Q: Why does dnsmasq open UDP ports >1024 as well as port 53?
   Is this a security problem/trojan/backdoor?

A: The high ports that dnsmasq opens are for replies from the upstream
   nameserver(s). Queries from dnsmasq to upstream nameservers are sent
   from these ports and replies received to them. The reason for doing this is
   that most firewall setups block incoming packets _to_ port 53, in order
   to stop DNS queries from the outside world. If dnsmasq sent its queries
   from port 53 the replies would be _to_ port 53 and get blocked.

   This is not a security hole since dnsmasq will only accept replies to that
   port: queries are dropped. The replies must be to outstanding queries
   which dnsmasq has forwarded, otherwise they are dropped too.

   Addendum: dnsmasq now has the option "query-port" (-Q), which allows
   you to specify the UDP port to be used for this purpose. If not
   specified, the operating system will select an available port number
   just as it did before.

Q: Why doesn't dnsmasq support DNS queries over TCP? Don't the RFCs specify
   that?

A: Update: from version 2.10, it does. There are a few limitations:
   data obtained via TCP is not cached, and source-address
   or query-port specifications are ignored for TCP.

Q: When I send SIGUSR1 to dump the contents of the cache, some entries have
   no IP address and are for names like mymachine.mydomain.com.mydomain.com.
   What are these?

A: They are negative entries: that's what the N flag means. Dnsmasq asked
   an upstream nameserver to resolve that address and it replied "doesn't
   exist, and won't exist for <n> hours" so dnsmasq saved that information so
   that if _it_ gets asked the same question it can answer directly without
   having to go back to the upstream server again. The strange repeated domains
   result from the way resolvers search short names. See "man resolv.conf" for
   details.

Q: Will dnsmasq compile/run on non-Linux systems?

A: Yes, there is explicit support for *BSD and Solaris.
   For other systems, try altering the settings in config.h.

A: Update for V2. Doing DHCP is rather non-portable, so there may be
   a few teething troubles. The initial 2.0 release is known to work
   on Linux 2.2.x, Linux 2.4.x and Linux 2.6.x with uclibc and glibc
   2.3. It also works on FreeBSD 4.8. The crucial problem is sending
   raw packets, bypassing the IP stack. Dnsmasq contains code to do
   this using PF_PACKET sockets (which is for Linux) and the Berkeley packet
   filter (which works with BSD). If you are trying to port to another
   Un*x, bpf is the most likely candidate. See config.h

Q: My company's nameserver knows about some names which aren't in the
   public DNS. Even though I put it first in /etc/resolv.conf, it
   doesn't work: dnsmasq seems not to use the nameservers in the order
   given. What am I doing wrong?

A: By default, dnsmasq treats all the nameservers it knows about as
   equal: it picks the one to use using an algorithm designed to avoid
   nameservers which aren't responding. To make dnsmasq use the
   servers in order, give it the -o flag. If you want some queries
   sent to a special server, think about using the -S flag to give the
   IP address of that server, and telling dnsmasq exactly which
   domains to use the server for.

Q: OK, I've got queries to a private nameserver working, now how about
   reverse queries for a range of IP addresses?

A: Use the standard DNS convention of <reversed address>.in-addr.arpa.
   For instance to send reverse queries on the range 192.168.0.0 to
   192.168.0.255 to a nameserver at 10.0.0.1 do
   server=/0.168.192.in-addr.arpa/10.0.0.1
   Note that the "bogus-priv" option takes priority over this option,
   so the above will not work when the bogus-priv option is set.

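   The helper below, added here and not part of dnsmasq, builds the
   server= line(s) above for any IPv4 range; it goes beyond the /24 case
   in the answer by splitting a prefix that is not octet-aligned into the
   octet-aligned reverse zones that cover it. The CIDR and upstream
   address are the caller's assumptions.

```python
import ipaddress

# Added helper (not dnsmasq code): server= lines for reverse lookups of a
# range.  in-addr.arpa delegations are cut on octet boundaries, so a prefix
# that is not a multiple of 8 bits needs several zones, one line each.

def reverse_zone(network):
    """'192.168.0.0/24' -> '0.168.192.in-addr.arpa' (octet-aligned prefixes only)."""
    net = ipaddress.IPv4Network(network, strict=False)
    if net.prefixlen % 8 or net.prefixlen == 0:
        raise ValueError("reverse zones exist only on octet boundaries")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def reverse_server_lines(cidr, upstream):
    """dnsmasq server= lines sending PTR queries for every address in cidr
    to upstream.  Remember the FAQ's caveat: with bogus-priv set these lines
    have no effect for RFC 1918 ranges such as 192.168.0.0/24."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    zone_prefix = max(8, -(-net.prefixlen // 8) * 8)   # round up to whole octets
    return [f"server=/{reverse_zone(str(sub))}/{upstream}"
            for sub in net.subnets(new_prefix=zone_prefix)]
```
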
Q: Dnsmasq fails to start with an error like this: "dnsmasq: bind
   failed: Cannot assign requested address". What's the problem?

A: This has been seen when a system is bringing up a PPP interface at
   boot time: by the time dnsmasq starts the interface has been
   created, but not brought up and assigned an address. The easiest
   solution is to use --interface flags to specify which interfaces
   dnsmasq should listen on. Since you are unlikely to want dnsmasq to
   listen on a PPP interface and offer DNS service to the world, the
   problem is solved.

Q: I'm running on BSD and dnsmasq won't accept long options on the
   command line.

A: Dnsmasq when built on BSD systems doesn't use GNU getopt by
   default. You can either just use the single-letter options or
   change config.h and the Makefile to use getopt-long. Note that
   options in /etc/dnsmasq.conf must always be the long form,
   on all platforms.

Q: Names on the internet are working fine, but looking up local names
   from /etc/hosts or DHCP doesn't seem to work.

A: Resolver code sometimes does strange things when given names without
   any dots in. Win2k and WinXP may not use the DNS at all and just
   try and look up the name using WINS. On unix look at "options ndots:"
   in "man resolv.conf" for details on this topic. Testing lookups
   using "nslookup" or "dig" will work, but then attempting to run
   "ping" will get a lookup failure; appending a dot to the end of the
   hostname will fix things. (ie "ping myhost" fails, but "ping
   myhost." works.) The solution is to make sure that all your hosts
   have a domain set ("domain" in resolv.conf, the network applet in
   windows, or set a domain in your DHCP server). Any domain will do,
   but "localnet" is traditional. Now when you resolve "myhost" the
   resolver will attempt to look up "myhost.localnet" so you need to
   have dnsmasq reply to that name. The way to do that is to include
   the domain in each name in /etc/hosts and/or to use the
   --expand-hosts and --domain options.

Q: Can I get dnsmasq to save the contents of its cache to disk when
   I shut my machine down and re-load it when it starts again?

A: No, that facility is not provided. Very few names in the DNS have
   their time-to-live set for longer than a few hours so most of the
   cache entries would have expired after a shutdown. For longer-lived
   names it's much cheaper to just reload them from the upstream
   server. Note that dnsmasq is not shut down between PPP sessions so
   going off-line and then on-line again will not lose the contents of
   the cache.

Q: Who are Verisign, what do they have to do with the bogus-nxdomain
   option in dnsmasq and why should I worry about it?

A: [note: this was written in September 2003, things may well change.]
   Verisign run the .com and .net top-level-domains. They have just
   changed the configuration of their servers so that unknown .com and
   .net domains, instead of returning an error code NXDOMAIN (no such
   domain), return the address of a host at Verisign which runs a web
   server showing a search page. Most right-thinking people regard
   this new behaviour as broken :-). You can test to see if you are
   suffering Verisign brokenness by running a command like

   host jlsdajkdalld.com

   If you get "jlsdajkdalld.com does not exist", then all is fine; if
   host returns an IP address, then the DNS is broken. (Try a few
   different unlikely domains, just in case you picked a weird one
   which really _is_ registered.)

   Assuming that your DNS is broken, and you want to fix it, simply
   note the IP address being returned and pass it to dnsmasq using the
   --bogus-nxdomain flag. Dnsmasq will check for results returning
   that address and substitute an NXDOMAIN instead.

   As of writing, the IP address in question for the .com and .net
   domains is 64.94.110.11. Various other, less prominent,
   registries pull the same stunt; there is a list of them all, and
   the addresses to block, at http://winware.org/bogus-domains.txt

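   The first answer in this FAQ (replies on the high ports are used
   only if they match an outstanding forwarded query) and the
   bogus-nxdomain answer above both describe checks applied to an
   upstream reply. The following constructed model, added here and not
   dnsmasq's own code, applies both to hand-built DNS messages; the
   port numbers, transaction IDs and addresses are made-up sample
   values, and 64.94.110.11 is the address quoted in the answer above.

```python
import struct, ipaddress

# Constructed model, added here and not dnsmasq's own code, of two rules from
# this FAQ: a reply arriving on a high port is used only if it matches a query
# forwarded from that port, and a reply carrying a bogus-nxdomain address is
# rewritten to NXDOMAIN (RCODE 3) before it goes anywhere.
def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    while True:                                     # offset just past a wire-format name
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                        # 2-byte compression pointer ends it
            return off + 2
        off += n + 1

def build_query(txid, name, qtype=1):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_reply(query, ip, ttl=300):
    # Constructed upstream answer: one A record for the question name.
    hdr = bytearray(query[:12])
    hdr[2] |= 0x80                                  # QR=1: this is a response
    struct.pack_into("!H", hdr, 6, 1)               # ANCOUNT=1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return bytes(hdr) + query[12:] + rr

class Forwarder:
    def __init__(self, bogus_nxdomain=()):
        self.bogus = {ipaddress.IPv4Address(a) for a in bogus_nxdomain}
        self.outstanding = {}                       # (source port, txid) -> question

    def send_query(self, port, query):
        self.outstanding[(port, query[:2])] = query[12:]

    def receive(self, port, reply):
        # Returns the reply to pass on, or None when it must be dropped.
        flags, _, ancount = struct.unpack("!HHH", reply[2:8])
        if not flags & 0x8000:
            return None                             # a query sent to the reply port
        qend = skip_name(reply, 12) + 4             # question name + qtype + qclass
        key = (port, reply[:2])
        if self.outstanding.get(key) != reply[12:qend]:
            return None                             # no matching outstanding query
        del self.outstanding[key]                   # one answer per query
        off = qend
        for _ in range(ancount):
            off = skip_name(reply, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
            off += 10
            if rtype == 1 and ipaddress.IPv4Address(reply[off:off + 4]) in self.bogus:
                hdr = bytearray(reply[:12])
                hdr[3] = (hdr[3] & 0xF0) | 3        # RCODE 3 = NXDOMAIN
                struct.pack_into("!HHH", hdr, 6, 0, 0, 0)   # drop every RR section
                return bytes(hdr) + reply[12:qend]
            off += rdlen
        return reply
```
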
Q: This new DHCP server is well and good, but it doesn't work for me.
   What's the problem?

A: There are a couple of configuration gotchas which have been
   encountered by people moving from the ISC dhcpd to the dnsmasq
   integrated DHCP daemon. Both are related to differences in
   the way the two daemons bypass the IP stack to do "ground up"
   IP configuration and can lead to the dnsmasq daemon failing
   whilst the ISC one works.

   The first thing to check is the broadcast address set for the
   ethernet interface. This is normally the address on the connected
   network with all ones in the host part. For instance if the
   address of the ethernet interface is 192.168.55.7 and the netmask
   is 255.255.255.0 then the broadcast address should be
   192.168.55.255. Having a broadcast address which is not on the
   network to which the interface is connected kills things stone
   dead.

   The second potential problem relates to firewall rules: since the ISC
   daemon in some configurations bypasses the kernel firewall rules
   entirely, the ability to run the ISC daemon does not indicate
   that the current configuration is OK for the dnsmasq daemon.
   For the dnsmasq daemon to operate it's vital that UDP packets to
   and from ports 67 and 68 and broadcast packets with source
   address 0.0.0.0 and destination address 255.255.255.255 are not
   dropped by iptables/ipchains.

Q: I'm running Debian, and my machines get an address fine with DHCP,
   but their names are not appearing in the DNS.

A: By default, none of the DHCP clients send the host-name when asking
   for a lease. For most of the clients, you can set the host-name to
   send with the "hostname" keyword in /etc/network/interfaces. (See
   "man interfaces" for details.) That doesn't work for dhclient, where
   you have to add something like "send host-name daisy" to
   /etc/dhclient.conf. [Update: the latest dhcpcd packages _do_ send
   the hostname by default.]

Q: I'm network booting my machines, and trying to give them static
   DHCP-assigned addresses. The machine gets its correct address
   whilst booting, but then the OS starts and it seems to get
   allocated a different address.

A: What is happening is this: The boot process sends a DHCP
   request and gets allocated the static address corresponding to its
   MAC address. The boot loader does not send a client-id. Then the OS
   starts and repeats the DHCP process, but it does send a
   client-id. Dnsmasq cannot assume that the two requests are from the
   same machine (since the client IDs don't match) and even though
   the MAC address has a static allocation, that address is still in
   use by the first incarnation of the machine (the one from the boot,
   without a client ID.) dnsmasq therefore has to give the machine a
   dynamic address from its pool. There are three ways to solve this:
   (1) persuade your DHCP client not to send a client ID, or (2) set up
   the static assignment to the client ID, not the MAC address. The
   default client-id will be 01:<MAC address>, so change the dhcp-host
   line from "dhcp-host=11:22:33:44:55:66,1.2.3.4" to
   "dhcp-host=id:01:11:22:33:44:55:66,1.2.3.4" or (3) tell dnsmasq to
   ignore client IDs for a particular MAC address, like this:
   dhcp-host=11:22:33:44:55:66,id:*

Q: What network types are supported by the DHCP server?

A: Ethernet (and 802.11 wireless) are supported on all platforms. On
   Linux Token Ring is also supported.

Q: What is this strange "bind-interfaces" option?

A: The DNS spec says that the reply to a DNS query must come from the
   same address it was sent to. The traditional way to write a UDP
   server to do this is to find all of the addresses belonging to the
   machine (ie all the interfaces on the machine) and then create a
   socket for each interface which is bound to the address of the
   interface. Then when a packet is sent to address A, it is received
   on the socket bound to address A and when the reply is also sent
   via that socket, the source address is set to A by the kernel and
   everything works. This is how dnsmasq works when
   "bind-interfaces" is set, with the obvious extension that it misses
   out creating sockets for some interfaces depending on the
   --interface, --address and --except-interface flags. The
   disadvantage of this approach is that it breaks if interfaces don't
   exist or are not configured when the daemon starts and does the
   socket creation step. In a hotplug-aware world this is a real
   problem.

   The alternative approach is to have only one socket, which is bound
   to the correct port and the wildcard IP address (0.0.0.0). That
   socket will receive _all_ packets sent to port 53, no matter what
   destination address they have. This solves the problem of
   interfaces which are created or reconfigured after daemon
   start-up. To make this work is more complicated because of the
   "reply source address" problem. When a UDP packet is sent by a
   socket bound to 0.0.0.0 its source address will be set to the
   address of one of the machine's interfaces, but which one is not
   determined and can vary depending on the OS being run. To get round
   this it is necessary to use a scary advanced API to determine the
   address to which a query was sent, and force that to be the source
   address in the reply. For IPv4 this stuff is non-portable and quite
   often not even available (It's different between FreeBSD 5.x and
   Linux, for instance, and FreeBSD 4.x, Linux 2.0.x and OpenBSD don't
   have it at all.) Hence "bind-interfaces" has to always be available
   as a fall back. For IPv6 the API is standard and universally
   available.

   It could be argued that if the --interface or --address flags are
   used then binding interfaces is more appropriate, but using
   wildcard binding means that dnsmasq will quite happily start up
   after being told to use interfaces which don't exist, but which are
   created later. Wildcard binding breaks the scenario when dnsmasq is
   listening on one interface and another server (most probably BIND)
   is listening on another. It's not possible for BIND to bind to an
   (address,port) pair when dnsmasq has bound (wildcard,port), hence
   the ability to explicitly turn off wildcard binding.

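   The conflict in the last paragraph can be reproduced without touching
   port 53. The script below is an added demonstration, not dnsmasq
   code: it binds a wildcard UDP socket on a kernel-chosen port, the way
   a daemon without bind-interfaces would, and then attempts the
   (address,port) bind a second server would make. It also tries the
   mirror case, which the answer does not spell out: a specific bind
   held first blocks a later wildcard bind on the same port.

```python
import errno
import socket

# Added demonstration (not dnsmasq code): once a UDP socket holds
# (0.0.0.0, port), a second bind to (specific address, port) fails with
# EADDRINUSE.  A kernel-chosen port on loopback keeps this unprivileged.

def bind_udp(address, port):
    """Return a bound UDP socket, or None if the (address, port) pair is taken."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((address, port))
        return sock
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            return None
        raise

def specific_bind_succeeds_after_wildcard():
    """Wildcard first (a daemon without bind-interfaces), then a second server
    trying (127.0.0.1, same port).  Returns whether the second bind worked."""
    wildcard = bind_udp("0.0.0.0", 0)              # port 0: let the kernel pick
    port = wildcard.getsockname()[1]
    specific = bind_udp("127.0.0.1", port)
    try:
        return specific is not None
    finally:
        wildcard.close()
        if specific is not None:
            specific.close()

def wildcard_bind_succeeds_after_specific():
    """Mirror case: (127.0.0.1, port) held first, then a wildcard bind on
    the same port by a daemon that does not use bind-interfaces."""
    specific = bind_udp("127.0.0.1", 0)
    port = specific.getsockname()[1]
    wildcard = bind_udp("0.0.0.0", port)
    try:
        return wildcard is not None
    finally:
        specific.close()
        if wildcard is not None:
            wildcard.close()
```

   Both functions return False on Linux and the BSDs, which is exactly
   the situation bind-interfaces exists to avoid.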
Q: Why doesn't Kerberos work/why can't I get sensible answers to
   queries for SRV records?

A: Probably because you have the "filterwin2k" option set. Note that
   it was on by default in example configuration files included in
   versions before 2.12, so you might have it set on without
   realising.

Q: Can I get email notification when a new version of dnsmasq is
   released?

A: Yes, new releases of dnsmasq are always announced through
   freshmeat.net, and they allow you to subscribe to email alerts when
   new versions of particular projects are released.

Q: What does the dhcp-authoritative option do?

A: See http://www.isc.org/index.pl?/sw/dhcp/authoritative.php - that's
   for the ISC daemon, but the same applies to dnsmasq.

Q: Why does my Gentoo box pause for a minute before getting a new
   lease?

A: Because when a Gentoo box shuts down, it releases its lease with
   the server but remembers it on the client; this seems to be a
   Gentoo-specific patch to dhcpcd. On restart it tries to renew
   a lease which is long gone, as far as dnsmasq is concerned, and
   dnsmasq ignores it until it times out and restarts the process.
   To fix this, set the dhcp-authoritative flag in dnsmasq.

Q: My laptop has two network interfaces, a wired one and a wireless
   one. I never use both interfaces at the same time, and I'd like the
   same IP and configuration to be used irrespective of which
   interface is in use. How can I do that?

A: By default, the identity of a machine is determined by using the
   MAC address, which is associated with interface hardware. Once an
   IP is bound to the MAC address of one interface, it cannot be
   associated with another MAC address until after the DHCP lease
   expires. The solution to this is to use a client-id as the machine
   identity rather than the MAC address. If you arrange for the same
   client-id to be sent when either interface is in use, the DHCP server
   will recognise the same machine, and use the same address. The
   method for setting the client-id varies with DHCP client software;
   dhcpcd uses the "-I" flag. Windows uses a registry setting,
   see http://www.jsiinc.com/SUBF/TIP2800/rh2845.htm

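   The network-boot answer and the laptop answer above both turn on the
   same rule: a client that sends a client-id is identified by it,
   otherwise by its MAC address, and an address held by one identity is
   not handed to another. The following is a constructed model of that
   rule, added here and not dnsmasq's own code, which replays the boot
   loader/OS sequence under each of the three dhcp-host fixes and the
   two-interface laptop case; the MAC addresses, pool and dhcp-host
   lines are sample values.

```python
# Constructed model (not dnsmasq's code) of the identity rule behind the
# netboot and laptop questions: a client that sends a client-id is
# identified by it, otherwise by its MAC address, and a static address
# cannot be handed to a second identity while the first still holds it.

def parse_dhcp_host(line):
    """'dhcp-host=<mac or id:...>,<address or id:*>' -> (key, value)."""
    key, value = line.split("=", 1)[1].split(",", 1)
    return key.strip(), value.strip()

class LeaseServer:
    def __init__(self, dhcp_host_lines, pool):
        self.static = {}           # MAC or 'id:...' -> reserved address
        self.ignore_id = set()     # MACs listed with id:* (option 3 in the FAQ)
        for key, value in map(parse_dhcp_host, dhcp_host_lines):
            if value == "id:*":
                self.ignore_id.add(key)
            else:
                self.static[key] = value
        self.pool = list(pool)     # dynamic addresses, handed out in order
        self.leases = {}           # identity -> address

    def identity(self, mac, client_id):
        if client_id is None or mac in self.ignore_id:
            return "mac:" + mac
        return "id:" + client_id

    def request(self, mac, client_id=None):
        who = self.identity(mac, client_id)
        if who in self.leases:
            return self.leases[who]                 # same identity: same lease
        in_use = set(self.leases.values())
        # dhcp-host entries may be keyed by MAC or by client-id; either may match,
        # but a reserved address already held by another identity is skipped.
        for key in [mac] + (["id:" + client_id] if client_id else []):
            addr = self.static.get(key)
            if addr and addr not in in_use:
                self.leases[who] = addr
                return addr
        self.leases[who] = self.pool.pop(0)         # fall back to the dynamic pool
        return self.leases[who]

def boot_then_os(server, mac):
    """Addresses seen by the boot loader (no client-id) and then by the OS
    (default client-id 01:<MAC>) on the same machine."""
    return server.request(mac), server.request(mac, "01:" + mac)
```
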
Q: Can dnsmasq do DHCP on IP-alias interfaces?

A: Yes, from version 2.21. The support is only available running under
   Linux, on a kernel which provides the RT-netlink facility. All 2.4
   and 2.6 kernels provide RT-netlink and it's an option in 2.2
   kernels. If dnsmasq is built under uclibc, even on Linux, then
   the support is not included.

   If a physical interface has more than one IP address or aliases
   with extra IP addresses, then any dhcp-ranges corresponding to
   these addresses can be used for address allocation. So if an
   interface has addresses 192.168.1.0/24 and 192.168.2.0/24 and there
   are DHCP ranges 192.168.1.100-192.168.1.200 and
   192.168.2.100-192.168.2.200 then both ranges would be used for hosts
   connected to the physical interface. A more typical use might be to
   have one of the address-ranges as static-only, and have known
   hosts allocated addresses on that subnet using dhcp-host options,
   while anonymous hosts go on the other.