How to set DHCP Option 6

This has probably been talked about and may be somewhere on the forum. Truth is I’m used to a dnsmasq DHCP server. IPFire is using a dhcpd server. And some are mutable and not easily set.

In older versions of IPFire I was able to set DHCP option 6:
Common DHCP options.

the dns-name-server with a long list of IPs, e.g.
192.168.1.10,192.168.1.1,8.8.8.8

The reason I’m bringing this up again is that I need a minimum of 3 DNS servers sent to my DHCP clients. There are some “IoT” devices, such as Kindles for example, on which I can’t go in and manually set a DNS server.

If I run Pi-hole, AdGuard, LanCache and have my routes predefined, I need the failover from top to bottom to be as such:

When I go to list global DHCP options, it is no longer in the list.
While I can set 2 via the web UI:

I thought this could be accomplished by editing the dhcpd conf, but I need a reliable way to add this option, and potentially fix the option in the config if edited.

This was editable and used to work with the “EOL” ISC DHCP. Not sure if IPFire is using the new ISC Kea DHCP.

Also not sure why option 6 was removed, nor where I should add the option to the config to set it manually. My understanding is that the dhcp.conf is located in /var/ipfire.

Example:

option domain-name-servers 10.0.0.1, 8.8.8.8, 8.8.4.4;

Can it be found here, in the WUI?

I’m not sure why you need more than 1.
Devices with fixed DNS will use that.
Unless you block them or redirect them to IPFire.
I would redirect everyone to IPFire DNS per the WIKI.

1 Like

It used to be in that list in an older core version; it is no longer in the list (a good 2-5 years ago). I have set this option before in the past.

The option was literally:

domain-name-servers
type string.
list of IP addresses.

From other firewall types I see a weird setting string they use to get around it.

RFC 2132 3.8 says use option “6”, minimum length is 4 octets, and length must always be a multiple of 4 [octets]. Servers should be listed in order of preference.

Convert the individual IP addresses you want with a Hex to IP converter
e.g:
192.168.0.1 = c0:a8:00:01
192.168.0.2 = c0:a8:00:02
192.168.0.3 = c0:a8:00:03
Some tools use periods[.] instead of colons[:]. Ensure you replace any symbol with colon[:]
In the order of server preference, concatenate the hex values together using colon[:] as the separator, e.g.
192.168.0.1 + 192.168.0.2 + 192.168.0.3 =
c0:a8:00:01:c0:a8:00:02:c0:a8:00:03

I used IP to Hex Converter - Convert IP to Hexadecimal - Online - Browserling Web Developer Tools

This would require the dns fields empty and use the concatenated string into value, e.g. c0:a8:00:01:c0:a8:00:02:c0:a8:00:03

But this was after some deep dive into the weeds of the dhcpd config file.
^Not sure this would work in IPFire…
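For anyone who wants to verify the hex string above without an online converter, here is an added Python example (not part of the post above, and not IPFire code) that encodes and decodes option 6 the way RFC 2132 section 3.8 specifies: preference-ordered addresses, length at least 4 and always a multiple of 4. It reproduces the c0:a8:00:01:... value from the post and rejects a malformed length.

```python
import ipaddress

OPTION_DNS = 6  # RFC 2132 section 3.8: Domain Name Server Option


def encode_option6(servers):
    """Build the option 6 TLV (code, length, addresses) from a preference-ordered list."""
    if not servers:
        raise ValueError("option 6 needs at least one address (minimum length 4 octets)")
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    if len(payload) > 255:
        raise ValueError("a single DHCP option carries at most 255 octets")
    return bytes([OPTION_DNS, len(payload)]) + payload


def decode_option6(tlv):
    """Return the addresses in an option 6 TLV, enforcing the RFC 2132 length rules."""
    if len(tlv) < 2 or tlv[0] != OPTION_DNS:
        raise ValueError("not a DHCP option 6 TLV")
    length, payload = tlv[1], tlv[2:]
    if length != len(payload) or length < 4 or length % 4:
        raise ValueError("option 6 length must be >= 4 and a multiple of 4")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


def to_colon_hex(tlv):
    """Render the payload as the colon-separated hex string some firewall UIs accept."""
    return ":".join(f"{b:02x}" for b in tlv[2:])


def from_colon_hex(text):
    """Parse that hex form (colon- or period-separated) back into an option 6 TLV."""
    payload = bytes(int(x, 16) for x in text.replace(".", ":").split(":"))
    return bytes([OPTION_DNS, len(payload)]) + payload
```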

A comment first.

  1. RFC 2132 specifies the option fields in DHCP packets, not the config.
  2. The fields in option 6 ( Domain Name Server Option ) are defined as IPs of name servers, not the MACs.
  3. dnsmasq is a combined DHCP/DNS server; IPFire uses dhcpd ( DHCP server ) and unbound ( DNS server )

The standard process of specifying DNS servers by DHCP in IPFire is as follows:

  1. set the DNS server fields in WUI ( two per interface )
  2. saving the settings converts them to entries in dhcpd.conf ( in case of ISC dhcpd for example to option-domain-servers <IP1>[,<IP2>]; )
  3. dhcpd handles the DHCP communication and sends option 6 with the defined values in a response packet

The name server option is defined in the subnet declarations.

As @hvacguy said, it is preferable to use the internal DNS server ( unbound ) of IPFire. I don’t know why local devices should use their ‘private’ DNS servers. The servers documented in the wiki are checked to be safe ( no tracking, DNSSEC for security, … ). I don’t trust a special DNS server; DNS is a well-defined global name resolution protocol ( does a special server deliver special answers? ).

2 Likes

I have checked in Core Update 120 (6 years ago), Core Update 105 (7 years ago, when dnsmasq was being used) and in Core Update 30 (14 years ago) and that option is not in the advoptions-list in any of them.

I then searched the repo for commits to advoptions-list and there have been two.
Dec 2021 with the addition of classless static routes and Apr 2022 with the addition of domain-search.
There have been no other commits to the advoptions-list, so I am afraid that domain-name-servers has never been included.

1 Like

IPFire is still using the ISC DHCP. We will migrate to the ISC Kea system once we have figured out how to do that for all existing DHCP configurations without breaking anything.

Nearly. It is located in /var/ipfire/dhcp/

However, don’t use the dhcp.conf file. Any manual changes to that file will be overwritten when you do an update on the DHCP WUI page. Also, if there is any change to the DHCP coding at a Core Update, then likely your modifications will be cleared.

In that same directory there is a file dhcp.conf.local. You should use that for any manual modifications and they will be added to the end of the dhcp.conf file.

https://www.ipfire.org/docs/configuration/network/dhcp#specify-settings

4 Likes

Thank you. I swear that I have set this option in the web UI in the past; it was a long time ago when I first stumbled onto IPFire. Wish I’d saved a lot of my documentation when I was a kid…

A random Google search showed me option 6 and setup in IPFire years past. Lost to time… It did show in the list maybe as nameserver/nameservers… the context to add it to the web UI.

I was able to accomplish this by adding it to dhcp.conf.local
example:

option domain-name-servers 10.0.0.1, 8.8.8.8, 8.8.4.4;

It needed to be subnetted per link: www.ipfire.org - DHCP Server

e.g.
subnet 10.0.0.0 netmask 255.0.0.0 #GREEN (network address, not the router's 10.0.0.1)
{
range 10.1.0.1 10.1.255.254;
option subnet-mask 255.0.0.0;
option domain-name "int.company.com";
option routers 10.0.0.1;
option domain-name-servers 10.11.0.2;
default-lease-time 600;
max-lease-time 1200;
} #GREEN

That was not done via the dhcp options section.

I took the advoptions-list from Core Update 30 (14 years ago and the first core update created in this IPFire git repo) and ran a diff against the same file from Core Update 186 (the current release).

The following is the diff result

— Desktop/advoptions-cu30 2024-07-03 21:23:47.793304883 +0200
+++ Desktop/advoptions-cu186 2024-07-03 21:22:22.094644441 +0200
@@ -7,6 +7,7 @@
option default-ip-ttl uint8;
option default-tcp-ttl uint8;
option dhcp-client-identifier data-string;
+option domain-search domain-list;
option finger-server ip-address [, ip-address… ];
option font-servers ip-address [, ip-address… ];
option host-name string;
@@ -22,6 +23,7 @@
option max-dgram-reassembly uint16;
option merit-dump string;
option mobile-ip-home-agent ip-address [, ip-address… ];
+option ms-classless-static-routes string;
option netbios-dd-server ip-address [, ip-address… ];
option netbios-node-type uint8;
option netbios-scope string;
@@ -38,6 +40,7 @@
option policy-filter ip-address ip-address [, ip-address ip-address… ];
option pop-server ip-address [, ip-address… ];
option resource-location-servers ip-address [, ip-address… ];
+option rfc3442-classless-static-routes string;
option root-path string;
option router-discovery flag;
option router-solicitation-address ip-address;
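Review bot: `option rfc3442-classless-static-routes string;` in this hunk, like `option ms-classless-static-routes string;` in the previous one, declares a route list with the generic `string` type; since an RFC 3442 route value is a packed sequence of prefix-length, prefix and router octets rather than readable text, the list (or the WUI help it feeds) should document the exact value format an admin must enter, otherwise first use is by trial and error. Apart from that, the three hunks only insert lines at their alphabetical position and none adds, removes or touches a domain-name-servers entry, which matches the claim in the surrounding text.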

As you can see the only differences are the classless static routes options and the domain search option from 2021 and 2022.

No other diffs. Also no nameserver entries and looking through the list nothing that looks to be related to the domain-name-servers option.

Can you provide a link to that search result, because I am unable to find any evidence of domain-name-servers ever being in the config/cfgroot/advoptions-list file in the IPFire repo.

Core Update 186 version

Core Update 30 version

Glad that worked for you.

1 Like

How did you do this exactly?
Is it possible to extend the subnet definitions from dhcpd.conf in dhcp.conf.local? Have you checked the DHCP responses of dhcpd in IPFire?

Once more, why do you need this? Unbound is a powerful enough DNS server, with DNSSEC and the ability to communicate via TLS with the global name space. Therefore one domain-name-server option ( pointing to IPFire ) should be enough. The second DNS entry in the WUI could point to a separate name server ( in your local network ).

BTW: Looking at the IPv4 settings of Windows, there are only two DNS server entries there as well.

Just for completeness :wink:

In the advanced settings, you can add more DNS addresses.

[screenshot]

Regards

Sorry, for not looking so deeply. :frowning:

But nevertheless, I can’t see a reason for using that feature, yet.

1 Like

I can’t type and have been informed by others that my spelling is atrocious… My apologies… As there is a lot to respond to here (tried to do the multiple reply option…), here are my final thoughts, notes and words. As I’m leaving the IPFire platform… Hit too many cons to justify my use of the OS. I’m currently using OPNsense. Rather not be on FreeBSD for other reasons, but OPNsense atm is hitting all my check boxes.

I don’t know how to use this forum and have moved away from the project due to other issues within IPFire. It will always be my go-to for a quick temp gap solution as it just works and is the quickest to set up. But overall for my use case it is not the platform to be on.

So this will probably be my last post on the forum. As I was originally trying to figure out a hardware vulnerability. And as I have set this option before in the past, I thought to ask to see… IDC of your sources; the point being that this was done before in the past on this platform. I wish I had the old documentation and knew what core update I was on; I would love to visit the old source code with you regarding that…

Regardless, as I was able to set this before in the web UI. The web link to do so is gone and it is no longer in the web UI. IDC… As there are many ways to apply the same options, yes this can be checked via PC:

ipconfig /all and dig/nslookup to individual IPs with other monitoring and Wireshark. This is a staple DHCP option, as the server tells the clients, when they go for a lease, what DNS server they want. Some IoT devices and other cell phones use private MACs and API DNS to circumvent it. I can confirm that when DHCP option 6 is set, some of these devices will still follow the DHCP server configuration. Which is what I’m trying to set.

Doing so as an example in another one of my labs/workshops:
[screenshot]

Second, as said earlier, I need a minimum of 3 DNS servers sent to a client upon the DHCP server lease renewal to statically set 3.

As I said earlier, I run multiple DNS systems and other proxy systems that use DNS. So I have to have a strict “use this DNS server, and if it fails use the next in line”.

If you must know my network diagram: (and this use case)
ISP modem (fiber media connector) > IPFire (DHCP server/firewall) > LAN switch > Services:

For ME, my DNS must follow: (Ideally) in this order…

192.168.2.10 - pihole >> 192.168.2.7 - LanCache >> 192.168.2.2 - webProxy >> 192.168.2.1 - firewall dns/unbound >> 208.222.222.67 - public opendns

For items in the network, I can’t just set the DNS manually on each device. THE DHCP SERVER SHOULD BE DOING THIS ANYWAY!!!

By default, I can only set 2 DNS IPs via the web UI, and was able to set a DHCP option in the past. But I have been in and out of this between different services, so I don’t remember the exact command used…

Examples of some IoT devices that are deployed on my network on which I can’t set manual DNS… Which is why this option exists… Amazon Alexa devices, smart home tools (lightbulbs/picture frames), Kindles, etc… As stated earlier, some IoT devices won’t use the list anyway; this is why the test bed to check. But DHCP option 6 is a staple!

These devices, to use my services such as LanCache and the web proxy to help isolate them… need to grab a specific set of DNS servers in the list. The web proxy gets the DNS servers and uses them via the DHCP list when the option is set.

I have tested this and used this setup on many different firewall/router OSes (DD-WRT, pfSense, OPNsense, OpenWrt, Ubuntu (makeshift firewall), Firewalla using latest Ubuntu 22).

With many other projects to test and see use case… my next look at a firewall is vyos…

This DHCP option 6 disappeared from the web UI years ago on this platform (it’s clear that those niche cases that needed at least 3 DNS servers or more sent by the DHCP server are no longer using IPFire…). It is also not clear how IoT and non-UI network devices, without being able to set client-side networking, will handle this in the future.

With other info and searching under my belt, and with a bit more understanding, I tried to take a crack at it via the config, hence this post. Found mutable confs and was looking to apply them and get more info on what happened to the web UI option.

So how did I get it to work:

SSH/terminal to the device.
The way I got it was by subnetting the existing subnet; since I only have 25 or so total devices and the start of my DHCP range was 2.2, I subnetted within my subnet and have a duplicate, a bit janky, setup that accomplished this.

These are my notes from setting up; as I’m no longer on the platform I couldn’t grab the completed config. This is data that was saved in my documentation Discord and Notepad++ memory…

So in dhcp.conf.local:

subnet 192.168.2.0 netmask 255.255.255.0 #GREEN (subnet line was missing from the notes; reconstructed from the range and subnet-mask below)
{
range 192.168.2.2 192.168.2.50;
option subnet-mask 255.255.255.0;
option routers 192.168.2.1;
option domain-name-servers 192.168.2.10,192.168.2.2,192.168.2.1;
default-lease-time 600;
} #GREEN

As far as I know, as I have used IPFire a total of 4-5 times throughout the years, it was probably using DHCP option 6 without being in the list of global options… It was a random forum when searching for option 6 that had a guide (for IPFire, that wasn’t this forum!) to use it and set more than 2 DNS servers via DHCP.

Thank you [Adolf Belk], as you have been a huge help in guiding me to the correct documentation and broadening my understanding.
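A dhcp.conf.local stanza like the one in the last post is worth sanity-checking before dhcpd is restarted. The following added Python example (not from IPFire or any post in this thread) parses subnet declarations written in that style and flags a subnet number with host bits set (the `subnet 10.0.0.1 netmask 255.0.0.0` form seen earlier), unparsable addresses, fewer name servers than the three the poster needs, and duplicates; the sample file and the check thresholds are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the dhcp.conf.local style shown in the thread, not a real IPFire file.
SAMPLE_CONF = """
subnet 192.168.2.0 netmask 255.255.255.0 #GREEN
{
range 192.168.2.2 192.168.2.50;
option subnet-mask 255.255.255.0;
option routers 192.168.2.1;
option domain-name-servers 192.168.2.10,192.168.2.2,192.168.2.1;
default-lease-time 600;
} #GREEN
"""

# "subnet NET netmask MASK", optional trailing comment, then a flat brace-delimited body
# (nested host/pool blocks inside a subnet are not handled by this simple parser).
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)[^{]*\{(.*?)\}", re.S)
DNS_RE = re.compile(r"option\s+domain-name-servers\s+([^;]+);")


def subnet_dns(conf):
    """Map each 'NET/MASK' declaration to its domain-name-servers list, in file order."""
    result = {}
    for net, mask, body in SUBNET_RE.findall(conf):
        match = DNS_RE.search(body)
        result[f"{net}/{mask}"] = [s.strip() for s in match.group(1).split(",")] if match else []
    return result


def check_dns(conf, minimum=3):
    """Return a list of problems: bad subnet numbers, bad addresses, too few or duplicate servers."""
    problems = []
    for key, servers in subnet_dns(conf).items():
        try:
            ipaddress.IPv4Network(key, strict=True)  # rejects e.g. 10.0.0.1/255.0.0.0
        except ValueError as exc:
            problems.append(f"{key}: bad subnet declaration ({exc})")
        for s in servers:
            try:
                ipaddress.IPv4Address(s)
            except ValueError:
                problems.append(f"{key}: '{s}' is not an IPv4 address")
        if len(servers) < minimum:
            problems.append(f"{key}: only {len(servers)} name server(s), need {minimum}")
        if len(set(servers)) != len(servers):
            problems.append(f"{key}: duplicate name server entries")
    return problems
```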