~cyphermox/ubuntu/precise/dnsmasq/dbus : revision 3

1

.TH DNSMASQ 8

2

.SH NAME

3

dnsmasq \- A lightweight DHCP and caching DNS server.

4

.SH SYNOPSIS

5

.B dnsmasq

6

.I [OPTION]...

7

.SH "DESCRIPTION"

8

.BR dnsmasq

9

is a lightweight DNS and DHCP server. It is intended to provide coupled DNS and DHCP service to a

10

LAN.

11

.PP

12

Dnsmasq accepts DNS queries and either answers them from a small, local,

13

cache or forwards them to a real, recursive, DNS server. It loads the

14

contents of /etc/hosts so that local hostnames

15

which do not appear in the global DNS can be resolved and also answers

16

DNS queries for DHCP configured hosts.

17

.PP

18

The dnsmasq DHCP server supports static address assignments, multiple

19

networks, DHCP-relay and RFC3011 subnet specifiers. It automatically

20

sends a sensible default set of DHCP options, and can be configured to

21

send any desired set of DHCP options. It also supports BOOTP.

22

.PP

23

Dnsmasq

24

supports IPv6.

25

.SH OPTIONS

26

Note that in general missing parameters are allowed and switch off

27

functions, for instance "--pid-file=" disables writing a PID file. On

28

BSD, unless the GNU getopt library is linked, the long form of the

29

options does not work on the command line; it is still recognised in

30

the configuration file.

31

.TP

32

.B \-h, --no-hosts

33

Don't read the hostnames in /etc/hosts.

34

.TP

35

.B \-H, --addn-hosts=<file>

36

Additional hosts file. Read the specified file as well as /etc/hosts. If -h is given, read

37

only the specified file. This option may be repeated for more than one

38

additional hosts file.

39

.TP

40

.B \-T, --local-ttl=<time>

41

When replying with information from /etc/hosts or the DHCP leases

42

file dnsmasq by default sets the time-to-live field to zero, meaning

43

that the requestor should not itself cache the information. This is

44

the correct thing to do in almost all situations. This option allows a

45

time-to-live (in seconds) to be given for these replies. This will

46

reduce the load on the server at the expense of clients using stale

47

data under some circumstances.

48

.TP

49

.B \-k, --keep-in-foreground

50

Do not go into the background at startup but otherwise run as

51

normal. This is intended for use when dnsmasq is run under daemontools.

52

.TP

53

.B \-d, --no-daemon

54

Debug mode: don't fork to the background, don't write a pid file,

55

don't change user id, generate a complete cache dump on receipt on

56

SIGUSR1, log to stderr as well as syslog, don't fork new processes

57

to handle TCP queries.

58

.TP

59

.B \-q, --log-queries

60

Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1.

61

.TP

62

.B \-x, --pid-file=<path>

63

Specify an alternate path for dnsmasq to record its process-id in. Normally /var/run/dnsmasq.pid.

64

.TP

65

.B \-u, --user=<username>

66

Specify the userid to which dnsmasq will change after startup. Dnsmasq must normally be started as root, but it will drop root

67

priviledges after startup by changing id to another user. Normally this user is "nobody" but that

68

can be over-ridden with this switch.

69

.TP

70

.B \-g, --group=<groupname>

71

Specify the group which dnsmasq will run

72

as. The defaults to "dip", if available, to facilitate access to

73

/etc/ppp/resolv.conf which is not normally world readable.

74

.TP

75

.B \-v, --version

76

Print the version number.

77

.TP

78

.B \-p, --port=<port>

79

Listen on <port> instead of the standard DNS port (53). Useful mainly for

80

debugging.

81

.TP

82

.B \-P, --edns-packet-max=<size>

83

Specify the largest EDNS.0 UDP packet which is supported by the DNS

84

forwarder. Defaults to 1280, which is the RFC2671-recommended maximum

85

for ethernet.

86

.TP

87

.B \-Q, --query-port=<query_port>

88

Send outbound DNS queries from, and listen for their replies on, the specific UDP port <query_port> instead of using one chosen at runtime. Useful to simplify your

89

firewall rules; without this, your firewall would have to allow connections from outside DNS servers to a range of UDP ports, or dynamically adapt to the

90

port being used by the current dnsmasq instance.

91

.TP

92

.B \-i, --interface=<interface name>

93

Listen only on the specified interface(s). Dnsmasq automatically adds

94

the loopback (local) interface to the list of interfaces to use when

95

the

96

.B \--interface

97

option is used. If no

98

.B \--interface

99

or

100

.B \--listen-address

101

options are given dnsmasq listens on all available interfaces except any

102

given in

103

.B \--except-interface

104

options. If IP alias interfaces (eg "eth1:0") are used with

105

.B --interface

106

or

107

.B --except-interface

108

options, then the

109

.B --bind-interfaces

110

option will be automatically set. This is required for deeply boring

111

sockets-API reasons.

112

.TP

113

.B \-I, --except-interface=<interface name>

114

Do not listen on the specified interface. Note that the order of

115

.B \--listen-address

116

.B --interface

117

and

118

.B --except-interface

119

options does not matter and that

120

.B --except-interface

121

options always override the others.

122

.TP

123

.B \-a, --listen-address=<ipaddr>

124

Listen on the given IP address(es). Both

125

.B \--interface

126

and

127

.B \--listen-address

128

options may be given, in which case the set of both interfaces and

129

addresses is used. Note that if no

130

.B \--interface

131

option is given, but

132

.B \--listen-address

133

is, dnsmasq will not automatically listen on the loopback

134

interface. To achieve this, its IP address, 127.0.0.1, must be

135

explicitly given as a

136

.B \--listen-address

137

option.

138

.TP

139

.B \-z, --bind-interfaces

140

On systems which support it, dnsmasq binds the wildcard address,

141

even when it is listening on only some interfaces. It then discards

142

requests that it shouldn't reply to. This has the advantage of

143

working even when interfaces come and go and change address. This

144

option forces dnsmasq to really bind only the interfaces it is

145

listening on. About the only time when this is useful is when

146

running another nameserver (or another instance of dnsmasq) on the

147

same machine or when using IP

148

alias. Specifying interfaces with IP alias automatically turns this

149

option on. Setting this option also enables multiple instances of

150

dnsmasq which provide DHCP service to run in the same machine.

151

.TP

152

.B \-y, --localise-queries

153

Return answers to DNS queries from /etc/hosts which depend on the interface over which the query was

154

recieved. If a name in /etc/hosts has more than one address associated with

155

it, and at least one of those addresses is on the same subnet as the

156

interface to which the query was sent, then return only the

157

address(es) on that subnet. This allows for a server to have multiple

158

addresses in /etc/hosts corresponding to each of its interfaces, and

159

hosts will get the correct address based on which network they are

160

attached to. Currently this facility is limited to IPv4.

161

.TP

162

.B \-b, --bogus-priv

163

Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192.168.x.x, etc)

164

which are not found in /etc/hosts or the DHCP leases file are answered

165

with "no such domain" rather than being forwarded upstream.

166

.TP

167

.B \-V, --alias=<old-ip>,<new-ip>[,<mask>]

168

Modify IPv4 addresses returned from upstream nameservers; old-ip is

169

replaced by new-ip. If the optional mask is given then any address

170

which matches the masked old-ip will be re-written. So, for instance

171

.B --alias=1.2.3.0,6.7.8.0,255.255.255.0

172

will map 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what

173

Cisco PIX routers call "DNS doctoring".

174

.TP

175

.B \-B, --bogus-nxdomain=<ipaddr>

176

Transform replies which contain the IP address given into "No such

177

domain" replies. This is intended to counteract a devious move made by

178

Versign in September 2003 when they started returning the address of

179

an advertising web page in response to queries for unregistered names,

180

instead of the correct NXDOMAIN response. This option tells dnsmasq to

181

fake the correct response when it sees this behaviour. As at Sept 2003

182

the IP address being returnd by Verisign is 64.94.110.11

183

.TP

184

.B \-f, --filterwin2k

185

Later versions of windows make periodic DNS requests which don't get sensible answers from

186

the public DNS and can cause problems by triggering dial-on-demand links. This flag turns on an option

187

to filter such requests. The requests blocked are for records of types SOA and SRV, and type ANY where the

188

requested name has underscores, to catch LDAP requests.

189

.TP

190

.B \-r, --resolv-file=<file>

191

Read the IP addresses of the upstream nameservers from <file>, instead of

192

/etc/resolv.conf. For the format of this file see

193

.BR resolv.conf (5)

194

the only lines relevant to dnsmasq are nameserver ones. Dnsmasq can

195

be told to poll more than one resolv.conf file, the first file name specified

196

overrides the default, subsequent ones add to the list. This is only

197

allowed when polling; the file with the currently latest modification

198

time is the one used.

199

.TP

200

.B \-R, --no-resolv

201

Don't read /etc/resolv.conf. Get upstream servers only from the command

202

line or the dnsmasq configuration file.

203

.TP

204

.B \-o, --strict-order

205

By default, dnsmasq will send queries to any of the upstream servers

206

it knows about and tries to favour servers to are known to

207

be up. Setting this flag forces dnsmasq to try each query with each

208

server strictly in the order they appear in /etc/resolv.conf

209

.TP

210

.B \-n, --no-poll

211

Don't poll /etc/resolv.conf for changes.

212

.TP

213

.B \-D, --domain-needed

214

Tells dnsmasq to never forward queries for plain names, without dots

215

or domain parts, to upstream nameservers. If the name is not knowm

216

from /etc/hosts or DHCP then a "not found" answer is returned.

217

.TP

218

.B \-S, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source>[#<port>]]]

219

Specify IP address of upsream severs directly. Setting this flag does

220

not suppress reading of /etc/resolv.conf, use -R to do that. If one or

221

more

222

optional domains are given, that server is used only for those domains

223

and they are queried only using the specified server. This is

224

intended for private nameservers: if you have a nameserver on your

225

network which deals with names of the form

226

xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag

227

.B -S /.internal.thekelleys.org.uk/192.168.1.1

228

will send all queries for

229

internal machines to that nameserver, everything else will go to the

230

servers in /etc/resolv.conf. An empty domain specification,

231

.B //

232

has the special meaning of "unqualified names only" ie names without any

233

dots in them. A non-standard port may be specified as

234

part of the IP

235

address using a # character.

236

More than one -S flag is allowed, with

237

repeated domain or ipaddr parts as required.

238

239

Also permitted is a -S

240

flag which gives a domain but no IP address; this tells dnsmasq that

241

a domain is local and it may answer queries from /etc/hosts or DHCP

242

but should never forward queries on that domain to any upstream

243

servers.

244

.B local

245

is a synonym for

246

.B server

247

to make configuration files clearer in this case.

248

249

The optional second IP address after the @ character tells

250

dnsmasq how to set the source address of the queries to this

251

nameserver. It should be an address belonging to the machine on which

252

dnsmasq is running otherwise this server line will be logged and then

253

ignored. The query-port flag is ignored for any servers which have a

254

source address specified but the port may be specified directly as

255

part of the source address.

256

.TP

257

.B \-A, --address=/<domain>/[domain/]<ipaddr>

258

Specify an IP address to return for any host in the given domains.

259

Queries in the domains are never forwarded and always replied to

260

with the specified IP address which may be IPv4 or IPv6. To give

261

both IPv4 and IPv6 addresses for a domain, use repeated -A flags.

262

Note that /etc/hosts and DHCP leases override this for individual

263

names. A common use of this is to redirect the entire doubleclick.net

264

domain to some friendly local web server to avoid banner ads. The

265

domain specification works in the same was as for --server, with the

266

additional facility that /#/ matches any domain. Thus

267

--address=/#/1.2.3.4 will always return 1.2.3.4 for any query not

268

answered from /etc/hosts or DHCP and not sent to an upstream

269

nameserver by a more specific --server directive.

270

.TP

271

.B \-m, --mx-host=<mx name>[[,<hostname>],<preference>]

272

Return an MX record named <mx name> pointing to the given hostname (if

273

given), or

274

the host specified in the --mx-target switch

275

or, if that switch is not given, the host on which dnsmasq

276

is running. The default is useful for directing mail from systems on a LAN

277

to a central server. The preference value is optional, and defaults to

278

1 if not given. More than one MX record may be given for a host.

279

.TP

280

.B \-t, --mx-target=<hostname>

281

Specify the default target for the MX record returned by dnsmasq. See

282

--mx-host. If --mx-target is given, but not --mx-host, then dnsmasq

283

returns a MX record containing the MX target for MX queries on the

284

hostname of the machine on which dnsmasq is running.

285

.TP

286

.B \-e, --selfmx

287

Return an MX record pointing to itself for each local

288

machine. Local machines are those in /etc/hosts or with DHCP leases.

289

.TP

290

.B \-L, --localmx

291

Return an MX record pointing to the host given by mx-target (or the

292

machine on which dnsmasq is running) for each

293

local machine. Local machines are those in /etc/hosts or with DHCP

294

leases.

295

.TP

296

.B \-W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<priority>[,<weight>]]]]

297

Return a SRV DNS record. See RFC2782 for details. If not supplied, the

298

domain defaults to that given by

299

.B --domain.

300

The default for the target domain is empty, and the default for port

301

is one and the defaults for

302

weight and priority are zero. Be careful if transposing data from BIND

303

zone files: the port, weight and priority numbers are in a different

304

order. More than one SRV record for a given service/domain is allowed,

305

all that match are returned. Specifying at least one

306

.B --srv-host

307

option also turns on replies to SOA queries for the

308

domain given by the

309

.B --domain

310

option. The data in these is stereotyped, but is enough for resolvers

311

to deduce that the domain is a valid one for resolving SRV records.

312

.TP

313

.B \-Y, --txt-record=<name>[[,<text>],<text>]

314

Return a TXT DNS record. The value of TXT record is a set of strings,

315

so any number may be included, split by commas.

316

.TP

317

.B \-c, --cache-size=<cachesize>

318

Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching.

319

.TP

320

.B \-N, --no-negcache

321

Disable negative caching. Negative caching allows dnsmasq to remember

322

"no such domain" answers from upstream nameservers and answer

323

identical queries without forwarding them again. This flag disables

324

negative caching.

325

.TP

326

.B \-F, --dhcp-range=[[net:]network-id,]<start-addr>,<end-addr>[[,<netmask>],<broadcast>][,<default lease time>]

327

Enable the DHCP server. Addresses will be given out from the range

328

<start-addr> to <end-addr> and from statically defined addresses given

329

in

330

.B dhcp-host

331

options. If the lease time is given, then leases

332

will be given for that length of time. The lease time is on seconds,

333

or minutes (eg 45m) or hours (eg 1h) or the literal "infinite". This

334

option may be repeated, with different addresses, to enable DHCP

335

service to more than one network. For directly connected networks (ie,

336

networks on which the machine running dnsmasq has an interface) the

337

netmask is optional. It is, however, required for networks which

338

recieve DHCP service via a relay agent. The broadcast address is

339

always optional. On some broken systems, dnsmasq can listen on only

340

one interface when using DHCP, and the name of that interface must be

341

given using the

342

.B interface

343

option. This limitation currently affects OpenBSD. It is always

344

allowed to have more than one dhcp-range in a single subnet. The optional

345

network-id is a alphanumeric label which marks this network so that

346

dhcp options may be specified on a per-network basis.

347

When it is prefixed with 'net:' then its meaning changes from setting

348

a tag to matching it.

349

The end address may be replaced by the keyword

350

.B static

351

which tells dnsmasq to enable DHCP for the network specified, but not

352

to dynamically allocate IP addresses. Only hosts which have static

353

addresses given via

354

.B dhcp-host

355

or from /etc/ethers will be served.

356

.TP

357

.B \-G, --dhcp-host=[[<hwaddr>]|[id:[<client_id>][*]]][net:<netid>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]

358

Specify per host parameters for the DHCP server. This allows a machine

359

with a particular hardware address to be always allocated the same

360

hostname, IP address and lease time. A hostname specified like this

361

overrides any supplied by the DHCP client on the machine. It is also

362

allowable to ommit the hardware address and include the hostname, in

363

which case the IP address and lease times will apply to any machine

364

claiming that name. For example

365

.B --dhcp-host=00:20:e0:3b:13:af,wap,infinite

366

tells dnsmasq to give

367

the machine with ethernet address 00:20:e0:3b:13:af the name wap, and

368

an infinite DHCP lease.

369

.B --dhcp-host=lap,192.168.0.199

370

tells

371

dnsmasq to always allocate the machine lap the IP address

372

192.168.0.199. Addresses allocated like this are not constrained to be

373

in the range given by the --dhcp-range option, but they must be on the

374

network being served by the DHCP server. It is allowed to use client identifiers rather than

375

hardware addresses to identify hosts by prefixing with 'id:'. Thus:

376

.B --dhcp-host=id:01:02:03:04,.....

377

refers to the host with client identifier 01:02:03:04. It is also

378

allowed to specify the client ID as text, like this:

379

.B --dhcp-host=id:clientidastext,.....

380

The special option id:* means "ignore any client-id

381

and use MAC addresses only." This is useful when a client presents a client-id sometimes

382

but not others.

383

If a name appears in /etc/hosts, the associated address can be

384

allocated to a DHCP lease, but only if a

385

.B --dhcp-host

386

option specifying the name also exists. The special keyword "ignore"

387

tells dnsmasq to never offer a DHCP lease to a machine. The machine

388

can be specified by hardware address, client ID or hostname, for

389

instance

390

.B --dhcp-host=00:20:e0:3b:13:af,ignore

391

This is

392

useful when there is another DHCP server on the network which should

393

be used by some machines. The net:<network-id> parameter enables DHCP options just

394

for this host in the same way as the the network-id in

395

.B dhcp-range.

396

Ethernet addresses (but not client-ids) may have

397

wildcard bytes, so for example

398

.B --dhcp-host=00:20:e0:3b:13:*,ignore

399

will cause dnsmasq to ignore a range of ethernet addresses. Note that

400

the "*" will need to be escaped or quoted on a command line, but not

401

in the configuration file.

402

.TP

403

.B \-Z, --read-ethers

404

Read /etc/ethers for information about hosts for the DHCP server. The

405

format of /etc/ethers is a hardware address, followed by either a

406

hostname or dotted-quad IP address. When read by dnsmasq these lines

407

have exactly the same effect as

408

.B --dhcp-host

409

options containing the same information.

410

.TP

411

.B \-O, --dhcp-option=[<network-id>,[<network-id>,]][vendor:<vendor-class>]<opt>,[<value>[,<value>]]

412

Specfify different or extra options to DHCP clients. By default,

413

dnsmasq sends some standard options to DHCP clients, the netmask and

414

broadcast address are set to the same as the host running dnsmasq, and

415

the DNS server and default route are set to the address of the machine

416

running dnsmasq. If the domain name option has been set, that is sent.

417

This option allows these defaults to be overridden,

418

or other options specified. The <opt> is the number of the option, as

419

specfied in RFC2132. For example, to set the default route option to

420

192.168.4.4, do

421

.B --dhcp-option=3,192.168.4.4

422

and to set the time-server address to 192.168.0.4, do

423

.B --dhcp-option=42,192.168.0.4

424

The special address 0.0.0.0 is taken to mean "the address of the

425

machine running dnsmasq". Data types allowed are comma separated

426

dotted-quad IP addresses, a decimal number, colon-separated hex digits

427

and a text string. If the optional network-ids are given then

428

this option is only sent when all the network-ids are matched.

429

430

Be careful: no checking is done that the correct type of data for the

431

option number is sent, it is quite possible to

432

persuade dnsmasq to generate illegal DHCP packets with injudicious use

433

of this flag. When the value is a decimal number, dnsmasq must determine how

434

large the data item is. It does this by examining the option number and/or the

435

value, but can be overriden by appending a single letter flag as follows:

436

b = one byte, s = two bytes, i = four bytes. This is mainly useful with

437

encapsulated vendor class options (see below) where dnsmasq cannot determine data size from the option number.

438

439

Encapsulated Vendor-class options may also be specified using

440

--dhcp-option: for instance

441

.B --dhcp-option=vendor:PXEClient,1,0.0.0.0

442

sends the vendor class "PXEClient" and the encapsulated vendor class-specific option "mftp-address=0.0.0.0" Only one vendor class is allowed for any

443

host, but multiple options are allowed, provided they all have

444

the same vendor class. The address 0.0.0.0 is not treated specially in

445

encapsulated vendor class options.

446

.TP

447

.B \-U, --dhcp-vendorclass=<network-id>,<vendor-class>

448

Map from a vendor-class string to a network id. Most DHCP clients provide a

449

"vendor class" which represents, in some sense, the type of host. This option

450

maps vendor classes to network ids, so that DHCP options may be selectively delivered

451

to different classes of hosts. For example

452

.B dhcp-vendorclass=printers,Hewlett-Packard JetDirect

453

will allow options to be set only for HP printers like so:

454

.B --dhcp-option=printers,3,192.168.4.4

455

The vendor-class string is

456

substring matched against the vendor-class supplied by the client, to

457

allow fuzzy matching.

458

.TP

459

.B \-j, --dhcp-userclass=<network-id>,<user-class>

460

Map from a user-class string to a network id (with substring

461

matching, like vendor classes). Most DHCP clients provide a

462

"user class" which is configurable. This option

463

maps user classes to network ids, so that DHCP options may be selectively delivered

464

to different classes of hosts. It is possible, for instance to use

465

this to set a different printer server for hosts in the class

466

"accounts" than for hosts in the class "engineering".

467

.TP

468

.B \ -J, --dhcp-ignore=<network-id>[,<network-id>]

469

When all the given network-ids match the set of network-ids derived

470

from the net, host, vendor and user classes, ignore the host and do

471

not allocate it a DHCP lease.

472

.TP

473

.B \-M, --dhcp-boot=[net:<network-id>,]<filename>,[<servername>[,<server address>]]

474

Set BOOTP options to be returned by the DHCP server. These are needed

475

for machines which network boot, and tell the machine where to collect

476

its initial configuration. If the optional network-id(s) are given,

477

they must match for this configuration to be sent. Note that

478

network-ids are prefixed by "net:" to distinguish them.

479

.TP

480

.B \-X, --dhcp-lease-max=<number>

481

Limits dnsmasq to the specified maximum number of DHCP leases. The

482

default is 150. This limit is to prevent DoS attacks from hosts which

483

create thousands of leases and use lots of memory in the dnsmasq

484

process.

485

.TP

486

.B \-K, --dhcp-authoritative

487

Should be set when dnsmasq is definatively the only DHCP server on a network.

488

It changes the behaviour from strict RFC compliance so that DHCP requests on

489

unknown leases from unknown hosts are not ignored. This allows new hosts

490

to get a lease without a tedious timeout under all circumstances.

491

.TP

492

.B \-l, --dhcp-leasefile=<path>

493

Use the specified file to store DHCP lease information. If this option

494

is given but no dhcp-range option is given then dnsmasq version 1

495

behaviour is activated. The file given is assumed to be an ISC dhcpd

496

lease file and parsed for leases which are then added to the DNS

497

system if they have a hostname. This functionality may have been

498

excluded from dnsmasq at compile time, in which case an error will occur.

499

.TP

500

.B \-s, --domain=<domain>

501

Specifies the domain for the DHCP server. This has two effects;

502

firstly it causes the DHCP server to return the domain to any hosts

503

which request it, and secondly it sets the domain which it is legal

504

for DHCP-configured hosts to claim. The intention is to constrain hostnames so that an untrusted host on the LAN cannot advertise it's name via dhcp as e.g. "microsoft.com" and capture traffic not meant for it. If no domain suffix is specified, then any DHCP hostname with a domain part (ie with a period) will be disallowed and logged. If suffix is specified, then hostnames with a domain part are allowed, provided the domain part matches the suffix. In addition, when a suffix is set then hostnames without a domain part have the suffix added as an optional domain part. Eg on my network I can set

505

.B --domain-suffix=thekelleys.org.uk

506

and have a machine whose DHCP hostname is "laptop". The IP address for that machine is available from

507

.B dnsmasq

508

both as "laptop" and "laptop.thekelleys.org.uk". If the domain is

509

given as "#" then the domain is read from the first "search" directive

510

in /etc/resolv.conf (or equivalent).

511

.TP

512

.B \-E, --expand-hosts

513

Add the domain-suffix to simple names (without a period) in /etc/hosts

514

in the same way as for DHCP-derived names.

515

.SH CONFIG FILE

516

At startup, dnsmasq reads

517

.I /etc/dnsmasq.conf,

518

if it exists. (On

519

FreeBSD, the file is

520

.I /usr/local/etc/dnsmasq.conf

521

) The format of this

522

file consists of one option per line, exactly as the long options detailed

523

in the OPTIONS section but without the leading "--". Lines starting with # are comments and ignored. For

524

options which may only be specified once, the configuration file overrides

525

the command line. Use the --conf-file option to specify a different

526

configuration file. The conf-file option is also allowed in

527

configuration files, to include multiple configuration files. Only one

528

level of nesting is allowed. Quoting is allowed in a config file:

529

between " quotes the special meaning of , and # is removed and the

530

following escapes are allowed: \\\\ \\" \\t and \\n. The later two

531

corresponding to newline and tab.

532

.SH NOTES

533

When it receives a SIGHUP,

534

.B dnsmasq

535

clears its cache and then re-loads

536

.I /etc/hosts.

537

If

538

.B

539

--no-poll

540

is set SIGHUP also re-reads

541

.I /etc/resolv.conf.

542

SIGHUP

543

does NOT re-read the configuration file.

544

.PP

545

When it receives a SIGUSR1,

546

.B dnsmasq

547

writes cache statistics to the system log. It writes the cache size,

548

the number of names which have had to removed from the cache before

549

they expired in order to make room for new names and the total number

550

of names that have been inserted into the cache. In

551

.B --no-daemon

552

mode or when full logging is enabled (-q), a complete dump of the contents of the cache is made.

553

.PP

554

Dnsmasq is a DNS query forwarder: it it not capable of recursively

555

answering arbitrary queries starting from the root servers but

556

forwards such queries to a fully recursive upstream DNS server which is

557

typically provided by an ISP. By default, dnsmasq reads

558

.I /etc/resolv.conf

559

to discover the IP

560

addresses of the upstream nameservers it should use, since the

561

information is typically stored there. Unless

562

.B --no-poll

563

is used,

564

.B dnsmasq

565

checks the modification time of

566

.I /etc/resolv.conf

567

(or equivalent if

568

.B \--resolv-file

569

is used) and re-reads it if it changes. This allows the DNS servers to

570

be set dynamically by PPP or DHCP since both protocols provide the

571

information.

572

Absence of

573

.I /etc/resolv.conf

574

is not an error

575

since it may not have been created before a PPP connection exists. Dnsmasq

576

simply keeps checking in case

577

.I /etc/resolv.conf

578

is created at any

579

time. Dnsmasq can be told to parse more than one resolv.conf

580

file. This is useful on a laptop, where both PPP and DHCP may be used:

581

dnsmasq can be set to poll both

582

.I /etc/ppp/resolv.conf

583

and

584

.I /etc/dhcpc/resolv.conf

585

and will use the contents of whichever changed

586

last, giving automatic switching between DNS servers.

587

.PP

588

Upstream servers may also be specified on the command line or in

589

the configuration file. These server specifications optionally take a

590

domain name which tells dnsmasq to use that server only to find names

591

in that particular domain.

592

.PP

593

In order to configure dnsmasq to act as cache for the host on which it is running, put "nameserver 127.0.0.1" in

594

.I /etc/resolv.conf

595

to force local processes to send queries to

596

dnsmasq. Then either specify the upstream servers directly to dnsmasq

597

using

598

.B \--server

599

options or put their addresses real in another file, say

600

.I /etc/resolv.dnsmasq

601

and run dnsmasq with the

602

.B \-r /etc/resolv.dnsmasq

603

option. This second technique allows for dynamic update of the server

604

addresses by PPP or DHCP.

605

.PP

606

Addresses in /etc/hosts will "shadow" different addresses for the same

607

names in the upstream DNS, so "mycompany.com 1.2.3.4" in /etc/hosts will ensure that

608

queries for "mycompany.com" always return 1.2.3.4 even if queries in

609

the upstream DNS would otherwise return a different address. There is

610

one exception to this: if the upstream DNS contains a CNAME which

611

points to a shadowed name, then looking up the CNAME through dnsmasq

612

will result in the unshadowed address associated with the target of

613

the CNAME. To work around this, add the CNAME to /etc/hosts so that

614

the CNAME is shadowed too.

615

616

.PP

617

The network-id system works as follows: For each DHCP request, dnsmasq

618

collects a set of valid network-id tags, one from the

619

.B dhcp-range

620

used to allocate the address, one from any matching

621

.B dhcp-host

622

and possibly many from matching vendor classes and user

623

classes sent by the DHCP client. Any

624

.B dhcp-option

625

which has network-id tags will be used in preference to an untagged

626

.B dhcp-option,

627

provided that _all_ the tags match somewhere in the

628

set collected as described above. The prefix '#' on a tag means 'not'

629

so --dhcp=option=#purple,3,1.2.3.4 sends the option when the

630

network-id tag purple is not in the set of valid tags.

631

.PP

632

If the network-id in a

633

.B dhcp-range

634

is prefixed with 'net:' then its meaning changes from setting a

635

tag to matching it. Thus if there is more than dhcp-range on a subnet,

636

and one is tagged with a network-id which is set (for instance

637

from a vendorclass option) then hosts which set the netid tag will be

638

allocated addresses in the tagged range.

639

.PP

640

The DHCP server in dnsmasq will function as a BOOTP server also,

641

provided that the MAC address and IP address for clients are given,

642

either using

643

.B dhcp-host

644

configurations or in

645

.I /etc/ethers

646

, and a

647

.B dhcp-range

648

configuration option is present to activate the DHCP server

649

on a particular network. The filename

650

parameter in a BOOTP request is matched against netids in

651

.B dhcp-option

652

configurations, allowing some control over the options returned to

653

different classes of hosts.

654

655

.SH FILES

656

.IR /etc/dnsmasq.conf

657

658

.IR /usr/local/etc/dnsmasq.conf

659

660

.IR /etc/resolv.conf

661

662

.IR /etc/hosts

663

664

.IR /etc/ethers

665

666

.IR /var/lib/misc/dnsmasq.leases

667

668

.IR /var/db/dnsmasq.leases

669

670

.IR /var/run/dnsmasq.pid

671

.SH SEE ALSO

672

.BR hosts (5),

673

.BR resolver (5)

674

.SH AUTHOR

675

This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.

676

677