Annotation of embedaddon/dnsmasq/CHANGELOG, revision 1.1.1.4
1.1.1.4 ! misho 1: version 2.83
! 2: Use the values of --min-port and --max-port in outgoing
! 3: TCP connections to upstream DNS servers.
! 4:
! 5: Fix a remote buffer overflow problem in the DNSSEC code. Any
! 6: dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
! 7: referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,
! 8: CVE-2020-25687.
! 9:
! 10: Be sure to only accept UDP DNS query replies at the address
! 11: from which the query was originated. This keeps as much entropy
! 12: in the {query-ID, random-port} tuple as possible, to help defeat
! 13: cache poisoning attacks. Refer: CVE-2020-25684.
! 14:
! 15: Use the SHA-256 hash function to verify that DNS answers
! 16: received are for the questions originally asked. This replaces
! 17: the slightly insecure SHA-1 (when compiled with DNSSEC) or
! 18: the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
! 19:
! 20: Handle multiple identical near simultaneous DNS queries better.
! 21: Previously, such queries would all be forwarded
! 22: independently. This is, in theory, inefficient but in practice
! 23: not a problem, _except_ that it means that an answer for any
! 24: of the forwarded queries will be accepted and cached.
! 25: An attacker can send a query multiple times, and for each repeat,
! 26: another {port, ID} becomes capable of accepting the answer he is
! 27: sending in the blind, to random IDs and ports. The chance of a
! 28: successful attack is therefore multiplied by the number of repeats
! 29: of the query. The new behaviour detects repeated queries and
! 30: merely stores the clients sending repeats so that when the
! 31: first query completes, the answer can be sent to all the
! 32: clients who asked. Refer: CVE-2020-25686.
! 33:
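The repeated-query handling described above (CVE-2020-25686), together with matching replies on the sending port as well as the ID, sketched as an added C example that is not dnsmasq's code: the forwarding table, its field names and the toy random generator are all assumptions made for illustration. It counts how many {port, ID} tuples are open for one question with and without de-duplication.

```c
/* Added illustration, not dnsmasq source; every name here is hypothetical. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_FWD 64
#define MAX_CLIENTS 16

struct fwd {
    int in_use;
    char name[256];
    unsigned short qtype, id, port;   /* question type, upstream query ID, source port */
    int clients[MAX_CLIENTS];         /* everyone waiting for this answer */
    int nclients;
};

static struct fwd table[MAX_FWD];
static unsigned int seed;

/* Toy LCG so the demo is repeatable; a real forwarder needs a CSPRNG. */
static unsigned short rnd16(void)
{
    seed = seed * 1103515245u + 12345u;
    return (unsigned short)(seed >> 16);
}

void table_reset(void)
{
    memset(table, 0, sizeof table);
    seed = 1;
}

/* Same question? DNS names compare case-insensitively. */
static int same_q(const struct fwd *f, const char *name, unsigned short qtype)
{
    return f->in_use && f->qtype == qtype && strcasecmp(f->name, name) == 0;
}

struct fwd *find_pending(const char *name, unsigned short qtype)
{
    for (int i = 0; i < MAX_FWD; i++)
        if (same_q(&table[i], name, qtype))
            return &table[i];
    return NULL;
}

/* Returns 1 if a new upstream query was created, 0 if the client was attached
   to one already in flight, -1 if there is no room. dedup=0 is the old behaviour. */
int handle_query(int client, const char *name, unsigned short qtype, int dedup)
{
    struct fwd *f = dedup ? find_pending(name, qtype) : NULL;
    if (f) {
        if (f->nclients == MAX_CLIENTS)
            return -1;
        f->clients[f->nclients++] = client;
        return 0;
    }
    for (int i = 0; i < MAX_FWD; i++) {
        if (table[i].in_use)
            continue;
        f = &table[i];
        memset(f, 0, sizeof *f);
        f->in_use = 1;
        snprintf(f->name, sizeof f->name, "%s", name);
        f->qtype = qtype;
        f->id = rnd16();
        f->port = (unsigned short)(1024 + rnd16() % 64000);
        f->clients[f->nclients++] = client;
        return 1;
    }
    return -1;
}

/* Outstanding entries, each with its own {port, ID}, that would accept an answer. */
int open_tuples(const char *name, unsigned short qtype)
{
    int n = 0;
    for (int i = 0; i < MAX_FWD; i++)
        n += same_q(&table[i], name, qtype);
    return n;
}

/* A reply is accepted only if port, ID and question all match one entry.
   Returns the number of clients answered (0 means the reply was dropped). */
int handle_reply(unsigned short port, unsigned short id, const char *name,
                 unsigned short qtype, int *answered)
{
    for (int i = 0; i < MAX_FWD; i++) {
        struct fwd *f = &table[i];
        if (!same_q(f, name, qtype) || f->port != port || f->id != id)
            continue;
        int n = f->nclients;
        memcpy(answered, f->clients, (size_t)n * sizeof(int));
        f->in_use = 0;
        return n;
    }
    return 0;
}

int main(void)
{
    for (int dedup = 0; dedup <= 1; dedup++) {
        table_reset();
        for (int c = 0; c < 8; c++)   /* eight constructed clients ask the same question */
            handle_query(100 + c, "example.com", 1, dedup);
        printf("dedup=%d: %d open {port, ID} tuples\n", dedup, open_tuples("example.com", 1));
    }
    return 0;
}
```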
1.1.1.3 misho 34:
1.1.1.4 ! misho 35: version 2.82
! 36: Improve behaviour in the face of network interfaces which come
! 37: and go and change index. Thanks to Petr Mensik for the patch.
1.1.1.3 misho 38:
1.1.1.4 ! misho 39: Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
! 40: to a warning.
1.1.1.3 misho 41:
1.1.1.4 ! misho 42: Allow IPv6 addresses of the form [::ffff:1.2.3.4] in --dhcp-option.
1.1.1.3 misho 43:
1.1.1.4 ! misho 44: Fix crash under heavy TCP connection load introduced in 2.81.
! 45: Thanks to Frank for good work chasing this down.
1.1.1.3 misho 46:
1.1.1.4 ! misho 47: Change default lease time for DHCPv6 to one day.
! 48:
! 49: Alter calculation of preferred and valid times in router
! 50: advertisements, so that these do not have a floor applied
! 51: of the lease time in the dhcp-range if this is not explicitly
! 52: specified and is merely the default.
! 53: Thanks to Martin-Éric Racine for suggestions on this.
1.1.1.3 misho 54:
55:
1.1.1.4 ! misho 56: version 2.81
! 57: Improve cache behaviour for TCP connections. For ease of
! 58: implementation, dnsmasq has always forked a new process to handle
! 59: each incoming TCP connection. A side-effect of this is that
! 60: any DNS queries answered from TCP connections are not cached:
! 61: when TCP connections were rare, this was not a problem.
! 62: With the coming of DNSSEC, it is now the case that some
! 63: DNSSEC queries have answers which spill to TCP, and if,
! 64: for instance, this applies to the keys for the root, then
! 65: those never get cached, and performance is very bad.
! 66: This fix passes cache entries back from the TCP child process to
! 67: the main server process, and fixes the problem.
! 68:
! 69: Remove the NO_FORK compile-time option, and support for uclinux.
! 70: In an era where everything has an MMU, this looks like
! 71: an anachronism, and it adds to (Ok, multiplies!) the
! 72: combinatorial explosion of compile-time options. Thanks to
! 73: Kevin Darbyshire-Bryant for the patch.
! 74:
! 75: Fix line-counting when reading /etc/hosts and friends; for
! 76: correct error messages. Thanks to Christian Rosentreter
! 77: for reporting this.
! 78:
! 79: Fix bug in DNS non-terminal code, added in 2.80, which could
! 80: sometimes cause a NODATA rather than an NXDOMAIN reply.
! 81: Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
! 82: for spotting and diagnosing the bug and providing patches.
! 83:
! 84: Support TCP-fastopen (RFC-7413) on both incoming and
! 85: outgoing TCP connections, if supported and enabled in the OS.
! 86:
! 87: Improve kernel-capability manipulation code under Linux. Dnsmasq
! 88: now fails early if a required capability is not available, and
! 89: tries not to request capabilities not required by its
! 90: configuration.
! 91:
! 92: Add --shared-network config. This enables allocation of addresses
! 93: by the DHCP server in subnets where the server (or relay) does not
! 94: have an interface on the network in that subnet. Many thanks to
! 95: kamp.de for sponsoring this feature.
1.1.1.3 misho 96:
1.1.1.4 ! misho 97: Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
! 98: validation check got borked in commit 2b38e382 and release 2.80.
! 99: Thanks to Tomasz Szajner for spotting this.
! 100:
! 101: Fix compilation against nettle version 3.5 and later.
! 102:
! 103: Fix spurious DNSSEC validation failures when the auth section
! 104: of a reply contains unsigned RRs from a signed zone,
! 105: with the exception that NSEC and NSEC3 RRs must always be signed.
! 106: Thanks to Tore Anderson for spotting and diagnosing the bug.
1.1.1.3 misho 107:
1.1.1.4 ! misho 108: Add --dhcp-ignore-clid. This disables reading of DHCP client
! 109: identifier option (option 61), so clients are only identified by
! 110: MAC addresses.
! 111:
! 112: Fix a bug which stopped --dhcp-name-match from working when a hostname
! 113: is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
! 114:
! 115: Fix bug which very rarely caused zero-length DHCPv6 packets.
! 116: Thanks to Dereck Higgins for spotting this.
! 117:
! 118: Add --tftp-single-port option.
! 119:
! 120: Enhance --conf-dir to load files in a deterministic order. Thanks to
! 121: Evgenii Seliavka for the suggestion and initial patch.
! 122:
! 123: In the router advert code, handle case where we have two
! 124: different interfaces on the same IPv6 net, and we are doing
! 125: RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
! 126: for spotting this case and making the initial patch.
! 127:
! 128: Support prefixed ranges of ipv6 addresses in dhcp-host.
! 129: This eases problems chain-netbooting, where each link in the
! 130: chain requests an address using a different UID. With a single
! 131: address, only one gets the "static" address, but with this
! 132: fix, enough addresses can be reserved for all the stages of the
! 133: boot. Many thanks to Harald Jensås for his work on this idea and
! 134: earlier patches.
! 135:
! 136: Add filtering by tag of --dhcp-host directives. Based on a patch
! 137: by Harald Jensås.
! 138:
! 139: Allow empty server spec in --rev-server, to match --server.
! 140:
! 141: Remove DSA signature verification from DNSSEC, as specified in
! 142: RFC 8624. Thanks to Loganaden Velvindron for the original patch.
1.1.1.3 misho 143:
1.1.1.4 ! misho 144: Add --script-on-renewal option.
1.1.1.3 misho 145:
146:
1.1.1.4 ! misho 147: version 2.80
! 148: Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
! 149: for the initial patch and motivation.
! 150:
! 151: Alter the default for dnssec-check-unsigned. Versions of
! 152: dnsmasq prior to 2.80 defaulted to not checking unsigned
! 153: replies, and used --dnssec-check-unsigned to switch
! 154: this on. Such configurations will continue to work as before,
! 155: but those which used the default of no checking will need to be
! 156: altered to explicitly select no checking. The new default is
! 157: because switching off checking for unsigned replies is
! 158: inherently dangerous. Not only does it open the possibility of forged
! 159: replies, but it allows everything to appear to be working even
! 160: when the upstream nameservers do not support DNSSEC, and in this
! 161: case no DNSSEC validation at all is occurring.
! 162:
! 163: Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
! 164: are set. Thanks to Daniel Miess for help with this.
! 165:
! 166: Add a facility to store DNS packets sent/received in a
! 167: pcap-format file for later debugging. The file location
! 168: is given by the --dumpfile option, and a bitmap controlling
! 169: which packets should be dumped is given by the --dumpmask
! 170: option.
! 171:
! 172: Handle the case of both standard and constructed dhcp-ranges on the
! 173: same interface better. We don't now construct a dhcp-range if there's
! 174: already one specified. This allows the specified interface to
! 175: have different parameters and avoids advertising the same
! 176: prefix twice. Thanks to Luis Marsano for spotting this case.
! 177:
! 178: Allow zone transfer in authoritative mode if auth-peer is specified,
! 179: even if auth-sec-servers is not. Thanks to Raphaël Halimi for
! 180: the suggestion.
! 181:
! 182: Fix bug which sometimes caused dnsmasq to wrongly return answers
! 183: without DNSSEC RRs to queries with the do-bit set, but only when
! 184: DNSSEC validation was not enabled.
! 185: Thanks to Petr Menšík for spotting this.
! 186:
! 187: Fix missing fatal errors with some malformed options
! 188: (server, local, address, rebind-domain-ok, ipset, alias).
! 189: Thanks to Eugene Lozovoy for spotting the problem.
! 190:
! 191: Fix crash on startup with a --synth-domain which has no prefix.
! 192: Introduced in 2.79. Thanks to Andreas Engel for the bug report.
! 193:
! 194: Fix missing EDNS0 section in some replies generated by local
! 195: DNS configuration which confused systemd-resolved. Thanks to
! 196: Steve Dodd for characterising the problem.
! 197:
! 198: Add --dhcp-name-match config option.
! 199:
! 200: Add --caa-record config option.
! 201:
! 202: Implement --address=/example.com/# as (more efficient) syntactic
! 203: sugar for --address=/example.com/0.0.0.0 and
! 204: --address=/example.com/::
! 205: Returning null addresses is a useful technique for ad-blocking.
! 206: Thanks to Peter Russell for the suggestion.
1.1.1.3 misho 207:
1.1.1.4 ! misho 208: Change anti cache-snooping behaviour with queries with the
! 209: recursion-desired bit unset. Instead of returning SERVFAIL, we
! 210: now always forward, and never answer from the cache. This
! 211: allows "dig +trace" command to work.
! 212:
! 213: Include in the example config file a formulation which
! 214: stops DHCP clients from claiming the DNS name "wpad".
! 215: This is a fix for the CERT Vulnerability VU#598349.
! 216:
! 217:
! 218: version 2.79
! 219: Fix parsing of CNAME arguments, which are confused by extra spaces.
! 220: Thanks to Diego Aguirre for spotting the bug.
! 221:
! 222: Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
! 223: upstream servers to an interface, rather than SO_BINDTODEVICE.
! 224: Thanks to Beniamino Galvani for the patch.
! 225:
! 226: Always return a SERVFAIL answer to DNS queries without the
! 227: recursion desired bit set, UNLESS acting as an authoritative
! 228: DNS server. This avoids a potential route to cache snooping.
! 229:
! 230: Add support for Ed25519 signatures in DNSSEC validation.
! 231:
! 232: No longer support RSA/MD5 signatures in DNSSEC validation,
! 233: since these are not secure. This behaviour is mandated in
! 234: RFC-6944.
! 235:
! 236: Fix incorrect error exit code from dhcp_release6 utility.
! 237: Thanks Gaudenz Steinlin for the bug report.
! 238:
! 239: Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
! 240: time validation when --dnssec-no-timecheck is in use.
! 241: Note that this is an incompatible change from earlier releases.
! 242:
! 243: Allow more than one --bridge-interface option to refer to an
! 244: interface, so that we can use
! 245: --bridge-interface=int1,alias1
! 246: --bridge-interface=int1,alias2
! 247: as an alternative to
! 248: --bridge-interface=int1,alias1,alias2
! 249: Thanks to Neil Jerram for work on this.
! 250:
! 251: Fix for DNSSEC with wildcard-derived NSEC records.
! 252: It's OK for NSEC records to be expanded from wildcards,
! 253: but in that case, the proof of non-existence is only valid
! 254: starting at the wildcard name, *.<domain> NOT the name expanded
! 255: from the wildcard. Without this check it's possible for an
! 256: attacker to craft an NSEC which wrongly proves non-existence.
! 257: Thanks to Ralph Dolmans for finding this, and co-ordinating
! 258: the vulnerability tracking and fix release.
! 259: CVE-2017-15107 applies.
! 260:
! 261: Remove special handling of A-for-A DNS queries. These
! 262: are no longer a significant problem in the global DNS.
! 263: http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
! 264: Thanks to Mattias Hellström for the initial patch.
! 265:
! 266: Fix failure to delete dynamically created dhcp options
! 267: from files in --dhcp-optsdir directories. Thanks to
! 268: Lindgren Fredrik for the bug report.
! 269:
! 270: Add to --synth-domain the ability to create names using
! 271: sequential numbers, as well as encodings of IP addresses.
! 272: For instance,
! 273: --synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
! 274: creates 21 domain names of the form
! 275: internal-4.thekelleys.org.uk over the address range given, with
! 276: internal-0.thekelleys.org.uk being 192.168.0.50 and
! 277: internal-20.thekelleys.org.uk being 192.168.0.70
! 278: Thanks to Andy Hawkins for the suggestion.
! 279:
! 280: Tidy up Crypto code, removing workarounds for ancient
! 281: versions of libnettle. We now require libnettle 3.
! 282:
! 283:
! 284: version 2.78
! 285: Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
! 286: Novakovic for the patch.
! 287:
! 288: Revert ping-check of address in DHCPDISCOVER if there
! 289: already exists a lease for the address. Under some
! 290: circumstances, a netbooted Windows installation can reply
! 291: to pings before it has a DHCP lease and block allocation
! 292: of the address it already used during netboot. Thanks to
! 293: Jan Psota for spotting this.
! 294:
! 295: Fix DHCP relaying, broken in 2.76 and 2.77 by commit
! 296: ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
! 297: John Fitzgibbon for the diagnosis and patch.
! 298:
! 299: Try other servers if first returns REFUSED when
! 300: --strict-order active. Thanks to Hans Dedecker
! 301: for the patch.
! 302:
! 303: Fix regression in 2.77, ironically added as a security
! 304: improvement, which resulted in a crash when a DNS
! 305: query exceeded 512 bytes (or the EDNS0 packet size,
! 306: if different.) Thanks to Christian Kujau, Arne Woerner,
! 307: Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
! 308: chasing this one down. CVE-2017-13704 applies.
! 309:
! 310: Fix heap overflow in DNS code. This is a potentially serious
! 311: security hole. It allows an attacker who can make DNS
! 312: requests to dnsmasq, and who controls the contents of
! 313: a domain, which is thereby queried, to overflow
! 314: (by 2 bytes) a heap buffer and either crash, or
! 315: even take control of, dnsmasq.
! 316: CVE-2017-14491 applies.
! 317: Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
! 318: Kevin Hamacher and Ron Bowes of the Google Security Team for
! 319: finding this.
! 320:
! 321: Fix heap overflow in IPv6 router advertisement code.
! 322: This is a potentially serious security hole, as a
! 323: crafted RA request can overflow a buffer and crash or
! 324: control dnsmasq. Attacker must be on the local network.
! 325: CVE-2017-14492 applies.
! 326: Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
! 327: and Kevin Hamacher of the Google Security Team for
! 328: finding this.
! 329:
! 330: Fix stack overflow in DHCPv6 code. An attacker who can send
! 331: a DHCPv6 request to dnsmasq can overflow the stack frame and
! 332: crash or control dnsmasq.
! 333: CVE-2017-14493 applies.
! 334: Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
! 335: Kevin Hamacher and Ron Bowes of the Google Security Team for
! 336: finding this.
! 337:
! 338: Fix information leak in DHCPv6. A crafted DHCPv6 packet can
! 339: cause dnsmasq to forward memory from outside the packet
! 340: buffer to a DHCPv6 server when acting as a relay.
! 341: CVE-2017-14494 applies.
! 342: Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
! 343: Kevin Hamacher and Ron Bowes of the Google Security Team for
! 344: finding this.
! 345:
! 346: Fix DoS in DNS. Invalid boundary checks in the
! 347: add_pseudoheader function allow a memcpy call with negative
! 348: size. An attacker which can send malicious DNS queries
! 349: to dnsmasq can trigger a DoS remotely.
! 350: dnsmasq is vulnerable only if one of the following options is
! 351: specified: --add-mac, --add-cpe-id or --add-subnet.
! 352: CVE-2017-14496 applies.
! 353: Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
! 354: Kevin Hamacher and Ron Bowes of the Google Security Team for
! 355: finding this.
! 356:
! 357: Fix out-of-memory DoS vulnerability. An attacker which can
! 358: send malicious DNS queries to dnsmasq can trigger memory
! 359: allocations in the add_pseudoheader function.
! 360: The allocated memory is never freed which leads to a DoS
! 361: through memory exhaustion. dnsmasq is vulnerable only
! 362: if one of the following options is specified:
! 363: --add-mac, --add-cpe-id or --add-subnet.
! 364: CVE-2017-14495 applies.
! 365: Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
! 366: Kevin Hamacher and Ron Bowes of the Google Security Team for
! 367: finding this.
! 368:
! 369:
! 370: version 2.77
! 371: Generate an error when configured with a CNAME loop,
! 372: rather than a crash. Thanks to George Metz for
! 373: spotting this problem.
! 374:
! 375: Calculate the length of TFTP error reply packet
! 376: correctly. This fixes a problem when the error
! 377: message in a TFTP packet exceeds the arbitrary
! 378: limit of 500 characters. The message was correctly
! 379: truncated, but not the packet length, so
! 380: extra data was appended. This is a possible
! 381: security risk, since the extra data comes from
! 382: a buffer which is also used for DNS, so that
! 383: previous DNS queries or replies may be leaked.
! 384: Thanks to Mozilla for funding the security audit
! 385: which spotted this bug.
! 386:
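The TFTP error-reply length bug described above, as an added C example that is not taken from dnsmasq: it assumes the message is formatted with snprintf(), whose return value is the untruncated length, and uses hypothetical function names and a constructed 0xAA-filled buffer standing in for earlier DNS data left in the shared buffer.

```c
/* Added illustration of the bug class, not dnsmasq source; names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ERR_MSG_MAX 500    /* the 500-character limit mentioned in the changelog */
#define TFTP_OP_ERROR 5    /* RFC 1350 ERROR opcode */
#define HDR_LEN 4          /* 2-byte opcode + 2-byte error code */

static void put_header(unsigned char *pkt, uint16_t code)
{
    pkt[0] = 0;
    pkt[1] = TFTP_OP_ERROR;
    pkt[2] = (unsigned char)(code >> 8);
    pkt[3] = (unsigned char)(code & 0xff);
}

/* Both builders need pkt to hold at least HDR_LEN + ERR_MSG_MAX bytes. */

/* Buggy: snprintf() truncates what it writes but returns the length the
   whole string would have had, so the packet length overshoots the message. */
size_t tftp_err_buggy(unsigned char *pkt, uint16_t code, const char *file)
{
    put_header(pkt, code);
    int len = snprintf((char *)pkt + HDR_LEN, ERR_MSG_MAX, "file %s not found", file);
    return HDR_LEN + (size_t)len + 1;
}

/* Fixed: clamp the length to what was actually written. */
size_t tftp_err_fixed(unsigned char *pkt, uint16_t code, const char *file)
{
    put_header(pkt, code);
    int len = snprintf((char *)pkt + HDR_LEN, ERR_MSG_MAX, "file %s not found", file);
    if (len < 0) {
        pkt[HDR_LEN] = '\0';
        len = 0;
    }
    if (len >= ERR_MSG_MAX)
        len = ERR_MSG_MAX - 1;
    return HDR_LEN + (size_t)len + 1;
}

/* Build an error for a 700-character file name in a buffer that still holds
   old data, and count how many old bytes fall inside the reported length. */
size_t demo(int fixed, size_t *stale)
{
    unsigned char buf[2048];
    char file[701];

    memset(buf, 0xAA, sizeof buf);      /* constructed stand-in for earlier DNS data */
    memset(file, 'A', 700);
    file[700] = '\0';

    size_t len = fixed ? tftp_err_fixed(buf, 1, file) : tftp_err_buggy(buf, 1, file);
    size_t end = HDR_LEN + strlen((char *)buf + HDR_LEN) + 1;   /* true end of packet */

    *stale = 0;
    for (size_t i = end; i < len && i < sizeof buf; i++)
        if (buf[i] == 0xAA)
            (*stale)++;
    return len;
}

int main(void)
{
    size_t stale;
    size_t len = demo(0, &stale);
    printf("buggy: length %zu, %zu stale bytes sent\n", len, stale);
    len = demo(1, &stale);
    printf("fixed: length %zu, %zu stale bytes sent\n", len, stale);
    return 0;
}
```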
! 387: Fix logic error in Linux netlink code. This could
! 388: cause dnsmasq to enter a tight loop on systems
! 389: with a very large number of network interfaces.
! 390: Thanks to Ivan Kokshaysky for the diagnosis and
! 391: patch.
! 392:
! 393: Fix problem with --dnssec-timestamp whereby receipt
! 394: of SIGHUP would erroneously engage timestamp checking.
! 395: Thanks to Kevin Darbyshire-Bryant for this work.
! 396:
! 397: Bump zone serial on reloading /etc/hosts and friends
! 398: when providing authoritative DNS. Thanks to Harrald
! 399: Dunkel for spotting this.
! 400:
! 401: Handle v4-mapped IPv6 addresses sanely in --synth-domain.
! 402: These have standard representation like ::ffff:1.2.3.4
! 403: and are now converted to names like
! 404: <prefix>--ffff-1-2-3-4.<domain>
! 405:
! 406: Handle binding upstream servers to an interface
! 407: (--server=1.2.3.4@eth0) when the named interface
! 408: is destroyed and recreated in the kernel. Thanks to
! 409: Beniamino Galvani for the patch.
! 410:
! 411: Allow wildcard CNAME records in authoritative zones.
! 412: For example --cname=*.example.com,default.example.com
! 413: Thanks to Pro Backup for sponsoring this development.
! 414:
! 415: Bump the allowed backlog of TCP connections from 5 to 32,
! 416: and make this a compile-time configurable option. Thanks
! 417: to Donatas Abraitis for diagnosing this as a potential
! 418: problem.
! 419:
! 420: Add DNSMASQ_REQUESTED_OPTIONS environment variable to the
! 421: lease-change script. Thanks to ZHAO Yu for the patch.
! 422:
! 423: Fix foobar in rrfilter code, that could cause malformed
! 424: replies, especially when DNSSEC validation on, and
! 425: the upstream server returns answer with the RRs in a
! 426: particular order. The only DNS server known to tickle
! 427: this is Nominum's. Thanks to Dave Täht for spotting the
! 428: bug and assisting in the fix.
! 429:
! 430: Fix the manpage which lied that only the primary address
! 431: of an interface is used by --interface-name.
! 432:
! 433: Make --localise-queries apply to names from --interface-name.
! 434: Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
! 435: for pushing this.
! 436:
! 437: Improve connection handling when talking to TCP upstream
! 438: servers. Specifically, be prepared to open a new TCP
! 439: connection when we want to make multiple queries
! 440: but the upstream server accepts fewer queries per connection.
! 441:
! 442: Improve logging of upstream servers when there are a lot
! 443: of "local addresses only" entries. Thanks to Hannu Nyman for
! 444: the patch.
! 445:
! 446: Make --bogus-priv apply to IPv6, for the prefixes specified
! 447: in RFC6303. Thanks to Kevin Darbyshire-Bryant for work on this.
! 448:
! 449: Allow use of MAC addresses with --tftp-unique-root. Thanks
! 450: to Floris Bos for the patch.
! 451:
! 452: Add --dhcp-reply-delay option. Thanks to Floris Bos
! 453: for the patch.
! 454:
! 455: Add mtu setting facility to --ra-param. Thanks to David
! 456: Flamand for the patch.
! 457:
! 458: Capture STDOUT and STDERR output from dhcp-script and log
! 459: it as part of the dnsmasq log stream. Makes life easier
! 460: for diagnosing unexpected problems in scripts.
! 461: Thanks to Petr Mensik for the patch.
! 462:
! 463: Generate fatal errors when failing to parse the output
! 464: of the dhcp-script in "init" mode. Avoids strange errors
! 465: when the script accidentally emits error messages.
! 466: Thanks to Petr Mensik for the patch.
! 467:
! 468: Make --rev-server for an RFC1918 subnet work even in the
! 469: presence of the --bogus-priv flag. Thanks to
! 470: Vladislav Grishenko for the patch.
! 471:
! 472: Extend --ra-param mtu: field to allow an interface name.
! 473: This allows the MTU of a WAN interface to be advertised on
! 474: the internal interfaces of a router. Thanks to
! 475: Vladislav Grishenko for the patch.
! 476:
! 477: Do ICMP-ping check for address-in-use for DHCPv4 when
! 478: the client specifies an address in DHCPDISCOVER, and when
! 479: an address is configured locally. Thanks to Alin Năstac
! 480: for spotting the problem.
! 481:
! 482: Add new DHCP tag "known-othernet" which is set when only a
! 483: dhcp-host exists for another subnet. Can be used to ensure
! 484: that privileged hosts are not given "guest" addresses by
! 485: accident. Thanks to Todd Sanket for the suggestion.
! 486:
! 487: Remove historic automatic inclusion of IDN support when
! 488: building internationalisation support. This doesn't
! 489: fit now there is a choice of IDN libraries. Be sure
! 490: to include either -DHAVE_IDN or -DHAVE_LIBIDN2 for
! 491: IDN support.
! 492:
! 493:
! 494: version 2.76
! 495: Include 0.0.0.0/8 in DNS rebind checks. This range
! 496: translates to hosts on the local network, or, at
! 497: least, 0.0.0.0 accesses the local host, so could
! 498: be targets for DNS rebinding. See RFC 5735 section 3
! 499: for details. Thanks to Stephen Röttger for the bug report.
! 500:
! 501: Enhance --add-subnet to allow arbitrary subnet addresses.
! 502: Thanks to Ed Barsley for the patch.
! 503:
! 504: Respect the --no-resolv flag in inotify code. Fixes bug
! 505: which caused dnsmasq to fail to start if a resolv-file
! 506: was a dangling symbolic link, even if --no-resolv set.
! 507: Thanks to Alexander Kurtz for spotting the problem.
! 508:
! 509: Fix crash when an A or AAAA record is defined locally,
! 510: in a hosts file, and an upstream server sends a reply
! 511: that the same name is empty. Thanks to Edwin Török for
! 512: the patch.
! 513:
! 514: Fix failure to correctly calculate cache-size when
! 515: reading a hosts-file fails. Thanks to André Glüpker
! 516: for the patch.
! 517:
! 518: Fix wrong answer to simple name query when --domain-needed
! 519: set, but no upstream servers configured. Dnsmasq returned
! 520: REFUSED, in this case, when it should be the same as when
! 521: upstream servers are configured - NOERROR. Thanks to
! 522: Allain Legacy for spotting the problem.
! 523:
! 524: Return REFUSED when running out of forwarding table slots,
! 525: not SERVFAIL.
! 526:
! 527: Add --max-port configuration. Thanks to Hans Dedecker for
! 528: the patch.
! 529:
! 530: Add --script-arp and two new functions for the dhcp-script.
! 531: These are "arp" and "arp-old" which announce the arrival and
! 532: removal of entries in the ARP or neighbour tables.
! 533:
! 534: Extend --add-mac to allow a new encoding of the MAC address
! 535: as base64, by configuring --add-mac=base64
! 536:
! 537: Add --add-cpe-id option.
! 538:
! 539: Don't crash with divide-by-zero if an IPv6 dhcp-range
! 540: is declared as a whole /64.
! 541: (ie xx::0 to xx::ffff:ffff:ffff:ffff)
! 542: Thanks to Laurent Bendel for spotting this problem.
! 543:
! 544: Add support for a TTL parameter in --host-record and
! 545: --cname.
! 546:
! 547: Add --dhcp-ttl option.
! 548:
! 549: Add --tftp-mtu option. Thanks to Patrick McLean for the
! 550: initial patch.
! 551:
! 552: Check return-code of inet_pton() when parsing dhcp-option.
! 553: Bad addresses could fail to generate errors and result in
! 554: garbage dhcp-options being sent. Thanks to Marc Branchaud
! 555: for spotting this.
! 556:
! 557: Fix wrong value for EDNS UDP packet size when using
! 558: --servers-file to define upstream DNS servers. Thanks to
! 559: Scott Bonar for the bug report.
! 560:
! 561: Move the dhcp_release and dhcp_lease_time tools from
! 562: contrib/wrt to contrib/lease-tools.
! 563:
! 564: Add dhcp_release6 to contrib/lease-tools. Many thanks
! 565: to Sergey Nechaev for this code.
! 566:
! 567: To avoid filling logs in configurations which define
! 568: many upstream nameservers, don't log more than 30 servers.
! 569: The number to be logged can be changed as SERVERS_LOGGED
! 570: in src/config.h.
! 571:
! 572: Swap the values of BC_EFI and x86-64_EFI in --pxe-service.
! 573: These were previously wrong due to an error in RFC 4578.
! 574: If you're using BC_EFI to boot 64-bit EFI machines, you
! 575: will need to update your config.
! 576:
! 577: Add ARM32_EFI and ARM64_EFI as valid architectures in
! 578: --pxe-service.
! 579:
! 580: Fix PXE booting for UEFI architectures. Modify PXE boot
! 581: sequence in this case to force the client to talk to dnsmasq
! 582: over port 4011. This makes PXE and especially proxy-DHCP PXE
! 583: work with these architectures.
! 584:
! 585: Workaround problems with UEFI PXE clients. There exist
! 586: in the wild PXE clients which have problems with PXE
! 587: boot menus. To work around this, when there's a single
! 588: --pxe-service which applies to client, then that target
! 589: will be booted directly, rather than sending a
! 590: single-item boot menu.
! 591:
! 592: Many thanks to Jarek Polok, Michael Kuron and Dreamcat4
! 593: for their work on the long-standing UEFI PXE problem.
! 594:
! 595: Subtle change in the semantics of "basename" in
! 596: --pxe-service. The historical behaviour has always been
! 597: that the actual filename downloaded from the TFTP server
! 598: is <basename>.<layer> where <layer> is an integer which
! 599: corresponds to the layer parameter supplied by the client.
! 600: It's not clear what the function of the "layer"
! 601: actually is in the PXE protocol, and in practice layer
! 602: is always zero, so the filename is <basename>.0
! 603: The new behaviour is the same as the old, except when
! 604: <basename> includes a file suffix, in which case
! 605: the layer suffix is no longer added. This allows
! 606: sensible suffixes to be used, rather than the
! 607: meaningless ".0". Only in the unlikely event that you
! 608: have a config with a basename which already has a
! 609: suffix, is this an incompatible change, since the file
! 610: downloaded will change from name.suffix.0 to just
! 611: name.suffix
! 612:
! 613:
! 614: version 2.75
! 615: Fix reversion on 2.74 which caused 100% CPU use when a
! 616: dhcp-script is configured. Thanks to Adrian Davey for
! 617: reporting the bug and testing the fix.
! 618:
! 619:
! 620: version 2.74
! 621: Fix reversion in 2.73 where --conf-file would attempt to
! 622: read the default file, rather than no file.
! 623:
! 624: Fix inotify code to handle dangling symlinks better and
! 625: not SEGV in some circumstances.
! 626:
! 627: DNSSEC fix. In the case of a signed CNAME generated by a
! 628: wildcard which pointed to an unsigned domain, the wrong
! 629: status would be logged, and some necessary checks omitted.
! 630:
! 631:
! 632: version 2.73
! 633: Fix crash at startup when an empty suffix is supplied to
! 634: --conf-dir, also trivial memory leak. Thanks to
! 635: Tomas Hozza for spotting this.
! 636:
! 637: Remove floor of 4096 on advertised EDNS0 packet size when
! 638: DNSSEC in use, the original rationale for this has long gone.
! 639: Thanks to Anders Kaseorg for spotting this.
! 640:
! 641: Use inotify for checking on updates to /etc/resolv.conf and
! 642: friends under Linux. This fixes race conditions when the files are
! 643: updated rapidly and saves CPU by not polling. To build
! 644: a binary that runs on old Linux kernels without inotify,
! 645: use make COPTS=-DNO_INOTIFY
! 646:
! 647: Fix breakage of --domain=<domain>,<subnet>,local - only reverse
! 648: queries were intercepted. This appears to have been broken
! 649: since 2.69. Thanks to Josh Stone for finding the bug.
! 650:
! 651: Eliminate IPv6 privacy addresses and deprecated addresses from
! 652: the answers given by --interface-name. Note that reverse queries
! 653: (ie looking for names, given addresses) are not affected.
! 654: Thanks to Michael Gorbach for the suggestion.
! 655:
! 656: Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
! 657: for the bug report.
! 658:
! 659: Add --ignore-address option. Ignore replies to A-record
! 660: queries which include the specified address. No error is
! 661: generated, dnsmasq simply continues to listen for another
! 662: reply. This is useful to defeat blocking strategies which
! 663: rely on quickly supplying a forged answer to a DNS
! 664: request for certain domains, before the correct answer can
! 665: arrive. Thanks to Glen Huang for the patch.
! 666:
! 667: Revisit the part of DNSSEC validation which determines if an
! 668: unsigned answer is legit, or is in some part of the DNS
! 669: tree which should be signed. Dnsmasq now works from the
! 670: DNS root downward looking for the limit of signed
! 671: delegations, rather than working bottom up. This is
! 672: both more correct, and less likely to trip over broken
! 673: nameservers in the unsigned parts of the DNS tree
! 674: which don't respond well to DNSSEC queries.
! 675:
! 676: Add --log-queries=extra option, which makes logs easier
! 677: to search automatically.
! 678:
! 679: Add --min-cache-ttl option. I've resisted this for a long
! 680: time, on the grounds that disbelieving TTLs is never a
! 681: good idea, but I've been persuaded that there are
! 682: sometimes reasons to do it. (Step forward, GFW).
! 683: To avoid misuse, there's a hard limit on the TTL
! 684: floor of one hour. Thanks to RinSatsuki for the patch.
! 685:
! 686: Cope with multiple interfaces with the same link-local
! 687: address. (IPv6 addresses are scoped, so this is allowed.)
! 688: Thanks to Cory Benfield for help with this.
! 689:
! 690: Add --dhcp-hostsdir. This allows addition of new host
! 691: configurations to a running dnsmasq instance much more
! 692: cheaply than having dnsmasq re-read all its existing
! 693: configuration each time.
! 694:
! 695: Don't reply to DHCPv6 SOLICIT messages if we're not
! 696: configured to do stateful DHCPv6. Thanks to Win King Wan
! 697: for the patch.
! 698:
! 699: Fix broken DNSSEC validation of ECDSA signatures.
! 700:
! 701: Add --dnssec-timestamp option, which provides an automatic
! 702: way to detect when the system time becomes valid after
! 703: boot on systems without an RTC, whilst allowing DNS
! 704: queries before the clock is valid so that NTP can run.
! 705: Thanks to Kevin Darbyshire-Bryant for developing this idea.
! 706:
! 707: Add --tftp-no-fail option. Thanks to Stefan Tomanek for
! 708: the patch.
! 709:
! 710: Fix crash caused by looking up servers.bind, CHAOS text
! 711: record, when more than about five --servers= lines are
! 712: in the dnsmasq config. This causes memory corruption
! 713: which causes a crash later. Thanks to Matt Coddington for
! 714: sterling work chasing this down.
! 715:
! 716: Fix crash on receipt of certain malformed DNS requests.
! 717: Thanks to Nick Sampanis for spotting the problem.
! 718: Note that this could allow the dnsmasq process's
! 719: memory to be read by an attacker under certain
! 720: circumstances, so it has a CVE, CVE-2015-3294.
! 721:
! 722: Fix crash in authoritative DNS code, if a .arpa zone
! 723: is declared as authoritative, and then a PTR query which
! 724: is not to be treated as authoritative arrived. Normally,
! 725: directly declaring .arpa zone as authoritative is not
! 726: done, so this crash wouldn't be seen. Instead the
! 727: relevant .arpa zone should be specified as a subnet
! 728: in the auth-zone declaration. Thanks to Johnny S. Lee
! 729: for the bugreport and initial patch.
! 730:
! 731: Fix authoritative DNS code to correctly reply to NS
! 732: and SOA queries for .arpa zones for which we are
! 733: declared authoritative by means of a subnet in auth-zone.
! 734: Previously we provided correct answers to PTR queries
! 735: in such zones (including NS and SOA) but not direct
! 736: NS and SOA queries. Thanks to Johnny S. Lee for
! 737: pointing out the problem.
! 738:
! 739: Fix logging of DHCPREPLY which should be suppressed
! 740: by quiet-dhcp6. Thanks to J. Pablo Abonia for
! 741: spotting the problem.
! 742:
! 743: Try and handle net connections with broken fragmentation
! 744: that lose large UDP packets. If a server times out,
! 745: reduce the maximum UDP packet size field in the EDNS0
! 746: header to 1280 bytes. If it then answers, make that
! 747: change permanent.
! 748:
! 749: Check IPv4-mapped IPv6 addresses when --stop-rebind
! 750: is active. Thanks to Jordan Milne for spotting this.
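An added example, not dnsmasq's code, of why a rebind filter has to look inside IPv4-mapped IPv6 addresses: a check that only inspects A records lets an AAAA answer such as ::ffff:192.168.1.1 through. The list of private ranges and all function names are assumptions made for this sketch.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed "private" set for this sketch (host byte order):
   0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.168/16. */
static int is_private_v4(uint32_t a)
{
    return (a & 0xff000000u) == 0x00000000u ||
           (a & 0xff000000u) == 0x0a000000u ||
           (a & 0xff000000u) == 0x7f000000u ||
           (a & 0xffff0000u) == 0xa9fe0000u ||
           (a & 0xfff00000u) == 0xac100000u ||
           (a & 0xffff0000u) == 0xc0a80000u;
}

/* "Before": only A records are inspected, every AAAA answer passes. */
static int v4_only_check(int family, const void *addr)
{
    uint32_t a;

    if (family != AF_INET)
        return 0;
    memcpy(&a, addr, sizeof a);
    return is_private_v4(ntohl(a));
}

/* "After": an AAAA answer in ::ffff:0:0/96 is unwrapped and its embedded
   IPv4 address goes through the same private-range test. */
static int mapped_aware_check(int family, const void *addr)
{
    static const unsigned char v4mapped_prefix[12] =
        { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff };

    if (family == AF_INET6) {
        const struct in6_addr *a6 = addr;
        uint32_t a;

        if (memcmp(a6->s6_addr, v4mapped_prefix, sizeof v4mapped_prefix) != 0)
            return 0;
        memcpy(&a, &a6->s6_addr[12], sizeof a);
        return is_private_v4(ntohl(a));
    }
    return v4_only_check(family, addr);
}

/* Parse one answer address in text form and run the chosen check.
   Returns 1 if the answer should be dropped, 0 if it may pass,
   -1 if the text is not an IP address. */
int answer_is_rebind(const char *text, int mapped_aware)
{
    struct in_addr a4;
    struct in6_addr a6;

    if (inet_pton(AF_INET, text, &a4) == 1)
        return mapped_aware ? mapped_aware_check(AF_INET, &a4)
                            : v4_only_check(AF_INET, &a4);
    if (inet_pton(AF_INET6, text, &a6) == 1)
        return mapped_aware ? mapped_aware_check(AF_INET6, &a6)
                            : v4_only_check(AF_INET6, &a6);
    return -1;
}

int main(void)
{
    /* Constructed sample answers. */
    const char *answers[] = { "192.168.1.1", "::ffff:192.168.1.1",
                              "::ffff:8.8.8.8", "2001:db8::1" };

    for (size_t i = 0; i < sizeof answers / sizeof answers[0]; i++)
        printf("%-20s v4-only=%d mapped-aware=%d\n", answers[i],
               answer_is_rebind(answers[i], 0),
               answer_is_rebind(answers[i], 1));
    return 0;
}
```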
! 751:
! 752: Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
! 753: Thanks to Kevin Benton for patches and work on this.
! 754:
! 755: Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
! 756: in the correct subnet, even if not in dynamic address
! 757: allocation range. Thanks to Steve Hirsch for spotting
! 758: the problem.
! 759:
! 760: Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
! 761: to Nicolas Cavallari for the patch.
! 762:
! 763: Allow configuration of router advertisements without the
! 764: "on-link" bit set. Thanks to Neil Jerram for the patch.
! 765:
! 766: Extend --bridge-interface to DHCPv6 and router
! 767: advertisements. Thanks to Neil Jerram for the patch.
! 768:
! 769:
1.1.1.3 misho 770: version 2.72
1.1.1.4 ! misho 771: Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
1.1.1.3 misho 772:
1.1.1.4 ! misho 773: Add support for "ipsets" in *BSD, using pf. Thanks to
! 774: Sven Falempin for the patch.
! 775:
! 776: Fix race condition which could lock up dnsmasq when an
! 777: interface goes down and up rapidly. Thanks to Conrad
! 778: Kostecki for helping to chase this down.
! 779:
! 780: Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
! 781: Thanks to the Smoothwall project for the patch.
! 782:
! 783: Fix failure to build against Nettle-3.0. Thanks to Steven
! 784: Barth for spotting this and finding the fix.
! 785:
! 786: When assigning existing DHCP leases to interfaces by comparing
! 787: networks, handle the case that two or more interfaces have the
! 788: same network part, but different prefix lengths (favour the
! 789: longer prefix length.) Thanks to Lung-Pin Chang for the
! 790: patch.
! 791:
! 792: Add a mode which detects and removes DNS forwarding loops, ie
! 793: a query sent to an upstream server returns as a new query to
! 794: dnsmasq, and would therefore be forwarded again, resulting in
! 795: a query which loops many times before being dropped. Upstream
! 796: servers which loop back are disabled and this event is logged.
! 797: Thanks to Smoothwall for their sponsorship of this feature.
! 798:
! 799: Extend --conf-dir to allow filtering of files. So
! 800: --conf-dir=/etc/dnsmasq.d,\*.conf
! 801: will load all the files in /etc/dnsmasq.d which end in .conf
! 802:
! 803: Fix bug which resulted in NXDOMAIN answers instead of NODATA in
! 804: some circumstances.
! 805:
! 806: Fix bug which caused dnsmasq to become unresponsive if it
! 807: failed to send packets due to a network interface disappearing.
! 808: Thanks to Niels Peen for spotting this.
! 809:
! 810: Fix problem with --local-service option on big-endian platforms
! 811: Thanks to Richard Genoud for the patch.
1.1.1.3 misho 812:
813:
1.1.1.2 misho 814: version 2.71
1.1.1.4 ! misho 815: Subtle change to error handling to help DNSSEC validation
! 816: when servers fail to provide NODATA answers for
! 817: non-existent DS records.
! 818:
! 819: Tweak code which removes DNSSEC records from answers when
! 820: not required. Fixes broken answers when additional section
! 821: has real records in it. Thanks to Marco Davids for the bug
! 822: report.
! 823:
! 824: Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
! 825: for spotting that too.
! 826:
! 827: Fix total DNS failure and 100% CPU use if cachesize set to zero,
! 828: regression introduced in 2.69. Thanks to James Hunt and
! 829: the Ubuntu crowd for assistance in fixing this.
1.1.1.2 misho 830:
831:
832: version 2.70
1.1.1.4 ! misho 833: Fix crash, introduced in 2.69, on TCP request when dnsmasq
! 834: compiled with DNSSEC support, but running without DNSSEC
! 835: enabled. Thanks to Manish Sing for spotting that one.
1.1.1.2 misho 836:
1.1.1.4 ! misho 837: Fix regression which broke ipset functionality. Thanks to
! 838: Wang Jian for the bug report.
1.1.1.2 misho 839:
840:
841: version 2.69
1.1.1.4 ! misho 842: Implement dynamic interface discovery on *BSD. This allows
! 843: the constructor: syntax to be used in dhcp-range for DHCPv6
! 844: on the BSD platform. Thanks to Matthias Andree for
! 845: valuable research on how to implement this.
! 846:
! 847: Fix infinite loop associated with some --bogus-nxdomain
! 848: configs. Thanks fogobogo for the bug report.
! 849:
! 850: Fix missing RA RDNS option with configuration like
! 851: --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
! 852: for spotting the problem.
! 853:
! 854: Add [fd00::] and [fe80::] as special addresses in DHCPv6
! 855: options, analogous to [::]. [fd00::] is replaced with the
! 856: actual ULA of the interface on the machine running
! 857: dnsmasq, [fe80::] with the link-local address.
! 858: Thanks to Tsachi Kimeldorfer for championing this.
! 859:
! 860: DNSSEC validation and caching. Dnsmasq needs to be
! 861: compiled with this enabled, with
! 862:
! 863: make dnsmasq COPTS=-DHAVE_DNSSEC
! 864:
! 865: this adds dependencies on the nettle crypto library and the
! 866: gmp maths library. It's possible to have these linked
! 867: statically with
! 868:
! 869: make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
! 870:
! 871: which bloats the dnsmasq binary, but saves the size of
! 872: the shared libraries which are much bigger.
! 873:
! 874: To enable DNSSEC, you will need a set of
! 875: trust-anchors. Now that the TLDs are signed, this can be
! 876: the keys for the root zone, and for convenience they are
! 877: included in trust-anchors.conf in the dnsmasq
! 878: distribution. You should of course check that these are
! 879: legitimate and up-to-date. So, adding
! 880:
! 881: conf-file=/path/to/trust-anchors.conf
! 882: dnssec
! 883:
! 884: to your config is all that's needed to get things
! 885: working. The upstream nameservers have to be DNSSEC-capable
! 886: too, of course. Many ISP nameservers aren't, but the
! 887: Google public nameservers (8.8.8.8 and 8.8.4.4) are.
! 888: When DNSSEC is configured, dnsmasq validates any queries
! 889: for domains which are signed. Query results which are
! 890: bogus are replaced with SERVFAIL replies, and results
! 891: which are correctly signed have the AD bit set. In
! 892: addition, and just as importantly, dnsmasq supplies
! 893: correct DNSSEC information to clients which are doing
! 894: their own validation, and caches DNSKEY, DS and RRSIG
! 895: records, which significantly improve the performance of
! 896: downstream validators. Setting --log-queries will show
! 897: DNSSEC in action.
! 898:
! 899: If a domain is returned from an upstream nameserver without
! 900: DNSSEC signature, dnsmasq by default trusts this. This
! 901: means that for unsigned zones (still the majority) there
! 902: is effectively no cost for having DNSSEC enabled. Of course
! 903: this allows an attacker to replace a signed record with a
! 904: false unsigned record. This is addressed by the
! 905: --dnssec-check-unsigned flag, which instructs dnsmasq
! 906: to prove that an unsigned record is legitimate, by finding
! 907: a secure proof that the zone containing the record is not
! 908: signed. Doing this has costs (typically one or two extra
! 909: upstream queries). It also has a nasty failure mode if
! 910: dnsmasq's upstream nameservers are not DNSSEC capable.
! 911: Without --dnssec-check-unsigned using such an upstream
! 912: server will simply result in no queries being validated;
! 913: with --dnssec-check-unsigned enabled and a
! 914: DNSSEC-ignorant upstream server, _all_ queries will fail.
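The decision that --dnssec-check-unsigned adds, using the root-downward walk from the 2.73 entry on finding the limit of signed delegations, as an added example: a simplified model written for this page, not dnsmasq's code. The enum names, the lookup table and the zone names are assumptions, and the root is assumed to be covered by a trust anchor.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of an authenticated DS lookup at one name (simplified model). */
enum ds_status {
    DS_SIGNED,      /* validated DS exists: delegation is signed, keep descending */
    DS_NOT_A_CUT,   /* validated proof that this name is not a zone cut */
    DS_PROVEN_NONE, /* validated proof that the delegation has no DS: unsigned below */
    DS_NO_PROOF     /* nothing verifiable came back, e.g. DNSSEC-ignorant upstream */
};

enum verdict { ACCEPT_INSECURE, REJECT_BOGUS };

struct ds_fact { const char *name; enum ds_status status; };

/* Constructed sample data: hypothetical zones, lower case, no trailing dot. */
static const struct ds_fact sample_tree[] = {
    { "org",            DS_SIGNED },
    { "signed.org",     DS_SIGNED },
    { "www.signed.org", DS_NOT_A_CUT },
    { "com",            DS_SIGNED },
    { "unsigned.com",   DS_PROVEN_NONE },
};
#define SAMPLE_COUNT (sizeof sample_tree / sizeof sample_tree[0])

/* Stand-in for "ask upstream for DS and validate the reply". A name with no
   entry models an upstream that returns no DNSSEC records at all. */
static enum ds_status ds_lookup(const struct ds_fact *tree, size_t n,
                                const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tree[i].name, name) == 0)
            return tree[i].status;
    return DS_NO_PROOF;
}

/* Decide what to do with an answer for `name` that arrived without
   signatures. With check_unsigned == 0 the answer is trusted as-is (the
   default described above). With check_unsigned != 0 the walk goes from the
   TLD towards the leaf and accepts only if it meets a proven unsigned
   delegation on the way. */
enum verdict unsigned_answer_verdict(const struct ds_fact *tree, size_t n,
                                     const char *name, int check_unsigned)
{
    const char *p = name + strlen(name);

    if (!check_unsigned)
        return ACCEPT_INSECURE;

    while (p > name) {
        /* Extend the suffix by one label: "com", then "unsigned.com", ... */
        p--;
        while (p > name && p[-1] != '.')
            p--;

        switch (ds_lookup(tree, n, p)) {
        case DS_PROVEN_NONE:
            return ACCEPT_INSECURE; /* limit of signed delegations found */
        case DS_NO_PROOF:
            return REJECT_BOGUS;    /* cannot prove the zone is unsigned */
        case DS_SIGNED:
        case DS_NOT_A_CUT:
            break;                  /* still inside signed space */
        }
    }
    /* Signed all the way down, so the missing signatures were stripped. */
    return REJECT_BOGUS;
}

int main(void)
{
    const char *names[] = { "www.unsigned.com", "www.signed.org" };

    for (size_t i = 0; i < 2; i++)
        printf("%-18s default=%s check-unsigned=%s ignorant-upstream=%s\n",
               names[i],
               unsigned_answer_verdict(sample_tree, SAMPLE_COUNT, names[i], 0)
                   == ACCEPT_INSECURE ? "accept" : "bogus",
               unsigned_answer_verdict(sample_tree, SAMPLE_COUNT, names[i], 1)
                   == ACCEPT_INSECURE ? "accept" : "bogus",
               unsigned_answer_verdict(sample_tree, 0, names[i], 1)
                   == ACCEPT_INSECURE ? "accept" : "bogus");
    return 0;
}
```

Passing a table length of 0 models the DNSSEC-ignorant upstream: every DS lookup yields no proof, so every unsigned answer is rejected.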
! 915:
! 916: Note that DNSSEC requires that the local time is valid and
! 917: accurate, if not then DNSSEC validation will fail. NTP
! 918: should be running. This presents a problem for routers
! 919: without a battery-backed clock. To set the time needs NTP
! 920: to do DNS lookups, but lookups will fail until NTP has run.
! 921: To address this, there's a flag, --dnssec-no-timecheck
! 922: which disables the time checks (only) in DNSSEC. When dnsmasq
! 923: is started and the clock is not synced, this flag should
! 924: be used. As soon as the clock is synced, SIGHUP dnsmasq.
! 925: The SIGHUP clears the cache of partially-validated data and
! 926: resets the no-timecheck flag, so that all DNSSEC checks
! 927: henceforward will be complete.
! 928:
! 929: The development of DNSSEC in dnsmasq was started by
! 930: Giovanni Bajo, to whom huge thanks are owed. It has been
! 931: supported by Comcast, whose techfund grant has allowed for
! 932: an invaluable period of full-time work to get it to
! 933: a workable state.
! 934:
! 935: Add --rev-server. Thanks to Dave Taht for suggesting this.
! 936:
! 937: Add --servers-file. Allows dynamic update of upstream servers
! 938: full access to configuration.
! 939:
! 940: Add --local-service. Accept DNS queries only from hosts
! 941: whose address is on a local subnet, ie a subnet for which
! 942: an interface exists on the server. This option
! 943: only has effect if there are no --interface, --except-interface,
! 944: --listen-address or --auth-server options. It is intended
! 945: to be set as a default on installation, to allow
! 946: unconfigured installations to be useful but also safe from
! 947: being used for DNS amplification attacks.
! 948:
! 949: Fix crashes in cache_get_cname_target() when dangling CNAMEs
! 950: encountered. Thanks to Andy and the rt-n56u project for
! 951: finding this and helping to chase it down.
! 952:
! 953: Fix wrong RCODE in authoritative DNS replies to PTR queries. The
! 954: correct answer was included, but the RCODE was set to NXDOMAIN.
! 955: Thanks to Craig McQueen for spotting this.
1.1.1.2 misho 956:
1.1.1.4 ! misho 957: Make statistics available as DNS queries in the .bind TLD as
! 958: well as logging them.
1.1.1.2 misho 959:
960:
961: version 2.68
1.1.1.4 ! misho 962: Use random addresses for DHCPv6 temporary address
! 963: allocations, instead of algorithmically determined stable
! 964: addresses.
! 965:
! 966: Fix bug which meant that the DHCPv6 DUID was not available
! 967: in DHCP script runs during the lifetime of the dnsmasq
! 968: process which created the DUID de-novo. Once the DUID was
! 969: created and stored in the lease file and dnsmasq
! 970: restarted, this bug disappeared.
! 971:
! 972: Fix bug introduced in 2.67 which could result in erroneous
! 973: NXDOMAIN returns to CNAME queries.
! 974:
! 975: Fix build failures on MacOS X and openBSD.
! 976:
! 977: Allow subnet specifications in --auth-zone to be interface
! 978: names as well as address literals. This makes it possible
! 979: to configure authoritative DNS when local address ranges
! 980: are dynamic and works much better than the previous
! 981: work-around which exempted constructed DHCP ranges from the
! 982: IP address filtering. As a consequence, that work-around
! 983: is removed. Under certain circumstances, this change will
! 984: break existing configuration: if you're relying on the
! 985: constructed-range exception, you need to change --auth-zone
! 986: to specify the same interface as is used to construct your
! 987: DHCP ranges, probably with a trailing "/6" like this:
! 988: --auth-zone=example.com,eth0/6 to limit the addresses to
! 989: IPv6 addresses of eth0.
! 990:
! 991: Fix problems when advertising deleted IPv6 prefixes. If
! 992: the prefix is deleted (rather than replaced), it doesn't
! 993: get advertised with zero preferred time. Thanks to Tsachi
! 994: for the bug report.
! 995:
! 996: Fix segfault with some locally configured CNAMEs. Thanks
! 997: to Andrew Childs for spotting the problem.
! 998:
! 999: Fix memory leak on re-reading /etc/hosts and friends,
! 1000: introduced in 2.67.
! 1001:
! 1002: Check the arrival interface of incoming DNS and TFTP
! 1003: requests via IPv6, even in --bind-interfaces mode. This
! 1004: isn't possible for IPv4 and can generate scary warnings,
! 1005: but as it's always possible for IPv6 (the API always
! 1006: exists) then we should do it always.
! 1007:
! 1008: Tweak the rules on prefix-lengths in --dhcp-range for
! 1009: IPv6. The new rule is that the specified prefix length
! 1010: must be larger than or equal to the prefix length of the
! 1011: corresponding address on the local interface.
1.1.1.2 misho 1012:
1013:
1014: version 2.67
1.1.1.4 ! misho 1015: Fix crash if upstream server returns SERVFAIL when
! 1016: --conntrack in use. Thanks to Giacomo Tazzari for finding
! 1017: this and supplying the patch.
! 1018:
! 1019: Repair regression in 2.64. That release stopped sending
! 1020: lease-time information in the reply to DHCPINFORM
! 1021: requests, on the correct grounds that it was a standards
! 1022: violation. However, this broke the dnsmasq-specific
! 1023: dhcp_lease_time utility. Now, DHCPINFORM returns
! 1024: lease-time only if it's specifically requested
! 1025: (maintaining standards) and the dhcp_lease_time utility
! 1026: has been taught to ask for it (restoring functionality).
! 1027:
! 1028: Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass
! 1029: to work with BOOTP as well as DHCP. Thanks to Peter
! 1030: Korsgaard for spotting the problem.
! 1031:
! 1032: Add --synth-domain. Thanks to Vishvananda Ishaya for
! 1033: suggesting this.
! 1034:
! 1035: Fix failure to compile ipset.c if old kernel headers are
! 1036: in use. Thanks to Eugene Rudoy for pointing this out.
! 1037:
! 1038: Handle IPv4 interface-address labels in Linux. These are
! 1039: often used to emulate the old IP-alias addresses. Before,
! 1040: using --interface=eth0 would service all the addresses of
! 1041: eth0, including ones configured as aliases, which appear
! 1042: in ifconfig as eth0:0. Now, only addresses with the label
! 1043: eth0 are active. This is not backwards compatible: if you
! 1044: want to continue to bind the aliases too, you need to add
! 1045: eg. --interface=eth0:0 to the config.
! 1046:
! 1047: Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket
! 1048: operation on non-socket" error on startup with
! 1049: configurations which have exactly one --interface option
! 1050: and do RA but _not_ DHCPv6. Thanks to Trever Adams for the
! 1051: bug report.
! 1052:
! 1053: Generalise --interface-name to cope with IPv6 addresses
! 1054: and multiple addresses per interface per address family.
! 1055:
! 1056: Fix option parsing for --dhcp-host, which was generating a
! 1057: spurious error when all seven possible items were
! 1058: included. Thanks to Zhiqiang Wang for the bug report.
! 1059:
! 1060: Remove restriction on prefix-length in --auth-zone. Thanks
! 1061: to Toke Hoiland-Jorgensen for suggesting this.
! 1062:
! 1063: Log when the maximum number of concurrent DNS queries is
! 1064: reached. Thanks to Marcelo Salhab Brogliato for the patch.
! 1065:
! 1066: If wildcards are used in --interface, don't assume that
! 1067: there will only ever be one available interface for DHCP
! 1068: just because there is one at start-up. More may appear, so
! 1069: we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
! 1070: report.
! 1071:
! 1072: Increase timeout/number of retries in TFTP to accommodate
! 1073: AudioCodes Voice Gateways doing streaming writes to flash.
! 1074: Thanks to Damian Kaczkowski for spotting the problem.
! 1075:
! 1076: Fix crash with empty DHCP string options when adding zero
! 1077: terminator. Thanks to Patrick McLean for the bug report.
! 1078:
! 1079: Allow hostnames to start with a number, as allowed in
! 1080: RFC-1123. Thanks to Kyle Mestery for the patch.
! 1081:
! 1082: Fixes to DHCP FQDN option handling: don't terminate FQDN
! 1083: if domain not known and allow a FQDN option with blank
! 1084: name to request that a FQDN option is returned in the
! 1085: reply. Thanks to Roy Marples for the patch.
! 1086:
! 1087: Make --clear-on-reload apply to setting upstream servers
! 1088: via DBus too.
! 1089:
! 1090: When the address which triggered the construction of an
! 1091: advertised IPv6 prefix disappears, continue to advertise
! 1092: the prefix for up to 2 hours, with the preferred lifetime
! 1093: set to zero. This satisfies RFC 6204 4.3 L-13 and makes
! 1094: things work better if a prefix disappears without being
! 1095: deprecated first. Thanks to Uwe Schindler for persuasively
! 1096: arguing for this.
! 1097:
! 1098: Fix MAC address enumeration on *BSD. Thanks to Brad Smith
! 1099: for the bug report.
! 1100:
! 1101: Support RFC-4242 information-refresh-time options in the
! 1102: reply to DHCPv6 information-request. The lease time of the
! 1103: smallest valid dhcp-range is sent. Thanks to Uwe Schindler
! 1104: for suggesting this.
! 1105:
! 1106: Make --listen-address higher priority than --except-interface
! 1107: in all circumstances. Thanks to Thomas Hood for the bugreport.
! 1108:
! 1109: Provide independent control over which interfaces get TFTP
! 1110: service. If enable-tftp is given a list of interfaces, then TFTP
! 1111: is provided on those. Without the list, the previous behaviour
! 1112: (provide TFTP to the same interfaces we provide DHCP to)
! 1113: is retained. Thanks to Lonnie Abelbeck for the suggestion.
! 1114:
! 1115: Add --dhcp-relay config option. Many thanks to vtsl.net
! 1116: for sponsoring this development.
! 1117:
! 1118: Fix crash with empty tag: in --dhcp-range. Thanks to
! 1119: Kaspar Schleiser for the bug report.
! 1120:
! 1121: Add "baseline" and "bloatcheck" makefile targets, for
! 1122: revealing size changes during development. Thanks to
! 1123: Vladislav Grishenko for the patch.
! 1124:
! 1125: Cope with DHCPv6 clients which send REQUESTs without
! 1126: address options - treat them as SOLICIT with rapid commit.
! 1127:
! 1128: Support identification of clients by MAC address in
! 1129: DHCPv6. When using a relay, the relay must support RFC
! 1130: 6939 for this to work. It always works for directly
! 1131: connected clients. Thanks to Vladislav Grishenko
! 1132: for prompting this feature.
! 1133:
! 1134: Remove the rule for constructed DHCP ranges that the local
! 1135: address must be either the first or last address in the
! 1136: range. This was originally to avoid SLAAC addresses, but
! 1137: we now explicitly autoconfig and privacy addresses instead.
! 1138:
! 1139: Update Polish translation. Thanks to Jan Psota.
! 1140:
! 1141: Fix problem in DHCPv6 vendorclass/userclass matching
! 1142: code. Thanks to Tanguy Bouzeloc for the patch.
! 1143:
! 1144: Update Spanish translation. Thanks to Vicente Soriano.
! 1145:
! 1146: Add --ra-param option. Thanks to Vladislav Grishenko for
! 1147: inspiration on this.
! 1148:
! 1149: Add --add-subnet configuration, to tell upstream DNS
! 1150: servers where the original client is. Thanks to DNSthingy
! 1151: for sponsoring this feature.
! 1152:
! 1153: Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
! 1154: Kevin Darbyshire-Bryant for the initial patch.
! 1155:
! 1156: Allow A/AAAA records created by --interface-name to be the
! 1157: target of --cname. Thanks to Hadmut Danisch for the
! 1158: suggestion.
! 1159:
! 1160: Avoid treating a --dhcp-host which has an IPv6 address
! 1161: as eligible for use with DHCPv4 on the grounds that it has
! 1162: no address, and vice-versa. Thanks to Yury Konovalov for
! 1163: spotting the problem.
! 1164:
! 1165: Do a better job caching dangling CNAMEs. Thanks to Yves
! 1166: Dorfsman for spotting the problem.
1.1.1.2 misho 1167:
1168:
1.1 misho 1169: version 2.66
1.1.1.4 ! misho 1170: Add the ability to act as an authoritative DNS
! 1171: server. Dnsmasq can now answer queries from the wider 'net
! 1172: with local data, as long as the correct NS records are set
! 1173: up. Only local data is provided, to avoid creating an open
! 1174: DNS relay. Zone transfer is supported, to allow secondary
! 1175: servers to be configured.
! 1176:
! 1177: Add "constructed DHCP ranges" for DHCPv6. This is intended
! 1178: for IPv6 routers which get prefixes dynamically via prefix
! 1179: delegation. With suitable configuration, stateful DHCPv6
! 1180: and RA can happen automatically as prefixes are delegated
! 1181: and then deprecated, without having to re-write the
! 1182: dnsmasq configuration file or restart the daemon. Thanks to
! 1183: Steven Barth for extensive testing and development work on
! 1184: this idea.
! 1185:
! 1186: Fix crash on startup on Solaris 11. Regression probably
! 1187: introduced in 2.61. Thanks to Geoff Johnstone for the
! 1188: patch.
! 1189:
! 1190: Add code to make behaviour for TCP DNS requests the same
! 1191: as for UDP requests, when a request arrives for an allowed
! 1192: address, but via a banned interface. This change is only
! 1193: active on Linux, since the relevant API is missing (AFAIK)
! 1194: on other platforms. Many thanks to Tomas Hozza for
! 1195: spotting the problem, and doing invaluable discovery of
! 1196: the obscure and undocumented API required for the solution.
! 1197:
! 1198: Don't send the default DHCP option advertising dnsmasq as
! 1199: the local DNS server if dnsmasq is configured to not act
! 1200: as DNS server, or it's configured to a non-standard port.
! 1201:
! 1202: Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID,
! 1203: DNSMASQ_REMOTE_ID variables to the environment of the
! 1204: lease-change script (and the corresponding Lua). These hold
! 1205: information inserted into the DHCP request by a DHCP relay
! 1206: agent. Thanks to Lakefield Communications for providing a
! 1207: bounty for this addition.
! 1208:
! 1209: Fixed crash, introduced in 2.64, whilst handling DHCPv6
! 1210: information-requests with some common configurations.
! 1211: Thanks to Robert M. Albrecht for the bug report and
! 1212: chasing the problem.
! 1213:
! 1214: Add --ipset option. Thanks to Jason A. Donenfeld for the
! 1215: patch.
! 1216:
! 1217: Don't erroneously reject some option names in --dhcp-match
! 1218: options. Thanks to Benedikt Hochstrasser for the bug report.
! 1219:
! 1220: Allow a trailing '*' wildcard in all interface-name
! 1221: configurations. Thanks to Christian Parpart for the patch.
! 1222:
! 1223: Handle the situation where libc headers define
! 1224: SO_REUSEPORT, but the kernel in use doesn't, to cope with
! 1225: the introduction of this option to Linux. Thanks to Rich
! 1226: Felker for the bug report.
! 1227:
! 1228: Update Polish translation. Thanks to Jan Psota.
! 1229:
! 1230: Fix crash if the configured DHCP lease limit is
! 1231: reached. Regression occurred in 2.61. Thanks to Tsachi for
! 1232: the bug report.
! 1233:
! 1234: Update the French translation. Thanks to Gildas le Nadan.
! 1235:
1.1 misho 1236:
1237: version 2.65
1.1.1.4 ! misho 1238: Fix regression which broke forwarding of queries sent via
! 1239: TCP which are not for A and AAAA and which were directed to
! 1240: non-default servers. Thanks to Niax for the bug report.
! 1241:
! 1242: Fix failure to build with DHCP support excluded. Thanks to
! 1243: Gustavo Zacarias for the patch.
! 1244:
! 1245: Fix nasty regression in 2.64 which completely broke caching.
1.1 misho 1246:
1247:
1248: version 2.64
1.1.1.4 ! misho 1249: Handle DHCP FQDN options with all flag bits zero and
! 1250: --dhcp-client-update set. Thanks to Bernd Krumbroeck for
! 1251: spotting the problem.
! 1252:
! 1253: Finesse the check for /etc/hosts names which conflict with
! 1254: DHCP names. Previously a name/address pair in /etc/hosts
! 1255: which didn't match the name/address of a DHCP lease would
! 1256: generate a warning. Now that only happens if there is not
! 1257: also a match. This allows multiple addresses for a name in
! 1258: /etc/hosts with one of them assigned via DHCP.
! 1259:
! 1260: Fix broken vendor-option processing for BOOTP. Thanks to
! 1261: Hans-Joachim Baader for the bug report.
! 1262:
! 1263: Don't report spurious netlink errors, regression in
! 1264: 2.63. Thanks to Vladislav Grishenko for the patch.
! 1265:
! 1266: Flag DHCP or DHCPv6 in startup logging. Thanks to
! 1267: Vladislav Grishenko for the patch.
! 1268:
! 1269: Add SetServersEx method in DBus interface. Thanks to Dan
! 1270: Williams for the patch.
! 1271:
! 1272: Add SetDomainServers method in DBus interface. Thanks to
! 1273: Roy Marples for the patch.
! 1274:
! 1275: Fix build with later Lua libraries. Thanks to Cristian
! 1276: Rodriguez for the patch.
! 1277:
! 1278: Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker
! 1279: for the patch.
! 1280:
! 1281: Fix breakage of --host-record parsing, resulting in
! 1282: infinite loop at startup. Regression in 2.63. Thanks to
! 1283: Haim Gelfenbeyn for spotting this.
! 1284:
! 1285: Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6
! 1286: socket, this allows multiple instances of dnsmasq on a
! 1287: single machine, in the same way as for DHCPv4. Thanks to
! 1288: Gene Czarcinski and Vladislav Grishenko for work on this.
! 1289:
! 1290: Fix DHCPv6 to do access control correctly when it's
! 1291: configured with --listen-address. Thanks to
! 1292: Gene Czarcinski for sorting this out.
! 1293:
! 1294: Add a "wildcard" dhcp-range which works for any IPv6
! 1295: subnet, --dhcp-range=::,static Useful for Stateless
! 1296: DHCPv6. Thanks to Vladislav Grishenko for the patch.
! 1297:
! 1298: Don't include lease-time in DHCPACK replies to DHCPINFORM
! 1299: queries, since RFC-2131 says we shouldn't. Thanks to
! 1300: Wouter Ibens for pointing this out.
! 1301:
! 1302: Makefile tweak to do dependency checking on header files.
! 1303: Thanks to Johan Peeters for the patch.
! 1304:
! 1305: Check interface for outgoing unsolicited router
! 1306: advertisements, rather than relying on interface address
! 1307: configuration. Thanks to Gene Czarinski for the patch.
! 1308:
! 1309: Handle better attempts to transmit on interfaces which are
! 1310: still doing DAD, and specifically do not just transmit
! 1311: without setting source address and interface, since this
! 1312: can cause very puzzling effects when a router
! 1313: advertisement goes astray. Thanks again to Gene Czarinski.
! 1314:
! 1315: Get RA timers right when there is more than one
! 1316: dhcp-range on a subnet.
! 1317:
1.1 misho 1318:
1319: version 2.63
1.1.1.4 ! misho 1320: Do duplicate dhcp-host address check in --test mode.
! 1321:
! 1322: Check that tftp-root directories are accessible before
! 1323: start-up. Thanks to Daniel Veillard for the initial patch.
! 1324:
! 1325: Allow more than one --tftp-root flag. The per-interface
! 1326: stuff is pointless without that.
! 1327:
! 1328: Add --bind-dynamic. A hybrid mode between the default and
! 1329: --bind-interfaces which copes with dynamically created
! 1330: interfaces.
1.1 misho 1331:
1.1.1.4 ! misho 1332: A couple of fixes to the build system for Android. Thanks
! 1333: to Metin Kaya for the patches.
1.1 misho 1334:
1.1.1.4 ! misho 1335: Remove the interface:<interface> argument in --dhcp-range, and
! 1336: the interface argument to --enable-tftp. These were a
! 1337: still-born attempt to allow automatic isolated
! 1338: configuration by libvirt, but have never (to my knowledge)
! 1339: been used, had very strange semantics, and have been
! 1340: superseded by other mechanisms.
1.1 misho 1341:
1.1.1.4 ! misho 1342: Fixed bug logging filenames when duplicate dhcp-host
! 1343: addresses are found. Thanks to John Hanks for the patch.
1.1 misho 1344:
1.1.1.4 ! misho 1345: Fix regression in 2.61 which broke caching of CNAME
! 1346: chains. Thanks to Atul Gupta for the bug report.
! 1347:
! 1348: Allow the target of a --cname flag to be another --cname.
! 1349:
! 1350: Teach DHCPv6 about the RFC 4242 information-refresh-time
! 1351: option, and add parsing of the minutes, hours and days
! 1352: format for options. Thanks to Francois-Xavier Le Bail for
! 1353: the suggestion.
! 1354:
! 1355: Allow "w" (for week) as multiplier in lease times, as well
! 1356: as seconds, minutes, hours and days. Álvaro Gámez Machado
! 1357: spotted the omission.
! 1358:
! 1359: Update French translation. Thanks to Gildas Le Nadan.
! 1360:
! 1361: Allow a DBus service name to be given with --enable-dbus
! 1362: which overrides the default,
! 1363: uk.org.thekelleys.dnsmasq. Thanks to Mathieu
! 1364: Trudel-Lapierre for the patch.
! 1365:
! 1366: Set the "prefix on-link" bit in Router
! 1367: Advertisements. Thanks to Gui Iribarren for the patch.
1.1 misho 1368:
1369:
1370: version 2.62
1.1.1.4 ! misho 1371: Update German translation. Thanks to Conrad Kostecki.
1.1 misho 1372:
1.1.1.4 ! misho 1373: Cope with router-solicit packets which don't have a valid
! 1374: source address. Thanks to Vladislav Grishenko for the patch.
1.1 misho 1375:
1.1.1.4 ! misho 1376: Fixed bug which caused missing periodic router
! 1377: advertisements with some configurations. Thanks to
! 1378: Vladislav Grishenko for the patch.
1.1 misho 1379:
1.1.1.4 ! misho 1380: Fixed bug which broke DHCPv6/RA with prefix lengths
! 1381: which are not divisible by 8. Thanks to Andre Coetzee
! 1382: for spotting this.
1.1 misho 1383:
1.1.1.4 ! misho 1384: Fix non-response to router-solicitations when
! 1385: router-advertisement configured, but DHCPv6 not
! 1386: configured. Thanks to Marien Zwart for the patch.
1.1 misho 1387:
1.1.1.4 ! misho 1388: Add --dns-rr, to allow arbitrary DNS resource records.
1.1 misho 1389:
1.1.1.4 ! misho 1390: Fixed bug which broke RA scheduling when an interface had
! 1391: two addresses in the same network. Thanks to Jim Bos for
! 1392: his help nailing this.
1.1 misho 1393:
1394: version 2.61
1.1.1.4 ! misho 1395: Re-write interface discovery code on *BSD to use
! 1396: getifaddrs. This is more portable, more straightforward,
! 1397: and allows us to find the prefix length for IPv6
! 1398: addresses.
! 1399:
! 1400: Add ra-names, ra-stateless and slaac keywords for DHCPv6.
! 1401: Dnsmasq can now synthesise AAAA records for dual-stack
! 1402: hosts which get IPv6 addresses via SLAAC. It is also now
! 1403: possible to use SLAAC and stateless DHCPv6, and to
! 1404: tell clients to use SLAAC addresses as well as DHCP ones.
! 1405: Thanks to Dave Taht for help with this.
! 1406:
! 1407: Add --dhcp-duid to allow DUID-EN uids to be used.
! 1408:
! 1409: Explicitly send DHCPv6 replies to the correct port, instead
! 1410: of relying on clients to send requests with the correct
! 1411: source address, since at least one client in the wild gets
! 1412: this wrong. Thanks to Conrad Kostecki for help tracking
! 1413: this down.
! 1414:
! 1415: Send a preference value of 255 in DHCPv6 replies when
! 1416: --dhcp-authoritative is in effect. This tells clients not
! 1417: to wait around for other DHCP servers.
! 1418:
! 1419: Better logging of DHCPv6 options.
! 1420:
! 1421: Add --host-record. Thanks to Rob Zwissler for the
! 1422: suggestion.
! 1423:
! 1424: Invoke the DHCP script with action "tftp" when a TFTP file
! 1425: transfer completes. The size of the file, address to which
! 1426: it was sent and complete pathname are supplied. Note that
! 1427: version 2.60 introduced some script incompatibilities
! 1428: associated with DHCPv6, and this is a further change. To
! 1429: be safe, scripts should ignore unknown actions, and if
! 1430: not IPv6-aware, should exit if the environment
! 1431: variable DNSMASQ_IAID is set. The use-case for this is
! 1432: to track netboot/install. Suggestion from Shantanu
! 1433: Gadgil.
! 1434:
! 1435: Update contrib/port-forward/dnsmasq-portforward to reflect
! 1436: the above.
! 1437:
! 1438: Set the environment variable DNSMASQ_LOG_DHCP when running
! 1439: the script if --log-dhcp is in effect, so that scripts can
! 1440: tailor their logging verbosity. Suggestion from Malte
! 1441: Forkel.
! 1442:
! 1443: Arrange that addresses specified with --listen-address
! 1444: work even if there is no interface carrying the
! 1445: address. This is chiefly useful for IPv4 loopback
! 1446: addresses, where any address in 127.0.0.0/8 is a valid
! 1447: loopback address, but normally only 127.0.0.1 appears on
! 1448: the lo interface. Thanks to Mathieu Trudel-Lapierre for
! 1449: the idea and initial patch.
! 1450:
! 1451: Fix crash, introduced in 2.60, when a DHCPINFORM is
! 1452: received from a network which has no valid dhcp-range.
! 1453: Thanks to Stephane Glondu for the bug report.
! 1454:
! 1455: Add a new DHCP lease time keyword, "deprecated" for
! 1456: --dhcp-range. This is only valid for IPv6, and sets the
! 1457: preferred lease time for both DHCP and RA to zero. The
! 1458: effect is that clients can continue to use the address
! 1459: for existing connections, but new connections will use
! 1460: other addresses, if they exist. This makes hitless
! 1461: renumbering at least possible.
! 1462:
! 1463: Fix bug in address6_available() which caused DHCPv6 lease
! 1464: acquisition to fail if more than one dhcp-range is in use.
! 1465:
! 1466: Provide RDNSS and DNSSL data in router advertisements,
! 1467: using the settings provided for DHCP options
! 1468: option6:domain-search and option6:dns-server.
! 1469:
! 1470: Tweak logo/favicon.ico to add some transparency. Thanks to
! 1471: SamLT for work on this.
! 1472:
! 1473: Don't cache data from non-recursive nameservers, since it
! 1474: may erroneously look like a valid CNAME to a non-existent
! 1475: name. Thanks to Ben Winslow for finding this.
! 1476:
! 1477: Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP
! 1478: on exactly one interface and --bind-interfaces is set. This
! 1479: makes the OpenStack use-case of one dnsmasq per virtual
! 1480: interface work. This is only available on Linux; it's not
! 1481: supported on other platforms. Thanks to Vishvananda Ishaya
! 1482: and the OpenStack team for the suggestion.
! 1483:
! 1484: Updated French translation. Thanks to Gildas Le Nadan.
! 1485:
! 1486: Give correct from-cache answers to explicit CNAME queries.
! 1487: Thanks to Rob Zwissler for spotting this.
! 1488:
! 1489: Add --tftp-lowercase option. Thanks to Oliver Rath for the
! 1490: patch.
! 1491:
! 1492: Ensure that the DBus DhcpLeaseUpdated events are generated
! 1493: when a lease goes through INIT_REBOOT state, even if the
! 1494: dhcp-script is not in use. Thanks to Antoaneta-Ecaterina
! 1495: Ene for the patch.
! 1496:
! 1497: Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks
! 1498: to Brad Smith for spotting this.
! 1499:
1.1 misho 1500:
1501: version 2.60
1.1.1.4 ! misho 1502: Fix compilation problem in Mac OS X Lion. Thanks to Olaf
! 1503: Flebbe for the patch.
! 1504:
! 1505: Fix DHCP when using --listen-address with an IP address
! 1506: which is not the primary address of an interface.
1.1 misho 1507:
1.1.1.4 ! misho 1508: Add --dhcp-client-update option.
1.1 misho 1509:
1.1.1.4 ! misho 1510: Add Lua integration. Dnsmasq can now execute a DHCP
! 1511: lease-change script written in Lua. This needs to be
! 1512: enabled at compile time by setting HAVE_LUASCRIPT in
! 1513: src/config.h or running "make COPTS=-DHAVE_LUASCRIPT".
! 1514: Thanks to Jan-Piet Mens for the idea and proof-of-concept
! 1515: implementation.
! 1516:
! 1517: Tidied src/config.h to distinguish between
! 1518: platform-dependent compile-time options which are selected
! 1519: automatically, and builder-selectable compile time
! 1520: options. Document the latter better, and describe how to
! 1521: set them from the make command line.
! 1522:
! 1523: Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent)
! 1524: confusion. IPPROTO_IP works everywhere now.
! 1525:
! 1526: Set TOS on DHCP sockets, this improves things on busy
! 1527: wireless networks. Thanks to Dave Taht for the patch.
! 1528:
! 1529: Determine VERSION automatically based on git magic:
! 1530: release tags or hash values.
! 1531:
! 1532: Improve start-up speed when reading large hosts files
! 1533: containing many distinct addresses.
! 1534:
! 1535: Fix problem if dnsmasq is started without the stdin,
! 1536: stdout and stderr file descriptors open. This can manifest
! 1537: itself as 100% CPU use. Thanks to Chris Moore for finding
! 1538: this.
! 1539:
! 1540: Fix shell-scripting bug in bld/pkg-wrapper. Thanks to
! 1541: Mark Mitchell for the patch.
! 1542:
! 1543: Allow the TFTP server or boot server in --pxe-service, to
! 1544: be a domain name instead of an IP address. This allows for
! 1545: round-robin to multiple servers, in the same way as
! 1546: --dhcp-boot. A good suggestion from Cristiano Cumer.
! 1547:
! 1548: Support BUILDDIR variable in the Makefile. Allows builds
! 1549: for multiple archs from the same source tree with eg.
! 1550: make BUILDDIR=linux (relative to dnsmasq tree)
! 1551: make BUILDDIR=/tmp/openbsd (absolute path)
! 1552: If BUILDDIR is not set, compilation happens in the src
! 1553: directory, as before. Suggestion from Mark Mitchell.
! 1554:
! 1555: Support DHCPv6. Support is there for the sort of things
! 1556: the existing v4 server does, including tags, options,
! 1557: static addresses and relay support. Missing is prefix
! 1558: delegation, which is probably not required in the dnsmasq
! 1559: niche, and an easy way to accept prefix delegations from
! 1560: an upstream DHCPv6 server, which is. Future plans include
! 1561: support for DHCPv6 router option and MAC address option
! 1562: (to make selecting clients by MAC address work like IPv4).
! 1563: These will be added as the standards mature.
! 1564: This code has been tested, but this is the first release,
! 1565: so don't bet the farm on it just yet. Many thanks to all
! 1566: testers who have got it this far.
! 1567:
! 1568: Support IPv6 router advertisements. This is a
! 1569: simple-minded implementation, aimed at providing the
! 1570: vestigial RA needed to go alongside IPv6. It picks up
! 1571: configuration from the DHCPv6 conf, and should just need
! 1572: enabling with --enable-ra.
! 1573:
! 1574: Fix long-standing wrinkle with --localise-queries that
! 1575: could result in wrong answers when DNS packets arrive
! 1576: via an interface other than the expected one. Thanks to
! 1577: Lorenzo Milesi and John Hanks for spotting this one.
1.1 misho 1578:
1.1.1.4 ! misho 1579: Update French translation. Thanks to Gildas Le Nadan.
1.1 misho 1580:
1.1.1.4 ! misho 1581: Update Polish translation. Thanks to Jan Psota.
1.1 misho 1582:
1583:
1584: version 2.59
1.1.1.4 ! misho 1585: Fix regression in 2.58 which caused failure to start up
! 1586: with some combinations of dnsmasq config and IPv6 kernel
! 1587: network config. Thanks to Brielle Bruns for the bug
! 1588: report.
! 1589:
! 1590: Improve dnsmasq's behaviour when network interfaces are
! 1591: still doing duplicate address detection (DAD). Previously,
! 1592: dnsmasq would wait up to 20 seconds at start-up for the
! 1593: DAD state to terminate. This is broken for bridge
! 1594: interfaces on recent Linux kernels, which don't start DAD
! 1595: until the bridge comes up, and so can take arbitrary
! 1596: time. The new behaviour lets dnsmasq poll for an arbitrary
! 1597: time whilst providing service on other interfaces. Thanks
! 1598: to Stephen Hemminger for pointing out the problem.
1.1 misho 1599:
1600:
1601: version 2.58
1.1.1.4 ! misho 1602: Provide a definition of the SA_SIZE macro where it's
! 1603: missing. Fixes build failure on OpenBSD.
1.1 misho 1604:
1.1.1.4 ! misho 1605: Don't include a zero terminator at the end of messages
! 1606: sent to /dev/log when /dev/log is a datagram socket.
! 1607: Thanks to Didier Rabound for spotting the problem.
! 1608:
! 1609: Add --dhcp-sequential-ip flag, to force allocation of IP
! 1610: addresses in ascending order. Note that the default
! 1611: pseudo-random mode is in general better but some
! 1612: server-deployment applications need this.
! 1613:
! 1614: Fix problem where a server-id of 0.0.0.0 is sent to a
! 1615: client when a dhcp-relay is in use if a client renews a
! 1616: lease after dnsmasq restart and before any clients on the
! 1617: subnet get a new lease. Thanks to Mike Ruiz for assistance
! 1618: in chasing this one down.
! 1619:
! 1620: Don't return NXDOMAIN to an AAAA query if we have a CNAME
! 1621: which points to an A record only: NODATA is the correct
! 1622: reply in this case. Thanks to Tom Fernandes for spotting
! 1623: the problem.
! 1624:
! 1625: Relax the need to supply a netmask in --dhcp-range for
! 1626: networks which use a DHCP relay. Whilst this is still
! 1627: desirable, in the absence of a netmask dnsmasq will use
! 1628: a default based on the class (A, B, or C) of the address.
! 1629: This should at least remove a cause of mysterious failure
! 1630: for people using RFC1918 addresses and relays.
! 1631:
! 1632: Add support for Linux conntrack connection marking. If
! 1633: enabled with --conntrack, the connection mark for incoming
! 1634: DNS queries will be copied to the outgoing connections
! 1635: used to answer those queries. This allows clever firewall
! 1636: and accounting stuff. Only available if dnsmasq is
! 1637: compiled with HAVE_CONNTRACK and adds a dependency on
! 1638: libnetfilter-conntrack. Thanks to Ed Wildgoose for the
! 1639: initial idea, testing and sponsorship of this function.
! 1640:
! 1641: Provide a sane error message when someone attempts to
! 1642: match a tag in --dhcp-host.
! 1643:
! 1644: Tweak the behaviour of --domain-needed, to avoid problems
! 1645: with recursive nameservers downstream of dnsmasq. The new
! 1646: behaviour only stops A and AAAA queries, and returns
! 1647: NODATA rather than NXDOMAIN replies.
! 1648:
! 1649: Efficiency fix for very large DHCP configurations, thanks
! 1650: to James Gartrell and Mike Ruiz for help with this.
! 1651:
! 1652: Allow the TFTP-server address in --dhcp-boot to be a
! 1653: domain-name which is looked up in /etc/hosts. This can
! 1654: give multiple IP addresses which are used round-robin,
! 1655: thus doing TFTP server load-balancing. Thanks to Sushil
! 1656: Agrawal for the patch.
! 1657:
! 1658: When two tagged dhcp-options for a particular option
! 1659: number are both valid, use the one which is valid without
! 1660: a tag from the dhcp-range. Allows overriding of the value
! 1661: of a DHCP option for a particular host as well as
! 1662: per-network values. So
! 1663: --dhcp-range=set:interface1,......
! 1664: --dhcp-host=set:myhost,.....
! 1665: --dhcp-option=tag:interface1,option:nis-domain,"domain1"
! 1666: --dhcp-option=tag:myhost,option:nis-domain,"domain2"
! 1667: will set the NIS-domain to domain1 for hosts in the range, but
! 1668: override that to domain2 for a particular host.
! 1669:
! 1670: Fix bug which resulted in truncated files and timeouts for
! 1671: some TFTP transfers. The bug only occurs with netascii
! 1672: transfers and needs an unfortunate relationship between
! 1673: file size, blocksize and the number of newlines in the
! 1674: last block before it manifests itself. Many thanks to
! 1675: Alkis Georgopoulos for spotting the problem and providing
! 1676: a comprehensive test-case.
! 1677:
! 1678: Fix regression in TFTP server on *BSD platforms introduced
! 1679: in version 2.56, due to confusion with sockaddr
! 1680: length. Many thanks to Loic Pefferkorn for finding this.
! 1681:
! 1682: Support scope-ids in IPv6 addresses of nameservers from
! 1683: /etc/resolv.conf and in --server options. Eg
! 1684: nameserver fe80::202:a412:4512:7bbf%eth0 or
! 1685: server=fe80::202:a412:4512:7bbf%eth0. Thanks to
! 1686: Michael Stapelberg for the suggestion.
1.1 misho 1687:
1.1.1.4 ! misho 1688: Update Polish translation, thanks to Jan Psota.
1.1 misho 1689:
1.1.1.4 ! misho 1690: Update French translation. Thanks to Gildas Le Nadan.
1.1 misho 1691:
1692:
1693: version 2.57
1.1.1.4 ! misho 1694: Add patches to allow build under Android.
1.1 misho 1695:
1.1.1.4 ! misho 1696: Provide our own header for the DNS protocol, rather than
! 1697: relying on arpa/nameser.h. This has proved more or less
! 1698: defective over the years and the final straw is that it's
! 1699: effectively empty on Android.
! 1700:
! 1701: Fix regression in 2.56 which caused hex constants in
! 1702: configuration to be rejected if they contain the '*'
! 1703: wildcard.
! 1704:
! 1705: Correct wrong casts of arguments to ctype.h functions,
! 1706: isdigit(), isxdigit() etc. Thanks to Matthias Andree for
! 1707: spotting this.
! 1708:
! 1709: Allow build with IDN support independently from i18n.
! 1710: IDN support continues to be included automatically
! 1711: when i18n is included.
! 1712: 'make COPTS=-DHAVE_IDN' is the magic incantation.
! 1713:
! 1714: Modify check on extraneous command line junk (added in
! 1715: 2.56) so that it doesn't complain about extra _empty_
! 1716: arguments. Otherwise this breaks libvirt.
1.1 misho 1717:
1718:
1719: version 2.56
1.1.1.4 ! misho 1720: Add a patch to allow dnsmasq to get interface names right in a
! 1721: Solaris zone. Thanks to Dj Padzensky for this.
1.1 misho 1722:
1.1.1.4 ! misho 1723: Improve data-type parsing heuristics so that
! 1724: --dhcp-option=option:domain-search,.
! 1725: treats the value as a string and not an IP address.
! 1726: Thanks to Clemens Fischer for spotting that.
! 1727:
! 1728: Add IPv6 support to the TFTP server. Many thanks to Jan
! 1729: 'RedBully' Seiffert for the patches.
! 1730:
! 1731: Log DNS queries at level LOG_INFO, rather than
! 1732: LOG_DEBUG. This makes things consistent with DHCP
! 1733: logging. Thanks to Adam Pribyl for spotting the problem.
! 1734:
! 1735: Ensure that dnsmasq terminates cleanly when using
! 1736: --syslog-async even if it cannot make a connection to the
! 1737: syslogd.
! 1738:
! 1739: Add --add-mac option. This is to support currently
! 1740: experimental DNS filtering facilities. Thanks to Benjamin
! 1741: Petrin for the original patch.
! 1742:
! 1743: Fix bug which meant that tags were ignored in dhcp-range
! 1744: configuration specifying PXE-proxy service. Thanks to
! 1745: Cristiano Cumer for spotting this.
! 1746:
! 1747: Raise an error if there is extra junk, not part of an
! 1748: option, on the command line.
! 1749:
! 1750: Flag a couple of log messages in cache.c as coming from
! 1751: the DHCP subsystem. Thanks to Olaf Westrik for the patch.
! 1752:
! 1753: Omit timestamps from logs when a) logging to stderr and
! 1754: b) --keep-in-foreground is set. The logging facility on the
! 1755: other end of stderr can be assumed to supply them. Thanks
! 1756: to John Hallam for the patch.
! 1757:
! 1758: Don't complain about strings longer than 255 characters in
! 1759: --txt-record, just split the long strings into 255
! 1760: character chunks instead.
! 1761:
! 1762: Fix crash on double-free. This bug can only happen when
! 1763: dhcp-script is in use and then only in rare circumstances
! 1764: triggered by high DHCP transaction rate and a slow
! 1765: script. Thanks to Ferenc Wagner for finding the problem.
! 1766:
! 1767: Only log that a file has been sent by TFTP after the
! 1768: transfer has completed successfully.
! 1769:
! 1770: A good suggestion from Ferenc Wagner: extend
! 1771: the --domain option to allow this sort of thing:
! 1772: --domain=thekelleys.org.uk,192.168.0.0/24,local
! 1773: which automatically creates
! 1774: --local=/thekelleys.org.uk/
! 1775: --local=/0.168.192.in-addr.arpa/
! 1776:
! 1777: Tighten up syntax checking of hex constants in the config
! 1778: file. Thanks to Fred Damen for spotting this.
! 1779:
! 1780: Add dnsmasq logo/icon, contributed by Justin Swift. Many
! 1781: thanks for that.
! 1782:
! 1783: Never cache DNS replies which have the 'cd' bit set, or
! 1784: which result from queries forwarded with the 'cd' bit
! 1785: set. The 'cd' bit instructs a DNSSEC validating server
! 1786: upstream to ignore signature failures and return replies
! 1787: anyway. Without this change it's possible to pollute the
! 1788: dnsmasq cache with bad data by making a query with the
! 1789: 'cd' bit set and subsequent queries would return this data
! 1790: without its being marked as suspect. Thanks to Anders
! 1791: Kaseorg for pointing out this problem.
! 1792:
! 1793: Add --proxy-dnssec flag, for compliance with RFC
! 1794: 4035. Dnsmasq will now clear the 'ad' bit in answers returned
! 1795: from upstream validating nameservers unless this option is
! 1796: set.
! 1797:
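The two entries above (never cache 'cd' replies; clear 'ad' unless --proxy-dnssec) come down to two header-flag checks. The block below is an added illustration, not dnsmasq source: the function names and the two 12-byte sample headers are constructed for this example, and only the AD/CD bit positions are taken from the DNS header layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
/* Masks within the 16-bit flags word held in header bytes 2 and 3. */
#define FLAG_AD 0x0020  /* Authentic Data: upstream validated the answer */
#define FLAG_CD 0x0010  /* Checking Disabled: validation failures ignored */

/* Constructed sample headers (ID 0x1234, 1 question, 1 answer). */
const uint8_t sample_ad_reply[DNS_HDR_LEN] =   /* QR RD | RA AD */
    { 0x12, 0x34, 0x81, 0xA0, 0, 1, 0, 1, 0, 0, 0, 0 };
const uint8_t sample_cd_reply[DNS_HDR_LEN] =   /* QR RD | RA CD */
    { 0x12, 0x34, 0x81, 0x90, 0, 1, 0, 1, 0, 0, 0, 0 };

static uint16_t dns_flags(const uint8_t *pkt)
{
    return (uint16_t)((pkt[2] << 8) | pkt[3]);
}

/* Return 1 if a reply may enter the cache, 0 otherwise.
 * forwarded_with_cd records whether the query we sent upstream had CD set;
 * either that, or CD in the reply itself, makes the data uncacheable,
 * because later clients would receive it with no sign it skipped validation. */
int reply_cacheable(const uint8_t *reply, size_t len, int forwarded_with_cd)
{
    if (len < DNS_HDR_LEN)
        return 0;                       /* truncated header: never cache */
    if (forwarded_with_cd)
        return 0;
    if (dns_flags(reply) & FLAG_CD)
        return 0;
    return 1;
}

/* Prepare a reply for the client: clear AD unless proxy_dnssec is set.
 * Returns the resulting flags word, or -1 if the header is too short. */
int client_flags(uint8_t *reply, size_t len, int proxy_dnssec)
{
    if (len < DNS_HDR_LEN)
        return -1;
    if (!proxy_dnssec)
        reply[3] &= (uint8_t)~(FLAG_AD & 0xff);
    return dns_flags(reply);
}

int main(void)
{
    uint8_t buf[DNS_HDR_LEN];

    printf("AD reply, query without CD: cacheable=%d\n",
           reply_cacheable(sample_ad_reply, sizeof sample_ad_reply, 0));
    printf("AD reply, query sent with CD: cacheable=%d\n",
           reply_cacheable(sample_ad_reply, sizeof sample_ad_reply, 1));
    printf("CD reply: cacheable=%d\n",
           reply_cacheable(sample_cd_reply, sizeof sample_cd_reply, 0));

    memcpy(buf, sample_ad_reply, sizeof buf);
    printf("flags with proxy-dnssec:    0x%04x\n",
           (unsigned)client_flags(buf, sizeof buf, 1));
    printf("flags without proxy-dnssec: 0x%04x\n",
           (unsigned)client_flags(buf, sizeof buf, 0));
    return 0;
}
```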
! 1798: Allow a filename of "-" for --conf-file to read
! 1799: stdin. Suggestion from Timothy Redaelli.
! 1800:
! 1801: Rotate the order of SRV records in replies, to provide
! 1802: round-robin load balancing when all the priorities are
! 1803: equal. Thanks to Peter McKinney for the suggestion.
! 1804:
! 1805: Edit
! 1806: contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist
! 1807: so that it doesn't log all queries to a file by
! 1808: default. Thanks again to Peter McKinney.
! 1809:
! 1810: By default, setting an IPv4 address for a domain but not
! 1811: an IPv6 address causes dnsmasq to return
! 1812: a NODATA reply for IPv6 (or vice-versa). So
! 1813: --address=/google.com/1.2.3.4 stops IPv6 queries for
! 1814: *google.com from being forwarded. Make it possible to
! 1815: override this behaviour by defining the semantics if the
! 1816: same domain appears in both --server and --address.
! 1817: In that case, the --address has priority for the address
! 1818: family in which it appears, but the --server has priority
! 1819: for the address family which doesn't appear in --address.
! 1820: So:
! 1821: --address=/google.com/1.2.3.4
! 1822: --server=/google.com/#
! 1823: will return 1.2.3.4 for IPv4 queries for *.google.com but
! 1824: forward IPv6 queries to the normal upstream nameserver.
! 1825: Similarly when setting an IPv6 address
! 1826: only this will allow forwarding of IPv4 queries. Thanks to
! 1827: William for pointing out the need for this.
! 1828:
! 1829: Allow more than one --dhcp-optsfile and --dhcp-hostsfile
! 1830: and make them understand directories as arguments in the
! 1831: same way as --addn-hosts. Suggestion from John Hanks.
! 1832:
! 1833: Ignore rebinding requests for leases we don't know
! 1834: about. Rebind is broadcast, so we might get to overhear a
! 1835: request meant for another DHCP server. NAKing this is
! 1836: wrong. Thanks to Brad D'Hondt for assistance with this.
! 1837:
! 1838: Fix cosmetic bug which produced strange output when
! 1839: dumping cache statistics with some configurations. Thanks
! 1840: to Fedor Kozhevnikov for spotting this.
1.1 misho 1841:
1842:
1843: version 2.55
1.1.1.4 ! misho 1844: Fix crash when /etc/ethers is in use. Thanks to
! 1845: Gianluigi Tiesi for finding this.
1.1 misho 1846:
1.1.1.4 ! misho 1847: Fix crash in netlink_multicast(). Thanks to Arno Wald for
! 1848: finding this one.
1.1 misho 1849:
1.1.1.4 ! misho 1850: Allow the empty domain "." in dhcp domain-search (119)
! 1851: options.
1.1 misho 1852:
1853:
1854: version 2.54
1.1.1.4 ! misho 1855: There is no version 2.54 to avoid confusion with 2.53,
! 1856: which incorrectly identifies itself as 2.54.
1.1 misho 1857:
1858:
1859: version 2.53
1.1.1.4 ! misho 1860: Fix failure to compile on Debian/kFreeBSD. Thanks to
! 1861: Axel Beckert and Petr Salinger.
1.1 misho 1862:
1.1.1.4 ! misho 1863: Fix code to avoid scary strict-aliasing warnings
! 1864: generated by gcc 4.4.
! 1865:
! 1866: Added FAQ entry warning about DHCP failures with Vista
! 1867: when firewalls block 255.255.255.255.
! 1868:
! 1869: Fixed bug which caused bad things to happen if a
! 1870: resolv.conf file which exists is subsequently removed.
! 1871: Thanks to Nikolai Saoukh for the patch.
! 1872:
! 1873: Rationalised the DHCP tag system. Every configuration item
! 1874: which can set a tag does so by adding "set:<tag>" and
! 1875: every configuration item which is conditional on a tag is
! 1876: made so by "tag:<tag>". The NOT operator changes to '!',
! 1877: which is a bit more intuitive too. Dhcp-host directives
! 1878: can set more than one tag now. The old '#' NOT,
! 1879: "net:" prefix and no-prefixes are still honoured, so
! 1880: no existing config file needs to be changed, but
! 1881: the documentation and new-style config files should be
! 1882: much less confusing.
! 1883:
! 1884: Added --tag-if to allow boolean operations on tags.
! 1885: This allows complicated logic to be clearer and more
! 1886: general. A great suggestion from Richard Voigt.
! 1887:
! 1888: Add broadcast/unicast information to DHCP logging.
! 1889:
! 1890: Allow --dhcp-broadcast to be unconditional.
! 1891:
! 1892: Fixed incorrect behaviour with NOT <tag> conditionals in
! 1893: dhcp-options. Thanks to Max Turkewitz for assistance
! 1894: finding this.
! 1895:
! 1896: If we send vendor-class encapsulated options based on the
! 1897: vendor-class supplied by the client, and no explicit
! 1898: vendor-class option is given, echo back the vendor-class
! 1899: from the client.
! 1900:
! 1901: Fix bug which stopped dnsmasq from matching both a
! 1902: circuitid and a remoteid. Thanks to Ignacio Bravo for
! 1903: finding this.
! 1904:
! 1905: Add --dhcp-proxy, which makes it possible to configure
! 1906: dnsmasq to use a DHCP relay agent as a full proxy, with
! 1907: all DHCP messages passing through the proxy. This is
! 1908: useful if the relay adds extra information to the packets
! 1909: it forwards, but cannot be configured with the RFC 5107
! 1910: server-override option.
! 1911:
! 1912: Added interface:<iface name> part to dhcp-range. The
! 1913: semantics of this are very odd at first sight, but it
! 1914: allows a single line of the form
! 1915: dhcp-range=interface:virt0,192.168.0.4,192.168.0.200
! 1916: to be added to dnsmasq configuration which then supplies
! 1917: DHCP and DNS services to that interface, without affecting
! 1918: what services are supplied to other interfaces and
! 1919: irrespective of the existence or lack of
! 1920: interface=<interface>
! 1921: lines elsewhere in the dnsmasq configuration. The idea is
! 1922: that such a line can be added automatically by libvirt
! 1923: or equivalent systems, without disturbing any manual
! 1924: configuration.
! 1925:
! 1926: Similarly to the above, allow --enable-tftp=<interface>
! 1927:
! 1928: Allow a TFTP root to be set separately for requests via
! 1929: different interfaces, --tftp-root=<path>,<interface>
! 1930:
! 1931: Correctly handle and log clashes between CNAMES and
! 1932: DNS names being given to DHCP leases. This fixes a bug
! 1933: which caused nonsense IP addresses to be logged. Thanks to
! 1934: Sergei Zhirikov for finding and analysing the problem.
! 1935:
! 1936: Tweak flush_log so as to avoid leaving the log
! 1937: file in non-blocking mode. O_NONBLOCK is a property of the
! 1938: file, not the process/descriptor.
! 1939:
! 1940: Fix contrib/Solaris10/create_package
! 1941: (/usr/man -> /usr/share/man) Thanks to Vita Batrla.
! 1942:
! 1943: Fix a problem where, if a client got a lease, then went
! 1944: to another subnet and got another lease, then moved back,
! 1945: it couldn't resume the old lease, but would instead get
! 1946: a new address. Thanks to Leonardo Rodrigues for spotting
! 1947: this and testing the fix.
! 1948:
! 1949: Fix weird bug which sometimes omitted certain characters
! 1950: from the start of quoted strings in dhcp-options. Thanks
! 1951: to Dayton Turner for spotting the problem.
! 1952:
! 1953: Add facility to redirect some domains to the standard
! 1954: upstream servers: this allows something like
! 1955: --server=/google.com/1.2.3.4 --server=/www.google.com/#
! 1956: which will send queries for *.google.com to 1.2.3.4,
! 1957: except *www.google.com which will be forwarded as usual.
! 1958: Thanks to AJ Weber for prompting this addition.
! 1959:
! 1960: Improve the hash-algorithm used to generate IP addresses
! 1961: from MAC addresses during initial DHCP address
! 1962: allocation. This improves performance when large numbers
! 1963: of hosts with similar MAC addresses all try and get an IP
! 1964: address at the same time. Thanks to Paul Smith for his
! 1965: work on this.
! 1966:
! 1967: Tweak DHCP code so that --bridge-interface can be used to
! 1968: select which IP alias of an interface should be used for
! 1969: DHCP purposes on Linux. If eth0 has an alias eth0:dhcp
! 1970: then adding --bridge-interface=eth0:dhcp,eth0 will use
! 1971: the address of eth0:dhcp to determine the correct subnet
! 1972: for DHCP address allocation. Thanks to Pawel Golaszewski
! 1973: for prompting this and Eric Cooper for further testing.
! 1974:
! 1975: Add --dhcp-generate-names. Suggestion by Ferenc Wagner.
! 1976:
! 1977: Tweak DNS server selection algorithm when there is more
! 1978: than one server available for a domain, eg.
! 1979: --server=/mydomain/1.1.1.1
! 1980: --server=/mydomain/2.2.2.2
! 1981: Thanks to Alberto Cuesta-Canada for spotting a weakness
! 1982: here.
! 1983:
! 1984: Add --max-ttl. Thanks to Fredrik Ringertz for the patch.
! 1985:
! 1986: Allow --log-facility=- to force all logging to
! 1987: stderr. Suggestion from Clemens Fischer.
! 1988:
! 1989: Fix regression which caused configuration like
! 1990: --address=/.domain.com/1.2.3.4 to be rejected. The dot to the
! 1991: left of the domain has been implied and not required for a
! 1992: long time, but it should be accepted for backward
! 1993: compatibility. Thanks to Andrew Burcin for spotting this.
! 1994:
! 1995: Add --rebind-domain-ok and --rebind-localhost-ok.
! 1996: Suggestion from Clemens Fischer.
! 1997:
! 1998: Log replies to queries of type TXT, when --log-queries
! 1999: is set.
! 2000:
! 2001: Fix compiler warnings when compiled with -DNO_DHCP. Thanks
! 2002: to Shantanu Gadgil for the patch.
! 2003:
! 2004: Updated French translation. Thanks to Gildas Le Nadan.
! 2005:
! 2006: Updated Polish translation. Thanks to Jan Psota.
! 2007:
! 2008: Updated German translation. Thanks to Matthias Andree.
! 2009:
! 2010: Added contrib/static-arp, thanks to Darren Hoo.
! 2011:
! 2012: Fix corruption of the domain when a name from /etc/hosts
! 2013: overrides one supplied by a DHCP client. Thanks to Fedor
! 2014: Kozhevnikov for spotting the problem.
1.1 misho 2015:
1.1.1.4 ! misho 2016: Updated Spanish translation. Thanks to Chris Chatham.
1.1 misho 2017:
2018:
2019: version 2.52
1.1.1.4 ! misho 2020: Work around a Linux kernel bug which insists that the
! 2021: length of the option passed to setsockopt must be at least
! 2022: sizeof(int) bytes, even if we're calling SO_BINDTODEVICE
! 2023: and the device name is "lo". Note that this is fixed
! 2024: in kernel 2.6.31, but the workaround is harmless and
! 2025: allows earlier kernels to be used. Also fix dnsmasq
! 2026: bug which reported the wrong address when this failed.
! 2027: Thanks to Fedor for finding this.
! 2028:
! 2029: The API for IPv6 PKTINFO changed around Linux kernel
! 2030: 2.6.14. Work around the case where dnsmasq is compiled
! 2031: against newer headers, but then run on an old kernel:
! 2032: necessary for some *WRT distros.
! 2033:
! 2034: Re-read the set of network interfaces when re-loading
! 2035: /etc/resolv.conf if --bind-interfaces is not set. This
! 2036: handles the case that loopback interfaces do not exist
! 2037: when dnsmasq is first started.
! 2038:
! 2039: Tweak the PXE code to support port 4011. This should
! 2040: reduce broadcasts and make things more reliable when other
! 2041: servers are around. It also improves inter-operability
! 2042: with certain clients.
! 2043:
! 2044: Make a pxe-service configuration with no filename or boot
! 2045: service type legal: this does a local boot. eg.
! 2046: pxe-service=x86PC, "Local boot"
! 2047:
! 2048: Be more conservative in detecting "A for A"
! 2049: queries. Dnsmasq checks if the name in a type=A query looks
! 2050: like a dotted-quad IP address and answers the query itself
! 2051: if so, rather than forwarding it. Previously dnsmasq
! 2052: relied on the library function inet_addr() to convert
! 2053: addresses, and that will accept some things which are
! 2054: confusing in this context, like 1.2.3 or even just
! 2055: 1234. Now we only do A for A processing for four decimal
! 2056: numbers delimited by dots.
! 2057:
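The difference described in the "A for A" entry above can be seen by running the same names through inet_addr() and through a strict four-field check. This is an added example, not the dnsmasq implementation: the function names are hypothetical, and the 0..255 range limit and three-digit cap per field are assumptions of this sketch.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Lenient: accept whatever inet_addr() converts. On success store the
 * address in host byte order. (inet_addr() signals failure with
 * INADDR_NONE, so it cannot distinguish 255.255.255.255 from an error.) */
int lenient_parse(const char *name, unsigned long *value)
{
    in_addr_t a = inet_addr(name);

    if (a == (in_addr_t)-1)
        return 0;
    if (value)
        *value = (unsigned long)ntohl(a);
    return 1;
}

/* Strict: exactly four decimal numbers delimited by dots, nothing else.
 * Assumption of this example: each field is 1-3 digits and at most 255.
 * On success the four octets are written to out (which may be NULL). */
int strict_dotted_quad(const char *name, unsigned char out[4])
{
    const char *p = name;
    int field = 0;

    for (;;) {
        unsigned int v = 0;
        int digits = 0;

        /* ctype functions need an unsigned char argument. */
        while (isdigit((unsigned char)*p)) {
            v = v * 10 + (unsigned int)(*p - '0');
            if (++digits > 3 || v > 255)
                return 0;
            p++;
        }
        if (digits == 0)
            return 0;               /* empty field, or a non-digit */
        if (out)
            out[field] = (unsigned char)v;
        if (++field == 4)
            return *p == '\0';      /* no trailing characters allowed */
        if (*p != '.')
            return 0;               /* too few fields or junk */
        p++;
    }
}

int main(void)
{
    /* Constructed sample names, including the two from the entry above. */
    const char *names[] = { "192.168.0.1", "1.2.3", "1234", "1.2.3.4." };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        unsigned long v = 0;
        int lenient = lenient_parse(names[i], &v);

        printf("%-12s lenient=%d (0x%08lx) strict=%d\n",
               names[i], lenient, lenient ? v : 0UL,
               strict_dotted_quad(names[i], NULL));
    }
    return 0;
}
```

With the lenient parser, "1.2.3" converts to 1.2.0.3 and "1234" to 0.0.4.210, so a name that merely looks numeric would be answered locally as an address; the strict check rejects both.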
! 2058: A couple of tweaks to fix compilation on Solaris. Thanks
! 2059: to Joel Macklow for help with this.
! 2060:
! 2061: Another Solaris compilation tweak, needed for Solaris
! 2062: 2009.06. Thanks to Lee Essen for that.
! 2063:
! 2064: Added extract packaging stuff from Lee Essen to
! 2065: contrib/Solaris10.
! 2066:
! 2067: Increased the default limit on number of leases to 1000
! 2068: (from 150). This is mainly a defence against DoS attacks,
! 2069: and for the average "one for two class C networks"
! 2070: installation, IP address exhaustion does that just as
! 2071: well. Making the limit greater than the number of IP
! 2072: addresses available in such an installation removes a
! 2073: surprise which otherwise can catch people out.
! 2074:
! 2075: Removed extraneous trailing space in the value of the
! 2076: DNSMASQ_TIME_REMAINING, DNSMASQ_LEASE_LENGTH and
! 2077: DNSMASQ_LEASE_EXPIRES environment variables. Thanks to
! 2078: Gildas Le Nadan for spotting this.
! 2079:
! 2080: Provide the network-id tags for a DHCP transaction to
! 2081: the lease-change script in the environment variable
! 2082: DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan.
! 2083:
! 2084: Add support for RFC3925 "Vendor-Identifying Vendor
! 2085: Options". The syntax looks like this:
! 2086: --dhcp-option=vi-encap:<enterprise number>, .........
! 2087:
! 2088: Add support to --dhcp-match to allow matching against
! 2089: RFC3925 "Vendor-Identifying Vendor Classes". The syntax
! 2090: looks like this:
! 2091: --dhcp-match=tag,vi-encap:<enterprise number>, <value>
! 2092:
! 2093: Add some application specific code to assist in
! 2094: implementing the Broadband forum TR069 CPE-WAN
! 2095: specification. The details are in contrib/CPE-WAN/README
! 2096:
! 2097: Increase the default DNS packet size limit to 4096, as
! 2098: recommended by RFC5625 section 4.4.3. This can be
! 2099: reconfigured using --edns-packet-max if needed. Thanks to
! 2100: Francis Dupont for pointing this out.
! 2101:
! 2102: Rewrite query-ids even for TSIG signed packets, since
! 2103: this is allowed by RFC5625 section 4.5.
! 2104:
! 2105: Use getopt_long by default on OS X. It has been supported
! 2106: since version 10.3.0. Thanks to Arek Dreyer for spotting
! 2107: this.
! 2108:
! 2109: Added up-to-date startup configuration for MacOSX/launchd
! 2110: in contrib/MacOSX-launchd. Thanks to Arek Dreyer for
! 2111: providing this.
! 2112:
! 2113: Fix link error when including Dbus but excluding DHCP.
! 2114: Thanks to Oschtan for the bug report.
! 2115:
! 2116: Updated French translation. Thanks to Gildas Le Nadan.
! 2117:
! 2118: Updated Polish translation. Thanks to Jan Psota.
! 2119:
! 2120: Updated Spanish translation. Thanks to Chris Chatham.
! 2121:
! 2122: Fixed confusion about domains, when looking up DHCP hosts
! 2123: in /etc/hosts. This could cause spurious "Ignoring
! 2124: domain..." messages. Thanks to Fedor Kozhevnikov for
! 2125: finding and analysing the problem.
! 2126:
1.1 misho 2127:
2128: version 2.51
1.1.1.4 ! misho 2129: Add support for internationalised DNS. Non-ASCII characters
! 2130: in domain names found in /etc/hosts, /etc/ethers and
! 2131: /etc/dnsmasq.conf will be correctly handled by translation to
! 2132: punycode, as specified in RFC3490. This function is only
! 2133: available if dnsmasq is compiled with internationalisation
! 2134: support, and adds a dependency on GNU libidn. Without i18n
! 2135: support, dnsmasq continues to be compilable with just
! 2136: standard tools. Thanks to Yves Dorfsman for the
! 2137: suggestion.
! 2138:
! 2139: Add two more environment variables for lease-change scripts:
! 2140: First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname
! 2141: supplied by a client, even if the actual hostname used is
! 2142: over-ridden by dhcp-host or dhcp-ignore-names directives.
! 2143: Also DNSMASQ_RELAY_ADDRESS which gives the address of
! 2144: a DHCP relay, if used.
! 2145: Suggestions from Michael Rack.
! 2146:
! 2147: Fix regression which broke echo of relay-agent
! 2148: options. Thanks to Michael Rack for spotting this.
! 2149:
! 2150: Don't treat option 67 as being interchangeable with
! 2151: dhcp-boot parameters if it's specified as
! 2152: dhcp-option-force.
! 2153:
! 2154: Make the code to call scripts on lease-change compile-time
! 2155: optional. It can be switched off by editing src/config.h
! 2156: or building with "make COPTS=-DNO_SCRIPT".
! 2157:
! 2158: Make the TFTP server cope with filenames from Windows/DOS
! 2159: which use '\' as pathname separator. Thanks to Ralf for
! 2160: the patch.
! 2161:
! 2162: Updated Polish translation. Thanks to Jan Psota.
! 2163:
! 2164: Warn if an IP address is duplicated in /etc/ethers. Thanks
! 2165: to Felix Schwarz for pointing this out.
! 2166:
! 2167: Teach --conf-dir to take an option list of file suffixes
! 2168: which will be ignored when scanning the directory. Useful
! 2169: for backup files etc. Thanks to Helmut Hullen for the
! 2170: suggestion.
! 2171:
! 2172: Add new DHCP option named tftpserver-address, which
! 2173: corresponds to the third argument of dhcp-boot. This
! 2174: allows the complete functionality of dhcp-boot to be
! 2175: replicated with dhcp-option. Useful when using
! 2176: dhcp-optsfile.
! 2177:
! 2178: Test which upstream nameserver to use every 10 seconds
! 2179: or 50 queries and not just when a query times out and
! 2180: is retried. This should improve performance when there
! 2181: is a slow nameserver in the list. Thanks to Joe for the
! 2182: suggestion.
! 2183:
! 2184: Don't do any PXE processing, even for clients with the
! 2185: correct vendorclass, unless at least one pxe-prompt or
! 2186: pxe-service option is given. This stops dnsmasq
! 2187: interfering with proxy PXE subsystems when it is just
! 2188: the DHCP server. Thanks to Spencer Clark for spotting this.
! 2189:
! 2190: Limit the blocksize used for TFTP transfers to a value
! 2191: which avoids packet fragmentation, based on the MTU of the
! 2192: local interface. Many netboot ROMs can't cope with
! 2193: fragmented packets.
1.1 misho 2194:
1.1.1.4 ! misho 2195: Honour dhcp-ignore configuration for PXE and proxy-PXE
! 2196: requests. Thanks to Niels Basjes for the bug report.
1.1 misho 2197:
1.1.1.4 ! misho 2198: Updated French translation. Thanks to Gildas Le Nadan.
1.1 misho 2199:
2200:
2201: version 2.50
1.1.1.4 ! misho 2202: Fix security problem which allowed any host permitted to
! 2203: do TFTP to possibly compromise dnsmasq by remote buffer
! 2204: overflow when TFTP enabled. Thanks to Core Security
! 2205: Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro
! 2206: Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and
! 2207: Pablo Annetta. This problem has Bugtraq id: 36121
! 2208: and CVE: 2009-2957
! 2209:
! 2210: Fix a problem which allowed a malicious TFTP client to
! 2211: crash dnsmasq. Thanks to Steve Grubb at Red Hat for
! 2212: spotting this. This problem has Bugtraq id: 36120 and
! 2213: CVE: 2009-2958
1.1 misho 2214:
2215:
2216: version 2.49
1.1.1.4 ! misho 2217: Fix regression in 2.48 which disables the lease-change
! 2218: script. Thanks to Jose Luis Duran for spotting this.
! 2219:
! 2220: Log TFTP "file not found" errors. These were not logged,
! 2221: since a normal PXELinux boot generates many of them, but
! 2222: the lack of the messages seems to be more confusing than
! 2223: routinely seeing them when there is no real error.
1.1 misho 2224:
1.1.1.4 ! misho 2225: Update Spanish translation. Thanks to Chris Chatham.
1.1 misho 2226:
2227:
2228: version 2.48
1.1.1.4 ! misho 2229: Archived the extensive, backwards, changelog to
! 2230: CHANGELOG.archive. The current changelog now runs from
! 2231: version 2.43 and runs conventionally.
! 2232:
! 2233: Fixed bug which broke binding of servers to physical
! 2234: interfaces when interface names were longer than four
! 2235: characters. Thanks to MURASE Katsunori for the patch.
! 2236:
! 2237: Fixed netlink code to check that messages come from the
! 2238: correct source, and not another userspace process. Thanks
! 2239: to Steve Grubb for the patch.
! 2240:
! 2241: Maintainability drive: removed bug and missing feature
! 2242: workarounds for some old platforms. Solaris 9, OpenBSD
! 2243: older than 4.1, Glibc older than 2.2, Linux 2.2.x and
! 2244: DBus older than 1.1.x are no longer supported.
! 2245:
! 2246: Don't read included configuration files more than once:
! 2247: allows complex configuration structures without problems.
! 2248:
! 2249: Mark log messages from the various subsystems in dnsmasq:
! 2250: messages from the DHCP subsystem now have the ident string
! 2251: "dnsmasq-dhcp" and messages from TFTP have ident
! 2252: "dnsmasq-tftp". Thanks to Olaf Westrik for the patch.
! 2253:
! 2254: Fix possible infinite DHCP protocol loop when an IP
! 2255: address is nailed to a hostname (not a MAC address) and a
! 2256: host sometimes provides the name, sometimes not.
! 2257:
! 2258: Allow --addn-hosts to take a directory: all the files
! 2259: in the directory are read. Thanks to Phil Cornelius for
! 2260: the suggestion.
! 2261:
! 2262: Support --bridge-interface on all platforms, not just BSD.
! 2263:
! 2264: Added support for advanced PXE functions. It's now
! 2265: possible to define a prompt and menu options which will
! 2266: be displayed when a client PXE boots. It's also possible to
! 2267: hand-off booting to other boot servers. Proxy-DHCP, where
! 2268: dnsmasq just supplies the PXE information and another DHCP
! 2269: server does address allocation, is also allowed. See the
! 2270: --pxe-prompt and --pxe-service keywords. Thanks to
! 2271: Alkis Georgopoulos for the suggestion and Guilherme Moro
! 2272: and Michael Brown for assistance.
! 2273:
! 2274: Improvements to DHCP logging. Thanks to Tom Metro for
! 2275: useful suggestions.
! 2276:
! 2277: Add ability to build dnsmasq without DHCP support. To do
! 2278: this, edit src/config.h or build with
! 2279: "make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch.
! 2280:
! 2281: Added --test command-line switch - syntax check
! 2282: configuration files only.
! 2283:
! 2284: Updated French translation. Thanks to Gildas Le Nadan.
1.1 misho 2285:
2286:
2287: version 2.47
1.1.1.4 ! misho 2288: Updated French translation. Thanks to Gildas Le Nadan.
1.1 misho 2289:
1.1.1.4 ! misho 2290: Fixed interface enumeration code to work on NetBSD
! 2291: 5.0. Thanks to Roy Marples for the patch.
1.1 misho 2292:
1.1.1.4 ! misho 2293: Updated config.h to use the same location for the lease
! 2294: file on NetBSD as the other *BSD variants. Also allow
! 2295: LEASEFILE and CONFFILE symbols to be overridden in CFLAGS.
! 2296:
! 2297: Handle duplicate address detection on IPv6 more
! 2298: intelligently. In IPv6, an interface can have an address
! 2299: which is not usable, because it is still undergoing DAD
! 2300: (such addresses are marked "tentative"). Attempting to
! 2301: bind to an address in this state returns an error,
! 2302: EADDRNOTAVAIL. Previously, on getting such an error,
! 2303: dnsmasq would silently abandon the address, and never
! 2304: listen on it. Now, it retries once per second for 20
! 2305: seconds before generating a fatal error. 20 seconds should
! 2306: be long enough for any DAD process to complete, but can be
! 2307: adjusted in src/config.h if necessary. Thanks to Martin
! 2308: Krafft for the bug report.
! 2309:
! 2310: Add DBus introspection. Patch from Jeremy Laine.
! 2311:
! 2312: Update Dbus configuration file. Patch from Colin Walters.
! 2313: Fix for this bug:
! 2314: http://bugs.freedesktop.org/show_bug.cgi?id=18961
! 2315:
! 2316: Support arbitrarily encapsulated DHCP options, suggestion
! 2317: and initial patch from Samium Gromoff. This is useful for
! 2318: (eg) iPXE, which expects all its private options to be
! 2319: encapsulated inside a single option 175. So, eg,
! 2320:
! 2321: dhcp-option = encap:175, 190, "iscsi-client0"
! 2322: dhcp-option = encap:175, 191, "iscsi-client0-secret"
! 2323:
! 2324: will provide iSCSI parameters to iPXE.
! 2325:
! 2326: Enhance --dhcp-match to allow testing of the contents of a
! 2327: client-sent option, as well as its presence. The
! 2328: application in mind for this is RFC 4578
! 2329: client-architecture specifiers, but it's generally useful.
! 2330: Joey Korkames suggested the enhancement.
! 2331:
! 2332: Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on
! 2333: OpenSolaris. Thanks to Bastian Machek for the heads-up.
! 2334:
! 2335: No longer complain about blank lines in
! 2336: /etc/ethers. Thanks to Jon Nelson for the patch.
! 2337:
! 2338: Fix binding of servers to physical devices, eg
! 2339: --server=/domain/1.2.3.4@eth0 which was broken from 2.43
! 2340: onwards unless --query-port=0 set. Thanks to Peter Naulls
! 2341: for the bug report.
! 2342:
! 2343: Reply to DHCPINFORM requests even when the supplied ciaddr
! 2344: doesn't fall in any dhcp-range. In this case it's not
! 2345: possible to supply a complete configuration, but
! 2346: individually-configured options (eg PAC) may be useful.
! 2347:
! 2348: Allow the source address of an alias to be a range:
! 2349: --alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole
! 2350: subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255,
! 2351: as before.
! 2352: --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
! 2353: maps only the 192.168.0.10->192.168.0.40 region. Thanks to
! 2354: Ib Uhrskov for the suggestion.
! 2355:
! 2356: Don't dynamically allocate DHCP addresses which may break
! 2357: Windows. Addresses which end in .255 or .0 are broken in
! 2358: Windows even when using supernetting.
! 2359: --dhcp-range=192.168.0.1,192.168.1.254,255.255.254.0 means
! 2360: 192.168.0.255 is a valid IP address, but not for Windows.
! 2361: See Microsoft KB281579. We therefore no longer allocate
! 2362: these addresses to avoid hard-to-diagnose problems.
! 2363:
! 2364: Update Polish translation. Thanks to Jan Psota.
! 2365:
! 2366: Delete the PID-file when dnsmasq shuts down. Note that by
! 2367: this time, dnsmasq is normally not running as root, so
! 2368: this will fail if the PID-file is stored in a root-owned
! 2369: directory; such failure is silently ignored. To take
! 2370: advantage of this feature, the PID-file must be stored in a
! 2371: directory owned and write-able by the user running
! 2372: dnsmasq.
1.1 misho 2373:
2374:
2375: version 2.46
1.1.1.4 ! misho 2376: Allow --bootp-dynamic to take a netid tag, so that it may
! 2377: be selectively enabled. Thanks to Olaf Westrik for the
! 2378: suggestion.
! 2379:
! 2380: Remove ISC-leasefile reading code. This has been
! 2381: deprecated for a long time, and last time I removed it, it
! 2382: ended up going back by request of one user. This time,
! 2383: it's gone for good; otherwise it would need to be
! 2384: re-worked to support multiple domains (see below).
! 2385:
! 2386: Support DHCP clients in multiple DNS domains. This is a
! 2387: long-standing request. Clients are assigned to a domain
! 2388: based on their IP address.
! 2389:
! 2390: Add --dhcp-fqdn flag, which changes behaviour of DNS names
! 2391: assigned to DHCP clients. When this is set, there must be
! 2392: a domain associated with each client, and only
! 2393: fully-qualified domain names are added to the DNS. The
! 2394: advantage is that only the FQDN needs to be unique,
! 2395: so that two or more DHCP clients can share a hostname, as
! 2396: long as they are in different domains.
! 2397:
! 2398: Set environment variable DNSMASQ_DOMAIN when invoking
! 2399: lease-change script. This may be useful information to
! 2400: have now that it's variable.
! 2401:
! 2402: Tighten up data-checking code for DNS packet
! 2403: handling. Thanks to Steve Dodd who found certain illegal
! 2404: packets which could crash dnsmasq. No memory overwrite was
! 2405: possible, so this is not a security issue beyond the DoS
! 2406: potential.
! 2407:
! 2408: Update example config dhcp option 47, the previous
! 2409: suggestion generated an illegal, zero-length,
! 2410: option. Thanks to Matthias Andree for finding this.
! 2411:
! 2412: Rewrite hosts-file reading code to remove the limit of
! 2413: 1024 characters per line. John C Meuser found this.
! 2414:
! 2415: Create a net-id tag with the name of the interface on
! 2416: which the DHCP request was received.
! 2417:
! 2418: Fixed minor memory leak in DBus code, thanks to Jeremy
! 2419: Laine for the patch.
! 2420:
! 2421: Emit DBus signals as the DHCP lease database
! 2422: changes. Thanks to Jeremy Laine for the patch.
! 2423:
! 2424: Allow for more than one MAC address in a dhcp-host
! 2425: line. This configuration tells dnsmasq that it's OK to
! 2426: abandon a DHCP lease of the fixed address to one MAC
! 2427: address, if another MAC address in the dhcp-host statement
! 2428: asks for an address. This is useful to give a fixed
! 2429: address to a host which has two network interfaces
! 2430: (say, a laptop with wired and wireless interfaces.)
! 2431: It's very important to ensure that only one interface
! 2432: at a time is up, since dnsmasq abandons the first lease
! 2433: and re-uses the address before the leased time has
! 2434: elapsed. John Gray suggested this.
! 2435:
! 2436: Tweak the response to a DHCP request packet with a wrong
! 2437: server-id when --dhcp-authoritative is set; dnsmasq now
! 2438: returns a DHCPNAK, rather than silently ignoring the
! 2439: packet. Thanks to Chris Marget for spotting this
! 2440: improvement.
! 2441:
! 2442: Add --cname option. This provides a limited alias
! 2443: function, usable for DHCP names. Thanks to AJ Weber for
! 2444: suggestions on this.
! 2445:
! 2446: Updated contrib/webmin with latest version from Neil
! 2447: Fisher.
! 2448:
! 2449: Updated Polish translation. Thanks to Jan Psota.
1.1 misho 2450:
1.1.1.4 ! misho 2451: Correct the text names for DHCP options 64 and 65 to be
! 2452: "nis+-domain" and "nis+-servers".
1.1 misho 2453:
1.1.1.4 ! misho 2454: Updated Spanish translation. Thanks to Chris Chatham.
! 2455:
! 2456: Force re-reading of /etc/resolv.conf when an "interface
! 2457: up" event occurs.
1.1 misho 2458:
2459:
2460: version 2.45
1.1.1.4 ! misho 2461: Fix total DNS failure in release 2.44 unless --min-port
! 2462: specified. Thanks to Steven Barth and Grant Coady for
! 2463: bug report. Also reject out-of-range port spec, which could
! 2464: break things too: suggestion from Gilles Espinasse.
! 2465:
1.1 misho 2466:
2467: version 2.44
1.1.1.4 ! misho 2468: Fix crash when unknown client attempts to renew a DHCP
! 2469: lease, problem introduced in version 2.43. Thanks to
! 2470: Carlos Carvalho for help chasing this down.
1.1 misho 2471:
1.1.1.4 ! misho 2472: Fix potential crash when a host which doesn't have a lease
! 2473: does DHCPINFORM. Again introduced in 2.43. This bug has
! 2474: never been reported in the wild.
1.1 misho 2475:
1.1.1.4 ! misho 2476: Fix crash in netlink code introduced in 2.43. Thanks to
! 2477: Jean Wolter for finding this.
1.1 misho 2478:
1.1.1.4 ! misho 2479: Change implementation of min_port to work even if min-port
! 2480: is large.
1.1 misho 2481:
1.1.1.4 ! misho 2482: Patch to enable compilation of latest Mac OS X. Thanks to
! 2483: David Gilman.
1.1 misho 2484:
1.1.1.4 ! misho 2485: Update Spanish translation. Thanks to Christopher Chatham.
1.1 misho 2486:
2487:
2488: version 2.43
1.1.1.4 ! misho 2489: Updated Polish translation. Thanks to Jan Psota.
1.1 misho 2490:
1.1.1.4 ! misho 2491: Flag errors when configuration options are repeated
! 2492: illegally.
1.1 misho 2493:
1.1.1.4 ! misho 2494: Further tweaks for GNU/kFreeBSD
1.1 misho 2495:
1.1.1.4 ! misho 2496: Add --no-wrap to msgmerge call - provides nicer .po file
! 2497: format.
! 2498:
! 2499: Honour lease-time spec in dhcp-host lines even for
! 2500: BOOTP. The user is assumed to know what they are doing in
! 2501: this case. (Hosts without the time spec still get infinite
! 2502: leases for BOOTP, over-riding the default in the
! 2503: dhcp-range.) Thanks to Peter Katzmann for uncovering this.
! 2504:
! 2505: Fix problem matching relay-agent ids. Thanks to Michael
! 2506: Rack for the bug report.
! 2507:
! 2508: Add --naptr-record option. Suggestion from Johan
! 2509: Bergquist.
! 2510:
! 2511: Implement RFC 5107 server-id-override DHCP relay agent
! 2512: option.
! 2513:
! 2514: Apply patches from Stefan Kruger for compilation on
! 2515: Solaris 10 under Sun studio.
! 2516:
! 2517: Yet more tweaking of Linux capability code, to suppress
! 2518: pointless whingeing from kernel 2.6.25 and above.
! 2519:
! 2520: Improve error checking during startup. Previously, some
! 2521: errors which occurred during startup would be worked
! 2522: around, with dnsmasq still starting up. Some were logged,
! 2523: some silent. Now, they all cause a fatal error and dnsmasq
! 2524: terminates with a non-zero exit code. The errors are those
! 2525: associated with changing uid and gid, setting process
! 2526: capabilities and writing the pidfile. Thanks to Uwe
! 2527: Gansert and the Suse security team for pointing out
! 2528: this improvement, and Bill Reimers for good implementation
! 2529: suggestions.
! 2530:
! 2531: Provide NO_LARGEFILE compile option to switch off largefile
! 2532: support when compiling against versions of uclibc which
! 2533: don't support it. Thanks to Stephane Billiart for the patch.
! 2534:
! 2535: Implement random source ports for interactions with
! 2536: upstream nameservers. New spoofing attacks have been found
! 2537: against nameservers which do not do this, though it is not
! 2538: clear if dnsmasq is vulnerable, since it doesn't implement
! 2539: recursion. By default dnsmasq will now use a different
! 2540: source port (and socket) for each query it sends
! 2541: upstream. This behaviour can be suppressed using the
! 2542: --query-port option, and the old default behaviour
! 2543: restored using --query-port=0. Explicit source-port
! 2544: specifications in --server configs are still honoured.
! 2545:
! 2546: Replace the random number generator, for better
! 2547: security. On most BSD systems, dnsmasq uses the
! 2548: arc4random() RNG, which is secure, but on other platforms,
! 2549: it relied on the C-library RNG, which may be
! 2550: guessable and therefore allow spoofing. This release
! 2551: replaces the libc RNG with the SURF RNG, from Daniel
! 2552: J. Bernstein's DJBDNS package.
! 2553:
! 2554: Don't attempt to change user or group or set capabilities
! 2555: if dnsmasq is run as a non-root user. Without this, the
! 2556: change from soft to hard errors when these fail causes
! 2557: problems for non-root daemons listening on high
! 2558: ports. Thanks to Patrick McLean for spotting this.
1.1 misho 2559:
1.1.1.4 ! misho 2560: Updated French translation. Thanks to Gildas Le Nadan.
1.1 misho 2561:
2562:
2563: version 2.42
1.1.1.4 ! misho 2564: The changelog for version 2.42 and earlier is
! 2565: available in CHANGELOG.archive.