This shows you the differences between two versions of the page.
advanced-dhcpdns [2023/05/01 22:10] – [DHCP Client (WAN)] hogwild | advanced-dhcpdns [2023/08/05 19:13] (current) – [DHCP Client (WAN)] -condense hogwild | ||
---|---|---|---|
Line 12: | Line 12: | ||
{{: | {{: | ||
- | **Enable DNSSEC support: ** DNSSEC is a way to secure DNS by introducing authentication for DNS servers. This prevents DNS hacking and poisoning. DNSSEC is not encrypted, to keep it backward-compatible with traditional DNS. If the authoritative DNS server | + | **Enable DNSSEC support: ** DNSSEC is a way to secure DNS by introducing authentication for DNS servers. This prevents DNS hacking and poisoning. If the authoritative DNS server |
- | **Use dnscrypt-proxy: | + | DNSSEC is not encrypted, to keep it backward-compatible with traditional DNS. Enable this if your chosen DNS server supports it for enhanced security. |
+ | |||
+ | **Use dnscrypt-proxy: | ||
+ | |||
+ | \\ When dnscrypt-proxy is checked, the following options/ | ||
\\ | \\ | ||
- | When dnscrypt-proxy is checked, | + | * Ephemeral Keys - If checked, |
- | * Ephemeral Keys - If checked, a new key pair is generated for each DNS query. Use with care, as this is very cpu-intensive. It may slow DNS resolution. | ||
- | | ||
* Manual Entry - If enabled, 3 more fields are displayed: | * Manual Entry - If enabled, 3 more fields are displayed: | ||
- | * Resolver Address - This is The IP address of the dnscrypt-enabled DNS server | + | * Resolver Address - This is The IP address of the dnscrypt-enabled DNS server. |
- | * Provider Name - This is the name of the DNS provider, for instance FreshTomato | + | * Provider Name - This is the name of the DNS provider, for instance FreshTomato. |
* Provider Public Key - The public key provided by the DNSCRYPT-enabled DNS provider (to generate a key pair) | * Provider Public Key - The public key provided by the DNSCRYPT-enabled DNS provider (to generate a key pair) | ||
- | | + | |
* Resolver - This dropdown list currently contains about 200 DNS servers. | * Resolver - This dropdown list currently contains about 200 DNS servers. | ||
* Some support DNSSEC. | * Some support DNSSEC. | ||
* Some don't log queries. | * Some don't log queries. | ||
* Some are filtered. | * Some are filtered. | ||
- | | ||
- | * Priority - This should be left at // | ||
- | | ||
- | * Local Port - Specifies the port on which dnscrypt-proxy communicates with FreshTomato DNS. Leave this at 40 unless you are certain why you're changing it. Do NOT set it to 53, as you might create a loop. | ||
- | \\ | ||
- | To help you choose a DNSCrypt DNS provider, import the file /etc/dnscrypt-resolvers.csv in a spreadsheet. Once chosen, the server' | + | * Priority - This should be left at //no-resolv// to prevent DNS leaks. This should never be a choice when using DNSCRYPT. \\ Also, to prevent leaks, enable //Intercept DNS port//. |
- | **Use Stubby (DNS-over-TLS): | + | * Local Port - Specifies the port on which dnscrypt-proxy communicates with FreshTomato DNS. Leave this at 40 \\ unless you're a highly advanced user. Do NOT set it to 53, as doing so may create a loop. |
+ | |||
+ | | ||
+ | |||
+ | **Use Stubby (DNS-over-TLS): | ||
\\ | \\ | ||
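Review bot: the "Enable DNSSEC support" row describes DNSSEC as "authentication for DNS servers" that "prevents DNS hacking and poisoning"; DNSSEC signs DNS records, so a validating resolver can detect forged or poisoned answers, but it authenticates the data, not the server you are talking to, and "DNS hacking" is too broad. Suggest: "DNSSEC adds signatures to DNS records so dnsmasq can verify that answers were not forged or poisoned in transit. It adds no encryption, so queries stay visible to anyone on the path; enable it if your upstream resolver returns DNSSEC records." In the "Provider Public Key" bullet, the parenthetical "(to generate a key pair)" is wrong: in DNSCrypt the provider's public key is what the client uses to verify the resolver's signed certificate, while the client's own key pair is generated locally, so that phrase should be dropped or reworded.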
Line 49: | Line 50: | ||
\\ | \\ | ||
- | **Upstream resolvers: | + | **Upstream resolvers: |
**Priority: | **Priority: | ||
- | * Strict-Order: | + | * Strict-Order |
- | * No-Resolv: | + | * No-Resolv |
- | * None: | + | * None - This adds Stubby |
- | **Local Port:** The port number on which Stubby will serve clients. Note that dnsmasq will be the only client for Stubby, but it is dnsmasq that serves clients. | + | \\ |
- | **Log Level: | + | **Local Port:** This is the port number on which Stubby serves clients. Dnsmasq will be the only client for Stubby, \\ but it is dnsmasq that serves clients. |
+ | |||
+ | **Log Level: | ||
**Force TLS1.3: | **Force TLS1.3: | ||
- | **WINS (for DHCP):** Here you specify the IP address of a WINS Server | + | **WINS (for DHCP):** Here, specify the IP address of a WINS Server |
- | Windows Internet Name Service (WINS) is a legacy name registration and resolution service that maps computer | + | Windows Internet Name Service (WINS) is a legacy name resolution service that maps NetBIOS names to IP addresses. Officially, |
**DHCPC Options: | **DHCPC Options: | ||
- | **Reduce Packet Size:** //udhcpc// (the DHCP client FreshTomato uses to obtain a WAN IP address) has a problem. It has a DHCP discovery packet size 590 bytes long. However, DHCP relay servers can only handle DHCP discovery packets up to 576 bytes. If there are DHCP relay servers between your FreshTomato router and your Internet provider' | + | **Reduce Packet Size:** //udhcpc// (the DHCP client FreshTomato uses to obtain a WAN IP address) has a problem. It has a DHCP discovery packet size 590 bytes long. However, DHCP relay servers can only handle DHCP discovery packets up to 576 bytes. If there are DHCP relay servers between your FreshTomato router and your Internet provider' |
+ | |||
+ | The extra bytes were entirely padding, and therefore, unnecessary. FreshTomato developers eliminated the padding, | ||
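Review bot: the "Reduce Packet Size" row claims DHCP relay servers "can only handle DHCP discovery packets up to 576 bytes", which is stronger than the standard supports. 576 bytes is the largest IPv4 datagram every host is required to accept, and DHCP messages are sized to fit it, so a relay or server may drop anything larger but many accept it. Suggest: "Some DHCP relays and servers drop discovery packets larger than 576 bytes (the largest datagram every IPv4 host must accept), and udhcpc's 590-byte packet exceeds that." The opening "udhcpc ... has a problem" can then go, since the following paragraph already explains that the extra bytes were padding.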
Line 98: | Line 103: | ||
\\ | \\ | ||
- | **Solve .onion using Tor** This option will cause Tor to resolve " | + | **Solve .onion using Tor:** If Tor is enabled, this option causes it to resolve " |
+ | |||
+ | FreshTomato has a built-in Tor client. For more information about this, see the [[advanced-tor|TOR]] page. | ||
**Maximum active DHCP leases:** Sets the maximum allowed active DHCP leases at one time. (Default: 255). | **Maximum active DHCP leases:** Sets the maximum allowed active DHCP leases at one time. (Default: 255). | ||
Line 104: | Line 111: | ||
**Static lease time:** Sets the absolute maximum valid time for any DHCP lease. | **Static lease time:** Sets the absolute maximum valid time for any DHCP lease. | ||
- | * Same as Normal Lease Time\\ Static lease time remains | + | * Same as Normal Lease Time\\ Static lease time is the same as normal (1440 minute) lease time. (Default.) |
* Infinite\\ Static lease time is infinity | * Infinite\\ Static lease time is infinity | ||
* Custom\\ This setting allows you to enter a custom Static DHCP lease time. | * Custom\\ This setting allows you to enter a custom Static DHCP lease time. | ||
- | To retain leases after rebooting the router, please see this [[retain_dhcp_lease_info_after_a_reboot|HOWTO]] for additional information on non-volatile | + | To retain leases after rebooting the router, please see this [[retain_dhcp_lease_info_after_a_reboot|HOWTO]] for additional information on non-volatile |
- | **Announce IPv6 on LAN (SLAAC): **Enabling this turns on router advertisements for IPv6 //Stateless Address Autoconfiguration | + | **Announce IPv6 on LAN (SLAAC): **Enabling this turns on router advertisements for IPv6 // |
- The client sends out an RS (router solicitation) ICMP packet. | - The client sends out an RS (router solicitation) ICMP packet. | ||
- The nearest router responds with an RA (router advertisement) packet. | - The nearest router responds with an RA (router advertisement) packet. | ||
- | - The client uses the IPv6 prefix from the RA packet as the first 64 bits of its address. It then derives the last 64 bits of its address using the EUI-64 process or a randomization algorithm. | + | - The client uses the IPv6 prefix from the RA packet as the first 64 bits of its address. It then derives the last 64 bits \\ of its address using the EUI-64 process or a randomization algorithm. |
**Announce IPv6 on LAN (DHCP): | **Announce IPv6 on LAN (DHCP): | ||
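Review bot: the numbered SLAAC steps in the "Announce IPv6 on LAN (SLAAC)" row need two corrections. RS and RA are ICMPv6 messages (types 133 and 134), not ICMP, and every router on the link answers an RS (routers also send unsolicited RAs periodically), so "The nearest router responds" should read "Each router on the link responds". Step 3 should name the two interface-identifier methods: EUI-64 derives the low 64 bits from the MAC address and therefore exposes the hardware address, while RFC 4941 temporary addresses or RFC 7217 stable opaque identifiers are the randomized alternatives most current clients use by default.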
Line 124: | Line 131: | ||
**Mute dhcpv4 logging: | **Mute dhcpv4 logging: | ||
- | **Mute dhcpv6 logging: **Enabling this stops FreshTomato from logging IPv6 dhcp activity. (Default: Disabled). | + | **Mute dhcpv6 logging: |
**Mute RA logging: | **Mute RA logging: | ||
Line 132: | Line 139: | ||
{{: | {{: | ||
- | **Prevent client auto DoH**: Modern browsers | + | **Prevent client auto DoH**: |
- | **Enable DNS Rebind protection**: DNS rebind | + | **Enable DNS Rebind protection:** DNS rebind is a type of malicious attack against domain resolution. |
- | **Forward local domain queries to the upstream DNS**: Enabling this forwards local domains to the router' | + | **Forward local domain queries to the upstream DNS:** Enabling this forwards local domains to the router' |
- | **Enable multicast DNS:** Checking this enables an implementation of Avahi mDNS. Avahi is system that enables programs to publish and discover services and hosts running on a LAN. It is a zero-configuration implementation which includes multicast service discovery via the mDNS/DNS-SD protocol suite. " | + | **Enable multicast DNS: |
+ | |||
+ | Avahi is system that enables programs to publish and discover services and hosts running on a LAN. It is a zero-configuration implementation which includes multicast service discovery via the mDNS/DNS-SD protocol suite. " | ||
**Enable reflector** FIXME | **Enable reflector** FIXME | ||
- | **Custom configuration: | + | **Custom configuration: |
===== TFTP Server ===== | ===== TFTP Server ===== | ||
- | |||
- | \\ | ||
- | |||
- | {{: | ||
- | |||
- | \\ | ||
**Enable TFTP**: Enabling this starts dnsmasq' | **Enable TFTP**: Enabling this starts dnsmasq' | ||
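Review bot: "DNS rebind is a type of malicious attack against domain resolution" in the "Enable DNS Rebind protection" row does not tell the reader what the option defends against. In a rebinding attack the attacker's domain is made to resolve to an address on your LAN (for example the router's own address), so a script loaded from that domain can reach internal hosts from inside the browser's same-origin policy; the protection drops upstream answers that point at private address ranges. Worth adding the caveat that a legitimate public hostname which resolves to a private address will then fail unless it is exempted (dnsmasq's rebind-domain-ok option, settable under "Custom configuration"). Two smaller points: "Prevent client auto DoH" only stops browsers from switching to DNS-over-HTTPS on their own, not a client the user has configured for DoH by hand, and the mDNS row should read "Avahi is a system".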
Line 157: | Line 160: | ||
**TFTP root path**: Text entered here defines where TFTP root is located in the filesystem. | **TFTP root path**: Text entered here defines where TFTP root is located in the filesystem. | ||
- | **PXE on LANx (brx)**: Enbables PXE (Pre Boot eXecution Environment) on one or more bridges. PXE was designed for diskless clients. A PXE client can obtain an IP address via DHCP and, once obtained, download boot code via a TFTP location. Syslinux is a good example of how these principles/ | + | **PXE on LANx (brx)**: Enbables PXE (Pre Boot eXecution Environment) on one or more bridges. PXE was designed for diskless clients. A PXE client can obtain an IP address via DHCP and, once obtained, download boot code via a TFTP location. Syslinux is a good example of this in action. |
- | ===== DHCP / DNS Notes ===== | + | ===== DHCP/DNS/TFTP Notes ===== |
* Do not use results from Cloudflare' | * Do not use results from Cloudflare' |
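Review bot: "Enbables" in the "PXE on LANx (brx)" row is a typo for "Enables", and PXE expands to Preboot Execution Environment. The TFTP and PXE rows should also carry a warning: TFTP has no authentication, so every file under "TFTP root path" is readable by any host on the bridge, and a PXE client runs whatever boot image the server hands it, so the root path should point at a read-only location holding only the boot files, and PXE should stay disabled on any bridge (such as a guest network) whose clients you do not control.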