Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 1 | Q: Why does dnsmasq open UDP ports >1024 as well as port 53. |
| 2 | Is this a security problem/trojan/backdoor? |
| 3 | |
| 4 | A: The high ports that dnsmasq opens is for replies from the upstream |
| 5 | nameserver(s). Queries from dnsmasq to upstream nameservers are sent |
| 6 | from these ports and replies received to them. The reason for doing this is |
| 7 | that most firewall setups block incoming packets _to_ port 53, in order |
| 8 | to stop DNS queries from the outside world. If dnsmasq sent its queries |
| 9 | from port 53 the replies would be _to_ port 53 and get blocked. |
| 10 | |
| 11 | This is not a security hole since dnsmasq will only accept replies to that |
| 12 | port: queries are dropped. The replies must be to oustanding queries |
| 13 | which dnsmasq has forwarded, otherwise they are dropped too. |
| 14 | |
| 15 | Addendum: dnsmasq now has the option "query-port" (-Q), which allows |
| 16 | you to specify the UDP port to be used for this purpose. If not |
| 17 | specified, the operating system will select an available port number |
| 18 | just as it did before. |
| 19 | |
| 20 | Q: Why doesn't dnsmasq support DNS queries over TCP? Don't the RFC's specify |
| 21 | that? |
| 22 | |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 23 | A: Update: from version 2.10, it does. There are a few limitations: |
Simon Kelley | 0a85254 | 2005-03-23 20:28:59 +0000 | [diff] [blame] | 24 | data obtained via TCP is not cached, and source-address |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 25 | or query-port specifications are ignored for TCP. |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 26 | |
| 27 | Q: When I send SIGUSR1 to dump the contents of the cache, some entries have |
| 28 | no IP address and are for names like mymachine.mydomain.com.mydomain.com. |
| 29 | What are these? |
| 30 | |
| 31 | A: They are negative entries: that's what the N flag means. Dnsmasq asked |
| 32 | an upstream nameserver to resolve that address and it replied "doesn't |
| 33 | exist, and won't exist for <n> hours" so dnsmasq saved that information so |
| 34 | that if _it_ gets asked the same question it can answer directly without |
| 35 | having to go back to the upstream server again. The strange repeated domains |
| 36 | result from the way resolvers search short names. See "man resolv.conf" for |
| 37 | details. |
| 38 | |
| 39 | |
| 40 | Q: Will dnsmasq compile/run on non-Linux systems? |
| 41 | |
| 42 | A: Yes, there is explicit support for *BSD and Solaris. |
| 43 | For other systems, try altering the settings in config.h. |
| 44 | |
| 45 | A: Update for V2. Doing DHCP is rather non-portable, so there may be |
| 46 | a few teething troubles. The initial 2.0 release is known to work |
| 47 | on Linux 2.2.x, Linux 2.4.x and Linux 2.6.x with uclibc and glibc |
| 48 | 2.3. It also works on FreeBSD 4.8. The crucial problem is sending |
| 49 | raw packets, bypassing the IP stack. Dnsmasq contains code to do |
| 50 | using PF_PACKET sockets (which is for Linux) and the Berkeley packet |
| 51 | filter (which works with BSD). If you are trying to port to another |
| 52 | Un*x, bpf is the most likeley candidate. See config.h |
| 53 | |
| 54 | Q: My companies' nameserver knows about some names which aren't in the |
| 55 | public DNS. Even though I put it first in /etc/resolv.conf, it |
| 56 | dosen't work: dnsmasq seems not to use the nameservers in the order |
| 57 | given. What am I doing wrong? |
| 58 | |
| 59 | A: By default, dnsmasq treats all the nameservers it knows about as |
| 60 | equal: it picks the one to use using an algorithm designed to avoid |
| 61 | nameservers which aren't responding. To make dnsmasq use the |
| 62 | servers in order, give it the -o flag. If you want some queries |
| 63 | sent to a special server, think about using the -S flag to give the |
| 64 | IP address of that server, and telling dnsmasq exactly which |
| 65 | domains to use the server for. |
| 66 | |
| 67 | Q: OK, I've got queries to a private nameserver working, now how about |
| 68 | reverse queries for a range of IP addresses? |
| 69 | |
| 70 | A: Use the standard DNS convention of <reversed address>.in-addr.arpa. |
| 71 | For instance to send reverse queries on the range 192.168.0.0 to |
| 72 | 192.168.0.255 to a nameserver at 10.0.0.1 do |
| 73 | server=/0.168.192.in-addr.arpa/10.0.0.1 |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 74 | Note that the "bogus-priv" option take priority over this option, |
| 75 | so the above will not work when the bogus-priv option is set. |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 76 | |
| 77 | Q: Dnsmasq fails to start with an error like this: "dnsmasq: bind |
| 78 | failed: Cannot assign requested address". What's the problem? |
| 79 | |
| 80 | A: This has been seen when a system is bringing up a PPP interface at |
| 81 | boot time: by the time dnsmasq start the interface has been |
| 82 | created, but not brought up and assigned an address. The easiest |
| 83 | solution is to use --interface flags to specify which interfaces |
| 84 | dnsmasq should listen on. Since you are unlikely to want dnsmasq to |
| 85 | listen on a PPP interface and offer DNS service to the world, the |
| 86 | problem is solved. |
| 87 | |
| 88 | Q: I'm running on BSD and dnsmasq won't accept long options on the |
| 89 | command line. |
| 90 | |
| 91 | A: Dnsmasq when built on BSD systems doesn't use GNU getopt by |
| 92 | default. You can either just use the single-letter options or |
| 93 | change config.h and the Makefile to use getopt-long. Note that |
| 94 | options in /etc/dnsmasq.conf must always be the long form, |
| 95 | on all platforms. |
| 96 | |
| 97 | Q: Names on the internet are working fine, but looking up local names |
| 98 | from /etc/hosts or DHCP doesn't seem to work. |
| 99 | |
| 100 | A: Resolver code sometime does strange things when given names without |
| 101 | any dots in. Win2k and WinXP may not use the DNS at all and just |
| 102 | try and look up the name using WINS. On unix look at "options ndots:" |
| 103 | in "man resolv.conf" for details on this topic. Testing lookups |
| 104 | using "nslookup" or "dig" will work, but then attempting to run |
| 105 | "ping" will get a lookup failure, appending a dot to the end of the |
| 106 | hostname will fix things. (ie "ping myhost" fails, but "ping |
| 107 | myhost." works. The solution is to make sure that all your hosts |
| 108 | have a domain set ("domain" in resolv.conf, the network applet in |
| 109 | windows, or set a domain in your DHCP server). Any domain will do, |
| 110 | but "localnet" is traditional. Now when you resolve "myhost" the |
| 111 | resolver will attempt to look up "myhost.localnet" so you need to |
| 112 | have dnsmasq reply to that name. The way to do that is to include |
| 113 | the domain in each name on /etc/hosts and/or to use the |
Simon Kelley | 0a85254 | 2005-03-23 20:28:59 +0000 | [diff] [blame] | 114 | --expand-hosts and --domain options. |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 115 | |
| 116 | Q: Can I get dnsmasq to save the contents of its cache to disk when |
Simon Kelley | bb01cb9 | 2004-12-13 20:56:23 +0000 | [diff] [blame] | 117 | I shut my machine down and re-load when it starts again? |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 118 | |
| 119 | A: No, that facility is not provided. Very few names in the DNS have |
| 120 | their time-to-live set for longer than a few hours so most of the |
| 121 | cache entries would have expired after a shutdown. For longer-lived |
| 122 | names it's much cheaper to just reload them from the upstream |
| 123 | server. Note that dnsmasq is not shut down between PPP sessions so |
| 124 | go off-line and then on-line again will not lose the contents of |
| 125 | the cache. |
| 126 | |
| 127 | Q: Who are Verisign, what do they have to do with the bogus-nxdomain |
| 128 | option in dnsmasq and why should I wory about it? |
| 129 | |
| 130 | A: [note: this was written in September 2003, things may well change.] |
| 131 | Versign run the .com and .net top-level-domains. They have just |
| 132 | changed the configuration of their servers so that unknown .com and |
| 133 | .net domains, instead of returning an error code NXDOMAIN, (no such |
| 134 | domain) return the address of a host at Versign which runs a web |
| 135 | server showing a search page. Most right-thinking people regard |
| 136 | this new behaviour as broken :-). You can test to see if you are |
| 137 | suffering Versign brokeness by run a command like |
| 138 | |
| 139 | host jlsdajkdalld.com |
| 140 | |
| 141 | If you get "jlsdajkdalld.com" does not exist, then all is fine, if |
| 142 | host returns an IP address, then the DNS is broken. (Try a few |
| 143 | different unlikely domains, just in case you picked a wierd one |
| 144 | which really _is_ registered.) |
| 145 | |
| 146 | Assuming that your DNS is broken, and you want to fix it, simply |
| 147 | note the IP address being returned and pass it to dnsmasq using the |
| 148 | --bogus-nxdomain flag. Dnsmasq will check for results returning |
| 149 | that address and substitute an NXDOMAIN instead. |
| 150 | |
| 151 | As of writing, the IP address in question for the .com and .net |
| 152 | domains is is 64.94.110.11. Various other, less prominent, |
| 153 | registries pull the same stunt; there is a list of them all, and |
| 154 | the addresses to block, at http://winware.org/bogus-domains.txt |
| 155 | |
Simon Kelley | 1ab84e2 | 2004-01-29 16:48:35 +0000 | [diff] [blame] | 156 | Q: This new DHCP server is well and good, but it doesn't work for me. |
| 157 | What's the problem? |
| 158 | |
| 159 | A: There are a couple of configuration gotchas which have been |
| 160 | encountered by people moving from the ISC dhcpd to the dnsmasq |
| 161 | integrated DHCP daemon. Both are related to differences in |
| 162 | in the way the two daemons bypass the IP stack to do "ground up" |
| 163 | IP configuration and can lead to the dnsmasq daemon failing |
| 164 | whilst the ISC one works. |
| 165 | |
| 166 | The first thing to check is the broadcast address set for the |
| 167 | ethernet interface. This is normally the adddress on the connected |
| 168 | network with all ones in the host part. For instance if the |
| 169 | address of the ethernet interface is 192.168.55.7 and the netmask |
| 170 | is 255.255.255.0 then the broadcast address should be |
| 171 | 192.168.55.255. Having a broadcast address which is not on the |
| 172 | network to which the interface is connected kills things stone |
| 173 | dead. |
| 174 | |
| 175 | The second potential problem relates to firewall rules: since the ISC |
| 176 | daemon in some configurations bypasses the kernel firewall rules |
| 177 | entirely, the ability to run the ISC daemon does not indicate |
| 178 | that the current configuration is OK for the dnsmasq daemon. |
| 179 | For the dnsmasq daemon to operate it's vital that UDP packets to |
| 180 | and from ports 67 and 68 and broadcast packets with source |
| 181 | address 0.0.0.0 and destination address 255.255.255.255 are not |
| 182 | dropped by iptables/ipchains. |
Simon Kelley | 33820b7 | 2004-04-03 21:10:00 +0100 | [diff] [blame] | 183 | |
| 184 | Q: I'm running Debian, and my machines get an address fine with DHCP, |
| 185 | but their names are not appearing in the DNS. |
| 186 | |
| 187 | A: By default, none of the DHCP clients send the host-name when asking |
| 188 | for a lease. For most of the clients, you can set the host-name to |
| 189 | send with the "hostname" keyword in /etc/network/interfaces. (See |
| 190 | "man interfaces" for details.) That doesn't work for dhclient, were |
| 191 | you have to add something like "send host-name daisy" to |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 192 | /etc/dhclient.conf [Update: the lastest dhcpcd packages _do_ send |
| 193 | the hostname by default. |
Simon Kelley | 33820b7 | 2004-04-03 21:10:00 +0100 | [diff] [blame] | 194 | |
| 195 | Q: I'm network booting my machines, and trying to give them static |
| 196 | DHCP-assigned addresses. The machine gets its correct address |
| 197 | whilst booting, but then the OS starts and it seems to get |
| 198 | allocated a different address. |
| 199 | |
| 200 | A: What is happening is this: The boot process sends a DHCP |
| 201 | request and gets allocated the static address corresponding to its |
| 202 | MAC address. The boot loader does not send a client-id. Then the OS |
| 203 | starts and repeats the DHCP process, but it it does send a |
| 204 | client-id. Dnsmasq cannot assume that the two requests are from the |
| 205 | same machine (since the client ID's don't match) and even though |
| 206 | the MAC address has a static allocation, that address is still in |
| 207 | use by the first incarnation of the machine (the one from the boot, |
| 208 | without a client ID.) dnsmasq therefore has to give the machine a |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 209 | dynamic address from its pool. There are three ways to solve this: |
Simon Kelley | 33820b7 | 2004-04-03 21:10:00 +0100 | [diff] [blame] | 210 | (1) persuade your DHCP client not to send a client ID, or (2) set up |
| 211 | the static assignment to the client ID, not the MAC address. The |
| 212 | default client-id will be 01:<MAC address>, so change the dhcp-host |
| 213 | line from "dhcp-host=11:22:33:44:55:66,1.2.3.4" to |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 214 | "dhcp-host=id:01:11:22:33:44:55:66,1.2.3.4" or (3) tell dnsmasq to |
| 215 | ignore client IDs for a particular MAC address, like this: |
| 216 | dhcp-host=11:22:33:44:55:66,id:* |
Simon Kelley | 33820b7 | 2004-04-03 21:10:00 +0100 | [diff] [blame] | 217 | |
| 218 | Q: What network types are supported by the DHCP server? |
Simon Kelley | 1ab84e2 | 2004-01-29 16:48:35 +0000 | [diff] [blame] | 219 | |
Simon Kelley | 33820b7 | 2004-04-03 21:10:00 +0100 | [diff] [blame] | 220 | A: Ethernet (and 802.11 wireless) are supported on all platforms. On |
| 221 | Linux Token Ring is also supported. |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 222 | |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 223 | Q: What is this strange "bind-interface" option? |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 224 | |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 225 | A: The DNS spec says that the reply to a DNS query must come from the |
| 226 | same address it was sent to. The traditional way to write an UDP |
| 227 | server to do this is to find all of the addresses belonging to the |
| 228 | machine (ie all the interfaces on the machine) and then create a |
| 229 | socket for each interface which is bound to the address of the |
| 230 | interface. Then when a packet is sent to address A, it is received |
| 231 | on the socket bound to address A and when the reply is also sent |
| 232 | via that socket, the source address is set to A by the kernel and |
| 233 | everything works. This is the how dnsmasq works when |
| 234 | "bind-interfaces" is set, with the obvious extension that is misses |
| 235 | out creating sockets for some interfaces depending on the |
| 236 | --interface, --address and --except-interface flags. The |
| 237 | disadvantage of this approach is that it breaks if interfaces don't |
| 238 | exist or are not configured when the daemon starts and does the |
| 239 | socket creation step. In a hotplug-aware world this is a real |
| 240 | problem. |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 241 | |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 242 | The alternative approach is to have only one socket, which is bound |
| 243 | to the correct port and the wildcard IP address (0.0.0.0). That |
| 244 | socket will receive _all_ packets sent to port 53, no matter what |
| 245 | destination address they have. This solves the problem of |
| 246 | interfaces which are created or reconfigured after daemon |
| 247 | start-up. To make this work is more complicated because of the |
| 248 | "reply source address" problem. When a UDP packet is sent by a |
| 249 | socket bound to 0.0.0.0 its source address will be set to the |
| 250 | address of one of the machine's interfaces, but which one is not |
| 251 | determined and can vary depending on the OS being run. To get round |
| 252 | this it is neccessary to use a scary advanced API to determine the |
| 253 | address to which a query was sent, and force that to be the source |
| 254 | address in the reply. For IPv4 this stuff in non-portable and quite |
| 255 | often not even available (It's different between FreeBSD 5.x and |
| 256 | Linux, for instance, and FreeBSD 4.x, Linux 2.0.x and OpenBSD don't |
| 257 | have it at all.) Hence "bind-interfaces" has to always be available |
| 258 | as a fall back. For IPv6 the API is standard and universally |
| 259 | available. |
| 260 | |
| 261 | It could be argued that if the --interface or --address flags are |
| 262 | used then binding interfaces is more appropriate, but using |
| 263 | wildcard binding means that dnsmasq will quite happily start up |
| 264 | after being told to use interfaces which don't exist, but which are |
| 265 | created later. Wildcard binding breaks the scenario when dnsmasq is |
| 266 | listening on one interface and another server (most probably BIND) |
| 267 | is listening on another. It's not possible for BIND to bind to an |
| 268 | (address,port) pair when dnsmasq has bound (wildcard,port), hence |
| 269 | the ability to explicitly turn off wildcard binding. |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 270 | |
Simon Kelley | c1bb850 | 2004-08-11 18:40:17 +0100 | [diff] [blame] | 271 | Q: Why doesn't Kerberos work/why can't I get sensible answers to |
| 272 | queries for SRV records. |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 273 | |
Simon Kelley | c1bb850 | 2004-08-11 18:40:17 +0100 | [diff] [blame] | 274 | A: Probably because you have the "filterwin2k" option set. Note that |
| 275 | it was on by default in example configuration files included in |
| 276 | versions before 2.12, so you might have it set on without |
| 277 | realising. |
| 278 | |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 279 | Q: Can I get email notification when a new version of dnsmasq is |
| 280 | released? |
| 281 | |
| 282 | A: Yes, new releases of dnsmasq are always announced through |
| 283 | freshmeat.net, and they allow you to subcribe to email alerts when |
| 284 | new versions of particular projects are released. |
| 285 | |
Simon Kelley | fd9fa48 | 2004-10-21 20:24:00 +0100 | [diff] [blame] | 286 | Q: What does the dhcp-authoritative option do? |
| 287 | |
| 288 | A: See http://www.isc.org/index.pl?/sw/dhcp/authoritative.php - that's |
| 289 | for the ISC daemon, but the same applies to dnsmasq. |
| 290 | |
| 291 | Q: Why does my Gentoo box pause for a minute before getting a new |
| 292 | lease? |
| 293 | |
| 294 | A: Because when a Gentoo box shuts down, it releases its lease with |
| 295 | the server but remembers it on the client; this seems to be a |
| 296 | Gentoo-specific patch to dhcpcd. On restart it tries to renew |
| 297 | a lease which is long gone, as far as dnsmasq is concerned, and |
| 298 | dnsmasq ignores it until is times out and restarts the process. |
| 299 | To fix this, set the dhcp-authoritative flag in dnsmasq. |
| 300 | |
Simon Kelley | bb01cb9 | 2004-12-13 20:56:23 +0000 | [diff] [blame] | 301 | Q: My laptop has two network interfaces, a wired one and a wireless |
| 302 | one. I never use both interfaces at the same time, and I'd like the |
| 303 | same IP and configuration to be used irrespcetive of which |
| 304 | interface is in use. How can I do that. |
Simon Kelley | fd9fa48 | 2004-10-21 20:24:00 +0100 | [diff] [blame] | 305 | |
Simon Kelley | bb01cb9 | 2004-12-13 20:56:23 +0000 | [diff] [blame] | 306 | A: By default, the identity of a machine is determined by using the |
| 307 | MAC address, which is associated with interface hardware. Once an |
| 308 | IP is bound to the MAC address of one interface, it cannot be |
| 309 | associated with another MAC address until after the DHCP lease |
| 310 | expires. The solution to this is to use a client-id as the machine |
| 311 | identity rather than the MAC address. If you arrange for the same |
| 312 | client-id to sent when either interface is in use, the DHCP server |
| 313 | will recognise the same machine, and use the same address. The |
| 314 | method for setting the client-id varies with DHCP client software, |
| 315 | dhcpcd uses the "-I" flag. Windows uses a registry setting, |
| 316 | see http://www.jsiinc.com/SUBF/TIP2800/rh2845.htm |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 317 | |
Simon Kelley | 0a85254 | 2005-03-23 20:28:59 +0000 | [diff] [blame] | 318 | Q: Can dnsmasq do DHCP on IP-alias interfaces? |
| 319 | |
| 320 | A: Yes, from version-2.21. The support is only available running under |
| 321 | Linux, on a kernel which provides the RT-netlink facility. All 2.4 |
| 322 | and 2.6 kernels provide RT-netlink and it's an option in 2.2 |
| 323 | kernels. If dnsmasq is built under uclibc, even on Linux, then |
| 324 | the support is not included. |
| 325 | |
| 326 | If a physical interface has more than one IP address or aliases |
| 327 | with extra IP addresses, then any dhcp-ranges corresponding to |
| 328 | these addresses can be used for address allocation. So is and |
| 329 | interface has addresses 192.168.1.0/24 and 192.68.2.0/24 and there |
| 330 | are DHCP ranges 192.168.1.100-192.168.1.200 and |
| 331 | 192.168.2.100-192.168.2.200 then both ranges would be used for host |
| 332 | connected to the physical interface. A more typical use might be to |
| 333 | have one of the address-ranges as static-only, and have known |
| 334 | hosts allocated addresses on that subnet using dhcp-host options, |
| 335 | while anonymous hosts go on the other. |
| 336 | |
| 337 | |
| 338 | |
| 339 | |
| 340 | |
| 341 | |
| 342 | |
Simon Kelley | c1bb850 | 2004-08-11 18:40:17 +0100 | [diff] [blame] | 343 | |
| 344 | |