doc:uci:dhcp

doc:uci:dhcp [2014/08/01 22:06]
tolstyak Clarify that rDNS records are _not_ generated
doc:uci:dhcp [2014/10/10 11:27] (current)
hashken Changed odhcpd to dhcp
Line 1: Line 1:
 ====== DNS and DHCP configuration ====== ====== DNS and DHCP configuration ======
  
-The //dnsmasq// and odhcpd ​configuration is located in ''/​etc/​config/​dhcp''​ and controls both DNS and DHCP server options on the device (both DHCP and DNS services are implemented using the same OpenWrt program, dnsmasq).+The //dnsmasq// and dhcpd configuration is located in ''/​etc/​config/​dhcp''​ and controls both DNS and DHCP server options on the device (both DHCP and DNS services are implemented using the same OpenWrt program, dnsmasq).
  
 In the default configuration this file contains one //common section// to specify DNS and daemon related options and one or more //DHCP pools// to define DHCP serving on network interfaces. In the default configuration this file contains one //common section// to specify DNS and daemon related options and one or more //DHCP pools// to define DHCP serving on network interfaces.
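Review bot: the replacement "dhcpd" in the first paragraph is not the name of any program on OpenWrt; the original "odhcpd" was correct, since odhcpd is the daemon behind the dhcpv6, ra and ndp pool options that this same file documents further down, and the parenthetical claiming that both services use a single program (dnsmasq) contradicts naming a second daemon in the same sentence. Suggest: "The dnsmasq and odhcpd configuration is located in /etc/config/dhcp and controls DNS and DHCPv4 (dnsmasq) as well as DHCPv6, RA and NDP (odhcpd) on the device."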
Line 57: Line 57:
 | ''​domain''​ | domain name | //(none)// | ''​-s''​ | DNS domain handed out to DHCP clients | | ''​domain''​ | domain name | //(none)// | ''​-s''​ | DNS domain handed out to DHCP clients |
 | ''​domainneeded''​ | boolean | ''​0''​ | ''​-D''​ | Tells //dnsmasq// never to forward queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from /etc/hosts or DHCP then a "not found" answer is returned | | ''​domainneeded''​ | boolean | ''​0''​ | ''​-D''​ | Tells //dnsmasq// never to forward queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from /etc/hosts or DHCP then a "not found" answer is returned |
 +| ''​dnssec''​ | boolean | ''​0''​ | <​code>​--dnssec</​code>​ | Validate DNS replies and cache DNSSEC data.\\ :!: Requires the //​dnsmasq-full//​ package. |
 +| ''​dnsseccheckunsigned''​ | boolean | ''​0''​ | <​code>​--dnssec-check-unsigned</​code>​ | Check the zones of unsigned replies to ensure that unsigned replies are allowed in those zones. This protects against an attacker forging unsigned replies for signed DNS zones, but is slower and requires that the nameservers upstream of //dnsmasq// are DNSSEC-capable.\\ :!: Requires the //​dnsmasq-full//​ package. |
 | ''​ednspacket_max''​ | integer | ''​1280''​ | ''​-P''​ | Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder | | ''​ednspacket_max''​ | integer | ''​1280''​ | ''​-P''​ | Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder |
 | ''​enable_tftp''​ | boolean | ''​0''​ | <​code>​--enable-tftp</​code>​ | Enable the builtin TFTP server | | ''​enable_tftp''​ | boolean | ''​0''​ | <​code>​--enable-tftp</​code>​ | Enable the builtin TFTP server |
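Review bot: the new dnsseccheckunsigned row should state that it only takes effect when dnssec is enabled, in the same way the rebind_localhost and rebind_domain rows say "only takes effect if rebind protection is enabled"; as written the row reads as if it could be turned on independently. It would also help operators to say in the dnssec row that validation only works with DNSSEC-capable upstream servers, since that requirement is currently mentioned only in the dnsseccheckunsigned row.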
Line 76: Line 78:
 | ''​queryport''​ | integer | //(none)// | ''​-Q''​ | Use a fixed port for outbound DNS queries | | ''​queryport''​ | integer | //(none)// | ''​-Q''​ | Use a fixed port for outbound DNS queries |
 | ''​readethers''​ | boolean | ''​0''​ | ''​-Z''​ | Read static lease entries from ''/​etc/​ethers'',​ re-read on SIGHUP | | ''​readethers''​ | boolean | ''​0''​ | ''​-Z''​ | Read static lease entries from ''/​etc/​ethers'',​ re-read on SIGHUP |
 +| ''​rebind_protection''​ | boolean | ''​1''​ | <​code>​--stop-dns-rebind</​code>​ | Enables DNS rebind attack protection by discarding upstream RFC1918 responses |
 +| ''​rebind_localhost''​ | boolean | ''​0''​ | <​code>​--rebind-localhost-ok</​code>​ | Allows upstream 127.0.0.0/8 responses, required for DNS based blacklist services, only takes effect if rebind protection is enabled |
 +| ''​rebind_domain''​ | list of domain names | //(none)// | <​code>​--rebind-domain-ok</​code>​ | List of domains to allow RFC1918 responses for, only takes effect if rebind protection is enabled |
 | ''​resolvfile''​ | file path | ''/​etc/​resolv.conf''​ | ''​-r''​ | Specifies an alternative resolv file | | ''​resolvfile''​ | file path | ''/​etc/​resolv.conf''​ | ''​-r''​ | Specifies an alternative resolv file |
 | ''​server''​ | list of strings | //(none)// | ''​-S''​ | List of DNS servers to forward requests to. See the //dnsmasq// man page for syntax details. | | ''​server''​ | list of strings | //(none)// | ''​-S''​ | List of DNS servers to forward requests to. See the //dnsmasq// man page for syntax details. |
 | ''​strictorder''​ | boolean | ''​0''​ | ''​-o''​ | Obey order of DNS servers in ''/​etc/​resolv.conf''​ | | ''​strictorder''​ | boolean | ''​0''​ | ''​-o''​ | Obey order of DNS servers in ''/​etc/​resolv.conf''​ |
-| ''​tftp_root''​ | directory path | //(none)// | --tftp-root | Specifies the TFTP root directory ​+| ''​tftp_root''​ | directory path | //(none)// | <​code>​--tftp-root</​code> ​| Specifies the TFTP root directory |
-| ''​rebind_protection''​ | boolean | ''​1''​ | --stop-dns-rebind | Enables DNS rebind attack protection by discarding upstream RFC1918 responses | +
-| ''​rebind_localhost''​ | boolean | ''​0''​ |--rebind-localhost-ok| Allows upstream 127.0.0.0/8 responses, required for DNS based blacklist services, only takes effect if rebind protection is enabled | +
-| ''​rebind_domain''​ | list of domain names | //(none)// | --rebind-domain-ok | List of domains to allow RFC1918 responses for, only takes effect if rebind protection is enabled ​|+
 </​sortable>​ </​sortable>​
  
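Review bot: while the three rebind rows are being moved into alphabetical order, the rebind_protection description ("discarding upstream RFC1918 responses") should also mention loopback answers, because the rebind_localhost row directly below only makes sense if 127.0.0.0/8 responses are discarded by default as well; suggest "discarding upstream responses that resolve to RFC1918 or 127.0.0.0/8 addresses". The rebind_domain row should likewise make clear that each listed domain is a deliberate exception to that protection, not a list to be filled in routinely.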
Line 116: Line 118:
 | ''​force''​ | boolean | no | ''​0''​ | Forces DHCP serving on the specified interface even if another DHCP server is detected on the same network segment | | ''​force''​ | boolean | no | ''​0''​ | Forces DHCP serving on the specified interface even if another DHCP server is detected on the same network segment |
 | ''​ignore''​ | boolean | no | ''​0''​ | Specifies whether //dnsmasq// should ignore this pool if set to ''​1''​ | | ''​ignore''​ | boolean | no | ''​0''​ | Specifies whether //dnsmasq// should ignore this pool if set to ''​1''​ |
-| ''​dhcpv6''​ | string | no | ''​none''​ | Specifies whether DHCPv6 server should be enabled ''​server'',​ relayed ''​relay''​ or disabled ''​none''​ | +| ''​dhcpv6''​ | string | no | ''​none''​ | Specifies whether DHCPv6 server should be enabled ​(''​server''​), relayed ​(''​relay''​or disabled ​(''​disabled''​
-| ''​ra''​ | string | no | ''​none''​ | Specifies whether Router Advertisements should be enabled ''​server'',​ relayed ''​relay''​ or disabled ''​none''​ |+| ''​ra''​ | string | no | ''​none''​ | Specifies whether Router Advertisements should be enabled ​(''​server''​), relayed ​(''​relay''​or disabled ​(''​disabled''​|
 | ''​ndp''​ | string | no | ''​none''​ | Specifies whether NDP should be relayed ''​relay''​ or disabled ''​none''​ | | ''​ndp''​ | string | no | ''​none''​ | Specifies whether NDP should be relayed ''​relay''​ or disabled ''​none''​ |
 | ''​master''​ | boolean | no | 0 | Specifies whether DHCPv6, RA and NDP in relay mode is a master interface or not. | | ''​master''​ | boolean | no | 0 | Specifies whether DHCPv6, RA and NDP in relay mode is a master interface or not. |
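Review bot: the rewritten dhcpv6 and ra rows now name the value "disabled", but the default column in the same rows still says "none", and the untouched ndp row still documents "none" as the disabled value; one of the two spellings is wrong and a reader cannot tell which. Whichever value odhcpd actually accepts, update the default column and the ndp row to match. The new text also has unbalanced parentheses: "(''relay''or disabled (''disabled''" is missing the closing parenthesis after relay and after disabled.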
Line 293: Line 295:
  
 :!: Note that this currently only works for IPv4 addresses and that this functionality is not present in release prior to 8.09.2 . :!: Note that this currently only works for IPv4 addresses and that this functionality is not present in release prior to 8.09.2 .
 +
 :!: Note that reverse records are not properly generated at present. (Barrier Breaker 14.07-RC2) :!: Note that reverse records are not properly generated at present. (Barrier Breaker 14.07-RC2)
  
Line 423: Line 426:
 </​code>​ </​code>​
 Where 6=DNS, 3=Default Gateway, 44=WINS Where 6=DNS, 3=Default Gateway, 44=WINS
 +
 +Assign different dhcp-options to multiple hosts:
 +
 +<code bash>
 +config host
 +    option name '​j400'​
 +    option mac '​00:​21:​63:​75:​aa:​17'​
 +    option ip '​10.11.12.14'​
 +    option tag '​vpn' ​ # assign tag "​vpn"​ to this host
 +
 +config host
 +    option name '​j500'​
 +    option mac '​01:​22:​64:​76:​bb:​18'​
 +    option ip '​10.11.12.15'​
 +    option tag '​vpn' ​ # assign tag "​vpn"​ to this host
 +
 +config tag '​vpn' ​ # match tag "​vpn"​
 +    list dhcp_option '​6,​8.8.8.8,​8.8.4.4' ​ # assign arbritary extra dhcp options to this tag
 +</​code>​
  
 FIXME Convert to procd: etc/​init.d/​dnsmasq restart ​ FIXME Convert to procd: etc/​init.d/​dnsmasq restart ​
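Review bot: the second host entry uses MAC 01:22:64:76:bb:18, whose first octet has the least-significant bit set, which marks a group (multicast) address; no client interface carries such a MAC, so a reader copying the example will never see a lease for j500. Use a unicast address, for example one with first octet 02 (locally administered). Minor: "arbritary" should be "arbitrary", and "<code bash>" applies shell highlighting to a UCI file; the plain "<code>" used elsewhere on the page is more accurate.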
Line 446: Line 468:
  
 This change will turn off just DHCP but leave DNS services available on the specified interface. This change will turn off just DHCP but leave DNS services available on the specified interface.
- 
- 
-===== DNSSEC ===== 
- 
-FIXME 
- 
-DNSSEC with DNSMASQ can be used in Barrier Breaker. 
- 
-  * [[https://​dev.openwrt.org/​changeset/​36570|r36570]] : add proxydnssec 
-  * [[https://​dev.openwrt.org/​changeset/​41244|r41244]] : DNSMASQ-full package 
-  * [[https://​dev.openwrt.org/​changeset/​41245|r41245]] : dnssec, dnsseccheckunsigned 
- 
-<​code>​ 
-Option '​dnssec':​ Activate DNSSEC validation 
-Option '​dnsseccheckunsigned':​ Ensure answers without DNSSEC are in 
-unsigned zones. 
-</​code>​ 
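Review bot: deleting the DNSSEC section drops the only references to the changesets that introduced the feature (r36570 proxydnssec, r41244 dnsmasq-full, r41245 dnssec and dnsseccheckunsigned) and the statement that DNSSEC is available from Barrier Breaker; the new table rows earlier in this diff preserve only the dnsmasq-full requirement. The proxydnssec option from r36570 is not documented in the new rows either. Suggest keeping a short note under the dnssec row about the Barrier Breaker requirement and proxydnssec, or confirming that proxydnssec is documented elsewhere before removing the section.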
doc/uci/dhcp.1406923598.txt.bz2 · Last modified: 2014/08/01 22:06 by tolstyak