version 1.1.1.1, 2013/07/29 19:37:40
version 1.1.1.3, 2016/11/02 09:57:01

version 2.76

Include 0.0.0.0/8 in DNS rebind checks. This range
translates to hosts on the local network, or, at
least, 0.0.0.0 accesses the local host, so could
be targets for DNS rebinding. See RFC 5735 section 3
for details. Thanks to Stephen Röttger for the bug report.

Enhance --add-subnet to allow arbitrary subnet addresses.
Thanks to Ed Barsley for the patch.

Respect the --no-resolv flag in inotify code. Fixes bug
which caused dnsmasq to fail to start if a resolv-file
was a dangling symbolic link, even if --no-resolv was set.
Thanks to Alexander Kurtz for spotting the problem.

Fix crash when an A or AAAA record is defined locally,
in a hosts file, and an upstream server sends a reply
that the same name is empty. Thanks to Edwin Török for
the patch.

Fix failure to correctly calculate cache-size when
reading a hosts-file fails. Thanks to André Glüpker
for the patch.

Fix wrong answer to simple name query when --domain-needed
set, but no upstream servers configured. Dnsmasq returned
REFUSED, in this case, when it should be the same as when
upstream servers are configured - NOERROR. Thanks to
Allain Legacy for spotting the problem.

Return REFUSED when running out of forwarding table slots,
not SERVFAIL.

Add --max-port configuration. Thanks to Hans Dedecker for
the patch.

Add --script-arp and two new functions for the dhcp-script.
These are "arp" and "arp-old" which announce the arrival and
removal of entries in the ARP or neighbour tables.

Extend --add-mac to allow a new encoding of the MAC address
as base64, by configuring --add-mac=base64

Add --add-cpe-id option.

Don't crash with divide-by-zero if an IPv6 dhcp-range
is declared as a whole /64.
(ie xx::0 to xx::ffff:ffff:ffff:ffff)
Thanks to Laurent Bendel for spotting this problem.

Add support for a TTL parameter in --host-record and
--cname.

Add --dhcp-ttl option.

Add --tftp-mtu option. Thanks to Patrick McLean for the
initial patch.

Check return-code of inet_pton() when parsing dhcp-option.
Bad addresses could fail to generate errors and result in
garbage dhcp-options being sent. Thanks to Marc Branchaud
for spotting this.

Fix wrong value for EDNS UDP packet size when using
--servers-file to define upstream DNS servers. Thanks to
Scott Bonar for the bug report.

Move the dhcp_release and dhcp_lease_time tools from
contrib/wrt to contrib/lease-tools.

Add dhcp_release6 to contrib/lease-tools. Many thanks
to Sergey Nechaev for this code.

To avoid filling logs in configurations which define
many upstream nameservers, don't log more than 30 servers.
The number to be logged can be changed as SERVERS_LOGGED
in src/config.h.

Swap the values of BC_EFI and x86-64_EFI in --pxe-service.
These were previously wrong due to an error in RFC 4578.
If you're using BC_EFI to boot 64-bit EFI machines, you
will need to update your config.

Add ARM32_EFI and ARM64_EFI as valid architectures in
--pxe-service.

Fix PXE booting for UEFI architectures. Modify PXE boot
sequence in this case to force the client to talk to dnsmasq
over port 4011. This makes PXE and especially proxy-DHCP PXE
work with these architectures.

Workaround problems with UEFI PXE clients. There exist
in the wild PXE clients which have problems with PXE
boot menus. To work around this, when there's a single
--pxe-service which applies to client, then that target
will be booted directly, rather than sending a
single-item boot menu.

Many thanks to Jarek Polok, Michael Kuron and Dreamcat4
for their work on the long-standing UEFI PXE problem.

Subtle change in the semantics of "basename" in
--pxe-service. The historical behaviour has always been
that the actual filename downloaded from the TFTP server
is <basename>.<layer> where <layer> is an integer which
corresponds to the layer parameter supplied by the client.
It's not clear what the function of the "layer"
actually is in the PXE protocol, and in practice layer
is always zero, so the filename is <basename>.0
The new behaviour is the same as the old, except when
<basename> includes a file suffix, in which case
the layer suffix is no longer added. This allows
sensible suffixes to be used, rather than the
meaningless ".0". Only in the unlikely event that you
have a config with a basename which already has a
suffix, is this an incompatible change, since the file
downloaded will change from name.suffix.0 to just
name.suffix

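The inet_pton() return-code check from the 2.76 dhcp-option entry above, as an added example (not dnsmasq source). The function names, the comma-separated input format and the 0xAA fill that stands in for stale memory are assumptions of this example; it shows how an ignored return code lets a bad literal through as option bytes while the parse still reports success.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>

/* Added example, not dnsmasq code; all names here are hypothetical.
   Parse a comma-separated list of IPv4 literals into option payload
   bytes. Returns the number of bytes written, or -1 on error.
   check == 0 models the bug class: inet_pton()'s result is ignored. */
static int parse_addrs(const char *list, unsigned char *out,
                       size_t outlen, int check)
{
    size_t used = 0;

    while (*list) {
        char item[INET_ADDRSTRLEN];
        size_t n = strcspn(list, ",");
        struct in_addr a;
        int rc;

        if (n >= sizeof item || used + sizeof a > outlen)
            return -1;              /* token too long, or no room left */
        memcpy(item, list, n);
        item[n] = '\0';

        /* Constructed stand-in for whatever was on the stack before. */
        memset(&a, 0xAA, sizeof a);

        /* inet_pton() returns 1 on success, 0 for a malformed literal. */
        rc = inet_pton(AF_INET, item, &a);
        if (check && rc != 1)
            return -1;              /* hardened: refuse the whole option */

        /* Unchecked path: when rc == 0 these four bytes are not an
           address the administrator configured, yet they are emitted. */
        memcpy(out + used, &a, sizeof a);
        used += sizeof a;

        list += n;
        if (*list == ',')
            list++;
    }
    return (int)used;
}

/* Before the fix: bad addresses fail to generate an error. */
int parse_addrs_unchecked(const char *list, unsigned char *out, size_t outlen)
{
    return parse_addrs(list, out, outlen, 0);
}

/* After the fix: any literal inet_pton() rejects is a parse error. */
int parse_addrs_checked(const char *list, unsigned char *out, size_t outlen)
{
    return parse_addrs(list, out, outlen, 1);
}
```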
version 2.75

Fix reversion on 2.74 which caused 100% CPU use when a
dhcp-script is configured. Thanks to Adrian Davey for
reporting the bug and testing the fix.


version 2.74

Fix reversion in 2.73 where --conf-file would attempt to
read the default file, rather than no file.

Fix inotify code to handle dangling symlinks better and
not SEGV in some circumstances.

DNSSEC fix. In the case of a signed CNAME generated by a
wildcard which pointed to an unsigned domain, the wrong
status would be logged, and some necessary checks omitted.


version 2.73

Fix crash at startup when an empty suffix is supplied to
--conf-dir, also trivial memory leak. Thanks to
Tomas Hozza for spotting this.

Remove floor of 4096 on advertised EDNS0 packet size when
DNSSEC in use, the original rationale for this has long gone.
Thanks to Anders Kaseorg for spotting this.

Use inotify for checking on updates to /etc/resolv.conf and
friends under Linux. This fixes race conditions when the files are
updated rapidly and saves CPU by not polling. To build
a binary that runs on old Linux kernels without inotify,
use make COPTS=-DNO_INOTIFY

Fix breakage of --domain=<domain>,<subnet>,local - only reverse
queries were intercepted. This appears to have been broken
since 2.69. Thanks to Josh Stone for finding the bug.

Eliminate IPv6 privacy addresses and deprecated addresses from
the answers given by --interface-name. Note that reverse queries
(ie looking for names, given addresses) are not affected.
Thanks to Michael Gorbach for the suggestion.

Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
for the bug report.

Add --ignore-address option. Ignore replies to A-record
queries which include the specified address. No error is
generated, dnsmasq simply continues to listen for another
reply. This is useful to defeat blocking strategies which
rely on quickly supplying a forged answer to a DNS
request for certain domains, before the correct answer can
arrive. Thanks to Glen Huang for the patch.

Revisit the part of DNSSEC validation which determines if an
unsigned answer is legit, or is in some part of the DNS
tree which should be signed. Dnsmasq now works from the
DNS root downward looking for the limit of signed
delegations, rather than working bottom up. This is
both more correct, and less likely to trip over broken
nameservers in the unsigned parts of the DNS tree
which don't respond well to DNSSEC queries.

Add --log-queries=extra option, which makes logs easier
to search automatically.

Add --min-cache-ttl option. I've resisted this for a long
time, on the grounds that disbelieving TTLs is never a
good idea, but I've been persuaded that there are
sometimes reasons to do it. (Step forward, GFW).
To avoid misuse, there's a hard limit on the TTL
floor of one hour. Thanks to RinSatsuki for the patch.

Cope with multiple interfaces with the same link-local
address. (IPv6 addresses are scoped, so this is allowed.)
Thanks to Cory Benfield for help with this.

Add --dhcp-hostsdir. This allows addition of new host
configurations to a running dnsmasq instance much more
cheaply than having dnsmasq re-read all its existing
configuration each time.

Don't reply to DHCPv6 SOLICIT messages if we're not
configured to do stateful DHCPv6. Thanks to Win King Wan
for the patch.

Fix broken DNSSEC validation of ECDSA signatures.

Add --dnssec-timestamp option, which provides an automatic
way to detect when the system time becomes valid after
boot on systems without an RTC, whilst allowing DNS
queries before the clock is valid so that NTP can run.
Thanks to Kevin Darbyshire-Bryant for developing this idea.

Add --tftp-no-fail option. Thanks to Stefan Tomanek for
the patch.

Fix crash caused by looking up servers.bind, CHAOS text
record, when more than about five --servers= lines are
in the dnsmasq config. This causes memory corruption
which causes a crash later. Thanks to Matt Coddington for
sterling work chasing this down.

Fix crash on receipt of certain malformed DNS requests.
Thanks to Nick Sampanis for spotting the problem.
Note that this could allow the dnsmasq process's
memory to be read by an attacker under certain
circumstances, so it has a CVE, CVE-2015-3294

Fix crash in authoritative DNS code, if a .arpa zone
is declared as authoritative, and then a PTR query which
is not to be treated as authoritative arrived. Normally,
directly declaring .arpa zone as authoritative is not
done, so this crash wouldn't be seen. Instead the
relevant .arpa zone should be specified as a subnet
in the auth-zone declaration. Thanks to Johnny S. Lee
for the bugreport and initial patch.

Fix authoritative DNS code to correctly reply to NS
and SOA queries for .arpa zones for which we are
declared authoritative by means of a subnet in auth-zone.
Previously we provided correct answers to PTR queries
in such zones (including NS and SOA) but not direct
NS and SOA queries. Thanks to Johnny S. Lee for
pointing out the problem.

Fix logging of DHCPREPLY which should be suppressed
by quiet-dhcp6. Thanks to J. Pablo Abonia for
spotting the problem.

Try and handle net connections with broken fragmentation
that lose large UDP packets. If a server times out,
reduce the maximum UDP packet size field in the EDNS0
header to 1280 bytes. If it then answers, make that
change permanent.

Check IPv4-mapped IPv6 addresses when --stop-rebind
is active. Thanks to Jordan Milne for spotting this.

Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
Thanks to Kevin Benton for patches and work on this.

Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
in the correct subnet, even if not in dynamic address
allocation range. Thanks to Steve Hirsch for spotting
the problem.

Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
to Nicolas Cavallari for the patch.

Allow configuration of router advertisements without the
"on-link" bit set. Thanks to Neil Jerram for the patch.

Extend --bridge-interface to DHCPv6 and router
advertisements. Thanks to Neil Jerram for the patch.

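An added example (not dnsmasq source) of the address test behind the two rebind entries: 0.0.0.0/8 in 2.76 and IPv4-mapped IPv6 addresses with --stop-rebind in 2.73. The function names and the list of private, loopback and link-local IPv4 ranges other than 0.0.0.0/8 are assumptions of this example; native IPv6 ranges are not covered.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

/* Added example, not dnsmasq code. The range list other than 0.0.0.0/8
   is an assumption of this example. Argument is in host byte order. */
static int v4_is_rebind_target(uint32_t a)
{
    return (a & 0xFF000000u) == 0x00000000u   /* 0.0.0.0/8, RFC 5735 section 3 */
        || (a & 0xFF000000u) == 0x7F000000u   /* 127.0.0.0/8 loopback */
        || (a & 0xFF000000u) == 0x0A000000u   /* 10.0.0.0/8 */
        || (a & 0xFFF00000u) == 0xAC100000u   /* 172.16.0.0/12 */
        || (a & 0xFFFF0000u) == 0xC0A80000u   /* 192.168.0.0/16 */
        || (a & 0xFFFF0000u) == 0xA9FE0000u;  /* 169.254.0.0/16 link-local */
}

/* True when a6 has the form ::ffff:a.b.c.d; the embedded IPv4 address
   is returned in host byte order through *v4. */
static int v4_mapped(const struct in6_addr *a6, uint32_t *v4)
{
    static const unsigned char prefix[12] =
        { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff };
    uint32_t net;

    if (memcmp(a6->s6_addr, prefix, sizeof prefix) != 0)
        return 0;
    memcpy(&net, a6->s6_addr + 12, sizeof net);
    *v4 = ntohl(net);
    return 1;
}

/* Classify the address carried by an A or AAAA answer.
   Returns 1 = reject, 0 = allow, -1 = not an address literal. */
int is_rebind_target(const char *text)
{
    struct in_addr a4;
    struct in6_addr a6;
    uint32_t v4;

    if (inet_pton(AF_INET, text, &a4) == 1)
        return v4_is_rebind_target(ntohl(a4.s_addr));

    if (inet_pton(AF_INET6, text, &a6) != 1)
        return -1;

    /* Without this step ::ffff:192.168.1.1 in an AAAA answer would get
       past a filter that only inspects IPv4 addresses. */
    if (v4_mapped(&a6, &v4))
        return v4_is_rebind_target(v4);

    return 0;   /* native IPv6 ranges are outside this example */
}
```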
version 2.72

Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.

Add support for "ipsets" in *BSD, using pf. Thanks to
Sven Falempim for the patch.

Fix race condition which could lock up dnsmasq when an
interface goes down and up rapidly. Thanks to Conrad
Kostecki for helping to chase this down.

Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
Thanks to the Smoothwall project for the patch.

Fix failure to build against Nettle-3.0. Thanks to Steven
Barth for spotting this and finding the fix.

When assigning existing DHCP leases to interfaces by comparing
networks, handle the case that two or more interfaces have the
same network part, but different prefix lengths (favour the
longer prefix length.) Thanks to Lung-Pin Chang for the
patch.

Add a mode which detects and removes DNS forwarding loops, ie
a query sent to an upstream server returns as a new query to
dnsmasq, and would therefore be forwarded again, resulting in
a query which loops many times before being dropped. Upstream
servers which loop back are disabled and this event is logged.
Thanks to Smoothwall for their sponsorship of this feature.

Extend --conf-dir to allow filtering of files. So
--conf-dir=/etc/dnsmasq.d,\*.conf
will load all the files in /etc/dnsmasq.d which end in .conf

Fix bug which resulted in NXDOMAIN answers instead of NODATA in
some circumstances.

Fix bug which caused dnsmasq to become unresponsive if it
failed to send packets due to a network interface disappearing.
Thanks to Niels Peen for spotting this.

Fix problem with --local-service option on big-endian platforms
Thanks to Richard Genoud for the patch.


version 2.71

Subtle change to error handling to help DNSSEC validation
when servers fail to provide NODATA answers for
non-existent DS records.

Tweak code which removes DNSSEC records from answers when
not required. Fixes broken answers when additional section
has real records in it. Thanks to Marco Davids for the bug
report.

Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
for spotting that too.

Fix total DNS failure and 100% CPU use if cachesize set to zero,
regression introduced in 2.69. Thanks to James Hunt and
the Ubuntu crowd for assistance in fixing this.


version 2.70

Fix crash, introduced in 2.69, on TCP request when dnsmasq
compiled with DNSSEC support, but running without DNSSEC
enabled. Thanks to Manish Sing for spotting that one.

Fix regression which broke ipset functionality. Thanks to
Wang Jian for the bug report.

version 2.69

Implement dynamic interface discovery on *BSD. This allows
the constructor: syntax to be used in dhcp-range for DHCPv6
on the BSD platform. Thanks to Matthias Andree for
valuable research on how to implement this.

Fix infinite loop associated with some --bogus-nxdomain
configs. Thanks fogobogo for the bug report.

Fix missing RA RDNS option with configuration like
--dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
for spotting the problem.

Add [fd00::] and [fe80::] as special addresses in DHCPv6
options, analogous to [::]. [fd00::] is replaced with the
actual ULA of the interface on the machine running
dnsmasq, [fe80::] with the link-local address.
Thanks to Tsachi Kimeldorfer for championing this.

DNSSEC validation and caching. Dnsmasq needs to be
compiled with this enabled, with

    make dnsmasq COPTS=-DHAVE_DNSSEC

this adds dependencies on the nettle crypto library and the
gmp maths library. It's possible to have these linked
statically with

    make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'

which bloats the dnsmasq binary, but saves the size of
the shared libraries which are much bigger.

To enable DNSSEC, you will need a set of
trust-anchors. Now that the TLDs are signed, this can be
the keys for the root zone, and for convenience they are
included in trust-anchors.conf in the dnsmasq
distribution. You should of course check that these are
legitimate and up-to-date. So, adding

    conf-file=/path/to/trust-anchors.conf
    dnssec

to your config is all that's needed to get things
working. The upstream nameservers have to be DNSSEC-capable
too, of course. Many ISP nameservers aren't, but the
Google public nameservers (8.8.8.8 and 8.8.4.4) are.
When DNSSEC is configured, dnsmasq validates any queries
for domains which are signed. Query results which are
bogus are replaced with SERVFAIL replies, and results
which are correctly signed have the AD bit set. In
addition, and just as importantly, dnsmasq supplies
correct DNSSEC information to clients which are doing
their own validation, and caches DNSKEY, DS and RRSIG
records, which significantly improve the performance of
downstream validators. Setting --log-queries will show
DNSSEC in action.

If a domain is returned from an upstream nameserver without
DNSSEC signature, dnsmasq by default trusts this. This
means that for unsigned zones (still the majority) there
is effectively no cost for having DNSSEC enabled. Of course
this allows an attacker to replace a signed record with a
false unsigned record. This is addressed by the
--dnssec-check-unsigned flag, which instructs dnsmasq
to prove that an unsigned record is legitimate, by finding
a secure proof that the zone containing the record is not
signed. Doing this has costs (typically one or two extra
upstream queries). It also has a nasty failure mode if
dnsmasq's upstream nameservers are not DNSSEC capable.
Without --dnssec-check-unsigned using such an upstream
server will simply result in no queries being validated;
with --dnssec-check-unsigned enabled and a
DNSSEC-ignorant upstream server, _all_ queries will fail.

Note that DNSSEC requires that the local time is valid and
accurate, if not then DNSSEC validation will fail. NTP
should be running. This presents a problem for routers
without a battery-backed clock. To set the time needs NTP
to do DNS lookups, but lookups will fail until NTP has run.
To address this, there's a flag, --dnssec-no-timecheck
which disables the time checks (only) in DNSSEC. When dnsmasq
is started and the clock is not synced, this flag should
be used. As soon as the clock is synced, SIGHUP dnsmasq.
The SIGHUP clears the cache of partially-validated data and
resets the no-timecheck flag, so that all DNSSEC checks
henceforward will be complete.

The development of DNSSEC in dnsmasq was started by
Giovanni Bajo, to whom huge thanks are owed. It has been
supported by Comcast, whose techfund grant has allowed for
an invaluable period of full-time work to get it to
a workable state.

Add --rev-server. Thanks to Dave Taht for suggesting this.

Add --servers-file. Allows dynamic update of upstream servers
full access to configuration.

Add --local-service. Accept DNS queries only from hosts
whose address is on a local subnet, ie a subnet for which
an interface exists on the server. This option
only has effect if there are no --interface, --except-interface,
--listen-address or --auth-server options. It is intended
to be set as a default on installation, to allow
unconfigured installations to be useful but also safe from
being used for DNS amplification attacks.

Fix crashes in cache_get_cname_target() when dangling CNAMEs
encountered. Thanks to Andy and the rt-n56u project for
finding this and helping to chase it down.

Fix wrong RCODE in authoritative DNS replies to PTR queries. The
correct answer was included, but the RCODE was set to NXDOMAIN.
Thanks to Craig McQueen for spotting this.

Make statistics available as DNS queries in the .bind TLD as
well as logging them.


version 2.68

Use random addresses for DHCPv6 temporary address
allocations, instead of algorithmically determined stable
addresses.

Fix bug which meant that the DHCPv6 DUID was not available
in DHCP script runs during the lifetime of the dnsmasq
process which created the DUID de-novo. Once the DUID was
created and stored in the lease file and dnsmasq
restarted, this bug disappeared.

Fix bug introduced in 2.67 which could result in erroneous
NXDOMAIN returns to CNAME queries.

Fix build failures on MacOS X and OpenBSD.

Allow subnet specifications in --auth-zone to be interface
names as well as address literals. This makes it possible
to configure authoritative DNS when local address ranges
are dynamic and works much better than the previous
work-around which exempted constructed DHCP ranges from the
IP address filtering. As a consequence, that work-around
is removed. Under certain circumstances, this change will
break existing configuration: if you're relying on the
constructed-range exception, you need to change --auth-zone
to specify the same interface as is used to construct your
DHCP ranges, probably with a trailing "/6" like this:
--auth-zone=example.com,eth0/6 to limit the addresses to
IPv6 addresses of eth0.

Fix problems when advertising deleted IPv6 prefixes. If
the prefix is deleted (rather than replaced), it doesn't
get advertised with zero preferred time. Thanks to Tsachi
for the bug report.

Fix segfault with some locally configured CNAMEs. Thanks
to Andrew Childs for spotting the problem.

Fix memory leak on re-reading /etc/hosts and friends,
introduced in 2.67.

Check the arrival interface of incoming DNS and TFTP
requests via IPv6, even in --bind-interfaces mode. This
isn't possible for IPv4 and can generate scary warnings,
but as it's always possible for IPv6 (the API always
exists) then we should do it always.

Tweak the rules on prefix-lengths in --dhcp-range for
IPv6. The new rule is that the specified prefix length
must be larger than or equal to the prefix length of the
corresponding address on the local interface.


version 2.67

Fix crash if upstream server returns SERVFAIL when
--conntrack in use. Thanks to Giacomo Tazzari for finding
this and supplying the patch.

Repair regression in 2.64. That release stopped sending
lease-time information in the reply to DHCPINFORM
requests, on the correct grounds that it was a standards
violation. However, this broke the dnsmasq-specific
dhcp_lease_time utility. Now, DHCPINFORM returns
lease-time only if it's specifically requested
(maintaining standards) and the dhcp_lease_time utility
has been taught to ask for it (restoring functionality).

Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass
to work with BOOTP as well as DHCP. Thanks to Peter
Korsgaard for spotting the problem.

Add --synth-domain. Thanks to Vishvananda Ishaya for
suggesting this.

Fix failure to compile ipset.c if old kernel headers are
in use. Thanks to Eugene Rudoy for pointing this out.

Handle IPv4 interface-address labels in Linux. These are
often used to emulate the old IP-alias addresses. Before,
using --interface=eth0 would service all the addresses of
eth0, including ones configured as aliases, which appear
in ifconfig as eth0:0. Now, only addresses with the label
eth0 are active. This is not backwards compatible: if you
want to continue to bind the aliases too, you need to add
eg. --interface=eth0:0 to the config.

Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket
operation on non-socket" error on startup with
configurations which have exactly one --interface option
and do RA but _not_ DHCPv6. Thanks to Trever Adams for the
bug report.

Generalise --interface-name to cope with IPv6 addresses
and multiple addresses per interface per address family.

Fix option parsing for --dhcp-host, which was generating a
spurious error when all seven possible items were
included. Thanks to Zhiqiang Wang for the bug report.

Remove restriction on prefix-length in --auth-zone. Thanks
to Toke Hoiland-Jorgensen for suggesting this.

Log when the maximum number of concurrent DNS queries is
reached. Thanks to Marcelo Salhab Brogliato for the patch.

If wildcards are used in --interface, don't assume that
there will only ever be one available interface for DHCP
just because there is one at start-up. More may appear, so
we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
report.

Increase timeout/number of retries in TFTP to accommodate
AudioCodes Voice Gateways doing streaming writes to flash.
Thanks to Damian Kaczkowski for spotting the problem.

Fix crash with empty DHCP string options when adding zero
terminator. Thanks to Patrick McLean for the bug report.

Allow hostnames to start with a number, as allowed in
RFC-1123. Thanks to Kyle Mestery for the patch.

Fixes to DHCP FQDN option handling: don't terminate FQDN
if domain not known and allow a FQDN option with blank
name to request that a FQDN option is returned in the
reply. Thanks to Roy Marples for the patch.

Make --clear-on-reload apply to setting upstream servers
via DBus too.

When the address which triggered the construction of an
advertised IPv6 prefix disappears, continue to advertise
the prefix for up to 2 hours, with the preferred lifetime
set to zero. This satisfies RFC 6204 4.3 L-13 and makes
things work better if a prefix disappears without being
deprecated first. Thanks to Uwe Schindler for persuasively
arguing for this.

Fix MAC address enumeration on *BSD. Thanks to Brad Smith
for the bug report.

Support RFC-4242 information-refresh-time options in the
reply to DHCPv6 information-request. The lease time of the
smallest valid dhcp-range is sent. Thanks to Uwe Schindler
for suggesting this.

Make --listen-address higher priority than --except-interface
in all circumstances. Thanks to Thomas Hood for the bugreport.

Provide independent control over which interfaces get TFTP
service. If enable-tftp is given a list of interfaces, then TFTP
is provided on those. Without the list, the previous behaviour
(provide TFTP to the same interfaces we provide DHCP to)
is retained. Thanks to Lonnie Abelbeck for the suggestion.

Add --dhcp-relay config option. Many thanks to vtsl.net
for sponsoring this development.

Fix crash with empty tag: in --dhcp-range. Thanks to
Kaspar Schleiser for the bug report.

Add "baseline" and "bloatcheck" makefile targets, for
revealing size changes during development. Thanks to
Vladislav Grishenko for the patch.

Cope with DHCPv6 clients which send REQUESTs without
address options - treat them as SOLICIT with rapid commit.

Support identification of clients by MAC address in
DHCPv6. When using a relay, the relay must support RFC
6939 for this to work. It always works for directly
connected clients. Thanks to Vladislav Grishenko
for prompting this feature.

Remove the rule for constructed DHCP ranges that the local
address must be either the first or last address in the
range. This was originally to avoid SLAAC addresses, but
we now explicitly autoconfig and privacy addresses instead.

Update Polish translation. Thanks to Jan Psota.

Fix problem in DHCPv6 vendorclass/userclass matching
code. Thanks to Tanguy Bouzeloc for the patch.

Update Spanish translation. Thanks to Vicente Soriano.

Add --ra-param option. Thanks to Vladislav Grishenko for
inspiration on this.

Add --add-subnet configuration, to tell upstream DNS
servers where the original client is. Thanks to DNSthingy
for sponsoring this feature.

Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
Kevin Darbyshire-Bryant for the initial patch.

Allow A/AAAA records created by --interface-name to be the
target of --cname. Thanks to Hadmut Danisch for the
suggestion.

Avoid treating a --dhcp-host which has an IPv6 address
as eligible for use with DHCPv4 on the grounds that it has
no address, and vice-versa. Thanks to Yury Konovalov for
spotting the problem.

Do a better job caching dangling CNAMEs. Thanks to Yves
Dorfsman for spotting the problem.

version 2.66 |
Add the ability to act as an authoritative DNS |
server. Dnsmasq can now answer queries from the wider 'net |