doc:uci:dhcp

doc:uci:dhcp [2014/08/01 22:06]
tolstyak Clarify that rDNS records are _not_ generated
doc:uci:dhcp [2015/08/29 07:17] (current)
TurtleTech [Conditional DNS Forwarding for Windows Active Directory Domains / DNS Dependent Directory Based Authentication Services]
Line 1: Line 1:
 ====== DNS and DHCP configuration ====== ====== DNS and DHCP configuration ======
  
-The //dnsmasq// and odhcpd ​configuration is located in ''/​etc/​config/​dhcp''​ and controls both DNS and DHCP server options on the device (both DHCP and DNS services are implemented using the same OpenWrt program, dnsmasq).+The //dnsmasq// and dhcpd configuration is located in ''/​etc/​config/​dhcp''​ and controls both DNS and DHCP server options on the device (both DHCP and DNS services are implemented using the same OpenWrt program, dnsmasq).
  
 In the default configuration this file contains one //common section// to specify DNS and daemon related options and one or more //DHCP pools// to define DHCP serving on network interfaces. In the default configuration this file contains one //common section// to specify DNS and daemon related options and one or more //DHCP pools// to define DHCP serving on network interfaces.
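Review bot: "odhcpd" has been changed to "dhcpd" in the opening sentence, which reads like an accidental edit rather than a fix: the note added later in this diff ("disable odhcpd and use dnsmasq instead") and the paragraph on `dns` entries both name the second daemon odhcpd, and "dhcpd" appears nowhere else on the page. Restore "odhcpd" here; the parenthetical "both DHCP and DNS services are implemented using the same OpenWrt program, dnsmasq" could then be qualified with the split that the `dns` entries paragraph describes ("By default, odhcpd is only used for IPv6").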
Line 57: Line 57:
 | ''​domain''​ | domain name | //(none)// | ''​-s''​ | DNS domain handed out to DHCP clients | | ''​domain''​ | domain name | //(none)// | ''​-s''​ | DNS domain handed out to DHCP clients |
 | ''​domainneeded''​ | boolean | ''​0''​ | ''​-D''​ | Tells //dnsmasq// never to forward queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from /etc/hosts or DHCP then a "not found" answer is returned | | ''​domainneeded''​ | boolean | ''​0''​ | ''​-D''​ | Tells //dnsmasq// never to forward queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from /etc/hosts or DHCP then a "not found" answer is returned |
 +| ''​dnssec''​ | boolean | ''​0''​ | <​code>​--dnssec</​code>​ | Validate DNS replies and cache DNSSEC data.\\ :!: Requires the //​dnsmasq-full//​ package. |
 +| ''​dnsseccheckunsigned''​ | boolean | ''​0''​ | <​code>​--dnssec-check-unsigned</​code>​ | Check the zones of unsigned replies to ensure that unsigned replies are allowed in those zones. This protects against an attacker forging unsigned replies for signed DNS zones, but is slower and requires that the nameservers upstream of //dnsmasq// are DNSSEC-capable.\\ :!: Requires the //​dnsmasq-full//​ package. |
 | ''​ednspacket_max''​ | integer | ''​1280''​ | ''​-P''​ | Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder | | ''​ednspacket_max''​ | integer | ''​1280''​ | ''​-P''​ | Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder |
 | ''​enable_tftp''​ | boolean | ''​0''​ | <​code>​--enable-tftp</​code>​ | Enable the builtin TFTP server | | ''​enable_tftp''​ | boolean | ''​0''​ | <​code>​--enable-tftp</​code>​ | Enable the builtin TFTP server |
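Review bot: the new `dnssec` and `dnsseccheckunsigned` rows drop the availability information that the "DNSSEC" section removed at the end of this diff carried (usable in Barrier Breaker, with changesets r36570, r41244 and r41245 adding proxydnssec, the dnsmasq-full package and the two options); a "since Barrier Breaker" remark in the `dnssec` row, or the changeset links kept as a footnote, would preserve it alongside the `dnsmasq-full` requirement. The `<code>--dnssec</code>` cell form matches the existing `--enable-tftp` row, so no formatting nit there.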
Line 62: Line 64:
 | ''​filterwin2k''​ | boolean | ''​0''​ | ''​-f''​ | Do not forward requests that cannot be answered by public name servers | | ''​filterwin2k''​ | boolean | ''​0''​ | ''​-f''​ | Do not forward requests that cannot be answered by public name servers |
 | ''​fqdn''​ | boolean | ''​0''​ | <​code>​--dhcp-fqdn</​code>​ | Do not resolve unqualifed local hostnames. Needs ''​domain''​ to be set. | | ''​fqdn''​ | boolean | ''​0''​ | <​code>​--dhcp-fqdn</​code>​ | Do not resolve unqualifed local hostnames. Needs ''​domain''​ to be set. |
-| ''​interface''​ | list of interface names | //(all interfaces)//​ | ''​-i''​ | List of interfaces to listen on. If unspecified,​ //dnsmasq// will listen to all interfaces except those listed in ''​notinterface''​. |+| ''​interface''​ | list of interface names | //(all interfaces)//​ | ''​-i''​ | List of interfaces to listen on. If unspecified,​ //dnsmasq// will listen to all interfaces except those listed in ''​notinterface''​. Note that //dnsmasq// listens on loopback by default. |
 | ''​leasefile''​ | file path | //(none)// | ''​-l''​ (ell) | Store DHCP leases in this file | | ''​leasefile''​ | file path | //(none)// | ''​-l''​ (ell) | Store DHCP leases in this file |
 | ''​local''​ | string | //(none)// | ''​-S''​ | Look up DNS entries for this domain from ''/​etc/​hosts''​. This follows the same syntax as ''​server''​ entries, see the man page. | | ''​local''​ | string | //(none)// | ''​-S''​ | Look up DNS entries for this domain from ''/​etc/​hosts''​. This follows the same syntax as ''​server''​ entries, see the man page. |
 | ''​localise_queries''​ | boolean | ''​0''​ | ''​-y''​ | Choose IP address to match the incoming interface if multiple addresses are assigned to a host name in ''/​etc/​hosts''​. :!: Note well the spelling of this option. | | ''​localise_queries''​ | boolean | ''​0''​ | ''​-y''​ | Choose IP address to match the incoming interface if multiple addresses are assigned to a host name in ''/​etc/​hosts''​. :!: Note well the spelling of this option. |
 +| ''​localservice''​ | boolean | ''​0''​ | <​code>​--local-service</​code>​ | Accept DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server. |
 | ''​logqueries''​ | boolean | ''​0''​ | ''​-q''​ | Log the results of DNS queries, dump cache on SIGUSR1 | | ''​logqueries''​ | boolean | ''​0''​ | ''​-q''​ | Log the results of DNS queries, dump cache on SIGUSR1 |
 | ''​nodaemon''​ | boolean | ''​0''​ | ''​-d''​ | Don't daemonize the //dnsmasq// process | | ''​nodaemon''​ | boolean | ''​0''​ | ''​-d''​ | Don't daemonize the //dnsmasq// process |
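Review bot: the loopback remark added to the `interface` row and the new `localservice` row both decide who can reach the resolver, but neither refers to the other. Suggest ending the `localservice` description with a cross-reference to `interface`/`notinterface` (binding restricts where dnsmasq listens, `localservice` restricts which source subnets it answers), and noting in the `interface` row that the loopback listener is what a `nameserver 127.0.0.1` line in /etc/resolv.conf, as used by the conditional-forwarding example at the end of this diff, depends on. Style nit: "ie" should be "i.e.".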
Line 76: Line 79:
 | ''​queryport''​ | integer | //(none)// | ''​-Q''​ | Use a fixed port for outbound DNS queries | | ''​queryport''​ | integer | //(none)// | ''​-Q''​ | Use a fixed port for outbound DNS queries |
 | ''​readethers''​ | boolean | ''​0''​ | ''​-Z''​ | Read static lease entries from ''/​etc/​ethers'',​ re-read on SIGHUP | | ''​readethers''​ | boolean | ''​0''​ | ''​-Z''​ | Read static lease entries from ''/​etc/​ethers'',​ re-read on SIGHUP |
 +| ''​rebind_protection''​ | boolean | ''​1''​ | <​code>​--stop-dns-rebind</​code>​ | Enables DNS rebind attack protection by discarding upstream RFC1918 responses |
 +| ''​rebind_localhost''​ | boolean | ''​0''​ | <​code>​--rebind-localhost-ok</​code>​ | Allows upstream 127.0.0.0/8 responses, required for DNS based blacklist services, only takes effect if rebind protection is enabled |
 +| ''​rebind_domain''​ | list of domain names | //(none)// | <​code>​--rebind-domain-ok</​code>​ | List of domains to allow RFC1918 responses for, only takes effect if rebind protection is enabled |
 | ''​resolvfile''​ | file path | ''/​etc/​resolv.conf''​ | ''​-r''​ | Specifies an alternative resolv file | | ''​resolvfile''​ | file path | ''/​etc/​resolv.conf''​ | ''​-r''​ | Specifies an alternative resolv file |
 | ''​server''​ | list of strings | //(none)// | ''​-S''​ | List of DNS servers to forward requests to. See the //dnsmasq// man page for syntax details. | | ''​server''​ | list of strings | //(none)// | ''​-S''​ | List of DNS servers to forward requests to. See the //dnsmasq// man page for syntax details. |
 | ''​strictorder''​ | boolean | ''​0''​ | ''​-o''​ | Obey order of DNS servers in ''/​etc/​resolv.conf''​ | | ''​strictorder''​ | boolean | ''​0''​ | ''​-o''​ | Obey order of DNS servers in ''/​etc/​resolv.conf''​ |
-| ''​tftp_root''​ | directory path | //(none)// | --tftp-root | Specifies the TFTP root directory ​+| ''​tftp_root''​ | directory path | //(none)// | <​code>​--tftp-root</​code> ​| Specifies the TFTP root directory |
-| ''​rebind_protection''​ | boolean | ''​1''​ | --stop-dns-rebind | Enables DNS rebind attack protection by discarding upstream RFC1918 responses | +
-| ''​rebind_localhost''​ | boolean | ''​0''​ |--rebind-localhost-ok| Allows upstream 127.0.0.0/8 responses, required for DNS based blacklist services, only takes effect if rebind protection is enabled | +
-| ''​rebind_domain''​ | list of domain names | //(none)// | --rebind-domain-ok | List of domains to allow RFC1918 responses for, only takes effect if rebind protection is enabled ​|+
 </​sortable>​ </​sortable>​
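Review bot: no behaviour change in this hunk; the three `rebind_*` rows move into alphabetical position between `readethers` and `resolvfile` and take the `<code>--flag</code>` cell form of the other long options, which fixes the bare `--stop-dns-rebind` and unspaced `|--rebind-localhost-ok|` cells of the removed lines. One addition to the `rebind_domain` row would pay off: say that it is the per-domain alternative to switching `rebind_protection` off, because both configuration examples added later in this diff set `option rebind_protection '0'` to accept RFC1918 answers for a single forwarded domain, which is exactly the case `--rebind-domain-ok` covers.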
  
Line 103: Line 106:
  
   * ''​lan''​ specifies the OpenWrt interface that is served by this DHCP pool   * ''​lan''​ specifies the OpenWrt interface that is served by this DHCP pool
-  * ''​100''​ is the offset from the network address, in the default configuration ''​192.168.1.100''​ +  * ''​100''​ is the offset from the network address, in the default configuration ​this would mean start leasing addresses from ''​192.168.1.100''​ 
-  * ''​150''​ is the maximum number of addresses that may be leased, in the default configuration ''​192.168.1.250''​+  * ''​150''​ is the maximum number of addresses that may be leased, in the default configuration ​this would mean leasing addresses up to ''​192.168.1.250''​
   * ''​12h''​ specifies the time to live for handed out leases, twelve hours in this example   * ''​12h''​ specifies the time to live for handed out leases, twelve hours in this example
   * ''​server''​ defines the mode for IPv6 configuration (RA & DHCPv6)   * ''​server''​ defines the mode for IPv6 configuration (RA & DHCPv6)
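Review bot: the reworded `150` bullet says leasing runs "up to 192.168.1.250", but 150 addresses starting at 192.168.1.100 end at 192.168.1.249; an end of .250 would be 151 addresses. Either the end address or the "maximum number of addresses" wording is off by one, and since this hunk rewrites both bullets it is the place to check which range the init script actually passes to dnsmasq for start 100 / limit 150 and state that value.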
Line 116: Line 119:
 | ''​force''​ | boolean | no | ''​0''​ | Forces DHCP serving on the specified interface even if another DHCP server is detected on the same network segment | | ''​force''​ | boolean | no | ''​0''​ | Forces DHCP serving on the specified interface even if another DHCP server is detected on the same network segment |
 | ''​ignore''​ | boolean | no | ''​0''​ | Specifies whether //dnsmasq// should ignore this pool if set to ''​1''​ | | ''​ignore''​ | boolean | no | ''​0''​ | Specifies whether //dnsmasq// should ignore this pool if set to ''​1''​ |
-| ''​dhcpv6''​ | string | no | ''​none''​ | Specifies whether DHCPv6 server should be enabled ''​server'',​ relayed ''​relay''​ or disabled ''​none''​ | +| ''​dhcpv6''​ | string | no | ''​none''​ | Specifies whether DHCPv6 server should be enabled ​(''​server''​), relayed ​(''​relay''​or disabled ​(''​disabled''​
-| ''​ra''​ | string | no | ''​none''​ | Specifies whether Router Advertisements should be enabled ''​server'',​ relayed ''​relay''​ or disabled ''​none''​ |+| ''​ra''​ | string | no | ''​none''​ | Specifies whether Router Advertisements should be enabled ​(''​server''​), relayed ​(''​relay''​or disabled ​(''​disabled''​|
 | ''​ndp''​ | string | no | ''​none''​ | Specifies whether NDP should be relayed ''​relay''​ or disabled ''​none''​ | | ''​ndp''​ | string | no | ''​none''​ | Specifies whether NDP should be relayed ''​relay''​ or disabled ''​none''​ |
 | ''​master''​ | boolean | no | 0 | Specifies whether DHCPv6, RA and NDP in relay mode is a master interface or not. | | ''​master''​ | boolean | no | 0 | Specifies whether DHCPv6, RA and NDP in relay mode is a master interface or not. |
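Review bot: the `dhcpv6` and `ra` rows now give the disabled keyword as `disabled`, while the default column of both rows still says `none` and the unchanged `ndp` row below still documents `none` as the disabled value. Whichever keyword odhcpd accepts, the default cell, the description and the `ndp` row must agree; as committed, a reader cannot tell whether to write `option dhcpv6 'none'` or `option dhcpv6 'disabled'`.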
Line 147: Line 150:
 <​code>​config host <​code>​config host
         option ip       '​192.168.1.3'​         option ip       '​192.168.1.3'​
-        option mac      '​11:​22:​33:​44:​55:​66,aa:​bb:​cc:​dd:​ee:​ff'​+        option mac      '​11:​22:​33:​44:​55:​66 aa:​bb:​cc:​dd:​ee:​ff'​
         option name     '​mylaptop'​         option name     '​mylaptop'​
 </​code>​ </​code>​
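Review bot: the separator between the two MAC addresses in `option mac` changes from a comma to a space without any explanation in the visible text. Because the old form was published and will have been copied, add one sentence to the surrounding paragraph stating that multiple MAC addresses in `option mac` are space-separated, so readers who copied the comma form know to update it and understand why the example changed.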
Line 178: Line 181:
 ==== Booting Options ==== ==== Booting Options ====
  
-Some hosts support booting over the network. DHCP/BOOTP is used to tell the host which file to boot and the server to load it from. Each client can only receive one set of filename and server address options. If different hosts should boot different files, or boot from different servers, you can use //​network-ids//​ to map options to each client.+Some hosts support booting over the network ​(PXE booting). DHCP/BOOTP is used to tell the host which file to boot and the server to load it from. Each client can only receive one set of filename and server address options. If different hosts should boot different files, or boot from different servers, you can use //​network-ids//​ to map options to each client.
  
 Usually, you need to set additional DHCP options (through ''​dhcp_option''​) for further stages of the boot process. See the //dnsmasq// man page for details on the syntax of the ''​O''​ option. Usually, you need to set additional DHCP options (through ''​dhcp_option''​) for further stages of the boot process. See the //dnsmasq// man page for details on the syntax of the ''​O''​ option.
  
 The configuration options in this section are used to construct a ''​-M''​ option for //​dnsmasq//​. The configuration options in this section are used to construct a ''​-M''​ option for //​dnsmasq//​.
 +
 +*Note*: odhcp currently lacks support root-path specification. If you need this functionality,​ disable odhcpd and use dnsmasq instead.
  
 <​code>​config boot linux <​code>​config boot linux
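Review bot: the added note has a typo in the daemon name ("odhcp" for "odhcpd", as the `dns` entries paragraph later in this diff spells it) and a missing word ("lacks support for root-path specification"). Formatting: `*Note*` is not DokuWiki emphasis; this page uses `//italic//` and `''code''`, and bold would be `**Note**`. "PXE booting" in parentheses is a good addition, since the `force` option added elsewhere in this diff is motivated by PXELinux.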
Line 198: Line 203:
 | ''​serveraddress''​ | string | yes | //(none)// | The IP address of the boot server. | | ''​serveraddress''​ | string | yes | //(none)// | The IP address of the boot server. |
 | ''​servername''​ | string | yes | //(none)// | The hostname of the boot server. | | ''​servername''​ | string | yes | //(none)// | The hostname of the boot server. |
 +| ''​force''​ | bool | no | //(none)// | dhcp-option will always be sent, even if the client does not ask for it in the parameter request list. This is sometimes needed, for example when sending options to PXELinux. |
 </​sortable>​ </​sortable>​
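Review bot: the new `force` row does not match the table it is added to: its type is "bool" where the sibling rows say "boolean", its default is "(none)" where a boolean elsewhere on this page defaults to `0`, and it sits in the boot-options table (`serveraddress`, `servername`, the options that build `-M`) while the only example in this diff that uses `force` is the `config tag 'vpn'` block near the end. If `force` belongs to `config tag`/`dhcp_option` rather than `config boot`, move the row to that table; either way its description is pasted verbatim three more times in this diff (the `//force//` paragraph, the "Notes" bullet and the comment in the tag example) and should live in one place.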
  
Line 241: Line 247:
  
 //​DHCP-option//​ adds a DHCP option for this //​network-id//​. See the //dnsmsq// man page for a complete explanation of the syntax of the ''​-O''​ option. //​DHCP-option//​ adds a DHCP option for this //​network-id//​. See the //dnsmsq// man page for a complete explanation of the syntax of the ''​-O''​ option.
 +
 +//force// is a bool option. ​ It forces dhcp-option to always be sent, even if the client does not ask for it in the parameter request list. This is sometimes needed, for example when sending options to PXELinux.
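Review bot: this paragraph repeats the `force` table row added a few hunks earlier word for word; keep the table row and reduce this to a pointer, or drop it. Nits: double space after "bool option." and the unchanged context line above spells the daemon "dnsmsq".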
  
  
Line 287: Line 295:
 Notes: Notes:
   * http://​answers.microsoft.com/​en-us/​windows/​forum/​windows_7-networking/​windows-7-refuses-dhcp-addresses-if-they-were/​1b72b289-0f58-492f-afb8-e76c80a81f00   * http://​answers.microsoft.com/​en-us/​windows/​forum/​windows_7-networking/​windows-7-refuses-dhcp-addresses-if-they-were/​1b72b289-0f58-492f-afb8-e76c80a81f00
 +  * //force// is a bool option that will force dhcp-option to always be sent, even if the client does not ask for it in the parameter request list. This is sometimes needed, for example when sending options to PXELinux.
 +==== Only allow static leases ====
 +
 +If you want to distribute IPv4 addresses to known clients only (static leases), use:
 +
 +<​code>​
 +config dhcp '​lan'​
 +        ...
 +        option dynamicdhcp 0
 +</​code>​
 +
 +With this, dnsmasq will consider static leases defined in "​config host" blocks and in /​etc/​ethers,​ and refuse to hand out any IPv4 address to unknown clients.
 +
 +Note that you shouldn'​t use this as a security feature to prevent unwanted clients from connecting. ​ A client can simply configure a static IP in the right range to have access to the network.
  
 ==== Custom Domain ==== ==== Custom Domain ====
  
-Define a custom domain name and the corresponding PTR record - assigns the IP address ''​192.168.1.140''​ to the domain name ''​typhoon''​ and construct an appropriate reverse record ''​140.1.168.192.in-addr.arpa''​.+Define a custom domain name and the corresponding PTR record - assigns the IP address ''​192.168.1.140''​ to the domain name ''​typhoon''​ and construct an appropriate reverse record ''​140.1.168.192.in-addr.arpa''​. It works like an entry in ''/​etc/​hosts''​ but more flexible 
 +and integrated.
  
 :!: Note that this currently only works for IPv4 addresses and that this functionality is not present in release prior to 8.09.2 . :!: Note that this currently only works for IPv4 addresses and that this functionality is not present in release prior to 8.09.2 .
 +
 :!: Note that reverse records are not properly generated at present. (Barrier Breaker 14.07-RC2) :!: Note that reverse records are not properly generated at present. (Barrier Breaker 14.07-RC2)
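Review bot: the `force` bullet appended under "Notes" is the third copy of the same sentence in this diff and has nothing to do with the Windows 7 DHCP link it now sits under; drop it here. In the new "Only allow static leases" section the closing caveat is the important part (the sentence before it, "refuse to hand out any IPv4 address to unknown clients", reads like an access control on its own), so keep the caveat directly after the config block and consider stating plainly that `dynamicdhcp 0` controls address hand-out only, not network access. Formatting: the `==== Only allow static leases ====` heading follows the bullet list without a blank line, "shouldn't use this" has a double space after the following full stop, and in the Custom Domain paragraph "It works like an entry in ''/etc/hosts'' but more flexible and integrated" is split over two lines with a trailing space and wants "but is more flexible".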
  
Line 299: Line 323:
  option '​ip' ​  '​192.168.1.140'</​code>​  option '​ip' ​  '​192.168.1.140'</​code>​
  
 +
 +another example: redirect www.facebook.com
 +<​file>​
 +config '​domain'​
 + option '​name'​ '​www.facebook.com'​
 + option '​ip' ​  '​1.2.3.4'​
 +        #the request to www.facebook.com will end to 1.2.3.4
 +</​file>​
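Review bot: the new redirect example uses `1.2.3.4`, a real routable address, where the "Several DNS servers" example later in this diff correctly uses a documentation address (`192.0.2.1`); use the same here, since a reader who pastes this block directs clients' connections to whoever holds that address. Wording: "will end to" should be "will resolve to". Formatting: this block is wrapped in `<file>` while the preceding `typhoon` example uses `<code>`, and the `==== SRV RR for SIP ====` heading that follows needs a blank line before it.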
 ==== SRV RR for SIP ==== ==== SRV RR for SIP ====
  
Line 423: Line 455:
 </​code>​ </​code>​
 Where 6=DNS, 3=Default Gateway, 44=WINS Where 6=DNS, 3=Default Gateway, 44=WINS
 +
 +Assign different dhcp-options to multiple hosts:
 +
 +<code bash>
 +config host
 +    option name '​j400'​
 +    option mac '​00:​21:​63:​75:​aa:​17'​
 +    option ip '​10.11.12.14'​
 +    option tag '​vpn' ​ # assign tag "​vpn"​ to this host
 +
 +config host
 +    option name '​j500'​
 +    option mac '​01:​22:​64:​76:​bb:​18'​
 +    option ip '​10.11.12.15'​
 +    option tag '​vpn' ​ # assign tag "​vpn"​ to this host
 +
 +config tag '​vpn' ​ # match tag "​vpn"​
 +    list dhcp_option '​6,​8.8.8.8,​8.8.4.4' ​ # assign arbritary extra dhcp options to this tag
 +    option force '​1' ​             #​dhcp-option will always be sent, even if the client does not ask for it in the parameter request list. This is sometimes needed, for example when sending options to PXELinux.
 +</​code>​
 +
 +:!: Generally, specifying a dhcp option without any value, would disable that option. so for example you can use:
 +<​code>​list dhcp_option '​3'</​code>​
 +to disable sending a default gateway to a specific client
  
 FIXME Convert to procd: etc/​init.d/​dnsmasq restart ​ FIXME Convert to procd: etc/​init.d/​dnsmasq restart ​
 +==== Enabling DHCP without enabling DNS ====
 +
 +This is useful when you just want to hand out addresses to clients, without doing any DNS.
 +
 +<​code>​
 +config dnsmasq
 +       ...
 +       ​option port 0
 +       ​option domain ''​
 +</​code>​
 +
 +The second option prevents dnsmasq from giving out a domain name and DNS search list to clients: this is useless without DNS resolving.
 +
 +Of course, you will want to hand out the address of a DNS resolver to clients:
 +
 +<​code>​
 +config dhcp lan
 +       ​option interface lan
 +       ...
 +       list dhcp_option "​6,​80.67.188.188,​6,​80.67.169.12"​
 +       list dns         "​2001:​913::​8"​
 +       list dns         "​2001:​910:​800::​12" ​      
 +</​code>​
 +
 +The `dhcp_option` entry is meant for dnsmasq, while the more elegant `dns` entries are understood by odhcpd. ​ By default, odhcpd is only used for IPv6, but if you also use odhcpd for IPv4, you can just use `dns` entries for everything.
  
 ==== Enabling DNS without enabling DHCP ==== ==== Enabling DNS without enabling DHCP ====
Line 447: Line 528:
 This change will turn off just DHCP but leave DNS services available on the specified interface. This change will turn off just DHCP but leave DNS services available on the specified interface.
  
 +==== Several DNS servers ====
 +<​file>​
 +config dnsmasq
 +        option domainneeded '​1'​
 +        option localise_queries '​1'​
 +        option local '/​lan/'​
 +        option domain '​lan'​
 +        option expandhosts '​1'​
 +        option authoritative '​1'​
 +        option readethers '​1'​
 +        option leasefile '/​tmp/​dhcp.leases'​
 +        option resolvfile '/​tmp/​resolv.conf.auto'​
 +        list server '/​subdomain.example.com/​192.0.2.1'​
 +          #be careful that some options should be absent (or set to False)
 +          #to allow the forwarding towards the "so defined"​ private networks
 +          #​http://​en.wikipedia.org/​wiki/​Private_network
 +          # likely '​bogusprivat'​
 +        list server '/​example.com/​208.67.222.222'​
 +        option rebind_protection '​0'​
 +</​file>​
  
-===== DNSSEC ===== 
  
-FIXME 
  
-DNSSEC with DNSMASQ can be used in Barrier Breaker.+==== Conditional DNS Forwarding for Windows Active Directory Domains / DNS Dependent Directory Based Authentication Services ====
  
-  * [[https://​dev.openwrt.org/changeset/36570|r36570]] : add proxydnssec + 
-  * [[https://dev.openwrt.org/changeset/41244|r41244]] : DNSMASQ-full package + 
-  * [[https://dev.openwrt.org/changeset/41245|r41245]] : dnssec, dnsseccheckunsigned+ 
 +1Install dnsmasq using your local package manager 
 + 
 +2Edit /etc/dnsmasq.conf 
 + 
 +# Tells dnsmasq to forward anything with the domain of remote.local to dns server 10.25.11.2 
 +server=/remote.local/10.25.11.2 
 + 
 +# Listen to requests only coming from the local machine 
 +listen-address=127.0.0.1 
 + 
 +# Do not cache anything 
 +# A decent dns server will already cache for your local network 
 +cache-size=0 
 +3. Edit /etc/resolv.conf 
 + 
 +# Local LAN Domain 
 +domain ion.lan 
 + 
 +# local dnsmasq server 
 +nameserver 127.0.0.1 
 + 
 +# Your main dns server (dnsmasq will forward all requests to this server) 
 +nameserver 10.20.1.1 
 +4. Start dnsmasq 
 + 
 +5. Test – ping a local server and remote server using the FQDN 
 + 
 +All dns requests will be forwarded to 10.20.1.1 except any matching ​*.remote.local. server.remote.local will be forwarded to 10.25.11.2 
 + 
 +Credit:  ​[[http://pyther.net/2010/​12/​dns-conditional-forwarding-dnsmasq/]]
  
 <​code>​ <​code>​
-Option ​'​dnssec'​: Activate DNSSEC validation + 
-Option ​'dnsseccheckunsigned': Ensure answers ​without ​DNSSEC are in +cat /​etc/​config/​dhcp  
-unsigned zones.+ 
 +config dnsmasq 
 +        option localise_queries ​'1' 
 +        option rebind_protection '​0'​ 
 +        option authoritative '​1'​ 
 +        option leasefile '/​tmp/​dhcp.leases'​ 
 +        option localservice '​1'​ 
 +        option ​dnssec '0' 
 +        ​option cachesize ​'0' 
 +        option domain '​example.local'​ 
 +        option readethers '​1'​ 
 +        option logqueries '​1'​ 
 +        option fliterwin2k '​0'​ 
 +        #Define your Domain and Domain Controllers IP address here.        
 +        option local '/​example.local/​192.168.1.X'​** 
 +        list server '/​0.openwrt.pool.ntp.org/​8.8.8.8'​ 
 +        list server '/​1.openwrt.pool.ntp.org/​8.8.8.8'​ 
 +        list server '/​2.openwrt.pool.ntp.org/​8.8.8.8'​ 
 +        list server '/​3.openwrt.pool.ntp.org/​8.8.8.8'​ 
 +        option resolvfile '/​etc/​resolv.conf'​ 
 +        option boguspriv '​1'​ 
 + 
 +config dhcp '​lan'​ 
 +        option interface '​lan'​ 
 +        option start '​100'​ 
 +        option limit '​150'​ 
 +        option leasetime '​12h'​ 
 +</​code>​ 
 +Almost completed, Now on to the finalization of the /​etc/​resolv.conf ​ Traditionally /​etc/​resolv.conf is populated via symlink based on interface settings which get inserted via script into /​tmp/​resolv.conf. We're going to disable this symlink because ​without ​doing so it would override our static settings.  ​ 
 + 
 +You'll want to remove /etc/resolv.conf 
 +That will remove the resolv.conf symlink. Then we will add the ip address of the secondary DNS and external resolving address inside the /​etc/​resolv.conf file finally establishing conditional forwarding, something that should be specified for easy configuration via the GUI.  
 + 
 +<​code>​ 
 +rm /​etc/​resolv.conf 
 +echo "​domain example.local">>/​etc/​resolv.conf 
 +echo "​nameserver 127.0.0.1">>/​etc/​resolv.conf 
 +echo "​nameserver 208.67.220.220">>/​etc/​resolv.conf 
 + 
 +</​code>​ 
 + 
 +<​code>​ 
 + 
 + cat /​etc/​resolv.conf 
 +#Define your Domain Below  & Public DNS you desire.  
 + 
 +domain example.local 
 +nameserver 127.0.0.1 
 +nameserver 208.67.220.220 
 </​code>​ </​code>​
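Review bot: the conditional-forwarding example turns DNS rebind protection off for the whole resolver (`option rebind_protection '0'`), and the "Several DNS servers" example does the same with a comment guessing at an option name ("likely 'bogusprivat'"), in both cases to accept RFC1918 answers for one forwarded domain; the `rebind_domain` row documented in this same diff (`--rebind-domain-ok`) exists for exactly that, so `list rebind_domain 'example.local'` next to the `server` entry keeps protection on for every other domain and is what both examples should show. Further defects in the `cat /etc/config/dhcp` block, which readers will paste as is: `option fliterwin2k '0'` is misspelled (the table lists `filterwin2k`), `option local '/example.local/192.168.1.X'**` has a stray `**` and a bare `X` placeholder (mark it as `<domain controller IP>`, as the `#Define your Domain...` comment intends), and the table documents `server` as the forwarding option while `local` is the /etc/hosts lookup, so the `list server '/domain/address'` form used in "Several DNS servers" is the clearer choice for sending `example.local` to the domain controller. Steps "1Install dnsmasq using your local package manager" through "5. Test" edit /etc/dnsmasq.conf and /etc/resolv.conf on a generic Linux host rather than the UCI file this page documents and should be replaced by a pointer to the credited pyther.net article; the `<code bash>` fence marks a UCI file as shell, "arbritary" is a typo, and removing the "DNSSEC" section drops the r36570/r41244/r41245 changeset links, which could be kept in the `dnssec` table row.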
doc/uci/dhcp.1406923598.txt.bz2 · Last modified: 2014/08/01 22:06 by tolstyak