Linux for Network Engineers: Read-only TFTP with Dnsmasq

November 13, 2019 | Linux

In a previous post we talked about dnsmasq's DNS caching capabilities. Here we'll cover the Trivial File Transfer Protocol (TFTP) server built into the dnsmasq utility. Note that it is a read-only TFTP server; it is included in dnsmasq because, combined with dnsmasq's DHCP functionality, it lets you set up a PXE boot server. Keep in mind what TFTP is: a UDP service (port 69) with no authentication and no encryption, so anything you place under the TFTP root can be read by any host that can reach the server. It is the right place for boot images and configuration templates, not for secrets.

Configuration

All the required configuration can be done through the configuration file /etc/dnsmasq.conf. As soon as you install and start dnsmasq, the DNS caching functionality is active. If you want to disable DNS entirely and use only the TFTP part of dnsmasq, set the DNS port to 0 in the configuration file:

port=0

The TFTP section of the stock configuration file has five options, which I am pasting here with their comments (with the typos in the shipped comments fixed):

# Enable dnsmasq's built-in TFTP server
enable-tftp

# Set the root directory for files available via TFTP.
tftp-root=/var/ftpd

# Do not abort if the tftp-root is unavailable
tftp-no-fail

# Make the TFTP server more secure: with this set, only files owned by
# the user dnsmasq is running as will be sent over the net.
tftp-secure

# This option stops dnsmasq from negotiating a larger blocksize for TFTP
# transfers. It will slow things down, but may rescue some broken TFTP
# clients.
tftp-no-blocksize

You can enable the options that make sense for your use case, but at a bare minimum you need enable-tftp and tftp-root. The second one is not just a convenience: once tftp-root is set, dnsmasq rejects request paths containing ".." and confines absolute paths to that directory, whereas without it a client can request any file the dnsmasq process is able to read, by absolute path. tftp-secure is worth enabling on top of that, with one caveat: it has no effect if dnsmasq runs as root, in which case only world-readable files are served regardless of owner.

Once you are done, restart the dnsmasq daemon so it picks up the new options (afterwards you can confirm it listens on UDP port 69 with ss -ulnp):

systemctl restart dnsmasq
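As an added example (not from the original post), here is a complete TFTP-only dnsmasq.conf that also limits where the server listens. eth0 and /var/ftpd are assumed values; every option used is documented in dnsmasq's man page.

```ini
# Added example, not from the original post. Interface and path are assumptions.

# No DNS service at all: TFTP only.
port=0

# Listen only on the PXE/boot segment instead of every interface, and really
# bind only to it (by default dnsmasq binds the wildcard address and filters).
interface=eth0
bind-interfaces

# User dnsmasq drops privileges to; with tftp-secure, served files must be owned by it.
user=dnsmasq

enable-tftp

# Required: confines requests to this directory and rejects paths containing "..".
tftp-root=/var/ftpd

# Only serve files owned by the user above (no effect if dnsmasq runs as root).
tftp-secure

# Cap concurrent transfers (50 is the built-in default).
tftp-max=50
```

The point of interface= plus bind-interfaces is that a read-only, unauthenticated file server should only be reachable from the segment that actually boots from it.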

Examples

We need to create the directory /var/ftpd that we specified as the tftp-root directory in the configuration file (unless tftp-no-fail is set, dnsmasq refuses to start when this directory is missing):

mkdir /var/ftpd

If you put a file in that directory (e.g. file_server.txt) it will be downloadable by any TFTP client that can reach this server. Here is an example of downloading that file:

tftp> connect 172.31.0.144
tftp> get file_server.txt
Received 19 bytes in 0.0 seconds
tftp>

If you try to upload a file to the dnsmasq TFTP server you will get an error:

tftp> connect 172.31.0.144
tftp> put file_client.txt
Error code 4: unsupported request from 172.31.0.25

As we said, the dnsmasq TFTP server is read-only and will not accept uploads: the write request is answered with a TFTP ERROR packet carrying error code 4 (illegal TFTP operation), which is what the client prints above.
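To show what the two sessions above look like on the wire, here is an added example (my own code, not part of the original post or of dnsmasq): minimal RFC 1350 packet helpers and a small read-only client. The host, the file names and the sample ERROR packet are constructed for this example; the ERROR payload mirrors the text the tftp client printed above.

```python
"""Minimal TFTP (RFC 1350) packet helpers and a read-only client.

Added example, not code from the original post or from dnsmasq. A read
request (RRQ) is answered with DATA blocks that the client ACKs; a write
request (WRQ) sent to dnsmasq is answered with an ERROR packet carrying
error code 4 ("Illegal TFTP operation"), which the tftp client prints as
"Error code 4: unsupported request ...". Host, file names and the sample
packet below are constructed for this example.
"""
import socket
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
ERR_ILLEGAL_OP = 4      # RFC 1350 error code 4: Illegal TFTP operation
BLOCK_SIZE = 512        # RFC 1350 block size; tftp-no-blocksize keeps dnsmasq here

# Constructed sample: the ERROR packet behind the failed "put" shown above.
SAMPLE_ERROR = struct.pack("!HH", OP_ERROR, ERR_ILLEGAL_OP) + b"unsupported request from 172.31.0.25\0"


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: opcode(2) | filename | NUL | mode | NUL."""
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_ack(block):
    """ACK: opcode(2) | block number(2); block numbers wrap at 16 bits."""
    return struct.pack("!HH", OP_ACK, block & 0xFFFF)


def parse_packet(data):
    """Decode a TFTP packet into (opcode, payload)."""
    if len(data) < 4:
        raise ValueError("short TFTP packet")
    opcode = struct.unpack("!H", data[:2])[0]
    if opcode == OP_DATA:
        block = struct.unpack("!H", data[2:4])[0]
        return opcode, (block, data[4:])
    if opcode == OP_ACK:
        return opcode, struct.unpack("!H", data[2:4])[0]
    if opcode == OP_ERROR:
        code = struct.unpack("!H", data[2:4])[0]
        msg = data[4:].split(b"\0", 1)[0].decode(errors="replace")
        return opcode, (code, msg)
    if opcode in (OP_RRQ, OP_WRQ):
        filename, mode = data[2:].split(b"\0")[:2]
        return opcode, (filename.decode(), mode.decode())
    raise ValueError(f"unknown opcode {opcode}")


def tftp_get(host, filename, port=69, timeout=3.0):
    """Fetch filename from a TFTP server; raises on an ERROR packet."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    out = bytearray()
    expected = 1
    try:
        sock.sendto(build_request(OP_RRQ, filename), (host, port))
        while True:
            # The server answers from a fresh port (its transfer ID); ACKs go there.
            data, peer = sock.recvfrom(4 + BLOCK_SIZE)
            opcode, payload = parse_packet(data)
            if opcode == OP_ERROR:
                code, msg = payload
                raise RuntimeError(f"Error code {code}: {msg}")
            if opcode != OP_DATA:
                raise RuntimeError(f"unexpected opcode {opcode}")
            block, chunk = payload
            if block == (expected & 0xFFFF):
                out += chunk
                expected += 1
            sock.sendto(build_ack(block), peer)   # re-ACK duplicates, never skip ahead
            if len(chunk) < BLOCK_SIZE:           # a short block ends the transfer
                return bytes(out)
    finally:
        sock.close()


if __name__ == "__main__":
    opcode, (code, msg) = parse_packet(SAMPLE_ERROR)
    print(f"WRQ answered with opcode {opcode}: Error code {code}: {msg}")
    # Against a live server (address assumed): print(tftp_get("172.31.0.144", "file_server.txt"))
```

Note that the client deliberately sends no options, so the 512-byte block size of RFC 1350 applies whether or not the server has tftp-no-blocksize set; a WRQ built with build_request(OP_WRQ, ...) would get the ERROR packet shown in SAMPLE_ERROR back from dnsmasq.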

If you enabled the tftp-secure option in the configuration file, then you have to make sure that the files to be downloaded are owned by the user dnsmasq runs as. On Debian/Ubuntu the packaged service runs it as user dnsmasq (the upstream default is nobody, and a user= line in the configuration overrides either), so check with ps -o user= -C dnsmasq. Assuming user dnsmasq, any file that should be downloadable (e.g. file_server.txt) has to be owned by dnsmasq. Here is how you set that up:

$> chown dnsmasq file_server.txt
$> ls -l
total 4
-rw-r--r-- 1 dnsmasq root 18 Nov 11 11:52 file_server.txt
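Rather than finding out at boot time which files tftp-secure withholds, it is handy to audit the tftp-root up front. The following is an added example (my own code, not part of the original post or of dnsmasq): it models the serving rules stated in the dnsmasq man page for the tftp-secure option above and for the chown step here. The root path, the user name and the sample files are assumptions.

```python
"""Audit a dnsmasq tftp-root before exposing it.

Added example, not part of the original post or of dnsmasq itself. It models
the serving rules from the dnsmasq man page: with tftp-secure a file is served
only if it is owned by the user dnsmasq runs as; if dnsmasq runs as root,
tftp-secure has no effect and only world-readable files are served; without
tftp-secure, any file the dnsmasq uid/gid can read is served. Since TFTP has
no authentication, "served" means readable by every host that can reach UDP
port 69. Root path, user name and sample files are assumptions.
"""
import os
import pwd
import stat
import tempfile


def classify(mode, st_uid, st_gid, proc_uid, proc_gid, secure):
    """Return 'served' or a 'withheld: ...' reason for one file's stat fields."""
    if proc_uid == 0:                       # running as root: tftp-secure is ignored
        return "served" if mode & stat.S_IROTH else "withheld: not world-readable (root rule)"
    if secure:
        if st_uid != proc_uid:
            return "withheld: not owned by the dnsmasq user (tftp-secure)"
        return "served" if mode & stat.S_IRUSR else "withheld: owner read bit not set"
    if st_uid == proc_uid:
        readable = mode & stat.S_IRUSR
    elif st_gid == proc_gid:
        readable = mode & stat.S_IRGRP
    else:
        readable = mode & stat.S_IROTH
    return "served" if readable else "withheld: not readable by the dnsmasq uid/gid"


def audit_root(root, proc_uid, proc_gid, secure=True):
    """Map each file under root (relative path) to its expected TFTP status."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)              # follows symlinks, as open() in the server would
            rel = os.path.relpath(path, root)
            if not stat.S_ISREG(st.st_mode):
                report[rel] = "withheld: not a regular file"
                continue
            report[rel] = classify(st.st_mode, st.st_uid, st.st_gid, proc_uid, proc_gid, secure)
    return report


def audit_as_user(root, user="dnsmasq", secure=True):
    """Resolve the service user (check yours with: ps -o user= -C dnsmasq) and audit."""
    pw = pwd.getpwnam(user)
    return audit_root(root, pw.pw_uid, pw.pw_gid, secure)


def audit_sample():
    """Build a throwaway tftp-root owned by the current user and audit it as that user."""
    with tempfile.TemporaryDirectory() as root:
        served = os.path.join(root, "file_server.txt")     # constructed sample file
        hidden = os.path.join(root, "no_read_bits.bin")     # constructed sample file
        for p in (served, hidden):
            with open(p, "w") as fh:
                fh.write("sample\n")
        os.chmod(served, 0o644)
        os.chmod(hidden, 0o000)     # unreadable by everyone: withheld under every rule
        return audit_root(root, os.getuid(), os.getgid(), secure=True)


if __name__ == "__main__":
    for name, status in sorted(audit_sample().items()):
        print(f"{name}: {status}")
    # On a real box (path and user assumed): audit_as_user("/var/ftpd", "dnsmasq")
```

audit_as_user("/var/ftpd", "dnsmasq") is the call to run after the chown above; a file reported as "withheld: not owned by the dnsmasq user" is exactly one that will fail with tftp-secure enabled, and one reported as "served" is readable by anybody on the network.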

That's it for dnsmasq's TFTP. It's a fairly easy setup (like most TFTP servers), and it's read-only because PXE booting only needs to read from the TFTP server. Stay tuned: the next couple of Linux-related blog posts will be about dnsmasq's DHCP and PXE.