|
version 1.1.1.2, 2014/06/15 16:31:38
|
version 1.1.1.3, 2016/11/02 09:57:01
|
|
Line 1
|
Line 1
|
| |
version 2.76 |
| |
Include 0.0.0.0/8 in DNS rebind checks. This range |
| |
translates to hosts on the local network, or, at |
| |
least, 0.0.0.0 accesses the local host, so could |
| |
be targets for DNS rebinding. See RFC 5735 section 3 |
| |
for details. Thanks to Stephen Röttger for the bug report. |
| |
|
| |
Enhance --add-subnet to allow arbitrary subnet addresses. |
| |
Thanks to Ed Barsley for the patch. |
| |
|
| |
Respect the --no-resolv flag in inotify code. Fixes bug |
| |
which caused dnsmasq to fail to start if a resolv-file |
| |
was a dangling symbolic link, even of --no-resolv set. |
| |
Thanks to Alexander Kurtz for spotting the problem. |
| |
|
| |
Fix crash when an A or AAAA record is defined locally, |
| |
in a hosts file, and an upstream server sends a reply |
| |
that the same name is empty. Thanks to Edwin Török for |
| |
the patch. |
| |
|
| |
Fix failure to correctly calculate cache-size when |
| |
reading a hosts-file fails. Thanks to André Glüpker |
| |
for the patch. |
| |
|
| |
Fix wrong answer to simple name query when --domain-needed |
| |
set, but no upstream servers configured. Dnsmasq returned |
| |
REFUSED, in this case, when it should be the same as when |
| |
upstream servers are configured - NOERROR. Thanks to |
| |
Allain Legacy for spotting the problem. |
| |
|
| |
Return REFUSED when running out of forwarding table slots, |
| |
not SERVFAIL. |
| |
|
| |
Add --max-port configuration. Thanks to Hans Dedecker for |
| |
the patch. |
| |
|
| |
Add --script-arp and two new functions for the dhcp-script. |
| |
These are "arp" and "arp-old" which announce the arrival and |
| |
removal of entries in the ARP or nieghbour tables. |
| |
|
| |
Extend --add-mac to allow a new encoding of the MAC address |
| |
as base64, by configurting --add-mac=base64 |
| |
|
| |
Add --add-cpe-id option. |
| |
|
| |
Don't crash with divide-by-zero if an IPv6 dhcp-range |
| |
is declared as a whole /64. |
| |
(ie xx::0 to xx::ffff:ffff:ffff:ffff) |
| |
Thanks to Laurent Bendel for spotting this problem. |
| |
|
| |
Add support for a TTL parameter in --host-record and |
| |
--cname. |
| |
|
| |
Add --dhcp-ttl option. |
| |
|
| |
Add --tftp-mtu option. Thanks to Patrick McLean for the |
| |
initial patch. |
| |
|
| |
Check return-code of inet_pton() when parsing dhcp-option. |
| |
Bad addresses could fail to generate errors and result in |
| |
garbage dhcp-options being sent. Thanks to Marc Branchaud |
| |
for spotting this. |
| |
|
| |
Fix wrong value for EDNS UDP packet size when using |
| |
--servers-file to define upstream DNS servers. Thanks to |
| |
Scott Bonar for the bug report. |
| |
|
| |
Move the dhcp_release and dhcp_lease_time tools from |
| |
contrib/wrt to contrib/lease-tools. |
| |
|
| |
Add dhcp_release6 to contrib/lease-tools. Many thanks |
| |
to Sergey Nechaev for this code. |
| |
|
| |
To avoid filling logs in configurations which define |
| |
many upstream nameservers, don't log more that 30 servers. |
| |
The number to be logged can be changed as SERVERS_LOGGED |
| |
in src/config.h. |
| |
|
| |
Swap the values if BC_EFI and x86-64_EFI in --pxe-service. |
| |
These were previously wrong due to an error in RFC 4578. |
| |
If you're using BC_EFI to boot 64-bit EFI machines, you |
| |
will need to update your config. |
| |
|
| |
Add ARM32_EFI and ARM64_EFI as valid architectures in |
| |
--pxe-service. |
| |
|
| |
Fix PXE booting for UEFI architectures. Modify PXE boot |
| |
sequence in this case to force the client to talk to dnsmasq |
| |
over port 4011. This makes PXE and especially proxy-DHCP PXE |
| |
work with these archictectures. |
| |
|
| |
Workaround problems with UEFI PXE clients. There exist |
| |
in the wild PXE clients which have problems with PXE |
| |
boot menus. To work around this, when there's a single |
| |
--pxe-service which applies to client, then that target |
| |
will be booted directly, rather then sending a |
| |
single-item boot menu. |
| |
|
| |
Many thanks to Jarek Polok, Michael Kuron and Dreamcat4 |
| |
for their work on the long-standing UEFI PXE problem. |
| |
|
| |
Subtle change in the semantics of "basename" in |
| |
--pxe-service. The historical behaviour has always been |
| |
that the actual filename downloaded from the TFTP server |
| |
is <basename>.<layer> where <layer> is an integer which |
| |
corresponds to the layer parameter supplied by the client. |
| |
It's not clear what the function of the "layer" |
| |
actually is in the PXE protocol, and in practise layer |
| |
is always zero, so the filename is <basename>.0 |
| |
The new behaviour is the same as the old, except when |
| |
<basename> includes a file suffix, in which case |
| |
the layer suffix is no longer added. This allows |
| |
sensible suffices to be used, rather then the |
| |
meaningless ".0". Only in the unlikely event that you |
| |
have a config with a basename which already has a |
| |
suffix, is this an incompatible change, since the file |
| |
downloaded will change from name.suffix.0 to just |
| |
name.suffix |
| |
|
| |
|
| |
version 2.75 |
| |
Fix reversion on 2.74 which caused 100% CPU use when a |
| |
dhcp-script is configured. Thanks to Adrian Davey for |
| |
reporting the bug and testing the fix. |
| |
|
| |
|
| |
version 2.74 |
| |
Fix reversion in 2.73 where --conf-file would attempt to |
| |
read the default file, rather than no file. |
| |
|
| |
Fix inotify code to handle dangling symlinks better and |
| |
not SEGV in some circumstances. |
| |
|
| |
DNSSEC fix. In the case of a signed CNAME generated by a |
| |
wildcard which pointed to an unsigned domain, the wrong |
| |
status would be logged, and some necessary checks omitted. |
| |
|
| |
|
| |
version 2.73 |
| |
Fix crash at startup when an empty suffix is supplied to |
| |
--conf-dir, also trivial memory leak. Thanks to |
| |
Tomas Hozza for spotting this. |
| |
|
| |
Remove floor of 4096 on advertised EDNS0 packet size when |
| |
DNSSEC in use, the original rationale for this has long gone. |
| |
Thanks to Anders Kaseorg for spotting this. |
| |
|
| |
Use inotify for checking on updates to /etc/resolv.conf and |
| |
friends under Linux. This fixes race conditions when the files are |
| |
updated rapidly and saves CPU by noy polling. To build |
| |
a binary that runs on old Linux kernels without inotify, |
| |
use make COPTS=-DNO_INOTIFY |
| |
|
| |
Fix breakage of --domain=<domain>,<subnet>,local - only reverse |
| |
queries were intercepted. THis appears to have been broken |
| |
since 2.69. Thanks to Josh Stone for finding the bug. |
| |
|
| |
Eliminate IPv6 privacy addresses and deprecated addresses from |
| |
the answers given by --interface-name. Note that reverse queries |
| |
(ie looking for names, given addresses) are not affected. |
| |
Thanks to Michael Gorbach for the suggestion. |
| |
|
| |
Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids |
| |
for the bug report. |
| |
|
| |
Add --ignore-address option. Ignore replies to A-record |
| |
queries which include the specified address. No error is |
| |
generated, dnsmasq simply continues to listen for another |
| |
reply. This is useful to defeat blocking strategies which |
| |
rely on quickly supplying a forged answer to a DNS |
| |
request for certain domains, before the correct answer can |
| |
arrive. Thanks to Glen Huang for the patch. |
| |
|
| |
Revisit the part of DNSSEC validation which determines if an |
| |
unsigned answer is legit, or is in some part of the DNS |
| |
tree which should be signed. Dnsmasq now works from the |
| |
DNS root downward looking for the limit of signed |
| |
delegations, rather than working bottom up. This is |
| |
both more correct, and less likely to trip over broken |
| |
nameservers in the unsigned parts of the DNS tree |
| |
which don't respond well to DNSSEC queries. |
| |
|
| |
Add --log-queries=extra option, which makes logs easier |
| |
to search automatically. |
| |
|
| |
Add --min-cache-ttl option. I've resisted this for a long |
| |
time, on the grounds that disbelieving TTLs is never a |
| |
good idea, but I've been persuaded that there are |
| |
sometimes reasons to do it. (Step forward, GFW). |
| |
To avoid misuse, there's a hard limit on the TTL |
| |
floor of one hour. Thansk to RinSatsuki for the patch. |
| |
|
| |
Cope with multiple interfaces with the same link-local |
| |
address. (IPv6 addresses are scoped, so this is allowed.) |
| |
Thanks to Cory Benfield for help with this. |
| |
|
| |
Add --dhcp-hostsdir. This allows addition of new host |
| |
configurations to a running dnsmasq instance much more |
| |
cheaply than having dnsmasq re-read all its existing |
| |
configuration each time. |
| |
|
| |
Don't reply to DHCPv6 SOLICIT messages if we're not |
| |
configured to do stateful DHCPv6. Thanks to Win King Wan |
| |
for the patch. |
| |
|
| |
Fix broken DNSSEC validation of ECDSA signatures. |
| |
|
| |
Add --dnssec-timestamp option, which provides an automatic |
| |
way to detect when the system time becomes valid after |
| |
boot on systems without an RTC, whilst allowing DNS |
| |
queries before the clock is valid so that NTP can run. |
| |
Thanks to Kevin Darbyshire-Bryant for developing this idea. |
| |
|
| |
Add --tftp-no-fail option. Thanks to Stefan Tomanek for |
| |
the patch. |
| |
|
| |
Fix crash caused by looking up servers.bind, CHAOS text |
| |
record, when more than about five --servers= lines are |
| |
in the dnsmasq config. This causes memory corruption |
| |
which causes a crash later. Thanks to Matt Coddington for |
| |
sterling work chasing this down. |
| |
|
| |
Fix crash on receipt of certain malformed DNS requests. |
| |
Thanks to Nick Sampanis for spotting the problem. |
| |
Note that this is could allow the dnsmasq process's |
| |
memory to be read by an attacker under certain |
| |
circumstances, so it has a CVE, CVE-2015-3294 |
| |
|
| |
Fix crash in authoritative DNS code, if a .arpa zone |
| |
is declared as authoritative, and then a PTR query which |
| |
is not to be treated as authoritative arrived. Normally, |
| |
directly declaring .arpa zone as authoritative is not |
| |
done, so this crash wouldn't be seen. Instead the |
| |
relevant .arpa zone should be specified as a subnet |
| |
in the auth-zone declaration. Thanks to Johnny S. Lee |
| |
for the bugreport and initial patch. |
| |
|
| |
Fix authoritative DNS code to correctly reply to NS |
| |
and SOA queries for .arpa zones for which we are |
| |
declared authoritative by means of a subnet in auth-zone. |
| |
Previously we provided correct answers to PTR queries |
| |
in such zones (including NS and SOA) but not direct |
| |
NS and SOA queries. Thanks to Johnny S. Lee for |
| |
pointing out the problem. |
| |
|
| |
Fix logging of DHCPREPLY which should be suppressed |
| |
by quiet-dhcp6. Thanks to J. Pablo Abonia for |
| |
spotting the problem. |
| |
|
| |
Try and handle net connections with broken fragmentation |
| |
that lose large UDP packets. If a server times out, |
| |
reduce the maximum UDP packet size field in the EDNS0 |
| |
header to 1280 bytes. If it then answers, make that |
| |
change permanent. |
| |
|
| |
Check IPv4-mapped IPv6 addresses when --stop-rebind |
| |
is active. Thanks to Jordan Milne for spotting this. |
| |
|
| |
Allow DHCPv4 options T1 and T2 to be set using --dhcp-option. |
| |
Thanks to Kevin Benton for patches and work on this. |
| |
|
| |
Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses |
| |
in the correct subnet, even of not in dynamic address |
| |
allocation range. Thanks to Steve Hirsch for spotting |
| |
the problem. |
| |
|
| |
Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks |
| |
to Nicolas Cavallari for the patch. |
| |
|
| |
Allow configuration of router advertisements without the |
| |
"on-link" bit set. Thanks to Neil Jerram for the patch. |
| |
|
| |
Extend --bridge-interface to DHCPv6 and router |
| |
advertisements. Thanks to Neil Jerram for the patch. |
| |
|
| |
|
| |
version 2.72 |
| |
Add ra-advrouter mode, for RFC-3775 mobile IPv6 support. |
| |
|
| |
Add support for "ipsets" in *BSD, using pf. Thanks to |
| |
Sven Falempim for the patch. |
| |
|
| |
Fix race condition which could lock up dnsmasq when an |
| |
interface goes down and up rapidly. Thanks to Conrad |
| |
Kostecki for helping to chase this down. |
| |
|
| |
Add DBus methods SetFilterWin2KOption and SetBogusPrivOption |
| |
Thanks to the Smoothwall project for the patch. |
| |
|
| |
Fix failure to build against Nettle-3.0. Thanks to Steven |
| |
Barth for spotting this and finding the fix. |
| |
|
| |
When assigning existing DHCP leases to intefaces by comparing |
| |
networks, handle the case that two or more interfaces have the |
| |
same network part, but different prefix lengths (favour the |
| |
longer prefix length.) Thanks to Lung-Pin Chang for the |
| |
patch. |
| |
|
| |
Add a mode which detects and removes DNS forwarding loops, ie |
| |
a query sent to an upstream server returns as a new query to |
| |
dnsmasq, and would therefore be forwarded again, resulting in |
| |
a query which loops many times before being dropped. Upstream |
| |
servers which loop back are disabled and this event is logged. |
| |
Thanks to Smoothwall for their sponsorship of this feature. |
| |
|
| |
Extend --conf-dir to allow filtering of files. So |
| |
--conf-dir=/etc/dnsmasq.d,\*.conf |
| |
will load all the files in /etc/dnsmasq.d which end in .conf |
| |
|
| |
Fix bug when resulted in NXDOMAIN answers instead of NODATA in |
| |
some circumstances. |
| |
|
| |
Fix bug which caused dnsmasq to become unresponsive if it |
| |
failed to send packets due to a network interface disappearing. |
| |
Thanks to Niels Peen for spotting this. |
| |
|
| |
Fix problem with --local-service option on big-endian platforms |
| |
Thanks to Richard Genoud for the patch. |
| |
|
| |
|
| version 2.71 |
version 2.71 |
| Subtle change to error handling to help DNSSEC validation |
Subtle change to error handling to help DNSSEC validation |
| when servers fail to provide NODATA answers for |
when servers fail to provide NODATA answers for |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to CHANGELOG CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / dnsmasq