--- embedaddon/dnsmasq/CHANGELOG 2016/11/02 09:57:01 1.1.1.3 +++ embedaddon/dnsmasq/CHANGELOG 2021/03/17 00:56:46 1.1.1.4 @@ -1,2072 +1,2565 @@ +version 2.83 + Use the values of --min-port and --max-port in outgoing + TCP connections to upstream DNS servers. + + Fix a remote buffer overflow problem in the DNSSEC code. Any + dnsmasq with DNSSEC compiled in and enabled is vulnerable to this, + referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 + CVE-2020-25687. + + Be sure to only accept UDP DNS query replies at the address + from which the query was originated. This keeps as much entropy + in the {query-ID, random-port} tuple as possible, to help defeat + cache poisoning attacks. Refer: CVE-2020-25684. + + Use the SHA-256 hash function to verify that DNS answers + received are for the questions originally asked. This replaces + the slightly insecure SHA-1 (when compiled with DNSSEC) or + the very insecure CRC32 (otherwise). Refer: CVE-2020-25685. + + Handle multiple identical near simultaneous DNS queries better. + Previously, such queries would all be forwarded + independently. This is, in theory, inefficent but in practise + not a problem, _except_ that is means that an answer for any + of the forwarded queries will be accepted and cached. + An attacker can send a query multiple times, and for each repeat, + another {port, ID} becomes capable of accepting the answer he is + sending in the blind, to random IDs and ports. The chance of a + succesful attack is therefore multiplied by the number of repeats + of the query. The new behaviour detects repeated queries and + merely stores the clients sending repeats so that when the + first query completes, the answer can be sent to all the + clients who asked. Refer: CVE-2020-25686. + + +version 2.82 + Improve behaviour in the face of network interfaces which come + and go and change index. Thanks to Petr Mensik for the patch. + + Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user + to a warning. + + Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in --dhcp-option. + + Fix crash under heavy TCP connection load introduced in 2.81. + Thanks to Frank for good work chasing this down. + + Change default lease time for DHCPv6 to one day. + + Alter calculation of preferred and valid times in router + advertisements, so that these do not have a floor applied + of the lease time in the dhcp-range if this is not explicitly + specified and is merely the default. + Thanks to Martin-Éric Racine for suggestions on this. + + +version 2.81 + Improve cache behaviour for TCP connections. For ease of + implementation, dnsmasq has always forked a new process to handle + each incoming TCP connection. A side-effect of this is that + any DNS queries answered from TCP connections are not cached: + when TCP connections were rare, this was not a problem. + With the coming of DNSSEC, it is now the case that some + DNSSEC queries have answers which spill to TCP, and if, + for instance, this applies to the keys for the root, then + those never get cached, and performance is very bad. + This fix passes cache entries back from the TCP child process to + the main server process, and fixes the problem. + + Remove the NO_FORK compile-time option, and support for uclinux. + In an era where everything has an MMU, this looks like + an anachronism, and it adds to (Ok, multiplies!) the + combinatorial explosion of compile-time options. Thanks to + Kevin Darbyshire-Bryant for the patch. + + Fix line-counting when reading /etc/hosts and friends; for + correct error messages. Thanks to Christian Rosentreter + for reporting this. + + Fix bug in DNS non-terminal code, added in 2.80, which could + sometimes cause a NODATA rather than an NXDOMAIN reply. + Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski + for spotting and diagnosing the bug and providing patches. + + Support TCP-fastopen (RFC-7413) on both incoming and + outgoing TCP connections, if supported and enabled in the OS. + + Improve kernel-capability manipulation code under Linux. Dnsmasq + now fails early if a required capability is not available, and + tries not to request capabilities not required by its + configuration. + + Add --shared-network config. This enables allocation of addresses + by the DHCP server in subnets where the server (or relay) does not + have an interface on the network in that subnet. Many thanks to + kamp.de for sponsoring this feature. + + Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet + validation check got borked in commit 2b38e382 and release 2.80. + Thanks to Tomasz Szajner for spotting this. + + Fix compilation against nettle version 3.5 and later. + + Fix spurious DNSSEC validation failures when the auth section + of a reply contains unsigned RRs from a signed zone, + with the exception that NSEC and NSEC3 RRs must always be signed. + Thanks to Tore Anderson for spotting and diagnosing the bug. + + Add --dhcp-ignore-clid. This disables reading of DHCP client + identifier option (option 61), so clients are only identified by + MAC addresses. + + Fix a bug which stopped --dhcp-name-match from working when a hostname + is supplied in --dhcp-host. Thanks to James Feeney for spotting this. + + Fix bug which caused very rarely caused zero-length DHCPv6 packets. + Thanks to Dereck Higgins for spotting this. + + Add --tftp-single-port option. + + Enhance --conf-dir to load files in a deterministic order. Thanks to + Evgenii Seliavka for the suggestion and initial patch. + + In the router advert code, handle case where we have two + different interfaces on the same IPv6 net, and we are doing + RA/DHCP service on only one of them. Thanks to NIIBE Yutaka + for spotting this case and making the initial patch. + + Support prefixed ranges of ipv6 addresses in dhcp-host. + This eases problems chain-netbooting, where each link in the + chain requests an address using a different UID. With a single + address, only one gets the "static" address, but with this + fix, enough addresses can be reserved for all the stages of the + boot. Many thanks to Harald Jensås for his work on this idea and + earlier patches. + + Add filtering by tag of --dhcp-host directives. Based on a patch + by Harald Jensås. + + Allow empty server spec in --rev-server, to match --server. + + Remove DSA signature verification from DNSSEC, as specified in + RFC 8624. Thanks to Loganaden Velvindron for the original patch. + + Add --script-on-renewal option. + + +version 2.80 + Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method + for the initial patch and motivation. + + Alter the default for dnssec-check-unsigned. Versions of + dnsmasq prior to 2.80 defaulted to not checking unsigned + replies, and used --dnssec-check-unsigned to switch + this on. Such configurations will continue to work as before, + but those which used the default of no checking will need to be + altered to explicitly select no checking. The new default is + because switching off checking for unsigned replies is + inherently dangerous. Not only does it open the possiblity of forged + replies, but it allows everything to appear to be working even + when the upstream namesevers do not support DNSSEC, and in this + case no DNSSEC validation at all is occuring. + + Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip + are set. Thanks to Daniel Miess for help with this. + + Add a facilty to store DNS packets sent/recieved in a + pcap-format file for later debugging. The file location + is given by the --dumpfile option, and a bitmap controlling + which packets should be dumped is given by the --dumpmask + option. + + Handle the case of both standard and constructed dhcp-ranges on the + same interface better. We don't now contruct a dhcp-range if there's + already one specified. This allows the specified interface to + have different parameters and avoids advertising the same + prefix twice. Thanks to Luis Marsano for spotting this case. + + Allow zone transfer in authoritative mode if auth-peer is specified, + even if auth-sec-servers is not. Thanks to Raphaël Halimi for + the suggestion. + + Fix bug which sometimes caused dnsmasq to wrongly return answers + without DNSSEC RRs to queries with the do-bit set, but only when + DNSSEC validation was not enabled. + Thanks to Petr Menšík for spotting this. + + Fix missing fatal errors with some malformed options + (server, local, address, rebind-domain-ok, ipset, alias). + Thanks to Eugene Lozovoy for spotting the problem. + + Fix crash on startup with a --synth-domain which has no prefix. + Introduced in 2.79. Thanks to Andreas Engel for the bug report. + + Fix missing EDNS0 section in some replies generated by local + DNS configuration which confused systemd-resolvd. Thanks to + Steve Dodd for characterising the problem. + + Add --dhcp-name-match config option. + + Add --caa-record config option. + + Implement --address=/example.com/# as (more efficient) syntactic + sugar for --address=/example.com/0.0.0.0 and + --address=/example.com/:: + Returning null addresses is a useful technique for ad-blocking. + Thanks to Peter Russell for the suggestion. + + Change anti cache-snooping behaviour with queries with the + recursion-desired bit unset. Instead to returning SERVFAIL, we + now always forward, and never answer from the cache. This + allows "dig +trace" command to work. + + Include in the example config file a formulation which + stops DHCP clients from claiming the DNS name "wpad". + This is a fix for the CERT Vulnerability VU#598349. + + +version 2.79 + Fix parsing of CNAME arguments, which are confused by extra spaces. + Thanks to Diego Aguirre for spotting the bug. + + Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind + upstream servers to an interface, rather than SO_BINDTODEVICE. + Thanks to Beniamino Galvani for the patch. + + Always return a SERVFAIL answer to DNS queries without the + recursion desired bit set, UNLESS acting as an authoritative + DNS server. This avoids a potential route to cache snooping. + + Add support for Ed25519 signatures in DNSSEC validation. + + No longer support RSA/MD5 signatures in DNSSEC validation, + since these are not secure. This behaviour is mandated in + RFC-6944. + + Fix incorrect error exit code from dhcp_release6 utility. + Thanks Gaudenz Steinlin for the bug report. + + Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC + time validation when --dnssec-no-timecheck is in use. + Note that this is an incompatible change from earlier releases. + + Allow more than one --bridge-interface option to refer to an + interface, so that we can use + --bridge-interface=int1,alias1 + --bridge-interface=int1,alias2 + as an alternative to + --bridge-interface=int1,alias1,alias2 + Thanks to Neil Jerram for work on this. + + Fix for DNSSEC with wildcard-derived NSEC records. + It's OK for NSEC records to be expanded from wildcards, + but in that case, the proof of non-existence is only valid + starting at the wildcard name, *. NOT the name expanded + from the wildcard. Without this check it's possible for an + attacker to craft an NSEC which wrongly proves non-existence. + Thanks to Ralph Dolmans for finding this, and co-ordinating + the vulnerability tracking and fix release. + CVE-2017-15107 applies. + + Remove special handling of A-for-A DNS queries. These + are no longer a significant problem in the global DNS. + http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf + Thanks to Mattias Hellström for the initial patch. + + Fix failure to delete dynamically created dhcp options + from files in -dhcp-optsdir directories. Thanks to + Lindgren Fredrik for the bug report. + + Add to --synth-domain the ability to create names using + sequential numbers, as well as encodings of IP addresses. + For instance, + --synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-* + creates 21 domain names of the form + internal-4.thekelleys.org.uk over the address range given, with + internal-0.thekelleys.org.uk being 192.168.0.50 and + internal-20.thekelleys.org.uk being 192.168.0.70 + Thanks to Andy Hawkins for the suggestion. + + Tidy up Crypto code, removing workarounds for ancient + versions of libnettle. We now require libnettle 3. + + +version 2.78 + Fix logic of appending "." to PXE basename. Thanks to Chris + Novakovic for the patch. + + Revert ping-check of address in DHCPDISCOVER if there + already exists a lease for the address. Under some + circumstances, and netbooted windows installation can reply + to pings before if has a DHCP lease and block allocation + of the address it already used during netboot. Thanks to + Jan Psota for spotting this. + + Fix DHCP relaying, broken in 2.76 and 2.77 by commit + ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to + John Fitzgibbon for the diagnosis and patch. + + Try other servers if first returns REFUSED when + --strict-order active. Thanks to Hans Dedecker + for the patch + + Fix regression in 2.77, ironically added as a security + improvement, which resulted in a crash when a DNS + query exceeded 512 bytes (or the EDNS0 packet size, + if different.) Thanks to Christian Kujau, Arne Woerner + Juan Manuel Fernandez and Kevin Darbyshire-Bryant for + chasing this one down. CVE-2017-13704 applies. + + Fix heap overflow in DNS code. This is a potentially serious + security hole. It allows an attacker who can make DNS + requests to dnsmasq, and who controls the contents of + a domain, which is thereby queried, to overflow + (by 2 bytes) a heap buffer and either crash, or + even take control of, dnsmasq. + CVE-2017-14491 applies. + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana + Kevin Hamacher and Ron Bowes of the Google Security Team for + finding this. + + Fix heap overflow in IPv6 router advertisement code. + This is a potentially serious security hole, as a + crafted RA request can overflow a buffer and crash or + control dnsmasq. Attacker must be on the local network. + CVE-2017-14492 applies. + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana + and Kevin Hamacher of the Google Security Team for + finding this. + + Fix stack overflow in DHCPv6 code. An attacker who can send + a DHCPv6 request to dnsmasq can overflow the stack frame and + crash or control dnsmasq. + CVE-2017-14493 applies. + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana + Kevin Hamacher and Ron Bowes of the Google Security Team for + finding this. + + Fix information leak in DHCPv6. A crafted DHCPv6 packet can + cause dnsmasq to forward memory from outside the packet + buffer to a DHCPv6 server when acting as a relay. + CVE-2017-14494 applies. + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana + Kevin Hamacher and Ron Bowes of the Google Security Team for + finding this. + + Fix DoS in DNS. Invalid boundary checks in the + add_pseudoheader function allows a memcpy call with negative + size An attacker which can send malicious DNS queries + to dnsmasq can trigger a DoS remotely. + dnsmasq is vulnerable only if one of the following option is + specified: --add-mac, --add-cpe-id or --add-subnet. + CVE-2017-14496 applies. + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana + Kevin Hamacher and Ron Bowes of the Google Security Team for + finding this. + + Fix out-of-memory Dos vulnerability. An attacker which can + send malicious DNS queries to dnsmasq can trigger memory + allocations in the add_pseudoheader function + The allocated memory is never freed which leads to a DoS + through memory exhaustion. dnsmasq is vulnerable only + if one of the following option is specified: + --add-mac, --add-cpe-id or --add-subnet. + CVE-2017-14495 applies. + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana + Kevin Hamacher and Ron Bowes of the Google Security Team for + finding this. + + +version 2.77 + Generate an error when configured with a CNAME loop, + rather than a crash. Thanks to George Metz for + spotting this problem. + + Calculate the length of TFTP error reply packet + correctly. This fixes a problem when the error + message in a TFTP packet exceeds the arbitrary + limit of 500 characters. The message was correctly + truncated, but not the packet length, so + extra data was appended. This is a possible + security risk, since the extra data comes from + a buffer which is also used for DNS, so that + previous DNS queries or replies may be leaked. + Thanks to Mozilla for funding the security audit + which spotted this bug. + + Fix logic error in Linux netlink code. This could + cause dnsmasq to enter a tight loop on systems + with a very large number of network interfaces. + Thanks to Ivan Kokshaysky for the diagnosis and + patch. + + Fix problem with --dnssec-timestamp whereby receipt + of SIGHUP would erroneously engage timestamp checking. + Thanks to Kevin Darbyshire-Bryant for this work. + + Bump zone serial on reloading /etc/hosts and friends + when providing authoritative DNS. Thanks to Harrald + Dunkel for spotting this. + + Handle v4-mapped IPv6 addresses sanely in --synth-domain. + These have standard representation like ::ffff:1.2.3.4 + and are now converted to names like + --ffff-1-2-3-4. + + Handle binding upstream servers to an interface + (--server=1.2.3.4@eth0) when the named interface + is destroyed and recreated in the kernel. Thanks to + Beniamino Galvani for the patch. + + Allow wildcard CNAME records in authoritative zones. + For example --cname=*.example.com,default.example.com + Thanks to Pro Backup for sponsoring this development. + + Bump the allowed backlog of TCP connections from 5 to 32, + and make this a compile-time configurable option. Thanks + to Donatas Abraitis for diagnosing this as a potential + problem. + + Add DNSMASQ_REQUESTED_OPTIONS environment variable to the + lease-change script. Thanks to ZHAO Yu for the patch. + + Fix foobar in rrfilter code, that could cause malformed + replies, especially when DNSSEC validation on, and + the upstream server returns answer with the RRs in a + particular order. The only DNS server known to tickle + this is Nominum's. Thanks to Dave Täht for spotting the + bug and assisting in the fix. + + Fix the manpage which lied that only the primary address + of an interface is used by --interface-name. + + Make --localise-queries apply to names from --interface-name. + Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen + for pushing this. + + Improve connection handling when talking to TCP upstream + servers. Specifically, be prepared to open a new TCP + connection when we want to make multiple queries + but the upstream server accepts fewer queries per connection. + + Improve logging of upstream servers when there are a lot + of "local addresses only" entries. Thanks to Hannu Nyman for + the patch. + + Make --bogus-priv apply to IPv6, for the prefixes specified + in RFC6303. Thanks to Kevin Darbyshire-Bryant for work on this. + + Allow use of MAC addresses with --tftp-unique-root. Thanks + to Floris Bos for the patch. + + Add --dhcp-reply-delay option. Thanks to Floris Bos + for the patch. + + Add mtu setting facility to --ra-param. Thanks to David + Flamand for the patch. + + Capture STDOUT and STDERR output from dhcp-script and log + it as part of the dnsmasq log stream. Makes life easier + for diagnosing unexpected problems in scripts. + Thanks to Petr Mensik for the patch. + + Generate fatal errors when failing to parse the output + of the dhcp-script in "init" mode. Avoids strange errors + when the script accidentally emits error messages. + Thanks to Petr Mensik for the patch. + + Make --rev-server for an RFC1918 subnet work even in the + presence of the --bogus-priv flag. Thanks to + Vladislav Grishenko for the patch. + + Extend --ra-param mtu: field to allow an interface name. + This allows the MTU of a WAN interface to be advertised on + the internal interfaces of a router. Thanks to + Vladislav Grishenko for the patch. + + Do ICMP-ping check for address-in-use for DHCPv4 when + the client specifies an address in DHCPDISCOVER, and when + an address in configured locally. Thanks to Alin Năstac + for spotting the problem. + + Add new DHCP tag "known-othernet" which is set when only a + dhcp-host exists for another subnet. Can be used to ensure + that privileged hosts are not given "guest" addresses by + accident. Thanks to Todd Sanket for the suggestion. + + Remove historic automatic inclusion of IDN support when + building internationalisation support. This doesn't + fit now there is a choice of IDN libraries. Be sure + to include either -DHAVE_IDN or -DHAVE_LIBIDN2 for + IDN support. + + version 2.76 - Include 0.0.0.0/8 in DNS rebind checks. This range - translates to hosts on the local network, or, at - least, 0.0.0.0 accesses the local host, so could - be targets for DNS rebinding. See RFC 5735 section 3 - for details. Thanks to Stephen Röttger for the bug report. + Include 0.0.0.0/8 in DNS rebind checks. This range + translates to hosts on the local network, or, at + least, 0.0.0.0 accesses the local host, so could + be targets for DNS rebinding. See RFC 5735 section 3 + for details. Thanks to Stephen Röttger for the bug report. - Enhance --add-subnet to allow arbitrary subnet addresses. - Thanks to Ed Barsley for the patch. + Enhance --add-subnet to allow arbitrary subnet addresses. + Thanks to Ed Barsley for the patch. - Respect the --no-resolv flag in inotify code. Fixes bug - which caused dnsmasq to fail to start if a resolv-file - was a dangling symbolic link, even of --no-resolv set. - Thanks to Alexander Kurtz for spotting the problem. + Respect the --no-resolv flag in inotify code. Fixes bug + which caused dnsmasq to fail to start if a resolv-file + was a dangling symbolic link, even of --no-resolv set. + Thanks to Alexander Kurtz for spotting the problem. - Fix crash when an A or AAAA record is defined locally, - in a hosts file, and an upstream server sends a reply - that the same name is empty. Thanks to Edwin Török for - the patch. + Fix crash when an A or AAAA record is defined locally, + in a hosts file, and an upstream server sends a reply + that the same name is empty. Thanks to Edwin Török for + the patch. - Fix failure to correctly calculate cache-size when - reading a hosts-file fails. Thanks to André Glüpker - for the patch. + Fix failure to correctly calculate cache-size when + reading a hosts-file fails. Thanks to André Glüpker + for the patch. - Fix wrong answer to simple name query when --domain-needed - set, but no upstream servers configured. Dnsmasq returned - REFUSED, in this case, when it should be the same as when - upstream servers are configured - NOERROR. Thanks to - Allain Legacy for spotting the problem. + Fix wrong answer to simple name query when --domain-needed + set, but no upstream servers configured. Dnsmasq returned + REFUSED, in this case, when it should be the same as when + upstream servers are configured - NOERROR. Thanks to + Allain Legacy for spotting the problem. - Return REFUSED when running out of forwarding table slots, - not SERVFAIL. + Return REFUSED when running out of forwarding table slots, + not SERVFAIL. - Add --max-port configuration. Thanks to Hans Dedecker for - the patch. + Add --max-port configuration. Thanks to Hans Dedecker for + the patch. - Add --script-arp and two new functions for the dhcp-script. - These are "arp" and "arp-old" which announce the arrival and - removal of entries in the ARP or nieghbour tables. + Add --script-arp and two new functions for the dhcp-script. + These are "arp" and "arp-old" which announce the arrival and + removal of entries in the ARP or neighbour tables. - Extend --add-mac to allow a new encoding of the MAC address - as base64, by configurting --add-mac=base64 - - Add --add-cpe-id option. + Extend --add-mac to allow a new encoding of the MAC address + as base64, by configuring --add-mac=base64 - Don't crash with divide-by-zero if an IPv6 dhcp-range - is declared as a whole /64. - (ie xx::0 to xx::ffff:ffff:ffff:ffff) - Thanks to Laurent Bendel for spotting this problem. + Add --add-cpe-id option. - Add support for a TTL parameter in --host-record and - --cname. + Don't crash with divide-by-zero if an IPv6 dhcp-range + is declared as a whole /64. + (ie xx::0 to xx::ffff:ffff:ffff:ffff) + Thanks to Laurent Bendel for spotting this problem. - Add --dhcp-ttl option. + Add support for a TTL parameter in --host-record and + --cname. - Add --tftp-mtu option. Thanks to Patrick McLean for the - initial patch. + Add --dhcp-ttl option. - Check return-code of inet_pton() when parsing dhcp-option. - Bad addresses could fail to generate errors and result in - garbage dhcp-options being sent. Thanks to Marc Branchaud - for spotting this. + Add --tftp-mtu option. Thanks to Patrick McLean for the + initial patch. - Fix wrong value for EDNS UDP packet size when using - --servers-file to define upstream DNS servers. Thanks to - Scott Bonar for the bug report. + Check return-code of inet_pton() when parsing dhcp-option. + Bad addresses could fail to generate errors and result in + garbage dhcp-options being sent. Thanks to Marc Branchaud + for spotting this. - Move the dhcp_release and dhcp_lease_time tools from - contrib/wrt to contrib/lease-tools. + Fix wrong value for EDNS UDP packet size when using + --servers-file to define upstream DNS servers. Thanks to + Scott Bonar for the bug report. - Add dhcp_release6 to contrib/lease-tools. Many thanks - to Sergey Nechaev for this code. + Move the dhcp_release and dhcp_lease_time tools from + contrib/wrt to contrib/lease-tools. - To avoid filling logs in configurations which define - many upstream nameservers, don't log more that 30 servers. - The number to be logged can be changed as SERVERS_LOGGED - in src/config.h. + Add dhcp_release6 to contrib/lease-tools. Many thanks + to Sergey Nechaev for this code. - Swap the values if BC_EFI and x86-64_EFI in --pxe-service. - These were previously wrong due to an error in RFC 4578. - If you're using BC_EFI to boot 64-bit EFI machines, you - will need to update your config. + To avoid filling logs in configurations which define + many upstream nameservers, don't log more that 30 servers. + The number to be logged can be changed as SERVERS_LOGGED + in src/config.h. - Add ARM32_EFI and ARM64_EFI as valid architectures in - --pxe-service. + Swap the values if BC_EFI and x86-64_EFI in --pxe-service. + These were previously wrong due to an error in RFC 4578. + If you're using BC_EFI to boot 64-bit EFI machines, you + will need to update your config. - Fix PXE booting for UEFI architectures. Modify PXE boot - sequence in this case to force the client to talk to dnsmasq - over port 4011. This makes PXE and especially proxy-DHCP PXE - work with these archictectures. + Add ARM32_EFI and ARM64_EFI as valid architectures in + --pxe-service. - Workaround problems with UEFI PXE clients. There exist - in the wild PXE clients which have problems with PXE - boot menus. To work around this, when there's a single - --pxe-service which applies to client, then that target - will be booted directly, rather then sending a - single-item boot menu. + Fix PXE booting for UEFI architectures. Modify PXE boot + sequence in this case to force the client to talk to dnsmasq + over port 4011. This makes PXE and especially proxy-DHCP PXE + work with these architectures. - Many thanks to Jarek Polok, Michael Kuron and Dreamcat4 - for their work on the long-standing UEFI PXE problem. + Workaround problems with UEFI PXE clients. There exist + in the wild PXE clients which have problems with PXE + boot menus. To work around this, when there's a single + --pxe-service which applies to client, then that target + will be booted directly, rather then sending a + single-item boot menu. - Subtle change in the semantics of "basename" in - --pxe-service. The historical behaviour has always been - that the actual filename downloaded from the TFTP server - is . where is an integer which - corresponds to the layer parameter supplied by the client. - It's not clear what the function of the "layer" - actually is in the PXE protocol, and in practise layer - is always zero, so the filename is .0 - The new behaviour is the same as the old, except when - includes a file suffix, in which case - the layer suffix is no longer added. This allows - sensible suffices to be used, rather then the - meaningless ".0". Only in the unlikely event that you - have a config with a basename which already has a - suffix, is this an incompatible change, since the file - downloaded will change from name.suffix.0 to just - name.suffix + Many thanks to Jarek Polok, Michael Kuron and Dreamcat4 + for their work on the long-standing UEFI PXE problem. + Subtle change in the semantics of "basename" in + --pxe-service. The historical behaviour has always been + that the actual filename downloaded from the TFTP server + is . where is an integer which + corresponds to the layer parameter supplied by the client. + It's not clear what the function of the "layer" + actually is in the PXE protocol, and in practise layer + is always zero, so the filename is .0 + The new behaviour is the same as the old, except when + includes a file suffix, in which case + the layer suffix is no longer added. This allows + sensible suffices to be used, rather then the + meaningless ".0". Only in the unlikely event that you + have a config with a basename which already has a + suffix, is this an incompatible change, since the file + downloaded will change from name.suffix.0 to just + name.suffix + version 2.75 - Fix reversion on 2.74 which caused 100% CPU use when a - dhcp-script is configured. Thanks to Adrian Davey for - reporting the bug and testing the fix. + Fix reversion on 2.74 which caused 100% CPU use when a + dhcp-script is configured. Thanks to Adrian Davey for + reporting the bug and testing the fix. - + version 2.74 - Fix reversion in 2.73 where --conf-file would attempt to - read the default file, rather than no file. + Fix reversion in 2.73 where --conf-file would attempt to + read the default file, rather than no file. - Fix inotify code to handle dangling symlinks better and - not SEGV in some circumstances. + Fix inotify code to handle dangling symlinks better and + not SEGV in some circumstances. - DNSSEC fix. In the case of a signed CNAME generated by a - wildcard which pointed to an unsigned domain, the wrong - status would be logged, and some necessary checks omitted. - + DNSSEC fix. In the case of a signed CNAME generated by a + wildcard which pointed to an unsigned domain, the wrong + status would be logged, and some necessary checks omitted. + version 2.73 - Fix crash at startup when an empty suffix is supplied to - --conf-dir, also trivial memory leak. Thanks to - Tomas Hozza for spotting this. + Fix crash at startup when an empty suffix is supplied to + --conf-dir, also trivial memory leak. Thanks to + Tomas Hozza for spotting this. - Remove floor of 4096 on advertised EDNS0 packet size when - DNSSEC in use, the original rationale for this has long gone. - Thanks to Anders Kaseorg for spotting this. + Remove floor of 4096 on advertised EDNS0 packet size when + DNSSEC in use, the original rationale for this has long gone. + Thanks to Anders Kaseorg for spotting this. - Use inotify for checking on updates to /etc/resolv.conf and - friends under Linux. This fixes race conditions when the files are - updated rapidly and saves CPU by noy polling. To build - a binary that runs on old Linux kernels without inotify, - use make COPTS=-DNO_INOTIFY + Use inotify for checking on updates to /etc/resolv.conf and + friends under Linux. This fixes race conditions when the files are + updated rapidly and saves CPU by noy polling. To build + a binary that runs on old Linux kernels without inotify, + use make COPTS=-DNO_INOTIFY - Fix breakage of --domain=,,local - only reverse - queries were intercepted. THis appears to have been broken - since 2.69. Thanks to Josh Stone for finding the bug. + Fix breakage of --domain=,,local - only reverse + queries were intercepted. THis appears to have been broken + since 2.69. Thanks to Josh Stone for finding the bug. - Eliminate IPv6 privacy addresses and deprecated addresses from - the answers given by --interface-name. Note that reverse queries - (ie looking for names, given addresses) are not affected. - Thanks to Michael Gorbach for the suggestion. + Eliminate IPv6 privacy addresses and deprecated addresses from + the answers given by --interface-name. Note that reverse queries + (ie looking for names, given addresses) are not affected. + Thanks to Michael Gorbach for the suggestion. - Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids - for the bug report. - - Add --ignore-address option. Ignore replies to A-record - queries which include the specified address. No error is - generated, dnsmasq simply continues to listen for another - reply. This is useful to defeat blocking strategies which - rely on quickly supplying a forged answer to a DNS - request for certain domains, before the correct answer can - arrive. Thanks to Glen Huang for the patch. - - Revisit the part of DNSSEC validation which determines if an - unsigned answer is legit, or is in some part of the DNS - tree which should be signed. Dnsmasq now works from the - DNS root downward looking for the limit of signed - delegations, rather than working bottom up. This is - both more correct, and less likely to trip over broken - nameservers in the unsigned parts of the DNS tree - which don't respond well to DNSSEC queries. + Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids + for the bug report. - Add --log-queries=extra option, which makes logs easier - to search automatically. + Add --ignore-address option. Ignore replies to A-record + queries which include the specified address. No error is + generated, dnsmasq simply continues to listen for another + reply. This is useful to defeat blocking strategies which + rely on quickly supplying a forged answer to a DNS + request for certain domains, before the correct answer can + arrive. Thanks to Glen Huang for the patch. - Add --min-cache-ttl option. I've resisted this for a long - time, on the grounds that disbelieving TTLs is never a - good idea, but I've been persuaded that there are - sometimes reasons to do it. (Step forward, GFW). - To avoid misuse, there's a hard limit on the TTL - floor of one hour. Thansk to RinSatsuki for the patch. + Revisit the part of DNSSEC validation which determines if an + unsigned answer is legit, or is in some part of the DNS + tree which should be signed. Dnsmasq now works from the + DNS root downward looking for the limit of signed + delegations, rather than working bottom up. This is + both more correct, and less likely to trip over broken + nameservers in the unsigned parts of the DNS tree + which don't respond well to DNSSEC queries. - Cope with multiple interfaces with the same link-local - address. (IPv6 addresses are scoped, so this is allowed.) - Thanks to Cory Benfield for help with this. + Add --log-queries=extra option, which makes logs easier + to search automatically. - Add --dhcp-hostsdir. This allows addition of new host - configurations to a running dnsmasq instance much more - cheaply than having dnsmasq re-read all its existing - configuration each time. - - Don't reply to DHCPv6 SOLICIT messages if we're not - configured to do stateful DHCPv6. Thanks to Win King Wan - for the patch. + Add --min-cache-ttl option. I've resisted this for a long + time, on the grounds that disbelieving TTLs is never a + good idea, but I've been persuaded that there are + sometimes reasons to do it. (Step forward, GFW). + To avoid misuse, there's a hard limit on the TTL + floor of one hour. Thanks to RinSatsuki for the patch. - Fix broken DNSSEC validation of ECDSA signatures. + Cope with multiple interfaces with the same link-local + address. (IPv6 addresses are scoped, so this is allowed.) + Thanks to Cory Benfield for help with this. - Add --dnssec-timestamp option, which provides an automatic - way to detect when the system time becomes valid after - boot on systems without an RTC, whilst allowing DNS - queries before the clock is valid so that NTP can run. - Thanks to Kevin Darbyshire-Bryant for developing this idea. + Add --dhcp-hostsdir. This allows addition of new host + configurations to a running dnsmasq instance much more + cheaply than having dnsmasq re-read all its existing + configuration each time. - Add --tftp-no-fail option. Thanks to Stefan Tomanek for - the patch. + Don't reply to DHCPv6 SOLICIT messages if we're not + configured to do stateful DHCPv6. Thanks to Win King Wan + for the patch. - Fix crash caused by looking up servers.bind, CHAOS text - record, when more than about five --servers= lines are - in the dnsmasq config. This causes memory corruption - which causes a crash later. Thanks to Matt Coddington for - sterling work chasing this down. + Fix broken DNSSEC validation of ECDSA signatures. - Fix crash on receipt of certain malformed DNS requests. - Thanks to Nick Sampanis for spotting the problem. - Note that this is could allow the dnsmasq process's - memory to be read by an attacker under certain - circumstances, so it has a CVE, CVE-2015-3294 + Add --dnssec-timestamp option, which provides an automatic + way to detect when the system time becomes valid after + boot on systems without an RTC, whilst allowing DNS + queries before the clock is valid so that NTP can run. + Thanks to Kevin Darbyshire-Bryant for developing this idea. - Fix crash in authoritative DNS code, if a .arpa zone - is declared as authoritative, and then a PTR query which - is not to be treated as authoritative arrived. Normally, - directly declaring .arpa zone as authoritative is not - done, so this crash wouldn't be seen. Instead the - relevant .arpa zone should be specified as a subnet - in the auth-zone declaration. Thanks to Johnny S. Lee - for the bugreport and initial patch. + Add --tftp-no-fail option. Thanks to Stefan Tomanek for + the patch. - Fix authoritative DNS code to correctly reply to NS - and SOA queries for .arpa zones for which we are - declared authoritative by means of a subnet in auth-zone. - Previously we provided correct answers to PTR queries - in such zones (including NS and SOA) but not direct - NS and SOA queries. Thanks to Johnny S. Lee for - pointing out the problem. + Fix crash caused by looking up servers.bind, CHAOS text + record, when more than about five --servers= lines are + in the dnsmasq config. This causes memory corruption + which causes a crash later. Thanks to Matt Coddington for + sterling work chasing this down. - Fix logging of DHCPREPLY which should be suppressed - by quiet-dhcp6. Thanks to J. Pablo Abonia for - spotting the problem. + Fix crash on receipt of certain malformed DNS requests. + Thanks to Nick Sampanis for spotting the problem. + Note that this is could allow the dnsmasq process's + memory to be read by an attacker under certain + circumstances, so it has a CVE, CVE-2015-3294 - Try and handle net connections with broken fragmentation - that lose large UDP packets. If a server times out, - reduce the maximum UDP packet size field in the EDNS0 - header to 1280 bytes. If it then answers, make that - change permanent. + Fix crash in authoritative DNS code, if a .arpa zone + is declared as authoritative, and then a PTR query which + is not to be treated as authoritative arrived. Normally, + directly declaring .arpa zone as authoritative is not + done, so this crash wouldn't be seen. Instead the + relevant .arpa zone should be specified as a subnet + in the auth-zone declaration. Thanks to Johnny S. Lee + for the bugreport and initial patch. - Check IPv4-mapped IPv6 addresses when --stop-rebind - is active. Thanks to Jordan Milne for spotting this. + Fix authoritative DNS code to correctly reply to NS + and SOA queries for .arpa zones for which we are + declared authoritative by means of a subnet in auth-zone. + Previously we provided correct answers to PTR queries + in such zones (including NS and SOA) but not direct + NS and SOA queries. Thanks to Johnny S. Lee for + pointing out the problem. - Allow DHCPv4 options T1 and T2 to be set using --dhcp-option. - Thanks to Kevin Benton for patches and work on this. + Fix logging of DHCPREPLY which should be suppressed + by quiet-dhcp6. Thanks to J. Pablo Abonia for + spotting the problem. - Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses - in the correct subnet, even of not in dynamic address - allocation range. Thanks to Steve Hirsch for spotting - the problem. + Try and handle net connections with broken fragmentation + that lose large UDP packets. If a server times out, + reduce the maximum UDP packet size field in the EDNS0 + header to 1280 bytes. If it then answers, make that + change permanent. - Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks - to Nicolas Cavallari for the patch. + Check IPv4-mapped IPv6 addresses when --stop-rebind + is active. Thanks to Jordan Milne for spotting this. - Allow configuration of router advertisements without the - "on-link" bit set. Thanks to Neil Jerram for the patch. + Allow DHCPv4 options T1 and T2 to be set using --dhcp-option. + Thanks to Kevin Benton for patches and work on this. - Extend --bridge-interface to DHCPv6 and router - advertisements. Thanks to Neil Jerram for the patch. - - + Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses + in the correct subnet, even of not in dynamic address + allocation range. Thanks to Steve Hirsch for spotting + the problem. + + Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks + to Nicolas Cavallari for the patch. + + Allow configuration of router advertisements without the + "on-link" bit set. Thanks to Neil Jerram for the patch. + + Extend --bridge-interface to DHCPv6 and router + advertisements. Thanks to Neil Jerram for the patch. + + version 2.72 - Add ra-advrouter mode, for RFC-3775 mobile IPv6 support. + Add ra-advrouter mode, for RFC-3775 mobile IPv6 support. - Add support for "ipsets" in *BSD, using pf. Thanks to - Sven Falempim for the patch. + Add support for "ipsets" in *BSD, using pf. Thanks to + Sven Falempin for the patch. - Fix race condition which could lock up dnsmasq when an - interface goes down and up rapidly. Thanks to Conrad - Kostecki for helping to chase this down. + Fix race condition which could lock up dnsmasq when an + interface goes down and up rapidly. Thanks to Conrad + Kostecki for helping to chase this down. - Add DBus methods SetFilterWin2KOption and SetBogusPrivOption - Thanks to the Smoothwall project for the patch. + Add DBus methods SetFilterWin2KOption and SetBogusPrivOption + Thanks to the Smoothwall project for the patch. - Fix failure to build against Nettle-3.0. Thanks to Steven - Barth for spotting this and finding the fix. - - When assigning existing DHCP leases to intefaces by comparing - networks, handle the case that two or more interfaces have the - same network part, but different prefix lengths (favour the - longer prefix length.) Thanks to Lung-Pin Chang for the - patch. - - Add a mode which detects and removes DNS forwarding loops, ie - a query sent to an upstream server returns as a new query to - dnsmasq, and would therefore be forwarded again, resulting in - a query which loops many times before being dropped. Upstream - servers which loop back are disabled and this event is logged. - Thanks to Smoothwall for their sponsorship of this feature. + Fix failure to build against Nettle-3.0. Thanks to Steven + Barth for spotting this and finding the fix. - Extend --conf-dir to allow filtering of files. So - --conf-dir=/etc/dnsmasq.d,\*.conf - will load all the files in /etc/dnsmasq.d which end in .conf - - Fix bug when resulted in NXDOMAIN answers instead of NODATA in - some circumstances. + When assigning existing DHCP leases to interfaces by comparing + networks, handle the case that two or more interfaces have the + same network part, but different prefix lengths (favour the + longer prefix length.) Thanks to Lung-Pin Chang for the + patch. - Fix bug which caused dnsmasq to become unresponsive if it - failed to send packets due to a network interface disappearing. - Thanks to Niels Peen for spotting this. - - Fix problem with --local-service option on big-endian platforms - Thanks to Richard Genoud for the patch. + Add a mode which detects and removes DNS forwarding loops, ie + a query sent to an upstream server returns as a new query to + dnsmasq, and would therefore be forwarded again, resulting in + a query which loops many times before being dropped. Upstream + servers which loop back are disabled and this event is logged. + Thanks to Smoothwall for their sponsorship of this feature. - + Extend --conf-dir to allow filtering of files. So + --conf-dir=/etc/dnsmasq.d,\*.conf + will load all the files in /etc/dnsmasq.d which end in .conf + + Fix bug when resulted in NXDOMAIN answers instead of NODATA in + some circumstances. + + Fix bug which caused dnsmasq to become unresponsive if it + failed to send packets due to a network interface disappearing. + Thanks to Niels Peen for spotting this. + + Fix problem with --local-service option on big-endian platforms + Thanks to Richard Genoud for the patch. + + version 2.71 - Subtle change to error handling to help DNSSEC validation - when servers fail to provide NODATA answers for - non-existent DS records. + Subtle change to error handling to help DNSSEC validation + when servers fail to provide NODATA answers for + non-existent DS records. - Tweak code which removes DNSSEC records from answers when - not required. Fixes broken answers when additional section - has real records in it. Thanks to Marco Davids for the bug - report. + Tweak code which removes DNSSEC records from answers when + not required. Fixes broken answers when additional section + has real records in it. Thanks to Marco Davids for the bug + report. - Fix DNSSEC validation of ANY queries. Thanks to Marco Davids - for spotting that too. + Fix DNSSEC validation of ANY queries. Thanks to Marco Davids + for spotting that too. - Fix total DNS failure and 100% CPU use if cachesize set to zero, - regression introduced in 2.69. Thanks to James Hunt and - the Ubuntu crowd for assistance in fixing this. + Fix total DNS failure and 100% CPU use if cachesize set to zero, + regression introduced in 2.69. Thanks to James Hunt and + the Ubuntu crowd for assistance in fixing this. version 2.70 - Fix crash, introduced in 2.69, on TCP request when dnsmasq - compiled with DNSSEC support, but running without DNSSEC - enabled. Thanks to Manish Sing for spotting that one. + Fix crash, introduced in 2.69, on TCP request when dnsmasq + compiled with DNSSEC support, but running without DNSSEC + enabled. Thanks to Manish Sing for spotting that one. - Fix regression which broke ipset functionality. Thanks to - Wang Jian for the bug report. + Fix regression which broke ipset functionality. Thanks to + Wang Jian for the bug report. version 2.69 - Implement dynamic interface discovery on *BSD. This allows - the contructor: syntax to be used in dhcp-range for DHCPv6 - on the BSD platform. Thanks to Matthias Andree for - valuable research on how to implement this. + Implement dynamic interface discovery on *BSD. This allows + the constructor: syntax to be used in dhcp-range for DHCPv6 + on the BSD platform. Thanks to Matthias Andree for + valuable research on how to implement this. - Fix infinite loop associated with some --bogus-nxdomain - configs. Thanks fogobogo for the bug report. + Fix infinite loop associated with some --bogus-nxdomain + configs. Thanks fogobogo for the bug report. - Fix missing RA RDNS option with configuration like - --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer - for spotting the problem. + Fix missing RA RDNS option with configuration like + --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer + for spotting the problem. - Add [fd00::] and [fe80::] as special addresses in DHCPv6 - options, analogous to [::]. [fd00::] is replaced with the - actual ULA of the interface on the machine running - dnsmasq, [fe80::] with the link-local address. - Thanks to Tsachi Kimeldorfer for championing this. + Add [fd00::] and [fe80::] as special addresses in DHCPv6 + options, analogous to [::]. [fd00::] is replaced with the + actual ULA of the interface on the machine running + dnsmasq, [fe80::] with the link-local address. + Thanks to Tsachi Kimeldorfer for championing this. - DNSSEC validation and caching. Dnsmasq needs to be - compiled with this enabled, with - - make dnsmasq COPTS=-DHAVE_DNSSEC - - this add dependencies on the nettle crypto library and the - gmp maths library. It's possible to have these linked - statically with - - make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC' - - which bloats the dnsmasq binary, but saves the size of - the shared libraries which are much bigger. + DNSSEC validation and caching. Dnsmasq needs to be + compiled with this enabled, with - To enable, DNSSEC, you will need a set of - trust-anchors. Now that the TLDs are signed, this can be - the keys for the root zone, and for convenience they are - included in trust-anchors.conf in the dnsmasq - distribution. You should of course check that these are - legitimate and up-to-date. So, adding - - conf-file=/path/to/trust-anchors.conf - dnssec + make dnsmasq COPTS=-DHAVE_DNSSEC - to your config is all thats needed to get things - working. The upstream nameservers have to be DNSSEC-capable - too, of course. Many ISP nameservers aren't, but the - Google public nameservers (8.8.8.8 and 8.8.4.4) are. - When DNSSEC is configured, dnsmasq validates any queries - for domains which are signed. Query results which are - bogus are replaced with SERVFAIL replies, and results - which are correctly signed have the AD bit set. In - addition, and just as importantly, dnsmasq supplies - correct DNSSEC information to clients which are doing - their own validation, and caches DNSKEY, DS and RRSIG - records, which significantly improve the performance of - downstream validators. Setting --log-queries will show - DNSSEC in action. + this adds dependencies on the nettle crypto library and the + gmp maths library. It's possible to have these linked + statically with - If a domain is returned from an upstream nameserver without - DNSSEC signature, dnsmasq by default trusts this. This - means that for unsigned zone (still the majority) there - is effectively no cost for having DNSSEC enabled. Of course - this allows an attacker to replace a signed record with a - false unsigned record. This is addressed by the - --dnssec-check-unsigned flag, which instructs dnsmasq - to prove that an unsigned record is legitimate, by finding - a secure proof that the zone containing the record is not - signed. Doing this has costs (typically one or two extra - upstream queries). It also has a nasty failure mode if - dnsmasq's upstream nameservers are not DNSSEC capable. - Without --dnssec-check-unsigned using such an upstream - server will simply result in not queries being validated; - with --dnssec-check-unsigned enabled and a - DNSSEC-ignorant upstream server, _all_ queries will fail. + make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC' - Note that DNSSEC requires that the local time is valid and - accurate, if not then DNSSEC validation will fail. NTP - should be running. This presents a problem for routers - without a battery-backed clock. To set the time needs NTP - to do DNS lookups, but lookups will fail until NTP has run. - To address this, there's a flag, --dnssec-no-timecheck - which disables the time checks (only) in DNSSEC. When dnsmasq - is started and the clock is not synced, this flag should - be used. As soon as the clock is synced, SIGHUP dnsmasq. - The SIGHUP clears the cache of partially-validated data and - resets the no-timecheck flag, so that all DNSSEC checks - henceforward will be complete. - - The development of DNSSEC in dnsmasq was started by - Giovanni Bajo, to whom huge thanks are owed. It has been - supported by Comcast, whose techfund grant has allowed for - an invaluable period of full-time work to get it to - a workable state. - - Add --rev-server. Thanks to Dave Taht for suggesting this. - - Add --servers-file. Allows dynamic update of upstream servers - full access to configuration. + which bloats the dnsmasq binary, but saves the size of + the shared libraries which are much bigger. - Add --local-service. Accept DNS queries only from hosts - whose address is on a local subnet, ie a subnet for which - an interface exists on the server. This option - only has effect if there are no --interface --except-interface, - --listen-address or --auth-server options. It is intended - to be set as a default on installation, to allow - unconfigured installations to be useful but also safe from - being used for DNS amplification attacks. + To enable, DNSSEC, you will need a set of + trust-anchors. Now that the TLDs are signed, this can be + the keys for the root zone, and for convenience they are + included in trust-anchors.conf in the dnsmasq + distribution. You should of course check that these are + legitimate and up-to-date. So, adding - Fix crashes in cache_get_cname_target() when dangling CNAMEs - encountered. Thanks to Andy and the rt-n56u project for - find this and helping to chase it down. + conf-file=/path/to/trust-anchors.conf + dnssec - Fix wrong RCODE in authoritative DNS replies to PTR queries. The - correct answer was included, but the RCODE was set to NXDOMAIN. - Thanks to Craig McQueen for spotting this. + to your config is all that's needed to get things + working. The upstream nameservers have to be DNSSEC-capable + too, of course. Many ISP nameservers aren't, but the + Google public nameservers (8.8.8.8 and 8.8.4.4) are. + When DNSSEC is configured, dnsmasq validates any queries + for domains which are signed. Query results which are + bogus are replaced with SERVFAIL replies, and results + which are correctly signed have the AD bit set. In + addition, and just as importantly, dnsmasq supplies + correct DNSSEC information to clients which are doing + their own validation, and caches DNSKEY, DS and RRSIG + records, which significantly improve the performance of + downstream validators. Setting --log-queries will show + DNSSEC in action. - Make statistics available as DNS queries in the .bind TLD as - well as logging them. + If a domain is returned from an upstream nameserver without + DNSSEC signature, dnsmasq by default trusts this. This + means that for unsigned zone (still the majority) there + is effectively no cost for having DNSSEC enabled. Of course + this allows an attacker to replace a signed record with a + false unsigned record. This is addressed by the + --dnssec-check-unsigned flag, which instructs dnsmasq + to prove that an unsigned record is legitimate, by finding + a secure proof that the zone containing the record is not + signed. Doing this has costs (typically one or two extra + upstream queries). It also has a nasty failure mode if + dnsmasq's upstream nameservers are not DNSSEC capable. + Without --dnssec-check-unsigned using such an upstream + server will simply result in not queries being validated; + with --dnssec-check-unsigned enabled and a + DNSSEC-ignorant upstream server, _all_ queries will fail. + Note that DNSSEC requires that the local time is valid and + accurate, if not then DNSSEC validation will fail. NTP + should be running. This presents a problem for routers + without a battery-backed clock. To set the time needs NTP + to do DNS lookups, but lookups will fail until NTP has run. + To address this, there's a flag, --dnssec-no-timecheck + which disables the time checks (only) in DNSSEC. When dnsmasq + is started and the clock is not synced, this flag should + be used. As soon as the clock is synced, SIGHUP dnsmasq. + The SIGHUP clears the cache of partially-validated data and + resets the no-timecheck flag, so that all DNSSEC checks + henceforward will be complete. + The development of DNSSEC in dnsmasq was started by + Giovanni Bajo, to whom huge thanks are owed. It has been + supported by Comcast, whose techfund grant has allowed for + an invaluable period of full-time work to get it to + a workable state. + + Add --rev-server. Thanks to Dave Taht for suggesting this. + + Add --servers-file. Allows dynamic update of upstream servers + full access to configuration. + + Add --local-service. Accept DNS queries only from hosts + whose address is on a local subnet, ie a subnet for which + an interface exists on the server. This option + only has effect if there are no --interface --except-interface, + --listen-address or --auth-server options. It is intended + to be set as a default on installation, to allow + unconfigured installations to be useful but also safe from + being used for DNS amplification attacks. + + Fix crashes in cache_get_cname_target() when dangling CNAMEs + encountered. Thanks to Andy and the rt-n56u project for + find this and helping to chase it down. + + Fix wrong RCODE in authoritative DNS replies to PTR queries. The + correct answer was included, but the RCODE was set to NXDOMAIN. + Thanks to Craig McQueen for spotting this. + + Make statistics available as DNS queries in the .bind TLD as + well as logging them. + + version 2.68 - Use random addresses for DHCPv6 temporary address - allocations, instead of algorithmically determined stable - addresses. + Use random addresses for DHCPv6 temporary address + allocations, instead of algorithmically determined stable + addresses. - Fix bug which meant that the DHCPv6 DUID was not available - in DHCP script runs during the lifetime of the dnsmasq - process which created the DUID de-novo. Once the DUID was - created and stored in the lease file and dnsmasq - restarted, this bug disappeared. + Fix bug which meant that the DHCPv6 DUID was not available + in DHCP script runs during the lifetime of the dnsmasq + process which created the DUID de-novo. Once the DUID was + created and stored in the lease file and dnsmasq + restarted, this bug disappeared. - Fix bug introduced in 2.67 which could result in erroneous - NXDOMAIN returns to CNAME queries. + Fix bug introduced in 2.67 which could result in erroneous + NXDOMAIN returns to CNAME queries. - Fix build failures on MacOS X and openBSD. + Fix build failures on MacOS X and openBSD. - Allow subnet specifications in --auth-zone to be interface - names as well as address literals. This makes it possible - to configure authoritative DNS when local address ranges - are dynamic and works much better than the previous - work-around which exempted contructed DHCP ranges from the - IP address filtering. As a consequence, that work-around - is removed. Under certain circumstances, this change wil - break existing configuration: if you're relying on the - contructed-range exception, you need to change --auth-zone - to specify the same interface as is used to construct your - DHCP ranges, probably with a trailing "/6" like this: - --auth-zone=example.com,eth0/6 to limit the addresses to - IPv6 addresses of eth0. + Allow subnet specifications in --auth-zone to be interface + names as well as address literals. This makes it possible + to configure authoritative DNS when local address ranges + are dynamic and works much better than the previous + work-around which exempted constructed DHCP ranges from the + IP address filtering. As a consequence, that work-around + is removed. Under certain circumstances, this change wil + break existing configuration: if you're relying on the + constructed-range exception, you need to change --auth-zone + to specify the same interface as is used to construct your + DHCP ranges, probably with a trailing "/6" like this: + --auth-zone=example.com,eth0/6 to limit the addresses to + IPv6 addresses of eth0. - Fix problems when advertising deleted IPv6 prefixes. If - the prefix is deleted (rather than replaced), it doesn't - get advertised with zero preferred time. Thanks to Tsachi - for the bug report. + Fix problems when advertising deleted IPv6 prefixes. If + the prefix is deleted (rather than replaced), it doesn't + get advertised with zero preferred time. Thanks to Tsachi + for the bug report. - Fix segfault with some locally configured CNAMEs. Thanks - to Andrew Childs for spotting the problem. + Fix segfault with some locally configured CNAMEs. Thanks + to Andrew Childs for spotting the problem. - Fix memory leak on re-reading /etc/hosts and friends, - introduced in 2.67. + Fix memory leak on re-reading /etc/hosts and friends, + introduced in 2.67. - Check the arrival interface of incoming DNS and TFTP - requests via IPv6, even in --bind-interfaces mode. This - isn't possible for IPv4 and can generate scary warnings, - but as it's always possible for IPv6 (the API always - exists) then we should do it always. - - Tweak the rules on prefix-lengths in --dhcp-range for - IPv6. The new rule is that the specified prefix length - must be larger than or equal to the prefix length of the - corresponding address on the local interface. + Check the arrival interface of incoming DNS and TFTP + requests via IPv6, even in --bind-interfaces mode. This + isn't possible for IPv4 and can generate scary warnings, + but as it's always possible for IPv6 (the API always + exists) then we should do it always. + Tweak the rules on prefix-lengths in --dhcp-range for + IPv6. The new rule is that the specified prefix length + must be larger than or equal to the prefix length of the + corresponding address on the local interface. + version 2.67 - Fix crash if upstream server returns SERVFAIL when - --conntrack in use. Thanks to Giacomo Tazzari for finding - this and supplying the patch. + Fix crash if upstream server returns SERVFAIL when + --conntrack in use. Thanks to Giacomo Tazzari for finding + this and supplying the patch. - Repair regression in 2.64. That release stopped sending - lease-time information in the reply to DHCPINFORM - requests, on the correct grounds that it was a standards - violation. However, this broke the dnsmasq-specific - dhcp_lease_time utility. Now, DHCPINFORM returns - lease-time only if it's specifically requested - (maintaining standards) and the dhcp_lease_time utility - has been taught to ask for it (restoring functionality). + Repair regression in 2.64. That release stopped sending + lease-time information in the reply to DHCPINFORM + requests, on the correct grounds that it was a standards + violation. However, this broke the dnsmasq-specific + dhcp_lease_time utility. Now, DHCPINFORM returns + lease-time only if it's specifically requested + (maintaining standards) and the dhcp_lease_time utility + has been taught to ask for it (restoring functionality). - Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass - to work with BOOTP and well as DHCP. Thanks to Peter - Korsgaard for spotting the problem. + Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass + to work with BOOTP and well as DHCP. Thanks to Peter + Korsgaard for spotting the problem. - Add --synth-domain. Thanks to Vishvananda Ishaya for - suggesting this. + Add --synth-domain. Thanks to Vishvananda Ishaya for + suggesting this. - Fix failure to compile ipset.c if old kernel headers are - in use. Thanks to Eugene Rudoy for pointing this out. + Fix failure to compile ipset.c if old kernel headers are + in use. Thanks to Eugene Rudoy for pointing this out. - Handle IPv4 interface-address labels in Linux. These are - often used to emulate the old IP-alias addresses. Before, - using --interface=eth0 would service all the addresses of - eth0, including ones configured as aliases, which appear - in ifconfig as eth0:0. Now, only addresses with the label - eth0 are active. This is not backwards compatible: if you - want to continue to bind the aliases too, you need to add - eg. --interface=eth0:0 to the config. - - Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket - operation on non-socket" error on startup with - configurations which have exactly one --interface option - and do RA but _not_ DHCPv6. Thanks to Trever Adams for the - bug report. + Handle IPv4 interface-address labels in Linux. These are + often used to emulate the old IP-alias addresses. Before, + using --interface=eth0 would service all the addresses of + eth0, including ones configured as aliases, which appear + in ifconfig as eth0:0. Now, only addresses with the label + eth0 are active. This is not backwards compatible: if you + want to continue to bind the aliases too, you need to add + eg. --interface=eth0:0 to the config. - Generalise --interface-name to cope with IPv6 addresses - and multiple addresses per interface per address family. + Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket + operation on non-socket" error on startup with + configurations which have exactly one --interface option + and do RA but _not_ DHCPv6. Thanks to Trever Adams for the + bug report. - Fix option parsing for --dhcp-host, which was generating a - spurious error when all seven possible items were - included. Thanks to Zhiqiang Wang for the bug report. + Generalise --interface-name to cope with IPv6 addresses + and multiple addresses per interface per address family. - Remove restriction on prefix-length in --auth-zone. Thanks - to Toke Hoiland-Jorgensen for suggesting this. + Fix option parsing for --dhcp-host, which was generating a + spurious error when all seven possible items were + included. Thanks to Zhiqiang Wang for the bug report. - Log when the maximum number of concurrent DNS queries is - reached. Thanks to Marcelo Salhab Brogliato for the patch. + Remove restriction on prefix-length in --auth-zone. Thanks + to Toke Hoiland-Jorgensen for suggesting this. - If wildcards are used in --interface, don't assume that - there will only ever be one available interface for DHCP - just because there is one at start-up. More may appear, so - we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug - report. + Log when the maximum number of concurrent DNS queries is + reached. Thanks to Marcelo Salhab Brogliato for the patch. - Increase timeout/number of retries in TFTP to accomodate - AudioCodes Voice Gateways doing streaming writes to flash. - Thanks to Damian Kaczkowski for spotting the problem. + If wildcards are used in --interface, don't assume that + there will only ever be one available interface for DHCP + just because there is one at start-up. More may appear, so + we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug + report. - Fix crash with empty DHCP string options when adding zero - terminator. Thanks to Patrick McLean for the bug report. + Increase timeout/number of retries in TFTP to accommodate + AudioCodes Voice Gateways doing streaming writes to flash. + Thanks to Damian Kaczkowski for spotting the problem. - Allow hostnames to start with a number, as allowed in - RFC-1123. Thanks to Kyle Mestery for the patch. + Fix crash with empty DHCP string options when adding zero + terminator. Thanks to Patrick McLean for the bug report. - Fixes to DHCP FQDN option handling: don't terminate FQDN - if domain not known and allow a FQDN option with blank - name to request that a FQDN option is returned in the - reply. Thanks to Roy Marples for the patch. + Allow hostnames to start with a number, as allowed in + RFC-1123. Thanks to Kyle Mestery for the patch. - Make --clear-on-reload apply to setting upstream servers - via DBus too. + Fixes to DHCP FQDN option handling: don't terminate FQDN + if domain not known and allow a FQDN option with blank + name to request that a FQDN option is returned in the + reply. Thanks to Roy Marples for the patch. - When the address which triggered the construction of an - advertised IPv6 prefix disappears, continue to advertise - the prefix for up to 2 hours, with the preferred lifetime - set to zero. This satisfies RFC 6204 4.3 L-13 and makes - things work better if a prefix disappears without being - deprecated first. Thanks to Uwe Schindler for persuasively - arguing for this. + Make --clear-on-reload apply to setting upstream servers + via DBus too. - Fix MAC address enumeration on *BSD. Thanks to Brad Smith - for the bug report. + When the address which triggered the construction of an + advertised IPv6 prefix disappears, continue to advertise + the prefix for up to 2 hours, with the preferred lifetime + set to zero. This satisfies RFC 6204 4.3 L-13 and makes + things work better if a prefix disappears without being + deprecated first. Thanks to Uwe Schindler for persuasively + arguing for this. - Support RFC-4242 information-refresh-time options in the - reply to DHCPv6 information-request. The lease time of the - smallest valid dhcp-range is sent. Thanks to Uwe Schindler - for suggesting this. + Fix MAC address enumeration on *BSD. Thanks to Brad Smith + for the bug report. - Make --listen-address higher priority than --except-interface - in all circumstances. Thanks to Thomas Hood for the bugreport. + Support RFC-4242 information-refresh-time options in the + reply to DHCPv6 information-request. The lease time of the + smallest valid dhcp-range is sent. Thanks to Uwe Schindler + for suggesting this. - Provide independent control over which interfaces get TFTP - service. If enable-tftp is given a list of interfaces, then TFTP - is provided on those. Without the list, the previous behaviour - (provide TFTP to the same interfaces we provide DHCP to) - is retained. Thanks to Lonnie Abelbeck for the suggestion. + Make --listen-address higher priority than --except-interface + in all circumstances. Thanks to Thomas Hood for the bugreport. - Add --dhcp-relay config option. Many thanks to vtsl.net - for sponsoring this development. + Provide independent control over which interfaces get TFTP + service. If enable-tftp is given a list of interfaces, then TFTP + is provided on those. Without the list, the previous behaviour + (provide TFTP to the same interfaces we provide DHCP to) + is retained. Thanks to Lonnie Abelbeck for the suggestion. - Fix crash with empty tag: in --dhcp-range. Thanks to - Kaspar Schleiser for the bug report. + Add --dhcp-relay config option. Many thanks to vtsl.net + for sponsoring this development. - Add "baseline" and "bloatcheck" makefile targets, for - revealing size changes during development. Thanks to - Vladislav Grishenko for the patch. + Fix crash with empty tag: in --dhcp-range. Thanks to + Kaspar Schleiser for the bug report. - Cope with DHCPv6 clients which send REQUESTs without - address options - treat them as SOLICIT with rapid commit. + Add "baseline" and "bloatcheck" makefile targets, for + revealing size changes during development. Thanks to + Vladislav Grishenko for the patch. - Support identification of clients by MAC address in - DHCPv6. When using a relay, the relay must support RFC - 6939 for this to work. It always works for directly - connected clients. Thanks to Vladislav Grishenko - for prompting this feature. - - Remove the rule for constructed DHCP ranges that the local - address must be either the first or last address in the - range. This was originally to avoid SLAAC addresses, but - we now explicitly autoconfig and privacy addresses instead. + Cope with DHCPv6 clients which send REQUESTs without + address options - treat them as SOLICIT with rapid commit. - Update Polish translation. Thanks to Jan Psota. + Support identification of clients by MAC address in + DHCPv6. When using a relay, the relay must support RFC + 6939 for this to work. It always works for directly + connected clients. Thanks to Vladislav Grishenko + for prompting this feature. - Fix problem in DHCPv6 vendorclass/userclass matching - code. Thanks to Tanguy Bouzeloc for the patch. + Remove the rule for constructed DHCP ranges that the local + address must be either the first or last address in the + range. This was originally to avoid SLAAC addresses, but + we now explicitly autoconfig and privacy addresses instead. - Update Spanish transalation. Thanks to Vicente Soriano. + Update Polish translation. Thanks to Jan Psota. - Add --ra-param option. Thanks to Vladislav Grishenko for - inspiration on this. + Fix problem in DHCPv6 vendorclass/userclass matching + code. Thanks to Tanguy Bouzeloc for the patch. - Add --add-subnet configuration, to tell upstream DNS - servers where the original client is. Thanks to DNSthingy - for sponsoring this feature. + Update Spanish translation. Thanks to Vicente Soriano. - Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to - Kevin Darbyshire-Bryant for the initial patch. + Add --ra-param option. Thanks to Vladislav Grishenko for + inspiration on this. - Allow A/AAAA records created by --interface-name to be the - target of --cname. Thanks to Hadmut Danisch for the - suggestion. + Add --add-subnet configuration, to tell upstream DNS + servers where the original client is. Thanks to DNSthingy + for sponsoring this feature. - Avoid treating a --dhcp-host which has an IPv6 address - as eligable for use with DHCPv4 on the grounds that it has - no address, and vice-versa. Thanks to Yury Konovalov for - spotting the problem. + Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to + Kevin Darbyshire-Bryant for the initial patch. - Do a better job caching dangling CNAMEs. Thanks to Yves - Dorfsman for spotting the problem. + Allow A/AAAA records created by --interface-name to be the + target of --cname. Thanks to Hadmut Danisch for the + suggestion. - + Avoid treating a --dhcp-host which has an IPv6 address + as eligible for use with DHCPv4 on the grounds that it has + no address, and vice-versa. Thanks to Yury Konovalov for + spotting the problem. + + Do a better job caching dangling CNAMEs. Thanks to Yves + Dorfsman for spotting the problem. + + version 2.66 - Add the ability to act as an authoritative DNS - server. Dnsmasq can now answer queries from the wider 'net - with local data, as long as the correct NS records are set - up. Only local data is provided, to avoid creating an open - DNS relay. Zone transfer is supported, to allow secondary - servers to be configured. + Add the ability to act as an authoritative DNS + server. Dnsmasq can now answer queries from the wider 'net + with local data, as long as the correct NS records are set + up. Only local data is provided, to avoid creating an open + DNS relay. Zone transfer is supported, to allow secondary + servers to be configured. - Add "constructed DHCP ranges" for DHCPv6. This is intended - for IPv6 routers which get prefixes dynamically via prefix - delegation. With suitable configuration, stateful DHCPv6 - and RA can happen automatically as prefixes are delegated - and then deprecated, without having to re-write the - dnsmasq configuration file or restart the daemon. Thanks to - Steven Barth for extensive testing and development work on - this idea. + Add "constructed DHCP ranges" for DHCPv6. This is intended + for IPv6 routers which get prefixes dynamically via prefix + delegation. With suitable configuration, stateful DHCPv6 + and RA can happen automatically as prefixes are delegated + and then deprecated, without having to re-write the + dnsmasq configuration file or restart the daemon. Thanks to + Steven Barth for extensive testing and development work on + this idea. - Fix crash on startup on Solaris 11. Regression probably - introduced in 2.61. Thanks to Geoff Johnstone for the - patch. + Fix crash on startup on Solaris 11. Regression probably + introduced in 2.61. Thanks to Geoff Johnstone for the + patch. - Add code to make behaviour for TCP DNS requests that same - as for UDP requests, when a request arrives for an allowed - address, but via a banned interface. This change is only - active on Linux, since the relevant API is missing (AFAIK) - on other platforms. Many thanks to Tomas Hozza for - spotting the problem, and doing invaluable discovery of - the obscure and undocumented API required for the solution. + Add code to make behaviour for TCP DNS requests that same + as for UDP requests, when a request arrives for an allowed + address, but via a banned interface. This change is only + active on Linux, since the relevant API is missing (AFAIK) + on other platforms. Many thanks to Tomas Hozza for + spotting the problem, and doing invaluable discovery of + the obscure and undocumented API required for the solution. - Don't send the default DHCP option advertising dnsmasq as - the local DNS server if dnsmasq is configured to not act - as DNS server, or it's configured to a non-standard port. - - Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBCRIBER_ID, - DNSMASQ_REMOTE_ID variables to the environment of the - lease-change script (and the corresponding Lua). These hold - information inserted into the DHCP request by a DHCP relay - agent. Thanks to Lakefield Communications for providing a - bounty for this addition. - - Fixed crash, introduced in 2.64, whilst handling DHCPv6 - information-requests with some common configurations. - Thanks to Robert M. Albrecht for the bug report and - chasing the problem. + Don't send the default DHCP option advertising dnsmasq as + the local DNS server if dnsmasq is configured to not act + as DNS server, or it's configured to a non-standard port. - Add --ipset option. Thanks to Jason A. Donenfeld for the - patch. + Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID, + DNSMASQ_REMOTE_ID variables to the environment of the + lease-change script (and the corresponding Lua). These hold + information inserted into the DHCP request by a DHCP relay + agent. Thanks to Lakefield Communications for providing a + bounty for this addition. - Don't erroneously reject some option names in --dhcp-match - options. Thanks to Benedikt Hochstrasser for the bug report. - - Allow a trailing '*' wildcard in all interface-name - configurations. Thanks to Christian Parpart for the patch. + Fixed crash, introduced in 2.64, whilst handling DHCPv6 + information-requests with some common configurations. + Thanks to Robert M. Albrecht for the bug report and + chasing the problem. - Handle the situation where libc headers define - SO_REUSEPORT, but the kernel in use doesn't, to cope with - the introduction of this option to Linux. Thanks to Rich - Felker for the bug report. + Add --ipset option. Thanks to Jason A. Donenfeld for the + patch. - Update Polish translation. Thanks to Jan Psota. + Don't erroneously reject some option names in --dhcp-match + options. Thanks to Benedikt Hochstrasser for the bug report. - Fix crash if the configured DHCP lease limit is - reached. Regression occurred in 2.61. Thanks to Tsachi for - the bug report. - - Update the French translation. Thanks to Gildas le Nadan. + Allow a trailing '*' wildcard in all interface-name + configurations. Thanks to Christian Parpart for the patch. - + Handle the situation where libc headers define + SO_REUSEPORT, but the kernel in use doesn't, to cope with + the introduction of this option to Linux. Thanks to Rich + Felker for the bug report. + + Update Polish translation. Thanks to Jan Psota. + + Fix crash if the configured DHCP lease limit is + reached. Regression occurred in 2.61. Thanks to Tsachi for + the bug report. + + Update the French translation. Thanks to Gildas le Nadan. + + version 2.65 - Fix regression which broke forwarding of queries sent via - TCP which are not for A and AAAA and which were directed to - non-default servers. Thanks to Niax for the bug report. + Fix regression which broke forwarding of queries sent via + TCP which are not for A and AAAA and which were directed to + non-default servers. Thanks to Niax for the bug report. - Fix failure to build with DHCP support excluded. Thanks to - Gustavo Zacarias for the patch. - - Fix nasty regression in 2.64 which completely broke cacheing. + Fix failure to build with DHCP support excluded. Thanks to + Gustavo Zacarias for the patch. + Fix nasty regression in 2.64 which completely broke caching. + version 2.64 - Handle DHCP FQDN options with all flag bits zero and - --dhcp-client-update set. Thanks to Bernd Krumbroeck for - spotting the problem. + Handle DHCP FQDN options with all flag bits zero and + --dhcp-client-update set. Thanks to Bernd Krumbroeck for + spotting the problem. - Finesse the check for /etc/hosts names which conflict with - DHCP names. Previously a name/address pair in /etc/hosts - which didn't match the name/address of a DHCP lease would - generate a warning. Now that only happesn if there is not - also a match. This allows multiple addresses for a name in - /etc/hosts with one of them assigned via DHCP. + Finesse the check for /etc/hosts names which conflict with + DHCP names. Previously a name/address pair in /etc/hosts + which didn't match the name/address of a DHCP lease would + generate a warning. Now that only happens if there is not + also a match. This allows multiple addresses for a name in + /etc/hosts with one of them assigned via DHCP. - Fix broken vendor-option processing for BOOTP. Thanks to - Hans-Joachim Baader for the bug report. + Fix broken vendor-option processing for BOOTP. Thanks to + Hans-Joachim Baader for the bug report. - Don't report spurious netlink errors, regression in - 2.63. Thanks to Vladislav Grishenko for the patch. + Don't report spurious netlink errors, regression in + 2.63. Thanks to Vladislav Grishenko for the patch. - Flag DHCP or DHCPv6 in starup logging. Thanks to - Vladislav Grishenko for the patch. + Flag DHCP or DHCPv6 in startup logging. Thanks to + Vladislav Grishenko for the patch. - Add SetServersEx method in DBus interface. Thanks to Dan - Williams for the patch. + Add SetServersEx method in DBus interface. Thanks to Dan + Williams for the patch. - Add SetDomainServers method in DBus interface. Thanks to - Roy Marples for the patch. + Add SetDomainServers method in DBus interface. Thanks to + Roy Marples for the patch. - Fix build with later Lua libraries. Thansk to Cristian - Rodriguez for the patch. + Fix build with later Lua libraries. Thanks to Cristian + Rodriguez for the patch. - Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker - for the patch. + Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker + for the patch. - Fix breakage of --host-record parsing, resulting in - infinte loop at startup. Regression in 2.63. Thanks to - Haim Gelfenbeyn for spotting this. + Fix breakage of --host-record parsing, resulting in + infinite loop at startup. Regression in 2.63. Thanks to + Haim Gelfenbeyn for spotting this. - Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6 - socket, this allows multiple instances of dnsmasq on a - single machine, in the same way as for DHCPv4. Thanks to - Gene Czarcinski and Vladislav Grishenko for work on this. + Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6 + socket, this allows multiple instances of dnsmasq on a + single machine, in the same way as for DHCPv4. Thanks to + Gene Czarcinski and Vladislav Grishenko for work on this. - Fix DHCPv6 to do access control correctly when it's - configured with --listen-address. Thanks to - Gene Czarcinski for sorting this out. + Fix DHCPv6 to do access control correctly when it's + configured with --listen-address. Thanks to + Gene Czarcinski for sorting this out. - Add a "wildcard" dhcp-range which works for any IPv6 - subnet, --dhcp-range=::,static Useful for Stateless - DHCPv6. Thanks to Vladislav Grishenko for the patch. + Add a "wildcard" dhcp-range which works for any IPv6 + subnet, --dhcp-range=::,static Useful for Stateless + DHCPv6. Thanks to Vladislav Grishenko for the patch. - Don't include lease-time in DHCPACK replies to DHCPINFORM - queries, since RFC-2131 says we shouldn't. Thanks to - Wouter Ibens for pointing this out. + Don't include lease-time in DHCPACK replies to DHCPINFORM + queries, since RFC-2131 says we shouldn't. Thanks to + Wouter Ibens for pointing this out. - Makefile tweak to do dependency checking on header files. - Thanks to Johan Peeters for the patch. + Makefile tweak to do dependency checking on header files. + Thanks to Johan Peeters for the patch. - Check interface for outgoing unsolicited router - advertisements, rather than relying on interface address - configuration. Thanks to Gene Czarinski for the patch. + Check interface for outgoing unsolicited router + advertisements, rather than relying on interface address + configuration. Thanks to Gene Czarinski for the patch. - Handle better attempts to transmit on interfaces which are - still doing DAD, and specifically do not just transmit - without setting source address and interface, since this - can cause very puzzling effects when a router - advertisement goes astray. Thanks again to Gene Czarinski. + Handle better attempts to transmit on interfaces which are + still doing DAD, and specifically do not just transmit + without setting source address and interface, since this + can cause very puzzling effects when a router + advertisement goes astray. Thanks again to Gene Czarinski. - Get RA timers right when there is more than one - dhcp-range on a subnet. - + Get RA timers right when there is more than one + dhcp-range on a subnet. + version 2.63 - Do duplicate dhcp-host address check in --test mode. + Do duplicate dhcp-host address check in --test mode. - Check that tftp-root directories are accessible before - start-up. Thanks to Daniel Veillard for the initial patch. + Check that tftp-root directories are accessible before + start-up. Thanks to Daniel Veillard for the initial patch. - Allow more than one --tfp-root flag. The per-interface - stuff is pointless without that. + Allow more than one --tfp-root flag. The per-interface + stuff is pointless without that. - Add --bind-dynamic. A hybrid mode between the default and - --bind-interfaces which copes with dynamically created - interfaces. - - A couple of fixes to the build system for Android. Thanks - to Metin Kaya for the patches. + Add --bind-dynamic. A hybrid mode between the default and + --bind-interfaces which copes with dynamically created + interfaces. - Remove the interface: argument in --dhcp-range, and - the interface argument to --enable-tftp. These were a - still-born attempt to allow automatic isolated - configuration by libvirt, but have never (to my knowledge) - been used, had very strange semantics, and have been - superceded by other mechanisms. + A couple of fixes to the build system for Android. Thanks + to Metin Kaya for the patches. - Fixed bug logging filenames when duplicate dhcp-host - addresses are found. Thanks to John Hanks for the patch. + Remove the interface: argument in --dhcp-range, and + the interface argument to --enable-tftp. These were a + still-born attempt to allow automatic isolated + configuration by libvirt, but have never (to my knowledge) + been used, had very strange semantics, and have been + superseded by other mechanisms. - Fix regression in 2.61 which broke caching of CNAME - chains. Thanks to Atul Gupta for the bug report. + Fixed bug logging filenames when duplicate dhcp-host + addresses are found. Thanks to John Hanks for the patch. - Allow the target of a --cname flag to be another --cname. + Fix regression in 2.61 which broke caching of CNAME + chains. Thanks to Atul Gupta for the bug report. - Teach DHCPv6 about the RFC 4242 information-refresh-time - option, and add parsing if the minutes, hours and days - format for options. Thanks to Francois-Xavier Le Bail for - the suggestion. + Allow the target of a --cname flag to be another --cname. - Allow "w" (for week) as multiplier in lease times, as well - as seconds, minutes, hours and days. Álvaro Gámez Machado - spotted the ommission. - - Update French translation. Thanks to Gildas Le Nadan. + Teach DHCPv6 about the RFC 4242 information-refresh-time + option, and add parsing if the minutes, hours and days + format for options. Thanks to Francois-Xavier Le Bail for + the suggestion. - Allow a DBus service name to be given with --enable-dbus - which overrides the default, - uk.org.thekelleys.dnsmasq. Thanks to Mathieu - Trudel-Lapierre for the patch. + Allow "w" (for week) as multiplier in lease times, as well + as seconds, minutes, hours and days. Álvaro Gámez Machado + spotted the omission. - Set the "prefix on-link" bit in Router - Advertisements. Thanks to Gui Iribarren for the patch. + Update French translation. Thanks to Gildas Le Nadan. + Allow a DBus service name to be given with --enable-dbus + which overrides the default, + uk.org.thekelleys.dnsmasq. Thanks to Mathieu + Trudel-Lapierre for the patch. + Set the "prefix on-link" bit in Router + Advertisements. Thanks to Gui Iribarren for the patch. + + version 2.62 - Update German translation. Thanks to Conrad Kostecki. + Update German translation. Thanks to Conrad Kostecki. - Cope with router-solict packets wich don't have a valid - source address. Thanks to Vladislav Grishenko for the patch. + Cope with router-solict packets which don't have a valid + source address. Thanks to Vladislav Grishenko for the patch. - Fixed bug which caused missing periodic router - advertisements with some configurations. Thanks to - Vladislav Grishenko for the patch. + Fixed bug which caused missing periodic router + advertisements with some configurations. Thanks to + Vladislav Grishenko for the patch. - Fixed bug which broke DHCPv6/RA with prefix lengths - which are not divisible by 8. Thanks to Andre Coetzee - for spotting this. + Fixed bug which broke DHCPv6/RA with prefix lengths + which are not divisible by 8. Thanks to Andre Coetzee + for spotting this. - Fix non-response to router-solicitations when - router-advertisement configured, but DHCPv6 not - configured. Thanks to Marien Zwart for the patch. + Fix non-response to router-solicitations when + router-advertisement configured, but DHCPv6 not + configured. Thanks to Marien Zwart for the patch. - Add --dns-rr, to allow arbitrary DNS resource records. + Add --dns-rr, to allow arbitrary DNS resource records. - Fixed bug which broke RA scheduling when an interface had - two addresses in the same network. Thanks to Jim Bos for - his help nailing this. + Fixed bug which broke RA scheduling when an interface had + two addresses in the same network. Thanks to Jim Bos for + his help nailing this. version 2.61 - Re-write interface discovery code on *BSD to use - getifaddrs. This is more portable, more straightforward, - and allows us to find the prefix length for IPv6 - addresses. + Re-write interface discovery code on *BSD to use + getifaddrs. This is more portable, more straightforward, + and allows us to find the prefix length for IPv6 + addresses. - Add ra-names, ra-stateless and slaac keywords for DHCPv6. - Dnsmasq can now synthesise AAAA records for dual-stack - hosts which get IPv6 addresses via SLAAC. It is also now - possible to use SLAAC and stateless DHCPv6, and to - tell clients to use SLAAC addresses as well as DHCP ones. - Thanks to Dave Taht for help with this. + Add ra-names, ra-stateless and slaac keywords for DHCPv6. + Dnsmasq can now synthesise AAAA records for dual-stack + hosts which get IPv6 addresses via SLAAC. It is also now + possible to use SLAAC and stateless DHCPv6, and to + tell clients to use SLAAC addresses as well as DHCP ones. + Thanks to Dave Taht for help with this. - Add --dhcp-duid to allow DUID-EN uids to be used. + Add --dhcp-duid to allow DUID-EN uids to be used. - Explicity send DHCPv6 replies to the correct port, instead - of relying on clients to send requests with the correct - source address, since at least one client in the wild gets - this wrong. Thanks to Conrad Kostecki for help tracking - this down. + Explicitly send DHCPv6 replies to the correct port, instead + of relying on clients to send requests with the correct + source address, since at least one client in the wild gets + this wrong. Thanks to Conrad Kostecki for help tracking + this down. - Send a preference value of 255 in DHCPv6 replies when - --dhcp-authoritative is in effect. This tells clients not - to wait around for other DHCP servers. + Send a preference value of 255 in DHCPv6 replies when + --dhcp-authoritative is in effect. This tells clients not + to wait around for other DHCP servers. - Better logging of DHCPv6 options. + Better logging of DHCPv6 options. - Add --host-record. Thanks to Rob Zwissler for the - suggestion. + Add --host-record. Thanks to Rob Zwissler for the + suggestion. - Invoke the DHCP script with action "tftp" when a TFTP file - transfer completes. The size of the file, address to which - it was sent and complete pathname are supplied. Note that - version 2.60 introduced some script incompatibilties - associated with DHCPv6, and this is a further change. To - be safe, scripts should ignore unknown actions, and if - not IPv6-aware, should exit if the environment - variable DNSMASQ_IAID is set. The use-case for this is - to track netboot/install. Suggestion from Shantanu - Gadgil. + Invoke the DHCP script with action "tftp" when a TFTP file + transfer completes. The size of the file, address to which + it was sent and complete pathname are supplied. Note that + version 2.60 introduced some script incompatibilities + associated with DHCPv6, and this is a further change. To + be safe, scripts should ignore unknown actions, and if + not IPv6-aware, should exit if the environment + variable DNSMASQ_IAID is set. The use-case for this is + to track netboot/install. Suggestion from Shantanu + Gadgil. - Update contrib/port-forward/dnsmasq-portforward to reflect - the above. + Update contrib/port-forward/dnsmasq-portforward to reflect + the above. - Set the environment variable DNSMASQ_LOG_DHCP when running - the script id --log-dhcp is in effect, so that script can - taylor their logging verbosity. Suggestion from Malte - Forkel. - - Arrange that addresses specified with --listen-address - work even if there is no interface carrying the - address. This is chiefly useful for IPv4 loopback - addresses, where any address in 127.0.0.0/8 is a valid - loopback address, but normally only 127.0.0.1 appears on - the lo interface. Thanks to Mathieu Trudel-Lapierre for - the idea and initial patch. + Set the environment variable DNSMASQ_LOG_DHCP when running + the script id --log-dhcp is in effect, so that script can + taylor their logging verbosity. Suggestion from Malte + Forkel. - Fix crash, introduced in 2.60, when a DHCPINFORM is - received from a network which has no valid dhcp-range. - Thanks to Stephane Glondu for the bug report. + Arrange that addresses specified with --listen-address + work even if there is no interface carrying the + address. This is chiefly useful for IPv4 loopback + addresses, where any address in 127.0.0.0/8 is a valid + loopback address, but normally only 127.0.0.1 appears on + the lo interface. Thanks to Mathieu Trudel-Lapierre for + the idea and initial patch. - Add a new DHCP lease time keyword, "deprecated" for - --dhcp-range. This is only valid for IPv6, and sets the - preffered lease time for both DHCP and RA to zero. The - effect is that clients can continue to use the address - for existing connections, but new connections will use - other addresses, if they exist. This makes hitless - renumbering at least possible. + Fix crash, introduced in 2.60, when a DHCPINFORM is + received from a network which has no valid dhcp-range. + Thanks to Stephane Glondu for the bug report. - Fix bug in address6_available() which caused DHCPv6 lease - aquisition to fail if more than one dhcp-range in use. + Add a new DHCP lease time keyword, "deprecated" for + --dhcp-range. This is only valid for IPv6, and sets the + preferred lease time for both DHCP and RA to zero. The + effect is that clients can continue to use the address + for existing connections, but new connections will use + other addresses, if they exist. This makes hitless + renumbering at least possible. - Provide RDNSS and DNSSL data in router advertisements, - using the settings provided for DHCP options - option6:domain-search and option6:dns-server. + Fix bug in address6_available() which caused DHCPv6 lease + acquisition to fail if more than one dhcp-range in use. - Tweak logo/favicon.ico to add some transparency. Thanks to - SamLT for work on this. - - Don't cache data from non-recursive nameservers, since it - may erroneously look like a valid CNAME to a non-exitant - name. Thanks to Ben Winslow for finding this. + Provide RDNSS and DNSSL data in router advertisements, + using the settings provided for DHCP options + option6:domain-search and option6:dns-server. - Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP - on exactly one interface and --bind-interfaces is set. This - makes the OpenStack use-case of one dnsmasq per virtual - interface work. This is only available on Linux; it's not - supported on other platforms. Thanks to Vishvananda Ishaya - and the OpenStack team for the suggestion. + Tweak logo/favicon.ico to add some transparency. Thanks to + SamLT for work on this. - Updated French translation. Thanks to Gildas Le Nadan. + Don't cache data from non-recursive nameservers, since it + may erroneously look like a valid CNAME to a non-existent + name. Thanks to Ben Winslow for finding this. - Give correct from-cache answers to explict CNAME queries. - Thanks to Rob Zwissler for spotting this. - - Add --tftp-lowercase option. Thanks to Oliver Rath for the - patch. + Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP + on exactly one interface and --bind-interfaces is set. This + makes the OpenStack use-case of one dnsmasq per virtual + interface work. This is only available on Linux; it's not + supported on other platforms. Thanks to Vishvananda Ishaya + and the OpenStack team for the suggestion. - Ensure that the DBus DhcpLeaseUpdated events are generated - when a lease goes through INIT_REBOOT state, even if the - dhcp-script is not in use. Thanks to Antoaneta-Ecaterina - Ene for the patch. + Updated French translation. Thanks to Gildas Le Nadan. - Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks - to Brad Smith for spotting this. - + Give correct from-cache answers to explicit CNAME queries. + Thanks to Rob Zwissler for spotting this. + Add --tftp-lowercase option. Thanks to Oliver Rath for the + patch. + + Ensure that the DBus DhcpLeaseUpdated events are generated + when a lease goes through INIT_REBOOT state, even if the + dhcp-script is not in use. Thanks to Antoaneta-Ecaterina + Ene for the patch. + + Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks + to Brad Smith for spotting this. + + version 2.60 - Fix compilation problem in Mac OS X Lion. Thanks to Olaf - Flebbe for the patch. + Fix compilation problem in Mac OS X Lion. Thanks to Olaf + Flebbe for the patch. - Fix DHCP when using --listen-address with an IP address - which is not the primary address of an interface. + Fix DHCP when using --listen-address with an IP address + which is not the primary address of an interface. - Add --dhcp-client-update option. + Add --dhcp-client-update option. - Add Lua integration. Dnsmasq can now execute a DHCP - lease-change script written in Lua. This needs to be - enabled at compile time by setting HAVE_LUASCRIPT in - src/config.h or running "make COPTS=-DHAVE_LUASCRIPT" - Thanks to Jan-Piet Mens for the idea and proof-of-concept - implementation. - - Tidied src/config.h to distinguish between - platform-dependent compile-time options which are selected - automatically, and builder-selectable compile time - options. Document the latter better, and describe how to - set them from the make command line. + Add Lua integration. Dnsmasq can now execute a DHCP + lease-change script written in Lua. This needs to be + enabled at compile time by setting HAVE_LUASCRIPT in + src/config.h or running "make COPTS=-DHAVE_LUASCRIPT" + Thanks to Jan-Piet Mens for the idea and proof-of-concept + implementation. - Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent) - confusion. IPPROTO_IP works everywhere now. - - Set TOS on DHCP sockets, this improves things on busy - wireless networks. Thanks to Dave Taht for the patch. + Tidied src/config.h to distinguish between + platform-dependent compile-time options which are selected + automatically, and builder-selectable compile time + options. Document the latter better, and describe how to + set them from the make command line. - Determine VERSION automatically based on git magic: - release tags or hash values. + Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent) + confusion. IPPROTO_IP works everywhere now. - Improve start-up speed when reading large hosts files - containing many distinct addresses. + Set TOS on DHCP sockets, this improves things on busy + wireless networks. Thanks to Dave Taht for the patch. - Fix problem if dnsmasq is started without the stdin, - stdout and stderr file descriptors open. This can manifest - itself as 100% CPU use. Thanks to Chris Moore for finding - this. + Determine VERSION automatically based on git magic: + release tags or hash values. - Fix shell-scripting bug in bld/pkg-wrapper. Thanks to - Mark Mitchell for the patch. + Improve start-up speed when reading large hosts files + containing many distinct addresses. - Allow the TFP server or boot server in --pxe-service, to - be a domain name instead of an IP address. This allows for - round-robin to multiple servers, in the same way as - --dhcp-boot. A good suggestion from Cristiano Cumer. + Fix problem if dnsmasq is started without the stdin, + stdout and stderr file descriptors open. This can manifest + itself as 100% CPU use. Thanks to Chris Moore for finding + this. - Support BUILDDIR variable in the Makefile. Allows builds - for multiple archs from the same source tree with eg. - make BUILDDIR=linux (relative to dnsmasq tree) - make BUILDDIR=/tmp/openbsd (absolute path) - If BUILDDIR is not set, compilation happens in the src - directory, as before. Suggestion from Mark Mitchell. + Fix shell-scripting bug in bld/pkg-wrapper. Thanks to + Mark Mitchell for the patch. - Support DHCPv6. Support is there for the sort of things - the existing v4 server does, including tags, options, - static addresses and relay support. Missing is prefix - delegation, which is probably not required in the dnsmasq - niche, and an easy way to accept prefix delegations from - an upstream DHCPv6 server, which is. Future plans include - support for DHCPv6 router option and MAC address option - (to make selecting clients by MAC address work like IPv4). - These will be added as the standards mature. - This code has been tested, but this is the first release, - so don't bet the farm on it just yet. Many thanks to all - testers who have got it this far. + Allow the TFP server or boot server in --pxe-service, to + be a domain name instead of an IP address. This allows for + round-robin to multiple servers, in the same way as + --dhcp-boot. A good suggestion from Cristiano Cumer. - Support IPv6 router advertisements. This is a - simple-minded implementation, aimed at providing the - vestigial RA needed to go alongside IPv6. Is picks up - configuration from the DHCPv6 conf, and should just need - enabling with --enable-ra. + Support BUILDDIR variable in the Makefile. Allows builds + for multiple archs from the same source tree with eg. + make BUILDDIR=linux (relative to dnsmasq tree) + make BUILDDIR=/tmp/openbsd (absolute path) + If BUILDDIR is not set, compilation happens in the src + directory, as before. Suggestion from Mark Mitchell. - Fix long-standing wrinkle with --localise-queries that - could result in wrong answers when DNS packets arrive - via an interface other than the expected one. Thanks to - Lorenzo Milesi and John Hanks for spotting this one. - - Update French translation. Thanks to Gildas Le Nadan. + Support DHCPv6. Support is there for the sort of things + the existing v4 server does, including tags, options, + static addresses and relay support. Missing is prefix + delegation, which is probably not required in the dnsmasq + niche, and an easy way to accept prefix delegations from + an upstream DHCPv6 server, which is. Future plans include + support for DHCPv6 router option and MAC address option + (to make selecting clients by MAC address work like IPv4). + These will be added as the standards mature. + This code has been tested, but this is the first release, + so don't bet the farm on it just yet. Many thanks to all + testers who have got it this far. - Update Polish translation. Thanks to Jan Psota. + Support IPv6 router advertisements. This is a + simple-minded implementation, aimed at providing the + vestigial RA needed to go alongside IPv6. Is picks up + configuration from the DHCPv6 conf, and should just need + enabling with --enable-ra. + Fix long-standing wrinkle with --localise-queries that + could result in wrong answers when DNS packets arrive + via an interface other than the expected one. Thanks to + Lorenzo Milesi and John Hanks for spotting this one. + Update French translation. Thanks to Gildas Le Nadan. + + Update Polish translation. Thanks to Jan Psota. + + version 2.59 - Fix regression in 2.58 which caused failure to start up - with some combinations of dnsmasq config and IPv6 kernel - network config. Thanks to Brielle Bruns for the bug - report. + Fix regression in 2.58 which caused failure to start up + with some combinations of dnsmasq config and IPv6 kernel + network config. Thanks to Brielle Bruns for the bug + report. - Improve dnsmasq's behaviour when network interfaces are - still doing duplicate address detection (DAD). Previously, - dnsmasq would wait up to 20 seconds at start-up for the - DAD state to terminate. This is broken for bridge - interfaces on recent Linux kernels, which don't start DAD - until the bridge comes up, and so can take arbitrary - time. The new behaviour lets dnsmasq poll for an arbitrary - time whilst providing service on other interfaces. Thanks - to Stephen Hemminger for pointing out the problem. + Improve dnsmasq's behaviour when network interfaces are + still doing duplicate address detection (DAD). Previously, + dnsmasq would wait up to 20 seconds at start-up for the + DAD state to terminate. This is broken for bridge + interfaces on recent Linux kernels, which don't start DAD + until the bridge comes up, and so can take arbitrary + time. The new behaviour lets dnsmasq poll for an arbitrary + time whilst providing service on other interfaces. Thanks + to Stephen Hemminger for pointing out the problem. version 2.58 - Provide a definition of the SA_SIZE macro where it's - missing. Fixes build failure on openBSD. + Provide a definition of the SA_SIZE macro where it's + missing. Fixes build failure on openBSD. - Don't include a zero terminator at the end of messages - sent to /dev/log when /dev/log is a datagram socket. - Thanks to Didier Rabound for spotting the problem. + Don't include a zero terminator at the end of messages + sent to /dev/log when /dev/log is a datagram socket. + Thanks to Didier Rabound for spotting the problem. - Add --dhcp-sequential-ip flag, to force allocation of IP - addresses in ascending order. Note that the default - pseudo-random mode is in general better but some - server-deployment applications need this. + Add --dhcp-sequential-ip flag, to force allocation of IP + addresses in ascending order. Note that the default + pseudo-random mode is in general better but some + server-deployment applications need this. - Fix problem where a server-id of 0.0.0.0 is sent to a - client when a dhcp-relay is in use if a client renews a - lease after dnsmasq restart and before any clients on the - subnet get a new lease. Thanks to Mike Ruiz for assistance - in chasing this one down. + Fix problem where a server-id of 0.0.0.0 is sent to a + client when a dhcp-relay is in use if a client renews a + lease after dnsmasq restart and before any clients on the + subnet get a new lease. Thanks to Mike Ruiz for assistance + in chasing this one down. - Don't return NXDOMAIN to an AAAA query if we have CNAME - which points to an A record only: NODATA is the correct - reply in this case. Thanks to Tom Fernandes for spotting - the problem. + Don't return NXDOMAIN to an AAAA query if we have CNAME + which points to an A record only: NODATA is the correct + reply in this case. Thanks to Tom Fernandes for spotting + the problem. - Relax the need to supply a netmask in --dhcp-range for - networks which use a DHCP relay. Whilst this is still - desireable, in the absence of a netmask dnsmasq will use - a default based on the class (A, B, or C) of the address. - This should at least remove a cause of mysterious failure - for people using RFC1918 addresses and relays. + Relax the need to supply a netmask in --dhcp-range for + networks which use a DHCP relay. Whilst this is still + desirable, in the absence of a netmask dnsmasq will use + a default based on the class (A, B, or C) of the address. + This should at least remove a cause of mysterious failure + for people using RFC1918 addresses and relays. - Add support for Linux conntrack connection marking. If - enabled with --conntrack, the connection mark for incoming - DNS queries will be copied to the outgoing connections - used to answer those queries. This allows clever firewall - and accounting stuff. Only available if dnsmasq is - compiled with HAVE_CONNTRACK and adds a dependency on - libnetfilter-conntrack. Thanks to Ed Wildgoose for the - initial idea, testing and sponsorship of this function. + Add support for Linux conntrack connection marking. If + enabled with --conntrack, the connection mark for incoming + DNS queries will be copied to the outgoing connections + used to answer those queries. This allows clever firewall + and accounting stuff. Only available if dnsmasq is + compiled with HAVE_CONNTRACK and adds a dependency on + libnetfilter-conntrack. Thanks to Ed Wildgoose for the + initial idea, testing and sponsorship of this function. - Provide a sane error message when someone attempts to - match a tag in --dhcp-host. + Provide a sane error message when someone attempts to + match a tag in --dhcp-host. - Tweak the behaviour of --domain-needed, to avoid problems - with recursive nameservers downstream of dnsmasq. The new - behaviour only stops A and AAAA queries, and returns - NODATA rather than NXDOMAIN replies. + Tweak the behaviour of --domain-needed, to avoid problems + with recursive nameservers downstream of dnsmasq. The new + behaviour only stops A and AAAA queries, and returns + NODATA rather than NXDOMAIN replies. - Efficiency fix for very large DHCP configurations, thanks - to James Gartrell and Mike Ruiz for help with this. + Efficiency fix for very large DHCP configurations, thanks + to James Gartrell and Mike Ruiz for help with this. - Allow the TFTP-server address in --dhcp-boot to be a - domain-name which is looked up in /etc/hosts. This can - give multiple IP addresses which are used round-robin, - thus doing TFTP server load-balancing. Thanks to Sushil - Agrawal for the patch. + Allow the TFTP-server address in --dhcp-boot to be a + domain-name which is looked up in /etc/hosts. This can + give multiple IP addresses which are used round-robin, + thus doing TFTP server load-balancing. Thanks to Sushil + Agrawal for the patch. - When two tagged dhcp-options for a particular option - number are both valid, use the one which is valid without - a tag from the dhcp-range. Allows overriding of the value - of a DHCP option for a particular host as well as - per-network values. So - --dhcp-range=set:interface1,...... - --dhcp-host=set:myhost,..... - --dhcp-option=tag:interface1,option:nis-domain,"domain1" - --dhcp-option=tag:myhost,option:nis-domain,"domain2" - will set the NIS-domain to domain1 for hosts in the range, but - override that to domain2 for a particular host. + When two tagged dhcp-options for a particular option + number are both valid, use the one which is valid without + a tag from the dhcp-range. Allows overriding of the value + of a DHCP option for a particular host as well as + per-network values. So + --dhcp-range=set:interface1,...... + --dhcp-host=set:myhost,..... + --dhcp-option=tag:interface1,option:nis-domain,"domain1" + --dhcp-option=tag:myhost,option:nis-domain,"domain2" + will set the NIS-domain to domain1 for hosts in the range, but + override that to domain2 for a particular host. - Fix bug which resulted in truncated files and timeouts for - some TFTP transfers. The bug only occurs with netascii - transfers and needs an unfortunate relationship between - file size, blocksize and the number of newlines in the - last block before it manifests itself. Many thanks to - Alkis Georgopoulos for spotting the problem and providing - a comprehensive test-case. + Fix bug which resulted in truncated files and timeouts for + some TFTP transfers. The bug only occurs with netascii + transfers and needs an unfortunate relationship between + file size, blocksize and the number of newlines in the + last block before it manifests itself. Many thanks to + Alkis Georgopoulos for spotting the problem and providing + a comprehensive test-case. - Fix regression in TFTP server on *BSD platforms introduced - in version 2.56, due to confusion with sockaddr - length. Many thanks to Loic Pefferkorn for finding this. + Fix regression in TFTP server on *BSD platforms introduced + in version 2.56, due to confusion with sockaddr + length. Many thanks to Loic Pefferkorn for finding this. - Support scope-ids in IPv6 addresses of nameservers from - /etc/resolv.conf and in --server options. Eg - nameserver fe80::202:a412:4512:7bbf%eth0 or - server=fe80::202:a412:4512:7bbf%eth0. Thanks to - Michael Stapelberg for the suggestion. + Support scope-ids in IPv6 addresses of nameservers from + /etc/resolv.conf and in --server options. Eg + nameserver fe80::202:a412:4512:7bbf%eth0 or + server=fe80::202:a412:4512:7bbf%eth0. Thanks to + Michael Stapelberg for the suggestion. - Update Polish translation, thanks to Jan Psota. + Update Polish translation, thanks to Jan Psota. - Update French translation. Thanks to Gildas Le Nadan. + Update French translation. Thanks to Gildas Le Nadan. version 2.57 - Add patches to allow build under Android. + Add patches to allow build under Android. - Provide our own header for the DNS protocol, rather than - relying on arpa/nameser.h. This has proved more or less - defective over the years and the final straw is that it's - effectively empty on Android. + Provide our own header for the DNS protocol, rather than + relying on arpa/nameser.h. This has proved more or less + defective over the years and the final straw is that it's + effectively empty on Android. - Fix regression in 2.56 which caused hex constants in - configuration to be rejected if they contain the '*' - wildcard. + Fix regression in 2.56 which caused hex constants in + configuration to be rejected if they contain the '*' + wildcard. - Correct wrong casts of arguments to ctype.h functions, - isdigit(), isxdigit() etc. Thanks to Matthias Andree for - spotting this. + Correct wrong casts of arguments to ctype.h functions, + isdigit(), isxdigit() etc. Thanks to Matthias Andree for + spotting this. - Allow build with IDN support independently from i18n. - IDN support continues to be included automatically - when i18n is included. - 'make COPTS=-DHAVE_IDN' is the magic incantation. + Allow build with IDN support independently from i18n. + IDN support continues to be included automatically + when i18n is included. + 'make COPTS=-DHAVE_IDN' is the magic incantation. - Modify check on extraneous command line junk (added in - 2.56) so that it doesn't complain about extra _empty_ - arguments. Otherwise this breaks libvirt. + Modify check on extraneous command line junk (added in + 2.56) so that it doesn't complain about extra _empty_ + arguments. Otherwise this breaks libvirt. version 2.56 - Add a patch to allow dnsmasq to get interface names right in a - Solaris zone. Thanks to Dj Padzensky for this. + Add a patch to allow dnsmasq to get interface names right in a + Solaris zone. Thanks to Dj Padzensky for this. - Improve data-type parsing heuristics so that - --dhcp-option=option:domain-search,. - treats the value as a string and not an IP address. - Thanks to Clemens Fischer for spotting that. + Improve data-type parsing heuristics so that + --dhcp-option=option:domain-search,. + treats the value as a string and not an IP address. + Thanks to Clemens Fischer for spotting that. - Add IPv6 support to the TFTP server. Many thanks to Jan - 'RedBully' Seiffert for the patches. - - Log DNS queries at level LOG_INFO, rather then - LOG_DEBUG. This makes things consistent with DHCP - logging. Thanks to Adam Pribyl for spotting the problem. + Add IPv6 support to the TFTP server. Many thanks to Jan + 'RedBully' Seiffert for the patches. - Ensure that dnsmasq terminates cleanly when using - --syslog-async even if it cannot make a connection to the - syslogd. + Log DNS queries at level LOG_INFO, rather then + LOG_DEBUG. This makes things consistent with DHCP + logging. Thanks to Adam Pribyl for spotting the problem. - Add --add-mac option. This is to support currently - experimental DNS filtering facilities. Thanks to Benjamin - Petrin for the orignal patch. + Ensure that dnsmasq terminates cleanly when using + --syslog-async even if it cannot make a connection to the + syslogd. - Fix bug which meant that tags were ignored in dhcp-range - configuration specifying PXE-proxy service. Thanks to - Cristiano Cumer for spotting this. + Add --add-mac option. This is to support currently + experimental DNS filtering facilities. Thanks to Benjamin + Petrin for the original patch. - Raise an error if there is extra junk, not part of an - option, on the command line. + Fix bug which meant that tags were ignored in dhcp-range + configuration specifying PXE-proxy service. Thanks to + Cristiano Cumer for spotting this. - Flag a couple of log messages in cache.c as coming from - the DHCP subsystem. Thanks to Olaf Westrik for the patch. + Raise an error if there is extra junk, not part of an + option, on the command line. - Omit timestamps from logs when a) logging to stderr and - b) --keep-in-forground is set. The logging facility on the - other end of stderr can be assumned to supply them. Thanks - to John Hallam for the patch. + Flag a couple of log messages in cache.c as coming from + the DHCP subsystem. Thanks to Olaf Westrik for the patch. - Don't complain about strings longer than 255 characters in - --txt-record, just split the long strings into 255 - character chunks instead. + Omit timestamps from logs when a) logging to stderr and + b) --keep-in-foreground is set. The logging facility on the + other end of stderr can be assumed to supply them. Thanks + to John Hallam for the patch. - Fix crash on double-free. This bug can only happen when - dhcp-script is in use and then only in rare circumstances - triggered by high DHCP transaction rate and a slow - script. Thanks to Ferenc Wagner for finding the problem. + Don't complain about strings longer than 255 characters in + --txt-record, just split the long strings into 255 + character chunks instead. - Only log that a file has been sent by TFTP after the - transfer has completed succesfully. + Fix crash on double-free. This bug can only happen when + dhcp-script is in use and then only in rare circumstances + triggered by high DHCP transaction rate and a slow + script. Thanks to Ferenc Wagner for finding the problem. - A good suggestion from Ferenc Wagner: extend - the --domain option to allow this sort of thing: - --domain=thekelleys.org.uk,192.168.0.0/24,local - which automatically creates - --local=/thekelleys.org.uk/ - --local=/0.168.192.in-addr.arpa/ + Only log that a file has been sent by TFTP after the + transfer has completed successfully. - Tighten up syntax checking of hex contants in the config - file. Thanks to Fred Damen for spotting this. + A good suggestion from Ferenc Wagner: extend + the --domain option to allow this sort of thing: + --domain=thekelleys.org.uk,192.168.0.0/24,local + which automatically creates + --local=/thekelleys.org.uk/ + --local=/0.168.192.in-addr.arpa/ - Add dnsmasq logo/icon, contributed by Justin Swift. Many - thanks for that. + Tighten up syntax checking of hex constants in the config + file. Thanks to Fred Damen for spotting this. - Never cache DNS replies which have the 'cd' bit set, or - which result from queries forwarded with the 'cd' bit - set. The 'cd' bit instructs a DNSSEC validating server - upstream to ignore signature failures and return replies - anyway. Without this change it's possible to pollute the - dnsmasq cache with bad data by making a query with the - 'cd' bit set and subsequent queries would return this data - without its being marked as suspect. Thanks to Anders - Kaseorg for pointing out this problem. + Add dnsmasq logo/icon, contributed by Justin Swift. Many + thanks for that. - Add --proxy-dnssec flag, for compliance with RFC - 4035. Dnsmasq will now clear the 'ad' bit in answers returned - from upstream validating nameservers unless this option is - set. + Never cache DNS replies which have the 'cd' bit set, or + which result from queries forwarded with the 'cd' bit + set. The 'cd' bit instructs a DNSSEC validating server + upstream to ignore signature failures and return replies + anyway. Without this change it's possible to pollute the + dnsmasq cache with bad data by making a query with the + 'cd' bit set and subsequent queries would return this data + without its being marked as suspect. Thanks to Anders + Kaseorg for pointing out this problem. - Allow a filename of "-" for --conf-file to read - stdin. Suggestion from Timothy Redaelli. + Add --proxy-dnssec flag, for compliance with RFC + 4035. Dnsmasq will now clear the 'ad' bit in answers returned + from upstream validating nameservers unless this option is + set. - Rotate the order of SRV records in replies, to provide - round-robin load balancing when all the priorities are - equal. Thanks to Peter McKinney for the suggestion. + Allow a filename of "-" for --conf-file to read + stdin. Suggestion from Timothy Redaelli. - Edit - contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist - so that it doesn't log all queries to a file by - default. Thanks again to Peter McKinney. + Rotate the order of SRV records in replies, to provide + round-robin load balancing when all the priorities are + equal. Thanks to Peter McKinney for the suggestion. - By default, setting an IPv4 address for a domain but not - an IPv6 address causes dnsmasq to return - an NODATA reply for IPv6 (or vice-versa). So - --address=/google.com/1.2.3.4 stops IPv6 queries for - *google.com from being forwarded. Make it possible to - override this behaviour by defining the sematics if the - same domain appears in both --server and --address. - In that case, the --address has priority for the address - family in which is appears, but the --server has priority - of the address family which doesn't appear in --adddress - So: - --address=/google.com/1.2.3.4 - --server=/google.com/# - will return 1.2.3.4 for IPv4 queries for *.google.com but - forward IPv6 queries to the normal upstream nameserver. - Similarly when setting an IPv6 address - only this will allow forwarding of IPv4 queries. Thanks to - William for pointing out the need for this. + Edit + contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist + so that it doesn't log all queries to a file by + default. Thanks again to Peter McKinney. - Allow more than one --dhcp-optsfile and --dhcp-hostsfile - and make them understand directories as arguments in the - same way as --addn-hosts. Suggestion from John Hanks. + By default, setting an IPv4 address for a domain but not + an IPv6 address causes dnsmasq to return + a NODATA reply for IPv6 (or vice-versa). So + --address=/google.com/1.2.3.4 stops IPv6 queries for + *google.com from being forwarded. Make it possible to + override this behaviour by defining the semantics if the + same domain appears in both --server and --address. + In that case, the --address has priority for the address + family in which is appears, but the --server has priority + of the address family which doesn't appear in --address + So: + --address=/google.com/1.2.3.4 + --server=/google.com/# + will return 1.2.3.4 for IPv4 queries for *.google.com but + forward IPv6 queries to the normal upstream nameserver. + Similarly when setting an IPv6 address + only this will allow forwarding of IPv4 queries. Thanks to + William for pointing out the need for this. - Ignore rebinding requests for leases we don't know - about. Rebind is broadcast, so we might get to overhear a - request meant for another DHCP server. NAKing this is - wrong. Thanks to Brad D'Hondt for assistance with this. + Allow more than one --dhcp-optsfile and --dhcp-hostsfile + and make them understand directories as arguments in the + same way as --addn-hosts. Suggestion from John Hanks. - Fix cosmetic bug which produced strange output when - dumping cache statistics with some configurations. Thanks - to Fedor Kozhevnikov for spotting this. + Ignore rebinding requests for leases we don't know + about. Rebind is broadcast, so we might get to overhear a + request meant for another DHCP server. NAKing this is + wrong. Thanks to Brad D'Hondt for assistance with this. + Fix cosmetic bug which produced strange output when + dumping cache statistics with some configurations. Thanks + to Fedor Kozhevnikov for spotting this. + version 2.55 - Fix crash when /etc/ethers is in use. Thanks to - Gianluigi Tiesi for finding this. + Fix crash when /etc/ethers is in use. Thanks to + Gianluigi Tiesi for finding this. - Fix crash in netlink_multicast(). Thanks to Arno Wald for - finding this one. + Fix crash in netlink_multicast(). Thanks to Arno Wald for + finding this one. - Allow the empty domain "." in dhcp domain-search (119) - options. + Allow the empty domain "." in dhcp domain-search (119) + options. version 2.54 - There is no version 2.54 to avoid confusion with 2.53, - which incorrectly identifies itself as 2.54. + There is no version 2.54 to avoid confusion with 2.53, + which incorrectly identifies itself as 2.54. version 2.53 - Fix failure to compile on Debian/kFreeBSD. Thanks to - Axel Beckert and Petr Salinger. + Fix failure to compile on Debian/kFreeBSD. Thanks to + Axel Beckert and Petr Salinger. - Fix code to avoid scary strict-aliasing warnings - generated by gcc 4.4. - - Added FAQ entry warning about DHCP failures with Vista - when firewalls block 255.255.255.255. - - Fixed bug which caused bad things to happen if a - resolv.conf file which exists is subsequently removed. - Thanks to Nikolai Saoukh for the patch. + Fix code to avoid scary strict-aliasing warnings + generated by gcc 4.4. + + Added FAQ entry warning about DHCP failures with Vista + when firewalls block 255.255.255.255. + + Fixed bug which caused bad things to happen if a + resolv.conf file which exists is subsequently removed. + Thanks to Nikolai Saoukh for the patch. - Rationalised the DHCP tag system. Every configuration item - which can set a tag does so by adding "set:" and - every configuration item which is conditional on a tag is - made so by "tag:". The NOT operator changes to '!', - which is a bit more intuitive too. Dhcp-host directives - can set more than one tag now. The old '#' NOT, - "net:" prefix and no-prefixes are still honoured, so - no existing config file needs to be changed, but - the documentation and new-style config files should be - much less confusing. + Rationalised the DHCP tag system. Every configuration item + which can set a tag does so by adding "set:" and + every configuration item which is conditional on a tag is + made so by "tag:". The NOT operator changes to '!', + which is a bit more intuitive too. Dhcp-host directives + can set more than one tag now. The old '#' NOT, + "net:" prefix and no-prefixes are still honoured, so + no existing config file needs to be changed, but + the documentation and new-style config files should be + much less confusing. - Added --tag-if to allow boolean operations on tags. - This allows complicated logic to be clearer and more - general. A great suggestion from Richard Voigt. + Added --tag-if to allow boolean operations on tags. + This allows complicated logic to be clearer and more + general. A great suggestion from Richard Voigt. - Add broadcast/unicast information to DHCP logging. + Add broadcast/unicast information to DHCP logging. - Allow --dhcp-broadcast to be unconditional. + Allow --dhcp-broadcast to be unconditional. - Fixed incorrect behaviour with NOT conditionals in - dhcp-options. Thanks to Max Turkewitz for assistance - finding this. + Fixed incorrect behaviour with NOT conditionals in + dhcp-options. Thanks to Max Turkewitz for assistance + finding this. - If we send vendor-class encapsulated options based on the - vendor-class supplied by the client, and no explicit - vendor-class option is given, echo back the vendor-class - from the client. - - Fix bug which stopped dnsmasq from matching both a - circuitid and a remoteid. Thanks to Ignacio Bravo for - finding this. + If we send vendor-class encapsulated options based on the + vendor-class supplied by the client, and no explicit + vendor-class option is given, echo back the vendor-class + from the client. + + Fix bug which stopped dnsmasq from matching both a + circuitid and a remoteid. Thanks to Ignacio Bravo for + finding this. - Add --dhcp-proxy, which makes it possible to configure - dnsmasq to use a DHCP relay agent as a full proxy, with - all DHCP messages passing through the proxy. This is - useful if the relay adds extra information to the packets - it forwards, but cannot be configured with the RFC 5107 - server-override option. + Add --dhcp-proxy, which makes it possible to configure + dnsmasq to use a DHCP relay agent as a full proxy, with + all DHCP messages passing through the proxy. This is + useful if the relay adds extra information to the packets + it forwards, but cannot be configured with the RFC 5107 + server-override option. - Added interface: part to dhcp-range. The - semantics of this are very odd at first sight, but it - allows a single line of the form - dhcp-range=interface:virt0,192.168.0.4,192.168.0.200 - to be added to dnsmasq configuration which then supplies - DHCP and DNS services to that interface, without affecting - what services are supplied to other interfaces and - irrespective of the existance or lack of - interface= - lines elsewhere in the dnsmasq configuration. The idea is - that such a line can be added automatically by libvirt - or equivalent systems, without disturbing any manual - configuration. + Added interface: part to dhcp-range. The + semantics of this are very odd at first sight, but it + allows a single line of the form + dhcp-range=interface:virt0,192.168.0.4,192.168.0.200 + to be added to dnsmasq configuration which then supplies + DHCP and DNS services to that interface, without affecting + what services are supplied to other interfaces and + irrespective of the existence or lack of + interface= + lines elsewhere in the dnsmasq configuration. The idea is + that such a line can be added automatically by libvirt + or equivalent systems, without disturbing any manual + configuration. - Similarly to the above, allow --enable-tftp= + Similarly to the above, allow --enable-tftp= - Allow a TFTP root to be set separately for requests via - different interfaces, --tftp-root=, + Allow a TFTP root to be set separately for requests via + different interfaces, --tftp-root=, - Correctly handle and log clashes between CNAMES and - DNS names being given to DHCP leases. This fixes a bug - which caused nonsense IP addresses to be logged. Thanks to - Sergei Zhirikov for finding and analysing the problem. + Correctly handle and log clashes between CNAMES and + DNS names being given to DHCP leases. This fixes a bug + which caused nonsense IP addresses to be logged. Thanks to + Sergei Zhirikov for finding and analysing the problem. - Tweak flush_log so as to avoid leaving the log - file in non-blocking mode. O_NONBLOCK is a property of the - file, not the process/descriptor. + Tweak flush_log so as to avoid leaving the log + file in non-blocking mode. O_NONBLOCK is a property of the + file, not the process/descriptor. - Fix contrib/Solaris10/create_package - (/usr/man -> /usr/share/man) Thanks to Vita Batrla. + Fix contrib/Solaris10/create_package + (/usr/man -> /usr/share/man) Thanks to Vita Batrla. - Fix a problem where, if a client got a lease, then went - to another subnet and got another lease, then moved back, - it couldn't resume the old lease, but would instead get - a new address. Thanks to Leonardo Rodrigues for spotting - this and testing the fix. - - Fix weird bug which sometimes omitted certain characters - from the start of quoted strings in dhcp-options. Thanks - to Dayton Turner for spotting the problem. + Fix a problem where, if a client got a lease, then went + to another subnet and got another lease, then moved back, + it couldn't resume the old lease, but would instead get + a new address. Thanks to Leonardo Rodrigues for spotting + this and testing the fix. - Add facility to redirect some domains to the standard - upstream servers: this allows something like - --server=/google.com/1.2.3.4 --server=/www.google.com/# - which will send queries for *.google.com to 1.2.3.4, - except *www.google.com which will be forwarded as usual. - Thanks to AJ Weber for prompting this addition. - - Improve the hash-algorithm used to generate IP addresses - from MAC addresses during initial DHCP address - allocation. This improves performance when large numbers - of hosts with similar MAC addresses all try and get an IP - address at the same time. Thanks to Paul Smith for his - work on this. + Fix weird bug which sometimes omitted certain characters + from the start of quoted strings in dhcp-options. Thanks + to Dayton Turner for spotting the problem. - Tweak DHCP code so that --bridge-interface can be used to - select which IP alias of an interface should be used for - DHCP purposes on Linux. If eth0 has an alias eth0:dhcp - then adding --bridge-interface=eth0:dhcp,eth0 will use - the address of eth0:dhcp to determine the correct subnet - for DHCP address allocation. Thanks to Pawel Golaszewski - for prompting this and Eric Cooper for further testing. + Add facility to redirect some domains to the standard + upstream servers: this allows something like + --server=/google.com/1.2.3.4 --server=/www.google.com/# + which will send queries for *.google.com to 1.2.3.4, + except *www.google.com which will be forwarded as usual. + Thanks to AJ Weber for prompting this addition. - Add --dhcp-generate-names. Suggestion by Ferenc Wagner. + Improve the hash-algorithm used to generate IP addresses + from MAC addresses during initial DHCP address + allocation. This improves performance when large numbers + of hosts with similar MAC addresses all try and get an IP + address at the same time. Thanks to Paul Smith for his + work on this. - Tweak DNS server selection algorithm when there is more - than one server available for a domain, eg. - --server=/mydomain/1.1.1.1 - --server=/mydomain/2.2.2.2 - Thanks to Alberto Cuesta-Canada for spotting a weakness - here. + Tweak DHCP code so that --bridge-interface can be used to + select which IP alias of an interface should be used for + DHCP purposes on Linux. If eth0 has an alias eth0:dhcp + then adding --bridge-interface=eth0:dhcp,eth0 will use + the address of eth0:dhcp to determine the correct subnet + for DHCP address allocation. Thanks to Pawel Golaszewski + for prompting this and Eric Cooper for further testing. - Add --max-ttl. Thanks to Fredrik Ringertz for the patch. + Add --dhcp-generate-names. Suggestion by Ferenc Wagner. - Allow --log-facility=- to force all logging to - stderr. Suggestion from Clemens Fischer. + Tweak DNS server selection algorithm when there is more + than one server available for a domain, eg. + --server=/mydomain/1.1.1.1 + --server=/mydomain/2.2.2.2 + Thanks to Alberto Cuesta-Canada for spotting a weakness + here. - Fix regression which caused configuration like - --address=/.domain.com/1.2.3.4 to be rejected. The dot to the - left of the domain has been implied and not required for a - long time, but it should be accepted for backward - compatibility. Thanks to Andrew Burcin for spotting this. - - Add --rebind-domain-ok and --rebind-localhost-ok. - Suggestion from Clemens Fischer. + Add --max-ttl. Thanks to Fredrik Ringertz for the patch. - Log replies to queries of type TXT, when --log-queries - is set. + Allow --log-facility=- to force all logging to + stderr. Suggestion from Clemens Fischer. - Fix compiler warnings when compiled with -DNO_DHCP. Thanks - to Shantanu Gadgil for the patch. + Fix regression which caused configuration like + --address=/.domain.com/1.2.3.4 to be rejected. The dot to the + left of the domain has been implied and not required for a + long time, but it should be accepted for backward + compatibility. Thanks to Andrew Burcin for spotting this. - Updated French translation. Thanks to Gildas Le Nadan. + Add --rebind-domain-ok and --rebind-localhost-ok. + Suggestion from Clemens Fischer. - Updated Polish translation. Thanks to Jan Psota. + Log replies to queries of type TXT, when --log-queries + is set. - Updated German translation. Thanks to Matthias Andree. + Fix compiler warnings when compiled with -DNO_DHCP. Thanks + to Shantanu Gadgil for the patch. - Added contrib/static-arp, thanks to Darren Hoo. - - Fix corruption of the domain when a name from /etc/hosts - overrides one supplied by a DHCP client. Thanks to Fedor - Kozhevnikov for spotting the problem. + Updated French translation. Thanks to Gildas Le Nadan. - Updated Spanish translation. Thanks to Chris Chatham. + Updated Polish translation. Thanks to Jan Psota. + Updated German translation. Thanks to Matthias Andree. + Added contrib/static-arp, thanks to Darren Hoo. + + Fix corruption of the domain when a name from /etc/hosts + overrides one supplied by a DHCP client. Thanks to Fedor + Kozhevnikov for spotting the problem. + + Updated Spanish translation. Thanks to Chris Chatham. + + version 2.52 - Work around a Linux kernel bug which insists that the - length of the option passed to setsockopt must be at least - sizeof(int) bytes, even if we're calling SO_BINDTODEVICE - and the device name is "lo". Note that this is fixed - in kernel 2.6.31, but the workaround is harmless and - allows earlier kernels to be used. Also fix dnsmasq - bug which reported the wrong address when this failed. - Thanks to Fedor for finding this. + Work around a Linux kernel bug which insists that the + length of the option passed to setsockopt must be at least + sizeof(int) bytes, even if we're calling SO_BINDTODEVICE + and the device name is "lo". Note that this is fixed + in kernel 2.6.31, but the workaround is harmless and + allows earlier kernels to be used. Also fix dnsmasq + bug which reported the wrong address when this failed. + Thanks to Fedor for finding this. - The API for IPv6 PKTINFO changed around Linux kernel - 2.6.14. Workaround the case where dnsmasq is compiled - against newer headers, but then run on an old kernel: - necessary for some *WRT distros. + The API for IPv6 PKTINFO changed around Linux kernel + 2.6.14. Workaround the case where dnsmasq is compiled + against newer headers, but then run on an old kernel: + necessary for some *WRT distros. - Re-read the set of network interfaces when re-loading - /etc/resolv.conf if --bind-interfaces is not set. This - handles the case that loopback interfaces do not exist - when dnsmasq is first started. + Re-read the set of network interfaces when re-loading + /etc/resolv.conf if --bind-interfaces is not set. This + handles the case that loopback interfaces do not exist + when dnsmasq is first started. - Tweak the PXE code to support port 4011. This should - reduce broadcasts and make things more reliable when other - servers are around. It also improves inter-operability - with certain clients. + Tweak the PXE code to support port 4011. This should + reduce broadcasts and make things more reliable when other + servers are around. It also improves inter-operability + with certain clients. - Make a pxe-service configuration with no filename or boot - service type legal: this does a local boot. eg. - pxe-service=x86PC, "Local boot" + Make a pxe-service configuration with no filename or boot + service type legal: this does a local boot. eg. + pxe-service=x86PC, "Local boot" - Be more conservative in detecting "A for A" - queries. Dnsmasq checks if the name in a type=A query looks - like a dotted-quad IP address and answers the query itself - if so, rather than forwarding it. Previously dnsmasq - relied in the library function inet_addr() to convert - addresses, and that will accept some things which are - confusing in this context, like 1.2.3 or even just - 1234. Now we only do A for A processing for four decimal - numbers delimited by dots. + Be more conservative in detecting "A for A" + queries. Dnsmasq checks if the name in a type=A query looks + like a dotted-quad IP address and answers the query itself + if so, rather than forwarding it. Previously dnsmasq + relied in the library function inet_addr() to convert + addresses, and that will accept some things which are + confusing in this context, like 1.2.3 or even just + 1234. Now we only do A for A processing for four decimal + numbers delimited by dots. - A couple of tweaks to fix compilation on Solaris. Thanks - to Joel Macklow for help with this. + A couple of tweaks to fix compilation on Solaris. Thanks + to Joel Macklow for help with this. - Another Solaris compilation tweak, needed for Solaris - 2009.06. Thanks to Lee Essen for that. + Another Solaris compilation tweak, needed for Solaris + 2009.06. Thanks to Lee Essen for that. - Added extract packaging stuff from Lee Essen to - contrib/Solaris10. - - Increased the default limit on number of leases to 1000 - (from 150). This is mainly a defence against DoS attacks, - and for the average "one for two class C networks" - installation, IP address exhaustion does that just as - well. Making the limit greater than the number of IP - addresses available in such an installation removes a - surprise which otherwise can catch people out. + Added extract packaging stuff from Lee Essen to + contrib/Solaris10. - Removed extraneous trailing space in the value of the - DNSMASQ_TIME_REMAINING DNSMASQ_LEASE_LENGTH and - DNSMASQ_LEASE_EXPIRES environment variables. Thanks to - Gildas Le Nadan for spotting this. + Increased the default limit on number of leases to 1000 + (from 150). This is mainly a defence against DoS attacks, + and for the average "one for two class C networks" + installation, IP address exhaustion does that just as + well. Making the limit greater than the number of IP + addresses available in such an installation removes a + surprise which otherwise can catch people out. - Provide the network-id tags for a DHCP transaction to - the lease-change script in the environment variable - DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan. + Removed extraneous trailing space in the value of the + DNSMASQ_TIME_REMAINING DNSMASQ_LEASE_LENGTH and + DNSMASQ_LEASE_EXPIRES environment variables. Thanks to + Gildas Le Nadan for spotting this. - Add support for RFC3925 "Vendor-Identifying Vendor - Options". The syntax looks like this: - --dhcp-option=vi-encap:, ......... + Provide the network-id tags for a DHCP transaction to + the lease-change script in the environment variable + DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan. - Add support to --dhcp-match to allow matching against - RFC3925 "Vendor-Identifying Vendor Classes". The syntax - looks like this: - --dhcp-match=tag,vi-encap, - - Add some application specific code to assist in - implementing the Broadband forum TR069 CPE-WAN - specification. The details are in contrib/CPE-WAN/README + Add support for RFC3925 "Vendor-Identifying Vendor + Options". The syntax looks like this: + --dhcp-option=vi-encap:, ......... - Increase the default DNS packet size limit to 4096, as - recommended by RFC5625 section 4.4.3. This can be - reconfigured using --edns-packet-max if needed. Thanks to - Francis Dupont for pointing this out. + Add support to --dhcp-match to allow matching against + RFC3925 "Vendor-Identifying Vendor Classes". The syntax + looks like this: + --dhcp-match=tag,vi-encap, - Rewrite query-ids even for TSIG signed packets, since - this is allowed by RFC5625 section 4.5. - - Use getopt_long by default on OS X. It has been supported - since version 10.3.0. Thanks to Arek Dreyer for spotting - this. + Add some application specific code to assist in + implementing the Broadband forum TR069 CPE-WAN + specification. The details are in contrib/CPE-WAN/README - Added up-to-date startup configuration for MacOSX/launchd - in contrib/MacOSX-launchd. Thanks to Arek Dreyer for - providing this. + Increase the default DNS packet size limit to 4096, as + recommended by RFC5625 section 4.4.3. This can be + reconfigured using --edns-packet-max if needed. Thanks to + Francis Dupont for pointing this out. - Fix link error when including Dbus but excluding DHCP. - Thanks to Oschtan for the bug report. + Rewrite query-ids even for TSIG signed packets, since + this is allowed by RFC5625 section 4.5. - Updated French translation. Thanks to Gildas Le Nadan. - - Updated Polish translation. Thanks to Jan Psota. + Use getopt_long by default on OS X. It has been supported + since version 10.3.0. Thanks to Arek Dreyer for spotting + this. - Updated Spanish translation. Thanks to Chris Chatham. + Added up-to-date startup configuration for MacOSX/launchd + in contrib/MacOSX-launchd. Thanks to Arek Dreyer for + providing this. - Fixed confusion about domains, when looking up DHCP hosts - in /etc/hosts. This could cause spurious "Ignoring - domain..." messages. Thanks to Fedor Kozhevnikov for - finding and analysing the problem. + Fix link error when including Dbus but excluding DHCP. + Thanks to Oschtan for the bug report. - + Updated French translation. Thanks to Gildas Le Nadan. + + Updated Polish translation. Thanks to Jan Psota. + + Updated Spanish translation. Thanks to Chris Chatham. + + Fixed confusion about domains, when looking up DHCP hosts + in /etc/hosts. This could cause spurious "Ignoring + domain..." messages. Thanks to Fedor Kozhevnikov for + finding and analysing the problem. + + version 2.51 - Add support for internationalised DNS. Non-ASCII characters - in domain names found in /etc/hosts, /etc/ethers and - /etc/dnsmasq.conf will be correctly handled by translation to - punycode, as specified in RFC3490. This function is only - available if dnsmasq is compiled with internationalisation - support, and adds a dependency on GNU libidn. Without i18n - support, dnsmasq continues to be compilable with just - standard tools. Thanks to Yves Dorfsman for the - suggestion. + Add support for internationalised DNS. Non-ASCII characters + in domain names found in /etc/hosts, /etc/ethers and + /etc/dnsmasq.conf will be correctly handled by translation to + punycode, as specified in RFC3490. This function is only + available if dnsmasq is compiled with internationalisation + support, and adds a dependency on GNU libidn. Without i18n + support, dnsmasq continues to be compilable with just + standard tools. Thanks to Yves Dorfsman for the + suggestion. - Add two more environment variables for lease-change scripts: - First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname - supplied by a client, even if the actual hostname used is - over-ridden by dhcp-host or dhcp-ignore-names directives. - Also DNSMASQ_RELAY_ADDRESS which gives the address of - a DHCP relay, if used. - Suggestions from Michael Rack. + Add two more environment variables for lease-change scripts: + First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname + supplied by a client, even if the actual hostname used is + over-ridden by dhcp-host or dhcp-ignore-names directives. + Also DNSMASQ_RELAY_ADDRESS which gives the address of + a DHCP relay, if used. + Suggestions from Michael Rack. - Fix regression which broke echo of relay-agent - options. Thanks to Michael Rack for spotting this. - - Don't treat option 67 as being interchangeable with - dhcp-boot parameters if it's specified as - dhcp-option-force. + Fix regression which broke echo of relay-agent + options. Thanks to Michael Rack for spotting this. - Make the code to call scripts on lease-change compile-time - optional. It can be switched off by editing src/config.h - or building with "make COPTS=-DNO_SCRIPT". - - Make the TFTP server cope with filenames from Windows/DOS - which use '\' as pathname separator. Thanks to Ralf for - the patch. + Don't treat option 67 as being interchangeable with + dhcp-boot parameters if it's specified as + dhcp-option-force. - Updated Polish translation. Thanks to Jan Psota. - - Warn if an IP address is duplicated in /etc/ethers. Thanks - to Felix Schwarz for pointing this out. + Make the code to call scripts on lease-change compile-time + optional. It can be switched off by editing src/config.h + or building with "make COPTS=-DNO_SCRIPT". - Teach --conf-dir to take an option list of file suffices - which will be ignored when scanning the directory. Useful - for backup files etc. Thanks to Helmut Hullen for the - suggestion. + Make the TFTP server cope with filenames from Windows/DOS + which use '\' as pathname separator. Thanks to Ralf for + the patch. - Add new DHCP option named tftpserver-address, which - corresponds to the third argument of dhcp-boot. This - allows the complete functionality of dhcp-boot to be - replicated with dhcp-option. Useful when using - dhcp-optsfile. + Updated Polish translation. Thanks to Jan Psota. - Test which upstream nameserver to use every 10 seconds - or 50 queries and not just when a query times out and - is retried. This should improve performance when there - is a slow nameserver in the list. Thanks to Joe for the - suggestion. + Warn if an IP address is duplicated in /etc/ethers. Thanks + to Felix Schwarz for pointing this out. - Don't do any PXE processing, even for clients with the - correct vendorclass, unless at least one pxe-prompt or - pxe-service option is given. This stops dnsmasq - interfering with proxy PXE subsystems when it is just - the DHCP server. Thanks to Spencer Clark for spotting this. + Teach --conf-dir to take an option list of file suffices + which will be ignored when scanning the directory. Useful + for backup files etc. Thanks to Helmut Hullen for the + suggestion. - Limit the blocksize used for TFTP transfers to a value - which avoids packet fragmentation, based on the MTU of the - local interface. Many netboot ROMs can't cope with - fragmented packets. + Add new DHCP option named tftpserver-address, which + corresponds to the third argument of dhcp-boot. This + allows the complete functionality of dhcp-boot to be + replicated with dhcp-option. Useful when using + dhcp-optsfile. - Honour dhcp-ignore configuration for PXE and proxy-PXE - requests. Thanks to Niels Basjes for the bug report. + Test which upstream nameserver to use every 10 seconds + or 50 queries and not just when a query times out and + is retried. This should improve performance when there + is a slow nameserver in the list. Thanks to Joe for the + suggestion. - Updated French translation. Thanks to Gildas Le Nadan. + Don't do any PXE processing, even for clients with the + correct vendorclass, unless at least one pxe-prompt or + pxe-service option is given. This stops dnsmasq + interfering with proxy PXE subsystems when it is just + the DHCP server. Thanks to Spencer Clark for spotting this. + Limit the blocksize used for TFTP transfers to a value + which avoids packet fragmentation, based on the MTU of the + local interface. Many netboot ROMs can't cope with + fragmented packets. + Honour dhcp-ignore configuration for PXE and proxy-PXE + requests. Thanks to Niels Basjes for the bug report. + + Updated French translation. Thanks to Gildas Le Nadan. + + version 2.50 - Fix security problem which allowed any host permitted to - do TFTP to possibly compromise dnsmasq by remote buffer - overflow when TFTP enabled. Thanks to Core Security - Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro - Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and - Pablo Annetta. This problem has Bugtraq id: 36121 - and CVE: 2009-2957 + Fix security problem which allowed any host permitted to + do TFTP to possibly compromise dnsmasq by remote buffer + overflow when TFTP enabled. Thanks to Core Security + Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro + Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and + Pablo Annetta. This problem has Bugtraq id: 36121 + and CVE: 2009-2957 - Fix a problem which allowed a malicious TFTP client to - crash dnsmasq. Thanks to Steve Grubb at Red Hat for - spotting this. This problem has Bugtraq id: 36120 and - CVE: 2009-2958 + Fix a problem which allowed a malicious TFTP client to + crash dnsmasq. Thanks to Steve Grubb at Red Hat for + spotting this. This problem has Bugtraq id: 36120 and + CVE: 2009-2958 version 2.49 - Fix regression in 2.48 which disables the lease-change - script. Thanks to Jose Luis Duran for spotting this. + Fix regression in 2.48 which disables the lease-change + script. Thanks to Jose Luis Duran for spotting this. - Log TFTP "file not found" errors. These were not logged, - since a normal PXELinux boot generates many of them, but - the lack of the messages seems to be more confusing than - routinely seeing them when there is no real error. + Log TFTP "file not found" errors. These were not logged, + since a normal PXELinux boot generates many of them, but + the lack of the messages seems to be more confusing than + routinely seeing them when there is no real error. - Update Spanish translation. Thanks to Chris Chatham. - + Update Spanish translation. Thanks to Chris Chatham. + version 2.48 - Archived the extensive, backwards, changelog to - CHANGELOG.archive. The current changelog now runs from - version 2.43 and runs conventionally. + Archived the extensive, backwards, changelog to + CHANGELOG.archive. The current changelog now runs from + version 2.43 and runs conventionally. - Fixed bug which broke binding of servers to physical - interfaces when interface names were longer than four - characters. Thanks to MURASE Katsunori for the patch. + Fixed bug which broke binding of servers to physical + interfaces when interface names were longer than four + characters. Thanks to MURASE Katsunori for the patch. - Fixed netlink code to check that messages come from the - correct source, and not another userspace process. Thanks - to Steve Grubb for the patch. + Fixed netlink code to check that messages come from the + correct source, and not another userspace process. Thanks + to Steve Grubb for the patch. - Maintainability drive: removed bug and missing feature - workarounds for some old platforms. Solaris 9, OpenBSD - older than 4.1, Glibc older than 2.2, Linux 2.2.x and - DBus older than 1.1.x are no longer supported. + Maintainability drive: removed bug and missing feature + workarounds for some old platforms. Solaris 9, OpenBSD + older than 4.1, Glibc older than 2.2, Linux 2.2.x and + DBus older than 1.1.x are no longer supported. - Don't read included configuration files more than once: - allows complex configuration structures without problems. + Don't read included configuration files more than once: + allows complex configuration structures without problems. - Mark log messages from the various subsystems in dnsmasq: - messages from the DHCP subsystem now have the ident string - "dnsmasq-dhcp" and messages from TFTP have ident - "dnsmasq-tftp". Thanks to Olaf Westrik for the patch. + Mark log messages from the various subsystems in dnsmasq: + messages from the DHCP subsystem now have the ident string + "dnsmasq-dhcp" and messages from TFTP have ident + "dnsmasq-tftp". Thanks to Olaf Westrik for the patch. - Fix possible infinite DHCP protocol loop when an IP - address nailed to a hostname (not a MAC address) and a - host sometimes provides the name, sometimes not. + Fix possible infinite DHCP protocol loop when an IP + address nailed to a hostname (not a MAC address) and a + host sometimes provides the name, sometimes not. - Allow --addn-hosts to take a directory: all the files - in the directory are read. Thanks to Phil Cornelius for - the suggestion. + Allow --addn-hosts to take a directory: all the files + in the directory are read. Thanks to Phil Cornelius for + the suggestion. - Support --bridge-interface on all platforms, not just BSD. - - Added support for advanced PXE functions. It's now - possible to define a prompt and menu options which will - be displayed when a client PXE boots. It's also possible to - hand-off booting to other boot servers. Proxy-DHCP, where - dnsmasq just supplies the PXE information and another DHCP - server does address allocation, is also allowed. See the - --pxe-prompt and --pxe-service keywords. Thanks to - Alkis Georgopoulos for the suggestion and Guilherme Moro - and Michael Brown for assistance. + Support --bridge-interface on all platforms, not just BSD. - Improvements to DHCP logging. Thanks to Tom Metro for - useful suggestions. - - Add ability to build dnsmasq without DHCP support. To do - this, edit src/config.h or build with - "make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch. - - Added --test command-line switch - syntax check - configuration files only. - - Updated French translation. Thanks to Gildas Le Nadan. + Added support for advanced PXE functions. It's now + possible to define a prompt and menu options which will + be displayed when a client PXE boots. It's also possible to + hand-off booting to other boot servers. Proxy-DHCP, where + dnsmasq just supplies the PXE information and another DHCP + server does address allocation, is also allowed. See the + --pxe-prompt and --pxe-service keywords. Thanks to + Alkis Georgopoulos for the suggestion and Guilherme Moro + and Michael Brown for assistance. + Improvements to DHCP logging. Thanks to Tom Metro for + useful suggestions. + Add ability to build dnsmasq without DHCP support. To do + this, edit src/config.h or build with + "make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch. + + Added --test command-line switch - syntax check + configuration files only. + + Updated French translation. Thanks to Gildas Le Nadan. + + version 2.47 - Updated French translation. Thanks to Gildas Le Nadan. + Updated French translation. Thanks to Gildas Le Nadan. - Fixed interface enumeration code to work on NetBSD - 5.0. Thanks to Roy Marples for the patch. + Fixed interface enumeration code to work on NetBSD + 5.0. Thanks to Roy Marples for the patch. - Updated config.h to use the same location for the lease - file on NetBSD as the other *BSD variants. Also allow - LEASEFILE and CONFFILE symbols to be overriden in CFLAGS. + Updated config.h to use the same location for the lease + file on NetBSD as the other *BSD variants. Also allow + LEASEFILE and CONFFILE symbols to be overridden in CFLAGS. - Handle duplicate address detection on IPv6 more - intelligently. In IPv6, an interface can have an address - which is not usable, because it is still undergoing DAD - (such addresses are marked "tentative"). Attempting to - bind to an address in this state returns an error, - EADDRNOTAVAIL. Previously, on getting such an error, - dnsmasq would silently abandon the address, and never - listen on it. Now, it retries once per second for 20 - seconds before generating a fatal error. 20 seconds should - be long enough for any DAD process to complete, but can be - adjusted in src/config.h if necessary. Thanks to Martin - Krafft for the bug report. + Handle duplicate address detection on IPv6 more + intelligently. In IPv6, an interface can have an address + which is not usable, because it is still undergoing DAD + (such addresses are marked "tentative"). Attempting to + bind to an address in this state returns an error, + EADDRNOTAVAIL. Previously, on getting such an error, + dnsmasq would silently abandon the address, and never + listen on it. Now, it retries once per second for 20 + seconds before generating a fatal error. 20 seconds should + be long enough for any DAD process to complete, but can be + adjusted in src/config.h if necessary. Thanks to Martin + Krafft for the bug report. - Add DBus introspection. Patch from Jeremy Laine. + Add DBus introspection. Patch from Jeremy Laine. - Update Dbus configuration file. Patch from Colin Walters. - Fix for this bug: - http://bugs.freedesktop.org/show_bug.cgi?id=18961 + Update Dbus configuration file. Patch from Colin Walters. + Fix for this bug: + http://bugs.freedesktop.org/show_bug.cgi?id=18961 - Support arbitrarily encapsulated DHCP options, suggestion - and initial patch from Samium Gromoff. This is useful for - (eg) gPXE, which expect all its private options to be - encapsulated inside a single option 175. So, eg, + Support arbitrarily encapsulated DHCP options, suggestion + and initial patch from Samium Gromoff. This is useful for + (eg) iPXE, which expect all its private options to be + encapsulated inside a single option 175. So, eg, - dhcp-option = encap:175, 190, "iscsi-client0" - dhcp-option = encap:175, 191, "iscsi-client0-secret" - - will provide iSCSI parameters to gPXE. + dhcp-option = encap:175, 190, "iscsi-client0" + dhcp-option = encap:175, 191, "iscsi-client0-secret" - Enhance --dhcp-match to allow testing of the contents of a - client-sent option, as well as its presence. This - application in mind for this is RFC 4578 - client-architecture specifiers, but it's generally useful. - Joey Korkames suggested the enhancement. + will provide iSCSI parameters to iPXE. - Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on - OpenSolaris. Thanks to Bastian Machek for the heads-up. + Enhance --dhcp-match to allow testing of the contents of a + client-sent option, as well as its presence. This + application in mind for this is RFC 4578 + client-architecture specifiers, but it's generally useful. + Joey Korkames suggested the enhancement. - No longer complain about blank lines in - /etc/ethers. Thanks to Jon Nelson for the patch. + Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on + OpenSolaris. Thanks to Bastian Machek for the heads-up. - Fix binding of servers to physical devices, eg - --server=/domain/1.2.3.4@eth0 which was broken from 2.43 - onwards unless --query-port=0 set. Thanks to Peter Naulls - for the bug report. + No longer complain about blank lines in + /etc/ethers. Thanks to Jon Nelson for the patch. - Reply to DHCPINFORM requests even when the supplied ciaddr - doesn't fall in any dhcp-range. In this case it's not - possible to supply a complete configuration, but - individually-configured options (eg PAC) may be useful. + Fix binding of servers to physical devices, eg + --server=/domain/1.2.3.4@eth0 which was broken from 2.43 + onwards unless --query-port=0 set. Thanks to Peter Naulls + for the bug report. - Allow the source address of an alias to be a range: - --alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole - subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255, - as before. - --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 - maps only the 192.168.0.10->192.168.0.40 region. Thanks to - Ib Uhrskov for the suggestion. + Reply to DHCPINFORM requests even when the supplied ciaddr + doesn't fall in any dhcp-range. In this case it's not + possible to supply a complete configuration, but + individually-configured options (eg PAC) may be useful. - Don't dynamically allocate DHCP addresses which may break - Windows. Addresses which end in .255 or .0 are broken in - Windows even when using supernetting. - --dhcp-range=192.168.0.1,192.168.1.254,255,255,254.0 means - 192.168.0.255 is a valid IP address, but not for Windows. - See Microsoft KB281579. We therefore no longer allocate - these addresses to avoid hard-to-diagnose problems. + Allow the source address of an alias to be a range: + --alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole + subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255, + as before. + --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 + maps only the 192.168.0.10->192.168.0.40 region. Thanks to + Ib Uhrskov for the suggestion. - Update Polish translation. Thanks to Jan Psota. + Don't dynamically allocate DHCP addresses which may break + Windows. Addresses which end in .255 or .0 are broken in + Windows even when using supernetting. + --dhcp-range=192.168.0.1,192.168.1.254,255,255,254.0 means + 192.168.0.255 is a valid IP address, but not for Windows. + See Microsoft KB281579. We therefore no longer allocate + these addresses to avoid hard-to-diagnose problems. - Delete the PID-file when dnsmasq shuts down. Note that by - this time, dnsmasq is normally not running as root, so - this will fail if the PID-file is stored in a root-owned - directory; such failure is silently ignored. To take - advantage of this feature, the PID-file must be stored in a - directory owned and write-able by the user running - dnsmasq. + Update Polish translation. Thanks to Jan Psota. + Delete the PID-file when dnsmasq shuts down. Note that by + this time, dnsmasq is normally not running as root, so + this will fail if the PID-file is stored in a root-owned + directory; such failure is silently ignored. To take + advantage of this feature, the PID-file must be stored in a + directory owned and write-able by the user running + dnsmasq. + version 2.46 - Allow --bootp-dynamic to take a netid tag, so that it may - be selectively enabled. Thanks to Olaf Westrik for the - suggestion. + Allow --bootp-dynamic to take a netid tag, so that it may + be selectively enabled. Thanks to Olaf Westrik for the + suggestion. - Remove ISC-leasefile reading code. This has been - deprecated for a long time, and last time I removed it, it - ended up going back by request of one user. This time, - it's gone for good; otherwise it would need to be - re-worked to support multiple domains (see below). + Remove ISC-leasefile reading code. This has been + deprecated for a long time, and last time I removed it, it + ended up going back by request of one user. This time, + it's gone for good; otherwise it would need to be + re-worked to support multiple domains (see below). - Support DHCP clients in multiple DNS domains. This is a - long-standing request. Clients are assigned to a domain - based in their IP address. + Support DHCP clients in multiple DNS domains. This is a + long-standing request. Clients are assigned to a domain + based in their IP address. - Add --dhcp-fqdn flag, which changes behaviour if DNS names - assigned to DHCP clients. When this is set, there must be - a domain associated with each client, and only - fully-qualified domain names are added to the DNS. The - advantage is that the only the FQDN needs to be unique, - so that two or more DHCP clients can share a hostname, as - long as they are in different domains. + Add --dhcp-fqdn flag, which changes behaviour if DNS names + assigned to DHCP clients. When this is set, there must be + a domain associated with each client, and only + fully-qualified domain names are added to the DNS. The + advantage is that the only the FQDN needs to be unique, + so that two or more DHCP clients can share a hostname, as + long as they are in different domains. - Set environment variable DNSMASQ_DOMAIN when invoking - lease-change script. This may be useful information to - have now that it's variable. + Set environment variable DNSMASQ_DOMAIN when invoking + lease-change script. This may be useful information to + have now that it's variable. - Tighten up data-checking code for DNS packet - handling. Thanks to Steve Dodd who found certain illegal - packets which could crash dnsmasq. No memory overwrite was - possible, so this is not a security issue beyond the DoS - potential. + Tighten up data-checking code for DNS packet + handling. Thanks to Steve Dodd who found certain illegal + packets which could crash dnsmasq. No memory overwrite was + possible, so this is not a security issue beyond the DoS + potential. - Update example config dhcp option 47, the previous - suggestion generated an illegal, zero-length, - option. Thanks to Matthias Andree for finding this. + Update example config dhcp option 47, the previous + suggestion generated an illegal, zero-length, + option. Thanks to Matthias Andree for finding this. - Rewrite hosts-file reading code to remove the limit of - 1024 characters per line. John C Meuser found this. + Rewrite hosts-file reading code to remove the limit of + 1024 characters per line. John C Meuser found this. - Create a net-id tag with the name of the interface on - which the DHCP request was received. + Create a net-id tag with the name of the interface on + which the DHCP request was received. - Fixed minor memory leak in DBus code, thanks to Jeremy - Laine for the patch. + Fixed minor memory leak in DBus code, thanks to Jeremy + Laine for the patch. - Emit DBus signals as the DHCP lease database - changes. Thanks to Jeremy Laine for the patch. + Emit DBus signals as the DHCP lease database + changes. Thanks to Jeremy Laine for the patch. - Allow for more that one MAC address in a dhcp-host - line. This configuration tells dnsmasq that it's OK to - abandon a DHCP lease of the fixed address to one MAC - address, if another MAC address in the dhcp-host statement - asks for an address. This is useful to give a fixed - address to a host which has two network interfaces - (say, a laptop with wired and wireless interfaces.) - It's very important to ensure that only one interface - at a time is up, since dnsmasq abandons the first lease - and re-uses the address before the leased time has - elapsed. John Gray suggested this. + Allow for more that one MAC address in a dhcp-host + line. This configuration tells dnsmasq that it's OK to + abandon a DHCP lease of the fixed address to one MAC + address, if another MAC address in the dhcp-host statement + asks for an address. This is useful to give a fixed + address to a host which has two network interfaces + (say, a laptop with wired and wireless interfaces.) + It's very important to ensure that only one interface + at a time is up, since dnsmasq abandons the first lease + and re-uses the address before the leased time has + elapsed. John Gray suggested this. - Tweak the response to a DHCP request packet with a wrong - server-id when --dhcp-authoritative is set; dnsmasq now - returns a DHCPNAK, rather than silently ignoring the - packet. Thanks to Chris Marget for spotting this - improvement. + Tweak the response to a DHCP request packet with a wrong + server-id when --dhcp-authoritative is set; dnsmasq now + returns a DHCPNAK, rather than silently ignoring the + packet. Thanks to Chris Marget for spotting this + improvement. - Add --cname option. This provides a limited alias - function, usable for DHCP names. Thanks to AJ Weber for - suggestions on this. + Add --cname option. This provides a limited alias + function, usable for DHCP names. Thanks to AJ Weber for + suggestions on this. - Updated contrib/webmin with latest version from Neil - Fisher. + Updated contrib/webmin with latest version from Neil + Fisher. - Updated Polish translation. Thanks to Jan Psota. - - Correct the text names for DHCP options 64 and 65 to be - "nis+-domain" and "nis+-servers". + Updated Polish translation. Thanks to Jan Psota. - Updated Spanish translation. Thanks to Chris Chatham. + Correct the text names for DHCP options 64 and 65 to be + "nis+-domain" and "nis+-servers". - Force re-reading of /etc/resolv.conf when an "interface - up" event occurs. + Updated Spanish translation. Thanks to Chris Chatham. + Force re-reading of /etc/resolv.conf when an "interface + up" event occurs. + version 2.45 - Fix total DNS failure in release 2.44 unless --min-port - specified. Thanks to Steven Barth and Grant Coady for - bugreport. Also reject out-of-range port spec, which could - break things too: suggestion from Gilles Espinasse. - + Fix total DNS failure in release 2.44 unless --min-port + specified. Thanks to Steven Barth and Grant Coady for + bugreport. Also reject out-of-range port spec, which could + break things too: suggestion from Gilles Espinasse. + version 2.44 - Fix crash when unknown client attempts to renew a DHCP - lease, problem introduced in version 2.43. Thanks to - Carlos Carvalho for help chasing this down. + Fix crash when unknown client attempts to renew a DHCP + lease, problem introduced in version 2.43. Thanks to + Carlos Carvalho for help chasing this down. - Fix potential crash when a host which doesn't have a lease - does DHCPINFORM. Again introduced in 2.43. This bug has - never been reported in the wild. + Fix potential crash when a host which doesn't have a lease + does DHCPINFORM. Again introduced in 2.43. This bug has + never been reported in the wild. - Fix crash in netlink code introduced in 2.43. Thanks to - Jean Wolter for finding this. + Fix crash in netlink code introduced in 2.43. Thanks to + Jean Wolter for finding this. - Change implementation of min_port to work even if min-port - is large. + Change implementation of min_port to work even if min-port + is large. - Patch to enable compilation of latest Mac OS X. Thanks to - David Gilman. + Patch to enable compilation of latest Mac OS X. Thanks to + David Gilman. - Update Spanish translation. Thanks to Christopher Chatham. + Update Spanish translation. Thanks to Christopher Chatham. version 2.43 - Updated Polish translation. Thanks to Jan Psota. + Updated Polish translation. Thanks to Jan Psota. - Flag errors when configuration options are repeated - illegally. + Flag errors when configuration options are repeated + illegally. - Further tweaks for GNU/kFreeBSD + Further tweaks for GNU/kFreeBSD - Add --no-wrap to msgmerge call - provides nicer .po file - format. + Add --no-wrap to msgmerge call - provides nicer .po file + format. - Honour lease-time spec in dhcp-host lines even for - BOOTP. The user is assumed to known what they are doing in - this case. (Hosts without the time spec still get infinite - leases for BOOTP, over-riding the default in the - dhcp-range.) Thanks to Peter Katzmann for uncovering this. + Honour lease-time spec in dhcp-host lines even for + BOOTP. The user is assumed to known what they are doing in + this case. (Hosts without the time spec still get infinite + leases for BOOTP, over-riding the default in the + dhcp-range.) Thanks to Peter Katzmann for uncovering this. - Fix problem matching relay-agent ids. Thanks to Michael - Rack for the bug report. + Fix problem matching relay-agent ids. Thanks to Michael + Rack for the bug report. - Add --naptr-record option. Suggestion from Johan - Bergquist. + Add --naptr-record option. Suggestion from Johan + Bergquist. - Implement RFC 5107 server-id-override DHCP relay agent - option. + Implement RFC 5107 server-id-override DHCP relay agent + option. - Apply patches from Stefan Kruger for compilation on - Solaris 10 under Sun studio. + Apply patches from Stefan Kruger for compilation on + Solaris 10 under Sun studio. - Yet more tweaking of Linux capability code, to suppress - pointless wingeing from kernel 2.6.25 and above. + Yet more tweaking of Linux capability code, to suppress + pointless wingeing from kernel 2.6.25 and above. - Improve error checking during startup. Previously, some - errors which occurred during startup would be worked - around, with dnsmasq still starting up. Some were logged, - some silent. Now, they all cause a fatal error and dnsmasq - terminates with a non-zero exit code. The errors are those - associated with changing uid and gid, setting process - capabilities and writing the pidfile. Thanks to Uwe - Gansert and the Suse security team for pointing out - this improvement, and Bill Reimers for good implementation - suggestions. + Improve error checking during startup. Previously, some + errors which occurred during startup would be worked + around, with dnsmasq still starting up. Some were logged, + some silent. Now, they all cause a fatal error and dnsmasq + terminates with a non-zero exit code. The errors are those + associated with changing uid and gid, setting process + capabilities and writing the pidfile. Thanks to Uwe + Gansert and the Suse security team for pointing out + this improvement, and Bill Reimers for good implementation + suggestions. - Provide NO_LARGEFILE compile option to switch off largefile - support when compiling against versions of uclibc which - don't support it. Thanks to Stephane Billiart for the patch. - - Implement random source ports for interactions with - upstream nameservers. New spoofing attacks have been found - against nameservers which do not do this, though it is not - clear if dnsmasq is vulnerable, since to doesn't implement - recursion. By default dnsmasq will now use a different - source port (and socket) for each query it sends - upstream. This behaviour can suppressed using the - --query-port option, and the old default behaviour - restored using --query-port=0. Explicit source-port - specifications in --server configs are still honoured. + Provide NO_LARGEFILE compile option to switch off largefile + support when compiling against versions of uclibc which + don't support it. Thanks to Stephane Billiart for the patch. - Replace the random number generator, for better - security. On most BSD systems, dnsmasq uses the - arc4random() RNG, which is secure, but on other platforms, - it relied on the C-library RNG, which may be - guessable and therefore allow spoofing. This release - replaces the libc RNG with the SURF RNG, from Daniel - J. Berstein's DJBDNS package. + Implement random source ports for interactions with + upstream nameservers. New spoofing attacks have been found + against nameservers which do not do this, though it is not + clear if dnsmasq is vulnerable, since to doesn't implement + recursion. By default dnsmasq will now use a different + source port (and socket) for each query it sends + upstream. This behaviour can suppressed using the + --query-port option, and the old default behaviour + restored using --query-port=0. Explicit source-port + specifications in --server configs are still honoured. - Don't attempt to change user or group or set capabilities - if dnsmasq is run as a non-root user. Without this, the - change from soft to hard errors when these fail causes - problems for non-root daemons listening on high - ports. Thanks to Patrick McLean for spotting this. + Replace the random number generator, for better + security. On most BSD systems, dnsmasq uses the + arc4random() RNG, which is secure, but on other platforms, + it relied on the C-library RNG, which may be + guessable and therefore allow spoofing. This release + replaces the libc RNG with the SURF RNG, from Daniel + J. Berstein's DJBDNS package. - Updated French translation. Thanks to Gildas Le Nadan. + Don't attempt to change user or group or set capabilities + if dnsmasq is run as a non-root user. Without this, the + change from soft to hard errors when these fail causes + problems for non-root daemons listening on high + ports. Thanks to Patrick McLean for spotting this. + Updated French translation. Thanks to Gildas Le Nadan. + version 2.42 - The changelog for version 2.42 and earlier is - available in CHANGELOG.archive. + The changelog for version 2.42 and earlier is + available in CHANGELOG.archive.