From a91553fc122628956bcb60f5a9638dfb3374e865 Mon Sep 17 00:00:00 2001 From: Juergen Borleis Date: Wed, 5 Jun 2019 14:54:08 +0200 Subject: dnsmasq: version bump 2.79 -> 2.80 Signed-off-by: Juergen Borleis Signed-off-by: Michael Olbrich --- projectroot/etc/dnsmasq.conf | 275 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 224 insertions(+), 51 deletions(-) (limited to 'projectroot') diff --git a/projectroot/etc/dnsmasq.conf b/projectroot/etc/dnsmasq.conf index 1856481d1..8548b43ed 100644 --- a/projectroot/etc/dnsmasq.conf +++ b/projectroot/etc/dnsmasq.conf @@ -4,17 +4,34 @@ # as the long options legal on the command line. See # "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. +# Listen on this specific port instead of the standard DNS port +# (53). Setting this to zero completely disables DNS function, +# leaving only DHCP and/or TFTP. +#port=5353 + # The following two options make you a better netizen, since they # tell dnsmasq to filter out queries which the public DNS cannot # answer, and which load the servers (especially the root servers) -# uneccessarily. If you have a dial-on-demand link they also stop -# these requests from bringing up the link uneccessarily. +# unnecessarily. If you have a dial-on-demand link they also stop +# these requests from bringing up the link unnecessarily. # Never forward plain names (without a dot or domain part) #domain-needed # Never forward addresses in the non-routed address spaces. #bogus-priv +# Uncomment these to enable DNSSEC validation and caching: +# (Requires dnsmasq to be built with DNSSEC option.) +#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf +#dnssec + +# Replies which are not DNSSEC signed may be legitimate, because the domain +# is unsigned, or may be forgeries. Setting this option tells dnsmasq to +# check that an unsigned reply is OK, by finding a secure proof that a DS +# record somewhere between the root and the domain does not exist. +# The cost of setting this is that even queries in unsigned domains will need +# one or more extra DNS queries to verify. +#dnssec-check-unsigned # Uncomment this to filter useless windows-originated DNS requests # which can trigger dial-on-demand links needlessly. @@ -57,21 +74,25 @@ #local=/localnet/ # Add domains which you want to force to an IP address here. -# The example below send any host in doubleclick.net to a local -# webserver. -#address=/doubleclick.net/127.0.0.1 +# The example below send any host in double-click.net to a local +# web-server. +#address=/double-click.net/127.0.0.1 # --address (and --server) work with IPv6 addresses too. #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 +# Add the IPs of all queries to yahoo.com, google.com, and their +# subdomains to the vpn and search ipsets: +#ipset=/yahoo.com/google.com/vpn,search + # You can control how dnsmasq talks to a server: this forces # queries to 10.1.2.3 to be routed via eth1 -# --server=10.1.2.3@eth1 +# server=10.1.2.3@eth1 # and this sets the source (ie local) address used to talk to -# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that +# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that # IP on the machine, obviously). -# --server=10.1.2.3@192.168.1.1#55 +# server=10.1.2.3@192.168.1.1#55 # If you want dnsmasq to change uid and gid to something other # than the default, edit the following lines. @@ -90,7 +111,7 @@ #listen-address= # If you want dnsmasq to provide only DNS service on an interface, # configure it as shown above, and then use the following line to -# disable DHCP on it. +# disable DHCP and TFTP on it. #no-dhcp-interface= # On systems which support it, dnsmasq binds the wildcard address, @@ -141,17 +162,68 @@ # don't need to worry about this. #dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h -# This is an example of a DHCP range with a network-id, so that +# This is an example of a DHCP range which sets a tag, so that # some DHCP options may be set only for this network. -#dhcp-range=red,192.168.0.50,192.168.0.150 +#dhcp-range=set:red,192.168.0.50,192.168.0.150 + +# Use this DHCP range only when the tag "green" is set. +#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h + +# Specify a subnet which can't be used for dynamic address allocation, +# is available for hosts with matching --dhcp-host lines. Note that +# dhcp-host declarations will be ignored unless there is a dhcp-range +# of some type for the subnet in question. +# In this case the netmask is implied (it comes from the network +# configuration on the machine running dnsmasq) it is possible to give +# an explicit netmask instead. +#dhcp-range=192.168.0.0,static + +# Enable DHCPv6. Note that the prefix-length does not need to be specified +# and defaults to 64 if missing/ +#dhcp-range=1234::2, 1234::500, 64, 12h + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +#dhcp-range=1234::, ra-only + +# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and +# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack +# hosts. Use the DHCPv4 lease to derive the name, network segment and +# MAC address and assume that the host will also have an +# IPv6 address calculated using the SLAAC algorithm. +#dhcp-range=1234::, ra-names + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.) +#dhcp-range=1234::, ra-only, 48h + +# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA +# so that clients can use SLAAC addresses as well as DHCP ones. +#dhcp-range=1234::2, 1234::500, slaac + +# Do Router Advertisements and stateless DHCP for this subnet. Clients will +# not get addresses from DHCP, but they will get other configuration information. +# They will use SLAAC for addresses. +#dhcp-range=1234::, ra-stateless + +# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses +# from DHCPv4 leases. +#dhcp-range=1234::, ra-stateless, ra-names + +# Do router advertisements for all subnets where we're doing DHCPv6 +# Unless overridden by ra-stateless, ra-names, et al, the router +# advertisements will have the M and O bits set, so that the clients +# get addresses and configuration from DHCPv6, and the A bit reset, so the +# clients don't use SLAAC addresses. +#enable-ra # Supply parameters for specified hosts using DHCP. There are lots # of valid alternatives, so we will give examples of each. Note that # IP addresses DO NOT have to be in the range given above, they just # need to be on the same network. The order of the parameters in these -# do not matter, it's permissible to give name,address and MAC in any order +# do not matter, it's permissible to give name, address and MAC in any +# order. -# Always allocate the host with ethernet address 11:22:33:44:55:66 +# Always allocate the host with Ethernet address 11:22:33:44:55:66 # The IP address 192.168.0.60 #dhcp-host=11:22:33:44:55:66,192.168.0.60 @@ -159,13 +231,13 @@ # 11:22:33:44:55:66 to be "fred" #dhcp-host=11:22:33:44:55:66,fred -# Always give the host with ethernet address 11:22:33:44:55:66 +# Always give the host with Ethernet address 11:22:33:44:55:66 # the name fred and IP address 192.168.0.60 and lease time 45 minutes #dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m -# Give a host with ethernet address 11:22:33:44:55:66 or +# Give a host with Ethernet address 11:22:33:44:55:66 or # 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume -# that these two ethernet interfaces will never be in use at the same +# that these two Ethernet interfaces will never be in use at the same # time, and give the IP address to the second, even if it is already # in use by the first. Useful for laptops with wired and wireless # addresses. @@ -179,6 +251,13 @@ # the IP address 192.168.0.60 #dhcp-host=id:01:02:02:04,192.168.0.60 +# Always give the InfiniBand interface with hardware address +# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the +# ip address 192.168.0.61. The client id is derived from the prefix +# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of +# hex digits of the hardware address. +#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61 + # Always give the host with client identifier "marjorie" # the IP address 192.168.0.60 #dhcp-host=id:marjorie,192.168.0.60 @@ -188,41 +267,47 @@ # it asks for a DHCP lease. #dhcp-host=judge -# Never offer DHCP service to a machine whose ethernet +# Never offer DHCP service to a machine whose Ethernet # address is 11:22:33:44:55:66 #dhcp-host=11:22:33:44:55:66,ignore -# Ignore any client-id presented by the machine with ethernet +# Ignore any client-id presented by the machine with Ethernet # address 11:22:33:44:55:66. This is useful to prevent a machine # being treated differently when running under different OS's or # between PXE boot and OS boot. #dhcp-host=11:22:33:44:55:66,id:* # Send extra options which are tagged as "red" to -# the machine with ethernet address 11:22:33:44:55:66 -#dhcp-host=11:22:33:44:55:66,net:red +# the machine with Ethernet address 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,set:red # Send extra options which are tagged as "red" to -# any machine with ethernet address starting 11:22:33: -#dhcp-host=11:22:33:*:*:*,net:red +# any machine with Ethernet address starting 11:22:33: +#dhcp-host=11:22:33:*:*:*,set:red -# Ignore any clients which are specified in dhcp-host lines -# or /etc/ethers. Equivalent to ISC "deny unkown-clients". +# Give a fixed IPv6 address and name to client with +# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2 +# Note the MAC addresses CANNOT be used to identify DHCPv6 clients. +# Note also that the [] around the IPv6 address are obligatory. +#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] + +# Ignore any clients which are not specified in dhcp-host lines +# or /etc/ethers. Equivalent to ISC "deny unknown-clients". # This relies on the special "known" tag which is set when # a host is matched. -#dhcp-ignore=#known +#dhcp-ignore=tag:!known # Send extra options which are tagged as "red" to any machine whose # DHCP vendorclass string includes the substring "Linux" -#dhcp-vendorclass=red,Linux +#dhcp-vendorclass=set:red,Linux # Send extra options which are tagged as "red" to any machine one # of whose DHCP userclass strings includes the substring "accounts" -#dhcp-userclass=red,accounts +#dhcp-userclass=set:red,accounts # Send extra options which are tagged as "red" to any machine whose # MAC address matches the pattern. -#dhcp-mac=red,00:60:8C:*:*:* +#dhcp-mac=set:red,00:60:8C:*:*:* # If this line is uncommented, dnsmasq will read /etc/ethers and act # on the ethernet-address/IP pairs found there just as if they had @@ -257,6 +342,24 @@ # Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 #dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 +# Send DHCPv6 option. Note [] around IPv6 addresses. +#dhcp-option=option6:dns-server,[1234::77],[1234::88] + +# Send DHCPv6 option for namservers as the machine running +# dnsmasq and another. +#dhcp-option=option6:dns-server,[::],[1234::88] + +# Ask client to poll for option changes every six hours. (RFC4242) +#dhcp-option=option6:information-refresh-time,6h + +# Set option 58 client renewal time (T1). Defaults to half of the +# lease time if not specified. (RFC2132) +#dhcp-option=option:T1,1m + +# Set option 59 rebinding time (T2). Defaults to 7/8 of the +# lease time if not specified. (RFC2132) +#dhcp-option=option:T2,2m + # Set the NTP time server address to be the same machine as # is running dnsmasq #dhcp-option=42,0.0.0.0 @@ -276,8 +379,8 @@ # Specify an option which will only be sent to the "red" network # (see dhcp-range for the declaration of the "red" network) -# Note that the net: part must precede the option: part. -#dhcp-option = net:red, option:ntp-server, 192.168.1.1 +# Note that the tag: part must precede the option: part. +#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 # The following DHCP options set up dnsmasq in the same way as is specified # for the ISC dhcpcd in @@ -291,6 +394,9 @@ #dhcp-option=45,0.0.0.0 # netbios datagram distribution server #dhcp-option=46,8 # netbios node type +# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave. +#dhcp-option=252,"\n" + # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client # probably doesn't support this...... #dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com @@ -329,20 +435,23 @@ # Reboot time. (Note 'i' to send 32-bit value) #dhcp-option-force=211,30i -# Set the boot filename for BOOTP. You will only need -# this is you want to boot machines over the network and you will need -# a TFTP server; either dnsmasq's built in TFTP server or an +# Set the boot filename for netboot/PXE. You will only need +# this if you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built-in TFTP server or an # external one. (See below for how to enable the TFTP server.) #dhcp-boot=pxelinux.0 -# Boot for Etherboot gPXE. The idea is to send two different -# filenames, the first loads gPXE, and the second tells gPXE what to -# load. The dhcp-match sets the gpxe tag for requests from gPXE. -#dhcp-match=gpxe,175 # gPXE sends a 175 option. -#dhcp-boot=net:#gpxe,undionly.kpxe -#dhcp-boot=mybootimage +# The same as above, but use custom tftp-server instead machine running dnsmasq +#dhcp-boot=pxelinux,server.name,192.168.1.100 -# Encapsulated options for Etherboot gPXE. All the options are +# Boot for iPXE. The idea is to send two different +# filenames, the first loads iPXE, and the second tells iPXE what to +# load. The dhcp-match sets the ipxe tag for requests from iPXE. +#dhcp-boot=undionly.kpxe +#dhcp-match=set:ipxe,175 # iPXE sends a 175 option. +#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php + +# Encapsulated options for iPXE. All the options are # encapsulated within option 175 #dhcp-option=encap:175, 1, 5b # priority code #dhcp-option=encap:175, 176, 1b # no-proxydhcp @@ -358,22 +467,67 @@ #dhcp-match=hammers, option:client-arch, 6 #x86-64 #dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 +# Do real PXE, rather than just booting a single file, this is an +# alternative to dhcp-boot. +#pxe-prompt="What system shall I netboot?" +# or with timeout before first available action is taken: +#pxe-prompt="Press F8 for menu.", 60 + +# Available boot services. for PXE. +#pxe-service=x86PC, "Boot from local disk" + +# Loads /pxelinux.0 from dnsmasq TFTP server. +#pxe-service=x86PC, "Install Linux", pxelinux + +# Loads /pxelinux.0 from TFTP server at 1.2.3.4. +# Beware this fails on old PXE ROMS. +#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 + +# Use bootserver on network, found my multicast or broadcast. +#pxe-service=x86PC, "Install windows from RIS server", 1 + +# Use bootserver at a known IP address. +#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 + +# If you have multicast-FTP available, +# information for that can be passed in a similar way using options 1 +# to 5. See page 19 of +# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf + + # Enable dnsmasq's built-in TFTP server #enable-tftp -# Set the root directory for files availble via FTP. -#tftp-root=/var/ftpd +# Set the root directory for files available via FTP. +#tftp-root=/var/lib/misc/ftpd + +# Do not abort if the tftp-root is unavailable +#tftp-no-fail # Make the TFTP server more secure: with this set, only files owned by # the user dnsmasq is running as will be send over the net. #tftp-secure +# This option stops dnsmasq from negotiating a larger blocksize for TFTP +# transfers. It will slow things down, but may rescue some broken TFTP +# clients. +#tftp-no-blocksize + # Set the boot file name only when the "red" tag is set. -#dhcp-boot=net:red,pxelinux.red-net +#dhcp-boot=tag:red,pxelinux.red-net -# An example of dhcp-boot with an external server: the name and IP +# An example of dhcp-boot with an external TFTP server: the name and IP # address of the server are given after the filename. -#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 +# Can fail with old PXE ROMS. Overridden by --pxe-service. +#dhcp-boot=/var/lib/misc/ftpd/pxelinux.0,boothost,192.168.0.3 + +# If there are multiple external tftp servers having a same name +# (using /etc/hosts) then that name can be specified as the +# tftp_servername (the third option to dhcp-boot) and in that +# case dnsmasq resolves this name and returns the resultant IP +# addresses in round robin fashion. This facility can be used to +# load balance the tftp load among a set of servers. +#dhcp-boot=/var/lib/misc/ftpd/pxelinux.0,boothost,tftp_server_name # Set the limit on DHCP leases, the default is 150 #dhcp-lease-max=150 @@ -387,12 +541,20 @@ # and take over the lease for any client which broadcasts on the network, # whether it has a record of the lease or not. This avoids long timeouts # when a machine wakes up on a new network. DO NOT enable this if there's -# the slighest chance that you might end up accidentally configuring a DHCP +# the slightest chance that you might end up accidentally configuring a DHCP # server for your campus/company accidentally. The ISC server uses # the same option, and this URL provides more information: -# http://www.isc.org/index.pl?/sw/dhcp/authoritative.php +# http://www.isc.org/files/auth.html #dhcp-authoritative +# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039. +# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit +# option with a DHCPACK including a Rapid Commit option and fully committed address +# and configuration information. This must only be enabled if either the server is +# the only server for the subnet, or multiple servers are present and they each +# commit a binding for all clients. +#dhcp-rapid-commit + # Run an executable when a DHCP lease is created or destroyed. # The arguments sent to the script are "add" or "del", # then the MAC address, the IP address and finally the hostname @@ -405,7 +567,7 @@ # If you want to disable negative caching, uncomment this. #no-negcache -# Normally responses which come form /etc/hosts and the DHCP lease +# Normally responses which come from /etc/hosts and the DHCP lease # file have Time-To-Live set as zero, which conventionally means # do not cache further. If you are happy to trade lower load on the # server for potentially stale date, you can set a time-to-live (in @@ -456,11 +618,11 @@ # set for this to work.) # A SRV record sending LDAP for the example.com domain to -# ldapserver.example.com port 289 +# ldapserver.example.com port 389 #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 # A SRV record sending LDAP for the example.com domain to -# ldapserver.example.com port 289 (using domain=) +# ldapserver.example.com port 389 (using domain=) #domain=example.com #srv-host=_ldap._tcp,ldapserver.example.com,389 @@ -501,6 +663,17 @@ # Log lots of extra information about DHCP transactions. #log-dhcp -# Include a another lot of configuration options. +# Include another lot of configuration options. #conf-file=/etc/dnsmasq.more.conf #conf-dir=/etc/dnsmasq.d + +# Include all the files in a directory except those ending in .bak +#conf-dir=/etc/dnsmasq.d,.bak + +# Include all files in a directory which end in .conf +#conf-dir=/etc/dnsmasq.d/,*.conf + +# If a DHCP client claims that its name is "wpad", ignore that. +# This fixes a security hole. see CERT Vulnerability VU#598349 +#dhcp-name-match=set:wpad-ignore,wpad +#dhcp-ignore-names=tag:wpad-ignore -- cgit v1.2.3