How to serve custom DHCP configuration with OpenWRT’s dnsmasq

There are times when you need to restrict what some hosts on the network can or cannot do. When you have a router running OpenWRT, this can be done at the firewall level.

But if you’re not much into advanced configuration and just want to completely block out some network hosts from reaching the internet (and hence phoning home), then it’s a lot simpler to do this directly from DHCP and simply leave them without a DNS and gateway configuration. Keep in mind that this only works for hosts that take their network settings from DHCP: a host with a manually configured gateway and DNS server is not affected, and that case still needs a firewall rule.

Start by editing /etc/config/dhcp and adding the following tag definitions (the tag identifier can be any string; I chose these for clarity):

config tag 'nodnsnogateway'
    list dhcp_option '3'
    list dhcp_option '6'

config tag 'nogateway'
    list dhcp_option '3'

config tag 'nodns'
    list dhcp_option '6'

These definitions stop the DHCP server from providing gateway (option 3) and/or DNS (option 6) information to the hosts they are applied to. To serve custom information instead, include the IP addresses in the option definition, for example:

list dhcp_option '3,192.168.1.101'

list dhcp_option '6,192.168.1.128,1.2.3.4'

Then create MAC-specific host configurations and add the tag attribute to the hosts that should receive the custom configuration:

config host
    option name 'host-without-dns'
    option dns '1'
    option ip '192.168.1.30'
    option mac '00:11:22:33:aa:bb'
    option leasetime '12h'
    option tag 'nodns'

config host
    option name 'lan-only-host'
    option dns '1'
    option ip '192.168.1.33'
    option mac '00:11:22:33:cc:dd'
    option leasetime '12h'
    option tag 'nodnsnogateway'

Save the changes to the file (via SSH/SCP), then reload OpenWRT’s DHCP and DNS page and use Save & Apply to make the configuration changes take effect.
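A host is tied to its tag by name only, so a host whose tag is misspelled matches no tag section and silently receives the default gateway and DNS. The script below is an added example, not part of the original post: it cross-checks every host in a UCI dhcp file against the defined tags and shows what each tag withholds or overrides. The function name audit_dhcp_tags and the sample entries are constructed for illustration, and it assumes quoted values contain no spaces.

```sh
#!/bin/sh
# Added example (not from the original post): audit a UCI dhcp file.
# Prints one line per "config host": name, MAC, then the tag and its effect.
# Assumes one value per line and no spaces inside quoted values.
audit_dhcp_tags() {
    awk -v sq="'" '
    function unq(s) { gsub("[" sq "\"]", "", s); return s }
    $1 == "config" {
        sect = $2
        if (sect == "tag")  { cur = unq($3); known[cur] = 1 }
        if (sect == "host") n++
        next
    }
    sect == "tag" && $1 == "list" && $2 == "dhcp_option" {
        v = unq($3); split(v, p, ",")
        # A bare number withholds the option; number,value overrides it.
        opts[cur] = opts[cur] (index(v, ",") ? " override=" : " withhold=") p[1]
    }
    sect == "host" && $1 == "option" {
        if ($2 == "name") hname[n] = unq($3)
        if ($2 == "mac")  hmac[n]  = unq($3)
        if ($2 == "tag")  htag[n]  = unq($3)
    }
    END {
        # Resolve tags last, so tag sections may appear after the hosts.
        for (i = 1; i <= n; i++) {
            t = htag[i]
            if (t == "")            s = "NO-TAG"
            else if (!(t in known)) s = "UNDEFINED-TAG=" t
            else                    s = t opts[t]
            print hname[i], hmac[i], s
        }
    }' "$@"
}

# Constructed sample; on the router run: audit_dhcp_tags /etc/config/dhcp
audit_dhcp_tags <<'EOF'
config tag 'nodns'
    list dhcp_option '6'
config host
    option name 'host-without-dns'
    option mac '00:11:22:33:aa:bb'
    option tag 'nodns'
config host
    option name 'typo-host'
    option mac '00:11:22:33:cc:dd'
    option tag 'nodsn'
EOF
```

Any line reporting UNDEFINED-TAG or NO-TAG is a host that will still be handed the normal gateway and DNS server.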

Additional options

The dnsmasq DHCP server supports additional options that can be configured in the same way. The known option numbers and names can be listed on the router:

# dnsmasq --help dhcp
Known DHCP options:
  1 netmask
  2 time-offset
  3 router
  6 dns-server
  7 log-server
  9 lpr-server
 13 boot-file-size
 15 domain-name
 16 swap-server
 17 root-path
 18 extension-path
 19 ip-forward-enable
 20 non-local-source-routing
 21 policy-filter
 22 max-datagram-reassembly
 23 default-ttl
 26 mtu
 27 all-subnets-local
 31 router-discovery
 32 router-solicitation
 33 static-route
 34 trailer-encapsulation
 35 arp-timeout
 36 ethernet-encap
 37 tcp-ttl
 38 tcp-keepalive
 40 nis-domain
 41 nis-server
 42 ntp-server
 44 netbios-ns
 45 netbios-dd
 46 netbios-nodetype
 47 netbios-scope
 48 x-windows-fs
 49 x-windows-dm
 58 T1
 59 T2
 60 vendor-class
 64 nis+-domain
 65 nis+-server
 66 tftp-server
 67 bootfile-name
 68 mobile-ip-home
 69 smtp-server
 70 pop3-server
 71 nntp-server
 74 irc-server
 77 user-class
 80 rapid-commit
 93 client-arch
 94 client-interface-id
 97 client-machine-id
119 domain-search
120 sip-server
121 classless-static-route
125 vendor-id-encap
150 tftp-server-address
255 server-ip-address
# dnsmasq --help dhcp6
Known DHCPv6 options:
 21 sip-server-domain
 22 sip-server
 23 dns-server
 24 domain-search
 27 nis-server
 28 nis+-server
 29 nis-domain
 30 nis+-domain
 31 sntp-server
 32 information-refresh-time
 56 ntp-server
 59 bootfile-url
 60 bootfile-param