DNS and DHCP configuration examples

See also: DNS and DHCP configuration /etc/config/dhcp, DNS encryption, DNS hijacking

Introduction

This guide provides the most common dnsmasq and odhcpd tuning scenarios adapted for OpenWrt.

Instructions

Static leases

Add a fixed IPv4 address 192.168.1.22 and the name mydesktop for a machine with the MAC address 00:11:22:33:44:55.

```sh
uci add dhcp host
uci set dhcp.@host[-1].ip="192.168.1.22"
uci set dhcp.@host[-1].mac="00:11:22:33:44:55"
uci set dhcp.@host[-1].name="mydesktop"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

This is equivalent to (in /etc/config/dhcp):

```
config host
	option ip 192.168.1.22
	option mac 00:11:22:33:44:55
	option name mydesktop
```

Add a fixed IPv4 address 192.168.1.23, the IPv6 interface identifier (address suffix) 23 and the name mylaptop for a machine with the MAC address 11:22:33:44:55:66 or aa:bb:cc:dd:ee:ff and the DUID 000100004fd454041c6f65d26f43.

```sh
uci add dhcp host
uci set dhcp.@host[-1].name="mylaptop"
uci add_list dhcp.@host[-1].mac="11:22:33:44:55:66"
uci add_list dhcp.@host[-1].mac="aa:bb:cc:dd:ee:ff"
uci set dhcp.@host[-1].ip="192.168.1.23"
uci set dhcp.@host[-1].duid="000100004fd454041c6f65d26f43"
uci set dhcp.@host[-1].hostid="23"
uci commit dhcp
/etc/init.d/dnsmasq restart
/etc/init.d/odhcpd restart
```

Reconnect your clients to apply the changes.
If you plan to connect more than one interface simultaneously, add a separate host entry for each interface; otherwise lease assignment is unreliable.

See also: odhcpd leases

Race conditions with netifd

Resolve the race condition with the netifd service.

```sh
uci set dhcp.lan.force="1"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

MAC filtering

If you want to distribute IPv4 addresses to known clients only (static leases), use:

```sh
uci set dhcp.lan.dynamicdhcp="0"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

With this, dnsmasq will only consider the static leases defined in “config host” blocks and in /etc/ethers, and refuse to hand out any IPv4 address to unknown clients. Note that you shouldn't rely on this as a security feature to keep unwanted clients off the network: a client can simply configure a static IP in the right range to get access.

DHCP options

DHCP options are configured per dhcp section (that is, per interface) via the dhcp_option list. Use an alternative default gateway (option 3), DNS server (option 6) and NTP server (option 42):

```sh
uci add_list dhcp.lan.dhcp_option="3,192.168.1.2"
uci add_list dhcp.lan.dhcp_option="6,172.16.60.64"
uci add_list dhcp.lan.dhcp_option="42,172.16.60.64"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

A list of options can be found here.

Client classifying and individual options

An example using the mac classifier to create a tagged network for VPN clients and assign them different DHCP options: a custom default gateway and DNS server, with WINS disabled.

```sh
uci set dhcp.mac_vpn="mac"
uci set dhcp.mac_vpn.mac="00:FF:*:*:*:*"
uci set dhcp.mac_vpn.networkid="vpn"
uci add_list dhcp.mac_vpn.dhcp_option="3,192.168.1.2"
uci add_list dhcp.mac_vpn.dhcp_option="6,192.168.1.3"
uci add_list dhcp.mac_vpn.dhcp_option="44"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

Assign different DHCP options to multiple hosts by tagging them:
```sh
uci set dhcp.j400="host"
uci set dhcp.j400.name="j400"
uci set dhcp.j400.mac="00:21:63:75:aa:17"
uci set dhcp.j400.ip="10.11.12.14"
uci set dhcp.j400.tag="vpn"
uci set dhcp.j500="host"
uci set dhcp.j500.name="j500"
uci set dhcp.j500.mac="01:22:64:76:bb:18"
uci set dhcp.j500.ip="10.11.12.15"
uci set dhcp.j500.tag="vpn"
uci set dhcp.vpn="tag"
uci set dhcp.vpn.dhcp_option="6,8.8.8.8,8.8.4.4"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

DHCP pool for a large network

The start option is an offset from the network address, not an address itself, and limit is the size of the pool:

  10.0.0.0 - network address
  255.0.0.0 - network mask
  10.22.0.1 - pool start
  10.22.0.254 - pool end
  $((22*2**16+1)) - start offset
  253 - limit offset

Check the resulting range with ipcalc.sh before applying it:

```sh
# ipcalc.sh 10.0.0.0 255.0.0.0 $((22*2**16+1)) 253
IP=10.0.0.0
NETMASK=255.0.0.0
BROADCAST=10.255.255.255
NETWORK=10.0.0.0
PREFIX=8
START=10.22.0.1
END=10.22.0.254
```

```sh
uci set dhcp.lan.start="$((22*2**16+1))"
uci set dhcp.lan.limit="253"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

Domains

This is an implementation of the --host-record option. Define a custom domain name and the corresponding PTR record: the example assigns the IPv4 address 192.168.1.23 and the IPv6 address fdce::23 to the name mylaptop and constructs the corresponding reverse records. You can also use this to rebind domain names. It works like an entry in /etc/hosts, but is more flexible and better integrated.

```sh
uci add dhcp domain
uci set dhcp.@domain[-1].name="mylaptop"
uci set dhcp.@domain[-1].ip="192.168.1.23"
uci add dhcp domain
uci set dhcp.@domain[-1].name="mylaptop"
uci set dhcp.@domain[-1].ip="fdce::23"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

A and AAAA RR

This is an implementation of the --address option. Return 10.10.10.1 for queries for the domain home and any subdomain *.home.

```sh
uci add_list dhcp.@dnsmasq[0].address="/home/10.10.10.1"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

SRV RR

This is an implementation of the --srv-host option. Define an SRV record for SIP over UDP, with the default port of 5060 on the host pbx.mydomain.com, with a class of 0 and a weight of 10.
```sh
uci add dhcp srvhost
uci set dhcp.@srvhost[-1].srv="_sip._udp.mydomain.com"
uci set dhcp.@srvhost[-1].target="pbx.mydomain.com"
uci set dhcp.@srvhost[-1].port="5060"
uci set dhcp.@srvhost[-1].class="0"
uci set dhcp.@srvhost[-1].weight="10"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

CNAME RR

This is an implementation of the --cname option. A Canonical Name record specifies that a domain name is an alias for another domain, the “canonical” domain. Specify that the FTP server is on the same host as the web server:

```sh
uci add dhcp cname
uci set dhcp.@cname[-1].cname="ftp.example.com"
uci set dhcp.@cname[-1].target="www.example.com"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

Note that it is necessary to use fully qualified domain names.

MX RR

This is an implementation of the --mx-host option. If you're running the mail server for your domain behind a firewall (and therefore with split-horizon DNS for your own domain), you might need to convince that mailer that it is actually authoritative for your domain. If sendmail tells you “Domain of sender address xxx@yyy.zzz does not exist”, this is because it isn't finding an MX record confirming that it is an MX relay for that domain. Mitigate the issues caused by split-horizon:

```sh
uci add dhcp mxhost
uci set dhcp.@mxhost[-1].domain="yyy.zzz"
uci set dhcp.@mxhost[-1].relay="my.host.com"
uci set dhcp.@mxhost[-1].pref="10"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

TFTP boot

Direct BOOTP requests to the TFTP server. Tell the client to load pxelinux.0 from the server at 192.168.1.2, and to mount its root from /data/netboot/root on the same server.
```sh
uci set dhcp.linux="boot"
uci set dhcp.linux.filename="/tftpboot/pxelinux.0"
uci set dhcp.linux.serveraddress="192.168.1.2"
uci set dhcp.linux.servername="fileserver"
uci add_list dhcp.linux.dhcp_option="option:root-path,192.168.1.2:/data/netboot/root"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

Multiple DHCP/DNS server/forwarder instances

Use this if you need multiple DNS forwarders with different configurations, or DHCP servers with different sets of lease files. Running multiple dnsmasq instances as DNS forwarders and/or DHCPv4 servers, each with its own configuration and lease list, is configured by creating multiple dnsmasq sections. Typically each dnsmasq section is bound to a specific interface using the interface list; sections such as dhcp, host, etc. are assigned to a specific dnsmasq instance with the instance option. By default dnsmasq adds the loopback interface to the list of interfaces it listens on whenever the --interface option is used, so the loopback interface has to be excluded in all but one of the dnsmasq instances using the notinterface list.

The following example configures multiple dnsmasq instances, each with its own dhcp section: the dnsmasq instance lan_dns is bound to the lan interface, while the dnsmasq instance guest_dns is bound to the guest interface.
```sh
# Remove default instances
while uci -q delete dhcp.@dnsmasq[0]; do :; done
while uci -q delete dhcp.@dhcp[0]; do :; done

# Use network interface names for DHCP/DNS instance names
for INST in lan guest
do
uci set dhcp.${INST}_dns="dnsmasq"
uci set dhcp.${INST}_dns.domainneeded="1"
uci set dhcp.${INST}_dns.boguspriv="1"
uci set dhcp.${INST}_dns.filterwin2k="0"
uci set dhcp.${INST}_dns.localise_queries="1"
uci set dhcp.${INST}_dns.rebind_protection="1"
uci set dhcp.${INST}_dns.rebind_localhost="1"
uci set dhcp.${INST}_dns.local="/${INST}/"
uci set dhcp.${INST}_dns.domain="${INST}"
uci set dhcp.${INST}_dns.expandhosts="1"
uci set dhcp.${INST}_dns.nonegcache="0"
uci set dhcp.${INST}_dns.authoritative="1"
uci set dhcp.${INST}_dns.readethers="1"
uci set dhcp.${INST}_dns.leasefile="/tmp/dhcp.leases.${INST}"
uci set dhcp.${INST}_dns.resolvfile="/etc/resolv.conf.${INST}"
uci set dhcp.${INST}_dns.nonwildcard="1"
uci add_list dhcp.${INST}_dns.interface="${INST}"
uci add_list dhcp.${INST}_dns.notinterface="loopback"
uci set dhcp.${INST}="dhcp"
uci set dhcp.${INST}.instance="${INST}_dns"
uci set dhcp.${INST}.interface="${INST}"
uci set dhcp.${INST}.start="100"
uci set dhcp.${INST}.limit="150"
uci set dhcp.${INST}.leasetime="12h"
ln -f -s /tmp/resolv.conf.auto /etc/resolv.conf.${INST}
done

# Let the first instance keep listening on loopback
uci -q delete dhcp.@dnsmasq[0].notinterface
uci commit dhcp
/etc/init.d/dnsmasq restart
```

The LuCI web interface has not been updated to support multiple dnsmasq instances.

Disabling DHCP role

This change turns off DHCP on the specified interface but leaves DNS services available.

```sh
uci set dhcp.lan.ignore="1"
uci commit dhcp
/etc/init.d/dnsmasq restart
/etc/init.d/odhcpd restart
```

Disabling DNS role

This is useful when you just want to hand out addresses to clients, without dnsmasq doing any DNS.
```sh
uci set dhcp.@dnsmasq[0].port="0"
uci commit dhcp
/etc/init.d/dnsmasq restart
ln -f -s /tmp/resolv.conf.auto /tmp/resolv.conf
```

Replacing dnsmasq with odhcpd and Unbound

Remove dnsmasq and use odhcpd for both DHCP and DHCPv6.

```sh
opkg update
opkg remove dnsmasq odhcpd-ipv6only
opkg install odhcpd
uci -q delete dhcp.@dnsmasq[0]
uci set dhcp.lan.dhcpv4="server"
uci set dhcp.odhcpd.maindhcp="1"
uci commit dhcp
/etc/init.d/odhcpd restart
```

Use Unbound for DNS.

```sh
opkg update
opkg install unbound-control unbound-daemon
uci set unbound.@unbound[0].dhcp_link="odhcpd"
uci set unbound.@unbound[0].unbound_control="1"
uci commit unbound
/etc/init.d/unbound restart
uci set dhcp.odhcpd.leasetrigger="/usr/lib/unbound/odhcpd.sh"
uci commit dhcp
/etc/init.d/odhcpd restart
```

Providing custom DNS with DHCP

Send custom DNS servers with DHCP.

```sh
# Configure dnsmasq
uci -q delete dhcp.lan.dhcp_option
uci add_list dhcp.lan.dhcp_option="6,8.8.8.8,8.8.4.4"

# Configure odhcpd
uci -q delete dhcp.lan.dns
uci add_list dhcp.lan.dns="2001:4860:4860::8888"
uci add_list dhcp.lan.dns="2001:4860:4860::8844"

# Save and apply
uci commit dhcp
/etc/init.d/dnsmasq restart
/etc/init.d/odhcpd restart
```

Reconnect your clients to apply the changes.

DNS forwarding

Forward DNS queries to specific servers.

```sh
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="8.8.8.8"
uci add_list dhcp.@dnsmasq[0].server="8.8.4.4"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

Setting noresolv disables the resolvfile option, so dnsmasq uses only the upstream resolvers listed in the server option. It also stops the local system from using dnsmasq (see the next section).

```sh
uci set dhcp.@dnsmasq[0].noresolv="1"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

Enforcing dnsmasq for local system

Force the local system to use dnsmasq when it is running with the noresolv option. Beware of a race condition with the Adblock service when using DNS encryption.
```sh
uci set dhcp.@dnsmasq[0].localuse="1"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

Selective DNS forwarding

Forward DNS queries for a specific domain and all its subdomains to a different server. More specific domains take precedence over less specific ones, so this can be combined with the unconditional DNS forwarding above.

```sh
uci add_list dhcp.@dnsmasq[0].server="/example.com/192.168.2.1"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

DNS filtering

Simple DNS-based content filtering. A server entry with an empty target means the domain is never forwarded upstream; a target of # means the default upstream servers, and the domain # matches every name.

```sh
# Blacklist: the listed domains are not forwarded
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="/example.com/"
uci add_list dhcp.@dnsmasq[0].server="/example.net/"
uci commit dhcp
/etc/init.d/dnsmasq restart

# Whitelist: only the listed domains are forwarded, everything else is not
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="/example.com/#"
uci add_list dhcp.@dnsmasq[0].server="/example.net/#"
uci add_list dhcp.@dnsmasq[0].server="/#/"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

See also: Ad blocking, DNS-based firewall with IP sets

Race conditions with sysntpd

Resolve the race condition with the sysntpd service that occurs when running dnsmasq with the noresolv and localuse options and using DNS encryption for the local system.

```sh
# Fetch peer DNS provider
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_find_wan6 NET_IF6
network_get_dnsserver NET_DNS "${NET_IF}"
network_get_dnsserver NET_DNS6 "${NET_IF6}"

# Configure fallback DNS provider
if [ -z "${NET_DNS}" ]
then NET_DNS="8.8.8.8 8.8.4.4"
fi
if [ -z "${NET_DNS6}" ]
then NET_DNS6="2001:4860:4860::8888 2001:4860:4860::8844"
fi

# Bypass DNS forwarding for NTP provider
uci get system.ntp.server \
| sed -e "s/\s/\n/g" \
| sed -e "s/^[0-9]*\.//" \
| sort -u \
| while read -r NTP_DOMAIN
do for DNS_SERV in ${NET_DNS} ${NET_DNS6}
do uci add_list dhcp.@dnsmasq[0].server="/${NTP_DOMAIN}/${DNS_SERV}"
done
done
uci commit dhcp
/etc/init.d/dnsmasq restart
```

Upstream DNS provider

OpenWrt uses peer DNS servers as the upstream DNS provider for dnsmasq by default.
These are typically provided by the upstream DHCP server. You can change them to any other DNS provider, or even to a different local DNS server already running in your network. Make sure the selected provider supports DNSSEC validation if you require it. Specify several servers to improve fault tolerance.

```sh
# Configure DNS provider
uci -q delete network.wan.dns
uci add_list network.wan.dns="8.8.8.8"
uci add_list network.wan.dns="8.8.4.4"

# Configure DNS6 provider
uci -q delete network.wan6.dns
uci add_list network.wan6.dns="2001:4860:4860::8888"
uci add_list network.wan6.dns="2001:4860:4860::8844"

# Disable peer DNS
uci set network.wan.peerdns="0"
uci set network.wan6.peerdns="0"

# Save and apply
uci commit network
/etc/init.d/network restart
```

Multiple DNS providers

The more DNS providers you configure, the higher the fault tolerance of your DNS against DoS. Different DNS providers may return different answers to the same query due to differences in caching, synchronization, load balancing, content filtering, etc. To distinguish correct from incorrect answers, such as false negatives, you need DNSSEC, which may affect performance.

Peer DNS options

- Keep peer DNS enabled to improve your DNS fault tolerance.
- Disable peer DNS to prevent a DNS leak if you have configured a VPN connection on OpenWrt.
- Disable peer DNS to actually change your DNS provider and receive more predictable DNS replies.

Last modified: 2021/01/04 13:23 by vgaetera
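As an added example for the DHCP pool for a large network section (this script is not part of the wiki page), the following POSIX shell code derives the uci start offset and limit from a network address, netmask and the desired first and last pool address, checking that the pool lies inside the network before printing the uci commands; the function names ip2int, pool_offsets and pool_uci are this example's own.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki): compute the dnsmasq "start"
# offset and "limit" the way the page's $((22*2**16+1)) / 253 example does,
# with a sanity check that both pool ends belong to the network.

# ip2int: dotted-quad IPv4 address -> unsigned 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pool_offsets NETWORK NETMASK POOL_START POOL_END
# Prints "<start offset> <limit>" or fails if the pool is not inside NETWORK.
# Mirrors the page's arithmetic: start = offset from the network address,
# limit = END - START (ipcalc.sh reports END = START + limit).
pool_offsets() {
    net=$(ip2int "$1"); mask=$(ip2int "$2")
    first=$(ip2int "$3"); last=$(ip2int "$4")
    [ $(( first & mask )) -eq $(( net & mask )) ] || { echo "pool start $3 outside $1/$2" >&2; return 1; }
    [ $(( last & mask )) -eq $(( net & mask )) ] || { echo "pool end $4 outside $1/$2" >&2; return 1; }
    [ "$last" -gt "$first" ] || { echo "pool end must be above pool start" >&2; return 1; }
    echo "$(( first - net )) $(( last - first ))"
}

# pool_uci IFACE NETWORK NETMASK POOL_START POOL_END
# Prints the uci commands for the dhcp section IFACE (nothing is applied).
pool_uci() {
    offsets=$(pool_offsets "$2" "$3" "$4" "$5") || return 1
    set -- "$1" $offsets
    printf 'uci set dhcp.%s.start="%s"\n' "$1" "$2"
    printf 'uci set dhcp.%s.limit="%s"\n' "$1" "$3"
}

# Values from the page's example: 10.0.0.0/8 with a pool of 10.22.0.1-10.22.0.254
pool_uci lan 10.0.0.0 255.0.0.0 10.22.0.1 10.22.0.254
```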
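As an added example for the Selective DNS forwarding and DNS filtering sections (not code from the wiki page), the following POSIX shell script simulates how dnsmasq picks the upstream for a query name from a list of server entries, so a forwarding or filtering list can be sanity-checked before it is committed; the server list is constructed for the example and the function resolve_upstream is this example's own name.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki): reproduce the dnsmasq --server
# matching rules used in the selective forwarding and filtering sections:
#   longest matching domain wins; a domain matches the name and any subdomain
#   target "#"   -> forward to the default upstream servers
#   empty target -> answered locally only, never forwarded (blocks the domain)
#   domain "#"   -> matches every name (catch-all entry)

# Constructed server list: internal resolver for corp.example.com, example.com
# allowed, its ads subdomain blocked, everything else blocked (whitelist mode).
SERVER_LIST='/corp.example.com/192.168.2.1
/example.com/#
/ads.example.com/
/#/'

# resolve_upstream NAME: print the target of the best matching entry
# ("#", an address, or nothing for local-only). No match at all also means
# the default upstream, so "#" is the starting value.
resolve_upstream() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    best_len=-1
    best_target='#'
    for entry in $SERVER_LIST; do
        dom=${entry#/}; dom=${dom%%/*}   # text between the first two slashes
        target=${entry#/*/}              # everything after the second slash
        if [ "$dom" = '#' ]; then
            len=0                        # catch-all has the lowest precedence
        else
            case "$name" in
                "$dom"|*."$dom") len=${#dom} ;;
                *) continue ;;
            esac
        fi
        if [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_target=$target
        fi
    done
    printf '%s\n' "$best_target"
}

for n in host.corp.example.com www.example.com tracker.ads.example.com notexample.com; do
    t=$(resolve_upstream "$n")
    printf '%-26s -> %s\n' "$n" "${t:-(local only, not forwarded)}"
done
```

Note that notexample.com is not a subdomain of example.com: matching is per DNS label, not a plain string suffix, so it falls through to the catch-all entry.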