1: version 2.83
2: Use the values of --min-port and --max-port in outgoing
3: TCP connections to upstream DNS servers.
4:
5: Fix a remote buffer overflow problem in the DNSSEC code. Any
6: dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
7: referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
8: CVE-2020-25687.
9:
10: Be sure to only accept UDP DNS query replies at the address
11: from which the query was originated. This keeps as much entropy
12: in the {query-ID, random-port} tuple as possible, to help defeat
13: cache poisoning attacks. Refer: CVE-2020-25684.
14:
15: Use the SHA-256 hash function to verify that DNS answers
16: received are for the questions originally asked. This replaces
17: the slightly insecure SHA-1 (when compiled with DNSSEC) or
18: the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
19:
20: Handle multiple identical near simultaneous DNS queries better.
21: Previously, such queries would all be forwarded
22: independently. This is, in theory, inefficent but in practise
23: not a problem, _except_ that is means that an answer for any
24: of the forwarded queries will be accepted and cached.
25: An attacker can send a query multiple times, and for each repeat,
26: another {port, ID} becomes capable of accepting the answer he is
27: sending in the blind, to random IDs and ports. The chance of a
28: succesful attack is therefore multiplied by the number of repeats
29: of the query. The new behaviour detects repeated queries and
30: merely stores the clients sending repeats so that when the
31: first query completes, the answer can be sent to all the
32: clients who asked. Refer: CVE-2020-25686.
33:
34:
35: version 2.82
36: Improve behaviour in the face of network interfaces which come
37: and go and change index. Thanks to Petr Mensik for the patch.
38:
39: Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
40: to a warning.
41:
42: Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in --dhcp-option.
43:
44: Fix crash under heavy TCP connection load introduced in 2.81.
45: Thanks to Frank for good work chasing this down.
46:
47: Change default lease time for DHCPv6 to one day.
48:
49: Alter calculation of preferred and valid times in router
50: advertisements, so that these do not have a floor applied
51: of the lease time in the dhcp-range if this is not explicitly
52: specified and is merely the default.
53: Thanks to Martin-Éric Racine for suggestions on this.
54:
55:
56: version 2.81
57: Improve cache behaviour for TCP connections. For ease of
58: implementation, dnsmasq has always forked a new process to handle
59: each incoming TCP connection. A side-effect of this is that
60: any DNS queries answered from TCP connections are not cached:
61: when TCP connections were rare, this was not a problem.
62: With the coming of DNSSEC, it is now the case that some
63: DNSSEC queries have answers which spill to TCP, and if,
64: for instance, this applies to the keys for the root, then
65: those never get cached, and performance is very bad.
66: This fix passes cache entries back from the TCP child process to
67: the main server process, and fixes the problem.
68:
69: Remove the NO_FORK compile-time option, and support for uclinux.
70: In an era where everything has an MMU, this looks like
71: an anachronism, and it adds to (Ok, multiplies!) the
72: combinatorial explosion of compile-time options. Thanks to
73: Kevin Darbyshire-Bryant for the patch.
74:
75: Fix line-counting when reading /etc/hosts and friends; for
76: correct error messages. Thanks to Christian Rosentreter
77: for reporting this.
78:
79: Fix bug in DNS non-terminal code, added in 2.80, which could
80: sometimes cause a NODATA rather than an NXDOMAIN reply.
81: Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
82: for spotting and diagnosing the bug and providing patches.
83:
84: Support TCP-fastopen (RFC-7413) on both incoming and
85: outgoing TCP connections, if supported and enabled in the OS.
86:
87: Improve kernel-capability manipulation code under Linux. Dnsmasq
88: now fails early if a required capability is not available, and
89: tries not to request capabilities not required by its
90: configuration.
91:
92: Add --shared-network config. This enables allocation of addresses
93: by the DHCP server in subnets where the server (or relay) does not
94: have an interface on the network in that subnet. Many thanks to
95: kamp.de for sponsoring this feature.
96:
97: Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
98: validation check got borked in commit 2b38e382 and release 2.80.
99: Thanks to Tomasz Szajner for spotting this.
100:
101: Fix compilation against nettle version 3.5 and later.
102:
103: Fix spurious DNSSEC validation failures when the auth section
104: of a reply contains unsigned RRs from a signed zone,
105: with the exception that NSEC and NSEC3 RRs must always be signed.
106: Thanks to Tore Anderson for spotting and diagnosing the bug.
107:
108: Add --dhcp-ignore-clid. This disables reading of DHCP client
109: identifier option (option 61), so clients are only identified by
110: MAC addresses.
111:
112: Fix a bug which stopped --dhcp-name-match from working when a hostname
113: is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
114:
115: Fix bug which caused very rarely caused zero-length DHCPv6 packets.
116: Thanks to Dereck Higgins for spotting this.
117:
118: Add --tftp-single-port option.
119:
120: Enhance --conf-dir to load files in a deterministic order. Thanks to
121: Evgenii Seliavka for the suggestion and initial patch.
122:
123: In the router advert code, handle case where we have two
124: different interfaces on the same IPv6 net, and we are doing
125: RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
126: for spotting this case and making the initial patch.
127:
128: Support prefixed ranges of ipv6 addresses in dhcp-host.
129: This eases problems chain-netbooting, where each link in the
130: chain requests an address using a different UID. With a single
131: address, only one gets the "static" address, but with this
132: fix, enough addresses can be reserved for all the stages of the
133: boot. Many thanks to Harald Jensås for his work on this idea and
134: earlier patches.
135:
136: Add filtering by tag of --dhcp-host directives. Based on a patch
137: by Harald Jensås.
138:
139: Allow empty server spec in --rev-server, to match --server.
140:
141: Remove DSA signature verification from DNSSEC, as specified in
142: RFC 8624. Thanks to Loganaden Velvindron for the original patch.
143:
144: Add --script-on-renewal option.
145:
146:
147: version 2.80
148: Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
149: for the initial patch and motivation.
150:
151: Alter the default for dnssec-check-unsigned. Versions of
152: dnsmasq prior to 2.80 defaulted to not checking unsigned
153: replies, and used --dnssec-check-unsigned to switch
154: this on. Such configurations will continue to work as before,
155: but those which used the default of no checking will need to be
156: altered to explicitly select no checking. The new default is
157: because switching off checking for unsigned replies is
158: inherently dangerous. Not only does it open the possiblity of forged
159: replies, but it allows everything to appear to be working even
160: when the upstream namesevers do not support DNSSEC, and in this
161: case no DNSSEC validation at all is occuring.
162:
163: Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
164: are set. Thanks to Daniel Miess for help with this.
165:
166: Add a facilty to store DNS packets sent/recieved in a
167: pcap-format file for later debugging. The file location
168: is given by the --dumpfile option, and a bitmap controlling
169: which packets should be dumped is given by the --dumpmask
170: option.
171:
172: Handle the case of both standard and constructed dhcp-ranges on the
173: same interface better. We don't now contruct a dhcp-range if there's
174: already one specified. This allows the specified interface to
175: have different parameters and avoids advertising the same
176: prefix twice. Thanks to Luis Marsano for spotting this case.
177:
178: Allow zone transfer in authoritative mode if auth-peer is specified,
179: even if auth-sec-servers is not. Thanks to Raphaël Halimi for
180: the suggestion.
181:
182: Fix bug which sometimes caused dnsmasq to wrongly return answers
183: without DNSSEC RRs to queries with the do-bit set, but only when
184: DNSSEC validation was not enabled.
185: Thanks to Petr Menšík for spotting this.
186:
187: Fix missing fatal errors with some malformed options
188: (server, local, address, rebind-domain-ok, ipset, alias).
189: Thanks to Eugene Lozovoy for spotting the problem.
190:
191: Fix crash on startup with a --synth-domain which has no prefix.
192: Introduced in 2.79. Thanks to Andreas Engel for the bug report.
193:
194: Fix missing EDNS0 section in some replies generated by local
195: DNS configuration which confused systemd-resolvd. Thanks to
196: Steve Dodd for characterising the problem.
197:
198: Add --dhcp-name-match config option.
199:
200: Add --caa-record config option.
201:
202: Implement --address=/example.com/# as (more efficient) syntactic
203: sugar for --address=/example.com/0.0.0.0 and
204: --address=/example.com/::
205: Returning null addresses is a useful technique for ad-blocking.
206: Thanks to Peter Russell for the suggestion.
207:
208: Change anti cache-snooping behaviour with queries with the
209: recursion-desired bit unset. Instead to returning SERVFAIL, we
210: now always forward, and never answer from the cache. This
211: allows "dig +trace" command to work.
212:
213: Include in the example config file a formulation which
214: stops DHCP clients from claiming the DNS name "wpad".
215: This is a fix for the CERT Vulnerability VU#598349.
216:
217:
218: version 2.79
219: Fix parsing of CNAME arguments, which are confused by extra spaces.
220: Thanks to Diego Aguirre for spotting the bug.
221:
222: Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
223: upstream servers to an interface, rather than SO_BINDTODEVICE.
224: Thanks to Beniamino Galvani for the patch.
225:
226: Always return a SERVFAIL answer to DNS queries without the
227: recursion desired bit set, UNLESS acting as an authoritative
228: DNS server. This avoids a potential route to cache snooping.
229:
230: Add support for Ed25519 signatures in DNSSEC validation.
231:
232: No longer support RSA/MD5 signatures in DNSSEC validation,
233: since these are not secure. This behaviour is mandated in
234: RFC-6944.
235:
236: Fix incorrect error exit code from dhcp_release6 utility.
237: Thanks Gaudenz Steinlin for the bug report.
238:
239: Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
240: time validation when --dnssec-no-timecheck is in use.
241: Note that this is an incompatible change from earlier releases.
242:
243: Allow more than one --bridge-interface option to refer to an
244: interface, so that we can use
245: --bridge-interface=int1,alias1
246: --bridge-interface=int1,alias2
247: as an alternative to
248: --bridge-interface=int1,alias1,alias2
249: Thanks to Neil Jerram for work on this.
250:
251: Fix for DNSSEC with wildcard-derived NSEC records.
252: It's OK for NSEC records to be expanded from wildcards,
253: but in that case, the proof of non-existence is only valid
254: starting at the wildcard name, *.<domain> NOT the name expanded
255: from the wildcard. Without this check it's possible for an
256: attacker to craft an NSEC which wrongly proves non-existence.
257: Thanks to Ralph Dolmans for finding this, and co-ordinating
258: the vulnerability tracking and fix release.
259: CVE-2017-15107 applies.
260:
261: Remove special handling of A-for-A DNS queries. These
262: are no longer a significant problem in the global DNS.
263: http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
264: Thanks to Mattias Hellström for the initial patch.
265:
266: Fix failure to delete dynamically created dhcp options
267: from files in -dhcp-optsdir directories. Thanks to
268: Lindgren Fredrik for the bug report.
269:
270: Add to --synth-domain the ability to create names using
271: sequential numbers, as well as encodings of IP addresses.
272: For instance,
273: --synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
274: creates 21 domain names of the form
275: internal-4.thekelleys.org.uk over the address range given, with
276: internal-0.thekelleys.org.uk being 192.168.0.50 and
277: internal-20.thekelleys.org.uk being 192.168.0.70
278: Thanks to Andy Hawkins for the suggestion.
279:
280: Tidy up Crypto code, removing workarounds for ancient
281: versions of libnettle. We now require libnettle 3.
282:
283:
284: version 2.78
285: Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
286: Novakovic for the patch.
287:
288: Revert ping-check of address in DHCPDISCOVER if there
289: already exists a lease for the address. Under some
290: circumstances, and netbooted windows installation can reply
291: to pings before if has a DHCP lease and block allocation
292: of the address it already used during netboot. Thanks to
293: Jan Psota for spotting this.
294:
295: Fix DHCP relaying, broken in 2.76 and 2.77 by commit
296: ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
297: John Fitzgibbon for the diagnosis and patch.
298:
299: Try other servers if first returns REFUSED when
300: --strict-order active. Thanks to Hans Dedecker
301: for the patch
302:
303: Fix regression in 2.77, ironically added as a security
304: improvement, which resulted in a crash when a DNS
305: query exceeded 512 bytes (or the EDNS0 packet size,
306: if different.) Thanks to Christian Kujau, Arne Woerner
307: Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
308: chasing this one down. CVE-2017-13704 applies.
309:
310: Fix heap overflow in DNS code. This is a potentially serious
311: security hole. It allows an attacker who can make DNS
312: requests to dnsmasq, and who controls the contents of
313: a domain, which is thereby queried, to overflow
314: (by 2 bytes) a heap buffer and either crash, or
315: even take control of, dnsmasq.
316: CVE-2017-14491 applies.
317: Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
318: Kevin Hamacher and Ron Bowes of the Google Security Team for
319: finding this.
320:
321: Fix heap overflow in IPv6 router advertisement code.
322: This is a potentially serious security hole, as a
323: crafted RA request can overflow a buffer and crash or
324: control dnsmasq. Attacker must be on the local network.
325: CVE-2017-14492 applies.
326: Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
327: and Kevin Hamacher of the Google Security Team for
328: finding this.
329:
330: Fix stack overflow in DHCPv6 code. An attacker who can send
331: a DHCPv6 request to dnsmasq can overflow the stack frame and
332: crash or control dnsmasq.
333: CVE-2017-14493 applies.
334: Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
335: Kevin Hamacher and Ron Bowes of the Google Security Team for
336: finding this.
337:
338: Fix information leak in DHCPv6. A crafted DHCPv6 packet can
339: cause dnsmasq to forward memory from outside the packet
340: buffer to a DHCPv6 server when acting as a relay.
341: CVE-2017-14494 applies.
342: Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
343: Kevin Hamacher and Ron Bowes of the Google Security Team for
344: finding this.
345:
346: Fix DoS in DNS. Invalid boundary checks in the
347: add_pseudoheader function allows a memcpy call with negative
348: size An attacker which can send malicious DNS queries
349: to dnsmasq can trigger a DoS remotely.
350: dnsmasq is vulnerable only if one of the following option is
351: specified: --add-mac, --add-cpe-id or --add-subnet.
352: CVE-2017-14496 applies.
353: Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
354: Kevin Hamacher and Ron Bowes of the Google Security Team for
355: finding this.
356:
357: Fix out-of-memory Dos vulnerability. An attacker which can
358: send malicious DNS queries to dnsmasq can trigger memory
359: allocations in the add_pseudoheader function
360: The allocated memory is never freed which leads to a DoS
361: through memory exhaustion. dnsmasq is vulnerable only
362: if one of the following option is specified:
363: --add-mac, --add-cpe-id or --add-subnet.
364: CVE-2017-14495 applies.
365: Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
366: Kevin Hamacher and Ron Bowes of the Google Security Team for
367: finding this.
368:
369:
370: version 2.77
371: Generate an error when configured with a CNAME loop,
372: rather than a crash. Thanks to George Metz for
373: spotting this problem.
374:
375: Calculate the length of TFTP error reply packet
376: correctly. This fixes a problem when the error
377: message in a TFTP packet exceeds the arbitrary
378: limit of 500 characters. The message was correctly
379: truncated, but not the packet length, so
380: extra data was appended. This is a possible
381: security risk, since the extra data comes from
382: a buffer which is also used for DNS, so that
383: previous DNS queries or replies may be leaked.
384: Thanks to Mozilla for funding the security audit
385: which spotted this bug.
386:
387: Fix logic error in Linux netlink code. This could
388: cause dnsmasq to enter a tight loop on systems
389: with a very large number of network interfaces.
390: Thanks to Ivan Kokshaysky for the diagnosis and
391: patch.
392:
393: Fix problem with --dnssec-timestamp whereby receipt
394: of SIGHUP would erroneously engage timestamp checking.
395: Thanks to Kevin Darbyshire-Bryant for this work.
396:
397: Bump zone serial on reloading /etc/hosts and friends
398: when providing authoritative DNS. Thanks to Harrald
399: Dunkel for spotting this.
400:
401: Handle v4-mapped IPv6 addresses sanely in --synth-domain.
402: These have standard representation like ::ffff:1.2.3.4
403: and are now converted to names like
404: <prefix>--ffff-1-2-3-4.<domain>
405:
406: Handle binding upstream servers to an interface
407: (--server=1.2.3.4@eth0) when the named interface
408: is destroyed and recreated in the kernel. Thanks to
409: Beniamino Galvani for the patch.
410:
411: Allow wildcard CNAME records in authoritative zones.
412: For example --cname=*.example.com,default.example.com
413: Thanks to Pro Backup for sponsoring this development.
414:
415: Bump the allowed backlog of TCP connections from 5 to 32,
416: and make this a compile-time configurable option. Thanks
417: to Donatas Abraitis for diagnosing this as a potential
418: problem.
419:
420: Add DNSMASQ_REQUESTED_OPTIONS environment variable to the
421: lease-change script. Thanks to ZHAO Yu for the patch.
422:
423: Fix foobar in rrfilter code, that could cause malformed
424: replies, especially when DNSSEC validation on, and
425: the upstream server returns answer with the RRs in a
426: particular order. The only DNS server known to tickle
427: this is Nominum's. Thanks to Dave Täht for spotting the
428: bug and assisting in the fix.
429:
430: Fix the manpage which lied that only the primary address
431: of an interface is used by --interface-name.
432:
433: Make --localise-queries apply to names from --interface-name.
434: Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
435: for pushing this.
436:
437: Improve connection handling when talking to TCP upstream
438: servers. Specifically, be prepared to open a new TCP
439: connection when we want to make multiple queries
440: but the upstream server accepts fewer queries per connection.
441:
442: Improve logging of upstream servers when there are a lot
443: of "local addresses only" entries. Thanks to Hannu Nyman for
444: the patch.
445:
446: Make --bogus-priv apply to IPv6, for the prefixes specified
447: in RFC6303. Thanks to Kevin Darbyshire-Bryant for work on this.
448:
449: Allow use of MAC addresses with --tftp-unique-root. Thanks
450: to Floris Bos for the patch.
451:
452: Add --dhcp-reply-delay option. Thanks to Floris Bos
453: for the patch.
454:
455: Add mtu setting facility to --ra-param. Thanks to David
456: Flamand for the patch.
457:
458: Capture STDOUT and STDERR output from dhcp-script and log
459: it as part of the dnsmasq log stream. Makes life easier
460: for diagnosing unexpected problems in scripts.
461: Thanks to Petr Mensik for the patch.
462:
463: Generate fatal errors when failing to parse the output
464: of the dhcp-script in "init" mode. Avoids strange errors
465: when the script accidentally emits error messages.
466: Thanks to Petr Mensik for the patch.
467:
468: Make --rev-server for an RFC1918 subnet work even in the
469: presence of the --bogus-priv flag. Thanks to
470: Vladislav Grishenko for the patch.
471:
472: Extend --ra-param mtu: field to allow an interface name.
473: This allows the MTU of a WAN interface to be advertised on
474: the internal interfaces of a router. Thanks to
475: Vladislav Grishenko for the patch.
476:
477: Do ICMP-ping check for address-in-use for DHCPv4 when
478: the client specifies an address in DHCPDISCOVER, and when
479: an address in configured locally. Thanks to Alin Năstac
480: for spotting the problem.
481:
482: Add new DHCP tag "known-othernet" which is set when only a
483: dhcp-host exists for another subnet. Can be used to ensure
484: that privileged hosts are not given "guest" addresses by
485: accident. Thanks to Todd Sanket for the suggestion.
486:
487: Remove historic automatic inclusion of IDN support when
488: building internationalisation support. This doesn't
489: fit now there is a choice of IDN libraries. Be sure
490: to include either -DHAVE_IDN or -DHAVE_LIBIDN2 for
491: IDN support.
492:
493:
494: version 2.76
495: Include 0.0.0.0/8 in DNS rebind checks. This range
496: translates to hosts on the local network, or, at
497: least, 0.0.0.0 accesses the local host, so could
498: be targets for DNS rebinding. See RFC 5735 section 3
499: for details. Thanks to Stephen Röttger for the bug report.
500:
501: Enhance --add-subnet to allow arbitrary subnet addresses.
502: Thanks to Ed Barsley for the patch.
503:
504: Respect the --no-resolv flag in inotify code. Fixes bug
505: which caused dnsmasq to fail to start if a resolv-file
506: was a dangling symbolic link, even of --no-resolv set.
507: Thanks to Alexander Kurtz for spotting the problem.
508:
509: Fix crash when an A or AAAA record is defined locally,
510: in a hosts file, and an upstream server sends a reply
511: that the same name is empty. Thanks to Edwin Török for
512: the patch.
513:
514: Fix failure to correctly calculate cache-size when
515: reading a hosts-file fails. Thanks to André Glüpker
516: for the patch.
517:
518: Fix wrong answer to simple name query when --domain-needed
519: set, but no upstream servers configured. Dnsmasq returned
520: REFUSED, in this case, when it should be the same as when
521: upstream servers are configured - NOERROR. Thanks to
522: Allain Legacy for spotting the problem.
523:
524: Return REFUSED when running out of forwarding table slots,
525: not SERVFAIL.
526:
527: Add --max-port configuration. Thanks to Hans Dedecker for
528: the patch.
529:
530: Add --script-arp and two new functions for the dhcp-script.
531: These are "arp" and "arp-old" which announce the arrival and
532: removal of entries in the ARP or neighbour tables.
533:
534: Extend --add-mac to allow a new encoding of the MAC address
535: as base64, by configuring --add-mac=base64
536:
537: Add --add-cpe-id option.
538:
539: Don't crash with divide-by-zero if an IPv6 dhcp-range
540: is declared as a whole /64.
541: (ie xx::0 to xx::ffff:ffff:ffff:ffff)
542: Thanks to Laurent Bendel for spotting this problem.
543:
544: Add support for a TTL parameter in --host-record and
545: --cname.
546:
547: Add --dhcp-ttl option.
548:
549: Add --tftp-mtu option. Thanks to Patrick McLean for the
550: initial patch.
551:
552: Check return-code of inet_pton() when parsing dhcp-option.
553: Bad addresses could fail to generate errors and result in
554: garbage dhcp-options being sent. Thanks to Marc Branchaud
555: for spotting this.
556:
557: Fix wrong value for EDNS UDP packet size when using
558: --servers-file to define upstream DNS servers. Thanks to
559: Scott Bonar for the bug report.
560:
561: Move the dhcp_release and dhcp_lease_time tools from
562: contrib/wrt to contrib/lease-tools.
563:
564: Add dhcp_release6 to contrib/lease-tools. Many thanks
565: to Sergey Nechaev for this code.
566:
567: To avoid filling logs in configurations which define
568: many upstream nameservers, don't log more that 30 servers.
569: The number to be logged can be changed as SERVERS_LOGGED
570: in src/config.h.
571:
572: Swap the values if BC_EFI and x86-64_EFI in --pxe-service.
573: These were previously wrong due to an error in RFC 4578.
574: If you're using BC_EFI to boot 64-bit EFI machines, you
575: will need to update your config.
576:
577: Add ARM32_EFI and ARM64_EFI as valid architectures in
578: --pxe-service.
579:
580: Fix PXE booting for UEFI architectures. Modify PXE boot
581: sequence in this case to force the client to talk to dnsmasq
582: over port 4011. This makes PXE and especially proxy-DHCP PXE
583: work with these architectures.
584:
585: Workaround problems with UEFI PXE clients. There exist
586: in the wild PXE clients which have problems with PXE
587: boot menus. To work around this, when there's a single
588: --pxe-service which applies to client, then that target
589: will be booted directly, rather then sending a
590: single-item boot menu.
591:
592: Many thanks to Jarek Polok, Michael Kuron and Dreamcat4
593: for their work on the long-standing UEFI PXE problem.
594:
595: Subtle change in the semantics of "basename" in
596: --pxe-service. The historical behaviour has always been
597: that the actual filename downloaded from the TFTP server
598: is <basename>.<layer> where <layer> is an integer which
599: corresponds to the layer parameter supplied by the client.
600: It's not clear what the function of the "layer"
601: actually is in the PXE protocol, and in practise layer
602: is always zero, so the filename is <basename>.0
603: The new behaviour is the same as the old, except when
604: <basename> includes a file suffix, in which case
605: the layer suffix is no longer added. This allows
606: sensible suffices to be used, rather then the
607: meaningless ".0". Only in the unlikely event that you
608: have a config with a basename which already has a
609: suffix, is this an incompatible change, since the file
610: downloaded will change from name.suffix.0 to just
611: name.suffix
612:
613:
614: version 2.75
615: Fix reversion on 2.74 which caused 100% CPU use when a
616: dhcp-script is configured. Thanks to Adrian Davey for
617: reporting the bug and testing the fix.
618:
619:
620: version 2.74
621: Fix reversion in 2.73 where --conf-file would attempt to
622: read the default file, rather than no file.
623:
624: Fix inotify code to handle dangling symlinks better and
625: not SEGV in some circumstances.
626:
627: DNSSEC fix. In the case of a signed CNAME generated by a
628: wildcard which pointed to an unsigned domain, the wrong
629: status would be logged, and some necessary checks omitted.
630:
631:
632: version 2.73
633: Fix crash at startup when an empty suffix is supplied to
634: --conf-dir, also trivial memory leak. Thanks to
635: Tomas Hozza for spotting this.
636:
637: Remove floor of 4096 on advertised EDNS0 packet size when
638: DNSSEC in use, the original rationale for this has long gone.
639: Thanks to Anders Kaseorg for spotting this.
640:
641: Use inotify for checking on updates to /etc/resolv.conf and
642: friends under Linux. This fixes race conditions when the files are
643: updated rapidly and saves CPU by noy polling. To build
644: a binary that runs on old Linux kernels without inotify,
645: use make COPTS=-DNO_INOTIFY
646:
647: Fix breakage of --domain=<domain>,<subnet>,local - only reverse
648: queries were intercepted. THis appears to have been broken
649: since 2.69. Thanks to Josh Stone for finding the bug.
650:
651: Eliminate IPv6 privacy addresses and deprecated addresses from
652: the answers given by --interface-name. Note that reverse queries
653: (ie looking for names, given addresses) are not affected.
654: Thanks to Michael Gorbach for the suggestion.
655:
656: Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
657: for the bug report.
658:
659: Add --ignore-address option. Ignore replies to A-record
660: queries which include the specified address. No error is
661: generated, dnsmasq simply continues to listen for another
662: reply. This is useful to defeat blocking strategies which
663: rely on quickly supplying a forged answer to a DNS
664: request for certain domains, before the correct answer can
665: arrive. Thanks to Glen Huang for the patch.
666:
667: Revisit the part of DNSSEC validation which determines if an
668: unsigned answer is legit, or is in some part of the DNS
669: tree which should be signed. Dnsmasq now works from the
670: DNS root downward looking for the limit of signed
671: delegations, rather than working bottom up. This is
672: both more correct, and less likely to trip over broken
673: nameservers in the unsigned parts of the DNS tree
674: which don't respond well to DNSSEC queries.
675:
676: Add --log-queries=extra option, which makes logs easier
677: to search automatically.
678:
679: Add --min-cache-ttl option. I've resisted this for a long
680: time, on the grounds that disbelieving TTLs is never a
681: good idea, but I've been persuaded that there are
682: sometimes reasons to do it. (Step forward, GFW).
683: To avoid misuse, there's a hard limit on the TTL
684: floor of one hour. Thanks to RinSatsuki for the patch.
685:
686: Cope with multiple interfaces with the same link-local
687: address. (IPv6 addresses are scoped, so this is allowed.)
688: Thanks to Cory Benfield for help with this.
689:
690: Add --dhcp-hostsdir. This allows addition of new host
691: configurations to a running dnsmasq instance much more
692: cheaply than having dnsmasq re-read all its existing
693: configuration each time.
694:
695: Don't reply to DHCPv6 SOLICIT messages if we're not
696: configured to do stateful DHCPv6. Thanks to Win King Wan
697: for the patch.
698:
699: Fix broken DNSSEC validation of ECDSA signatures.
700:
701: Add --dnssec-timestamp option, which provides an automatic
702: way to detect when the system time becomes valid after
703: boot on systems without an RTC, whilst allowing DNS
704: queries before the clock is valid so that NTP can run.
705: Thanks to Kevin Darbyshire-Bryant for developing this idea.
706:
707: Add --tftp-no-fail option. Thanks to Stefan Tomanek for
708: the patch.
709:
710: Fix crash caused by looking up servers.bind, CHAOS text
711: record, when more than about five --servers= lines are
712: in the dnsmasq config. This causes memory corruption
713: which causes a crash later. Thanks to Matt Coddington for
714: sterling work chasing this down.
715:
716: Fix crash on receipt of certain malformed DNS requests.
717: Thanks to Nick Sampanis for spotting the problem.
718: Note that this is could allow the dnsmasq process's
719: memory to be read by an attacker under certain
720: circumstances, so it has a CVE, CVE-2015-3294
721:
722: Fix crash in authoritative DNS code, if a .arpa zone
723: is declared as authoritative, and then a PTR query which
724: is not to be treated as authoritative arrived. Normally,
725: directly declaring .arpa zone as authoritative is not
726: done, so this crash wouldn't be seen. Instead the
727: relevant .arpa zone should be specified as a subnet
728: in the auth-zone declaration. Thanks to Johnny S. Lee
729: for the bugreport and initial patch.
730:
731: Fix authoritative DNS code to correctly reply to NS
732: and SOA queries for .arpa zones for which we are
733: declared authoritative by means of a subnet in auth-zone.
734: Previously we provided correct answers to PTR queries
735: in such zones (including NS and SOA) but not direct
736: NS and SOA queries. Thanks to Johnny S. Lee for
737: pointing out the problem.
738:
739: Fix logging of DHCPREPLY which should be suppressed
740: by quiet-dhcp6. Thanks to J. Pablo Abonia for
741: spotting the problem.
742:
743: Try and handle net connections with broken fragmentation
744: that lose large UDP packets. If a server times out,
745: reduce the maximum UDP packet size field in the EDNS0
746: header to 1280 bytes. If it then answers, make that
747: change permanent.
748:
749: Check IPv4-mapped IPv6 addresses when --stop-rebind
750: is active. Thanks to Jordan Milne for spotting this.
751:
752: Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
753: Thanks to Kevin Benton for patches and work on this.
754:
755: Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
756: in the correct subnet, even of not in dynamic address
757: allocation range. Thanks to Steve Hirsch for spotting
758: the problem.
759:
760: Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
761: to Nicolas Cavallari for the patch.
762:
763: Allow configuration of router advertisements without the
764: "on-link" bit set. Thanks to Neil Jerram for the patch.
765:
766: Extend --bridge-interface to DHCPv6 and router
767: advertisements. Thanks to Neil Jerram for the patch.
768:
769:
770: version 2.72
771: Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
772:
773: Add support for "ipsets" in *BSD, using pf. Thanks to
774: Sven Falempin for the patch.
775:
776: Fix race condition which could lock up dnsmasq when an
777: interface goes down and up rapidly. Thanks to Conrad
778: Kostecki for helping to chase this down.
779:
780: Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
781: Thanks to the Smoothwall project for the patch.
782:
783: Fix failure to build against Nettle-3.0. Thanks to Steven
784: Barth for spotting this and finding the fix.
785:
786: When assigning existing DHCP leases to interfaces by comparing
787: networks, handle the case that two or more interfaces have the
788: same network part, but different prefix lengths (favour the
789: longer prefix length.) Thanks to Lung-Pin Chang for the
790: patch.
791:
792: Add a mode which detects and removes DNS forwarding loops, ie
793: a query sent to an upstream server returns as a new query to
794: dnsmasq, and would therefore be forwarded again, resulting in
795: a query which loops many times before being dropped. Upstream
796: servers which loop back are disabled and this event is logged.
797: Thanks to Smoothwall for their sponsorship of this feature.
798:
799: Extend --conf-dir to allow filtering of files. So
800: --conf-dir=/etc/dnsmasq.d,\*.conf
801: will load all the files in /etc/dnsmasq.d which end in .conf
802:
803: Fix bug when resulted in NXDOMAIN answers instead of NODATA in
804: some circumstances.
805:
806: Fix bug which caused dnsmasq to become unresponsive if it
807: failed to send packets due to a network interface disappearing.
808: Thanks to Niels Peen for spotting this.
809:
810: Fix problem with --local-service option on big-endian platforms
811: Thanks to Richard Genoud for the patch.
812:
813:
814: version 2.71
815: Subtle change to error handling to help DNSSEC validation
816: when servers fail to provide NODATA answers for
817: non-existent DS records.
818:
819: Tweak code which removes DNSSEC records from answers when
820: not required. Fixes broken answers when additional section
821: has real records in it. Thanks to Marco Davids for the bug
822: report.
823:
824: Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
825: for spotting that too.
826:
827: Fix total DNS failure and 100% CPU use if cachesize set to zero,
828: regression introduced in 2.69. Thanks to James Hunt and
829: the Ubuntu crowd for assistance in fixing this.
830:
831:
832: version 2.70
833: Fix crash, introduced in 2.69, on TCP request when dnsmasq
834: compiled with DNSSEC support, but running without DNSSEC
835: enabled. Thanks to Manish Sing for spotting that one.
836:
837: Fix regression which broke ipset functionality. Thanks to
838: Wang Jian for the bug report.
839:
840:
841: version 2.69
842: Implement dynamic interface discovery on *BSD. This allows
843: the constructor: syntax to be used in dhcp-range for DHCPv6
844: on the BSD platform. Thanks to Matthias Andree for
845: valuable research on how to implement this.
846:
847: Fix infinite loop associated with some --bogus-nxdomain
848: configs. Thanks fogobogo for the bug report.
849:
850: Fix missing RA RDNS option with configuration like
851: --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
852: for spotting the problem.
853:
854: Add [fd00::] and [fe80::] as special addresses in DHCPv6
855: options, analogous to [::]. [fd00::] is replaced with the
856: actual ULA of the interface on the machine running
857: dnsmasq, [fe80::] with the link-local address.
858: Thanks to Tsachi Kimeldorfer for championing this.
859:
860: DNSSEC validation and caching. Dnsmasq needs to be
861: compiled with this enabled, with
862:
863: make dnsmasq COPTS=-DHAVE_DNSSEC
864:
865: this adds dependencies on the nettle crypto library and the
866: gmp maths library. It's possible to have these linked
867: statically with
868:
869: make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
870:
871: which bloats the dnsmasq binary, but saves the size of
872: the shared libraries which are much bigger.
873:
874: To enable, DNSSEC, you will need a set of
875: trust-anchors. Now that the TLDs are signed, this can be
876: the keys for the root zone, and for convenience they are
877: included in trust-anchors.conf in the dnsmasq
878: distribution. You should of course check that these are
879: legitimate and up-to-date. So, adding
880:
881: conf-file=/path/to/trust-anchors.conf
882: dnssec
883:
884: to your config is all that's needed to get things
885: working. The upstream nameservers have to be DNSSEC-capable
886: too, of course. Many ISP nameservers aren't, but the
887: Google public nameservers (8.8.8.8 and 8.8.4.4) are.
888: When DNSSEC is configured, dnsmasq validates any queries
889: for domains which are signed. Query results which are
890: bogus are replaced with SERVFAIL replies, and results
891: which are correctly signed have the AD bit set. In
892: addition, and just as importantly, dnsmasq supplies
893: correct DNSSEC information to clients which are doing
894: their own validation, and caches DNSKEY, DS and RRSIG
895: records, which significantly improve the performance of
896: downstream validators. Setting --log-queries will show
897: DNSSEC in action.
898:
899: If a domain is returned from an upstream nameserver without
900: DNSSEC signature, dnsmasq by default trusts this. This
901: means that for unsigned zone (still the majority) there
902: is effectively no cost for having DNSSEC enabled. Of course
903: this allows an attacker to replace a signed record with a
904: false unsigned record. This is addressed by the
905: --dnssec-check-unsigned flag, which instructs dnsmasq
906: to prove that an unsigned record is legitimate, by finding
907: a secure proof that the zone containing the record is not
908: signed. Doing this has costs (typically one or two extra
909: upstream queries). It also has a nasty failure mode if
910: dnsmasq's upstream nameservers are not DNSSEC capable.
911: Without --dnssec-check-unsigned using such an upstream
912: server will simply result in not queries being validated;
913: with --dnssec-check-unsigned enabled and a
914: DNSSEC-ignorant upstream server, _all_ queries will fail.
915:
916: Note that DNSSEC requires that the local time is valid and
917: accurate, if not then DNSSEC validation will fail. NTP
918: should be running. This presents a problem for routers
919: without a battery-backed clock. To set the time needs NTP
920: to do DNS lookups, but lookups will fail until NTP has run.
921: To address this, there's a flag, --dnssec-no-timecheck
922: which disables the time checks (only) in DNSSEC. When dnsmasq
923: is started and the clock is not synced, this flag should
924: be used. As soon as the clock is synced, SIGHUP dnsmasq.
925: The SIGHUP clears the cache of partially-validated data and
926: resets the no-timecheck flag, so that all DNSSEC checks
927: henceforward will be complete.
928:
929: The development of DNSSEC in dnsmasq was started by
930: Giovanni Bajo, to whom huge thanks are owed. It has been
931: supported by Comcast, whose techfund grant has allowed for
932: an invaluable period of full-time work to get it to
933: a workable state.
934:
935: Add --rev-server. Thanks to Dave Taht for suggesting this.
936:
937: Add --servers-file. Allows dynamic update of upstream servers
938: full access to configuration.
939:
940: Add --local-service. Accept DNS queries only from hosts
941: whose address is on a local subnet, ie a subnet for which
942: an interface exists on the server. This option
943: only has effect if there are no --interface --except-interface,
944: --listen-address or --auth-server options. It is intended
945: to be set as a default on installation, to allow
946: unconfigured installations to be useful but also safe from
947: being used for DNS amplification attacks.
948:
949: Fix crashes in cache_get_cname_target() when dangling CNAMEs
950: encountered. Thanks to Andy and the rt-n56u project for
951: find this and helping to chase it down.
952:
953: Fix wrong RCODE in authoritative DNS replies to PTR queries. The
954: correct answer was included, but the RCODE was set to NXDOMAIN.
955: Thanks to Craig McQueen for spotting this.
956:
957: Make statistics available as DNS queries in the .bind TLD as
958: well as logging them.
959:
960:
961: version 2.68
962: Use random addresses for DHCPv6 temporary address
963: allocations, instead of algorithmically determined stable
964: addresses.
965:
966: Fix bug which meant that the DHCPv6 DUID was not available
967: in DHCP script runs during the lifetime of the dnsmasq
968: process which created the DUID de-novo. Once the DUID was
969: created and stored in the lease file and dnsmasq
970: restarted, this bug disappeared.
971:
972: Fix bug introduced in 2.67 which could result in erroneous
973: NXDOMAIN returns to CNAME queries.
974:
975: Fix build failures on MacOS X and openBSD.
976:
977: Allow subnet specifications in --auth-zone to be interface
978: names as well as address literals. This makes it possible
979: to configure authoritative DNS when local address ranges
980: are dynamic and works much better than the previous
981: work-around which exempted constructed DHCP ranges from the
982: IP address filtering. As a consequence, that work-around
983: is removed. Under certain circumstances, this change wil
984: break existing configuration: if you're relying on the
985: constructed-range exception, you need to change --auth-zone
986: to specify the same interface as is used to construct your
987: DHCP ranges, probably with a trailing "/6" like this:
988: --auth-zone=example.com,eth0/6 to limit the addresses to
989: IPv6 addresses of eth0.
990:
991: Fix problems when advertising deleted IPv6 prefixes. If
992: the prefix is deleted (rather than replaced), it doesn't
993: get advertised with zero preferred time. Thanks to Tsachi
994: for the bug report.
995:
996: Fix segfault with some locally configured CNAMEs. Thanks
997: to Andrew Childs for spotting the problem.
998:
999: Fix memory leak on re-reading /etc/hosts and friends,
1000: introduced in 2.67.
1001:
1002: Check the arrival interface of incoming DNS and TFTP
1003: requests via IPv6, even in --bind-interfaces mode. This
1004: isn't possible for IPv4 and can generate scary warnings,
1005: but as it's always possible for IPv6 (the API always
1006: exists) then we should do it always.
1007:
1008: Tweak the rules on prefix-lengths in --dhcp-range for
1009: IPv6. The new rule is that the specified prefix length
1010: must be larger than or equal to the prefix length of the
1011: corresponding address on the local interface.
1012:
1013:
1014: version 2.67
1015: Fix crash if upstream server returns SERVFAIL when
1016: --conntrack in use. Thanks to Giacomo Tazzari for finding
1017: this and supplying the patch.
1018:
1019: Repair regression in 2.64. That release stopped sending
1020: lease-time information in the reply to DHCPINFORM
1021: requests, on the correct grounds that it was a standards
1022: violation. However, this broke the dnsmasq-specific
1023: dhcp_lease_time utility. Now, DHCPINFORM returns
1024: lease-time only if it's specifically requested
1025: (maintaining standards) and the dhcp_lease_time utility
1026: has been taught to ask for it (restoring functionality).
1027:
1028: Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass
1029: to work with BOOTP and well as DHCP. Thanks to Peter
1030: Korsgaard for spotting the problem.
1031:
1032: Add --synth-domain. Thanks to Vishvananda Ishaya for
1033: suggesting this.
1034:
1035: Fix failure to compile ipset.c if old kernel headers are
1036: in use. Thanks to Eugene Rudoy for pointing this out.
1037:
1038: Handle IPv4 interface-address labels in Linux. These are
1039: often used to emulate the old IP-alias addresses. Before,
1040: using --interface=eth0 would service all the addresses of
1041: eth0, including ones configured as aliases, which appear
1042: in ifconfig as eth0:0. Now, only addresses with the label
1043: eth0 are active. This is not backwards compatible: if you
1044: want to continue to bind the aliases too, you need to add
1045: eg. --interface=eth0:0 to the config.
1046:
1047: Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket
1048: operation on non-socket" error on startup with
1049: configurations which have exactly one --interface option
1050: and do RA but _not_ DHCPv6. Thanks to Trever Adams for the
1051: bug report.
1052:
1053: Generalise --interface-name to cope with IPv6 addresses
1054: and multiple addresses per interface per address family.
1055:
1056: Fix option parsing for --dhcp-host, which was generating a
1057: spurious error when all seven possible items were
1058: included. Thanks to Zhiqiang Wang for the bug report.
1059:
1060: Remove restriction on prefix-length in --auth-zone. Thanks
1061: to Toke Hoiland-Jorgensen for suggesting this.
1062:
1063: Log when the maximum number of concurrent DNS queries is
1064: reached. Thanks to Marcelo Salhab Brogliato for the patch.
1065:
1066: If wildcards are used in --interface, don't assume that
1067: there will only ever be one available interface for DHCP
1068: just because there is one at start-up. More may appear, so
1069: we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
1070: report.
1071:
1072: Increase timeout/number of retries in TFTP to accommodate
1073: AudioCodes Voice Gateways doing streaming writes to flash.
1074: Thanks to Damian Kaczkowski for spotting the problem.
1075:
1076: Fix crash with empty DHCP string options when adding zero
1077: terminator. Thanks to Patrick McLean for the bug report.
1078:
1079: Allow hostnames to start with a number, as allowed in
1080: RFC-1123. Thanks to Kyle Mestery for the patch.
1081:
1082: Fixes to DHCP FQDN option handling: don't terminate FQDN
1083: if domain not known and allow a FQDN option with blank
1084: name to request that a FQDN option is returned in the
1085: reply. Thanks to Roy Marples for the patch.
1086:
1087: Make --clear-on-reload apply to setting upstream servers
1088: via DBus too.
1089:
1090: When the address which triggered the construction of an
1091: advertised IPv6 prefix disappears, continue to advertise
1092: the prefix for up to 2 hours, with the preferred lifetime
1093: set to zero. This satisfies RFC 6204 4.3 L-13 and makes
1094: things work better if a prefix disappears without being
1095: deprecated first. Thanks to Uwe Schindler for persuasively
1096: arguing for this.
1097:
1098: Fix MAC address enumeration on *BSD. Thanks to Brad Smith
1099: for the bug report.
1100:
1101: Support RFC-4242 information-refresh-time options in the
1102: reply to DHCPv6 information-request. The lease time of the
1103: smallest valid dhcp-range is sent. Thanks to Uwe Schindler
1104: for suggesting this.
1105:
1106: Make --listen-address higher priority than --except-interface
1107: in all circumstances. Thanks to Thomas Hood for the bugreport.
1108:
1109: Provide independent control over which interfaces get TFTP
1110: service. If enable-tftp is given a list of interfaces, then TFTP
1111: is provided on those. Without the list, the previous behaviour
1112: (provide TFTP to the same interfaces we provide DHCP to)
1113: is retained. Thanks to Lonnie Abelbeck for the suggestion.
1114:
1115: Add --dhcp-relay config option. Many thanks to vtsl.net
1116: for sponsoring this development.
1117:
1118: Fix crash with empty tag: in --dhcp-range. Thanks to
1119: Kaspar Schleiser for the bug report.
1120:
1121: Add "baseline" and "bloatcheck" makefile targets, for
1122: revealing size changes during development. Thanks to
1123: Vladislav Grishenko for the patch.
1124:
1125: Cope with DHCPv6 clients which send REQUESTs without
1126: address options - treat them as SOLICIT with rapid commit.
1127:
1128: Support identification of clients by MAC address in
1129: DHCPv6. When using a relay, the relay must support RFC
1130: 6939 for this to work. It always works for directly
1131: connected clients. Thanks to Vladislav Grishenko
1132: for prompting this feature.
1133:
1134: Remove the rule for constructed DHCP ranges that the local
1135: address must be either the first or last address in the
1136: range. This was originally to avoid SLAAC addresses, but
1137: we now explicitly autoconfig and privacy addresses instead.
1138:
1139: Update Polish translation. Thanks to Jan Psota.
1140:
1141: Fix problem in DHCPv6 vendorclass/userclass matching
1142: code. Thanks to Tanguy Bouzeloc for the patch.
1143:
1144: Update Spanish translation. Thanks to Vicente Soriano.
1145:
1146: Add --ra-param option. Thanks to Vladislav Grishenko for
1147: inspiration on this.
1148:
1149: Add --add-subnet configuration, to tell upstream DNS
1150: servers where the original client is. Thanks to DNSthingy
1151: for sponsoring this feature.
1152:
1153: Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
1154: Kevin Darbyshire-Bryant for the initial patch.
1155:
1156: Allow A/AAAA records created by --interface-name to be the
1157: target of --cname. Thanks to Hadmut Danisch for the
1158: suggestion.
1159:
1160: Avoid treating a --dhcp-host which has an IPv6 address
1161: as eligible for use with DHCPv4 on the grounds that it has
1162: no address, and vice-versa. Thanks to Yury Konovalov for
1163: spotting the problem.
1164:
1165: Do a better job caching dangling CNAMEs. Thanks to Yves
1166: Dorfsman for spotting the problem.
1167:
1168:
1169: version 2.66
1170: Add the ability to act as an authoritative DNS
1171: server. Dnsmasq can now answer queries from the wider 'net
1172: with local data, as long as the correct NS records are set
1173: up. Only local data is provided, to avoid creating an open
1174: DNS relay. Zone transfer is supported, to allow secondary
1175: servers to be configured.
1176:
1177: Add "constructed DHCP ranges" for DHCPv6. This is intended
1178: for IPv6 routers which get prefixes dynamically via prefix
1179: delegation. With suitable configuration, stateful DHCPv6
1180: and RA can happen automatically as prefixes are delegated
1181: and then deprecated, without having to re-write the
1182: dnsmasq configuration file or restart the daemon. Thanks to
1183: Steven Barth for extensive testing and development work on
1184: this idea.
1185:
1186: Fix crash on startup on Solaris 11. Regression probably
1187: introduced in 2.61. Thanks to Geoff Johnstone for the
1188: patch.
1189:
1190: Add code to make behaviour for TCP DNS requests that same
1191: as for UDP requests, when a request arrives for an allowed
1192: address, but via a banned interface. This change is only
1193: active on Linux, since the relevant API is missing (AFAIK)
1194: on other platforms. Many thanks to Tomas Hozza for
1195: spotting the problem, and doing invaluable discovery of
1196: the obscure and undocumented API required for the solution.
1197:
1198: Don't send the default DHCP option advertising dnsmasq as
1199: the local DNS server if dnsmasq is configured to not act
1200: as DNS server, or it's configured to a non-standard port.
1201:
1202: Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID,
1203: DNSMASQ_REMOTE_ID variables to the environment of the
1204: lease-change script (and the corresponding Lua). These hold
1205: information inserted into the DHCP request by a DHCP relay
1206: agent. Thanks to Lakefield Communications for providing a
1207: bounty for this addition.
1208:
1209: Fixed crash, introduced in 2.64, whilst handling DHCPv6
1210: information-requests with some common configurations.
1211: Thanks to Robert M. Albrecht for the bug report and
1212: chasing the problem.
1213:
1214: Add --ipset option. Thanks to Jason A. Donenfeld for the
1215: patch.
1216:
1217: Don't erroneously reject some option names in --dhcp-match
1218: options. Thanks to Benedikt Hochstrasser for the bug report.
1219:
1220: Allow a trailing '*' wildcard in all interface-name
1221: configurations. Thanks to Christian Parpart for the patch.
1222:
1223: Handle the situation where libc headers define
1224: SO_REUSEPORT, but the kernel in use doesn't, to cope with
1225: the introduction of this option to Linux. Thanks to Rich
1226: Felker for the bug report.
1227:
1228: Update Polish translation. Thanks to Jan Psota.
1229:
1230: Fix crash if the configured DHCP lease limit is
1231: reached. Regression occurred in 2.61. Thanks to Tsachi for
1232: the bug report.
1233:
1234: Update the French translation. Thanks to Gildas le Nadan.
1235:
1236:
1237: version 2.65
1238: Fix regression which broke forwarding of queries sent via
1239: TCP which are not for A and AAAA and which were directed to
1240: non-default servers. Thanks to Niax for the bug report.
1241:
1242: Fix failure to build with DHCP support excluded. Thanks to
1243: Gustavo Zacarias for the patch.
1244:
1245: Fix nasty regression in 2.64 which completely broke caching.
1246:
1247:
1248: version 2.64
1249: Handle DHCP FQDN options with all flag bits zero and
1250: --dhcp-client-update set. Thanks to Bernd Krumbroeck for
1251: spotting the problem.
1252:
1253: Finesse the check for /etc/hosts names which conflict with
1254: DHCP names. Previously a name/address pair in /etc/hosts
1255: which didn't match the name/address of a DHCP lease would
1256: generate a warning. Now that only happens if there is not
1257: also a match. This allows multiple addresses for a name in
1258: /etc/hosts with one of them assigned via DHCP.
1259:
1260: Fix broken vendor-option processing for BOOTP. Thanks to
1261: Hans-Joachim Baader for the bug report.
1262:
1263: Don't report spurious netlink errors, regression in
1264: 2.63. Thanks to Vladislav Grishenko for the patch.
1265:
1266: Flag DHCP or DHCPv6 in startup logging. Thanks to
1267: Vladislav Grishenko for the patch.
1268:
1269: Add SetServersEx method in DBus interface. Thanks to Dan
1270: Williams for the patch.
1271:
1272: Add SetDomainServers method in DBus interface. Thanks to
1273: Roy Marples for the patch.
1274:
1275: Fix build with later Lua libraries. Thanks to Cristian
1276: Rodriguez for the patch.
1277:
1278: Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker
1279: for the patch.
1280:
1281: Fix breakage of --host-record parsing, resulting in
1282: infinite loop at startup. Regression in 2.63. Thanks to
1283: Haim Gelfenbeyn for spotting this.
1284:
1285: Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6
1286: socket, this allows multiple instances of dnsmasq on a
1287: single machine, in the same way as for DHCPv4. Thanks to
1288: Gene Czarcinski and Vladislav Grishenko for work on this.
1289:
1290: Fix DHCPv6 to do access control correctly when it's
1291: configured with --listen-address. Thanks to
1292: Gene Czarcinski for sorting this out.
1293:
1294: Add a "wildcard" dhcp-range which works for any IPv6
1295: subnet, --dhcp-range=::,static Useful for Stateless
1296: DHCPv6. Thanks to Vladislav Grishenko for the patch.
1297:
1298: Don't include lease-time in DHCPACK replies to DHCPINFORM
1299: queries, since RFC-2131 says we shouldn't. Thanks to
1300: Wouter Ibens for pointing this out.
1301:
1302: Makefile tweak to do dependency checking on header files.
1303: Thanks to Johan Peeters for the patch.
1304:
1305: Check interface for outgoing unsolicited router
1306: advertisements, rather than relying on interface address
1307: configuration. Thanks to Gene Czarinski for the patch.
1308:
1309: Handle better attempts to transmit on interfaces which are
1310: still doing DAD, and specifically do not just transmit
1311: without setting source address and interface, since this
1312: can cause very puzzling effects when a router
1313: advertisement goes astray. Thanks again to Gene Czarinski.
1314:
1315: Get RA timers right when there is more than one
1316: dhcp-range on a subnet.
1317:
1318:
1319: version 2.63
1320: Do duplicate dhcp-host address check in --test mode.
1321:
1322: Check that tftp-root directories are accessible before
1323: start-up. Thanks to Daniel Veillard for the initial patch.
1324:
1325: Allow more than one --tfp-root flag. The per-interface
1326: stuff is pointless without that.
1327:
1328: Add --bind-dynamic. A hybrid mode between the default and
1329: --bind-interfaces which copes with dynamically created
1330: interfaces.
1331:
1332: A couple of fixes to the build system for Android. Thanks
1333: to Metin Kaya for the patches.
1334:
1335: Remove the interface:<interface> argument in --dhcp-range, and
1336: the interface argument to --enable-tftp. These were a
1337: still-born attempt to allow automatic isolated
1338: configuration by libvirt, but have never (to my knowledge)
1339: been used, had very strange semantics, and have been
1340: superseded by other mechanisms.
1341:
1342: Fixed bug logging filenames when duplicate dhcp-host
1343: addresses are found. Thanks to John Hanks for the patch.
1344:
1345: Fix regression in 2.61 which broke caching of CNAME
1346: chains. Thanks to Atul Gupta for the bug report.
1347:
1348: Allow the target of a --cname flag to be another --cname.
1349:
1350: Teach DHCPv6 about the RFC 4242 information-refresh-time
1351: option, and add parsing if the minutes, hours and days
1352: format for options. Thanks to Francois-Xavier Le Bail for
1353: the suggestion.
1354:
1355: Allow "w" (for week) as multiplier in lease times, as well
1356: as seconds, minutes, hours and days. Álvaro Gámez Machado
1357: spotted the omission.
1358:
1359: Update French translation. Thanks to Gildas Le Nadan.
1360:
1361: Allow a DBus service name to be given with --enable-dbus
1362: which overrides the default,
1363: uk.org.thekelleys.dnsmasq. Thanks to Mathieu
1364: Trudel-Lapierre for the patch.
1365:
1366: Set the "prefix on-link" bit in Router
1367: Advertisements. Thanks to Gui Iribarren for the patch.
1368:
1369:
1370: version 2.62
1371: Update German translation. Thanks to Conrad Kostecki.
1372:
1373: Cope with router-solict packets which don't have a valid
1374: source address. Thanks to Vladislav Grishenko for the patch.
1375:
1376: Fixed bug which caused missing periodic router
1377: advertisements with some configurations. Thanks to
1378: Vladislav Grishenko for the patch.
1379:
1380: Fixed bug which broke DHCPv6/RA with prefix lengths
1381: which are not divisible by 8. Thanks to Andre Coetzee
1382: for spotting this.
1383:
1384: Fix non-response to router-solicitations when
1385: router-advertisement configured, but DHCPv6 not
1386: configured. Thanks to Marien Zwart for the patch.
1387:
1388: Add --dns-rr, to allow arbitrary DNS resource records.
1389:
1390: Fixed bug which broke RA scheduling when an interface had
1391: two addresses in the same network. Thanks to Jim Bos for
1392: his help nailing this.
1393:
1394: version 2.61
1395: Re-write interface discovery code on *BSD to use
1396: getifaddrs. This is more portable, more straightforward,
1397: and allows us to find the prefix length for IPv6
1398: addresses.
1399:
1400: Add ra-names, ra-stateless and slaac keywords for DHCPv6.
1401: Dnsmasq can now synthesise AAAA records for dual-stack
1402: hosts which get IPv6 addresses via SLAAC. It is also now
1403: possible to use SLAAC and stateless DHCPv6, and to
1404: tell clients to use SLAAC addresses as well as DHCP ones.
1405: Thanks to Dave Taht for help with this.
1406:
1407: Add --dhcp-duid to allow DUID-EN uids to be used.
1408:
1409: Explicitly send DHCPv6 replies to the correct port, instead
1410: of relying on clients to send requests with the correct
1411: source address, since at least one client in the wild gets
1412: this wrong. Thanks to Conrad Kostecki for help tracking
1413: this down.
1414:
1415: Send a preference value of 255 in DHCPv6 replies when
1416: --dhcp-authoritative is in effect. This tells clients not
1417: to wait around for other DHCP servers.
1418:
1419: Better logging of DHCPv6 options.
1420:
1421: Add --host-record. Thanks to Rob Zwissler for the
1422: suggestion.
1423:
1424: Invoke the DHCP script with action "tftp" when a TFTP file
1425: transfer completes. The size of the file, address to which
1426: it was sent and complete pathname are supplied. Note that
1427: version 2.60 introduced some script incompatibilities
1428: associated with DHCPv6, and this is a further change. To
1429: be safe, scripts should ignore unknown actions, and if
1430: not IPv6-aware, should exit if the environment
1431: variable DNSMASQ_IAID is set. The use-case for this is
1432: to track netboot/install. Suggestion from Shantanu
1433: Gadgil.
1434:
1435: Update contrib/port-forward/dnsmasq-portforward to reflect
1436: the above.
1437:
1438: Set the environment variable DNSMASQ_LOG_DHCP when running
1439: the script id --log-dhcp is in effect, so that script can
1440: taylor their logging verbosity. Suggestion from Malte
1441: Forkel.
1442:
1443: Arrange that addresses specified with --listen-address
1444: work even if there is no interface carrying the
1445: address. This is chiefly useful for IPv4 loopback
1446: addresses, where any address in 127.0.0.0/8 is a valid
1447: loopback address, but normally only 127.0.0.1 appears on
1448: the lo interface. Thanks to Mathieu Trudel-Lapierre for
1449: the idea and initial patch.
1450:
1451: Fix crash, introduced in 2.60, when a DHCPINFORM is
1452: received from a network which has no valid dhcp-range.
1453: Thanks to Stephane Glondu for the bug report.
1454:
1455: Add a new DHCP lease time keyword, "deprecated" for
1456: --dhcp-range. This is only valid for IPv6, and sets the
1457: preferred lease time for both DHCP and RA to zero. The
1458: effect is that clients can continue to use the address
1459: for existing connections, but new connections will use
1460: other addresses, if they exist. This makes hitless
1461: renumbering at least possible.
1462:
1463: Fix bug in address6_available() which caused DHCPv6 lease
1464: acquisition to fail if more than one dhcp-range in use.
1465:
1466: Provide RDNSS and DNSSL data in router advertisements,
1467: using the settings provided for DHCP options
1468: option6:domain-search and option6:dns-server.
1469:
1470: Tweak logo/favicon.ico to add some transparency. Thanks to
1471: SamLT for work on this.
1472:
1473: Don't cache data from non-recursive nameservers, since it
1474: may erroneously look like a valid CNAME to a non-existent
1475: name. Thanks to Ben Winslow for finding this.
1476:
1477: Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP
1478: on exactly one interface and --bind-interfaces is set. This
1479: makes the OpenStack use-case of one dnsmasq per virtual
1480: interface work. This is only available on Linux; it's not
1481: supported on other platforms. Thanks to Vishvananda Ishaya
1482: and the OpenStack team for the suggestion.
1483:
1484: Updated French translation. Thanks to Gildas Le Nadan.
1485:
1486: Give correct from-cache answers to explicit CNAME queries.
1487: Thanks to Rob Zwissler for spotting this.
1488:
1489: Add --tftp-lowercase option. Thanks to Oliver Rath for the
1490: patch.
1491:
1492: Ensure that the DBus DhcpLeaseUpdated events are generated
1493: when a lease goes through INIT_REBOOT state, even if the
1494: dhcp-script is not in use. Thanks to Antoaneta-Ecaterina
1495: Ene for the patch.
1496:
1497: Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks
1498: to Brad Smith for spotting this.
1499:
1500:
1501: version 2.60
1502: Fix compilation problem in Mac OS X Lion. Thanks to Olaf
1503: Flebbe for the patch.
1504:
1505: Fix DHCP when using --listen-address with an IP address
1506: which is not the primary address of an interface.
1507:
1508: Add --dhcp-client-update option.
1509:
1510: Add Lua integration. Dnsmasq can now execute a DHCP
1511: lease-change script written in Lua. This needs to be
1512: enabled at compile time by setting HAVE_LUASCRIPT in
1513: src/config.h or running "make COPTS=-DHAVE_LUASCRIPT"
1514: Thanks to Jan-Piet Mens for the idea and proof-of-concept
1515: implementation.
1516:
1517: Tidied src/config.h to distinguish between
1518: platform-dependent compile-time options which are selected
1519: automatically, and builder-selectable compile time
1520: options. Document the latter better, and describe how to
1521: set them from the make command line.
1522:
1523: Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent)
1524: confusion. IPPROTO_IP works everywhere now.
1525:
1526: Set TOS on DHCP sockets, this improves things on busy
1527: wireless networks. Thanks to Dave Taht for the patch.
1528:
1529: Determine VERSION automatically based on git magic:
1530: release tags or hash values.
1531:
1532: Improve start-up speed when reading large hosts files
1533: containing many distinct addresses.
1534:
1535: Fix problem if dnsmasq is started without the stdin,
1536: stdout and stderr file descriptors open. This can manifest
1537: itself as 100% CPU use. Thanks to Chris Moore for finding
1538: this.
1539:
1540: Fix shell-scripting bug in bld/pkg-wrapper. Thanks to
1541: Mark Mitchell for the patch.
1542:
1543: Allow the TFP server or boot server in --pxe-service, to
1544: be a domain name instead of an IP address. This allows for
1545: round-robin to multiple servers, in the same way as
1546: --dhcp-boot. A good suggestion from Cristiano Cumer.
1547:
1548: Support BUILDDIR variable in the Makefile. Allows builds
1549: for multiple archs from the same source tree with eg.
1550: make BUILDDIR=linux (relative to dnsmasq tree)
1551: make BUILDDIR=/tmp/openbsd (absolute path)
1552: If BUILDDIR is not set, compilation happens in the src
1553: directory, as before. Suggestion from Mark Mitchell.
1554:
1555: Support DHCPv6. Support is there for the sort of things
1556: the existing v4 server does, including tags, options,
1557: static addresses and relay support. Missing is prefix
1558: delegation, which is probably not required in the dnsmasq
1559: niche, and an easy way to accept prefix delegations from
1560: an upstream DHCPv6 server, which is. Future plans include
1561: support for DHCPv6 router option and MAC address option
1562: (to make selecting clients by MAC address work like IPv4).
1563: These will be added as the standards mature.
1564: This code has been tested, but this is the first release,
1565: so don't bet the farm on it just yet. Many thanks to all
1566: testers who have got it this far.
1567:
1568: Support IPv6 router advertisements. This is a
1569: simple-minded implementation, aimed at providing the
1570: vestigial RA needed to go alongside IPv6. Is picks up
1571: configuration from the DHCPv6 conf, and should just need
1572: enabling with --enable-ra.
1573:
1574: Fix long-standing wrinkle with --localise-queries that
1575: could result in wrong answers when DNS packets arrive
1576: via an interface other than the expected one. Thanks to
1577: Lorenzo Milesi and John Hanks for spotting this one.
1578:
1579: Update French translation. Thanks to Gildas Le Nadan.
1580:
1581: Update Polish translation. Thanks to Jan Psota.
1582:
1583:
1584: version 2.59
1585: Fix regression in 2.58 which caused failure to start up
1586: with some combinations of dnsmasq config and IPv6 kernel
1587: network config. Thanks to Brielle Bruns for the bug
1588: report.
1589:
1590: Improve dnsmasq's behaviour when network interfaces are
1591: still doing duplicate address detection (DAD). Previously,
1592: dnsmasq would wait up to 20 seconds at start-up for the
1593: DAD state to terminate. This is broken for bridge
1594: interfaces on recent Linux kernels, which don't start DAD
1595: until the bridge comes up, and so can take arbitrary
1596: time. The new behaviour lets dnsmasq poll for an arbitrary
1597: time whilst providing service on other interfaces. Thanks
1598: to Stephen Hemminger for pointing out the problem.
1599:
1600:
1601: version 2.58
1602: Provide a definition of the SA_SIZE macro where it's
1603: missing. Fixes build failure on openBSD.
1604:
1605: Don't include a zero terminator at the end of messages
1606: sent to /dev/log when /dev/log is a datagram socket.
1607: Thanks to Didier Rabound for spotting the problem.
1608:
1609: Add --dhcp-sequential-ip flag, to force allocation of IP
1610: addresses in ascending order. Note that the default
1611: pseudo-random mode is in general better but some
1612: server-deployment applications need this.
1613:
1614: Fix problem where a server-id of 0.0.0.0 is sent to a
1615: client when a dhcp-relay is in use if a client renews a
1616: lease after dnsmasq restart and before any clients on the
1617: subnet get a new lease. Thanks to Mike Ruiz for assistance
1618: in chasing this one down.
1619:
1620: Don't return NXDOMAIN to an AAAA query if we have CNAME
1621: which points to an A record only: NODATA is the correct
1622: reply in this case. Thanks to Tom Fernandes for spotting
1623: the problem.
1624:
1625: Relax the need to supply a netmask in --dhcp-range for
1626: networks which use a DHCP relay. Whilst this is still
1627: desirable, in the absence of a netmask dnsmasq will use
1628: a default based on the class (A, B, or C) of the address.
1629: This should at least remove a cause of mysterious failure
1630: for people using RFC1918 addresses and relays.
1631:
1632: Add support for Linux conntrack connection marking. If
1633: enabled with --conntrack, the connection mark for incoming
1634: DNS queries will be copied to the outgoing connections
1635: used to answer those queries. This allows clever firewall
1636: and accounting stuff. Only available if dnsmasq is
1637: compiled with HAVE_CONNTRACK and adds a dependency on
1638: libnetfilter-conntrack. Thanks to Ed Wildgoose for the
1639: initial idea, testing and sponsorship of this function.
1640:
1641: Provide a sane error message when someone attempts to
1642: match a tag in --dhcp-host.
1643:
1644: Tweak the behaviour of --domain-needed, to avoid problems
1645: with recursive nameservers downstream of dnsmasq. The new
1646: behaviour only stops A and AAAA queries, and returns
1647: NODATA rather than NXDOMAIN replies.
1648:
1649: Efficiency fix for very large DHCP configurations, thanks
1650: to James Gartrell and Mike Ruiz for help with this.
1651:
1652: Allow the TFTP-server address in --dhcp-boot to be a
1653: domain-name which is looked up in /etc/hosts. This can
1654: give multiple IP addresses which are used round-robin,
1655: thus doing TFTP server load-balancing. Thanks to Sushil
1656: Agrawal for the patch.
1657:
1658: When two tagged dhcp-options for a particular option
1659: number are both valid, use the one which is valid without
1660: a tag from the dhcp-range. Allows overriding of the value
1661: of a DHCP option for a particular host as well as
1662: per-network values. So
1663: --dhcp-range=set:interface1,......
1664: --dhcp-host=set:myhost,.....
1665: --dhcp-option=tag:interface1,option:nis-domain,"domain1"
1666: --dhcp-option=tag:myhost,option:nis-domain,"domain2"
1667: will set the NIS-domain to domain1 for hosts in the range, but
1668: override that to domain2 for a particular host.
1669:
1670: Fix bug which resulted in truncated files and timeouts for
1671: some TFTP transfers. The bug only occurs with netascii
1672: transfers and needs an unfortunate relationship between
1673: file size, blocksize and the number of newlines in the
1674: last block before it manifests itself. Many thanks to
1675: Alkis Georgopoulos for spotting the problem and providing
1676: a comprehensive test-case.
1677:
1678: Fix regression in TFTP server on *BSD platforms introduced
1679: in version 2.56, due to confusion with sockaddr
1680: length. Many thanks to Loic Pefferkorn for finding this.
1681:
1682: Support scope-ids in IPv6 addresses of nameservers from
1683: /etc/resolv.conf and in --server options. Eg
1684: nameserver fe80::202:a412:4512:7bbf%eth0 or
1685: server=fe80::202:a412:4512:7bbf%eth0. Thanks to
1686: Michael Stapelberg for the suggestion.
1687:
1688: Update Polish translation, thanks to Jan Psota.
1689:
1690: Update French translation. Thanks to Gildas Le Nadan.
1691:
1692:
1693: version 2.57
1694: Add patches to allow build under Android.
1695:
1696: Provide our own header for the DNS protocol, rather than
1697: relying on arpa/nameser.h. This has proved more or less
1698: defective over the years and the final straw is that it's
1699: effectively empty on Android.
1700:
1701: Fix regression in 2.56 which caused hex constants in
1702: configuration to be rejected if they contain the '*'
1703: wildcard.
1704:
1705: Correct wrong casts of arguments to ctype.h functions,
1706: isdigit(), isxdigit() etc. Thanks to Matthias Andree for
1707: spotting this.
1708:
1709: Allow build with IDN support independently from i18n.
1710: IDN support continues to be included automatically
1711: when i18n is included.
1712: 'make COPTS=-DHAVE_IDN' is the magic incantation.
1713:
1714: Modify check on extraneous command line junk (added in
1715: 2.56) so that it doesn't complain about extra _empty_
1716: arguments. Otherwise this breaks libvirt.
1717:
1718:
1719: version 2.56
1720: Add a patch to allow dnsmasq to get interface names right in a
1721: Solaris zone. Thanks to Dj Padzensky for this.
1722:
1723: Improve data-type parsing heuristics so that
1724: --dhcp-option=option:domain-search,.
1725: treats the value as a string and not an IP address.
1726: Thanks to Clemens Fischer for spotting that.
1727:
1728: Add IPv6 support to the TFTP server. Many thanks to Jan
1729: 'RedBully' Seiffert for the patches.
1730:
1731: Log DNS queries at level LOG_INFO, rather then
1732: LOG_DEBUG. This makes things consistent with DHCP
1733: logging. Thanks to Adam Pribyl for spotting the problem.
1734:
1735: Ensure that dnsmasq terminates cleanly when using
1736: --syslog-async even if it cannot make a connection to the
1737: syslogd.
1738:
1739: Add --add-mac option. This is to support currently
1740: experimental DNS filtering facilities. Thanks to Benjamin
1741: Petrin for the original patch.
1742:
1743: Fix bug which meant that tags were ignored in dhcp-range
1744: configuration specifying PXE-proxy service. Thanks to
1745: Cristiano Cumer for spotting this.
1746:
1747: Raise an error if there is extra junk, not part of an
1748: option, on the command line.
1749:
1750: Flag a couple of log messages in cache.c as coming from
1751: the DHCP subsystem. Thanks to Olaf Westrik for the patch.
1752:
1753: Omit timestamps from logs when a) logging to stderr and
1754: b) --keep-in-foreground is set. The logging facility on the
1755: other end of stderr can be assumed to supply them. Thanks
1756: to John Hallam for the patch.
1757:
1758: Don't complain about strings longer than 255 characters in
1759: --txt-record, just split the long strings into 255
1760: character chunks instead.
1761:
1762: Fix crash on double-free. This bug can only happen when
1763: dhcp-script is in use and then only in rare circumstances
1764: triggered by high DHCP transaction rate and a slow
1765: script. Thanks to Ferenc Wagner for finding the problem.
1766:
1767: Only log that a file has been sent by TFTP after the
1768: transfer has completed successfully.
1769:
1770: A good suggestion from Ferenc Wagner: extend
1771: the --domain option to allow this sort of thing:
1772: --domain=thekelleys.org.uk,192.168.0.0/24,local
1773: which automatically creates
1774: --local=/thekelleys.org.uk/
1775: --local=/0.168.192.in-addr.arpa/
1776:
1777: Tighten up syntax checking of hex constants in the config
1778: file. Thanks to Fred Damen for spotting this.
1779:
1780: Add dnsmasq logo/icon, contributed by Justin Swift. Many
1781: thanks for that.
1782:
1783: Never cache DNS replies which have the 'cd' bit set, or
1784: which result from queries forwarded with the 'cd' bit
1785: set. The 'cd' bit instructs a DNSSEC validating server
1786: upstream to ignore signature failures and return replies
1787: anyway. Without this change it's possible to pollute the
1788: dnsmasq cache with bad data by making a query with the
1789: 'cd' bit set and subsequent queries would return this data
1790: without its being marked as suspect. Thanks to Anders
1791: Kaseorg for pointing out this problem.
1792:
1793: Add --proxy-dnssec flag, for compliance with RFC
1794: 4035. Dnsmasq will now clear the 'ad' bit in answers returned
1795: from upstream validating nameservers unless this option is
1796: set.
1797:
1798: Allow a filename of "-" for --conf-file to read
1799: stdin. Suggestion from Timothy Redaelli.
1800:
1801: Rotate the order of SRV records in replies, to provide
1802: round-robin load balancing when all the priorities are
1803: equal. Thanks to Peter McKinney for the suggestion.
1804:
1805: Edit
1806: contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist
1807: so that it doesn't log all queries to a file by
1808: default. Thanks again to Peter McKinney.
1809:
1810: By default, setting an IPv4 address for a domain but not
1811: an IPv6 address causes dnsmasq to return
1812: a NODATA reply for IPv6 (or vice-versa). So
1813: --address=/google.com/1.2.3.4 stops IPv6 queries for
1814: *google.com from being forwarded. Make it possible to
1815: override this behaviour by defining the semantics if the
1816: same domain appears in both --server and --address.
1817: In that case, the --address has priority for the address
1818: family in which is appears, but the --server has priority
1819: of the address family which doesn't appear in --address
1820: So:
1821: --address=/google.com/1.2.3.4
1822: --server=/google.com/#
1823: will return 1.2.3.4 for IPv4 queries for *.google.com but
1824: forward IPv6 queries to the normal upstream nameserver.
1825: Similarly when setting an IPv6 address
1826: only this will allow forwarding of IPv4 queries. Thanks to
1827: William for pointing out the need for this.
1828:
1829: Allow more than one --dhcp-optsfile and --dhcp-hostsfile
1830: and make them understand directories as arguments in the
1831: same way as --addn-hosts. Suggestion from John Hanks.
1832:
1833: Ignore rebinding requests for leases we don't know
1834: about. Rebind is broadcast, so we might get to overhear a
1835: request meant for another DHCP server. NAKing this is
1836: wrong. Thanks to Brad D'Hondt for assistance with this.
1837:
1838: Fix cosmetic bug which produced strange output when
1839: dumping cache statistics with some configurations. Thanks
1840: to Fedor Kozhevnikov for spotting this.
1841:
1842:
1843: version 2.55
1844: Fix crash when /etc/ethers is in use. Thanks to
1845: Gianluigi Tiesi for finding this.
1846:
1847: Fix crash in netlink_multicast(). Thanks to Arno Wald for
1848: finding this one.
1849:
1850: Allow the empty domain "." in dhcp domain-search (119)
1851: options.
1852:
1853:
1854: version 2.54
1855: There is no version 2.54 to avoid confusion with 2.53,
1856: which incorrectly identifies itself as 2.54.
1857:
1858:
1859: version 2.53
1860: Fix failure to compile on Debian/kFreeBSD. Thanks to
1861: Axel Beckert and Petr Salinger.
1862:
1863: Fix code to avoid scary strict-aliasing warnings
1864: generated by gcc 4.4.
1865:
1866: Added FAQ entry warning about DHCP failures with Vista
1867: when firewalls block 255.255.255.255.
1868:
1869: Fixed bug which caused bad things to happen if a
1870: resolv.conf file which exists is subsequently removed.
1871: Thanks to Nikolai Saoukh for the patch.
1872:
1873: Rationalised the DHCP tag system. Every configuration item
1874: which can set a tag does so by adding "set:<tag>" and
1875: every configuration item which is conditional on a tag is
1876: made so by "tag:<tag>". The NOT operator changes to '!',
1877: which is a bit more intuitive too. Dhcp-host directives
1878: can set more than one tag now. The old '#' NOT,
1879: "net:" prefix and no-prefixes are still honoured, so
1880: no existing config file needs to be changed, but
1881: the documentation and new-style config files should be
1882: much less confusing.
1883:
1884: Added --tag-if to allow boolean operations on tags.
1885: This allows complicated logic to be clearer and more
1886: general. A great suggestion from Richard Voigt.
1887:
1888: Add broadcast/unicast information to DHCP logging.
1889:
1890: Allow --dhcp-broadcast to be unconditional.
1891:
1892: Fixed incorrect behaviour with NOT <tag> conditionals in
1893: dhcp-options. Thanks to Max Turkewitz for assistance
1894: finding this.
1895:
1896: If we send vendor-class encapsulated options based on the
1897: vendor-class supplied by the client, and no explicit
1898: vendor-class option is given, echo back the vendor-class
1899: from the client.
1900:
1901: Fix bug which stopped dnsmasq from matching both a
1902: circuitid and a remoteid. Thanks to Ignacio Bravo for
1903: finding this.
1904:
1905: Add --dhcp-proxy, which makes it possible to configure
1906: dnsmasq to use a DHCP relay agent as a full proxy, with
1907: all DHCP messages passing through the proxy. This is
1908: useful if the relay adds extra information to the packets
1909: it forwards, but cannot be configured with the RFC 5107
1910: server-override option.
1911:
1912: Added interface:<iface name> part to dhcp-range. The
1913: semantics of this are very odd at first sight, but it
1914: allows a single line of the form
1915: dhcp-range=interface:virt0,192.168.0.4,192.168.0.200
1916: to be added to dnsmasq configuration which then supplies
1917: DHCP and DNS services to that interface, without affecting
1918: what services are supplied to other interfaces and
1919: irrespective of the existence or lack of
1920: interface=<interface>
1921: lines elsewhere in the dnsmasq configuration. The idea is
1922: that such a line can be added automatically by libvirt
1923: or equivalent systems, without disturbing any manual
1924: configuration.
1925:
1926: Similarly to the above, allow --enable-tftp=<interface>
1927:
1928: Allow a TFTP root to be set separately for requests via
1929: different interfaces, --tftp-root=<path>,<interface>
1930:
1931: Correctly handle and log clashes between CNAMES and
1932: DNS names being given to DHCP leases. This fixes a bug
1933: which caused nonsense IP addresses to be logged. Thanks to
1934: Sergei Zhirikov for finding and analysing the problem.
1935:
1936: Tweak flush_log so as to avoid leaving the log
1937: file in non-blocking mode. O_NONBLOCK is a property of the
1938: file, not the process/descriptor.
1939:
1940: Fix contrib/Solaris10/create_package
1941: (/usr/man -> /usr/share/man) Thanks to Vita Batrla.
1942:
1943: Fix a problem where, if a client got a lease, then went
1944: to another subnet and got another lease, then moved back,
1945: it couldn't resume the old lease, but would instead get
1946: a new address. Thanks to Leonardo Rodrigues for spotting
1947: this and testing the fix.
1948:
1949: Fix weird bug which sometimes omitted certain characters
1950: from the start of quoted strings in dhcp-options. Thanks
1951: to Dayton Turner for spotting the problem.
1952:
1953: Add facility to redirect some domains to the standard
1954: upstream servers: this allows something like
1955: --server=/google.com/1.2.3.4 --server=/www.google.com/#
1956: which will send queries for *.google.com to 1.2.3.4,
1957: except *www.google.com which will be forwarded as usual.
1958: Thanks to AJ Weber for prompting this addition.
1959:
1960: Improve the hash-algorithm used to generate IP addresses
1961: from MAC addresses during initial DHCP address
1962: allocation. This improves performance when large numbers
1963: of hosts with similar MAC addresses all try and get an IP
1964: address at the same time. Thanks to Paul Smith for his
1965: work on this.
1966:
1967: Tweak DHCP code so that --bridge-interface can be used to
1968: select which IP alias of an interface should be used for
1969: DHCP purposes on Linux. If eth0 has an alias eth0:dhcp
1970: then adding --bridge-interface=eth0:dhcp,eth0 will use
1971: the address of eth0:dhcp to determine the correct subnet
1972: for DHCP address allocation. Thanks to Pawel Golaszewski
1973: for prompting this and Eric Cooper for further testing.
1974:
1975: Add --dhcp-generate-names. Suggestion by Ferenc Wagner.
1976:
1977: Tweak DNS server selection algorithm when there is more
1978: than one server available for a domain, eg.
1979: --server=/mydomain/1.1.1.1
1980: --server=/mydomain/2.2.2.2
1981: Thanks to Alberto Cuesta-Canada for spotting a weakness
1982: here.
1983:
1984: Add --max-ttl. Thanks to Fredrik Ringertz for the patch.
1985:
1986: Allow --log-facility=- to force all logging to
1987: stderr. Suggestion from Clemens Fischer.
1988:
1989: Fix regression which caused configuration like
1990: --address=/.domain.com/1.2.3.4 to be rejected. The dot to the
1991: left of the domain has been implied and not required for a
1992: long time, but it should be accepted for backward
1993: compatibility. Thanks to Andrew Burcin for spotting this.
1994:
1995: Add --rebind-domain-ok and --rebind-localhost-ok.
1996: Suggestion from Clemens Fischer.
1997:
1998: Log replies to queries of type TXT, when --log-queries
1999: is set.
2000:
2001: Fix compiler warnings when compiled with -DNO_DHCP. Thanks
2002: to Shantanu Gadgil for the patch.
2003:
2004: Updated French translation. Thanks to Gildas Le Nadan.
2005:
2006: Updated Polish translation. Thanks to Jan Psota.
2007:
2008: Updated German translation. Thanks to Matthias Andree.
2009:
2010: Added contrib/static-arp, thanks to Darren Hoo.
2011:
2012: Fix corruption of the domain when a name from /etc/hosts
2013: overrides one supplied by a DHCP client. Thanks to Fedor
2014: Kozhevnikov for spotting the problem.
2015:
2016: Updated Spanish translation. Thanks to Chris Chatham.
2017:
2018:
2019: version 2.52
2020: Work around a Linux kernel bug which insists that the
2021: length of the option passed to setsockopt must be at least
2022: sizeof(int) bytes, even if we're calling SO_BINDTODEVICE
2023: and the device name is "lo". Note that this is fixed
2024: in kernel 2.6.31, but the workaround is harmless and
2025: allows earlier kernels to be used. Also fix dnsmasq
2026: bug which reported the wrong address when this failed.
2027: Thanks to Fedor for finding this.
2028:
2029: The API for IPv6 PKTINFO changed around Linux kernel
2030: 2.6.14. Workaround the case where dnsmasq is compiled
2031: against newer headers, but then run on an old kernel:
2032: necessary for some *WRT distros.
2033:
2034: Re-read the set of network interfaces when re-loading
2035: /etc/resolv.conf if --bind-interfaces is not set. This
2036: handles the case that loopback interfaces do not exist
2037: when dnsmasq is first started.
2038:
2039: Tweak the PXE code to support port 4011. This should
2040: reduce broadcasts and make things more reliable when other
2041: servers are around. It also improves inter-operability
2042: with certain clients.
2043:
2044: Make a pxe-service configuration with no filename or boot
2045: service type legal: this does a local boot. eg.
2046: pxe-service=x86PC, "Local boot"
2047:
2048: Be more conservative in detecting "A for A"
2049: queries. Dnsmasq checks if the name in a type=A query looks
2050: like a dotted-quad IP address and answers the query itself
2051: if so, rather than forwarding it. Previously dnsmasq
2052: relied in the library function inet_addr() to convert
2053: addresses, and that will accept some things which are
2054: confusing in this context, like 1.2.3 or even just
2055: 1234. Now we only do A for A processing for four decimal
2056: numbers delimited by dots.
2057:
2058: A couple of tweaks to fix compilation on Solaris. Thanks
2059: to Joel Macklow for help with this.
2060:
2061: Another Solaris compilation tweak, needed for Solaris
2062: 2009.06. Thanks to Lee Essen for that.
2063:
2064: Added extract packaging stuff from Lee Essen to
2065: contrib/Solaris10.
2066:
2067: Increased the default limit on number of leases to 1000
2068: (from 150). This is mainly a defence against DoS attacks,
2069: and for the average "one for two class C networks"
2070: installation, IP address exhaustion does that just as
2071: well. Making the limit greater than the number of IP
2072: addresses available in such an installation removes a
2073: surprise which otherwise can catch people out.
2074:
2075: Removed extraneous trailing space in the value of the
2076: DNSMASQ_TIME_REMAINING DNSMASQ_LEASE_LENGTH and
2077: DNSMASQ_LEASE_EXPIRES environment variables. Thanks to
2078: Gildas Le Nadan for spotting this.
2079:
2080: Provide the network-id tags for a DHCP transaction to
2081: the lease-change script in the environment variable
2082: DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan.
2083:
2084: Add support for RFC3925 "Vendor-Identifying Vendor
2085: Options". The syntax looks like this:
2086: --dhcp-option=vi-encap:<enterprise number>, .........
2087:
2088: Add support to --dhcp-match to allow matching against
2089: RFC3925 "Vendor-Identifying Vendor Classes". The syntax
2090: looks like this:
2091: --dhcp-match=tag,vi-encap<enterprise number>, <value>
2092:
2093: Add some application specific code to assist in
2094: implementing the Broadband forum TR069 CPE-WAN
2095: specification. The details are in contrib/CPE-WAN/README
2096:
2097: Increase the default DNS packet size limit to 4096, as
2098: recommended by RFC5625 section 4.4.3. This can be
2099: reconfigured using --edns-packet-max if needed. Thanks to
2100: Francis Dupont for pointing this out.
2101:
2102: Rewrite query-ids even for TSIG signed packets, since
2103: this is allowed by RFC5625 section 4.5.
2104:
2105: Use getopt_long by default on OS X. It has been supported
2106: since version 10.3.0. Thanks to Arek Dreyer for spotting
2107: this.
2108:
2109: Added up-to-date startup configuration for MacOSX/launchd
2110: in contrib/MacOSX-launchd. Thanks to Arek Dreyer for
2111: providing this.
2112:
2113: Fix link error when including Dbus but excluding DHCP.
2114: Thanks to Oschtan for the bug report.
2115:
2116: Updated French translation. Thanks to Gildas Le Nadan.
2117:
2118: Updated Polish translation. Thanks to Jan Psota.
2119:
2120: Updated Spanish translation. Thanks to Chris Chatham.
2121:
2122: Fixed confusion about domains, when looking up DHCP hosts
2123: in /etc/hosts. This could cause spurious "Ignoring
2124: domain..." messages. Thanks to Fedor Kozhevnikov for
2125: finding and analysing the problem.
2126:
2127:
2128: version 2.51
2129: Add support for internationalised DNS. Non-ASCII characters
2130: in domain names found in /etc/hosts, /etc/ethers and
2131: /etc/dnsmasq.conf will be correctly handled by translation to
2132: punycode, as specified in RFC3490. This function is only
2133: available if dnsmasq is compiled with internationalisation
2134: support, and adds a dependency on GNU libidn. Without i18n
2135: support, dnsmasq continues to be compilable with just
2136: standard tools. Thanks to Yves Dorfsman for the
2137: suggestion.
2138:
2139: Add two more environment variables for lease-change scripts:
2140: First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname
2141: supplied by a client, even if the actual hostname used is
2142: over-ridden by dhcp-host or dhcp-ignore-names directives.
2143: Also DNSMASQ_RELAY_ADDRESS which gives the address of
2144: a DHCP relay, if used.
2145: Suggestions from Michael Rack.
2146:
2147: Fix regression which broke echo of relay-agent
2148: options. Thanks to Michael Rack for spotting this.
2149:
2150: Don't treat option 67 as being interchangeable with
2151: dhcp-boot parameters if it's specified as
2152: dhcp-option-force.
2153:
2154: Make the code to call scripts on lease-change compile-time
2155: optional. It can be switched off by editing src/config.h
2156: or building with "make COPTS=-DNO_SCRIPT".
2157:
2158: Make the TFTP server cope with filenames from Windows/DOS
2159: which use '\' as pathname separator. Thanks to Ralf for
2160: the patch.
2161:
2162: Updated Polish translation. Thanks to Jan Psota.
2163:
2164: Warn if an IP address is duplicated in /etc/ethers. Thanks
2165: to Felix Schwarz for pointing this out.
2166:
2167: Teach --conf-dir to take an option list of file suffices
2168: which will be ignored when scanning the directory. Useful
2169: for backup files etc. Thanks to Helmut Hullen for the
2170: suggestion.
2171:
2172: Add new DHCP option named tftpserver-address, which
2173: corresponds to the third argument of dhcp-boot. This
2174: allows the complete functionality of dhcp-boot to be
2175: replicated with dhcp-option. Useful when using
2176: dhcp-optsfile.
2177:
2178: Test which upstream nameserver to use every 10 seconds
2179: or 50 queries and not just when a query times out and
2180: is retried. This should improve performance when there
2181: is a slow nameserver in the list. Thanks to Joe for the
2182: suggestion.
2183:
2184: Don't do any PXE processing, even for clients with the
2185: correct vendorclass, unless at least one pxe-prompt or
2186: pxe-service option is given. This stops dnsmasq
2187: interfering with proxy PXE subsystems when it is just
2188: the DHCP server. Thanks to Spencer Clark for spotting this.
2189:
2190: Limit the blocksize used for TFTP transfers to a value
2191: which avoids packet fragmentation, based on the MTU of the
2192: local interface. Many netboot ROMs can't cope with
2193: fragmented packets.
2194:
2195: Honour dhcp-ignore configuration for PXE and proxy-PXE
2196: requests. Thanks to Niels Basjes for the bug report.
2197:
2198: Updated French translation. Thanks to Gildas Le Nadan.
2199:
2200:
2201: version 2.50
2202: Fix security problem which allowed any host permitted to
2203: do TFTP to possibly compromise dnsmasq by remote buffer
2204: overflow when TFTP enabled. Thanks to Core Security
2205: Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro
2206: Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and
2207: Pablo Annetta. This problem has Bugtraq id: 36121
2208: and CVE: 2009-2957
2209:
2210: Fix a problem which allowed a malicious TFTP client to
2211: crash dnsmasq. Thanks to Steve Grubb at Red Hat for
2212: spotting this. This problem has Bugtraq id: 36120 and
2213: CVE: 2009-2958
2214:
2215:
2216: version 2.49
2217: Fix regression in 2.48 which disables the lease-change
2218: script. Thanks to Jose Luis Duran for spotting this.
2219:
2220: Log TFTP "file not found" errors. These were not logged,
2221: since a normal PXELinux boot generates many of them, but
2222: the lack of the messages seems to be more confusing than
2223: routinely seeing them when there is no real error.
2224:
2225: Update Spanish translation. Thanks to Chris Chatham.
2226:
2227:
2228: version 2.48
2229: Archived the extensive, backwards, changelog to
2230: CHANGELOG.archive. The current changelog now runs from
2231: version 2.43 and runs conventionally.
2232:
2233: Fixed bug which broke binding of servers to physical
2234: interfaces when interface names were longer than four
2235: characters. Thanks to MURASE Katsunori for the patch.
2236:
2237: Fixed netlink code to check that messages come from the
2238: correct source, and not another userspace process. Thanks
2239: to Steve Grubb for the patch.
2240:
2241: Maintainability drive: removed bug and missing feature
2242: workarounds for some old platforms. Solaris 9, OpenBSD
2243: older than 4.1, Glibc older than 2.2, Linux 2.2.x and
2244: DBus older than 1.1.x are no longer supported.
2245:
2246: Don't read included configuration files more than once:
2247: allows complex configuration structures without problems.
2248:
2249: Mark log messages from the various subsystems in dnsmasq:
2250: messages from the DHCP subsystem now have the ident string
2251: "dnsmasq-dhcp" and messages from TFTP have ident
2252: "dnsmasq-tftp". Thanks to Olaf Westrik for the patch.
2253:
2254: Fix possible infinite DHCP protocol loop when an IP
2255: address nailed to a hostname (not a MAC address) and a
2256: host sometimes provides the name, sometimes not.
2257:
2258: Allow --addn-hosts to take a directory: all the files
2259: in the directory are read. Thanks to Phil Cornelius for
2260: the suggestion.
2261:
2262: Support --bridge-interface on all platforms, not just BSD.
2263:
2264: Added support for advanced PXE functions. It's now
2265: possible to define a prompt and menu options which will
2266: be displayed when a client PXE boots. It's also possible to
2267: hand-off booting to other boot servers. Proxy-DHCP, where
2268: dnsmasq just supplies the PXE information and another DHCP
2269: server does address allocation, is also allowed. See the
2270: --pxe-prompt and --pxe-service keywords. Thanks to
2271: Alkis Georgopoulos for the suggestion and Guilherme Moro
2272: and Michael Brown for assistance.
2273:
2274: Improvements to DHCP logging. Thanks to Tom Metro for
2275: useful suggestions.
2276:
2277: Add ability to build dnsmasq without DHCP support. To do
2278: this, edit src/config.h or build with
2279: "make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch.
2280:
2281: Added --test command-line switch - syntax check
2282: configuration files only.
2283:
2284: Updated French translation. Thanks to Gildas Le Nadan.
2285:
2286:
2287: version 2.47
2288: Updated French translation. Thanks to Gildas Le Nadan.
2289:
2290: Fixed interface enumeration code to work on NetBSD
2291: 5.0. Thanks to Roy Marples for the patch.
2292:
2293: Updated config.h to use the same location for the lease
2294: file on NetBSD as the other *BSD variants. Also allow
2295: LEASEFILE and CONFFILE symbols to be overridden in CFLAGS.
2296:
2297: Handle duplicate address detection on IPv6 more
2298: intelligently. In IPv6, an interface can have an address
2299: which is not usable, because it is still undergoing DAD
2300: (such addresses are marked "tentative"). Attempting to
2301: bind to an address in this state returns an error,
2302: EADDRNOTAVAIL. Previously, on getting such an error,
2303: dnsmasq would silently abandon the address, and never
2304: listen on it. Now, it retries once per second for 20
2305: seconds before generating a fatal error. 20 seconds should
2306: be long enough for any DAD process to complete, but can be
2307: adjusted in src/config.h if necessary. Thanks to Martin
2308: Krafft for the bug report.
2309:
2310: Add DBus introspection. Patch from Jeremy Laine.
2311:
2312: Update Dbus configuration file. Patch from Colin Walters.
2313: Fix for this bug:
2314: http://bugs.freedesktop.org/show_bug.cgi?id=18961
2315:
2316: Support arbitrarily encapsulated DHCP options, suggestion
2317: and initial patch from Samium Gromoff. This is useful for
2318: (eg) iPXE, which expect all its private options to be
2319: encapsulated inside a single option 175. So, eg,
2320:
2321: dhcp-option = encap:175, 190, "iscsi-client0"
2322: dhcp-option = encap:175, 191, "iscsi-client0-secret"
2323:
2324: will provide iSCSI parameters to iPXE.
2325:
2326: Enhance --dhcp-match to allow testing of the contents of a
2327: client-sent option, as well as its presence. This
2328: application in mind for this is RFC 4578
2329: client-architecture specifiers, but it's generally useful.
2330: Joey Korkames suggested the enhancement.
2331:
2332: Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on
2333: OpenSolaris. Thanks to Bastian Machek for the heads-up.
2334:
2335: No longer complain about blank lines in
2336: /etc/ethers. Thanks to Jon Nelson for the patch.
2337:
2338: Fix binding of servers to physical devices, eg
2339: --server=/domain/1.2.3.4@eth0 which was broken from 2.43
2340: onwards unless --query-port=0 set. Thanks to Peter Naulls
2341: for the bug report.
2342:
2343: Reply to DHCPINFORM requests even when the supplied ciaddr
2344: doesn't fall in any dhcp-range. In this case it's not
2345: possible to supply a complete configuration, but
2346: individually-configured options (eg PAC) may be useful.
2347:
2348: Allow the source address of an alias to be a range:
2349: --alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole
2350: subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255,
2351: as before.
2352: --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
2353: maps only the 192.168.0.10->192.168.0.40 region. Thanks to
2354: Ib Uhrskov for the suggestion.
2355:
2356: Don't dynamically allocate DHCP addresses which may break
2357: Windows. Addresses which end in .255 or .0 are broken in
2358: Windows even when using supernetting.
2359: --dhcp-range=192.168.0.1,192.168.1.254,255,255,254.0 means
2360: 192.168.0.255 is a valid IP address, but not for Windows.
2361: See Microsoft KB281579. We therefore no longer allocate
2362: these addresses to avoid hard-to-diagnose problems.
2363:
2364: Update Polish translation. Thanks to Jan Psota.
2365:
2366: Delete the PID-file when dnsmasq shuts down. Note that by
2367: this time, dnsmasq is normally not running as root, so
2368: this will fail if the PID-file is stored in a root-owned
2369: directory; such failure is silently ignored. To take
2370: advantage of this feature, the PID-file must be stored in a
2371: directory owned and write-able by the user running
2372: dnsmasq.
2373:
2374:
2375: version 2.46
2376: Allow --bootp-dynamic to take a netid tag, so that it may
2377: be selectively enabled. Thanks to Olaf Westrik for the
2378: suggestion.
2379:
2380: Remove ISC-leasefile reading code. This has been
2381: deprecated for a long time, and last time I removed it, it
2382: ended up going back by request of one user. This time,
2383: it's gone for good; otherwise it would need to be
2384: re-worked to support multiple domains (see below).
2385:
2386: Support DHCP clients in multiple DNS domains. This is a
2387: long-standing request. Clients are assigned to a domain
2388: based in their IP address.
2389:
2390: Add --dhcp-fqdn flag, which changes behaviour if DNS names
2391: assigned to DHCP clients. When this is set, there must be
2392: a domain associated with each client, and only
2393: fully-qualified domain names are added to the DNS. The
2394: advantage is that the only the FQDN needs to be unique,
2395: so that two or more DHCP clients can share a hostname, as
2396: long as they are in different domains.
2397:
2398: Set environment variable DNSMASQ_DOMAIN when invoking
2399: lease-change script. This may be useful information to
2400: have now that it's variable.
2401:
2402: Tighten up data-checking code for DNS packet
2403: handling. Thanks to Steve Dodd who found certain illegal
2404: packets which could crash dnsmasq. No memory overwrite was
2405: possible, so this is not a security issue beyond the DoS
2406: potential.
2407:
2408: Update example config dhcp option 47, the previous
2409: suggestion generated an illegal, zero-length,
2410: option. Thanks to Matthias Andree for finding this.
2411:
2412: Rewrite hosts-file reading code to remove the limit of
2413: 1024 characters per line. John C Meuser found this.
2414:
2415: Create a net-id tag with the name of the interface on
2416: which the DHCP request was received.
2417:
2418: Fixed minor memory leak in DBus code, thanks to Jeremy
2419: Laine for the patch.
2420:
2421: Emit DBus signals as the DHCP lease database
2422: changes. Thanks to Jeremy Laine for the patch.
2423:
2424: Allow for more that one MAC address in a dhcp-host
2425: line. This configuration tells dnsmasq that it's OK to
2426: abandon a DHCP lease of the fixed address to one MAC
2427: address, if another MAC address in the dhcp-host statement
2428: asks for an address. This is useful to give a fixed
2429: address to a host which has two network interfaces
2430: (say, a laptop with wired and wireless interfaces.)
2431: It's very important to ensure that only one interface
2432: at a time is up, since dnsmasq abandons the first lease
2433: and re-uses the address before the leased time has
2434: elapsed. John Gray suggested this.
2435:
2436: Tweak the response to a DHCP request packet with a wrong
2437: server-id when --dhcp-authoritative is set; dnsmasq now
2438: returns a DHCPNAK, rather than silently ignoring the
2439: packet. Thanks to Chris Marget for spotting this
2440: improvement.
2441:
2442: Add --cname option. This provides a limited alias
2443: function, usable for DHCP names. Thanks to AJ Weber for
2444: suggestions on this.
2445:
2446: Updated contrib/webmin with latest version from Neil
2447: Fisher.
2448:
2449: Updated Polish translation. Thanks to Jan Psota.
2450:
2451: Correct the text names for DHCP options 64 and 65 to be
2452: "nis+-domain" and "nis+-servers".
2453:
2454: Updated Spanish translation. Thanks to Chris Chatham.
2455:
2456: Force re-reading of /etc/resolv.conf when an "interface
2457: up" event occurs.
2458:
2459:
2460: version 2.45
2461: Fix total DNS failure in release 2.44 unless --min-port
2462: specified. Thanks to Steven Barth and Grant Coady for
2463: bugreport. Also reject out-of-range port spec, which could
2464: break things too: suggestion from Gilles Espinasse.
2465:
2466:
2467: version 2.44
2468: Fix crash when unknown client attempts to renew a DHCP
2469: lease, problem introduced in version 2.43. Thanks to
2470: Carlos Carvalho for help chasing this down.
2471:
2472: Fix potential crash when a host which doesn't have a lease
2473: does DHCPINFORM. Again introduced in 2.43. This bug has
2474: never been reported in the wild.
2475:
2476: Fix crash in netlink code introduced in 2.43. Thanks to
2477: Jean Wolter for finding this.
2478:
2479: Change implementation of min_port to work even if min-port
2480: is large.
2481:
2482: Patch to enable compilation of latest Mac OS X. Thanks to
2483: David Gilman.
2484:
2485: Update Spanish translation. Thanks to Christopher Chatham.
2486:
2487:
2488: version 2.43
2489: Updated Polish translation. Thanks to Jan Psota.
2490:
2491: Flag errors when configuration options are repeated
2492: illegally.
2493:
2494: Further tweaks for GNU/kFreeBSD
2495:
2496: Add --no-wrap to msgmerge call - provides nicer .po file
2497: format.
2498:
2499: Honour lease-time spec in dhcp-host lines even for
2500: BOOTP. The user is assumed to known what they are doing in
2501: this case. (Hosts without the time spec still get infinite
2502: leases for BOOTP, over-riding the default in the
2503: dhcp-range.) Thanks to Peter Katzmann for uncovering this.
2504:
2505: Fix problem matching relay-agent ids. Thanks to Michael
2506: Rack for the bug report.
2507:
2508: Add --naptr-record option. Suggestion from Johan
2509: Bergquist.
2510:
2511: Implement RFC 5107 server-id-override DHCP relay agent
2512: option.
2513:
2514: Apply patches from Stefan Kruger for compilation on
2515: Solaris 10 under Sun studio.
2516:
2517: Yet more tweaking of Linux capability code, to suppress
2518: pointless wingeing from kernel 2.6.25 and above.
2519:
2520: Improve error checking during startup. Previously, some
2521: errors which occurred during startup would be worked
2522: around, with dnsmasq still starting up. Some were logged,
2523: some silent. Now, they all cause a fatal error and dnsmasq
2524: terminates with a non-zero exit code. The errors are those
2525: associated with changing uid and gid, setting process
2526: capabilities and writing the pidfile. Thanks to Uwe
2527: Gansert and the Suse security team for pointing out
2528: this improvement, and Bill Reimers for good implementation
2529: suggestions.
2530:
2531: Provide NO_LARGEFILE compile option to switch off largefile
2532: support when compiling against versions of uclibc which
2533: don't support it. Thanks to Stephane Billiart for the patch.
2534:
2535: Implement random source ports for interactions with
2536: upstream nameservers. New spoofing attacks have been found
2537: against nameservers which do not do this, though it is not
2538: clear if dnsmasq is vulnerable, since to doesn't implement
2539: recursion. By default dnsmasq will now use a different
2540: source port (and socket) for each query it sends
2541: upstream. This behaviour can suppressed using the
2542: --query-port option, and the old default behaviour
2543: restored using --query-port=0. Explicit source-port
2544: specifications in --server configs are still honoured.
2545:
2546: Replace the random number generator, for better
2547: security. On most BSD systems, dnsmasq uses the
2548: arc4random() RNG, which is secure, but on other platforms,
2549: it relied on the C-library RNG, which may be
2550: guessable and therefore allow spoofing. This release
2551: replaces the libc RNG with the SURF RNG, from Daniel
2552: J. Berstein's DJBDNS package.
2553:
2554: Don't attempt to change user or group or set capabilities
2555: if dnsmasq is run as a non-root user. Without this, the
2556: change from soft to hard errors when these fail causes
2557: problems for non-root daemons listening on high
2558: ports. Thanks to Patrick McLean for spotting this.
2559:
2560: Updated French translation. Thanks to Gildas Le Nadan.
2561:
2562:
2563: version 2.42
2564: The changelog for version 2.42 and earlier is
2565: available in CHANGELOG.archive.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>