FreshTomato Wiki

User Tools

Site Tools

Trace: bwm-weekly ipt-graphs tools-iperf bwm-daily adblock_dns_filtering status-overview basic-ipv6 tools-ping admin-scripts
advanced-dhcpdns

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
advanced-dhcpdns [2024/11/06 00:40] – [DHCP / DNS Server (LAN)] -Condense hogwildadvanced-dhcpdns [2025/03/29 20:57] (current) – [DHCP Client (WAN)] -Formatting hogwild
Line 1: Line 1:
 ====== DHCP/DNS/TFTP ====== ====== DHCP/DNS/TFTP ======
  
-This menu let you configure advanced settings for the DHCP, DNS and TFTP services for both the LAN and WAN. Most of this functionality is provided by [[https://thekelleys.org.uk/|dnsmasq]].+Here, you can configure advanced settings for the DHCP, DNS and TFTP services for both LAN and WAN. Most of this functionality is provided by [[https://thekelleys.org.uk/|dnsmasq]].
  
  
Line 12: Line 12:
 {{:pasted:20220119-170756.png}}\\  \\ {{:pasted:20220119-170756.png}}\\  \\
  
-**Enable DNSSEC support: ** Enables support for DNS Security.+**Enable DNSSEC support: **enables support for DNS Security.
  
 DNSSEC secures DNS by authenticating its servers. It prevents DNS hacking and poisoning. If the authoritative DNS server has DNSSEC, enabling it ensures DNS queries are answered by //that//  DNS server, and not an imposter. DNSSEC secures DNS by authenticating its servers. It prevents DNS hacking and poisoning. If the authoritative DNS server has DNSSEC, enabling it ensures DNS queries are answered by //that//  DNS server, and not an imposter.
Line 20: Line 20:
  \\  \\
  
-**Use dnscrypt-proxy:  **enables DNSCrypt to encrypt DNS resolution.+**Use dnscrypt-proxy: **enables DNSCrypt to encrypt DNS resolution.
  
 When a DNSCrypt-enabled server is chosen, a unique key pair is generated every hour. Queries are then encrypted using this key pair before being sent to the server, usually on TCP port 443. The reply is also encrypted. Checking //Use dnscrypt-proxy// enables the built-in dnscrypt proxy client. Dnscrypt-proxy and Stubby cannot be used at the same time. When a DNSCrypt-enabled server is chosen, a unique key pair is generated every hour. Queries are then encrypted using this key pair before being sent to the server, usually on TCP port 443. The reply is also encrypted. Checking //Use dnscrypt-proxy// enables the built-in dnscrypt proxy client. Dnscrypt-proxy and Stubby cannot be used at the same time.
Line 30: Line 30:
   * Ephemeral Keys - if checked, a new key pair is generated for each  \\ DNS query. Use this with care, as it's very cpu-intensive, and may\\ slow DNS resolution.   * Ephemeral Keys - if checked, a new key pair is generated for each  \\ DNS query. Use this with care, as it's very cpu-intensive, and may\\ slow DNS resolution.
  
-  * Manual Entry - if enabled, 3 more fields are displayed:  +  * Manual Entry - if enabled, 3 more fields appear:  
-    * Resolver Address - the IP address of the dnscrypt-enabled DNS server. +    * Resolver Address - the IP of the dnscrypt-enabled DNS server. 
-    * Provider Name - the name of the DNS provider, for instance FreshTomato. +    * Provider Name - the DNS provider name(e.g. "FreshTomato")
-    * Provider Public Key - the public key given by the DNSCRYPT-enabled \\ DNS provider \\ (to generate a key pair)+    * Provider Public Key - the public key from the DNSCRYPT-enabled \\ DNS provider (to generate a key pair)
  
-  * Resolver - a dropdown list currently containung about 200 DNS servers.+  * Resolver - a dropdown list of about 200 DNS servers.
     * Some support DNSSEC.      * Some support DNSSEC. 
     * Some don't log queries.      * Some don't log queries. 
     * Some are filtered.     * Some are filtered.
  
-  * Priority - should be left at //no-resolv// to prevent DNS leaks. This should  \\ neve be selected if using DNSCRYPT. Also, to prevent leaks, enable \\ //Intercept DNS port//.+  * Priority - should be left at //no-resolv// to prevent DNS leaks. \\ This should never be selected if DNSCRYPT is enabled\\ To prevent leaks, enable //Intercept DNS port//.
  
-  * Local Port - the port on which dnscrypt-proxy communicates with \\ FreshTomato DNS. \\ Leave at 40 unless you're an advanced user. Don't set it to 53, it could create a loop.+  * Local Port - the port on which dnscrypt-proxy speaks with \\ FreshTomato DNS. Leave this at 40 unless you're advanced. \\ Don't set it to 53, it could create a loop.
  
  \\   \\ To help choose a DNSCrypt DNS provider, import the file /etc/dnscrypt-resolvers.csv in a spreadsheet. Once chosen, \\ the server's IP address, provider name, and public key can be taken from that file.  \\   \\ To help choose a DNSCrypt DNS provider, import the file /etc/dnscrypt-resolvers.csv in a spreadsheet. Once chosen, \\ the server's IP address, provider name, and public key can be taken from that file.
Line 60: Line 60:
  \\  \\
  
-**Upstream resolvers:** here, choose the upstream servers responsible for performing name resolution.+**Upstream resolvers:** selects the upstream servers responsible for performing name resolution.
  
  \\  \\
Line 88: Line 88:
 **WINS (for DHCP):** the IP address of a WINS Server to give to DHCP clients. **WINS (for DHCP):** the IP address of a WINS Server to give to DHCP clients.
  
-This doesn't enable WINS. WINS is enabled in the [[:nas-samba|File Sharing]] menu. +This doesn't enable WINS. WINS is enabled in the [[:nas-samba|File Sharing]] menu. WINS is an old name resolution service to map NetBIOS names to IP addresses. It's mostly obsolete. DNS was supposed to replace WINS. However, WINS may still be necessary for some LAN browsing functions on old Windows versions.
- +
-Windows Internet Name Service is an old name resolution service to map NetBIOS names to IP addresses. It's mostly obsolete. DNS was supposed to replace WINS. However, WINS may still be necessary for some LAN browsing functions on old Windows versions.+
  
  \\  \\
Line 113: Line 111:
 {{:pasted:20220119-171212.png}}\\  \\ {{:pasted:20220119-171212.png}}\\  \\
  
-**Use internal DNS:** Uses dnsmasq as the LAN DNS server.+**Use internal DNS:** causes dnsmasq to be used as the LAN DNS server.
  
 DHCP clients receive the router's LAN IP as the DNS server address. (Default: Enabled). DHCP clients receive the router's LAN IP as the DNS server address. (Default: Enabled).
Line 123: Line 121:
  \\  \\
  
-**Use received DNS with user-entered DNS: **adds DNS servers from the DHCP Server on the WAN to the manual DNS server list.+**Use received DNS with user-entered DNS: **adds DNS servers from the WAN'DHCP Server to the manual DNS server list.
  
 See the [[basic-network|Network]] menu for details. (Default: Disabled). See the [[basic-network|Network]] menu for details. (Default: Disabled).
Line 147: Line 145:
  \\  \\
  
-**Generate a name for DHCP clients which do not otherwise have one**: if a hostname in Device List isn't reportedFreshTomato generates a name for it, based on its MAC address.+**Generate a name for DHCP clients which do not otherwise have one**: if FreshTomato can't find a hostname for a client's DHCP/MAC combinationit generates one for display, based on its MAC address.
  
  \\  \\
Line 223: Line 221:
  \\  \\
  
-**Enable DNS Rebind protection:**  Helps prevent DNS Rebind DNS resolution attcks.+**Enable DNS Rebind protection:**  helps prevent DNS Rebind DNS resolution attcks.
  
 Using this may have side effects. (Default: Enabled). Using this may have side effects. (Default: Enabled).
Line 237: Line 235:
 **Enable multicast DNS:**  checking this enables an implementation of Avahi mDNS. **Enable multicast DNS:**  checking this enables an implementation of Avahi mDNS.
  
-Avahi lets programs publish/discover services and hosts running on a LAN. This zero-configuration service includes multicast service discovery via the mDNS/DNS-SD protocol suite. "Bonjour" (Mac OS X) and "Zeroconf" technologies are Avahi-compatible.+Avahi lets programs publish/discover services and hosts running on a LAN. Its zero-configuration service includes multicast service discovery via mDNS/DNS-SD. "Bonjour" (Mac OS X) and "Zeroconf" technologies are Avahi-compatible.
  
  \\  \\
  
-**Enable reflector:** FIXME+**Enable reflector:** enables the Avahi mDNS repeater mode. 
 + 
 +This makes Avahi re-transmit / re-multicast queries and responses via multiple interfaces. This allows the router to bridge multicast DNS networks. 
 + 
 +For details, see this tutorial: [[https://www.linksysinfo.org/index.php?threads/avahi-tutorial-configuring-a-reflector-aka-mdns-repeater.75706/|Tomato Forum: avahi tutorial configuring a reflector aka mdns repeater]]
  
  \\  \\
  
-**Custom configuration: ** here  you can add custom options to the dnsmasq configuration.+**Custom configuration: ** hereyou can add custom options to the dnsmasq configuration.
  
  
 ===== TFTP Server ===== ===== TFTP Server =====
  
-**Enable TFTP**: Enabling this starts dnsmasq's TFTP server with the "--tftp-no-fail" options enabled by default. This prevents dnsmasq issues, for example, if TFTP root becomes unavailable.+**Enable TFTP**: starts dnsmasq's TFTP server with the "--tftp-no-fail" option enabled by default. 
 + 
 +This prevents dnsmasq issues, for example, if TFTP root becomes unavailable.
  
  \\  \\
  
-**TFTP root path**: Text entered here defines where TFTP root is located in the filesystem.+**TFTP root path**: text here defines where TFTP root is located in the filesystem.
  
  \\  \\
  
-**PXE on LANx (brx)**: Enbables Pre Boot eXecution Environment on the bridge(s). PXE was designed for diskless clients. A PXE client can obtain an IP address via DHCP, then download boot code via a TFTP source. Syslinux is an example of this.+**PXE on LANx (brx)**: enables Pre Boot eXecution Environment on the bridge(s). 
 + 
 +PXE was designed for diskless clients. A PXE client can obtain an IP address via DHCP, then download boot code via a TFTP source. Syslinux is an example of this.
  
  
 ===== DHCP/DNS/TFTP Notes ===== ===== DHCP/DNS/TFTP Notes =====
  
-  * Do not use results from Cloudflare's site: [[https://1.1.1.1/help|https://1.1.1.1/help]]. That webpage is likely to provide invalid results. Instead, use: [[https://rootcanary.org/test.html|https://rootcanary.org/test.html]]+Do not use results from Cloudflare's site: [[https://1.1.1.1/help|https://1.1.1.1/help]]. That webpage is likely to provide invalid results.  \\ Instead, use: [[https://rootcanary.org/test.html|https://rootcanary.org/test.html]] \\  \\ DNSSEC and DNSCrypt / Stubby complement each other.
  
-  * DNSSEC and DNSCrypt / Stubby complement each other.  +  * DNSSEC provides authentication. 
-    * DNSSEC provides authentication. +  * DNSCrypt provides encryption.
-    * DNSCrypt provides encryption.+
  
  
advanced-dhcpdns.1730853634.txt.gz · Last modified: 2024/11/06 00:40 by hogwild

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki