version 1.1.1.2, 2014/06/15 16:31:38
version 1.1.1.3, 2016/11/02 09:57:01

version 2.76

Include 0.0.0.0/8 in DNS rebind checks. This range
translates to hosts on the local network, or, at
least, 0.0.0.0 accesses the local host, so these could
be targets for DNS rebinding. See RFC 5735 section 3
for details. Thanks to Stephen Röttger for the bug report.

Enhance --add-subnet to allow arbitrary subnet addresses.
Thanks to Ed Barsley for the patch.

Respect the --no-resolv flag in inotify code. Fixes bug
which caused dnsmasq to fail to start if a resolv-file
was a dangling symbolic link, even if --no-resolv was set.
Thanks to Alexander Kurtz for spotting the problem.

Fix crash when an A or AAAA record is defined locally,
in a hosts file, and an upstream server sends a reply
saying that the same name has no records. Thanks to
Edwin Török for the patch.

Fix failure to correctly calculate cache-size when
reading a hosts-file fails. Thanks to André Glüpker
for the patch.

Fix wrong answer to simple name query when --domain-needed
is set, but no upstream servers are configured. Dnsmasq
returned REFUSED in this case, when it should be the same
as when upstream servers are configured: NOERROR. Thanks to
Allain Legacy for spotting the problem.

Return REFUSED when running out of forwarding table slots,
not SERVFAIL.

Add --max-port configuration. Thanks to Hans Dedecker for
the patch.

Add --script-arp and two new functions for the dhcp-script.
These are "arp" and "arp-old", which announce the arrival and
removal of entries in the ARP or neighbour tables.
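
One way a dhcp-script could consume the new "arp" and "arp-old" calls, as an added example rather than anything shipped with dnsmasq: it keeps a small state file of DHCP leases and neighbour entries and raises an alert when a neighbour entry's MAC disagrees with the DHCP lease for that IP, or changes underneath it, which is the ARP-spoofing signal this hook makes observable. The calling convention (<action> <mac> <ip> [hostname]), the state-file path and the ARP_STATE environment variable are assumptions, not taken from this changelog; check the dnsmasq manual page for the real argument order before deploying anything like it.

```python
#!/usr/bin/env python3
"""Hypothetical dhcp-script that watches neighbour-table churn.

Assumed calling convention (not taken from the changelog): dnsmasq runs
the script as  <script> <action> <mac> <ip> [hostname], where action is
add/old/del for leases and, with --script-arp, arp/arp-old for
neighbour-table entries.
"""
import json
import os
import sys

# Assumed location for the persisted state; overridable for testing.
STATE_FILE = os.environ.get("ARP_STATE", "/run/dnsmasq-arp-state.json")


def load_state(path=STATE_FILE):
    """Load the lease/neighbour tables, starting empty if absent or corrupt."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {"leases": {}, "arp": {}}


def save_state(state, path=STATE_FILE):
    """Write the state atomically so a crash mid-write cannot corrupt it."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def handle_event(state, action, mac, ip, hostname=None):
    """Apply one dhcp-script event to state and return a list of alerts.

    Alerts are raised when a neighbour entry's MAC changes for an IP that
    was already in the table, and when a neighbour entry's MAC differs
    from the MAC holding the DHCP lease for that IP."""
    alerts = []
    mac = mac.lower()
    if action in ("add", "old"):
        state["leases"][ip] = mac
    elif action == "del":
        state["leases"].pop(ip, None)
    elif action == "arp":
        prev = state["arp"].get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"neighbour {ip} changed MAC {prev} -> {mac}")
        leased = state["leases"].get(ip)
        if leased is not None and leased != mac:
            alerts.append(f"neighbour {ip} is {mac} but lease belongs to {leased}")
        state["arp"][ip] = mac
    elif action == "arp-old":
        state["arp"].pop(ip, None)
    return alerts


def main(argv):
    if len(argv) < 4:
        return 2
    state = load_state()
    hostname = argv[4] if len(argv) > 4 else None
    alerts = handle_event(state, argv[1], argv[2], argv[3], hostname)
    save_state(state)
    for alert in alerts:
        print("ALERT:", alert, file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The two alert conditions are deliberately separate: a MAC change with no lease on file is how a roaming or re-imaged host looks, while a neighbour that contradicts a live lease is the stronger signal. Both are worth logging rather than acting on automatically, since the script runs with dnsmasq's privileges and a flapping neighbour table would otherwise become a lever for whoever can send ARP on the segment.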

Extend --add-mac to allow a new encoding of the MAC address
as base64, by configuring --add-mac=base64.

Add --add-cpe-id option.

Don't crash with divide-by-zero if an IPv6 dhcp-range
is declared as a whole /64
(ie xx::0 to xx::ffff:ffff:ffff:ffff).
Thanks to Laurent Bendel for spotting this problem.

Add support for a TTL parameter in --host-record and
--cname.

Add --dhcp-ttl option.

Add --tftp-mtu option. Thanks to Patrick McLean for the
initial patch.

Check return-code of inet_pton() when parsing dhcp-option.
Bad addresses could fail to generate errors and result in
garbage dhcp-options being sent. Thanks to Marc Branchaud
for spotting this.

Fix wrong value for EDNS UDP packet size when using
--servers-file to define upstream DNS servers. Thanks to
Scott Bonar for the bug report.

Move the dhcp_release and dhcp_lease_time tools from
contrib/wrt to contrib/lease-tools.

Add dhcp_release6 to contrib/lease-tools. Many thanks
to Sergey Nechaev for this code.

To avoid filling logs in configurations which define
many upstream nameservers, don't log more than 30 servers.
The number to be logged can be changed as SERVERS_LOGGED
in src/config.h.

Swap the values of BC_EFI and x86-64_EFI in --pxe-service.
These were previously wrong due to an error in RFC 4578.
If you're using BC_EFI to boot 64-bit EFI machines, you
will need to update your config.

Add ARM32_EFI and ARM64_EFI as valid architectures in
--pxe-service.

Fix PXE booting for UEFI architectures. Modify PXE boot
sequence in this case to force the client to talk to dnsmasq
over port 4011. This makes PXE, and especially proxy-DHCP PXE,
work with these architectures.

Work around problems with UEFI PXE clients. There exist
in the wild PXE clients which have problems with PXE
boot menus. To work around this, when there's a single
--pxe-service which applies to a client, that target
will be booted directly, rather than sending a
single-item boot menu.

Many thanks to Jarek Polok, Michael Kuron and Dreamcat4
for their work on the long-standing UEFI PXE problem.

Subtle change in the semantics of "basename" in
--pxe-service. The historical behaviour has always been
that the actual filename downloaded from the TFTP server
is <basename>.<layer>, where <layer> is an integer which
corresponds to the layer parameter supplied by the client.
It's not clear what the function of the "layer"
actually is in the PXE protocol, and in practice layer
is always zero, so the filename is <basename>.0.
The new behaviour is the same as the old, except when
<basename> includes a file suffix, in which case
the layer suffix is no longer added. This allows
sensible suffixes to be used, rather than the
meaningless ".0". Only in the unlikely event that you
have a config with a basename which already has a
suffix is this an incompatible change, since the file
downloaded will change from name.suffix.0 to just
name.suffix.


version 2.75

Fix regression in 2.74 which caused 100% CPU use when a
dhcp-script is configured. Thanks to Adrian Davey for
reporting the bug and testing the fix.


version 2.74

Fix regression in 2.73 where --conf-file would attempt to
read the default file, rather than no file.

Fix inotify code to handle dangling symlinks better and
not SEGV in some circumstances.

DNSSEC fix. In the case of a signed CNAME generated by a
wildcard which pointed to an unsigned domain, the wrong
status would be logged, and some necessary checks omitted.


version 2.73

Fix crash at startup when an empty suffix is supplied to
--conf-dir, also trivial memory leak. Thanks to
Tomas Hozza for spotting this.

Remove floor of 4096 on advertised EDNS0 packet size when
DNSSEC in use; the original rationale for this has long gone.
Thanks to Anders Kaseorg for spotting this.

Use inotify for checking on updates to /etc/resolv.conf and
friends under Linux. This fixes race conditions when the files are
updated rapidly and saves CPU by not polling. To build
a binary that runs on old Linux kernels without inotify,
use make COPTS=-DNO_INOTIFY

Fix breakage of --domain=<domain>,<subnet>,local - only reverse
queries were intercepted. This appears to have been broken
since 2.69. Thanks to Josh Stone for finding the bug.

Eliminate IPv6 privacy addresses and deprecated addresses from
the answers given by --interface-name. Note that reverse queries
(ie looking for names, given addresses) are not affected.
Thanks to Michael Gorbach for the suggestion.

Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
for the bug report.

Add --ignore-address option. Ignore replies to A-record
queries which include the specified address. No error is
generated; dnsmasq simply continues to listen for another
reply. This is useful to defeat blocking strategies which
rely on quickly supplying a forged answer to a DNS
request for certain domains, before the correct answer can
arrive. Thanks to Glen Huang for the patch.

Revisit the part of DNSSEC validation which determines if an
unsigned answer is legitimate, or is in some part of the DNS
tree which should be signed. Dnsmasq now works from the
DNS root downward looking for the limit of signed
delegations, rather than working bottom up. This is
both more correct, and less likely to trip over broken
nameservers in the unsigned parts of the DNS tree
which don't respond well to DNSSEC queries.

Add --log-queries=extra option, which makes logs easier
to search automatically.

Add --min-cache-ttl option. I've resisted this for a long
time, on the grounds that disbelieving TTLs is never a
good idea, but I've been persuaded that there are
sometimes reasons to do it. (Step forward, GFW.)
To avoid misuse, there's a hard limit on the TTL
floor of one hour. Thanks to RinSatsuki for the patch.

Cope with multiple interfaces with the same link-local
address. (IPv6 addresses are scoped, so this is allowed.)
Thanks to Cory Benfield for help with this.

Add --dhcp-hostsdir. This allows addition of new host
configurations to a running dnsmasq instance much more
cheaply than having dnsmasq re-read all its existing
configuration each time.

Don't reply to DHCPv6 SOLICIT messages if we're not
configured to do stateful DHCPv6. Thanks to Win King Wan
for the patch.

Fix broken DNSSEC validation of ECDSA signatures.

Add --dnssec-timestamp option, which provides an automatic
way to detect when the system time becomes valid after
boot on systems without an RTC, whilst allowing DNS
queries before the clock is valid so that NTP can run.
Thanks to Kevin Darbyshire-Bryant for developing this idea.

Add --tftp-no-fail option. Thanks to Stefan Tomanek for
the patch.

Fix crash caused by looking up servers.bind, CHAOS text
record, when more than about five --servers= lines are
in the dnsmasq config. This causes memory corruption
which causes a crash later. Thanks to Matt Coddington for
sterling work chasing this down.

Fix crash on receipt of certain malformed DNS requests.
Thanks to Nick Sampanis for spotting the problem.
Note that this could allow the dnsmasq process's
memory to be read by an attacker under certain
circumstances, so it has a CVE, CVE-2015-3294.

Fix crash in authoritative DNS code, if a .arpa zone
is declared as authoritative, and then a PTR query which
is not to be treated as authoritative arrives. Normally,
directly declaring a .arpa zone as authoritative is not
done, so this crash wouldn't be seen. Instead the
relevant .arpa zone should be specified as a subnet
in the auth-zone declaration. Thanks to Johnny S. Lee
for the bug report and initial patch.

Fix authoritative DNS code to correctly reply to NS
and SOA queries for .arpa zones for which we are
declared authoritative by means of a subnet in auth-zone.
Previously we provided correct answers to PTR queries
in such zones (including NS and SOA) but not direct
NS and SOA queries. Thanks to Johnny S. Lee for
pointing out the problem.

Fix logging of DHCPREPLY which should be suppressed
by quiet-dhcp6. Thanks to J. Pablo Abonia for
spotting the problem.

Try and handle net connections with broken fragmentation
that lose large UDP packets. If a server times out,
reduce the maximum UDP packet size field in the EDNS0
header to 1280 bytes. If it then answers, make that
change permanent.

Check IPv4-mapped IPv6 addresses when --stop-rebind
is active. Thanks to Jordan Milne for spotting this.
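
The reply-side checks described in the 2.76 entry for 0.0.0.0/8, in the --ignore-address entry above, and in this IPv4-mapped fix, worked through as an added example that is not dnsmasq's code: a minimal parser for the answer section of a DNS response, a rebind check that unwraps ::ffff:a.b.c.d before deciding, and the two decisions a forwarder makes on the result (drop and keep waiting, or refuse). The address list, the function names and the constructed reply are assumptions for illustration; dnsmasq's own range list may differ in detail.

```python
import ipaddress
import struct

# Assumed "local" ranges for the rebind check, drawn from RFC 5735 section 3
# as the 2.76 entry cites it; 0.0.0.0/8 is the range that release added.
REBIND_NETS_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]
REBIND_NETS_V6 = [ipaddress.ip_network(n) for n in ("::1/128", "fe80::/10")]

A, AAAA = 1, 28


def is_rebind_target(addr):
    """True if addr names the local host or network, so an upstream reply
    carrying it must be refused when --stop-rebind is active."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        if ip.ipv4_mapped is not None:
            # ::ffff:a.b.c.d reaches the IPv4 host a.b.c.d, so it must be
            # judged as that IPv4 address; skipping this was the 2.73 bug.
            ip = ip.ipv4_mapped
        else:
            return any(ip in n for n in REBIND_NETS_V6)
    return any(ip in n for n in REBIND_NETS_V4)


def _skip_name(msg, off):
    """Return the offset just past the domain name at msg[off:], stopping
    at a compression pointer (RFC 1035 section 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_answers(msg):
    """Return [(rtype, address)] for the A/AAAA records in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    out = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == A and rdlen == 4:
            out.append((A, str(ipaddress.IPv4Address(rdata))))
        elif rtype == AAAA and rdlen == 16:
            out.append((AAAA, str(ipaddress.IPv6Address(rdata))))
    return out


def classify_reply(msg, qtype, stop_rebind=True, ignore_addresses=()):
    """Decide what a forwarder does with an upstream reply:
    'ignored' - an A answer carries an --ignore-address address: drop it
                silently and keep listening for another reply,
    'rebind'  - an answer points at a local address: refuse it,
    'ok'      - hand it to the client."""
    answers = parse_answers(msg)
    if qtype == A and any(t == A and a in ignore_addresses for t, a in answers):
        return "ignored"
    if stop_rebind and any(is_rebind_target(a) for _, a in answers):
        return "rebind"
    return "ok"


def build_reply(qname, qtype, addresses):
    """Constructed test input: a minimal response with one A/AAAA record per
    address, each owner name compressed to the question name at offset 12."""
    def encode(name):
        return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, 0)
    question = encode(qname) + struct.pack("!HH", qtype, 1)
    answers = b""
    for addr in addresses:
        packed = ipaddress.ip_address(addr).packed
        rtype = A if len(packed) == 4 else AAAA
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(packed)) + packed
    return header + question + answers
```

The ordering matters: the --ignore-address test runs first because its outcome is "wait for another reply", whereas a rebind hit is a final refusal. Note also why 0.0.0.0/8 belongs in the list even though nothing routes to it: a browser connecting to 0.0.0.0 reaches the local host on many platforms, so an attacker-controlled name resolving to it is a rebinding primitive like 127.0.0.1.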

Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
Thanks to Kevin Benton for patches and work on this.

Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
in the correct subnet, even if not in the dynamic address
allocation range. Thanks to Steve Hirsch for spotting
the problem.

Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
to Nicolas Cavallari for the patch.

Allow configuration of router advertisements without the
"on-link" bit set. Thanks to Neil Jerram for the patch.

Extend --bridge-interface to DHCPv6 and router
advertisements. Thanks to Neil Jerram for the patch.


version 2.72

Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.

Add support for "ipsets" in *BSD, using pf. Thanks to
Sven Falempim for the patch.

Fix race condition which could lock up dnsmasq when an
interface goes down and up rapidly. Thanks to Conrad
Kostecki for helping to chase this down.

Add DBus methods SetFilterWin2KOption and SetBogusPrivOption.
Thanks to the Smoothwall project for the patch.

Fix failure to build against Nettle-3.0. Thanks to Steven
Barth for spotting this and finding the fix.

When assigning existing DHCP leases to interfaces by comparing
networks, handle the case that two or more interfaces have the
same network part, but different prefix lengths (favour the
longer prefix length). Thanks to Lung-Pin Chang for the
patch.

Add a mode which detects and removes DNS forwarding loops, ie
a query sent to an upstream server returns as a new query to
dnsmasq, and would therefore be forwarded again, resulting in
a query which loops many times before being dropped. Upstream
servers which loop back are disabled and this event is logged.
Thanks to Smoothwall for their sponsorship of this feature.
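
One way to implement the loop detection described above, as an added example that is not dnsmasq's code: each upstream is sent a query for a random, unique name, and if that exact name later arrives at the forwarder's own listening socket, the upstream it was sent to is known to loop back and is disabled and logged. The Forwarder class, the loop-probe.invalid marker suffix and the simulated upstreams are assumptions for illustration.

```python
import secrets

# Assumed marker suffix for probe names. .invalid is reserved (RFC 2606), so a
# probe can never collide with a real name or be answered by a real server.
PROBE_SUFFIX = "loop-probe.invalid"


class Forwarder:
    """Toy forwarder that disables upstreams which loop queries back to it."""

    def __init__(self, servers):
        self.servers = {s: True for s in servers}   # server -> enabled?
        self.pending = {}                            # probe name -> server
        self.log = []

    def start_probes(self):
        """Send each upstream a query for a random name only it has seen.
        Returns the (server, qname) pairs a real forwarder would put on the
        wire; the randomness is what ties a returning query to one server."""
        out = []
        for server in self.servers:
            qname = f"{secrets.token_hex(8)}.{PROBE_SUFFIX}"
            self.pending[qname] = server
            out.append((server, qname))
        return out

    def on_query(self, qname):
        """Handle a query arriving on the listening socket. If it is one of
        our probe names, the upstream it was sent to forwards back to us:
        disable that upstream, log it, and drop the query instead of
        forwarding it again."""
        key = qname.lower().rstrip(".")
        server = self.pending.pop(key, None)
        if server is not None:
            self.servers[server] = False
            self.log.append(f"loop detected: disabling upstream {server}")
            return "drop"
        return "forward"

    def upstreams(self):
        """Servers still eligible to receive forwarded queries."""
        return [s for s, enabled in self.servers.items() if enabled]


def simulate(servers, looping):
    """Constructed scenario: every server in `looping` sends whatever query it
    receives straight back to the forwarder, as a resolver would whose own
    upstream is this dnsmasq instance. Returns the forwarder afterwards."""
    fw = Forwarder(servers)
    for server, qname in fw.start_probes():
        if server in looping:
            fw.on_query(qname)
    return fw
```

A real deployment would repeat the probe when a server is re-enabled or the server list changes, and would keep using a fresh random label each time; reusing a fixed probe name would let any upstream that happens to see it, looping or not, get itself disabled.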

Extend --conf-dir to allow filtering of files. So
--conf-dir=/etc/dnsmasq.d,\*.conf
will load all the files in /etc/dnsmasq.d which end in .conf

Fix bug which resulted in NXDOMAIN answers instead of NODATA in
some circumstances.

Fix bug which caused dnsmasq to become unresponsive if it
failed to send packets due to a network interface disappearing.
Thanks to Niels Peen for spotting this.

Fix problem with --local-service option on big-endian platforms.
Thanks to Richard Genoud for the patch.


version 2.71

Subtle change to error handling to help DNSSEC validation
when servers fail to provide NODATA answers for