blob: 567ad2c4eb08d1f222d53ce6f5989f518d04f222 [file] [log] [blame]
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001Q: Why does dnsmasq open UDP ports >1024 as well as port 53.
2 Is this a security problem/trojan/backdoor?
3
Simon Kelley824af852008-02-12 20:43:05 +00004A: The high ports that dnsmasq opens are for replies from the upstream
Simon Kelley9e4abcb2004-01-22 19:47:41 +00005 nameserver(s). Queries from dnsmasq to upstream nameservers are sent
6 from these ports and replies received to them. The reason for doing this is
7 that most firewall setups block incoming packets _to_ port 53, in order
8 to stop DNS queries from the outside world. If dnsmasq sent its queries
9 from port 53 the replies would be _to_ port 53 and get blocked.
10
11 This is not a security hole since dnsmasq will only accept replies to that
12 port: queries are dropped. The replies must be to oustanding queries
13 which dnsmasq has forwarded, otherwise they are dropped too.
14
15 Addendum: dnsmasq now has the option "query-port" (-Q), which allows
16 you to specify the UDP port to be used for this purpose. If not
17 specified, the operating system will select an available port number
18 just as it did before.
Simon Kelley9009d742008-11-14 20:04:27 +000019
20 Second addendum: following the discovery of a security flaw in the
21 DNS protocol, dnsmasq from version 2.43 has changed behavior. It
22 now uses a new, randomly selected, port for each query. The old
23 default behaviour (use one port allocated by the OS) is available by
24 setting --query-port=0, and setting the query port to a positive
Simon Kelley3931a7b2013-04-15 14:31:52 +010025 value still works. You should think hard and know what you are
Simon Kelley9009d742008-11-14 20:04:27 +000026 doing before using either of these options.
Simon Kelley9e4abcb2004-01-22 19:47:41 +000027
28Q: Why doesn't dnsmasq support DNS queries over TCP? Don't the RFC's specify
29 that?
30
Simon Kelleyfeba5c12004-07-27 20:28:58 +010031A: Update: from version 2.10, it does. There are a few limitations:
Simon Kelley0a852542005-03-23 20:28:59 +000032 data obtained via TCP is not cached, and source-address
Simon Kelleyfeba5c12004-07-27 20:28:58 +010033 or query-port specifications are ignored for TCP.
Simon Kelley9e4abcb2004-01-22 19:47:41 +000034
35Q: When I send SIGUSR1 to dump the contents of the cache, some entries have
36 no IP address and are for names like mymachine.mydomain.com.mydomain.com.
37 What are these?
38
39A: They are negative entries: that's what the N flag means. Dnsmasq asked
40 an upstream nameserver to resolve that address and it replied "doesn't
41 exist, and won't exist for <n> hours" so dnsmasq saved that information so
42 that if _it_ gets asked the same question it can answer directly without
43 having to go back to the upstream server again. The strange repeated domains
44 result from the way resolvers search short names. See "man resolv.conf" for
45 details.
46
47
48Q: Will dnsmasq compile/run on non-Linux systems?
49
Simon Kelley824af852008-02-12 20:43:05 +000050A: Yes, there is explicit support for *BSD and MacOS X and Solaris.
51 There are start-up scripts for MacOS X Tiger and Panther
52 in /contrib. Dnsmasq will link with uclibc to provide small
Simon Kelley3d8df262005-08-29 12:19:27 +010053 binaries suitable for use in embedded systems such as
54 routers. (There's special code to support machines with flash
55 filesystems and no battery-backed RTC.)
Simon Kelley208b65c2006-08-05 21:41:37 +010056 If you encounter make errors with *BSD, try installing gmake from
57 ports and building dnsmasq with "make MAKE=gmake"
Simon Kelley9e4abcb2004-01-22 19:47:41 +000058 For other systems, try altering the settings in config.h.
Simon Kelley3d8df262005-08-29 12:19:27 +010059
Simon Kelley824af852008-02-12 20:43:05 +000060Q: My company's nameserver knows about some names which aren't in the
Simon Kelley9e4abcb2004-01-22 19:47:41 +000061 public DNS. Even though I put it first in /etc/resolv.conf, it
Josh Soref730c6742017-02-06 16:14:04 +000062 doesn't work: dnsmasq seems not to use the nameservers in the order
Simon Kelley9e4abcb2004-01-22 19:47:41 +000063 given. What am I doing wrong?
64
65A: By default, dnsmasq treats all the nameservers it knows about as
66 equal: it picks the one to use using an algorithm designed to avoid
67 nameservers which aren't responding. To make dnsmasq use the
68 servers in order, give it the -o flag. If you want some queries
69 sent to a special server, think about using the -S flag to give the
70 IP address of that server, and telling dnsmasq exactly which
71 domains to use the server for.
72
73Q: OK, I've got queries to a private nameserver working, now how about
74 reverse queries for a range of IP addresses?
75
76A: Use the standard DNS convention of <reversed address>.in-addr.arpa.
77 For instance to send reverse queries on the range 192.168.0.0 to
78 192.168.0.255 to a nameserver at 10.0.0.1 do
79 server=/0.168.192.in-addr.arpa/10.0.0.1
Simon Kelleyfeba5c12004-07-27 20:28:58 +010080 Note that the "bogus-priv" option take priority over this option,
81 so the above will not work when the bogus-priv option is set.
Simon Kelley9e4abcb2004-01-22 19:47:41 +000082
83Q: Dnsmasq fails to start with an error like this: "dnsmasq: bind
84 failed: Cannot assign requested address". What's the problem?
85
86A: This has been seen when a system is bringing up a PPP interface at
87 boot time: by the time dnsmasq start the interface has been
88 created, but not brought up and assigned an address. The easiest
89 solution is to use --interface flags to specify which interfaces
90 dnsmasq should listen on. Since you are unlikely to want dnsmasq to
91 listen on a PPP interface and offer DNS service to the world, the
92 problem is solved.
93
94Q: I'm running on BSD and dnsmasq won't accept long options on the
95 command line.
96
Simon Kelley3d8df262005-08-29 12:19:27 +010097A: Dnsmasq when built on some BSD systems doesn't use GNU getopt by
Simon Kelley9e4abcb2004-01-22 19:47:41 +000098 default. You can either just use the single-letter options or
99 change config.h and the Makefile to use getopt-long. Note that
100 options in /etc/dnsmasq.conf must always be the long form,
101 on all platforms.
102
103Q: Names on the internet are working fine, but looking up local names
104 from /etc/hosts or DHCP doesn't seem to work.
105
106A: Resolver code sometime does strange things when given names without
107 any dots in. Win2k and WinXP may not use the DNS at all and just
108 try and look up the name using WINS. On unix look at "options ndots:"
109 in "man resolv.conf" for details on this topic. Testing lookups
110 using "nslookup" or "dig" will work, but then attempting to run
111 "ping" will get a lookup failure, appending a dot to the end of the
112 hostname will fix things. (ie "ping myhost" fails, but "ping
113 myhost." works. The solution is to make sure that all your hosts
Simon Kelley3d8df262005-08-29 12:19:27 +0100114 have a domain set ("domain" in resolv.conf, or set a domain in
Simon Kelley3931a7b2013-04-15 14:31:52 +0100115 your DHCP server, see below for Windows XP and Mac OS X).
Simon Kelley3d8df262005-08-29 12:19:27 +0100116 Any domain will do, but "localnet" is traditional. Now when you
117 resolve "myhost" the resolver will attempt to look up
118 "myhost.localnet" so you need to have dnsmasq reply to that name.
119 The way to do that is to include the domain in each name on
120 /etc/hosts and/or to use the --expand-hosts and --domain options.
121
122Q: How do I set the DNS domain in Windows XP or MacOS X (ref: previous
123 question)?
124
125A: for XP, Control Panel > Network Connections > { Connection to gateway /
126 DNS } > Properties > { Highlight TCP/IP } > Properties > Advanced >
127 DNS Tab > DNS suffix for this connection:
128
129A: for OS X, System Preferences > Network > {Connection to gateway / DNS } >
130 Search domains:
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000131
132Q: Can I get dnsmasq to save the contents of its cache to disk when
Simon Kelleybb01cb92004-12-13 20:56:23 +0000133 I shut my machine down and re-load when it starts again?
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000134
135A: No, that facility is not provided. Very few names in the DNS have
136 their time-to-live set for longer than a few hours so most of the
137 cache entries would have expired after a shutdown. For longer-lived
138 names it's much cheaper to just reload them from the upstream
139 server. Note that dnsmasq is not shut down between PPP sessions so
140 go off-line and then on-line again will not lose the contents of
141 the cache.
142
143Q: Who are Verisign, what do they have to do with the bogus-nxdomain
144 option in dnsmasq and why should I wory about it?
145
146A: [note: this was written in September 2003, things may well change.]
Josh Soref730c6742017-02-06 16:14:04 +0000147 Verisign run the .com and .net top-level-domains. They have just
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000148 changed the configuration of their servers so that unknown .com and
149 .net domains, instead of returning an error code NXDOMAIN, (no such
Josh Soref730c6742017-02-06 16:14:04 +0000150 domain) return the address of a host at Verisign which runs a web
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000151 server showing a search page. Most right-thinking people regard
152 this new behaviour as broken :-). You can test to see if you are
Josh Soref730c6742017-02-06 16:14:04 +0000153 suffering Verisign brokenness by run a command like
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000154
155 host jlsdajkdalld.com
156
157 If you get "jlsdajkdalld.com" does not exist, then all is fine, if
158 host returns an IP address, then the DNS is broken. (Try a few
klemens43517fc2017-02-19 15:53:37 +0000159 different unlikely domains, just in case you picked a weird one
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000160 which really _is_ registered.)
161
162 Assuming that your DNS is broken, and you want to fix it, simply
163 note the IP address being returned and pass it to dnsmasq using the
164 --bogus-nxdomain flag. Dnsmasq will check for results returning
165 that address and substitute an NXDOMAIN instead.
166
167 As of writing, the IP address in question for the .com and .net
168 domains is is 64.94.110.11. Various other, less prominent,
169 registries pull the same stunt; there is a list of them all, and
170 the addresses to block, at http://winware.org/bogus-domains.txt
171
Simon Kelley1ab84e22004-01-29 16:48:35 +0000172Q: This new DHCP server is well and good, but it doesn't work for me.
173 What's the problem?
174
175A: There are a couple of configuration gotchas which have been
176 encountered by people moving from the ISC dhcpd to the dnsmasq
177 integrated DHCP daemon. Both are related to differences in
178 in the way the two daemons bypass the IP stack to do "ground up"
179 IP configuration and can lead to the dnsmasq daemon failing
180 whilst the ISC one works.
181
182 The first thing to check is the broadcast address set for the
Josh Soref730c6742017-02-06 16:14:04 +0000183 ethernet interface. This is normally the address on the connected
Simon Kelley1ab84e22004-01-29 16:48:35 +0000184 network with all ones in the host part. For instance if the
185 address of the ethernet interface is 192.168.55.7 and the netmask
186 is 255.255.255.0 then the broadcast address should be
187 192.168.55.255. Having a broadcast address which is not on the
188 network to which the interface is connected kills things stone
189 dead.
190
191 The second potential problem relates to firewall rules: since the ISC
192 daemon in some configurations bypasses the kernel firewall rules
193 entirely, the ability to run the ISC daemon does not indicate
194 that the current configuration is OK for the dnsmasq daemon.
195 For the dnsmasq daemon to operate it's vital that UDP packets to
196 and from ports 67 and 68 and broadcast packets with source
197 address 0.0.0.0 and destination address 255.255.255.255 are not
198 dropped by iptables/ipchains.
Simon Kelley33820b72004-04-03 21:10:00 +0100199
200Q: I'm running Debian, and my machines get an address fine with DHCP,
201 but their names are not appearing in the DNS.
202
203A: By default, none of the DHCP clients send the host-name when asking
204 for a lease. For most of the clients, you can set the host-name to
205 send with the "hostname" keyword in /etc/network/interfaces. (See
206 "man interfaces" for details.) That doesn't work for dhclient, were
207 you have to add something like "send host-name daisy" to
Josh Soref730c6742017-02-06 16:14:04 +0000208 /etc/dhclient.conf [Update: the latest dhcpcd packages _do_ send
Simon Kelley3be34542004-09-11 19:12:13 +0100209 the hostname by default.
Simon Kelley33820b72004-04-03 21:10:00 +0100210
211Q: I'm network booting my machines, and trying to give them static
212 DHCP-assigned addresses. The machine gets its correct address
213 whilst booting, but then the OS starts and it seems to get
214 allocated a different address.
215
216A: What is happening is this: The boot process sends a DHCP
217 request and gets allocated the static address corresponding to its
218 MAC address. The boot loader does not send a client-id. Then the OS
219 starts and repeats the DHCP process, but it it does send a
220 client-id. Dnsmasq cannot assume that the two requests are from the
221 same machine (since the client ID's don't match) and even though
222 the MAC address has a static allocation, that address is still in
223 use by the first incarnation of the machine (the one from the boot,
224 without a client ID.) dnsmasq therefore has to give the machine a
Simon Kelleyde379512004-06-22 20:23:33 +0100225 dynamic address from its pool. There are three ways to solve this:
Simon Kelley33820b72004-04-03 21:10:00 +0100226 (1) persuade your DHCP client not to send a client ID, or (2) set up
227 the static assignment to the client ID, not the MAC address. The
228 default client-id will be 01:<MAC address>, so change the dhcp-host
229 line from "dhcp-host=11:22:33:44:55:66,1.2.3.4" to
Simon Kelleyde379512004-06-22 20:23:33 +0100230 "dhcp-host=id:01:11:22:33:44:55:66,1.2.3.4" or (3) tell dnsmasq to
231 ignore client IDs for a particular MAC address, like this:
232 dhcp-host=11:22:33:44:55:66,id:*
Simon Kelley33820b72004-04-03 21:10:00 +0100233
234Q: What network types are supported by the DHCP server?
Simon Kelley1ab84e22004-01-29 16:48:35 +0000235
Simon Kelley33820b72004-04-03 21:10:00 +0100236A: Ethernet (and 802.11 wireless) are supported on all platforms. On
Simon Kelley9e038942008-05-30 20:06:34 +0100237 Linux all network types (including FireWire) are supported.
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000238
Simon Kelley8223cb12012-07-29 20:21:57 +0100239Q: What are these strange "bind-interface" and "bind-dynamic" options?
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000240
Simon Kelley8223cb12012-07-29 20:21:57 +0100241A: Dnsmasq from v2.63 can operate in one of three different "networking
242 modes". This is unfortunate as it requires users configuring dnsmasq
Josh Soref730c6742017-02-06 16:14:04 +0000243 to take into account some rather bizarre constraints and select the
Simon Kelley8223cb12012-07-29 20:21:57 +0100244 mode which best fits the requirements of a particular installation.
245 The origin of these are deficiencies in the Unix networking
246 model and APIs and each mode has different advantages and
247 problems. Just to add to the confusion, not all modes are available on
248 all platforms (due the to lack of supporting network APIs).To further
249 add to the confusion, the rules for the DHCP subsystem on dnsmasq are
250 different to the rules for the DNS and TFTP subsystems.
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000251
Simon Kelley8223cb12012-07-29 20:21:57 +0100252 The three modes are "wildcard", "bind-interfaces" and "bind-dynamic".
Simon Kelleyde379512004-06-22 20:23:33 +0100253
Simon Kelley8223cb12012-07-29 20:21:57 +0100254 In "wildcard" mode, dnsmasq binds the wildcard IP address (0.0.0.0 or
Josh Soref730c6742017-02-06 16:14:04 +0000255 ::). This allows it to receive all the packets sent to the server on
Simon Kelley8223cb12012-07-29 20:21:57 +0100256 the relevant port. Access control (--interface, --except-interface,
257 --listen-address, etc) is implemented by dnsmasq: it queries the
Josh Soref730c6742017-02-06 16:14:04 +0000258 kernel to determine the interface on which a packet was received and
Simon Kelley8223cb12012-07-29 20:21:57 +0100259 the address to which it was sent, and applies the configured
260 rules. Wildcard mode is the default if neither of the other modes are
261 specified.
262
263 In "bind-interfaces" mode, dnsmasq runs through all the network
264 interfaces available when it starts, finds the set of IP addresses on
265 those interfaces, filters that set using the access control
266 configuration, and then binds the set of IP addresses. Only packets
267 sent to the allowed addresses are delivered by the kernel to dnsmasq.
268
269 In "bind-dynamic" mode, access control filtering is done both by
270 binding individual IP addresses, as for bind-interfaces, and by
271 inspecting individual packets on arrival as for wildcard mode. In
272 addition, dnsmasq notices when new interfaces appear or new addresses
273 appear on existing interfaces, and the resulting IP addresses are
274 bound automatically without having to restart dnsmasq.
275
276 The mode chosen has four different effects: co-existence with other
277 servers, semantics of --interface access control, effect of new
278 interfaces, and legality of --interface specifications for
Josh Soref730c6742017-02-06 16:14:04 +0000279 non-existent interfaces. We will deal with these in order.
Simon Kelley8223cb12012-07-29 20:21:57 +0100280
281 A dnsmasq instance running in wildcard mode precludes a machine from
282 running a second instance of dnsmasq or any other DNS, TFTP or DHCP
283 server. Attempts to do so will fail with an "address in use" error.
284 Dnsmasq running in --bind-interfaces or bind-dynamic mode allow other
285 instances of dnsmasq or other servers, as long as no two servers are
286 configured to listen on the same interface address.
287
288 The semantics of --interface varies subtly between wildcard or
289 bind-dynamic mode and bind-interfaces mode. The situation where this
290 matters is a request which arrives via one interface (A), but with a
291 destination address of a second interface (B) and when dnsmasq is
292 configured to listen only on B. In wildcard or bind-dynamic mode, such
293 a request will be ignored, in bind-interfaces mode, it will be
294 accepted.
295
296 The creation of new network interfaces after dnsmasq starts is ignored
297 by dnsmasq when in --bind-interfaces mode. In wildcard or bind-dynamic
298 mode, such interfaces are handled normally.
299
300 A --interface specification for a non-existent interface is a fatal
301 error at start-up when in --bind-interfaces mode, by just generates a
302 warning in wildcard or bind-dynamic mode.
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000303
Simon Kelleyc1bb8502004-08-11 18:40:17 +0100304Q: Why doesn't Kerberos work/why can't I get sensible answers to
305 queries for SRV records.
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000306
Simon Kelleyc1bb8502004-08-11 18:40:17 +0100307A: Probably because you have the "filterwin2k" option set. Note that
308 it was on by default in example configuration files included in
309 versions before 2.12, so you might have it set on without
310 realising.
311
Simon Kelley3be34542004-09-11 19:12:13 +0100312Q: Can I get email notification when a new version of dnsmasq is
313 released?
314
315A: Yes, new releases of dnsmasq are always announced through
Josh Soref730c6742017-02-06 16:14:04 +0000316 freshmeat.net, and they allow you to subscribe to email alerts when
Simon Kelley3d8df262005-08-29 12:19:27 +0100317 new versions of particular projects are released. New releases are
318 also announced in the dnsmasq-discuss mailing list, subscribe at
319 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Simon Kelley3be34542004-09-11 19:12:13 +0100320
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100321Q: What does the dhcp-authoritative option do?
322
Simon Kelley54bb3632017-02-19 22:13:36 +0000323A: The DHCP spec says that when a DHCP server recieves a renewal request
324 from a client it has no knowledge of, it should just ignore it.
325 This is because it's supported to have more than one DHCP server
326 on a network, and another DHCP server may be dealing with the client.
327 This has the unfortunate effect that when _no_ DHCP replies to
328 the client, it takes some time for the client to time-out and start
329 to get a new lease. Setting this option makes dnsmasq violate the
330 standard to the extent that it will send a NAK reply to the client,
331 causing it to immediately start to get a new lease. This improves
332 behaviour when machines move networks, and in the case that the DHCP
333 lease database is lost. As long as there are not more tha one DHCP
334 server on the network, it's safe to enable the option.
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100335
336Q: Why does my Gentoo box pause for a minute before getting a new
337 lease?
338
339A: Because when a Gentoo box shuts down, it releases its lease with
340 the server but remembers it on the client; this seems to be a
341 Gentoo-specific patch to dhcpcd. On restart it tries to renew
342 a lease which is long gone, as far as dnsmasq is concerned, and
343 dnsmasq ignores it until is times out and restarts the process.
344 To fix this, set the dhcp-authoritative flag in dnsmasq.
345
Simon Kelleybb01cb92004-12-13 20:56:23 +0000346Q: My laptop has two network interfaces, a wired one and a wireless
347 one. I never use both interfaces at the same time, and I'd like the
Simon Kelley832af0b2007-01-21 20:01:28 +0000348 same IP and configuration to be used irrespective of which
Simon Kelley3d8df262005-08-29 12:19:27 +0100349 interface is in use. How can I do that?
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100350
Simon Kelleybb01cb92004-12-13 20:56:23 +0000351A: By default, the identity of a machine is determined by using the
352 MAC address, which is associated with interface hardware. Once an
353 IP is bound to the MAC address of one interface, it cannot be
354 associated with another MAC address until after the DHCP lease
355 expires. The solution to this is to use a client-id as the machine
356 identity rather than the MAC address. If you arrange for the same
357 client-id to sent when either interface is in use, the DHCP server
358 will recognise the same machine, and use the same address. The
359 method for setting the client-id varies with DHCP client software,
360 dhcpcd uses the "-I" flag. Windows uses a registry setting,
361 see http://www.jsiinc.com/SUBF/TIP2800/rh2845.htm
Simon Kelley54bb3632017-02-19 22:13:36 +0000362
Simon Kelley9009d742008-11-14 20:04:27 +0000363Addendum:
364 From version 2.46, dnsmasq has a solution to this which doesn't
365 involve setting client-IDs. It's possible to put more than one MAC
366 address in a --dhcp-host configuration. This tells dnsmasq that it
367 should use the specified IP for any of the specified MAC addresses,
Josh Soref730c6742017-02-06 16:14:04 +0000368 and furthermore it gives dnsmasq permission to summarily abandon a
Simon Kelley9009d742008-11-14 20:04:27 +0000369 lease to one of the MAC addresses if another one comes along. Note
370 that this will work fine only as longer as only one interface is
371 up at any time. There is no way for dnsmasq to enforce this
372 constraint: if you configure multiple MAC addresses and violate
373 this rule, bad things will happen.
Simon Kelley3be34542004-09-11 19:12:13 +0100374
Simon Kelley54bb3632017-02-19 22:13:36 +0000375Addendum-II: The link above is dead, the former contents of the link are:
376
377------------------------------------------------------------------------------
378How can I keep the same DHCP client reservation, if the MAC address changes?
379
380When you reserve an IP address for a DHCP client, you provide the
381MAC address of the client's NIC.
382
383It is possible to use a custom identifier, which is sent as
384option 61 in the client's DHCP Discover and Request packet.
385
386The DhcpClientIdentifier is a REG_DWORD value that is located at:
387
388Windows NT 4.0 SP2+
389
390HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Adapter Name>'X'\Parameters\Tcpip
391
392where <Adapter Name> is the NIC driver name and 'X' is the number of the NIC.
393
394Windows 2000
395
396HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TcpIp\Parameters\Interfaces\<NIC GUID>
397
398where <NIC GUID> is the GUID of the NIC.
399
400The valid range of data is 0x0 - 0xFFFFFFFF. The custom identifier is send as 4 bytes,
4018 hexadecimal character, in groups of 2 hexadecimal characters, with the groups being
402sent in reverse order. If the custom identifier is less than 8 hexadeciaml characters,
403it is zero padded at the end. Examples:
404
405Custom Client Client Reservation
406Identifier on DHCP Server
40712345678 78563412
408123456 56341200
4091234 34120000
4101234567 67452301
41112345 45230100
412123 23010000
413A18F42 428FA100
414CF432 32F40C00
415C32D1BE BED1320C
416
417-------------------------------------------------------------------------------------------------------
418
419
Simon Kelley0a852542005-03-23 20:28:59 +0000420Q: Can dnsmasq do DHCP on IP-alias interfaces?
421
422A: Yes, from version-2.21. The support is only available running under
423 Linux, on a kernel which provides the RT-netlink facility. All 2.4
424 and 2.6 kernels provide RT-netlink and it's an option in 2.2
Simon Kelley3d8df262005-08-29 12:19:27 +0100425 kernels.
Simon Kelley0a852542005-03-23 20:28:59 +0000426
427 If a physical interface has more than one IP address or aliases
428 with extra IP addresses, then any dhcp-ranges corresponding to
Simon Kelley3d8df262005-08-29 12:19:27 +0100429 these addresses can be used for address allocation. So if an
Simon Kelley28866e92011-02-14 20:19:14 +0000430 interface has addresses 192.168.1.0/24 and 192.168.2.0/24 and there
Simon Kelley0a852542005-03-23 20:28:59 +0000431 are DHCP ranges 192.168.1.100-192.168.1.200 and
432 192.168.2.100-192.168.2.200 then both ranges would be used for host
433 connected to the physical interface. A more typical use might be to
434 have one of the address-ranges as static-only, and have known
435 hosts allocated addresses on that subnet using dhcp-host options,
436 while anonymous hosts go on the other.
437
Simon Kelley3d8df262005-08-29 12:19:27 +0100438
439Q: Dnsmasq sometimes logs "nameserver xxx.xxx.xxx.xxx refused
440 to do a recursive query" and DNS stops working. What's going on?
441
442A: Probably the nameserver is an authoritative nameserver for a
443 particular domain, but is not configured to answer general DNS
444 queries for an arbitrary domain. It is not suitable for use by
445 dnsmasq as an upstream server and should be removed from the
446 configuration. Note that if you have more than one upstream
447 nameserver configured dnsmasq will load-balance across them and
448 it may be some time before dnsmasq gets around to using a
449 particular nameserver. This means that a particular configuration
450 may work for sometime with a broken upstream nameserver
451 configuration.
452
Simon Kelleye17fb622006-01-14 20:33:46 +0000453
454Q: Does the dnsmasq DHCP server probe addresses before allocating
455 them, as recommended in RFC2131?
456
Simon Kelley7de060b2011-08-26 17:24:52 +0100457A: Yes, dynamically allocated IP addresses are checked by sending an
Simon Kelleye17fb622006-01-14 20:33:46 +0000458 ICMP echo request (ping). If a reply is received, then dnsmasq
459 assumes that the address is in use, and attempts to allocate an
460 different address. The wait for a reply is between two and three
461 seconds. Because the DHCP server is not re-entrant, it cannot serve
462 other DHCP requests during this time. To avoid dropping requests,
463 the address probe may be skipped when dnsmasq is under heavy load.
464
Simon Kelley309331f2006-04-22 15:05:01 +0100465
Simon Kelley5e9e0ef2006-04-17 14:24:29 +0100466Q: I'm using dnsmasq on a machine with the Firestarter firewall, and
467 DHCP doesn't work. What's the problem?
468
469A: This a variant on the iptables problem. Explicit details on how to
470 proceed can be found at
471 http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2005q3/000431.html
Simon Kelleye17fb622006-01-14 20:33:46 +0000472
Simon Kelley309331f2006-04-22 15:05:01 +0100473
Simon Kelley824af852008-02-12 20:43:05 +0000474Q: I'm using dnsmasq on a machine with the shorewall firewall, and
475 DHCP doesn't work. What's the problem?
476
477A: This a variant on the iptables problem. Explicit details on how to
478 proceed can be found at
479 http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2007q4/001764.html
480
481
Simon Kelley1a6bca82008-07-11 11:11:42 +0100482Q: Dnsmasq fails to start up with a message about capabilities.
483 Why did that happen and what can do to fix it?
Simon Kelley309331f2006-04-22 15:05:01 +0100484
485A: Change your kernel configuration: either deselect CONFIG_SECURITY
Simon Kelley1a6bca82008-07-11 11:11:42 +0100486 _or_ select CONFIG_SECURITY_CAPABILITIES. Alternatively, you can
487 remove the need to set capabilities by running dnsmasq as root.
Simon Kelley208b65c2006-08-05 21:41:37 +0100488
Simon Kelley208b65c2006-08-05 21:41:37 +0100489
Simon Kelley28866e92011-02-14 20:19:14 +0000490Q: Where can I get .rpms Suitable for openSUSE/SLES?
491
492A: Dnsmasq is in openSUSE itself, and the latest releases are also
493 available at http://download.opensuse.org/repositories/network/
Simon Kelley208b65c2006-08-05 21:41:37 +0100494
495
Simon Kelley832af0b2007-01-21 20:01:28 +0000496Q: Can I run dnsmasq in a Linux vserver?
497
498A: Yes, as a DNS server, dnsmasq will just work in a vserver.
499 To use dnsmasq's DHCP function you need to give the vserver
500 extra system capabilities. Please note that doing so will lesser
501 the overall security of your system. The capabilities
502 required are NET_ADMIN and NET_RAW. NET_ADMIN is essential, NET_RAW
503 is required to do an ICMP "ping" check on newly allocated
504 addresses. If you don't need this check, you can disable it with
505 --no-ping and omit the NET_RAW capability.
506 Adding the capabilities is done by adding them, one per line, to
507 either /etc/vservers/<vservername>/ccapabilities for a 2.4 kernel or
508 /etc/vservers/<vservername>/bcapabilities for a 2.6 kernel (please
509 refer to the vserver documentation for more information).
510
511
Simon Kelleyf2621c72007-04-29 19:47:21 +0100512Q: What's the problem with syslog and dnsmasq?
513
514A: In almost all cases: none. If you have the normal arrangement with
515 local daemons logging to a local syslog, which then writes to disk,
516 then there's never a problem. If you use network logging, then
517 there's a potential problem with deadlock: the syslog daemon will
518 do DNS lookups so that it can log the source of log messages,
519 these lookups will (depending on exact configuration) go through
520 dnsmasq, which also sends log messages. With bad timing, you can
521 arrive at a situation where syslog is waiting for dnsmasq, and
522 dnsmasq is waiting for syslog; they will both wait forever. This
523 problem is fixed from dnsmasq-2.39, which introduces asynchronous
524 logging: dnsmasq no longer waits for syslog and the deadlock is
525 broken. There is a remaining problem in 2.39, where "log-queries"
526 is in use. In this case most DNS queries generate two log lines, if
527 these go to a syslog which is doing a DNS lookup for each log line,
528 then those queries will in turn generate two more log lines, and a
529 chain reaction runaway will occur. To avoid this, use syslog-ng
530 and turn on syslog-ng's dns-cache function.
531
Simon Kelley832af0b2007-01-21 20:01:28 +0000532
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100533Q: DHCP doesn't work with windows Vista, but everything else is fine.
534
535A: The DHCP client on windows Vista (and possibly later versions)
536 demands that the DHCP server send replies as broadcasts. Most other
537 clients don't do this. The broadcasts are send to
538 255.255.255.255. A badly configured firewall which blocks such
539 packets will show exactly these symptoms (Vista fails, others
540 work).
541
542
Simon Kelley03bfcf62012-01-07 14:37:37 +0000543Q: DHCP doesn't work with windows 7 but everything else is fine.
Simon Kelley832af0b2007-01-21 20:01:28 +0000544
Simon Kelley03bfcf62012-01-07 14:37:37 +0000545A: There seems to be a problem if Windows 7 doesn't get a value for
546 DHCP option 252 in DHCP packets it gets from the server. The
Josh Soref730c6742017-02-06 16:14:04 +0000547 symptoms have been variously reported as continual DHCPINFORM
Simon Kelley03bfcf62012-01-07 14:37:37 +0000548 requests in an attempt to get an option-252, or even ignoring DHCP
549 offers completely (and failing to get an IP address) if there is no
550 option-252 supplied. DHCP option 252 is for WPAD, WWW Proxy
551 Auto Detection and if you don't want or need to use that, then
552 simplest fix seems to be to supply an empty option with:
Simon Kelley832af0b2007-01-21 20:01:28 +0000553
Simon Kelley03bfcf62012-01-07 14:37:37 +0000554 dhcp-option=252,"\n"
Simon Kelley832af0b2007-01-21 20:01:28 +0000555
Simon Kelley208b65c2006-08-05 21:41:37 +0100556
557
Simon Kelley309331f2006-04-22 15:05:01 +0100558
Simon Kelley0a852542005-03-23 20:28:59 +0000559
560
561
562
563
Simon Kelleyc1bb8502004-08-11 18:40:17 +0100564
565