doc:uci:dhcp

Differences

This shows you the differences between two versions of the page.

doc:uci:dhcp [2014/08/01 22:06]
tolstyak Clarify that rDNS records are _not_ generated
doc:uci:dhcp [2014/12/22 21:01] (current)
pier4r [Several DNS servers]
Line 1: Line 1:
 ====== DNS and DHCP configuration ====== ====== DNS and DHCP configuration ======
  
-The //dnsmasq// and odhcpd ​configuration is located in ''/​etc/​config/​dhcp''​ and controls both DNS and DHCP server options on the device (both DHCP and DNS services are implemented using the same OpenWrt program, dnsmasq).+The //dnsmasq// and dhcpd configuration is located in ''/​etc/​config/​dhcp''​ and controls both DNS and DHCP server options on the device (both DHCP and DNS services are implemented using the same OpenWrt program, dnsmasq).
  
 In the default configuration this file contains one //common section// to specify DNS and daemon related options and one or more //DHCP pools// to define DHCP serving on network interfaces. In the default configuration this file contains one //common section// to specify DNS and daemon related options and one or more //DHCP pools// to define DHCP serving on network interfaces.
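Review bot: the rename of "odhcpd" to "dhcpd" in the first paragraph looks like an error rather than a correction. odhcpd is OpenWrt's DHCPv6/RA/NDP daemon (the dhcpv6, ra and ndp pool options further down this page are its options), while "dhcpd" is the name of the ISC server, which does not read /etc/config/dhcp. Suggest restoring "odhcpd" and, while here, tightening the parenthetical that says both services are implemented by dnsmasq: dnsmasq provides DNS and DHCPv4, odhcpd provides DHCPv6 and router advertisements, and both read this file.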
Line 57: Line 57:
 | ''​domain''​ | domain name | //(none)// | ''​-s''​ | DNS domain handed out to DHCP clients | | ''​domain''​ | domain name | //(none)// | ''​-s''​ | DNS domain handed out to DHCP clients |
 | ''​domainneeded''​ | boolean | ''​0''​ | ''​-D''​ | Tells //dnsmasq// never to forward queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from /etc/hosts or DHCP then a "not found" answer is returned | | ''​domainneeded''​ | boolean | ''​0''​ | ''​-D''​ | Tells //dnsmasq// never to forward queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from /etc/hosts or DHCP then a "not found" answer is returned |
 +| ''​dnssec''​ | boolean | ''​0''​ | <​code>​--dnssec</​code>​ | Validate DNS replies and cache DNSSEC data.\\ :!: Requires the //​dnsmasq-full//​ package. |
 +| ''​dnsseccheckunsigned''​ | boolean | ''​0''​ | <​code>​--dnssec-check-unsigned</​code>​ | Check the zones of unsigned replies to ensure that unsigned replies are allowed in those zones. This protects against an attacker forging unsigned replies for signed DNS zones, but is slower and requires that the nameservers upstream of //dnsmasq// are DNSSEC-capable.\\ :!: Requires the //​dnsmasq-full//​ package. |
 | ''​ednspacket_max''​ | integer | ''​1280''​ | ''​-P''​ | Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder | | ''​ednspacket_max''​ | integer | ''​1280''​ | ''​-P''​ | Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder |
 | ''​enable_tftp''​ | boolean | ''​0''​ | <​code>​--enable-tftp</​code>​ | Enable the builtin TFTP server | | ''​enable_tftp''​ | boolean | ''​0''​ | <​code>​--enable-tftp</​code>​ | Enable the builtin TFTP server |
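Review bot: the new dnsseccheckunsigned row should say that it only takes effect when dnssec is also enabled, in the same way the rebind_localhost row on this page says "only takes effect if rebind protection is enabled"; on its own the row reads as if --dnssec-check-unsigned were an independent validation mode. The dnssec row would also benefit from one sentence on the client-visible effect of "validate": replies that fail validation are withheld, so an upstream that is not DNSSEC-capable turns into lookup failures for every client behind the router, which is the first thing an operator enabling this will run into.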
Line 62: Line 64:
 | ''​filterwin2k''​ | boolean | ''​0''​ | ''​-f''​ | Do not forward requests that cannot be answered by public name servers | | ''​filterwin2k''​ | boolean | ''​0''​ | ''​-f''​ | Do not forward requests that cannot be answered by public name servers |
 | ''​fqdn''​ | boolean | ''​0''​ | <​code>​--dhcp-fqdn</​code>​ | Do not resolve unqualifed local hostnames. Needs ''​domain''​ to be set. | | ''​fqdn''​ | boolean | ''​0''​ | <​code>​--dhcp-fqdn</​code>​ | Do not resolve unqualifed local hostnames. Needs ''​domain''​ to be set. |
-| ''​interface''​ | list of interface names | //(all interfaces)//​ | ''​-i''​ | List of interfaces to listen on. If unspecified,​ //dnsmasq// will listen to all interfaces except those listed in ''​notinterface''​. |+| ''​interface''​ | list of interface names | //(all interfaces)//​ | ''​-i''​ | List of interfaces to listen on. If unspecified,​ //dnsmasq// will listen to all interfaces except those listed in ''​notinterface''​. Note that //dnsmasq// listens on loopback by default. |
 | ''​leasefile''​ | file path | //(none)// | ''​-l''​ (ell) | Store DHCP leases in this file | | ''​leasefile''​ | file path | //(none)// | ''​-l''​ (ell) | Store DHCP leases in this file |
 | ''​local''​ | string | //(none)// | ''​-S''​ | Look up DNS entries for this domain from ''/​etc/​hosts''​. This follows the same syntax as ''​server''​ entries, see the man page. | | ''​local''​ | string | //(none)// | ''​-S''​ | Look up DNS entries for this domain from ''/​etc/​hosts''​. This follows the same syntax as ''​server''​ entries, see the man page. |
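Review bot: the added loopback sentence in the interface row is correct but should also say that loopback is added on top of the listed interfaces when `interface` is set, i.e. listing only `lan` does not stop the resolver from answering on 127.0.0.1, so readers hardening a router do not wonder whether they must list `lo` themselves. Unrelated typo in the unchanged fqdn row: "unqualifed" should be "unqualified".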
Line 76: Line 78:
 | ''​queryport''​ | integer | //(none)// | ''​-Q''​ | Use a fixed port for outbound DNS queries | | ''​queryport''​ | integer | //(none)// | ''​-Q''​ | Use a fixed port for outbound DNS queries |
 | ''​readethers''​ | boolean | ''​0''​ | ''​-Z''​ | Read static lease entries from ''/​etc/​ethers'',​ re-read on SIGHUP | | ''​readethers''​ | boolean | ''​0''​ | ''​-Z''​ | Read static lease entries from ''/​etc/​ethers'',​ re-read on SIGHUP |
 +| ''​rebind_protection''​ | boolean | ''​1''​ | <​code>​--stop-dns-rebind</​code>​ | Enables DNS rebind attack protection by discarding upstream RFC1918 responses |
 +| ''​rebind_localhost''​ | boolean | ''​0''​ | <​code>​--rebind-localhost-ok</​code>​ | Allows upstream 127.0.0.0/8 responses, required for DNS based blacklist services, only takes effect if rebind protection is enabled |
 +| ''​rebind_domain''​ | list of domain names | //(none)// | <​code>​--rebind-domain-ok</​code>​ | List of domains to allow RFC1918 responses for, only takes effect if rebind protection is enabled |
 | ''​resolvfile''​ | file path | ''/​etc/​resolv.conf''​ | ''​-r''​ | Specifies an alternative resolv file | | ''​resolvfile''​ | file path | ''/​etc/​resolv.conf''​ | ''​-r''​ | Specifies an alternative resolv file |
 | ''​server''​ | list of strings | //(none)// | ''​-S''​ | List of DNS servers to forward requests to. See the //dnsmasq// man page for syntax details. | | ''​server''​ | list of strings | //(none)// | ''​-S''​ | List of DNS servers to forward requests to. See the //dnsmasq// man page for syntax details. |
 | ''​strictorder''​ | boolean | ''​0''​ | ''​-o''​ | Obey order of DNS servers in ''/​etc/​resolv.conf''​ | | ''​strictorder''​ | boolean | ''​0''​ | ''​-o''​ | Obey order of DNS servers in ''/​etc/​resolv.conf''​ |
-| ''​tftp_root''​ | directory path | //(none)// | --tftp-root | Specifies the TFTP root directory ​+| ''​tftp_root''​ | directory path | //(none)// | <​code>​--tftp-root</​code> ​| Specifies the TFTP root directory |
-| ''​rebind_protection''​ | boolean | ''​1''​ | --stop-dns-rebind | Enables DNS rebind attack protection by discarding upstream RFC1918 responses | +
-| ''​rebind_localhost''​ | boolean | ''​0''​ |--rebind-localhost-ok| Allows upstream 127.0.0.0/8 responses, required for DNS based blacklist services, only takes effect if rebind protection is enabled | +
-| ''​rebind_domain''​ | list of domain names | //(none)// | --rebind-domain-ok | List of domains to allow RFC1918 responses for, only takes effect if rebind protection is enabled ​|+
 </​sortable>​ </​sortable>​
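Review bot: moving the three rebind_* rows up into alphabetical order and wrapping their long flags in <code> matches the rest of the table, but the rebind_localhost description needs a caveat: --rebind-localhost-ok re-allows 127.0.0.0/8 answers from every upstream zone, which is precisely the loopback-answer case rebind protection exists to catch. For a DNS-based blacklist the narrower `rebind_domain` entry for that service's zone is the better recommendation, with rebind_localhost presented as the fallback. The rebind_protection row could also state the client-visible effect of "discarding" (the lookup simply fails) so that operators recognise the symptom when an internal split-horizon zone returning private addresses stops resolving.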
  
Line 116: Line 118:
 | ''​force''​ | boolean | no | ''​0''​ | Forces DHCP serving on the specified interface even if another DHCP server is detected on the same network segment | | ''​force''​ | boolean | no | ''​0''​ | Forces DHCP serving on the specified interface even if another DHCP server is detected on the same network segment |
 | ''​ignore''​ | boolean | no | ''​0''​ | Specifies whether //dnsmasq// should ignore this pool if set to ''​1''​ | | ''​ignore''​ | boolean | no | ''​0''​ | Specifies whether //dnsmasq// should ignore this pool if set to ''​1''​ |
-| ''​dhcpv6''​ | string | no | ''​none''​ | Specifies whether DHCPv6 server should be enabled ''​server'',​ relayed ''​relay''​ or disabled ''​none''​ | +| ''​dhcpv6''​ | string | no | ''​none''​ | Specifies whether DHCPv6 server should be enabled ​(''​server''​), relayed ​(''​relay''​or disabled ​(''​disabled''​
-| ''​ra''​ | string | no | ''​none''​ | Specifies whether Router Advertisements should be enabled ''​server'',​ relayed ''​relay''​ or disabled ''​none''​ |+| ''​ra''​ | string | no | ''​none''​ | Specifies whether Router Advertisements should be enabled ​(''​server''​), relayed ​(''​relay''​or disabled ​(''​disabled''​|
 | ''​ndp''​ | string | no | ''​none''​ | Specifies whether NDP should be relayed ''​relay''​ or disabled ''​none''​ | | ''​ndp''​ | string | no | ''​none''​ | Specifies whether NDP should be relayed ''​relay''​ or disabled ''​none''​ |
 | ''​master''​ | boolean | no | 0 | Specifies whether DHCPv6, RA and NDP in relay mode is a master interface or not. | | ''​master''​ | boolean | no | 0 | Specifies whether DHCPv6, RA and NDP in relay mode is a master interface or not. |
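Review bot: the dhcpv6 and ra rows now say the disabling value is ''disabled'' while their default column still says ''none'' and the unchanged ndp row still lists ''none''; one of the two is wrong for every row. If ''disabled'' is what odhcpd actually parses, the default column and the ndp row need the same change; if ''none'' is, this edit should be reverted. Either way the three rows should agree, because a reader copying the default column into a config will otherwise write a value the other rows say is not accepted.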
Line 287: Line 289:
 Notes: Notes:
   * http://​answers.microsoft.com/​en-us/​windows/​forum/​windows_7-networking/​windows-7-refuses-dhcp-addresses-if-they-were/​1b72b289-0f58-492f-afb8-e76c80a81f00   * http://​answers.microsoft.com/​en-us/​windows/​forum/​windows_7-networking/​windows-7-refuses-dhcp-addresses-if-they-were/​1b72b289-0f58-492f-afb8-e76c80a81f00
 +
 +==== Only allow static leases ====
 +
 +If you want to distribute IPv4 addresses to known clients only (static leases), use:
 +
 +<​code>​
 +config dhcp '​lan'​
 +        ...
 +        option dynamicdhcp 0
 +</​code>​
 +
 +With this, dnsmasq will consider static leases defined in "​config host" blocks and in /​etc/​ethers,​ and refuse to hand out any IPv4 address to unknown clients.
 +
 +Note that you shouldn'​t use this as a security feature to prevent unwanted clients from connecting. ​ A client can simply configure a static IP in the right range to have access to the network.
  
 ==== Custom Domain ==== ==== Custom Domain ====
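Review bot: in the new "Only allow static leases" section above, the closing caveat is right but understates the point: the "known client" test matches on MAC address, which a client can set freely, so both the match and the static-IP workaround are trivially bypassable and the setting is purely administrative. Suggest saying that plainly and pointing at link-layer controls (802.1X or port security on the switch or access point) as the place where admission is actually enforced. Two smaller points: "refuse to hand out" should be "ignore requests from", since dnsmasq does not answer unknown clients at all rather than NAKing them, and the section only covers IPv4, so it should state explicitly what happens on IPv6 (router advertisements come from odhcpd, not dnsmasq, and are not governed by this option) so readers do not assume the setting gates the whole LAN.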
Line 293: Line 309:
  
 :!: Note that this currently only works for IPv4 addresses and that this functionality is not present in release prior to 8.09.2 . :!: Note that this currently only works for IPv4 addresses and that this functionality is not present in release prior to 8.09.2 .
 +
 :!: Note that reverse records are not properly generated at present. (Barrier Breaker 14.07-RC2) :!: Note that reverse records are not properly generated at present. (Barrier Breaker 14.07-RC2)
  
Line 423: Line 440:
 </​code>​ </​code>​
 Where 6=DNS, 3=Default Gateway, 44=WINS Where 6=DNS, 3=Default Gateway, 44=WINS
 +
 +Assign different dhcp-options to multiple hosts:
 +
 +<code bash>
 +config host
 +    option name '​j400'​
 +    option mac '​00:​21:​63:​75:​aa:​17'​
 +    option ip '​10.11.12.14'​
 +    option tag '​vpn' ​ # assign tag "​vpn"​ to this host
 +
 +config host
 +    option name '​j500'​
 +    option mac '​01:​22:​64:​76:​bb:​18'​
 +    option ip '​10.11.12.15'​
 +    option tag '​vpn' ​ # assign tag "​vpn"​ to this host
 +
 +config tag '​vpn' ​ # match tag "​vpn"​
 +    list dhcp_option '​6,​8.8.8.8,​8.8.4.4' ​ # assign arbritary extra dhcp options to this tag
 +</​code>​
  
 FIXME Convert to procd: etc/​init.d/​dnsmasq restart ​ FIXME Convert to procd: etc/​init.d/​dnsmasq restart ​
 +
 +==== Enabling DHCP without enabling DNS ====
 +
 +This is useful when you just want to hand out addresses to clients, without doing any DNS.
 +
 +<​code>​
 +config dnsmasq
 +       ...
 +       ​option port 0
 +       ​option domain ''​
 +</​code>​
 +
 +The second option prevents dnsmasq from giving out a domain name and DNS search list to clients: this is useless without DNS resolving.
 +
 +Of course, you will want to hand out the address of a DNS resolver to clients:
 +
 +<​code>​
 +config dhcp lan
 +       ​option interface lan
 +       ...
 +       list dhcp_option "​6,​80.67.188.188,​6,​80.67.169.12"​
 +       list dns         "​2001:​913::​8"​
 +       list dns         "​2001:​910:​800::​12" ​      
 +</​code>​
 +
 +The `dhcp_option` entry is meant for dnsmasq, while the more elegant `dns` entries are understood by odhcpd. ​ By default, odhcpd is only used for IPv6, but if you also use odhcpd for IPv4, you can just use `dns` entries for everything.
  
 ==== Enabling DNS without enabling DHCP ==== ==== Enabling DNS without enabling DHCP ====
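Review bot: the dhcp_option value in the "Enabling DHCP without enabling DNS" example above is malformed: `list dhcp_option "6,80.67.188.188,6,80.67.169.12"` repeats the option code, whereas option 6 takes one code followed by a list of addresses, so it should read `list dhcp_option "6,80.67.188.188,80.67.169.12"` (the tag example earlier in the same hunk already uses the correct `6,8.8.8.8,8.8.4.4` form). In the same section it is worth saying that `option port 0` takes the router out of the DNS path entirely, so the rebind_protection and dnssec options documented in the table no longer protect these clients; they get whatever the external resolvers return. In the tag example, the second host's MAC `01:22:64:76:bb:18` has the group bit set in its first octet (odd first byte), which makes it a multicast address that can never be a client's hardware address; a locally administered unicast example such as `02:22:64:76:bb:18` avoids teaching a bad value. Also "arbritary" should be "arbitrary".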
Line 447: Line 509:
 This change will turn off just DHCP but leave DNS services available on the specified interface. This change will turn off just DHCP but leave DNS services available on the specified interface.
  
- +==== Several DNS servers ​==== 
-===== DNSSEC ===== +<​file>​ 
- +config dnsmasq 
-FIXME +        ​option domainneeded '​1'​ 
- +        ​option localise_queries '​1'​ 
-DNSSEC with DNSMASQ can be used in Barrier Breaker. +        ​option local '/lan/
- +        option domain '​lan'​ 
-  * [[https://dev.openwrt.org/changeset/36570|r36570]] : add proxydnssec +        option expandhosts '​1'​ 
-  * [[https://dev.openwrt.org/​changeset/​41244|r41244]] : DNSMASQ-full package +        option authoritative '​1'​ 
-  * [[https://dev.openwrt.org/changeset/41245|r41245]] : dnssec, dnsseccheckunsigned +        option readethers '​1'​ 
- +        option leasefile '/tmp/dhcp.leases'​ 
-<​code>​ +        ​option resolvfile '/tmp/resolv.conf.auto' 
-Option ​'dnssec':​ Activate DNSSEC validation +        list server '/subdomain.example.com/192.0.2.1' 
-Option ​'dnsseccheckunsigned': Ensure answers without DNSSEC are in +        list server '/example.com/208.67.222.222
-unsigned zones. +        ​option rebind_protection ​'0
-</code>+</file>
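Review bot: the new "Several DNS servers" example sets `option rebind_protection '0'` without saying why, and for the case it illustrates (forwarding `subdomain.example.com` to an internal server that may answer with private addresses) the page's own `rebind_domain` list is the right tool: `list rebind_domain 'subdomain.example.com'` keeps protection for every other zone, whereas disabling it globally reopens the attack the table entry describes for every upstream answer. The example should use that instead, or at least explain the trade-off. The hunk also deletes the DNSSEC section outright; the two options are now in the table, but the three changeset references (r36570, r41244, r41245) and the note that this needs Barrier Breaker are lost and should be carried over, for example into the dnssec table rows. Minor: the block uses `<file>` where every other example on the page uses `<code>`, and a sentence explaining the `/domain/server` syntax of the two `list server` lines (and that a `server` entry without a domain is an ordinary upstream) would make the section self-explanatory.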
doc/uci/dhcp.1406923598.txt.bz2 · Last modified: 2014/08/01 22:06 by tolstyak