• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1Q: Why does dnsmasq open UDP ports >1024 as well as port 53.
2   Is this a security problem/trojan/backdoor?
3
4A: The high ports that dnsmasq opens are for replies from the upstream
5   nameserver(s). Queries from dnsmasq to upstream nameservers are sent
6   from these ports and replies received to them. The reason for doing this is
7   that most firewall setups block incoming packets _to_ port 53, in order
8   to stop DNS queries from the outside world. If dnsmasq sent its queries
9   from port 53 the replies would be _to_ port 53 and get blocked.
10
11   This is not a security hole since dnsmasq will only accept replies to that
12   port: queries are  dropped. The replies must be to oustanding queries
13   which dnsmasq has forwarded, otherwise they are dropped too.
14
15   Addendum: dnsmasq now has the option "query-port" (-Q), which allows
16   you to specify the UDP port to be used for this purpose.  If not
17   specified, the operating system will select an available port number
18   just as it did before.
19
20   Second addendum: following the discovery of a security flaw in the
21   DNS protocol, dnsmasq from version 2.43 has changed behavior. It
22   now uses a new, randomly selected, port for each query. The old
23   default behaviour (use one port allocated by the OS) is available by
24   setting --query-port=0, and setting the query port to a positive
25   value is still works. You should think hard and know what you are
26   doing before using either of these options.
27
28Q: Why doesn't dnsmasq support DNS queries over TCP? Don't the RFC's specify
29   that?
30
31A: Update: from version 2.10, it does. There are a few limitations:
32   data obtained via TCP is not cached, and source-address
33   or query-port specifications are ignored for TCP.
34
35Q: When I send SIGUSR1 to dump the contents of the cache, some entries have
36   no IP address and are for names like mymachine.mydomain.com.mydomain.com.
37   What are these?
38
39A: They are negative entries: that's what the N flag means. Dnsmasq asked
40   an upstream nameserver to resolve that address and it replied "doesn't
41   exist, and won't exist for <n> hours" so dnsmasq saved that information so
42   that if _it_ gets asked the same question it can answer directly without
43   having to go back to the upstream server again. The strange repeated domains
44   result from the way resolvers search short names. See "man resolv.conf" for
45   details.
46
47
48Q: Will dnsmasq compile/run on non-Linux systems?
49
50A: Yes, there is explicit support for *BSD and MacOS X and Solaris.
51   There are start-up scripts for MacOS X Tiger and Panther
52   in /contrib. Dnsmasq will link with uclibc to provide small
53   binaries suitable for use in embedded systems such as
54   routers. (There's special code to support machines with flash
55   filesystems and no battery-backed RTC.)
56   If you encounter make errors with *BSD, try installing gmake from
57   ports and building dnsmasq with "make MAKE=gmake"
58   For other systems, try altering the settings in config.h.
59
60Q: My company's nameserver knows about some names which aren't in the
61   public DNS. Even though I put it first in /etc/resolv.conf, it
62   dosen't work: dnsmasq seems not to use the nameservers in the order
63   given. What am I doing wrong?
64
65A: By default, dnsmasq treats all the nameservers it knows about as
66   equal: it picks the one to use using an algorithm designed to avoid
67   nameservers which aren't responding. To make dnsmasq use the
68   servers in order, give it the -o flag. If you want some queries
69   sent to a special server, think about using the -S flag to give the
70   IP address of that server, and telling dnsmasq exactly which
71   domains to use the server for.
72
73Q: OK, I've got queries to a private nameserver working, now how about
74   reverse queries for a range of IP addresses?
75
76A: Use the standard DNS convention of <reversed address>.in-addr.arpa.
77   For instance to send reverse queries on the range 192.168.0.0 to
78   192.168.0.255 to a nameserver at 10.0.0.1 do
79   server=/0.168.192.in-addr.arpa/10.0.0.1
80   Note that the "bogus-priv" option take priority over this option,
81   so the above will not work when the bogus-priv option is set.
82
83Q: Dnsmasq fails to start with an error like this: "dnsmasq: bind
84   failed: Cannot assign requested address". What's the problem?
85
86A: This has been seen when a system is bringing up a PPP interface at
87   boot time: by the time dnsmasq start the interface has been
88   created, but not brought up and assigned an address. The easiest
89   solution is to use --interface flags to specify which interfaces
90   dnsmasq should listen on. Since you are unlikely to want dnsmasq to
91   listen on a PPP interface and offer DNS service to the world, the
92   problem is solved.
93
94Q: I'm running on BSD and dnsmasq won't accept long options on the
95   command line.
96
97A: Dnsmasq when built on some BSD systems doesn't use GNU getopt by
98   default. You can either just use the single-letter options or
99   change config.h and the Makefile to use getopt-long. Note that
100   options in /etc/dnsmasq.conf must always be the long form,
101   on all platforms.
102
103Q: Names on the internet are working fine, but looking up local names
104   from /etc/hosts or DHCP doesn't seem to work.
105
106A: Resolver code sometime does strange things when given names without
107   any dots in. Win2k and WinXP may not use the DNS at all and just
108   try and look up the name using WINS. On unix look at "options ndots:"
109   in "man resolv.conf" for details on this topic. Testing lookups
110   using "nslookup" or "dig" will work, but then attempting to run
111   "ping" will get a lookup failure, appending a dot to the end of the
112   hostname  will fix things. (ie "ping myhost" fails, but "ping
113   myhost." works. The solution is to make sure that all your hosts
114   have a domain set ("domain" in resolv.conf, or set a domain in
115   your DHCP server, see below fr Windows XP and Mac OS X).
116   Any domain  will do, but "localnet" is traditional. Now when you
117   resolve "myhost" the resolver will attempt to look up
118   "myhost.localnet" so you need to have dnsmasq reply to that name.
119   The way to do that is to include the domain in each name on
120   /etc/hosts  and/or to use the --expand-hosts and --domain options.
121
122Q: How do I set the DNS domain in Windows XP or MacOS X (ref: previous
123   question)?
124
125A: for XP, Control Panel > Network Connections > { Connection to gateway /
126   DNS } > Properties > { Highlight TCP/IP } > Properties > Advanced >
127   DNS Tab > DNS suffix for this connection:
128
129A: for OS X, System Preferences > Network > {Connection to gateway / DNS } >
130   Search domains:
131
132Q: Can I get dnsmasq to save the contents of its cache to disk when
133   I shut my machine down and re-load when it starts again?
134
135A: No, that facility is not provided. Very few names in the DNS have
136   their time-to-live set for longer than a few hours so most of the
137   cache entries would have expired after a shutdown. For longer-lived
138   names it's much cheaper to just reload them from the upstream
139   server. Note that dnsmasq is not shut down between PPP sessions so
140   go off-line and then on-line again will not lose the contents of
141   the cache.
142
143Q: Who are Verisign, what do they have to do with the bogus-nxdomain
144   option in dnsmasq and why should I wory about it?
145
146A: [note: this was written in September 2003, things may well change.]
147   Versign run the .com and .net top-level-domains. They have just
148   changed the configuration of their servers so that unknown .com and
149   .net domains, instead of returning an error code NXDOMAIN, (no such
150   domain) return the address of a host at Versign which runs a web
151   server showing a search page. Most right-thinking people regard
152   this new behaviour as broken :-).  You can test to see if you are
153   suffering Versign brokeness by run a command like
154
155   host jlsdajkdalld.com
156
157   If you get "jlsdajkdalld.com" does not exist, then all is fine, if
158   host returns an IP address, then the DNS is broken. (Try a few
159   different unlikely domains, just in case you picked a wierd one
160   which really _is_ registered.)
161
162   Assuming that your DNS is broken, and you want to fix it, simply
163   note the IP address being returned and pass it to dnsmasq using the
164   --bogus-nxdomain flag. Dnsmasq will check for results returning
165   that address and substitute an NXDOMAIN instead.
166
167   As of writing, the IP address in question for the .com and .net
168   domains is is 64.94.110.11. Various other, less prominent,
169   registries pull the same stunt; there is a list of them all, and
170   the addresses to block, at http://winware.org/bogus-domains.txt
171
172Q: This new DHCP server is well and good, but it doesn't work for me.
173   What's the problem?
174
175A: There are a couple of configuration gotchas which have been
176   encountered by people moving from the ISC dhcpd to the dnsmasq
177   integrated DHCP daemon. Both are related to differences in
178   in the way the two daemons bypass the IP stack to do "ground up"
179   IP configuration and can lead to the dnsmasq daemon failing
180   whilst the ISC one works.
181
182   The first thing to check is the broadcast address set for the
183   ethernet interface. This is normally the adddress on the connected
184   network with all ones in the host part. For instance if the
185   address of the ethernet interface is 192.168.55.7 and the netmask
186   is 255.255.255.0 then the broadcast address should be
187   192.168.55.255. Having a broadcast address which is not on the
188   network to which the interface is connected kills things stone
189   dead.
190
191   The second potential problem relates to firewall rules: since the ISC
192   daemon in some configurations bypasses the kernel firewall rules
193   entirely, the ability to run the ISC daemon does not indicate
194   that the current configuration is OK for the dnsmasq daemon.
195   For the dnsmasq daemon to operate it's vital that UDP packets to
196   and from ports 67 and 68 and broadcast packets with source
197   address 0.0.0.0 and destination address 255.255.255.255 are not
198   dropped by iptables/ipchains.
199
200Q: I'm running Debian, and my machines get an address fine with DHCP,
201   but their names are not appearing in the DNS.
202
203A: By default, none of the DHCP clients send the host-name when asking
204   for a lease. For most of the clients, you can set the host-name to
205   send with the "hostname" keyword in /etc/network/interfaces. (See
206   "man interfaces" for details.) That doesn't work for dhclient, were
207   you have to add something like "send host-name daisy" to
208   /etc/dhclient.conf [Update: the lastest dhcpcd packages _do_ send
209   the hostname by default.
210
211Q: I'm network booting my machines, and trying to give them static
212   DHCP-assigned addresses. The machine gets its correct address
213   whilst booting, but then the OS starts and it seems to get
214   allocated a different address.
215
216A: What is happening is this: The boot process sends a DHCP
217   request and gets allocated the static address corresponding to its
218   MAC address. The boot loader does not send a client-id. Then the OS
219   starts and repeats the DHCP process, but it it does send a
220   client-id. Dnsmasq cannot assume that the two requests are from the
221   same machine (since the client ID's don't match) and even though
222   the MAC address has a static allocation, that address is still in
223   use by the first incarnation of the machine (the one from the boot,
224   without a client ID.) dnsmasq therefore has to give the machine a
225   dynamic address from its pool. There are three ways to solve this:
226   (1) persuade your DHCP client not to send a client ID, or (2) set up
227   the static assignment to the client ID, not the MAC address. The
228   default client-id will be 01:<MAC address>, so change the dhcp-host
229   line from "dhcp-host=11:22:33:44:55:66,1.2.3.4" to
230   "dhcp-host=id:01:11:22:33:44:55:66,1.2.3.4" or (3) tell dnsmasq to
231   ignore client IDs for a particular MAC address, like this:
232   dhcp-host=11:22:33:44:55:66,id:*
233
234Q: What network types are supported by the DHCP server?
235
236A: Ethernet (and 802.11 wireless) are supported on all platforms. On
237   Linux all network types (including FireWire) are supported.
238
239Q: What is this strange "bind-interface" option?
240
241A: The DNS spec says that the reply to a DNS query must come from the
242   same address it was sent to. The traditional way to write an UDP
243   server to do this is to find all of the addresses belonging to the
244   machine (ie all the interfaces on the machine) and then create a
245   socket for each interface which is bound to the address of the
246   interface. Then when a packet is sent to address A, it is received
247   on the socket bound to address A and when the reply is also sent
248   via that socket, the source address is set to A by the kernel and
249   everything works. This is the how dnsmasq works when
250   "bind-interfaces" is set, with the obvious extension that is misses
251   out creating sockets for some interfaces depending on the
252   --interface, --address and --except-interface flags.  The
253   disadvantage of this approach is that it breaks if interfaces don't
254   exist or are not configured when the daemon starts and does the
255   socket creation step. In a hotplug-aware world this is a real
256   problem.
257
258   The alternative approach is to have only one socket, which is bound
259   to the correct port and the wildcard IP address (0.0.0.0). That
260   socket will receive _all_ packets sent to port 53, no matter what
261   destination address they have. This solves the problem of
262   interfaces which are created or reconfigured after daemon
263   start-up. To make this work is more complicated because of the
264   "reply source address" problem. When a UDP packet is sent by a
265   socket bound to 0.0.0.0 its source address will be set to the
266   address of one of the machine's interfaces, but which one is not
267   determined and can vary depending on the OS being run. To get round
268   this it is neccessary to use a scary advanced API to determine the
269   address to which a query was sent, and force that to be the source
270   address in the reply. For IPv4 this stuff in non-portable and quite
271   often not even available (It's different between FreeBSD 5.x and
272   Linux, for instance, and FreeBSD 4.x, Linux 2.0.x and OpenBSD don't
273   have it at all.) Hence "bind-interfaces" has to always be available
274   as a fall back. For IPv6 the API is standard and universally
275   available.
276
277   It could be argued that if the --interface or --address flags are
278   used then binding interfaces is more appropriate, but using
279   wildcard binding means that dnsmasq will quite happily start up
280   after being told to use interfaces which don't exist, but which are
281   created later. Wildcard binding breaks the scenario when dnsmasq is
282   listening on one interface and another server (most probably BIND)
283   is listening on another. It's not possible for BIND to bind to an
284   (address,port) pair when dnsmasq has bound (wildcard,port), hence
285   the ability to explicitly turn off wildcard binding.
286
287Q: Why doesn't Kerberos work/why can't I get sensible answers to
288   queries for SRV records.
289
290A: Probably because you have the "filterwin2k" option set. Note that
291   it was on by default in example configuration files included in
292   versions before 2.12, so you might have it set on without
293   realising.
294
295Q: Can I get email notification when a new version of dnsmasq is
296   released?
297
298A: Yes, new releases of dnsmasq are always announced through
299   freshmeat.net, and they allow you to subcribe to email alerts when
300   new versions of particular projects are released. New releases are
301   also announced in the dnsmasq-discuss mailing list, subscribe at
302   http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
303
304Q: What does the dhcp-authoritative option do?
305
306A: See http://www.isc.org/index.pl?/sw/dhcp/authoritative.php - that's
307   for the ISC daemon, but the same applies to dnsmasq.
308
309Q: Why does my Gentoo box pause for a minute before getting a new
310   lease?
311
312A: Because when a Gentoo box shuts down, it releases its lease with
313   the server but remembers it on the client; this seems to be a
314   Gentoo-specific patch to dhcpcd. On restart it tries to renew
315   a lease which is long gone, as far as dnsmasq is concerned, and
316   dnsmasq ignores it until is times out and restarts the process.
317   To fix this, set the dhcp-authoritative flag in dnsmasq.
318
319Q: My laptop has two network interfaces, a wired one and a wireless
320   one. I never use both interfaces at the same time, and I'd like the
321   same IP and configuration to be used irrespective of which
322   interface is in use. How can I do that?
323
324A: By default, the identity of a machine is determined by using the
325   MAC address, which is associated with interface hardware. Once an
326   IP is bound to the MAC address of one interface, it cannot be
327   associated with another MAC address until after the DHCP lease
328   expires. The solution to this is to use a client-id as the machine
329   identity rather than the MAC address. If you arrange for the same
330   client-id to sent when either interface is in use, the DHCP server
331   will recognise the same machine, and use the same address. The
332   method for setting the client-id varies with DHCP client software,
333   dhcpcd uses the "-I" flag. Windows uses a registry setting,
334   see http://www.jsiinc.com/SUBF/TIP2800/rh2845.htm
335Addendum:
336   From version 2.46, dnsmasq has a solution to this which doesn't
337   involve setting client-IDs. It's possible to put more than one MAC
338   address in a --dhcp-host configuration. This tells dnsmasq that it
339   should use the specified IP for any of the specified MAC addresses,
340   and furthermore it gives dnsmasq permission to sumarily abandon a
341   lease to one of the MAC addresses if another one comes along. Note
342   that this will work fine only as longer as only one interface is
343   up at any time. There is no way for dnsmasq to enforce this
344   constraint: if you configure multiple MAC addresses and violate
345   this rule, bad things will happen.
346
347Q: Can dnsmasq do DHCP on IP-alias interfaces?
348
349A: Yes, from version-2.21. The support is only available running under
350   Linux, on a kernel which provides the RT-netlink facility. All 2.4
351   and 2.6 kernels provide RT-netlink and it's an option in 2.2
352   kernels.
353
354   If a physical interface has more than one IP address or aliases
355   with extra IP addresses, then any dhcp-ranges corresponding to
356   these addresses can be used for address allocation. So if an
357   interface has addresses 192.168.1.0/24 and 192.68.2.0/24 and there
358   are DHCP ranges 192.168.1.100-192.168.1.200 and
359   192.168.2.100-192.168.2.200 then both ranges would be used for host
360   connected to the physical interface. A more typical use might be to
361   have one of the address-ranges as static-only, and have known
362   hosts allocated addresses on that subnet using dhcp-host options,
363   while  anonymous hosts go on the other.
364
365
366Q: Dnsmasq sometimes logs "nameserver xxx.xxx.xxx.xxx refused
367   to do a recursive query" and DNS stops working. What's going on?
368
369A: Probably the nameserver is an authoritative nameserver for a
370   particular domain, but is not configured to answer general DNS
371   queries for an arbitrary domain. It is not suitable for use by
372   dnsmasq as an upstream server and should be removed from the
373   configuration. Note that if you have more than one upstream
374   nameserver configured dnsmasq will load-balance across them and
375   it may be some time before dnsmasq gets around to using a
376   particular nameserver. This means that a particular configuration
377   may work for sometime with a broken upstream nameserver
378   configuration.
379
380
381Q: Does the dnsmasq DHCP server probe addresses before allocating
382   them, as recommended in RFC2131?
383
384A: Yes, dynmaically allocated IP addresses are checked by sending an
385   ICMP echo request (ping). If a reply is received, then dnsmasq
386   assumes that the address is in use, and attempts to allocate an
387   different address. The wait for a reply is between two and three
388   seconds. Because the DHCP server is not re-entrant, it cannot serve
389   other DHCP requests during this time. To avoid dropping requests,
390   the address probe may be skipped when dnsmasq is under heavy load.
391
392
393Q: I'm using dnsmasq on a machine with the Firestarter firewall, and
394   DHCP doesn't work. What's the problem?
395
396A: This a variant on the iptables problem. Explicit details on how to
397   proceed can be found at
398   http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2005q3/000431.html
399
400
401Q: I'm using dnsmasq on a machine with the shorewall firewall, and
402   DHCP doesn't work. What's the problem?
403
404A: This a variant on the iptables problem. Explicit details on how to
405   proceed can be found at
406   http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2007q4/001764.html
407
408
409Q: Dnsmasq fails to start up with a message about capabilities.
410   Why did that happen and what can do to fix it?
411
412A: Change your kernel configuration: either deselect CONFIG_SECURITY
413   _or_ select CONFIG_SECURITY_CAPABILITIES. Alternatively, you can
414   remove the need to set capabilities by running dnsmasq as root.
415
416Q: Where can I get .rpms Suitable for Suse?
417
418A: Dnsmasq is in Suse itself, and the latest releases are also
419   available at ftp://ftp.suse.com/pub/people/ug/
420
421
422Q: Can I run dnsmasq in a Linux vserver?
423
424A: Yes, as a DNS server, dnsmasq will just work in a vserver.
425   To use dnsmasq's DHCP function you need to give the vserver
426   extra system capabilities. Please note that doing so will lesser
427   the overall security of your system. The capabilities
428   required are NET_ADMIN and NET_RAW. NET_ADMIN is essential, NET_RAW
429   is required to do an ICMP "ping" check on newly allocated
430   addresses. If you don't need this check, you can disable it with
431   --no-ping and omit the NET_RAW capability.
432   Adding the capabilities is done by adding them, one per line, to
433   either /etc/vservers/<vservername>/ccapabilities for a 2.4 kernel or
434   /etc/vservers/<vservername>/bcapabilities for a 2.6 kernel (please
435   refer to the vserver documentation for more information).
436
437
438Q: What's the problem with syslog and dnsmasq?
439
440A: In almost all cases: none. If you have the normal arrangement with
441   local daemons logging to a local syslog, which then writes to disk,
442   then there's never a problem. If you use network logging, then
443   there's a potential problem with deadlock: the syslog daemon will
444   do DNS lookups so that it can log the source of log messages,
445   these lookups will (depending on exact configuration) go through
446   dnsmasq, which also sends log messages. With bad timing, you can
447   arrive at a situation where syslog is waiting for dnsmasq, and
448   dnsmasq is waiting for syslog; they will both wait forever. This
449   problem is fixed from dnsmasq-2.39, which introduces asynchronous
450   logging: dnsmasq no longer waits for syslog and the deadlock is
451   broken. There is a remaining problem in 2.39, where "log-queries"
452   is in use. In this case most DNS queries generate two log lines, if
453   these go to a syslog which is doing a DNS lookup for each log line,
454   then those queries will in turn generate two more log lines, and a
455   chain reaction runaway will occur. To avoid this, use syslog-ng
456   and turn on syslog-ng's dns-cache function.
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472