Provided by: dnsmasq_2.25-1_i386
dnsmasq - A lightweight DHCP and caching DNS server.
dnsmasq is a lightweight DNS and DHCP server. It is intended to provide
coupled DNS and DHCP service to a LAN.
Dnsmasq accepts DNS queries and either answers them from a small,
local, cache or forwards them to a real, recursive, DNS server. It
loads the contents of /etc/hosts so that local hostnames which do not
appear in the global DNS can be resolved and also answers DNS queries
for DHCP configured hosts.
The dnsmasq DHCP server supports static address assignments, multiple
networks, DHCP-relay and RFC3011 subnet specifiers. It automatically
sends a sensible default set of DHCP options, and can be configured to
send any desired set of DHCP options. It also supports BOOTP.
Dnsmasq supports IPv6.
Note that in general missing parameters are allowed and switch off
functions, for instance "--pid-file=" disables writing a PID file. On
BSD, unless the GNU getopt library is linked, the long form of the
options does not work on the command line; it is still recognised in
the configuration file.
Don’t read the hostnames in /etc/hosts.
Additional hosts file. Read the specified file as well as
/etc/hosts. If -h is given, read only the specified file. This
option may be repeated for more than one additional hosts file.
When replying with information from /etc/hosts or the DHCP
leases file dnsmasq by default sets the time-to-live field to
zero, meaning that the requestor should not itself cache the
information. This is the correct thing to do in almost all
situations. This option allows a time-to-live (in seconds) to be
given for these replies. This will reduce the load on the server
at the expense of clients using stale data under some
Do not go into the background at startup but otherwise run as
normal. This is intended for use when dnsmasq is run under
daemontools or launchd.
Debug mode: don’t fork to the background, don’t write a pid
file, don’t change user id, generate a complete cache dump on
receipt on SIGUSR1, log to stderr as well as syslog, don’t fork
new processes to handle TCP queries.
Log the results of DNS queries handled by dnsmasq. Enable a full
cache dump on receipt of SIGUSR1.
Specify an alternate path for dnsmasq to record its process-id
in. Normally /var/run/dnsmasq.pid.
Specify the userid to which dnsmasq will change after startup.
Dnsmasq must normally be started as root, but it will drop root
privileges after startup by changing id to another user.
Normally this user is "nobody" but that can be over-ridden with
Specify the group which dnsmasq will run as. The defaults to
"dip", if available, to facilitate access to
/etc/ppp/resolv.conf which is not normally world readable.
Print the version number.
Listen on <port> instead of the standard DNS port (53). Useful
mainly for debugging.
Specify the largest EDNS.0 UDP packet which is supported by the
DNS forwarder. Defaults to 1280, which is the
RFC2671-recommended maximum for ethernet.
Send outbound DNS queries from, and listen for their replies on,
the specific UDP port <query_port> instead of using one chosen
at runtime. Useful to simplify your firewall rules; without
this, your firewall would have to allow connections from outside
DNS servers to a range of UDP ports, or dynamically adapt to the
port being used by the current dnsmasq instance.
-i, --interface=<interface name>
Listen only on the specified interface(s). Dnsmasq automatically
adds the loopback (local) interface to the list of interfaces to
use when the --interface option is used. If no --interface or
--listen-address options are given dnsmasq listens on all
available interfaces except any given in --except-interface
options. If IP alias interfaces (eg "eth1:0") are used with
--interface or --except-interface options, then the --bind-
interfaces option will be automatically set. This is required
for deeply boring sockets-API reasons.
-I, --except-interface=<interface name>
Do not listen on the specified interface. Note that the order of
--listen-address --interface and --except-interface options does
not matter and that --except-interface options always override
-2, --no-dhcp-interface=<interface name>
Do not provide DHCP on the specified interface, but do provide
Listen on the given IP address(es). Both --interface and
--listen-address options may be given, in which case the set of
both interfaces and addresses is used. Note that if no
--interface option is given, but --listen-address is, dnsmasq
will not automatically listen on the loopback interface. To
achieve this, its IP address, 127.0.0.1, must be explicitly
given as a --listen-address option.
On systems which support it, dnsmasq binds the wildcard address,
even when it is listening on only some interfaces. It then
discards requests that it shouldn’t reply to. This has the
advantage of working even when interfaces come and go and change
address. This option forces dnsmasq to really bind only the
interfaces it is listening on. About the only time when this is
useful is when running another nameserver (or another instance
of dnsmasq) on the same machine or when using IP alias.
Specifying interfaces with IP alias automatically turns this
option on. Setting this option also enables multiple instances
of dnsmasq which provide DHCP service to run in the same
Return answers to DNS queries from /etc/hosts which depend on
the interface over which the query was received. If a name in
/etc/hosts has more than one address associated with it, and at
least one of those addresses is on the same subnet as the
interface to which the query was sent, then return only the
address(es) on that subnet. This allows for a server to have
multiple addresses in /etc/hosts corresponding to each of its
interfaces, and hosts will get the correct address based on
which network they are attached to. Currently this facility is
limited to IPv4.
Bogus private reverse lookups. All reverse lookups for private
IP ranges (ie 192.168.x.x, etc) which are not found in
/etc/hosts or the DHCP leases file are answered with "no such
domain" rather than being forwarded upstream.
Modify IPv4 addresses returned from upstream nameservers; old-ip
is replaced by new-ip. If the optional mask is given then any
address which matches the masked old-ip will be re-written. So,
for instance --alias=220.127.116.11,18.104.22.168,255.255.255.0 will map
22.214.171.124 to 126.96.36.199 and 188.8.131.52 to 184.108.40.206. This is what
Cisco PIX routers call "DNS doctoring".
Transform replies which contain the IP address given into "No
such domain" replies. This is intended to counteract a devious
move made by Verisign in September 2003 when they started
returning the address of an advertising web page in response to
queries for unregistered names, instead of the correct NXDOMAIN
response. This option tells dnsmasq to fake the correct response
when it sees this behaviour. As at Sept 2003 the IP address
being returned by Verisign is 220.127.116.11
Later versions of windows make periodic DNS requests which don’t
get sensible answers from the public DNS and can cause problems
by triggering dial-on-demand links. This flag turns on an option
to filter such requests. The requests blocked are for records of
types SOA and SRV, and type ANY where the requested name has
underscores, to catch LDAP requests.
Read the IP addresses of the upstream nameservers from <file>,
instead of /etc/resolv.conf. For the format of this file see
resolv.conf(5) the only lines relevant to dnsmasq are nameserver
ones. Dnsmasq can be told to poll more than one resolv.conf
file, the first file name specified overrides the default,
subsequent ones add to the list. This is only allowed when
polling; the file with the currently latest modification time is
the one used.
Don’t read /etc/resolv.conf. Get upstream servers only from the
command line or the dnsmasq configuration file.
Allow dnsmasq configuration to be updated via DBus method calls.
The configuration which can be changed is upstream DNS servers
(and corresponding domains) and cache clear. Requires that
dnsmasq has been built with DBus support.
By default, dnsmasq will send queries to any of the upstream
servers it knows about and tries to favour servers to are known
to be up. Setting this flag forces dnsmasq to try each query
with each server strictly in the order they appear in
Don’t poll /etc/resolv.conf for changes.
Tells dnsmasq to never forward queries for plain names, without
dots or domain parts, to upstream nameservers. If the name is
not known from /etc/hosts or DHCP then a "not found" answer is
Specify IP address of upstream severs directly. Setting this
flag does not suppress reading of /etc/resolv.conf, use -R to do
that. If one or more optional domains are given, that server is
used only for those domains and they are queried only using the
specified server. This is intended for private nameservers: if
you have a nameserver on your network which deals with names of
the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then
giving the flag -S /internal.thekelleys.org.uk/192.168.1.1 will
send all queries for internal machines to that nameserver,
everything else will go to the servers in /etc/resolv.conf. An
empty domain specification, // has the special meaning of
"unqualified names only" ie names without any dots in them. A
non-standard port may be specified as part of the IP address
using a # character. More than one -S flag is allowed, with
repeated domain or ipaddr parts as required.
Also permitted is a -S flag which gives a domain but no IP
address; this tells dnsmasq that a domain is local and it may
answer queries from /etc/hosts or DHCP but should never forward
queries on that domain to any upstream servers. local is a
synonym for server to make configuration files clearer in this
The optional second IP address after the @ character tells
dnsmasq how to set the source address of the queries to this
nameserver. It should be an address belonging to the machine on
which dnsmasq is running otherwise this server line will be
logged and then ignored. The query-port flag is ignored for any
servers which have a source address specified but the port may
be specified directly as part of the source address.
Specify an IP address to return for any host in the given
domains. Queries in the domains are never forwarded and always
replied to with the specified IP address which may be IPv4 or
IPv6. To give both IPv4 and IPv6 addresses for a domain, use
repeated -A flags. Note that /etc/hosts and DHCP leases
override this for individual names. A common use of this is to
redirect the entire doubleclick.net domain to some friendly
local web server to avoid banner ads. The domain specification
works in the same was as for --server, with the additional
facility that /#/ matches any domain. Thus --address=/#/18.104.22.168
will always return 22.214.171.124 for any query not answered from
/etc/hosts or DHCP and not sent to an upstream nameserver by a
more specific --server directive.
-m, --mx-host=<mx name>[[,<hostname>],<preference>]
Return an MX record named <mx name> pointing to the given
hostname (if given), or the host specified in the --mx-target
switch or, if that switch is not given, the host on which
dnsmasq is running. The default is useful for directing mail
from systems on a LAN to a central server. The preference value
is optional, and defaults to 1 if not given. More than one MX
record may be given for a host.
Specify the default target for the MX record returned by
dnsmasq. See --mx-host. If --mx-target is given, but not --mx-
host, then dnsmasq returns a MX record containing the MX target
for MX queries on the hostname of the machine on which dnsmasq
Return an MX record pointing to itself for each local machine.
Local machines are those in /etc/hosts or with DHCP leases.
Return an MX record pointing to the host given by mx-target (or
the machine on which dnsmasq is running) for each local machine.
Local machines are those in /etc/hosts or with DHCP leases.
Return a SRV DNS record. See RFC2782 for details. If not
supplied, the domain defaults to that given by --domain. The
default for the target domain is empty, and the default for port
is one and the defaults for weight and priority are zero. Be
careful if transposing data from BIND zone files: the port,
weight and priority numbers are in a different order. More than
one SRV record for a given service/domain is allowed, all that
match are returned.
Return a TXT DNS record. The value of TXT record is a set of
strings, so any number may be included, split by commas.
Set the size of dnsmasq’s cache. The default is 150 names.
Setting the cache size to zero disables caching.
Disable negative caching. Negative caching allows dnsmasq to
remember "no such domain" answers from upstream nameservers and
answer identical queries without forwarding them again. This
flag disables negative caching.
addr>[[,<netmask>],<broadcast>][,<default lease time>]
Enable the DHCP server. Addresses will be given out from the
range <start-addr> to <end-addr> and from statically defined
addresses given in dhcp-host options. If the lease time is
given, then leases will be given for that length of time. The
lease time is in seconds, or minutes (eg 45m) or hours (eg 1h)
or the literal "infinite". This option may be repeated, with
different addresses, to enable DHCP service to more than one
network. For directly connected networks (ie, networks on which
the machine running dnsmasq has an interface) the netmask is
optional. It is, however, required for networks which receive
DHCP service via a relay agent. The broadcast address is always
optional. On some broken systems, dnsmasq can listen on only one
interface when using DHCP, and the name of that interface must
be given using the interface option. This limitation currently
affects OpenBSD. It is always allowed to have more than one
dhcp-range in a single subnet. The optional network-id is a
alphanumeric label which marks this network so that dhcp options
may be specified on a per-network basis. When it is prefixed
with ’net:’ then its meaning changes from setting a tag to
matching it. The end address may be replaced by the keyword
static which tells dnsmasq to enable DHCP for the network
specified, but not to dynamically allocate IP addresses. Only
hosts which have static addresses given via dhcp-host or from
/etc/ethers will be served.
Specify per host parameters for the DHCP server. This allows a
machine with a particular hardware address to be always
allocated the same hostname, IP address and lease time. A
hostname specified like this overrides any supplied by the DHCP
client on the machine. It is also allowable to ommit the
hardware address and include the hostname, in which case the IP
address and lease times will apply to any machine claiming that
name. For example --dhcp-host=00:20:e0:3b:13:af,wap,infinite
tells dnsmasq to give the machine with ethernet address
00:20:e0:3b:13:af the name wap, and an infinite DHCP lease.
--dhcp-host=lap,192.168.0.199 tells dnsmasq to always allocate
the machine lap the IP address 192.168.0.199. Addresses
allocated like this are not constrained to be in the range given
by the --dhcp-range option, but they must be on the network
being served by the DHCP server. It is allowed to use client
identifiers rather than hardware addresses to identify hosts by
prefixing with ’id:’. Thus: --dhcp-host=id:01:02:03:04,.....
refers to the host with client identifier 01:02:03:04. It is
also allowed to specify the client ID as text, like this:
--dhcp-host=id:clientidastext,..... The special option id:*
means "ignore any client-id and use MAC addresses only." This is
useful when a client presents a client-id sometimes but not
others. If a name appears in /etc/hosts, the associated address
can be allocated to a DHCP lease, but only if a --dhcp-host
option specifying the name also exists. The special keyword
"ignore" tells dnsmasq to never offer a DHCP lease to a machine.
The machine can be specified by hardware address, client ID or
hostname, for instance --dhcp-host=00:20:e0:3b:13:af,ignore This
is useful when there is another DHCP server on the network which
should be used by some machines. The net:<network-id> sets the
network-id tag whenever this dhcp-host directive is in use.
This can be used to selectively send DHCP options just for this
host. Ethernet addresses (but not client-ids) may have wildcard
bytes, so for example --dhcp-host=00:20:e0:3b:13:*,ignore will
cause dnsmasq to ignore a range of ethernet addresses. Note that
the "*" will need to be escaped or quoted on a command line, but
not in the configuration file.
Read /etc/ethers for information about hosts for the DHCP
server. The format of /etc/ethers is a hardware address,
followed by either a hostname or dotted-quad IP address. When
read by dnsmasq these lines have exactly the same effect as
--dhcp-host options containing the same information.
Specify different or extra options to DHCP clients. By default,
dnsmasq sends some standard options to DHCP clients, the netmask
and broadcast address are set to the same as the host running
dnsmasq, and the DNS server and default route are set to the
address of the machine running dnsmasq. If the domain name
option has been set, that is sent. This option allows these
defaults to be overridden, or other options specified. The <opt>
is the number of the option, as specified in RFC2132. For
example, to set the default route option to 192.168.4.4, do
--dhcp-option=3,192.168.4.4 and to set the time-server address
to 192.168.0.4, do --dhcp-option=42,192.168.0.4 The special
address 0.0.0.0 is taken to mean "the address of the machine
running dnsmasq". Data types allowed are comma separated dotted-
quad IP addresses, a decimal number, colon-separated hex digits
and a text string. If the optional network-ids are given then
this option is only sent when all the network-ids are matched.
Be careful: no checking is done that the correct type of data
for the option number is sent, it is quite possible to persuade
dnsmasq to generate illegal DHCP packets with injudicious use of
this flag. When the value is a decimal number, dnsmasq must
determine how large the data item is. It does this by examining
the option number and/or the value, but can be overridden by
appending a single letter flag as follows: b = one byte, s = two
bytes, i = four bytes. This is mainly useful with encapsulated
vendor class options (see below) where dnsmasq cannot determine
data size from the option number. Option data which consists
solely of periods and digits will be interpreted by dnsmasq as
an IP address, and inserted into an option as such. To force a
literal string, use quotes. For instance when using option 66 to
send a literal IP address as TFTP server name, it is necessary
to do --dhcp-option=66,"126.96.36.199"
Encapsulated Vendor-class options may also be specified using
--dhcp-option: for instance --dhcp-
option=vendor:PXEClient,1,0.0.0.0 sends the vendor class
"PXEClient" and the encapsulated vendor class-specific option
"mftp-address=0.0.0.0" Only one vendor class is allowed for any
host, but multiple options are allowed, provided they all have
the same vendor class. The address 0.0.0.0 is not treated
specially in encapsulated vendor class options.
Map from a vendor-class string to a network id. Most DHCP
clients provide a "vendor class" which represents, in some
sense, the type of host. This option maps vendor classes to
network ids, so that DHCP options may be selectively delivered
to different classes of hosts. For example dhcp-
vendorclass=printers,Hewlett-Packard JetDirect will allow
options to be set only for HP printers like so: --dhcp-
option=printers,3,192.168.4.4 The vendor-class string is
substring matched against the vendor-class supplied by the
client, to allow fuzzy matching.
Map from a user-class string to a network id (with substring
matching, like vendor classes). Most DHCP clients provide a
"user class" which is configurable. This option maps user
classes to network ids, so that DHCP options may be selectively
delivered to different classes of hosts. It is possible, for
instance to use this to set a different printer server for hosts
in the class "accounts" than for hosts in the class
When all the given network-ids match the set of network-ids
derived from the net, host, vendor and user classes, ignore the
host and do not allocate it a DHCP lease.
Set BOOTP options to be returned by the DHCP server. These are
needed for machines which network boot, and tell the machine
where to collect its initial configuration. If the optional
network-id(s) are given, they must match for this configuration
to be sent. Note that network-ids are prefixed by "net:" to
Limits dnsmasq to the specified maximum number of DHCP leases.
The default is 150. This limit is to prevent DoS attacks from
hosts which create thousands of leases and use lots of memory in
the dnsmasq process.
Should be set when dnsmasq is definately the only DHCP server on
a network. It changes the behaviour from strict RFC compliance
so that DHCP requests on unknown leases from unknown hosts are
not ignored. This allows new hosts to get a lease without a
tedious timeout under all circumstances.
Enable dynamic allocation of IP addresses to BOOTP clients. Use
this with care, since each address allocated to a BOOTP client
is leased forever, and therefore becomes permanently unavailable
for re-use by other hosts.
Use the specified file to store DHCP lease information. If this
option is given but no dhcp-range option is given then dnsmasq
version 1 behaviour is activated. The file given is assumed to
be an ISC dhcpd lease file and parsed for leases which are then
added to the DNS system if they have a hostname. This
functionality may have been excluded from dnsmasq at compile
time, in which case an error will occur.
Specifies the domain for the DHCP server. This has two effects;
firstly it causes the DHCP server to return the domain to any
hosts which request it, and secondly it sets the domain which it
is legal for DHCP-configured hosts to claim. The intention is to
constrain hostnames so that an untrusted host on the LAN cannot
advertise it’s name via dhcp as e.g. "microsoft.com" and capture
traffic not meant for it. If no domain suffix is specified, then
any DHCP hostname with a domain part (ie with a period) will be
disallowed and logged. If suffix is specified, then hostnames
with a domain part are allowed, provided the domain part matches
the suffix. In addition, when a suffix is set then hostnames
without a domain part have the suffix added as an optional
domain part. Eg on my network I can set
--domain=thekelleys.org.uk and have a machine whose DHCP
hostname is "laptop". The IP address for that machine is
available from dnsmasq both as "laptop" and
"laptop.thekelleys.org.uk". If the domain is given as "#" then
the domain is read from the first "search" directive in
/etc/resolv.conf (or equivalent).
Add the domain to simple names (without a period) in /etc/hosts
in the same way as for DHCP-derived names.
Specify a different configuration file. The conf-file option is
also allowed in configuration files, to include multiple
configuration files. Only one level of nesting is allowed.
At startup, dnsmasq reads /etc/dnsmasq.conf, if it exists. (On FreeBSD,
the file is /usr/local/etc/dnsmasq.conf ) (but see the -C option.) The
format of this file consists of one option per line, exactly as the
long options detailed in the OPTIONS section but without the leading
"--". Lines starting with # are comments and ignored. For options which
may only be specified once, the configuration file overrides the
command line. Quoting is allowed in a config file: between " quotes
the special meanings of ,:. and # are removed and the following escapes
are allowed: \\ \" \t \a \b \r and \n. The later corresponding to tab,
bell, backspace, return and newline.
When it receives a SIGHUP, dnsmasq clears its cache and then re-loads
/etc/hosts. If --no-poll is set SIGHUP also re-reads /etc/resolv.conf.
SIGHUP does NOT re-read the configuration file.
When it receives a SIGUSR1, dnsmasq writes cache statistics to the
system log. It writes the cache size, the number of names which have
had to removed from the cache before they expired in order to make room
for new names and the total number of names that have been inserted
into the cache. In --no-daemon mode or when full logging is enabled
(-q), a complete dump of the contents of the cache is made.
Dnsmasq is a DNS query forwarder: it it not capable of recursively
answering arbitrary queries starting from the root servers but forwards
such queries to a fully recursive upstream DNS server which is
typically provided by an ISP. By default, dnsmasq reads
/etc/resolv.conf to discover the IP addresses of the upstream
nameservers it should use, since the information is typically stored
there. Unless --no-poll is used, dnsmasq checks the modification time
of /etc/resolv.conf (or equivalent if --resolv-file is used) and re-
reads it if it changes. This allows the DNS servers to be set
dynamically by PPP or DHCP since both protocols provide the
information. Absence of /etc/resolv.conf is not an error since it may
not have been created before a PPP connection exists. Dnsmasq simply
keeps checking in case /etc/resolv.conf is created at any time. Dnsmasq
can be told to parse more than one resolv.conf file. This is useful on
a laptop, where both PPP and DHCP may be used: dnsmasq can be set to
poll both /etc/ppp/resolv.conf and /etc/dhcpc/resolv.conf and will use
the contents of whichever changed last, giving automatic switching
between DNS servers.
Upstream servers may also be specified on the command line or in the
configuration file. These server specifications optionally take a
domain name which tells dnsmasq to use that server only to find names
in that particular domain.
In order to configure dnsmasq to act as cache for the host on which it
is running, put "nameserver 127.0.0.1" in /etc/resolv.conf to force
local processes to send queries to dnsmasq. Then either specify the
upstream servers directly to dnsmasq using --server options or put
their addresses real in another file, say /etc/resolv.dnsmasq and run
dnsmasq with the -r /etc/resolv.dnsmasq option. This second technique
allows for dynamic update of the server addresses by PPP or DHCP.
Addresses in /etc/hosts will "shadow" different addresses for the same
names in the upstream DNS, so "mycompany.com 188.8.131.52" in /etc/hosts
will ensure that queries for "mycompany.com" always return 184.108.40.206 even
if queries in the upstream DNS would otherwise return a different
address. There is one exception to this: if the upstream DNS contains a
CNAME which points to a shadowed name, then looking up the CNAME
through dnsmasq will result in the unshadowed address associated with
the target of the CNAME. To work around this, add the CNAME to
/etc/hosts so that the CNAME is shadowed too.
The network-id system works as follows: For each DHCP request, dnsmasq
collects a set of valid network-id tags, one from the dhcp-range used
to allocate the address, one from any matching dhcp-host and possibly
many from matching vendor classes and user classes sent by the DHCP
client. Any dhcp-option which has network-id tags will be used in
preference to an untagged dhcp-option, provided that _all_ the tags
match somewhere in the set collected as described above. The prefix ’#’
on a tag means ’not’ so --dhcp=option=#purple,3,220.127.116.11 sends the
option when the network-id tag purple is not in the set of valid tags.
If the network-id in a dhcp-range is prefixed with ’net:’ then its
meaning changes from setting a tag to matching it. Thus if there is
more than dhcp-range on a subnet, and one is tagged with a network-id
which is set (for instance from a vendorclass option) then hosts which
set the netid tag will be allocated addresses in the tagged range.
The DHCP server in dnsmasq will function as a BOOTP server also,
provided that the MAC address and IP address for clients are given,
either using dhcp-host configurations or in /etc/ethers , and a dhcp-
range configuration option is present to activate the DHCP server on a
particular network. (Setting --bootp-dynamic removes the need for
static address mappings.) The filename parameter in a BOOTP request is
matched against netids in dhcp-option configurations, allowing some
control over the options returned to different classes of hosts.
This manual page was written by Simon Kelley <email@example.com>.