Page revisions compared: 2023/09/24 02:18 by systemcrash (section: Classifying clients and assigning individual options) and 2023/12/10 08:50 by vgaetera (section: DHCP and DNS configuration /etc/config/dhcp).
====== DHCP and DNS configuration /etc/config/dhcp ======

See also:
[[docs:guide-user:base-system:dhcp_configuration|DHCP and DNS examples]],
[[docs:guide-user:base-system:dhcp.dnsmasq|dnsmasq]],
[[docs:techref:odhcpd|odhcpd]]

OpenWrt uses //dnsmasq// and //odhcpd// to serve DNS/DHCP and DHCPv6 by default.

^ Roles ^ Ports ^ Packages ^ Configuration ^
| DNS server | 53/UDP, 53/TCP | [[packages:pkgdata:dnsmasq]] | ''/etc/config/dhcp'' |
| DHCP server | 67/UDP | ::: | ::: |
| DHCP relay | 68/UDP | ::: | ::: |
| DHCPv6 server | 547/UDP | [[packages:pkgdata:odhcpd-ipv6only]] | ::: |
| RA (Router Advertisements) | ICMPv6 | ::: | ::: |

<code bash>
# Default dnsmasq section of /etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
</code>

Options:
  * ''local'' and ''domain'' enable //dnsmasq// to serve entries in ''/etc/hosts'', as well as DHCP clients' names if configured under the //lan// domain.
  * ''domainneeded'', ''boguspriv'', ''localise_queries'', and ''expandhosts'' ensure requests for local host names are not forwarded to upstream DNS servers.
  * ''authoritative'' makes the router the only DHCP server on this network; clients get their IP lease a lot faster this way.
  * ''leasefile'' stores leases in a file so they can be picked up again if //dnsmasq// is restarted.
  * ''resolvfile'' tells //dnsmasq// to use this file to find upstream name servers; it gets created by the WAN DHCP or PPP client.
  * ''enable_tftp'' and ''tftp_root'' turn on the TFTP server and serve files from ''tftp_root''.
  * The client may need the server's IP set explicitly by setting ''serverip'' (e.g. ''setenv serverip 192.168.1.10'').
| ==== All options ==== | ==== All options ==== |
| <sortable> | <sortable> |
| ^ Name ^ Type ^ Default ^ Option ^ Description ^ | ^ Name ^ Type ^ Default ^ Option ^ Description ^ |
| | ''add_local_domain'' | boolean | ''1'' | | Add the local domain as search directive in resolv.conf. | | | ''add_local_domain'' | boolean | ''1'' | | Add the local domain as search directive in resolv.conf. | |
| | ''add_local_hostname'' | boolean | ''1'' | | Add A, AAAA, and PTR records for this router only on DHCP served LAN. \\ :!: enhanced function available since 18.06 with option ''add_local_fqdn'' | | | ''add_local_hostname'' | boolean | ''1'' | | Add A, AAAA, and PTR records for this router only on DHCP served LAN. \\ :!: enhanced function available since 18.06 with option ''add_local_fqdn'' | |
| | ''add_local_fqdn'' | integer | ''1'' | | Add A, AAAA, and PTR records for this router only on DHCP served LAN. \\ ''0''**:** Disable.\\ ''1''**:** Hostname on Primary Address.\\ ''2''**:** Hostname on All Addresses.\\ ''3''**:** FDQN on All Addresses.\\ ''4''**:** ''iface.host.domain'' on All Addresses. \\ :!: ''add_local_fqdn'' available since 18.06 | | | ''add_local_fqdn'' | integer | ''1'' | | Add A, AAAA, and PTR records for this router only on DHCP served LAN. \\ ''0''**:** Disable.\\ ''1''**:** Hostname on Primary Address.\\ ''2''**:** Hostname on All Addresses.\\ ''3''**:** FDQN on All Addresses.\\ ''4''**:** ''iface.host.domain'' on All Addresses. \\ :!: ''add_local_fqdn'' available since 18.06 | |
| | ''add_wan_fqdn'' | integer | ''0'' | | Labels WAN interfaces like ''add_local_fqdn'' instead of your ISP assigned default which may be obscure. WAN is inferred from ''config dhcp'' sections with ''option ignore 1'' set, so they do not need to be named //WAN// \\ :!: ''add_wan_fqdn'' available since 18.06 | | | ''add_wan_fqdn'' | integer | ''0'' | | Labels WAN interfaces like ''add_local_fqdn'' instead of your ISP assigned default which may be obscure. WAN is inferred from ''config dhcp'' sections with ''option ignore 1'' set, so they do not need to be named //WAN// \\ :!: ''add_wan_fqdn'' available since 18.06 | |
| | ''addnhosts'' | list of file paths | //(none)// | ''-H'' | Additional host files to read for serving DNS responses. Syntax in each file is the same as ''/etc/hosts'' | | | ''addnhosts'' | list of file paths | //(none)// | ''-H'' | Additional host files to read for serving DNS responses. Syntax in each file is the same as ''/etc/hosts'' | |
| | ''authoritative'' | boolean | ''1'' | ''-K'' | Force //dnsmasq// into authoritative mode. This speeds up DHCP leasing. Used if this is the only server on the network | | | ''addnmount'' | list of directory or file paths | //(none)// | | Expose additional filesystem paths to the jailed //dnsmasq// process. This is useful in the case of manually configured includes in the configuration file or symlinks pointing outside of the exposed paths as used, for example, by an ad blocker or other name-banning package. | |
| | ''bogusnxdomain'' | list of IP addresses | //(none)// | ''-B'' | IP addresses to convert into NXDOMAIN responses (to counteract "helpful" upstream DNS servers that never return NXDOMAIN). | | | ''authoritative'' | boolean | ''1'' | ''-K'' | Force //dnsmasq// into authoritative mode. This speeds up DHCP leasing. Used if this is the only server on the network | |
| | ''boguspriv'' | boolean | ''1'' | ''-b'' | Reject reverse lookups to private IP ranges where no corresponding entry exists in ''/etc/hosts'' | | | ''bogusnxdomain'' | list of IP addresses | //(none)// | ''-B'' | IP addresses to convert into NXDOMAIN responses (to counteract "helpful" upstream DNS servers that never return NXDOMAIN). | |
| | ''cachelocal'' | boolean | ''1'' | | When set to ''0'', use each network interface's ''dns'' address in the local ''/etc/resolv.conf''. Normally, only the loopback address is used, and all queries go through //dnsmasq//. | | | ''boguspriv'' | boolean | ''1'' | ''-b'' | Reject reverse lookups to private IP ranges where no corresponding entry exists in ''/etc/hosts'' | |
| | ''cachesize'' | integer | ''150'' | ''-c'' | Size of //dnsmasq// query cache. | | | ''cachelocal'' | boolean | ''1'' | | When set to ''0'', use each network interface's ''dns'' address in the local ''/etc/resolv.conf''. Normally, only the loopback address is used, and all queries go through //dnsmasq//. | |
| | ''dbus'' | boolean | ''0'' | ''-1'' | Enable DBus messaging for //dnsmasq//.\\ :!: Standard builds of //dnsmasq// on OpenWrt do not include DBus support. | | | ''cachesize'' | integer | ''150'' | ''-c'' | Size of //dnsmasq// query cache. | |
| | ''dhcp_boot'' | string | //(none)// | ''%%--dhcp-boot%%'' | Specifies BOOTP options, in most cases just the file name. You can also use: "''file name'', ''tftp server name'', ''tftp ip address''" | | | ''dbus'' | boolean | ''0'' | ''-1'' | Enable DBus messaging for //dnsmasq//.\\ :!: Standard builds of //dnsmasq// on OpenWrt do not include DBus support. | |
| | ''dhcphostsfile'' | file path | //(none)// | ''%%--dhcp-hostsfile%%'' | Specify an external file with per host DHCP options | | | ''dhcp_boot'' | string | //(none)// | ''%%--dhcp-boot%%'' | Specifies BOOTP options, in most cases just the file name. You can also use: "''file name'', ''tftp server name'', ''tftp ip address''" | |
| | ''dhcpleasemax'' | integer | ''150'' | ''-X'' | Maximum number of DHCP leases | | | ''dhcphostsfile'' | file path | //(none)// | ''%%--dhcp-hostsfile%%'' | Specify an external file with per host DHCP options | |
| | ''dnsforwardmax'' | integer | ''150'' | ''-0'' (zero) | Maximum number of concurrent connections | | | ''dhcpleasemax'' | integer | ''150'' | ''-X'' | Maximum number of DHCP leases | |
| | ''domain'' | domain name | //(none)// | ''-s'' | DNS domain handed out to DHCP clients | | | ''dnsforwardmax'' | integer | ''150'' | ''-0'' (zero) | Maximum number of concurrent connections | |
| | ''domainneeded'' | boolean | ''1'' | ''-D'' | Tells //dnsmasq// never to forward queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from /etc/hosts or DHCP then a "not found" answer is returned | | | ''domain'' | domain name | //(none)// | ''-s'' | DNS domain handed out to DHCP clients | |
| | ''dnssec'' | boolean | ''0'' | ''%%--dnssec%%'' | Validate DNS replies and cache DNSSEC data.\\ :!: Requires the [[packages:pkgdata:dnsmasq-full]] package. | | | ''domainneeded'' | boolean | ''1'' | ''-D'' | Tells //dnsmasq// never to forward queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from /etc/hosts or DHCP then a "not found" answer is returned | |
| | ''dnsseccheckunsigned'' | boolean | ''0'' | ''%%--dnssec-check-unsigned%%'' | Check the zones of unsigned replies to ensure that unsigned replies are allowed in those zones. This protects against an attacker forging unsigned replies for signed DNS zones, but is slower and requires that the nameservers upstream of //dnsmasq// are DNSSEC-capable.\\ :!: Requires the [[packages:pkgdata:dnsmasq-full]] package.\\ :!: Caution: If you use this option on a device that doesn't have a hardware clock, dns resolution may break after a reboot of the device due to an incorrect system time. | | | ''dnssec'' | boolean | ''0'' | ''%%--dnssec%%'' | Validate DNS replies and cache DNSSEC data.\\ :!: Requires the [[packages:pkgdata:dnsmasq-full]] package. | |
| | ''ednspacket_max'' | integer | ''1232'' | ''-P'' | Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder | | | ''dnsseccheckunsigned'' | boolean | ''0'' | ''%%--dnssec-check-unsigned%%'' | Check the zones of unsigned replies to ensure that unsigned replies are allowed in those zones. This protects against an attacker forging unsigned replies for signed DNS zones, but is slower and requires that the nameservers upstream of //dnsmasq// are DNSSEC-capable.\\ :!: Requires the [[packages:pkgdata:dnsmasq-full]] package.\\ :!: Caution: If you use this option on a device that doesn't have a hardware clock, dns resolution may break after a reboot of the device due to an incorrect system time. | |
| | ''enable_tftp'' | boolean | ''0'' | ''%%--enable-tftp%%'' | Enable the builtin TFTP server | | | ''ednspacket_max'' | integer | ''1232'' | ''-P'' | Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder | |
| | ''expandhosts'' | boolean | ''1'' | ''-E'' | Add the local domain part to names found in ''/etc/hosts'' | | | ''enable_tftp'' | boolean | ''0'' | ''%%--enable-tftp%%'' | Enable the builtin TFTP server | |
| | ''filterwin2k'' | boolean | ''0'' | ''-f'' | Do not forward requests that cannot be answered by public name servers.\\ Make sure it is disabled if you need to resolve SRV records or use SIP phones. | | | ''expandhosts'' | boolean | ''1'' | ''-E'' | Add the local domain part to names found in ''/etc/hosts'' | |
| | ''fqdn'' | boolean | ''0'' | ''%%--dhcp-fqdn%%'' | Do not resolve unqualifed local hostnames. Needs ''domain'' to be set. | | | ''filterwin2k'' | boolean | ''0'' | ''-f'' | Do not forward requests that cannot be answered by public name servers.\\ Make sure it is disabled if you need to resolve SRV records or use SIP phones. | |
| | ''interface'' | list of interface names | //(all interfaces)// | ''-i'' | List of interfaces to listen on. If unspecified, //dnsmasq// will listen to all interfaces except those listed in ''notinterface''. Note that //dnsmasq// listens on loopback by default. | | | ''fqdn'' | boolean | ''0'' | ''%%--dhcp-fqdn%%'' | Do not resolve unqualifed local hostnames. Needs ''domain'' to be set. | |
| | ''ipset'' | list of strings | //(none)// | ''%%--ipset%%'' | The syntax is: ''%%list ipset '/example.com/example.org/example_ipv4,example_ipv6'%%'' \\ :!: Requires the [[packages:pkgdata:dnsmasq-full]] package. | | | ''listen_address'' | list of IP addresses | //(none)// | ''-a'' | Listen only on the specified IP addresses. If unspecified, listen on IP addresses from each interface | |
| | ''leasefile'' | file path | //(none)// | ''-l'' (lowercase "L") | Store DHCP leases in this file | | | ''interface'' | list of interface names | //(all interfaces)// | ''-i'' | List of interfaces to listen on. If unspecified, //dnsmasq// will listen to all interfaces except those listed in ''notinterface''. Note that //dnsmasq// listens on loopback by default. | |
| | ''local'' | string | //(none)// | ''-S'' | Look up DNS entries for this domain from ''/etc/hosts''. This follows the same syntax as ''server'' entries, see the man page. | | | ''notinterface'' | list of interface names | //(none)// | ''-I'' (uppercase "i") | Interfaces //dnsmasq// should not listen on. | |
| | ''localise_queries'' | boolean | ''1'' | ''-y'' | Choose IP address to match the incoming interface if multiple addresses are assigned to a host name in ''/etc/hosts''. Initially [[https://github.com/openwrt/openwrt/blob/master/package/network/services/dnsmasq/files/dnsmasq.init#L879|disabled]], but still [[https://github.com/openwrt/openwrt/blob/master/package/network/services/dnsmasq/files/dhcp.conf#L5|enabled]] in the config by default. :!: Note well the spelling of this option. | | | ''ipset'' | list of strings | //(none)// | ''%%--ipset%%'' | The syntax is: ''%%list ipset '/example.com/example.org/example_ipv4,example_ipv6'%%'' \\ :!: Requires the [[packages:pkgdata:dnsmasq-full]] package. | |
| | ''localservice'' | boolean | ''1'' | ''%%--local-service%%'' | Accept DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server. | | | ''leasefile'' | file path | //(none)// | ''-l'' (lowercase "L") | Store DHCP leases in this file | |
| | ''local_ttl'' | integer | ''0'' | ''%%--local-ttl%%'' | Default TTL for locally authoritative answers. | | | ''local'' | string | //(none)// | ''-S'' | Look up DNS entries for this domain from ''/etc/hosts''. This follows the same syntax as ''server'' entries, see the man page. | |
| | ''localuse'' | boolean | ''1'' | | Use //dnsmasq// as a local system resolver. Initially [[https://github.com/openwrt/openwrt/blob/master/package/network/services/dnsmasq/files/dnsmasq.init#L771|disabled]], but still [[https://github.com/openwrt/openwrt/blob/master/package/network/services/dnsmasq/files/dnsmasq.init#L924-L931|enabled]] via the default ''noresolv'' and ''resolvfile'' options. | | | ''localise_queries'' | boolean | ''1'' | ''-y'' | Choose IP address to match the incoming interface if multiple addresses are assigned to a host name in ''/etc/hosts''. Initially [[https://github.com/openwrt/openwrt/blob/master/package/network/services/dnsmasq/files/dnsmasq.init#L879|disabled]], but still [[https://github.com/openwrt/openwrt/blob/master/package/network/services/dnsmasq/files/dhcp.conf#L5|enabled]] in the config by default. :!: Note well the spelling of this option. | |
| | ''logfacility'' | string | ''DAEMON'' | ''%%--log-facility=<facility>%%'' | Set the facility to which dnsmasq will send syslog entries. See the [[https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html|dnsmasq man page]] for available facilities. | | | ''localservice'' | boolean | ''1'' | ''%%--local-service%%'' | Accept DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server. | |
| | ''logqueries'' | boolean | ''0'' | ''%%--log-queries=extra%%'' | Log the results of DNS queries, dump cache on SIGUSR1, include requesting IP | | | ''local_ttl'' | integer | ''0'' | ''%%--local-ttl%%'' | Default TTL for locally authoritative answers. | |
| | ''nodaemon'' | boolean | ''0'' | ''-d'' | Don't daemonize the //dnsmasq// process | | | ''localuse'' | boolean | ''1'' | | Use //dnsmasq// as a local system resolver. Initially [[https://github.com/openwrt/openwrt/blob/master/package/network/services/dnsmasq/files/dnsmasq.init#L771|disabled]], but still [[https://github.com/openwrt/openwrt/blob/master/package/network/services/dnsmasq/files/dnsmasq.init#L924-L931|enabled]] via the default ''noresolv'' and ''resolvfile'' options. | |
| | ''nohosts'' | boolean | ''0'' | ''-h'' | Don't read DNS names from ''/etc/hosts'' | | | ''logfacility'' | string | ''DAEMON'' | ''%%--log-facility=<facility>%%'' | Set the facility to which dnsmasq will send syslog entries. See the [[https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html|dnsmasq man page]] for available facilities. | |
| | ''nonegcache'' | boolean | ''0'' | ''-N'' | Disable caching of negative "no such domain" responses | | | ''logqueries'' | boolean | ''0'' | ''%%--log-queries=extra%%'' | Log the results of DNS queries, dump cache on SIGUSR1, include requesting IP | |
| | ''noresolv'' | boolean | ''0'' | ''-R'' | Don't read upstream servers from ''/etc/resolv.conf'' which is linked to ''resolvfile'' by default | | | ''nodaemon'' | boolean | ''0'' | ''-d'' | Don't daemonize the //dnsmasq// process | |
| | ''notinterface'' | list of interface names | //(none)// | ''-I'' (uppercase "i") | Interfaces //dnsmasq// should not listen on. | | | ''nohosts'' | boolean | ''0'' | ''-h'' | Don't read DNS names from ''/etc/hosts'' | |
| | ''nonwildcard'' | boolean | ''1'' | ''%%--bind-dynamic%%'' | Bind only configured interface addresses, instead of the wildcard address. | | | ''nonegcache'' | boolean | ''0'' | ''-N'' | Disable caching of negative "no such domain" responses | |
| | ''port'' | port number | ''53'' | ''-p'' | Listening port for DNS queries, disables DNS server functionality if set to ''0'' | | | ''noresolv'' | boolean | ''0'' | ''-R'' | Don't read upstream servers from ''/etc/resolv.conf'' which is linked to ''resolvfile'' by default | |
| | ''queryport'' | integer | //(none)// | ''-Q'' | Use a fixed port for outbound DNS queries | | | ''nonwildcard'' | boolean | ''1'' | ''%%--bind-dynamic%%'' | Bind only configured interface addresses, instead of the wildcard address. | |
| | ''readethers'' | boolean | ''0'' | ''-Z'' | Read static lease entries from ''/etc/ethers'', re-read on SIGHUP | | | ''port'' | port number | ''53'' | ''-p'' | Listening port for DNS queries, disables DNS server functionality if set to ''0'' | |
| | ''rebind_protection'' | boolean | ''1'' | ''%%--stop-dns-rebind%%'' | Enables DNS rebind attack protection by discarding upstream RFC1918 responses | | | ''queryport'' | integer | //(none)// | ''-Q'' | Use a fixed port for outbound DNS queries | |
| | ''rebind_localhost'' | boolean | ''1'' | ''%%--rebind-localhost-ok%%'' | Allows upstream 127.0.0.0/8 responses, required for DNS based blacklist services, only takes effect if rebind protection is enabled | | | ''readethers'' | boolean | ''0'' | ''-Z'' | Read static lease entries from ''/etc/ethers'', re-read on SIGHUP | |
| | ''rebind_domain'' | list of domain names | //(none)// | ''%%--rebind-domain-ok%%'' | List of domains to allow RFC1918 responses for, only takes effect if rebind protection is enabled. The correct syntax is: ''%%list rebind_domain '/example.com/'%%'' | | | ''rebind_protection'' | boolean | ''1'' | ''%%--stop-dns-rebind%%'' | Enables DNS rebind attack protection by discarding upstream RFC1918 responses | |
| | ''resolvfile'' | file path | ''/tmp/resolv.conf.d/resolv.conf.auto'' | ''-r'' | Specifies an alternative resolv file | | | ''rebind_localhost'' | boolean | ''1'' | ''%%--rebind-localhost-ok%%'' | Allows upstream 127.0.0.0/8 responses, required for DNS based blacklist services, only takes effect if rebind protection is enabled | |
| | ''server'' | list of strings | //(none)// | ''-S'' | List of DNS servers to forward requests to. See the //dnsmasq// man page for syntax details. | | | ''rebind_domain'' | list of domain names | //(none)// | ''%%--rebind-domain-ok%%'' | List of domains to allow RFC1918 responses for, only takes effect if rebind protection is enabled. The correct syntax is: ''%%list rebind_domain '/example.com/'%%'' | |
| | ''serverlist'' | file path | ''/etc/dnsmasq.servers'' | ''-S'' | Specify upstream servers directly. If one or more optional domains are given, that server is used only for those domains and they are queried only using the specified server. Syntax is ''server=/*.mydomain.tld/192.168.100.1'' or see the //dnsmasq// man page for details. | | | ''resolvfile'' | file path | ''/tmp/resolv.conf.d/resolv.conf.auto'' | ''-r'' | Specifies an alternative resolv file | |
| | ''rev_server'' | list of strings | //(none)// | ''%%--rev-server%%'' | List of network range with a DNS server to forward reverse DNS requests to. See the //dnsmasq// man page for syntax details. | | | ''server'' | list of strings | //(none)// | ''-S'' | List of DNS servers to forward requests to. See the //dnsmasq// man page for syntax details. | |
| | ''address'' | list of strings | //(none)// | ''%%--address%%'' | List of IP addresses for queried domains. See the //dnsmasq// man page for syntax details. | | | ''serverlist'' | file path | ''/etc/dnsmasq.servers'' | ''-S'' | Specify upstream servers directly. If one or more optional domains are given, that server is used only for those domains and they are queried only using the specified server. Syntax is ''server=/*.mydomain.tld/192.168.100.1'' or see the //dnsmasq// man page for details. | |
| | ''strictorder'' | boolean | ''0'' | ''-o'' | Obey order of DNS servers in ''/etc/resolv.conf'' | | | ''rev_server'' | list of strings | //(none)// | ''%%--rev-server%%'' | List of network range with a DNS server to forward reverse DNS requests to. See the //dnsmasq// man page for syntax details. | |
| | ''tftp_root'' | directory path | //(none)// | ''%%--tftp-root%%'' | Specifies the TFTP root directory | | | ''address'' | list of strings | //(none)// | ''-A'' | List of IP addresses for queried domains. See the //dnsmasq// man page for syntax details. | |
| | ''minport'' | integer | ''0'' | ''%%--min-port%%'' | Dnsmasq picks random ports as source for outbound queries. When this option is given, the ports used will always be larger than or equal to the specified minport value (min valid value 1024). Useful for systems behind firewalls. | | | ''strictorder'' | boolean | ''0'' | ''-o'' | Obey order of DNS servers in ''/etc/resolv.conf'' | |
| | ''maxport'' | integer | ''0'' | ''%%--max-port%%'' | Dnsmasq picks random ports as source for outbound queries. When this option is given, the ports used will always be smaller than or equal to the specified maxport value (max valid value 65535). Useful for systems behind firewalls. | | | ''tftp_root'' | directory path | //(none)// | ''%%--tftp-root%%'' | Specifies the TFTP root directory | |
| | ''noping'' | boolean | ''0'' | ''%%--no-ping%%'' | By default dnsmasq checks if an IPv4 address is in use before allocating it to a host by sending ICMP echo request (aka ping) to the address in question. This parameter allows to disable this check. | | | ''minport'' | integer | ''0'' | ''%%--min-port%%'' | Dnsmasq picks random ports as source for outbound queries. When this option is given, the ports used will always be larger than or equal to the specified minport value (min valid value 1024). Useful for systems behind firewalls. | |
| | ''allservers'' | boolean | ''0'' | ''%%--all-servers%%'' | By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this parameter forces dnsmasq to send all queries to all available servers. The reply from the server which answers first will be returned to the original requeser. | | | ''maxport'' | integer | ''0'' | ''%%--max-port%%'' | Dnsmasq picks random ports as source for outbound queries. When this option is given, the ports used will always be smaller than or equal to the specified maxport value (max valid value 65535). Useful for systems behind firewalls. | |
| | ''quietdhcp'' | boolean | ''0'' | ''%%--quiet-dhcp%%'' | Suppress logging of the routine operation of DHCP. Errors and problems will still be logged | | | ''noping'' | boolean | ''0'' | ''%%--no-ping%%'' | By default dnsmasq checks if an IPv4 address is in use before allocating it to a host by sending ICMP echo request (aka ping) to the address in question. This parameter allows to disable this check. | |
| | ''sequential_ip'' | boolean | ''0'' | ''%%--dhcp-sequential-ip%%'' | Dnsmasq is designed to choose IP addresses for DHCP clients using a hash of the client's MAC address. This normally allows a client's address to remain stable long-term, even if the client sometimes allows its DHCP lease to expire. In this default mode IP addresses are distributed pseudo-randomly over the entire available address range. There are sometimes circumstances (typically server deployment) where it is more convenient to have IP addresses allocated sequentially, starting from the lowest available address, and setting this parameter enables this mode. Note that in the sequential mode, clients which allow a lease to expire are much more likely to move IP address; for this reason it should not be generally used. | | | ''allservers'' | boolean | ''0'' | ''%%--all-servers%%'' | By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this parameter forces dnsmasq to send all queries to all available servers. The reply from the server which answers first will be returned to the original requeser. | |
| | ''addmac'' | [0,1,base64,text] | ''0'' | ''%%--add-mac%%'' | Add the MAC address of the requester to DNS queries which are forwarded upstream; this may be used to do DNS filtering by the upstream server.\\ The MAC address can only be added if the requester is on the same subnet as the dnsmasq server. Note that the mechanism used to achieve this (an EDNS0 option) is not yet standardised, so this should be considered experimental. Also note that exposing MAC addresses in this way may have security and privacy implications. | | | ''quietdhcp'' | boolean | ''0'' | ''%%--quiet-dhcp%%'' | Suppress logging of the routine operation of DHCP. Errors and problems will still be logged | |
| | ''logdhcp'' | boolean | ''0'' | ''%%--log-dhcp%%'' | Enables extra DHCP logging; logs all the options sent to the DHCP clients and the tags used to determine them | | | ''sequential_ip'' | boolean | ''0'' | ''%%--dhcp-sequential-ip%%'' | Dnsmasq is designed to choose IP addresses for DHCP clients using a hash of the client's MAC address. This normally allows a client's address to remain stable long-term, even if the client sometimes allows its DHCP lease to expire. In this default mode IP addresses are distributed pseudo-randomly over the entire available address range. There are sometimes circumstances (typically server deployment) where it is more convenient to have IP addresses allocated sequentially, starting from the lowest available address, and setting this parameter enables this mode. Note that in the sequential mode, clients which allow a lease to expire are much more likely to move IP address; for this reason it should not be generally used. | |
| | ''dhcpscript'' | string | //(none)// | ''%%--dhcp-script%%'' | Run a custom script upon DHCP lease add / renew / remove actions | | | ''addmac'' | [0,1,base64,text] | ''0'' | ''%%--add-mac%%'' | Add the MAC address of the requester to DNS queries which are forwarded upstream; this may be used to do DNS filtering by the upstream server.\\ The MAC address can only be added if the requester is on the same subnet as the dnsmasq server. Note that the mechanism used to achieve this (an EDNS0 option) is not yet standardised, so this should be considered experimental. Also note that exposing MAC addresses in this way may have security and privacy implications. | |
| | ''confdir'' | directory path | ''/tmp/dnsmasq.d'' | ''%%--conf-dir%%'' | Directory with additional configuration files | | | ''logdhcp'' | boolean | ''0'' | ''%%--log-dhcp%%'' | Enables extra DHCP logging; logs all the options sent to the DHCP clients and the tags used to determine them | |
| | ''max_ttl'' | integer | //(none)// | ''%%--max-ttl%%'' | limit the ttl in the DNS answer to this value | | | ''dhcpscript'' | string | //(none)// | ''%%--dhcp-script%%'' | Run a custom script upon DHCP lease add / renew / remove actions | |
| | ''min_cache_ttl'' | integer | //(none)// | ''%%--min-cache-ttl%%'' | set the minimum time-to-live of DNS answers, even when the ttl in the answer is lower | | | ''confdir'' | directory path | ''/tmp/dnsmasq.d'' | ''%%--conf-dir%%'' | Directory with additional configuration files | |
| | ''max_cache_ttl'' | integer | //(none)// | ''%%--max-cache-ttl%%'' | the maximum time-to-live for any DNS answer, even if higher | | | ''max_ttl'' | integer | //(none)// | ''%%--max-ttl%%'' | limit the ttl in the DNS answer to this value | |
| | ''rapidcommit'' | boolean | ''0'' | ''--dhcp-rapid-commit'' | Enable DHCPv4 Rapid Commit (fast address assignment) See [[https://www.rfc-editor.org/rfc/rfc4039|RFC 4039]]. | | | ''min_cache_ttl'' | integer | //(none)// | ''%%--min-cache-ttl%%'' | set the minimum time-to-live of DNS answers, even when the ttl in the answer is lower | |
| | | ''max_cache_ttl'' | integer | //(none)// | ''%%--max-cache-ttl%%'' | the maximum time-to-live for any DNS answer, even if higher | |
| | | ''rapidcommit'' | boolean | ''0'' | ''%%--dhcp-rapid-commit%%'' | Enable DHCPv4 Rapid Commit (fast address assignment). See [[https://www.rfc-editor.org/rfc/rfc4039|RFC 4039]]. | |
| </sortable> | </sortable> |
| |
| |
| <code bash> | <code bash> |
| # uci -N show dhcp.@dhcp[0] | config dhcp 'lan' |
| dhcp.@dhcp[0]=dhcp | option interface 'lan' |
| dhcp.@dhcp[0].interface='lan' | option start '100' |
| dhcp.@dhcp[0].start='100' | option limit '150' |
| dhcp.@dhcp[0].limit='150' | option leasetime '12h' |
| dhcp.@dhcp[0].leasetime='12h' | |
| </code> | </code> |
| | |
| * ''lan'' specifies the OpenWrt interface that is served by this DHCP pool | * ''lan'' specifies the OpenWrt interface that is served by this DHCP pool |
| * ''100'' is the offset from the network address; in the default configuration this means leasing starts at ''192.168.1.100'' | * ''100'' is the offset from the network address; in the default configuration this means leasing starts at ''192.168.1.100'' |
| * ''150'' is the maximum number of addresses that may be leased; in the default configuration this means addresses are leased up to ''192.168.1.249'' | * ''150'' is the maximum number of addresses that may be leased; in the default configuration this means addresses are leased up to ''192.168.1.249'' |
| * ''12h'' specifies the time to live for handed-out leases, twelve hours in this example | * ''12h'' specifies the time to live for handed-out leases, twelve hours in this example |
| * ''server'' defines the mode for IPv6 configuration (RA & DHCPv6) | * ''server'' defines the mode for IPv6 configuration (RA & DHCPv6) |
| |
| </sortable> | </sortable> |
| |
| Notes: | Notes: |
| * ''interface'' is a logical interface / network name, i.e. ''lan'', ''wan'', ''wifi'' etc. (section names in ''/etc/config/network''), NOT a layer 3 device name like ''eth0'', ''eth1'', ''wlan0'' etc. (the ''ifname'' IDs in ''/etc/config/network''). | * ''interface'' is a logical interface / network name, i.e. ''lan'', ''wan'', ''wifi'' etc. (section names in ''/etc/config/network''), NOT a layer 3 device name like ''eth0'', ''eth1'', ''wlan0'' etc. (the ''ifname'' IDs in ''/etc/config/network''). |
| * ''networkid'' is a layer 3 device name, i.e. ''eth0'', ''eth1'', ''wlan0'' etc., not a network name (''lan'', ''wan'', ''wifi'' etc.). | * ''networkid'' is a layer 3 device name, i.e. ''eth0'', ''eth1'', ''wlan0'' etc., not a network name (''lan'', ''wan'', ''wifi'' etc.). |
| This departs from ''ifname'' and ''network'' as used in ''/etc/config/network'' and in ''/etc/config/wireless'', so double check! | This departs from ''ifname'' and ''network'' as used in ''/etc/config/network'' and in ''/etc/config/wireless'', so double check! |
| <sortable> | <sortable> |
| ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ^ Name ^ Type ^ Required ^ Default ^ Description ^ |
| | ''ip'' | string | no | //(none)// | the IP address to be used for this host, or ''ignore'' to ignore any DHCP request from this host | | | ''ip'' | string | no | //(none)// | the IP address to be used for this host, or ''ignore'' to ignore any DHCP request from this host | |
| | ''mac'' | string | no | //(none)// | The hardware address(es) of this host, separated by spaces. | | | ''mac'' | string | no | //(none)// | The hardware address(es) of this host, separated by spaces. | |
| | ''hostid'' | string | no | //(none)// | The IPv6 interface identifier (address suffix) as hexadecimal number (max. 8 chars) | | | ''hostid'' | string | no | //(none)// | The IPv6 interface identifier (address suffix) as hexadecimal number (max. 16 chars, 64 bits, 8 bytes) | |
| | ''duid'' | string | no | //(none)// | The DHCPv6-DUID of this host. | | | ''duid'' | string | no | //(none)// | The DHCPv6-DUID of this host. | |
| | ''name'' | string | no | //(none)// | Optional hostname to assign. | | | ''name'' | string | no | //(none)// | Optional hostname to assign. | |
| |
| ==== Booting options ==== | ==== Booting options ==== |
| Some hosts support booting over the network (PXE booting). Sections of the type ''boot'' specify how DHCP/BOOTP is used to tell the host which file to boot and the server to load it from. | Some hosts support booting over the network (PXE booting). |
| | Sections of the type ''boot'' specify how DHCP/BOOTP is used to tell the host which file to boot and the server to load it from. |
| Each client can only receive one set of filename and server address options. | Each client can only receive one set of filename and server address options. |
| If different hosts should boot different files, or boot from different servers, you can use //network-ids// to map options to each client. | If different hosts should boot different files, or boot from different servers, you can use //tags// aka //network-ids// to map options to each client. |
| |
| Usually, you need to set additional DHCP options (through ''dhcp_option'') for further stages of the boot process. | Usually, you need to set additional DHCP options (through ''dhcp_option'') for further stages of the boot process. |
| See the //dnsmasq// man page for details on the syntax of the ''O'' option. | See the //dnsmasq// man page for details on the syntax of the ''O'' option. |
| |
| The configuration options in this section are used to construct a ''-M'' option for //dnsmasq//. | The configuration options in this section are used to construct an ''-M'' option for //dnsmasq//. |
| |
| *Note*: odhcpd currently lacks support for root-path specification. | *Note*: odhcpd currently lacks support for root-path specification. |
| | ''dhcp_option'' | list of strings | no | //(none)// | Additional options to be added for this network-id. :!: If you specify this, you also need to specify the network-id. | | | ''dhcp_option'' | list of strings | no | //(none)// | Additional options to be added for this network-id. :!: If you specify this, you also need to specify the network-id. | |
| | ''filename'' | string | yes | //(none)// | The filename the host should request from the boot server. | | | ''filename'' | string | yes | //(none)// | The filename the host should request from the boot server. | |
| | ''networkid'' | string | no | //(none)// | The network-id these boot options should apply to. Applies to all clients if left unspecified. | | | ''networkid'' | string | no | //(none)// | The tag (aka network-id) these boot options should apply to. Applies to all clients if left unspecified. | |
| | ''serveraddress'' | string | yes | //(none)// | The IP address of the boot server. | | | ''serveraddress'' | string | yes | //(none)// | The IP address of the boot server. | |
| | ''servername'' | string | yes | //(none)// | The hostname of the boot server. | | | ''servername'' | string | yes | //(none)// | The hostname of the boot server. | |
| | ''force'' | bool | no | //(none)// | ''dhcp_option'' will always be sent, even if the client does not ask for it in the parameter request list. This is sometimes needed, for example when sending options to PXELinux. | | | ''force'' | bool | no | //(none)// | ''dhcp_option'' will always be sent even if the client does not ask for it in the parameter request list. This is sometimes needed, for example when sending options to PXELinux. | |
| | ''instance'' | dnsmasq instance | no | //(none)// | Dnsmasq instance to which the boot section is bound. If not specified the section is valid for all dnsmasq instances. | | | ''instance'' | dnsmasq instance | no | //(none)// | Dnsmasq instance to which the boot section is bound. If not specified the section is valid for all dnsmasq instances. | |
| </sortable> | </sortable> |
| DHCP can provide the client with numerous options, such as the domain name, NTP servers, network booting options, etc. | DHCP can provide the client with numerous options, such as the domain name, NTP servers, network booting options, etc. |
| While some settings are applicable to all hosts in a network segment, others are more specific and are relevant only to a group of hosts, or even only a single one. | While some settings are applicable to all hosts in a network segment, others are more specific and are relevant only to a group of hosts, or even only a single one. |
| //dnsmasq// can group DHCP options and their values by a tag, internally named ''networkid'' (an alphanumeric identifier), and send those options only to hosts that have been tagged with that networkid. | //dnsmasq// can group DHCP options and their values by a ''tag'', internally named ''networkid'' (an alphanumeric identifier), and send those options only to hosts that have been tagged with that ''networkid''. |
| |
| In OpenWrt, you can tag hosts by the DHCP range they're in (section ''dhcp''), or a number of options the client might send with their DHCP request. | In OpenWrt, you can tag hosts by the DHCP range they're in (section ''dhcp''), or a number of options the client might send with their DHCP request. |
| |
| Each classifying section (except ''tag'') has one configuration option: which tag it will be assigned. | Each classifying section (except ''tag'') has one configuration option: which tag it will be assigned. |
| | |
| | E.g. a ''mac'' section with a ''mac'' entry that exactly matches your Ethernet MAC address and a tag (aka ''networkid'') of ''green'' tags that client ''green''. |
| |
| <sortable> | <sortable> |
| </sortable> | </sortable> |
| |
| ''tag'' classifying sections have one configuration option: values of DHCP options to assign to this tag. | ''tag'' classifying sections have one configuration option: values of DHCP options to assign to this tag. |
| | |
| | E.g. continuing the previous example, ''green''-tagged DHCP clients can be selectively forced to receive a ''dhcp_option'' if there is a ''tag'' entry with a ''tag'' value of ''green'', where a list of ''dhcp_option'' is also supplied and ''force'' is set. |
| |
| <sortable> | <sortable> |
| ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ^ Name ^ Type ^ Required ^ Default ^ Description ^ |
| | //''<classifier>''// | string | yes | //(none)// | Use section type as option name and classifying filter as option value. | | | //''<classifier>''// | string | yes | //(none)// | Use section type as option name and classifying filter as option value. | |
| | ''dhcp_option'' | list of strings | no | //(none)// | Additional options to be added for this network-id. | | | ''dhcp_option'' | list of strings | no | //(none)// | Additional options to be added for this tag aka networkid. | |
| | ''force'' | bool | no | //false// | Whether to send the additional options from ''dhcp_option'' list to the clients that didn't request them. | | | ''force'' | bool | no | //false// | Whether to send the additional options from ''dhcp_option'' list to the clients that didn't request them. | |
| </sortable> | </sortable> |
| | |
| ==== IP sets ==== | ==== IP sets ==== |
| :!: Requires the [[packages:pkgdata:dnsmasq-full]] package. | :!: Requires the [[packages:pkgdata:dnsmasq-full]] package. |
| |
| dnsmasq can automatically populate Netfilter IP sets with the resolved addresses of the specified domains. This feature can be enabled using the ''ipset'' option in the ''dnsmasq'' section, or, with a more convenient syntax, using a dedicated ''ipset'' section. Every ''ipset'' section contains names of the IP sets to populate (''name'', multiple IP set names can be specified in one section), and domains whose resolved addresses should be added to the specified IP sets (''domain''). Example: | dnsmasq can automatically populate Netfilter IP sets with the resolved addresses of the specified domains. This feature can be enabled using the ''ipset'' option in the ''dnsmasq'' section, or, with a more convenient syntax, using a dedicated ''ipset'' section. |
| | Every ''ipset'' section contains names of the IP sets to populate (''name'', multiple IP set names can be specified in one section), and domains whose resolved addresses should be added to the specified IP sets (''domain''). |
| | Example: |
| |
| <code bash> | <code bash> |
| # uci -N show dhcp.@ipset[0] | config ipset |
| dhcp.@ipset[0]=ipset | list name 'ss_rules_dst_forward' |
| dhcp.@ipset[0].name='ss_rules_dst_forward' 'ss_rules6_dst_forward' | list name 'ss_rules6_dst_forward' |
| dhcp.@ipset[0].domain='telegram.org' 'linkedin.com' | list domain 'linkedin.com' |
| | list domain 'telegram.org' |
| </code> | </code> |
| |
| ==== DHCP relay ==== | ==== DHCP relay ==== |
| |
| If you are routing between two interfaces (i.e. they are not bridged) then you will find that clients on the far end of the network sending DHCP requests get no response, as the DHCP broadcast cannot be routed between interfaces. | If you are routing between two interfaces (i.e. they are not bridged) then you will find that clients on the far end of the network sending DHCP requests get no response, as the DHCP broadcast cannot be routed between interfaces. |
| |
| This can be solved without setting up an independent DHCP server for the far subnet by configuring dnsmasq to act as a DHCP relay. In this configuration it listens for DHCP requests as normal, forwards them to a remote DHCP server, and broadcasts any response it receives back into the original subnet. | This can be solved without setting up an independent DHCP server for the far subnet by configuring dnsmasq to act as a DHCP relay. |
| | In this configuration it listens for DHCP requests as normal, forwards them to a remote DHCP server, and broadcasts any response it receives back into the original subnet. |
| |
| This configuration allows a single DHCP server to handle address assignments across a large network broken up into multiple subnets. | This configuration allows a single DHCP server to handle address assignments across a large network broken up into multiple subnets. |
| As of October 2021 LuCI does not have an interface for this, so the configuration file must be edited manually. | As of October 2021 LuCI does not have an interface for this, so the configuration file must be edited manually. |
| |
| Add the following section to ''/etc/config/dhcp'': | Example DHCP relay configuration: |
| |
| <code> | <code bash> |
| config relay 'id' | config relay 'id' |
| option interface 'lan' | option interface 'lan' |
| option local_addr '1.1.1.1' | option local_addr '1.1.1.1' |
| option server_addr '2.2.2.2' | option server_addr '2.2.2.2' |
| </code> | </code> |
| |
| ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ^ Name ^ Type ^ Required ^ Default ^ Description ^ |
| | ''id'' | string | yes | //(none)// | A unique name for the section, which must be different to every other section's name. | | | ''id'' | string | yes | //(none)// | A unique name for the section, which must be different to every other section's name. | |
| | ''interface'' | string | yes | //(none)// | OpenWRT interface name (NOT network device name) where the destination DHCP server is located. | | | ''interface'' | string | yes | //(none)// | Logical network interface where the destination DHCP server is located. | |
| | ''local_addr'' | string | yes | //(none)// | This OpenWRT device's own IP address on the far subnet, where it will listen for DHCP requests. | | | ''local_addr'' | string | yes | //(none)// | IP address to listen for DHCP requests. | |
| | ''server_addr'' | string | yes | //(none)// | IP address of the upstream DHCP server accessible through the network given by the //interface// option. DHCP responses picked up on the far subnet will be relayed to this server. This address must be routed correctly (i.e. you can ping it successfully from the OpenWRT command line). | | | ''server_addr'' | string | yes | //(none)// | IP address of the upstream DHCP server accessible through the network given by the //interface// option. DHCP responses picked up on the far subnet will be relayed to this server. This address must be routed correctly (i.e. you can ping it successfully from the OpenWrt command line). | |
| </sortable> | </sortable> |
| |
| Restart dnsmasq after making the change with ''/etc/init.d/dnsmasq restart''. | |
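As an added example (not OpenWrt or dnsmasq code), the following Python script parses UCI-style ''dhcp'' and ''host'' sections like the ones shown above, computes the dynamic pool from ''start'' and ''limit'' exactly as the pool bullets describe, and reports any static ''host'' address that falls inside that pool, a common cause of duplicate-address conflicts. The 192.168.1.0/24 LAN, the sample config text and the host names are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample (not from a real router): the default pool from this
# page plus two static hosts, one deliberately placed inside the pool.
SAMPLE_CONFIG = """
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'

config host
	option name 'printer'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.50'

config host
	option name 'nas'
	option mac '66:77:88:99:aa:bb'
	option ip '192.168.1.120'
"""

# Assumption: the LAN is 192.168.1.0/24, the page's "default configuration".
LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI text."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"\s*(?:option|list)\s+(\S+)\s+'([^']*)'", line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections


def pool_range(dhcp_opts, network=LAN):
    """First/last pool address: 'start' is an offset from the network
    address and 'limit' a count, as the page's bullets describe."""
    start, limit = int(dhcp_opts["start"]), int(dhcp_opts["limit"])
    first = network.network_address + start
    last = first + limit - 1
    if first <= network.network_address or last >= network.broadcast_address:
        raise ValueError("pool does not fit inside the subnet")
    return first, last


def static_conflicts(text, network=LAN):
    """Names of 'host' sections whose fixed ip lies inside a dynamic pool."""
    sections = parse_uci(text)
    pools = [pool_range(o, network) for t, o in sections if t == "dhcp"]
    hosts = [o for t, o in sections if t == "host" and "ip" in o]
    return [h.get("name", h["ip"]) for h in hosts
            if any(lo <= ipaddress.ip_address(h["ip"]) <= hi for lo, hi in pools)]
```

Run it against a copy of your own ''/etc/config/dhcp'' by replacing ''SAMPLE_CONFIG'' with the file contents; an empty list from ''static_conflicts'' means no static lease overlaps the dynamic pool.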