DNSMasq as DHCP server

From DD-WRT Wiki


NOTICE: While there is plenty of relevant information in this wiki article, certain content is now deprecated.


NOTE: In DD-WRT releases r39469 and newer, the busybox udhcpd applet has been removed and DNSMasq is the only DHCP server in DD-WRT.
NOTE: Busybox udhcpd applet, the former default DHCP server (daemon), is not to be confused with the udhcpc applet, the DHCP client.

  • Most setups require that the router run udhcpc to acquire DHCP leases for the WAN interface.



Introduction

DD-WRT supports using DNSMasq as a local DNS server (as well as a local DHCP server). DNSMasq can intelligently add DHCP leases to its DNS database, providing local name lookups for any DHCP client, static or dynamic.


There are two ways to enable the DNSMasq DHCP server:

  • Using the Web-Interface (most options are configurable here)
  • Using DNSMasq parameters (for advanced users who understand the dnsmasq.conf file layout and know where to find its manual page)

You can NOT use both.

Configuration

Using Web-Admin

This is the easiest way to set up DNSMasq as a DHCP server.

  • Go to your Web-Interface and log in
  • Go to Setup->Basic Setup
    • Make sure that
      • DHCP Type = DHCP Server
      • DHCP Server = Enable
      • Use DNSMasq for DHCP = Checked (only present if running a build < 39350)
      • Use DNSMasq for DNS = Checked (allows resolving local DHCP client names through DNS, but not strictly required for DHCP only)

Image:DHCP Using DNSMasq Basic Settings.png

Make sure that the maximum number of DHCP leases that you set is appropriate for your netmask; otherwise, DNSMasq will not start.

  • Go to Administration->Services
    • Make sure that
      • LAN Domain = <chosen LAN domain>
      • DNSMasq = Enabled
      • Local DNS = Enabled
      • Additional DNSMasq Options = Add your domain as a local search domain and add the expand-hosts option. See screenshot.
  • You can add static allocations the same way as when you're using DHCPd. These settings should end up in /tmp/dnsmasq.conf.

Update: For DNSMasq Options, I found the explanation below confusing; it's much simpler than it sounds. Assuming your LAN domain is called 'lan', put the following lines in the "additional DNSMasq options" field:

domain=lan
local=/lan/
expand-hosts

--Mjrpes 07:53, 31 August 2010 (CEST)

In the below screenshot, there are a couple of mistakes. In order for expand-hosts to work, you need a domain=local line in there as well. But "local" is not a good idea for a local domain, because multicast / ZeroConf uses ".local" for its own purposes. You can get strange results like nslookup working while pings fail. Pick something other than ".local" for your domain.

--Towelie 15:57, 23 November 2010 (CEST)

For me (with WRT350N-15508std) the above description didn't work (could resolve names in the LAN only - you may check my topic). The problem is: if you use DNSMasq as the DHCP server, the LAN Domain is already written into the DNSMasq conf, and if you add it to Additional DNSMasq Options it gets added twice and (quoting frater:) the thing goes berserk. So the cleanest solution is setting Used Domain to LAN/WLAN and not adding the domain entry to Additional DNSMasq Options.

Image:Local_DNS_Config_DNSMasq_Options_Leases.png

With "Use NVRAM for client lease DB" enabled, DNSmasq does not start (did not check the log for the error); with it disabled, it operates correctly. Incorrect addition of the DHCP maximum number of users and the number of reservations within the scope; i.e. 25 max + 5 reservations within the scope yields a 30-user maximum, and if it is at the high end of the subnet it will push the upper boundary of addresses outside the limit and DHCP will not run. WRT54GSv5, Firmware: DD-WRT v24-sp1 (07/27/08) micro

DNSMasq DHCP Parameters

As of v24, DNSMasq respects the settings of the DHCP server on the "Setup" page and the static leases set on the "Services" page.

TFTP (option 66)

If you would like DHCP to announce a TFTP server (TFTP Server Address) to clients, add:

dhcp-option=66,"192.168.1.100"

where 192.168.1.100 is the tftp server address. You need quotes around the server address for option 66.

  • This option is needed, for example, to configure Cisco IP phone systems.

Old Way

This provides access to more functionality at the expense of not being able to use the structured web interface.

The following steps are necessary:

  • Deactivate the DHCPD service on the "Setup" page.

[Comment: above step deactivated all DHCP for me and wasn't needed anyway - andmalc 4/2008]

  • Under the "Administration" tab in the "Services" sub tab, you will find a "DNSMasq" section. Under "Additional DNS Options", you need to set some parameters.
    • To set up the default options for Dynamic IP Allocation, add:
      dhcp-range=192.168.1.100,192.168.1.150,255.255.255.0,24h
    • To set up machines to have a Static IP assigned by the router, add either:
      dhcp-host=AB:CD:EF:11:22:33,192.168.1.10,24h
      or
      dhcp-host=computername,192.168.1.10,24h

AB:CD:EF:11:22:33 is the MAC address of the machine's network interface, computername is the NetBIOS name of the computer on the network, 192.168.1.10 is the desired IP address, and 24h is the DHCP lease time of 24 hours. If you want the lease for the machine to never expire, change 24h to infinite.

If it's not possible to assign an IP with DNSMasq and you want to identify devices via name resolution, you must add the following lines:

no-hosts
addn-hosts=/tmp/hosts 

You must also add this computer to /tmp/hosts:

192.168.0.5 printers drucker.lan

[Comment: In v23-SP2 (and possibly other versions) /etc/hosts is simply a softlink to /tmp/hosts. To get the last part to work you need to remove the no-hosts part and specify a separate hosts file for the static assignments. --Wishyou 22:57, 19 June 2008 (CEST) ]

Extra DNSMasq options

There are some extra options in the web interface for DNSMasq that you can set by entering them in Additional DNSMasq Options on the "Services" tab.


listen-address directive

The listen-address directive tells Dnsmasq which interface or interfaces to listen on. Always use listen-address because you don't want Dnsmasq exposed to the wrong networks, and especially not the Internet. Always include the loopback address. You could use the interface= directive instead, for example interface=eth0, but the Linux kernel doesn't always bring up network interfaces with the same names after reboot. If you have more than one NIC the names could get changed, and then your name services will be messed up.

listen-address=127.0.0.1,192.168.1.1


ISP DNS-Servers

If you wish to pass through the DNS servers from your ISP, you can use the following parameters:

dhcp-option=6,x.x.x.x,y.y.y.y

where x.x.x.x is DNS1 and y.y.y.y is DNS2.

DNS Strict Order

Image:Strict_order.png

Enabling this option in the GUI forces dnsmasq to query the nameservers in /tmp/resolv.dnsmasq in order, starting with the first one. You will notice that builds since early 2018 contain an upstream server list with more than 3 nameservers in /tmp/resolv.dnsmasq. A few extra ones (from your ISP) were added by DD-WRT as a security measure. The ISP's nameservers are used only if your own DNS servers are not available; they are ignored until all your user-defined DNS servers stop responding. There were some problems with this option in older DNSMasq versions. It is recommended to enable this option in newer builds.


--no-resolv directive

no-resolv
server=8.8.8.8
server=8.8.4.4

In newer builds (since early 2018) redundant nameservers are added to the /tmp/resolv.dnsmasq file. So, if you have entered 3 nameservers on the index.asp page, you will probably have 5 in /tmp/resolv.dnsmasq. Two more (from your ISP) were added for redundancy. If you want to avoid this behaviour you can use the --no-resolv directive. That way DNSMasq won't read /tmp/resolv.dnsmasq and will use upstream servers only from the command line or the dnsmasq configuration file.

Assign an alternate Gateway

By default, dd-wrt will hand out via DHCP its own IP as the Gateway. You can specify an alternate one like so:

dhcp-option=br0,3,w.x.y.z 

or

dhcp-option=br0,option:router,w.x.y.z 

A related but different solution is to create a DHCP setting that gives a static IP address to a certain MAC, but with a different Gateway address than the rest.

dhcp-range=net:2,172.16.51.0,255.255.255.0,static 
dhcp-option=net:2,3,172.16.51.2 

Then use:

dhcp-host=<hwaddr>, net:2, <ipaddr>


Static Route

Instead of having a default router set up on the router, you can push a static route to client computers. This is useful, for instance, if you have a VPN server that is NOT the DD-WRT router. This will offload the router from having to redirect packets to the correct destination and will take one hop off the traffic path.

***Remember that the static route will not show up on the client computers UNTIL they request a new ip***

To accomplish this, we use DHCP option 121 (which replaced option 33 and, unlike it, lets you specify the netmask):

dhcp-option=121,x.x.x.x/yy,z.z.z.z

where x.x.x.x is the destination LAN, yy is the prefix length in CIDR notation (usually 24), and z.z.z.z is the host which will do the routing.
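As an added example (not part of the wiki page), this is the RFC 3442 encoding that a dhcp-option=121,x.x.x.x/yy,z.z.z.z line produces on the wire, plus a decoder for reading the option back out of a packet capture when checking what clients actually received; the route values used are constructed.

```python
import ipaddress


def encode_option121(routes):
    """Encode (destination/prefix, router) pairs as an RFC 3442 option 121 payload.

    Per route: one byte of prefix length, only the significant destination
    octets ((prefix + 7) // 8 of them, none for a /0 default route), then the
    four-byte router address.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)  # strict: host bits must be zero
        nbytes = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:nbytes]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option121(payload):
    """Parse an option 121 payload back into (destination/prefix, router) pairs."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        nbytes = (plen + 7) // 8
        if i + 1 + nbytes + 4 > len(payload):
            raise ValueError(f"truncated route at offset {i}")
        dest = payload[i + 1:i + 1 + nbytes].ljust(4, b"\0")  # pad to 4 octets
        router = payload[i + 1 + nbytes:i + 1 + nbytes + 4]
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
        i += 1 + nbytes + 4
    return routes


def encode_dnsmasq_121(value):
    """Encode the text after 'dhcp-option=121,' as written on this page."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) % 2 or not parts[0]:
        raise ValueError("expected x.x.x.x/yy,z.z.z.z pairs")
    return encode_option121(list(zip(parts[0::2], parts[1::2])))
```

A /20 destination keeps three octets, a /24 three, a /0 none; the decoder tolerates stray host bits with strict=False so that a real capture can still be read.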

Denying DHCP service to specific MAC addresses

You can ignore requests from specific MAC addresses, so that no IP address will be leased to those specific MAC addresses/machines:

dhcp-host=11:22:33:44:55:66,ignore

11:22:33:44:55:66 = MAC address of the machine you wish to ignore


Or, you can do it this way:

dhcp-host=11:22:33:44:55:66,set:known 
dhcp-ignore=tag:!known

The first directive tags the machine with Ethernet address 11:22:33:44:55:66 as "known" (extra options carrying that tag are sent to it). The second directive ignores any client that is not specified in a dhcp-host line, equivalent to ISC's "deny unknown-clients". This relies on the special "known" tag, which is set when a host is matched. The "!" means NOT.

Enable TFTP server

You can start a tftp server serving files from "/opt/tftpboot". This may prove useful for upgrading firmwares for embedded devices. Due to space constraints this feature is currently not supported. Use the optware package instead and disable the built-in dnsmasq service.

enable-tftp
tftp-root=/opt/tftpboot

Provide clock information

Many VoIP phones have a clock and some will display the current date and time synced from an NTP server on your network. Some wall clocks are wireless and will also sync to an NTP server. Besides the IP address of the NTP server they will also need an offset from GMT to display the correct time. The offset is the number of seconds from GMT. DO NOT SET pool.ntp.org AS THE NTP SERVER FOR A BUNCH OF PHONES! Instead, set a SINGLE local device as an NTP server slaved to pool.ntp.org (such as a Linux box) then slave all of your phones, printers, and other clients to that.

Note that not all phones process the offset correctly. Some code versions of Grandstream VoIP phones treat an offset of 0 as GMT-12 and UTC as a 12-hour offset. Polycom phones DO process the offset correctly.

The offset does NOT convey Daylight Saving Time. Instead, the IETF deprecated Option 2 and replaced it with options 100 and 101 in RFC 4833. A phone MAY process these INSTEAD of Option 2. Or a phone may pull its DST or GMT offset from its configuration and use the DHCP server option only for the NTP server. For example, Valcom institutional wall clocks use the new method.

For example if your NTP server is 172.16.1.1 and your timezone is US/Pacific (-8 hours offset from GMT) you would use:

dhcp-option=42, 172.16.1.1 # NTP Server
dhcp-option=2, -28800 #Time Offset

If your Timezone was Pacific/Auckland using the new options:

# Option 100 - POSIX TZ Code
dhcp-option=100,"NZST-12NZDT,M9.5.0/2,M4.1.0/3"
# Option 101 - TCode
dhcp-option=101,"Pacific/Auckland"

Disable NetBIOS over TCP/IP

Since DNSMasq acting as a local DNS server suitably takes care of host name resolution, disabling NetBT on appropriately configured Microsoft DHCP clients, such as Windows 2000 and XP, can be accomplished with the following:

dhcp-option=43,01:04:00:00:00:02

Using DNSMasq for Router advertisements (IPv6)

The dnsmasq DHCPv6 server provides the same set of features as the DHCPv4 server and, in addition, includes router advertisements and a neat feature which allows naming for clients that use DHCPv4 and stateless autoconfiguration only for IPv6 configuration. There is support for doing address allocation (both DHCPv6 and RA) from subnets which are dynamically delegated via DHCPv6 prefix delegation.

This could be used to create dnsmasq conf entries such as:

interface=br0
dhcp-range=::1000,::FFFF,constructor:br0,ra-stateless,5m
dhcp-option=option6:dns-server,[::ffff:d043:dede],[::ffff:d043:dcdc]
ra-param=br0,10,300
enable-ra
quiet-ra
quiet-dhcp
quiet-dhcp6
dhcp-host=AA:AA:AA:AA:AA:AA,myserver,[::400],5m

where, for example, [::ffff:d043:dede] and [::ffff:d043:dcdc] are OpenDNS servers and dhcp-host=AA:AA:AA:AA:AA:AA,myserver,[::400],5m is a static lease.

Troubleshooting

It's possible to verify that the options you set in the web interface match those being passed to DNSMasq. Telnet to your router's IP address and log in as root with your usual password. Then:

cat /tmp/dnsmasq.conf

The options should match the command-line format specified in the DNSMasq man page.

You should also make sure that DNSMasq is running at all. To do so, while in the telnet session, issue:

/bin/ps | grep [d]nsmasq

The output should look like:

  144 root       772 S    dnsmasq --conf-file=/tmp/dnsmasq.conf

If the line is missing, DNSMasq isn't running and may have been unable to start due to one of its options being set incorrectly.

To find out why DNSmasq is failing, run it from the command line in test mode (--test only syntax-checks the configuration and does not start the daemon) and check the return code:

# dnsmasq --test --conf-file=/tmp/dnsmasq.conf
# echo $?
1
#

Most likely it's RC=1, which means something is wrong with the config file. Something as simple as having the same command twice in the config file is enough to make DNSmasq fail.
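As an added example (not from the DD-WRT wiki), a small Python lint to run over a copy of /tmp/dnsmasq.conf for the mistakes this page describes: a directive given twice (RC=1), the LAN domain set a second time under Additional DNSMasq Options or set to .local, a dhcp-range whose lease count overruns the subnet its netmask describes, and an unquoted option 66 value. The sample configuration is constructed with each of these planted.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of a /tmp/dnsmasq.conf with the mistakes this page
# describes planted on purpose (not taken from a real router).
SAMPLE_CONF = """\
interface=br0
domain=lan
domain=local
expand-hosts
expand-hosts
dhcp-range=192.168.1.240,192.168.2.13,255.255.255.0,1440m
dhcp-host=AB:CD:EF:11:22:33,192.168.1.10,24h
dhcp-option=66,192.168.1.100
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def lint_dnsmasq_conf(text):
    """Return (severity, message) pairs for the problems this page warns about."""
    findings = []
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    # 1. The same directive twice is enough to make dnsmasq exit with code 1.
    for line, count in Counter(lines).items():
        if count > 1:
            findings.append(("error", f"directive repeated {count} times: {line}"))
    # 2. The web UI already writes the LAN domain; a second, different domain=
    #    conflicts with it, and '.local' collides with multicast DNS.
    domains = [l.split("=", 1)[1] for l in lines if l.startswith("domain=")]
    if len(set(domains)) > 1:
        findings.append(("error", f"domain= set to different values: {sorted(set(domains))}"))
    for d in sorted(set(domains)):
        if d == "local" or d.endswith(".local"):
            findings.append(("warn", f"domain '{d}' collides with multicast DNS (.local)"))
    # 3. A dhcp-range ending outside the subnet of its netmask is the "lease
    #    count does not fit the netmask" case: dnsmasq will not start.
    for l in lines:
        if l.startswith("dhcp-range="):
            addrs = [f for f in l.split("=", 1)[1].split(",") if IPV4.fullmatch(f)]
            if len(addrs) >= 3:
                start, end, mask = (ipaddress.IPv4Address(a) for a in addrs[:3])
                net = ipaddress.IPv4Network((start, str(mask)), strict=False)
                if end < start or end not in net or end >= net.broadcast_address:
                    findings.append(("error", f"dhcp-range end {end} does not fit {net}"))
    # 4. Option 66 is a string option: unquoted, dnsmasq encodes it as an IP address.
    for l in lines:
        if re.match(r'dhcp-option=(?:[^,]+,)*?66,(?!")', l):
            findings.append(("warn", f"option 66 value should be quoted: {l}"))
    return findings
```

Run it on the router's file copied to a workstation (lint_dnsmasq_conf(open("dnsmasq.conf").read())); an empty list means none of these four mistakes is present, not that the file is valid, so still follow up with dnsmasq --test.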

EXIT CODES

0 - DNSmasq successfully forked into the background, or terminated normally if backgrounding is not enabled.

1 - A problem with configuration was detected.

2 - A problem with network access occurred (address in use, attempt to use privileged ports without permission).

3 - A problem occurred with a file system operation (missing file/directory, permissions).

4 - Memory allocation failure.

5 - Other miscellaneous problem.

11 or greater - a non-zero return code was received from the lease-script process "init" call. The exit code from DNSmasq is the script's exit code with 10 added.

See also

Additional DNSMasq Options

External Links

http://www.faqs.org/rfcs/rfc2132.html RFC 2132, DHCP Options and BOOTP Vendor Extensions

http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xml DHCP Option Parameters

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob_plain;f=dnsmasq.conf.example