Filewatcher File Search File Search
Content Search
» » » » » dnsmasq-base_2.45-1~bpo40+1_i386.deb » Content »
pkg://dnsmasq-base_2.45-1~bpo40+1_i386.deb:249688/usr/share/man/man8/  info  control  downloads

dnsmasq-base - A small caching DNS proxy and DHCP/TFTP server…  more info»


DNSMASQ(8)                                                DNSMASQ(8)

       dnsmasq - A lightweight DHCP and caching DNS server.

       dnsmasq [OPTION]...

       dnsmasq  is  a  lightweight  DNS, TFTP and DHCP server. It is
       intended to provide coupled DNS and DHCP service to a LAN.

       Dnsmasq accepts DNS queries and either answers  them  from  a
       small,  local,  cache  or forwards them to a real, recursive,
       DNS server. It loads the contents of /etc/hosts so that local
       hostnames  which  do  not  appear  in  the  global DNS can be
       resolved and also answers DNS  queries  for  DHCP  configured

       The  dnsmasq DHCP server supports static address assignments,
       multiple networks, DHCP-relay and RFC3011 subnet  specifiers.
       It  automatically  sends  a  sensible  default  set  of  DHCP
       options, and can be configured to send  any  desired  set  of
       DHCP   options,  including  vendor-encapsulated  options.  It
       includes a secure, read-only, TFTP server  to  allow  net/PXE
       boot of DHCP hosts and also supports BOOTP.

       Dnsmasq supports IPv6 for DNS, but not DHCP.

       Note  that  in  general  missing  parameters  are allowed and
       switch off  functions,  for  instance  "--pid-file"  disables
       writing  a PID file. On BSD, unless the GNU getopt library is
       linked, the long form of the options does  not  work  on  the
       command  line;  it  is  still recognised in the configuration

       -h, --no-hosts
              Don't read the hostnames in /etc/hosts.

       -H, --addn-hosts=<file>
              Additional hosts file. Read the specified file as well
              as /etc/hosts. If -h is given, read only the specified
              file. This option may be repeated for  more  than  one
              additional hosts file.

       -E, --expand-hosts
              Add  the  domain to simple names (without a period) in
              /etc/hosts in the same way as for DHCP-derived names.

       -T, --local-ttl=<time>
              When replying with information from /etc/hosts or  the
              DHCP  leases file dnsmasq by default sets the time-to-
              live field to zero, meaning that the requestor  should
              not  itself cache the information. This is the correct
              thing to do in  almost  all  situations.  This  option
              allows  a  time-to-live  (in  seconds) to be given for
              these replies. This will reduce the load on the server
              at  the expense of clients using stale data under some

              Negative replies from upstream servers  normally  con‐
              tain  time-to-live  information  in  SOA records which
              dnsmasq uses for caching. If the replies from upstream
              servers  omit this information, dnsmasq does not cache
              the reply. This option gives a default value for time-
              to-live (in seconds) which dnsmasq uses to cache nega‐
              tive replies even in the absence of an SOA record.

       -k, --keep-in-foreground
              Do not go into the background at startup but otherwise
              run  as  normal. This is intended for use when dnsmasq
              is run under daemontools or launchd.

       -d, --no-daemon
              Debug mode: don't fork to the background, don't  write
              a  pid file, don't change user id, generate a complete
              cache dump on receipt on SIGUSR1,  log  to  stderr  as
              well as syslog, don't fork new processes to handle TCP

       -q, --log-queries
              Log the results of DNS  queries  handled  by  dnsmasq.
              Enable a full cache dump on receipt of SIGUSR1.

       -8, --log-facility=<facility>
              Set  the  facility  to  which dnsmasq will send syslog
              entries, this defaults to DAEMON, and to  LOCAL0  when
              debug mode is in operation. If the facility given con‐
              tains at least one '/' character, it is taken to be  a
              filename,  and dnsmasq logs to the given file, instead
              of syslog. (Errors whilst reading  configuration  will
              still  go  to syslog, but all output from a successful
              startup, and all output whilst running, will go exclu‐
              sively  to  the file.) When logging to a file, dnsmasq
              will close  and  reopen  the  file  when  it  receives
              SIGUSR2.  This allows the log file to be rotated with‐
              out stopping dnsmasq.

              Enable asynchronous logging  and  optionally  set  the
              limit  on  the number of lines which will be queued by
              dnsmasq when writing to the syslog is  slow.   Dnsmasq
              can  log  asynchronously:  this  allows it to continue
              functioning  without  being  blocked  by  syslog,  and
              allows  syslog  to use dnsmasq for DNS queries without
              risking deadlock.  If the queue of  log-lines  becomes
              full, dnsmasq will log the overflow, and the number of
              messages  lost. The default queue length is 5, a  sane
              value  would  be  5-25,  and a maximum limit of 100 is

       -x, --pid-file=<path>
              Specify an alternate path for dnsmasq  to  record  its
              process-id in. Normally /var/run/

       -u, --user=<username>
              Specify  the userid to which dnsmasq will change after
              startup. Dnsmasq must normally be started as root, but
              it will drop root privileges after startup by changing
              id to another user. Normally this user is "nobody" but
              that can be over-ridden with this switch.

       -g, --group=<groupname>
              Specify  the  group  which  dnsmasq  will  run as. The
              defaults to "dip", if available, to facilitate  access
              to  /etc/ppp/resolv.conf  which  is not normally world

       -v, --version
              Print the version number.

       -p, --port=<port>
              Listen on <port> instead  of  the  standard  DNS  port
              (53).  Setting  this  to  zero completely disables DNS
              function, leaving only DHCP and/or TFTP.

       -P, --edns-packet-max=<size>
              Specify the largest EDNS.0 UDP packet  which  is  sup‐
              ported  by  the DNS forwarder. Defaults to 1280, which
              is the RFC2671-recommended maximum for ethernet.

       -Q, --query-port=<query_port>
              Send outbound DNS queries from, and listen  for  their
              replies on, the specific UDP port <query_port> instead
              of using random ports. NOTE  that  using  this  option
              will  make  dnsmasq  less  secure against DNS spoofing
              attacks but it may be faster and use  less  resources.
              Setting this option to zero makes dnsmasq use a single
              port allocated to it by the OS: this was  the  default
              behaviour in versions prior to 2.43.

              Do  not  use  ports less than that given as source for
              outbound DNS queries. Dnsmasq picks  random  ports  as
              source  for  outbound  queries:  when  this  option is
              given, the ports used will always to larger than  that
              specified. Useful for systems behind firewalls.

       -i, --interface=<interface name>
              Listen  only  on  the  specified interface(s). Dnsmasq
              automatically adds the loopback (local)  interface  to
              the  list  of  interfaces  to use when the --interface
              option  is used. If no --interface or --listen-address
              options  are  given  dnsmasq  listens on all available
              interfaces  except  any  given  in  --except-interface
              options.  IP  alias interfaces (eg "eth1:0") cannot be
              used with --interface or  --except-interface  options,
              use --listen-address instead.

       -I, --except-interface=<interface name>
              Do  not  listen  on the specified interface. Note that
              the  order   of   --listen-address   --interface   and
              --except-interface  options  does  not matter and that
              --except-interface options always override the others.

       -2, --no-dhcp-interface=<interface name>
              Do not provide DHCP or TFTP on  the  specified  inter‐
              face, but do provide DNS service.

       -a, --listen-address=<ipaddr>
              Listen  on  the given IP address(es). Both --interface
              and --listen-address options may be  given,  in  which
              case the set of both interfaces and addresses is used.
              Note that if  no  --interface  option  is  given,  but
              --listen-address  is,  dnsmasq  will not automatically
              listen on the loopback interface. To achieve this, its
              IP  address,, must be explicitly given as a
              --listen-address option.

       -z, --bind-interfaces
              On systems which support it, dnsmasq binds  the  wild‐
              card  address,  even when it is listening on only some
              interfaces.  It  then  discards   requests   that   it
              shouldn't  reply to. This has the advantage of working
              even when interfaces come and go and  change  address.
              This  option  forces  dnsmasq  to really bind only the
              interfaces it is listening on.  About  the  only  time
              when this is useful is when running another nameserver
              (or another instance of dnsmasq) on the same  machine.
              Setting this option also enables multiple instances of
              dnsmasq which provide DHCP service to run in the  same

       -y, --localise-queries
              Return  answers  to  DNS queries from /etc/hosts which
              depend on the  interface  over  which  the  query  was
              received.  If  a  name in /etc/hosts has more than one
              address associated with it, and at least one of  those
              addresses  is  on  the same subnet as the interface to
              which  the  query  was  sent,  then  return  only  the
              address(es)  on  that subnet. This allows for a server
              to have multiple addresses in /etc/hosts corresponding
              to each of its interfaces, and hosts will get the cor‐
              rect address based on which network they are  attached
              to. Currently this facility is limited to IPv4.

       -b, --bogus-priv
              Bogus private reverse lookups. All reverse lookups for
              private IP ranges (ie 192.168.x.x, etc) which are  not
              found  in  /etc/hosts  or  the  DHCP  leases  file are
              answered with "no such domain" rather than being  for‐
              warded upstream.

       -V, --alias=<old-ip>,<new-ip>[,<mask>]
              Modify  IPv4  addresses  returned  from upstream name‐
              servers; old-ip is replaced by new-ip. If the optional
              mask  is  given  then  any  address  which matches the
              masked old-ip will be  re-written.  So,  for  instance
              --alias=,,     will     map
     to and to This is
              what Cisco PIX routers call "DNS doctoring".

       -B, --bogus-nxdomain=<ipaddr>
              Transform  replies  which contain the IP address given
              into "No such domain" replies.  This  is  intended  to
              counteract  a devious move made by Verisign in Septem‐
              ber 2003 when they started returning the address of an
              advertising web page in response to queries for unreg‐
              istered  names,  instead  of  the   correct   NXDOMAIN
              response.  This  option tells dnsmasq to fake the cor‐
              rect response when it sees this behaviour. As at  Sept
              2003  the  IP  address  being  returned by Verisign is

       -f, --filterwin2k
              Later versions of windows make periodic  DNS  requests
              which  don't  get sensible answers from the public DNS
              and can cause problems  by  triggering  dial-on-demand
              links.  This  flag  turns  on an option to filter such
              requests. The requests  blocked  are  for  records  of
              types  SOA  and  SRV, and type ANY where the requested
              name has underscores, to catch LDAP requests.

       -r, --resolv-file=<file>
              Read the IP addresses of the upstream nameservers from
              <file>, instead of /etc/resolv.conf. For the format of
              this file see resolv.conf(5) the only  lines  relevant
              to dnsmasq are nameserver ones. Dnsmasq can be told to
              poll more than one resolv.conf file,  the  first  file
              name  specified overrides the default, subsequent ones
              add to the list. This is only  allowed  when  polling;
              the  file  with the currently latest modification time
              is the one used.

       -R, --no-resolv
              Don't read /etc/resolv.conf. Get upstream servers only
              from  the  command  line  or the dnsmasq configuration

       -1, --enable-dbus
              Allow dnsmasq configuration to  be  updated  via  DBus
              method  calls.  The configuration which can be changed
              is upstream DNS servers  (and  corresponding  domains)
              and  cache clear. Requires that dnsmasq has been built
              with DBus support.

       -o, --strict-order
              By default, dnsmasq will send queries to  any  of  the
              upstream  servers  it  knows about and tries to favour
              servers that are known to be  up.  Setting  this  flag
              forces  dnsmasq  to  try  each  query with each server
              strictly in the order they appear in /etc/resolv.conf

              By default, when dnsmasq has more  than  one  upstream
              server  available,  it  will  send queries to just one
              server. Setting this flag forces dnsmasq to  send  all
              queries  to  all available servers. The reply from the
              server which answers first will  be  returned  to  the
              original requestor.

              Reject  (and  log) addresses from upstream nameservers
              which are in the private IP  ranges.  This  blocks  an
              attack  where  a  browser behind a firewall is used to
              probe machines on the local network.

       -n, --no-poll
              Don't poll /etc/resolv.conf for changes.

              Whenever /etc/resolv.conf is re-read,  clear  the  DNS
              cache.   This  is useful when new nameservers may have
              different data than that held in cache.

       -D, --domain-needed
              Tells dnsmasq  to  never  forward  queries  for  plain
              names, without dots or domain parts, to upstream name‐
              servers. If the name is not known from  /etc/hosts  or
              DHCP then a "not found" answer is returned.

       -S,                                                  --local,
              Specify  IP address of upstream servers directly. Set‐
              ting  this  flag  does   not   suppress   reading   of
              /etc/resolv.conf,  use  -R  to do that. If one or more
              optional domains are given, that server is  used  only
              for  those domains and they are queried only using the
              specified server. This is intended for  private  name‐
              servers:  if  you  have  a  nameserver on your network
              which  deals  with  names  of  the   form   xxx.inter‐
      at then giving  the
              flag -S  /  will
              send  all  queries for internal machines to that name‐
              server, everything else will  go  to  the  servers  in
              /etc/resolv.conf.  An  empty  domain specification, //
              has the special meaning of "unqualified names only" ie
              names  without  any  dots in them. A non-standard port
              may be specified as part of the IP address using  a  #
              character.   More  than  one  -S flag is allowed, with
              repeated domain or ipaddr parts as required.

              Also permitted is a -S flag which gives a  domain  but
              no  IP  address;  this  tells dnsmasq that a domain is
              local and it may answer  queries  from  /etc/hosts  or
              DHCP  but  should never forward queries on that domain
              to any upstream  servers.   local  is  a  synonym  for
              server  to  make  configuration  files clearer in this

              The optional string after the @ character  tells  dns‐
              masq  how  to  set  the  source of the queries to this
              nameserver. It should be an ip-address,  which  should
              belong to the machine on which dnsmasq is running oth‐
              erwise this  server  line  will  be  logged  and  then
              ignored, or an interface name. If an interface name is
              given, then queries to the server will be  forced  via
              that  interface;  if  an  ip-address is given then the
              source address of the queries  will  be  set  to  that
              address.   The  query-port  flag  is  ignored  for any
              servers which have a source address specified but  the
              port  may  be specified directly as part of the source
              address. Forcing queries to an interface is not imple‐
              mented on all platforms supported by dnsmasq.

       -A, --address=/<domain>/[domain/]<ipaddr>
              Specify  an  IP  address to return for any host in the
              given domains.  Queries in the domains are never  for‐
              warded  and  always  replied  to with the specified IP
              address which may be IPv4 or IPv6. To give  both  IPv4
              and  IPv6  addresses  for  a  domain,  use repeated -A
              flags.  Note that /etc/hosts and DHCP leases  override
              this  for individual names. A common use of this is to
              redirect the entire  domain  to  some
              friendly  local  web  server  to avoid banner ads. The
              domain specification works in  the  same  was  as  for
              --server,   with  the  additional  facility  that  /#/
              matches any  domain.  Thus  --address=/#/  will
              always  return for any query not answered from
              /etc/hosts or DHCP and not sent to an  upstream  name‐
              server by a more specific --server directive.

       -m, --mx-host=<mx name>[[,<hostname>],<preference>]
              Return  an  MX  record named <mx name> pointing to the
              given hostname (if given), or the  host  specified  in
              the  --mx-target  switch  or,  if  that  switch is not
              given, the host  on  which  dnsmasq  is  running.  The
              default is useful for directing mail from systems on a
              LAN to a  central  server.  The  preference  value  is
              optional,  and  defaults  to 1 if not given. More than
              one MX record may be given for a host.

       -t, --mx-target=<hostname>
              Specify the default target for the MX record  returned
              by  dnsmasq.  See --mx-host.  If --mx-target is given,
              but not --mx-host, then dnsmasq returns  a  MX  record
              containing  the  MX target for MX queries on the host‐
              name of the machine on which dnsmasq is running.

       -e, --selfmx
              Return an MX record pointing to itself for each  local
              machine.  Local  machines  are  those in /etc/hosts or
              with DHCP leases.

       -L, --localmx
              Return an MX record pointing to the host given by  mx-
              target  (or  the  machine on which dnsmasq is running)
              for each local machine. Local machines  are  those  in
              /etc/hosts or with DHCP leases.

       -W,           --srv-host=<_service>.<_prot>.[<domain>],[<tar‐
              Return a SRV DNS record. See RFC2782 for  details.  If
              not  supplied,  the  domain  defaults to that given by
              --domain.  The default for the target domain is empty,
              and  the  default for port is one and the defaults for
              weight and priority are zero. Be careful if  transpos‐
              ing  data  from  BIND zone files: the port, weight and
              priority numbers are in a different order.  More  than
              one  SRV record for a given service/domain is allowed,
              all that match are returned.

       -Y, --txt-record=<name>[[,<text>],<text>]
              Return a TXT DNS record. The value of TXT record is  a
              set  of strings, so  any number may be included, split
              by commas.

              Return a PTR DNS record.

              Return an NAPTR DNS record, as specified in RFC3403.

              Return a DNS record associating the name with the pri‐
              mary address on the given interface. This flag  speci‐
              fies an A record for the given name in the same way as
              an /etc/hosts line, except that  the  address  is  not
              constant,  but  taken from the given interface. If the
              interface is down, not configured or non-existent,  an
              empty  record  is returned. The matching PTR record is
              also created, mapping the  interface  address  to  the
              name.  More  than  one  name may be associated with an
              interface address by repeating the flag; in that  case
              the first instance is used for the reverse address-to-
              name mapping.

       -c, --cache-size=<cachesize>
              Set the size of dnsmasq's cache. The  default  is  150
              names.   Setting  the  cache  size  to  zero  disables

       -N, --no-negcache
              Disable negative caching. Negative caching allows dns‐
              masq   to  remember  "no  such  domain"  answers  from
              upstream  nameservers  and  answer  identical  queries
              without forwarding them again.

       -0, --dns-forward-max=<queries>
              Set  the maximum number of concurrent DNS queries. The
              default value is 150, which should be  fine  for  most
              setups.  The  only known situation where this needs to
              be  increased  is  when  using  web-server  log   file
              resolvers, which can generate large numbers of concur‐
              rent queries.

       -F,        --dhcp-range=[[net:]network-id,]<start-addr>,<end-
       addr>[[,<netmask>],<broadcast>][,<default lease time>]
              Enable  the  DHCP  server. Addresses will be given out
              from the range <start-addr>  to  <end-addr>  and  from
              statically   defined   addresses  given  in  dhcp-host
              options. If the lease time is given, then leases  will
              be given for that length of time. The lease time is in
              seconds, or minutes (eg 45m) or hours (eg 1h)  or  the
              literal "infinite". The minimum lease time is two min‐
              utes. This option  may  be  repeated,  with  different
              addresses,  to  enable  DHCP  service to more than one
              network. For directly connected networks (ie, networks
              on which the machine running dnsmasq has an interface)
              the netmask is optional. It is, however, required  for
              networks which receive DHCP service via a relay agent.
              The broadcast address is always optional. On some bro‐
              ken  systems, dnsmasq can listen on only one interface
              when using DHCP, and the name of that  interface  must
              be  given  using the interface option. This limitation
              currently affects OpenBSD before version  4.0.  It  is
              always  allowed  to have more than one dhcp-range in a
              single subnet. The optional network-id is  a  alphanu‐
              meric  label  which  marks  this  network so that dhcp
              options may be specified on a per-network basis.  When
              it  is  prefixed  with 'net:' then its meaning changes
              from setting a tag to matching it. Only one tag may be
              set,  but  more  than one tag may be matched.  The end
              address may be replaced by the  keyword  static  which
              tells  dnsmasq  to  enable DHCP for the network speci‐
              fied, but not to dynamically  allocate  IP  addresses.
              Only hosts which have static addresses given via dhcp-
              host or from /etc/ethers will be served.

       -G,                                                   --dhcp-
              Specify per host parameters for the DHCP server.  This
              allows a machine with a particular hardware address to
              be always allocated the same hostname, IP address  and
              lease  time.  A hostname specified like this overrides
              any supplied by the DHCP client on the machine. It  is
              also  allowable  to  ommit  the  hardware  address and
              include the hostname, in which case the IP address and
              lease  times  will  apply to any machine claiming that
              name.          For           example           --dhcp-
              host=00:20:e0:3b:13:af,wap,infinite  tells  dnsmasq to
              give    the    machine    with    hardware     address
              00:20:e0:3b:13:af  the  name wap, and an infinite DHCP
              lease.  --dhcp-host=lap, tells dnsmasq to
              always   allocate  the  machine  lap  the  IP  address
     Addresses allocated like this  are  not
              constrained  to  be  in the range given by the --dhcp-
              range option, but they must be on  the  network  being
              served by the DHCP server. It is allowed to use client
              identifiers rather than hardware addresses to identify
              hosts   by   prefixing   with   'id:'.  Thus:  --dhcp-
              host=id:01:02:03:04,.....  refers  to  the  host  with
              client  identifier  01:02:03:04. It is also allowed to
              specify the client ID  as  text,  like  this:  --dhcp-
              host=id:clientidastext,.....   The special option id:*
              means "ignore any  client-id  and  use  MAC  addresses
              only." This is useful when a client presents a client-
              id sometimes but not others.  If  a  name  appears  in
              /etc/hosts, the associated address can be allocated to
              a DHCP lease, but only if a --dhcp-host option  speci‐
              fying  the  name  also  exists.  The  special  keyword
              "ignore" tells dnsmasq to never offer a DHCP lease  to
              a  machine.  The  machine can be specified by hardware
              address, client ID or hostname, for  instance  --dhcp-
              host=00:20:e0:3b:13:af,ignore   This  is  useful  when
              there is another DHCP  server  on  the  network  which
              should  be used by some machines. The net:<network-id>
              sets the network-id tag whenever this dhcp-host direc‐
              tive  is  in  use.This can be used to selectively send
              DHCP options just for this host. When a  host  matches
              any   dhcp-host   directive   (or   one   implied   by
              /etc/ethers) then the special network-id  tag  "known"
              is set. This allows dnsmasq to be configured to ignore
              requests   from   unknown   machines   using   --dhcp-
              ignore=#known  Ethernet addresses (but not client-ids)
              may  have  wildcard  bytes,  so  for  example  --dhcp-
              host=00:20:e0:3b:13:*,ignore  will  cause  dnsmasq  to
              ignore a range of hardware addresses.  Note  that  the
              "*"  will  need  to  be escaped or quoted on a command
              line, but not  in  the  configuration  file.  Hardware
              addresses  normally  match any network (ARP) type, but
              it is possible to restrict them to a single  ARP  type
              by  preceding them with the ARP-type (in HEX) and "-".
              so --dhcp-host=06-00:20:e0:3b:13:af, will  only
              match  a  Token-Ring  hardware address, since the ARP-
              address type for token ring is 6.

              Read DHCP host information from  the  specified  file.
              The file contains information about one host per line.
              The format of a line is the same as text to the  right
              of  '='  in --dhcp-host. The advantage of storing DHCP
              host information in  this  file  is  that  it  can  be
              changed  without re-starting dnsmasq: the file will be
              re-read when dnsmasq receives SIGHUP.

              Read DHCP option information from the specified  file.
              The  advantage of using this option is the same as for
              --dhcp-hostsfile: the dhcp-optsfile  will  be  re-read
              when dnsmasq receives SIGHUP.

       -Z, --read-ethers
              Read  /etc/ethers  for information about hosts for the
              DHCP server. The format of /etc/ethers is  a  hardware
              address,  followed by either a hostname or dotted-quad
              IP address. When read  by  dnsmasq  these  lines  have
              exactly  the  same  effect as --dhcp-host options con‐
              taining the same information. /etc/ethers  is  re-read
              when dnsmasq receives SIGHUP.

       -O,         --dhcp-option=[<network-id>,[<network-id>,]][ven‐
              Specify different or extra options to DHCP clients. By
              default, dnsmasq sends some standard options  to  DHCP
              clients,  the netmask and broadcast address are set to
              the same as the host  running  dnsmasq,  and  the  DNS
              server and default route are set to the address of the
              machine running dnsmasq. If the domain name option has
              been  set,  that  is  sent.  This configuration allows
              these defaults to  be  overridden,  or  other  options
              specified.  The  option,  to be sent may be given as a
              decimal number or as "option:<option-name>" The option
              numbers  are specified in RFC2132 and subsequent RFCs.
              The set of option-names known by dnsmasq can  be  dis‐
              covered  by  running "dnsmasq --help dhcp".  For exam‐
              ple, to set the default route option  to,
              do   --dhcp-option=3,  or  --dhcp-option  =
              option:router, and to set the  time-server
              address    to,   do   --dhcp-option   =
              42, or --dhcp-option  =  option:ntp-server,
      The  special  address is taken to
              mean "the address of  the  machine  running  dnsmasq".
              Data  types allowed are comma separated dotted-quad IP
              addresses, a decimal number, colon-separated hex  dig‐
              its and a text string. If the optional network-ids are
              given then this option is only sent when all the  net‐
              work-ids are matched.

              Special  processing  is  done  on  a text argument for
              option 119, to conform with RFC 3397. Text or  dotted-
              quad  IP addresses as arguments to option 120 are han‐
              dled as per RFC 3361. Dotted-quad IP  addresses  which
              are  followed  by  a slash and then a netmask size are
              encoded as described in RFC 3442.

              Be careful: no checking is done that the correct  type
              of  data  for  the  option number is sent, it is quite
              possible to persuade dnsmasq to generate illegal  DHCP
              packets  with  injudicious  use of this flag. When the
              value is a decimal number, dnsmasq must determine  how
              large  the data item is. It does this by examining the
              option number and/or the value, but can be  overridden
              by  appending a single letter flag as follows: b = one
              byte, s = two bytes, i = four bytes.  This  is  mainly
              useful  with  encapsulated  vendor  class options (see
              below) where dnsmasq cannot determine data  size  from
              the   option number. Option data which consists solely
              of periods and digits will be interpreted  by  dnsmasq
              as an IP address, and inserted into an option as such.
              To force a literal string, use  quotes.  For  instance
              when  using  option 66 to send a literal IP address as
              TFTP server  name,  it  is  necessary  to  do  --dhcp-

              Encapsulated  Vendor-class  options may also be speci‐
              fied  using  --dhcp-option:   for   instance   --dhcp-
              option=vendor:PXEClient,1,  sends  the encapsu‐
              lated    vendor    class-specific    option     "mftp-
              address="  to  any  client  whose  vendor-class
              matches "PXEClient". The vendor-class matching is sub‐
              string  based (see --dhcp-vendorclass for details). If
              a vendor-class option (number 60) is sent by  dnsmasq,
              then  that  is used for selecting encapsulated options
              in preference to any sent by the client. It is  possi‐
              ble   to  omit  the  vendorclass  completely;  --dhcp-
              option=vendor:,1, in which  case  the  encapsu‐
              lated  option  is always sent.  The address is
              not treated specially  in  encapsulated  vendor  class

              This works in exactly the same  way  as  --dhcp-option
              except  that  the  option will always be sent, even if
              the client does  not  ask  for  it  in  the  parameter
              request  list.  This  is sometimes needed, for example
              when sending options to PXELinux.

              Disable re-use of the  DHCP  servername  and  filename
              fields as extra option space. If it can, dnsmasq moves
              the boot server and filename information  (from  dhcp-
              boot) out of their dedicated fields into DHCP options.
              This make extra space available in the DHCP packet for
              options   but  can,  rarely,  confuse  old  or  broken
              clients. This flag forces "simple and safe"  behaviour
              to avoid problems in such a case.

       -U, --dhcp-vendorclass=<network-id>,<vendor-class>
              Map  from  a  vendor-class string to a network id tag.
              Most DHCP clients provide a "vendor class" which  rep‐
              resents,  in some sense, the type of host. This option
              maps vendor classes to tags, so that DHCP options  may
              be  selectively  delivered  to  different  classes  of
              hosts. For example  dhcp-vendorclass=printers,Hewlett-
              Packard  JetDirect  will  allow options to be set only
              for  HP   printers   like   so:   --dhcp-option=print‐
              ers,3, The vendor-class string is substring
              matched  against  the  vendor-class  supplied  by  the
              client, to allow fuzzy matching.

       -j, --dhcp-userclass=<network-id>,<user-class>
              Map from a user-class string to a network id tag (with
              substring matching, like vendor  classes).  Most  DHCP
              clients  provide a "user class" which is configurable.
              This option maps user classes to tags,  so  that  DHCP
              options  may  be  selectively  delivered  to different
              classes of hosts. It is possible, for instance to  use
              this  to  set  a different printer server for hosts in
              the class "accounts"  than  for  hosts  in  the  class

       -4, --dhcp-mac=<network-id>,<MAC address>
              Map  from  a  MAC address to a network-id tag. The MAC
              address may include  wildcards.  For  example  --dhcp-
              mac=3com,01:34:23:*:*:*  will  set  the tag "3com" for
              any host whose MAC address matches the pattern.

       --dhcp-circuitid=<network-id>,<circuit-id>,           --dhcp-
              Map  from  RFC3046  relay  agent options to network-id
              tags. This data may be provided by DHCP relay  agents.
              The  circuit-id  or  remote-id  is  normally  given as
              colon-separated hex, but is also allowed to be a  sim‐
              ple  string. If an exact match is achieved between the
              circuit or agent ID and one provided by a relay agent,
              the network-id tag is set.

              Map  from RFC3993 subscriber-id relay agent options to
              network-id tags.

       --dhcp-match=<network-id>,<option number>
              Set the network-id tag if  the  client  sends  a  DHCP
              option  of the given number. This can be used to iden‐
              tify particular clients which send  information  using
              private option numbers.

       -J, --dhcp-ignore=<network-id>[,<network-id>]
              When  all  the given network-ids match the set of net‐
              work-ids derived from the net, host, vendor  and  user
              classes, ignore the host and do not allocate it a DHCP

              When all the given network-ids match the set  of  net‐
              work-ids  derived  from the net, host, vendor and user
              classes, ignore any hostname  provided  by  the  host.
              Note  that,  unlike  dhcp-ignore, it is permissible to
              supply no netid tags, in which case  DHCP-client  sup‐
              plied hostnames are always ignored, and DHCP hosts are
              added to the DNS using only dhcp-host configuration in
              dnsmasq   and   the   contents   of   /etc/hosts   and

              When all the given network-ids match the set  of  net‐
              work-ids  derived  from the net, host, vendor and user
              classes, always use broadcast to communicate with  the
              host  when it is unconfigured. Most DHCP clients which
              need broadcast replies set a flag in their requests so
              that   this  happens  automatically,  some  old  BOOTP
              clients do not.

       -M,       --dhcp-boot=[net:<network-id>,]<filename>,[<server‐
       name>[,<server address>]]
              Set  BOOTP  options to be returned by the DHCP server.
              Server name and address are optional: if not provided,
              the  name  is  left  empty, and the address set to the
              address of the machine running dnsmasq. If dnsmasq  is
              providing  a  TFTP  service  (see --enable-tftp ) then
              only the filename is required here to  enable  network
              booting.   If  the  optional  network-id(s) are given,
              they must match for this  configuration  to  be  sent.
              Note  that  network-ids are prefixed by "net:" to dis‐
              tinguish them.

       -X, --dhcp-lease-max=<number>
              Limits dnsmasq to the specified maximum number of DHCP
              leases.  The  default is 150. This limit is to prevent
              DoS attacks  from  hosts  which  create  thousands  of
              leases and use lots of memory in the dnsmasq process.

       -K, --dhcp-authoritative
              Should be set when dnsmasq is definitely the only DHCP
              server on a network.  It changes  the  behaviour  from
              strict RFC compliance so that DHCP requests on unknown
              leases from unknown hosts are not ignored. This allows
              new  hosts  to  get  a lease without a tedious timeout
              under all circumstances. It  also  allows  dnsmasq  to
              rebuild its lease database without each client needing
              to reacquire a lease, if the database is lost.

       --dhcp-alternate-port[=<server port>[,<client port>]]
              Change the ports used for DHCP from  the  default.  If
              this  option  is  given  alone,  without arguments, it
              changes the ports used for DHCP from 67 and 68 to 1067
              and  1068.  If  a  single argument is given, that port
              number is used for the server and the port number plus
              one  used  for  the  client. Finally, two port numbers
              allows arbitrary  specification  of  both  server  and
              client ports for DHCP.

       -3, --bootp-dynamic
              Enable  dynamic  allocation  of  IP addresses to BOOTP
              clients. Use this with care, since each address  allo‐
              cated  to a BOOTP client is leased forever, and there‐
              fore becomes permanently  unavailable  for  re-use  by
              other hosts.

       -5, --no-ping
              By  default,  the  DHCP  server will attempt to ensure
              that an address in not in use before allocating it  to
              a  host.  It does this by sending an ICMP echo request
              (aka "ping") to the address in question. If it gets  a
              reply,  then  the  address must already be in use, and
              another is tried. This flag disables this  check.  Use
              with caution.

              Extra  logging  for  DHCP: log all the options sent to
              DHCP clients and the  netid  tags  used  to  determine

       -l, --dhcp-leasefile=<path>
              Use  the  specified  file to store DHCP lease informa‐
              tion. If this option is given but no dhcp-range option
              is  given  then  dnsmasq  version 1 behaviour is acti‐
              vated. The file given is assumed to be  an  ISC  dhcpd
              lease  file and parsed for leases which are then added
              to the DNS system if they have a hostname. This  func‐
              tionality  may have been excluded from dnsmasq at com‐
              pile time, in which case an error will occur.  In  any
              case  note  that ISC leasefile integration is a depre‐
              cated feature. It should not be used in new  installa‐
              tions, and will be removed in a future release.

       -6 --dhcp-script=<path>
              Whenever  a  new  DHCP lease is created, or an old one
              destroyed, the binary specified by this option is run.
              The  arguments  to  the  process  are  "add", "old" or
              "del", the MAC address of the host (or "<null>"),  the
              IP  address, and the hostname, if known. "add" means a
              lease has  been  created,  "del"  means  it  has  been
              destroyed,  "old"  is  a  notification  of an existing
              lease when dnsmasq starts or a change to  MAC  address
              or  hostname  of an existing lease (also, lease length
              or expiry and client-id, if leasefile-ro is set).  The
              process  is  run  as  root  (assuming that dnsmasq was
              originally run as root) even if dnsmasq is  configured
              to  change  UID to an unprivileged user.  The environ‐
              ment is inherited from the invoker of dnsmasq, and  if
              the  host  provided a client-id, this is stored in the
              environment variable DNSMASQ_CLIENT_ID. If the  client
              provides vendor-class or user-class information, these
              are  provided   in   DNSMASQ_VENDOR_CLASS   and   DNS‐
              MASQ_USER_CLASS0..DNSMASQ_USER_CLASSn  variables,  but
              only for "add" actions or "old" actions  when  a  host
              resumes  an  existing  lease, since these data are not
              held in dnsmasq's lease database. If dnsmasq was  com‐
              piled  with  HAVE_BROKEN_RTC,  then  the length of the
              lease (in seconds) is stored in  DNSMASQ_LEASE_LENGTH,
              otherwise  the  time of lease expiry is stored in DNS‐
              MASQ_LEASE_EXPIRES. The number of seconds until  lease
              expiry is always stored in DNSMASQ_TIME_REMAINING.  If
              a lease used to have a hostname, which is removed,  an
              "old"  event  is  generated  with the new state of the
              lease, ie no name, and the former name is provided  in
              the  environment  variable  DNSMASQ_OLD_HOSTNAME. DNS‐
              MASQ_INTERFACE stores the name  of  the  interface  on
              which  the  request arrived; this is not set for "old"
              actions when dnsmasq restarts.  All  file  descriptors
              are  closed  except stdin, stdout and stderr which are
              open to /dev/null (except in debug mode).  The  script
              is  not  invoked  concurrently:  if  subsequent  lease
              changes occur, the script is not invoked  again  until
              any existing invocation exits. At dnsmasq startup, the
              script will be invoked for all existing leases as they
              are  read  from the lease file. Expired leases will be
              called with "del" and others with "old".  <path>  must
              be  an  absolute pathname, no PATH search occurs. When
              dnsmasq receives a HUP  signal,  the  script  will  be
              invoked for existing leases with an "old " event.

              Specify  the  user  as  which  to run the lease-change
              script. This defaults to root, but can be  changed  to
              another user using this flag.

       -9, --leasefile-ro
              Completely  suppress  use  of the lease database file.
              The file will not be created, read, or written. Change
              the  way  the lease-change script (if one is provided)
              is called, so that the lease  database  may  be  main‐
              tained  in external storage by the script. In addition
              to the invocations  given in --dhcp-script the  lease-
              change script is called once, at dnsmasq startup, with
              the single argument "init". When called like this  the
              script should write the saved state of the lease data‐
              base, in dnsmasq leasefile format, to stdout and  exit
              with  zero  exit code. Setting this option also forces
              the leasechange script to be called on changes to  the
              client-id and lease length and expiry time.

              Treat  DHCP  request  packets  arriving  at any of the
              <alias> interfaces as if they had arrived  at  <inter‐
              face>. This option is only available on BSD platforms,
              and is necessary  when  using  "old  style"  bridging,
              since  packets  arrive  at  tap interfaces which don't
              have an IP address.

       -s, --domain=<domain>
              Specifies the domain for the DHCP server. This has two
              effects;  firstly  it causes the DHCP server to return
              the domain to any hosts which request it, and secondly
              it  sets the domain which it is legal for DHCP-config‐
              ured hosts to claim. The  intention  is  to  constrain
              hostnames  so that an untrusted host on the LAN cannot
              advertise its name via dhcp  as  e.g.  ""
              and  capture  traffic  not  meant for it. If no domain
              suffix is specified, then any  DHCP  hostname  with  a
              domain  part (ie with a period) will be disallowed and
              logged. If suffix is specified, then hostnames with  a
              domain  part  are  allowed,  provided  the domain part
              matches the suffix. In addition, when a suffix is  set
              then  hostnames  without a domain part have the suffix
              added as an optional domain part. Eg on my  network  I
              can  set and have a machine
              whose DHCP hostname is "laptop". The  IP  address  for
              that  machine  is available from dnsmasq both as "lap‐
              top" and "". If the domain  is
              given  as  "#"  then the domain is read from the first
              "search" directive  in  /etc/resolv.conf  (or  equiva‐

              Enable  the TFTP server function. This is deliberately
              limited to that needed  to  net-boot  a  client.  Only
              reading  is  allowed; the tsize and blksize extensions
              are supported (tsize is only supported in octet mode).

              Look for files to transfer using TFTP relative to  the
              given  directory.  When  this is set, TFTP paths which
              include ".." are rejected,  to  stop  clients  getting
              outside  the specified root.  Absolute paths (starting
              with /) are allowed, but they must be within the tftp-

              Add the IP address of the TFTP client as a path compo‐
              nent on the end of the TFTP-root (in standard  dotted-
              quad format). Only valid if a tftp-root is set and the
              directory  exists.  For  instance,  if  tftp-root   is
              "/tftp" and client requests file "myfile" then
              the effective path will be  "/tftp/"  if
              /tftp/ exists or /tftp/myfile otherwise.

              Enable  TFTP secure mode: without this, any file which
              is readable by the dnsmasq process under  normal  unix
              access-control  rules  is available via TFTP. When the
              --tftp-secure flag is given, only files owned  by  the
              user  running  the  dnsmasq process are accessible. If
              dnsmasq is being run as root, different  rules  apply:
              --tftp-secure has no effect, but only files which have
              the world-readable bit set are accessible. It  is  not
              recommended  to run dnsmasq as root with TFTP enabled,
              and  certainly  not  without  specifying  --tftp-root.
              Doing  so  can  expose  any world-readable file on the
              server to any host on the net.

              Set the maximum number of concurrent TFTP  connections
              allowed.  This  defaults  to  50. When serving a large
              number of TFTP connections, per-process file  descrip‐
              tor  limits may be encountered. Dnsmasq needs one file
              descriptor for each concurrent TFTP connection and one
              file  descriptor  per unique file (plus a few others).
              So serving the same file simultaneously to  n  clients
              will  use require about n + 10 file descriptors, serv‐
              ing different files simultaneously to n  clients  will
              require  about (2*n) + 10 descriptors. If --tftp-port-
              range is given, that can affect the number of  concur‐
              rent connections.

              Stop  the TFTP server from negotiating the "blocksize"
              option with a client. Some buggy clients request  this
              option but then behave badly when it is granted.

              A  TFTP  server  listens on a well-known port (69) for
              connection initiation, but it also uses a dynamically-
              allocated port for each connection. Normally these are
              allocated by the OS, but this option specifies a range
              of ports for use by TFTP transfers. This can be useful
              when TFTP has to traverse a firewall. The start of the
              range cannot be lower than 1025 unless dnsmasq is run‐
              ning as root. The number of  concurrent  TFTP  connec‐
              tions is limited by the size of the port range.

       -C, --conf-file=<file>
              Specify  a different configuration file. The conf-file
              option is also  allowed  in  configuration  files,  to
              include multiple configuration files.

       -7, --conf-dir=<directory>
              Read  all the files in the given directory as configu‐
              ration files. Files whose names end in ~ or start with
              .  or  start and end with # are skipped. This flag may
              be given on the command line  or  in  a  configuration

       At  startup,  dnsmasq  reads /etc/dnsmasq.conf, if it exists.
       (On FreeBSD, the file is /usr/local/etc/dnsmasq.conf  )  (but
       see  the -C and -7 options.) The format of this file consists
       of one option per line, exactly as the long options  detailed
       in  the  OPTIONS  section but without the leading "--". Lines
       starting with # are comments and ignored. For  options  which
       may  only be specified once, the configuration file overrides
       the command line.  Quoting  is  allowed  in  a  config  file:
       between  "  quotes  the  special  meanings  of  ,:. and # are
       removed and the following escapes are allowed: \\ \" \t \e \b
       \r and \n. The later corresponding to tab, escape, backspace,
       return and newline.

       When it receives a SIGHUP, dnsmasq clears its cache and  then
       re-loads  /etc/hosts  and  /etc/ethers  and any file given by
       --dhcp-hostsfile, --dhcp-optsfile or --addn-hosts.  The  dhcp
       lease  change  script is called for all existing DHCP leases.
       If --no-poll is set SIGHUP  also  re-reads  /etc/resolv.conf.
       SIGHUP does NOT re-read the configuration file.

       When  it receives a SIGUSR1, dnsmasq writes statistics to the
       system log. It writes the cache size,  the  number  of  names
       which  have had to removed from the cache before they expired
       in order to make room for new names and the total  number  of
       names  that  have  been  inserted  into  the  cache. For each
       upstream server it gives the number of queries sent, and  the
       number  which  resulted  in  an error. In --no-daemon mode or
       when full logging is enabled (-q), a  complete  dump  of  the
       contents of the cache is made.

       When  it  receives SIGUSR2 and it is logging direct to a file
       (see --log-facility ) dnsmasq will close and reopen  the  log
       file.  Note  that  during this operation, dnsmasq will not be
       running as root. When it first creates  the  logfile  dnsmasq
       changes  the  ownership  of  the file to the non-root user it
       will run as. Logrotate should be configured to create  a  new
       log  file  with  the ownership which matches the existing one
       before sending SIGUSR2.  If TCP DNS queries are in  progress,
       the old logfile will remain open in child processes which are
       handling TCP queries and may continue to be written. There is
       a  limit  of  150  seconds, after which all existing TCP pro‐
       cesses will have expired: for this reason, it is not wise  to
       configure  logfile  compression  for logfiles which have just
       been rotated. Using logrotate, the required options are  cre‐
       ate and delaycompress.

       Dnsmasq is a DNS query forwarder: it it not capable of recur‐
       sively answering arbitrary queries  starting  from  the  root
       servers  but  forwards  such  queries  to  a  fully recursive
       upstream DNS server which is typically provided by an ISP. By
       default,  dnsmasq  reads  /etc/resolv.conf to discover the IP
       addresses of the upstream nameservers it  should  use,  since
       the  information  is typically stored there. Unless --no-poll
       is  used,   dnsmasq   checks   the   modification   time   of
       /etc/resolv.conf (or equivalent if --resolv-file is used) and
       re-reads it if it changes. This allows the DNS servers to  be
       set  dynamically  by PPP or DHCP since both protocols provide
       the information.  Absence of /etc/resolv.conf is not an error
       since  it  may  not have been created before a PPP connection
       exists.   Dnsmasq   simply    keeps    checking    in    case
       /etc/resolv.conf  is created at any time. Dnsmasq can be told
       to parse more than one resolv.conf file. This is useful on  a
       laptop,  where  both PPP and DHCP may be used: dnsmasq can be
       set     to     poll     both     /etc/ppp/resolv.conf     and
       /etc/dhcpc/resolv.conf and will use the contents of whichever
       changed last, giving automatic switching between DNS servers.

       Upstream servers may also be specified on the command line or
       in   the  configuration  file.  These  server  specifications
       optionally take a domain name which tells dnsmasq to use that
       server only to find names in that particular domain.

       In order to configure dnsmasq to act as cache for the host on
       which  it  is  running,   put   "nameserver"   in
       /etc/resolv.conf  to force local processes to send queries to
       dnsmasq. Then either specify the upstream servers directly to
       dnsmasq using --server options or put their addresses real in
       another file, say /etc/resolv.dnsmasq and  run  dnsmasq  with
       the  -r  /etc/resolv.dnsmasq  option.  This  second technique
       allows for dynamic update of the server addresses by  PPP  or

       Addresses in /etc/hosts will "shadow" different addresses for
       the  same  names  in  the  upstream  DNS,  so  ""   in   /etc/hosts   will  ensure  that  queries  for
       "" always return even if queries in  the
       upstream  DNS  would  otherwise  return  a different address.
       There is one exception to this: if the upstream DNS  contains
       a  CNAME which points to a shadowed name, then looking up the
       CNAME through dnsmasq will result in the  unshadowed  address
       associated with the target of the CNAME. To work around this,
       add the CNAME to /etc/hosts so that  the  CNAME  is  shadowed

       The  network-id  system  works  as  follows:  For  each  DHCP
       request, dnsmasq collects a set of valid network-id tags, one
       from  the  dhcp-range  used to allocate the address, one from
       any matching dhcp-host and possibly many from matching vendor
       classes  and  user classes sent by the DHCP client. Any dhcp-
       option which has network-id tags will be used  in  preference
       to  an  untagged  dhcp-option,  provided  that _all_ the tags
       match somewhere in the set collected as described above.  The
       prefix  '#'  on  a  tag  means  'not'  so --dhcp=option=#pur‐
       ple,3, sends the option when the network-id tag purple
       is not in the set of valid tags.

       If  the  network-id  in  a dhcp-range is prefixed with 'net:'
       then its meaning changes from setting a tag to  matching  it.
       Thus if there is more than dhcp-range on a subnet, and one is
       tagged with a network-id which is set (for  instance  from  a
       vendorclass  option)  then hosts which set the netid tag will
       be allocated addresses in the tagged range.

       The DHCP server in dnsmasq will function as  a  BOOTP  server
       also,  provided  that  the  MAC  address  and  IP address for
       clients are given, either using dhcp-host  configurations  or
       in  /etc/ethers  ,  and  a dhcp-range configuration option is
       present to activate the DHCP server on a particular  network.
       (Setting  --bootp-dynamic removes the need for static address
       mappings.) The filename  parameter  in  a  BOOTP  request  is
       matched  against  netids in dhcp-option configurations, as is
       the tag "bootp",  allowing  some  control  over  the  options
       returned to different classes of hosts.

       0  - Dnsmasq successfully forked into the background, or ter‐
       minated normally if backgrounding is not enabled.

       1 - A problem with configuration was detected.

       2 - A problem with network access occurred (address  in  use,
       attempt to use privileged ports without permission).

       3  -  A problem occurred with a filesystem operation (missing
       file/directory, permissions).

       4 - Memory allocation failure.

       5 - Other miscellaneous problem.

       11 or greater - a non zero return code was received from  the
       lease-script  process "init" call. The exit code from dnsmasq
       is the script's exit code with 10 added.

       The default values for resource limits in dnsmasq are  gener‐
       ally  conservative,  and appropriate for embedded router type
       devices with slow processors  and  limited  memory.  On  more
       capable  hardware, it is possible to increase the limits, and
       handle many more  clients.  The  following  applies  to  dns‐
       masq-2.37: earlier versions did not scale as well.

       Dnsmasq  is  capable  of handling DNS and DHCP for at least a
       thousand clients. Clearly to do this  the  value  of  --dhcp-
       lease-max  must  be  increased, and lease times should not be
       very short (less than one hour). The value of  --dns-forward-
       max  can  be  increased: start with it equal to the number of
       clients and increase if DNS seems slow. Note that DNS perfor‐
       mance  depends  too  on the performance of the upstream name‐
       servers. The size of the DNS cache may be increased: the hard
       limit is 10000 names and the default (150) is very low. Send‐
       ing SIGUSR1 to dnsmasq makes it log information which is use‐
       ful  for  tuning  the  cache  size. See the NOTES section for

       The built-in TFTP server is capable of many simultaneous file
       transfers:  the  absolute  limit  is related to the number of
       file-handles allowed to a process  and  the  ability  of  the
       select()  system call to cope with large numbers of file han‐
       dles. If the limit is set too high using --tftp-max  it  will
       be  scaled down and the actual limit logged at start-up. Note
       that more tran
Results 1 - 1 of 1
Help - FTP Sites List - Software Dir.
Search over 15 billion files
© 1997-2017