Previous revision: advanced-dhcpdns [2024/11/10 19:09] – [DHCP / DNS Server (LAN)] Insert link to eibgrad forum tutorial (hogwild)
Current revision: advanced-dhcpdns [2025/08/13 03:53] (current) – [DHCP Client (WAN)] (hogwild)
Line 1: | Line 1: | ||
====== DHCP/ | ====== DHCP/ | ||
- | This menu let you configure advanced settings for the DHCP, DNS and TFTP services for both the LAN and WAN. Most of this functionality is provided by [[https:// | + | Here, you can configure advanced settings for the DHCP, DNS and TFTP services for both LAN and WAN. Most of this functionality is provided by [[https:// |
Line 12: | Line 12: | ||
{{: | {{: | ||
- | **Enable DNSSEC support: ** Enables | + | **Enable DNSSEC support: **enables |
DNSSEC secures DNS by authenticating its servers. It prevents DNS hacking and poisoning. If the authoritative DNS server has DNSSEC, enabling it ensures DNS queries are answered by // | DNSSEC secures DNS by authenticating its servers. It prevents DNS hacking and poisoning. If the authoritative DNS server has DNSSEC, enabling it ensures DNS queries are answered by // | ||
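Review bot: the sentence "DNSSEC secures DNS by authenticating its servers" misstates what is authenticated. DNSSEC does not authenticate servers and does not encrypt anything; it lets the validating resolver (dnsmasq on the router) verify that the records in a reply were signed by the zone owner's key and were not altered in transit, which is what defeats cache poisoning and forged replies. It only protects zones that are actually signed, and the upstream resolvers chosen further down must pass DNSSEC records through for validation to succeed. "It prevents DNS hacking" is too broad for a setting that only checks signatures. Suggested wording: "DNSSEC lets the router verify that DNS answers are signed by the zone owner and unmodified. It protects against forged or poisoned replies for signed zones; it does not encrypt queries."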
Line 20: | Line 20: | ||
\\ | \\ | ||
- | **Use dnscrypt-proxy: | + | **Use dnscrypt-proxy: |
When a DNSCrypt-enabled server is chosen, a unique key pair is generated every hour. Queries are then encrypted using this key pair before being sent to the server, usually on TCP port 443. The reply is also encrypted. Checking //Use dnscrypt-proxy// | When a DNSCrypt-enabled server is chosen, a unique key pair is generated every hour. Queries are then encrypted using this key pair before being sent to the server, usually on TCP port 443. The reply is also encrypted. Checking //Use dnscrypt-proxy// | ||
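Review bot: "usually on TCP port 443" in the DNSCrypt paragraph has the transport backwards: dnscrypt-proxy sends queries over UDP port 443 by default and falls back to TCP only for truncated or large answers, so a WAN firewall rule that permits only TCP 443 outbound will break it. The encryption description is also imprecise: queries are not encrypted "using this key pair" alone; the client combines its own key pair with the resolver's short-term public key (taken from the resolver certificate that the provider public key verifies) to derive a shared secret, and that shared secret encrypts and authenticates each query and reply. Suggest: "Queries are encrypted with a shared key derived from the client key pair and the resolver's public key, and sent to the resolver on port 443 (UDP by default, TCP as fallback)."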
Line 30: | Line 30: | ||
* Ephemeral Keys - if checked, a new key pair is generated for each \\ DNS query. Use this with care, as it's very cpu-intensive, | * Ephemeral Keys - if checked, a new key pair is generated for each \\ DNS query. Use this with care, as it's very cpu-intensive, | ||
- | * Manual Entry - if enabled, 3 more fields | + | * Manual Entry - if enabled, 3 more fields |
- | * Resolver Address - the IP address | + | * Resolver Address - the IP of the dnscrypt-enabled DNS server. |
- | * Provider Name - the name of the DNS provider, | + | * Provider Name - the DNS provider |
- | * Provider Public Key - the public key given by the DNSCRYPT-enabled \\ DNS provider | + | * Provider Public Key - the public key from the DNSCRYPT-enabled \\ DNS provider (to generate a key pair) |
- | * Resolver - a dropdown list currently containung | + | * Resolver - a dropdown list of about 200 DNS servers. |
* Some support DNSSEC. | * Some support DNSSEC. | ||
* Some don't log queries. | * Some don't log queries. | ||
* Some are filtered. | * Some are filtered. | ||
- | * Priority - should be left at // | + | * Priority - should be left at // |
- | * Local Port - the port on which dnscrypt-proxy | + | * Local Port - the port on which dnscrypt-proxy |
| | ||
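Review bot: the new text for Provider Public Key, "(to generate a key pair)", describes the wrong purpose. The provider public key is the resolver's long-term signing key; dnscrypt-proxy uses it to verify the certificate the resolver returns, which carries the short-term key used for the session. It plays no part in generating the client's key pair. The Provider Name entry should also say what format the field expects: DNSCrypt provider names have the form "2.dnscrypt-cert.example.com", and a wrong name makes the certificate lookup fail even when the IP and key are correct. Since a manual entry whose certificate does not verify is simply not used, a single wrongly entered resolver leaves the router with no working DNS, which is worth one sentence next to the three fields.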
Line 48: | Line 48: | ||
\\ | \\ | ||
- | **Use Stubby (DNS-over-TLS): | + | **Use Stubby** (DNS-over-TLS)**:** enables the Stubby DNS Stub resolver, to enhance DNS privacy. |
DNS over TLS (" | DNS over TLS (" | ||
- | \\ | + | * **Show/Hide Servers**: checking this displays a table of possible Stubby servers to be used. \\ Unchecking this hides the table. |
- | When Stubby is enabled, further options appear: | + | |
{{: | {{: | ||
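Review bot: "enables the Stubby DNS Stub resolver, to enhance DNS privacy" on the Use Stubby line should state the scope of that privacy. DNS over TLS encrypts the path between the router and the chosen upstream resolver over TCP port 853; the upstream resolver still sees every query in clear, so the gain depends on which resolver is picked from the table below and on the router actually checking the server's TLS certificate against the expected name. Two practical caveats belong here: TCP 853 outbound must not be blocked by the ISP or by a WAN firewall rule, and because the resolver runs on the router, only LAN clients that use the router for DNS get the benefit.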
Line 60: | Line 60: | ||
\\ | \\ | ||
- | **Upstream resolvers: | + | **Upstream resolvers: |
+ | |||
+ | Mousing over the name of any upstream resolver displays the following about about that server: | ||
+ | |||
+ | \\ | ||
+ | |||
+ | {{:: | ||
+ | |||
+ | - The IP versions supported | ||
+ | - The server' | ||
+ | - Authorized domain - (the domain name used for \\ authentication between your Stubby client and \\ an upstream DNS server that \\ supports encrypted queries. | ||
+ | - The port used | ||
+ | |||
+ | \\ | ||
\\ | \\ | ||
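Review bot: item 3 of the new mouse-over list opens a parenthesis on "Authorized domain - (the domain name used for" that is never closed, and "about about" on the "Mousing over" line is a doubled word. On substance, the name is not used for authentication "between" client and server in both directions: it is the hostname Stubby checks the upstream server's TLS certificate against (Stubby's tls_auth_name), so it is the server that is authenticated to the router, never the reverse. Suggest: "Authentication domain: the hostname Stubby expects in the upstream server's TLS certificate. If the certificate does not match, the server is rejected."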
Line 88: | Line 101: | ||
**WINS (for DHCP):** the IP address of a WINS Server to give to DHCP clients. | **WINS (for DHCP):** the IP address of a WINS Server to give to DHCP clients. | ||
- | This doesn' | + | This doesn' |
- | + | ||
- | WINS is an old name resolution service to map NetBIOS names to IP addresses. It's mostly obsolete. DNS was supposed to replace WINS. However, WINS may still be necessary for some LAN browsing functions on old Windows versions. | + | |
\\ | \\ | ||
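Review bot: the new side drops the paragraph that explained what WINS is (NetBIOS name to IP mapping, mostly obsolete, still needed for LAN browsing on old Windows versions), which leaves "WINS (for DHCP)" as a bare field name with a truncated note under it. Suggest keeping one sentence of that explanation, and stating that the address entered here is handed to clients as DHCP option 44 (NetBIOS name server) and that leaving the field blank sends no such option.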
Line 102: | Line 113: | ||
//udhcpc// (the DHCP client FreshTomato uses to obtain a WAN IP address) has a problem. It has a DHCP discovery packet size 590 bytes long. However, DHCP relay servers can handle only DHCP discovery packets up to 576 bytes. If there are DHCP relay servers between FreshTomato and your ISP's DHCP server, FreshTomato might fail to acquire a DHCP lease on the WAN interface. | //udhcpc// (the DHCP client FreshTomato uses to obtain a WAN IP address) has a problem. It has a DHCP discovery packet size 590 bytes long. However, DHCP relay servers can handle only DHCP discovery packets up to 576 bytes. If there are DHCP relay servers between FreshTomato and your ISP's DHCP server, FreshTomato might fail to acquire a DHCP lease on the WAN interface. | ||
- | The extra bytes were all padding, and thus unnecessary. | + | The extra bytes were padding, and thus unnecessary. |
Some users may not be able to obtain a WAN IP address unless they disable this setting. (Default: Enabled). | Some users may not be able to obtain a WAN IP address unless they disable this setting. (Default: Enabled). | ||
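Review bot: "DHCP relay servers can handle only DHCP discovery packets up to 576 bytes" in the udhcpc paragraph overstates the case; only some relay agents and ISP DHCP servers drop larger messages, so it should read "some relay servers". The 576 figure is worth explaining: it is the minimum IP datagram size every host must accept (RFC 791), and RFC 2131 requires a DHCP client to handle messages up to that size, which is why it is the safe upper bound and why 590 can be too large. Since the trimmed bytes are padding, shrinking the discover changes nothing in the options actually sent, which the "Some users may not be able to obtain a WAN IP address unless they disable this setting" line should say to reassure readers that disabling it loses no functionality. Minor: "has a DHCP discovery packet size 590 bytes long" reads awkwardly; "sends a 590-byte DHCP discover" is cleaner.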
Line 113: | Line 124: | ||
{{: | {{: | ||
- | **Use internal DNS: | + | **Use internal DNS: |
DHCP clients receive the router' | DHCP clients receive the router' | ||
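Review bot: the Use internal DNS entry should make the dependency on the rest of this page explicit. When it is checked, dnsmasq on the router answers LAN clients and DHCP hands out the router's LAN address as the DNS server, so the DNSSEC, dnscrypt-proxy and Stubby settings above apply to those clients; when it is unchecked, clients receive the WAN DNS servers directly and bypass all of those protections. A client with a hard-coded DNS server bypasses them either way unless outbound port 53 is intercepted on the router. Suggest adding that after the "DHCP clients receive the router's" sentence.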
Line 147: | Line 158: | ||
\\ | \\ | ||
- | **Generate a name for DHCP clients which do not otherwise have one**: if FreshTomato can't find a hostname for a client' | + | **Generate a name for DHCP clients which do not otherwise have one**: if FreshTomato can't find a hostname for a client' |
\\ | \\ | ||
Line 223: | Line 234: | ||
\\ | \\ | ||
- | **Enable DNS Rebind protection: | + | **Enable DNS Rebind protection: |
Using this may have side effects. (Default: Enabled). | Using this may have side effects. (Default: Enabled). | ||
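Review bot: "Using this may have side effects" on the DNS Rebind protection line should say what the feature does and what the side effects are, otherwise the reader cannot weigh the default. This is dnsmasq's --stop-dns-rebind: answers from upstream resolvers that contain private (RFC 1918) or loopback addresses are discarded, which blocks DNS rebinding attacks where a public name is pointed at the router or a LAN host so a browser can be used to probe it. The side effect is that legitimate names that resolve to private addresses (VPN endpoints, split-horizon or self-hosted services published with internal addresses) stop resolving; dnsmasq's --rebind-domain-ok exempts specific domains and --rebind-localhost-ok exempts 127.0.0.0/8 and ::1 answers. Suggested: "Drops upstream DNS answers that point to private or loopback addresses, blocking DNS rebinding attacks against the router and LAN hosts. Side effect: names that legitimately resolve to private addresses will fail; exempt them with a rebind-domain-ok line in the dnsmasq custom configuration."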
Line 271: | Line 282: | ||
===== DHCP/ | ===== DHCP/ | ||
- | * Do not use results from Cloudflare' | + | Do not use results from Cloudflare' |
- | * DNSSEC and DNSCrypt / Stubby complement each other. | + | |
- | * DNSSEC provides authentication. | + | |
- | * DNSCrypt provides encryption. | + | * DNSCrypt provides encryption. |
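Review bot: the new side deletes "DNSSEC and DNSCrypt / Stubby complement each other" and "DNSSEC provides authentication", leaving "DNSCrypt provides encryption" as an orphaned bullet under the heading with no contrast left to draw. Keep the pair: DNSSEC authenticates the data (records signed by the zone owner and validated end to end), while DNSCrypt and Stubby (DNS over TLS) encrypt and authenticate the transport to the chosen resolver, and neither replaces the other; Stubby belongs in the encryption item as well, since both provide it. The Cloudflare line is cut off in this view; whatever it refers to, the reason for not using those results should be stated rather than left as a bare instruction.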