The DNS configuration is located in /etc/config/dhcp and controls both DNS and DHCP server options on the device (both the DHCP and DNS services are implemented using dnsmasq).
In the default configuration this file contains one common section to specify DNS and daemon related options and one or more DHCP pools to define DHCP serving on network interfaces.
The possible section types of the dhcp configuration file are defined below. Not all types may appear in the file, and most of them are only needed for special configurations. The common ones are the Common Options, the DHCP Pools and the Static Leases.
The config section type dnsmasq determines values and options relevant to the overall operation of dnsmasq and the DHCP options on all interfaces served. The following table lists all available options and their default value, as well as the corresponding dnsmasq command line option. See the dnsmasq man page for further details.
These are the default settings for the common options:

config 'dnsmasq'
    option local '/lan/'
    option domain 'lan'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option domainneeded 1
    option boguspriv 1
    option filterwin2k 0
    option localise_queries 1
    option rebind_protection 1
    option rebind_localhost 0
    option expandhosts 1
    option nonegcache 0
    option authoritative 1
    option readethers 1
domain: enable dnsmasq to serve entries in /etc/hosts, as well as DHCP clients' names if configured under the lan domain.
expandhosts: ensure requests for local host names are not forwarded to upstream DNS servers.
authoritative: makes the router the only DHCP server on this network; clients get their IP lease a lot faster this way.
leasefile: stores leases in a file so they can be picked up again if dnsmasq is restarted.
resolvfile: tells dnsmasq to use this file to find upstream name servers; it gets created by the WAN DHCP or PPP client.
tftp_root: turn on the TFTP server and serve files from tftp_root.
setenv serverip 192.168.1.10).
| Name | Type | Default | Description |
|------|------|---------|-------------|
| add_local_domain | boolean | | Add the local domain as search directive in resolv.conf. |
| add_local_hostname | boolean | | Add A, AAAA, & PTR records only on DHCP served LAN. Enhanced function available on Trunk with option |
| add_local_fqdn | integer | | Add A, AAAA, & PTR records only on DHCP served LAN. |
| add_wan_fqdn | integer | | Labels WAN interfaces like |
| addnhosts | list of file paths | (none) | Additional host files to read for serving DNS responses. |
| authoritative | boolean | | Force dnsmasq into authoritative mode. This speeds up DHCP leasing. Used if this is the only server on the network. |
| bogusnxdomain | list of IP addresses | (none) | IP addresses to convert into NXDOMAIN responses (to counteract "helpful" upstream DNS servers that never return NXDOMAIN). |
| boguspriv | boolean | | Reject reverse lookups to private IP ranges where no corresponding entry exists in |
| cachelocal | boolean | | When set to |
| cachesize | integer | | Size of the dnsmasq query cache. |
| dbus | boolean | | Enable DBus messaging for dnsmasq. Standard builds of dnsmasq on OpenWrt do not include DBus support. |
| dhcp_boot | string | (none) | Specifies BOOTP options, in most cases just the file name. You can also use: |
| dhcphostsfile | file path | (none) | Specify an external file with per-host DHCP options. |
| dhcpleasemax | integer | | Maximum number of DHCP leases. |
| dnsforwardmax | integer | | Maximum number of concurrent connections. |
| domain | domain name | (none) | DNS domain handed out to DHCP clients. |
| domainneeded | boolean | | Tells dnsmasq never to forward queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from /etc/hosts or DHCP then a "not found" answer is returned. |
| dnssec | boolean | | Validate DNS replies and cache DNSSEC data. Requires the dnsmasq-full package. |
| dnsseccheckunsigned | boolean | | Check the zones of unsigned replies to ensure that unsigned replies are allowed in those zones. This protects against an attacker forging unsigned replies for signed DNS zones, but is slower and requires that the nameservers upstream of dnsmasq are DNSSEC-capable. Requires the dnsmasq-full package. Caution: if you use this option on a device that doesn't have a hardware clock, DNS resolution may break after a reboot of the device due to an incorrect system time. |
| ednspacket_max | integer | | Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder. |
| enable_tftp | boolean | | Enable the built-in TFTP server. |
| expandhosts | boolean | | Add the local domain part to names found in |
| filterwin2k | boolean | | Do not forward requests that cannot be answered by public name servers. |
| fqdn | boolean | | Do not resolve unqualified local hostnames. Needs |
| interface | list of interface names | (all interfaces) | List of interfaces to listen on. If unspecified, dnsmasq will listen to all interfaces except those listed in |
| leasefile | file path | (none) | Store DHCP leases in this file. |
| local | string | (none) | Look up DNS entries for this domain from |
| localise_queries | boolean | | Choose the IP address to match the incoming interface if multiple addresses are assigned to a host name in |
| localservice | boolean | | Accept DNS queries only from hosts whose address is on a local subnet, i.e. a subnet for which an interface exists on the server. |
| logqueries | boolean | | Log the results of DNS queries, dump cache on SIGUSR1. |
| nodaemon | boolean | | Don't daemonize the dnsmasq process. |
| nohosts | boolean | | Don't read DNS names from |
| nonegcache | boolean | | Disable caching of negative "no such domain" responses. |
| noresolv | boolean | | Don't read upstream servers from |
| notinterface | list of interface names | (none) | Interfaces dnsmasq should not listen on. |
| nonwildcard | boolean | | Bind only configured interface addresses, instead of the wildcard address. |
| port | port number | | Listening port for DNS queries; disables DNS server functionality if set to |
| queryport | integer | (none) | Use a fixed port for outbound DNS queries. |
| readethers | boolean | | Read static lease entries from |
| rebind_protection | boolean | | Enables DNS rebind attack protection by discarding upstream RFC1918 responses. |
| rebind_localhost | boolean | | Allows upstream 127.0.0.0/8 responses, required for DNS-based blacklist services; only takes effect if rebind protection is enabled. |
| rebind_domain | list of domain names | (none) | List of domains to allow RFC1918 responses for; only takes effect if rebind protection is enabled. |
| resolvfile | file path | | Specifies an alternative resolv file. |
| server | list of strings | (none) | List of DNS servers to forward requests to. See the dnsmasq man page for syntax details. |
| strictorder | boolean | | Obey the order of DNS servers in |
| tftp_root | directory path | (none) | Specifies the TFTP root directory. |
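The rebind_protection, rebind_localhost and rebind_domain rows above interact with conditional forwarders (list server '/domain/ip') in a way that is easy to get wrong: with protection on, any upstream answer inside a private range is dropped unless the queried name is under a rebind_domain entry. The following is an added example (not OpenWrt's own code) that reads a constructed /etc/config/dhcp fragment, derives the resulting rebind policy, replays how sample upstream answers would be treated, and flags the settings an auditor would question. Ranges checked are IPv4 only; the UCI parser assumes the unquoted-spaces syntax used throughout this page.

```python
import ipaddress

# Constructed sample in /etc/config/dhcp syntax (not from the page's device).
SAMPLE = """config dnsmasq
    option domain 'lan'
    option rebind_protection 1
    option rebind_localhost 0
    list rebind_domain 'intranet.example.com'
    list server '/corp.example.com/10.0.0.53'
"""

# IPv4 ranges rejected from upstream while rebind protection is on
# (RFC1918 plus link-local); 127.0.0.0/8 is governed by rebind_localhost.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_uci(text):
    """Minimal UCI reader: list of (section_type, {key: [values]})."""
    sections = []
    for line in text.splitlines():
        parts = line.replace("'", "").split()
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts and parts[0] in ("option", "list"):
            sections[-1][1].setdefault(parts[1], []).append(" ".join(parts[2:]))
    return sections

def rebind_policy(sections):
    """Defaults mirror the page's default common options (protection on)."""
    opts = next(o for t, o in sections if t == "dnsmasq")
    return {"protect": opts.get("rebind_protection", ["1"])[0] == "1",
            "localhost_ok": opts.get("rebind_localhost", ["0"])[0] == "1",
            "exempt": opts.get("rebind_domain", []),
            "servers": opts.get("server", [])}

def in_exempt_domain(policy, qname):
    return any(qname == d or qname.endswith("." + d) for d in policy["exempt"])

def answer_accepted(policy, qname, answer_ip):
    """Would dnsmasq pass this upstream A record on to the client?"""
    ip = ipaddress.ip_address(answer_ip)
    if not policy["protect"] or in_exempt_domain(policy, qname):
        return True
    if ip.is_loopback:
        return policy["localhost_ok"]
    return not any(ip in net for net in PRIVATE)

def audit(policy):
    """Findings a reviewer of the dnsmasq section would raise."""
    findings = []
    if not policy["protect"]:
        findings.append("rebind_protection is off: private answers from upstream are accepted")
    for entry in policy["servers"]:  # '/domain/ip' conditional forwarders
        if entry.startswith("/") and entry.count("/") == 2:
            domain = entry[1:].split("/")[0]
            if policy["protect"] and not in_exempt_domain(policy, domain):
                findings.append(f"server for {domain}: private answers will be dropped "
                                f"unless {domain} is listed in rebind_domain")
    return findings
```

Running audit() over the sample reports the corp.example.com forwarder, which is exactly the situation that leads people to set rebind_protection 0 in the DNS-only example further down; listing the internal domain in rebind_domain keeps the protection for everything else.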
It is possible to mix the traditional /etc/dnsmasq.conf configuration file with the options found in /etc/config/dhcp. The dnsmasq.conf file does not exist by default but will be processed by dnsmasq on startup if it is present. Options in /etc/config/dhcp take precedence over dnsmasq.conf since they are translated to command line arguments.
You can have dnsmasq execute a script on every action (dnsmasq.conf syntax):

    dhcp-script = /sbin/action.sh
Define a custom domain name and the corresponding PTR record. The following assigns the IP address 192.168.1.140 to the domain name typhoon and constructs the appropriate reverse record 140.1.168.192.in-addr.arpa. It works like an entry in /etc/hosts but is more flexible.
Note that this currently only works for IPv4 addresses and that this functionality is not present in releases prior to 8.09.2.
Note that reverse records are not properly generated at present. (Barrier Breaker 14.07-RC2)

config 'domain'
    option name 'typhoon'
    option ip 192.168.1.140
Another example: redirect www.facebook.com

# www.facebook.com resolves to 18.104.22.168
config 'domain'
    option name 'www.facebook.com'
    option ip 22.214.171.124
To define an SRV record for SIP over UDP, with the default port of 5060 on the host pbx.mydomain.com, with a class of 0 and a weight of 10, one would use:

config 'srvhost'
    option srv '_sip._udp.mydomain.com'
    option target 'pbx.mydomain.com'
    option port 5060
    option class 0
    option weight 10
A Canonical Name record specifies that a domain name is an alias for another domain, the "canonical" domain. To specify that the web server also doubles as the FTP server, one might use:

config 'cname'
    option cname 'ftp.example.com'
    option target 'www.example.com'

Note that it is necessary to use fully qualified domain names.
If you're running the mail server for your domain behind a firewall (and therefore with split-horizon DNS for your own domain), you might need to convince that mailer that it is actually authoritative for your domain.
If sendmail tells you "Domain of sender address email@example.com does not exist", this is because it isn't finding an MX record confirming that it is an MX relay for that domain.

config 'mxhost'
    option domain 'yyy.zzz'
    option relay 'my.host.com'
    option pref 10

This will mitigate the issues caused by split-horizon DNS.
Direct BOOTP requests to the TFTP server at the IP address 192.168.1.2 and use /tftpboot/pxelinux.0 as the boot file name.

config 'boot'
    option filename 'pxelinux.0'
    option servername 'data'
    option serveraddress 192.168.1.2
If you need multiple DNS forwarders with different configurations, or DHCP servers with different sets of lease files, have a look at this: multiple_dhcpdns_serverforwarder_instances
The web interface (luci) has not been updated for this PR yet.
dnsmasq can be used to provide clients with a DNS server but not with DHCP (for example, if DHCP is already supplied by a separate server).
This change will turn off just DHCP but leave DNS services available on the specified interface.

# NOTE:
# Some options should be absent, or set to 0, to allow
# forwarding towards private networks ('boguspriv')
# See: http://en.wikipedia.org/wiki/Private_network
config dnsmasq
    option local '/lan/'
    option domain 'lan'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    list server '/subdomain.example.com/192.0.2.1'
    list server '/example.com/126.96.36.199'
    option domainneeded 1
    option localise_queries 1
    option expandhosts 1
    option authoritative 1
    option readethers 1
    option rebind_protection 0
The equivalent in dnsmasq.conf syntax:

    server = /remote.local/10.25.11.2
    listen-address = 127.0.0.1
    cache-size = 0
# Define Domain and Domain Controller IPs via 'list server'
config dnsmasq
    option domain 'example.local'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/etc/resolv.conf'
    option local '/example.local/192.168.1.X'
    list server '/0.openwrt.pool.ntp.org/188.8.131.52'
    list server '/1.openwrt.pool.ntp.org/184.108.40.206'
    list server '/2.openwrt.pool.ntp.org/220.127.116.11'
    list server '/3.openwrt.pool.ntp.org/18.104.22.168'
    option localise_queries 1
    option rebind_protection 0
    option authoritative 1
    option localservice 1
    option dnssec 0
    option cachesize 0
    option readethers 1
    option logqueries 1
    option filterwin2k 1
    option boguspriv 1

config dhcp 'lan'
    option interface 'lan'
    option start 100
    option limit 150
    option leasetime '12h'
Now on to the finalization of /etc/resolv.conf. Traditionally /etc/resolv.conf is a symlink populated from the interface settings, which a script writes into /tmp/resolv.conf. We are going to remove this symlink, because otherwise it would override our static settings.
Remove /etc/resolv.conf, which deletes the resolv.conf symlink. Then add the IP address of the secondary DNS server and the external resolving address to a new /etc/resolv.conf file, finally establishing conditional forwarding, something that should be specifiable for easy configuration via the GUI.

    rm /etc/resolv.conf
    echo "domain example.local" >> /etc/resolv.conf
    echo "nameserver 127.0.0.1" >> /etc/resolv.conf
    echo "nameserver 22.214.171.124" >> /etc/resolv.conf

The resulting /etc/resolv.conf:

    # Define Domain & Public DNS below.
    domain example.local
    nameserver 127.0.0.1
    nameserver 126.96.36.199