<% ident(); %>
DHCP / DNS Client (WAN)
DHCP / DNS Server (LAN)
TFTP Server
Custom Configuration
DHCP / DNS Client (WAN):
- Enable DNSSEC support - Ensures that DNS lookups haven't been hijacked by a malicious third party when querying a DNSSEC-enabled domain. Make sure your WAN/ISP/Stubby/dnscrypt-proxy DNS servers are DNSSEC-compatible, otherwise DNS lookups will always fail.
- Use dnscrypt-proxy - Wraps unmodified DNS traffic between a client and a DNS resolver in a cryptographic construction in order to detect forgery. Uses the DNSCrypt (v1/v2) protocol. You can use your own custom config file (/etc/dnscrypt-resolvers-alt.csv).
- Use Stubby - Acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent to a DNS Privacy resolver, increasing end-user privacy. You can use your own custom config file (/etc/stubby/stubby_alt.yml).
- WINS (for DHCP) - The Windows Internet Naming Service manages interaction of each PC with the Internet. If you use a WINS server, enter the IP address of the server here.
- DHCPC Options - Extra options for the DHCP client.
- Reduce packet size - Self-explanatory.
DHCP / DNS Server (LAN):
- Use internal DNS - Allow dnsmasq to be your DNS server on the LAN.
- Use received DNS with user-entered DNS - Add the DNS servers received from your WAN connection to the static DNS server list (see Network configuration).
- Intercept DNS port - Any DNS requests/packets sent out to UDP/TCP port 53 are redirected to the internal DNS server. Currently only IPv4 DNS is intercepted.
- Use user-entered gateway if WAN is disabled - DHCP will use the IP address of the router as the default gateway on each LAN.
- Ignore DHCP requests (...) - Dnsmasq will ignore DHCP requests from MAC addresses that are not listed on the Static DHCP/ARP page; only listed devices will be able to obtain an IP address through DHCP.
- Static lease time - Absolute maximum amount of time allowed for any DHCP lease to be valid.
- Fast RA mode - Forces dnsmasq to always be in frequent RA mode. (Recommendation: also enable the "Mute RA logging" option.)
- IPv6 DNS Server - Send the DHCPv6 dns-server option (RDNSS). (Default (empty) will use the global address of the router if SLAAC and/or DHCPv6 is enabled!)
- Prevent client auto DoH - Some clients, such as Firefox or Windows' Discovery of Designated Resolver support, can automatically switch to DNS over HTTPS, bypassing your preferred DNS servers. This option may prevent that.
- Enable DNS Rebind protection - Enabling this will protect your LAN against DNS rebinding attacks; however, it will also prevent upstream DNS servers from resolving queries to any non-routable IP (for example, 192.168.1.1).
- Enable multicast DNS (Avahi mDNS) - You will probably also want to add some LAN access rules (by default all communication between bridges is blocked) and/or use the Firewall script to add your own rules, e.g. (br0 = private network, br1 = IoT): iptables -I FORWARD -i br0 -o br+ -j ACCEPT and iptables -I INPUT -i br1 -p udp --dport 5353 -j ACCEPT. An alternative config file is available (/etc/avahi/avahi-daemon_alt.conf).
- Custom configuration - Extra options to be added to the Dnsmasq configuration file.
Other relevant notes/hints:
- The contents of the file /etc/dnsmasq.custom are also added to the end of Dnsmasq's configuration file (if it exists). Parameter names need to be defined without leading dashes, e.g. cache-size=4096
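As an added illustration (not a file shipped with the firmware), the fragment below shows what /etc/dnsmasq.custom might contain to tie together the options described above: rebind protection with an exception for one internal zone, DHCP restricted to known static leases, and query logging for later review. The zone name corp.example and the log path are assumed placeholders.

```conf
# /etc/dnsmasq.custom (example only): options in dnsmasq syntax, no leading dashes.

# DNS rebind protection: drop upstream answers that point at private
# (RFC 1918) or loopback ranges, which is what the "Enable DNS Rebind
# protection" option does. The caveat from the help text applies: any
# public name that legitimately resolves to e.g. 192.168.1.1 will fail.
stop-dns-rebind
rebind-localhost-ok
# Allow one internal zone (placeholder) whose names are meant to resolve
# to private addresses, so split-horizon DNS keeps working.
rebind-domain-ok=/corp.example/

# Only hand out leases to devices with a static DHCP entry ("known" hosts).
# Equivalent in effect to the "Ignore DHCP requests" option above.
dhcp-ignore=tag:!known

# Larger cache, as in the cache-size example given in the notes.
cache-size=4096

# Log each query (with the asking client) so DNS hijack or exfiltration
# attempts can be reviewed in the log. Path is an assumed placeholder;
# keep this off on routers with small flash if logging to a file.
log-queries
log-async=20
log-facility=/tmp/var/log/dnsmasq.log
```

Verify the merged result after saving with dnsmasq --test, which parses the configuration and reports a syntax error without starting the daemon.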