################################################################################## Interface Settings # Listen to interface # In this case it is the Softether bridge interface=tap_softether # Don't ever listen to anything on eth0, you wouldn't want that. except-interface=eth0 # In case you have bind on your server and doesn't want dnsmasq to use the default dns port #53: # port=5353 listen-address=10.0.13.1 bind-interfaces ################################################################################## Options # Let's give the connecting clients an internal IP dhcp-range=tap_softether,10.0.13.13,10.0.13.213,720h # Default route and dns dhcp-option=tap_softether,3,10.0.13.1 # enable dhcp dhcp-authoritative # enable IPv6 Route Advertisements enable-ra # have your simple hosts expanded to domain expand-hosts # Let dnsmasq use the dns servers in the order you chose. strict-order # Let's try not giving the same IP to all, right? dhcp-no-override # Let's assign a unique and real IPv6 address to all clients. # Here, we are using the IPv6 addresses from the he-ipv6 interface (Hurricane Electric ipv6 tunnel) # You should replace it with your own IP range. # This way even if you have only 1 shared IPv4 # All of your clients can have a real and unique IPv6 address. # you can try slaac,ra-only | slaac,ra-names | slaac,ra-stateless in case you have trouble connecting dhcp-range=tap_softether,2001:XXX:YYY:ZZZ:0000:0000:0000:0032,2001:XXX:YYY:ZZZ:0000:0000:0000:ffff,ra-advrouter,slaac,64,infinite # For tunnelbroker, assign your 1f14 ip address to the tunnel interface and use 1f15 routable addresses in softether and dnsmasq #dhcp-range=tap_softether,2001:0470:1f15:XXXX:0000:0000:000:0011,2001:0470:1f15:XXXX:0000:0000:0000:ffff,slaac,ra-stateless,64,2d # Let's advertise ourself as a DNSSec server. # Since we're running in the VPN network this shouldn't be any problem. # Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. # This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network # between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers. proxy-dnssec # The following directives prevent dnsmasq from forwarding plain names (without any dots) # or addresses in the non-routed address space to the parent nameservers. domain-needed # Never forward addresses in the non-routed address spaces bogus-priv # blocks probe-machines attack stop-dns-rebind rebind-localhost-ok # Set the maximum number of concurrent DNS queries. The default value is 150. Adjust to your needs. dns-forward-max=300 # stops dnsmasq from getting DNS server addresses from /etc/resolv.conf # but from below no-resolv no-poll # Prevent Windows 7 DHCPDISCOVER floods # http://brielle.sosdg.org/archives/522-Windows-7-flooding-DHCP-server-with-DHCPINFORM-messages.html dhcp-option=252,"\n" ################################################################################## External DNS Servers # Use this DNS servers for incoming DNS requests server=208.67.222.222 server=208.67.220.220 server=8.8.4.4 # Use these IPv6 DNS Servers for lookups/ Google and OpenDNS server=2620:0:ccd::2 server=2001:4860:4860::8888 server=2001:4860:4860::8844 ######################################### ################################################################################## Client DNS Servers # Let's send these DNS Servers to clients. # The first IP is the IPv4 and IPv6 addresses that are already assigned to the tap_softether # So that everything runs through us. # This is good for caching and adblocking. # Set IPv4 DNS server for client machines # option:6 dhcp-option=option:dns-server,10.0.13.1,208.67.222.222 # Set IPv6 DNS server for clients # You can change the first IP with the ipv6 address of your tap_softether if you # want all dns queries to go through your server... dhcp-option=option6:dns-server,[2620:0:ccd::2],[2001:4860:4860::8844] ######################################### ######################################### TTL & Caching options # How many DNS queries should we cache? By defaults this is 150 # Can go up to 10k. cache-size=10000 # Negative caching allows dnsmasq to remember 'no such domain' answers from the parent nameservers, # so it does not query for the same non-existent hostnames again and again. # This is probably useful for spam filters or MTA services. #no-negcache # The neg-ttl directive sets a default TTL value to add to negative replies from the parent nameservers, # in case these replies do not contain TTL information. # If neg-ttl is not set and a negative reply from a parent DNS server does not contain TTL information, # then dnsmasq will not cache the reply. neg-ttl=80000 local-ttl=3600 # TTL dhcp-option=23,64 ######################################### ################################################################################## MISC # Send microsoft-specific option to tell windows to release the DHCP lease # when it shuts down. Note the "i" flag, to tell dnsmasq to send the # value as a four-byte integer - that's what microsoft wants. See dhcp-option=vendor:MSFT,2,1i ######################################### ## 44-47 NetBIOS dhcp-option=44,10.0.13.1 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) dhcp-option=45,10.0.13.1 # netbios datagram distribution server dhcp-option=46,8 # netbios node type dhcp-option=47 # IF you want to give clients the same static internal IP, # you should create and use use /etc/ethers for static hosts; # same format as --dhcp-host # [] #read-ethers # Additional hosts, for adblocking. # You can create that file yourself or just download and run: # https://github.com/nomadturk/vpn-adblock/blob/master/updateHosts.sh addn-hosts=/etc/hosts.supp log-facility=/var/log/dnsmasq.log log-async=5 ################################################################################## Experimental log-dhcp quiet-dhcp6 #dhcp-option=option:router,10.0.13.1 #dhcp-option=option:ntp-server,10.0.13.1 # With settings below, you can ping other clients on your lan. #dhcp-option=option:domain-search,lan #dhcp-option=option6:domain-search,lan #domain=YOURDOMAINHERE # Gateway dhcp-option=3,10.0.13.1