FreshTomato Wiki

User Tools

Site Tools

Trace:
advanced-dhcpdns

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Next revisionBoth sides next revision
advanced-dhcpdns [2023/02/07 19:48] – [DHCP / DNS Server (LAN)] rs232advanced-dhcpdns [2023/04/29 20:42] – [DHCP Client (WAN)] -format hogwild
Line 1: Line 1:
-====== DHCP/DNS ======+====== DHCP/DNS/TFTP ====== 
 + 
 +The DHCP/DNS/TFTP menu allows you to configure advanced settings for the DHCP, DNS and TFTP services for both the LAN and WAN. Most of this functionality is provided by [[https://thekelleys.org.uk/|dnsmasq]]. 
  
-The Advanced / DHCP/DNS page allows you to configure advanced settings for the DHCP and DNS services for both LAN and WAN. Most of this functionality is provided by [[https://thekelleys.org.uk/|dnsmasq]]. 
 ===== DHCP Client (WAN) ===== ===== DHCP Client (WAN) =====
  
Line 10: Line 12:
 {{:pasted:20220119-170756.png}}\\  \\ {{:pasted:20220119-170756.png}}\\  \\
  
-**Enable DNSSEC support: ** DNSSEC is a way to secure DNS by introducing authentication for DNS servers. This prevents DNS hacking and poisoning. To make it backward compatible with traditional DNS, there is no encryption. If the authoritative DNS server is DNSSEC-enabled, enabling DNSSEC ensure that queries you make are answered by that authoritative DNS server, and not an imposter. Enable this if your chosen DNS server supports it for enhanced security.+**Enable DNSSEC support: ** DNSSEC is a way to secure DNS by introducing authentication for DNS servers. This prevents DNS hacking and poisoning. DNSSEC is not encrypted, to keep it backward-compatible with traditional DNS. If the authoritative DNS server is DNSSEC-enabled, enabling DNSSEC ensures your DNS queries are answered by that authoritative DNS server, and not an imposter. Enable this if your chosen DNS server supports it for enhanced security.
  
-**Use dnscrypt-proxy:  **DNSCrypt works to encrypt DNS resolution. When a DNSCrypt-enabled server is chosen, a unique key pair is generated and regenerated every hour. Queries are then encrypted using the generated key pair before they are sent to the server, usually on TCP port 443. The reply is similarly encrypted. Checking //Use dnscrypt-proxy// enables FreshTomato' built-in dnscrypt proxy client. The dnscrypt module and Stubby cannot both be used at the same time.+**Use dnscrypt-proxy:  **DNSCrypt works to encrypt DNS resolution. When a DNSCrypt-enabled server is chosen, a unique key pair is generated and regenerated every hour. Queries are then encrypted using the generated key pair before being sent to the server, usually on TCP port 443. The reply is similarly encrypted. Checking //Use dnscrypt-proxy// enables FreshTomato'built-in dnscrypt proxy client. The dnscrypt module and Stubby cannot both be used at the same time. 
 + 
 + \\
  
 When dnscrypt-proxy is checked, the following options/fields are revealed: When dnscrypt-proxy is checked, the following options/fields are revealed:
  
-  * Ephemeral Keys - If checked, a new key pair is generated for each DNS query. Use with care, this is very cpu-intensive. It may slow DNS resolution. \\ +  * Ephemeral Keys - If checked, a new key pair is generated for each DNS query. Use with care, as this is very cpu-intensive. It may slow DNS resolution.
   * Manual Entry - If enabled, 3 more fields are displayed:    * Manual Entry - If enabled, 3 more fields are displayed: 
     * Resolver Address - The IP address of the dnscrypt-enabled DNS server, for example 1.2.3.4;     * Resolver Address - The IP address of the dnscrypt-enabled DNS server, for example 1.2.3.4;
Line 23: Line 27:
   * Resolver - This dropdown list currently contains about 200 DNS servers. Some support DNSSEC. Some don't log queries. Some are filtered. To help you choose a DNSCrypt DNS provider, import the file /etc/dnscrypt-resolvers.csv in a spreadsheet. Once chosen, the server's IP address, provider name, and public key can be extracted from that file.   * Resolver - This dropdown list currently contains about 200 DNS servers. Some support DNSSEC. Some don't log queries. Some are filtered. To help you choose a DNSCrypt DNS provider, import the file /etc/dnscrypt-resolvers.csv in a spreadsheet. Once chosen, the server's IP address, provider name, and public key can be extracted from that file.
   * Priority - Leave this at //no-resolv// to prevent DNS leaks!  This should never be a choice when using DNSCRYPT. To prevent leaks, also enable //Intercept DNS port// on this page.   * Priority - Leave this at //no-resolv// to prevent DNS leaks!  This should never be a choice when using DNSCRYPT. To prevent leaks, also enable //Intercept DNS port// on this page.
-  * Local Port - Specifies the port on which dnscrypt-proxy communicates with FreshTomato'DNS. Leave this at 40 unless you know why to change it. Do NOT set it to 53, it might create a loop. +  * Local Port - Specifies the port on which dnscrypt-proxy communicates with FreshTomato DNS. It is recommended that you leave this at 40 unless you know why you're changing it. Do NOT set it to 53, or it might create a loop. 
-  * Log Level - This sets the level of messages logged in syslog (when activated).+  * Log Level - When enabled, this sets the level of messages logged to the system log.
  
 **Use Stubby (DNS-over-TLS):** This enhances DNS privacy. Checking this enables Stubby, a DNS Stub resolver. DNS over TLS (or "DoT") sends DNS queries over a secure connection, encrypted with TLS. TLS is the same technology that encrypts secure Web traffic. This prevents third parties from seeing your DNS queries. **Use Stubby (DNS-over-TLS):** This enhances DNS privacy. Checking this enables Stubby, a DNS Stub resolver. DNS over TLS (or "DoT") sends DNS queries over a secure connection, encrypted with TLS. TLS is the same technology that encrypts secure Web traffic. This prevents third parties from seeing your DNS queries.
  
 When Stubby is enabled some extra options are appearing on your configuration: When Stubby is enabled some extra options are appearing on your configuration:
 +
 + \\
  
 {{:pasted:20220420-181042.png}} {{:pasted:20220420-181042.png}}
  
-** Upstream resolvers:** You can specify here the upstream servers responsible to perform the actual name resolution.+ \\ 
 + 
 +**Upstream resolvers:** You can specify here the upstream servers responsible to perform the actual name resolution. 
 + 
 +**Priority:**
  
-** Priority:** 
   * Strict-Order = prefer Stubby but if this is experiencing issue fail back to "other way of resolve names" e.g. standard DNS resolution   * Strict-Order = prefer Stubby but if this is experiencing issue fail back to "other way of resolve names" e.g. standard DNS resolution
   * No-Resolv = If Stubby fails or has issue you will want DNS resolution not to be failed back anywhere. A.k.a. Stubby or nothing.   * No-Resolv = If Stubby fails or has issue you will want DNS resolution not to be failed back anywhere. A.k.a. Stubby or nothing.
   * None = This option adds stubby as a resolution method for the build in dnsmasq. Note this doesn't guarantee encryption by itself.   * None = This option adds stubby as a resolution method for the build in dnsmasq. Note this doesn't guarantee encryption by itself.
  
-** Local Port:** The port number where Stubby is serving clients. Also note the only client for Stubby will actually be dnsmasq and this latter serves the end clients.+**Local Port:** The port number where Stubby is serving clients. Also note the only client for Stubby will actually be dnsmasq and this latter serves the end clients.
  
-** Log Level:** Define here the log verbosity needed.+**Log Level:** Define here the log verbosity needed.
  
-** Force TLS1.3:** Impose the usage of the latest TLS version for encryption (must be supported by the upstream).+**Force TLS1.3:** Impose the usage of the latest TLS version for encryption (must be supported by the upstream).
  
 **WINS (for DHCP):** Here, you can specify the IP address of a WINS Server which will be given to DHCP clients. This does NOT actually enable the WINS service. FreshTomato's WINS Server function is enabled on the //USB and NAS/[[:nas-samba|File Sharing]]// menu. **WINS (for DHCP):** Here, you can specify the IP address of a WINS Server which will be given to DHCP clients. This does NOT actually enable the WINS service. FreshTomato's WINS Server function is enabled on the //USB and NAS/[[:nas-samba|File Sharing]]// menu.
Line 88: Line 97:
   * Custom\\ This allows you to enter a custom Static DHCP lease time.   * Custom\\ This allows you to enter a custom Static DHCP lease time.
  
-For more information on how to make a DHCP lease database survive a reboot please consult the relevant [[retain_dhcp_lease_info_after_a_reboot|howto]].+Retaining leases after rebooting router: Please read this [[retain_dhcp_lease_info_after_a_reboot|howto]] for additional information on optional non-volatile dhcp leases.
  
 **Announce IPv6 on LAN (SLAAC): **Enabling this turns on router advertisements for IPv6 //Stateless Address Autoconfiguration (SLAAC)//  protocol. This allows hosts to self-configure an IP address with minimal contact with a server. The client sends out an RS (router solicitation) ICMP packet. The nearest router responds with a RA (router advertisement) packet. The client uses the IPv6 prefix provided in the RA packet as the first 64 bits of its address. It then derives the last 64 bits of its address using the EUI-64 process or a randomization algorithm. **Announce IPv6 on LAN (SLAAC): **Enabling this turns on router advertisements for IPv6 //Stateless Address Autoconfiguration (SLAAC)//  protocol. This allows hosts to self-configure an IP address with minimal contact with a server. The client sends out an RS (router solicitation) ICMP packet. The nearest router responds with a RA (router advertisement) packet. The client uses the IPv6 prefix provided in the RA packet as the first 64 bits of its address. It then derives the last 64 bits of its address using the EUI-64 process or a randomization algorithm.
Line 120: Line 129:
 **Custom configuration: **This features allows you to add extra (custom) options to the dnsmasq configuration file. **Custom configuration: **This features allows you to add extra (custom) options to the dnsmasq configuration file.
  
 +===== TFTP Server =====
 +
 +{{:pasted:20230425-142248.png}}
 +
 +**Enable TFTP**: Starts the dnsmasq's internal TFTP server with --tftp-no-fail enabled by default (to prevent dnsmasq issues in case e.g. TFTP root becomes unavailable).
 +
 +**TFTP root path**: Defines where the TFTP root is located in the filesystem
  
 +**PXE on LANx (brx)**: Allows PXE (Pre Boot Execution) on one or more bridges. PXE is designed for diskless clients where a PXE client can just obtain an IP via DHCP and a TFTP location where the booting code is to be found (syslinux is for example a good application for this).
 ===== DHCP / DNS Notes ===== ===== DHCP / DNS Notes =====
  
-  *  Do not use results from: [[https://1.1.1.1/help|https://1.1.1.1/help]]. That webpage is likely to provide wrong results. Instead, it is suggested that you use:  [[https://rootcanary.org/test.html|https://rootcanary.org/test.html]]+  * Do not use results from: [[https://1.1.1.1/help|https://1.1.1.1/help]]. That webpage is likely to provide wrong results. Instead, it is suggested that you use: [[https://rootcanary.org/test.html|https://rootcanary.org/test.html]]
  
-  *  DNSSEC and DNSCrypt / Stubby complement each other.+  * DNSSEC and DNSCrypt / Stubby complement each other.
  
  
advanced-dhcpdns.txt · Last modified: 2023/08/05 19:13 by hogwild

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki