version 1.1.1.2, 2014/06/15 16:31:38
|
version 1.1.1.4, 2021/03/17 00:56:46
|
Line 1
|
Line 1
|
|
version 2.83 |
|
Use the values of --min-port and --max-port in outgoing |
|
TCP connections to upstream DNS servers. |
|
|
|
Fix a remote buffer overflow problem in the DNSSEC code. Any |
|
dnsmasq with DNSSEC compiled in and enabled is vulnerable to this, |
|
referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 |
|
CVE-2020-25687. |
|
|
|
Be sure to only accept UDP DNS query replies at the address |
|
from which the query was originated. This keeps as much entropy |
|
in the {query-ID, random-port} tuple as possible, to help defeat |
|
cache poisoning attacks. Refer: CVE-2020-25684. |
|
|
|
Use the SHA-256 hash function to verify that DNS answers |
|
received are for the questions originally asked. This replaces |
|
the slightly insecure SHA-1 (when compiled with DNSSEC) or |
|
the very insecure CRC32 (otherwise). Refer: CVE-2020-25685. |
|
|
|
Handle multiple identical near simultaneous DNS queries better. |
|
Previously, such queries would all be forwarded |
|
independently. This is, in theory, inefficent but in practise |
|
not a problem, _except_ that is means that an answer for any |
|
of the forwarded queries will be accepted and cached. |
|
An attacker can send a query multiple times, and for each repeat, |
|
another {port, ID} becomes capable of accepting the answer he is |
|
sending in the blind, to random IDs and ports. The chance of a |
|
succesful attack is therefore multiplied by the number of repeats |
|
of the query. The new behaviour detects repeated queries and |
|
merely stores the clients sending repeats so that when the |
|
first query completes, the answer can be sent to all the |
|
clients who asked. Refer: CVE-2020-25686. |
|
|
|
|
|
version 2.82 |
|
Improve behaviour in the face of network interfaces which come |
|
and go and change index. Thanks to Petr Mensik for the patch. |
|
|
|
Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user |
|
to a warning. |
|
|
|
Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in --dhcp-option. |
|
|
|
Fix crash under heavy TCP connection load introduced in 2.81. |
|
Thanks to Frank for good work chasing this down. |
|
|
|
Change default lease time for DHCPv6 to one day. |
|
|
|
Alter calculation of preferred and valid times in router |
|
advertisements, so that these do not have a floor applied |
|
of the lease time in the dhcp-range if this is not explicitly |
|
specified and is merely the default. |
|
Thanks to Martin-Éric Racine for suggestions on this. |
|
|
|
|
|
version 2.81 |
|
Improve cache behaviour for TCP connections. For ease of |
|
implementation, dnsmasq has always forked a new process to handle |
|
each incoming TCP connection. A side-effect of this is that |
|
any DNS queries answered from TCP connections are not cached: |
|
when TCP connections were rare, this was not a problem. |
|
With the coming of DNSSEC, it is now the case that some |
|
DNSSEC queries have answers which spill to TCP, and if, |
|
for instance, this applies to the keys for the root, then |
|
those never get cached, and performance is very bad. |
|
This fix passes cache entries back from the TCP child process to |
|
the main server process, and fixes the problem. |
|
|
|
Remove the NO_FORK compile-time option, and support for uclinux. |
|
In an era where everything has an MMU, this looks like |
|
an anachronism, and it adds to (Ok, multiplies!) the |
|
combinatorial explosion of compile-time options. Thanks to |
|
Kevin Darbyshire-Bryant for the patch. |
|
|
|
Fix line-counting when reading /etc/hosts and friends; for |
|
correct error messages. Thanks to Christian Rosentreter |
|
for reporting this. |
|
|
|
Fix bug in DNS non-terminal code, added in 2.80, which could |
|
sometimes cause a NODATA rather than an NXDOMAIN reply. |
|
Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski |
|
for spotting and diagnosing the bug and providing patches. |
|
|
|
Support TCP-fastopen (RFC-7413) on both incoming and |
|
outgoing TCP connections, if supported and enabled in the OS. |
|
|
|
Improve kernel-capability manipulation code under Linux. Dnsmasq |
|
now fails early if a required capability is not available, and |
|
tries not to request capabilities not required by its |
|
configuration. |
|
|
|
Add --shared-network config. This enables allocation of addresses |
|
by the DHCP server in subnets where the server (or relay) does not |
|
have an interface on the network in that subnet. Many thanks to |
|
kamp.de for sponsoring this feature. |
|
|
|
Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet |
|
validation check got borked in commit 2b38e382 and release 2.80. |
|
Thanks to Tomasz Szajner for spotting this. |
|
|
|
Fix compilation against nettle version 3.5 and later. |
|
|
|
Fix spurious DNSSEC validation failures when the auth section |
|
of a reply contains unsigned RRs from a signed zone, |
|
with the exception that NSEC and NSEC3 RRs must always be signed. |
|
Thanks to Tore Anderson for spotting and diagnosing the bug. |
|
|
|
Add --dhcp-ignore-clid. This disables reading of DHCP client |
|
identifier option (option 61), so clients are only identified by |
|
MAC addresses. |
|
|
|
Fix a bug which stopped --dhcp-name-match from working when a hostname |
|
is supplied in --dhcp-host. Thanks to James Feeney for spotting this. |
|
|
|
Fix bug which caused very rarely caused zero-length DHCPv6 packets. |
|
Thanks to Dereck Higgins for spotting this. |
|
|
|
Add --tftp-single-port option. |
|
|
|
Enhance --conf-dir to load files in a deterministic order. Thanks to |
|
Evgenii Seliavka for the suggestion and initial patch. |
|
|
|
In the router advert code, handle case where we have two |
|
different interfaces on the same IPv6 net, and we are doing |
|
RA/DHCP service on only one of them. Thanks to NIIBE Yutaka |
|
for spotting this case and making the initial patch. |
|
|
|
Support prefixed ranges of ipv6 addresses in dhcp-host. |
|
This eases problems chain-netbooting, where each link in the |
|
chain requests an address using a different UID. With a single |
|
address, only one gets the "static" address, but with this |
|
fix, enough addresses can be reserved for all the stages of the |
|
boot. Many thanks to Harald Jensås for his work on this idea and |
|
earlier patches. |
|
|
|
Add filtering by tag of --dhcp-host directives. Based on a patch |
|
by Harald Jensås. |
|
|
|
Allow empty server spec in --rev-server, to match --server. |
|
|
|
Remove DSA signature verification from DNSSEC, as specified in |
|
RFC 8624. Thanks to Loganaden Velvindron for the original patch. |
|
|
|
Add --script-on-renewal option. |
|
|
|
|
|
version 2.80 |
|
Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method |
|
for the initial patch and motivation. |
|
|
|
Alter the default for dnssec-check-unsigned. Versions of |
|
dnsmasq prior to 2.80 defaulted to not checking unsigned |
|
replies, and used --dnssec-check-unsigned to switch |
|
this on. Such configurations will continue to work as before, |
|
but those which used the default of no checking will need to be |
|
altered to explicitly select no checking. The new default is |
|
because switching off checking for unsigned replies is |
|
inherently dangerous. Not only does it open the possiblity of forged |
|
replies, but it allows everything to appear to be working even |
|
when the upstream namesevers do not support DNSSEC, and in this |
|
case no DNSSEC validation at all is occuring. |
|
|
|
Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip |
|
are set. Thanks to Daniel Miess for help with this. |
|
|
|
Add a facilty to store DNS packets sent/recieved in a |
|
pcap-format file for later debugging. The file location |
|
is given by the --dumpfile option, and a bitmap controlling |
|
which packets should be dumped is given by the --dumpmask |
|
option. |
|
|
|
Handle the case of both standard and constructed dhcp-ranges on the |
|
same interface better. We don't now contruct a dhcp-range if there's |
|
already one specified. This allows the specified interface to |
|
have different parameters and avoids advertising the same |
|
prefix twice. Thanks to Luis Marsano for spotting this case. |
|
|
|
Allow zone transfer in authoritative mode if auth-peer is specified, |
|
even if auth-sec-servers is not. Thanks to Raphaël Halimi for |
|
the suggestion. |
|
|
|
Fix bug which sometimes caused dnsmasq to wrongly return answers |
|
without DNSSEC RRs to queries with the do-bit set, but only when |
|
DNSSEC validation was not enabled. |
|
Thanks to Petr Menšík for spotting this. |
|
|
|
Fix missing fatal errors with some malformed options |
|
(server, local, address, rebind-domain-ok, ipset, alias). |
|
Thanks to Eugene Lozovoy for spotting the problem. |
|
|
|
Fix crash on startup with a --synth-domain which has no prefix. |
|
Introduced in 2.79. Thanks to Andreas Engel for the bug report. |
|
|
|
Fix missing EDNS0 section in some replies generated by local |
|
DNS configuration which confused systemd-resolvd. Thanks to |
|
Steve Dodd for characterising the problem. |
|
|
|
Add --dhcp-name-match config option. |
|
|
|
Add --caa-record config option. |
|
|
|
Implement --address=/example.com/# as (more efficient) syntactic |
|
sugar for --address=/example.com/0.0.0.0 and |
|
--address=/example.com/:: |
|
Returning null addresses is a useful technique for ad-blocking. |
|
Thanks to Peter Russell for the suggestion. |
|
|
|
Change anti cache-snooping behaviour with queries with the |
|
recursion-desired bit unset. Instead to returning SERVFAIL, we |
|
now always forward, and never answer from the cache. This |
|
allows "dig +trace" command to work. |
|
|
|
Include in the example config file a formulation which |
|
stops DHCP clients from claiming the DNS name "wpad". |
|
This is a fix for the CERT Vulnerability VU#598349. |
|
|
|
|
|
version 2.79 |
|
Fix parsing of CNAME arguments, which are confused by extra spaces. |
|
Thanks to Diego Aguirre for spotting the bug. |
|
|
|
Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind |
|
upstream servers to an interface, rather than SO_BINDTODEVICE. |
|
Thanks to Beniamino Galvani for the patch. |
|
|
|
Always return a SERVFAIL answer to DNS queries without the |
|
recursion desired bit set, UNLESS acting as an authoritative |
|
DNS server. This avoids a potential route to cache snooping. |
|
|
|
Add support for Ed25519 signatures in DNSSEC validation. |
|
|
|
No longer support RSA/MD5 signatures in DNSSEC validation, |
|
since these are not secure. This behaviour is mandated in |
|
RFC-6944. |
|
|
|
Fix incorrect error exit code from dhcp_release6 utility. |
|
Thanks Gaudenz Steinlin for the bug report. |
|
|
|
Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC |
|
time validation when --dnssec-no-timecheck is in use. |
|
Note that this is an incompatible change from earlier releases. |
|
|
|
Allow more than one --bridge-interface option to refer to an |
|
interface, so that we can use |
|
--bridge-interface=int1,alias1 |
|
--bridge-interface=int1,alias2 |
|
as an alternative to |
|
--bridge-interface=int1,alias1,alias2 |
|
Thanks to Neil Jerram for work on this. |
|
|
|
Fix for DNSSEC with wildcard-derived NSEC records. |
|
It's OK for NSEC records to be expanded from wildcards, |
|
but in that case, the proof of non-existence is only valid |
|
starting at the wildcard name, *.<domain> NOT the name expanded |
|
from the wildcard. Without this check it's possible for an |
|
attacker to craft an NSEC which wrongly proves non-existence. |
|
Thanks to Ralph Dolmans for finding this, and co-ordinating |
|
the vulnerability tracking and fix release. |
|
CVE-2017-15107 applies. |
|
|
|
Remove special handling of A-for-A DNS queries. These |
|
are no longer a significant problem in the global DNS. |
|
http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf |
|
Thanks to Mattias Hellström for the initial patch. |
|
|
|
Fix failure to delete dynamically created dhcp options |
|
from files in -dhcp-optsdir directories. Thanks to |
|
Lindgren Fredrik for the bug report. |
|
|
|
Add to --synth-domain the ability to create names using |
|
sequential numbers, as well as encodings of IP addresses. |
|
For instance, |
|
--synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-* |
|
creates 21 domain names of the form |
|
internal-4.thekelleys.org.uk over the address range given, with |
|
internal-0.thekelleys.org.uk being 192.168.0.50 and |
|
internal-20.thekelleys.org.uk being 192.168.0.70 |
|
Thanks to Andy Hawkins for the suggestion. |
|
|
|
Tidy up Crypto code, removing workarounds for ancient |
|
versions of libnettle. We now require libnettle 3. |
|
|
|
|
|
version 2.78 |
|
Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris |
|
Novakovic for the patch. |
|
|
|
Revert ping-check of address in DHCPDISCOVER if there |
|
already exists a lease for the address. Under some |
|
circumstances, and netbooted windows installation can reply |
|
to pings before if has a DHCP lease and block allocation |
|
of the address it already used during netboot. Thanks to |
|
Jan Psota for spotting this. |
|
|
|
Fix DHCP relaying, broken in 2.76 and 2.77 by commit |
|
ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to |
|
John Fitzgibbon for the diagnosis and patch. |
|
|
|
Try other servers if first returns REFUSED when |
|
--strict-order active. Thanks to Hans Dedecker |
|
for the patch |
|
|
|
Fix regression in 2.77, ironically added as a security |
|
improvement, which resulted in a crash when a DNS |
|
query exceeded 512 bytes (or the EDNS0 packet size, |
|
if different.) Thanks to Christian Kujau, Arne Woerner |
|
Juan Manuel Fernandez and Kevin Darbyshire-Bryant for |
|
chasing this one down. CVE-2017-13704 applies. |
|
|
|
Fix heap overflow in DNS code. This is a potentially serious |
|
security hole. It allows an attacker who can make DNS |
|
requests to dnsmasq, and who controls the contents of |
|
a domain, which is thereby queried, to overflow |
|
(by 2 bytes) a heap buffer and either crash, or |
|
even take control of, dnsmasq. |
|
CVE-2017-14491 applies. |
|
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana |
|
Kevin Hamacher and Ron Bowes of the Google Security Team for |
|
finding this. |
|
|
|
Fix heap overflow in IPv6 router advertisement code. |
|
This is a potentially serious security hole, as a |
|
crafted RA request can overflow a buffer and crash or |
|
control dnsmasq. Attacker must be on the local network. |
|
CVE-2017-14492 applies. |
|
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana |
|
and Kevin Hamacher of the Google Security Team for |
|
finding this. |
|
|
|
Fix stack overflow in DHCPv6 code. An attacker who can send |
|
a DHCPv6 request to dnsmasq can overflow the stack frame and |
|
crash or control dnsmasq. |
|
CVE-2017-14493 applies. |
|
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana |
|
Kevin Hamacher and Ron Bowes of the Google Security Team for |
|
finding this. |
|
|
|
Fix information leak in DHCPv6. A crafted DHCPv6 packet can |
|
cause dnsmasq to forward memory from outside the packet |
|
buffer to a DHCPv6 server when acting as a relay. |
|
CVE-2017-14494 applies. |
|
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana |
|
Kevin Hamacher and Ron Bowes of the Google Security Team for |
|
finding this. |
|
|
|
Fix DoS in DNS. Invalid boundary checks in the |
|
add_pseudoheader function allows a memcpy call with negative |
|
size An attacker which can send malicious DNS queries |
|
to dnsmasq can trigger a DoS remotely. |
|
dnsmasq is vulnerable only if one of the following option is |
|
specified: --add-mac, --add-cpe-id or --add-subnet. |
|
CVE-2017-14496 applies. |
|
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana |
|
Kevin Hamacher and Ron Bowes of the Google Security Team for |
|
finding this. |
|
|
|
Fix out-of-memory Dos vulnerability. An attacker which can |
|
send malicious DNS queries to dnsmasq can trigger memory |
|
allocations in the add_pseudoheader function |
|
The allocated memory is never freed which leads to a DoS |
|
through memory exhaustion. dnsmasq is vulnerable only |
|
if one of the following option is specified: |
|
--add-mac, --add-cpe-id or --add-subnet. |
|
CVE-2017-14495 applies. |
|
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana |
|
Kevin Hamacher and Ron Bowes of the Google Security Team for |
|
finding this. |
|
|
|
|
|
version 2.77 |
|
Generate an error when configured with a CNAME loop, |
|
rather than a crash. Thanks to George Metz for |
|
spotting this problem. |
|
|
|
Calculate the length of TFTP error reply packet |
|
correctly. This fixes a problem when the error |
|
message in a TFTP packet exceeds the arbitrary |
|
limit of 500 characters. The message was correctly |
|
truncated, but not the packet length, so |
|
extra data was appended. This is a possible |
|
security risk, since the extra data comes from |
|
a buffer which is also used for DNS, so that |
|
previous DNS queries or replies may be leaked. |
|
Thanks to Mozilla for funding the security audit |
|
which spotted this bug. |
|
|
|
Fix logic error in Linux netlink code. This could |
|
cause dnsmasq to enter a tight loop on systems |
|
with a very large number of network interfaces. |
|
Thanks to Ivan Kokshaysky for the diagnosis and |
|
patch. |
|
|
|
Fix problem with --dnssec-timestamp whereby receipt |
|
of SIGHUP would erroneously engage timestamp checking. |
|
Thanks to Kevin Darbyshire-Bryant for this work. |
|
|
|
Bump zone serial on reloading /etc/hosts and friends |
|
when providing authoritative DNS. Thanks to Harrald |
|
Dunkel for spotting this. |
|
|
|
Handle v4-mapped IPv6 addresses sanely in --synth-domain. |
|
These have standard representation like ::ffff:1.2.3.4 |
|
and are now converted to names like |
|
<prefix>--ffff-1-2-3-4.<domain> |
|
|
|
Handle binding upstream servers to an interface |
|
(--server=1.2.3.4@eth0) when the named interface |
|
is destroyed and recreated in the kernel. Thanks to |
|
Beniamino Galvani for the patch. |
|
|
|
Allow wildcard CNAME records in authoritative zones. |
|
For example --cname=*.example.com,default.example.com |
|
Thanks to Pro Backup for sponsoring this development. |
|
|
|
Bump the allowed backlog of TCP connections from 5 to 32, |
|
and make this a compile-time configurable option. Thanks |
|
to Donatas Abraitis for diagnosing this as a potential |
|
problem. |
|
|
|
Add DNSMASQ_REQUESTED_OPTIONS environment variable to the |
|
lease-change script. Thanks to ZHAO Yu for the patch. |
|
|
|
Fix foobar in rrfilter code, that could cause malformed |
|
replies, especially when DNSSEC validation on, and |
|
the upstream server returns answer with the RRs in a |
|
particular order. The only DNS server known to tickle |
|
this is Nominum's. Thanks to Dave Täht for spotting the |
|
bug and assisting in the fix. |
|
|
|
Fix the manpage which lied that only the primary address |
|
of an interface is used by --interface-name. |
|
|
|
Make --localise-queries apply to names from --interface-name. |
|
Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen |
|
for pushing this. |
|
|
|
Improve connection handling when talking to TCP upstream |
|
servers. Specifically, be prepared to open a new TCP |
|
connection when we want to make multiple queries |
|
but the upstream server accepts fewer queries per connection. |
|
|
|
Improve logging of upstream servers when there are a lot |
|
of "local addresses only" entries. Thanks to Hannu Nyman for |
|
the patch. |
|
|
|
Make --bogus-priv apply to IPv6, for the prefixes specified |
|
in RFC6303. Thanks to Kevin Darbyshire-Bryant for work on this. |
|
|
|
Allow use of MAC addresses with --tftp-unique-root. Thanks |
|
to Floris Bos for the patch. |
|
|
|
Add --dhcp-reply-delay option. Thanks to Floris Bos |
|
for the patch. |
|
|
|
Add mtu setting facility to --ra-param. Thanks to David |
|
Flamand for the patch. |
|
|
|
Capture STDOUT and STDERR output from dhcp-script and log |
|
it as part of the dnsmasq log stream. Makes life easier |
|
for diagnosing unexpected problems in scripts. |
|
Thanks to Petr Mensik for the patch. |
|
|
|
Generate fatal errors when failing to parse the output |
|
of the dhcp-script in "init" mode. Avoids strange errors |
|
when the script accidentally emits error messages. |
|
Thanks to Petr Mensik for the patch. |
|
|
|
Make --rev-server for an RFC1918 subnet work even in the |
|
presence of the --bogus-priv flag. Thanks to |
|
Vladislav Grishenko for the patch. |
|
|
|
Extend --ra-param mtu: field to allow an interface name. |
|
This allows the MTU of a WAN interface to be advertised on |
|
the internal interfaces of a router. Thanks to |
|
Vladislav Grishenko for the patch. |
|
|
|
Do ICMP-ping check for address-in-use for DHCPv4 when |
|
the client specifies an address in DHCPDISCOVER, and when |
|
an address in configured locally. Thanks to Alin Năstac |
|
for spotting the problem. |
|
|
|
Add new DHCP tag "known-othernet" which is set when only a |
|
dhcp-host exists for another subnet. Can be used to ensure |
|
that privileged hosts are not given "guest" addresses by |
|
accident. Thanks to Todd Sanket for the suggestion. |
|
|
|
Remove historic automatic inclusion of IDN support when |
|
building internationalisation support. This doesn't |
|
fit now there is a choice of IDN libraries. Be sure |
|
to include either -DHAVE_IDN or -DHAVE_LIBIDN2 for |
|
IDN support. |
|
|
|
|
|
version 2.76 |
|
Include 0.0.0.0/8 in DNS rebind checks. This range |
|
translates to hosts on the local network, or, at |
|
least, 0.0.0.0 accesses the local host, so could |
|
be targets for DNS rebinding. See RFC 5735 section 3 |
|
for details. Thanks to Stephen Röttger for the bug report. |
|
|
|
Enhance --add-subnet to allow arbitrary subnet addresses. |
|
Thanks to Ed Barsley for the patch. |
|
|
|
Respect the --no-resolv flag in inotify code. Fixes bug |
|
which caused dnsmasq to fail to start if a resolv-file |
|
was a dangling symbolic link, even of --no-resolv set. |
|
Thanks to Alexander Kurtz for spotting the problem. |
|
|
|
Fix crash when an A or AAAA record is defined locally, |
|
in a hosts file, and an upstream server sends a reply |
|
that the same name is empty. Thanks to Edwin Török for |
|
the patch. |
|
|
|
Fix failure to correctly calculate cache-size when |
|
reading a hosts-file fails. Thanks to André Glüpker |
|
for the patch. |
|
|
|
Fix wrong answer to simple name query when --domain-needed |
|
set, but no upstream servers configured. Dnsmasq returned |
|
REFUSED, in this case, when it should be the same as when |
|
upstream servers are configured - NOERROR. Thanks to |
|
Allain Legacy for spotting the problem. |
|
|
|
Return REFUSED when running out of forwarding table slots, |
|
not SERVFAIL. |
|
|
|
Add --max-port configuration. Thanks to Hans Dedecker for |
|
the patch. |
|
|
|
Add --script-arp and two new functions for the dhcp-script. |
|
These are "arp" and "arp-old" which announce the arrival and |
|
removal of entries in the ARP or neighbour tables. |
|
|
|
Extend --add-mac to allow a new encoding of the MAC address |
|
as base64, by configuring --add-mac=base64 |
|
|
|
Add --add-cpe-id option. |
|
|
|
Don't crash with divide-by-zero if an IPv6 dhcp-range |
|
is declared as a whole /64. |
|
(ie xx::0 to xx::ffff:ffff:ffff:ffff) |
|
Thanks to Laurent Bendel for spotting this problem. |
|
|
|
Add support for a TTL parameter in --host-record and |
|
--cname. |
|
|
|
Add --dhcp-ttl option. |
|
|
|
Add --tftp-mtu option. Thanks to Patrick McLean for the |
|
initial patch. |
|
|
|
Check return-code of inet_pton() when parsing dhcp-option. |
|
Bad addresses could fail to generate errors and result in |
|
garbage dhcp-options being sent. Thanks to Marc Branchaud |
|
for spotting this. |
|
|
|
Fix wrong value for EDNS UDP packet size when using |
|
--servers-file to define upstream DNS servers. Thanks to |
|
Scott Bonar for the bug report. |
|
|
|
Move the dhcp_release and dhcp_lease_time tools from |
|
contrib/wrt to contrib/lease-tools. |
|
|
|
Add dhcp_release6 to contrib/lease-tools. Many thanks |
|
to Sergey Nechaev for this code. |
|
|
|
To avoid filling logs in configurations which define |
|
many upstream nameservers, don't log more that 30 servers. |
|
The number to be logged can be changed as SERVERS_LOGGED |
|
in src/config.h. |
|
|
|
Swap the values if BC_EFI and x86-64_EFI in --pxe-service. |
|
These were previously wrong due to an error in RFC 4578. |
|
If you're using BC_EFI to boot 64-bit EFI machines, you |
|
will need to update your config. |
|
|
|
Add ARM32_EFI and ARM64_EFI as valid architectures in |
|
--pxe-service. |
|
|
|
Fix PXE booting for UEFI architectures. Modify PXE boot |
|
sequence in this case to force the client to talk to dnsmasq |
|
over port 4011. This makes PXE and especially proxy-DHCP PXE |
|
work with these architectures. |
|
|
|
Workaround problems with UEFI PXE clients. There exist |
|
in the wild PXE clients which have problems with PXE |
|
boot menus. To work around this, when there's a single |
|
--pxe-service which applies to client, then that target |
|
will be booted directly, rather then sending a |
|
single-item boot menu. |
|
|
|
Many thanks to Jarek Polok, Michael Kuron and Dreamcat4 |
|
for their work on the long-standing UEFI PXE problem. |
|
|
|
Subtle change in the semantics of "basename" in |
|
--pxe-service. The historical behaviour has always been |
|
that the actual filename downloaded from the TFTP server |
|
is <basename>.<layer> where <layer> is an integer which |
|
corresponds to the layer parameter supplied by the client. |
|
It's not clear what the function of the "layer" |
|
actually is in the PXE protocol, and in practise layer |
|
is always zero, so the filename is <basename>.0 |
|
The new behaviour is the same as the old, except when |
|
<basename> includes a file suffix, in which case |
|
the layer suffix is no longer added. This allows |
|
sensible suffices to be used, rather then the |
|
meaningless ".0". Only in the unlikely event that you |
|
have a config with a basename which already has a |
|
suffix, is this an incompatible change, since the file |
|
downloaded will change from name.suffix.0 to just |
|
name.suffix |
|
|
|
|
|
version 2.75 |
|
Fix reversion on 2.74 which caused 100% CPU use when a |
|
dhcp-script is configured. Thanks to Adrian Davey for |
|
reporting the bug and testing the fix. |
|
|
|
|
|
version 2.74 |
|
Fix reversion in 2.73 where --conf-file would attempt to |
|
read the default file, rather than no file. |
|
|
|
Fix inotify code to handle dangling symlinks better and |
|
not SEGV in some circumstances. |
|
|
|
DNSSEC fix. In the case of a signed CNAME generated by a |
|
wildcard which pointed to an unsigned domain, the wrong |
|
status would be logged, and some necessary checks omitted. |
|
|
|
|
|
version 2.73 |
|
Fix crash at startup when an empty suffix is supplied to |
|
--conf-dir, also trivial memory leak. Thanks to |
|
Tomas Hozza for spotting this. |
|
|
|
Remove floor of 4096 on advertised EDNS0 packet size when |
|
DNSSEC in use, the original rationale for this has long gone. |
|
Thanks to Anders Kaseorg for spotting this. |
|
|
|
Use inotify for checking on updates to /etc/resolv.conf and |
|
friends under Linux. This fixes race conditions when the files are |
|
updated rapidly and saves CPU by noy polling. To build |
|
a binary that runs on old Linux kernels without inotify, |
|
use make COPTS=-DNO_INOTIFY |
|
|
|
Fix breakage of --domain=<domain>,<subnet>,local - only reverse |
|
queries were intercepted. THis appears to have been broken |
|
since 2.69. Thanks to Josh Stone for finding the bug. |
|
|
|
Eliminate IPv6 privacy addresses and deprecated addresses from |
|
the answers given by --interface-name. Note that reverse queries |
|
(ie looking for names, given addresses) are not affected. |
|
Thanks to Michael Gorbach for the suggestion. |
|
|
|
Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids |
|
for the bug report. |
|
|
|
Add --ignore-address option. Ignore replies to A-record |
|
queries which include the specified address. No error is |
|
generated, dnsmasq simply continues to listen for another |
|
reply. This is useful to defeat blocking strategies which |
|
rely on quickly supplying a forged answer to a DNS |
|
request for certain domains, before the correct answer can |
|
arrive. Thanks to Glen Huang for the patch. |
|
|
|
Revisit the part of DNSSEC validation which determines if an |
|
unsigned answer is legit, or is in some part of the DNS |
|
tree which should be signed. Dnsmasq now works from the |
|
DNS root downward looking for the limit of signed |
|
delegations, rather than working bottom up. This is |
|
both more correct, and less likely to trip over broken |
|
nameservers in the unsigned parts of the DNS tree |
|
which don't respond well to DNSSEC queries. |
|
|
|
Add --log-queries=extra option, which makes logs easier |
|
to search automatically. |
|
|
|
Add --min-cache-ttl option. I've resisted this for a long |
|
time, on the grounds that disbelieving TTLs is never a |
|
good idea, but I've been persuaded that there are |
|
sometimes reasons to do it. (Step forward, GFW). |
|
To avoid misuse, there's a hard limit on the TTL |
|
floor of one hour. Thanks to RinSatsuki for the patch. |
|
|
|
Cope with multiple interfaces with the same link-local |
|
address. (IPv6 addresses are scoped, so this is allowed.) |
|
Thanks to Cory Benfield for help with this. |
|
|
|
Add --dhcp-hostsdir. This allows addition of new host |
|
configurations to a running dnsmasq instance much more |
|
cheaply than having dnsmasq re-read all its existing |
|
configuration each time. |
|
|
|
Don't reply to DHCPv6 SOLICIT messages if we're not |
|
configured to do stateful DHCPv6. Thanks to Win King Wan |
|
for the patch. |
|
|
|
Fix broken DNSSEC validation of ECDSA signatures. |
|
|
|
Add --dnssec-timestamp option, which provides an automatic |
|
way to detect when the system time becomes valid after |
|
boot on systems without an RTC, whilst allowing DNS |
|
queries before the clock is valid so that NTP can run. |
|
Thanks to Kevin Darbyshire-Bryant for developing this idea. |
|
|
|
Add --tftp-no-fail option. Thanks to Stefan Tomanek for |
|
the patch. |
|
|
|
Fix crash caused by looking up servers.bind, CHAOS text |
|
record, when more than about five --servers= lines are |
|
in the dnsmasq config. This causes memory corruption |
|
which causes a crash later. Thanks to Matt Coddington for |
|
sterling work chasing this down. |
|
|
|
Fix crash on receipt of certain malformed DNS requests. |
|
Thanks to Nick Sampanis for spotting the problem. |
|
Note that this is could allow the dnsmasq process's |
|
memory to be read by an attacker under certain |
|
circumstances, so it has a CVE, CVE-2015-3294 |
|
|
|
Fix crash in authoritative DNS code, if a .arpa zone |
|
is declared as authoritative, and then a PTR query which |
|
is not to be treated as authoritative arrived. Normally, |
|
directly declaring .arpa zone as authoritative is not |
|
done, so this crash wouldn't be seen. Instead the |
|
relevant .arpa zone should be specified as a subnet |
|
in the auth-zone declaration. Thanks to Johnny S. Lee |
|
for the bugreport and initial patch. |
|
|
|
Fix authoritative DNS code to correctly reply to NS |
|
and SOA queries for .arpa zones for which we are |
|
declared authoritative by means of a subnet in auth-zone. |
|
Previously we provided correct answers to PTR queries |
|
in such zones (including NS and SOA) but not direct |
|
NS and SOA queries. Thanks to Johnny S. Lee for |
|
pointing out the problem. |
|
|
|
Fix logging of DHCPREPLY which should be suppressed |
|
by quiet-dhcp6. Thanks to J. Pablo Abonia for |
|
spotting the problem. |
|
|
|
Try and handle net connections with broken fragmentation |
|
that lose large UDP packets. If a server times out, |
|
reduce the maximum UDP packet size field in the EDNS0 |
|
header to 1280 bytes. If it then answers, make that |
|
change permanent. |
|
|
|
Check IPv4-mapped IPv6 addresses when --stop-rebind |
|
is active. Thanks to Jordan Milne for spotting this. |
|
|
|
Allow DHCPv4 options T1 and T2 to be set using --dhcp-option. |
|
Thanks to Kevin Benton for patches and work on this. |
|
|
|
Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses |
|
in the correct subnet, even of not in dynamic address |
|
allocation range. Thanks to Steve Hirsch for spotting |
|
the problem. |
|
|
|
Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks |
|
to Nicolas Cavallari for the patch. |
|
|
|
Allow configuration of router advertisements without the |
|
"on-link" bit set. Thanks to Neil Jerram for the patch. |
|
|
|
Extend --bridge-interface to DHCPv6 and router |
|
advertisements. Thanks to Neil Jerram for the patch. |
|
|
|
|
|
version 2.72 |
|
Add ra-advrouter mode, for RFC-3775 mobile IPv6 support. |
|
|
|
Add support for "ipsets" in *BSD, using pf. Thanks to |
|
Sven Falempin for the patch. |
|
|
|
Fix race condition which could lock up dnsmasq when an |
|
interface goes down and up rapidly. Thanks to Conrad |
|
Kostecki for helping to chase this down. |
|
|
|
Add DBus methods SetFilterWin2KOption and SetBogusPrivOption |
|
Thanks to the Smoothwall project for the patch. |
|
|
|
Fix failure to build against Nettle-3.0. Thanks to Steven |
|
Barth for spotting this and finding the fix. |
|
|
|
When assigning existing DHCP leases to interfaces by comparing |
|
networks, handle the case that two or more interfaces have the |
|
same network part, but different prefix lengths (favour the |
|
longer prefix length.) Thanks to Lung-Pin Chang for the |
|
patch. |
|
|
|
Add a mode which detects and removes DNS forwarding loops, ie |
|
a query sent to an upstream server returns as a new query to |
|
dnsmasq, and would therefore be forwarded again, resulting in |
|
a query which loops many times before being dropped. Upstream |
|
servers which loop back are disabled and this event is logged. |
|
Thanks to Smoothwall for their sponsorship of this feature. |
|
|
|
Extend --conf-dir to allow filtering of files. So |
|
--conf-dir=/etc/dnsmasq.d,\*.conf |
|
will load all the files in /etc/dnsmasq.d which end in .conf |
|
|
|
Fix bug when resulted in NXDOMAIN answers instead of NODATA in |
|
some circumstances. |
|
|
|
Fix bug which caused dnsmasq to become unresponsive if it |
|
failed to send packets due to a network interface disappearing. |
|
Thanks to Niels Peen for spotting this. |
|
|
|
Fix problem with --local-service option on big-endian platforms |
|
Thanks to Richard Genoud for the patch. |
|
|
|
|
version 2.71 |
version 2.71 |
Subtle change to error handling to help DNSSEC validation | Subtle change to error handling to help DNSSEC validation |
when servers fail to provide NODATA answers for | when servers fail to provide NODATA answers for |
non-existent DS records. | non-existent DS records. |
|
|
Tweak code which removes DNSSEC records from answers when | Tweak code which removes DNSSEC records from answers when |
not required. Fixes broken answers when additional section | not required. Fixes broken answers when additional section |
has real records in it. Thanks to Marco Davids for the bug | has real records in it. Thanks to Marco Davids for the bug |
report. | report. |
|
|
Fix DNSSEC validation of ANY queries. Thanks to Marco Davids | Fix DNSSEC validation of ANY queries. Thanks to Marco Davids |
for spotting that too. | for spotting that too. |
|
|
Fix total DNS failure and 100% CPU use if cachesize set to zero, | Fix total DNS failure and 100% CPU use if cachesize set to zero, |
regression introduced in 2.69. Thanks to James Hunt and | regression introduced in 2.69. Thanks to James Hunt and |
the Ubuntu crowd for assistance in fixing this. | the Ubuntu crowd for assistance in fixing this. |
|
|
|
|
version 2.70 |
version 2.70 |
Fix crash, introduced in 2.69, on TCP request when dnsmasq | Fix crash, introduced in 2.69, on TCP request when dnsmasq |
compiled with DNSSEC support, but running without DNSSEC | compiled with DNSSEC support, but running without DNSSEC |
enabled. Thanks to Manish Sing for spotting that one. | enabled. Thanks to Manish Sing for spotting that one. |
|
|
Fix regression which broke ipset functionality. Thanks to | Fix regression which broke ipset functionality. Thanks to |
Wang Jian for the bug report. | Wang Jian for the bug report. |
|
|
|
|
version 2.69 |
version 2.69 |
Implement dynamic interface discovery on *BSD. This allows | Implement dynamic interface discovery on *BSD. This allows |
the contructor: syntax to be used in dhcp-range for DHCPv6 | the constructor: syntax to be used in dhcp-range for DHCPv6 |
on the BSD platform. Thanks to Matthias Andree for | on the BSD platform. Thanks to Matthias Andree for |
valuable research on how to implement this. | valuable research on how to implement this. |
|
|
Fix infinite loop associated with some --bogus-nxdomain | Fix infinite loop associated with some --bogus-nxdomain |
configs. Thanks fogobogo for the bug report. | configs. Thanks fogobogo for the bug report. |
|
|
Fix missing RA RDNS option with configuration like | Fix missing RA RDNS option with configuration like |
--dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer | --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer |
for spotting the problem. | for spotting the problem. |
|
|
Add [fd00::] and [fe80::] as special addresses in DHCPv6 | Add [fd00::] and [fe80::] as special addresses in DHCPv6 |
options, analogous to [::]. [fd00::] is replaced with the | options, analogous to [::]. [fd00::] is replaced with the |
actual ULA of the interface on the machine running | actual ULA of the interface on the machine running |
dnsmasq, [fe80::] with the link-local address. | dnsmasq, [fe80::] with the link-local address. |
Thanks to Tsachi Kimeldorfer for championing this. | Thanks to Tsachi Kimeldorfer for championing this. |
|
|
DNSSEC validation and caching. Dnsmasq needs to be | DNSSEC validation and caching. Dnsmasq needs to be |
compiled with this enabled, with | compiled with this enabled, with |
| |
make dnsmasq COPTS=-DHAVE_DNSSEC | |
| |
this add dependencies on the nettle crypto library and the | |
gmp maths library. It's possible to have these linked | |
statically with | |
| |
make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC' | |
| |
which bloats the dnsmasq binary, but saves the size of | |
the shared libraries which are much bigger. | |
|
|
To enable, DNSSEC, you will need a set of | make dnsmasq COPTS=-DHAVE_DNSSEC |
trust-anchors. Now that the TLDs are signed, this can be | |
the keys for the root zone, and for convenience they are | |
included in trust-anchors.conf in the dnsmasq | |
distribution. You should of course check that these are | |
legitimate and up-to-date. So, adding | |
| |
conf-file=/path/to/trust-anchors.conf | |
dnssec | |
|
|
to your config is all thats needed to get things | this adds dependencies on the nettle crypto library and the |
working. The upstream nameservers have to be DNSSEC-capable | gmp maths library. It's possible to have these linked |
too, of course. Many ISP nameservers aren't, but the | statically with |
Google public nameservers (8.8.8.8 and 8.8.4.4) are. | |
When DNSSEC is configured, dnsmasq validates any queries | |
for domains which are signed. Query results which are | |
bogus are replaced with SERVFAIL replies, and results | |
which are correctly signed have the AD bit set. In | |
addition, and just as importantly, dnsmasq supplies | |
correct DNSSEC information to clients which are doing | |
their own validation, and caches DNSKEY, DS and RRSIG | |
records, which significantly improve the performance of | |
downstream validators. Setting --log-queries will show | |
DNSSEC in action. | |
|
|
If a domain is returned from an upstream nameserver without | make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC' |
DNSSEC signature, dnsmasq by default trusts this. This | |
means that for unsigned zone (still the majority) there | |
is effectively no cost for having DNSSEC enabled. Of course | |
this allows an attacker to replace a signed record with a | |
false unsigned record. This is addressed by the | |
--dnssec-check-unsigned flag, which instructs dnsmasq | |
to prove that an unsigned record is legitimate, by finding | |
a secure proof that the zone containing the record is not | |
signed. Doing this has costs (typically one or two extra | |
upstream queries). It also has a nasty failure mode if | |
dnsmasq's upstream nameservers are not DNSSEC capable. | |
Without --dnssec-check-unsigned using such an upstream | |
server will simply result in not queries being validated; | |
with --dnssec-check-unsigned enabled and a | |
DNSSEC-ignorant upstream server, _all_ queries will fail. | |
|
|
Note that DNSSEC requires that the local time is valid and | which bloats the dnsmasq binary, but saves the size of |
accurate, if not then DNSSEC validation will fail. NTP | the shared libraries which are much bigger. |
should be running. This presents a problem for routers | |
without a battery-backed clock. To set the time needs NTP | |
to do DNS lookups, but lookups will fail until NTP has run. | |
To address this, there's a flag, --dnssec-no-timecheck | |
which disables the time checks (only) in DNSSEC. When dnsmasq | |
is started and the clock is not synced, this flag should | |
be used. As soon as the clock is synced, SIGHUP dnsmasq. | |
The SIGHUP clears the cache of partially-validated data and | |
resets the no-timecheck flag, so that all DNSSEC checks | |
henceforward will be complete. | |
| |
The development of DNSSEC in dnsmasq was started by | |
Giovanni Bajo, to whom huge thanks are owed. It has been | |
supported by Comcast, whose techfund grant has allowed for | |
an invaluable period of full-time work to get it to | |
a workable state. | |
| |
Add --rev-server. Thanks to Dave Taht for suggesting this. | |
| |
Add --servers-file. Allows dynamic update of upstream servers | |
full access to configuration. | |
|
|
Add --local-service. Accept DNS queries only from hosts | To enable, DNSSEC, you will need a set of |
whose address is on a local subnet, ie a subnet for which | trust-anchors. Now that the TLDs are signed, this can be |
an interface exists on the server. This option | the keys for the root zone, and for convenience they are |
only has effect if there are no --interface --except-interface, | included in trust-anchors.conf in the dnsmasq |
--listen-address or --auth-server options. It is intended | distribution. You should of course check that these are |
to be set as a default on installation, to allow | legitimate and up-to-date. So, adding |
unconfigured installations to be useful but also safe from | |
being used for DNS amplification attacks. | |
|
|
Fix crashes in cache_get_cname_target() when dangling CNAMEs | conf-file=/path/to/trust-anchors.conf |
encountered. Thanks to Andy and the rt-n56u project for | dnssec |
find this and helping to chase it down. | |
|
|
Fix wrong RCODE in authoritative DNS replies to PTR queries. The | to your config is all that's needed to get things |
correct answer was included, but the RCODE was set to NXDOMAIN. | working. The upstream nameservers have to be DNSSEC-capable |
Thanks to Craig McQueen for spotting this. | too, of course. Many ISP nameservers aren't, but the |
| Google public nameservers (8.8.8.8 and 8.8.4.4) are. |
| When DNSSEC is configured, dnsmasq validates any queries |
| for domains which are signed. Query results which are |
| bogus are replaced with SERVFAIL replies, and results |
| which are correctly signed have the AD bit set. In |
| addition, and just as importantly, dnsmasq supplies |
| correct DNSSEC information to clients which are doing |
| their own validation, and caches DNSKEY, DS and RRSIG |
| records, which significantly improve the performance of |
| downstream validators. Setting --log-queries will show |
| DNSSEC in action. |
|
|
Make statistics available as DNS queries in the .bind TLD as | If a domain is returned from an upstream nameserver without |
well as logging them. | DNSSEC signature, dnsmasq by default trusts this. This |
| means that for unsigned zone (still the majority) there |
| is effectively no cost for having DNSSEC enabled. Of course |
| this allows an attacker to replace a signed record with a |
| false unsigned record. This is addressed by the |
| --dnssec-check-unsigned flag, which instructs dnsmasq |
| to prove that an unsigned record is legitimate, by finding |
| a secure proof that the zone containing the record is not |
| signed. Doing this has costs (typically one or two extra |
| upstream queries). It also has a nasty failure mode if |
| dnsmasq's upstream nameservers are not DNSSEC capable. |
| Without --dnssec-check-unsigned using such an upstream |
| server will simply result in not queries being validated; |
| with --dnssec-check-unsigned enabled and a |
| DNSSEC-ignorant upstream server, _all_ queries will fail. |
|
|
|
Note that DNSSEC requires that the local time is valid and |
|
accurate, if not then DNSSEC validation will fail. NTP |
|
should be running. This presents a problem for routers |
|
without a battery-backed clock. To set the time needs NTP |
|
to do DNS lookups, but lookups will fail until NTP has run. |
|
To address this, there's a flag, --dnssec-no-timecheck |
|
which disables the time checks (only) in DNSSEC. When dnsmasq |
|
is started and the clock is not synced, this flag should |
|
be used. As soon as the clock is synced, SIGHUP dnsmasq. |
|
The SIGHUP clears the cache of partially-validated data and |
|
resets the no-timecheck flag, so that all DNSSEC checks |
|
henceforward will be complete. |
|
|
|
The development of DNSSEC in dnsmasq was started by |
|
Giovanni Bajo, to whom huge thanks are owed. It has been |
|
supported by Comcast, whose techfund grant has allowed for |
|
an invaluable period of full-time work to get it to |
|
a workable state. |
|
|
|
Add --rev-server. Thanks to Dave Taht for suggesting this. |
|
|
|
Add --servers-file. Allows dynamic update of upstream servers |
|
full access to configuration. |
|
|
|
Add --local-service. Accept DNS queries only from hosts |
|
whose address is on a local subnet, ie a subnet for which |
|
an interface exists on the server. This option |
|
only has effect if there are no --interface --except-interface, |
|
--listen-address or --auth-server options. It is intended |
|
to be set as a default on installation, to allow |
|
unconfigured installations to be useful but also safe from |
|
being used for DNS amplification attacks. |
|
|
|
Fix crashes in cache_get_cname_target() when dangling CNAMEs |
|
encountered. Thanks to Andy and the rt-n56u project for |
|
find this and helping to chase it down. |
|
|
|
Fix wrong RCODE in authoritative DNS replies to PTR queries. The |
|
correct answer was included, but the RCODE was set to NXDOMAIN. |
|
Thanks to Craig McQueen for spotting this. |
|
|
|
Make statistics available as DNS queries in the .bind TLD as |
|
well as logging them. |
|
|
|
|
version 2.68 |
version 2.68 |
Use random addresses for DHCPv6 temporary address | Use random addresses for DHCPv6 temporary address |
allocations, instead of algorithmically determined stable | allocations, instead of algorithmically determined stable |
addresses. | addresses. |
|
|
Fix bug which meant that the DHCPv6 DUID was not available | Fix bug which meant that the DHCPv6 DUID was not available |
in DHCP script runs during the lifetime of the dnsmasq | in DHCP script runs during the lifetime of the dnsmasq |
process which created the DUID de-novo. Once the DUID was | process which created the DUID de-novo. Once the DUID was |
created and stored in the lease file and dnsmasq | created and stored in the lease file and dnsmasq |
restarted, this bug disappeared. | restarted, this bug disappeared. |
|
|
Fix bug introduced in 2.67 which could result in erroneous | Fix bug introduced in 2.67 which could result in erroneous |
NXDOMAIN returns to CNAME queries. | NXDOMAIN returns to CNAME queries. |
|
|
Fix build failures on MacOS X and openBSD. | Fix build failures on MacOS X and openBSD. |
|
|
Allow subnet specifications in --auth-zone to be interface | Allow subnet specifications in --auth-zone to be interface |
names as well as address literals. This makes it possible | names as well as address literals. This makes it possible |
to configure authoritative DNS when local address ranges | to configure authoritative DNS when local address ranges |
are dynamic and works much better than the previous | are dynamic and works much better than the previous |
work-around which exempted contructed DHCP ranges from the | work-around which exempted constructed DHCP ranges from the |
IP address filtering. As a consequence, that work-around | IP address filtering. As a consequence, that work-around |
is removed. Under certain circumstances, this change wil | is removed. Under certain circumstances, this change wil |
break existing configuration: if you're relying on the | break existing configuration: if you're relying on the |
contructed-range exception, you need to change --auth-zone | constructed-range exception, you need to change --auth-zone |
to specify the same interface as is used to construct your | to specify the same interface as is used to construct your |
DHCP ranges, probably with a trailing "/6" like this: | DHCP ranges, probably with a trailing "/6" like this: |
--auth-zone=example.com,eth0/6 to limit the addresses to | --auth-zone=example.com,eth0/6 to limit the addresses to |
IPv6 addresses of eth0. | IPv6 addresses of eth0. |
|
|
Fix problems when advertising deleted IPv6 prefixes. If | Fix problems when advertising deleted IPv6 prefixes. If |
the prefix is deleted (rather than replaced), it doesn't | the prefix is deleted (rather than replaced), it doesn't |
get advertised with zero preferred time. Thanks to Tsachi | get advertised with zero preferred time. Thanks to Tsachi |
for the bug report. | for the bug report. |
|
|
Fix segfault with some locally configured CNAMEs. Thanks | Fix segfault with some locally configured CNAMEs. Thanks |
to Andrew Childs for spotting the problem. | to Andrew Childs for spotting the problem. |
|
|
Fix memory leak on re-reading /etc/hosts and friends, | Fix memory leak on re-reading /etc/hosts and friends, |
introduced in 2.67. | introduced in 2.67. |
|
|
Check the arrival interface of incoming DNS and TFTP | Check the arrival interface of incoming DNS and TFTP |
requests via IPv6, even in --bind-interfaces mode. This | requests via IPv6, even in --bind-interfaces mode. This |
isn't possible for IPv4 and can generate scary warnings, | isn't possible for IPv4 and can generate scary warnings, |
but as it's always possible for IPv6 (the API always | but as it's always possible for IPv6 (the API always |
exists) then we should do it always. | exists) then we should do it always. |
| |
Tweak the rules on prefix-lengths in --dhcp-range for | |
IPv6. The new rule is that the specified prefix length | |
must be larger than or equal to the prefix length of the | |
corresponding address on the local interface. | |
|
|
|
Tweak the rules on prefix-lengths in --dhcp-range for |
|
IPv6. The new rule is that the specified prefix length |
|
must be larger than or equal to the prefix length of the |
|
corresponding address on the local interface. |
|
|
|
|
version 2.67 |
version 2.67 |
Fix crash if upstream server returns SERVFAIL when | Fix crash if upstream server returns SERVFAIL when |
--conntrack in use. Thanks to Giacomo Tazzari for finding | --conntrack in use. Thanks to Giacomo Tazzari for finding |
this and supplying the patch. | this and supplying the patch. |
|
|
Repair regression in 2.64. That release stopped sending | Repair regression in 2.64. That release stopped sending |
lease-time information in the reply to DHCPINFORM | lease-time information in the reply to DHCPINFORM |
requests, on the correct grounds that it was a standards | requests, on the correct grounds that it was a standards |
violation. However, this broke the dnsmasq-specific | violation. However, this broke the dnsmasq-specific |
dhcp_lease_time utility. Now, DHCPINFORM returns | dhcp_lease_time utility. Now, DHCPINFORM returns |
lease-time only if it's specifically requested | lease-time only if it's specifically requested |
(maintaining standards) and the dhcp_lease_time utility | (maintaining standards) and the dhcp_lease_time utility |
has been taught to ask for it (restoring functionality). | has been taught to ask for it (restoring functionality). |
|
|
Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass | Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass |
to work with BOOTP and well as DHCP. Thanks to Peter | to work with BOOTP and well as DHCP. Thanks to Peter |
Korsgaard for spotting the problem. | Korsgaard for spotting the problem. |
|
|
Add --synth-domain. Thanks to Vishvananda Ishaya for | Add --synth-domain. Thanks to Vishvananda Ishaya for |
suggesting this. | suggesting this. |
|
|
Fix failure to compile ipset.c if old kernel headers are | Fix failure to compile ipset.c if old kernel headers are |
in use. Thanks to Eugene Rudoy for pointing this out. | in use. Thanks to Eugene Rudoy for pointing this out. |
|
|
Handle IPv4 interface-address labels in Linux. These are | Handle IPv4 interface-address labels in Linux. These are |
often used to emulate the old IP-alias addresses. Before, | often used to emulate the old IP-alias addresses. Before, |
using --interface=eth0 would service all the addresses of | using --interface=eth0 would service all the addresses of |
eth0, including ones configured as aliases, which appear | eth0, including ones configured as aliases, which appear |
in ifconfig as eth0:0. Now, only addresses with the label | in ifconfig as eth0:0. Now, only addresses with the label |
eth0 are active. This is not backwards compatible: if you | eth0 are active. This is not backwards compatible: if you |
want to continue to bind the aliases too, you need to add | want to continue to bind the aliases too, you need to add |
eg. --interface=eth0:0 to the config. | eg. --interface=eth0:0 to the config. |
| |
Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket | |
operation on non-socket" error on startup with | |
configurations which have exactly one --interface option | |
and do RA but _not_ DHCPv6. Thanks to Trever Adams for the | |
bug report. | |
|
|
Generalise --interface-name to cope with IPv6 addresses | Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket |
and multiple addresses per interface per address family. | operation on non-socket" error on startup with |
| configurations which have exactly one --interface option |
| and do RA but _not_ DHCPv6. Thanks to Trever Adams for the |
| bug report. |
|
|
Fix option parsing for --dhcp-host, which was generating a | Generalise --interface-name to cope with IPv6 addresses |
spurious error when all seven possible items were | and multiple addresses per interface per address family. |
included. Thanks to Zhiqiang Wang for the bug report. | |
|
|
Remove restriction on prefix-length in --auth-zone. Thanks | Fix option parsing for --dhcp-host, which was generating a |
to Toke Hoiland-Jorgensen for suggesting this. | spurious error when all seven possible items were |
| included. Thanks to Zhiqiang Wang for the bug report. |
|
|
Log when the maximum number of concurrent DNS queries is | Remove restriction on prefix-length in --auth-zone. Thanks |
reached. Thanks to Marcelo Salhab Brogliato for the patch. | to Toke Hoiland-Jorgensen for suggesting this. |
|
|
If wildcards are used in --interface, don't assume that | Log when the maximum number of concurrent DNS queries is |
there will only ever be one available interface for DHCP | reached. Thanks to Marcelo Salhab Brogliato for the patch. |
just because there is one at start-up. More may appear, so | |
we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug | |
report. | |
|
|
Increase timeout/number of retries in TFTP to accomodate | If wildcards are used in --interface, don't assume that |
AudioCodes Voice Gateways doing streaming writes to flash. | there will only ever be one available interface for DHCP |
Thanks to Damian Kaczkowski for spotting the problem. | just because there is one at start-up. More may appear, so |
| we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug |
| report. |
|
|
Fix crash with empty DHCP string options when adding zero | Increase timeout/number of retries in TFTP to accommodate |
terminator. Thanks to Patrick McLean for the bug report. | AudioCodes Voice Gateways doing streaming writes to flash. |
| Thanks to Damian Kaczkowski for spotting the problem. |
|
|
Allow hostnames to start with a number, as allowed in | Fix crash with empty DHCP string options when adding zero |
RFC-1123. Thanks to Kyle Mestery for the patch. | terminator. Thanks to Patrick McLean for the bug report. |
|
|
Fixes to DHCP FQDN option handling: don't terminate FQDN | Allow hostnames to start with a number, as allowed in |
if domain not known and allow a FQDN option with blank | RFC-1123. Thanks to Kyle Mestery for the patch. |
name to request that a FQDN option is returned in the | |
reply. Thanks to Roy Marples for the patch. | |
|
|
Make --clear-on-reload apply to setting upstream servers | Fixes to DHCP FQDN option handling: don't terminate FQDN |
via DBus too. | if domain not known and allow a FQDN option with blank |
| name to request that a FQDN option is returned in the |
| reply. Thanks to Roy Marples for the patch. |
|
|
When the address which triggered the construction of an | Make --clear-on-reload apply to setting upstream servers |
advertised IPv6 prefix disappears, continue to advertise | via DBus too. |
the prefix for up to 2 hours, with the preferred lifetime | |
set to zero. This satisfies RFC 6204 4.3 L-13 and makes | |
things work better if a prefix disappears without being | |
deprecated first. Thanks to Uwe Schindler for persuasively | |
arguing for this. | |
|
|
Fix MAC address enumeration on *BSD. Thanks to Brad Smith | When the address which triggered the construction of an |
for the bug report. | advertised IPv6 prefix disappears, continue to advertise |
| the prefix for up to 2 hours, with the preferred lifetime |
| set to zero. This satisfies RFC 6204 4.3 L-13 and makes |
| things work better if a prefix disappears without being |
| deprecated first. Thanks to Uwe Schindler for persuasively |
| arguing for this. |
|
|
Support RFC-4242 information-refresh-time options in the | Fix MAC address enumeration on *BSD. Thanks to Brad Smith |
reply to DHCPv6 information-request. The lease time of the | for the bug report. |
smallest valid dhcp-range is sent. Thanks to Uwe Schindler | |
for suggesting this. | |
|
|
Make --listen-address higher priority than --except-interface | Support RFC-4242 information-refresh-time options in the |
in all circumstances. Thanks to Thomas Hood for the bugreport. | reply to DHCPv6 information-request. The lease time of the |
| smallest valid dhcp-range is sent. Thanks to Uwe Schindler |
| for suggesting this. |
|
|
Provide independent control over which interfaces get TFTP | Make --listen-address higher priority than --except-interface |
service. If enable-tftp is given a list of interfaces, then TFTP | in all circumstances. Thanks to Thomas Hood for the bugreport. |
is provided on those. Without the list, the previous behaviour | |
(provide TFTP to the same interfaces we provide DHCP to) | |
is retained. Thanks to Lonnie Abelbeck for the suggestion. | |
|
|
Add --dhcp-relay config option. Many thanks to vtsl.net | Provide independent control over which interfaces get TFTP |
for sponsoring this development. | service. If enable-tftp is given a list of interfaces, then TFTP |
| is provided on those. Without the list, the previous behaviour |
| (provide TFTP to the same interfaces we provide DHCP to) |
| is retained. Thanks to Lonnie Abelbeck for the suggestion. |
|
|
Fix crash with empty tag: in --dhcp-range. Thanks to | Add --dhcp-relay config option. Many thanks to vtsl.net |
Kaspar Schleiser for the bug report. | for sponsoring this development. |
|
|
Add "baseline" and "bloatcheck" makefile targets, for | Fix crash with empty tag: in --dhcp-range. Thanks to |
revealing size changes during development. Thanks to | Kaspar Schleiser for the bug report. |
Vladislav Grishenko for the patch. | |
|
|
Cope with DHCPv6 clients which send REQUESTs without | Add "baseline" and "bloatcheck" makefile targets, for |
address options - treat them as SOLICIT with rapid commit. | revealing size changes during development. Thanks to |
| Vladislav Grishenko for the patch. |
|
|
Support identification of clients by MAC address in | Cope with DHCPv6 clients which send REQUESTs without |
DHCPv6. When using a relay, the relay must support RFC | address options - treat them as SOLICIT with rapid commit. |
6939 for this to work. It always works for directly | |
connected clients. Thanks to Vladislav Grishenko | |
for prompting this feature. | |
| |
Remove the rule for constructed DHCP ranges that the local | |
address must be either the first or last address in the | |
range. This was originally to avoid SLAAC addresses, but | |
we now explicitly autoconfig and privacy addresses instead. | |
|
|
Update Polish translation. Thanks to Jan Psota. | Support identification of clients by MAC address in |
| DHCPv6. When using a relay, the relay must support RFC |
| 6939 for this to work. It always works for directly |
| connected clients. Thanks to Vladislav Grishenko |
| for prompting this feature. |
|
|
Fix problem in DHCPv6 vendorclass/userclass matching | Remove the rule for constructed DHCP ranges that the local |
code. Thanks to Tanguy Bouzeloc for the patch. | address must be either the first or last address in the |
| range. This was originally to avoid SLAAC addresses, but |
| we now explicitly autoconfig and privacy addresses instead. |
|
|
Update Spanish transalation. Thanks to Vicente Soriano. | Update Polish translation. Thanks to Jan Psota. |
|
|
Add --ra-param option. Thanks to Vladislav Grishenko for | Fix problem in DHCPv6 vendorclass/userclass matching |
inspiration on this. | code. Thanks to Tanguy Bouzeloc for the patch. |
|
|
Add --add-subnet configuration, to tell upstream DNS | Update Spanish translation. Thanks to Vicente Soriano. |
servers where the original client is. Thanks to DNSthingy | |
for sponsoring this feature. | |
|
|
Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to | Add --ra-param option. Thanks to Vladislav Grishenko for |
Kevin Darbyshire-Bryant for the initial patch. | inspiration on this. |
|
|
Allow A/AAAA records created by --interface-name to be the | Add --add-subnet configuration, to tell upstream DNS |
target of --cname. Thanks to Hadmut Danisch for the | servers where the original client is. Thanks to DNSthingy |
suggestion. | for sponsoring this feature. |
|
|
Avoid treating a --dhcp-host which has an IPv6 address | Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to |
as eligable for use with DHCPv4 on the grounds that it has | Kevin Darbyshire-Bryant for the initial patch. |
no address, and vice-versa. Thanks to Yury Konovalov for | |
spotting the problem. | |
|
|
Do a better job caching dangling CNAMEs. Thanks to Yves | Allow A/AAAA records created by --interface-name to be the |
Dorfsman for spotting the problem. | target of --cname. Thanks to Hadmut Danisch for the |
| suggestion. |
|
|
| Avoid treating a --dhcp-host which has an IPv6 address |
| as eligible for use with DHCPv4 on the grounds that it has |
| no address, and vice-versa. Thanks to Yury Konovalov for |
| spotting the problem. |
| |
| Do a better job caching dangling CNAMEs. Thanks to Yves |
| Dorfsman for spotting the problem. |
| |
| |
version 2.66 |
version 2.66 |
Add the ability to act as an authoritative DNS | Add the ability to act as an authoritative DNS |
server. Dnsmasq can now answer queries from the wider 'net | server. Dnsmasq can now answer queries from the wider 'net |
with local data, as long as the correct NS records are set | with local data, as long as the correct NS records are set |
up. Only local data is provided, to avoid creating an open | up. Only local data is provided, to avoid creating an open |
DNS relay. Zone transfer is supported, to allow secondary | DNS relay. Zone transfer is supported, to allow secondary |
servers to be configured. | servers to be configured. |
|
|
Add "constructed DHCP ranges" for DHCPv6. This is intended | Add "constructed DHCP ranges" for DHCPv6. This is intended |
for IPv6 routers which get prefixes dynamically via prefix | for IPv6 routers which get prefixes dynamically via prefix |
delegation. With suitable configuration, stateful DHCPv6 | delegation. With suitable configuration, stateful DHCPv6 |
and RA can happen automatically as prefixes are delegated | and RA can happen automatically as prefixes are delegated |
and then deprecated, without having to re-write the | and then deprecated, without having to re-write the |
dnsmasq configuration file or restart the daemon. Thanks to | dnsmasq configuration file or restart the daemon. Thanks to |
Steven Barth for extensive testing and development work on | Steven Barth for extensive testing and development work on |
this idea. | this idea. |
|
|
Fix crash on startup on Solaris 11. Regression probably | Fix crash on startup on Solaris 11. Regression probably |
introduced in 2.61. Thanks to Geoff Johnstone for the | introduced in 2.61. Thanks to Geoff Johnstone for the |
patch. | patch. |
|
|
Add code to make behaviour for TCP DNS requests that same | Add code to make behaviour for TCP DNS requests that same |
as for UDP requests, when a request arrives for an allowed | as for UDP requests, when a request arrives for an allowed |
address, but via a banned interface. This change is only | address, but via a banned interface. This change is only |
active on Linux, since the relevant API is missing (AFAIK) | active on Linux, since the relevant API is missing (AFAIK) |
on other platforms. Many thanks to Tomas Hozza for | on other platforms. Many thanks to Tomas Hozza for |
spotting the problem, and doing invaluable discovery of | spotting the problem, and doing invaluable discovery of |
the obscure and undocumented API required for the solution. | the obscure and undocumented API required for the solution. |
|
|
Don't send the default DHCP option advertising dnsmasq as | Don't send the default DHCP option advertising dnsmasq as |
the local DNS server if dnsmasq is configured to not act | the local DNS server if dnsmasq is configured to not act |
as DNS server, or it's configured to a non-standard port. | as DNS server, or it's configured to a non-standard port. |
| |
Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBCRIBER_ID, | |
DNSMASQ_REMOTE_ID variables to the environment of the | |
lease-change script (and the corresponding Lua). These hold | |
information inserted into the DHCP request by a DHCP relay | |
agent. Thanks to Lakefield Communications for providing a | |
bounty for this addition. | |
| |
Fixed crash, introduced in 2.64, whilst handling DHCPv6 | |
information-requests with some common configurations. | |
Thanks to Robert M. Albrecht for the bug report and | |
chasing the problem. | |
|
|
Add --ipset option. Thanks to Jason A. Donenfeld for the | Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID, |
patch. | DNSMASQ_REMOTE_ID variables to the environment of the |
| lease-change script (and the corresponding Lua). These hold |
| information inserted into the DHCP request by a DHCP relay |
| agent. Thanks to Lakefield Communications for providing a |
| bounty for this addition. |
|
|
Don't erroneously reject some option names in --dhcp-match | Fixed crash, introduced in 2.64, whilst handling DHCPv6 |
options. Thanks to Benedikt Hochstrasser for the bug report. | information-requests with some common configurations. |
| Thanks to Robert M. Albrecht for the bug report and |
Allow a trailing '*' wildcard in all interface-name | chasing the problem. |
configurations. Thanks to Christian Parpart for the patch. | |
|
|
Handle the situation where libc headers define | Add --ipset option. Thanks to Jason A. Donenfeld for the |
SO_REUSEPORT, but the kernel in use doesn't, to cope with | patch. |
the introduction of this option to Linux. Thanks to Rich | |
Felker for the bug report. | |
|
|
Update Polish translation. Thanks to Jan Psota. | Don't erroneously reject some option names in --dhcp-match |
| options. Thanks to Benedikt Hochstrasser for the bug report. |
|
|
Fix crash if the configured DHCP lease limit is | Allow a trailing '*' wildcard in all interface-name |
reached. Regression occurred in 2.61. Thanks to Tsachi for | configurations. Thanks to Christian Parpart for the patch. |
the bug report. | |
| |
Update the French translation. Thanks to Gildas le Nadan. | |
|
|
| Handle the situation where libc headers define |
| SO_REUSEPORT, but the kernel in use doesn't, to cope with |
| the introduction of this option to Linux. Thanks to Rich |
| Felker for the bug report. |
| |
| Update Polish translation. Thanks to Jan Psota. |
| |
| Fix crash if the configured DHCP lease limit is |
| reached. Regression occurred in 2.61. Thanks to Tsachi for |
| the bug report. |
| |
| Update the French translation. Thanks to Gildas le Nadan. |
| |
| |
version 2.65 |
version 2.65 |
Fix regression which broke forwarding of queries sent via | Fix regression which broke forwarding of queries sent via |
TCP which are not for A and AAAA and which were directed to | TCP which are not for A and AAAA and which were directed to |
non-default servers. Thanks to Niax for the bug report. | non-default servers. Thanks to Niax for the bug report. |
|
|
Fix failure to build with DHCP support excluded. Thanks to | Fix failure to build with DHCP support excluded. Thanks to |
Gustavo Zacarias for the patch. | Gustavo Zacarias for the patch. |
| |
Fix nasty regression in 2.64 which completely broke cacheing. | |
|
|
|
Fix nasty regression in 2.64 which completely broke caching. |
|
|
|
|
version 2.64 |
version 2.64 |
Handle DHCP FQDN options with all flag bits zero and | Handle DHCP FQDN options with all flag bits zero and |
--dhcp-client-update set. Thanks to Bernd Krumbroeck for | --dhcp-client-update set. Thanks to Bernd Krumbroeck for |
spotting the problem. | spotting the problem. |
|
|
Finesse the check for /etc/hosts names which conflict with | Finesse the check for /etc/hosts names which conflict with |
DHCP names. Previously a name/address pair in /etc/hosts | DHCP names. Previously a name/address pair in /etc/hosts |
which didn't match the name/address of a DHCP lease would | which didn't match the name/address of a DHCP lease would |
generate a warning. Now that only happesn if there is not | generate a warning. Now that only happens if there is not |
also a match. This allows multiple addresses for a name in | also a match. This allows multiple addresses for a name in |
/etc/hosts with one of them assigned via DHCP. | /etc/hosts with one of them assigned via DHCP. |
|
|
Fix broken vendor-option processing for BOOTP. Thanks to | Fix broken vendor-option processing for BOOTP. Thanks to |
Hans-Joachim Baader for the bug report. | Hans-Joachim Baader for the bug report. |
|
|
Don't report spurious netlink errors, regression in | Don't report spurious netlink errors, regression in |
2.63. Thanks to Vladislav Grishenko for the patch. | 2.63. Thanks to Vladislav Grishenko for the patch. |
|
|
Flag DHCP or DHCPv6 in starup logging. Thanks to | Flag DHCP or DHCPv6 in startup logging. Thanks to |
Vladislav Grishenko for the patch. | Vladislav Grishenko for the patch. |
|
|
Add SetServersEx method in DBus interface. Thanks to Dan | Add SetServersEx method in DBus interface. Thanks to Dan |
Williams for the patch. | Williams for the patch. |
|
|
Add SetDomainServers method in DBus interface. Thanks to | Add SetDomainServers method in DBus interface. Thanks to |
Roy Marples for the patch. | Roy Marples for the patch. |
|
|
Fix build with later Lua libraries. Thansk to Cristian | Fix build with later Lua libraries. Thanks to Cristian |
Rodriguez for the patch. | Rodriguez for the patch. |
|
|
Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker | Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker |
for the patch. | for the patch. |
|
|
Fix breakage of --host-record parsing, resulting in | Fix breakage of --host-record parsing, resulting in |
infinte loop at startup. Regression in 2.63. Thanks to | infinite loop at startup. Regression in 2.63. Thanks to |
Haim Gelfenbeyn for spotting this. | Haim Gelfenbeyn for spotting this. |
|
|
Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6 | Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6 |
socket, this allows multiple instances of dnsmasq on a | socket, this allows multiple instances of dnsmasq on a |
single machine, in the same way as for DHCPv4. Thanks to | single machine, in the same way as for DHCPv4. Thanks to |
Gene Czarcinski and Vladislav Grishenko for work on this. | Gene Czarcinski and Vladislav Grishenko for work on this. |
|
|
Fix DHCPv6 to do access control correctly when it's | Fix DHCPv6 to do access control correctly when it's |
configured with --listen-address. Thanks to | configured with --listen-address. Thanks to |
Gene Czarcinski for sorting this out. | Gene Czarcinski for sorting this out. |
|
|
Add a "wildcard" dhcp-range which works for any IPv6 | Add a "wildcard" dhcp-range which works for any IPv6 |
subnet, --dhcp-range=::,static Useful for Stateless | subnet, --dhcp-range=::,static Useful for Stateless |
DHCPv6. Thanks to Vladislav Grishenko for the patch. | DHCPv6. Thanks to Vladislav Grishenko for the patch. |
|
|
Don't include lease-time in DHCPACK replies to DHCPINFORM | Don't include lease-time in DHCPACK replies to DHCPINFORM |
queries, since RFC-2131 says we shouldn't. Thanks to | queries, since RFC-2131 says we shouldn't. Thanks to |
Wouter Ibens for pointing this out. | Wouter Ibens for pointing this out. |
|
|
Makefile tweak to do dependency checking on header files. | Makefile tweak to do dependency checking on header files. |
Thanks to Johan Peeters for the patch. | Thanks to Johan Peeters for the patch. |
|
|
Check interface for outgoing unsolicited router | Check interface for outgoing unsolicited router |
advertisements, rather than relying on interface address | advertisements, rather than relying on interface address |
configuration. Thanks to Gene Czarinski for the patch. | configuration. Thanks to Gene Czarinski for the patch. |
|
|
Handle better attempts to transmit on interfaces which are | Handle better attempts to transmit on interfaces which are |
still doing DAD, and specifically do not just transmit | still doing DAD, and specifically do not just transmit |
without setting source address and interface, since this | without setting source address and interface, since this |
can cause very puzzling effects when a router | can cause very puzzling effects when a router |
advertisement goes astray. Thanks again to Gene Czarinski. | advertisement goes astray. Thanks again to Gene Czarinski. |
|
|
Get RA timers right when there is more than one | Get RA timers right when there is more than one |
dhcp-range on a subnet. | dhcp-range on a subnet. |
| |
|
|
|
|
version 2.63 |
version 2.63 |
Do duplicate dhcp-host address check in --test mode. | Do duplicate dhcp-host address check in --test mode. |
|
|
Check that tftp-root directories are accessible before | Check that tftp-root directories are accessible before |
start-up. Thanks to Daniel Veillard for the initial patch. | start-up. Thanks to Daniel Veillard for the initial patch. |
|
|
Allow more than one --tfp-root flag. The per-interface | Allow more than one --tfp-root flag. The per-interface |
stuff is pointless without that. | stuff is pointless without that. |
|
|
Add --bind-dynamic. A hybrid mode between the default and | Add --bind-dynamic. A hybrid mode between the default and |
--bind-interfaces which copes with dynamically created | --bind-interfaces which copes with dynamically created |
interfaces. | interfaces. |
| |
A couple of fixes to the build system for Android. Thanks | |
to Metin Kaya for the patches. | |
|
|
Remove the interface:<interface> argument in --dhcp-range, and | A couple of fixes to the build system for Android. Thanks |
the interface argument to --enable-tftp. These were a | to Metin Kaya for the patches. |
still-born attempt to allow automatic isolated | |
configuration by libvirt, but have never (to my knowledge) | |
been used, had very strange semantics, and have been | |
superceded by other mechanisms. | |
|
|
Fixed bug logging filenames when duplicate dhcp-host | Remove the interface:<interface> argument in --dhcp-range, and |
addresses are found. Thanks to John Hanks for the patch. | the interface argument to --enable-tftp. These were a |
| still-born attempt to allow automatic isolated |
| configuration by libvirt, but have never (to my knowledge) |
| been used, had very strange semantics, and have been |
| superseded by other mechanisms. |
|
|
Fix regression in 2.61 which broke caching of CNAME | Fixed bug logging filenames when duplicate dhcp-host |
chains. Thanks to Atul Gupta for the bug report. | addresses are found. Thanks to John Hanks for the patch. |
|
|
Allow the target of a --cname flag to be another --cname. | Fix regression in 2.61 which broke caching of CNAME |
| chains. Thanks to Atul Gupta for the bug report. |
|
|
Teach DHCPv6 about the RFC 4242 information-refresh-time | Allow the target of a --cname flag to be another --cname. |
option, and add parsing if the minutes, hours and days | |
format for options. Thanks to Francois-Xavier Le Bail for | |
the suggestion. | |
|
|
Allow "w" (for week) as multiplier in lease times, as well | Teach DHCPv6 about the RFC 4242 information-refresh-time |
as seconds, minutes, hours and days. Álvaro Gámez Machado | option, and add parsing if the minutes, hours and days |
spotted the ommission. | format for options. Thanks to Francois-Xavier Le Bail for |
| the suggestion. |
Update French translation. Thanks to Gildas Le Nadan. | |
|
|
Allow a DBus service name to be given with --enable-dbus | Allow "w" (for week) as multiplier in lease times, as well |
which overrides the default, | as seconds, minutes, hours and days. Álvaro Gámez Machado |
uk.org.thekelleys.dnsmasq. Thanks to Mathieu | spotted the omission. |
Trudel-Lapierre for the patch. | |
|
|
Set the "prefix on-link" bit in Router | Update French translation. Thanks to Gildas Le Nadan. |
Advertisements. Thanks to Gui Iribarren for the patch. | |
|
|
|
Allow a DBus service name to be given with --enable-dbus |
|
which overrides the default, |
|
uk.org.thekelleys.dnsmasq. Thanks to Mathieu |
|
Trudel-Lapierre for the patch. |
|
|
|
Set the "prefix on-link" bit in Router |
|
Advertisements. Thanks to Gui Iribarren for the patch. |
|
|
|
|
version 2.62 |
version 2.62 |
Update German translation. Thanks to Conrad Kostecki. | Update German translation. Thanks to Conrad Kostecki. |
|
|
Cope with router-solict packets wich don't have a valid | Cope with router-solict packets which don't have a valid |
source address. Thanks to Vladislav Grishenko for the patch. | source address. Thanks to Vladislav Grishenko for the patch. |
|
|
Fixed bug which caused missing periodic router | Fixed bug which caused missing periodic router |
advertisements with some configurations. Thanks to | advertisements with some configurations. Thanks to |
Vladislav Grishenko for the patch. | Vladislav Grishenko for the patch. |
|
|
Fixed bug which broke DHCPv6/RA with prefix lengths | Fixed bug which broke DHCPv6/RA with prefix lengths |
which are not divisible by 8. Thanks to Andre Coetzee | which are not divisible by 8. Thanks to Andre Coetzee |
for spotting this. | for spotting this. |
|
|
Fix non-response to router-solicitations when | Fix non-response to router-solicitations when |
router-advertisement configured, but DHCPv6 not | router-advertisement configured, but DHCPv6 not |
configured. Thanks to Marien Zwart for the patch. | configured. Thanks to Marien Zwart for the patch. |
|
|
Add --dns-rr, to allow arbitrary DNS resource records. | Add --dns-rr, to allow arbitrary DNS resource records. |
|
|
Fixed bug which broke RA scheduling when an interface had | Fixed bug which broke RA scheduling when an interface had |
two addresses in the same network. Thanks to Jim Bos for | two addresses in the same network. Thanks to Jim Bos for |
his help nailing this. | his help nailing this. |
|
|
version 2.61 |
version 2.61 |
Re-write interface discovery code on *BSD to use | Re-write interface discovery code on *BSD to use |
getifaddrs. This is more portable, more straightforward, | getifaddrs. This is more portable, more straightforward, |
and allows us to find the prefix length for IPv6 | and allows us to find the prefix length for IPv6 |
addresses. | addresses. |
|
|
Add ra-names, ra-stateless and slaac keywords for DHCPv6. | Add ra-names, ra-stateless and slaac keywords for DHCPv6. |
Dnsmasq can now synthesise AAAA records for dual-stack | Dnsmasq can now synthesise AAAA records for dual-stack |
hosts which get IPv6 addresses via SLAAC. It is also now | hosts which get IPv6 addresses via SLAAC. It is also now |
possible to use SLAAC and stateless DHCPv6, and to | possible to use SLAAC and stateless DHCPv6, and to |
tell clients to use SLAAC addresses as well as DHCP ones. | tell clients to use SLAAC addresses as well as DHCP ones. |
Thanks to Dave Taht for help with this. | Thanks to Dave Taht for help with this. |
|
|
Add --dhcp-duid to allow DUID-EN uids to be used. | Add --dhcp-duid to allow DUID-EN uids to be used. |
|
|
Explicity send DHCPv6 replies to the correct port, instead | Explicitly send DHCPv6 replies to the correct port, instead |
of relying on clients to send requests with the correct | of relying on clients to send requests with the correct |
source address, since at least one client in the wild gets | source address, since at least one client in the wild gets |
this wrong. Thanks to Conrad Kostecki for help tracking | this wrong. Thanks to Conrad Kostecki for help tracking |
this down. | this down. |
|
|
Send a preference value of 255 in DHCPv6 replies when | Send a preference value of 255 in DHCPv6 replies when |
--dhcp-authoritative is in effect. This tells clients not | --dhcp-authoritative is in effect. This tells clients not |
to wait around for other DHCP servers. | to wait around for other DHCP servers. |
|
|
Better logging of DHCPv6 options. | Better logging of DHCPv6 options. |
|
|
Add --host-record. Thanks to Rob Zwissler for the | Add --host-record. Thanks to Rob Zwissler for the |
suggestion. | suggestion. |
|
|
Invoke the DHCP script with action "tftp" when a TFTP file | Invoke the DHCP script with action "tftp" when a TFTP file |
transfer completes. The size of the file, address to which | transfer completes. The size of the file, address to which |
it was sent and complete pathname are supplied. Note that | it was sent and complete pathname are supplied. Note that |
version 2.60 introduced some script incompatibilties | version 2.60 introduced some script incompatibilities |
associated with DHCPv6, and this is a further change. To | associated with DHCPv6, and this is a further change. To |
be safe, scripts should ignore unknown actions, and if | be safe, scripts should ignore unknown actions, and if |
not IPv6-aware, should exit if the environment | not IPv6-aware, should exit if the environment |
variable DNSMASQ_IAID is set. The use-case for this is | variable DNSMASQ_IAID is set. The use-case for this is |
to track netboot/install. Suggestion from Shantanu | to track netboot/install. Suggestion from Shantanu |
Gadgil. | Gadgil. |
|
|
Update contrib/port-forward/dnsmasq-portforward to reflect | Update contrib/port-forward/dnsmasq-portforward to reflect |
the above. | the above. |
|
|
Set the environment variable DNSMASQ_LOG_DHCP when running | Set the environment variable DNSMASQ_LOG_DHCP when running |
the script id --log-dhcp is in effect, so that script can | the script id --log-dhcp is in effect, so that script can |
taylor their logging verbosity. Suggestion from Malte | taylor their logging verbosity. Suggestion from Malte |
Forkel. | Forkel. |
| |
Arrange that addresses specified with --listen-address | |
work even if there is no interface carrying the | |
address. This is chiefly useful for IPv4 loopback | |
addresses, where any address in 127.0.0.0/8 is a valid | |
loopback address, but normally only 127.0.0.1 appears on | |
the lo interface. Thanks to Mathieu Trudel-Lapierre for | |
the idea and initial patch. | |
|
|
Fix crash, introduced in 2.60, when a DHCPINFORM is | Arrange that addresses specified with --listen-address |
received from a network which has no valid dhcp-range. | work even if there is no interface carrying the |
Thanks to Stephane Glondu for the bug report. | address. This is chiefly useful for IPv4 loopback |
| addresses, where any address in 127.0.0.0/8 is a valid |
| loopback address, but normally only 127.0.0.1 appears on |
| the lo interface. Thanks to Mathieu Trudel-Lapierre for |
| the idea and initial patch. |
|
|
Add a new DHCP lease time keyword, "deprecated" for | Fix crash, introduced in 2.60, when a DHCPINFORM is |
--dhcp-range. This is only valid for IPv6, and sets the | received from a network which has no valid dhcp-range. |
preffered lease time for both DHCP and RA to zero. The | Thanks to Stephane Glondu for the bug report. |
effect is that clients can continue to use the address | |
for existing connections, but new connections will use | |
other addresses, if they exist. This makes hitless | |
renumbering at least possible. | |
|
|
Fix bug in address6_available() which caused DHCPv6 lease | Add a new DHCP lease time keyword, "deprecated" for |
aquisition to fail if more than one dhcp-range in use. | --dhcp-range. This is only valid for IPv6, and sets the |
| preferred lease time for both DHCP and RA to zero. The |
| effect is that clients can continue to use the address |
| for existing connections, but new connections will use |
| other addresses, if they exist. This makes hitless |
| renumbering at least possible. |
|
|
Provide RDNSS and DNSSL data in router advertisements, | Fix bug in address6_available() which caused DHCPv6 lease |
using the settings provided for DHCP options | acquisition to fail if more than one dhcp-range in use. |
option6:domain-search and option6:dns-server. | |
|
|
Tweak logo/favicon.ico to add some transparency. Thanks to | Provide RDNSS and DNSSL data in router advertisements, |
SamLT for work on this. | using the settings provided for DHCP options |
| option6:domain-search and option6:dns-server. |
Don't cache data from non-recursive nameservers, since it | |
may erroneously look like a valid CNAME to a non-exitant | |
name. Thanks to Ben Winslow for finding this. | |
|
|
Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP | Tweak logo/favicon.ico to add some transparency. Thanks to |
on exactly one interface and --bind-interfaces is set. This | SamLT for work on this. |
makes the OpenStack use-case of one dnsmasq per virtual | |
interface work. This is only available on Linux; it's not | |
supported on other platforms. Thanks to Vishvananda Ishaya | |
and the OpenStack team for the suggestion. | |
|
|
Updated French translation. Thanks to Gildas Le Nadan. | Don't cache data from non-recursive nameservers, since it |
| may erroneously look like a valid CNAME to a non-existent |
| name. Thanks to Ben Winslow for finding this. |
|
|
Give correct from-cache answers to explict CNAME queries. | Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP |
Thanks to Rob Zwissler for spotting this. | on exactly one interface and --bind-interfaces is set. This |
| makes the OpenStack use-case of one dnsmasq per virtual |
Add --tftp-lowercase option. Thanks to Oliver Rath for the | interface work. This is only available on Linux; it's not |
patch. | supported on other platforms. Thanks to Vishvananda Ishaya |
| and the OpenStack team for the suggestion. |
|
|
Ensure that the DBus DhcpLeaseUpdated events are generated | Updated French translation. Thanks to Gildas Le Nadan. |
when a lease goes through INIT_REBOOT state, even if the | |
dhcp-script is not in use. Thanks to Antoaneta-Ecaterina | |
Ene for the patch. | |
|
|
Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks | Give correct from-cache answers to explicit CNAME queries. |
to Brad Smith for spotting this. | Thanks to Rob Zwissler for spotting this. |
| |
|
|
|
Add --tftp-lowercase option. Thanks to Oliver Rath for the |
|
patch. |
|
|
|
Ensure that the DBus DhcpLeaseUpdated events are generated |
|
when a lease goes through INIT_REBOOT state, even if the |
|
dhcp-script is not in use. Thanks to Antoaneta-Ecaterina |
|
Ene for the patch. |
|
|
|
Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks |
|
to Brad Smith for spotting this. |
|
|
|
|
version 2.60 |
version 2.60 |
Fix compilation problem in Mac OS X Lion. Thanks to Olaf | Fix compilation problem in Mac OS X Lion. Thanks to Olaf |
Flebbe for the patch. | Flebbe for the patch. |
|
|
Fix DHCP when using --listen-address with an IP address | Fix DHCP when using --listen-address with an IP address |
which is not the primary address of an interface. | which is not the primary address of an interface. |
|
|
Add --dhcp-client-update option. | Add --dhcp-client-update option. |
|
|
Add Lua integration. Dnsmasq can now execute a DHCP | Add Lua integration. Dnsmasq can now execute a DHCP |
lease-change script written in Lua. This needs to be | lease-change script written in Lua. This needs to be |
enabled at compile time by setting HAVE_LUASCRIPT in | enabled at compile time by setting HAVE_LUASCRIPT in |
src/config.h or running "make COPTS=-DHAVE_LUASCRIPT" | src/config.h or running "make COPTS=-DHAVE_LUASCRIPT" |
Thanks to Jan-Piet Mens for the idea and proof-of-concept | Thanks to Jan-Piet Mens for the idea and proof-of-concept |
implementation. | implementation. |
| |
Tidied src/config.h to distinguish between | |
platform-dependent compile-time options which are selected | |
automatically, and builder-selectable compile time | |
options. Document the latter better, and describe how to | |
set them from the make command line. | |
|
|
Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent) | Tidied src/config.h to distinguish between |
confusion. IPPROTO_IP works everywhere now. | platform-dependent compile-time options which are selected |
| automatically, and builder-selectable compile time |
Set TOS on DHCP sockets, this improves things on busy | options. Document the latter better, and describe how to |
wireless networks. Thanks to Dave Taht for the patch. | set them from the make command line. |
|
|
Determine VERSION automatically based on git magic: | Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent) |
release tags or hash values. | confusion. IPPROTO_IP works everywhere now. |
|
|
Improve start-up speed when reading large hosts files | Set TOS on DHCP sockets, this improves things on busy |
containing many distinct addresses. | wireless networks. Thanks to Dave Taht for the patch. |
|
|
Fix problem if dnsmasq is started without the stdin, | Determine VERSION automatically based on git magic: |
stdout and stderr file descriptors open. This can manifest | release tags or hash values. |
itself as 100% CPU use. Thanks to Chris Moore for finding | |
this. | |
|
|
Fix shell-scripting bug in bld/pkg-wrapper. Thanks to | Improve start-up speed when reading large hosts files |
Mark Mitchell for the patch. | containing many distinct addresses. |
|
|
Allow the TFP server or boot server in --pxe-service, to | Fix problem if dnsmasq is started without the stdin, |
be a domain name instead of an IP address. This allows for | stdout and stderr file descriptors open. This can manifest |
round-robin to multiple servers, in the same way as | itself as 100% CPU use. Thanks to Chris Moore for finding |
--dhcp-boot. A good suggestion from Cristiano Cumer. | this. |
|
|
Support BUILDDIR variable in the Makefile. Allows builds | Fix shell-scripting bug in bld/pkg-wrapper. Thanks to |
for multiple archs from the same source tree with eg. | Mark Mitchell for the patch. |
make BUILDDIR=linux (relative to dnsmasq tree) | |
make BUILDDIR=/tmp/openbsd (absolute path) | |
If BUILDDIR is not set, compilation happens in the src | |
directory, as before. Suggestion from Mark Mitchell. | |
|
|
Support DHCPv6. Support is there for the sort of things | Allow the TFP server or boot server in --pxe-service, to |
the existing v4 server does, including tags, options, | be a domain name instead of an IP address. This allows for |
static addresses and relay support. Missing is prefix | round-robin to multiple servers, in the same way as |
delegation, which is probably not required in the dnsmasq | --dhcp-boot. A good suggestion from Cristiano Cumer. |
niche, and an easy way to accept prefix delegations from | |
an upstream DHCPv6 server, which is. Future plans include | |
support for DHCPv6 router option and MAC address option | |
(to make selecting clients by MAC address work like IPv4). | |
These will be added as the standards mature. | |
This code has been tested, but this is the first release, | |
so don't bet the farm on it just yet. Many thanks to all | |
testers who have got it this far. | |
|
|
Support IPv6 router advertisements. This is a | Support BUILDDIR variable in the Makefile. Allows builds |
simple-minded implementation, aimed at providing the | for multiple archs from the same source tree with eg. |
vestigial RA needed to go alongside IPv6. Is picks up | make BUILDDIR=linux (relative to dnsmasq tree) |
configuration from the DHCPv6 conf, and should just need | make BUILDDIR=/tmp/openbsd (absolute path) |
enabling with --enable-ra. | If BUILDDIR is not set, compilation happens in the src |
| directory, as before. Suggestion from Mark Mitchell. |
|
|
Fix long-standing wrinkle with --localise-queries that | Support DHCPv6. Support is there for the sort of things |
could result in wrong answers when DNS packets arrive | the existing v4 server does, including tags, options, |
via an interface other than the expected one. Thanks to | static addresses and relay support. Missing is prefix |
Lorenzo Milesi and John Hanks for spotting this one. | delegation, which is probably not required in the dnsmasq |
| niche, and an easy way to accept prefix delegations from |
Update French translation. Thanks to Gildas Le Nadan. | an upstream DHCPv6 server, which is. Future plans include |
| support for DHCPv6 router option and MAC address option |
| (to make selecting clients by MAC address work like IPv4). |
| These will be added as the standards mature. |
| This code has been tested, but this is the first release, |
| so don't bet the farm on it just yet. Many thanks to all |
| testers who have got it this far. |
|
|
Update Polish translation. Thanks to Jan Psota. | Support IPv6 router advertisements. This is a |
| simple-minded implementation, aimed at providing the |
| vestigial RA needed to go alongside IPv6. Is picks up |
| configuration from the DHCPv6 conf, and should just need |
| enabling with --enable-ra. |
|
|
|
Fix long-standing wrinkle with --localise-queries that |
|
could result in wrong answers when DNS packets arrive |
|
via an interface other than the expected one. Thanks to |
|
Lorenzo Milesi and John Hanks for spotting this one. |
|
|
|
Update French translation. Thanks to Gildas Le Nadan. |
|
|
|
Update Polish translation. Thanks to Jan Psota. |
|
|
|
|
version 2.59 |
version 2.59 |
Fix regression in 2.58 which caused failure to start up | Fix regression in 2.58 which caused failure to start up |
with some combinations of dnsmasq config and IPv6 kernel | with some combinations of dnsmasq config and IPv6 kernel |
network config. Thanks to Brielle Bruns for the bug | network config. Thanks to Brielle Bruns for the bug |
report. | report. |
|
|
Improve dnsmasq's behaviour when network interfaces are | Improve dnsmasq's behaviour when network interfaces are |
still doing duplicate address detection (DAD). Previously, | still doing duplicate address detection (DAD). Previously, |
dnsmasq would wait up to 20 seconds at start-up for the | dnsmasq would wait up to 20 seconds at start-up for the |
DAD state to terminate. This is broken for bridge | DAD state to terminate. This is broken for bridge |
interfaces on recent Linux kernels, which don't start DAD | interfaces on recent Linux kernels, which don't start DAD |
until the bridge comes up, and so can take arbitrary | until the bridge comes up, and so can take arbitrary |
time. The new behaviour lets dnsmasq poll for an arbitrary | time. The new behaviour lets dnsmasq poll for an arbitrary |
time whilst providing service on other interfaces. Thanks | time whilst providing service on other interfaces. Thanks |
to Stephen Hemminger for pointing out the problem. | to Stephen Hemminger for pointing out the problem. |
|
|
|
|
version 2.58 |
version 2.58 |
Provide a definition of the SA_SIZE macro where it's | Provide a definition of the SA_SIZE macro where it's |
missing. Fixes build failure on openBSD. | missing. Fixes build failure on openBSD. |
|
|
Don't include a zero terminator at the end of messages | Don't include a zero terminator at the end of messages |
sent to /dev/log when /dev/log is a datagram socket. | sent to /dev/log when /dev/log is a datagram socket. |
Thanks to Didier Rabound for spotting the problem. | Thanks to Didier Rabound for spotting the problem. |
|
|
Add --dhcp-sequential-ip flag, to force allocation of IP | Add --dhcp-sequential-ip flag, to force allocation of IP |
addresses in ascending order. Note that the default | addresses in ascending order. Note that the default |
pseudo-random mode is in general better but some | pseudo-random mode is in general better but some |
server-deployment applications need this. | server-deployment applications need this. |
|
|
Fix problem where a server-id of 0.0.0.0 is sent to a | Fix problem where a server-id of 0.0.0.0 is sent to a |
client when a dhcp-relay is in use if a client renews a | client when a dhcp-relay is in use if a client renews a |
lease after dnsmasq restart and before any clients on the | lease after dnsmasq restart and before any clients on the |
subnet get a new lease. Thanks to Mike Ruiz for assistance | subnet get a new lease. Thanks to Mike Ruiz for assistance |
in chasing this one down. | in chasing this one down. |
|
|
Don't return NXDOMAIN to an AAAA query if we have CNAME | Don't return NXDOMAIN to an AAAA query if we have CNAME |
which points to an A record only: NODATA is the correct | which points to an A record only: NODATA is the correct |
reply in this case. Thanks to Tom Fernandes for spotting | reply in this case. Thanks to Tom Fernandes for spotting |
the problem. | the problem. |
|
|
Relax the need to supply a netmask in --dhcp-range for | Relax the need to supply a netmask in --dhcp-range for |
networks which use a DHCP relay. Whilst this is still | networks which use a DHCP relay. Whilst this is still |
desireable, in the absence of a netmask dnsmasq will use | desirable, in the absence of a netmask dnsmasq will use |
a default based on the class (A, B, or C) of the address. | a default based on the class (A, B, or C) of the address. |
This should at least remove a cause of mysterious failure | This should at least remove a cause of mysterious failure |
for people using RFC1918 addresses and relays. | for people using RFC1918 addresses and relays. |
|
|
Add support for Linux conntrack connection marking. If | Add support for Linux conntrack connection marking. If |
enabled with --conntrack, the connection mark for incoming | enabled with --conntrack, the connection mark for incoming |
DNS queries will be copied to the outgoing connections | DNS queries will be copied to the outgoing connections |
used to answer those queries. This allows clever firewall | used to answer those queries. This allows clever firewall |
and accounting stuff. Only available if dnsmasq is | and accounting stuff. Only available if dnsmasq is |
compiled with HAVE_CONNTRACK and adds a dependency on | compiled with HAVE_CONNTRACK and adds a dependency on |
libnetfilter-conntrack. Thanks to Ed Wildgoose for the | libnetfilter-conntrack. Thanks to Ed Wildgoose for the |
initial idea, testing and sponsorship of this function. | initial idea, testing and sponsorship of this function. |
|
|
Provide a sane error message when someone attempts to | Provide a sane error message when someone attempts to |
match a tag in --dhcp-host. | match a tag in --dhcp-host. |
|
|
Tweak the behaviour of --domain-needed, to avoid problems | Tweak the behaviour of --domain-needed, to avoid problems |
with recursive nameservers downstream of dnsmasq. The new | with recursive nameservers downstream of dnsmasq. The new |
behaviour only stops A and AAAA queries, and returns | behaviour only stops A and AAAA queries, and returns |
NODATA rather than NXDOMAIN replies. | NODATA rather than NXDOMAIN replies. |
|
|
Efficiency fix for very large DHCP configurations, thanks | Efficiency fix for very large DHCP configurations, thanks |
to James Gartrell and Mike Ruiz for help with this. | to James Gartrell and Mike Ruiz for help with this. |
|
|
Allow the TFTP-server address in --dhcp-boot to be a | Allow the TFTP-server address in --dhcp-boot to be a |
domain-name which is looked up in /etc/hosts. This can | domain-name which is looked up in /etc/hosts. This can |
give multiple IP addresses which are used round-robin, | give multiple IP addresses which are used round-robin, |
thus doing TFTP server load-balancing. Thanks to Sushil | thus doing TFTP server load-balancing. Thanks to Sushil |
Agrawal for the patch. | Agrawal for the patch. |
|
|
When two tagged dhcp-options for a particular option | When two tagged dhcp-options for a particular option |
number are both valid, use the one which is valid without | number are both valid, use the one which is valid without |
a tag from the dhcp-range. Allows overriding of the value | a tag from the dhcp-range. Allows overriding of the value |
of a DHCP option for a particular host as well as | of a DHCP option for a particular host as well as |
per-network values. So | per-network values. So |
--dhcp-range=set:interface1,...... | --dhcp-range=set:interface1,...... |
--dhcp-host=set:myhost,..... | --dhcp-host=set:myhost,..... |
--dhcp-option=tag:interface1,option:nis-domain,"domain1" | --dhcp-option=tag:interface1,option:nis-domain,"domain1" |
--dhcp-option=tag:myhost,option:nis-domain,"domain2" | --dhcp-option=tag:myhost,option:nis-domain,"domain2" |
will set the NIS-domain to domain1 for hosts in the range, but | will set the NIS-domain to domain1 for hosts in the range, but |
override that to domain2 for a particular host. | override that to domain2 for a particular host. |
|
|
Fix bug which resulted in truncated files and timeouts for | Fix bug which resulted in truncated files and timeouts for |
some TFTP transfers. The bug only occurs with netascii | some TFTP transfers. The bug only occurs with netascii |
transfers and needs an unfortunate relationship between | transfers and needs an unfortunate relationship between |
file size, blocksize and the number of newlines in the | file size, blocksize and the number of newlines in the |
last block before it manifests itself. Many thanks to | last block before it manifests itself. Many thanks to |
Alkis Georgopoulos for spotting the problem and providing | Alkis Georgopoulos for spotting the problem and providing |
a comprehensive test-case. | a comprehensive test-case. |
|
|
Fix regression in TFTP server on *BSD platforms introduced | Fix regression in TFTP server on *BSD platforms introduced |
in version 2.56, due to confusion with sockaddr | in version 2.56, due to confusion with sockaddr |
length. Many thanks to Loic Pefferkorn for finding this. | length. Many thanks to Loic Pefferkorn for finding this. |
|
|
Support scope-ids in IPv6 addresses of nameservers from | Support scope-ids in IPv6 addresses of nameservers from |
/etc/resolv.conf and in --server options. Eg | /etc/resolv.conf and in --server options. Eg |
nameserver fe80::202:a412:4512:7bbf%eth0 or | nameserver fe80::202:a412:4512:7bbf%eth0 or |
server=fe80::202:a412:4512:7bbf%eth0. Thanks to | server=fe80::202:a412:4512:7bbf%eth0. Thanks to |
Michael Stapelberg for the suggestion. | Michael Stapelberg for the suggestion. |
|
|
Update Polish translation, thanks to Jan Psota. | Update Polish translation, thanks to Jan Psota. |
|
|
Update French translation. Thanks to Gildas Le Nadan. | Update French translation. Thanks to Gildas Le Nadan. |
|
|
|
|
version 2.57 |
version 2.57 |
Add patches to allow build under Android. | Add patches to allow build under Android. |
|
|
Provide our own header for the DNS protocol, rather than | Provide our own header for the DNS protocol, rather than |
relying on arpa/nameser.h. This has proved more or less | relying on arpa/nameser.h. This has proved more or less |
defective over the years and the final straw is that it's | defective over the years and the final straw is that it's |
effectively empty on Android. | effectively empty on Android. |
|
|
Fix regression in 2.56 which caused hex constants in | Fix regression in 2.56 which caused hex constants in |
configuration to be rejected if they contain the '*' | configuration to be rejected if they contain the '*' |
wildcard. | wildcard. |
|
|
Correct wrong casts of arguments to ctype.h functions, | Correct wrong casts of arguments to ctype.h functions, |
isdigit(), isxdigit() etc. Thanks to Matthias Andree for | isdigit(), isxdigit() etc. Thanks to Matthias Andree for |
spotting this. | spotting this. |
|
|
Allow build with IDN support independently from i18n. | Allow build with IDN support independently from i18n. |
IDN support continues to be included automatically | IDN support continues to be included automatically |
when i18n is included. | when i18n is included. |
'make COPTS=-DHAVE_IDN' is the magic incantation. | 'make COPTS=-DHAVE_IDN' is the magic incantation. |
|
|
Modify check on extraneous command line junk (added in | Modify check on extraneous command line junk (added in |
2.56) so that it doesn't complain about extra _empty_ | 2.56) so that it doesn't complain about extra _empty_ |
arguments. Otherwise this breaks libvirt. | arguments. Otherwise this breaks libvirt. |
|
|
|
|
version 2.56 |
version 2.56 |
Add a patch to allow dnsmasq to get interface names right in a | Add a patch to allow dnsmasq to get interface names right in a |
Solaris zone. Thanks to Dj Padzensky for this. | Solaris zone. Thanks to Dj Padzensky for this. |
|
|
Improve data-type parsing heuristics so that | Improve data-type parsing heuristics so that |
--dhcp-option=option:domain-search,. | --dhcp-option=option:domain-search,. |
treats the value as a string and not an IP address. | treats the value as a string and not an IP address. |
Thanks to Clemens Fischer for spotting that. | Thanks to Clemens Fischer for spotting that. |
|
|
Add IPv6 support to the TFTP server. Many thanks to Jan | Add IPv6 support to the TFTP server. Many thanks to Jan |
'RedBully' Seiffert for the patches. | 'RedBully' Seiffert for the patches. |
| |
Log DNS queries at level LOG_INFO, rather then | |
LOG_DEBUG. This makes things consistent with DHCP | |
logging. Thanks to Adam Pribyl for spotting the problem. | |
|
|
Ensure that dnsmasq terminates cleanly when using | Log DNS queries at level LOG_INFO, rather then |
--syslog-async even if it cannot make a connection to the | LOG_DEBUG. This makes things consistent with DHCP |
syslogd. | logging. Thanks to Adam Pribyl for spotting the problem. |
|
|
Add --add-mac option. This is to support currently | Ensure that dnsmasq terminates cleanly when using |
experimental DNS filtering facilities. Thanks to Benjamin | --syslog-async even if it cannot make a connection to the |
Petrin for the orignal patch. | syslogd. |
|
|
Fix bug which meant that tags were ignored in dhcp-range | Add --add-mac option. This is to support currently |
configuration specifying PXE-proxy service. Thanks to | experimental DNS filtering facilities. Thanks to Benjamin |
Cristiano Cumer for spotting this. | Petrin for the original patch. |
|
|
Raise an error if there is extra junk, not part of an | Fix bug which meant that tags were ignored in dhcp-range |
option, on the command line. | configuration specifying PXE-proxy service. Thanks to |
| Cristiano Cumer for spotting this. |
|
|
Flag a couple of log messages in cache.c as coming from | Raise an error if there is extra junk, not part of an |
the DHCP subsystem. Thanks to Olaf Westrik for the patch. | option, on the command line. |
|
|
Omit timestamps from logs when a) logging to stderr and | Flag a couple of log messages in cache.c as coming from |
b) --keep-in-forground is set. The logging facility on the | the DHCP subsystem. Thanks to Olaf Westrik for the patch. |
other end of stderr can be assumned to supply them. Thanks | |
to John Hallam for the patch. | |
|
|
Don't complain about strings longer than 255 characters in | Omit timestamps from logs when a) logging to stderr and |
--txt-record, just split the long strings into 255 | b) --keep-in-foreground is set. The logging facility on the |
character chunks instead. | other end of stderr can be assumed to supply them. Thanks |
| to John Hallam for the patch. |
|
|
Fix crash on double-free. This bug can only happen when | Don't complain about strings longer than 255 characters in |
dhcp-script is in use and then only in rare circumstances | --txt-record, just split the long strings into 255 |
triggered by high DHCP transaction rate and a slow | character chunks instead. |
script. Thanks to Ferenc Wagner for finding the problem. | |
|
|
Only log that a file has been sent by TFTP after the | Fix crash on double-free. This bug can only happen when |
transfer has completed succesfully. | dhcp-script is in use and then only in rare circumstances |
| triggered by high DHCP transaction rate and a slow |
| script. Thanks to Ferenc Wagner for finding the problem. |
|
|
A good suggestion from Ferenc Wagner: extend | Only log that a file has been sent by TFTP after the |
the --domain option to allow this sort of thing: | transfer has completed successfully. |
--domain=thekelleys.org.uk,192.168.0.0/24,local | |
which automatically creates | |
--local=/thekelleys.org.uk/ | |
--local=/0.168.192.in-addr.arpa/ | |
|
|
Tighten up syntax checking of hex contants in the config | A good suggestion from Ferenc Wagner: extend |
file. Thanks to Fred Damen for spotting this. | the --domain option to allow this sort of thing: |
| --domain=thekelleys.org.uk,192.168.0.0/24,local |
| which automatically creates |
| --local=/thekelleys.org.uk/ |
| --local=/0.168.192.in-addr.arpa/ |
|
|
Add dnsmasq logo/icon, contributed by Justin Swift. Many | Tighten up syntax checking of hex constants in the config |
thanks for that. | file. Thanks to Fred Damen for spotting this. |
|
|
Never cache DNS replies which have the 'cd' bit set, or | Add dnsmasq logo/icon, contributed by Justin Swift. Many |
which result from queries forwarded with the 'cd' bit | thanks for that. |
set. The 'cd' bit instructs a DNSSEC validating server | |
upstream to ignore signature failures and return replies | |
anyway. Without this change it's possible to pollute the | |
dnsmasq cache with bad data by making a query with the | |
'cd' bit set and subsequent queries would return this data | |
without its being marked as suspect. Thanks to Anders | |
Kaseorg for pointing out this problem. | |
|
|
Add --proxy-dnssec flag, for compliance with RFC | Never cache DNS replies which have the 'cd' bit set, or |
4035. Dnsmasq will now clear the 'ad' bit in answers returned | which result from queries forwarded with the 'cd' bit |
from upstream validating nameservers unless this option is | set. The 'cd' bit instructs a DNSSEC validating server |
set. | upstream to ignore signature failures and return replies |
| anyway. Without this change it's possible to pollute the |
| dnsmasq cache with bad data by making a query with the |
| 'cd' bit set and subsequent queries would return this data |
| without its being marked as suspect. Thanks to Anders |
| Kaseorg for pointing out this problem. |
|
|
Allow a filename of "-" for --conf-file to read | Add --proxy-dnssec flag, for compliance with RFC |
stdin. Suggestion from Timothy Redaelli. | 4035. Dnsmasq will now clear the 'ad' bit in answers returned |
| from upstream validating nameservers unless this option is |
| set. |
|
|
Rotate the order of SRV records in replies, to provide | Allow a filename of "-" for --conf-file to read |
round-robin load balancing when all the priorities are | stdin. Suggestion from Timothy Redaelli. |
equal. Thanks to Peter McKinney for the suggestion. | |
|
|
Edit | Rotate the order of SRV records in replies, to provide |
contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist | round-robin load balancing when all the priorities are |
so that it doesn't log all queries to a file by | equal. Thanks to Peter McKinney for the suggestion. |
default. Thanks again to Peter McKinney. | |
|
|
By default, setting an IPv4 address for a domain but not | Edit |
an IPv6 address causes dnsmasq to return | contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist |
an NODATA reply for IPv6 (or vice-versa). So | so that it doesn't log all queries to a file by |
--address=/google.com/1.2.3.4 stops IPv6 queries for | default. Thanks again to Peter McKinney. |
*google.com from being forwarded. Make it possible to | |
override this behaviour by defining the sematics if the | |
same domain appears in both --server and --address. | |
In that case, the --address has priority for the address | |
family in which is appears, but the --server has priority | |
of the address family which doesn't appear in --adddress | |
So: | |
--address=/google.com/1.2.3.4 | |
--server=/google.com/# | |
will return 1.2.3.4 for IPv4 queries for *.google.com but | |
forward IPv6 queries to the normal upstream nameserver. | |
Similarly when setting an IPv6 address | |
only this will allow forwarding of IPv4 queries. Thanks to | |
William for pointing out the need for this. | |
|
|
Allow more than one --dhcp-optsfile and --dhcp-hostsfile | By default, setting an IPv4 address for a domain but not |
and make them understand directories as arguments in the | an IPv6 address causes dnsmasq to return |
same way as --addn-hosts. Suggestion from John Hanks. | a NODATA reply for IPv6 (or vice-versa). So |
| --address=/google.com/1.2.3.4 stops IPv6 queries for |
| *google.com from being forwarded. Make it possible to |
| override this behaviour by defining the semantics if the |
| same domain appears in both --server and --address. |
| In that case, the --address has priority for the address |
| family in which is appears, but the --server has priority |
| of the address family which doesn't appear in --address |
| So: |
| --address=/google.com/1.2.3.4 |
| --server=/google.com/# |
| will return 1.2.3.4 for IPv4 queries for *.google.com but |
| forward IPv6 queries to the normal upstream nameserver. |
| Similarly when setting an IPv6 address |
| only this will allow forwarding of IPv4 queries. Thanks to |
| William for pointing out the need for this. |
|
|
Ignore rebinding requests for leases we don't know | Allow more than one --dhcp-optsfile and --dhcp-hostsfile |
about. Rebind is broadcast, so we might get to overhear a | and make them understand directories as arguments in the |
request meant for another DHCP server. NAKing this is | same way as --addn-hosts. Suggestion from John Hanks. |
wrong. Thanks to Brad D'Hondt for assistance with this. | |
|
|
Fix cosmetic bug which produced strange output when | Ignore rebinding requests for leases we don't know |
dumping cache statistics with some configurations. Thanks | about. Rebind is broadcast, so we might get to overhear a |
to Fedor Kozhevnikov for spotting this. | request meant for another DHCP server. NAKing this is |
| wrong. Thanks to Brad D'Hondt for assistance with this. |
|
|
|
Fix cosmetic bug which produced strange output when |
|
dumping cache statistics with some configurations. Thanks |
|
to Fedor Kozhevnikov for spotting this. |
|
|
|
|
version 2.55 |
version 2.55 |
Fix crash when /etc/ethers is in use. Thanks to | Fix crash when /etc/ethers is in use. Thanks to |
Gianluigi Tiesi for finding this. | Gianluigi Tiesi for finding this. |
|
|
Fix crash in netlink_multicast(). Thanks to Arno Wald for | Fix crash in netlink_multicast(). Thanks to Arno Wald for |
finding this one. | finding this one. |
|
|
Allow the empty domain "." in dhcp domain-search (119) | Allow the empty domain "." in dhcp domain-search (119) |
options. | options. |
|
|
|
|
version 2.54 |
version 2.54 |
There is no version 2.54 to avoid confusion with 2.53, | There is no version 2.54 to avoid confusion with 2.53, |
which incorrectly identifies itself as 2.54. | which incorrectly identifies itself as 2.54. |
|
|
|
|
version 2.53 |
version 2.53 |
Fix failure to compile on Debian/kFreeBSD. Thanks to | Fix failure to compile on Debian/kFreeBSD. Thanks to |
Axel Beckert and Petr Salinger. | Axel Beckert and Petr Salinger. |
|
|
Fix code to avoid scary strict-aliasing warnings | Fix code to avoid scary strict-aliasing warnings |
generated by gcc 4.4. | generated by gcc 4.4. |
| |
Added FAQ entry warning about DHCP failures with Vista | Added FAQ entry warning about DHCP failures with Vista |
when firewalls block 255.255.255.255. | when firewalls block 255.255.255.255. |
| |
Fixed bug which caused bad things to happen if a | Fixed bug which caused bad things to happen if a |
resolv.conf file which exists is subsequently removed. | resolv.conf file which exists is subsequently removed. |
Thanks to Nikolai Saoukh for the patch. | Thanks to Nikolai Saoukh for the patch. |
|
|
Rationalised the DHCP tag system. Every configuration item | Rationalised the DHCP tag system. Every configuration item |
which can set a tag does so by adding "set:<tag>" and | which can set a tag does so by adding "set:<tag>" and |
every configuration item which is conditional on a tag is | every configuration item which is conditional on a tag is |
made so by "tag:<tag>". The NOT operator changes to '!', | made so by "tag:<tag>". The NOT operator changes to '!', |
which is a bit more intuitive too. Dhcp-host directives | which is a bit more intuitive too. Dhcp-host directives |
can set more than one tag now. The old '#' NOT, | can set more than one tag now. The old '#' NOT, |
"net:" prefix and no-prefixes are still honoured, so | "net:" prefix and no-prefixes are still honoured, so |
no existing config file needs to be changed, but | no existing config file needs to be changed, but |
the documentation and new-style config files should be | the documentation and new-style config files should be |
much less confusing. | much less confusing. |
|
|
Added --tag-if to allow boolean operations on tags. | Added --tag-if to allow boolean operations on tags. |
This allows complicated logic to be clearer and more | This allows complicated logic to be clearer and more |
general. A great suggestion from Richard Voigt. | general. A great suggestion from Richard Voigt. |
|
|
Add broadcast/unicast information to DHCP logging. | Add broadcast/unicast information to DHCP logging. |
|
|
Allow --dhcp-broadcast to be unconditional. | Allow --dhcp-broadcast to be unconditional. |
|
|
Fixed incorrect behaviour with NOT <tag> conditionals in | Fixed incorrect behaviour with NOT <tag> conditionals in |
dhcp-options. Thanks to Max Turkewitz for assistance | dhcp-options. Thanks to Max Turkewitz for assistance |
finding this. | finding this. |
|
|
If we send vendor-class encapsulated options based on the | If we send vendor-class encapsulated options based on the |
vendor-class supplied by the client, and no explicit | vendor-class supplied by the client, and no explicit |
vendor-class option is given, echo back the vendor-class | vendor-class option is given, echo back the vendor-class |
from the client. | from the client. |
| |
Fix bug which stopped dnsmasq from matching both a | Fix bug which stopped dnsmasq from matching both a |
circuitid and a remoteid. Thanks to Ignacio Bravo for | circuitid and a remoteid. Thanks to Ignacio Bravo for |
finding this. | finding this. |
|
|
Add --dhcp-proxy, which makes it possible to configure | Add --dhcp-proxy, which makes it possible to configure |
dnsmasq to use a DHCP relay agent as a full proxy, with | dnsmasq to use a DHCP relay agent as a full proxy, with |
all DHCP messages passing through the proxy. This is | all DHCP messages passing through the proxy. This is |
useful if the relay adds extra information to the packets | useful if the relay adds extra information to the packets |
it forwards, but cannot be configured with the RFC 5107 | it forwards, but cannot be configured with the RFC 5107 |
server-override option. | server-override option. |
|
|
Added interface:<iface name> part to dhcp-range. The | Added interface:<iface name> part to dhcp-range. The |
semantics of this are very odd at first sight, but it | semantics of this are very odd at first sight, but it |
allows a single line of the form | allows a single line of the form |
dhcp-range=interface:virt0,192.168.0.4,192.168.0.200 | dhcp-range=interface:virt0,192.168.0.4,192.168.0.200 |
to be added to dnsmasq configuration which then supplies | to be added to dnsmasq configuration which then supplies |
DHCP and DNS services to that interface, without affecting | DHCP and DNS services to that interface, without affecting |
what services are supplied to other interfaces and | what services are supplied to other interfaces and |
irrespective of the existance or lack of | irrespective of the existence or lack of |
interface=<interface> | interface=<interface> |
lines elsewhere in the dnsmasq configuration. The idea is | lines elsewhere in the dnsmasq configuration. The idea is |
that such a line can be added automatically by libvirt | that such a line can be added automatically by libvirt |
or equivalent systems, without disturbing any manual | or equivalent systems, without disturbing any manual |
configuration. | configuration. |
|
|
Similarly to the above, allow --enable-tftp=<interface> | Similarly to the above, allow --enable-tftp=<interface> |
|
|
Allow a TFTP root to be set separately for requests via | Allow a TFTP root to be set separately for requests via |
different interfaces, --tftp-root=<path>,<interface> | different interfaces, --tftp-root=<path>,<interface> |
|
|
Correctly handle and log clashes between CNAMES and | Correctly handle and log clashes between CNAMES and |
DNS names being given to DHCP leases. This fixes a bug | DNS names being given to DHCP leases. This fixes a bug |
which caused nonsense IP addresses to be logged. Thanks to | which caused nonsense IP addresses to be logged. Thanks to |
Sergei Zhirikov for finding and analysing the problem. | Sergei Zhirikov for finding and analysing the problem. |
|
|
Tweak flush_log so as to avoid leaving the log | Tweak flush_log so as to avoid leaving the log |
file in non-blocking mode. O_NONBLOCK is a property of the | file in non-blocking mode. O_NONBLOCK is a property of the |
file, not the process/descriptor. | file, not the process/descriptor. |
|
|
Fix contrib/Solaris10/create_package | Fix contrib/Solaris10/create_package |
(/usr/man -> /usr/share/man) Thanks to Vita Batrla. | (/usr/man -> /usr/share/man) Thanks to Vita Batrla. |
|
|
Fix a problem where, if a client got a lease, then went | Fix a problem where, if a client got a lease, then went |
to another subnet and got another lease, then moved back, | to another subnet and got another lease, then moved back, |
it couldn't resume the old lease, but would instead get | it couldn't resume the old lease, but would instead get |
a new address. Thanks to Leonardo Rodrigues for spotting | a new address. Thanks to Leonardo Rodrigues for spotting |
this and testing the fix. | this and testing the fix. |
| |
Fix weird bug which sometimes omitted certain characters | |
from the start of quoted strings in dhcp-options. Thanks | |
to Dayton Turner for spotting the problem. | |
|
|
Add facility to redirect some domains to the standard | Fix weird bug which sometimes omitted certain characters |
upstream servers: this allows something like | from the start of quoted strings in dhcp-options. Thanks |
--server=/google.com/1.2.3.4 --server=/www.google.com/# | to Dayton Turner for spotting the problem. |
which will send queries for *.google.com to 1.2.3.4, | |
except *www.google.com which will be forwarded as usual. | |
Thanks to AJ Weber for prompting this addition. | |
| |
Improve the hash-algorithm used to generate IP addresses | |
from MAC addresses during initial DHCP address | |
allocation. This improves performance when large numbers | |
of hosts with similar MAC addresses all try and get an IP | |
address at the same time. Thanks to Paul Smith for his | |
work on this. | |
|
|
Tweak DHCP code so that --bridge-interface can be used to | Add facility to redirect some domains to the standard |
select which IP alias of an interface should be used for | upstream servers: this allows something like |
DHCP purposes on Linux. If eth0 has an alias eth0:dhcp | --server=/google.com/1.2.3.4 --server=/www.google.com/# |
then adding --bridge-interface=eth0:dhcp,eth0 will use | which will send queries for *.google.com to 1.2.3.4, |
the address of eth0:dhcp to determine the correct subnet | except *www.google.com which will be forwarded as usual. |
for DHCP address allocation. Thanks to Pawel Golaszewski | Thanks to AJ Weber for prompting this addition. |
for prompting this and Eric Cooper for further testing. | |
|
|
Add --dhcp-generate-names. Suggestion by Ferenc Wagner. | Improve the hash-algorithm used to generate IP addresses |
| from MAC addresses during initial DHCP address |
| allocation. This improves performance when large numbers |
| of hosts with similar MAC addresses all try and get an IP |
| address at the same time. Thanks to Paul Smith for his |
| work on this. |
|
|
Tweak DNS server selection algorithm when there is more | Tweak DHCP code so that --bridge-interface can be used to |
than one server available for a domain, eg. | select which IP alias of an interface should be used for |
--server=/mydomain/1.1.1.1 | DHCP purposes on Linux. If eth0 has an alias eth0:dhcp |
--server=/mydomain/2.2.2.2 | then adding --bridge-interface=eth0:dhcp,eth0 will use |
Thanks to Alberto Cuesta-Canada for spotting a weakness | the address of eth0:dhcp to determine the correct subnet |
here. | for DHCP address allocation. Thanks to Pawel Golaszewski |
| for prompting this and Eric Cooper for further testing. |
|
|
Add --max-ttl. Thanks to Fredrik Ringertz for the patch. | Add --dhcp-generate-names. Suggestion by Ferenc Wagner. |
|
|
Allow --log-facility=- to force all logging to | Tweak DNS server selection algorithm when there is more |
stderr. Suggestion from Clemens Fischer. | than one server available for a domain, eg. |
| --server=/mydomain/1.1.1.1 |
| --server=/mydomain/2.2.2.2 |
| Thanks to Alberto Cuesta-Canada for spotting a weakness |
| here. |
|
|
Fix regression which caused configuration like | Add --max-ttl. Thanks to Fredrik Ringertz for the patch. |
--address=/.domain.com/1.2.3.4 to be rejected. The dot to the | |
left of the domain has been implied and not required for a | |
long time, but it should be accepted for backward | |
compatibility. Thanks to Andrew Burcin for spotting this. | |
| |
Add --rebind-domain-ok and --rebind-localhost-ok. | |
Suggestion from Clemens Fischer. | |
|
|
Log replies to queries of type TXT, when --log-queries | Allow --log-facility=- to force all logging to |
is set. | stderr. Suggestion from Clemens Fischer. |
|
|
Fix compiler warnings when compiled with -DNO_DHCP. Thanks | Fix regression which caused configuration like |
to Shantanu Gadgil for the patch. | --address=/.domain.com/1.2.3.4 to be rejected. The dot to the |
| left of the domain has been implied and not required for a |
| long time, but it should be accepted for backward |
| compatibility. Thanks to Andrew Burcin for spotting this. |
|
|
Updated French translation. Thanks to Gildas Le Nadan. | Add --rebind-domain-ok and --rebind-localhost-ok. |
| Suggestion from Clemens Fischer. |
|
|
Updated Polish translation. Thanks to Jan Psota. | Log replies to queries of type TXT, when --log-queries |
| is set. |
|
|
Updated German translation. Thanks to Matthias Andree. | Fix compiler warnings when compiled with -DNO_DHCP. Thanks |
| to Shantanu Gadgil for the patch. |
|
|
Added contrib/static-arp, thanks to Darren Hoo. | Updated French translation. Thanks to Gildas Le Nadan. |
| |
Fix corruption of the domain when a name from /etc/hosts | |
overrides one supplied by a DHCP client. Thanks to Fedor | |
Kozhevnikov for spotting the problem. | |
|
|
Updated Spanish translation. Thanks to Chris Chatham. | Updated Polish translation. Thanks to Jan Psota. |
|
|
|
Updated German translation. Thanks to Matthias Andree. |
|
|
|
Added contrib/static-arp, thanks to Darren Hoo. |
|
|
|
Fix corruption of the domain when a name from /etc/hosts |
|
overrides one supplied by a DHCP client. Thanks to Fedor |
|
Kozhevnikov for spotting the problem. |
|
|
|
Updated Spanish translation. Thanks to Chris Chatham. |
|
|
|
|
version 2.52 |
version 2.52 |
Work around a Linux kernel bug which insists that the | Work around a Linux kernel bug which insists that the |
length of the option passed to setsockopt must be at least | length of the option passed to setsockopt must be at least |
sizeof(int) bytes, even if we're calling SO_BINDTODEVICE | sizeof(int) bytes, even if we're calling SO_BINDTODEVICE |
and the device name is "lo". Note that this is fixed | and the device name is "lo". Note that this is fixed |
in kernel 2.6.31, but the workaround is harmless and | in kernel 2.6.31, but the workaround is harmless and |
allows earlier kernels to be used. Also fix dnsmasq | allows earlier kernels to be used. Also fix dnsmasq |
bug which reported the wrong address when this failed. | bug which reported the wrong address when this failed. |
Thanks to Fedor for finding this. | Thanks to Fedor for finding this. |
|
|
The API for IPv6 PKTINFO changed around Linux kernel | The API for IPv6 PKTINFO changed around Linux kernel |
2.6.14. Workaround the case where dnsmasq is compiled | 2.6.14. Workaround the case where dnsmasq is compiled |
against newer headers, but then run on an old kernel: | against newer headers, but then run on an old kernel: |
necessary for some *WRT distros. | necessary for some *WRT distros. |
|
|
Re-read the set of network interfaces when re-loading | Re-read the set of network interfaces when re-loading |
/etc/resolv.conf if --bind-interfaces is not set. This | /etc/resolv.conf if --bind-interfaces is not set. This |
handles the case that loopback interfaces do not exist | handles the case that loopback interfaces do not exist |
when dnsmasq is first started. | when dnsmasq is first started. |
|
|
Tweak the PXE code to support port 4011. This should | Tweak the PXE code to support port 4011. This should |
reduce broadcasts and make things more reliable when other | reduce broadcasts and make things more reliable when other |
servers are around. It also improves inter-operability | servers are around. It also improves inter-operability |
with certain clients. | with certain clients. |
|
|
Make a pxe-service configuration with no filename or boot | Make a pxe-service configuration with no filename or boot |
service type legal: this does a local boot. eg. | service type legal: this does a local boot. eg. |
pxe-service=x86PC, "Local boot" | pxe-service=x86PC, "Local boot" |
|
|
Be more conservative in detecting "A for A" | Be more conservative in detecting "A for A" |
queries. Dnsmasq checks if the name in a type=A query looks | queries. Dnsmasq checks if the name in a type=A query looks |
like a dotted-quad IP address and answers the query itself | like a dotted-quad IP address and answers the query itself |
if so, rather than forwarding it. Previously dnsmasq | if so, rather than forwarding it. Previously dnsmasq |
relied in the library function inet_addr() to convert | relied in the library function inet_addr() to convert |
addresses, and that will accept some things which are | addresses, and that will accept some things which are |
confusing in this context, like 1.2.3 or even just | confusing in this context, like 1.2.3 or even just |
1234. Now we only do A for A processing for four decimal | 1234. Now we only do A for A processing for four decimal |
numbers delimited by dots. | numbers delimited by dots. |
|
|
A couple of tweaks to fix compilation on Solaris. Thanks | A couple of tweaks to fix compilation on Solaris. Thanks |
to Joel Macklow for help with this. | to Joel Macklow for help with this. |
|
|
Another Solaris compilation tweak, needed for Solaris | Another Solaris compilation tweak, needed for Solaris |
2009.06. Thanks to Lee Essen for that. | 2009.06. Thanks to Lee Essen for that. |
|
|
Added extract packaging stuff from Lee Essen to | Added extract packaging stuff from Lee Essen to |
contrib/Solaris10. | contrib/Solaris10. |
| |
Increased the default limit on number of leases to 1000 | |
(from 150). This is mainly a defence against DoS attacks, | |
and for the average "one for two class C networks" | |
installation, IP address exhaustion does that just as | |
well. Making the limit greater than the number of IP | |
addresses available in such an installation removes a | |
surprise which otherwise can catch people out. | |
|
|
Removed extraneous trailing space in the value of the | Increased the default limit on number of leases to 1000 |
DNSMASQ_TIME_REMAINING DNSMASQ_LEASE_LENGTH and | (from 150). This is mainly a defence against DoS attacks, |
DNSMASQ_LEASE_EXPIRES environment variables. Thanks to | and for the average "one for two class C networks" |
Gildas Le Nadan for spotting this. | installation, IP address exhaustion does that just as |
| well. Making the limit greater than the number of IP |
| addresses available in such an installation removes a |
| surprise which otherwise can catch people out. |
|
|
Provide the network-id tags for a DHCP transaction to | Removed extraneous trailing space in the value of the |
the lease-change script in the environment variable | DNSMASQ_TIME_REMAINING DNSMASQ_LEASE_LENGTH and |
DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan. | DNSMASQ_LEASE_EXPIRES environment variables. Thanks to |
| Gildas Le Nadan for spotting this. |
|
|
Add support for RFC3925 "Vendor-Identifying Vendor | Provide the network-id tags for a DHCP transaction to |
Options". The syntax looks like this: | the lease-change script in the environment variable |
--dhcp-option=vi-encap:<enterprise number>, ......... | DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan. |
|
|
Add support to --dhcp-match to allow matching against | Add support for RFC3925 "Vendor-Identifying Vendor |
RFC3925 "Vendor-Identifying Vendor Classes". The syntax | Options". The syntax looks like this: |
looks like this: | --dhcp-option=vi-encap:<enterprise number>, ......... |
--dhcp-match=tag,vi-encap<enterprise number>, <value> | |
| |
Add some application specific code to assist in | |
implementing the Broadband forum TR069 CPE-WAN | |
specification. The details are in contrib/CPE-WAN/README | |
|
|
Increase the default DNS packet size limit to 4096, as | Add support to --dhcp-match to allow matching against |
recommended by RFC5625 section 4.4.3. This can be | RFC3925 "Vendor-Identifying Vendor Classes". The syntax |
reconfigured using --edns-packet-max if needed. Thanks to | looks like this: |
Francis Dupont for pointing this out. | --dhcp-match=tag,vi-encap<enterprise number>, <value> |
|
|
Rewrite query-ids even for TSIG signed packets, since | Add some application specific code to assist in |
this is allowed by RFC5625 section 4.5. | implementing the Broadband forum TR069 CPE-WAN |
| specification. The details are in contrib/CPE-WAN/README |
Use getopt_long by default on OS X. It has been supported | |
since version 10.3.0. Thanks to Arek Dreyer for spotting | |
this. | |
|
|
Added up-to-date startup configuration for MacOSX/launchd | Increase the default DNS packet size limit to 4096, as |
in contrib/MacOSX-launchd. Thanks to Arek Dreyer for | recommended by RFC5625 section 4.4.3. This can be |
providing this. | reconfigured using --edns-packet-max if needed. Thanks to |
| Francis Dupont for pointing this out. |
|
|
Fix link error when including Dbus but excluding DHCP. | Rewrite query-ids even for TSIG signed packets, since |
Thanks to Oschtan for the bug report. | this is allowed by RFC5625 section 4.5. |
|
|
Updated French translation. Thanks to Gildas Le Nadan. | Use getopt_long by default on OS X. It has been supported |
| since version 10.3.0. Thanks to Arek Dreyer for spotting |
Updated Polish translation. Thanks to Jan Psota. | this. |
|
|
Updated Spanish translation. Thanks to Chris Chatham. | Added up-to-date startup configuration for MacOSX/launchd |
| in contrib/MacOSX-launchd. Thanks to Arek Dreyer for |
| providing this. |
|
|
Fixed confusion about domains, when looking up DHCP hosts | Fix link error when including Dbus but excluding DHCP. |
in /etc/hosts. This could cause spurious "Ignoring | Thanks to Oschtan for the bug report. |
domain..." messages. Thanks to Fedor Kozhevnikov for | |
finding and analysing the problem. | |
|
|
| Updated French translation. Thanks to Gildas Le Nadan. |
| |
| Updated Polish translation. Thanks to Jan Psota. |
| |
| Updated Spanish translation. Thanks to Chris Chatham. |
| |
| Fixed confusion about domains, when looking up DHCP hosts |
| in /etc/hosts. This could cause spurious "Ignoring |
| domain..." messages. Thanks to Fedor Kozhevnikov for |
| finding and analysing the problem. |
| |
| |
version 2.51 |
version 2.51 |
Add support for internationalised DNS. Non-ASCII characters | Add support for internationalised DNS. Non-ASCII characters |
in domain names found in /etc/hosts, /etc/ethers and | in domain names found in /etc/hosts, /etc/ethers and |
/etc/dnsmasq.conf will be correctly handled by translation to | /etc/dnsmasq.conf will be correctly handled by translation to |
punycode, as specified in RFC3490. This function is only | punycode, as specified in RFC3490. This function is only |
available if dnsmasq is compiled with internationalisation | available if dnsmasq is compiled with internationalisation |
support, and adds a dependency on GNU libidn. Without i18n | support, and adds a dependency on GNU libidn. Without i18n |
support, dnsmasq continues to be compilable with just | support, dnsmasq continues to be compilable with just |
standard tools. Thanks to Yves Dorfsman for the | standard tools. Thanks to Yves Dorfsman for the |
suggestion. | suggestion. |
|
|
Add two more environment variables for lease-change scripts: | Add two more environment variables for lease-change scripts: |
First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname | First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname |
supplied by a client, even if the actual hostname used is | supplied by a client, even if the actual hostname used is |
over-ridden by dhcp-host or dhcp-ignore-names directives. | over-ridden by dhcp-host or dhcp-ignore-names directives. |
Also DNSMASQ_RELAY_ADDRESS which gives the address of | Also DNSMASQ_RELAY_ADDRESS which gives the address of |
a DHCP relay, if used. | a DHCP relay, if used. |
Suggestions from Michael Rack. | Suggestions from Michael Rack. |
|
|
Fix regression which broke echo of relay-agent | Fix regression which broke echo of relay-agent |
options. Thanks to Michael Rack for spotting this. | options. Thanks to Michael Rack for spotting this. |
| |
Don't treat option 67 as being interchangeable with | |
dhcp-boot parameters if it's specified as | |
dhcp-option-force. | |
|
|
Make the code to call scripts on lease-change compile-time | Don't treat option 67 as being interchangeable with |
optional. It can be switched off by editing src/config.h | dhcp-boot parameters if it's specified as |
or building with "make COPTS=-DNO_SCRIPT". | dhcp-option-force. |
| |
Make the TFTP server cope with filenames from Windows/DOS | |
which use '\' as pathname separator. Thanks to Ralf for | |
the patch. | |
|
|
Updated Polish translation. Thanks to Jan Psota. | Make the code to call scripts on lease-change compile-time |
| optional. It can be switched off by editing src/config.h |
Warn if an IP address is duplicated in /etc/ethers. Thanks | or building with "make COPTS=-DNO_SCRIPT". |
to Felix Schwarz for pointing this out. | |
|
|
Teach --conf-dir to take an option list of file suffices | Make the TFTP server cope with filenames from Windows/DOS |
which will be ignored when scanning the directory. Useful | which use '\' as pathname separator. Thanks to Ralf for |
for backup files etc. Thanks to Helmut Hullen for the | the patch. |
suggestion. | |
|
|
Add new DHCP option named tftpserver-address, which | Updated Polish translation. Thanks to Jan Psota. |
corresponds to the third argument of dhcp-boot. This | |
allows the complete functionality of dhcp-boot to be | |
replicated with dhcp-option. Useful when using | |
dhcp-optsfile. | |
|
|
Test which upstream nameserver to use every 10 seconds | Warn if an IP address is duplicated in /etc/ethers. Thanks |
or 50 queries and not just when a query times out and | to Felix Schwarz for pointing this out. |
is retried. This should improve performance when there | |
is a slow nameserver in the list. Thanks to Joe for the | |
suggestion. | |
|
|
Don't do any PXE processing, even for clients with the | Teach --conf-dir to take an option list of file suffices |
correct vendorclass, unless at least one pxe-prompt or | which will be ignored when scanning the directory. Useful |
pxe-service option is given. This stops dnsmasq | for backup files etc. Thanks to Helmut Hullen for the |
interfering with proxy PXE subsystems when it is just | suggestion. |
the DHCP server. Thanks to Spencer Clark for spotting this. | |
|
|
Limit the blocksize used for TFTP transfers to a value | Add new DHCP option named tftpserver-address, which |
which avoids packet fragmentation, based on the MTU of the | corresponds to the third argument of dhcp-boot. This |
local interface. Many netboot ROMs can't cope with | allows the complete functionality of dhcp-boot to be |
fragmented packets. | replicated with dhcp-option. Useful when using |
| dhcp-optsfile. |
|
|
Honour dhcp-ignore configuration for PXE and proxy-PXE | Test which upstream nameserver to use every 10 seconds |
requests. Thanks to Niels Basjes for the bug report. | or 50 queries and not just when a query times out and |
| is retried. This should improve performance when there |
| is a slow nameserver in the list. Thanks to Joe for the |
| suggestion. |
|
|
Updated French translation. Thanks to Gildas Le Nadan. | Don't do any PXE processing, even for clients with the |
| correct vendorclass, unless at least one pxe-prompt or |
| pxe-service option is given. This stops dnsmasq |
| interfering with proxy PXE subsystems when it is just |
| the DHCP server. Thanks to Spencer Clark for spotting this. |
|
|
|
Limit the blocksize used for TFTP transfers to a value |
|
which avoids packet fragmentation, based on the MTU of the |
|
local interface. Many netboot ROMs can't cope with |
|
fragmented packets. |
|
|
|
Honour dhcp-ignore configuration for PXE and proxy-PXE |
|
requests. Thanks to Niels Basjes for the bug report. |
|
|
|
Updated French translation. Thanks to Gildas Le Nadan. |
|
|
|
|
version 2.50 |
version 2.50 |
Fix security problem which allowed any host permitted to | Fix security problem which allowed any host permitted to |
do TFTP to possibly compromise dnsmasq by remote buffer | do TFTP to possibly compromise dnsmasq by remote buffer |
overflow when TFTP enabled. Thanks to Core Security | overflow when TFTP enabled. Thanks to Core Security |
Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro | Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro |
Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and | Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and |
Pablo Annetta. This problem has Bugtraq id: 36121 | Pablo Annetta. This problem has Bugtraq id: 36121 |
and CVE: 2009-2957 | and CVE: 2009-2957 |
|
|
Fix a problem which allowed a malicious TFTP client to | Fix a problem which allowed a malicious TFTP client to |
crash dnsmasq. Thanks to Steve Grubb at Red Hat for | crash dnsmasq. Thanks to Steve Grubb at Red Hat for |
spotting this. This problem has Bugtraq id: 36120 and | spotting this. This problem has Bugtraq id: 36120 and |
CVE: 2009-2958 | CVE: 2009-2958 |
|
|
|
|
version 2.49 |
version 2.49 |
Fix regression in 2.48 which disables the lease-change | Fix regression in 2.48 which disables the lease-change |
script. Thanks to Jose Luis Duran for spotting this. | script. Thanks to Jose Luis Duran for spotting this. |
|
|
Log TFTP "file not found" errors. These were not logged, | Log TFTP "file not found" errors. These were not logged, |
since a normal PXELinux boot generates many of them, but | since a normal PXELinux boot generates many of them, but |
the lack of the messages seems to be more confusing than | the lack of the messages seems to be more confusing than |
routinely seeing them when there is no real error. | routinely seeing them when there is no real error. |
|
|
Update Spanish translation. Thanks to Chris Chatham. | Update Spanish translation. Thanks to Chris Chatham. |
| |
|
|
|
|
version 2.48 |
version 2.48 |
Archived the extensive, backwards, changelog to | Archived the extensive, backwards, changelog to |
CHANGELOG.archive. The current changelog now runs from | CHANGELOG.archive. The current changelog now runs from |
version 2.43 and runs conventionally. | version 2.43 and runs conventionally. |
|
|
Fixed bug which broke binding of servers to physical | Fixed bug which broke binding of servers to physical |
interfaces when interface names were longer than four | interfaces when interface names were longer than four |
characters. Thanks to MURASE Katsunori for the patch. | characters. Thanks to MURASE Katsunori for the patch. |
|
|
Fixed netlink code to check that messages come from the | Fixed netlink code to check that messages come from the |
correct source, and not another userspace process. Thanks | correct source, and not another userspace process. Thanks |
to Steve Grubb for the patch. | to Steve Grubb for the patch. |
|
|
Maintainability drive: removed bug and missing feature | Maintainability drive: removed bug and missing feature |
workarounds for some old platforms. Solaris 9, OpenBSD | workarounds for some old platforms. Solaris 9, OpenBSD |
older than 4.1, Glibc older than 2.2, Linux 2.2.x and | older than 4.1, Glibc older than 2.2, Linux 2.2.x and |
DBus older than 1.1.x are no longer supported. | DBus older than 1.1.x are no longer supported. |
|
|
Don't read included configuration files more than once: | Don't read included configuration files more than once: |
allows complex configuration structures without problems. | allows complex configuration structures without problems. |
|
|
Mark log messages from the various subsystems in dnsmasq: | Mark log messages from the various subsystems in dnsmasq: |
messages from the DHCP subsystem now have the ident string | messages from the DHCP subsystem now have the ident string |
"dnsmasq-dhcp" and messages from TFTP have ident | "dnsmasq-dhcp" and messages from TFTP have ident |
"dnsmasq-tftp". Thanks to Olaf Westrik for the patch. | "dnsmasq-tftp". Thanks to Olaf Westrik for the patch. |
|
|
Fix possible infinite DHCP protocol loop when an IP | Fix possible infinite DHCP protocol loop when an IP |
address nailed to a hostname (not a MAC address) and a | address nailed to a hostname (not a MAC address) and a |
host sometimes provides the name, sometimes not. | host sometimes provides the name, sometimes not. |
|
|
Allow --addn-hosts to take a directory: all the files | Allow --addn-hosts to take a directory: all the files |
in the directory are read. Thanks to Phil Cornelius for | in the directory are read. Thanks to Phil Cornelius for |
the suggestion. | the suggestion. |
|
|
Support --bridge-interface on all platforms, not just BSD. | Support --bridge-interface on all platforms, not just BSD. |
| |
Added support for advanced PXE functions. It's now | |
possible to define a prompt and menu options which will | |
be displayed when a client PXE boots. It's also possible to | |
hand-off booting to other boot servers. Proxy-DHCP, where | |
dnsmasq just supplies the PXE information and another DHCP | |
server does address allocation, is also allowed. See the | |
--pxe-prompt and --pxe-service keywords. Thanks to | |
Alkis Georgopoulos for the suggestion and Guilherme Moro | |
and Michael Brown for assistance. | |
|
|
Improvements to DHCP logging. Thanks to Tom Metro for | Added support for advanced PXE functions. It's now |
useful suggestions. | possible to define a prompt and menu options which will |
| be displayed when a client PXE boots. It's also possible to |
Add ability to build dnsmasq without DHCP support. To do | hand-off booting to other boot servers. Proxy-DHCP, where |
this, edit src/config.h or build with | dnsmasq just supplies the PXE information and another DHCP |
"make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch. | server does address allocation, is also allowed. See the |
| --pxe-prompt and --pxe-service keywords. Thanks to |
Added --test command-line switch - syntax check | Alkis Georgopoulos for the suggestion and Guilherme Moro |
configuration files only. | and Michael Brown for assistance. |
| |
Updated French translation. Thanks to Gildas Le Nadan. | |
|
|
|
Improvements to DHCP logging. Thanks to Tom Metro for |
|
useful suggestions. |
|
|
|
Add ability to build dnsmasq without DHCP support. To do |
|
this, edit src/config.h or build with |
|
"make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch. |
|
|
|
Added --test command-line switch - syntax check |
|
configuration files only. |
|
|
|
Updated French translation. Thanks to Gildas Le Nadan. |
|
|
|
|
version 2.47 |
version 2.47 |
Updated French translation. Thanks to Gildas Le Nadan. | Updated French translation. Thanks to Gildas Le Nadan. |
|
|
Fixed interface enumeration code to work on NetBSD | Fixed interface enumeration code to work on NetBSD |
5.0. Thanks to Roy Marples for the patch. | 5.0. Thanks to Roy Marples for the patch. |
|
|
Updated config.h to use the same location for the lease | Updated config.h to use the same location for the lease |
file on NetBSD as the other *BSD variants. Also allow | file on NetBSD as the other *BSD variants. Also allow |
LEASEFILE and CONFFILE symbols to be overriden in CFLAGS. | LEASEFILE and CONFFILE symbols to be overridden in CFLAGS. |
|
|
Handle duplicate address detection on IPv6 more | Handle duplicate address detection on IPv6 more |
intelligently. In IPv6, an interface can have an address | intelligently. In IPv6, an interface can have an address |
which is not usable, because it is still undergoing DAD | which is not usable, because it is still undergoing DAD |
(such addresses are marked "tentative"). Attempting to | (such addresses are marked "tentative"). Attempting to |
bind to an address in this state returns an error, | bind to an address in this state returns an error, |
EADDRNOTAVAIL. Previously, on getting such an error, | EADDRNOTAVAIL. Previously, on getting such an error, |
dnsmasq would silently abandon the address, and never | dnsmasq would silently abandon the address, and never |
listen on it. Now, it retries once per second for 20 | listen on it. Now, it retries once per second for 20 |
seconds before generating a fatal error. 20 seconds should | seconds before generating a fatal error. 20 seconds should |
be long enough for any DAD process to complete, but can be | be long enough for any DAD process to complete, but can be |
adjusted in src/config.h if necessary. Thanks to Martin | adjusted in src/config.h if necessary. Thanks to Martin |
Krafft for the bug report. | Krafft for the bug report. |
|
|
Add DBus introspection. Patch from Jeremy Laine. | Add DBus introspection. Patch from Jeremy Laine. |
|
|
Update Dbus configuration file. Patch from Colin Walters. | Update Dbus configuration file. Patch from Colin Walters. |
Fix for this bug: | Fix for this bug: |
http://bugs.freedesktop.org/show_bug.cgi?id=18961 | http://bugs.freedesktop.org/show_bug.cgi?id=18961 |
|
|
Support arbitrarily encapsulated DHCP options, suggestion | Support arbitrarily encapsulated DHCP options, suggestion |
and initial patch from Samium Gromoff. This is useful for | and initial patch from Samium Gromoff. This is useful for |
(eg) gPXE, which expect all its private options to be | (eg) iPXE, which expect all its private options to be |
encapsulated inside a single option 175. So, eg, | encapsulated inside a single option 175. So, eg, |
|
|
dhcp-option = encap:175, 190, "iscsi-client0" | dhcp-option = encap:175, 190, "iscsi-client0" |
dhcp-option = encap:175, 191, "iscsi-client0-secret" | dhcp-option = encap:175, 191, "iscsi-client0-secret" |
| |
will provide iSCSI parameters to gPXE. | |
|
|
Enhance --dhcp-match to allow testing of the contents of a | will provide iSCSI parameters to iPXE. |
client-sent option, as well as its presence. This | |
application in mind for this is RFC 4578 | |
client-architecture specifiers, but it's generally useful. | |
Joey Korkames suggested the enhancement. | |
|
|
Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on | Enhance --dhcp-match to allow testing of the contents of a |
OpenSolaris. Thanks to Bastian Machek for the heads-up. | client-sent option, as well as its presence. This |
| application in mind for this is RFC 4578 |
| client-architecture specifiers, but it's generally useful. |
| Joey Korkames suggested the enhancement. |
|
|
No longer complain about blank lines in | Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on |
/etc/ethers. Thanks to Jon Nelson for the patch. | OpenSolaris. Thanks to Bastian Machek for the heads-up. |
|
|
Fix binding of servers to physical devices, eg | No longer complain about blank lines in |
--server=/domain/1.2.3.4@eth0 which was broken from 2.43 | /etc/ethers. Thanks to Jon Nelson for the patch. |
onwards unless --query-port=0 set. Thanks to Peter Naulls | |
for the bug report. | |
|
|
Reply to DHCPINFORM requests even when the supplied ciaddr | Fix binding of servers to physical devices, eg |
doesn't fall in any dhcp-range. In this case it's not | --server=/domain/1.2.3.4@eth0 which was broken from 2.43 |
possible to supply a complete configuration, but | onwards unless --query-port=0 set. Thanks to Peter Naulls |
individually-configured options (eg PAC) may be useful. | for the bug report. |
|
|
Allow the source address of an alias to be a range: | Reply to DHCPINFORM requests even when the supplied ciaddr |
--alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole | doesn't fall in any dhcp-range. In this case it's not |
subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255, | possible to supply a complete configuration, but |
as before. | individually-configured options (eg PAC) may be useful. |
--alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 | |
maps only the 192.168.0.10->192.168.0.40 region. Thanks to | |
Ib Uhrskov for the suggestion. | |
|
|
Don't dynamically allocate DHCP addresses which may break | Allow the source address of an alias to be a range: |
Windows. Addresses which end in .255 or .0 are broken in | --alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole |
Windows even when using supernetting. | subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255, |
--dhcp-range=192.168.0.1,192.168.1.254,255,255,254.0 means | as before. |
192.168.0.255 is a valid IP address, but not for Windows. | --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 |
See Microsoft KB281579. We therefore no longer allocate | maps only the 192.168.0.10->192.168.0.40 region. Thanks to |
these addresses to avoid hard-to-diagnose problems. | Ib Uhrskov for the suggestion. |
|
|
Update Polish translation. Thanks to Jan Psota. | Don't dynamically allocate DHCP addresses which may break |
| Windows. Addresses which end in .255 or .0 are broken in |
| Windows even when using supernetting. |
| --dhcp-range=192.168.0.1,192.168.1.254,255,255,254.0 means |
| 192.168.0.255 is a valid IP address, but not for Windows. |
| See Microsoft KB281579. We therefore no longer allocate |
| these addresses to avoid hard-to-diagnose problems. |
|
|
Delete the PID-file when dnsmasq shuts down. Note that by | Update Polish translation. Thanks to Jan Psota. |
this time, dnsmasq is normally not running as root, so | |
this will fail if the PID-file is stored in a root-owned | |
directory; such failure is silently ignored. To take | |
advantage of this feature, the PID-file must be stored in a | |
directory owned and write-able by the user running | |
dnsmasq. | |
|
|
|
Delete the PID-file when dnsmasq shuts down. Note that by |
|
this time, dnsmasq is normally not running as root, so |
|
this will fail if the PID-file is stored in a root-owned |
|
directory; such failure is silently ignored. To take |
|
advantage of this feature, the PID-file must be stored in a |
|
directory owned and write-able by the user running |
|
dnsmasq. |
|
|
|
|
version 2.46 |
version 2.46 |
Allow --bootp-dynamic to take a netid tag, so that it may | Allow --bootp-dynamic to take a netid tag, so that it may |
be selectively enabled. Thanks to Olaf Westrik for the | be selectively enabled. Thanks to Olaf Westrik for the |
suggestion. | suggestion. |
|
|
Remove ISC-leasefile reading code. This has been | Remove ISC-leasefile reading code. This has been |
deprecated for a long time, and last time I removed it, it | deprecated for a long time, and last time I removed it, it |
ended up going back by request of one user. This time, | ended up going back by request of one user. This time, |
it's gone for good; otherwise it would need to be | it's gone for good; otherwise it would need to be |
re-worked to support multiple domains (see below). | re-worked to support multiple domains (see below). |
|
|
Support DHCP clients in multiple DNS domains. This is a | Support DHCP clients in multiple DNS domains. This is a |
long-standing request. Clients are assigned to a domain | long-standing request. Clients are assigned to a domain |
based in their IP address. | based in their IP address. |
|
|
Add --dhcp-fqdn flag, which changes behaviour if DNS names | Add --dhcp-fqdn flag, which changes behaviour if DNS names |
assigned to DHCP clients. When this is set, there must be | assigned to DHCP clients. When this is set, there must be |
a domain associated with each client, and only | a domain associated with each client, and only |
fully-qualified domain names are added to the DNS. The | fully-qualified domain names are added to the DNS. The |
advantage is that the only the FQDN needs to be unique, | advantage is that the only the FQDN needs to be unique, |
so that two or more DHCP clients can share a hostname, as | so that two or more DHCP clients can share a hostname, as |
long as they are in different domains. | long as they are in different domains. |
|
|
Set environment variable DNSMASQ_DOMAIN when invoking | Set environment variable DNSMASQ_DOMAIN when invoking |
lease-change script. This may be useful information to | lease-change script. This may be useful information to |
have now that it's variable. | have now that it's variable. |
|
|
Tighten up data-checking code for DNS packet | Tighten up data-checking code for DNS packet |
handling. Thanks to Steve Dodd who found certain illegal | handling. Thanks to Steve Dodd who found certain illegal |
packets which could crash dnsmasq. No memory overwrite was | packets which could crash dnsmasq. No memory overwrite was |
possible, so this is not a security issue beyond the DoS | possible, so this is not a security issue beyond the DoS |
potential. | potential. |
|
|
Update example config dhcp option 47, the previous | Update example config dhcp option 47, the previous |
suggestion generated an illegal, zero-length, | suggestion generated an illegal, zero-length, |
option. Thanks to Matthias Andree for finding this. | option. Thanks to Matthias Andree for finding this. |
|
|
Rewrite hosts-file reading code to remove the limit of | Rewrite hosts-file reading code to remove the limit of |
1024 characters per line. John C Meuser found this. | 1024 characters per line. John C Meuser found this. |
|
|
Create a net-id tag with the name of the interface on | Create a net-id tag with the name of the interface on |
which the DHCP request was received. | which the DHCP request was received. |
|
|
Fixed minor memory leak in DBus code, thanks to Jeremy | Fixed minor memory leak in DBus code, thanks to Jeremy |
Laine for the patch. | Laine for the patch. |
|
|
Emit DBus signals as the DHCP lease database | Emit DBus signals as the DHCP lease database |
changes. Thanks to Jeremy Laine for the patch. | changes. Thanks to Jeremy Laine for the patch. |
|
|
Allow for more that one MAC address in a dhcp-host | Allow for more that one MAC address in a dhcp-host |
line. This configuration tells dnsmasq that it's OK to | line. This configuration tells dnsmasq that it's OK to |
abandon a DHCP lease of the fixed address to one MAC | abandon a DHCP lease of the fixed address to one MAC |
address, if another MAC address in the dhcp-host statement | address, if another MAC address in the dhcp-host statement |
asks for an address. This is useful to give a fixed | asks for an address. This is useful to give a fixed |
address to a host which has two network interfaces | address to a host which has two network interfaces |
(say, a laptop with wired and wireless interfaces.) | (say, a laptop with wired and wireless interfaces.) |
It's very important to ensure that only one interface | It's very important to ensure that only one interface |
at a time is up, since dnsmasq abandons the first lease | at a time is up, since dnsmasq abandons the first lease |
and re-uses the address before the leased time has | and re-uses the address before the leased time has |
elapsed. John Gray suggested this. | elapsed. John Gray suggested this. |
|
|
Tweak the response to a DHCP request packet with a wrong | Tweak the response to a DHCP request packet with a wrong |
server-id when --dhcp-authoritative is set; dnsmasq now | server-id when --dhcp-authoritative is set; dnsmasq now |
returns a DHCPNAK, rather than silently ignoring the | returns a DHCPNAK, rather than silently ignoring the |
packet. Thanks to Chris Marget for spotting this | packet. Thanks to Chris Marget for spotting this |
improvement. | improvement. |
|
|
Add --cname option. This provides a limited alias | Add --cname option. This provides a limited alias |
function, usable for DHCP names. Thanks to AJ Weber for | function, usable for DHCP names. Thanks to AJ Weber for |
suggestions on this. | suggestions on this. |
|
|
Updated contrib/webmin with latest version from Neil | Updated contrib/webmin with latest version from Neil |
Fisher. | Fisher. |
|
|
Updated Polish translation. Thanks to Jan Psota. | Updated Polish translation. Thanks to Jan Psota. |
| |
Correct the text names for DHCP options 64 and 65 to be | |
"nis+-domain" and "nis+-servers". | |
|
|
Updated Spanish translation. Thanks to Chris Chatham. | Correct the text names for DHCP options 64 and 65 to be |
| "nis+-domain" and "nis+-servers". |
|
|
Force re-reading of /etc/resolv.conf when an "interface | Updated Spanish translation. Thanks to Chris Chatham. |
up" event occurs. | |
|
|
|
Force re-reading of /etc/resolv.conf when an "interface |
|
up" event occurs. |
|
|
|
|
version 2.45 |
version 2.45 |
Fix total DNS failure in release 2.44 unless --min-port | Fix total DNS failure in release 2.44 unless --min-port |
specified. Thanks to Steven Barth and Grant Coady for | specified. Thanks to Steven Barth and Grant Coady for |
bugreport. Also reject out-of-range port spec, which could | bugreport. Also reject out-of-range port spec, which could |
break things too: suggestion from Gilles Espinasse. | break things too: suggestion from Gilles Espinasse. |
| |
|
|
|
|
version 2.44 |
version 2.44 |
Fix crash when unknown client attempts to renew a DHCP | Fix crash when unknown client attempts to renew a DHCP |
lease, problem introduced in version 2.43. Thanks to | lease, problem introduced in version 2.43. Thanks to |
Carlos Carvalho for help chasing this down. | Carlos Carvalho for help chasing this down. |
|
|
Fix potential crash when a host which doesn't have a lease | Fix potential crash when a host which doesn't have a lease |
does DHCPINFORM. Again introduced in 2.43. This bug has | does DHCPINFORM. Again introduced in 2.43. This bug has |
never been reported in the wild. | never been reported in the wild. |
|
|
Fix crash in netlink code introduced in 2.43. Thanks to | Fix crash in netlink code introduced in 2.43. Thanks to |
Jean Wolter for finding this. | Jean Wolter for finding this. |
|
|
Change implementation of min_port to work even if min-port | Change implementation of min_port to work even if min-port |
is large. | is large. |
|
|
Patch to enable compilation of latest Mac OS X. Thanks to | Patch to enable compilation of latest Mac OS X. Thanks to |
David Gilman. | David Gilman. |
|
|
Update Spanish translation. Thanks to Christopher Chatham. | Update Spanish translation. Thanks to Christopher Chatham. |
|
|
|
|
version 2.43 |
version 2.43 |
Updated Polish translation. Thanks to Jan Psota. | Updated Polish translation. Thanks to Jan Psota. |
|
|
Flag errors when configuration options are repeated | Flag errors when configuration options are repeated |
illegally. | illegally. |
|
|
Further tweaks for GNU/kFreeBSD | Further tweaks for GNU/kFreeBSD |
|
|
Add --no-wrap to msgmerge call - provides nicer .po file | Add --no-wrap to msgmerge call - provides nicer .po file |
format. | format. |
|
|
Honour lease-time spec in dhcp-host lines even for | Honour lease-time spec in dhcp-host lines even for |
BOOTP. The user is assumed to known what they are doing in | BOOTP. The user is assumed to known what they are doing in |
this case. (Hosts without the time spec still get infinite | this case. (Hosts without the time spec still get infinite |
leases for BOOTP, over-riding the default in the | leases for BOOTP, over-riding the default in the |
dhcp-range.) Thanks to Peter Katzmann for uncovering this. | dhcp-range.) Thanks to Peter Katzmann for uncovering this. |
|
|
Fix problem matching relay-agent ids. Thanks to Michael | Fix problem matching relay-agent ids. Thanks to Michael |
Rack for the bug report. | Rack for the bug report. |
|
|
Add --naptr-record option. Suggestion from Johan | Add --naptr-record option. Suggestion from Johan |
Bergquist. | Bergquist. |
|
|
Implement RFC 5107 server-id-override DHCP relay agent | Implement RFC 5107 server-id-override DHCP relay agent |
option. | option. |
|
|
Apply patches from Stefan Kruger for compilation on | Apply patches from Stefan Kruger for compilation on |
Solaris 10 under Sun studio. | Solaris 10 under Sun studio. |
|
|
Yet more tweaking of Linux capability code, to suppress | Yet more tweaking of Linux capability code, to suppress |
pointless wingeing from kernel 2.6.25 and above. | pointless wingeing from kernel 2.6.25 and above. |
|
|
Improve error checking during startup. Previously, some | Improve error checking during startup. Previously, some |
errors which occurred during startup would be worked | errors which occurred during startup would be worked |
around, with dnsmasq still starting up. Some were logged, | around, with dnsmasq still starting up. Some were logged, |
some silent. Now, they all cause a fatal error and dnsmasq | some silent. Now, they all cause a fatal error and dnsmasq |
terminates with a non-zero exit code. The errors are those | terminates with a non-zero exit code. The errors are those |
associated with changing uid and gid, setting process | associated with changing uid and gid, setting process |
capabilities and writing the pidfile. Thanks to Uwe | capabilities and writing the pidfile. Thanks to Uwe |
Gansert and the Suse security team for pointing out | Gansert and the Suse security team for pointing out |
this improvement, and Bill Reimers for good implementation | this improvement, and Bill Reimers for good implementation |
suggestions. | suggestions. |
|
|
Provide NO_LARGEFILE compile option to switch off largefile | Provide NO_LARGEFILE compile option to switch off largefile |
support when compiling against versions of uclibc which | support when compiling against versions of uclibc which |
don't support it. Thanks to Stephane Billiart for the patch. | don't support it. Thanks to Stephane Billiart for the patch. |
| |
Implement random source ports for interactions with | |
upstream nameservers. New spoofing attacks have been found | |
against nameservers which do not do this, though it is not | |
clear if dnsmasq is vulnerable, since to doesn't implement | |
recursion. By default dnsmasq will now use a different | |
source port (and socket) for each query it sends | |
upstream. This behaviour can suppressed using the | |
--query-port option, and the old default behaviour | |
restored using --query-port=0. Explicit source-port | |
specifications in --server configs are still honoured. | |
|
|
Replace the random number generator, for better | Implement random source ports for interactions with |
security. On most BSD systems, dnsmasq uses the | upstream nameservers. New spoofing attacks have been found |
arc4random() RNG, which is secure, but on other platforms, | against nameservers which do not do this, though it is not |
it relied on the C-library RNG, which may be | clear if dnsmasq is vulnerable, since to doesn't implement |
guessable and therefore allow spoofing. This release | recursion. By default dnsmasq will now use a different |
replaces the libc RNG with the SURF RNG, from Daniel | source port (and socket) for each query it sends |
J. Berstein's DJBDNS package. | upstream. This behaviour can suppressed using the |
| --query-port option, and the old default behaviour |
| restored using --query-port=0. Explicit source-port |
| specifications in --server configs are still honoured. |
|
|
Don't attempt to change user or group or set capabilities | Replace the random number generator, for better |
if dnsmasq is run as a non-root user. Without this, the | security. On most BSD systems, dnsmasq uses the |
change from soft to hard errors when these fail causes | arc4random() RNG, which is secure, but on other platforms, |
problems for non-root daemons listening on high | it relied on the C-library RNG, which may be |
ports. Thanks to Patrick McLean for spotting this. | guessable and therefore allow spoofing. This release |
| replaces the libc RNG with the SURF RNG, from Daniel |
| J. Berstein's DJBDNS package. |
|
|
Updated French translation. Thanks to Gildas Le Nadan. | Don't attempt to change user or group or set capabilities |
| if dnsmasq is run as a non-root user. Without this, the |
| change from soft to hard errors when these fail causes |
| problems for non-root daemons listening on high |
| ports. Thanks to Patrick McLean for spotting this. |
|
|
|
Updated French translation. Thanks to Gildas Le Nadan. |
|
|
|
|
version 2.42 |
version 2.42 |
The changelog for version 2.42 and earlier is | The changelog for version 2.42 and earlier is |
available in CHANGELOG.archive. | available in CHANGELOG.archive. |