
1889if it exists. (On
1890FreeBSD, the file is
1891.I /usr/local/etc/dnsmasq.conf
1892) (but see the
1893.B \-C
1895.B \-7
1896options.) The format of this
1897file consists of one option per line, exactly as the long options detailed
1898in the OPTIONS section but without the leading "--". Lines starting with # are comments and ignored. For
1899options which may only be specified once, the configuration file overrides
1900the command line.  Quoting is allowed in a config file:
1901between " quotes the special meanings of ,:. and # are removed and the
1902following escapes are allowed: \\\\ \\" \\t \\e \\b \\r and \\n. The later
1903corresponding to tab, escape, backspace, return and newline.
1905When it receives a SIGHUP,
1906.B dnsmasq
1907clears its cache and then re-loads
1908.I /etc/hosts
1910.I /etc/ethers
1911and any file given by --dhcp-hostsfile, --dhcp-hostsdir, --dhcp-optsfile,
1912--dhcp-optsdir, --addn-hosts or --hostsdir.
1913The dhcp lease change script is called for all
1914existing DHCP leases. If
1917is set SIGHUP also re-reads
1918.I /etc/resolv.conf.
1920does NOT re-read the configuration file.
1922When it receives a SIGUSR1,
1923.B dnsmasq
1924writes statistics to the system log. It writes the cache size,
1925the number of names which have had to removed from the cache before
1926they expired in order to make room for new names and the total number
1927of names that have been inserted into the cache. The number of cache hits and
1928misses and the number of authoritative queries answered are also given. For each upstream
1929server it gives the number of queries sent, and the number which
1930resulted in an error. In
1931.B --no-daemon
1932mode or when full logging is enabled (-q), a complete dump of the
1933contents of the cache is made.
1935The cache statistics are also available in the DNS as answers to
1936queries of class CHAOS and type TXT in domain bind. The domain names are cachesize.bind, insertions.bind, evictions.bind,
1937misses.bind, hits.bind, auth.bind and servers.bind. An example command to query this, using the
1938.B dig
1939utility would be
1941dig +short chaos txt cachesize.bind
1944When it receives SIGUSR2 and it is logging direct to a file (see
1945.B --log-facility
1947.B dnsmasq
1948will close and reopen the log file. Note that during this operation,
1949dnsmasq will not be running as root. When it first creates the logfile
1950dnsmasq changes the ownership of the file to the non-root user it will run
1951as. Logrotate should be configured to create a new log file with
1952the ownership which matches the existing one before sending SIGUSR2.
1953If TCP DNS queries are in progress, the old logfile will remain open in
1954child processes which are handling TCP queries and may continue to be
1955written. There is a limit of 150 seconds, after which all existing TCP
1956processes will have expired: for this reason, it is not wise to
1957configure logfile compression for logfiles which have just been
1958rotated. Using logrotate, the required options are
1959.B create
1961.B delaycompress.
1965Dnsmasq is a DNS query forwarder: it it not capable of recursively
1966answering arbitrary queries starting from the root servers but
1967forwards such queries to a fully recursive upstream DNS server which is
1968typically provided by an ISP. By default, dnsmasq reads
1969.I /etc/resolv.conf
1970to discover the IP
1971addresses of the upstream nameservers it should use, since the
1972information is typically stored there. Unless
1973.B --no-poll
1974is used,
1975.B dnsmasq
1976checks the modification time of
1977.I /etc/resolv.conf
1978(or equivalent if
1979.B \--resolv-file
1980is used) and re-reads it if it changes. This allows the DNS servers to
1981be set dynamically by PPP or DHCP since both protocols provide the
1983Absence of
1984.I /etc/resolv.conf
1985is not an error
1986since it may not have been created before a PPP connection exists. Dnsmasq
1987simply keeps checking in case
1988.I /etc/resolv.conf
1989is created at any
1990time. Dnsmasq can be told to parse more than one resolv.conf
1991file. This is useful on a laptop, where both PPP and DHCP may be used:
1992dnsmasq can be set to poll both
1993.I /etc/ppp/resolv.conf
1995.I /etc/dhcpc/resolv.conf
1996and will use the contents of whichever changed
1997last, giving automatic switching between DNS servers.
1999Upstream servers may also be specified on the command line or in
2000the configuration file. These server specifications optionally take a
2001domain name which tells dnsmasq to use that server only to find names
2002in that particular domain.
2004In order to configure dnsmasq to act as cache for the host on which it is running, put "nameserver" in
2005.I /etc/resolv.conf
2006to force local processes to send queries to
2007dnsmasq. Then either specify the upstream servers directly to dnsmasq
2009.B \--server
2010options or put their addresses real in another file, say
2011.I /etc/resolv.dnsmasq
2012and run dnsmasq with the
2013.B \-r /etc/resolv.dnsmasq
2014option. This second technique allows for dynamic update of the server
2015addresses by PPP or DHCP.
2017Addresses in /etc/hosts will "shadow" different addresses for the same
2018names in the upstream DNS, so "" in /etc/hosts will ensure that
2019queries for "" always return even if queries in
2020the upstream DNS would otherwise return a different address. There is
2021one exception to this: if the upstream DNS contains a CNAME which
2022points to a shadowed name, then looking up the CNAME through dnsmasq
2023will result in the unshadowed address associated with the target of
2024the CNAME. To work around this, add the CNAME to /etc/hosts so that
2025the CNAME is shadowed too.
2028The tag system works as follows: For each DHCP request, dnsmasq
2029collects a set of valid tags from active configuration lines which
2030include set:<tag>, including one from the
2031.B dhcp-range
2032used to allocate the address, one from any matching
2033.B dhcp-host
2034(and "known" if a dhcp-host matches)
2035The tag "bootp" is set for BOOTP requests, and a tag whose name is the
2036name of the interface on which the request arrived is also set.
2038Any configuration lines which include one or more tag:<tag> constructs
2039will only be valid if all that tags are matched in the set derived
2040above. Typically this is dhcp-option.
2041.B dhcp-option
2042which has tags will be used in preference  to an untagged
2043.B dhcp-option,
2044provided that _all_ the tags match somewhere in the
2045set collected as described above. The prefix '!' on a tag means 'not'
2046so --dhcp-option=tag:!purple,3, sends the option when the
2047tag purple is not in the set of valid tags. (If using this in a
2048command line rather than a configuration file, be sure to escape !,
2049which is a shell metacharacter)
2051When selecting dhcp-options, a tag from dhcp-range is second class
2052relative to other tags, to make it easy to override options for
2053individual hosts, so
2054.B dhcp-range=set:interface1,......
2055.B dhcp-host=set:myhost,.....
2056.B dhcp-option=tag:interface1,option:nis-domain,"domain1"
2057.B dhcp-option=tag:myhost,option:nis-domain,"domain2"
2058will set the NIS-domain to domain1 for hosts in the range, but
2059override that to domain2 for a particular host.
2062Note that for
2063.B dhcp-range
2064both tag:<tag> and set:<tag> are allowed, to both select the range in
2065use based on (eg) dhcp-host, and to affect the options sent, based on
2066the range selected.
2068This system evolved from an earlier, more limited one and for backward
2069compatibility "net:" may be used instead of "tag:" and "set:" may be
2070omitted. (Except in
2071.B dhcp-host,
2072where "net:" may be used instead of "set:".) For the same reason, '#'
2073may be used instead of '!' to indicate NOT.
2075The DHCP server in dnsmasq will function as a BOOTP server also,
2076provided that the MAC address and IP address for clients are given,
2077either using
2078.B dhcp-host
2079configurations or in
2080.I /etc/ethers
2081, and a
2082.B dhcp-range
2083configuration option is present to activate the DHCP server
2084on a particular network. (Setting --bootp-dynamic removes the need for
2085static address mappings.) The filename
2086parameter in a BOOTP request is used as a tag,
2087as is the tag "bootp", allowing some control over the options returned to
2088different classes of hosts.
2092Configuring dnsmasq to act as an authoritative DNS server is
2093complicated by the fact that it involves configuration of external DNS
2094servers to provide delegation. We will walk through three scenarios of
2095increasing complexity. Prerequisites for all of these scenarios
2096are a globally accessible IP address, an A or AAAA record pointing to that address,
2097and an external DNS server capable of doing delegation of the zone in
2098question. For the first part of this explanation, we will call the A (or AAAA) record
2099for the globally accessible address, and the zone
2100for which dnsmasq is authoritative
2102The simplest configuration consists of two lines of dnsmasq configuration; something like
2109and two records in the external DNS
2110       A            NS
2116eth0 is the external network interface on which dnsmasq is listening,
2117and has (globally accessible) address
2119Note that the external IP address may well be dynamic (ie assigned
2120from an ISP by DHCP or PPP) If so, the A record must be linked to this
2121dynamic assignment by one of the usual dynamic-DNS systems.
2123A more complex, but practically useful configuration has the address
2124record for the globally accessible IP address residing in the
2125authoritative zone which dnsmasq is serving, typically at the root. Now
2126we have
2132             A            NS
2138The A record for has now become a glue record, it solves
2139the chicken-and-egg problem of finding the IP address of the
2140nameserver for when the A record is within that
2141zone. Note that this is the only role of this record: as dnsmasq is
2142now authoritative from it too must provide this
2143record. If the external address is static, this can be done with an
2144.B /etc/hosts
2145entry or
2146.B --host-record.
2154If the external address is dynamic, the address
2155associated with must be derived from the address of the
2156relevant interface. This is done using
2157.B interface-name
2158Something like:
2166(The "eth0" argument in auth-zone adds the subnet containing eth0's
2167dynamic address to the zone, so that the interface-name returns the
2168address in outside queries.)
2170Our final configuration builds on that above, but also adds a
2171secondary DNS server. This is another DNS server which learns the DNS data
2172for the zone by doing zones transfer, and acts as a backup should
2173the primary server become inaccessible. The configuration of the
2174secondary is beyond the scope of this man-page, but the extra
2175configuration of dnsmasq is simple:
2182           NS
2187Adding auth-sec-servers enables zone transfer in dnsmasq, to allow the
2188secondary to collect the DNS data. If you wish to restrict this data
2189to particular hosts then
2192.B auth-peer=<IP address of secondary>
2195will do so.
2197Dnsmasq acts as an authoritative server for and domains associated with the subnets given in auth-zone
2199declarations, so reverse (address to name) lookups can be simply
2200configured with a suitable NS record, for instance in this example,
2201where we allow addresses.
2204  NS
2207Note that at present, reverse ( and zones are
2208not available in zone transfers, so there is no point arranging
2209secondary servers for reverse lookups.
2212When dnsmasq is configured to act as an authoritative server, the
2213following data is used to populate the authoritative zone.
2215.B --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record
2216, as long as the record names are in the authoritative domain.
2218.B --cname
2219as long as the record name is in  the authoritative domain. If the
2220target of the CNAME is unqualified, then it  is qualified with the
2221authoritative zone name. CNAME used in this way (only) may be wildcards, as in
2224.B cname=*,
2228IPv4 and IPv6 addresses from /etc/hosts (and
2229.B --addn-hosts
2230) and
2231.B --host-record
2233.B --interface-name
2234provided the address falls into one of the subnets specified in the
2235.B --auth-zone.
2237Addresses of DHCP leases, provided the address falls into one of the subnets specified in the
2238.B --auth-zone.
2239(If constructed DHCP ranges are is use, which depend on the address dynamically
2240assigned to an interface, then the form of
2241.B --auth-zone
2242which defines subnets by the dynamic address of an interface should
2243be used to ensure this condition is met.)
2245In the default mode, where a DHCP lease
2246has an unqualified name, and possibly a qualified name constructed
2248.B --domain
2249then the name in the authoritative zone is constructed from the
2250unqualified name and the zone's domain. This may or may not equal
2251that specified by
2252.B --domain.
2254.B --dhcp-fqdn
2255is set, then the fully qualified names associated with DHCP leases are
2256used, and must match the zone's domain.
22620 - Dnsmasq successfully forked into the background, or terminated
2263normally if backgrounding is not enabled.
22651 - A problem with configuration was detected.
22672 - A problem with network access occurred (address in use, attempt
2268to use privileged ports without permission).
22703 - A problem occurred with a filesystem operation (missing
2271file/directory, permissions).
22734 - Memory allocation failure.
22755 - Other miscellaneous problem.
227711 or greater - a non zero return code was received from the
2278lease-script process "init" call. The exit code from dnsmasq is the
2279script's exit code with 10 added.
2282The default values for resource limits in dnsmasq are generally
2283conservative, and appropriate for embedded router type devices with
2284slow processors and limited memory. On more capable hardware, it is
2285possible to increase the limits, and handle many more clients. The
2286following applies to dnsmasq-2.37: earlier versions did not scale as well.
2289Dnsmasq is capable of handling DNS and DHCP for at least a thousand
2290clients. The DHCP lease times should not be very short (less than one hour). The
2291value of
2292.B --dns-forward-max
2293can be increased: start with it equal to
2294the number of clients and increase if DNS seems slow. Note that DNS
2295performance depends too on the performance of the upstream
2296nameservers. The size of the DNS cache may be increased: the hard
2297limit is 10000 names and the default (150) is very low. Sending
2298SIGUSR1 to dnsmasq makes it log information which is useful for tuning
2299the cache size. See the
2300.B NOTES
2301section for details.
2304The built-in TFTP server is capable of many simultaneous file
2305transfers: the absolute limit is related to the number of file-handles
2306allowed to a process and the ability of the select() system call to
2307cope with large numbers of file handles. If the limit is set too high
2309.B --tftp-max
2310it will be scaled down and the actual limit logged at
2311start-up. Note that more transfers are possible when the same file is
2312being sent than when each transfer sends a different file.
2315It is possible to use dnsmasq to block Web advertising by using a list
2316of known banner-ad servers, all resolving to or, in
2317.B /etc/hosts
2318or an additional hosts file. The list can be very long,
2319dnsmasq has been tested successfully with one million names. That size
2320file needs a 1GHz processor and about 60Mb of RAM.
2323Dnsmasq can be compiled to support internationalisation. To do this,
2324the make targets "all-i18n" and "install-i18n" should be used instead of
2325the standard targets "all" and "install". When internationalisation
2326is compiled in, dnsmasq will produce log messages in the local
2327language and support internationalised domain names (IDN). Domain
2328names in /etc/hosts, /etc/ethers and /etc/dnsmasq.conf which contain
2329non-ASCII characters will be translated to the DNS-internal punycode
2330representation. Note that
2331dnsmasq determines both the language for messages and the assumed
2332charset for configuration
2333files from the LANG environment variable. This should be set to the system
2334default value by the script which is responsible for starting
2335dnsmasq. When editing the configuration files, be careful to do so
2336using only the system-default locale and not user-specific one, since
2337dnsmasq has no direct way of determining the charset in use, and must
2338assume that it is the system default.
2341.IR /etc/dnsmasq.conf
2343.IR /usr/local/etc/dnsmasq.conf
2345.IR /etc/resolv.conf
2346.IR /var/run/dnsmasq/resolv.conf
2347.IR /etc/ppp/resolv.conf
2348.IR /etc/dhcpc/resolv.conf
2350.IR /etc/hosts
2352.IR /etc/ethers
2354.IR /var/lib/misc/dnsmasq.leases
2356.IR /var/db/dnsmasq.leases
2358.IR /var/run/
2360.BR hosts (5),
2361.BR resolver (5)
2363This manual page was written by Simon Kelley <>.
Note: See TracBrowser for help on using the repository browser.