--- embedaddon/dnsmasq/CHANGELOG 2013/07/29 19:37:40 1.1.1.1 +++ embedaddon/dnsmasq/CHANGELOG 2016/11/02 09:57:01 1.1.1.3 
@@ -1,3 +1,678 @@ +version 2.76 + Include 0.0.0.0/8 in DNS rebind checks. This range + translates to hosts on the local network, or, at + least, 0.0.0.0 accesses the local host, so could + be targets for DNS rebinding. See RFC 5735 section 3 + for details. Thanks to Stephen Röttger for the bug report. + + Enhance --add-subnet to allow arbitrary subnet addresses. + Thanks to Ed Barsley for the patch. + + Respect the --no-resolv flag in inotify code. Fixes bug + which caused dnsmasq to fail to start if a resolv-file + was a dangling symbolic link, even of --no-resolv set. + Thanks to Alexander Kurtz for spotting the problem. + + Fix crash when an A or AAAA record is defined locally, + in a hosts file, and an upstream server sends a reply + that the same name is empty. Thanks to Edwin Török for + the patch. + + Fix failure to correctly calculate cache-size when + reading a hosts-file fails. Thanks to André Glüpker + for the patch. + + Fix wrong answer to simple name query when --domain-needed + set, but no upstream servers configured. Dnsmasq returned + REFUSED, in this case, when it should be the same as when + upstream servers are configured - NOERROR. Thanks to + Allain Legacy for spotting the problem. + + Return REFUSED when running out of forwarding table slots, + not SERVFAIL. + + Add --max-port configuration. Thanks to Hans Dedecker for + the patch. + + Add --script-arp and two new functions for the dhcp-script. + These are "arp" and "arp-old" which announce the arrival and + removal of entries in the ARP or nieghbour tables. + + Extend --add-mac to allow a new encoding of the MAC address + as base64, by configurting --add-mac=base64 + + Add --add-cpe-id option. + + Don't crash with divide-by-zero if an IPv6 dhcp-range + is declared as a whole /64. + (ie xx::0 to xx::ffff:ffff:ffff:ffff) + Thanks to Laurent Bendel for spotting this problem. + + Add support for a TTL parameter in --host-record and + --cname. + + Add --dhcp-ttl option. + + Add --tftp-mtu option. 
Thanks to Patrick McLean for the + initial patch. + + Check return-code of inet_pton() when parsing dhcp-option. + Bad addresses could fail to generate errors and result in + garbage dhcp-options being sent. Thanks to Marc Branchaud + for spotting this. + + Fix wrong value for EDNS UDP packet size when using + --servers-file to define upstream DNS servers. Thanks to + Scott Bonar for the bug report. + + Move the dhcp_release and dhcp_lease_time tools from + contrib/wrt to contrib/lease-tools. + + Add dhcp_release6 to contrib/lease-tools. Many thanks + to Sergey Nechaev for this code. + + To avoid filling logs in configurations which define + many upstream nameservers, don't log more that 30 servers. + The number to be logged can be changed as SERVERS_LOGGED + in src/config.h. + + Swap the values if BC_EFI and x86-64_EFI in --pxe-service. + These were previously wrong due to an error in RFC 4578. + If you're using BC_EFI to boot 64-bit EFI machines, you + will need to update your config. + + Add ARM32_EFI and ARM64_EFI as valid architectures in + --pxe-service. + + Fix PXE booting for UEFI architectures. Modify PXE boot + sequence in this case to force the client to talk to dnsmasq + over port 4011. This makes PXE and especially proxy-DHCP PXE + work with these archictectures. + + Workaround problems with UEFI PXE clients. There exist + in the wild PXE clients which have problems with PXE + boot menus. To work around this, when there's a single + --pxe-service which applies to client, then that target + will be booted directly, rather then sending a + single-item boot menu. + + Many thanks to Jarek Polok, Michael Kuron and Dreamcat4 + for their work on the long-standing UEFI PXE problem. + + Subtle change in the semantics of "basename" in + --pxe-service. The historical behaviour has always been + that the actual filename downloaded from the TFTP server + is . where is an integer which + corresponds to the layer parameter supplied by the client. 
+ It's not clear what the function of the "layer" + actually is in the PXE protocol, and in practise layer + is always zero, so the filename is .0 + The new behaviour is the same as the old, except when + includes a file suffix, in which case + the layer suffix is no longer added. This allows + sensible suffices to be used, rather then the + meaningless ".0". Only in the unlikely event that you + have a config with a basename which already has a + suffix, is this an incompatible change, since the file + downloaded will change from name.suffix.0 to just + name.suffix + + +version 2.75 + Fix reversion on 2.74 which caused 100% CPU use when a + dhcp-script is configured. Thanks to Adrian Davey for + reporting the bug and testing the fix. + + +version 2.74 + Fix reversion in 2.73 where --conf-file would attempt to + read the default file, rather than no file. + + Fix inotify code to handle dangling symlinks better and + not SEGV in some circumstances. + + DNSSEC fix. In the case of a signed CNAME generated by a + wildcard which pointed to an unsigned domain, the wrong + status would be logged, and some necessary checks omitted. + + +version 2.73 + Fix crash at startup when an empty suffix is supplied to + --conf-dir, also trivial memory leak. Thanks to + Tomas Hozza for spotting this. + + Remove floor of 4096 on advertised EDNS0 packet size when + DNSSEC in use, the original rationale for this has long gone. + Thanks to Anders Kaseorg for spotting this. + + Use inotify for checking on updates to /etc/resolv.conf and + friends under Linux. This fixes race conditions when the files are + updated rapidly and saves CPU by noy polling. To build + a binary that runs on old Linux kernels without inotify, + use make COPTS=-DNO_INOTIFY + + Fix breakage of --domain=,,local - only reverse + queries were intercepted. THis appears to have been broken + since 2.69. Thanks to Josh Stone for finding the bug. 
+ + Eliminate IPv6 privacy addresses and deprecated addresses from + the answers given by --interface-name. Note that reverse queries + (ie looking for names, given addresses) are not affected. + Thanks to Michael Gorbach for the suggestion. + + Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids + for the bug report. + + Add --ignore-address option. Ignore replies to A-record + queries which include the specified address. No error is + generated, dnsmasq simply continues to listen for another + reply. This is useful to defeat blocking strategies which + rely on quickly supplying a forged answer to a DNS + request for certain domains, before the correct answer can + arrive. Thanks to Glen Huang for the patch. + + Revisit the part of DNSSEC validation which determines if an + unsigned answer is legit, or is in some part of the DNS + tree which should be signed. Dnsmasq now works from the + DNS root downward looking for the limit of signed + delegations, rather than working bottom up. This is + both more correct, and less likely to trip over broken + nameservers in the unsigned parts of the DNS tree + which don't respond well to DNSSEC queries. + + Add --log-queries=extra option, which makes logs easier + to search automatically. + + Add --min-cache-ttl option. I've resisted this for a long + time, on the grounds that disbelieving TTLs is never a + good idea, but I've been persuaded that there are + sometimes reasons to do it. (Step forward, GFW). + To avoid misuse, there's a hard limit on the TTL + floor of one hour. Thansk to RinSatsuki for the patch. + + Cope with multiple interfaces with the same link-local + address. (IPv6 addresses are scoped, so this is allowed.) + Thanks to Cory Benfield for help with this. + + Add --dhcp-hostsdir. This allows addition of new host + configurations to a running dnsmasq instance much more + cheaply than having dnsmasq re-read all its existing + configuration each time. 
+ + Don't reply to DHCPv6 SOLICIT messages if we're not + configured to do stateful DHCPv6. Thanks to Win King Wan + for the patch. + + Fix broken DNSSEC validation of ECDSA signatures. + + Add --dnssec-timestamp option, which provides an automatic + way to detect when the system time becomes valid after + boot on systems without an RTC, whilst allowing DNS + queries before the clock is valid so that NTP can run. + Thanks to Kevin Darbyshire-Bryant for developing this idea. + + Add --tftp-no-fail option. Thanks to Stefan Tomanek for + the patch. + + Fix crash caused by looking up servers.bind, CHAOS text + record, when more than about five --servers= lines are + in the dnsmasq config. This causes memory corruption + which causes a crash later. Thanks to Matt Coddington for + sterling work chasing this down. + + Fix crash on receipt of certain malformed DNS requests. + Thanks to Nick Sampanis for spotting the problem. + Note that this is could allow the dnsmasq process's + memory to be read by an attacker under certain + circumstances, so it has a CVE, CVE-2015-3294 + + Fix crash in authoritative DNS code, if a .arpa zone + is declared as authoritative, and then a PTR query which + is not to be treated as authoritative arrived. Normally, + directly declaring .arpa zone as authoritative is not + done, so this crash wouldn't be seen. Instead the + relevant .arpa zone should be specified as a subnet + in the auth-zone declaration. Thanks to Johnny S. Lee + for the bugreport and initial patch. + + Fix authoritative DNS code to correctly reply to NS + and SOA queries for .arpa zones for which we are + declared authoritative by means of a subnet in auth-zone. + Previously we provided correct answers to PTR queries + in such zones (including NS and SOA) but not direct + NS and SOA queries. Thanks to Johnny S. Lee for + pointing out the problem. + + Fix logging of DHCPREPLY which should be suppressed + by quiet-dhcp6. Thanks to J. Pablo Abonia for + spotting the problem. 
+ + Try and handle net connections with broken fragmentation + that lose large UDP packets. If a server times out, + reduce the maximum UDP packet size field in the EDNS0 + header to 1280 bytes. If it then answers, make that + change permanent. + + Check IPv4-mapped IPv6 addresses when --stop-rebind + is active. Thanks to Jordan Milne for spotting this. + + Allow DHCPv4 options T1 and T2 to be set using --dhcp-option. + Thanks to Kevin Benton for patches and work on this. + + Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses + in the correct subnet, even of not in dynamic address + allocation range. Thanks to Steve Hirsch for spotting + the problem. + + Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks + to Nicolas Cavallari for the patch. + + Allow configuration of router advertisements without the + "on-link" bit set. Thanks to Neil Jerram for the patch. + + Extend --bridge-interface to DHCPv6 and router + advertisements. Thanks to Neil Jerram for the patch. + + +version 2.72 + Add ra-advrouter mode, for RFC-3775 mobile IPv6 support. + + Add support for "ipsets" in *BSD, using pf. Thanks to + Sven Falempim for the patch. + + Fix race condition which could lock up dnsmasq when an + interface goes down and up rapidly. Thanks to Conrad + Kostecki for helping to chase this down. + + Add DBus methods SetFilterWin2KOption and SetBogusPrivOption + Thanks to the Smoothwall project for the patch. + + Fix failure to build against Nettle-3.0. Thanks to Steven + Barth for spotting this and finding the fix. + + When assigning existing DHCP leases to intefaces by comparing + networks, handle the case that two or more interfaces have the + same network part, but different prefix lengths (favour the + longer prefix length.) Thanks to Lung-Pin Chang for the + patch. 
+ + Add a mode which detects and removes DNS forwarding loops, ie + a query sent to an upstream server returns as a new query to + dnsmasq, and would therefore be forwarded again, resulting in + a query which loops many times before being dropped. Upstream + servers which loop back are disabled and this event is logged. + Thanks to Smoothwall for their sponsorship of this feature. + + Extend --conf-dir to allow filtering of files. So + --conf-dir=/etc/dnsmasq.d,\*.conf + will load all the files in /etc/dnsmasq.d which end in .conf + + Fix bug when resulted in NXDOMAIN answers instead of NODATA in + some circumstances. + + Fix bug which caused dnsmasq to become unresponsive if it + failed to send packets due to a network interface disappearing. + Thanks to Niels Peen for spotting this. + + Fix problem with --local-service option on big-endian platforms + Thanks to Richard Genoud for the patch. + + +version 2.71 + Subtle change to error handling to help DNSSEC validation + when servers fail to provide NODATA answers for + non-existent DS records. + + Tweak code which removes DNSSEC records from answers when + not required. Fixes broken answers when additional section + has real records in it. Thanks to Marco Davids for the bug + report. + + Fix DNSSEC validation of ANY queries. Thanks to Marco Davids + for spotting that too. + + Fix total DNS failure and 100% CPU use if cachesize set to zero, + regression introduced in 2.69. Thanks to James Hunt and + the Ubuntu crowd for assistance in fixing this. + + +version 2.70 + Fix crash, introduced in 2.69, on TCP request when dnsmasq + compiled with DNSSEC support, but running without DNSSEC + enabled. Thanks to Manish Sing for spotting that one. + + Fix regression which broke ipset functionality. Thanks to + Wang Jian for the bug report. + + +version 2.69 + Implement dynamic interface discovery on *BSD. This allows + the contructor: syntax to be used in dhcp-range for DHCPv6 + on the BSD platform. 
Thanks to Matthias Andree for + valuable research on how to implement this. + + Fix infinite loop associated with some --bogus-nxdomain + configs. Thanks fogobogo for the bug report. + + Fix missing RA RDNS option with configuration like + --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer + for spotting the problem. + + Add [fd00::] and [fe80::] as special addresses in DHCPv6 + options, analogous to [::]. [fd00::] is replaced with the + actual ULA of the interface on the machine running + dnsmasq, [fe80::] with the link-local address. + Thanks to Tsachi Kimeldorfer for championing this. + + DNSSEC validation and caching. Dnsmasq needs to be + compiled with this enabled, with + + make dnsmasq COPTS=-DHAVE_DNSSEC + + this add dependencies on the nettle crypto library and the + gmp maths library. It's possible to have these linked + statically with + + make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC' + + which bloats the dnsmasq binary, but saves the size of + the shared libraries which are much bigger. + + To enable, DNSSEC, you will need a set of + trust-anchors. Now that the TLDs are signed, this can be + the keys for the root zone, and for convenience they are + included in trust-anchors.conf in the dnsmasq + distribution. You should of course check that these are + legitimate and up-to-date. So, adding + + conf-file=/path/to/trust-anchors.conf + dnssec + + to your config is all thats needed to get things + working. The upstream nameservers have to be DNSSEC-capable + too, of course. Many ISP nameservers aren't, but the + Google public nameservers (8.8.8.8 and 8.8.4.4) are. + When DNSSEC is configured, dnsmasq validates any queries + for domains which are signed. Query results which are + bogus are replaced with SERVFAIL replies, and results + which are correctly signed have the AD bit set. 
In + addition, and just as importantly, dnsmasq supplies + correct DNSSEC information to clients which are doing + their own validation, and caches DNSKEY, DS and RRSIG + records, which significantly improve the performance of + downstream validators. Setting --log-queries will show + DNSSEC in action. + + If a domain is returned from an upstream nameserver without + DNSSEC signature, dnsmasq by default trusts this. This + means that for unsigned zone (still the majority) there + is effectively no cost for having DNSSEC enabled. Of course + this allows an attacker to replace a signed record with a + false unsigned record. This is addressed by the + --dnssec-check-unsigned flag, which instructs dnsmasq + to prove that an unsigned record is legitimate, by finding + a secure proof that the zone containing the record is not + signed. Doing this has costs (typically one or two extra + upstream queries). It also has a nasty failure mode if + dnsmasq's upstream nameservers are not DNSSEC capable. + Without --dnssec-check-unsigned using such an upstream + server will simply result in not queries being validated; + with --dnssec-check-unsigned enabled and a + DNSSEC-ignorant upstream server, _all_ queries will fail. + + Note that DNSSEC requires that the local time is valid and + accurate, if not then DNSSEC validation will fail. NTP + should be running. This presents a problem for routers + without a battery-backed clock. To set the time needs NTP + to do DNS lookups, but lookups will fail until NTP has run. + To address this, there's a flag, --dnssec-no-timecheck + which disables the time checks (only) in DNSSEC. When dnsmasq + is started and the clock is not synced, this flag should + be used. As soon as the clock is synced, SIGHUP dnsmasq. + The SIGHUP clears the cache of partially-validated data and + resets the no-timecheck flag, so that all DNSSEC checks + henceforward will be complete. 
+ + The development of DNSSEC in dnsmasq was started by + Giovanni Bajo, to whom huge thanks are owed. It has been + supported by Comcast, whose techfund grant has allowed for + an invaluable period of full-time work to get it to + a workable state. + + Add --rev-server. Thanks to Dave Taht for suggesting this. + + Add --servers-file. Allows dynamic update of upstream servers + full access to configuration. + + Add --local-service. Accept DNS queries only from hosts + whose address is on a local subnet, ie a subnet for which + an interface exists on the server. This option + only has effect if there are no --interface --except-interface, + --listen-address or --auth-server options. It is intended + to be set as a default on installation, to allow + unconfigured installations to be useful but also safe from + being used for DNS amplification attacks. + + Fix crashes in cache_get_cname_target() when dangling CNAMEs + encountered. Thanks to Andy and the rt-n56u project for + find this and helping to chase it down. + + Fix wrong RCODE in authoritative DNS replies to PTR queries. The + correct answer was included, but the RCODE was set to NXDOMAIN. + Thanks to Craig McQueen for spotting this. + + Make statistics available as DNS queries in the .bind TLD as + well as logging them. + + +version 2.68 + Use random addresses for DHCPv6 temporary address + allocations, instead of algorithmically determined stable + addresses. + + Fix bug which meant that the DHCPv6 DUID was not available + in DHCP script runs during the lifetime of the dnsmasq + process which created the DUID de-novo. Once the DUID was + created and stored in the lease file and dnsmasq + restarted, this bug disappeared. + + Fix bug introduced in 2.67 which could result in erroneous + NXDOMAIN returns to CNAME queries. + + Fix build failures on MacOS X and openBSD. + + Allow subnet specifications in --auth-zone to be interface + names as well as address literals. 
This makes it possible + to configure authoritative DNS when local address ranges + are dynamic and works much better than the previous + work-around which exempted contructed DHCP ranges from the + IP address filtering. As a consequence, that work-around + is removed. Under certain circumstances, this change wil + break existing configuration: if you're relying on the + contructed-range exception, you need to change --auth-zone + to specify the same interface as is used to construct your + DHCP ranges, probably with a trailing "/6" like this: + --auth-zone=example.com,eth0/6 to limit the addresses to + IPv6 addresses of eth0. + + Fix problems when advertising deleted IPv6 prefixes. If + the prefix is deleted (rather than replaced), it doesn't + get advertised with zero preferred time. Thanks to Tsachi + for the bug report. + + Fix segfault with some locally configured CNAMEs. Thanks + to Andrew Childs for spotting the problem. + + Fix memory leak on re-reading /etc/hosts and friends, + introduced in 2.67. + + Check the arrival interface of incoming DNS and TFTP + requests via IPv6, even in --bind-interfaces mode. This + isn't possible for IPv4 and can generate scary warnings, + but as it's always possible for IPv6 (the API always + exists) then we should do it always. + + Tweak the rules on prefix-lengths in --dhcp-range for + IPv6. The new rule is that the specified prefix length + must be larger than or equal to the prefix length of the + corresponding address on the local interface. + + +version 2.67 + Fix crash if upstream server returns SERVFAIL when + --conntrack in use. Thanks to Giacomo Tazzari for finding + this and supplying the patch. + + Repair regression in 2.64. That release stopped sending + lease-time information in the reply to DHCPINFORM + requests, on the correct grounds that it was a standards + violation. However, this broke the dnsmasq-specific + dhcp_lease_time utility. 
Now, DHCPINFORM returns + lease-time only if it's specifically requested + (maintaining standards) and the dhcp_lease_time utility + has been taught to ask for it (restoring functionality). + + Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass + to work with BOOTP and well as DHCP. Thanks to Peter + Korsgaard for spotting the problem. + + Add --synth-domain. Thanks to Vishvananda Ishaya for + suggesting this. + + Fix failure to compile ipset.c if old kernel headers are + in use. Thanks to Eugene Rudoy for pointing this out. + + Handle IPv4 interface-address labels in Linux. These are + often used to emulate the old IP-alias addresses. Before, + using --interface=eth0 would service all the addresses of + eth0, including ones configured as aliases, which appear + in ifconfig as eth0:0. Now, only addresses with the label + eth0 are active. This is not backwards compatible: if you + want to continue to bind the aliases too, you need to add + eg. --interface=eth0:0 to the config. + + Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket + operation on non-socket" error on startup with + configurations which have exactly one --interface option + and do RA but _not_ DHCPv6. Thanks to Trever Adams for the + bug report. + + Generalise --interface-name to cope with IPv6 addresses + and multiple addresses per interface per address family. + + Fix option parsing for --dhcp-host, which was generating a + spurious error when all seven possible items were + included. Thanks to Zhiqiang Wang for the bug report. + + Remove restriction on prefix-length in --auth-zone. Thanks + to Toke Hoiland-Jorgensen for suggesting this. + + Log when the maximum number of concurrent DNS queries is + reached. Thanks to Marcelo Salhab Brogliato for the patch. + + If wildcards are used in --interface, don't assume that + there will only ever be one available interface for DHCP + just because there is one at start-up. More may appear, so + we can't use SO_BINDTODEVICE. 
Thanks to Natrio for the bug + report. + + Increase timeout/number of retries in TFTP to accomodate + AudioCodes Voice Gateways doing streaming writes to flash. + Thanks to Damian Kaczkowski for spotting the problem. + + Fix crash with empty DHCP string options when adding zero + terminator. Thanks to Patrick McLean for the bug report. + + Allow hostnames to start with a number, as allowed in + RFC-1123. Thanks to Kyle Mestery for the patch. + + Fixes to DHCP FQDN option handling: don't terminate FQDN + if domain not known and allow a FQDN option with blank + name to request that a FQDN option is returned in the + reply. Thanks to Roy Marples for the patch. + + Make --clear-on-reload apply to setting upstream servers + via DBus too. + + When the address which triggered the construction of an + advertised IPv6 prefix disappears, continue to advertise + the prefix for up to 2 hours, with the preferred lifetime + set to zero. This satisfies RFC 6204 4.3 L-13 and makes + things work better if a prefix disappears without being + deprecated first. Thanks to Uwe Schindler for persuasively + arguing for this. + + Fix MAC address enumeration on *BSD. Thanks to Brad Smith + for the bug report. + + Support RFC-4242 information-refresh-time options in the + reply to DHCPv6 information-request. The lease time of the + smallest valid dhcp-range is sent. Thanks to Uwe Schindler + for suggesting this. + + Make --listen-address higher priority than --except-interface + in all circumstances. Thanks to Thomas Hood for the bugreport. + + Provide independent control over which interfaces get TFTP + service. If enable-tftp is given a list of interfaces, then TFTP + is provided on those. Without the list, the previous behaviour + (provide TFTP to the same interfaces we provide DHCP to) + is retained. Thanks to Lonnie Abelbeck for the suggestion. + + Add --dhcp-relay config option. Many thanks to vtsl.net + for sponsoring this development. + + Fix crash with empty tag: in --dhcp-range. 
Thanks to + Kaspar Schleiser for the bug report. + + Add "baseline" and "bloatcheck" makefile targets, for + revealing size changes during development. Thanks to + Vladislav Grishenko for the patch. + + Cope with DHCPv6 clients which send REQUESTs without + address options - treat them as SOLICIT with rapid commit. + + Support identification of clients by MAC address in + DHCPv6. When using a relay, the relay must support RFC + 6939 for this to work. It always works for directly + connected clients. Thanks to Vladislav Grishenko + for prompting this feature. + + Remove the rule for constructed DHCP ranges that the local + address must be either the first or last address in the + range. This was originally to avoid SLAAC addresses, but + we now explicitly autoconfig and privacy addresses instead. + + Update Polish translation. Thanks to Jan Psota. + + Fix problem in DHCPv6 vendorclass/userclass matching + code. Thanks to Tanguy Bouzeloc for the patch. + + Update Spanish transalation. Thanks to Vicente Soriano. + + Add --ra-param option. Thanks to Vladislav Grishenko for + inspiration on this. + + Add --add-subnet configuration, to tell upstream DNS + servers where the original client is. Thanks to DNSthingy + for sponsoring this feature. + + Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to + Kevin Darbyshire-Bryant for the initial patch. + + Allow A/AAAA records created by --interface-name to be the + target of --cname. Thanks to Hadmut Danisch for the + suggestion. + + Avoid treating a --dhcp-host which has an IPv6 address + as eligable for use with DHCPv4 on the grounds that it has + no address, and vice-versa. Thanks to Yury Konovalov for + spotting the problem. + + Do a better job caching dangling CNAMEs. Thanks to Yves + Dorfsman for spotting the problem. + + version 2.66 Add the ability to act as an authoritative DNS server. Dnsmasq can now answer queries from the wider 'net
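Review bot: The CVE-2015-3294 entry under version 2.73 is easy to miss where it sits, mid-list between the servers.bind crash fix and the .arpa authoritative fix, and its sentence "Note that this is could allow the dnsmasq process's memory to be read" has a stray "is". This single hunk brings in every release from 2.67 through 2.76, so the import should call out the security-relevant entries separately: CVE-2015-3294, the 0.0.0.0/8 rebind check in 2.76 and the IPv4-mapped IPv6 check for --stop-rebind in 2.73. It should also list the entries that the text itself marks as breaking existing configurations: the BC_EFI / x86-64_EFI swap and the "basename" suffix change in --pxe-service (2.76), the --auth-zone constructed-range change (2.68), and the interface-label handling for --interface (2.67). Separately, the 2.76 "basename" entry reads "is . where is an integer" and "except when includes a file suffix", and the 2.73 entry reads "--domain=,,local"; the placeholder names appear to be missing, so the rule cannot be read from these lines as they stand and is worth checking against the upstream file.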