advanced-dhcpdns [2022/04/20 18:27] rs232advanced-dhcpdns [2023/08/05 19:13] (current) – [DHCP Client (WAN)] -condense hogwild
Line 1: Line 1:
-====== DHCP/DNS ======+====== DHCP/DNS/TFTP ====== 
 + 
 +The DHCP/DNS/TFTP menu allows you to configure advanced settings for the DHCP, DNS and TFTP services for both the LAN and WAN. Most of this functionality is provided by [[https://thekelleys.org.uk/|dnsmasq]]. 
  
-The Advanced / DHCP/DNS page allows you to configure advanced settings for the DHCP and DNS services for both LAN and WAN. Most of this functionality is provided by [[https://thekelleys.org.uk/|dnsmasq]]. 
 ===== DHCP Client (WAN) ===== ===== DHCP Client (WAN) =====
  
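Review bot: the new introduction drops the menu location that the old sentence carried ("The Advanced / DHCP/DNS page ..."), so a reader no longer learns that this page sits under the Advanced menu; consider keeping the path, e.g. "The Advanced / DHCP/DNS/TFTP menu allows you to configure ...". The heading and intro now name TFTP, which matches the TFTP Server section added further down in this revision, but that section only configures LAN bridges, so "for both the LAN and WAN" overstates it for TFTP.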
Line 10: Line 12:
 {{:pasted:20220119-170756.png}}\\  \\ {{:pasted:20220119-170756.png}}\\  \\
  
-**Enable DNSSEC support: ** DNSSEC is a way to secure DNS by introducing authentication for DNS servers. This prevents DNS hacking and poisoning. To make it backward compatible with traditional DNS, there is no encryption. If the authoritative DNS server is DNSSEC-enabled, enabling DNSSEC ensure that queries you make are answered by that authoritative DNS server, and not an imposter. Enable this if your chosen DNS server supports it for enhanced security.+**Enable DNSSEC support: ** DNSSEC is a way to secure DNS by introducing authentication for DNS servers. This prevents DNS hacking and poisoning. If the authoritative DNS server has DNSSEC, enabling DNSSEC ensures your DNS queries are answered by that DNS server, and not an imposter.
  
-**Use dnscrypt-proxy:  **DNSCrypt works to encrypt DNS resolutionWhen a DNSCrypt-enabled server is chosen, a unique key pair is generated and regenerated every hour. Queries are then encrypted using the generated key pair before they are sent to the server, usually on TCP port 443. The reply is similarly encrypted. Checking //Use dnscrypt-proxy// enables FreshTomato' built-in dnscrypt proxy client. The dnscrypt module and Stubby cannot both be used at the same time.+DNSSEC is not encrypted, to keep it backward-compatible with traditional DNS. Enable this if your chosen DNS server supports it for enhanced security.
  
-When dnscrypt-proxy is checked, the following options/fields are revealed:+**Use dnscrypt-proxy:  **DNSCrypt encrypts DNS resolution. When a DNSCrypt-enabled server is chosen, a unique key pair is generated and regenerated every hour. Queries are then encrypted using the generated key pair before being sent to the server, usually on TCP port 443. The reply is similarly encrypted. Checking //Use dnscrypt-proxy// enables the built-in dnscrypt proxy client. The dnscrypt module and Stubby cannot be used at the same time. 
 + 
 + \\ When dnscrypt-proxy is checked, the following options/fields are revealed: 
 + 
 + \\ 
 + 
 +  * Ephemeral Keys - If checked, a new key pair is generated for each DNS query. Use this with care. It is very cpu-intensive, \\ so it may slow DNS resolution.
  
-  * Ephemeral Keys - If checked, a new key pair is generated for each DNS query. Use with care, this is very cpu-intensive. It may slow DNS resolution. \\  
   * Manual Entry - If enabled, 3 more fields are displayed:    * Manual Entry - If enabled, 3 more fields are displayed: 
-    * Resolver Address - The IP address of the dnscrypt-enabled DNS server, for example 1.2.3.4; +    * Resolver Address - This is The IP address of the dnscrypt-enabled DNS server. 
-    * Provider Name - The name of the DNS provider, for instance FreshTomato +    * Provider Name - This is the name of the DNS provider, for instance FreshTomato. 
-    * Provider Public Key - public key provided by the DNSCRYPT-enabled DNS provider used to generate a valid key pair \\ e.g. 0000:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF +    * Provider Public Key - The public key provided by the DNSCRYPT-enabled DNS provider (to generate a key pair)
-  * Resolver - This dropdown list currently contains about 200 DNS servers. Some support DNSSEC. Some don't log queries. Some are filtered. To help you choose a DNSCrypt DNS provider, import the file /etc/dnscrypt-resolvers.csv in a spreadsheet. Once chosen, the server's IP address, provider name, and public key can be extracted from that file. +
-  * Priority - Leave this at //no-resolv// to prevent DNS leaks!  This should never be a choice when using DNSCRYPT. To prevent leaks, also enable //Intercept DNS port// on this page. +
-  * Local Port - Specifies the port on which dnscrypt-proxy communicates with FreshTomato's DNS. Leave this at 40 unless you know why to change it. Do NOT set it to 53, it might create a loop. +
-  * Log Level - This sets the level of messages logged in syslog (when activated).+
  
-**Use Stubby (DNS-over-TLS):** This enhances DNS privacyChecking this enables Stubby, a DNS Stub resolverDNS over TLS (or "DoT") sends DNS queries over a secure connection, encrypted with TLSTLS is the same technology that encrypts secure Web traffic. This prevents third parties from seeing your DNS queries.+  Resolver - This dropdown list currently contains about 200 DNS servers. 
 +    * Some support DNSSEC 
 +    * Some don't log queries.  
 +    * Some are filtered.
  
-When Stubby is enabled some extra options are appearing on your configuration:+  * Priority - This should be left at //no-resolv// to prevent DNS leaks.  This should never be a choice when using DNSCRYPT. \\ Also, to prevent leaks, enable //Intercept DNS port//. 
 + 
 +  * Local Port - Specifies the port on which dnscrypt-proxy communicates with FreshTomato DNS. Leave this at 40 \\ unless you're a highly advanced user. Do NOT set it to 53, as doing so may create a loop. 
 + 
 + \\   \\ To help you choose a DNSCrypt DNS provider, import the file /etc/dnscrypt-resolvers.csv in a spreadsheet. Once chosen, \\ the server's IP address, provider name, and public key can be taken from that file. 
 + 
 +**Use Stubby (DNS-over-TLS):** This enhances DNS privacy. Checking this enables Stubby, a DNS Stub resolver. \\ DNS over TLS (or "DoT") sends DNS queries over a secure connection, encrypted with TLS. TLS is the same technology \\ that encrypts secure Web traffic. This prevents third parties from seeing your DNS queries. 
 + 
 + \\ 
 + 
 +When Stubby is enabledsome further options appear:
  
 {{:pasted:20220420-181042.png}} {{:pasted:20220420-181042.png}}
  
-** Upstream resolvers:** You can specify here the upstream servers responsible to perform the actual name resolution.+ \\
  
-** Priority:** +**Upstream resolvers:** Here, specify the upstream servers responsible for performing the actual name resolution.
-  * Strict-Order = prefer Stubby but if this is experiencing issue fail back to "other way of resolve names" e.g. standard DNS resolution +
-  * No-Resolv = If Stubby fails or has issue you will want DNS resolution not to be failed back anywhere. A.k.a. Stubby or nothing. +
-  * None = This option adds stubby as a resolution method for the build in dnsmasq. Note this doesn't guarantee encryption by itself.+
  
-** Local Port:** The port number where Stubby is serving clients. Also note the only client for Stubby will actually be dnsmasq and this latter serves the end clients.+**Priority:**
  
-** Log Level:** Define here the log verbosity needed.+  Strict-Order - Stubby is tried first, but if issues aries, fallback will occur to other name resolution methods, like standard DNS. 
 +  No-Resolv - If Stubby fails or has issues, there will be no fallback to other DNS resolution methods. 
 +  None - This adds Stubby as a resolution method for dnsmasq. This alone does not guarantee.
  
-** Force TLS1.3:** Impose the usage of the latest TLS version for encryption (must be supported by the upstream).+ \\ 
 + 
 +**Local Port:** This is the port number on which Stubby serves clients. Dnsmasq will be the only client for Stubby, \\ but it is dnsmasq that serves clients. 
 + 
 +**Log Level:** Here, you can choose what level of details is written in log entries. 
 + 
 +**Force TLS1.3:**  Enforces usage of the latest TLS version for encryption. This must be supported upstream.
  
-**WINS (for DHCP):** Here, you can specify the IP address of a WINS Server which will be given to DHCP clients. This does NOT actually enable the WINS service. FreshTomato's WINS Server function is enabled on the //USB and NAS/[[:nas-samba|File Sharing]]// menu.+**WINS (for DHCP):** Here, specify the IP address of a WINS Server to be be given to DHCP clients. This doesn'actually enable WINS. FreshTomato's WINS Server function is enabled on the [[:nas-samba|File Sharing]] menu.
  
-Windows Internet Name Service (WINS) is a legacy name registration and resolution service which maps computer NetBIOS names to IP addresses. Officially, WINS is outdated and largely obsolete. DNS was supposed to have replaced WINS functionality. However, Microsoft has not officially deprecated WINS. WINS may still be necessary for some Windows LAN browsing functions, especially on old Windows versions.+Windows Internet Name Service (WINS) is a legacy name resolution service that maps NetBIOS names to IP addresses. Officially, it'outdated and largely obsolete. DNS was supposed to replace WINS functionality. However, Microsoft has not officially deprecated WINS. WINS may still be necessary for some Windows LAN browsing functions on old Windows versions.
  
 **DHCPC Options:**  In this field you can enter custom configuration settings for the dhcp client. **DHCPC Options:**  In this field you can enter custom configuration settings for the dhcp client.
  
-**Reduce Packet Size:** //udhcpc// (the DHCP client FreshTomato uses to obtain a WAN IP address) has a problem. It has a DHCP discovery packet size 590 bytes long. However, DHCP relay servers can only handle DHCP discovery packets up to 576 bytes. If there are DHCP relay servers between your FreshTomato router and your Internet provider's DHCP server, FreshTomato might fail to acquire a DHCP lease on the WAN interface.  The extra bytes appeared to be entirely padding, and not necessary.  FreshTomato developers eliminated the padding, which reduced udhcpc's DHCP discovery packet size to only 331 bytes. This 331 byte size eventually became FreshTomato'default setting. This way, udhcpc can successfully obtain a DHCP lease from a provider which might have DHCP relays. However, some users may not be able to obtain a WAN IP address unless they disable this feature. (Default: Enabled).+**Reduce Packet Size:** //udhcpc// (the DHCP client FreshTomato uses to obtain a WAN IP address) has a problem. It has a DHCP discovery packet size 590 bytes long. However, DHCP relay servers can only handle DHCP discovery packets up to 576 bytes. If there are DHCP relay servers between your FreshTomato router and your Internet provider's DHCP server, FreshTomato might fail to acquire a DHCP lease on the WAN interface. 
 + 
 +The extra bytes were entirely padding, and therefore, unnecessary.  FreshTomato developers eliminated the padding, reducing udhcpc's DHCP discovery packet size to 331 bytes. This 331 byte size eventually became the default setting. As a result, udhcpc can successfully obtain a DHCP lease from an ISP with DHCP relays. However, some users may not be able to obtain a WAN IP address unless they disable this feature. (Default: Enabled).
  
  
 ===== DHCP / DNS Server (LAN) ===== ===== DHCP / DNS Server (LAN) =====
 +
 + \\
  
 {{:pasted:20220119-171212.png}}\\  \\ {{:pasted:20220119-171212.png}}\\  \\
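Review bot: the "None" bullet under Stubby Priority now ends mid-thought ("This alone does not guarantee."); the old text made the security point that this mode does not guarantee encryption by itself, and that object should come back: "This alone does not guarantee encryption." Also in this hunk: the Resolver entry lost its "  * " list marker while its sub-points keep theirs, so it will render as plain text; "if issues aries" should read "arise"; "When Stubby is enabledsome" needs a comma and a space; "This is The IP address" has a stray capital; and the Provider Public Key example (the colon-separated hex fingerprint) was dropped, which removed the only hint of the expected key format.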
Line 62: Line 87:
 **Debug mode:** Checking this makes FreshTomato write detailed information to the log file. **Debug mode:** Checking this makes FreshTomato write detailed information to the log file.
  
-**Use received DNS with user-entered DNS: **Add DNS servers received from DHCP on your WAN connection to the manual DNS server list. See Basic/Network for more information. (Default: Disabled).+**Use received DNS with user-entered DNS: **Add DNS servers received from DHCP on your WAN connection to the manual DNS server list. Please See the [[basic-network|Network]] menu for more information. (Default: Disabled).
  
-**Intercept DNS port:** Any DNS requests/packets sent out on UDP/TCP port 53 are redirected to the internal DNS server. Only IPv4 DNS requests are intercepted. (Default: Disabled).+**Intercept DNS port:** Configures any DNS requests/packets sent on UDP/TCP port 53 to be redirected to the internal DNS server. Only IPv4 DNS requests are intercepted. (Default: Disabled).
  
-**Use user-entered gateway if WAN is disabled**: DHCP will assign the router's IP address as the default gateway on the LAN. (Default:Disabled)+**Use user-entered gateway if WAN is disabled**: Enabling this will makes DHCP assign the router's IP address as the default gateway on the LAN. (Default:Disabled)
  
-**Ignore DHCP requests from unknown devices**: dnsmasq will ignore DHCP requests from MAC addresses not listed on the [[:dhcp_reservation|DHCP Reservation]] page. These clients won't be able to obtain an IP address through DHCP. Note that this setting is also available on the DHCP Reservation page. (Default: Disabled).+**Ignore DHCP requests from unknown devices**: Enabling this makes dnsmasq ignore DHCP requests from MAC addresses not listed in [[:dhcp_reservation|DHCP Reservation]]. These clients will not obtain an IP address via DHCP.  This setting is also available in the DHCP Reservation menu. (Default: Disabled).
  
-**Generate a name for DHCP clients which do not otherwise have one**: If the hostname in the device list is not reported, this will generate an automatic name based on the device'mac address.+**Generate a name for DHCP clients which do not otherwise have one**: If hostname in the device list is not reported, this will automatically generate name for it, based on the device'MAC address.
  
  \\  \\
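Review bot: "Enabling this will makes DHCP assign" under Use user-entered gateway if WAN is disabled is ungrammatical; "Enabling this makes DHCP assign" matches the phrasing used for Ignore DHCP requests in the same hunk. Also "Please See the Network menu" has a stray capital on "See", and the Intercept DNS port entry now says it "Configures any DNS requests ... to be redirected", which is wordier than the old "are redirected" without saying anything more; the old wording was clearer.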
Line 78: Line 103:
  \\  \\
  
-**Solve .onion using Tor** (Enable Tor first): As the option suggests the otherwise unsolvable TLD .onion would failEnabling this allows proper DNS resolution using the Tor network.+**Solve .onion using Tor:** If Tor is enabled, this option causes it to resolve ".onion" domainsThis allows proper DNS resolution on the Tor network.
  
-**Maximum active DHCP leases:** Maximum allowed active DHCP leases at one time(Default: 255).+FreshTomato has a built-in Tor clientFor more information about this, see the [[advanced-tor|TOR]] page.
  
-**Static lease time:** The absolute maximum valid time for any DHCP lease.+**Maximum active DHCP leases:** Sets the maximum allowed active DHCP leases at one time. (Default: 255).
  
-  Same as Normal Lease Time\\ The Static lease time is the same as the normal (1440 minute) lease time. (Default.) +**Static lease time:** Sets the absolute maximum valid time for any DHCP lease.
-  * Infinite\\ The Static lease time is infinity +
-  * Custom\\ This allows you to enter a custom Static DHCP lease time.+
  
-**Announce IPv6 on LAN (SLAAC): **Enabling this turns on router advertisements for IPv6 //Stateless Address Autoconfiguration (SLAAC)//  protocol. This allows hosts to self-configure an IP address with minimal contact with a server. The client sends out an RS (router solicitation) ICMP packet. The nearest router responds with a RA (router advertisement) packet. The client uses the IPv6 prefix provided in the RA packet as the first 64 bits of its address. It then derives the last 64 bits of its address using the EUI-64 process or randomization algorithm.+  Same as Normal Lease Time\\ Static lease time is the same as normal (1440 minutelease time. (Default.) 
 +  * Infinite\\ Static lease time is infinity 
 +  * Custom\\ This setting allows you to enter custom Static DHCP lease time.
  
-**Announce IPv6 on LAN (DHCP):**  Enabling this makes FreshTomato turn on router advertisements using IPv6 DHCP.+To retain leases after rebooting the router, please see this [[retain_dhcp_lease_info_after_a_reboot|HOWTO]] for additional information on non-volatile DHCP leases. 
 + 
 +**Announce IPv6 on LAN (SLAAC): **Enabling this turns on router advertisements for IPv6 //(SLAAC)//  protocol. This protocol allows hosts to self-configure an IPv6 address with minimal contact with a server. 
 + 
 +  - The client sends out an RS (router solicitation) ICMP packet.  
 +  - The nearest router responds with an RA (router advertisement) packet.  
 +  - The client uses the IPv6 prefix from the RA packet as the first 64 bits of its address. It then derives the last 64 bits \\ of its address using the EUI-64 process or a randomization algorithm. 
 + 
 +**Announce IPv6 on LAN (DHCP):**  Checking this makes FreshTomato enable router advertisements using IPv6 DHCP.
  
 **Fast RA mode**: Forces dnsmasq to be always in frequent RA mode. **Fast RA mode**: Forces dnsmasq to be always in frequent RA mode.
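Review bot: in the Static lease time list the first option, "Same as Normal Lease Time", has no "  * " marker while Infinite and Custom do, so it will not render as part of the list; and "normal (1440 minutelease time" is missing the closing parenthesis and a space: "normal (1440 minute) lease time". The SLAAC description now reads "router advertisements for IPv6 //(SLAAC)// protocol" after the expansion "Stateless Address Autoconfiguration" was cut; keeping the expanded name on first use helps readers who do not know the acronym.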
Line 98: Line 131:
 **Mute dhcpv4 logging:**  Enabling this stops FreshTomato from logging IPv4 dhcp activity. (Default: Disabled). **Mute dhcpv4 logging:**  Enabling this stops FreshTomato from logging IPv4 dhcp activity. (Default: Disabled).
  
-**Mute dhcpv6 logging: **Enabling this stops FreshTomato from logging IPv6 dhcp activity. (Default: Disabled).+**Mute dhcpv6 logging:  **Enabling this stops FreshTomato from logging IPv6 dhcp activity. (Default: Disabled).
  
-**Mute RA logging:**  This prevents logging of Router Advertisement activity.+**Mute RA logging:**  Enabling this prevents logging of Router Advertisement activity.
  
  \\  \\
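Review bot: Mute RA logging is the only one of the three Mute entries without a stated default; the sibling entries both end with "(Default: Disabled)", so add the default here too for consistency. The Mute dhcpv6 logging change only moves whitespace inside the bold markers ("**Mute dhcpv6 logging:  **"), leaving two spaces before the closing marker; the single-space form used by Mute dhcpv4 logging is the cleaner one.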
Line 106: Line 139:
 {{:pasted:20220119-172400.png}}\\  \\ {{:pasted:20220119-172400.png}}\\  \\
  
-**Prevent client auto DoH**: Modern browsers such as Firefox have built-in function called DNS Over HTTP(s). When DoH is enabled, a browser can completely bypass the sytem's DNS server. Enabling the Prevent client auto DOH option prevents DoH communication. This is often helpful for getting FreshTomato'Adblock function to work properly, since the Adblock function relies on unencrypted DNS resolution.+**Prevent client auto DoH**:  Modern browsers include a function called DNS Over HTTP(s). When DoH is enabled, a browser can bypass the system's DNS server. Enabling this option prevents DoH communication. This is helpful for getting the Adblock function to work properly, since Adblock relies on unencrypted DNS resolution.
  
-**Enable DNS Rebind protection**DNS rebinding protection is a type of malicious attack affecting domain resolution. Please note that enabling this may have secondary effects. (Default: Enabled).+**Enable DNS Rebind protection:**  DNS rebind is a type of malicious attack against domain resolution. Enabling this may have secondary effects. (Default: Enabled).
  
-**Forward local domain queries to the upstream DNS**Enabling this forwards local domains to the router's upstream DNS server. You would probably not want this unless you have a fully (publicly)-registered domain in use on your LAN.+**Forward local domain queries to the upstream DNS:**  Enabling this forwards local domains to the router's upstream DNS server. Avoid using this unless you have a fully (publicly)-registered domain on your LAN.
  
-**Enable multicast DNS** (Avahi mDNS): FIXME+**Enable multicast DNS:**  Checking this enables an implementation of Avahi mDNS
 + 
 +Avahi is system that enables programs to publish and discover services and hosts running on a LAN. It is a zero-configuration implementation which includes multicast service discovery via the mDNS/DNS-SD protocol suite. "Bonjour" (in Apple MacOS Xand "Zeroconf" are technologies compatible with Avahi.
  
 **Enable reflector** FIXME **Enable reflector** FIXME
  
-**Custom configuration: **This features allows you to add extra (customoptions to the dnsmasq configuration file.+**Custom configuration: ** In this field,** **you can to add custom options to the dnsmasq configuration file
 + 
 + 
 +===== TFTP Server ===== 
 + 
 +**Enable TFTP**: Enabling this starts dnsmasq's TFTP server with the "--tftp-no-fail" options enabled by default. This prevents dnsmasq issues, for example, if TFTP root becomes unavailable. 
 + 
 +**TFTP root path**: Text entered here defines where TFTP root is located in the filesystem. 
 + 
 +**PXE on LANx (brx)**: Enbables PXE (Pre Boot eXecution Environment) on one or more bridges. PXE was designed for diskless clients. A PXE client can obtain an IP address via DHCP and, once obtained, download boot code via a TFTP location. Syslinux is a good example of this in action.
  
  
-===== DHCP / DNS Notes =====+===== DHCP/DNS/TFTP Notes =====
  
-  *  Do not use results from: [[https://1.1.1.1/help|https://1.1.1.1/help]]. That webpage is likely to provide wrong results. Instead, it is suggested that you use:  [[https://rootcanary.org/test.html|https://rootcanary.org/test.html]]+  * Do not use results from Cloudflare's site: [[https://1.1.1.1/help|https://1.1.1.1/help]]. That webpage is likely to provide invalid results. Instead, use: [[https://rootcanary.org/test.html|https://rootcanary.org/test.html]]
  
-  *  DNSSEC and DNSCrypt / Stubby complement each other.+  * DNSSEC and DNSCrypt / Stubby complement each other. DNSSEC provides authentication, DNSCrypt provides encryption.
  
  
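Review bot: the Custom configuration line has stray empty bold markers and a grammar slip: "In this field,** **you can to add" should be "In this field, you can add". Further in this hunk: "Avahi is system" is missing "a", "(in Apple MacOS Xand" is missing its closing parenthesis, "Enbables PXE" should be "Enables", and "--tftp-no-fail" is a single option, so "options enabled" should be singular. The Enable DNS Rebind protection entry says what the attack is but not what the protection does or which "secondary effects" to expect, so a reader cannot judge whether to keep it enabled; a sentence on its behaviour would help. Enable reflector still reads FIXME.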
advanced-dhcpdns.1650475646.txt.gz · Last modified: 2022/04/20 18:27 by rs232