Nexapp - DNS & DHCP
DNS & DHCP
NexappOS can provide DNS and DHCP services for every configured local network.
The DNS & DHCP section is organized into the following tabs:
- DHCP and MAC binding
- Static leases
- Dynamic leases
- DNS
- DNS records
- Scan network
DHCP and MAC Binding
This tab lets you enable and manage a DHCP server for each local (trusted) interface.
Each local interface is shown as a separate card. Click Edit on an interface card to enable or modify DHCP settings.
MAC Binding
MAC-IP binding ensures that devices use only their assigned IP addresses.
Available options:
Status
Enable or disable MAC-IP binding on the selected interface.
Type
Choose one of two modes:
Soft binding
Devices without reservations are allowed.
Devices with mismatched IP/MAC are blocked.
Example:
A BYOD office network, where guest and employee devices change often.
Soft binding allows flexibility while preventing IP spoofing.
Strict binding
Only devices with a reservation are allowed.
All others are blocked.
Example:
A corporate environment requiring strict endpoint control.
Strict binding prevents unauthorized devices from taking reserved IPs.
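The two modes differ only in how they treat a device that has no reservation. The following is an added example, not NexappOS code: a small Python model of the policy described above. The function names, the reservation table and the reading of "mismatched" (a reserved MAC on another IP, or an unreserved MAC on a reserved IP) are assumptions.

```python
# Constructed sample reservation table: MAC -> reserved IP (assumption for this example)
RESERVATIONS = {"AA:BB:CC:00:00:01": "192.168.1.10"}

def norm_mac(mac):
    """Normalise 'AA-BB-..' or 'aa:bb:..' to lower-case colon-separated form."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def binding_verdict(mode, reservations, mac, ip):
    """Return 'allow' or 'block' for a device seen with (mac, ip).

    mode is 'soft' or 'strict'; reservations maps MAC -> reserved IP.
    """
    if mode not in ("soft", "strict"):
        raise ValueError(f"unknown mode: {mode!r}")
    table = {norm_mac(m): a for m, a in reservations.items()}
    reserved_ip = table.get(norm_mac(mac))
    if reserved_ip is not None:
        # A device with a reservation must use exactly its reserved IP (both modes).
        return "allow" if ip == reserved_ip else "block"
    if mode == "strict":
        # Strict: no reservation, no access.
        return "block"
    # Soft: unreserved devices pass unless they claim an IP reserved for another MAC.
    return "block" if ip in table.values() else "allow"
```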
DHCP
Enable DHCP
Turn DHCP service on/off for this interface.
Range IP start
First IP in the DHCP pool.
Range IP end
Last IP in the DHCP pool.
Lease time
Duration of each lease (default: 1 hour).
DHCP Advanced Settings
Force DHCP server start
On boot, NexappOS checks for other DHCP servers.
- If disabled, DHCP will not start if another DHCP server is detected.
- If enabled, DHCP starts even if another DHCP server exists.
DHCP options
Add or override specific DHCP options (DNS servers, TFTP, routers, etc.).
Multiple values can be separated by commas.
Example: Override DNS for clients
- option: dns-server
- value: 1.1.1.1,8.8.8.8
- option:
Static Leases
Static leases assign a fixed IP address and hostname to a device identified by its MAC address.
Click Add reservation to create one.
Available fields:
Hostname
Name mapped to the IP.
IP address
Fixed IP to assign.
Must be inside the DHCP range.
MAC address
Device MAC to reserve IP for.
Reservation name (optional)
Free-text label for easier identification.
Dynamic Leases
Dynamic leases are IPs currently assigned by DHCP.
This tab lists all active leases in real time.
Default Behavior
By default, the DHCP server is limited to 1000 concurrent leases to reduce DoS risk.
To increase this value, set dhcpleasemax:
uci set dhcp.@dnsmasq[0].dhcpleasemax='2500'
uci commit dhcp
reload_config
Non-Standard Custom DHCP Options
In addition to standard DHCP options, NexappOS supports custom options such as Option 82.
To configure a custom option from CLI:
uci add_list dhcp.lan.dhcp_option='82,myvalue'
uci commit dhcp
reload_config
Custom options set via the CLI are preserved even if the UI is used later. Avoid editing advanced custom options directly in the UI unless required.
DNS
NexappOS uses Dnsmasq as a downstream caching DNS server. It resolves DNS locally and forwards external queries upstream.
By default, upstream DNS is taken from WAN DHCP, but you can override this.
DNS Settings
DNS forwarding servers
Click Add DNS Server to define one or more upstream servers.
DNS domain
Local DNS suffix (queries matching this domain are resolved locally).
Log DNS queries
Enable if you want DNS queries logged.
When Forwarding Servers Are Required
You only need to set manual forwarders if WAN interfaces use static IPs. If WAN uses DHCP, NexappOS automatically imports DNS from the ISP.
The auto-imported DNS list is visible at:
/tmp/resolv.conf.d/resolv.conf.auto
Domain-Specific DNS Servers
You can route specific domain queries to specific upstream DNS servers.
Syntax:
/DOMAIN/IP_ADDRESS#PORT
- IP_ADDRESS is mandatory
- #PORT is optional
- empty domain (//) matches unqualified names
Supported patterns:
- // → matches names without dots
- /google.com/ → exact domain + subdomains
- /*google.com/ → any domain containing google.com
Examples
Send google.com queries to 1.2.3.4
/google.com/1.2.3.4
Send unqualified names to 10.0.0.1
//10.0.0.1
Send ad.example.org to internal resolver
/ad.example.org/192.168.1.1
More specific rules always take priority over broader ones.
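To check which upstream a given query will reach before committing a rule set, the syntax and priority rule above can be modelled in a few lines. This is an added example, not NexappOS or Dnsmasq code: the function names, the `/example.org/` rule, the default port 53 and the reading of `/*google.com/` as a match on the end of the name are assumptions.

```python
import ipaddress

# Rules from the examples above plus one constructed rule with a port (assumption).
RULES = [
    "/google.com/1.2.3.4",
    "//10.0.0.1",
    "/ad.example.org/192.168.1.1",
    "/example.org/192.0.2.53#5353",   # constructed: broader than ad.example.org
]

def parse_rule(rule):
    """Parse '/DOMAIN/IP_ADDRESS#PORT' into (domain, wildcard, ip, port)."""
    if not rule.startswith("/") or rule.count("/") != 2:
        raise ValueError(f"bad rule: {rule!r}")
    _, domain, target = rule.split("/")
    addr, _, port = target.partition("#")
    ip = str(ipaddress.ip_address(addr))   # IP_ADDRESS is mandatory: empty or bad value raises
    wildcard = domain.startswith("*")
    return domain.lstrip("*").lower(), wildcard, ip, int(port) if port else 53

def matches(name, domain, wildcard):
    if domain == "":
        return "." not in name             # // matches unqualified names only
    if wildcard:
        return name.endswith(domain)       # /*google.com/ (assumed: suffix match)
    return name == domain or name.endswith("." + domain)

def pick_server(name, rules):
    """Return (ip, port) of the most specific matching rule, or None for the default upstream."""
    name = name.rstrip(".").lower()
    best = None
    for domain, wildcard, ip, port in map(parse_rule, rules):
        if matches(name, domain, wildcard):
            # Longer pattern is more specific; on a tie, an exact pattern beats a wildcard.
            key = (len(domain), not wildcard)
            if best is None or key > best[0]:
                best = (key, (ip, port))
    return best[1] if best else None
```

Note that `/google.com/` does not capture a look-alike such as `notgoogle.com`, while `/*google.com/` does, so the wildcard form should be used deliberately.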
DNS Rebind Protection
DNS Rebind Protection blocks public domains from resolving to private IP ranges. It prevents DNS rebinding attacks that can target internal devices.
- Enabled by default
- Usually no impact
- May affect split-DNS scenarios
Possible log message:
possible DNS-rebind attack detected: example.org
Fix Rebind Issues
Solution 1: Whitelist the domain (recommended)
uci add_list dhcp.@dnsmasq[0].rebind_domain="example.org"
uci commit dhcp
/etc/init.d/dnsmasq restart
Solution 2: Disable protection (not recommended)
uci set dhcp.@dnsmasq[0].rebind_protection='0'
uci commit dhcp
/etc/init.d/dnsmasq restart
Enable/Re-Enable Protection
If protection was disabled earlier:
uci set dhcp.@dnsmasq[0].rebind_protection='1'
uci set dhcp.@dnsmasq[0].rebind_localhost='1'
uci commit dhcp
/etc/init.d/dnsmasq restart
rebind_localhost allows safe upstream responses in 127.0.0.0/8, useful for DNS blacklist services.
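How the three settings interact is easiest to see as a decision function. This is an added example, not NexappOS or Dnsmasq code: it models the behaviour described in this section for a single upstream answer. The function names and the list of private ranges are assumptions; the resolver's own list may be broader.

```python
import ipaddress

# Assumed private ranges for this model (not taken from the resolver's source).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def in_domain(name, domain):
    """True if name is the domain itself or one of its subdomains."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)

def rebind_verdict(name, answer_ip, rebind_protection=True,
                   rebind_localhost=False, rebind_domains=()):
    """Return 'allow' or 'block' for one upstream answer to a query for name."""
    if not rebind_protection:
        return "allow"                      # Solution 2: nothing is checked
    if any(in_domain(name, d) for d in rebind_domains):
        return "allow"                      # Solution 1: whitelisted domain
    ip = ipaddress.ip_address(answer_ip)
    if ip in LOOPBACK:
        # 127.0.0.0/8 answers pass only when rebind_localhost is set
        return "allow" if rebind_localhost else "block"
    if any(ip in net for net in PRIVATE_NETS):
        return "block"                      # public name resolving to a private address
    return "allow"
```

The whitelist is scoped to one domain and its subdomains, which is why Solution 1 leaves every other name protected while Solution 2 does not.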
DNS Records
NexappOS supports local DNS host records.
Resolution order:
- Local DNS records
- Upstream DNS servers
Note: Local DNS records always override upstream answers.
Click Add DNS record.
Fields:
Hostname
Local DNS name
IP address
Mapped address
Name (optional)
Label for clarity
Wildcard DNS record
Enable to match all undefined subdomains.
Scan Network
This tab scans configured local networks (WAN excluded).
For each local network:
- Click Scan network
- NexappOS performs discovery
- Results appear in a host table
Scan Results Include
- IP address
- MAC address
- Hostname (if detected)
- Description
Using the host menu (⋮), you can:
- create a DNS record
- create a DHCP reservation
Note: Scanning supports networks up to /20 (255.255.240.0).
Maximum supported hosts per scan: 4094.
Larger networks are not supported.