Dnsmasq.conf confusing SERVER entries

Can someone explain all these server lines in my dnsmasq config to me? I assume they are being executed top down?


The domain is 'lan'. If dnsmasq sends out an ip to host 'goofy', it will be changed to 'goofy.lan'.

If the server 'goofy.lan' sends out a dns lookup (example: google.com), it will go down the list? First it will query It finds nothing, it will try

What does this do?

If I query pool.ntp.org, it will redirect to That is what nslookup indicates.

If I want to use the google DNS, how about I just edit /etc/resolv.conf?

For how dnsmasq handles queries, http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html is the "authoritative" reference.

-S, --local, --server=[/[]/[domain/]][[#][@|[#]]

Specify IP address of upstream servers directly. Setting this flag does not suppress reading of /etc/resolv.conf, use -R to do that. If one or more optional domains are given, that server is used only for those domains and they are queried only using the specified server. This is intended for private nameservers: if you have a nameserver on your network which deals with names of the form xxx.internal.thekelleys.org.uk at then giving the flag -S /internal.thekelleys.org.uk/ will send all queries for internal machines to that nameserver, everything else will go to the servers in /etc/resolv.conf. DNSSEC validation is turned off for such private nameservers, UNLESS a --trust-anchor is specified for the domain in question. An empty domain specification, // has the special meaning of "unqualified names only" ie names without any dots in them.

A non-standard port may be specified as part of the IP address using a # character. More than one -S flag is allowed, with repeated domain or ipaddr parts as required.
More specific domains take precedence over less specific domains, so: --server=/google.com/ --server=/www.google.com/ will send queries for *.google.com to, except *www.google.com, which will go to

The special server address '#' means, "use the standard servers", so --server=/google.com/ --server=/www.google.com/# will send queries for *.google.com to, except *www.google.com which will be forwarded as usual.

Also permitted is a -S flag which gives a domain but no IP address; this tells dnsmasq that a domain is local and it may answer queries from /etc/hosts or DHCP but should never forward queries on that domain to any upstream servers. local is a synonym for server to make configuration files clearer in this case.

IPv6 addresses may include an %interface scope-id, eg fe80::202:a412:4512:7bbf%eth0.

The optional string after the @ character tells dnsmasq how to set the source of the queries to this nameserver. It can either be an ip-address, an interface name or both. The ip-address should belong to the machine on which dnsmasq is running, otherwise this server line will be logged and then ignored. If an interface name is given, then queries to the server will be forced via that interface; if an ip-address is given then the source address of the queries will be set to that address; and if both are given then a combination of ip-address and interface name will be used to steer requests to the server. The query-port flag is ignored for any servers which have a source address specified but the port may be specified directly as part of the source address. Forcing queries to an interface is not implemented on all platforms supported by dnsmasq.

/etc/resolv.conf, as configured by default, is a symlink to a non-persisted file that is written by UCI-based configuration. If you do decide to "hard-wire" your DNS and skip using dnsmasq entirely, you'd have to break that link and edit the file itself. Many people run either dnsmasq or unbound as a service for the clients on the "LAN" network. Without one of those running, those clients would have to go to an upstream DNS source directly.


WARNING AND FYI, in OpenWRT, the file you presented is created by the Unified Configuration Interface (UCI). You should not edit this file. The file to edit (per the manual) is actually: /etc/config/dhcp





No, that means that anytime that domain is queried, to use DNS server to make the lookup. Please provide a nslookup response that shows otherwise, as you may have another issue.

NO, "LAN." is the domain assigned to your Dnsmasq instance, therefore it's authoritative for the domain "LAN." and will append ".LAN" to any LAN hostname. You can also get PTR records for all DHCP clients because of this. I think you're making this Dnsmasq thing too hard. And if an IP is sent out, it's just that - an IP, NOT a hostname.

If you have deeper questions about how Dnsmasq works (since the the UCI is used with OpenWRT):

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.