Provided by: dnsmasq-base-lua_2.90-5_amd64 bug

NAME

       dnsmasq - A lightweight DHCP and caching DNS server.

SYNOPSIS

       dnsmasq [OPTION]...

DESCRIPTION

       dnsmasq  is  a  lightweight  DNS,  TFTP,  PXE, router advertisement and DHCP server. It is
       intended to provide coupled DNS and DHCP service to a LAN.

       Dnsmasq accepts DNS queries and either answers them from a small, local, cache or forwards
       them  to  a real, recursive, DNS server. It loads the contents of /etc/hosts so that local
       hostnames which do not appear in the global DNS can  be  resolved  and  also  answers  DNS
       queries for DHCP configured hosts. It can also act as the authoritative DNS server for one
       or more domains, allowing local names to appear in the global DNS. It can be configured to
       do DNSSEC validation.

       The  dnsmasq  DHCP  server  supports  static address assignments and multiple networks. It
       automatically sends a sensible default set of DHCP options, and can be configured to  send
       any  desired  set  of  DHCP  options, including vendor-encapsulated options. It includes a
       secure, read-only, TFTP server to allow net/PXE boot  of  DHCP  hosts  and  also  supports
       BOOTP.  The  PXE  support  is  full featured, and includes a proxy mode which supplies PXE
       information to clients whilst DHCP address allocation is done by another server.

       The dnsmasq DHCPv6 server provides the same set of features as the DHCPv4 server,  and  in
       addition,  it  includes  router  advertisements and a neat feature which allows naming for
       clients which use DHCPv4 and stateless  autoconfiguration  only  for  IPv6  configuration.
       There  is support for doing address allocation (both DHCPv6 and RA) from subnets which are
       dynamically delegated via DHCPv6 prefix delegation.

       Dnsmasq is coded with small embedded systems in mind. It aims for  the  smallest  possible
       memory  footprint  compatible with the supported functions,  and allows unneeded functions
       to be omitted from the compiled binary.

OPTIONS

       Note that in general missing parameters are allowed and switch off functions, for instance
       "--pid-file" disables writing a PID file. On BSD, unless the GNU getopt library is linked,
       the long form of the options does not work on the command line; it is still recognised  in
       the configuration file.

       --test Read  and  syntax  check configuration file(s). Exit with code 0 if all is OK, or a
              non-zero code otherwise. Do not start up dnsmasq.

       -w, --help
              Display  all  command-line  options.   --help  dhcp  will  display   known   DHCPv4
              configuration options, and --help dhcp6 will display DHCPv6 options.

       -h, --no-hosts
              Don't read the hostnames in /etc/hosts.

       -H, --addn-hosts=<file>
              Additional hosts file. Read the specified file as well as /etc/hosts. If --no-hosts
              is given, read only the specified file. This option may be repeated for  more  than
              one  additional  hosts  file.  If  a  directory  is  given, then read all the files
              contained in that directory in alphabetical order.

       --hostsdir=<path>
              Read all the hosts files contained in the directory. New or changed files are  read
              automatically  and  modified  and  deleted files have removed records automatically
              deleted.

       -E, --expand-hosts
              Add the domain to simple names (without a period) in /etc/hosts in the same way  as
              for  DHCP-derived  names.  Note that this does not apply to domain names in cnames,
              PTR records, TXT records etc.

       -T, --local-ttl=<time>
              When replying with information from /etc/hosts or configuration or the DHCP  leases
              file  dnsmasq  by  default  sets  the  time-to-live field to zero, meaning that the
              requester should not itself cache the information. This is the correct thing to  do
              in  almost  all  situations.  This  option allows a time-to-live (in seconds) to be
              given for these replies. This will reduce the load on the server at the expense  of
              clients using stale data under some circumstances.

       --dhcp-ttl=<time>
              As  for --local-ttl, but affects only replies with information from DHCP leases. If
              both are given, --dhcp-ttl  applies  for  DHCP  information,  and  --local-ttl  for
              others. Setting this to zero eliminates the effect of --local-ttl for DHCP.

       --neg-ttl=<time>
              Negative replies from upstream servers normally contain time-to-live information in
              SOA records which dnsmasq uses for caching. If the replies  from  upstream  servers
              omit  this  information,  dnsmasq  does  not  cache  the reply. This option gives a
              default value for time-to-live (in seconds) which dnsmasq uses  to  cache  negative
              replies even in the absence of an SOA record.

       --max-ttl=<time>
              Set  a  maximum TTL value that will be handed out to clients. The specified maximum
              TTL will be given to clients instead of the true TTL value if it is lower. The true
              TTL value is however kept in the cache to avoid flooding the upstream DNS servers.

       --max-cache-ttl=<time>
              Set a maximum TTL value for entries in the cache.

       --min-cache-ttl=<time>
              Extend short TTL values to the time given when caching them. Note that artificially
              extending TTL values is in general a bad idea, do not do it unless you have a  good
              reason, and understand what you are doing.  Dnsmasq limits the value of this option
              to one hour, unless recompiled.

       --auth-ttl=<time>
              Set the TTL value returned in answers from the authoritative server.

       --fast-dns-retry=[<initial retry delay in ms>[,<time to continue retries in ms>]]
              Under normal circumstances, dnsmasq relies on DNS clients to do  retries;  it  does
              not generate timeouts itself. Setting this option instructs dnsmasq to generate its
              own retries starting after  a  delay  which  defaults  to  1000ms.  If  the  second
              parameter  is  given this controls how long the retries will continue for otherwise
              this defaults to 10000ms. Retries are repeated with exponential backoff. Using this
              option increases memory usage and network bandwidth.

       -k, --keep-in-foreground
              Do  not  go  into  the  background  at startup but otherwise run as normal. This is
              intended for use when dnsmasq is run under daemontools or launchd.

       -d, --no-daemon
              Debug mode: don't fork to the background, don't write a pid file, don't change user
              id,  generate a complete cache dump on receipt on SIGUSR1, log to stderr as well as
              syslog, don't fork new processes to handle TCP queries. Note that  this  option  is
              for  use  in debugging only, to stop dnsmasq daemonising in production, use --keep-
              in-foreground.

       -q, --log-queries
              Log the results of DNS queries handled by dnsmasq. Enable  a  full  cache  dump  on
              receipt  of  SIGUSR1.  If  the argument "extra" is supplied, ie --log-queries=extra
              then the log has extra information at the start of each line.  This consists  of  a
              serial  number  which  ties  together  the  log lines associated with an individual
              query, and the IP address of the requestor.

       -8, --log-facility=<facility>
              Set the facility to which dnsmasq  will  send  syslog  entries,  this  defaults  to
              DAEMON,  and  to  LOCAL0  when  debug  mode  is in operation. If the facility given
              contains at least one '/' character, it is taken to be a filename, and dnsmasq logs
              to  the  given file, instead of syslog. If the facility is '-' then dnsmasq logs to
              stderr.  (Errors whilst reading configuration will still  go  to  syslog,  but  all
              output  from  a  successful  startup,  and  all  output  whilst  running,  will  go
              exclusively to the file.) When logging to a file, dnsmasq will close and reopen the
              file  when  it  receives  SIGUSR2.  This  allows the log file to be rotated without
              stopping dnsmasq.

       --log-debug
              Enable extra logging intended for debugging rather than information.

       --log-async[=<lines>]
              Enable asynchronous logging and optionally set the limit on  the  number  of  lines
              which  will  be  queued by dnsmasq when writing to the syslog is slow.  Dnsmasq can
              log asynchronously: this allows it to continue functioning without being blocked by
              syslog,  and allows syslog to use dnsmasq for DNS queries without risking deadlock.
              If the queue of log-lines becomes full, dnsmasq will  log  the  overflow,  and  the
              number  of  messages   lost.  The  default queue length is 5, a sane value would be
              5-25, and a maximum limit of 100 is imposed.

       -x, --pid-file=<path>
              Specify an alternate path  for  dnsmasq  to  record  its  process-id  in.  Normally
              /var/run/dnsmasq.pid.

       -u, --user=<username>
              Specify  the  userid  to  which  dnsmasq  will  change  after startup. Dnsmasq must
              normally be started as root, but it will drop  root  privileges  after  startup  by
              changing  id  to another user. Normally this user is "nobody" but that can be over-
              ridden with this switch.

       -g, --group=<groupname>
              Specify the group which dnsmasq will run as. The default is "dip", if available, to
              facilitate access to /etc/ppp/resolv.conf which is not normally world readable.

       -v, --version
              Print the version number.

       -p, --port=<port>
              Listen  on  <port>  instead  of  the  standard  DNS port (53). Setting this to zero
              completely disables DNS function, leaving only DHCP and/or TFTP.

       -P, --edns-packet-max=<size>
              Specify the largest EDNS.0 UDP packet which is  supported  by  the  DNS  forwarder.
              Defaults to 1232, which is the recommended size following the DNS flag day in 2020.
              Only increase if you know what you are doing.

       -Q, --query-port=<query_port>
              Send outbound DNS queries from, and listen for their replies on, the  specific  UDP
              port  <query_port>  instead of using random ports. NOTE that using this option will
              make dnsmasq less secure against DNS spoofing attacks but it may be faster and  use
              less  resources.   Setting  this  option  to  zero  makes dnsmasq use a single port
              allocated to it by the OS: this was the default  behaviour  in  versions  prior  to
              2.43.

       --port-limit=<#ports>
              By  default,  when sending a query via random ports to multiple upstream servers or
              retrying a query dnsmasq will use a single random port for all  the  tries/retries.
              This  option  allows  a  larger  number  of  ports  to  be used, which can increase
              robustness in certain network configurations. Note that  increasing  this  to  more
              than  two  or  three can have security and resource implications and should only be
              done with understanding of those.

       --min-port=<port>
              Do not use ports less than that given as source for outbound DNS  queries.  Dnsmasq
              picks  random  ports as source for outbound queries: when this option is given, the
              ports used will always be larger than that specified.  Useful  for  systems  behind
              firewalls. If not specified, defaults to 1024.

       --max-port=<port>
              Use  ports lower than that given as source for outbound DNS queries.  Dnsmasq picks
              random ports as source for outbound queries: when this option is given,  the  ports
              used will always be lower than that specified. Useful for systems behind firewalls.

       -i, --interface=<interface name>
              Listen  only on the specified interface(s). Dnsmasq automatically adds the loopback
              (local) interface to the list of interfaces to use when the --interface option   is
              used.  If  no  --interface or --listen-address options are given dnsmasq listens on
              all available interfaces except any given in --except-interface options. On  Linux,
              when  --bind-interfaces  or --bind-dynamic are in effect, IP alias interface labels
              (eg "eth1:0") are checked, rather than interface names. In the degenerate case when
              an  interface has one address, this amounts to the same thing but when an interface
              has multiple addresses  it  allows  control  over  which  of  those  addresses  are
              accepted.  The same effect is achievable in default mode by using --listen-address.
              A simple wildcard, consisting of a trailing '*', can be  used  in  --interface  and
              --except-interface options.

       -I, --except-interface=<interface name>
              Do  not  listen on the specified interface. Note that the order of --listen-address
              --interface and --except-interface options  does  not  matter  and  that  --except-
              interface  options  always override the others. The comments about interface labels
              for --listen-address apply here.

       --auth-server=<domain>,[<interface>|<ip-address>...]
              Enable DNS authoritative mode for queries arriving at an interface or address. Note
              that  the  interface  or  address need not be mentioned in --interface or --listen-
              address configuration, indeed --auth-server  will  override  these  and  provide  a
              different  DNS  service  on  the  specified  interface.  The  <domain> is the "glue
              record". It should resolve in the global DNS to  an  A  and/or  AAAA  record  which
              points  to  the address dnsmasq is listening on. When an interface is specified, it
              may be qualified with "/4" or "/6" to specify  only  the  IPv4  or  IPv6  addresses
              associated  with  the  interface.  Since  any  defined authoritative zones are also
              available as part of the normal recusive DNS service supplied by  dnsmasq,  it  can
              make  sense to have an --auth-server declaration with no interfaces or address, but
              simply specifying the primary external nameserver.

       --local-service[=net|host]
              Without parameter or with net parameter, restricts service  to  connected  network.
              Accept  DNS queries only from hosts whose address is on a local subnet, ie a subnet
              for which an interface exists on the server. With host parameter, listens  only  on
              lo  interface  and accepts queries from localhost only. This option only has effect
              if there are no --interface, --except-interface, --listen-address or  --auth-server
              options.  It  is  intended  to  be  set  as  a  default  on  installation, to allow
              unconfigured installations to be useful but also  safe  from  being  used  for  DNS
              amplification attacks.

       -2, --no-dhcp-interface=<interface name>
              Do  not  provide DHCP, TFTP or router advertisement on the specified interface, but
              do provide DNS service.

       --no-dhcpv4-interface=<interface name>
              Disable only IPv4 DHCP on the specified interface.

       --no-dhcpv6-interface=<interface name>
              Disable IPv6 DHCP and router advertisement on the specified interface.

       -a, --listen-address=<ipaddr>
              Listen on the given IP address(es). Both --interface and  --listen-address  options
              may  be given, in which case the set of both interfaces and addresses is used. Note
              that if no --interface option is given, but --listen-address is, dnsmasq  will  not
              automatically  listen  on  the loopback interface. To achieve this, its IP address,
              127.0.0.1, must be explicitly given as a --listen-address option.

       -z, --bind-interfaces
              On systems which support it, dnsmasq binds the wildcard address, even  when  it  is
              listening  on  only  some  interfaces.  It then discards requests that it shouldn't
              reply to. This has the advantage of working even when interfaces come  and  go  and
              change address. This option forces dnsmasq to really bind only the interfaces it is
              listening on. About the only time when this  is  useful  is  when  running  another
              nameserver  (or  another  instance  of  dnsmasq)  on the same machine. Setting this
              option also enables multiple instances of dnsmasq which provide DHCP service to run
              in the same machine.

       --bind-dynamic
              Enable  a network mode which is a hybrid between --bind-interfaces and the default.
              Dnsmasq binds the address  of  individual  interfaces,  allowing  multiple  dnsmasq
              instances,  but  if new interfaces or addresses appear, it automatically listens on
              those (subject to any access-control configuration). This makes dynamically created
              interfaces  work  in the same way as the default. Implementing this option requires
              non-standard networking APIs and  it  is  only  available  under  Linux.  On  other
              platforms it falls-back to --bind-interfaces mode.

       -y, --localise-queries
              Return  answers  to DNS queries from /etc/hosts and --interface-name and --dynamic-
              host which depend on the interface over which the query was received. If a name has
              more than one address associated with it, and at least one of those addresses is on
              the same subnet as the interface to which the query was sent, then return only  the
              address(es)  on that subnet and return all the available addresses otherwise.  This
              allows for a server  to have multiple addresses in /etc/hosts corresponding to each
              of  its  interfaces,  and hosts will get the correct address based on which network
              they are attached to. Currently this facility is limited to IPv4.

       -b, --bogus-priv
              Bogus private reverse lookups. All  reverse  lookups  for  private  IP  ranges  (ie
              192.168.x.x,  etc)  which  are  not found in /etc/hosts or the DHCP leases file are
              answered with "no such domain" rather than being forwarded  upstream.  The  set  of
              prefixes affected is the list given in RFC6303, for IPv4 and IPv6.

       -V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
              Modify  IPv4  addresses  returned  from upstream nameservers; old-ip is replaced by
              new-ip. If the optional mask is given then any address  which  matches  the  masked
              old-ip  will  be re-written. So, for instance --alias=1.2.3.0,6.7.8.0,255.255.255.0
              will map 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67.  This  is  what  Cisco  PIX
              routers  call "DNS doctoring". If the old IP is given as range, then only addresses
              in   the   range,   rather   than   a   whole   subnet,    are    re-written.    So
              --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0                       maps
              192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40

       -B, --bogus-nxdomain=<ipaddr>[/prefix]
              Transform replies which contain the specified  address  or  subnet  into  "No  such
              domain"  replies.  IPv4  and  IPv6  are supported. This is intended to counteract a
              devious move made by Verisign in September 2003 when  they  started  returning  the
              address  of  an advertising web page in response to queries for unregistered names,
              instead of the correct NXDOMAIN response. This option tells  dnsmasq  to  fake  the
              correct  response when it sees this behaviour. As at Sept 2003 the IP address being
              returned by Verisign is 64.94.110.11

       --ignore-address=<ipaddr>[/prefix]
              Ignore replies to A or AAAA queries which include the specified address or  subnet.
              No  error is generated, dnsmasq simply continues to listen for another reply.  This
              is useful to defeat blocking strategies which rely on quickly  supplying  a  forged
              answer to a DNS request for certain domain, before the correct answer can arrive.

       -f, --filterwin2k
              Later  versions  of  windows  make  periodic  DNS requests which don't get sensible
              answers from the public DNS and can cause  problems  by  triggering  dial-on-demand
              links.  This  flag turns on an option to filter such requests. The requests blocked
              are for records of type ANY where the requested name has underscores, to catch LDAP
              requests, and for all records of types SOA and SRV.

       --filter-A
              Remove A records from answers. No IPv4 addresses will be returned.

       --filter-AAAA
              Remove AAAA records from answers. No IPv6 addresses will be returned.

       --filter-rr=<rrtype>[,<rrtype>...]
              Remove  records  of  the  specified type(s) from answers. The otherwise-nonsensical
              --filter-rr=ANY has a special meaning: it filters replies to queries for type  ANY.
              Everything  other than A, AAAA, MX and CNAME records are removed. Since ANY queries
              with forged source addresses can be used in DNS amplification attacks  (replies  to
              ANY  queries  can  be large) this defangs such attacks, whilst still supporting the
              one remaining possible use of ANY queries. See RFC 8482 para 4.3 for details.

       --cache-rr=<rrtype>[,<rrtype>...]
              By default, dnsmasq caches A, AAAA, CNAME and SRV DNS record  types.   This  option
              adds  other  record  types to the cache. The RR-type can be given as a name such as
              TXT or MX or a decimal number.  A  single  --cache-rr  option  can  take  a  comma-
              separated  list  of  RR-types  and  more than one --cache-rr option is allowed. Use
              --cache-rr=ANY to enable caching for all RR-types.

       -r, --resolv-file=<file>
              Read the  IP  addresses  of  the  upstream  nameservers  from  <file>,  instead  of
              /etc/resolv.conf.  For  the format of this file see resolv.conf(5).  The only lines
              relevant to dnsmasq are nameserver ones. Dnsmasq can be told to poll more than  one
              resolv.conf  file, the first file name  specified overrides the default, subsequent
              ones add to the list. This  is  only  allowed  when  polling;  the  file  with  the
              currently latest modification time is the one used.

       -R, --no-resolv
              Don't read /etc/resolv.conf. Get upstream servers only from the command line or the
              dnsmasq configuration file.

       -1, --enable-dbus[=<service-name>]
              Allow dnsmasq configuration to be updated via DBus method calls. The  configuration
              which  can be changed is upstream DNS servers (and corresponding domains) and cache
              clear. Requires that dnsmasq has been built with DBus support. If the service  name
              is  given,  dnsmasq provides service at that name, rather than the default which is
              uk.org.thekelleys.dnsmasq

       --enable-ubus[=<service-name>]
              Enable dnsmasq UBus interface. It sends  notifications  via  UBus  on  DHCPACK  and
              DHCPRELEASE events. Furthermore it offers metrics and allows configuration of Linux
              connection track mark based filtering.  When DNS query  filtering  based  on  Linux
              connection  track  marks  is  enabled  UBus  notifications  are  generated for each
              resolved or filtered DNS query.  Requires that dnsmasq has  been  built  with  UBus
              support.  If the service name is given, dnsmasq provides service at that namespace,
              rather than the default which is dnsmasq

       -o, --strict-order
              By default, dnsmasq will send queries to any of the upstream servers it knows about
              and  tries  to  favour  servers  that  are known to be up. Setting this flag forces
              dnsmasq to try each query with each server strictly in the  order  they  appear  in
              /etc/resolv.conf

       --all-servers
              By  default, when dnsmasq has more than one upstream server available, it will send
              queries to just one server. Setting this flag forces dnsmasq to send all queries to
              all  available  servers.  The  reply  from  the  server which answers first will be
              returned to the original requester.

       --dns-loop-detect
              Enable code to detect DNS forwarding loops; ie the situation where a query sent  to
              one  of  the  upstream  server  eventually  returns  as  a new query to the dnsmasq
              instance. The process works by generating TXT queries of the  form  <hex>.test  and
              sending  them  to each upstream server. The hex is a UID which encodes the instance
              of dnsmasq sending the query and the upstream server to which it was sent.  If  the
              query  returns  to the server which sent it, then the upstream server through which
              it was sent is disabled and this event is logged. Each time  the  set  of  upstream
              servers  changes,  the  test  is  re-run  on all of them, including ones which were
              previously disabled.

       --stop-dns-rebind
              Reject (and log) addresses from upstream  nameservers  which  are  in  the  private
              ranges.  This  blocks  an attack where a browser behind a firewall is used to probe
              machines on the local network. For IPv6, the private range covers  the  IPv4-mapped
              addresses in private space plus all link-local (LL) and site-local (ULA) addresses.

       --rebind-localhost-ok
              Exempt 127.0.0.0/8 and ::1 from rebinding checks. This address range is returned by
              realtime black hole servers, so blocking it may disable these services.

       --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
              Do not detect and block dns-rebind on queries to these domains. The argument may be
              either  a  single  domain, or multiple domains surrounded by '/', like the --server
              syntax, eg.  --rebind-domain-ok=/domain1/domain2/domain3/

       -n, --no-poll
              Don't poll /etc/resolv.conf for changes.

       --clear-on-reload
              Whenever /etc/resolv.conf is re-read or the upstream  servers  are  set  via  DBus,
              clear  the  DNS cache.  This is useful when new nameservers may have different data
              than that held in cache.

       -D, --domain-needed
              Tells dnsmasq to never forward A or AAAA queries for plain names, without  dots  or
              domain  parts, to upstream nameservers. If the name is not known from /etc/hosts or
              DHCP then a "not found" answer is returned.

       -S,  --local,  --server=[/[<domain>]/[domain/]][<server>[#<port>]][@<interface>][@<source-
       ip>[#<port>]]
              Specify  upstream  servers directly. Setting this flag does not suppress reading of
              /etc/resolv.conf, use --no-resolv to do that. If one or more optional  domains  are
              given,  that  server is used only for those domains and they are queried only using
              the specified server. This is intended for  private  nameservers:  if  you  have  a
              nameserver    on    your   network   which   deals   with   names   of   the   form
              xxx.internal.thekelleys.org.uk   at   192.168.1.1    then    giving     the    flag
              --server=/internal.thekelleys.org.uk/192.168.1.1 will send all queries for internal
              machines  to  that  nameserver,  everything  else  will  go  to  the   servers   in
              /etc/resolv.conf.  DNSSEC  validation  is  turned off for such private nameservers,
              UNLESS a --trust-anchor is specified for the domain in question.  An  empty  domain
              specification,  //  has  the  special  meaning of "unqualified names only" ie names
              without any dots in them. A non-standard port may be specified as part  of  the  IP
              address using a # character.  More than one --server flag is allowed, with repeated
              domain or ipaddr parts as required.

              More  specific  domains  take  precedence   over   less   specific   domains,   so:
              --server=/google.com/1.2.3.4 --server=/www.google.com/2.3.4.5 will send queries for
              google.com and gmail.google.com to 1.2.3.4, but www.google.com will go to 2.3.4.5

              Matching of domains is normally done on complete labels,  so  /google.com/  matches
              google.com  and www.google.com but NOT supergoogle.com. This can be overridden with
              a * at the start of  a  pattern  only:  /*google.com/  will  match  google.com  and
              www.google.com  AND  supergoogle.com.  The  non-wildcard  form  has priority, so if
              /google.com/  and  /*google.com/   are   both   specified   then   google.com   and
              www.google.com   will   match   /google.com/  and  /*google.com/  will  only  match
              supergoogle.com.

              For historical reasons, the pattern /.google.com/ is equivalent to /google.com/  if
              you  wish  to  match  any  subdomain  of  google.com but NOT google.com itself, use
              /*.google.com/

              The  special  server  address  '#'  means,   "use   the   standard   servers",   so
              --server=/google.com/1.2.3.4   --server=/www.google.com/#  will  send  queries  for
              google.com  and  its  subdomains  to  1.2.3.4,  except  www.google.com   (and   its
              subdomains) which will be forwarded as usual.

              Also  permitted  is  a  -S  flag which gives a domain but no IP address; this tells
              dnsmasq that a domain is local and it may answer queries from  /etc/hosts  or  DHCP
              but  should  never forward queries on that domain to any upstream servers.  --local
              is a synonym for --server to make configuration files clearer in this case.

              IPv6     addresses     may     include     an     %interface      scope-id,      eg
              fe80::202:a412:4512:7bbf%eth0.

              The  optional  string  after the @ character tells dnsmasq how to set the source of
              the queries to this nameserver. It can either be an ip-address, an  interface  name
              or  both.  The ip-address should belong to the machine on which dnsmasq is running,
              otherwise this server line will be logged and then ignored. If an interface name is
              given,  then  queries  to  the  server will be forced via that interface; if an ip-
              address is given then the source address  of  the  queries  will  be  set  to  that
              address;  and if both are given then a combination of ip-address and interface name
              will be used to steer requests to the server.  The query-port flag is  ignored  for
              any  servers  which  have  a source address specified but the port may be specified
              directly as part of the source address. Forcing queries  to  an  interface  is  not
              implemented on all platforms supported by dnsmasq.

              Upstream  servers  may  be specified with a hostname rather than an IP address.  In
              this case, dnsmasq will try to use the system resolver to get the IP address  of  a
              server  during  startup. If name resolution fails, starting dnsmasq fails, too.  If
              the system's configuration is such that  the  system  resolver  sends  DNS  queries
              through the dnsmasq instance which is starting up then this will time-out and fail.

       --rev-server=<ip-address>[/<prefix-len>][,<server>][#<port>][@<interface>][@<source-
       ip>[#<port>]]
              This is functionally the same as --server, but provides  some  syntactic  sugar  to
              make    specifying    address-to-name    queries   easier.   For   example   --rev-
              server=1.2.3.0/24,192.168.0.1  is   exactly   equivalent   to   --server=/3.2.1.in-
              addr.arpa/192.168.0.1  Allowed  prefix lengths are 1-32 (IPv4) and 1-128 (IPv6). If
              the prefix length is omitted, dnsmasq substitutes either 32 (IPv4) or 128 (IPv6).

       -A, --address=/<domain>[/<domain>...]/[<ipaddr>]
              Specify an IP address to return for any host in the given  domains.   A  (or  AAAA)
              queries in the domains are never forwarded and always replied to with the specified
              IP address which may be IPv4 or IPv6. To give multiple addresses or both  IPv4  and
              IPv6  addresses  for  a domain, use repeated --address flags.  Note that /etc/hosts
              and DHCP leases override this for individual names. A common  use  of  this  is  to
              redirect  the  entire  doubleclick.net  domain to some friendly local web server to
              avoid banner ads. The domain specification works in the same way as  for  --server,
              with the additional facility that /#/ matches any domain. Thus --address=/#/1.2.3.4
              will always return 1.2.3.4 for any query not answered from /etc/hosts or  DHCP  and
              not  sent  to  an upstream nameserver by a more specific --server directive. As for
              --server, one or more domains with no address returns a no-such-domain  answer,  so
              --address=/example.com/   is   equivalent  to  --server=/example.com/  and  returns
              NXDOMAIN for example.com and all  its  subdomains.  An  address  specified  as  '#'
              translates  to  the  NULL  address  of  0.0.0.0  and  its  IPv6 equivalent of :: so
              --address=/example.com/#  will  return  NULL  addresses  for  example.com  and  its
              subdomains.  This  is partly syntactic sugar for --address=/example.com/0.0.0.0 and
              --address=/example.com/:: but  is  also  more  efficient  than  including  both  as
              separate  configuration  lines.  Note that NULL addresses normally work in the same
              way as localhost, so beware that clients looking up these names are likely  to  end
              up talking to themselves.

              Note that the behaviour for queries which don't match the specified address literal
              changed   in   version   2.86.    Previous   versions,   configured    with    (eg)
              --address=/example.com/1.2.3.4  and  then  queried for a RR type other than A would
              return a NoData answer. From  2.86, the query is  sent  upstream.  To  restore  the
              pre-2.86    behaviour,   use   the   configuration   --address=/example.com/1.2.3.4
              --local=/example.com/

       --ipset=/<domain>[/<domain>...]/<ipset>[,<ipset>...]
              Places the resolved IP addresses  of  queries  for  one  or  more  domains  in  the
              specified  Netfilter IP set. If multiple setnames are given, then the addresses are
              placed in each of them, subject to the limitations of an  IP  set  (IPv4  addresses
              cannot  be  stored  in  an IPv6 IP set and vice versa).  Domains and subdomains are
              matched in the same way as --address.   These  IP  sets  must  already  exist.  See
              ipset(8) for more details.

       --nftset=/<domain>[/<domain>...]/[(6|4)#[<family>#]<table>#<set>[,[(6|4)#[<family>#]<table>#<set>]...]
              Similar to the --ipset option, but accepts one or more  nftables  sets  to  add  IP
              addresses  into.   These  sets must already exist. See nft(8) for more details. The
              family, table and set are passed directly to the nft. If the spec starts with 4# or
              6#  then  only A or AAAA records respectively are added to the set. Since an nftset
              can hold only IPv4 or IPv6 addresses, this avoids errors being logged for addresses
              of the wrong type.

       --connmark-allowlist-enable[=<mask>]
              Enables  filtering  of  incoming DNS queries with associated Linux connection track
              marks according to individual allowlists configured via  a  series  of  --connmark-
              allowlist  options.  Disallowed queries are not forwarded; they are rejected with a
              REFUSED error code.  DNS queries are only allowed if they do not have an associated
              Linux  connection  track  mark,  or if the queried domains match the configured DNS
              patterns for the associated  Linux  connection  track  mark.  If  no  allowlist  is
              configured  for a Linux connection track mark, all DNS queries associated with that
              mark are rejected.  If a mask is specified, Linux connection track marks are  first
              bitwise ANDed with the given mask before being processed.

       --connmark-allowlist=<connmark>[/<mask>][,<pattern>[/<pattern>...]]
              Configures  the  DNS  patterns  that are allowed in DNS queries associated with the
              given Linux connection track mark.  If a mask is specified, Linux connection  track
              marks  are  first bitwise ANDed with the given mask before they are compared to the
              given connection track  mark.   Patterns  follow  the  syntax  of  DNS  names,  but
              additionally  allow  the wildcard character "*" to be used up to twice per label to
              match 0 or more characters within that label. Note that the wildcard never  matches
              a    dot    (e.g.,    "*.example.com"    matches    "api.example.com"    but    not
              "api.us.example.com"). Patterns must be fully qualified, i.e., consist of at  least
              two  labels. The final label must not be fully numeric, and must not be the "local"
              pseudo-TLD. A pattern must end with at least  two  literal  (non-wildcard)  labels.
              Instead  of  a  pattern,  "*" can be specified to disable allowlist filtering for a
              given Linux connection track mark entirely.

       -m, --mx-host=<mx name>[[,<hostname>],<preference>]
              Return an MX record named <mx name> pointing to the given hostname (if  given),  or
              the  host  specified in the --mx-target switch or, if that switch is not given, the
              host on which dnsmasq is running. The default is useful  for  directing  mail  from
              systems  on  a  LAN  to  a  central  server.  The preference value is optional, and
              defaults to 1 if not given. More than one MX record may be given for a host.

       -t, --mx-target=<hostname>
              Specify the default target for the MX record returned by  dnsmasq.  See  --mx-host.
              If  --mx-target  is  given,  but  not  --mx-host,  then dnsmasq returns a MX record
              containing the MX target for MX queries on the hostname of  the  machine  on  which
              dnsmasq is running.

       -e, --selfmx
              Return  an  MX record pointing to itself for each local machine. Local machines are
              those in /etc/hosts or with DHCP leases.

       -L, --localmx
              Return an MX record pointing to the host given by --mx-target (or  the  machine  on
              which  dnsmasq  is  running)  for  each  local machine. Local machines are those in
              /etc/hosts or with DHCP leases.

       -W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<priority>[,<weight>]]]]
              Return a SRV DNS record. See RFC2782 for  details.  If  not  supplied,  the  domain
              defaults  to  that  given by --domain.  The default for the target domain is empty,
              and the default for port is one and the defaults for weight and priority are  zero.
              Be  careful if transposing data from BIND zone files: the port, weight and priority
              numbers  are  in  a  different  order.  More  than  one  SRV  record  for  a  given
              service/domain is allowed, all that match are returned.

       --host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-address>][,<TTL>]
              Add A, AAAA and PTR records to the DNS. This adds one or more names to the DNS with
              associated IPv4 (A) and IPv6 (AAAA) records. A name may appear  in  more  than  one
              --host-record  and  therefore  be  assigned  more  than one address. Only the first
              address creates a PTR record linking the address to the name. This is the same rule
              as  is  used  reading hosts-files.  --host-record options are considered to be read
              before host-files, so a name appearing there inhibits  PTR-record  creation  if  it
              appears  in  hosts-file also. Unlike hosts-files, names are not expanded, even when
              --expand-hosts is in effect. Short and long names may appear in  the  same  --host-
              record, eg.  --host-record=laptop,laptop.thekelleys.org,192.168.0.1,1234::100

              If  the time-to-live is given, it overrides the default, which is zero or the value
              of --local-ttl. The value is a positive  integer  and  gives  the  time-to-live  in
              seconds.

       --dynamic-host=<name>,[IPv4-address],[IPv6-address],<interface>
              Add  A,  AAAA  and  PTR  records  to  the  DNS  in the same subnet as the specified
              interface. The address is derived from the network part of each address  associated
              with  the  interface,  and  the  host  part from the specified address. For example
              --dynamic-host=example.com,0.0.0.8,eth0   will,   when   eth0   has   the   address
              192.168.78.x  and  netmask  255.255.255.0 give the name example.com an A record for
              192.168.78.8. The same principle  applies  to  IPv6  addresses.  Note  that  if  an
              interface  has  more  than  one  address,  more  than  one A or AAAA record will be
              created. The TTL of the records is  always  zero,  and  any  changes  to  interface
              addresses will be immediately reflected in them.

       -Y, --txt-record=<name>[[,<text>],<text>]
              Return  a  TXT  DNS  record.  The  value of TXT record is a set of strings, so  any
              number may be included, delimited by commas;  use  quotes  to  put  commas  into  a
              string.  Note  that the maximum length of a single string is 255 characters, longer
              strings are split into 255 character chunks.

       --ptr-record=<name>[,<target>]
              Return a PTR DNS record.

       --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<regexp>[,<replacement>]
              Return an NAPTR DNS record, as specified in RFC3403.

       --caa-record=<name>,<flags>,<tag>,<value>
              Return a CAA DNS record, as specified in RFC6844.

       --cname=<cname>,[<cname>,]<target>[,<TTL>]
              Return a CNAME record which indicates that <cname> is really <target>. There  is  a
              significant  limitation  on  the  target; it must be a DNS record which is known to
              dnsmasq and NOT a DNS record which comes from an upstream server. The cname must be
              unique,  but  it  is  permissible  to have more than one cname pointing to the same
              target. Indeed it's possible to declare multiple cnames to a  target  in  a  single
              line, like so: --cname=cname1,cname2,target

              If  the time-to-live is given, it overrides the default, which is zero or the value
              of --local-ttl. The value is a positive  integer  and  gives  the  time-to-live  in
              seconds.

       --dns-rr=<name>,<RR-number>,[<hex data>]
              Return  an  arbitrary  DNS  Resource  Record.  The number is the type of the record
              (which is always in the C_IN class). The value of the record is given  by  the  hex
              data,  which  may  be  of the form 01:23:45 or 01 23 45 or 012345 or any mixture of
              these.

       --interface-name=<name>,<interface>[/4|/6]
              Return DNS  records  associating  the  name  with  the  address(es)  of  the  given
              interface.  This  flag specifies an A or AAAA record for the given name in the same
              way as an /etc/hosts line, except that the address is not constant, but taken  from
              the  given interface. The interface may be followed by "/4" or "/6" to specify that
              only IPv4 or IPv6 addresses of the interface should be used. If  the  interface  is
              down, not configured or non-existent, an empty record is returned. The matching PTR
              record is also created, mapping the interface address to the name.  More  than  one
              name  may  be  associated  with an interface address by repeating the flag; in that
              case the first instance is used for the reverse address-to-name mapping. Note  that
              a name used in --interface-name may not appear in /etc/hosts.

       --synth-domain=<domain>,<address range>[,<prefix>[*]]
              Create  artificial  A/AAAA and PTR records for an address range. The records either
              seqential numbers or the address, with periods (or colons for IPv6)  replaced  with
              dashes.

              An   examples  should  make  this  clearer.  First  sequential  numbers.   --synth-
              domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-* results in  the  name
              internal-0.thekelleys.org.uk.  returning 192.168.0.50, internal-1.thekelleys.org.uk
              returning 192.168.0.51 and so on. (note the *) The same principle applies  to  IPv6
              addresses  (where  the  numbers may be very large). Reverse lookups from address to
              name behave as expected.

              Second,  --synth-domain=thekelleys.org.uk,192.168.0.0/24,internal-  (no   *)   will
              result   in   a   query   for   internal-192-168-0-56.thekelleys.org.uk   returning
              192.168.0.56 and a reverse query vice versa. The same applies  to  IPv6,  but  IPv6
              addresses may start with '::' but DNS labels may not start with '-' so in this case
              if no prefix is configured a zero is added in front of the label. ::1 becomes 0--1.

              V4 mapped IPv6 addresses, which  have  a  representation  like  ::ffff:1.2.3.4  are
              handled specially, and become like 0--ffff-1-2-3-4

              The  address  range  can  be  of  the  form  <start  address>,<end  address> or <ip
              address>/<prefix-length> in both forms of the option. For IPv6 the  start  and  end
              addresses  must fall in the same /64 network, or prefix-length must be greater than
              or equal to 64 except that shorter prefix lengths than 64 are allowed only if  non-
              sequential names are in use.

       --dumpfile=<path/to/file>
              Specify  the  location  of  a pcap-format file which dnsmasq uses to dump copies of
              network packets for debugging purposes. If the file exists when dnsmasq starts,  it
              is not deleted; new packets are added to the end.

       --dumpmask=<mask>
              Specify which types of packets should be added to the dumpfile. The argument should
              be the OR of the bitmasks for each type of packet to be dumped: it can be specified
              in  hex  by  preceding the number with 0x in  the normal way. Each time a packet is
              written to the dumpfile, dnsmasq logs the packet sequence and the mask representing
              its  type.  The  current  types  are: 0x0001 - DNS queries from clients, 0x0002 DNS
              replies to clients, 0x0004 - DNS queries to upstream, 0x0008  -  DNS  replies  from
              upstream, 0x0010 - queries send upstream for DNSSEC validation, 0x0020 - replies to
              queries for DNSSEC validation, 0x0040 - replies to client queries which fail DNSSEC
              validation,  0x0080 replies to queries for DNSSEC validation which fail validation,
              0x1000 - DHCPv4, 0x2000 - DHCPv6, 0x4000 - Router advertisement, 0x8000 - TFTP.

       --add-mac[=base64|text]
              Add the MAC address of the requestor to DNS queries which are  forwarded  upstream.
              This  may be used to DNS filtering by the upstream server. The MAC address can only
              be added if the requestor is on the same subnet as the dnsmasq  server.  Note  that
              the  mechanism  used  to achieve this (an EDNS0 option) is not yet standardised, so
              this should be considered experimental. Also note that exposing  MAC  addresses  in
              this  way  may  have  security  and privacy implications. The warning about caching
              given for --add-subnet applies to --add-mac too. An  alternative  encoding  of  the
              MAC,  as  base64,  is enabled by adding the "base64" parameter and a human-readable
              encoding of hex-and-colons is enabled by added the "text" parameter.

       --strip-mac
              Remove any MAC address information already in downstream queries before  forwarding
              upstream.

       --add-cpe-id=<string>
              Add an arbitrary identifying string to DNS queries which are forwarded upstream.

       --add-subnet[[=[<IPv4   address>/]<IPv4  prefix  length>][,[<IPv6  address>/]<IPv6  prefix
       length>]]
              Add a subnet address to the DNS queries which are forwarded upstream. If an address
              is  specified in the flag, it will be used, otherwise, the address of the requestor
              will be used. The amount of the address forwarded  depends  on  the  prefix  length
              parameter:  32  (128 for IPv6) forwards the whole address, zero forwards none of it
              but still marks the request so that no upstream nameserver will add client  address
              information  either. The default is zero for both IPv4 and IPv6. Note that upstream
              nameservers  may  be  configured  to  return  different  results  based   on   this
              information,  but  the  dnsmasq  cache  does not take account. Caching is therefore
              disabled for such replies, unless the subnet address being added is constant.

              For example, --add-subnet=24,96 will add the /24 and /96 subnets of  the  requestor
              for  IPv4  and  IPv6  requestors,  respectively.   --add-subnet=1.2.3.4/24 will add
              1.2.3.0/24  for  IPv4  requestors   and   ::/0   for   IPv6   requestors.    --add-
              subnet=1.2.3.4/24,1.2.3.4/24 will add 1.2.3.0/24 for both IPv4 and IPv6 requestors.

       --strip-subnet
              Remove  any  subnet address already present in a downstream query before forwarding
              it upstream. If --add-subnet is set this also ensures that any  downstream-provided
              subnet is replaced by the one added by dnsmasq. Otherwise, dnsmasq will NOT replace
              an existing subnet in the query.

       --umbrella[=[deviceid:<deviceid>][,orgid:<orgid>][,assetid:<id>]]
              Embeds the requestor's IP address in DNS queries forwarded upstream.  If device  id
              or,  asset  id or organization id are specified, the information is included in the
              forwarded queries and may be able to be used in filtering policies  and  reporting.
              The  order  of  the  id  attributes  is irrelevant, but they must be separated by a
              comma. Deviceid is a sixteen digit  hexadecimal  number,  org  and  asset  ids  are
              decimal numbers.

       -c, --cache-size=<cachesize>
              Set  the  size of dnsmasq's cache. The default is 150 names. Setting the cache size
              to zero disables caching. Note: huge cache size impacts performance.

       -N, --no-negcache
              Disable negative caching. Negative caching allows  dnsmasq  to  remember  "no  such
              domain"  answers  from  upstream  nameservers  and answer identical queries without
              forwarding them again.

       --no-round-robin
              Dnsmasq normally permutes the order of A or AAAA  records  for  the  same  name  on
              successive  queries, for load-balancing. This turns off that behaviour, so that the
              records are always returned in the order that they are received from upstream.

       --use-stale-cache[=<max TTL excess in s>]
              When set, if a DNS name exists in the cache,  but  its  time-to-live  has  expired,
              dnsmasq  will  return  the  data  anyway.  (It attempts to refresh the data with an
              upstream query after  returning  the  stale  data.)  This  can  improve  speed  and
              reliability.  It  comes  at the expense of sometimes returning out-of-date data and
              less efficient cache utilisation, since old data cannot be  flushed  when  its  TTL
              expires, so the cache becomes mostly least-recently-used. To mitigate issues caused
              by massively outdated DNS replies, the maximum overaging of cached records  can  be
              specified in seconds (defaulting to not serve anything older than one day). Setting
              the TTL excess time to zero will serve stale cache data regardless how long it  has
              expired.

       -0, --dns-forward-max=<queries>
              Set  the  maximum number of concurrent DNS queries. The default value is 150, which
              should be fine for most setups. The only known situation where  this  needs  to  be
              increased  is  when  using  web-server log file resolvers, which can generate large
              numbers of concurrent queries. This  parameter  actually  controls  the  number  of
              concurrent  queries  per server group, where a server group is the set of server(s)
              associated with  a  single  domain.  So  if  a  domain  has  it's  own  server  via
              --server=/example.com/1.2.3.4  and  1.2.3.4  is  not  responding,  but  queries for
              *.example.com cannot go elsewhere, then other queries  will  not  be  affected.  On
              configurations  with  many  such  server groups and tight resources, this value may
              need to be reduced.

       --dnssec
              Validate DNS replies and cache DNSSEC data. When forwarding  DNS  queries,  dnsmasq
              requests  the  DNSSEC  records  needed  to  validate  the  replies. The replies are
              validated and the result returned as the Authenticated Data bit in the DNS  packet.
              In  addition  the  DNSSEC  records  are  stored  in the cache, making validation by
              clients more efficient. Note that validation by clients is the most  secure  DNSSEC
              mode,  but for clients unable to do validation, use of the AD bit set by dnsmasq is
              useful, provided that the network between the dnsmasq  server  and  the  client  is
              trusted.  Dnsmasq  must  be  compiled  with  HAVE_DNSSEC  enabled, and DNSSEC trust
              anchors provided, see --trust-anchor.  Because the DNSSEC validation  process  uses
              the  cache,  it  is  not  permitted to reduce the cache size below the default when
              DNSSEC is enabled. The nameservers upstream of dnsmasq must be  DNSSEC-capable,  ie
              capable  of  returning DNSSEC records with data. If they are not, then dnsmasq will
              not be able to determine the trusted status of answers  and  this  means  that  DNS
              service will be entirely broken.

       --trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
              Provide  DS  records  to act a trust anchors for DNSSEC validation. Typically these
              will be the DS record(s) for Key Signing key(s) (KSK) of the root zone,  but  trust
              anchors  for limited domains are also possible. The current root-zone trust anchors
              may be downloaded from https://data.iana.org/root-anchors/root-anchors.xml

       --dnssec-check-unsigned[=no]
              As a default, dnsmasq checks that unsigned DNS replies are legitimate: this entails
              possible  extra  queries  even  for the majority of DNS zones which are not, at the
              moment, signed. If --dnssec-check-unsigned=no appears in  the  configuration,  then
              such  replies  they  are  assumed to be valid and passed on (without the "authentic
              data" bit set, of course). This  does  not  protect  against  an  attacker  forging
              unsigned replies for signed DNS zones, but it is fast.

              Versions  of  dnsmasq prior to 2.80 defaulted to not checking unsigned replies, and
              used --dnssec-check-unsigned to switch this on. Such configurations  will  continue
              to  work as before, but those which used the default of no checking will need to be
              altered to explicitly select no checking. The new default is because switching  off
              checking  for  unsigned  replies is inherently dangerous. Not only does it open the
              possiblity of forged replies, but it allows everything to appear to be working even
              when  the  upstream  namesevers  do  not support DNSSEC, and in this case no DNSSEC
              validation at all is occurring.

       --dnssec-no-timecheck
              DNSSEC signatures are only valid for specified time windows, and should be rejected
              outside  those  windows.  This generates an interesting chicken-and-egg problem for
              machines which don't have a  hardware  real  time  clock.  For  these  machines  to
              determine  the  correct  time  typically requires use of NTP and therefore DNS, but
              validating DNS requires that the correct time is already known. Setting  this  flag
              removes  the  time-window  checks (but not other DNSSEC validation.) only until the
              dnsmasq process receives SIGINT. The intention is that dnsmasq  should  be  started
              with  this  flag  when  the platform determines that reliable time is not currently
              available. As soon as reliable time is established, a  SIGINT  should  be  sent  to
              dnsmasq,  which  enables  time  checking, and purges the cache of DNS records which
              have not been thoroughly checked.

              Earlier versions of dnsmasq overloaded SIGHUP (which re-reads  much  configuration)
              to also enable time validation.

              If  dnsmasq  is  run in debug mode (--no-daemon flag) then SIGINT retains its usual
              meaning of terminating the dnsmasq process.

       --dnssec-timestamp=<path>
              Enables an alternative way of checking the validity of the system time  for  DNSSEC
              (see  --dnssec-no-timecheck).  In  this  case,  the system time is considered to be
              valid once it becomes later than the timestamp on the specified file. The  file  is
              created  and its timestamp set automatically by dnsmasq. The file must be stored on
              a persistent filesystem, so that it and its mtime are carried over system restarts.
              The  timestamp  file  is created after dnsmasq has dropped root, so it must be in a
              location writable by the unprivileged user that dnsmasq runs as.

       --proxy-dnssec
              Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients.
              This  is  an  alternative  to having dnsmasq validate DNSSEC, but it depends on the
              security of  the  network  between  dnsmasq  and  the  upstream  servers,  and  the
              trustworthiness  of  the upstream servers. Note that caching the Authenticated Data
              bit correctly in all cases is not technically possible. If the  AD  bit  is  to  be
              relied  upon  when  using  this  option,  then  the  cache should be disabled using
              --cache-size=0. In most cases, enabling  DNSSEC  validation  within  dnsmasq  is  a
              better option. See --dnssec for details.

       --dnssec-limits=<limit>[,<limit>.......]
              Override  the  default  resource limits applied to DNSSEC validation. Cryptographic
              operations are expensive and crafted domains can DoS a DNSSEC validator by  forcing
              it  to  do  hundreds  of  thousands  of such operations. To avoid this, the dnsmasq
              validation code applies limits on how much work will be expended in validation.  If
              any  of the limits are exceeded, the validation will fail and the domain treated as
              BOGUS. There are  four  limits,  in  order(default  values  in  parens):  number  a
              signature  validation fails per RRset(20), number of signature validations and hash
              computations per query(200), number of sub-queries to fetch DS  and  DNSKEY  RRsets
              per  query(40),  and  the number of iterations in a NSEC3 record(150).  The maximum
              values reached during validation are stored,  and  dumped  as  part  of  the  stats
              generated  by SIGUSR1. Supplying a limit value of 0 leaves the default in place, so
              --dnssec-limits=0,0,20 sets the number of sub-queries  to  20  whilst  leaving  the
              other limits at default values.

       --dnssec-debug
              Set  debugging  mode  for  the  DNSSEC validation, set the Checking Disabled bit on
              upstream queries, and don't convert replies which do not validate to responses with
              a  return  code of SERVFAIL. Note that setting this may affect DNS behaviour in bad
              ways, it is not an extra-logging flag and should not be set in production.

       --auth-zone=<domain>[,<subnet>[/<prefix                        length>][,<subnet>[/<prefix
       length>].....][,exclude:<subnet>[/<prefix length>]].....]
              Define  a  DNS zone for which dnsmasq acts as authoritative server. Locally defined
              DNS records which are in the domain will be served. If subnet(s) are given,  A  and
              AAAA records must be in one of the specified subnets.

              As  alternative  to directly specifying the subnets, it's possible to give the name
              of an interface, in which case the subnets implied by that  interface's  configured
              addresses and netmask/prefix-length are used; this is useful when using constructed
              DHCP ranges as the actual  address  is  dynamic  and  not  known  when  configuring
              dnsmasq.  The  interface  addresses  may  be  confined to only IPv6 addresses using
              <interface>/6 or to only IPv4 using <interface>/4. This is useful when an interface
              has  dynamically  determined global IPv6 addresses which should appear in the zone,
              but RFC1918 IPv4 addresses which should not.   Interface-name  and  address-literal
              subnet specifications may be used freely in the same --auth-zone declaration.

              It's  possible  to  exclude certain IP addresses from responses. It can be used, to
              make sure that answers contain only global routeable  IP  addresses  (by  excluding
              loopback, RFC1918 and ULA addresses).

              The  subnet(s)  are also used to define in-addr.arpa and ip6.arpa domains which are
              served for reverse-DNS queries. If not specified, the prefix length defaults to  24
              for  IPv4  and 64 for IPv6.  For IPv4 subnets, the prefix length should be have the
              value 8, 16 or 24 unless you are familiar with RFC 2317 and have arranged  the  in-
              addr.arpa  delegation  accordingly.  Note that if no subnets are specified, then no
              reverse queries are answered.

       --auth-soa=<serial>[,<hostmaster>[,<refresh>[,<retry>[,<expiry>]]]]
              Specify fields in the SOA record associated with  authoritative  zones.  Note  that
              this is optional, all the values are set to sane defaults.

       --auth-sec-servers=<domain>[,<domain>[,<domain>...]]
              Specify  any secondary servers for a zone for which dnsmasq is authoritative. These
              servers must be configured to get zone data from  dnsmasq  by  zone  transfer,  and
              answer queries for the same authoritative zones as dnsmasq.

       --auth-peer=<ip-address>[,<ip-address>[,<ip-address>...]]
              Specify  the  addresses  of  secondary  servers  which are allowed to initiate zone
              transfer (AXFR) requests for zones for which  dnsmasq  is  authoritative.  If  this
              option  is not given but --auth-sec-servers is, then AXFR requests will be accepted
              from any secondary. Specifying --auth-peer without --auth-sec-servers enables  zone
              transfer but does not advertise the secondary in NS records returned by dnsmasq.

       --conntrack
              Read  the  Linux connection track mark associated with incoming DNS queries and set
              the same mark value on upstream traffic used to answer those queries.  This  allows
              traffic  generated  by  dnsmasq  to  be associated with the queries which cause it,
              useful for bandwidth  accounting  and  firewalling.  Dnsmasq  must  have  conntrack
              support  compiled  in  and  the  kernel  must  have  conntrack support included and
              configured. This option cannot be combined with --query-port.

       -F,                   --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-
       addr>|<mode>[,<netmask>[,<broadcast>]]][,<lease time>]

       -F,               --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-IPv6addr>[,<end-
       IPv6addr>|constructor:<interface>][,<mode>][,<prefix-len>][,<lease time>]

              Enable the DHCP server. Addresses will be given out from the range <start-addr>  to
              <end-addr>  and  from statically defined addresses given in --dhcp-host options. If
              the lease time is given, then leases will be given for that  length  of  time.  The
              lease  time  is  in  seconds,  or minutes (eg 45m) or hours (eg 1h) or days (2d) or
              weeks (1w) or "infinite". If not given, the default lease time is one hour for IPv4
              and  one  day for IPv6. The minimum lease time is two minutes. For IPv6 ranges, the
              lease time maybe "deprecated"; this sets the preferred  lifetime  sent  in  a  DHCP
              lease or router advertisement to zero, which causes clients to use other addresses,
              if available, for new connections as a prelude to renumbering.

              This option may be repeated, with different addresses, to enable  DHCP  service  to
              more  than  one network. For directly connected networks (ie, networks on which the
              machine running dnsmasq has an interface) the netmask  is  optional:  dnsmasq  will
              determine  it  from  the  interface  configuration. For networks which receive DHCP
              service via a relay agent, dnsmasq cannot  determine  the  netmask  itself,  so  it
              should be specified, otherwise dnsmasq will have to guess, based on the class (A, B
              or C) of the network address. The broadcast  address  is  always  optional.  It  is
              always allowed to have more than one --dhcp-range in a single subnet.

              For  IPv6,  the parameters are slightly different: instead of netmask and broadcast
              address, there is an optional prefix length which must be equal to or  larger  then
              the prefix length on the local interface. If not given, this defaults to 64. Unlike
              the IPv4 case, the prefix length is not automatically derived  from  the  interface
              configuration. The minimum size of the prefix length is 64.

              IPv6 (only) supports another type of range. In this, the start address and optional
              end address contain only the network  part  (ie  ::1)  and  they  are  followed  by
              constructor:<interface>.   This  forms  a  template  which  describes how to create
              ranges, based on the addresses assigned to the interface. For instance

              --dhcp-range=::1,::400,constructor:eth0

              will look for addresses on eth0 and  then  create  a  range  from  <network>::1  to
              <network>::400.  If  the  interface  is  assigned  more  than one network, then the
              corresponding ranges will be automatically created, and then deprecated and finally
              removed again as the address is deprecated and then deleted. The interface name may
              have a final "*" wildcard. Note that just any address on eth0 will not do: it  must
              not be an autoconfigured or privacy address, or be deprecated.

              If  a  --dhcp-range  is  only  being used for stateless DHCP and/or SLAAC, then the
              address can be simply ::

              --dhcp-range=::,constructor:eth0

              The optional set:<tag> sets an alphanumeric label which marks this network so  that
              DHCP  options  may  be  specified on a per-network basis.  When it is prefixed with
              'tag:' instead, then its meaning changes from setting a tag to  matching  it.  Only
              one tag may be set, but more than one tag may be matched.

              The  optional  <mode>  keyword may be static which tells dnsmasq to enable DHCP for
              the network specified, but not to dynamically allocate  IP  addresses:  only  hosts
              which  have  static  addresses  given  via  --dhcp-host or from /etc/ethers will be
              served. A static-only subnet with address all zeros may be used  as  a  "catch-all"
              address  to  enable replies to all Information-request packets on a subnet which is
              provided with stateless DHCPv6, ie --dhcp-range=::,static

              For IPv4, the <mode> may be proxy in which case dnsmasq will provide proxy-DHCP  on
              the specified subnet. (See --pxe-prompt and --pxe-service for details.)

              For  IPv6,  the  mode  may  be  some  combination  of ra-only, slaac, ra-names, ra-
              stateless, ra-advrouter, off-link.

              ra-only tells dnsmasq to offer Router Advertisement only on this  subnet,  and  not
              DHCP.

              slaac  tells  dnsmasq to offer Router Advertisement on this subnet and to set the A
              bit in the router advertisement, so that the client will use SLAAC addresses.  When
              used  with  a  DHCP  range or static DHCP address this results in the client having
              both a DHCP-assigned and a SLAAC address.

              ra-stateless sends router advertisements with the O and A bits set, and provides  a
              stateless DHCP service. The client will use a SLAAC address, and use DHCP for other
              configuration information.

              ra-names enables a mode which gives DNS names to dual-stack hosts  which  do  SLAAC
              for  IPv6.  Dnsmasq  uses the host's IPv4 lease to derive the name, network segment
              and MAC address and assumes that the host will also have an IPv6 address calculated
              using  the SLAAC algorithm, on the same network segment. The address is pinged, and
              if a reply is received, an AAAA record is added to the DNS for this  IPv6  address.
              Note that this is only happens for directly-connected networks, (not one doing DHCP
              via a relay) and it will not work if a host is using privacy extensions.   ra-names
              can be combined  with ra-stateless and slaac.

              ra-advrouter  enables  a  mode  where router address(es) rather than prefix(es) are
              included in the advertisements.  This is described in RFC-3775 section 7.2  and  is
              used  in  mobile  IPv6.  In  this  mode  the  interval  option is also included, as
              described in RFC-3775 section 7.3.

              off-link tells dnsmasq to advertise the prefix without the on-link (aka L) bit set.

       -G,                                                                                --dhcp-
       host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,tag:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
              Specify per host parameters for the DHCP server.  This  allows  a  machine  with  a
              particular  hardware  address  to be always allocated the same hostname, IP address
              and lease time. A hostname specified like this overrides any supplied by  the  DHCP
              client  on  the  machine.  It  is  also  allowable to omit the hardware address and
              include the hostname, in which case the IP address and lease times  will  apply  to
              any      machine      claiming      that      name.     For     example     --dhcp-
              host=00:20:e0:3b:13:af,wap,infinite tells dnsmasq to give the machine with hardware
              address  00:20:e0:3b:13:af  the  name  wap,  and  an  infinite DHCP lease.  --dhcp-
              host=lap,192.168.0.199 tells dnsmasq to always allocate  the  machine  lap  the  IP
              address 192.168.0.199.

              Addresses  allocated  like this are not constrained to be in the range given by the
              --dhcp-range option, but they must be in the same subnet as some valid  dhcp-range.
              For  subnets  which  don't  need a pool of dynamically allocated addresses, use the
              "static" keyword in the --dhcp-range declaration.

              It is allowed to use client identifiers (called client DUID  in  IPv6-land)  rather
              than  hardware  addresses  to identify hosts by prefixing with 'id:'. Thus: --dhcp-
              host=id:01:02:03:04,.....  refers to the host with client  identifier  01:02:03:04.
              It  is  also  allowed  to  specify  the  client  ID  as  text,  like  this: --dhcp-
              host=id:clientidastext,.....

              A single --dhcp-host may contain an IPv4 address or one or more IPv6 addresses,  or
              both.   IPv6   addresses  must  be  bracketed  by  square  brackets  thus:  --dhcp-
              host=laptop,[1234::56] IPv6 addresses may contain only  the  host-identifier  part:
              --dhcp-host=laptop,[::56]  in  which case they act as wildcards in constructed DHCP
              ranges, with the appropriate network  part  inserted.  For  IPv6,  an  address  may
              include  a  prefix  length:  --dhcp-host=laptop,[1234:50/126]  which (in this case)
              specifies four addresses, 1234::50 to 1234::53. This (an  the  ability  to  specify
              multiple  addresses)  is  useful  when  a host presents either a consistent name or
              hardware-ID, but varying DUIDs, since  it  allows  dnsmasq  to  honour  the  static
              address  allocation  but  assign a different adddress for each DUID. This typically
              occurs when chain netbooting, as each stage of the chain gets in turn allocates  an
              address.

              Note  that  in  IPv6  DHCP,  the  hardware  address may not be available, though it
              normally is for direct-connected  clients,  or  clients  using  DHCP  relays  which
              support RFC 6939.

              For  DHCPv4,  the   special  option  id:*  means  "ignore any client-id and use MAC
              addresses only." This is useful when a client presents a  client-id  sometimes  but
              not others.

              If  a name appears in /etc/hosts, the associated address can be allocated to a DHCP
              lease, but only if a --dhcp-host option specifying the name also exists.  Only  one
              hostname  can  be  given in a --dhcp-host option, but aliases are possible by using
              CNAMEs. (See --cname ). Note that /etc/hosts is NOT used when the DNS  server  side
              of dnsmasq is disabled by setting the DNS server port to zero.

              More than one --dhcp-host can be associated (by name, hardware address or UID) with
              a host. Which one is used (and therefore which address is  allocated  by  DHCP  and
              appears  in  the  DNS) depends on the subnet on which the host last obtained a DHCP
              lease: the --dhcp-host with an address within the subnet is used. If more than  one
              address  is within the subnet, the result is undefined. A corollary to this is that
              the name associated with a host using --dhcp-host does not appear in the DNS  until
              the host obtains a DHCP lease.

              The  special  keyword  "ignore"  tells  dnsmasq  to  never  offer a DHCP lease to a
              machine. The machine can be specified by hardware address, client ID  or  hostname,
              for  instance  --dhcp-host=00:20:e0:3b:13:af,ignore  This  is  useful when there is
              another DHCP server on the network which should be used by some machines.

              The set:<tag> construct sets the tag whenever this --dhcp-host directive is in use.
              This can be used to selectively send DHCP options just for this host. More than one
              tag can be  set  in  a  --dhcp-host  directive  (but  not  in  other  places  where
              "set:<tag>"  is  allowed).  When  a  host matches any --dhcp-host directive (or one
              implied by /etc/ethers) then the special tag "known" is set. This allows dnsmasq to
              be   configured   to   ignore   requests   from   unknown  machines  using  --dhcp-
              ignore=tag:!known If the host matches only a --dhcp-host directive which cannot  be
              used  because it specifies an address on different subnet, the tag "known-othernet"
              is set.

              The tag:<tag> construct filters which dhcp-host directives are used; more than  one
              can be provided, in this case the request must match all of them. Tagged directives
              are used in preference to untagged ones. Note that one of <hwaddr>, <client_id>  or
              <hostname> still needs to be specified (can be a wildcard).

              Ethernet  addresses  (but  not  client-ids) may have wildcard bytes, so for example
              --dhcp-host=00:20:e0:3b:13:*,ignore  will  cause  dnsmasq  to  ignore  a  range  of
              hardware  addresses.  Note  that  the  "*"  will  need to be escaped or quoted on a
              command line, but not in the configuration file.

              Hardware addresses normally match any network (ARP) type, but  it  is  possible  to
              restrict them to a single ARP type by preceding them with the ARP-type (in HEX) and
              "-". so  --dhcp-host=06-00:20:e0:3b:13:af,1.2.3.4  will  only  match  a  Token-Ring
              hardware address, since the ARP-address type for token ring is 6.

              As  a  special  case,  in  DHCPv4, it is possible to include more than one hardware
              address.   eg:   --dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2   This
              allows  an  IP address to be associated with multiple hardware addresses, and gives
              dnsmasq permission to abandon a DHCP lease to one of the  hardware  addresses  when
              another  one asks for a lease. Beware that this is a dangerous thing to do, it will
              only work reliably if only one of the hardware addresses is active at any time  and
              there  is  no  way  for  dnsmasq  to  enforce  this. It is, for instance, useful to
              allocate a stable IP address  to  a  laptop  which  has  both  wired  and  wireless
              interfaces.

       --dhcp-hostsfile=<path>
              Read  DHCP  host information from the specified file. If a directory is given, then
              read all the files contained in that directory  in  alphabetical  order.  The  file
              contains  information  about one host per line. The format of a line is the same as
              text to the right of '='  in  --dhcp-host.  The  advantage  of  storing  DHCP  host
              information in this file is that it can be changed without re-starting dnsmasq: the
              file will be re-read when dnsmasq receives SIGHUP.

       --dhcp-optsfile=<path>
              Read DHCP option information from the specified file.  If  a  directory  is  given,
              then  read  all  the  files  contained in that directory in alphabetical order. The
              advantage of using this option is the same as  for  --dhcp-hostsfile:  the  --dhcp-
              optsfile  will be re-read when dnsmasq receives SIGHUP. Note that it is possible to
              encode the information in a --dhcp-boot flag as DHCP  options,  using  the  options
              names  bootfile-name,  server-ip-address  and  tftp-server. This allows these to be
              included in a --dhcp-optsfile.

       --dhcp-hostsdir=<path>
              This is equivalent to --dhcp-hostsfile, except for the following. The path MUST  be
              a  directory, and not an individual file. Changed or new files within the directory
              are read automatically, without the need to send SIGHUP.  If a file is  deleted  or
              changed  after  it has been read by dnsmasq, then the host record it contained will
              remain until dnsmasq receives a SIGHUP, or is restarted; ie host records  are  only
              added  dynamically.  The  order  in  which the files in a directory are read is not
              defined.

       --dhcp-optsdir=<path>
              This is equivalent to --dhcp-optsfile,  with  the  differences  noted  for  --dhcp-
              hostsdir.

       -Z, --read-ethers
              Read  /etc/ethers  for  information  about hosts for the DHCP server. The format of
              /etc/ethers is a hardware address, followed by either a hostname or dotted-quad  IP
              address.  When  read by dnsmasq these lines have exactly the same effect as --dhcp-
              host options containing the same information. /etc/ethers is re-read  when  dnsmasq
              receives SIGHUP. IPv6 addresses are NOT read from /etc/ethers.

       -O,                               --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-
       encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-
       name>|option6:<opt>|option6:<opt-name>],[<value>[,<value>]]
              Specify  different or extra options to DHCP clients. By default, dnsmasq sends some
              standard options to DHCP clients, the netmask and broadcast address are set to  the
              same  as  the host running dnsmasq, and the DNS server and default route are set to
              the address of the machine running dnsmasq. (Equivalent rules apply for  IPv6.)  If
              the domain name option has been set, that is sent.  This configuration allows these
              defaults to be overridden, or other options specified. The option, to be  sent  may
              be  given  as  a decimal number or as "option:<option-name>" The option numbers are
              specified in RFC2132 and subsequent RFCs. The set of option-names known by  dnsmasq
              can  be  discovered  by  running  "dnsmasq  --help  dhcp".  For example, to set the
              default route option to  192.168.4.4,  do  --dhcp-option=3,192.168.4.4  or  --dhcp-
              option  =  option:router,  192.168.4.4  and  to  set  the  time-server  address  to
              192.168.0.4, do --dhcp-option  =  42,192.168.0.4  or  --dhcp-option  =  option:ntp-
              server,  192.168.0.4  The  special address 0.0.0.0 is taken to mean "the address of
              the machine running dnsmasq".

              An option without data is valid, and includes just the option without data.  (There
              is  only  one  option  with  a zero length data field currently defined for DHCPv4,
              80:rapid commit, so this feature is not very useful in practice). Options for which
              dnsmasq  normally  provides  default  values can be ommitted by defining the option
              with no data. These are netmask, broadcast,  router,  DNS  server,  domainname  and
              hostname.  Thus,  for DHCPv4 --dhcp-option = option:router will result in no router
              option being sent, rather than the default of the host on which dnsmasq is running.
              For DHCPv6, the same is true of the options DNS server and refresh time.

              Data  types allowed are comma separated dotted-quad IPv4 addresses, []-wrapped IPv6
              addresses, a decimal number, colon-separated hex digits and a text string.  If  the
              optional  tags  are  given  then  this  option  is  only sent when all the tags are
              matched.

              Special processing is done on a text argument for option 119, to conform  with  RFC
              3397.  Text  or  dotted-quad IP addresses as arguments to option 120 are handled as
              per RFC 3361. Dotted-quad IP addresses which are followed by a  slash  and  then  a
              netmask size are encoded as described in RFC 3442.

              IPv6  options  are  specified  using  the  option6: keyword, followed by the option
              number or option name. The IPv6 option name space is disjoint from the IPv4  option
              name  space.  IPv6 addresses in options must be bracketed with square brackets, eg.
              --dhcp-option=option6:ntp-server,[1234::56]  For  IPv6,  [::]  means  "the   global
              address  of the machine running dnsmasq", whilst [fd00::] is replaced with the ULA,
              if it exists, and [fe80::] with the link-local address.

              Be careful: no checking is done that the correct type of data for the option number
              is  sent, it is quite possible to persuade dnsmasq to generate illegal DHCP packets
              with injudicious use of this flag. When the value is a decimal number, dnsmasq must
              determine  how  large the data item is. It does this by examining the option number
              and/or the value, but can be overridden  by  appending  a  single  letter  flag  as
              follows:  b  =  one byte, s = two bytes, i = four bytes. This is mainly useful with
              encapsulated vendor class options (see below) where dnsmasq cannot  determine  data
              size  from  the   option  number.  Option data which consists solely of periods and
              digits will be interpreted by dnsmasq as an IP address, and inserted into an option
              as  such.  To force a literal string, use quotes. For instance when using option 66
              to send a literal IP address as TFTP server name, it is  necessary  to  do  --dhcp-
              option=66,"1.2.3.4"

              Encapsulated  Vendor-class  options may also be specified (IPv4 only) using --dhcp-
              option:   for   instance   --dhcp-option=vendor:PXEClient,1,0.0.0.0    sends    the
              encapsulated  vendor  class-specific  option  "mftp-address=0.0.0.0"  to any client
              whose vendor-class matches "PXEClient".  The  vendor-class  matching  is  substring
              based (see --dhcp-vendorclass for details). If a vendor-class option (number 60) is
              sent by dnsmasq, then that is used for selecting encapsulated options in preference
              to  any  sent  by  the  client.  It is possible to omit the vendorclass completely;
              --dhcp-option=vendor:,1,0.0.0.0 in which case the  encapsulated  option  is  always
              sent.

              Options  may be encapsulated (IPv4 only) within other options: for instance --dhcp-
              option=encap:175, 190, iscsi-client0 will send option  175,  within  which  is  the
              option  190.  If  multiple  options  are given which are encapsulated with the same
              option number then they will be correctly combined into  one  encapsulated  option.
              encap: and vendor: are may not both be set in the same --dhcp-option.

              The final variant on encapsulated options is "Vendor-Identifying Vendor Options" as
              specified by RFC3925. These are denoted like  this:  --dhcp-option=vi-encap:2,  10,
              text  The  number  in  the  vi-encap: section is the IANA enterprise number used to
              identify this option. This form of encapsulation is supported in IPv6.

              The address 0.0.0.0 is not treated specially in encapsulated options.

       --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-
       encap:<enterprise>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
              This  works  in  exactly  the same way as --dhcp-option except that the option will
              always be sent, even if the client does not ask for it  in  the  parameter  request
              list. This is sometimes needed, for example when sending options to PXELinux.

       --dhcp-no-override
              (IPv4  only)  Disable  re-use  of  the DHCP servername and filename fields as extra
              option space. If it can, dnsmasq moves the boot  server  and  filename  information
              (from --dhcp-boot) out of their dedicated fields into DHCP options. This make extra
              space available in the DHCP packet for options but  can,  rarely,  confuse  old  or
              broken  clients.  This flag forces "simple and safe" behaviour to avoid problems in
              such a case.

       --dhcp-relay=<local address>[,<server address>[#<server port>]][,<interface]
              Configure dnsmasq to do DHCP relay. The local address is an address allocated to an
              interface on the host running dnsmasq. All DHCP requests arriving on that interface
              will we relayed to a remote DHCP server at the server address. It  is  possible  to
              relay  from  a  single  local  address to multiple remote servers by using multiple
              --dhcp-relay configs with the same local address and different server addresses.  A
              server  address  must  be  an  IP literal address, not a domain name. If the server
              address is omitted, the request will be forwarded by broadcast (IPv4) or  multicast
              (IPv6).  In  this  case the interface must be given and not be wildcard. The server
              address may specify a non-standard port to relay to. If this is used  then  --dhcp-
              proxy  should likely also be set, otherwise parts of the DHCP conversation which do
              not pass through the relay will be delivered to the wrong port.

              Access control for DHCP clients has the same rules as  for  the  DHCP  server,  see
              --interface,  --except-interface,  etc.  The optional interface name in the --dhcp-
              relay config has a different function: it controls on which interface DHCP  replies
              from  the  server  will be accepted. This is intended for configurations which have
              three interfaces: one being relayed from, a second connecting the DHCP server,  and
              a  third untrusted network, typically the wider internet. It avoids the possibility
              of spoof replies arriving via this third interface.

              It is allowed to have dnsmasq act as a DHCP server on one  set  of  interfaces  and
              relay  from  a disjoint set of interfaces. Note that whilst it is quite possible to
              write configurations which appear to act as a  server  and  a  relay  on  the  same
              interface, this is not supported: the relay function will take precedence.

              Both  DHCPv4  and DHCPv6 relay is supported. It's not possible to relay DHCPv4 to a
              DHCPv6 server or vice-versa.

              The DHCP relay function for IPv6 includes the ability  to  snoop  prefix-delegation
              from relayed DHCP transactions. See --dhcp-script for details.

       -U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<vendor-class>
              Map from a vendor-class string to a tag. Most DHCP clients provide a "vendor class"
              which represents, in some sense, the type of host. This option maps vendor  classes
              to  tags, so that DHCP options may be selectively delivered to different classes of
              hosts. For example --dhcp-vendorclass=set:printers,Hewlett-Packard  JetDirect  will
              allow   options   to   be   set   only   for   HP   printers   like   so:   --dhcp-
              option=tag:printers,3,192.168.4.4 The  vendor-class  string  is  substring  matched
              against  the vendor-class supplied by the client, to allow fuzzy matching. The set:
              prefix is optional but allowed for consistency.

              Note that in  IPv6  only,  vendorclasses  are  namespaced  with  an  IANA-allocated
              enterprise  number.  This is given with enterprise: keyword and specifies that only
              vendorclasses matching the specified number should be searched.

       -j, --dhcp-userclass=set:<tag>,<user-class>
              Map from a user-class string  to  a  tag  (with  substring  matching,  like  vendor
              classes).  Most  DHCP  clients  provide  a "user class" which is configurable. This
              option maps user classes to tags, so that DHCP options may be selectively delivered
              to  different  classes  of hosts. It is possible, for instance to use this to set a
              different printer server for hosts in the class "accounts" than for  hosts  in  the
              class "engineering".

       -4, --dhcp-mac=set:<tag>,<MAC address>
              Map from a MAC address to a tag. The MAC address may include wildcards. For example
              --dhcp-mac=set:3com,01:34:23:*:*:* will set the tag "3com" for any host  whose  MAC
              address matches the pattern.

       --dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-remoteid=set:<tag>,<remote-id>
              Map  from  RFC3046  relay  agent options to tags. This data may be provided by DHCP
              relay agents. The circuit-id or remote-id is normally given as colon-separated hex,
              but  is  also  allowed to be a simple string. If an exact match is achieved between
              the circuit or agent ID and one provided by a relay agent, the tag is set.

              --dhcp-remoteid (but not --dhcp-circuitid) is supported in IPv6.

       --dhcp-subscrid=set:<tag>,<subscriber-id>
              (IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent options to tags.

       --dhcp-proxy[=<ip addr>]......
              (IPv4 only) A normal DHCP relay agent is only used to forward the initial parts  of
              a DHCP interaction to the DHCP server. Once a client is configured, it communicates
              directly with the server. This is undesirable if the relay agent  is  adding  extra
              information  to the DHCP packets, such as that used by --dhcp-circuitid and --dhcp-
              remoteid.  A full relay implementation  can  use  the  RFC  5107  serverid-override
              option  to force the DHCP server to use the relay as a full proxy, with all packets
              passing through it. This flag provides an alternative  method  of  doing  the  same
              thing,  for  relays  which  don't support RFC 5107. Given alone, it manipulates the
              server-id for all interactions via relays. If a list of IP addresses is given, only
              interactions via relays at those addresses are affected.

       --dhcp-match=set:<tag>,<option               number>|option:<option              name>|vi-
       encap:<enterprise>[,<value>]
              Without a value, set the tag if the client sends a DHCP option of the given  number
              or  name. When a value is given, set the tag only if the option is sent and matches
              the value. The value may be of the form "01:ff:*:02" in which case the  value  must
              match  (apart  from wildcards) but the option sent may have unmatched data past the
              end of the value. The value may also be of the same form  as  in  --dhcp-option  in
              which  case  the option sent is treated as an array, and one element must match, so
              --dhcp-match=set:efi-ia32,option:client-arch,6 will set the tag "efi-ia32"  if  the
              the  number 6 appears in the list of architectures sent by the client in option 93.
              (See RFC 4578 for details.)  If the value is a string, substring matching is used.

              The  special  form  with  vi-encap:<enterprise  number>  matches  against   vendor-
              identifying  vendor  classes  for the specified enterprise. Please see RFC 3925 for
              more details of these rare and interesting beasts.

       --dhcp-name-match=set:<tag>,<name>[*]
              Set the tag if the given name is supplied by a DHCP client. There may be  a  single
              trailing  wildcard  *,  which  has  the usual meaning. Combined with dhcp-ignore or
              dhcp-ignore-names this gives the ability to ignore  certain  clients  by  name,  or
              disallow certain hostnames from being claimed by a client.

       --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
              Perform  boolean  operations  on tags. Any tag appearing as set:<tag> is set if all
              the tags which appear as tag:<tag> are set, (or unset when tag:!<tag> is  used)  If
              no  tag:<tag>  appears  set:<tag> tags are set unconditionally.  Any number of set:
              and tag: forms may appear, in any order.  --tag-if lines are executed in order,  so
              if  the  tag in tag:<tag> is a tag set by another --tag-if, the line which sets the
              tag must precede the one which tests it.

              As an extension, the tag:<tag> clauses support limited wildcard  matching,  similar
              to  the  matching  in  the  --interface directive.  This allows, for example, using
              --tag-if=set:ppp,tag:ppp* to set the tag 'ppp' for all  requests  received  on  any
              matching  interface  (ppp0,  ppp1,  etc).  This can be used in conjunction with the
              tag:!<tag> format meaning that no tag matching the wildcard may be set.

       -J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
              When all the given tags appear in the tag set ignore the host and do  not  allocate
              it a DHCP lease.

       --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
              When  all the given tags appear in the tag set, ignore any hostname provided by the
              host. Note that, unlike --dhcp-ignore, it is permissible  to  supply  no  tags,  in
              which  case  DHCP-client  supplied hostnames are always ignored, and DHCP hosts are
              added to the DNS using only --dhcp-host configuration in dnsmasq and  the  contents
              of /etc/hosts and /etc/ethers.

       --dhcp-generate-names=tag:<tag>[,tag:<tag>]
              (IPv4 only) Generate a name for DHCP clients which do not otherwise have one, using
              the MAC address expressed in hex, separated by dashes. Note that if a host provides
              a name, it will be used by preference to this, unless --dhcp-ignore-names is set.

       --dhcp-broadcast[=tag:<tag>[,tag:<tag>]]
              (IPv4  only) When all the given tags appear in the tag set, always use broadcast to
              communicate with the host when it is unconfigured. It is permissible to  supply  no
              tags,  in  which case this is unconditional. Most DHCP clients which need broadcast
              replies set a flag in their requests so that this happens automatically,  some  old
              BOOTP clients do not.

       -M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server address>|<tftp_servername>]]
              (IPv4  only)  Set  BOOTP options to be returned by the DHCP server. Server name and
              address are optional: if not provided, the name is left empty, and the address  set
              to  the  address  of  the  machine  running dnsmasq. If dnsmasq is providing a TFTP
              service (see --enable-tftp ) then only the filename  is  required  here  to  enable
              network  booting.   If  the  optional  tag(s)  are  given, they must match for this
              configuration to be sent.  Instead of an IP address, the TFTP server address can be
              given  as  a  domain  name  which  is  looked  up  in  /etc/hosts. This name can be
              associated in /etc/hosts with multiple IP addresses, which  are  used  round-robin.
              This facility can be used to load balance the tftp load among a set of servers.

       --dhcp-sequential-ip
              Dnsmasq  is  designed  to  choose IP addresses for DHCP clients using a hash of the
              client's MAC address. This normally allows a  client's  address  to  remain  stable
              long-term,  even  if the client  sometimes allows its DHCP lease to expire. In this
              default mode IP addresses are distributed pseudo-randomly over the entire available
              address  range.  There  are  sometimes  circumstances (typically server deployment)
              where it is more convenient to have IP addresses allocated  sequentially,  starting
              from  the  lowest  available address, and setting this flag enables this mode. Note
              that in the sequential mode, clients which allow a lease to expire  are  much  more
              likely to move IP address; for this reason it should not be generally used.

       --dhcp-ignore-clid
              Dnsmasq  is  reading  'client  identifier'  (RFC  2131)  option sent by clients (if
              available) to identify clients. This allow to serve same  IP  address  for  a  host
              using  several  interfaces. Use this option to disable 'client identifier' reading,
              i.e. to always identify a host using the MAC address.

       --pxe-service=[tag:<tag>,]<CSA>,<menu        text>[,<basename>|<bootservicetype>][,<server
       address>|<server_name>]
              Most  uses of PXE boot-ROMS simply allow the PXE system to obtain an IP address and
              then download the file specified by --dhcp-boot and execute  it.  However  the  PXE
              system  is  capable  of  more  complex  functions when supported by a suitable DHCP
              server.

              This specifies a boot option which may appear in a PXE boot menu. <CSA>  is  client
              system  type,  only  services  of the correct type will appear in a menu. The known
              types are x86PC,  PC98,  IA64_EFI,  Alpha,  Arc_x86,  Intel_Lean_Client,  IA32_EFI,
              x86-64_EFI, Xscale_EFI, BC_EFI, ARM32_EFI and ARM64_EFI; an integer may be used for
              other types. The parameter after the menu text may be a file name,  in  which  case
              dnsmasq  acts  as  a boot server and directs the PXE client to download the file by
              TFTP, either from itself ( --enable-tftp must be set for this to work)  or  another
              TFTP  server  if  the  final  server  address/name is given.  Note that the "layer"
              suffix (normally ".0") is supplied by PXE, and need not be added to  the  basename.
              Alternatively,  the basename may be a filename, complete with suffix, in which case
              no layer suffix is added. If an integer boot service type, rather than  a  basename
              is given, then the PXE client will search for a suitable boot service for that type
              on the network. This search may be done by broadcast, or direct to a server if  its
              IP address/name is provided.  If no boot service type or filename is provided (or a
              boot service type of 0 is specified) then the menu entry will abort  the  net  boot
              procedure and continue booting from local media. The server address can be given as
              a domain name which is looked up in /etc/hosts. This  name  can  be  associated  in
              /etc/hosts with multiple IP addresses, which are used round-robin.

       --pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]
              Setting  this  provides  a prompt to be displayed after PXE boot. If the timeout is
              given then after the  timeout  has  elapsed  with  no  keyboard  input,  the  first
              available  menu  option will be automatically executed. If the timeout is zero then
              the first available menu item will be  executed  immediately.  If  --pxe-prompt  is
              omitted  the  system  will  wait  for user input if there are multiple items in the
              menu, but boot immediately if there is only one. See --pxe-service for  details  of
              menu items.

              Dnsmasq  supports PXE "proxy-DHCP", in this case another DHCP server on the network
              is responsible for  allocating  IP  addresses,  and  dnsmasq  simply  provides  the
              information  given in --pxe-prompt and --pxe-service to allow netbooting. This mode
              is enabled using the proxy keyword in --dhcp-range.

       --dhcp-pxe-vendor=<vendor>[,...]
              According to UEFI and PXE specifications, DHCP  packets  between  PXE  clients  and
              proxy  PXE  servers should have PXEClient in their vendor-class field. However, the
              firmware of computers from a  few  vendors  is  customized  to  carry  a  different
              identifier  in  that  field. This option is used to consider such identifiers valid
              for identifying PXE clients. For instance

              --dhcp-pxe-vendor=PXEClient,HW-Client

              will enable dnsmasq to also provide proxy PXE service to those PXE clients with HW-
              Client in as their identifier.

       -X, --dhcp-lease-max=<number>
              Limits dnsmasq to the specified maximum number of DHCP leases. The default is 1000.
              This limit is to prevent DoS attacks from hosts which create  thousands  of  leases
              and use lots of memory in the dnsmasq process.

       -K, --dhcp-authoritative
              Should  be  set  when dnsmasq is definitely the only DHCP server on a network.  For
              DHCPv4, it changes the behaviour from strict RFC compliance so that  DHCP  requests
              on  unknown leases from unknown hosts are not ignored. This allows new hosts to get
              a lease without a tedious timeout under all circumstances. It also  allows  dnsmasq
              to  rebuild its lease database without each client needing to reacquire a lease, if
              the database is lost. For DHCPv6 it sets  the  priority  in  replies  to  255  (the
              maximum) instead of 0 (the minimum).

       --dhcp-rapid-commit
              Enable DHCPv4 Rapid Commit Option specified in RFC 4039. When enabled, dnsmasq will
              respond to a DHCPDISCOVER message including a Rapid Commit option  with  a  DHCPACK
              including  a  Rapid  Commit  option  and  fully committed address and configuration
              information. Should only be enabled if either the server is  the  only  server  for
              the  subnet, or multiple servers are present and they each commit a binding for all
              clients.

       --dhcp-alternate-port[=<server port>[,<client port>]]
              (IPv4 only) Change the ports used for DHCP from the  default.  If  this  option  is
              given  alone,  without arguments, it changes the ports used for DHCP from 67 and 68
              to 1067 and 1068. If a single argument is given, that port number is used  for  the
              server  and the port number plus one used for the client. Finally, two port numbers
              allows arbitrary specification of both server and client ports for DHCP.

       -3, --bootp-dynamic[=<network-id>[,<network-id>]]
              (IPv4 only) Enable dynamic allocation of IP addresses to BOOTP  clients.  Use  this
              with  care,  since  each address allocated to a BOOTP client is leased forever, and
              therefore becomes permanently unavailable for re-use by other  hosts.  if  this  is
              given  without tags, then it unconditionally enables dynamic allocation. With tags,
              only when the tags are all set. It may be repeated with different tag sets.

       -5, --no-ping
              (IPv4 only) By default, the DHCP server will attempt to ensure that an  address  is
              not  in  use  before  allocating it to a host. It does this by sending an ICMP echo
              request (aka "ping") to the address in question. If  it  gets  a  reply,  then  the
              address  must  already  be  in  use,  and another is tried. This flag disables this
              check. Use with caution.

       --log-dhcp
              Extra logging for DHCP: log all the options sent to DHCP clients and the tags  used
              to determine them.

       --quiet-dhcp, --quiet-dhcp6, --quiet-ra, --quiet-tftp
              Suppress  logging  of the routine operation of these protocols. Errors and problems
              will still be logged. --quiet-tftp does not consider file not found to be an error.
              --quiet-dhcp and quiet-dhcp6 are over-ridden by --log-dhcp.

       -l, --dhcp-leasefile=<path>
              Use the specified file to store DHCP lease information.

       --dhcp-duid=<enterprise-id>,<uid>
              (IPv6  only)  Specify  the  server persistent UID which the DHCPv6 server will use.
              This option is not normally required as dnsmasq creates a DUID  automatically  when
              it  is  first needed. When given, this option provides dnsmasq the data required to
              create a DUID-EN type DUID. Note that once set, the DUID is  stored  in  the  lease
              database,  so  to  change  between DUID-EN and automatically created DUIDs or vice-
              versa, the lease database must be re-initialised. The enterprise-id is assigned  by
              IANA, and the uid is a string of hex octets unique to a particular device.

       -6 --dhcp-script=<path>
              Whenever  a  new  DHCP  lease  is  created, or an old one destroyed, or a TFTP file
              transfer completes, the executable specified by this option is run.  <path> must be
              an  absolute  pathname,  no  PATH  search occurs.  The arguments to the process are
              "add", "old" or "del", the MAC address of the host (or DUID  for  IPv6)  ,  the  IP
              address,  and  the  hostname, if known. "add" means a lease has been created, "del"
              means it has been destroyed, "old" is a notification  of  an  existing  lease  when
              dnsmasq  starts  or a change to MAC address or hostname of an existing lease (also,
              lease length or expiry and client-id, if --leasefile-ro is set and lease expiry  if
              --script-on-renewal  is set).  If the MAC address is from a network type other than
              ethernet, it will have the network type prepended,  eg  "06-01:23:45:67:89:ab"  for
              token ring. The process is run as root (assuming that dnsmasq was originally run as
              root) even if dnsmasq is configured to change UID to an unprivileged user.

              The environment is inherited from the invoker of dnsmasq, with some or all  of  the
              following variables added

              For both IPv4 and IPv6:

              DNSMASQ_DOMAIN if the fully-qualified domain name of the host is known, this is set
              to the  domain part. (Note that the hostname passed to the script as an argument is
              never fully-qualified.)

              If the client provides a hostname, DNSMASQ_SUPPLIED_HOSTNAME

              If the client provides user-classes, DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn

              If  dnsmasq  was  compiled  with  HAVE_BROKEN_RTC, then the length of the lease (in
              seconds) is stored in DNSMASQ_LEASE_LENGTH, otherwise the time of lease  expiry  is
              stored in DNSMASQ_LEASE_EXPIRES. The number of seconds until lease expiry is always
              stored in DNSMASQ_TIME_REMAINING.

              DNSMASQ_DATA_MISSING is  set  to  "1"  during  "old"  events  for  existing  leases
              generated  at  startup  to  indicate  that  data not stored in the persistent lease
              database will not be present. This comprises  everything  other  than  IP  address,
              hostname, MAC address, DUID, IAID and lease length or expiry time.

              If  a  lease used to have a hostname, which is removed, an "old" event is generated
              with the new state of the lease, ie no name, and the former name is provided in the
              environment variable DNSMASQ_OLD_HOSTNAME.

              DNSMASQ_INTERFACE  stores  the  name of the interface on which the request arrived;
              this is not set for "old" actions when dnsmasq restarts.

              DNSMASQ_RELAY_ADDRESS is set if the client used a DHCP relay to contact dnsmasq and
              the IP address of the relay is known.

              DNSMASQ_TAGS  contains  all  the tags set during the DHCP transaction, separated by
              spaces.

              DNSMASQ_LOG_DHCP is set if --log-dhcp is in effect.

              DNSMASQ_REQUESTED_OPTIONS a string containing the decimal values in  the  Parameter
              Request  List  option,  comma  separated,  if  the parameter request list option is
              provided by the client.

              DNSMASQ_MUD_URL the Manufacturer Usage Description URL if provided by  the  client.
              (See RFC8520 for details.)

              For IPv4 only:

              DNSMASQ_CLIENT_ID if the host provided a client-id.

              DNSMASQ_CIRCUIT_ID,  DNSMASQ_SUBSCRIBER_ID, DNSMASQ_REMOTE_ID if a DHCP relay-agent
              added any of these options.

              If the client provides vendor-class, DNSMASQ_VENDOR_CLASS.

              For IPv6 only:

              If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID, containing  the  IANA
              enterprise  id  for the class, and DNSMASQ_VENDOR_CLASS0..DNSMASQ_VENDOR_CLASSn for
              the data.

              DNSMASQ_SERVER_DUID containing the DUID of the server: this is the same  for  every
              call to the script.

              DNSMASQ_IAID  containing  the  IAID  for  the  lease.  If  the lease is a temporary
              allocation, this is prefixed to 'T'.

              DNSMASQ_MAC containing the MAC address of the client, if known.

              Note that the supplied hostname, vendorclass and userclass data is  only   supplied
              for  "add"  actions  or  "old" actions when a host resumes an existing lease, since
              these data are not held in dnsmasq's lease database.

              All file descriptors are closed except stdin,  which  is  open  to  /dev/null,  and
              stdout  and  stderr  which  capture output for logging by dnsmasq.  (In debug mode,
              stdio, stdout and stderr file are left as  those  inherited  from  the  invoker  of
              dnsmasq).

              The  script is not invoked concurrently: at most one instance of the script is ever
              running (dnsmasq waits for an instance of script to exit before running the  next).
              Changes to the lease database are which require the script to be invoked are queued
              awaiting exit of a running  instance.   If  this  queueing  allows  multiple  state
              changes  occur  to  a single lease before the script can be run then earlier states
              are discarded and the current state of that lease  is  reflected  when  the  script
              finally runs.

              At  dnsmasq startup, the script will be invoked for all existing leases as they are
              read from the lease file. Expired leases will be called with "del" and others  with
              "old".  When dnsmasq receives a HUP signal, the script will be invoked for existing
              leases with an "old" event.

              There are five further actions which may  appear  as  the  first  argument  to  the
              script,  "init", "arp-add", "arp-del", "relay-snoop" and "tftp".  More may be added
              in the future, so scripts should be written to ignore unknown  actions.  "init"  is
              described below in --leasefile-ro

              The "tftp" action is invoked when a TFTP file transfer completes: the arguments are
              the file size in bytes, the address to which the file was sent,  and  the  complete
              pathname of the file.

              The  "relay-snoop" action is invoked when dnsmasq is configured as a DHCP relay for
              DHCPv6 and it relays a prefx delegation to a client. The arguments are the name  of
              the  interface  where  the  client  is  conected,  its (link-local) address on that
              interface and the delegated prefix.  This  information  is  sufficient  to  install
              routes  to  the  delegated prefix of a router. See --dhcp-relay for more details on
              configuring DHCP relay.

              The "arp-add" and "arp-del" actions are only called if  enabled  with  --script-arp
              They  are  are  supplied  with a MAC address and IP address as arguments. "arp-add"
              indicates the arrival of a new entry in the ARP or neighbour table,  and  "arp-del"
              indicates the deletion of same.

       --dhcp-luascript=<path>
              Specify  a  script  written in Lua, to be run when leases are created, destroyed or
              changed. To use this option, dnsmasq must be compiled with the correct support. The
              Lua  interpreter is initialised once, when dnsmasq starts, so that global variables
              persist between lease events. The Lua code must define a lease  function,  and  may
              provide  init  and  shutdown  functions,  which  are called, without arguments when
              dnsmasq starts up and terminates. It may also provide a tftp function.

              The lease function receives the information detailed in --dhcp-script.  It gets two
              arguments, firstly the action, which is a string containing, "add", "old" or "del",
              and secondly a table of  tag  value  pairs.  The  tags  mostly  correspond  to  the
              environment  variables detailed above, for instance the tag "domain" holds the same
              data as the environment variable DNSMASQ_DOMAIN. There are a few extra  tags  which
              hold  the  data  supplied  as  arguments  to --dhcp-script.  These are mac_address,
              ip_address and hostname for IPv4, and  client_duid,  ip_address  and  hostname  for
              IPv6.

              The  tftp  function  is called in the same way as the lease function, and the table
              holds the tags destination_address, file_name and file_size.

              The arp and arp-old functions are called only when enabled  with  --script-arp  and
              have a table which holds the tags mac_address and client_address.

       --dhcp-scriptuser
              Specify  the  user  as  which  to  run  the lease-change script or Lua script. This
              defaults to root, but can be changed to another user using this flag.

       --script-arp
              Enable the "arp" and "arp-old" functions in the --dhcp-script and --dhcp-luascript.

       -9, --leasefile-ro
              Completely suppress use of the lease database file. The file will not  be  created,
              read,  or  written.  Change the way the lease-change script (if one is provided) is
              called, so that the lease database may be maintained in  external  storage  by  the
              script.  In  addition  to  the invocations  given in --dhcp-script the lease-change
              script is called once, at dnsmasq startup, with the single  argument  "init".  When
              called  like this the script should write the saved state of the lease database, in
              dnsmasq leasefile format, to stdout and exit with  zero  exit  code.  Setting  this
              option  also forces the leasechange script to be called on changes to the client-id
              and lease length and expiry time.

       --script-on-renewal
              Call the DHCP script when the lease expiry time  changes,  for  instance  when  the
              lease is renewed.

       --bridge-interface=<interface>,<alias>[,<alias>]
              Treat  DHCP (v4 and v6) requests and IPv6 Router Solicit packets arriving at any of
              the <alias> interfaces as if they had arrived at <interface>.  This  option  allows
              dnsmasq  to  provide  DHCP  and  RA service over unaddressed and unbridged Ethernet
              interfaces, e.g. on an OpenStack compute host where each such interface  is  a  TAP
              interface  to a VM, or as in "old style bridging" on BSD platforms.  A trailing '*'
              wildcard can be used in each <alias>.

              It is permissible to add more than one alias using more than one --bridge-interface
              option   since   --bridge-interface=int1,alias1,alias2  is  exactly  equivalent  to
              --bridge-interface=int1,alias1 --bridge-interface=int1,alias2

       --shared-network=<interface>,<addr>
       --shared-network=<addr>,<addr>
              The DHCP server determines which DHCP ranges are useable for allocating an  address
              to  a DHCP client based on the network from which the DHCP request arrives, and the
              IP configuration of the server's interface  on  that  network.  The  shared-network
              option extends the available subnets (and therefore DHCP ranges) beyond the subnets
              configured on the arrival interface.

              The first argument is either the name of  an  interface,  or  an  address  that  is
              configured  on  a  local  interface,  and  the  second argument is an address which
              defines another subnet on which addresses can be allocated.

              To be useful, there must be a suitable dhcp-range which allows  address  allocation
              on this subnet and this dhcp-range MUST include the netmask.

              Using  shared-network  also  needs extra consideration of routing. Dnsmasq does not
              have the usual information that it uses to determine  the  default  route,  so  the
              default  route  option  (or  other routing) MUST be configured manually. The client
              must have a route to the server: if the two-address form of shared-network is used,
              this  needs  to be to the first specified address. If the interface,address form is
              used, there must be a route to all of the addresses configured on the interface.

              The two-address form of shared-network is also usable with a DHCP relay: the  first
              address  is  the address of the relay and the second, as before, specifies an extra
              subnet which addresses may be allocated from.

       -s, --domain=<domain>[[,<address range>[,local]]|<interface>]
              Specifies DNS domains for the DHCP server. Domains may be be given  unconditionally
              (without  the  IP range) or for limited IP ranges. This has two effects; firstly it
              causes the DHCP server to return the domain to any  hosts  which  request  it,  and
              secondly  it  sets the domain which it is legal for DHCP-configured hosts to claim.
              The intention is to constrain hostnames so that an untrusted host on the LAN cannot
              advertise  its  name via DHCP as e.g. "microsoft.com" and capture traffic not meant
              for it. If no domain suffix is specified, then any DHCP hostname with a domain part
              (ie  with  a  period)  will  be disallowed and logged. If suffix is specified, then
              hostnames with a domain part are allowed, provided  the  domain  part  matches  the
              suffix. In addition, when a suffix is set then hostnames without a domain part have
              the suffix added  as  an  optional  domain  part.  Eg  on  my  network  I  can  set
              --domain=thekelleys.org.uk  and have a machine whose DHCP hostname is "laptop". The
              IP address for that  machine  is  available  from  dnsmasq  both  as  "laptop"  and
              "laptop.thekelleys.org.uk".  If  the domain is given as "#" then the domain is read
              from the first "search" directive in /etc/resolv.conf (or equivalent).

              The  address  range  can  be  of  the  form  <ip  address>,<ip  address>   or   <ip
              address>/<netmask>  or just a single <ip address>. See --dhcp-fqdn which can change
              the behaviour of dnsmasq with domains.

              If the address range is given as ip-address/network-size, then  a  additional  flag
              "local"  may  be  supplied  which has the effect of adding --local declarations for
              forward          and          reverse          DNS           queries.           Eg.
              --domain=thekelleys.org.uk,192.168.0.0/24,local        is        identical       to
              --domain=thekelleys.org.uk,192.168.0.0/24               --local=/thekelleys.org.uk/
              --local=/0.168.192.in-addr.arpa/

              The  address range can also be given as a network interface name, in which case all
              of the subnets currently assigned  to  the  interface  are  used  in  matching  the
              address.  This  allows  hosts  on  different physical subnets to be given different
              domains in a way which updates automatically as the interface addresses change.

       --dhcp-fqdn
              In the default mode, dnsmasq inserts the unqualified names of DHCP clients into the
              DNS.  For this reason, the names must be unique, even if two clients which have the
              same name are in different domains. If a second DHCP client appears which  has  the
              same  name  as  an  existing  client, the name is transferred to the new client. If
              --dhcp-fqdn is set, this behaviour changes: the unqualified name is no  longer  put
              in  the  DNS, only the qualified name. Two DHCP clients with the same name may both
              keep the name, provided that the domain part is different (ie the  fully  qualified
              names  differ.) To ensure that all names have a domain part, there must be at least
              --domain without an address specified when --dhcp-fqdn is set.

       --dhcp-client-update
              Normally, when giving a DHCP lease, dnsmasq sets flags in the FQDN option  to  tell
              the  client  not  to  attempt  a  DDNS update with its name and IP address. This is
              because the name-IP pair is automatically added into dnsmasq's DNS view. This  flag
              suppresses  that  behaviour, this is useful, for instance, to allow Windows clients
              to update Active Directory servers. See RFC 4702 for details.

       --enable-ra
              Enable dnsmasq's IPv6 Router Advertisement feature. DHCPv6 doesn't handle  complete
              network  configuration  in  the same way as DHCPv4. Router discovery and (possibly)
              prefix discovery for  autonomous  address  creation  are  handled  by  a  different
              protocol.  When  DHCP  is  in use, only a subset of this is needed, and dnsmasq can
              handle it, using existing DHCP configuration to  provide  most  data.  When  RA  is
              enabled, dnsmasq will advertise a prefix for each --dhcp-range, with default router
              as the relevant link-local address on the machine running dnsmasq. By default,  the
              "managed  address"  bits  are  set,  and  the "use SLAAC" bit is reset. This can be
              changed for individual subnets with the mode keywords  described  in  --dhcp-range.
              RFC6106 DNS parameters are included in the advertisements. By default, the relevant
              link-local address of the machine running dnsmasq is sent as recursive DNS  server.
              If  provided,  the DHCPv6 options dns-server and domain-search are used for the DNS
              server (RDNSS) and the domain search list (DNSSL).

       --ra-param=<interface>,[mtu:<integer>|<interface>|off,][high,|low,]<ra-interval>[,<router
       lifetime>]
              Set  non-default  values  for  router  advertisements  sent  via  an interface. The
              priority field for the router may be altered from the default  of  medium  with  eg
              --ra-param=eth0,high.   The  interval  between router advertisements may be set (in
              seconds) with --ra-param=eth0,60.  The lifetime of the route may be changed or  set
              to  zero,  which  allows a router to advertise prefixes but not a route via itself.
              --ra-param=eth0,0,0 (A value of zero for the interval means the default value.) All
              four parameters may be set at once.  --ra-param=eth0,mtu:1280,low,60,1200

              The interface field may include a wildcard.

              The  mtu: parameter may be an arbitrary interface name, in which case the MTU value
              for that interface is used. This is useful for (eg) advertising the MTU  of  a  WAN
              interface on the other interfaces of a router.

       --dhcp-reply-delay=[tag:<tag>,]<integer>
              Delays sending DHCPOFFER and PROXYDHCP replies for at least the specified number of
              seconds.  This can be used as workaround for bugs in PXE boot  firmware  that  does
              not  function  properly  when  receiving  an instant reply.  This option takes into
              account the time already spent waiting (e.g. performing ping check) if any.

       --enable-tftp[=<interface>[,<interface>]]
              Enable the TFTP server function. This is deliberately limited  to  that  needed  to
              net-boot  a  client.  Only reading is allowed; the tsize and blksize extensions are
              supported (tsize is only supported in octet mode). Without an  argument,  the  TFTP
              service  is provided to the same set of interfaces as DHCP service.  If the list of
              interfaces is provided, that defines which interfaces receive TFTP service.

       --tftp-root=<directory>[,<interface>]
              Look for files to transfer using TFTP relative to the given directory. When this is
              set,  TFTP  paths  which include ".." are rejected, to stop clients getting outside
              the specified root.  Absolute paths (starting with /) are allowed, but they must be
              within the tftp-root. If the optional interface argument is given, the directory is
              only used for TFTP requests via that interface.

       --tftp-no-fail
              Do not abort startup if specified tftp root directories are inaccessible.

       --tftp-unique-root[=ip|mac]
              Add the IP or hardware address of the TFTP client as a path component on the end of
              the  TFTP-root.  Only  valid  if  a  --tftp-root  is  set and the directory exists.
              Defaults to adding IP address (in standard dotted-quad format).  For  instance,  if
              --tftp-root is "/tftp" and client 1.2.3.4 requests file "myfile" then the effective
              path  will  be  "/tftp/1.2.3.4/myfile"  if  /tftp/1.2.3.4  exists  or  /tftp/myfile
              otherwise.   When "=mac" is specified it will append the MAC address instead, using
              lowercase zero padded digits separated by dashes, e.g.: 01-02-03-04-aa-bb Note that
              resolving  MAC  addresses is only possible if the client is in the local network or
              obtained a DHCP lease from us.

       --tftp-secure
              Enable TFTP secure mode: without this, any file which is readable  by  the  dnsmasq
              process  under  normal  unix  access-control  rules is available via TFTP. When the
              --tftp-secure flag is given, only files owned  by  the  user  running  the  dnsmasq
              process  are  accessible.  If  dnsmasq is being run as root, different rules apply:
              --tftp-secure has no effect, but only files which have the world-readable  bit  set
              are accessible. It is not recommended to run dnsmasq as root with TFTP enabled, and
              certainly not without specifying  --tftp-root.  Doing  so  can  expose  any  world-
              readable file on the server to any host on the net.

       --tftp-lowercase
              Convert  filenames  in  TFTP requests to all lowercase. This is useful for requests
              from Windows machines, which have case-insensitive filesystems  and  tend  to  play
              fast-and-loose  with  case  in  filenames.   Note that dnsmasq's tftp server always
              converts "\" to "/" in filenames.

       --tftp-max=<connections>
              Set the maximum number of concurrent TFTP connections allowed. This defaults to 50.
              When serving a large number of TFTP connections, per-process file descriptor limits
              may be encountered. Dnsmasq needs one file  descriptor  for  each  concurrent  TFTP
              connection  and one file descriptor per unique file (plus a few others). So serving
              the same file simultaneously to n clients will  use  require  about  n  +  10  file
              descriptors, serving different files simultaneously to n clients will require about
              (2*n) + 10 descriptors. If --tftp-port-range is given, that can affect  the  number
              of concurrent connections.

       --tftp-mtu=<mtu size>
              Use  size  as  the  ceiling  of  the  MTU supported by the intervening network when
              negotiating TFTP blocksize, overriding the MTU setting of the local  interface   if
              it is larger.

       --tftp-no-blocksize
              Stop  the  TFTP  server from negotiating the "blocksize" option with a client. Some
              buggy clients request this option but then behave badly when it is granted.

       --tftp-port-range=<start>,<end>
              A TFTP server listens on a well-known port (69) for connection initiation,  but  it
              also  uses  a  dynamically-allocated  port  for each connection. Normally these are
              allocated by the OS, but this option specifies a range of ports  for  use  by  TFTP
              transfers.  This  can  be useful when TFTP has to traverse a firewall. The start of
              the range cannot be lower than 1025 unless dnsmasq is running as root.  The  number
              of concurrent TFTP connections is limited by the size of the port range.

       --tftp-single-port
              Run  in a mode where the TFTP server uses ONLY the well-known port (69) for its end
              of the TFTP transfer. This allows TFTP to work  when  there  in  NAT  is  the  path
              between  client  and server. Note that this is not strictly compliant with the RFCs
              specifying the TFTP protocol: use at your own risk.

       -C, --conf-file=<file>
              Specify a configuration file. The  presence  of  this  option  stops  dnsmasq  from
              reading the default configuration file (normally /etc/dnsmasq.conf). Multiple files
              may be specified by  repeating  the  option  either  on  the  command  line  or  in
              configuration  files.  A  filename of "-" causes dnsmasq to read configuration from
              stdin.

       -7, --conf-dir=<directory>[,<file-extension>......],
              Read all the files in the given directory as configuration files.  If  extension(s)
              are  given,  any  files  which end in those extensions are skipped. Any files whose
              names end in ~ or start with . or start and end with # are always skipped.  If  the
              extension  starts  with  * then only files which have that extension are loaded. So
              --conf-dir=/path/to/dir,*.conf  loads  all  files  with   the   suffix   .conf   in
              /path/to/dir.  This  flag  may  be  given on the command line or in a configuration
              file. If giving it on the command line, be sure to escape * characters.  Files  are
              loaded in alphabetical order of filename.

       --servers-file=<file>
              A special case of --conf-file which differs in two respects. Firstly, only --server
              and --rev-server are allowed in the configuration file included. Secondly, the file
              is re-read and the configuration therein is updated when dnsmasq receives SIGHUP.

       --conf-script=<file>[ <arg]
              Execute  <file>,  and  treat  what  it  emits  to  stdout  as  the  contents  of  a
              configuration file.  If the script exits with a non-zero exit code, dnsmasq  treats
              this  as  a  fatal error.  The script can be passed arguments, space seperated from
              the filename and each other so, for  instance  --conf-dir="/etc/dnsmasq-uncompress-
              ads /share/ads-domains.gz"

              with /etc/dnsmasq-uncompress-ads containing

              set -e

              zcat ${1} | sed -e "s:^:address=/:" -e "s:$:/:"

              exit 0

              and  /share/ads-domains.gz  containing  a compressed list of ad server domains will
              save disk space with large ad-server blocklists.

       --no-ident
              Do not respond to class CHAOS and type TXT in domain bind queries.

              Without this option being set, the cache statistics are also available in  the  DNS
              as  answers to queries of class CHAOS and type TXT in domain bind. The domain names
              are  cachesize.bind,  insertions.bind,  evictions.bind,   misses.bind,   hits.bind,
              auth.bind  and  servers.bind unless disabled at compile-time. An example command to
              query this, using the dig utility would be

              dig +short chaos txt cachesize.bind

       --max-tcp-connections=<number>
              The maximum number of concurrent TCP connections. The application forks  to  handle
              each TCP request. The default maximum is 20.

CONFIG FILE

       At  startup,  dnsmasq  reads  /etc/dnsmasq.conf,  if  it  exists. (On FreeBSD, the file is
       /usr/local/etc/dnsmasq.conf ) (but see the --conf-file and --conf-dir options.) The format
       of  this file consists of one option per line, exactly as the long options detailed in the
       OPTIONS section but without the leading "--". Lines  starting  with  #  are  comments  and
       ignored.  For  options  which may only be specified once, the configuration file overrides
       the command line.  Quoting is allowed in a config  file:  between  "  quotes  the  special
       meanings of ,:. and # are removed and the following escapes are allowed: \\ \" \t \e \b \r
       and \n. The later corresponding to tab, escape, backspace, return and newline.

NOTES

       When it receives a SIGHUP, dnsmasq clears its  cache  and  then  re-loads  /etc/hosts  and
       /etc/ethers  and  any  file  given  by --dhcp-hostsfile, --dhcp-hostsdir, --dhcp-optsfile,
       --dhcp-optsdir, --addn-hosts or --hostsdir.  The DHCP lease change script  is  called  for
       all  existing  DHCP  leases.  If  --no-poll  is set SIGHUP also re-reads /etc/resolv.conf.
       SIGHUP does NOT re-read the configuration file.

       When it receives a SIGUSR1, dnsmasq writes statistics to the system  log.  It  writes  the
       cache  size,  the  number  of  names  which have had to removed from the cache before they
       expired in order to make room for new names and the total number of names that  have  been
       inserted  into  the  cache.  The  number  of  cache  hits  and  misses  and  the number of
       authoritative queries answered are also given. For  each  upstream  server  it  gives  the
       number  of  queries  sent,  and  the  number  which  resulted  in  an error. It also gives
       information on the number of forks for TCP connections. In --no-daemon mode or  when  full
       logging is enabled (--log-queries), a complete dump of the contents of the cache is made.

       When  it receives SIGUSR2 and it is logging direct to a file (see --log-facility ) dnsmasq
       will close and reopen the log file. Note that during this operation, dnsmasq will  not  be
       running  as  root.  When it first creates the logfile dnsmasq changes the ownership of the
       file to the non-root user it will run as. Logrotate should be configured to create  a  new
       log file with the ownership which matches the existing one before sending SIGUSR2.  If TCP
       DNS queries are in progress, the old logfile will remain open in child processes which are
       handling  TCP  queries  and  may  continue to be written. There is a limit of 150 seconds,
       after which all existing TCP processes will have expired: for this reason, it is not  wise
       to  configure  logfile  compression  for  logfiles  which  have  just  been rotated. Using
       logrotate, the required options are create and delaycompress.

       Dnsmasq is a DNS query forwarder: it is not capable  of  recursively  answering  arbitrary
       queries  starting  from  the  root  servers but forwards such queries to a fully recursive
       upstream DNS server which is typically provided by  an  ISP.  By  default,  dnsmasq  reads
       /etc/resolv.conf  to  discover the IP addresses of the upstream nameservers it should use,
       since the information is typically stored there. Unless --no-poll is used, dnsmasq  checks
       the modification time of /etc/resolv.conf (or equivalent if --resolv-file is used) and re-
       reads it if it changes. This allows the DNS servers to be set dynamically by PPP  or  DHCP
       since both protocols provide the information.  Absence of /etc/resolv.conf is not an error
       since it may not have been created before a PPP connection exists.  Dnsmasq  simply  keeps
       checking  in  case  /etc/resolv.conf  is created at any time. Dnsmasq can be told to parse
       more than one resolv.conf file. This is useful on a laptop, where both PPP and DHCP may be
       used:  dnsmasq can be set to poll both /etc/ppp/resolv.conf and /etc/dhcpc/resolv.conf and
       will use the contents of whichever changed last, giving automatic  switching  between  DNS
       servers.

       Upstream  servers  may also be specified on the command line or in the configuration file.
       These server specifications optionally take a domain name which tells dnsmasq to use  that
       server only to find names in that particular domain.

       In  order  to  configure  dnsmasq to act as cache for the host on which it is running, put
       "nameserver 127.0.0.1" in /etc/resolv.conf to force local processes  to  send  queries  to
       dnsmasq.  Then  either  specify  the  upstream  servers directly to dnsmasq using --server
       options or put their addresses real in  another  file,  say  /etc/resolv.dnsmasq  and  run
       dnsmasq  with  the  --resolv-file /etc/resolv.dnsmasq option. This second technique allows
       for dynamic update of the server addresses by PPP or DHCP.

       Addresses in /etc/hosts will "shadow" different  addresses  for  the  same  names  in  the
       upstream  DNS,  so  "mycompany.com  1.2.3.4"  in  /etc/hosts  will ensure that queries for
       "mycompany.com" always return 1.2.3.4 even if queries in the upstream DNS would  otherwise
       return a different address. There is one exception to this: if the upstream DNS contains a
       CNAME which points to a shadowed name, then looking up  the  CNAME  through  dnsmasq  will
       result  in  the unshadowed address associated with the target of the CNAME. To work around
       this, add the CNAME to /etc/hosts so that the CNAME is shadowed too.

       The tag system works as follows: For each DHCP request, dnsmasq collects a  set  of  valid
       tags  from  active  configuration  lines  which  include set:<tag>, including one from the
       --dhcp-range used to allocate the address, one from any matching --dhcp-host (and  "known"
       or  "known-othernet"  if a --dhcp-host matches) The tag "bootp" is set for BOOTP requests,
       and a tag whose name is the name of the interface on which the  request  arrived  is  also
       set.

       Any  configuration lines which include one or more tag:<tag> constructs will only be valid
       if all that tags are matched in the set derived above. Typically  this  is  --dhcp-option.
       --dhcp-option  which  has  tags  will be used in preference  to an untagged --dhcp-option,
       provided that _all_ the tags match somewhere in the set collected as described above.  The
       prefix  '!'  on  a tag means 'not' so --dhcp-option=tag:!purple,3,1.2.3.4 sends the option
       when the tag purple is not in the set of valid tags. (If using  this  in  a  command  line
       rather than a configuration file, be sure to escape !, which is a shell metacharacter)

       When  selecting  --dhcp-options, a tag from --dhcp-range is second class relative to other
       tags,  to  make  it  easy  to  override  options  for   individual   hosts,   so   --dhcp-
       range=set:interface1,......              --dhcp-host=set:myhost,.....              --dhcp-
       option=tag:interface1,option:nis-domain,"domain1"     --dhcp-option=tag:myhost,option:nis-
       domain,"domain2"  will  set the NIS-domain to domain1 for hosts in the range, but override
       that to domain2 for a particular host.

       Note that for --dhcp-range both tag:<tag> and set:<tag> are allowed, to  both  select  the
       range in use based on (eg) --dhcp-host, and to affect the options sent, based on the range
       selected.

       This system evolved from an earlier, more  limited  one  and  for  backward  compatibility
       "net:"  may  be  used instead of "tag:" and "set:" may be omitted. (Except in --dhcp-host,
       where "net:" may be used instead of "set:".) For the same reason, '#' may be used  instead
       of '!' to indicate NOT.

       The  DHCP  server  in  dnsmasq will function as a BOOTP server also, provided that the MAC
       address and IP address for clients are given, either using --dhcp-host  configurations  or
       in  /etc/ethers  , and a --dhcp-range configuration option is present to activate the DHCP
       server on a particular network. (Setting  --bootp-dynamic  removes  the  need  for  static
       address  mappings.)  The filename parameter in a BOOTP request is used as a tag, as is the
       tag "bootp", allowing some control over the  options  returned  to  different  classes  of
       hosts.

AUTHORITATIVE CONFIGURATION

       Configuring  dnsmasq to act as an authoritative DNS server is complicated by the fact that
       it involves configuration of external DNS servers to  provide  delegation.  We  will  walk
       through three scenarios of increasing complexity. Prerequisites for all of these scenarios
       are a globally accessible IP address, an A or AAAA record pointing to that address, and an
       external  DNS  server  capable  of doing delegation of the zone in question. For the first
       part of this explanation, we will call the A (or AAAA) record for the globally  accessible
       address server.example.com, and the zone for which dnsmasq is authoritative our.zone.com.

       The simplest configuration consists of two lines of dnsmasq configuration; something like

       --auth-server=server.example.com,eth0
       --auth-zone=our.zone.com,1.2.3.0/24

       and two records in the external DNS

       server.example.com       A    192.0.43.10
       our.zone.com            NS    server.example.com

       eth0  is  the  external network interface on which dnsmasq is listening, and has (globally
       accessible) address 192.0.43.10.

       Note that the external IP address may well be dynamic (ie assigned from an ISP by DHCP  or
       PPP)  If  so,  the  A record must be linked to this dynamic assignment by one of the usual
       dynamic-DNS systems.

       A more complex, but practically useful  configuration  has  the  address  record  for  the
       globally  accessible  IP  address  residing  in  the  authoritative  zone which dnsmasq is
       serving, typically at the root. Now we have

       --auth-server=our.zone.com,eth0
       --auth-zone=our.zone.com,1.2.3.0/24

       our.zone.com             A    1.2.3.4
       our.zone.com            NS    our.zone.com

       The A record for our.zone.com has now become a glue record, it solves the  chicken-and-egg
       problem  of finding the IP address of the nameserver for our.zone.com when the A record is
       within that zone. Note that this is the only role  of  this  record:  as  dnsmasq  is  now
       authoritative  from  our.zone.com it too must provide this record. If the external address
       is static, this can be done with an /etc/hosts entry or --host-record.

       --auth-server=our.zone.com,eth0
       --host-record=our.zone.com,1.2.3.4
       --auth-zone=our.zone.com,1.2.3.0/24

       If the external address is dynamic, the  address  associated  with  our.zone.com  must  be
       derived  from  the  address of the relevant interface. This is done using --interface-name
       Something like:

       --auth-server=our.zone.com,eth0
       --interface-name=our.zone.com,eth0
       --auth-zone=our.zone.com,1.2.3.0/24,eth0

       (The "eth0" argument in --auth-zone adds the subnet containing eth0's dynamic  address  to
       the zone, so that the --interface-name returns the address in outside queries.)

       Our  final  configuration builds on that above, but also adds a secondary DNS server. This
       is another DNS server which learns the DNS data for the zone by doing zones transfer,  and
       acts  as  a backup should the primary server become inaccessible. The configuration of the
       secondary is beyond the scope of this man-page, but the extra configuration of dnsmasq  is
       simple:

       --auth-sec-servers=secondary.myisp.com

       and

       our.zone.com           NS    secondary.myisp.com

       Adding  auth-sec-servers  enables  zone  transfer  in  dnsmasq,  to allow the secondary to
       collect the DNS data. If you wish to restrict this data to particular hosts then

       --auth-peer=<IP address of secondary>

       will do so.

       Dnsmasq acts as an authoritative server for  in-addr.arpa and ip6.arpa domains  associated
       with  the  subnets given in --auth-zone declarations, so reverse (address to name) lookups
       can be simply configured with a suitable NS record, for instance in this example, where we
       allow 1.2.3.0/24 addresses.

        3.2.1.in-addr.arpa  NS    our.zone.com

       Note  that at present, reverse (in-addr.arpa and ip6.arpa) zones are not available in zone
       transfers, so there is no point arranging secondary servers for reverse lookups.

       When dnsmasq is configured to act as an authoritative server, the following data  is  used
       to populate the authoritative zone.

       --mx-host,  --srv-host,  --dns-rr,  --txt-record, --naptr-record, --caa-record, as long as
       the record names are in the authoritative domain.

       --synth-domain as long as the domain is in the authoritative zone and, for  reverse  (PTR)
       queries, the address is in the relevant subnet.

       --cname  as  long as the record name is in  the authoritative domain. If the target of the
       CNAME is unqualified, then it  is qualified with the authoritative zone name.  CNAME  used
       in this way (only) may be wildcards, as in

       --cname=*.example.com,default.example.com

       IPv4  and  IPv6  addresses  from  /etc/hosts  (and  --addn-hosts  )  and --host-record and
       --interface-name and ---dynamic-host provided the address falls into one  of  the  subnets
       specified in the --auth-zone.

       Addresses  of DHCP leases, provided the address falls into one of the subnets specified in
       the --auth-zone.  (If constructed DHCP ranges are is use,  which  depend  on  the  address
       dynamically  assigned  to an interface, then the form of --auth-zone which defines subnets
       by the dynamic address of an interface should be used to ensure this condition is met.)

       In the default mode, where a DHCP lease has an unqualified name, and possibly a  qualified
       name  constructed  using  --domain  then the name in the authoritative zone is constructed
       from the unqualified name and the zone's domain. This may or may not equal that  specified
       by  --domain.   If --dhcp-fqdn is set, then the fully qualified names associated with DHCP
       leases are used, and must match the zone's domain.

EXIT CODES

       0  -  Dnsmasq  successfully  forked  into  the  background,  or  terminated  normally   if
       backgrounding is not enabled.

       1 - A problem with configuration was detected.

       2  -  A  problem  with  network access occurred (address in use, attempt to use privileged
       ports without permission).

       3 - A problem occurred with a filesystem operation (missing file/directory, permissions).

       4 - Memory allocation failure.

       5 - Other miscellaneous problem.

       11 or greater - a non zero return code was received from the lease-script  process  "init"
       call or a --conf-script file. The exit code from dnsmasq is the script's exit code with 10
       added.

LIMITS

       The default values  for  resource  limits  in  dnsmasq  are  generally  conservative,  and
       appropriate  for  embedded router type devices with slow processors and limited memory. On
       more capable hardware, it is possible  to  increase  the  limits,  and  handle  many  more
       clients. The following applies to dnsmasq-2.37: earlier versions did not scale as well.

       Dnsmasq  is  capable  of  handling  DNS and DHCP for at least a thousand clients. The DHCP
       lease times should not be very short (less than one hour). The value of  --dns-forward-max
       can  be  increased: start with it equal to the number of clients and increase if DNS seems
       slow.  Note  that  DNS  performance  depends  too  on  the  performance  of  the  upstream
       nameservers. The size of the DNS cache may be increased: the hard limit is 10000 names and
       the default (150) is very low. Sending SIGUSR1 to dnsmasq makes it log  information  which
       is useful for tuning the cache size. See the NOTES section for details.

       The  built-in  TFTP  server  is  capable of many simultaneous file transfers: the absolute
       limit is related to the number of file-handles allowed to a process and the ability of the
       select()  system  call to cope with large numbers of file handles. If the limit is set too
       high using --tftp-max it will be scaled down and the actual limit logged at start-up. Note
       that  more transfers are possible when the same file is being sent than when each transfer
       sends a different file.

       It is possible to use dnsmasq to block Web advertising by using a list of known  banner-ad
       servers, all resolving to 127.0.0.1 or 0.0.0.0, in /etc/hosts or an additional hosts file.
       The list can be very long, dnsmasq has been tested successfully with  one  million  names.
       That size file needs a 1GHz processor and about 60Mb of RAM.

INTERNATIONALISATION

       Dnsmasq  can  be  compiled  to  support internationalisation. To do this, the make targets
       "all-i18n" and "install-i18n" should be used instead of the  standard  targets  "all"  and
       "install".  When internationalisation is compiled in, dnsmasq will produce log messages in
       the local language and support internationalised  domain  names  (IDN).  Domain  names  in
       /etc/hosts,  /etc/ethers  and /etc/dnsmasq.conf which contain non-ASCII characters will be
       translated to the DNS-internal punycode representation. Note that dnsmasq determines  both
       the  language  for  messages and the assumed charset for configuration files from the LANG
       environment variable. This should be set to the system default value by the  script  which
       is  responsible  for starting dnsmasq. When editing the configuration files, be careful to
       do so using only the system-default locale and not user-specific one, since dnsmasq has no
       direct  way  of  determining  the  charset  in  use, and must assume that it is the system
       default.

FILES

       /etc/dnsmasq.conf

       /usr/local/etc/dnsmasq.conf

       /etc/resolv.conf /var/run/dnsmasq/resolv.conf /etc/ppp/resolv.conf /etc/dhcpc/resolv.conf

       /etc/hosts

       /etc/ethers

       /var/lib/misc/dnsmasq.leases

       /var/db/dnsmasq.leases

       /var/run/dnsmasq.pid

SEE ALSO

       hosts(5), resolver(5)

AUTHOR

       This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.

                                            2021-08-16                                 DNSMASQ(8)