This shows you the differences between two versions of the page.
advanced-dhcpdns [2023/02/08 07:39] – [DHCP / DNS Server (LAN)] rs232 | advanced-dhcpdns [2023/06/10 01:44] – [DHCP / DNS Server (LAN)] -condense, formatting hogwild | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== DHCP/DNS ====== | + | ====== DHCP/DNS/TFTP ====== |
+ | |||
+ | The DHCP/ | ||
- | The Advanced / DHCP/DNS page allows you to configure advanced settings for the DHCP and DNS services for both LAN and WAN. Most of this functionality is provided by [[https:// | ||
===== DHCP Client (WAN) ===== | ===== DHCP Client (WAN) ===== | ||
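Review bot: the heading now adds TFTP, but the intro paragraph under it still opens with only "The DHCP/" scope; it should name the TFTP server alongside DHCP and DNS so the page summary matches the new title and the TFTP Server section that appears further down this revision.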
Line 10: | Line 12: | ||
{{: | {{: | ||
- | **Enable DNSSEC support: ** DNSSEC is a way to secure DNS by introducing authentication for DNS servers. This prevents DNS hacking and poisoning. To make it backward compatible with traditional DNS, there is no encryption. If the authoritative DNS server | + | **Enable DNSSEC support: ** DNSSEC is a way to secure DNS by introducing authentication for DNS servers. This prevents DNS hacking and poisoning. If the authoritative DNS server |
- | **Use dnscrypt-proxy: | + | DNSSEC is not encrypted, to keep it backward-compatible with traditional |
- | When dnscrypt-proxy is checked, the following options/ | + | **Use dnscrypt-proxy: |
+ | |||
+ | | ||
+ | |||
+ | \\ | ||
+ | |||
+ | * Ephemeral Keys - If checked, a new key pair is generated for each DNS query. Use this with care. It is very cpu-intensive, | ||
- | * Ephemeral Keys - If checked, a new key pair is generated for each DNS query. Use with care, this is very cpu-intensive. It may slow DNS resolution. \\ | ||
* Manual Entry - If enabled, 3 more fields are displayed: | * Manual Entry - If enabled, 3 more fields are displayed: | ||
- | * Resolver Address - The IP address of the dnscrypt-enabled DNS server, for example 1.2.3.4; | + | * Resolver Address - This is The IP address of the dnscrypt-enabled DNS server. |
- | * Provider Name - The name of the DNS provider, for instance FreshTomato; | + | * Provider Name - This is the name of the DNS provider, for instance FreshTomato. |
- | * Provider Public Key - A public key provided by the DNSCRYPT-enabled DNS provider | + | * Provider Public Key - The public key provided by the DNSCRYPT-enabled DNS provider |
- | * Resolver - This dropdown list currently contains about 200 DNS servers. Some support DNSSEC. Some don't log queries. Some are filtered. To help you choose a DNSCrypt DNS provider, import the file / | + | |
- | * Priority - Leave this at // | + | |
- | * Local Port - Specifies the port on which dnscrypt-proxy communicates with FreshTomato' | + | |
- | * Log Level - This sets the level of messages logged in syslog (when activated). | + | |
- | **Use Stubby (DNS-over-TLS): | + | |
+ | * Some support DNSSEC. | ||
+ | * Some don't log queries. | ||
+ | * Some are filtered. | ||
- | When Stubby is enabled some extra options | + | * Priority - This should be left at // |
+ | |||
+ | * Local Port - Specifies the port on which dnscrypt-proxy communicates with FreshTomato DNS. Leave this at 40 \\ unless you're a highly advanced user. Do NOT set it to 53, as doing so may create a loop. | ||
+ | |||
+ | | ||
+ | |||
+ | **Use Stubby (DNS-over-TLS): | ||
+ | |||
+ | \\ | ||
+ | |||
+ | When Stubby is enabled, some further | ||
{{: | {{: | ||
- | ** Upstream resolvers: | + | \\ |
- | ** Priority:** | + | **Upstream resolvers:** Here, you specify the upstream servers responsible |
- | * Strict-Order = prefer Stubby but if this is experiencing issue fail back to "other way of resolve names" e.g. standard DNS resolution | + | |
- | * No-Resolv = If Stubby fails or has issue you will want DNS resolution not to be failed back anywhere. A.k.a. Stubby or nothing. | + | |
- | * None = This option adds stubby as a resolution method | + | |
- | ** Local Port:** The port number where Stubby is serving clients. Also note the only client for Stubby will actually be dnsmasq and this latter serves the end clients. | + | **Priority:** |
- | ** Log Level:** Define here the log verbosity needed. | + | |
+ | | ||
+ | | ||
- | ** Force TLS1.3: | + | \\ |
+ | |||
+ | **Local Port:** This is the port number on which Stubby serves clients. Dnsmasq will be the only client for Stubby, \\ but it is dnsmasq that serves clients. | ||
+ | |||
+ | **Log Level:** Here, you can choose what level of details is written in log entries. | ||
+ | |||
+ | **Force TLS1.3: | ||
- | **WINS (for DHCP):** Here, you can specify the IP address of a WINS Server | + | **WINS (for DHCP):** Here you specify the IP address of a WINS Server |
- | Windows Internet Name Service (WINS) is a legacy name registration and resolution service | + | Windows Internet Name Service (WINS) is a legacy name resolution service |
**DHCPC Options: | **DHCPC Options: | ||
- | <del>**Reduce Packet Size:** //udhcpc// (the DHCP client FreshTomato uses to obtain a WAN IP address) has a problem. It has a DHCP discovery packet size 590 bytes long. However, DHCP relay servers can only handle DHCP discovery packets up to 576 bytes. If there are DHCP relay servers between your FreshTomato router and your Internet provider' | + | **Reduce Packet Size:** //udhcpc// (the DHCP client FreshTomato uses to obtain a WAN IP address) has a problem. It has a DHCP discovery packet size 590 bytes long. However, DHCP relay servers can only handle DHCP discovery packets up to 576 bytes. If there are DHCP relay servers between your FreshTomato router and your Internet provider' |
+ | |||
+ | The extra bytes appeared to be entirely padding, and therefore unnecessary. FreshTomato developers eliminated the padding, | ||
===== DHCP / DNS Server (LAN) ===== | ===== DHCP / DNS Server (LAN) ===== | ||
+ | |||
+ | \\ | ||
{{: | {{: | ||
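Review bot: "This prevents DNS hacking and poisoning" in the DNSSEC entry overstates what the option does; DNSSEC validation only lets the resolver reject forged or poisoned answers for zones that are actually signed, and does nothing for unsigned domains or for query privacy, so suggest "lets the router verify signed responses and reject spoofed or poisoned answers for DNSSEC-signed domains". Separately, the Reduce Packet Size entry loses its <del> strikethrough while the new paragraph says the developers eliminated the padding; if the padding is gone, say whether the option still exists and when it is still needed, otherwise keep the strikethrough.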
Line 62: | Line 87: | ||
**Debug mode:** Checking this makes FreshTomato write detailed information to the log file. | **Debug mode:** Checking this makes FreshTomato write detailed information to the log file. | ||
- | **Use received DNS with user-entered DNS: **Add DNS servers received from DHCP on your WAN connection to the manual DNS server list. See Basic/Network for more information. (Default: Disabled). | + | **Use received DNS with user-entered DNS: **Add DNS servers received from DHCP on your WAN connection to the manual DNS server list. Please |
- | **Intercept DNS port: | + | **Intercept DNS port: |
- | **Use user-entered gateway if WAN is disabled**: | + | **Use user-entered gateway if WAN is disabled**: |
- | **Ignore DHCP requests from unknown devices**: dnsmasq | + | **Ignore DHCP requests from unknown devices**: |
- | **Generate a name for DHCP clients which do not otherwise have one**: If the hostname in the device list is not reported, this will generate | + | **Generate a name for DHCP clients which do not otherwise have one**: If a hostname in the device list is not reported, this will automatically |
\\ | \\ | ||
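Review bot: the "Ignore DHCP requests from unknown devices" entry should spell out what counts as unknown (for example a client with no static lease entry) and state that enabling it leaves such clients with no address at all, since that is the usual surprise when the option is switched on; the old wording only got as far as naming dnsmasq.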
Line 78: | Line 103: | ||
\\ | \\ | ||
- | **Solve .onion using Tor** (Enable | + | **Solve .onion using Tor:** If Tor is enabled, this option |
- | **Maximum active DHCP leases:** Maximum allowed active DHCP leases at one time. (Default: 255). | + | FreshTomato has a built-in Tor client. For more information about this, see the [[advanced-tor|TOR]] page. |
- | **Static lease time:** The absolute | + | **Maximum active DHCP leases:** Sets the maximum |
- | | + | **Static lease time:** Sets the absolute maximum valid time for any DHCP lease. |
- | * Infinite\\ The Static lease time is infinity | + | |
- | * Custom\\ This allows you to enter a custom Static | + | |
- | Retaining leases after rebooting router: Please read this [[retain_dhcp_lease_info_after_a_reboot|howto]] for additional information on optional non-volatile dhcp leases. | + | * Same as Normal Lease Time\\ Static lease time is the same as normal (1440 minute) lease time. (Default.) |
+ | * Infinite\\ Static lease time is infinity | ||
+ | * Custom\\ This setting allows you to enter a custom Static DHCP lease time. | ||
- | **Announce IPv6 on LAN (SLAAC): **Enabling | + | To retain leases after rebooting the router, please see this [[retain_dhcp_lease_info_after_a_reboot|HOWTO]] for additional information |
- | **Announce IPv6 on LAN (DHCP): | + | **Announce IPv6 on LAN (SLAAC): **Enabling this turns on router advertisements for IPv6 // |
+ | |||
+ | - The client sends out an RS (router solicitation) ICMP packet. | ||
+ | - The nearest router responds with an RA (router advertisement) packet. | ||
+ | - The client uses the IPv6 prefix from the RA packet as the first 64 bits of its address. It then derives the last 64 bits \\ of its address using the EUI-64 process or a randomization algorithm. | ||
+ | |||
+ | **Announce IPv6 on LAN (DHCP): | ||
**Fast RA mode**: Forces dnsmasq to be always in frequent RA mode. | **Fast RA mode**: Forces dnsmasq to be always in frequent RA mode. | ||
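Review bot: the three SLAAC steps present a router advertisement only as a reply to a router solicitation, but routers also send unsolicited RAs periodically, which is what the unchanged "Fast RA mode" entry refers to; adding that sentence would also give "frequent RA mode" a meaning, since that entry still does not say what it changes.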
Line 100: | Line 131: | ||
**Mute dhcpv4 logging: | **Mute dhcpv4 logging: | ||
- | **Mute dhcpv6 logging: **Enabling this stops FreshTomato from logging IPv6 dhcp activity. (Default: Disabled). | + | **Mute dhcpv6 logging: |
- | **Mute RA logging: | + | **Mute RA logging: |
\\ | \\ | ||
Line 108: | Line 139: | ||
{{: | {{: | ||
- | **Prevent client auto DoH**: Modern browsers | + | **Prevent client auto DoH**: |
- | **Enable DNS Rebind protection**: DNS rebinding protection | + | **Enable DNS Rebind protection:** DNS rebind |
- | **Forward local domain queries to the upstream DNS**: Enabling this forwards local domains to the router' | + | **Forward local domain queries to the upstream DNS:** Enabling this forwards local domains to the router' |
- | **Enable multicast DNS** (Avahi mDNS): FIXME | + | **Enable multicast DNS:** |
+ | |||
+ | Avahi is system that enables programs to publish and discover services and hosts running on a LAN. It is a zero-configuration implementation which includes multicast service discovery via the mDNS/DNS-SD protocol suite. " | ||
**Enable reflector** FIXME | **Enable reflector** FIXME | ||
- | **Custom configuration: | + | **Custom configuration: |
+ | |||
+ | |||
+ | ===== TFTP Server ===== | ||
+ | |||
+ | **Enable TFTP**: Enabling this starts dnsmasq' | ||
+ | |||
+ | **TFTP root path**: Text entered here defines where TFTP root is located in the filesystem. | ||
+ | |||
+ | **PXE on LANx (brx)**: Enbables PXE (Pre Boot eXecution Environment) on one or more bridges. PXE was designed for diskless clients. A PXE client can obtain an IP address via DHCP and, once obtained, download boot code via a TFTP location. Syslinux is a good example of these principles/ | ||
===== DHCP / DNS Notes ===== | ===== DHCP / DNS Notes ===== | ||
- | * Do not use results from: [[https:// | + | * Do not use results from Cloudflare' |
- | * DNSSEC and DNSCrypt / Stubby complement each other. | + | * DNSSEC and DNSCrypt / Stubby complement each other. DNSSEC provides authentication, |
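Review bot: the new TFTP Server section should say that TFTP has no authentication, so every file under the configured root path is readable by any client that can reach the service, and the root should therefore hold only boot images; it should also state which interfaces or bridges dnsmasq serves TFTP on, given that the PXE entry is per-bridge while the Enable TFTP entry is not. Smaller points in the same hunk: "Enbables" in the PXE entry is a typo, and "Enable reflector FIXME" is still undocumented in both revisions.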