|
version 1.1.1.4, 2021/03/17 00:56:46
|
version 1.1.1.5, 2023/09/27 11:02:07
|
|
Line 1
|
Line 1
|
| |
version 2.90 |
| |
Fix reversion in --rev-server introduced in 2.88 which |
| |
caused breakage if the prefix length is not exactly divisible |
| |
by 8 (IPv4) or 4 (IPv6). |
| |
|
| |
Fix possible SEGV when there server(s) for a particular |
| |
domain are configured, but no server which is not qualified |
| |
for a particular domain. Thanks to Daniel Danzberger for |
| |
spotting this bug. |
| |
|
| |
|
| |
version 2.89 |
| |
Fix bug introduced in 2.88 (commit fe91134b) which can result |
| |
in corruption of the DNS cache internal data structures and |
| |
logging of "cache internal error". This has only been seen |
| |
in one place in the wild, and it took considerable effort |
| |
to even generate a test case to reproduce it, but there's |
| |
no way to be sure it won't strike, and the effect is to break |
| |
the cache badly. Installations with DNSSEC enabled are more |
| |
likely to see the problem, but not running DNSSEC does not |
| |
guarantee that it won't happen. Thanks to Timo van Roermund |
| |
for reporting the bug and for his great efforts in chasing |
| |
it down. |
| |
|
| |
|
| |
version 2.88 |
| |
Fix bug in --dynamic-host when an interface has /16 IPv4 |
| |
address. Thanks to Mark Dietzer for spotting this. |
| |
|
| |
Add --fast-dns-retry option. This gives dnsmasq the ability |
| |
to originate retries for upstream DNS queries itself, rather |
| |
than relying on the downstream client. This is most useful |
| |
when doing DNSSEC over unreliable upstream networks. It comes |
| |
with some cost in memory usage and network bandwidth. |
| |
|
| |
Add --use-stale-cache option. When set, if a DNS name exists |
| |
in the cache, but its time-to-live has expired, dnsmasq will |
| |
return the data anyway. (It attempts to refresh the |
| |
data with an upstream query after returning the stale data.) |
| |
This can improve speed and reliability. It comes |
| |
at the expense of sometimes returning out-of-date data and |
| |
less efficient cache utilisation, since old data cannot be |
| |
flushed when its TTL expires, so the cache becomes |
| |
strictly least-recently-used. |
| |
|
| |
Add --port-limit option which allows tuning for robustness in |
| |
the face of some upstream network errors. Thanks to |
| |
Prashant Kumar Singh, Ravi Nagayach and Mike Danilov, |
| |
all of Amazon Web Services, for their efforts in developing this |
| |
and the stale-cache and fast-retry options. |
| |
|
| |
Make --hostsdir (but NOT --dhcp-hostsdir and --dhcp-optsdir) |
| |
handle removal of whole files or entries within files. |
| |
Thanks to Dominik Derigs for the initial patches for this. |
| |
|
| |
Fix bug, introduced in 2.87, which could result in DNS |
| |
servers being removed from the configuration when reloading |
| |
server configuration from DBus, or re-reading /etc/resolv.conf |
| |
Only servers from the same source should be replaced, but some |
| |
servers from other sources (i.e., hard coded or another dynamic source) |
| |
could mysteriously disappear. Thanks to all reporting this, |
| |
but especially Christopher J. Madsen who reduced the problem |
| |
to an easily reproducible case which saved much labour in |
| |
finding it. |
| |
|
| |
Add --no-round-robin option. |
| |
|
| |
Allow domain names as well as IP addresses when specifying |
| |
upstream DNS servers. There are some gotchas associated with this |
| |
(it will mysteriously fail to work if the dnsmasq instance |
| |
being started is in the path from the system resolver to the DNS), |
| |
and a seemingly sensible configuration like |
| |
--server=domain.name@1.2.3.4 is unactionable if domain.name |
| |
only resolves to an IPv6 address). There are, however, |
| |
cases where is can be useful. Thanks to Dominik Derigs for |
| |
the patch. |
| |
|
| |
Handle DS records for unsupported crypto algorithms correctly. |
| |
Such a DS, as long as it is validated, should allow answers |
| |
in the domain it attests to be returned as unvalidated, and not |
| |
as a validation error. |
| |
|
| |
Optimise reading large numbers of --server options. When re-reading |
| |
upstream servers from /etc/resolv.conf or other sources that |
| |
can change dnsmasq tries to avoid memory fragmentation by re-using |
| |
existing records that are being re-read unchanged. This involves |
| |
seaching all the server records for each new one installed. |
| |
During startup this search is pointless, and can cause long |
| |
start times with thousands of --server options because the work |
| |
needed is O(n^2). Handle this case more intelligently. |
| |
Thanks to Ye Zhou for spotting the problem and an initial patch. |
| |
|
| |
If we detect that a DNS reply from upstream is malformed don't |
| |
return it to the requestor; send a SEVFAIL rcode instead. |
| |
|
| |
|
| |
version 2.87 |
| |
Allow arbitrary prefix lengths in --rev-server and |
| |
--domain=....,local |
| |
|
| |
Replace --address=/#/..... functionality which got |
| |
missed in the 2.86 domain search rewrite. |
| |
|
| |
Add --nftset option, like --ipset but for the newer nftables. |
| |
Thanks to Chen Zhenge for the patch. |
| |
|
| |
Add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6 |
| |
addresses from DNS answers. |
| |
|
| |
Fix crash doing netbooting when --port is set to zero |
| |
to disable the DNS server. Thanks to Drexl Johannes |
| |
for the bug report. |
| |
|
| |
Generalise --dhcp-relay. Sending via broadcast/multicast is |
| |
now supported for both IPv4 and IPv6 and the configuration |
| |
syntax made easier (but backwards compatible). |
| |
|
| |
Add snooping of IPv6 prefix-delegations to the DHCP-relay system. |
| |
|
| |
Finesse parsing of --dhcp-remoteid and --dhcp-subscrid. To be treated |
| |
as hex, the pattern must consist of only hex digits AND contain |
| |
at least one ':'. Thanks to Bengt-Erik Sandstrom who tripped |
| |
over a pattern consisting of a decimal number which was interpreted |
| |
surprisingly. |
| |
|
| |
Include client address in TFTP file-not-found error reports. |
| |
Thanks to Stefan Rink for the initial patch, which has been |
| |
re-worked by me (srk). All bugs mine. |
| |
|
| |
Note in manpage the change in behaviour of -address. This behaviour |
| |
actually changed in v2.86, but was undocumented there. From 2.86 on, |
| |
(eg) --address=/example.com/1.2.3.4 ONLY applies to A queries. All other |
| |
types of query will be sent upstream. Pre 2.86, that would catch the |
| |
whole example.com domain and queries for other types would get |
| |
a local NODATA answer. The pre-2.86 behaviour is still available, |
| |
by configuring --address=/example.com/1.2.3.4 --local=/example.com/ |
| |
|
| |
Fix problem with binding DHCP sockets to an individual interface. |
| |
Despite the fact that the system call tales the interface _name_ as |
| |
a parameter, it actually, binds the socket to interface _index_. |
| |
Deleting the interface and creating a new one with the same name |
| |
leaves the socket bound to the old index. (Creating new sockets |
| |
always allocates a fresh index, they are not reused). We now |
| |
take this behaviour into account and keep up with changing indexes. |
| |
|
| |
Add --conf-script configuration option. |
| |
|
| |
Enhance --domain to accept, for instance, |
| |
--domain=net2.thekelleys.org.uk,eth2 so that hosts get a domain |
| |
which relects the interface they are attached to in a way which |
| |
doesn't require hard-coding addresses. Thanks to Sten Spans for |
| |
the idea. |
| |
|
| |
Fix write-after-free error in DHCPv6 server code. |
| |
CVE-2022-0934 refers. |
| |
|
| |
Add the ability to specify destination port in |
| |
DHCP-relay mode. This change also removes a previous bug |
| |
where --dhcp-alternate-port would affect the port used |
| |
to relay _to_ as well as the port being listened on. |
| |
The new feature allows configuration to provide bug-for-bug |
| |
compatibility, if required. Thanks to Damian Kaczkowski |
| |
for the feature suggestion. |
| |
|
| |
Bound the value of UDP packet size in the EDNS0 header of |
| |
forwarded queries to the configured or default value of |
| |
edns-packet-max. There's no point letting a client set a larger |
| |
value if we're unable to return the answer. Thanks to Bertie |
| |
Taylor for pointing out the problem and supplying the patch. |
| |
|
| |
Fix problem with the configuration |
| |
|
| |
--server=/some.domain/# --address=/#/<ip> --server=<server_ip> |
| |
|
| |
This would return <ip> for queries in some.domain, rather than |
| |
forwarding the query via the default server. |
| |
|
| |
Tweak DHCPv6 relay code so that packets relayed towards a server |
| |
have source address on the server-facing network, not the |
| |
client facing network. Thanks to Luis Thomas for spotting this |
| |
and initial patch. |
| |
|
| |
|
| |
version 2.86 |
| |
Handle DHCPREBIND requests in the DHCPv6 server code. |
| |
Thanks to Aichun Li for spotting this omission, and the initial |
| |
patch. |
| |
|
| |
Fix bug which caused dnsmasq to lose track of processes forked |
| |
to handle TCP DNS connections under heavy load. The code |
| |
checked that at least one free process table slot was |
| |
available before listening on TCP sockets, but didn't take |
| |
into account that more than one TCP connection could |
| |
arrive, so that check was not sufficient to ensure that |
| |
there would be slots for all new processes. It compounded |
| |
this error by silently failing to store the process when |
| |
it did run out of slots. Even when this bug is triggered, |
| |
all the right things happen, and answers are still returned. |
| |
Only under very exceptional circumstances, does the bug |
| |
manifest itself: see |
| |
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014976.html |
| |
Thanks to Tijs Van Buggenhout for finding the conditions under |
| |
which the bug manifests itself, and then working out |
| |
exactly what was going on. |
| |
|
| |
Major rewrite of the DNS server and domain handling code. |
| |
This should be largely transparent, but it drastically |
| |
improves performance and reduces memory foot-print when |
| |
configuring large numbers domains of the form |
| |
local=/adserver.com/ |
| |
or |
| |
local=/adserver.com/# |
| |
Lookup times now grow as log-to-base-2 of the number of domains, |
| |
rather than greater than linearly, as before. |
| |
The change makes multiple addresses associated with a domain work |
| |
address=/example.com/1.2.3.4 |
| |
address=/example.com/5.6.7.8 |
| |
It also handles multiple upstream servers for a domain better; using |
| |
the same try/retry algorithms as non domain-specific servers. This |
| |
also applies to DNSSEC-generated queries. |
| |
Finally, some of the oldest and gnarliest code in dnsmasq has had |
| |
a significant clean-up. It's far from perfect, but it _is_ better. |
| |
|
| |
Revise resource handling for number of concurrent DNS queries. This |
| |
used to have a global limit, but that has a problem when using |
| |
different servers for different upstream domains. Queries which are |
| |
routed by domain to an upstream server which is not responding will |
| |
build up and trigger the limit, which breaks DNS service for |
| |
all other domains which could be handled by other servers. The |
| |
change is to make the limit per server-group, where a server group |
| |
is the set of servers configured for a particular domain. In the |
| |
common case, where only default servers are declared, there is |
| |
no effective change. |
| |
|
| |
Improve efficiency of DNSSEC. The sharing point for DNSSEC RR data |
| |
used to be when it entered the cache, having been validated. After |
| |
that queries requiring the KEY or DS records would share the cached |
| |
values. There is a common case in dual-stack hosts that queries for |
| |
A and AAAA records for the same domain are made simultaneously. |
| |
If required keys were not in the cache, this would result in two |
| |
requests being sent upstream for the same key data (and all the |
| |
subsequent chain-of-trust queries.) Now we combine these requests |
| |
and elide the duplicates, resulting in fewer queries upstream |
| |
and better performance. To keep a better handle on what's |
| |
going on, the "extra" logging mode has been modified to associate |
| |
queries and answers for DNSSEC queries in the same way as ordinary |
| |
queries. The requesting address and port have been removed from |
| |
DNSSEC logging lines, since this is no longer strictly defined. |
| |
|
| |
Connection track mark based DNS query filtering. Thanks to |
| |
Etan Kissling for implementing this It extends query filtering |
| |
support beyond what is currently possible |
| |
with the `--ipset` configuration option, by adding support for: |
| |
1) Specifying allowlists on a per-client basis, based on their |
| |
associated Linux connection track mark. |
| |
2) Dynamic configuration of allowlists via Ubus. |
| |
3) Reporting when a DNS query resolves or is rejected via Ubus. |
| |
4) DNS name patterns containing wildcards. |
| |
Disallowed queries are not forwarded; they are rejected |
| |
with a REFUSED error code. |
| |
|
| |
Allow smaller than 64 prefix lengths in synth-domain, with caveats. |
| |
--synth-domain=1234:4567::/56,example.com is now valid. |
| |
|
| |
Make domains generated by --synth-domain appear in replies |
| |
when in authoritative mode. |
| |
|
| |
Ensure CAP_NET_ADMIN capability is available when |
| |
conntrack is configured. Thanks to Yick Xie for spotting |
| |
the lack of this. |
| |
|
| |
When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are |
| |
given a directory as argument, define the order in which |
| |
files within that directory are read (alphabetical order |
| |
of filename). Thanks to Ed Wildgoose for the initial patch |
| |
and motivation for this. |
| |
|
| |
Allow adding IP address to nftables set in addition to |
| |
ipset. |
| |
|
| |
|
| |
version 2.85 |
| |
Fix problem with DNS retries in 2.83/2.84. |
| |
The new logic in 2.83/2.84 which merges distinct requests |
| |
for the same domain causes problems with clients which do |
| |
retries as distinct requests (differing IDs and/or source ports.) |
| |
The retries just get piggy-backed on the first, failed, request. |
| |
The logic is now changed so that distinct requests for repeated |
| |
queries still get merged into a single ID/source port, but |
| |
they now always trigger a re-try upstream. |
| |
Thanks to Nicholas Mu for his analysis. |
| |
|
| |
Tweak sort order of tags in get-version. v2.84 sorts |
| |
before v2.83, but v2.83 sorts before v2.83rc1 and 2.83rc1 |
| |
sorts before v2.83test1. This fixes the problem which lead |
| |
to 2.84 announcing itself as 2.84rc2. |
| |
|
| |
Avoid treating a --dhcp-host which has an IPv6 address |
| |
as eligible for use with DHCPv4 on the grounds that it has |
| |
no address, and vice-versa. Thanks to Viktor Papp for |
| |
spotting the problem. (This bug was fixed was back in 2.67, and |
| |
then regressed in 2.81). |
| |
|
| |
Add --dynamic-host option: A and AAAA records which take their |
| |
network part from the network of a local interface. Useful |
| |
for routers with dynamically prefixes. Thanks |
| |
to Fred F for the suggestion. |
| |
|
| |
Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet. |
| |
|
| |
Use random source ports where possible if source |
| |
addresses/interfaces in use. |
| |
CVE-2021-3448 applies. Thanks to Petr Menšík for spotting this. |
| |
It's possible to specify the source address or interface to be |
| |
used when contacting upstream name servers: server=8.8.8.8@1.2.3.4 |
| |
or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of |
| |
these have, until now, used a single socket, bound to a fixed |
| |
port. This was originally done to allow an error (non-existent |
| |
interface, or non-local address) to be detected at start-up. This |
| |
means that any upstream servers specified in such a way don't use |
| |
random source ports, and are more susceptible to cache-poisoning |
| |
attacks. |
| |
We now use random ports where possible, even when the |
| |
source is specified, so server=8.8.8.8@1.2.3.4 or |
| |
server=8.8.8.8@eth0 will use random source |
| |
ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will |
| |
use the explicitly configured port, and should only be done with |
| |
understanding of the security implications. |
| |
Note that this change changes non-existing interface, or non-local |
| |
source address errors from fatal to run-time. The error will be |
| |
logged and communication with the server not possible. |
| |
|
| |
Change the method of allocation of random source ports for DNS. |
| |
Previously, without min-port or max-port configured, dnsmasq would |
| |
default to the compiled in defaults for those, which are 1024 and |
| |
65535. Now, when neither are configured, it defaults instead to |
| |
the kernel's ephemeral port range, which is typically |
| |
32768 to 60999 on Linux systems. This change eliminates the |
| |
possibility that dnsmasq may be using a registered port > 1024 |
| |
when a long-running daemon starts up and wishes to claim it. |
| |
This change does likely slightly reduce the number of random ports |
| |
and therefore the protection from reply spoofing. The older |
| |
behaviour can be restored using the min-port and max-port config |
| |
switches should that be a concern. |
| |
|
| |
Scale the size of the DNS random-port pool based on the |
| |
value of the --dns-forward-max configuration. |
| |
|
| |
Tweak TFTP code to check sender of all received packets, as |
| |
specified in RFC 1350 para 4. |
| |
|
| |
Support some wildcard matching of input tags to --tag-if. |
| |
Thanks to Geoff Back for the idea and the patch. |
| |
|
| |
|
| |
version 2.84 |
| |
Fix a problem, introduced in 2.83, which could see DNS replies |
| |
being sent via the wrong socket. On machines running both |
| |
IPv4 and IPv6 this could result in sporadic messages of |
| |
the form "failed to send packet: Network is unreachable" and |
| |
the lost of the query. Since the error is sporadic and of |
| |
low probability, the client retry would normally succeed. |
| |
|
| |
Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH. |
| |
|
| |
|
| version 2.83 |
version 2.83 |
| Use the values of --min-port and --max-port in outgoing |
Use the values of --min-port and --max-port in outgoing |
| TCP connections to upstream DNS servers. |
TCP connections to upstream DNS servers. |
|
Line 19 version 2.83
|
Line 385 version 2.83
|
| |
|
| Handle multiple identical near simultaneous DNS queries better. |
Handle multiple identical near simultaneous DNS queries better. |
| Previously, such queries would all be forwarded |
Previously, such queries would all be forwarded |
| independently. This is, in theory, inefficent but in practise | independently. This is, in theory, inefficient but in practise |
| not a problem, _except_ that is means that an answer for any |
not a problem, _except_ that is means that an answer for any |
| of the forwarded queries will be accepted and cached. |
of the forwarded queries will be accepted and cached. |
| An attacker can send a query multiple times, and for each repeat, |
An attacker can send a query multiple times, and for each repeat, |
| another {port, ID} becomes capable of accepting the answer he is |
another {port, ID} becomes capable of accepting the answer he is |
| sending in the blind, to random IDs and ports. The chance of a |
sending in the blind, to random IDs and ports. The chance of a |
| succesful attack is therefore multiplied by the number of repeats | successful attack is therefore multiplied by the number of repeats |
| of the query. The new behaviour detects repeated queries and |
of the query. The new behaviour detects repeated queries and |
| merely stores the clients sending repeats so that when the |
merely stores the clients sending repeats so that when the |
| first query completes, the answer can be sent to all the |
first query completes, the answer can be sent to all the |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to CHANGELOG CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / dnsmasq