Source: https://openwrt.org/docs/guide-user/base-system/dhcp_configuration
DNS and DHCP examples
Introduction
This how-to provides most common dnsmasq and odhcpd tuning scenarios adapted for OpenWrt.
Instructions
Static leases
LuCI → DHCP and DNS → Static Leases
Add a fixed IPv4 address 192.168.1.22 and name mydesktop for a machine with the MAC address 00:11:22:33:44:55.
uci add dhcp host
uci set dhcp.@host[-1].name="mydesktop"
uci set dhcp.@host[-1].mac="00:11:22:33:44:55"
uci set dhcp.@host[-1].ip="192.168.1.22"
uci commit dhcp
/etc/init.d/dnsmasq restart
Add a fixed IPv4 address 192.168.1.23, IPv6 interface identifier (address suffix) 23 and name mylaptop for a machine with the MAC address 11:22:33:44:55:66 or aa:bb:cc:dd:ee:ff and DUID 000100004fd454041c6f65d26f43.
uci add dhcp host
uci set dhcp.@host[-1].name="mylaptop"
uci add_list dhcp.@host[-1].mac="11:22:33:44:55:66"
uci add_list dhcp.@host[-1].mac="aa:bb:cc:dd:ee:ff"
uci set dhcp.@host[-1].ip="192.168.1.23"
uci set dhcp.@host[-1].duid="000100004fd454041c6f65d26f43"
uci set dhcp.@host[-1].hostid="23"
uci commit dhcp
/etc/init.d/dnsmasq restart
/etc/init.d/odhcpd restart
Reconnect your clients to apply the changes.
Using multiple MACs in one host entry is unreliable; add a separate host entry for each MAC if the host has more than one interface connected at the same time.
Create persistent DNS records for the configured static lease.
uci set dhcp.@host[-1].dns="1"
uci commit dhcp
/etc/init.d/dnsmasq restart
See also: odhcpd leases
MAC filtering
Ignore DHCP requests from specific clients.
uci add dhcp host
uci set dhcp.@host[-1].name="mydesktop"
uci set dhcp.@host[-1].mac="00:11:22:33:44:55"
uci set dhcp.@host[-1].ip="ignore"
uci commit dhcp
/etc/init.d/dnsmasq restart
Ignore all DHCP requests except the ones from known clients configured with static leases or /etc/ethers.
uci set dhcp.lan.dynamicdhcp="0"
uci commit dhcp
/etc/init.d/dnsmasq restart
Avoid relying on this as a security measure, since a client can still access the network by configuring a static IP address itself.
Race conditions with netifd
Resolve the race condition with the netifd service.
uci set dhcp.lan.force="1"
uci commit dhcp
/etc/init.d/dnsmasq restart
Missing public prefix
Suppress warnings about a missing GUA prefix.
uci set dhcp.odhcpd.loglevel="3"
uci commit dhcp
/etc/init.d/odhcpd restart
Providing default IPv6 route with DHCP
Announce the default IPv6 route even when there is no GUA prefix.
uci set dhcp.lan.ra_default="1"
uci commit dhcp
/etc/init.d/odhcpd restart
DHCP options
DHCP options can be configured under the DHCP pool section via dhcp_option.
Use an alternative default gateway, DNS server and NTP server, and disable WINS.
uci add_list dhcp.lan.dhcp_option="3,192.168.1.2"
uci add_list dhcp.lan.dhcp_option="6,172.16.60.64"
uci add_list dhcp.lan.dhcp_option="42,172.16.60.64"
uci add_list dhcp.lan.dhcp_option="44"
uci commit dhcp
/etc/init.d/dnsmasq restart
Client classifying and individual options
Use the tag classifier to assign individual DHCP options to the tagged hosts.
Specify custom DNS and possibly other DHCP options.
uci set dhcp.tag1="tag"
uci set dhcp.tag1.dhcp_option="6,8.8.8.8,8.8.4.4"
uci add dhcp host
uci set dhcp.@host[-1].name="j400"
uci set dhcp.@host[-1].mac="00:21:63:75:aa:17"
uci set dhcp.@host[-1].ip="10.11.12.14"
uci set dhcp.@host[-1].tag="tag1"
uci add dhcp host
uci set dhcp.@host[-1].name="j500"
uci set dhcp.@host[-1].mac="01:22:64:76:bb:18"
uci set dhcp.@host[-1].ip="10.11.12.15"
uci set dhcp.@host[-1].tag="tag1"
uci commit dhcp
/etc/init.d/dnsmasq restart
Use the mac classifier to create a tagged network and assign different DHCP options to it.
Disable the default gateway and specify custom DNS.
uci set dhcp.mac1="mac"
uci set dhcp.mac1.mac="00:FF:*:*:*:*"
uci set dhcp.mac1.networkid="vpn"
uci add_list dhcp.mac1.dhcp_option="3"
uci add_list dhcp.mac1.dhcp_option="6,192.168.1.3"
uci commit dhcp
/etc/init.d/dnsmasq restart
DHCP pool for a large network
- 10.0.0.0 - network address
- 255.0.0.0 - network mask
- 10.22.0.1 - pool start
- 10.22.0.254 - pool end
- $((22*2**16+1)) - start offset
- 253 - limit offset
# ipcalc.sh 10.0.0.0 255.0.0.0 $((22*2**16+1)) 253
IP=10.0.0.0
NETMASK=255.0.0.0
BROADCAST=10.255.255.255
NETWORK=10.0.0.0
PREFIX=8
START=10.22.0.1
END=10.22.0.254
uci set dhcp.lan.start="$((22*2**16+1))"
uci set dhcp.lan.limit="253"
uci commit dhcp
/etc/init.d/dnsmasq restart
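The start and limit offsets are easier to get right when they are computed from the first and last pool address rather than typed by hand. The following is an added example, not code from the OpenWrt wiki or from ipcalc.sh: a POSIX sh helper that derives the uci start and limit values for a network, netmask and desired first/last address using the same arithmetic as the example above (start is the first address minus the network address; END equals START plus limit, so limit is the last address minus the first), and refuses a range that falls outside the usable addresses of the subnet. The function names ip2int, int2ip, dhcp_pool_offsets and print_pool_uci are my own.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki or ipcalc.sh): derive the uci
# dhcp.lan.start / dhcp.lan.limit values from a desired pool range, using
# the arithmetic the page shows for 10.22.0.1-10.22.0.254 in 10.0.0.0/8.

# ip2int A.B.C.D -> 32-bit integer (subshell body so IFS does not leak).
ip2int() (
    IFS='.'
    set -- $1
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
)

# int2ip INTEGER -> A.B.C.D
int2ip() {
    echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# dhcp_pool_offsets NETWORK NETMASK FIRST LAST -> prints "start limit"
# start = FIRST - NETWORK, limit = LAST - FIRST (ipcalc.sh: END = START + limit).
# Fails when the range touches the network or broadcast address.
dhcp_pool_offsets() {
    net=$(ip2int "$1"); mask=$(ip2int "$2")
    first=$(ip2int "$3"); last=$(ip2int "$4")
    net=$(( net & mask ))
    bcast=$(( net | (4294967295 - mask) ))   # network OR inverted mask
    if [ "$first" -le "$net" ] || [ "$last" -ge "$bcast" ] || [ "$first" -gt "$last" ]; then
        echo "range $3-$4 is outside usable $(int2ip $(( net + 1 )))-$(int2ip $(( bcast - 1 )))" >&2
        return 1
    fi
    echo "$(( first - net )) $(( last - first ))"
}

# print_pool_uci NETWORK NETMASK FIRST LAST -> the uci commands to apply
print_pool_uci() {
    offsets=$(dhcp_pool_offsets "$1" "$2" "$3" "$4") || return 1
    set -- $offsets
    echo "uci set dhcp.lan.start=\"$1\""
    echo "uci set dhcp.lan.limit=\"$2\""
    echo "uci commit dhcp"
}

# Usage: sh pool.sh <network> <netmask> <first> <last>
if [ "$#" -eq 4 ]; then
    print_pool_uci "$@"
fi
```

Running `sh pool.sh 10.0.0.0 255.0.0.0 10.22.0.1 10.22.0.254` prints the uci lines with start 1441793 and limit 253, the same values as the manual $((22*2**16+1)) above; compare the computed START and END against ipcalc.sh on the router before committing, since an off-by-one here silently shrinks or extends the pool.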
Hostnames
LuCI → Network → Hostnames
This is an implementation of the --host-record option.
Define a custom domain name and the corresponding PTR record: assign the IPv4 address 192.168.1.23 and the IPv6 address fdce::23 to the domain name mylaptop and construct the appropriate reverse records.
You can also use this to rebind domain names.
It works like an entry in /etc/hosts but is more flexible and integrated.
uci add dhcp domain
uci set dhcp.@domain[-1].name="mylaptop"
uci set dhcp.@domain[-1].ip="192.168.1.23"
uci add dhcp domain
uci set dhcp.@domain[-1].name="mylaptop"
uci set dhcp.@domain[-1].ip="fdce::23"
uci commit dhcp
/etc/init.d/dnsmasq restart
Make sure to set up static leases to avoid possible collisions due to race conditions.
A and AAAA RR
This is an implementation of the --address option.
Return 10.10.10.1 on queries for the domain home and any subdomain *.home.
uci add_list dhcp.@dnsmasq[0].address="/home/10.10.10.1"
uci commit dhcp
/etc/init.d/dnsmasq restart
SRV RR
This is an implementation of the --srv-host option.
Define an SRV record for SIP over UDP, with the default port of 5060 on the host pbx.mydomain.com, with a class of 0 and a weight of 10.
uci add dhcp srvhost
uci set dhcp.@srvhost[-1].srv="_sip._udp.mydomain.com"
uci set dhcp.@srvhost[-1].target="pbx.mydomain.com"
uci set dhcp.@srvhost[-1].port="5060"
uci set dhcp.@srvhost[-1].class="0"
uci set dhcp.@srvhost[-1].weight="10"
uci commit dhcp
/etc/init.d/dnsmasq restart
CNAME RR
This is an implementation of the --cname option.
A Canonical Name record specifies that a domain name is an alias for another domain, the “canonical” domain.
Specify that the FTP server is on the same host as the web server.
uci add dhcp cname
uci set dhcp.@cname[-1].cname="ftp.example.com"
uci set dhcp.@cname[-1].target="www.example.com"
uci commit dhcp
/etc/init.d/dnsmasq restart
Make sure to set up hostnames first, since a CNAME depends on its target name existing.
MX RR
This is an implementation of the --mx-host option.
If you're running the mail server for your domain behind a firewall (and therefore with split-horizon DNS for your own domain), you might need to convince that mailer that it is actually authoritative for your domain.
If sendmail complains about a non-existent domain of the sender address, it likely cannot find an MX record to confirm that the domain is an MX relay.
Mitigate the issues caused by split-horizon DNS:
uci add dhcp mxhost
uci set dhcp.@mxhost[-1].domain="yyy.zzz"
uci set dhcp.@mxhost[-1].relay="my.host.com"
uci set dhcp.@mxhost[-1].pref="10"
uci commit dhcp
/etc/init.d/dnsmasq restart
TFTP boot
Direct BOOTP requests to the TFTP server.
Tell the client to load pxelinux.0 from the server at 192.168.1.2, and mount root from /data/netboot/root on the same server.
uci set dhcp.linux="boot"
uci set dhcp.linux.filename="/tftpboot/pxelinux.0"
uci set dhcp.linux.serveraddress="192.168.1.2"
uci set dhcp.linux.servername="fileserver"
uci add_list dhcp.linux.dhcp_option="option:root-path,192.168.1.2:/data/netboot/root"
uci commit dhcp
/etc/init.d/dnsmasq restart
Multiple DHCP/DNS server/forwarder instances
Use this if you need multiple DNS forwarders with different configurations, or DHCP servers with different sets of lease files.
Multiple dnsmasq instances, each acting as a DNS forwarder and/or DHCPv4 server with its own configuration and lease list, are configured by creating multiple dnsmasq sections.
Typically in such configs each dnsmasq section is bound to a specific interface using the interface list; assigning sections like dhcp, host, etc. to a specific dnsmasq instance is done with the instance option.
By default dnsmasq adds the loopback interface to the list of interfaces it listens on when the --interface option is used; therefore the loopback interface needs to be excluded in all but one of the dnsmasq instances using the notinterface list.
These are example settings for multiple dnsmasq instances, each having its own dhcp section.
The dnsmasq instance lan_dns is bound to the lan interface, while the dnsmasq instance guest_dns is bound to the guest interface.
# Remove default instances
while uci -q delete dhcp.@dnsmasq[0]; do :; done
while uci -q delete dhcp.@dhcp[0]; do :; done

# Use network interface names for DHCP/DNS instance names
for INST in lan guest
do
uci set dhcp.${INST}_dns="dnsmasq"
uci set dhcp.${INST}_dns.domainneeded="1"
uci set dhcp.${INST}_dns.boguspriv="1"
uci set dhcp.${INST}_dns.filterwin2k="0"
uci set dhcp.${INST}_dns.localise_queries="1"
uci set dhcp.${INST}_dns.rebind_protection="1"
uci set dhcp.${INST}_dns.rebind_localhost="1"
uci set dhcp.${INST}_dns.local="/${INST}/"
uci set dhcp.${INST}_dns.domain="${INST}"
uci set dhcp.${INST}_dns.expandhosts="1"
uci set dhcp.${INST}_dns.nonegcache="0"
uci set dhcp.${INST}_dns.authoritative="1"
uci set dhcp.${INST}_dns.readethers="1"
uci set dhcp.${INST}_dns.leasefile="/tmp/dhcp.leases.${INST}"
uci set dhcp.${INST}_dns.resolvfile="/etc/resolv.conf.${INST}"
uci set dhcp.${INST}_dns.nonwildcard="1"
uci add_list dhcp.${INST}_dns.interface="${INST}"
uci add_list dhcp.${INST}_dns.notinterface="loopback"
uci set dhcp.${INST}="dhcp"
uci set dhcp.${INST}.instance="${INST}_dns"
uci set dhcp.${INST}.interface="${INST}"
uci set dhcp.${INST}.start="100"
uci set dhcp.${INST}.limit="150"
uci set dhcp.${INST}.leasetime="12h"
ln -f -s /tmp/resolv.conf.auto /etc/resolv.conf.${INST}
done
uci -q delete dhcp.@dnsmasq[0].notinterface
uci commit dhcp
/etc/init.d/dnsmasq restart
The LuCI web interface has not been updated to support multiple dnsmasq instances.
Logging DNS queries
Log DNS queries for troubleshooting.
uci set dhcp.@dnsmasq[0].logqueries="1"
uci commit dhcp
/etc/init.d/dnsmasq restart
Disabling DHCP role
This change turns off DHCP on the specified interface but leaves DNS services available.
uci set dhcp.lan.ignore="1"
uci commit dhcp
/etc/init.d/dnsmasq restart
/etc/init.d/odhcpd restart
Disabling DNS role
This is useful when you just want to hand out addresses to clients, without doing any DNS by dnsmasq.
/etc/init.d/dnsmasq stop
uci set dhcp.@dnsmasq[0].localuse="0"
uci set dhcp.@dnsmasq[0].port="0"
uci commit dhcp
/etc/init.d/dnsmasq start
Replacing dnsmasq with odhcpd and Unbound
Remove dnsmasq and use odhcpd for both DHCPv4 and DHCPv6.
opkg update
opkg remove dnsmasq odhcpd-ipv6only
opkg install odhcpd
uci -q delete dhcp.@dnsmasq[0]
uci set dhcp.lan.dhcpv4="server"
uci set dhcp.odhcpd.maindhcp="1"
uci commit dhcp
/etc/init.d/odhcpd restart
Use Unbound for DNS.
opkg update
opkg install unbound-control unbound-daemon
uci set unbound.@unbound[0].dhcp_link="odhcpd"
uci set unbound.@unbound[0].unbound_control="1"
uci commit unbound
/etc/init.d/unbound restart
uci set dhcp.odhcpd.leasetrigger="/usr/lib/unbound/odhcpd.sh"
uci commit dhcp
/etc/init.d/odhcpd restart
Providing custom DNS with DHCP
Announce custom DNS servers with DHCP.
# Configure dnsmasq
uci -q delete dhcp.lan.dhcp_option
uci add_list dhcp.lan.dhcp_option="6,8.8.8.8,8.8.4.4"
uci commit dhcp
/etc/init.d/dnsmasq restart

# Configure odhcpd
uci -q delete dhcp.lan.dns
uci add_list dhcp.lan.dns="2001:4860:4860::8888"
uci add_list dhcp.lan.dns="2001:4860:4860::8844"
uci commit dhcp
/etc/init.d/odhcpd restart
Reconnect your clients to apply the changes.
Providing ISP DNS with DHCP
Announce ISP DNS servers with DHCP. Fetch the settings dynamically with DHCP client scripts.
cat << "EOF" > /etc/udhcpc.user
DHCP_POOLS="lan"
DHCPC_EVENT="${1}"
DNS_SERVS="${dns}"
case ${DHCPC_EVENT} in
(bound|renew) ;;
(*) exit 0 ;;
esac
for DHCP_POOL in ${DHCP_POOLS}
do
DHCP_OPTS="$(uci -q get dhcp.${DHCP_POOL}.dhcp_option)"
for DHCP_OPT in ${DHCP_OPTS}
do
if [ "${DHCP_OPT%%,*}" = "6" ]
then uci del_list dhcp.${DHCP_POOL}.dhcp_option="${DHCP_OPT}"
fi
done
uci add_list dhcp.${DHCP_POOL}.dhcp_option="6,${DNS_SERVS// /,}"
done
uci commit dhcp
/etc/init.d/dnsmasq restart
EOF

cat << "EOF" > /etc/odhcp6c.user
DHCP_POOLS="lan"
DHCPC_EVENT="${2}"
DNS_SERVS="${RA_DNS} ${RDNSS}"
case ${DHCPC_EVENT} in
(bound|informed|updated|rebound|ra-updated) ;;
(*) exit 0 ;;
esac
for DHCP_POOL in ${DHCP_POOLS}
do
uci -q delete dhcp.${DHCP_POOL}.dns
for DNS_SERV in ${DNS_SERVS}
do
uci add_list dhcp.${DHCP_POOL}.dns="${DNS_SERV}"
done
done
uci commit dhcp
/etc/init.d/odhcpd restart
EOF
Reconnect your clients to apply the changes.
Providing DNS for non-local networks
Answer DNS queries arriving from non-local networks. This can be useful to provide DNS for VPN clients.
uci set dhcp.@dnsmasq[0].localservice="0"
uci commit dhcp
/etc/init.d/dnsmasq restart
DNS forwarding
Forward DNS queries to specific servers.
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="8.8.8.8"
uci add_list dhcp.@dnsmasq[0].server="8.8.4.4"
uci commit dhcp
/etc/init.d/dnsmasq restart
Disable the resolvfile option, limiting the upstream resolvers to those listed in the server option.
This also stops the local system from using dnsmasq.
/etc/init.d/dnsmasq stop
uci set dhcp.@dnsmasq[0].noresolv="1"
uci commit dhcp
/etc/init.d/dnsmasq start
Enforcing dnsmasq for local system
Force the local system to use dnsmasq even when it is running with the noresolv option.
Beware of a race condition with the Adblock service when using DNS encryption.
uci set dhcp.@dnsmasq[0].localuse="1"
uci commit dhcp
/etc/init.d/dnsmasq restart
Selective DNS forwarding
Forward DNS queries for a specific domain and all its subdomains to a different server. More specific domains take precedence over less specific ones, which allows combining this with the unconditional DNS forwarding above.
uci add_list dhcp.@dnsmasq[0].server="/example.com/192.168.2.1"
uci commit dhcp
/etc/init.d/dnsmasq restart
DNS filtering
Simple DNS-based content filtering.
# Blacklist
uci add_list dhcp.@dnsmasq[0].server="/example.com/"
uci add_list dhcp.@dnsmasq[0].server="/example.net/"
uci commit dhcp
/etc/init.d/dnsmasq restart

# Whitelist
uci add_list dhcp.@dnsmasq[0].server="/example.com/#"
uci add_list dhcp.@dnsmasq[0].server="/example.net/#"
uci add_list dhcp.@dnsmasq[0].server="/#/"
uci commit dhcp
/etc/init.d/dnsmasq restart
See also: Ad blocking, DNS-based firewall with IP sets
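Because the most specific domain wins, it is worth checking how a set of server entries will decide a given query before committing a blacklist or whitelist. The following is an added example, not code from the OpenWrt wiki or from dnsmasq: a POSIX sh function that applies the precedence rules from the selective forwarding and DNS filtering sections above (longest matching domain wins; a bare /domain/ entry is never forwarded and is answered locally only; /domain/# sends the query to the default upstream; /#/ is the lowest-priority catch-all) to a constructed list of server entries. The SERVERS list and the function name route_query are my own, and the function is a simplified model of dnsmasq's matching, not its implementation.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki or dnsmasq): model which
# dnsmasq server= entry handles a query name. Rules from the page:
# longest matching domain wins, "/domain/" with no target is never
# forwarded, "/domain/#" uses the default upstream, "/#/" is the
# lowest-priority catch-all.

# Constructed list in the order uci stores dhcp.@dnsmasq[0].server:
# an unconditional upstream, selective forwarding, a blacklist entry,
# a whitelist entry and a catch-all block.
SERVERS="8.8.8.8 /example.com/192.168.2.1 /ads.example.net/ /corp.example.net/# /#/"

# route_query NAME "ENTRY ENTRY ..." -> prints the decision for NAME
route_query() {
    name=$1
    best_len=-1
    best_target="default upstream"
    for entry in $2; do
        # Plain addresses (no /domain/ part) form the default upstream pool; skip them.
        case $entry in
            /*/*) ;;
            *) continue ;;
        esac
        spec=${entry#/}
        domain=${spec%%/*}
        target=${spec#*/}
        if [ "$domain" = "#" ]; then
            len=0                       # catch-all: matches everything, lowest priority
        elif [ "$name" = "$domain" ] || [ "${name%.$domain}" != "$name" ]; then
            len=${#domain}              # exact name or a subdomain of it
        else
            continue
        fi
        # A longer (more specific) domain overrides anything matched so far.
        [ "$len" -gt "$best_len" ] || continue
        best_len=$len
        case $target in
            "")  best_target="not forwarded (answered locally only)" ;;
            "#") best_target="default upstream" ;;
            *)   best_target="forward to $target" ;;
        esac
    done
    echo "$best_target"
}

# Demonstration on constructed query names.
for q in www.example.com tracker.ads.example.net mail.corp.example.net other.org; do
    echo "$q -> $(route_query "$q" "$SERVERS")"
done
```

On the router itself, `route_query www.example.com "$(uci -q get dhcp.@dnsmasq[0].server)"` checks the live list, since uci get prints list values space-separated. Note that with the catch-all /#/ present, any name without a more specific /domain/# entry is blocked, which is exactly why the whitelist form needs an explicit entry for every domain that should still resolve.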
Race conditions with sysntpd
Resolve the race condition with the sysntpd service.
Use this when running dnsmasq with the noresolv and localuse options and using DNS encryption for the local system.
# Fetch peer DNS provider
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_find_wan6 NET_IF6
network_get_dnsserver NET_DNS "${NET_IF}"
network_get_dnsserver NET_DNS6 "${NET_IF6}"

# Configure fallback DNS provider
if [ -z "${NET_DNS}" ]
then NET_DNS="8.8.8.8 8.8.4.4"
fi
if [ -z "${NET_DNS6}" ]
then NET_DNS6="2001:4860:4860::8888 2001:4860:4860::8844"
fi

# Bypass DNS forwarding for NTP provider
uci get system.ntp.server \
| sed -e "s/\s/\n/g" \
| sed -e "s/^[0-9]*\.//" \
| sort -u \
| while read -r NTP_DOMAIN
do for DNS_SERV in ${NET_DNS} ${NET_DNS6}
do uci add_list dhcp.@dnsmasq[0].server="/${NTP_DOMAIN}/${DNS_SERV}"
done
done
uci commit dhcp
/etc/init.d/dnsmasq restart
Upstream DNS provider
OpenWrt uses peer DNS as the upstream resolvers for dnsmasq by default. These are typically provided by the ISP upstream DHCP server. You can change it to any other DNS provider or a local DNS server running on another host. Make sure selected resolvers support DNSSEC validation if required. Specify several resolvers to improve fault tolerance.
# Configure DNS provider
uci -q delete network.wan.dns
uci add_list network.wan.dns="8.8.8.8"
uci add_list network.wan.dns="8.8.4.4"

# Configure DNSv6 provider
uci -q delete network.wan6.dns
uci add_list network.wan6.dns="2001:4860:4860::8888"
uci add_list network.wan6.dns="2001:4860:4860::8844"

# Disable peer DNS
uci set network.wan.peerdns="0"
uci set network.wan6.peerdns="0"

# Save and apply
uci commit network
/etc/init.d/network restart
General notes
- Resolvers from all active interfaces are combined in a single runtime configuration indiscriminately.
- If the interface is down, its resolvers are not used, so it's reasonable to specify resolvers only on interfaces they are reachable from.
- Dnsmasq periodically queries all the listed resolvers and then uses the fastest one for a period of time.
Multiple DNS providers
- The more DNS providers, the higher the fault tolerance of your DNS relative to DoS.
- Different DNS providers may return different answers to a DNS query due to differences in caching, synchronization, load balancing, content filtering, etc.
- To distinguish between correct and incorrect answers such as false-negatives, you need to utilize DNSSEC which may negatively impact fault tolerance and performance.
Peer DNS options
- Keep peer DNS enabled to improve your DNS fault tolerance.
- Disable peer DNS to prevent DNS leak if you have configured a VPN connection on OpenWrt.
- Disable peer DNS to actually change your DNS provider and receive more predictable DNS replies.