File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / dnsmasq / CHANGELOG
Revision 1.1.1.2 (vendor branch)
Sun Jun 15 16:31:38 2014 UTC by misho
Branches: elwix, dnsmasq, MAIN
CVS tags: v2_71, HEAD
dnsmasq 2.71

    1: version 2.71
    2:             Subtle change to error handling to help DNSSEC validation 
    3: 	    when servers fail to provide NODATA answers for 
    4: 	    non-existent DS records.
    5: 
    6: 	    Tweak code which removes DNSSEC records from answers when
    7: 	    not required. Fixes broken answers when additional section
    8: 	    has real records in it. Thanks to Marco Davids for the bug 
    9: 	    report.
   10: 
   11: 	    Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
   12: 	    for spotting that too.
   13: 
   14: 	    Fix total DNS failure and 100% CPU use if cachesize set to zero,
   15: 	    regression introduced in 2.69. Thanks to James Hunt and
   16: 	    the Ubuntu crowd for assistance in fixing this.
   17: 
   18: 
   19: version 2.70
   20:             Fix crash, introduced in 2.69, on TCP request when dnsmasq
   21: 	    compiled with DNSSEC support, but running without DNSSEC
   22: 	    enabled. Thanks to Manish Sing for spotting that one.
   23: 
   24: 	    Fix regression which broke ipset functionality. Thanks to 
   25: 	    Wang Jian for the bug report.
   26: 
   27: 
   28: version 2.69
   29: 	    Implement dynamic interface discovery on *BSD. This allows
   30: 	    the constructor: syntax to be used in dhcp-range for DHCPv6
   31: 	    on the BSD platform. Thanks to Matthias Andree for
   32: 	    valuable research on how to implement this.
   33: 
   34: 	    Fix infinite loop associated with some --bogus-nxdomain
   35: 	    configs. Thanks fogobogo for the bug report.
   36: 
   37: 	    Fix missing RA RDNS option with configuration like
   38: 	    --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
   39: 	    for spotting the problem.
   40: 
   41: 	    Add [fd00::] and [fe80::] as special addresses in DHCPv6
   42: 	    options, analogous to [::]. [fd00::] is replaced with the
   43: 	    actual ULA of the interface on the machine running
   44: 	    dnsmasq, [fe80::] with the link-local address. 
   45: 	    Thanks to Tsachi Kimeldorfer for championing this.
   46: 
   47: 	    DNSSEC validation and caching. Dnsmasq needs to be
   48: 	    compiled with this enabled, with 
   49: 	    
   50: 	    make dnsmasq COPTS=-DHAVE_DNSSEC
   51: 	    
   52: 	    this adds dependencies on the nettle crypto library and the 
   53: 	    gmp maths library. It's possible to have these linked
   54: 	    statically with
   55: 	    
   56: 	    make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
   57: 	    
   58: 	    which bloats the dnsmasq binary, but saves the size of 
   59: 	    the shared libraries which are much bigger.
   60: 
   61: 	    To enable DNSSEC, you will need a set of
   62: 	    trust-anchors. Now that the TLDs are signed, this can be
   63: 	    the keys for the root zone, and for convenience they are
   64: 	    included in trust-anchors.conf in the dnsmasq
   65: 	    distribution. You should of course check that these are
   66: 	    legitimate and up-to-date. So, adding
   67: 	    
   68: 	    conf-file=/path/to/trust-anchors.conf
   69: 	    dnssec
   70: 
   71: 	    to your config is all that's needed to get things
   72: 	    working. The upstream nameservers have to be DNSSEC-capable
   73: 	    too, of course. Many ISP nameservers aren't, but the
   74: 	    Google public nameservers (8.8.8.8 and 8.8.4.4) are.
   75: 	    When DNSSEC is configured, dnsmasq validates any queries 
   76: 	    for domains which are signed. Query results which are 
   77: 	    bogus are replaced with SERVFAIL replies, and results 
   78: 	    which are correctly signed have the AD bit set. In 
   79: 	    addition, and just as importantly, dnsmasq supplies 
   80: 	    correct DNSSEC information to clients which are doing 
   81: 	    their own validation, and caches DNSKEY, DS and RRSIG
   82: 	    records, which significantly improve the performance of 
   83: 	    downstream validators. Setting --log-queries will show 
   84: 	    DNSSEC in action.
   85: 
   86: 	    If a domain is returned from an upstream nameserver without 
   87: 	    DNSSEC signature, dnsmasq by default trusts this. This 
   88: 	    means that for unsigned zones (still the majority) there 
   89: 	    is effectively no cost for having DNSSEC enabled. Of course
   90: 	    this allows an attacker to replace a signed record with a 
   91: 	    false unsigned record. This is addressed by the 
   92: 	    --dnssec-check-unsigned flag, which instructs dnsmasq
   93: 	    to prove that an unsigned record is legitimate, by finding  
   94: 	    a secure proof that the zone containing the record is not
   95: 	    signed. Doing this has costs (typically one or two extra
   96: 	    upstream queries). It also has a nasty failure mode if
   97: 	    dnsmasq's upstream nameservers are not DNSSEC capable. 
   98: 	    Without --dnssec-check-unsigned using such an upstream
   99: 	    server will simply result in no queries being validated; 
  100: 	    with --dnssec-check-unsigned enabled and a 
  101: 	    DNSSEC-ignorant upstream server, _all_ queries will fail.
  102: 
  103: 	    Note that DNSSEC requires that the local time is valid and 
  104: 	    accurate, if not then DNSSEC validation will fail. NTP 
  105: 	    should be running. This presents a problem for routers
  106: 	    without a battery-backed clock. To set the time needs NTP 
  107: 	    to do DNS lookups, but lookups will fail until NTP has run.
  108: 	    To address this, there's a flag, --dnssec-no-timecheck 
  109: 	    which disables the time checks (only) in DNSSEC. When dnsmasq
  110: 	    is started and the clock is not synced, this flag should
  111: 	    be used. As soon as the clock is synced, SIGHUP dnsmasq. 
  112: 	    The SIGHUP clears the cache of partially-validated data and
  113: 	    resets the no-timecheck flag, so that all DNSSEC checks 
  114: 	    henceforward will be complete.
  115: 	    
  116: 	    The development of DNSSEC in dnsmasq was started by 
  117: 	    Giovanni Bajo, to whom huge thanks are owed. It has been
  118: 	    supported by Comcast, whose techfund grant has allowed for 
  119: 	    an invaluable period of full-time work to get it to 
  120: 	    a workable state.
  121:  
  122: 	    Add --rev-server. Thanks to Dave Taht for suggesting this.
  123: 	    
  124: 	    Add --servers-file. Allows dynamic update of upstream servers 
  125: 	    full access to configuration. 
  126: 
  127: 	    Add --local-service. Accept DNS queries only from hosts 
  128:             whose address is on a local subnet, ie a subnet for which 
  129:             an interface exists on the server. This option
  130:             only has effect if there are no --interface --except-interface,
  131:             --listen-address or --auth-server options. It is intended 
  132:             to be set as a default on installation, to allow
  133:             unconfigured installations to be useful but also safe from 
  134: 	    being used for DNS amplification attacks.
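
A configuration check for the DNSSEC and --local-service caveats described in the 2.69 entry above, as an added example that is not part of the dnsmasq distribution. The function names, finding codes and both sample configurations are constructed for illustration; it assumes config-file keys are the long option names without the leading "--" and that trust anchors arrive either through a conf-file named trust-anchors.conf or as trust-anchor= lines.

```python
"""Audit a dnsmasq config for the DNSSEC and local-service caveats (added example)."""

# Options which, per the changelog, stop local-service from having any effect.
LOCAL_SERVICE_OVERRIDES = ("interface", "except-interface",
                           "listen-address", "auth-server")

# Constructed sample: validation on, but downgrade and time-check gaps left open.
WEAK_CONFIG = """\
# constructed sample, weak settings
conf-file=/path/to/trust-anchors.conf
dnssec
dnssec-no-timecheck
server=8.8.8.8
interface=eth0
local-service
"""

# Constructed sample: unsigned answers must be proven unsigned, time checks on.
HARDENED_CONFIG = """\
# constructed sample, corrected settings
conf-file=/path/to/trust-anchors.conf
dnssec
dnssec-check-unsigned
server=8.8.8.8
server=8.8.4.4
local-service
"""


def parse_config(text):
    """Return {option: [values]}; blank lines and '#' lines are skipped."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        options.setdefault(key.strip(), []).append(value.strip())
    return options


def audit(text):
    """Return a list of (code, message) findings for one config file."""
    opts = parse_config(text)
    findings = []

    if "dnssec" not in opts:
        findings.append(("DNSSEC_OFF", "dnssec is not set: answers are not validated"))
    else:
        anchors = "trust-anchor" in opts or any(
            v.endswith("trust-anchors.conf") for v in opts.get("conf-file", []))
        if not anchors:
            findings.append(("NO_TRUST_ANCHOR",
                             "dnssec is set but no trust anchors are loaded"))
        if "dnssec-check-unsigned" not in opts:
            # Default behaviour: an unsigned answer is trusted as-is.
            findings.append(("UNSIGNED_TRUSTED",
                             "unsigned answers are trusted, so a signed record can be "
                             "replaced by a false unsigned one"))
        else:
            # Failure mode from the changelog: a DNSSEC-ignorant upstream
            # makes every query fail once check-unsigned is on.
            servers = ", ".join(opts.get("server", [])) or "the resolv.conf servers"
            findings.append(("VERIFY_UPSTREAM",
                             "all queries fail unless upstreams are DNSSEC-capable: "
                             + servers))
        if "dnssec-no-timecheck" in opts:
            findings.append(("TIMECHECK_OFF",
                             "signature time checks stay disabled until dnsmasq "
                             "receives SIGHUP after the clock is synced"))

    overrides = [k for k in LOCAL_SERVICE_OVERRIDES if k in opts]
    if "local-service" in opts and overrides:
        findings.append(("LOCAL_SERVICE_INEFFECTIVE",
                         "local-service has no effect alongside: " + ", ".join(overrides)))
    elif "local-service" not in opts and not overrides:
        findings.append(("NO_SOURCE_RESTRICTION",
                         "queries are not limited to local subnets "
                         "(DNS amplification exposure)"))
    return findings


def codes(text):
    """Finding codes only, in the order audit() reports them."""
    return [code for code, _ in audit(text)]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for code, message in audit(cfg):
            print(f"  {code}: {message}")
```

The hardened sample still reports VERIFY_UPSTREAM on purpose: with --dnssec-check-unsigned the upstream servers have to be checked for DNSSEC support before deployment.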
  135: 
  136: 	    Fix crashes in cache_get_cname_target() when dangling CNAMEs
  137: 	    encountered. Thanks to Andy and the rt-n56u project for
  138: 	    finding this and helping to chase it down.
  139: 
  140: 	    Fix wrong RCODE in authoritative DNS replies to PTR queries. The
  141: 	    correct answer was included, but the RCODE was set to NXDOMAIN.
  142: 	    Thanks to Craig McQueen for spotting this.
  143: 
  144: 	    Make statistics available as DNS queries in the .bind TLD as 
  145: 	    well as logging them.
  146: 
  147: 
  148: version 2.68
  149:             Use random addresses for DHCPv6 temporary address
  150:             allocations, instead of algorithmically determined stable
  151:             addresses.
  152: 
  153: 	    Fix bug which meant that the DHCPv6 DUID was not available
  154: 	    in DHCP script runs during the lifetime of the dnsmasq
  155: 	    process which created the DUID de-novo. Once the DUID was
  156: 	    created and stored in the lease file and dnsmasq
  157: 	    restarted, this bug disappeared.
  158: 
  159: 	    Fix bug introduced in 2.67 which could result in erroneous
  160: 	    NXDOMAIN returns to CNAME queries.
  161: 
  162: 	    Fix build failures on MacOS X and OpenBSD.
  163: 
  164: 	    Allow subnet specifications in --auth-zone to be interface 
  165: 	    names as well as address literals. This makes it possible
  166: 	    to configure authoritative DNS when local address ranges
  167: 	    are dynamic and works much better than the previous
  168: 	    work-around which exempted constructed DHCP ranges from the
  169: 	    IP address filtering. As a consequence, that work-around
  170: 	    is removed. Under certain circumstances, this change will
  171: 	    break existing configuration: if you're relying on the
  172: 	    constructed-range exception, you need to change --auth-zone
  173: 	    to specify the same interface as is used to construct your
  174: 	    DHCP ranges, probably with a trailing "/6" like this: 
  175: 	    --auth-zone=example.com,eth0/6 to limit the addresses to
  176: 	    IPv6 addresses of eth0.
  177: 
  178: 	    Fix problems when advertising deleted IPv6 prefixes. If
  179: 	    the prefix is deleted (rather than replaced), it doesn't
  180: 	    get advertised with zero preferred time. Thanks to Tsachi
  181: 	    for the bug report. 
  182: 
  183: 	    Fix segfault with some locally configured CNAMEs. Thanks
  184: 	    to Andrew Childs for spotting the problem.
  185: 
  186: 	    Fix memory leak on re-reading /etc/hosts and friends,
  187: 	    introduced in 2.67.
  188: 
  189: 	    Check the arrival interface of incoming DNS and TFTP
  190: 	    requests via IPv6, even in --bind-interfaces mode. This
  191: 	    isn't possible for IPv4 and can generate scary warnings,
  192: 	    but as it's always possible for IPv6 (the API always
  193: 	    exists) then we should do it always. 
  194: 	    
  195: 	    Tweak the rules on prefix-lengths in --dhcp-range for
  196: 	    IPv6. The new rule is that the specified prefix length
  197: 	    must be larger than or equal to the prefix length of the
  198: 	    corresponding address on the local interface. 
  199: 
  200: 
  201: version 2.67
  202: 	    Fix crash if upstream server returns SERVFAIL when
  203: 	    --conntrack in use. Thanks to Giacomo Tazzari for finding
  204: 	    this and supplying the patch. 
  205: 
  206: 	    Repair regression in 2.64. That release stopped sending
  207: 	    lease-time information in the reply to DHCPINFORM
  208: 	    requests, on the correct grounds that it was a standards
  209: 	    violation. However, this broke the dnsmasq-specific
  210: 	    dhcp_lease_time utility. Now, DHCPINFORM returns
  211: 	    lease-time only if it's specifically requested
  212: 	    (maintaining standards) and the dhcp_lease_time utility
  213: 	    has been taught to ask for it (restoring functionality). 
  214: 
  215: 	    Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass
  216: 	    to work with BOOTP as well as DHCP. Thanks to Peter
  217: 	    Korsgaard for spotting the problem. 
  218: 
  219: 	    Add --synth-domain. Thanks to Vishvananda Ishaya for
  220: 	    suggesting this.
  221: 
  222: 	    Fix failure to compile ipset.c if old kernel headers are
  223: 	    in use. Thanks to Eugene Rudoy for pointing this out.
  224: 
  225: 	    Handle IPv4 interface-address labels in Linux. These are
  226: 	    often used to emulate the old IP-alias addresses. Before,
  227: 	    using --interface=eth0 would service all the addresses of
  228: 	    eth0, including ones configured as aliases, which appear
  229: 	    in ifconfig as eth0:0. Now, only addresses with the label
  230: 	    eth0 are active. This is not backwards compatible: if you
  231: 	    want to continue to bind the aliases too, you need to add
  232: 	    eg. --interface=eth0:0 to the config. 
  233: 	
  234: 	    Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket 
  235: 	    operation on non-socket" error on startup with
  236: 	    configurations which have exactly one --interface option
  237: 	    and do RA but _not_ DHCPv6. Thanks to Trever Adams for the
  238: 	    bug report.
  239: 
  240: 	    Generalise --interface-name to cope with IPv6 addresses
  241: 	    and multiple addresses per interface per address family.
  242: 
  243: 	    Fix option parsing for --dhcp-host, which was generating a
  244: 	    spurious error when all seven possible items were
  245: 	    included. Thanks to Zhiqiang Wang for the bug report.
  246: 
  247: 	    Remove restriction on prefix-length in --auth-zone. Thanks
  248: 	    to Toke Hoiland-Jorgensen for suggesting this.
  249: 
  250: 	    Log when the maximum number of concurrent DNS queries is
  251: 	    reached. Thanks to Marcelo Salhab Brogliato for the patch.
  252: 
  253: 	    If wildcards are used in --interface, don't assume that 
  254: 	    there will only ever be one available interface for DHCP
  255: 	    just because there is one at start-up. More may appear, so
  256: 	    we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
  257: 	    report. 
  258: 
  259: 	    Increase timeout/number of retries in TFTP to accommodate
  260: 	    AudioCodes Voice Gateways doing streaming writes to flash.
  261: 	    Thanks to Damian Kaczkowski for spotting the problem.
  262: 
  263: 	    Fix crash with empty DHCP string options when adding zero
  264: 	    terminator. Thanks to Patrick McLean for the bug report.
  265: 
  266: 	    Allow hostnames to start with a number, as allowed in
  267: 	    RFC-1123. Thanks to Kyle Mestery for the patch. 
  268: 
  269: 	    Fixes to DHCP FQDN option handling: don't terminate FQDN
  270: 	    if domain not known and allow a FQDN option with blank
  271: 	    name to request that a FQDN option is returned in the
  272: 	    reply. Thanks to Roy Marples for the patch.
  273: 
  274: 	    Make --clear-on-reload apply to setting upstream servers
  275: 	    via DBus too.
  276: 
  277: 	    When the address which triggered the construction of an
  278: 	    advertised IPv6 prefix disappears, continue to advertise 
  279: 	    the prefix for up to 2 hours, with the preferred lifetime
  280: 	    set to zero. This satisfies RFC 6204 4.3 L-13 and makes
  281: 	    things work better if a prefix disappears without being
  282: 	    deprecated first. Thanks to Uwe Schindler for persuasively
  283: 	    arguing for this.
  284: 
  285: 	    Fix MAC address enumeration on *BSD. Thanks to Brad Smith
  286: 	    for the bug report.
  287: 
  288: 	    Support RFC-4242 information-refresh-time options in the 
  289: 	    reply to DHCPv6 information-request. The lease time of the
  290:             smallest valid dhcp-range is sent. Thanks to Uwe Schindler 
  291: 	    for suggesting this.
  292: 
  293: 	    Make --listen-address higher priority than --except-interface
  294: 	    in all circumstances. Thanks to Thomas Hood for the bug report.
  295: 
  296: 	    Provide independent control over which interfaces get TFTP 
  297: 	    service. If enable-tftp is given a list of interfaces, then TFTP 
  298: 	    is provided on those. Without the list, the previous behaviour
  299: 	    (provide TFTP to the same interfaces we provide DHCP to) 
  300: 	    is retained. Thanks to Lonnie Abelbeck for the suggestion.
  301: 
  302: 	    Add --dhcp-relay config option. Many thanks to vtsl.net
  303: 	    for sponsoring this development.
  304: 
  305: 	    Fix crash with empty tag: in --dhcp-range. Thanks to
  306: 	    Kaspar Schleiser for the bug report.
  307: 
  308: 	    Add "baseline" and "bloatcheck" makefile targets, for 
  309: 	    revealing size changes during development. Thanks to
  310: 	    Vladislav Grishenko for the patch. 
  311: 
  312: 	    Cope with DHCPv6 clients which send REQUESTs without
  313: 	    address options - treat them as SOLICIT with rapid commit.
  314: 
  315: 	    Support identification of clients by MAC address in
  316: 	    DHCPv6. When using a relay, the relay must support RFC
  317: 	    6939 for this to work. It always works for directly
  318: 	    connected clients. Thanks to Vladislav Grishenko
  319: 	    for prompting this feature.
  320: 	    
  321: 	    Remove the rule for constructed DHCP ranges that the local
  322: 	    address must be either the first or last address in the
  323: 	    range. This was originally to avoid SLAAC addresses, but
  324: 	    we now explicitly autoconfig and privacy addresses instead.  
  325: 
  326: 	    Update Polish translation. Thanks to Jan Psota.
  327: 
  328: 	    Fix problem in DHCPv6 vendorclass/userclass matching
  329: 	    code. Thanks to Tanguy Bouzeloc for the patch.
  330: 
  331: 	    Update Spanish translation. Thanks to Vicente Soriano.
  332: 
  333: 	    Add --ra-param option. Thanks to Vladislav Grishenko for
  334: 	    inspiration on this.
  335: 
  336: 	    Add --add-subnet configuration, to tell upstream DNS
  337: 	    servers where the original client is. Thanks to DNSthingy
  338: 	    for sponsoring this feature.
  339: 
  340: 	    Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
  341: 	    Kevin Darbyshire-Bryant for the initial patch.
  342: 
  343: 	    Allow A/AAAA records created by --interface-name to be the
  344: 	    target of --cname. Thanks to Hadmut Danisch for the
  345: 	    suggestion. 
  346: 
  347: 	    Avoid treating a --dhcp-host which has an IPv6 address
  348: 	    as eligible for use with DHCPv4 on the grounds that it has
  349: 	    no address, and vice-versa. Thanks to Yury Konovalov for
  350: 	    spotting the problem.
  351: 
  352: 	    Do a better job caching dangling CNAMEs. Thanks to Yves
  353: 	    Dorfsman for spotting the problem.
  354: 
  355:  
  356: version 2.66
  357:             Add the ability to act as an authoritative DNS
  358:             server. Dnsmasq can now answer queries from the wider 'net
  359:             with local data, as long as the correct NS records are set
  360:             up. Only local data is provided, to avoid creating an open
  361:             DNS relay. Zone transfer is supported, to allow secondary
  362:             servers to be configured.
  363: 
  364: 	    Add "constructed DHCP ranges" for DHCPv6. This is intended
  365: 	    for IPv6 routers which get prefixes dynamically via prefix
  366: 	    delegation. With suitable configuration, stateful DHCPv6
  367: 	    and RA can happen automatically as prefixes are delegated
  368: 	    and then deprecated, without having  to re-write the
  369: 	    dnsmasq configuration file or restart the daemon. Thanks to
  370: 	    Steven Barth for extensive testing and development work on
  371: 	    this idea.
  372: 
  373: 	    Fix crash on startup on Solaris 11. Regression probably
  374: 	    introduced in 2.61.  Thanks to Geoff Johnstone for the
  375: 	    patch.
  376: 
  377: 	    Add code to make behaviour for TCP DNS requests the same
  378: 	    as for UDP requests, when a request arrives for an allowed 
  379: 	    address, but via a banned interface. This change is only
  380: 	    active on Linux, since the relevant API is missing (AFAIK)
  381: 	    on other platforms. Many thanks to Tomas Hozza for
  382: 	    spotting the problem, and doing invaluable discovery of
  383: 	    the obscure and undocumented API required for the solution.
  384: 
  385: 	    Don't send the default DHCP option advertising dnsmasq as
  386: 	    the local DNS server if dnsmasq is configured to not act
  387: 	    as DNS server, or it's configured to a non-standard port.
  388:  
  389:             Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID,
  390:             DNSMASQ_REMOTE_ID variables to the environment of the
  391:             lease-change script (and the corresponding Lua). These hold
  392:             information inserted into the DHCP request by a DHCP relay
  393:             agent. Thanks to Lakefield Communications for providing a
  394:             bounty for this addition.
  395:  
  396: 	    Fixed crash, introduced in 2.64, whilst handling DHCPv6
  397: 	    information-requests with some common configurations.
  398: 	    Thanks to Robert M. Albrecht for the bug report and 
  399: 	    chasing the problem.
  400: 
  401: 	    Add --ipset option. Thanks to Jason A. Donenfeld for the 
  402: 	    patch.
  403: 
  404: 	    Don't erroneously reject some option names in --dhcp-match
  405: 	    options. Thanks to Benedikt Hochstrasser for the bug report.
  406: 	    
  407: 	    Allow a trailing '*' wildcard in all interface-name
  408: 	    configurations. Thanks to Christian Parpart for the patch.
  409: 
  410: 	    Handle the situation where libc headers define
  411: 	    SO_REUSEPORT, but the kernel in use doesn't, to cope with
  412: 	    the introduction of this option to Linux. Thanks to Rich
  413: 	    Felker for the bug report.
  414: 
  415: 	    Update Polish translation. Thanks to Jan Psota.
  416: 
  417: 	    Fix crash if the configured DHCP lease limit is
  418: 	    reached. Regression occurred in 2.61. Thanks to Tsachi for
  419: 	    the bug report. 
  420: 	    
  421: 	    Update the French translation. Thanks to Gildas le Nadan.
  422: 
  423:   
  424: version 2.65
  425: 	    Fix regression which broke forwarding of queries sent via
  426: 	    TCP which are not for A and AAAA and which were directed to
  427: 	    non-default servers. Thanks to Niax for the bug report.
  428: 
  429: 	    Fix failure to build with DHCP support excluded. Thanks to 
  430: 	    Gustavo Zacarias for the patch.
  431: 	    
  432: 	    Fix nasty regression in 2.64 which completely broke caching.
  433: 
  434: 
  435: version 2.64
  436:             Handle DHCP FQDN options with all flag bits zero and
  437:             --dhcp-client-update set. Thanks to Bernd Krumbroeck for
  438:             spotting the problem.
  439: 
  440: 	    Finesse the check for /etc/hosts names which conflict with
  441: 	    DHCP names. Previously a name/address pair in /etc/hosts
  442: 	    which didn't match the name/address of a DHCP lease would
  443: 	    generate a warning. Now that only happens if there is not
  444: 	    also a match. This allows multiple addresses for a name in 
  445: 	    /etc/hosts with one of them assigned via DHCP.
  446: 
  447: 	    Fix broken vendor-option processing for BOOTP. Thanks to
  448: 	    Hans-Joachim Baader for the bug report.
  449: 
  450: 	    Don't report spurious netlink errors, regression in
  451: 	    2.63. Thanks to Vladislav Grishenko for the patch.
  452: 
  453: 	    Flag DHCP or DHCPv6 in startup logging. Thanks to 
  454: 	    Vladislav Grishenko for the patch.
  455: 
  456: 	    Add SetServersEx method in DBus interface. Thanks to Dan
  457: 	    Williams for the patch.
  458: 
  459: 	    Add SetDomainServers method in DBus interface. Thanks to
  460: 	    Roy Marples for the patch.
  461: 
  462: 	    Fix build with later Lua libraries. Thanks to Cristian
  463: 	    Rodriguez for the patch.
  464: 
  465: 	    Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker
  466: 	    for the patch.
  467: 
  468: 	    Fix breakage of --host-record parsing, resulting in
  469: 	    infinite loop at startup. Regression in 2.63. Thanks to
  470: 	    Haim Gelfenbeyn for spotting this.
  471: 
  472: 	    Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6
  473: 	    socket, this allows multiple instances of dnsmasq on a
  474: 	    single machine, in the same way as for DHCPv4. Thanks to
  475: 	    Gene Czarcinski and Vladislav Grishenko for work on this.
  476: 
  477: 	    Fix DHCPv6 to do access control correctly when it's 
  478: 	    configured with --listen-address. Thanks to
  479: 	    Gene Czarcinski for sorting this out. 
  480: 
  481: 	    Add a "wildcard" dhcp-range which works for any IPv6
  482: 	    subnet, --dhcp-range=::,static Useful for Stateless 
  483: 	    DHCPv6. Thanks to Vladislav Grishenko for the patch.
  484: 
  485: 	    Don't include lease-time in DHCPACK replies to DHCPINFORM
  486: 	    queries, since RFC-2131 says we shouldn't. Thanks to
  487: 	    Wouter Ibens for pointing this out.  
  488: 
  489: 	    Makefile tweak to do dependency checking on header files.
  490: 	    Thanks to Johan Peeters for the patch.
  491: 
  492: 	    Check interface for outgoing unsolicited router 
  493: 	    advertisements, rather than relying on interface address 
  494: 	    configuration. Thanks to Gene Czarinski for the patch.
  495: 
  496: 	    Handle better attempts to transmit on interfaces which are
  497: 	    still doing DAD, and specifically do not just transmit
  498: 	    without setting source address and interface, since this
  499: 	    can cause very puzzling effects when a router
  500: 	    advertisement goes astray. Thanks again to Gene Czarinski.
  501: 
  502: 	    Get RA timers right when there is more than one
  503: 	    dhcp-range on a subnet.
  504: 	    
  505: 
  506: version 2.63
  507:             Do duplicate dhcp-host address check in --test mode.
  508: 
  509: 	    Check that tftp-root directories are accessible before
  510: 	    start-up. Thanks to Daniel Veillard for the initial patch.
  511: 
  512: 	    Allow more than one --tftp-root flag. The per-interface
  513: 	    stuff is pointless without that.
  514: 
  515: 	    Add --bind-dynamic. A hybrid mode between the default and
  516: 	    --bind-interfaces which copes with dynamically created
  517: 	    interfaces. 
  518: 	    
  519: 	    A couple of fixes to the build system for Android. Thanks
  520: 	    to Metin Kaya for the patches.
  521: 
  522: 	    Remove the interface:<interface> argument in --dhcp-range, and
  523: 	    the interface argument to --enable-tftp. These were a
  524: 	    still-born attempt to allow automatic isolated
  525: 	    configuration by libvirt, but have never (to my knowledge)
  526: 	    been used, had very strange semantics, and have been
  527: 	    superseded by other mechanisms. 
  528: 
  529: 	    Fixed bug logging filenames when duplicate dhcp-host
  530: 	    addresses are found. Thanks to John Hanks for the patch.
  531: 
  532: 	    Fix regression in 2.61 which broke caching of CNAME
  533: 	    chains. Thanks to Atul Gupta for the bug report.
  534: 
  535: 	    Allow the target of a --cname flag to be another --cname.
  536: 
  537:             Teach DHCPv6 about the RFC 4242 information-refresh-time
  538: 	    option, and add parsing of the minutes, hours and days
  539: 	    format for options. Thanks to Francois-Xavier Le Bail for
  540: 	    the suggestion.
  541: 
  542: 	    Allow "w" (for week) as multiplier in lease times, as well
  543: 	    as seconds, minutes, hours and days.  Álvaro Gámez Machado 
  544: 	    spotted the omission.
  545:  
  546: 	    Update French translation. Thanks to Gildas Le Nadan.
  547: 
  548: 	    Allow a DBus service name to be given with --enable-dbus
  549: 	    which overrides the default,
  550: 	    uk.org.thekelleys.dnsmasq. Thanks to Mathieu
  551: 	    Trudel-Lapierre for the patch. 
  552: 
  553: 	    Set the "prefix on-link" bit in Router
  554: 	    Advertisements. Thanks to Gui Iribarren for the patch.
  555: 
  556: 
  557: version 2.62
  558:             Update German translation. Thanks to Conrad Kostecki.
  559: 
  560: 	    Cope with router-solicit packets which don't have a valid 
  561: 	    source address. Thanks to Vladislav Grishenko for the patch.
  562: 
  563: 	    Fixed bug which caused missing periodic router
  564: 	    advertisements with some configurations. Thanks to
  565: 	    Vladislav Grishenko for the patch.
  566: 
  567: 	    Fixed bug which broke DHCPv6/RA with prefix lengths 
  568: 	    which are not divisible by 8. Thanks to Andre Coetzee 
  569: 	    for spotting this.
  570: 
  571: 	    Fix non-response to router-solicitations when
  572: 	    router-advertisement configured, but DHCPv6 not
  573: 	    configured. Thanks to Marien Zwart for the patch.
  574: 
  575: 	    Add --dns-rr, to allow arbitrary DNS resource records.
  576: 
  577: 	    Fixed bug which broke RA scheduling when an interface had
  578: 	    two addresses in the same network. Thanks to Jim Bos for
  579: 	    his help nailing this.
  580: 
  581: version 2.61
  582: 	    Re-write interface discovery code on *BSD to use
  583: 	    getifaddrs. This is more portable, more straightforward,
  584: 	    and allows us to find the prefix length for IPv6
  585: 	    addresses.
  586: 
  587: 	    Add ra-names, ra-stateless and slaac keywords for DHCPv6.
  588: 	    Dnsmasq can now synthesise AAAA records for dual-stack 
  589:             hosts which get IPv6 addresses via SLAAC. It is also now 
  590: 	    possible to use SLAAC and stateless DHCPv6, and to 
  591: 	    tell clients to use SLAAC addresses as well as DHCP ones.
  592: 	    Thanks to Dave Taht for help with this.
  593: 
  594: 	    Add --dhcp-duid to allow DUID-EN uids to be used.
  595: 
  596: 	    Explicitly send DHCPv6 replies to the correct port, instead
  597: 	    of relying on clients to send requests with the correct
  598: 	    source address, since at least one client in the wild gets
  599: 	    this wrong. Thanks to Conrad Kostecki for help tracking
  600: 	    this down.
  601: 
  602: 	    Send a preference value of 255 in DHCPv6 replies when 
  603: 	    --dhcp-authoritative is in effect. This tells clients not
  604: 	    to wait around for other DHCP servers.
  605: 
  606: 	    Better logging of DHCPv6 options.
  607: 
  608: 	    Add --host-record. Thanks to Rob Zwissler for the
  609: 	    suggestion.
  610: 
  611: 	    Invoke the DHCP script with action "tftp" when a TFTP file
  612: 	    transfer completes. The size of the file, address to which
  613: 	    it was sent and complete pathname are supplied. Note that
  614: 	    version 2.60 introduced some script incompatibilities
  615: 	    associated with DHCPv6, and this is a further change. To
  616: 	    be safe, scripts should ignore unknown actions, and if
  617: 	    not IPv6-aware, should exit if the environment
  618: 	    variable DNSMASQ_IAID is set. The use-case for this is
  619: 	    to track netboot/install.  Suggestion from Shantanu
  620: 	    Gadgil.
  621: 
  622: 	    Update contrib/port-forward/dnsmasq-portforward to reflect
  623: 	    the above.
  624: 
  625: 	    Set the environment variable DNSMASQ_LOG_DHCP when running
  626: 	    the script if --log-dhcp is in effect, so that scripts can
  627: 	    tailor their logging verbosity. Suggestion from Malte
  628: 	    Forkel.
  629: 	    
  630: 	    Arrange that addresses specified with --listen-address
  631: 	    work even if there is no interface carrying the
  632: 	    address. This is chiefly useful for IPv4 loopback
  633: 	    addresses, where any address in 127.0.0.0/8 is a valid
  634: 	    loopback address, but normally only 127.0.0.1 appears on
  635: 	    the lo interface. Thanks to Mathieu Trudel-Lapierre for
  636: 	    the idea and initial patch. 
  637: 
  638: 	    Fix crash, introduced in 2.60, when a DHCPINFORM is
  639: 	    received from a network which has no valid dhcp-range.
  640: 	    Thanks to Stephane Glondu for the bug report.
  641: 
  642: 	    Add a new DHCP lease time keyword, "deprecated" for
  643: 	    --dhcp-range. This is only valid for IPv6, and sets the
  644: 	    preferred lease time for both DHCP and RA to zero. The
  645: 	    effect is that clients can continue to use the address 
  646: 	    for existing connections, but new connections will use
  647:             other addresses, if they exist. This makes hitless
  648: 	    renumbering at least possible.
  649: 
  650: 	    Fix bug in address6_available() which caused DHCPv6 lease
  651: 	    acquisition to fail if more than one dhcp-range in use.
  652: 
  653: 	    Provide RDNSS and DNSSL data in router advertisements,
  654: 	    using the settings provided for DHCP options
  655: 	    option6:domain-search and option6:dns-server.
  656: 
  657: 	    Tweak logo/favicon.ico to add some transparency. Thanks to
  658: 	    SamLT for work on this.
  659: 	    
  660: 	    Don't cache data from non-recursive nameservers, since it
  661: 	    may erroneously look like a valid CNAME to a non-existent
  662: 	    name. Thanks to Ben Winslow for finding this.
  663: 
  664: 	    Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP
  665: 	    on exactly one interface and --bind-interfaces is set. This 
  666: 	    makes the OpenStack use-case of one dnsmasq per virtual
  667: 	    interface work. This is only available on Linux; it's not
  668: 	    supported on other platforms. Thanks to Vishvananda Ishaya
  669: 	    and the OpenStack team for the suggestion.
  670: 
  671: 	    Updated French translation. Thanks to Gildas Le Nadan.
  672: 
  673: 	    Give correct from-cache answers to explicit CNAME queries.
  674: 	    Thanks to Rob Zwissler for spotting this.
  675: 	    
  676: 	    Add --tftp-lowercase option. Thanks to Oliver Rath for the
  677: 	    patch. 
  678: 
  679: 	    Ensure that the DBus DhcpLeaseUpdated events are generated
  680: 	    when a lease goes through INIT_REBOOT state, even if the
  681: 	    dhcp-script is not in use. Thanks to Antoaneta-Ecaterina
  682: 	    Ene for the patch.
  683: 
  684: 	    Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks
  685: 	    to Brad Smith for spotting this.
  686: 	    
  687: 
  688: version 2.60
  689:             Fix compilation problem in Mac OS X Lion. Thanks to Olaf
  690:             Flebbe for the patch.
  691: 
  692: 	    Fix DHCP when using --listen-address with an IP address
  693: 	    which is not the primary address of an interface.
  694: 
  695: 	    Add --dhcp-client-update option.
  696: 
  697: 	    Add Lua integration. Dnsmasq can now execute a DHCP
  698: 	    lease-change script written in Lua. This needs to be
  699: 	    enabled at compile time by setting HAVE_LUASCRIPT in 
  700: 	    src/config.h or running "make COPTS=-DHAVE_LUASCRIPT"
  701: 	    Thanks to Jan-Piet Mens for the idea and proof-of-concept 
  702: 	    implementation.
  703: 	    
  704: 	    Tidied src/config.h to distinguish between
  705: 	    platform-dependent compile-time options which are selected
  706: 	    automatically, and builder-selectable compile time
  707: 	    options. Document the latter better, and describe how to
  708: 	    set them from the make command line.
  709: 
  710: 	    Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent)
  711: 	    confusion. IPPROTO_IP works everywhere now.
  712: 	    
  713: 	    Set TOS on DHCP sockets, this improves things on busy
  714: 	    wireless networks. Thanks to Dave Taht for the patch.
  715: 
  716: 	    Determine VERSION automatically based on git magic:
  717: 	    release tags or hash values.
  718: 
  719: 	    Improve start-up speed when reading large hosts files 
  720: 	    containing many distinct addresses.
  721: 
  722: 	    Fix problem if dnsmasq is started without the stdin,
  723: 	    stdout and stderr file descriptors open. This can manifest
  724: 	    itself as 100% CPU use. Thanks to Chris Moore for finding
  725: 	    this.
  726: 
  727: 	    Fix shell-scripting bug in bld/pkg-wrapper. Thanks to 
  728: 	    Mark Mitchell for the patch.
  729: 
  730: 	    Allow the TFTP server or boot server in --pxe-service, to
  731: 	    be a domain name instead of an IP address. This allows for
  732: 	    round-robin	to multiple servers, in the same way as
  733: 	    --dhcp-boot. A good suggestion from Cristiano Cumer.
  734: 
  735: 	    Support BUILDDIR variable in the Makefile. Allows builds 
  736: 	    for multiple archs from the same source tree with eg.
  737: 	    make BUILDDIR=linux             (relative to dnsmasq tree)
  738: 	    make BUILDDIR=/tmp/openbsd      (absolute path)
  739: 	    If BUILDDIR is not set, compilation happens in the src
  740: 	    directory, as before. Suggestion from Mark Mitchell.
  741: 
  742: 	    Support DHCPv6. Support is there for the sort of things
  743: 	    the existing v4 server does, including tags, options, 
  744: 	    static addresses and relay support. Missing is prefix 
  745: 	    delegation, which is probably not required in the dnsmasq
  746: 	    niche, and an easy way to accept prefix delegations from
  747: 	    an upstream DHCPv6 server, which is. Future plans include
  748: 	    support for DHCPv6 router option and MAC address option
  749: 	    (to make selecting clients by MAC address work like IPv4).
  750: 	    These will be added as the standards mature.
  751: 	    This code has been tested, but this is the first release,
  752: 	    so don't bet the farm on it just yet. Many thanks to all 
  753: 	    testers who have got it this far.
  754: 
  755: 	    Support IPv6 router advertisements. This is a
  756: 	    simple-minded implementation, aimed at providing the
  757: 	    vestigial RA needed to go alongside IPv6. It picks up
  758: 	    configuration from the DHCPv6 conf, and should just need
  759: 	    enabling with --enable-ra.   
  760: 
  761: 	    Fix long-standing wrinkle with --localise-queries that
  762: 	    could result in wrong answers when DNS packets arrive
  763: 	    via an interface other than the expected one. Thanks to 
  764: 	    Lorenzo Milesi and John Hanks for spotting this one.
  765:  
  766:             Update French translation. Thanks to Gildas Le Nadan.
  767: 
  768: 	    Update Polish translation. Thanks to Jan Psota.
  769: 
  770: 
  771: version 2.59
  772:             Fix regression in 2.58 which caused failure to start up
  773:             with some combinations of dnsmasq config and IPv6 kernel
  774:             network config. Thanks to Brielle Bruns for the bug
  775:             report.
  776: 
  777:             Improve dnsmasq's behaviour when network interfaces are
  778:             still doing duplicate address detection (DAD). Previously,
  779:             dnsmasq would wait up to 20 seconds at start-up for the
  780:             DAD state to terminate. This is broken for bridge
  781:             interfaces on recent Linux kernels, which don't start DAD
  782:             until the bridge comes up, and so can take arbitrary
  783:             time. The new behaviour lets dnsmasq poll for an arbitrary
  784:             time whilst providing service on other interfaces. Thanks
  785:             to Stephen Hemminger for pointing out the problem.
  786: 
  787: 
  788: version 2.58
  789: 	    Provide a definition of the SA_SIZE macro where it's 
  790: 	    missing. Fixes build failure on openBSD.
  791: 
  792: 	    Don't include a zero terminator at the end of messages
  793: 	    sent to /dev/log when /dev/log is a datagram socket.
  794: 	    Thanks to Didier Rabound for spotting the problem.
  795: 
  796: 	    Add --dhcp-sequential-ip flag, to force allocation of IP
  797: 	    addresses in ascending order. Note that the default
  798: 	    pseudo-random mode is in general better but some
  799: 	    server-deployment applications need this.
  800: 
  801: 	    Fix problem where a server-id of 0.0.0.0 is sent to a
  802: 	    client when a dhcp-relay is in use if a client renews a
  803: 	    lease after dnsmasq restart and before any clients on the
  804: 	    subnet get a new lease. Thanks to Mike Ruiz for assistance
  805: 	    in chasing this one down. 
  806: 
  807: 	    Don't return NXDOMAIN to an AAAA query if we have CNAME
  808: 	    which points to an A record only: NODATA is the correct
  809: 	    reply in this case. Thanks to Tom Fernandes for spotting
  810: 	    the problem.
  811: 
  812: 	    Relax the need to supply a netmask in --dhcp-range for
  813: 	    networks which use a DHCP relay. Whilst this is still
  814: 	    desirable, in the absence of a netmask dnsmasq will use
  815: 	    a default based on the class (A, B, or C) of the address. 
  816: 	    This should at least remove a cause of mysterious failure 
  817: 	    for people using RFC1918 addresses and relays.
  818: 
  819: 	    Add support for Linux conntrack connection marking. If 
  820: 	    enabled with --conntrack, the connection mark for incoming
  821: 	    DNS queries will be copied  to the outgoing connections
  822: 	    used to answer those queries. This allows clever firewall
  823: 	    and accounting stuff. Only available if dnsmasq is
  824: 	    compiled with HAVE_CONNTRACK and adds a dependency on 
  825: 	    libnetfilter-conntrack. Thanks to Ed Wildgoose for the
  826: 	    initial idea, testing and sponsorship of this function.
  827: 
  828: 	    Provide a sane error message when someone attempts to 
  829: 	    match a tag in --dhcp-host.
  830: 
  831: 	    Tweak the behaviour of --domain-needed, to avoid problems
  832: 	    with recursive nameservers downstream of dnsmasq. The new
  833: 	    behaviour only stops A and AAAA queries, and returns
  834: 	    NODATA rather than NXDOMAIN replies. 
  835: 
  836: 	    Efficiency fix for very large DHCP configurations, thanks
  837: 	    to James Gartrell and Mike Ruiz for help with this. 
  838: 
  839: 	    Allow the TFTP-server address in --dhcp-boot to be a
  840: 	    domain-name which is looked up in /etc/hosts. This can 
  841: 	    give multiple IP addresses which are used round-robin,
  842: 	    thus doing TFTP server load-balancing. Thanks to Sushil
  843: 	    Agrawal for the patch.
  844: 
  845: 	    When two tagged dhcp-options for a particular option
  846: 	    number are both valid, use the one which is valid without
  847: 	    a tag from the dhcp-range. Allows overriding of the value
  848: 	    of a DHCP option for a particular host as well as
  849: 	    per-network values.  So 
  850: 	    --dhcp-range=set:interface1,......
  851: 	    --dhcp-host=set:myhost,.....  
  852: 	    --dhcp-option=tag:interface1,option:nis-domain,"domain1" 
  853: 	    --dhcp-option=tag:myhost,option:nis-domain,"domain2" 
  854: 	    will set the NIS-domain to domain1 for hosts in the range, but
  855:        	    override that to domain2 for a particular host.
  856: 
  857: 	    Fix bug which resulted in truncated files and timeouts for
  858: 	    some TFTP transfers. The bug only occurs with netascii
  859: 	    transfers and needs an unfortunate relationship between
  860: 	    file size, blocksize and the number of newlines in the
  861: 	    last block before it manifests itself. Many thanks to 
  862: 	    Alkis Georgopoulos for spotting the problem and providing
  863: 	    a comprehensive test-case. 
  864: 
  865: 	    Fix regression in TFTP server on *BSD platforms introduced
  866: 	    in version 2.56, due to confusion with sockaddr
  867: 	    length. Many thanks to Loic Pefferkorn for finding this.
  868: 
  869: 	    Support scope-ids in IPv6 addresses of nameservers from
  870: 	    /etc/resolv.conf and in --server options. Eg
  871: 	    nameserver fe80::202:a412:4512:7bbf%eth0 or
  872: 	    server=fe80::202:a412:4512:7bbf%eth0. Thanks to 
  873: 	    Michael Stapelberg for the suggestion.
  874: 
  875: 	    Update Polish translation, thanks to Jan Psota.
  876: 
  877: 	    Update French translation. Thanks to Gildas Le Nadan.
  878: 
  879: 
  880: version 2.57
  881: 	    Add patches to allow build under Android.
  882: 
  883: 	    Provide our own header for the DNS protocol, rather than
  884: 	    relying on arpa/nameser.h. This has proved more or less
  885: 	    defective over the years and the final straw is that it's
  886: 	    effectively empty on Android.
  887: 
  888: 	    Fix regression in 2.56 which caused hex constants in
  889: 	    configuration to be rejected if they contain the '*'
  890: 	    wildcard.
  891: 
  892: 	    Correct wrong casts of arguments to ctype.h functions,
  893: 	    isdigit(), isxdigit() etc. Thanks to Matthias Andree for
  894: 	    spotting this.
  895: 
  896: 	    Allow build with IDN support independently from i18n. 
  897:             IDN support continues to be included automatically 
  898: 	    when i18n is included. 
  899:             'make COPTS=-DHAVE_IDN' is the magic incantation. 
  900: 
  901: 	    Modify check on extraneous command line junk (added in
  902: 	    2.56) so that it doesn't complain about extra _empty_ 
  903: 	    arguments. Otherwise this breaks libvirt.
  904: 
  905: 
  906: version 2.56
  907:             Add a patch to allow dnsmasq to get interface names right in a
  908:             Solaris zone. Thanks to Dj Padzensky for this.
  909: 
  910: 	    Improve data-type parsing heuristics so that
  911: 	    --dhcp-option=option:domain-search,. 
  912: 	    treats the value as a string and not an IP address.
  913: 	    Thanks to Clemens Fischer for spotting that.
  914: 
  915: 	    Add IPv6 support to the TFTP server. Many thanks to Jan 
  916: 	    'RedBully' Seiffert for the patches.
  917: 	    
  918: 	    Log DNS queries at level LOG_INFO, rather than
  919: 	    LOG_DEBUG. This makes things consistent with DHCP
  920: 	    logging. Thanks to Adam Pribyl for spotting the problem.
  921: 
  922:             Ensure that dnsmasq terminates cleanly when using
  923:             --syslog-async even if it cannot make a connection to the
  924:             syslogd.
  925: 
  926: 	    Add --add-mac option. This is to support currently 
  927: 	    experimental DNS filtering facilities. Thanks to Benjamin
  928: 	    Petrin for the original patch. 
  929: 
  930: 	    Fix bug which meant that tags were ignored in dhcp-range
  931: 	    configuration specifying PXE-proxy service. Thanks to
  932: 	    Cristiano Cumer for spotting this.
  933: 
  934: 	    Raise an error if there is extra junk, not part of an
  935:  	    option, on the command line.
  936: 
  937: 	    Flag a couple of log messages in cache.c as coming from
  938: 	    the DHCP subsystem. Thanks to Olaf Westrik for the patch.
  939: 
  940: 	    Omit timestamps from logs when a) logging to stderr and 
  941: 	    b) --keep-in-foreground is set. The logging facility on the
  942: 	    other end of stderr can be assumed to supply them. Thanks
  943: 	    to John Hallam for the patch.
  944: 
  945: 	    Don't complain about strings longer than 255 characters in
  946: 	    --txt-record, just split the long strings into 255
  947: 	    character chunks instead.
  948: 
  949: 	    Fix crash on double-free. This bug can only happen when
  950: 	    dhcp-script is in use and then only in rare circumstances
  951: 	    triggered by high DHCP transaction rate and a slow
  952: 	    script. Thanks to Ferenc Wagner for finding the problem.
  953: 
  954: 	    Only log that a file has been sent by TFTP after the
  955: 	    transfer has completed successfully. 
  956: 
  957: 	    A good suggestion from Ferenc Wagner: extend
  958: 	    the --domain option to allow this sort of thing:
  959:             --domain=thekelleys.org.uk,192.168.0.0/24,local
  960: 	    which automatically creates
  961: 	    --local=/thekelleys.org.uk/
  962: 	    --local=/0.168.192.in-addr.arpa/ 
  963: 
  964: 	    Tighten up syntax checking of hex constants in the config
  965: 	    file.  Thanks to Fred Damen for spotting this.
  966: 
  967: 	    Add dnsmasq logo/icon, contributed by Justin Swift. Many
  968: 	    thanks for that.
  969: 
  970: 	    Never cache DNS replies which have the 'cd' bit set, or
  971: 	    which result from queries forwarded with the 'cd' bit
  972: 	    set. The 'cd' bit instructs a DNSSEC validating server
  973: 	    upstream to ignore signature failures and return replies
  974: 	    anyway. Without this change it's possible to pollute the
  975: 	    dnsmasq cache with bad data by making a query with the
  976: 	    'cd' bit set and subsequent queries would return this data
  977: 	    without its being marked as suspect. Thanks to Anders
  978: 	    Kaseorg for pointing out this problem.
  979: 
  980: 	    Add --proxy-dnssec flag, for compliance with RFC
  981: 	    4035. Dnsmasq will now clear the 'ad' bit in answers returned
  982: 	    from upstream validating nameservers unless this option is
  983: 	    set.
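
The two header-bit rules above (never cache when 'cd' is set on the query or the reply; clear 'ad' unless --proxy-dnssec is given) can be shown as checks on the 12-byte DNS header. This is an added example, not dnsmasq's own code: the function and macro names are hypothetical and the packet headers are constructed samples.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define FLAG_QR 0x80 /* header byte 2: message is a response   */
#define FLAG_AD 0x20 /* header byte 3: authenticated data       */
#define FLAG_CD 0x10 /* header byte 3: checking disabled        */

/* Constructed sample headers: id 0x1234, one question, no records. */
static const unsigned char query_plain[DNS_HDR_LEN] =
    {0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0}; /* RD       */
static const unsigned char query_cd[DNS_HDR_LEN] =
    {0x12, 0x34, 0x01, 0x10, 0, 1, 0, 0, 0, 0, 0, 0}; /* RD, CD   */
static const unsigned char reply_validated[DNS_HDR_LEN] =
    {0x12, 0x34, 0x81, 0xA0, 0, 1, 0, 0, 0, 0, 0, 0}; /* RA, AD   */
static const unsigned char reply_cd[DNS_HDR_LEN] =
    {0x12, 0x34, 0x81, 0x90, 0, 1, 0, 0, 0, 0, 0, 0}; /* RA, CD   */

/* Return 1 if the reply may be stored in the cache, 0 otherwise.
 * A reply is refused when either the forwarded query or the reply
 * carries the 'cd' bit, because the upstream validator was told to
 * return data even if signature checks failed. */
int may_cache(const unsigned char *query, size_t qlen,
              const unsigned char *reply, size_t rlen)
{
    if (qlen < DNS_HDR_LEN || rlen < DNS_HDR_LEN)
        return 0;                      /* truncated header          */
    if (!(reply[2] & FLAG_QR))
        return 0;                      /* not a response at all     */
    if ((query[3] & FLAG_CD) || (reply[3] & FLAG_CD))
        return 0;                      /* unvalidated data possible */
    return 1;
}

/* Prepare the reply for the client. Unless proxy_dnssec is non-zero,
 * the 'ad' bit from the upstream server is cleared. Returns the
 * resulting flags byte, or -1 if the header is truncated. */
int relay_flags(unsigned char *reply, size_t rlen, int proxy_dnssec)
{
    if (rlen < DNS_HDR_LEN)
        return -1;
    if (!proxy_dnssec)
        reply[3] &= (unsigned char)~FLAG_AD;
    return reply[3];
}

int main(void)
{
    unsigned char buf[DNS_HDR_LEN];

    printf("plain query, validated reply: cache=%d\n",
           may_cache(query_plain, sizeof query_plain,
                     reply_validated, sizeof reply_validated));
    printf("cd query,    validated reply: cache=%d\n",
           may_cache(query_cd, sizeof query_cd,
                     reply_validated, sizeof reply_validated));
    printf("plain query, cd reply:        cache=%d\n",
           may_cache(query_plain, sizeof query_plain,
                     reply_cd, sizeof reply_cd));

    memcpy(buf, reply_validated, sizeof buf);
    printf("flags to client, default:        0x%02x\n",
           relay_flags(buf, sizeof buf, 0));
    memcpy(buf, reply_validated, sizeof buf);
    printf("flags to client, --proxy-dnssec: 0x%02x\n",
           relay_flags(buf, sizeof buf, 1));
    return 0;
}
```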
  984: 
  985: 	    Allow a filename of "-" for --conf-file to read
  986: 	    stdin. Suggestion from Timothy Redaelli.
  987: 
  988: 	    Rotate the order of SRV records in replies, to provide
  989: 	    round-robin load balancing when all the priorities are
  990: 	    equal. Thanks to Peter McKinney for the suggestion.	
  991: 
  992: 	    Edit
  993: 	    contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist 
  994: 	    so that it doesn't log all queries to a file by
  995: 	    default. Thanks again to Peter McKinney.    
  996: 
  997: 	    By default, setting an IPv4 address for a domain but not
  998: 	    an IPv6 address causes dnsmasq to return
  999: 	    a NODATA reply for IPv6 (or vice-versa). So
 1000: 	    --address=/google.com/1.2.3.4 stops IPv6 queries for
 1001: 	    *google.com from being forwarded. Make it possible to
 1002: 	    override this behaviour by defining the semantics if the
 1003: 	    same domain appears in  both --server and --address.
 1004: 	    In that case, the --address has priority for the address
 1005: 	    family in which it appears, but the --server has priority
 1006: 	    for the address family which doesn't appear in --address.
 1007: 	    So:
 1008: 	    --address=/google.com/1.2.3.4
 1009: 	    --server=/google.com/#
 1010: 	    will return 1.2.3.4 for IPv4 queries for *.google.com but
 1011: 	    forward IPv6 queries to the normal upstream nameserver.
 1012: 	    Similarly when setting an IPv6 address
 1013: 	    only this will allow forwarding of IPv4 queries. Thanks to
 1014: 	    William for pointing out the need for this.
 1015: 
 1016: 	    Allow more than one --dhcp-optsfile and --dhcp-hostsfile
 1017: 	    and make them understand directories as arguments in the
 1018: 	    same way as --addn-hosts. Suggestion from John Hanks. 
 1019: 
 1020: 	    Ignore rebinding requests for leases we don't know
 1021: 	    about. Rebind is broadcast, so we might get to overhear a
 1022: 	    request meant for another DHCP server. NAKing this is
 1023: 	    wrong. Thanks to Brad D'Hondt for assistance with this.
 1024: 
 1025:             Fix cosmetic bug which produced strange output when
 1026:             dumping cache statistics with some configurations. Thanks
 1027:             to Fedor Kozhevnikov for spotting this.
 1028: 
 1029: 
 1030: version 2.55
 1031:             Fix crash when /etc/ethers is in use. Thanks to 
 1032: 	    Gianluigi Tiesi for finding this.
 1033: 
 1034: 	    Fix crash in netlink_multicast(). Thanks to Arno Wald for
 1035: 	    finding this one.
 1036: 
 1037: 	    Allow the empty domain "." in dhcp domain-search (119)
 1038: 	    options. 
 1039: 
 1040: 
 1041: version 2.54
 1042:             There is no version 2.54 to avoid confusion with 2.53,
 1043:             which incorrectly identifies itself as 2.54.
 1044: 
 1045: 
 1046: version 2.53
 1047:             Fix failure to compile on Debian/kFreeBSD. Thanks to 
 1048: 	    Axel Beckert and Petr Salinger.
 1049: 
 1050: 	    Fix code to avoid scary strict-aliasing warnings
 1051: 	    generated by gcc 4.4.
 1052: 	    
 1053: 	    Added FAQ entry warning about DHCP failures with Vista
 1054: 	    when firewalls block 255.255.255.255.
 1055: 	    
 1056: 	    Fixed bug which caused bad things to happen if a 
 1057: 	    resolv.conf file which exists is subsequently removed.
 1058: 	    Thanks to Nikolai Saoukh for the patch.
 1059: 
 1060: 	    Rationalised the DHCP tag system. Every configuration item
 1061: 	    which can set a tag does so by adding "set:<tag>" and
 1062: 	    every configuration item which is conditional on a tag is
 1063: 	    made so by "tag:<tag>". The NOT operator changes to '!',
 1064: 	    which is a bit more intuitive too. Dhcp-host directives
 1065: 	    can set more than one tag now. The old '#' NOT, 
 1066: 	    "net:" prefix and no-prefixes are still honoured, so 
 1067: 	    no existing config file needs to be changed, but 
 1068: 	    the documentation and new-style config files should be 
 1069: 	    much less confusing. 
 1070: 
 1071: 	    Added --tag-if to allow boolean operations on tags. 
 1072: 	    This allows complicated logic to be clearer and more 
 1073: 	    general. A great suggestion from Richard Voigt. 
 1074: 
 1075: 	    Add broadcast/unicast information to DHCP logging.
 1076: 
 1077: 	    Allow --dhcp-broadcast to be unconditional.
 1078: 
 1079: 	    Fixed incorrect behaviour with NOT <tag> conditionals in
 1080: 	    dhcp-options. Thanks to Max Turkewitz for assistance
 1081: 	    finding this.
 1082: 
 1083: 	    If we send vendor-class encapsulated options based on the
 1084: 	    vendor-class supplied by the client, and no explicit 
 1085: 	    vendor-class option is given, echo back the vendor-class
 1086: 	    from the client.
 1087:  
 1088: 	    Fix bug which stopped dnsmasq from matching both a
 1089: 	    circuitid and a remoteid. Thanks to Ignacio Bravo for
 1090: 	    finding this.
 1091: 
 1092: 	    Add --dhcp-proxy, which makes it possible to configure
 1093: 	    dnsmasq to use a DHCP relay agent as a full proxy, with
 1094: 	    all DHCP messages passing through the proxy. This is
 1095: 	    useful if the relay adds extra information to the packets
 1096: 	    it forwards, but cannot be configured with the RFC 5107 
 1097: 	    server-override option.
 1098: 
 1099: 	    Added interface:<iface name> part to dhcp-range. The
 1100: 	    semantics of this are very odd at first sight, but it
 1101: 	    allows a single line  of the form
 1102: 	        dhcp-range=interface:virt0,192.168.0.4,192.168.0.200
 1103: 	    to be added to dnsmasq configuration which then supplies
 1104: 	    DHCP and DNS services to that interface, without affecting
 1105: 	    what services are supplied to other interfaces and 
 1106: 	    irrespective of the existence or lack of 
 1107:                 interface=<interface> 
 1108:             lines elsewhere in the dnsmasq configuration. The idea is
 1109: 	    that such a line can be added automatically by libvirt
 1110: 	    or equivalent systems, without disturbing any manual
 1111: 	    configuration.
 1112: 
 1113: 	    Similarly to the above, allow --enable-tftp=<interface>
 1114: 
 1115: 	    Allow a TFTP root to be set separately for requests via
 1116: 	    different interfaces, --tftp-root=<path>,<interface>	     
 1117: 
 1118: 	    Correctly handle and log clashes between CNAMES and 
 1119: 	    DNS names being given to DHCP leases. This fixes a bug 
 1120: 	    which caused nonsense IP addresses to be logged. Thanks to 
 1121:             Sergei Zhirikov for finding and analysing the problem.
 1122: 
 1123: 	    Tweak flush_log so as to avoid leaving the log
 1124: 	    file in non-blocking mode. O_NONBLOCK is a property of the
 1125: 	    file, not the process/descriptor.
 1126: 
 1127: 	    Fix contrib/Solaris10/create_package
 1128: 	    (/usr/man -> /usr/share/man) Thanks to Vita Batrla.
 1129: 
 1130: 	    Fix a problem where, if a client got a lease, then went
 1131: 	    to another subnet and got another lease, then moved back,
 1132: 	    it couldn't resume the old lease, but would instead get 
 1133: 	    a new address. Thanks to Leonardo Rodrigues for spotting
 1134: 	    this and testing the fix.
 1135: 	    
 1136: 	    Fix weird bug which sometimes omitted certain characters
 1137: 	    from the start of quoted strings in dhcp-options. Thanks
 1138: 	    to Dayton Turner for spotting the problem.
 1139: 
 1140: 	    Add facility to redirect some domains to the standard
 1141: 	    upstream servers: this allows something like 
 1142: 	    --server=/google.com/1.2.3.4 --server=/www.google.com/#
 1143: 	    which will send queries for *.google.com to 1.2.3.4,
 1144: 	    except *www.google.com which will be forwarded as usual.
 1145: 	    Thanks to AJ Weber for prompting this addition.
 1146:  
 1147: 	    Improve the hash-algorithm used to generate IP addresses
 1148: 	    from MAC addresses during initial DHCP address
 1149: 	    allocation. This improves performance when large numbers
 1150: 	    of hosts with similar MAC addresses all try and get an IP
 1151: 	    address at the same time. Thanks to Paul Smith for his
 1152: 	    work on this.
 1153: 
 1154: 	    Tweak DHCP code so that --bridge-interface can be used to
 1155: 	    select which IP alias of an interface should be used for
 1156: 	    DHCP purposes on Linux. If eth0 has an alias eth0:dhcp
 1157: 	    then adding  --bridge-interface=eth0:dhcp,eth0 will use 
 1158: 	    the address of eth0:dhcp to determine the correct subnet 
 1159: 	    for DHCP address allocation. Thanks to Pawel Golaszewski 
 1160:             for prompting this and Eric Cooper for further testing.
 1161: 
 1162: 	    Add --dhcp-generate-names. Suggestion by Ferenc Wagner.
 1163: 
 1164: 	    Tweak DNS server selection algorithm when there is more
 1165: 	    than one server available for a domain, eg.
 1166:             --server=/mydomain/1.1.1.1
 1167:             --server=/mydomain/2.2.2.2
 1168: 	    Thanks to Alberto Cuesta-Canada for spotting a weakness
 1169: 	    here.
 1170: 
 1171: 	    Add --max-ttl. Thanks to Fredrik Ringertz for the patch.
 1172: 
 1173: 	    Allow --log-facility=- to force all logging to
 1174: 	    stderr. Suggestion from Clemens Fischer.
 1175: 
 1176: 	    Fix regression which caused configuration like
 1177: 	    --address=/.domain.com/1.2.3.4 to be rejected. The dot to the 
 1178: 	    left of the domain has been implied and not required for a
 1179: 	    long time, but it should be accepted for backward
 1180: 	    compatibility. Thanks to Andrew Burcin for spotting this.
 1181:     
 1182:             Add --rebind-domain-ok and --rebind-localhost-ok.
 1183: 	    Suggestion from Clemens Fischer.
 1184: 
 1185: 	    Log replies to queries of type TXT, when --log-queries 
 1186: 	    is set.
 1187: 
 1188: 	    Fix compiler warnings when compiled with -DNO_DHCP. Thanks
 1189: 	    to Shantanu Gadgil for the patch.
 1190: 
 1191:             Updated French translation. Thanks to Gildas Le Nadan.
 1192: 
 1193: 	    Updated Polish translation. Thanks to Jan Psota.
 1194: 
 1195: 	    Updated German translation. Thanks to Matthias Andree.
 1196: 
 1197: 	    Added contrib/static-arp, thanks to Darren Hoo.
 1198:  
 1199: 	    Fix corruption of the domain when a name from /etc/hosts
 1200: 	    overrides one supplied by a DHCP client. Thanks to Fedor
 1201: 	    Kozhevnikov for spotting the problem.
 1202: 
 1203:             Updated Spanish translation. Thanks to Chris Chatham.
 1204: 
 1205: 
 1206: version 2.52
 1207:             Work around a Linux kernel bug which insists that the 
 1208: 	    length of the option passed to setsockopt must be at least
 1209:             sizeof(int) bytes, even if we're calling SO_BINDTODEVICE
 1210:             and the device name is "lo".  Note that this is fixed 
 1211: 	    in kernel 2.6.31, but the workaround is harmless and 
 1212: 	    allows earlier kernels to be used. Also fix dnsmasq 
 1213: 	    bug which reported the wrong address when this failed. 
 1214: 	    Thanks to Fedor for finding this.
 1215: 
 1216: 	    The API for IPv6 PKTINFO changed around Linux kernel
 1217: 	    2.6.14. Work around the case where dnsmasq is compiled
 1218: 	    against newer headers, but then run on an old kernel:
 1219: 	    necessary for some *WRT distros.
 1220: 
 1221: 	    Re-read the set of network interfaces when re-loading
 1222: 	    /etc/resolv.conf if --bind-interfaces is not set. This
 1223: 	    handles the case that loopback interfaces do not exist
 1224: 	    when dnsmasq is first started.
 1225: 
 1226: 	    Tweak the PXE code to support port 4011. This should
 1227: 	    reduce broadcasts and make things more reliable when other
 1228: 	    servers are around. It also improves inter-operability
 1229: 	    with certain clients.
 1230: 
 1231: 	    Make a pxe-service configuration with no filename or boot 
 1232: 	    service type legal: this does a local boot. eg.
 1233: 	    pxe-service=x86PC, "Local boot" 
 1234: 
 1235: 	    Be more conservative in detecting "A for A"
 1236: 	    queries. Dnsmasq checks if the name in a type=A query looks
 1237: 	    like a dotted-quad IP address and answers the query itself
 1238: 	    if so, rather than forwarding it. Previously dnsmasq
 1239: 	    relied on the library function inet_addr() to convert
 1240: 	    addresses, and that will accept some things which are
 1241: 	    confusing in this context, like 1.2.3 or even just
 1242: 	    1234. Now we only do A for A processing for four decimal
 1243: 	    numbers delimited by dots.
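
The difference between inet_addr() and the stricter "four decimal numbers delimited by dots" rule described above, as an added example that is not dnsmasq's own code. The function names are hypothetical and the input strings are constructed samples.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Strict check: exactly four decimal fields of 1-3 digits, each in
 * the range 0-255, separated by single dots, with nothing before or
 * after. Returns 1 and fills *out (if non-NULL) on success, else 0. */
int strict_dotted_quad(const char *name, struct in_addr *out)
{
    uint32_t addr = 0;
    int fields = 0;
    const char *p = name;

    for (;;) {
        unsigned int val = 0;
        int digits = 0;

        while (isdigit((unsigned char)*p)) {
            val = val * 10 + (unsigned int)(*p - '0');
            if (++digits > 3 || val > 255)
                return 0;          /* field too long or too large */
            p++;
        }
        if (digits == 0)
            return 0;              /* empty field or non-digit    */

        addr = (addr << 8) | val;
        fields++;

        if (*p == '\0')
            break;
        if (*p != '.' || fields == 4)
            return 0;              /* junk, trailing dot, 5th field */
        p++;
    }

    if (fields != 4)
        return 0;                  /* "1.2.3" and "1234" end here or earlier */
    if (out)
        out->s_addr = htonl(addr);
    return 1;
}

/* The older behaviour the entry describes: anything inet_addr()
 * converts is treated as an address. INADDR_NONE doubles as the
 * error value, so 255.255.255.255 is indistinguishable from failure. */
int legacy_accepts(const char *name)
{
    return inet_addr(name) != INADDR_NONE;
}

int main(void)
{
    /* Constructed sample query names. */
    static const char *samples[] = {
        "192.168.0.1", "1.2.3", "1234", "1.2.3.4.", "256.1.1.1"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s inet_addr=%d strict=%d\n", samples[i],
               legacy_accepts(samples[i]),
               strict_dotted_quad(samples[i], NULL));
    return 0;
}
```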
 1244: 
 1245: 	    A couple of tweaks to fix compilation on Solaris. Thanks
 1246: 	    to Joel Macklow for help with this.
 1247: 
 1248: 	    Another Solaris compilation tweak, needed for Solaris
 1249: 	    2009.06. Thanks to Lee Essen for that.
 1250: 
 1251: 	    Added extract packaging stuff from Lee Essen to 
 1252: 	    contrib/Solaris10.
 1253:           
 1254:             Increased the default limit on number of leases to 1000
 1255:             (from 150). This is mainly a defence against DoS attacks,
 1256:             and for the average "one for two class C networks"
 1257:             installation, IP address exhaustion does that just as
 1258:             well. Making the limit greater than the number of IP
 1259:             addresses available in such an installation removes a
 1260:             surprise which otherwise can catch people out.
 1261: 
 1262: 	    Removed extraneous trailing space in the value of the
 1263: 	    DNSMASQ_TIME_REMAINING DNSMASQ_LEASE_LENGTH and
 1264: 	    DNSMASQ_LEASE_EXPIRES environment variables. Thanks to
 1265: 	    Gildas Le Nadan for spotting this.
 1266: 
 1267: 	    Provide the network-id tags for a DHCP transaction to 
 1268: 	    the lease-change script in the environment variable
 1269: 	    DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan.  
 1270: 
 1271: 	    Add support for RFC3925 "Vendor-Identifying Vendor
 1272: 	    Options". The syntax looks like this:  
 1273: 	    --dhcp-option=vi-encap:<enterprise number>, .........
 1274: 
 1275: 	    Add support to --dhcp-match to allow matching against
 1276: 	    RFC3925 "Vendor-Identifying Vendor Classes". The syntax
 1277: 	    looks like this:
 1278: 	    --dhcp-match=tag,vi-encap<enterprise number>, <value>
 1279: 	    
 1280: 	    Add some application specific code to assist in
 1281: 	    implementing the Broadband forum TR069 CPE-WAN
 1282: 	    specification. The details are in contrib/CPE-WAN/README
 1283: 
 1284: 	    Increase the default DNS packet size limit to 4096, as
 1285: 	    recommended by RFC5625 section 4.4.3. This can be
 1286: 	    reconfigured using --edns-packet-max if needed. Thanks to
 1287: 	    Francis Dupont for pointing this out.
 1288: 
 1289: 	    Rewrite query-ids even for TSIG signed packets, since
 1290: 	    this is allowed by RFC5625 section 4.5.
 1291: 	    
 1292: 	    Use getopt_long by default on OS X. It has been supported
 1293: 	    since version 10.3.0. Thanks to Arek Dreyer for spotting
 1294: 	    this.
 1295: 
 1296: 	    Added up-to-date startup configuration for MacOSX/launchd
 1297: 	    in contrib/MacOSX-launchd. Thanks to Arek Dreyer for
 1298: 	    providing this.
 1299: 
 1300: 	    Fix link error when including Dbus but excluding DHCP. 
 1301: 	    Thanks to Oschtan for the bug report.
 1302: 
 1303:             Updated French translation. Thanks to Gildas Le Nadan.
 1304:  
 1305:             Updated Polish translation. Thanks to Jan Psota.
 1306: 
 1307: 	    Updated Spanish translation. Thanks to Chris Chatham.
 1308: 
 1309: 	    Fixed confusion about domains, when looking up DHCP hosts
 1310: 	    in /etc/hosts. This could cause spurious "Ignoring
 1311: 	    domain..." messages. Thanks to Fedor Kozhevnikov for
 1312: 	    finding and analysing the problem.
 1313: 
 1314: 	    
 1315: version 2.51
 1316:             Add support for internationalised DNS. Non-ASCII characters
 1317:             in domain names found in /etc/hosts, /etc/ethers and 
 1318: 	    /etc/dnsmasq.conf will be correctly handled by translation to
 1319:             punycode, as specified in RFC3490. This function is only
 1320:             available if dnsmasq is compiled with internationalisation
 1321:             support, and adds a dependency on GNU libidn. Without i18n
 1322:             support, dnsmasq continues to be compilable with just
 1323:             standard tools. Thanks to Yves Dorfsman for the
 1324:             suggestion. 
 1325: 
 1326:             Add two more environment variables for lease-change scripts:
 1327: 	    First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname
 1328: 	    supplied by a client, even if the actual hostname used is
 1329: 	    over-ridden by dhcp-host or dhcp-ignore-names directives.
 1330: 	    Also DNSMASQ_RELAY_ADDRESS which gives the address of 
 1331:             a DHCP relay, if used.
 1332: 	    Suggestions from Michael Rack.
 1333: 
 1334: 	    Fix regression which broke echo of relay-agent
 1335: 	    options. Thanks to Michael Rack for spotting this.
 1336:           
 1337:             Don't treat option 67 as being interchangeable with
 1338:             dhcp-boot parameters if it's specified as
 1339:             dhcp-option-force.
 1340: 
 1341: 	    Make the code to call scripts on lease-change compile-time
 1342: 	    optional. It can be switched off by editing src/config.h
 1343: 	    or building with "make COPTS=-DNO_SCRIPT".
 1344:  
 1345: 	    Make the TFTP server cope with filenames from Windows/DOS
 1346: 	    which use '\' as pathname separator. Thanks to Ralf for
 1347: 	    the patch.
 1348: 
 1349: 	    Updated Polish translation. Thanks to Jan Psota.
 1350:  
 1351: 	    Warn if an IP address is duplicated in /etc/ethers. Thanks
 1352: 	    to Felix Schwarz for pointing this out.
 1353: 
 1354: 	    Teach --conf-dir to take an optional list of file suffixes
 1355: 	    which will be ignored when scanning the directory. Useful
 1356: 	    for backup files etc. Thanks to Helmut Hullen for the
 1357: 	    suggestion. 
 1358: 
 1359: 	    Add new DHCP option named tftpserver-address, which
 1360: 	    corresponds to the third argument of dhcp-boot. This
 1361: 	    allows the complete functionality of dhcp-boot to be
 1362: 	    replicated with dhcp-option. Useful when using 
 1363: 	    dhcp-optsfile.
 1364: 
 1365: 	    Test which upstream nameserver to use every 10 seconds
 1366:             or 50 queries and not just when a query times out and 
 1367:             is retried. This should improve performance when there
 1368:             is a slow nameserver in the list. Thanks to Joe for the
 1369:             suggestion. 
 1370: 
 1371: 	    Don't do any PXE processing, even for clients with the 
 1372: 	    correct vendorclass, unless at least one pxe-prompt or 
 1373:             pxe-service option is given. This stops dnsmasq 
 1374:             interfering with proxy PXE subsystems when it is just 
 1375:             the DHCP server. Thanks to Spencer Clark for spotting this.
 1376: 
 1377: 	    Limit the blocksize used for TFTP transfers to a value
 1378: 	    which avoids packet fragmentation, based on the MTU of the
 1379: 	    local interface. Many netboot ROMs can't cope with
 1380: 	    fragmented packets.
 1381: 
 1382: 	    Honour dhcp-ignore configuration for PXE and proxy-PXE 
 1383: 	    requests. Thanks to Niels Basjes for the bug report.
 1384: 
 1385:             Updated French translation. Thanks to Gildas Le Nadan.
 1386: 
 1387: 
 1388: version 2.50
 1389: 	    Fix security problem which allowed any host permitted to 
 1390:             do TFTP to possibly compromise dnsmasq by remote buffer 
 1391:             overflow when TFTP enabled. Thanks to Core Security 
 1392: 	    Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro 
 1393: 	    Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and
 1394: 	    Pablo Annetta. This problem has Bugtraq id: 36121 
 1395:             and CVE: 2009-2957
 1396: 
 1397:             Fix a problem which allowed a malicious TFTP client to 
 1398:             crash dnsmasq. Thanks to Steve Grubb at Red Hat for 
 1399:             spotting this. This problem has Bugtraq id: 36120 and 
 1400:             CVE: 2009-2958
 1401: 
 1402: 
 1403: version 2.49
 1404:             Fix regression in 2.48 which disables the lease-change
 1405:             script. Thanks to Jose Luis Duran for spotting this.
 1406: 
 1407: 	    Log TFTP "file not found" errors. These were not logged,
 1408: 	    since a normal PXELinux boot generates many of them, but
 1409: 	    the lack of the messages seems to be more confusing than
 1410: 	    routinely seeing them when there is no real error.
 1411: 
 1412: 	    Update Spanish translation. Thanks to Chris Chatham.
 1413:  
 1414: 
 1415: version 2.48
 1416:             Archived the extensive, backwards, changelog to
 1417:             CHANGELOG.archive. The current changelog now runs from
 1418:             version 2.43 and runs conventionally.
 1419: 
 1420: 	    Fixed bug which broke binding of servers to physical
 1421: 	    interfaces when interface names were longer than four
 1422: 	    characters. Thanks to MURASE Katsunori for the patch.
 1423: 
 1424: 	    Fixed netlink code to check that messages come from the
 1425: 	    correct source, and not another userspace process. Thanks
 1426: 	    to Steve Grubb for the patch.
 1427: 
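An added example, not dnsmasq's own code, of the sender check the netlink entry above describes: the kernel sends netlink datagrams with port id (nl_pid) 0, while a userspace sender always has a non-zero one, so anything else is dropped before parsing. The function names netlink_from_kernel and netlink_recv_trusted are hypothetical; the example is Linux-only.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <linux/netlink.h>

/* Hypothetical helper: returns 1 only if the sender address filled in by
   recvmsg() is a complete sockaddr_nl whose port id is 0, i.e. the kernel.
   A userspace sender always carries a non-zero nl_pid. */
int netlink_from_kernel(const struct sockaddr_nl *src, socklen_t len)
{
    return src != NULL
        && len == sizeof(*src)
        && src->nl_family == AF_NETLINK
        && src->nl_pid == 0;
}

/* Hypothetical helper: receive the next kernel-originated datagram on a
   netlink socket. Datagrams from any other sender, and truncated ones,
   are silently dropped. Returns the length, or -1 with errno set. */
ssize_t netlink_recv_trusted(int fd, void *buf, size_t buflen)
{
    for (;;) {
        struct sockaddr_nl src;
        struct iovec iov = { buf, buflen };
        struct msghdr msg;
        ssize_t n;

        /* msg_namelen is overwritten by recvmsg(), so reset it each time. */
        memset(&src, 0, sizeof src);
        memset(&msg, 0, sizeof msg);
        msg.msg_name = &src;
        msg.msg_namelen = sizeof src;
        msg.msg_iov = &iov;
        msg.msg_iovlen = 1;

        n = recvmsg(fd, &msg, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (msg.msg_flags & MSG_TRUNC)
            continue;               /* incomplete message: do not parse */
        if (!netlink_from_kernel(&src, msg.msg_namelen))
            continue;               /* sent by another process: ignore */
        return n;
    }
}
```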
 1428: 	    Maintainability drive: removed bug and missing feature
 1429: 	    workarounds for some old platforms. Solaris 9, OpenBSD
 1430: 	    older than 4.1, Glibc older than 2.2, Linux 2.2.x and 
 1431:             DBus older than 1.1.x are no longer supported. 
 1432: 
 1433: 	    Don't read included configuration files more than once:
 1434: 	    allows complex configuration structures without problems.
 1435: 
 1436: 	    Mark log messages from the various subsystems in dnsmasq:
 1437: 	    messages from the DHCP subsystem now have the ident string
 1438: 	    "dnsmasq-dhcp" and messages from TFTP have ident
 1439: 	    "dnsmasq-tftp". Thanks to Olaf Westrik for the patch.
 1440: 
 1441: 	    Fix possible infinite DHCP protocol loop when an IP
 1442: 	    address is nailed to a hostname (not a MAC address) and a
 1443: 	    host sometimes provides the name, sometimes not.
 1444: 
 1445: 	    Allow --addn-hosts to take a directory: all the files 
 1446: 	    in the directory are read. Thanks to Phil Cornelius for 
 1447: 	    the suggestion. 
 1448: 
 1449: 	    Support --bridge-interface on all platforms, not just BSD.
 1450:  
 1451:             Added support for advanced PXE functions. It's now
 1452:             possible to define a prompt and menu options which will
 1453:             be displayed when a client PXE boots. It's also possible to
 1454:             hand-off booting to other boot servers. Proxy-DHCP, where
 1455:             dnsmasq just supplies the PXE information and another DHCP
 1456:             server does address allocation, is also allowed. See the
 1457:             --pxe-prompt and --pxe-service keywords. Thanks to 
 1458: 	    Alkis Georgopoulos for the suggestion and Guilherme Moro
 1459:             and Michael Brown for assistance.
 1460: 
 1461: 	    Improvements to DHCP logging. Thanks to Tom Metro for
 1462: 	    useful suggestions.
 1463: 	    
 1464: 	    Add ability to build dnsmasq without DHCP support. To do
 1465: 	    this, edit src/config.h or build with
 1466: 	    "make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch. 
 1467: 	    
 1468: 	    Added --test command-line switch - syntax check
 1469: 	    configuration files only.
 1470:  
 1471:             Updated French translation. Thanks to Gildas Le Nadan.
 1472: 
 1473: 
 1474: version 2.47
 1475: 	    Updated French translation. Thanks to Gildas Le Nadan.
 1476: 
 1477: 	    Fixed interface enumeration code to work on NetBSD
 1478: 	    5.0. Thanks to Roy Marples for the patch. 
 1479: 
 1480: 	    Updated config.h to use the same location for the lease
 1481: 	    file on NetBSD as the other *BSD variants. Also allow
 1482: 	    LEASEFILE and CONFFILE symbols to be overridden in CFLAGS.
 1483: 
 1484:             Handle duplicate address detection on IPv6 more
 1485:             intelligently. In IPv6, an interface can have an address
 1486:             which is not usable, because it is still undergoing DAD
 1487:             (such addresses are marked "tentative"). Attempting to
 1488:             bind to an address in this state returns an error,
 1489:             EADDRNOTAVAIL. Previously, on getting such an error,
 1490:             dnsmasq would silently abandon the address, and never
 1491:             listen on it. Now, it retries once per second for 20
 1492:             seconds before generating a fatal error. 20 seconds should
 1493:             be long enough for any DAD process to complete, but can be
 1494:             adjusted in src/config.h if necessary. Thanks to Martin
 1495:             Krafft for the bug report.
 1496: 
 1497: 	    Add DBus introspection. Patch from Jeremy Laine.
 1498: 
 1499: 	    Update Dbus configuration file. Patch from Colin Walters.
 1500: 	    Fix for this bug:
 1501:             http://bugs.freedesktop.org/show_bug.cgi?id=18961
 1502: 
 1503: 	    Support arbitrarily encapsulated DHCP options, suggestion
 1504: 	    and initial patch from Samium Gromoff. This is useful for
 1505: 	    (eg) gPXE, which expects all its private options to be
 1506: 	    encapsulated inside a single option 175. So, eg, 
 1507: 
 1508:             dhcp-option = encap:175, 190, "iscsi-client0"
 1509:             dhcp-option = encap:175, 191, "iscsi-client0-secret"
 1510: 	    
 1511: 	    will provide iSCSI parameters to gPXE.
 1512: 
 1513: 	    Enhance --dhcp-match to allow testing of the contents of a
 1514: 	    client-sent option, as well as its presence. The
 1515: 	    application in mind for this is RFC 4578
 1516: 	    client-architecture specifiers, but it's generally useful.
 1517: 	    Joey Korkames suggested the enhancement. 
 1518: 
 1519: 	    Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on
 1520: 	    OpenSolaris. Thanks to Bastian Machek for the heads-up.
 1521: 
 1522: 	    No longer complain about blank lines in
 1523: 	    /etc/ethers. Thanks to Jon Nelson for the patch.
 1524: 
 1525: 	    Fix binding of servers to physical devices, eg
 1526: 	    --server=/domain/1.2.3.4@eth0 which was broken from 2.43
 1527: 	    onwards unless --query-port=0 set. Thanks to Peter Naulls
 1528: 	    for the bug report.
 1529: 
 1530: 	    Reply to DHCPINFORM requests even when the supplied ciaddr
 1531: 	    doesn't fall in any dhcp-range. In this case it's not
 1532: 	    possible to supply a complete configuration, but
 1533: 	    individually-configured options (eg PAC) may be useful.
 1534: 
 1535: 	    Allow the source address of an alias to be a range:
 1536: 	    --alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole
 1537: 	    subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255,
 1538: 	    as before.
 1539: 	    --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
 1540: 	    maps only the 192.168.0.10->192.168.0.40 region. Thanks to
 1541: 	    Ib Uhrskov for the suggestion.
 1542: 
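An added example, not dnsmasq's own code, of the address rewrite the --alias entry above describes, covering both the whole-subnet form and the new range form. The names alias_parse, alias_apply and alias_rewrite are hypothetical, and the example assumes that a matching address keeps its host bits and takes its network bits from the new network, so 192.168.0.25 becomes 10.0.0.25.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* One alias rule in host byte order; end == 0 means "whole subnet". */
struct alias_rule {
    uint32_t in, end, out, mask;
};

static int parse_ip(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return -1;
    *out = ntohl(a.s_addr);
    return 0;
}

/* Parse "old[-end],new,mask". Returns 0 on success, -1 on a bad spec. */
int alias_parse(const char *spec, struct alias_rule *r)
{
    char buf[128], *old = buf, *new_ip, *mask, *dash;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    if (!(new_ip = strchr(old, ',')))
        return -1;
    *new_ip++ = '\0';
    if (!(mask = strchr(new_ip, ',')))
        return -1;
    *mask++ = '\0';
    r->end = 0;
    if ((dash = strchr(old, '-'))) {
        *dash++ = '\0';
        if (parse_ip(dash, &r->end))
            return -1;
    }
    if (parse_ip(old, &r->in) || parse_ip(new_ip, &r->out) ||
        parse_ip(mask, &r->mask))
        return -1;
    if (r->end != 0 && r->end < r->in)
        return -1;                          /* reversed range */
    if ((~r->mask & (~r->mask + 1)) != 0)
        return -1;                          /* non-contiguous netmask */
    return 0;
}

/* Rewrite addr if the rule matches it; otherwise return it unchanged. */
uint32_t alias_apply(const struct alias_rule *r, uint32_t addr)
{
    if (r->end == 0) {
        if ((addr & r->mask) != (r->in & r->mask))
            return addr;                    /* outside the old subnet */
    } else if (addr < r->in || addr > r->end) {
        return addr;                        /* outside the old range */
    }
    return (r->out & r->mask) | (addr & ~r->mask);
}

/* Convenience wrapper on dotted-quad strings; NULL on a parse error. */
const char *alias_rewrite(const char *spec, const char *ip,
                          char out[INET_ADDRSTRLEN])
{
    struct alias_rule r;
    struct in_addr a;
    uint32_t addr;

    if (alias_parse(spec, &r) || parse_ip(ip, &addr))
        return NULL;
    a.s_addr = htonl(alias_apply(&r, addr));
    return inet_ntop(AF_INET, &a, out, INET_ADDRSTRLEN);
}
```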
 1543: 	    Don't dynamically allocate DHCP addresses which may break
 1544: 	    Windows.  Addresses which end in .255 or .0 are broken in
 1545: 	    Windows even when using supernetting.
 1546: 	    --dhcp-range=192.168.0.1,192.168.1.254,255.255.254.0 means
 1547: 	    192.168.0.255 is a valid IP address, but not for Windows. 
 1548: 	    See Microsoft KB281579. We therefore no longer allocate 
 1549: 	    these addresses to avoid hard-to-diagnose problems. 
 1550: 
 1551: 	    Update Polish translation. Thanks to Jan Psota.
 1552: 
 1553: 	    Delete the PID-file when dnsmasq shuts down. Note that by
 1554: 	    this time, dnsmasq is normally not running as root, so
 1555: 	    this will fail if the PID-file is stored in a root-owned
 1556: 	    directory; such failure is silently ignored. To take
 1557: 	    advantage of this feature, the PID-file must be stored in a
 1558: 	    directory owned and write-able by the user running
 1559: 	    dnsmasq.
 1560: 
 1561: 
 1562: version 2.46
 1563: 	    Allow --bootp-dynamic to take a netid tag, so that it may
 1564: 	    be selectively enabled. Thanks to Olaf Westrik for the
 1565: 	    suggestion. 
 1566: 
 1567: 	    Remove ISC-leasefile reading code. This has been
 1568: 	    deprecated for a long time, and last time I removed it, it
 1569: 	    ended up going back by request of one user. This time,
 1570: 	    it's gone for good; otherwise it would need to be
 1571: 	    re-worked to support multiple domains (see below).
 1572: 
 1573: 	    Support DHCP clients in multiple DNS domains. This is a
 1574: 	    long-standing request. Clients are assigned to a domain
 1575: 	    based on their IP address.
 1576: 
 1577:             Add --dhcp-fqdn flag, which changes behaviour of DNS names
 1578:             assigned to DHCP clients. When this is set, there must be
 1579:             a domain associated with each client, and only
 1580:             fully-qualified domain names are added to the DNS. The
 1581:             advantage is that only the FQDN needs to be unique,
 1582:             so that two or more DHCP clients can share a hostname, as
 1583:             long as they are in different domains.
 1584: 
 1585: 	    Set environment variable DNSMASQ_DOMAIN when invoking
 1586: 	    lease-change script. This may be useful information to
 1587: 	    have now that it's variable.
 1588: 
 1589: 	    Tighten up data-checking code for DNS packet
 1590: 	    handling. Thanks to Steve Dodd who found certain illegal
 1591: 	    packets which could crash dnsmasq. No memory overwrite was
 1592: 	    possible, so this is not a security issue beyond the DoS
 1593: 	    potential.  
 1594: 
 1595: 	    Update example config dhcp option 47, the previous
 1596: 	    suggestion generated an illegal, zero-length,
 1597: 	    option. Thanks to Matthias Andree for finding this.
 1598: 
 1599: 	    Rewrite hosts-file reading code to remove the limit of
 1600: 	    1024 characters per line. John C Meuser found this.
 1601: 
 1602: 	    Create a net-id tag with the name of the interface on
 1603: 	    which the DHCP request was received.
 1604: 
 1605: 	    Fixed minor memory leak in DBus code, thanks to Jeremy
 1606: 	    Laine for the patch.
 1607: 
 1608: 	    Emit DBus signals as the DHCP lease database
 1609: 	    changes. Thanks to Jeremy Laine for the patch.
 1610: 
 1611: 	    Allow for more than one MAC address in a dhcp-host
 1612: 	    line. This configuration tells dnsmasq that it's OK to
 1613: 	    abandon a DHCP lease of the fixed address to one MAC
 1614: 	    address, if another MAC address in the dhcp-host statement 
 1615: 	    asks for an address. This is useful to give a fixed
 1616: 	    address to a host which has two network interfaces
 1617: 	    (say, a laptop with wired and wireless interfaces.) 
 1618:             It's very important to ensure that only one interface 
 1619: 	    at a time is up, since dnsmasq abandons the first lease 
 1620: 	    and re-uses the address before the leased time has
 1621: 	    elapsed. John Gray suggested this.
 1622: 
 1623: 	    Tweak the response to a DHCP request packet with a wrong
 1624: 	    server-id when --dhcp-authoritative is set; dnsmasq now
 1625: 	    returns a DHCPNAK, rather than silently ignoring the
 1626: 	    packet. Thanks to Chris Marget for spotting this
 1627: 	    improvement.
 1628: 
 1629: 	    Add --cname option. This provides a limited alias
 1630: 	    function, usable for DHCP names. Thanks to AJ Weber for
 1631: 	    suggestions on this.
 1632: 
 1633: 	    Updated contrib/webmin with latest version from Neil
 1634: 	    Fisher.
 1635: 
 1636: 	    Updated Polish translation. Thanks to Jan Psota.
 1637: 	    
 1638: 	    Correct the text names for DHCP options 64 and 65 to be
 1639: 	    "nis+-domain" and "nis+-servers".
 1640: 
 1641: 	    Updated Spanish translation. Thanks to Chris Chatham.
 1642: 
 1643: 	    Force re-reading of /etc/resolv.conf when an "interface
 1644: 	    up" event occurs.
 1645: 
 1646: 
 1647: version 2.45
 1648:             Fix total DNS failure in release 2.44 unless --min-port 
 1649:             specified. Thanks to Steven Barth and Grant Coady for
 1650:             the bug report. Also reject out-of-range port spec, which could
 1651:             break things too: suggestion from Gilles Espinasse.
 1652: 	    
 1653: 
 1654: version 2.44
 1655:             Fix crash when unknown client attempts to renew a DHCP
 1656:             lease, problem introduced in version 2.43. Thanks to
 1657:             Carlos Carvalho for help chasing this down.
 1658: 
 1659: 	    Fix potential crash when a host which doesn't have a lease
 1660: 	    does DHCPINFORM. Again introduced in 2.43. This bug has
 1661: 	    never been reported in the wild.
 1662: 
 1663:             Fix crash in netlink code introduced in 2.43. Thanks to
 1664:             Jean Wolter for finding this.
 1665: 
 1666: 	    Change implementation of min_port to work even if min-port
 1667: 	    is large.
 1668: 
 1669: 	    Patch to enable compilation of latest Mac OS X. Thanks to
 1670: 	    David Gilman.
 1671: 
 1672: 	    Update Spanish translation. Thanks to Christopher Chatham.
 1673: 
 1674: 
 1675: version 2.43
 1676: 	    Updated Polish translation. Thanks to Jan Psota.
 1677: 
 1678: 	    Flag errors when configuration options are repeated
 1679: 	    illegally.
 1680: 
 1681: 	    Further tweaks for GNU/kFreeBSD
 1682: 
 1683: 	    Add --no-wrap to msgmerge call - provides nicer .po file
 1684: 	    format.
 1685: 
 1686: 	    Honour lease-time spec in dhcp-host lines even for
 1687: 	    BOOTP. The user is assumed to know what they are doing in
 1688: 	    this case. (Hosts without the time spec still get infinite
 1689: 	    leases for BOOTP, over-riding the default in the
 1690: 	    dhcp-range.) Thanks to Peter Katzmann for uncovering this.
 1691: 
 1692: 	    Fix problem matching relay-agent ids. Thanks to Michael
 1693: 	    Rack for the bug report.
 1694: 
 1695: 	    Add --naptr-record option. Suggestion from Johan
 1696: 	    Bergquist.
 1697: 
 1698: 	    Implement RFC 5107 server-id-override DHCP relay agent
 1699: 	    option.
 1700: 
 1701: 	    Apply patches from Stefan Kruger for compilation on
 1702: 	    Solaris 10 under Sun studio.
 1703: 
 1704: 	    Yet more tweaking of Linux capability code, to suppress
 1705: 	    pointless whingeing from kernel 2.6.25 and above.
 1706: 
 1707: 	    Improve error checking during startup. Previously, some
 1708: 	    errors which occurred during startup would be worked
 1709: 	    around, with dnsmasq still starting up. Some were logged,
 1710:             some silent. Now, they all cause a fatal error and dnsmasq 
 1711:             terminates with a non-zero exit code. The errors are those
 1712:             associated with changing uid and gid, setting process 
 1713:             capabilities and writing the pidfile. Thanks to Uwe
 1714: 	    Gansert and the Suse security team for pointing out 
 1715: 	    this improvement, and Bill Reimers for good implementation
 1716: 	    suggestions.
 1717: 
 1718: 	    Provide NO_LARGEFILE compile option to switch off largefile
 1719: 	    support when compiling against versions of uclibc which
 1720: 	    don't support it. Thanks to Stephane Billiart for the patch.
 1721:   
 1722:             Implement random source ports for interactions with
 1723:             upstream nameservers. New spoofing attacks have been found
 1724:             against nameservers which do not do this, though it is not
 1725:             clear if dnsmasq is vulnerable, since it doesn't implement
 1726:             recursion. By default dnsmasq will now use a different
 1727:             source port (and socket) for each query it sends
 1728:             upstream. This behaviour can be suppressed using the
 1729:             --query-port option, and the old default behaviour
 1730:             restored using --query-port=0. Explicit source-port
 1731:             specifications in --server configs are still honoured.
 1732: 
 1733: 	    Replace the random number generator, for better
 1734: 	    security. On most BSD systems, dnsmasq uses the
 1735: 	    arc4random() RNG, which is secure, but on other platforms,
 1736: 	    it relied on the C-library RNG, which may be
 1737: 	    guessable and therefore allow spoofing. This release
 1738: 	    replaces the libc RNG with the SURF RNG, from Daniel
 1739: 	    J. Bernstein's DJBDNS package.
 1740: 
 1741: 	    Don't attempt to change user or group or set capabilities
 1742: 	    if dnsmasq is run as a non-root user. Without this, the
 1743: 	    change from soft to hard errors when these fail causes
 1744: 	    problems for non-root daemons listening on high
 1745: 	    ports. Thanks to Patrick McLean for spotting this.
 1746: 
 1747: 	    Updated French translation. Thanks to Gildas Le Nadan.
 1748: 
 1749: 
 1750: version 2.42
 1751:             The changelog for version 2.42 and earlier is 
 1752:             available in CHANGELOG.archive.
