Jabber and Multiple DNS Domains

Similar Messages

• LDAP supporting multiple DNS domains

  I have an environment with multiple DNS domains, and am configuring a Directory server (DS 6.3.1) to centralize various OS configuration maps including user authentication. None of the DNS domains have unique data, so I'd like to do something like storing all the real data in one suffix, then somehow have all clients look to that primary suffix. I am aware that the Solaris Native LDAP client wants to bind to a nisDomainObject that matches its DNS domain. I'm just having a hard time believing that I really need to manage all those individual suffixes when they don't have unique data requirements.
  Take as an example the following domains to be supported: foo.example.com, bar.example.com, dev.example.com, qa.example.com, prd.example.com (no hosts are actually in "example.com", they are all in subdomains). Again, all share common configuration data, same user IDs, etc - no unique maps are required.
  I created a suffix, "dc=example, dc=com", set it up with idsconfig. All is well there.
  [A] My first thought is to bind all Solaris clients, regardless of their DNS domain, to the baseDN of "dc=example, dc=com" in order to avoid having a separate suffix for each DNS domain. I tried to do this using "-a defaultSearchPath=dc=example,dc=com" with ldapclient init, but it failed with an error indicating it wants to see the nisDomainObject of its real DNS domain.
  The second though I had, which I don't believe is possible, is to find some sort of a LDAP equivalent of a symbolic link so that I could actually have an object for each DNS domain, but it would simply point back to "dc=example,dc=com". I can't find anything in the documentation which suggests this is possible, but I'd love to be wrong!
  [C] Perhaps this could be somehow done with a rats nest of SSDs, but that really seems unwieldy, right? I plan on using a fair amount of the available objects, so it would be many SSDs per suffix. Yuck.
  Can anyone comment on my above thoughts, or provide how they would go about supporting multiple DNS domains that have common configuration data?
  Thank you,
  Chris

  Ok, I answered my own question. Turns out it's pretty easy. Just use the "-a domainName=example.com" option with `ldapclient` then make sure that the FQDN of the LDAP server is available (or use its IP address). My problem was that the ldapclient overwriting nsswotch.conf was clobbering the SSL session because I used the FQDN which couldn't resolve.
  This leaves an interesting condition of having the output of "domainname" not match the DNS domain. I'm testing now to see if this causes any unexpected issues with our environmnet, but I suspect it's not a problem.

• Multiple DNS Domain support in Single instance of Portal

  Can BEA portal support multiple DNS domains in a single instance of BEA Portal.
  For example can I setup portal to respond as bothe www.xxx.com and www.yyy.com
  and keep those urls as trhough the entire portal?

  Hi,
  thanks for your quick response. You mean we should run only one copy of the package I mentioned and seperate the plants and machines by logic implemented in the package? Well, I think this is critical in case of deploying a new version, since all machines at all sites won't have the system available at the same time. At the moment we do not have things in the system that are needed to go on with production, but we have planned to implement some things that will be indispensable and in this stage we need a clear seperation of the plants to minimize the risk of a simultaneous stand at all plants.
  Thanks for your suggestion and best regards,
  Matthias

• Difference between 006 DNS Servers and 015 DNS Domain Name

  hi,
  what's difference between 006 DNS Servers and 015 DNS Domain Name?
  please guide me.

  Hi
  Option 006 DNS servers           = IP Address of your DNS Server, e.g, 10.10.10.1
  Option 015 DNS Domain Name       = test.local, your domain name.
  Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• SGD and multiple AD domains - hosting apps in multi tenancy model

  Hi folks,
  is it possible to use one SGD installation to authenticate on several Active Directory Domains?
  Documentation says that SGD allows multiple authentication methods...
  If this would not be possible out-of-the-box, please think about how we could implement that? I thought about specifying the DCs in the krb.conf for the different realms....
  Thanks
  Julian

  Currently SGD supports only one LDAP / AD Directory tree.
  What we did is an local LDAP proxy on the SSGD Server, The proxy itsself request multible repositories, With this solution DSI works as well, and you can also mix LDAP/AD trees.
  The current problem with this is, the passwort change mechanisem.

• GetDesktopURL() problem with multiple DNS domains

  Hello,
  I use PS6.1 on a server with more domain names. If I login to one domain many portal links are directed to other domain.
  I suppose that there is something wrong in function/tag getDesktopURL(). The domains are swaped sometimes after server restart. (I clear all cookies between tests).
  For examle:
  Page URL:
  www.d1.com/portal/dt
  In channel JSP:
  <dtpc:getDeskpc.geDesktopURL/> -> www.d2.com/portal/dt
  pc.getDesktopURL(null) -> www.d2.com/portal/dt
  pc.getDesktopURL(request) -> www.d2.com/portal/dt
  but:
  request.getServerName() -> www.d1.com
  request.getHeader("host") -> www.d1.com
  Thank you for any hint, M.C.

  You should give Apple a call and ask to speak to the iPhone enterprise group. They should be able to help you get your network setup properly.

• ASA and Multiple AD Domains

  Hello,
  I am having difficulties with configuring my ASA5510 to authenticate against two different Active Directory domains with LDAP for a Remote Access VPN. From what I can see, the authentication process goes as far as checking the first server, seeing that the user doesn't belong to that domain and then it bombs out.
  I read some technote which specified that if the DC was set up as a Global Catalog that this would be a non-issue - sadly, this doesn't appear to be the case.
  Can anyone shed any light on this?
  Thanks
  Keith

  Hi Keith
  First of all the behavior you describe is correct and expected. If you configure 2 aaa servers (regardless of whether it's radius, ldap, etc.) then the ASA will consider them as having identical user DB's, and so will only use the 2nd when the 1st is unreachable.
  So the solution would indeed consist of having a global catalog server (GCS) that can search both domains, and point the ASA to that server (or set of servers). The downside is that the global catalog server may not have information  about local groups which may be needed for authorization and or DAP.
  Having said that, there may be an alternative if you are using (or willing to change to) double authentication (i.e. certificate based authentication + username/password) or if you are ok to use certificate based authentication with LDAP authorization (i.e. only the cert is used to log in, the ldap attributes are only used to override settings in the group-policy).
  In that case you can use tunnel group mapping (i.e. have certificates from one domain land on a certain group, and another domain on another group). Since each group has its own aaa-server config, you can point them to different ldap servers.
  hth
  Herbert

• Recursive and authoritative DNS - DDOS attack

  We are using Windows Server DNS as our external DNS server which is available from internet and used to resolve our domain names. It is placed in DMZ. It is configured as recursive and authoritative. In internal company network we have
  4 Windows DNS servers which have forwarders configured for this DNS server in DMZ. If some attacker from the internet will try to use our DNS server placed in DMZ and available from internet for a lot of recursive queries it could result in denial of service.
  What is the best practice to avoid such attack?

  Actually, there's a rather complex algorithm that's used that's similar to, if not the same as, what the client side resolver on any machine (Windows and non-Windows) uses. It's an industry standard based on RFC definitions.
  More specifics in the following links, if you want to read up on it. And to one's surprise, it doesn't exactly work as one would like it to. The idea is to keep both up and the other one as a backup in case you fully lose the first one.
  DNS Client side Resolver Service and DNS Forwarders Query Algorithm
  http://blogs.msmvps.com/acefekay/2014/03/29/dns-client-side-resolver-service-and-dns-forwarders-query-algorithm/
  This blog discusses:
  WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB). Troubleshooting the browser service.
  Client side resolution process chart.
  The DNS Client Side Resolver algorithm.
  If one DC or DNS goes down, does a client logon to another DC or use the other DNS server in the NIC?
  DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders or more than one IP in the NIC's DNS list)
  Client side resolution process chart
  http://blogs.msmvps.com/acefekay/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm/
  DNS Clients and Timeouts (Part 1 & Part 2), karammasri [MSFT] Dec 2011 6:18 AM
  http://blogs.technet.com/b/stdqry/archive/2011/12/02/dns-clients-and-timeouts-part-1.aspx
  http://blogs.technet.com/b/stdqry/archive/2011/12/15/dns-clients-and-timeouts-part-2.aspx
  DOMAIN NAMES - CONCEPTS AND FACILITIES - Dicusses local resolvers.
  http://tools.ietf.org/html/rfc882
  ==
  To add on how the client resolver picks a nameserver, below is a link to a discussion that points out the following - and please note, the operative point in the first bullet point indicates "equivalent," meaning that all DNS servers you enter into
  a NIC, must all reference the same exact data, so you can't mix nameserver with different data and expect the client to try all of them.
  •by RFC, all nameservers in a zone's delegation are equivalent
  •they are indistinguishable to the client
  •clients are allowed to choose the NS to query with whichever policy they wish
  •if any picked server fails to respond (e.g. "ns3"), then the next server is picked among the remaining set (e.g. ns1 and ns2) according to the policy
  •often clients use sophisticated policies that "score" servers and pick more often the ones that replied faster
  •as a by-product, in practice this policy makes caches favor "nearest" servers
  Above list was quoted from:
  When is a secondary nameserver hit?
  http://serverfault.com/questions/130608/when-is-a-secondary-nameserver-hit
  I hope that helps to understand it better.
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• "short" urls and multiple domain files

  In http://discussions.apple.com/thread.jspa?threadID=655367&tstart=0,
  Apnewbie said:
  "If you have separate sites with separate Domain files and published separately to .Mac, they will be listed on your iDisk in alphabetical order and your short .Mac url will point to the one at the top of the list on the iDisk."
  I'm thinking about splitting my domain file, as my sites are growing large and it is time consuming for iWeb to recreate all the pages when I've only changed one site. I'd like to keep a particular "site" (consisting of one page with links to my other "real" sites) at the top of the list so it is always what appears when folks go to my short url. Are than any non-alphanumeric characters that I can use at the begin that won't cause problems for browsers?
  Does this mean that if my preferred "top site" is in domain file A and I publish domain file B after I've published domain A, the "top site" will still be the site at the short url?
  Also, can somebody please remind me again how to use a link in the forums here but have text other than the full url show up? I think I've done it before, but I've forgotten.
  iBook G4 14 in   Mac OS X (10.4.7)   iMac 400 MHz G3 OS 9.2.2

  Apnewbie said:
  "If you have separate sites with separate Domain
  files and published separately to .Mac, they will be
  listed on your iDisk in alphabetical order and your
  short .Mac url will point to the one at the top of
  the list on the iDisk."
  I spoke too soon on this and a correction is needed. When you publish to .Mac using individual Domain files, your short url will point to the most recently published index.html file, which will then take you to your most recently published site. I tested this just prior to that last statement in that post and my browser cache tripped me up here.
  I'm thinking about splitting my domain file, as my
  sites are growing large and it is time consuming for
  iWeb to recreate all the pages when I've only changed
  one site. I'd like to keep a particular "site"
  (consisting of one page with links to my other "real"
  sites) at the top of the list so it is always what
  appears when folks go to my short url. Are than any
  non-alphanumeric characters that I can use at the
  begin that won't cause problems for browsers?
  I don't think that's necessary; you can keep a copy of the index.html file which points to your preferred site and place it back on your iDisk after publishing any site to force your short url to point to the site of your choice.
  Does this mean that if my preferred "top site" is in
  domain file A and I publish domain file B
  after I've published domain A, the "top site"
  will still be the site at the short url?
  Again, the short url will point to the most recently published index.html file in .Mac. Sorry for the confusion.

• Hosting Multiple Mail Domains in SL server on a Mac Mini

  So I have been trying to find out the answer to this question, and I keep getting conflicting information, and I am hoping someone here can help me solve this.
  We are running two very small business with two different Domains (@company1 & @Company2) Each company has a website, and corporate email. All I want to do is bring all of this in-house onto one Mac Mini server. The calendars and contacts will be shared between the two principle owners of each company (my bosses) as they support each other in there individual business.
  The Apple "Genius" says this is not possible, I believe and have been told by a few people and after reading posts on here that it is possible to have multiple domains on one Mac Mini Server. I would like to figure this out quickly as the companies have a need to move off the current email provider as fast as possible due to complications with iOS4 and the iPads.
  Any Help from people who are doing this, or know it to be possible or impossible would be greatly appreciated!

  This is entirely possible, and supported by the Server Admin user interface for the mail server.
  Start with the [Mac OS X Server Mail Services Administration Manual|http://images.apple.com/server/macosx/docs/MailService_Adminv10.6.pdf], page 73
  Quoth the Book Of Mail:
  A Mail Service Virtual Host
  Virtual hosting is a method you can use to host more than one domain name on the same
  computer and IP address, with overlapping mail user names.
  For example, a mail server can receive mail transfer requests for two domains,
  mail.example1.com and mail.example2.com, both of which resolve to the same IP
  address. For mail.example1.com, the server delivers mail to “[email protected]”
  to a user mailbox for “bob,” while it also delivers mail to “[email protected]” to
  a different user mailbox. Virtual hosts are essentially the converse of local host aliases.
  One subtlety here is that the domains sharing the same mail server and all co-resident on the IP address will all tend to have the same public host name listed as their MX (mail exchange) server of record in the public DNS. This so that forward and reverse DNS and MX server all line up for the mail server for all the domains involved.

• Multiple DNS Search Suffixes

  Does anyone know whether it is possible to set more than one DNS search domain for a dial in VPN user?
  We currently have a group policy setting below and would like to add domain-b.co.uk to the list of search domains
  group-policy RemoteUsers attributes
  wins-server value x.x.x.x y.y.y.y
  dns-server value a.a.a.a b.b.b.b
  vpn-idle-timeout 30
  vpn-session-timeout 300
  vpn-filter value vpn-filter
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value RemoteUsers_splitTunnelAcl
  default-domain value domain-a.co.uk

  Hi,
  According to your description, my understanding is that tool SIEM prompts multiple DNS error NO SUCH NAME for Local IP.
  I am wondering which SIEM tool have you used. If it is a 3rd-party tool, I recommend you to contact the vendor/supporter for detailed information about this error.
  I am not sure about the environment you have configured and which version of OS used. In general, for windows system, we may use built-in tool, such as event viewer, performance monitor to collect detailed information about error or warning. Besides, monitor
  tool such as Network Monitor(http://www.microsoft.com/en-us/download/details.aspx?id=4865) is also helpful to capture packets for further troubleshooting.
  Best Regards,
  Eve Wang
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• CUPS 8.6 - Supporting Multiple SIP Domains on a per-user basis

  Working on a CUPS 8.6 PoC with a customer who currently is running a deployed OCS environment. 
  Users all sign into a single domain internally but have multiple SMTP domains for email as this customer has many different companies they have aquired.
  OCS  is able to support and route multiple SIP domains by specifing the SIP address under AD User settings such that two users both signed into the same OCS server can send IM's to each other even though they have different SIP addresses.  sip:[email protected] , sip:[email protected]
  CUPS on the other hand does not seem to allow this on a per-user basis.  It places every user in the sip domain that the server is a member of.
  The Jabber client allows you to specify a domain but I am not how this is used as the actual user account in CUPS is only ever the one domain and if you try and specify a different domain in the Jabber Connection Settings, it will not allow you to login.
  It is not a big deal for internal communications if everyone is on the same domain, but where it is important is for future B2B IM.  Users need to be able to give out THEIR IM address with THEIR respective domain.
  Does anyone else know for a fact that I will only be able to have one domain per CUP cluster?
  Any thoughts on this design?

  Not sure on the design perspective but as for CUPS Domain, we can only have single domain per cluster. As you have already found out that for any user licensed for CUPS, their IM address would be userid@CUPSDomain
  CUPS does have funtionality of federating with foreign domains such as AOL/GoogleTalk/WebEx Connect.

• Lync 2013 certificate requirements for multiple SIP domains

  Hi All,
  I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
  around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
  appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
  Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
  Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
  Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
  Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
  Friendly URL option 3 from this page:
  http://technet.microsoft.com/en-us/library/gg398287.aspx
  Client auto-configuration:
  i.     
  Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
  ii.     
  Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
  iii.     
  Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domains is also required. This is because a DNS CNAME to another domain is not supported over
  HTTPS.
  If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
  How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
  Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed
  to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
  Many thanks,

  Many thanks for the response.
  I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
  http://technet.microsoft.com/en-us/library/gg398287.aspx
  What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
  http://technet.microsoft.com/en-gb/library/hh690030.aspx
  Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
  to an address of director.contoso.net is not supported over HTTPS.
  In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
  rule for port 80 (HTTP).
  For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
  domain.”
  I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
  As per the below article:
  http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
  “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
  create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
  This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
  the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
  ===================
  1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
  2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
  fall under the XXX umbrella but are very much run as individual entities.
  Question:
  Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
  Thanks.

• DNS Domain name ISE 1.2

  Question:  Can the DNS domain name in ISE 1.2 be differnt from the AD domain that ISE is joined to?
  Situation:  I have an internal AD domain 'mydomain.local'.  Currently ISE is setup with mydomain.local as it's dns domain it's FQDN is isebox.mydomain.local, it is also joined to that domain.  The problem comes with the certificate for HTTPS sites (management, guest, etc...) specifically guest.  If I use a certificate for isebox.mydomain.local, guest users (that do not have our internal ca) will get a certificate error.  The certificate used for HTTPS sites in ISE has to match the hostname of ISE.  This seems to me to be an unresolvable problem.  I have to have mydomain.local as the DNS domain, so that I can join ISE to mydomain.local.  But if I use that domain then I can't issue a public cert for the ISE box, because I can't get a public cert for a .local domain.
  My idea was to define the DNS domain as a public domain (abc123.com) but still join it to my internal domain (mydomain.local).  I have found some vauge references to this not being a supported configuration, and even that it doesn't work at all.  Could someone please tell me if this works?  Or better yet, some better/easer way to solve this prolem.
  Thanks!

  Hello John
  Cisco ISE supports integration with a single Active Directory identity source. Cisco ISE uses this Active Directory identity source to join itself to an Active Directory domain. If this Active Directory source has a multidomain forest, trust relationships must exist between its domain and the other domains in order for Cisco ISE to retrieve information from all domains within the forest.
  However, you may create multiple instances for LDAP. Cisco ISE can communicate via LDAP to Active Directory servers in an untrusted domain. The only limitation you would see with LDAP being a database that it doesn't support PEAP MSCHAPv2 ( native microsoft supplicant). However it does suppport EAP-TLS.
  For more information you may go through the below listed link
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf

• Resolve.conf, dnsmasq and external DNS servers

  I am using dnsmasq to filter out ad urls, so my  /etc/resolv.conf looks like that:
  # Generated by dhcpcd from wlan0
  nameserver 127.0.0.1
  domain home
  nameserver 192.168.1.254
  # /etc/resolv.conf.tail can replace this line
  However, it looks like after getting through the url filtration layer of dnsmasq, the URLs are being resolved by a DNS sever of whatever Access Point I am connected to. This create problems, because they often render me unable to connect to services like sourceforge.net, etc.
  So, instead of that, I would like my system to fall back to Google and OpenDNS after filtering urls through dnsmasq.
  But how can I do that? This is a specific case and wiki does not cover it.
  Last edited by Lockheed (2013-05-19 16:50:43)

  $ cat /etc/resolv.conf
  # Generated by dhcpcd from wlan0
  nameserver 127.0.0.1
  nameserver 8.8.8.8
  domain home
  # /etc/resolv.conf.tail can replace this line
  The google DNS is what I put in there earlier to be able to use internet after dnsmasq stopped starting.
  $ cat /etc/resolvconf.conf
  # Configuration for resolvconf(8)
  # See resolvconf.conf(5) for details
  resolv_conf=/etc/resolv.conf
  # If you run a local name server, you should uncomment the below line and
  # configure your subscribers configuration files below.
  name_servers=127.0.0.1
  # Write out dnsmasq extended configuration and resolv files
  dnsmasq_conf=/etc/dnsmasq-conf.conf
  dnsmasq_resolv=/etc/dnsmasq-resolv.conf
  $ cat /etc/dnsmasq.conf
  # Configuration file for dnsmasq.
  # Format is one option per line, legal options are the same
  # as the long options legal on the command line. See
  # "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
  # Listen on this specific port instead of the standard DNS port
  # (53). Setting this to zero completely disables DNS function,
  # leaving only DHCP and/or TFTP.
  #port=5353
  # The following two options make you a better netizen, since they
  # tell dnsmasq to filter out queries which the public DNS cannot
  # answer, and which load the servers (especially the root servers)
  # unnecessarily. If you have a dial-on-demand link they also stop
  # these requests from bringing up the link unnecessarily.
  # Never forward plain names (without a dot or domain part)
  #domain-needed
  # Never forward addresses in the non-routed address spaces.
  #bogus-priv
  # Uncomment this to filter useless windows-originated DNS requests
  # which can trigger dial-on-demand links needlessly.
  # Note that (amongst other things) this blocks all SRV requests,
  # so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
  # This option only affects forwarding, SRV records originating for
  # dnsmasq (via srv-host= lines) are not suppressed by it.
  #filterwin2k
  # Change this line if you want dns to get its upstream servers from
  # somewhere other that /etc/resolv.conf
  #resolv-file=/etc/resolv-dnsmasq.conf
  # By default, dnsmasq will send queries to any of the upstream
  # servers it knows about and tries to favour servers to are known
  # to be up. Uncommenting this forces dnsmasq to try each query
  # with each server strictly in the order they appear in
  # /etc/resolv.conf
  strict-order
  # If you don't want dnsmasq to read /etc/resolv.conf or any other
  # file, getting its servers from this file instead (see below), then
  # uncomment this.
  #no-resolv
  # If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
  # files for changes and re-read them then uncomment this.
  #no-poll
  # Add other name servers here, with domain specs if they are for
  # non-public domains.
  #server=/localnet/192.168.0.1
  server=208.67.222.222
  server=208.67.220.220
  # Example of routing PTR queries to nameservers: this will send all
  # address->name queries for 192.168.3/24 to nameserver 10.1.2.3
  #server=/3.168.192.in-addr.arpa/10.1.2.3
  # Add local-only domains here, queries in these domains are answered
  # from /etc/hosts or DHCP only.
  #local=/localnet/
  # Add domains which you want to force to an IP address here.
  # The example below send any host in double-click.net to a local
  # web-server.
  #address=/double-click.net/127.0.0.1
  # --address (and --server) work with IPv6 addresses too.
  #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
  # You can control how dnsmasq talks to a server: this forces
  # queries to 10.1.2.3 to be routed via eth1
  # server=10.1.2.3@eth1
  # and this sets the source (ie local) address used to talk to
  # 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
  # IP on the machine, obviously).
  # [email protected]#55
  # If you want dnsmasq to change uid and gid to something other
  # than the default, edit the following lines.
  #user=
  #group=
  # If you want dnsmasq to listen for DHCP and DNS requests only on
  # specified interfaces (and the loopback) give the name of the
  # interface (eg eth0) here.
  # Repeat the line for more than one interface.
  #interface=lo
  # Or you can specify which interface _not_ to listen on
  #except-interface=
  # Or which to listen on by address (remember to include 127.0.0.1 if
  # you use this.)
  #listen-address=127.0.0.1
  # If you want dnsmasq to provide only DNS service on an interface,
  # configure it as shown above, and then use the following line to
  # disable DHCP and TFTP on it.
  #no-dhcp-interface=
  # On systems which support it, dnsmasq binds the wildcard address,
  # even when it is listening on only some interfaces. It then discards
  # requests that it shouldn't reply to. This has the advantage of
  # working even when interfaces come and go and change address. If you
  # want dnsmasq to really bind only the interfaces it is listening on,
  # uncomment this option. About the only time you may need this is when
  # running another nameserver on the same machine.
  #bind-interfaces
  # If you don't want dnsmasq to read /etc/hosts, uncomment the
  # following line.
  #no-hosts
  # or if you want it to read another file, as well as /etc/hosts, use
  # this.
  addn-hosts=/etc/hosts.block
  #hostsfile=/etc/hosts.block
  # Set this (and domain: see below) if you want to have a domain
  # automatically added to simple names in a hosts-file.
  #expand-hosts
  # Set the domain for dnsmasq. this is optional, but if it is set, it
  # does the following things.
  # 1) Allows DHCP hosts to have fully qualified domain names, as long
  # as the domain part matches this setting.
  # 2) Sets the "domain" DHCP option thereby potentially setting the
  # domain of all systems configured by DHCP
  # 3) Provides the domain part for "expand-hosts"
  #domain=thekelleys.org.uk
  # Set a different domain for a particular subnet
  #domain=wireless.thekelleys.org.uk,192.168.2.0/24
  # Same idea, but range rather then subnet
  #domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
  # Uncomment this to enable the integrated DHCP server, you need
  # to supply the range of addresses available for lease and optionally
  # a lease time. If you have more than one network, you will need to
  # repeat this for each network on which you want to supply DHCP
  # service.
  #dhcp-range=192.168.0.50,192.168.0.150,12h
  # This is an example of a DHCP range where the netmask is given. This
  # is needed for networks we reach the dnsmasq DHCP server via a relay
  # agent. If you don't know what a DHCP relay agent is, you probably
  # don't need to worry about this.
  #dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
  # This is an example of a DHCP range which sets a tag, so that
  # some DHCP options may be set only for this network.
  #dhcp-range=set:red,192.168.0.50,192.168.0.150
  # Use this DHCP range only when the tag "green" is set.
  #dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
  # Specify a subnet which can't be used for dynamic address allocation,
  # is available for hosts with matching --dhcp-host lines. Note that
  # dhcp-host declarations will be ignored unless there is a dhcp-range
  # of some type for the subnet in question.
  # In this case the netmask is implied (it comes from the network
  # configuration on the machine running dnsmasq) it is possible to give
  # an explicit netmask instead.
  #dhcp-range=192.168.0.0,static
  # Enable DHCPv6. Note that the prefix-length does not need to be specified
  # and defaults to 64 if missing/
  #dhcp-range=1234::2, 1234::500, 64, 12h
  # Do Router Advertisements, BUT NOT DHCP for this subnet.
  #dhcp-range=1234::, ra-only
  # Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
  # add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
  # hosts. Use the DHCPv4 lease to derive the name, network segment and
  # MAC address and assume that the host will also have an
  # IPv6 address calculated using the SLAAC alogrithm.
  #dhcp-range=1234::, ra-names
  # Do Router Advertisements, BUT NOT DHCP for this subnet.
  # Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
  #dhcp-range=1234::, ra-only, 48h
  # Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
  # so that clients can use SLAAC addresses as well as DHCP ones.
  #dhcp-range=1234::2, 1234::500, slaac
  # Do Router Advertisements and stateless DHCP for this subnet. Clients will
  # not get addresses from DHCP, but they will get other configuration information.
  # They will use SLAAC for addresses.
  #dhcp-range=1234::, ra-stateless
  # Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
  # from DHCPv4 leases.
  #dhcp-range=1234::, ra-stateless, ra-names
  # Do router advertisements for all subnets where we're doing DHCPv6
  # Unless overriden by ra-stateless, ra-names, et al, the router
  # advertisements will have the M and O bits set, so that the clients
  # get addresses and configuration from DHCPv6, and the A bit reset, so the
  # clients don't use SLAAC addresses.
  #enable-ra
  # Supply parameters for specified hosts using DHCP. There are lots
  # of valid alternatives, so we will give examples of each. Note that
  # IP addresses DO NOT have to be in the range given above, they just
  # need to be on the same network. The order of the parameters in these
  # do not matter, it's permissible to give name, address and MAC in any
  # order.
  # Always allocate the host with Ethernet address 11:22:33:44:55:66
  # The IP address 192.168.0.60
  #dhcp-host=11:22:33:44:55:66,192.168.0.60
  # Always set the name of the host with hardware address
  # 11:22:33:44:55:66 to be "fred"
  #dhcp-host=11:22:33:44:55:66,fred
  # Always give the host with Ethernet address 11:22:33:44:55:66
  # the name fred and IP address 192.168.0.60 and lease time 45 minutes
  #dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
  # Give a host with Ethernet address 11:22:33:44:55:66 or
  # 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
  # that these two Ethernet interfaces will never be in use at the same
  # time, and give the IP address to the second, even if it is already
  # in use by the first. Useful for laptops with wired and wireless
  # addresses.
  #dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
  # Give the machine which says its name is "bert" IP address
  # 192.168.0.70 and an infinite lease
  #dhcp-host=bert,192.168.0.70,infinite
  # Always give the host with client identifier 01:02:02:04
  # the IP address 192.168.0.60
  #dhcp-host=id:01:02:02:04,192.168.0.60
  # Always give the host with client identifier "marjorie"
  # the IP address 192.168.0.60
  #dhcp-host=id:marjorie,192.168.0.60
  # Enable the address given for "judge" in /etc/hosts
  # to be given to a machine presenting the name "judge" when
  # it asks for a DHCP lease.
  #dhcp-host=judge
  # Never offer DHCP service to a machine whose Ethernet
  # address is 11:22:33:44:55:66
  #dhcp-host=11:22:33:44:55:66,ignore
  # Ignore any client-id presented by the machine with Ethernet
  # address 11:22:33:44:55:66. This is useful to prevent a machine
  # being treated differently when running under different OS's or
  # between PXE boot and OS boot.
  #dhcp-host=11:22:33:44:55:66,id:*
  # Send extra options which are tagged as "red" to
  # the machine with Ethernet address 11:22:33:44:55:66
  #dhcp-host=11:22:33:44:55:66,set:red
  # Send extra options which are tagged as "red" to
  # any machine with Ethernet address starting 11:22:33:
  #dhcp-host=11:22:33:*:*:*,set:red
  # Give a fixed IPv6 address and name to client with
  # DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
  # Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
  # Note also the they [] around the IPv6 address are obilgatory.
  #dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
  # Ignore any clients which are not specified in dhcp-host lines
  # or /etc/ethers. Equivalent to ISC "deny unknown-clients".
  # This relies on the special "known" tag which is set when
  # a host is matched.
  #dhcp-ignore=tag:!known
  # Send extra options which are tagged as "red" to any machine whose
  # DHCP vendorclass string includes the substring "Linux"
  #dhcp-vendorclass=set:red,Linux
  # Send extra options which are tagged as "red" to any machine one
  # of whose DHCP userclass strings includes the substring "accounts"
  #dhcp-userclass=set:red,accounts
  # Send extra options which are tagged as "red" to any machine whose
  # MAC address matches the pattern.
  #dhcp-mac=set:red,00:60:8C:*:*:*
  # If this line is uncommented, dnsmasq will read /etc/ethers and act
  # on the ethernet-address/IP pairs found there just as if they had
  # been given as --dhcp-host options. Useful if you keep
  # MAC-address/host mappings there for other purposes.
  #read-ethers
  # Send options to hosts which ask for a DHCP lease.
  # See RFC 2132 for details of available options.
  # Common options can be given to dnsmasq by name:
  # run "dnsmasq --help dhcp" to get a list.
  # Note that all the common settings, such as netmask and
  # broadcast address, DNS server and default route, are given
  # sane defaults by dnsmasq. You very likely will not need
  # any dhcp-options. If you use Windows clients and Samba, there
  # are some options which are recommended, they are detailed at the
  # end of this section.
  # Override the default route supplied by dnsmasq, which assumes the
  # router is the same machine as the one running dnsmasq.
  #dhcp-option=3,1.2.3.4
  # Do the same thing, but using the option name
  #dhcp-option=option:router,1.2.3.4
  # Override the default route supplied by dnsmasq and send no default
  # route at all. Note that this only works for the options sent by
  # default (1, 3, 6, 12, 28) the same line will send a zero-length option
  # for all other option numbers.
  #dhcp-option=3
  # Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
  #dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
  # Send DHCPv6 option. Note [] around IPv6 addresses.
  #dhcp-option=option6:dns-server,[1234::77],[1234::88]
  # Send DHCPv6 option for namservers as the machine running
  # dnsmasq and another.
  #dhcp-option=option6:dns-server,[::],[1234::88]
  # Ask client to poll for option changes every six hours. (RFC4242)
  #dhcp-option=option6:information-refresh-time,6h
  # Set the NTP time server address to be the same machine as
  # is running dnsmasq
  #dhcp-option=42,0.0.0.0
  # Set the NIS domain name to "welly"
  #dhcp-option=40,welly
  # Set the default time-to-live to 50
  #dhcp-option=23,50
  # Set the "all subnets are local" flag
  #dhcp-option=27,1
  # Send the etherboot magic flag and then etherboot options (a string).
  #dhcp-option=128,e4:45:74:68:00:00
  #dhcp-option=129,NIC=eepro100
  # Specify an option which will only be sent to the "red" network
  # (see dhcp-range for the declaration of the "red" network)
  # Note that the tag: part must precede the option: part.
  #dhcp-option = tag:red, option:ntp-server, 192.168.1.1
  # The following DHCP options set up dnsmasq in the same way as is specified
  # for the ISC dhcpcd in
  # http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
  # adapted for a typical dnsmasq installation where the host running
  # dnsmasq is also the host running samba.
  # you may want to uncomment some or all of them if you use
  # Windows clients and Samba.
  #dhcp-option=19,0 # option ip-forwarding off
  #dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
  #dhcp-option=45,0.0.0.0 # netbios datagram distribution server
  #dhcp-option=46,8 # netbios node type
  # Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
  #dhcp-option=252,"\n"
  # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
  # probably doesn't support this......
  #dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
  # Send RFC-3442 classless static routes (note the netmask encoding)
  #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
  # Send vendor-class specific options encapsulated in DHCP option 43.
  # The meaning of the options is defined by the vendor-class so
  # options are sent only when the client supplied vendor class
  # matches the class given here. (A substring match is OK, so "MSFT"
  # matches "MSFT" and "MSFT 5.0"). This example sets the
  # mtftp address to 0.0.0.0 for PXEClients.
  #dhcp-option=vendor:PXEClient,1,0.0.0.0
  # Send microsoft-specific option to tell windows to release the DHCP lease
  # when it shuts down. Note the "i" flag, to tell dnsmasq to send the
  # value as a four-byte integer - that's what microsoft wants. See
  # http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
  #dhcp-option=vendor:MSFT,2,1i
  # Send the Encapsulated-vendor-class ID needed by some configurations of
  # Etherboot to allow is to recognise the DHCP server.
  #dhcp-option=vendor:Etherboot,60,"Etherboot"
  # Send options to PXELinux. Note that we need to send the options even
  # though they don't appear in the parameter request list, so we need
  # to use dhcp-option-force here.
  # See http://syslinux.zytor.com/pxe.php#special for details.
  # Magic number - needed before anything else is recognised
  #dhcp-option-force=208,f1:00:74:7e
  # Configuration file name
  #dhcp-option-force=209,configs/common
  # Path prefix
  #dhcp-option-force=210,/tftpboot/pxelinux/files/
  # Reboot time. (Note 'i' to send 32-bit value)
  #dhcp-option-force=211,30i
  # Set the boot filename for netboot/PXE. You will only need
  # this is you want to boot machines over the network and you will need
  # a TFTP server; either dnsmasq's built in TFTP server or an
  # external one. (See below for how to enable the TFTP server.)
  #dhcp-boot=pxelinux.0
  # The same as above, but use custom tftp-server instead machine running dnsmasq
  #dhcp-boot=pxelinux,server.name,192.168.1.100
  # Boot for Etherboot gPXE. The idea is to send two different
  # filenames, the first loads gPXE, and the second tells gPXE what to
  # load. The dhcp-match sets the gpxe tag for requests from gPXE.
  #dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
  #dhcp-boot=tag:!gpxe,undionly.kpxe
  #dhcp-boot=mybootimage
  # Encapsulated options for Etherboot gPXE. All the options are
  # encapsulated within option 175
  #dhcp-option=encap:175, 1, 5b # priority code
  #dhcp-option=encap:175, 176, 1b # no-proxydhcp
  #dhcp-option=encap:175, 177, string # bus-id
  #dhcp-option=encap:175, 189, 1b # BIOS drive code
  #dhcp-option=encap:175, 190, user # iSCSI username
  #dhcp-option=encap:175, 191, pass # iSCSI password
  # Test for the architecture of a netboot client. PXE clients are
  # supposed to send their architecture as option 93. (See RFC 4578)
  #dhcp-match=peecees, option:client-arch, 0 #x86-32
  #dhcp-match=itanics, option:client-arch, 2 #IA64
  #dhcp-match=hammers, option:client-arch, 6 #x86-64
  #dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
  # Do real PXE, rather than just booting a single file, this is an
  # alternative to dhcp-boot.
  #pxe-prompt="What system shall I netboot?"
  # or with timeout before first available action is taken:
  #pxe-prompt="Press F8 for menu.", 60
  # Available boot services. for PXE.
  #pxe-service=x86PC, "Boot from local disk"
  # Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
  #pxe-service=x86PC, "Install Linux", pxelinux
  # Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
  # Beware this fails on old PXE ROMS.
  #pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
  # Use bootserver on network, found my multicast or broadcast.
  #pxe-service=x86PC, "Install windows from RIS server", 1
  # Use bootserver at a known IP address.
  #pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
  # If you have multicast-FTP available,
  # information for that can be passed in a similar way using options 1
  # to 5. See page 19 of
  # http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
  # Enable dnsmasq's built-in TFTP server
  #enable-tftp
  # Set the root directory for files available via FTP.
  #tftp-root=/var/ftpd
  # Make the TFTP server more secure: with this set, only files owned by
  # the user dnsmasq is running as will be send over the net.
  #tftp-secure
  # This option stops dnsmasq from negotiating a larger blocksize for TFTP
  # transfers. It will slow things down, but may rescue some broken TFTP
  # clients.
  #tftp-no-blocksize
  # Set the boot file name only when the "red" tag is set.
  #dhcp-boot=net:red,pxelinux.red-net
  # An example of dhcp-boot with an external TFTP server: the name and IP
  # address of the server are given after the filename.
  # Can fail with old PXE ROMS. Overridden by --pxe-service.
  #dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
  # If there are multiple external tftp servers having a same name
  # (using /etc/hosts) then that name can be specified as the
  # tftp_servername (the third option to dhcp-boot) and in that
  # case dnsmasq resolves this name and returns the resultant IP
  # addresses in round robin fasion. This facility can be used to
  # load balance the tftp load among a set of servers.
  #dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
  # Set the limit on DHCP leases, the default is 150
  #dhcp-lease-max=150
  # The DHCP server needs somewhere on disk to keep its lease database.
  # This defaults to a sane location, but if you want to change it, use
  # the line below.
  #dhcp-leasefile=/var/lib/misc/dnsmasq.leases
  # Set the DHCP server to authoritative mode. In this mode it will barge in
  # and take over the lease for any client which broadcasts on the network,
  # whether it has a record of the lease or not. This avoids long timeouts
  # when a machine wakes up on a new network. DO NOT enable this if there's
  # the slightest chance that you might end up accidentally configuring a DHCP
  # server for your campus/company accidentally. The ISC server uses
  # the same option, and this URL provides more information:
  # http://www.isc.org/files/auth.html
  #dhcp-authoritative
  # Run an executable when a DHCP lease is created or destroyed.
  # The arguments sent to the script are "add" or "del",
  # then the MAC address, the IP address and finally the hostname
  # if there is one.
  #dhcp-script=/bin/echo
  # Set the cachesize here.
  #cache-size=150
  # If you want to disable negative caching, uncomment this.
  #no-negcache
  # Normally responses which come from /etc/hosts and the DHCP lease
  # file have Time-To-Live set as zero, which conventionally means
  # do not cache further. If you are happy to trade lower load on the
  # server for potentially stale date, you can set a time-to-live (in
  # seconds) here.
  #local-ttl=
  # If you want dnsmasq to detect attempts by Verisign to send queries
  # to unregistered .com and .net hosts to its sitefinder service and
  # have dnsmasq instead return the correct NXDOMAIN response, uncomment
  # this line. You can add similar lines to do the same for other
  # registries which have implemented wildcard A records.
  #bogus-nxdomain=64.94.110.11
  # If you want to fix up DNS results from upstream servers, use the
  # alias option. This only works for IPv4.
  # This alias makes a result of 1.2.3.4 appear as 5.6.7.8
  #alias=1.2.3.4,5.6.7.8
  # and this maps 1.2.3.x to 5.6.7.x
  #alias=1.2.3.0,5.6.7.0,255.255.255.0
  # and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
  #alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
  # Change these lines if you want dnsmasq to serve MX records.
  # Return an MX record named "maildomain.com" with target
  # servermachine.com and preference 50
  #mx-host=maildomain.com,servermachine.com,50
  # Set the default target for MX records created using the localmx option.
  #mx-target=servermachine.com
  # Return an MX record pointing to the mx-target for all local
  # machines.
  #localmx
  # Return an MX record pointing to itself for all local machines.
  #selfmx
  # Change the following lines if you want dnsmasq to serve SRV
  # records. These are useful if you want to serve ldap requests for
  # Active Directory and other windows-originated DNS requests.
  # See RFC 2782.
  # You may add multiple srv-host lines.
  # The fields are <name>,<target>,<port>,<priority>,<weight>
  # If the domain part if missing from the name (so that is just has the
  # service and protocol sections) then the domain given by the domain=
  # config option is used. (Note that expand-hosts does not need to be
  # set for this to work.)
  # A SRV record sending LDAP for the example.com domain to
  # ldapserver.example.com port 389
  #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
  # A SRV record sending LDAP for the example.com domain to
  # ldapserver.example.com port 389 (using domain=)
  #domain=example.com
  #srv-host=_ldap._tcp,ldapserver.example.com,389
  # Two SRV records for LDAP, each with different priorities
  #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
  #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
  # A SRV record indicating that there is no LDAP server for the domain
  # example.com
  #srv-host=_ldap._tcp.example.com
  # The following line shows how to make dnsmasq serve an arbitrary PTR
  # record. This is useful for DNS-SD. (Note that the
  # domain-name expansion done for SRV records _does_not
  # occur for PTR records.)
  #ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
  # Change the following lines to enable dnsmasq to serve TXT records.
  # These are used for things like SPF and zeroconf. (Note that the
  # domain-name expansion done for SRV records _does_not
  # occur for TXT records.)
  #Example SPF.
  #txt-record=example.com,"v=spf1 a -all"
  #Example zeroconf
  #txt-record=_http._tcp.example.com,name=value,paper=A4
  # Provide an alias for a "local" DNS name. Note that this _only_ works
  # for targets which are names from DHCP or /etc/hosts. Give host
  # "bert" another name, bertrand
  #cname=bertand,bert
  # For debugging purposes, log each DNS query as it passes through
  # dnsmasq.
  #log-queries
  # Log lots of extra information about DHCP transactions.
  #log-dhcp
  # Include a another lot of configuration options.
  #conf-file=/etc/dnsmasq-resolvconf.conf
  #conf-dir=/etc/dnsmasq.d
  domain-needed
  interface=lo
  # If dnsmasq is compiled for DBus then we can take
  # advantage of not having to restart dnsmasq.
  enable-dbus
  conf-file=/etc/dnsmasq-conf.conf
  resolv-file=/etc/dnsmasq-resolv.conf
  Logs:
  May 23 00:01:06 panzor systemd[1]: Failed to start A lightweight DHCP and caching DNS server.
  May 23 00:01:10 panzor dhcpcd[27267]: dhcpcd not running
  May 23 00:01:10 panzor kernel: [ 7771.282756] iwl4965 0000:03:00.0: Can't stop Rx DMA.
  May 23 00:01:10 panzor dhcpcd[27294]: dhcpcd not running
  May 23 00:01:11 panzor dhcpcd[27330]: dhcpcd not running
  May 23 00:01:14 panzor dhcpcd[27373]: wlan0: sendmsg: Cannot assign requested address
  May 23 00:01:18 panzor dhcpcd[27373]: wlan0: sendmsg: Operation not permitted
  May 23 00:01:22 panzor dhcpcd[27395]: wlan0: sendmsg: Operation not permitted
  May 23 00:01:26 panzor dhcpcd[27395]: wlan0: sendmsg: Operation not permitted
  For domain filtration, if I remember correctly, I am using this
  https://bbs.archlinux.org/viewtopic.php?id=139784