dnsmasq-ipv4-only.conf
# dnsmasq-ipv4-only.conf: dnsmasq as DNS forwarder/cache and DHCP server for the
# SoftEther VPN tap bridge (tap_softether), IPv4 only.
# dnsmasq config syntax: one directive per line, "#" starts a comment.
################################################################################## Interface Settings
# Listen to interface
# In this case it is the Softether bridge
interface=tap_softether
# Don't ever listen to anything on eth0, you wouldn't want that.
# Kept even though interface= is explicit: it guarantees the resolver and the DHCP
# server are never exposed on the public NIC (open-resolver risk) if the interface
# list is edited later.
except-interface=eth0
# In case you have bind on your server and don't want dnsmasq to use the default dns port #53:
# port=5353
# Bind only this address (the tap bridge's IPv4 address) rather than the wildcard.
listen-address=10.0.13.1
# bind-interfaces: bind sockets to the listed interfaces/addresses only, instead of
# binding 0.0.0.0 and filtering by interface afterwards.
# NOTE(review): tap_softether must exist when dnsmasq starts; if the tap comes up later,
# bind-dynamic may be needed instead — confirm against the service start order.
bind-interfaces
################################################################################## Options
# Let's give the connecting clients an internal IP
# DHCP pool 10.0.13.13-10.0.13.213 on tap_softether, 720h (30-day) lease time.
dhcp-range=tap_softether,10.0.13.13,10.0.13.213,720h
# Default route and dns
# Option 3 = router; this host (10.0.13.1) is the gateway for VPN clients.
dhcp-option=tap_softether,3,10.0.13.1
# Treat this dnsmasq as the only DHCP server on the segment: it answers requests for
# leases it does not know about instead of staying silent. (DHCP itself is enabled by
# dhcp-range above, not by this line.)
dhcp-authoritative
# have your simple hosts expanded to domain
# NOTE(review): only has an effect when a domain= is configured; none is set in this file.
expand-hosts
# Let dnsmasq use the dns servers in the order you chose.
# (Without it dnsmasq prefers whichever upstream answered fastest.)
strict-order
# Do not reuse the DHCP "servername"/"filename" header fields as extra option space;
# some old or broken clients misbehave when they are overloaded. Unrelated to which
# IP a client gets.
dhcp-no-override
# proxy-dnssec copies the DNSSEC Authenticated Data (AD) bit from upstream answers to
# clients and caches it; dnsmasq does NOT validate DNSSEC itself with this setting.
# It is an alternative to having dnsmasq validate, but it depends on the security of the
# network between dnsmasq and the upstream servers (plain UDP/53 here), and on the
# trustworthiness of the upstream servers.
proxy-dnssec
# The following directives prevent dnsmasq from forwarding plain names (without any dots)
# or addresses in the non-routed address space to the parent nameservers.
domain-needed
# Never forward reverse lookups for private (RFC 1918) address space upstream;
# answer "no such domain" unless the address is known locally.
bogus-priv
# DNS rebinding protection: reject (and log) upstream answers that map public names to
# private address ranges, so a hostile domain cannot point clients at internal services.
stop-dns-rebind
# Exception to the above for 127.0.0.0/8 (needed for DNSBL-style services that answer with loopback).
rebind-localhost-ok
# Set the maximum number of concurrent DNS queries. The default value is 150. Adjust to your needs.
dns-forward-max=300
# stops dnsmasq from getting DNS server addresses from /etc/resolv.conf
# (and from polling that file for changes); upstreams come from the server= lines below.
no-resolv
no-poll
# Prevent Windows 7 DHCPINFORM floods (see the linked post)
# http://brielle.sosdg.org/archives/522-Windows-7-flooding-DHCP-server-with-DHCPINFORM-messages.html
# Option 252 is the WPAD / proxy auto-config URL option; the quoted "\n" is sent as a
# single newline character so clients get an answer and stop re-asking.
dhcp-option=252,"\n"
################################################################################## External DNS Servers
# Upstream resolvers that dnsmasq forwards client queries to, tried in this order
# because of strict-order above. 208.67.x.x are OpenDNS, 8.8.4.4 is Google.
# Transport is plain UDP/53: the path to these servers is what proxy-dnssec's AD bit relies on.
server=208.67.222.222
server=208.67.220.220
server=8.8.4.4
#########################################
################################################################################## Client DNS Servers
# Let's send these DNS Servers to clients.
# The first IP is the IPv4 address that is already assigned to tap_softether,
# so that everything runs through us.
# This is good for caching and adblocking.
# NOTE(review): the second entry (208.67.222.222) is an external resolver handed straight
# to clients. A client may query it whenever it considers 10.0.13.1 slow or unavailable
# (some resolvers also round-robin), and those queries bypass the cache, the addn-hosts
# adblock list and the rebind protection configured above. Drop it if "everything runs
# through us" is the goal; keep it only as a deliberate availability trade-off.
# Set IPv4 DNS server for client machines
dhcp-option=option:dns-server,10.0.13.1,208.67.222.222
#########################################
######################################### TTL & Caching options
# How many DNS answers should we cache? By default this is 150.
# Can go up to 10k.
cache-size=10000
# Negative caching allows dnsmasq to remember 'no such domain' answers from the parent nameservers,
# so it does not query for the same non-existent hostnames again and again.
# This is probably useful for spam filters or MTA services.
# (Negative caching is on by default; uncomment the next line to turn it off.)
#no-negcache
# The neg-ttl directive sets a default TTL value to add to negative replies from the parent nameservers,
# in case these replies do not contain TTL information.
# If neg-ttl is not set and a negative reply from a parent DNS server does not contain TTL information,
# then dnsmasq will not cache the reply.
# seconds (80000 s is roughly 22 h)
neg-ttl=80000
# TTL (seconds) for answers dnsmasq generates locally: /etc/hosts, addn-hosts and DHCP leases.
# The default is 0. 3600 lets clients cache the adblock answers for an hour, so an edit to
# the hosts file can take up to that long to reach a client that already cached the name.
local-ttl=3600
# DHCP option 23 = default IP time-to-live for packets the client sends (not a DNS TTL).
dhcp-option=23,64
#########################################
################################################################################## MISC
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants.
dhcp-option=vendor:MSFT,2,1i
#########################################
## 44-47 NetBIOS (DHCP options 44-47, name services pointed at this host)
# 44: NetBIOS-over-TCP/IP name server(s), aka WINS server(s)
dhcp-option=44,10.0.13.1
# 45: NetBIOS datagram distribution server
dhcp-option=45,10.0.13.1
# 46: NetBIOS node type (8 = hybrid: ask WINS first, then fall back to broadcast)
dhcp-option=46,8
# 47: NetBIOS scope ID, deliberately given without a value.
# NOTE(review): dnsmasq sends an option listed without data as an empty option —
# confirm an empty scope is what the Windows clients should receive.
dhcp-option=47
# IF you want to give clients the same static internal IP,
# you should create and use /etc/ethers for static hosts;
# same format as --dhcp-host
# <hwaddr> [<hostname>] <ipaddr>
#read-ethers
# Additional hosts, for adblocking.
# You can create that file yourself or just download and run:
# https://github.com/nomadturk/vpn-adblock/blob/master/updateHosts.sh
# Whatever lands in this file is served as authoritative DNS data to every VPN client,
# so a list fetched by that script is configuration, not data: review the sources it
# pulls from and keep the file writable by root only.
addn-hosts=/etc/hosts.supp
# Log to a file instead of syslog; async logging with a 5-line queue so a slow disk
# does not stall query handling.
log-facility=/var/log/dnsmasq.log
log-async=5
### Experimental
# Log every DHCP option sent and received. Verbose, and the log then contains client
# MAC addresses and hostnames, so protect the log file accordingly.
log-dhcp