File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / dnsmasq / CHANGELOG
Revision 1.1.1.5 (vendor branch)
Wed Sep 27 11:02:07 2023 UTC (8 months, 2 weeks ago) by misho
Branches: elwix, dnsmasq, MAIN
CVS tags: v8_2p1, HEAD
Version 8.2p1

    1: version 2.90
    2: 	Fix reversion in --rev-server introduced in 2.88 which
    3: 	caused breakage if the prefix length is not exactly divisible
    4: 	by 8 (IPv4) or 4 (IPv6).
    5: 
    6: 	Fix possible SEGV when server(s) for a particular
    7: 	domain are configured, but no server which is not qualified
    8: 	for a particular domain. Thanks to Daniel Danzberger for
    9: 	spotting this bug.
   10: 	
   11: 
   12: version 2.89
   13:         Fix bug introduced in 2.88 (commit fe91134b) which can result
   14: 	in corruption of the DNS cache internal data structures and
   15: 	logging of "cache internal error". This has only been seen
   16: 	in one place in the wild, and it took considerable effort
   17: 	to even generate a test case to reproduce it, but there's
   18: 	no way to be sure it won't strike, and the effect is to break
   19: 	the cache badly. Installations with DNSSEC enabled are more
   20: 	likely to see the problem, but not running DNSSEC does not
   21: 	guarantee that it won't happen. Thanks to Timo van Roermund
   22: 	for reporting the bug and for his great efforts in chasing
   23: 	it down.
   24: 
   25: 
   26: version 2.88
   27: 	Fix bug in --dynamic-host when an interface has /16 IPv4
   28:   	address. Thanks to Mark Dietzer for spotting this.
   29: 
   30: 	Add --fast-dns-retry option. This gives dnsmasq the ability
   31: 	to originate retries for upstream DNS queries itself, rather
   32: 	than relying on the downstream client. This is most useful
   33: 	when doing DNSSEC over unreliable upstream networks. It comes
   34: 	with some cost in memory usage and network bandwidth.
   35: 
   36: 	Add --use-stale-cache option. When set, if a DNS name exists
   37: 	in the cache, but its time-to-live has expired, dnsmasq will
   38: 	return the data anyway. (It attempts to refresh the
   39: 	data with an upstream query after returning the stale data.)
   40: 	This can improve speed and reliability. It comes
   41: 	at the expense of sometimes returning out-of-date data and
   42: 	less efficient cache utilisation, since old data cannot be
   43: 	flushed when its TTL expires, so the cache becomes
   44: 	strictly least-recently-used.
   45: 
   46: 	Add --port-limit option which allows tuning for robustness in
   47: 	the face of some upstream network errors. Thanks to
   48: 	Prashant Kumar Singh, Ravi Nagayach and Mike Danilov,
   49: 	all of Amazon Web Services, for their efforts in developing this
   50: 	and the stale-cache and fast-retry options.
   51: 
   52: 	Make --hostsdir (but NOT --dhcp-hostsdir and --dhcp-optsdir)
   53: 	handle removal of whole files or entries within files.
   54: 	Thanks to Dominik Derigs for the initial patches for this.
   55: 
   56: 	Fix bug, introduced in 2.87, which could result in DNS
   57: 	servers being removed from the configuration when reloading
   58: 	server configuration from DBus, or re-reading /etc/resolv.conf.
   59: 	Only servers from the same source should be replaced, but some
   60: 	servers from other sources (i.e., hard coded or another dynamic source)
   61: 	could mysteriously disappear. Thanks to all reporting this,
   62: 	but especially Christopher J. Madsen who reduced the problem
   63: 	to an easily reproducible case which saved much labour in
   64: 	finding it.
   65: 
   66: 	Add --no-round-robin option.
   67: 
   68: 	Allow domain names as well as IP addresses when specifying
   69: 	upstream DNS servers. There are some gotchas associated with this
   70: 	(it will mysteriously fail to work if the dnsmasq instance
   71: 	being started is in the path from the system resolver to the DNS,
   72: 	and a seemingly sensible configuration like
   73: 	--server=domain.name@1.2.3.4 is unactionable if domain.name
   74: 	only resolves to an IPv6 address). There are, however,
   75: 	cases where it can be useful. Thanks to Dominik Derigs for
   76: 	the patch.
   77: 
   78: 	Handle DS records for unsupported crypto algorithms correctly.
   79: 	Such a DS, as long as it is validated, should allow answers
   80: 	in the domain it attests to be returned as unvalidated, and not
   81: 	as a validation error.
   82: 
   83: 	Optimise reading large numbers of --server options. When re-reading
   84: 	upstream servers from /etc/resolv.conf or other sources that
   85: 	can change dnsmasq tries to avoid memory fragmentation by re-using
   86: 	existing records that are being re-read unchanged. This involves
   87: 	searching all the server records for each new one installed.
   88: 	During startup this search is pointless, and can cause long
   89: 	start times with thousands of --server options because the work
   90: 	needed is O(n^2). Handle this case more intelligently.
   91: 	Thanks to Ye Zhou for spotting the problem and an initial patch.
   92: 	
   93: 	If we detect that a DNS reply from upstream is malformed don't
   94: 	return it to the requestor; send a SERVFAIL rcode instead.
   95: 
   96: 	
   97: version 2.87
   98:         Allow arbitrary prefix lengths in --rev-server and
   99: 	--domain=....,local
  100: 
  101: 	Replace --address=/#/..... functionality which got
  102: 	missed in the 2.86 domain search rewrite.
  103: 
  104: 	Add --nftset option, like --ipset but for the newer nftables.
  105: 	Thanks to Chen Zhenge for the patch.
  106: 	
  107: 	Add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6
  108: 	addresses from DNS answers.
  109: 
  110: 	Fix crash doing netbooting when --port is set to zero
  111: 	to disable the DNS server. Thanks to Drexl Johannes
  112: 	for the bug report.
  113: 
  114: 	Generalise --dhcp-relay. Sending via broadcast/multicast is
  115: 	now supported for both IPv4 and IPv6 and the configuration
  116: 	syntax made easier (but backwards compatible).
  117: 	
  118: 	Add snooping of IPv6 prefix-delegations to the DHCP-relay system.
  119: 
  120: 	Finesse parsing of --dhcp-remoteid and --dhcp-subscrid. To be treated
  121: 	as hex, the pattern must consist of only hex digits AND contain
  122: 	at least one ':'. Thanks to Bengt-Erik Sandstrom who tripped
  123: 	over a pattern consisting of a decimal number which was interpreted
  124: 	surprisingly.
  125: 
  126: 	Include client address in TFTP file-not-found error reports.
  127: 	Thanks to Stefan Rink for the initial patch, which has been
  128: 	re-worked by me (srk). All bugs mine.
  129: 
  130: 	Note in manpage the change in behaviour of --address. This behaviour
  131: 	actually changed in v2.86, but was undocumented there. From 2.86 on,
  132: 	(eg) --address=/example.com/1.2.3.4 ONLY applies to A queries. All other
  133: 	types of query will be sent upstream. Pre 2.86, that would catch the
  134: 	whole example.com domain and queries for other types would get
  135: 	a local NODATA answer. The pre-2.86 behaviour is still available,
  136: 	by configuring --address=/example.com/1.2.3.4 --local=/example.com/
  137: 
  138:         Fix problem with binding DHCP sockets to an individual interface.
  139: 	Despite the fact that the system call takes the interface _name_ as
  140: 	a parameter, it actually binds the socket to interface _index_.
  141: 	Deleting the interface and creating a new one with the same name
  142: 	leaves the socket bound to the old index. (Creating new sockets
  143: 	always allocates a fresh index, they are not reused). We now
  144: 	take this behaviour into account and keep up with changing indexes.
  145: 
  146: 	Add --conf-script configuration option.
  147: 
  148: 	Enhance --domain to accept, for instance,
  149: 	--domain=net2.thekelleys.org.uk,eth2 so that hosts get a domain
  150: 	which reflects the interface they are attached to in a way which
  151: 	doesn't require hard-coding addresses. Thanks to Sten Spans for
  152: 	the idea.
  153: 
  154: 	Fix write-after-free error in DHCPv6 server code.
  155: 	CVE-2022-0934 refers.
  156: 	
  157: 	Add the ability to specify destination port in
  158: 	DHCP-relay mode. This change also removes a previous bug
  159: 	where --dhcp-alternate-port would affect the port used
  160: 	to relay _to_ as well as the port being listened on.
  161: 	The new feature allows configuration to provide bug-for-bug
  162: 	compatibility, if required. Thanks to Damian Kaczkowski 
  163: 	for the feature suggestion.
  164: 
  165: 	Bound the value of UDP packet size in the EDNS0 header of
  166: 	forwarded queries to the configured or default value of
  167: 	edns-packet-max. There's no point letting a client set a larger
  168: 	value if we're unable to return the answer. Thanks to Bertie
  169: 	Taylor for pointing out the problem and supplying the patch.
  170: 	
  171: 	Fix problem with the configuration
  172: 	
  173: 	--server=/some.domain/# --address=/#/<ip> --server=<server_ip>
  174: 
  175: 	This would return <ip> for queries in some.domain, rather than
  176: 	forwarding the query via the default server.
  177: 
  178: 	Tweak DHCPv6 relay code so that packets relayed towards a server
  179: 	have source address on the server-facing network, not the
  180: 	client facing network. Thanks to Luis Thomas for spotting this
  181: 	and initial patch.
  182: 
  183: 
  184: version 2.86
  185: 	Handle DHCPREBIND requests in the DHCPv6 server code.
  186: 	Thanks to Aichun Li for spotting this omission, and the initial
  187: 	patch.
  188: 
  189: 	Fix bug which caused dnsmasq to lose track of processes forked
  190: 	to handle TCP DNS connections under heavy load. The code
  191: 	checked that at least one free process table slot was
  192: 	available before listening on TCP sockets, but didn't take
  193: 	into account that more than one TCP connection could
  194: 	arrive, so that check was not sufficient to ensure that
  195: 	there would be slots for all new processes. It compounded
  196: 	this error by silently failing to store the process when
  197: 	it did run out of slots. Even when this bug is triggered,
  198: 	all the right things happen, and answers are still returned.
  199: 	Only under very exceptional circumstances, does the bug
  200: 	manifest itself: see
  201: 	https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014976.html
  202: 	Thanks to Tijs Van Buggenhout for finding the conditions under
  203: 	which the bug manifests itself, and then working out
  204: 	exactly what was going on.
  205: 
  206: 	Major rewrite of the DNS server and domain handling code.
  207: 	This should be largely transparent, but it drastically
  208: 	improves performance and reduces memory foot-print when
  209: 	configuring large numbers of domains of the form
  210: 	local=/adserver.com/
  211: 	or
  212: 	local=/adserver.com/#
  213: 	Lookup times now grow as log-to-base-2 of the number of domains,
  214: 	rather than greater than linearly, as before.
  215: 	The change makes multiple addresses associated with a domain work
  216: 	address=/example.com/1.2.3.4
  217: 	address=/example.com/5.6.7.8
  218: 	It also handles multiple upstream servers for a domain better; using
  219: 	the same try/retry algorithms as non domain-specific servers. This
  220: 	also applies to DNSSEC-generated queries.
  221: 	Finally, some of the oldest and gnarliest code in dnsmasq has had
  222: 	a significant clean-up. It's far from perfect, but it _is_ better.
  223: 
  224: 	Revise resource handling for number of concurrent DNS queries. This
  225: 	used to have a global limit, but that has a problem when using
  226: 	different servers for different upstream domains. Queries which are
  227: 	routed by domain to an upstream server which is not responding will
  228: 	build up and trigger the limit, which breaks DNS service for
  229: 	all other domains which could be handled by other servers. The
  230: 	change is to make the limit per server-group, where a server group
  231: 	is the set of servers configured for a particular domain. In the
  232: 	common case, where only default servers are declared, there is
  233: 	no effective change.
  234: 
  235: 	Improve efficiency of DNSSEC. The sharing point for DNSSEC RR data
  236: 	used to be when it entered the cache, having been validated. After
  237: 	that queries requiring the KEY or DS records would share the cached
  238: 	values. There is a common case in dual-stack hosts that queries for
  239: 	A and AAAA records for the same domain are made simultaneously.
  240: 	If required keys were not in the cache, this would result in two
  241: 	requests being sent upstream for the same key data (and all the
  242: 	subsequent chain-of-trust queries.) Now we combine these requests
  243: 	and elide the duplicates, resulting in fewer queries upstream
  244: 	and better performance. To keep a better handle on what's
  245: 	going on, the "extra" logging mode has been modified to associate
  246: 	queries and answers for DNSSEC queries in the same way as ordinary
  247: 	queries. The requesting address and port have been removed from
  248: 	DNSSEC logging lines, since this is no longer strictly defined.
  249: 
  250: 	Connection track mark based DNS query filtering. Thanks to
  251: 	Etan Kissling for implementing this. It extends query filtering
  252: 	support beyond what is currently possible
  253: 	with the `--ipset` configuration option, by adding support for:
  254: 	1) Specifying allowlists on a per-client basis, based on their
  255: 	   associated Linux connection track mark.
  256: 	2) Dynamic configuration of allowlists via Ubus.
  257: 	3) Reporting when a DNS query resolves or is rejected via Ubus.
  258: 	4) DNS name patterns containing wildcards.
  259: 	Disallowed queries are not forwarded; they are rejected
  260: 	with a REFUSED error code.
  261: 
  262: 	Allow smaller than 64 prefix lengths in synth-domain, with caveats.
  263: 	--synth-domain=1234:4567::/56,example.com is now valid.
  264: 
  265: 	Make domains generated by --synth-domain appear in replies
  266: 	when in authoritative mode.
  267: 
  268: 	Ensure CAP_NET_ADMIN capability is available when
  269: 	conntrack is configured. Thanks to Yick Xie for spotting
  270: 	the lack of this.
  271: 
  272: 	When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
  273: 	given a directory as argument, define the order in which
  274: 	files within that directory are read (alphabetical order
  275: 	of filename). Thanks to Ed Wildgoose for the initial patch
  276: 	and motivation for this.
  277: 
  278: 	Allow adding IP address to nftables set in addition to
  279: 	ipset.
  280: 
  281: 	
  282: version 2.85
  283:         Fix problem with DNS retries in 2.83/2.84.
  284:         The new logic in 2.83/2.84 which merges distinct requests
  285: 	for the same domain causes problems with clients which do
  286: 	retries as distinct requests (differing IDs and/or source ports.)
  287: 	The retries just get piggy-backed on the first, failed, request.
  288:         The logic is now changed so that distinct requests for repeated
  289:         queries still get merged into a single ID/source port, but
  290: 	they now always trigger a re-try upstream.
  291:         Thanks to Nicholas Mu for his analysis.
  292: 
  293: 	Tweak sort order of tags in get-version. v2.84 sorts
  294: 	before v2.83, but v2.83 sorts before v2.83rc1 and 2.83rc1
  295: 	sorts before v2.83test1. This fixes the problem which led
  296: 	to 2.84 announcing itself as 2.84rc2.
  297: 
  298:  	Avoid treating a --dhcp-host which has an IPv6 address
  299: 	as eligible for use with DHCPv4 on the grounds that it has
  300: 	no address, and vice-versa. Thanks to Viktor Papp for
  301: 	spotting the problem. (This bug was fixed back in 2.67, and
  302: 	then regressed in 2.81).
  303: 
  304: 	Add --dynamic-host option: A and AAAA records which take their
  305: 	network part from the network of a local interface. Useful
  306: 	for routers with dynamic prefixes. Thanks
  307: 	to Fred F for the suggestion.
  308: 
  309: 	Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet.
  310: 
  311: 	Use random source ports where possible if source
  312: 	addresses/interfaces are in use.
  313: 	CVE-2021-3448 applies. Thanks to Petr Menšík for spotting this.
  314: 	It's possible to specify the source address or interface to be
  315: 	used when contacting upstream name servers: server=8.8.8.8@1.2.3.4
  316: 	or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of
  317: 	these have, until now, used a single socket, bound to a fixed
  318: 	port. This was originally done to allow an error (non-existent
  319: 	interface, or non-local address) to be detected at start-up. This
  320: 	means that any upstream servers specified in such a way don't use
  321: 	random source ports, and are more susceptible to cache-poisoning
  322: 	attacks.
  323: 	We now use random ports where possible, even when the
  324: 	source is specified, so server=8.8.8.8@1.2.3.4 or
  325: 	server=8.8.8.8@eth0 will use random source
  326: 	ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will
  327: 	use the explicitly configured port, and should only be done with
  328: 	understanding of the security implications.
  329: 	Note that this change changes non-existing interface, or non-local
  330: 	source address errors from fatal to run-time. The error will be
  331: 	logged and communication with the server not possible.
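
An added example (not code from dnsmasq or from this changelog): a Python check over dnsmasq configuration lines that reports the settings this entry says pin the DNS source port, namely a #port after the @source in server= and any use of query-port, plus a min-port/max-port pool narrower than the typical Linux ephemeral range quoted in the next entry. The sample configuration, the function names and the pool-size threshold are this example's assumptions.

```python
# Constructed sample configuration (not from a real host). The server= forms
# are the ones quoted in the changelog entry above.
SAMPLE_CONF = """\
# upstream servers
server=8.8.8.8
server=8.8.8.8@1.2.3.4
server=8.8.8.8@eth0
server=8.8.8.8@1.2.3.4#66
server=/example.com/8.8.4.4#5353@eth0
query-port=5300
min-port=40000
max-port=40099
"""

# Size of the typical Linux ephemeral range named in the changelog (32768-60999).
# Using it as the "narrow pool" threshold is this example's assumption.
TYPICAL_POOL = 60999 - 32768 + 1


def parse_server(value):
    """Split a server= value into (domains, upstream, source, source_port)."""
    domains = []
    if value.startswith("/"):
        parts = value.split("/")          # "/a/b/up" -> ['', 'a', 'b', 'up']
        domains, value = parts[1:-1], parts[-1]
    # Split on '@' first: a '#port' before '@' is the upstream's destination
    # port, a '#port' after it is the fixed source port.
    upstream, _, source = value.partition("@")
    source_port = None
    if source:
        source, _, port = source.partition("#")
        source_port = int(port) if port.isdigit() else None
    return domains, upstream, source or None, source_port


def audit(conf_text):
    """Return (line_number, message) findings for settings that pin the source port."""
    findings = []
    ports = {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        # Only a leading '#' is a comment; '#' inside server= introduces a port.
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lstrip("-"), value.strip()
        if key == "server":
            _, upstream, source, sport = parse_server(value)
            if sport is not None:
                findings.append((lineno,
                    f"upstream {upstream} uses fixed source port {sport} "
                    f"(source {source}): no source-port randomisation"))
        elif key == "query-port":
            findings.append((lineno,
                f"query-port={value}: all upstream queries leave from one port"))
        elif key in ("min-port", "max-port") and value.isdigit():
            ports[key] = (lineno, int(value))
    # Pool size is only judged when both bounds are set explicitly.
    if len(ports) == 2:
        size = ports["max-port"][1] - ports["min-port"][1] + 1
        if size < TYPICAL_POOL:
            findings.append((ports["max-port"][0],
                f"min-port/max-port leave {size} source ports, fewer than "
                f"the {TYPICAL_POOL} of the typical Linux ephemeral range"))
    return findings


if __name__ == "__main__":
    for lineno, message in audit(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```
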
  332: 
  333: 	Change the method of allocation of random source ports for DNS.
  334: 	Previously, without min-port or max-port configured, dnsmasq would
  335: 	default to the compiled in defaults for those, which are 1024 and
  336: 	65535. Now, when neither are configured, it defaults instead to
  337: 	the kernel's ephemeral port range, which is typically
  338: 	32768 to 60999 on Linux systems. This change eliminates the
  339: 	possibility that dnsmasq may be using a registered port > 1024
  340: 	when a long-running daemon starts up and wishes to claim it.
  341: 	This change does likely slightly reduce the number of random ports
  342: 	and therefore the protection from reply spoofing. The older
  343: 	behaviour can be restored using the min-port and max-port config
  344: 	switches should that be a concern.
  345: 
  346: 	Scale the size of the DNS random-port pool based on the
  347: 	value of the --dns-forward-max configuration.
  348: 
  349: 	Tweak TFTP code to check sender of all received packets, as
  350: 	specified in RFC 1350 para 4.
  351: 
  352: 	Support some wildcard matching of input tags to --tag-if.
  353: 	Thanks to Geoff Back for the idea and the patch.
  354: 
  355: 	
  356: version 2.84
  357: 	Fix a problem, introduced in 2.83, which could see DNS replies
  358: 	being sent via the wrong socket. On machines running both
  359: 	IPv4 and IPv6 this could result in sporadic messages of
  360: 	the form "failed to send packet: Network is unreachable" and
  361: 	the loss of the query. Since the error is sporadic and of
  362: 	low probability, the client retry would normally succeed.
  363: 
  364: 	Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH.
  365: 
  366: 
  367: version 2.83
  368: 	Use the values of --min-port and --max-port in outgoing
  369: 	TCP connections to upstream DNS servers.
  370: 
  371: 	Fix a remote buffer overflow problem in the DNSSEC code. Any
  372: 	dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
  373: 	referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,
  374: 	CVE-2020-25687.
  375: 
  376: 	Be sure to only accept UDP DNS query replies at the address
  377: 	from which the query was originated. This keeps as much entropy
  378: 	in the {query-ID, random-port} tuple as possible, to help defeat
  379: 	cache poisoning attacks. Refer: CVE-2020-25684.
  380: 
  381: 	Use the SHA-256 hash function to verify that DNS answers
  382: 	received are for the questions originally asked. This replaces
  383: 	the slightly insecure SHA-1 (when compiled with DNSSEC) or
  384: 	the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
  385: 
  386: 	Handle multiple identical near simultaneous DNS queries better.
  387: 	Previously, such queries would all be forwarded
  388: 	independently. This is, in theory, inefficient but in practice
  389: 	not a problem, _except_ that it means that an answer for any
  390: 	of the forwarded queries will be accepted and cached.
  391: 	An attacker can send a query multiple times, and for each repeat,
  392: 	another {port, ID} becomes capable of accepting the answer he is
  393: 	sending in the blind, to random IDs and ports. The chance of a
  394: 	successful attack is therefore multiplied by the number of repeats
  395: 	of the query. The new behaviour detects repeated queries and
  396: 	merely stores the clients sending repeats so that when the
  397: 	first query completes, the answer can be sent to all the
  398: 	clients who asked. Refer: CVE-2020-25686.
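
An added example (not dnsmasq's code): a toy Python model of the forwarding table described in the CVE-2020-25686 entry, counting how many {port, ID} tuples will accept an answer when the same question is repeated, with and without merging, and the resulting chance that a blind guess matches. The class and function names and the sample question are constructed for illustration; the two port ranges are the ones given in the 2.85 entry.

```python
import math
import random

ID_SPACE = 1 << 16          # 16-bit DNS query ID


class Forwarder:
    """Toy model of the table of queries a forwarder has outstanding upstream."""

    def __init__(self, min_port, max_port, merge_duplicates, seed=1):
        self.ports = range(min_port, max_port + 1)
        self.merge = merge_duplicates
        # Seeded PRNG so the demo repeats; a real forwarder needs a CSPRNG here.
        self.rng = random.Random(seed)
        self.pending = {}   # (source_port, query_id) -> (question, [clients])

    def client_query(self, client, question):
        """Record a client query; return the (port, ID) that will accept its answer."""
        if self.merge:
            for key, (pending_q, clients) in self.pending.items():
                if pending_q == question:
                    clients.append(client)      # remember the client, forward nothing
                    return key
        while True:
            key = (self.rng.choice(self.ports), self.rng.randrange(ID_SPACE))
            if key not in self.pending:
                break
        self.pending[key] = (question, [client])
        return key

    def upstream_reply(self, port, query_id, question):
        """Return the clients to answer, or [] if the reply matches nothing outstanding."""
        entry = self.pending.get((port, query_id))
        if entry is None or entry[0] != question:
            return []
        del self.pending[(port, query_id)]
        return entry[1]

    def accepting_tuples(self, question):
        """Number of outstanding (port, ID) pairs that would accept this answer."""
        return sum(1 for q, _ in self.pending.values() if q == question)

    def blind_match_probability(self, question, guesses):
        """P(at least one of `guesses` uniformly random (port, ID) pairs is accepted)."""
        per_guess = self.accepting_tuples(question) / (len(self.ports) * ID_SPACE)
        return -math.expm1(guesses * math.log1p(-per_guess))


def tuple_entropy_bits(min_port, max_port):
    """Bits of entropy in one {query-ID, random-port} tuple for a port range."""
    return math.log2((max_port - min_port + 1) * ID_SPACE)


def compare(repeats=100, guesses=10_000, port_range=(1024, 65535)):
    """Same question asked `repeats` times, with and without merging."""
    question = ("www.example.com", "A")          # constructed name
    out = {}
    for label, merge in (("independent", False), ("merged", True)):
        fwd = Forwarder(*port_range, merge_duplicates=merge)
        for i in range(repeats):
            fwd.client_query(f"client-{i}", question)
        out[label] = (fwd.accepting_tuples(question),
                      fwd.blind_match_probability(question, guesses))
    return out


if __name__ == "__main__":
    for label, (tuples, p) in compare().items():
        print(f"{label:12s} accepting tuples={tuples:3d}  P(match)={p:.2e}")
    for lo, hi in ((1024, 65535), (32768, 60999)):
        print(f"ports {lo}-{hi}: {tuple_entropy_bits(lo, hi):.2f} bits per tuple")
```
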
  399: 	
  400: 
  401: version 2.82
  402: 	Improve behaviour in the face of network interfaces which come
  403: 	and go and change index. Thanks to Petr Mensik for the patch.
  404: 
  405: 	Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
  406: 	to a warning.
  407: 
  408: 	Allow IPv6 addresses of the form [::ffff:1.2.3.4] in --dhcp-option.
  409: 
  410: 	Fix crash under heavy TCP connection load introduced in 2.81.
  411: 	Thanks to Frank for good work chasing this down.
  412: 
  413: 	Change default lease time for DHCPv6 to one day.
  414: 
  415: 	Alter calculation of preferred and valid times in router
  416: 	advertisements, so that these do not have a floor applied
  417: 	of the lease time in the dhcp-range if this is not explicitly
  418: 	specified and is merely the default.
  419: 	Thanks to Martin-Éric Racine for suggestions on this.
  420: 
  421: 	
  422: version 2.81
  423: 	Improve cache behaviour for TCP connections. For ease of
  424: 	implementation, dnsmasq has always forked a new process to handle
  425: 	each incoming TCP connection. A side-effect of this is that
  426: 	any DNS queries answered from TCP connections are not cached:
  427: 	when TCP connections were rare, this was not a problem.
  428: 	With the coming of DNSSEC, it is now the case that some
  429: 	DNSSEC queries have answers which spill to TCP, and if,
  430: 	for instance, this applies to the keys for the root, then
  431: 	those never get cached, and performance is very bad.
  432: 	This fix passes cache entries back from the TCP child process to
  433: 	the main server process, and fixes the problem.
  434: 
  435: 	Remove the NO_FORK compile-time option, and support for uclinux.
  436: 	In an era where everything has an MMU, this looks like
  437: 	an anachronism, and it adds to (Ok, multiplies!) the
  438: 	combinatorial explosion of compile-time options. Thanks to
  439: 	Kevin Darbyshire-Bryant for the patch.
  440: 
  441: 	Fix line-counting when reading /etc/hosts and friends; for
  442: 	correct error messages. Thanks to Christian Rosentreter
  443: 	for reporting this.
  444: 
  445: 	Fix bug in DNS non-terminal code, added in 2.80, which could
  446: 	sometimes cause a NODATA rather than an NXDOMAIN reply.
  447: 	Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
  448: 	for spotting and diagnosing the bug and providing patches.
  449: 
  450: 	Support TCP-fastopen (RFC-7413) on both incoming and
  451: 	outgoing TCP connections, if supported and enabled in the OS.
  452: 
  453: 	Improve kernel-capability manipulation code under Linux. Dnsmasq
  454: 	now fails early if a required capability is not available, and
  455: 	tries not to request capabilities not required by its
  456: 	configuration.
  457: 
  458: 	Add --shared-network config. This enables allocation of addresses
  459: 	by the DHCP server in subnets where the server (or relay) does not
  460: 	have an interface on the network in that subnet. Many thanks to
  461: 	kamp.de for sponsoring this feature.
  462: 	
  463: 	Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
  464: 	validation check got borked in commit 2b38e382 and release 2.80.
  465: 	Thanks to Tomasz Szajner for spotting this.
  466: 
  467: 	Fix compilation against nettle version 3.5 and later.
  468: 
  469: 	Fix spurious DNSSEC validation failures when the auth section
  470: 	of a reply contains unsigned RRs from a signed zone, 
  471: 	with the exception that NSEC and NSEC3 RRs must always be signed.
  472:         Thanks to Tore Anderson for spotting and diagnosing the bug.
  473: 
  474: 	Add --dhcp-ignore-clid. This disables reading of DHCP client
  475: 	identifier option (option 61), so clients are only identified by
  476: 	MAC addresses.
  477: 
  478: 	Fix a bug which stopped --dhcp-name-match from working when a hostname
  479: 	is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
  480: 
  481: 	Fix bug which very rarely caused zero-length DHCPv6 packets.
  482: 	Thanks to Dereck Higgins for spotting this.
  483: 
  484: 	Add --tftp-single-port option.
  485: 
  486: 	Enhance --conf-dir to load files in a deterministic order. Thanks to
  487: 	Evgenii Seliavka for the suggestion and initial patch.
  488: 
  489: 	In the router advert code, handle case where we have two
  490: 	different interfaces on the same IPv6 net, and we are doing
  491: 	RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
  492: 	for spotting this case and making the initial patch.
  493: 
  494: 	Support prefixed ranges of ipv6 addresses in dhcp-host.
  495: 	This eases problems chain-netbooting, where each link in the
  496: 	chain requests an address using a different UID. With a single
  497: 	address, only one gets the "static" address, but with this
  498: 	fix, enough addresses can be reserved for all the stages of the
  499: 	boot. Many thanks to Harald Jensås for his work on this idea and
  500: 	earlier patches.
  501: 
  502: 	Add filtering by tag of --dhcp-host directives. Based on a patch
  503: 	by Harald Jensås.
  504: 
  505: 	Allow empty server spec in --rev-server, to match --server.
  506: 	
  507: 	Remove DSA signature verification from DNSSEC, as specified in
  508: 	RFC 8624. Thanks to Loganaden Velvindron for the original patch.
  509: 
  510: 	Add --script-on-renewal option.
  511: 
  512: 	
  513: version 2.80
  514: 	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
  515: 	for the initial patch and motivation.
  516: 
  517: 	Alter the default for dnssec-check-unsigned. Versions of
  518: 	dnsmasq prior to 2.80 defaulted to not checking unsigned
  519: 	replies, and used --dnssec-check-unsigned to switch
  520:         this on. Such configurations will continue to work as before,
  521:         but those which used the default of no checking will need to be
  522:         altered to explicitly select no checking. The new default is
  523:         because switching off checking for unsigned replies is
  524: 	inherently dangerous. Not only does it open the possibility of forged
  525:         replies, but it allows everything to appear to be working even
  526:         when the upstream nameservers do not support DNSSEC, and in this
  527:         case no DNSSEC validation at all is occurring.
  528: 
  529:         Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
  530: 	are set. Thanks to Daniel Miess for help with this.
  531: 
  532: 	Add a facility to store DNS packets sent/received in a
  533: 	pcap-format file for later debugging. The file location
  534: 	is given by the --dumpfile option, and a bitmap controlling
  535: 	which packets should be dumped is given by the --dumpmask
  536: 	option.
  537: 
  538: 	Handle the case of both standard and constructed dhcp-ranges on the
  539: 	same interface better. We don't now construct a dhcp-range if there's
  540: 	already one specified. This allows the specified interface to
  541: 	have different parameters and avoids advertising the same
  542: 	prefix twice. Thanks to Luis Marsano for spotting this case.
  543: 
  544: 	Allow zone transfer in authoritative mode if auth-peer is specified,
  545: 	even if auth-sec-servers is not. Thanks to Raphaël Halimi for
  546: 	the suggestion.
  547: 
  548: 	Fix bug which sometimes caused dnsmasq to wrongly return answers
  549: 	without DNSSEC RRs to queries with the do-bit set, but only when
  550: 	DNSSEC validation was not enabled.
  551: 	Thanks to Petr Menšík for spotting this.
  552: 
  553: 	Fix missing fatal errors with some malformed options
  554: 	(server, local, address, rebind-domain-ok, ipset, alias).
  555: 	Thanks to Eugene Lozovoy for spotting the problem.
  556: 
  557: 	Fix crash on startup with a --synth-domain which has no prefix.
  558: 	Introduced in 2.79. Thanks to Andreas Engel for the bug report.
  559: 
  560: 	Fix missing EDNS0 section in some replies generated by local
  561: 	DNS configuration which confused systemd-resolved. Thanks to
  562: 	Steve Dodd for characterising the problem.
  563: 
  564: 	Add --dhcp-name-match config option. 
  565: 
  566: 	Add --caa-record config option.
  567: 
  568: 	Implement --address=/example.com/# as (more efficient) syntactic
  569: 	sugar for --address=/example.com/0.0.0.0 and
  570: 	--address=/example.com/::
  571: 	Returning null addresses is a useful technique for ad-blocking.
  572: 	Thanks to Peter Russell for the suggestion.
  573: 	
  574: 	Change anti cache-snooping behaviour with queries with the
  575: 	recursion-desired bit unset. Instead of returning SERVFAIL, we
  576: 	now always forward, and never answer from the cache. This
  577: 	allows "dig +trace" command to work. 
  578: 	
  579: 	Include in the example config file a formulation which
  580: 	stops DHCP clients from claiming the DNS name "wpad".
  581: 	This is a fix for the CERT Vulnerability VU#598349.
  582: 
  583: 	
  584: version 2.79
  585: 	Fix parsing of CNAME arguments, which are confused by extra spaces.
  586: 	Thanks to Diego Aguirre for spotting the bug.
  587: 
  588: 	Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
  589: 	upstream servers to an interface, rather than SO_BINDTODEVICE.
  590: 	Thanks to Beniamino Galvani for the patch.
  591: 
  592: 	Always return a SERVFAIL answer to DNS queries without the
  593: 	recursion desired bit set, UNLESS acting as an authoritative
  594: 	DNS server. This avoids a potential route to cache snooping.
  595: 
  596: 	Add support for Ed25519 signatures in DNSSEC validation.
  597: 
  598: 	No longer support RSA/MD5 signatures in DNSSEC validation,
  599: 	since these are not secure. This behaviour is mandated in
  600: 	RFC-6944.
  601: 
  602: 	Fix incorrect error exit code from dhcp_release6 utility.
  603: 	Thanks Gaudenz Steinlin for the bug report.
  604: 
  605: 	Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
  606: 	time validation when --dnssec-no-timecheck is in use.
  607: 	Note that this is an incompatible change from earlier releases.
  608: 
  609: 	Allow more than one --bridge-interface option to refer to an
  610: 	interface, so that we can use
  611: 	--bridge-interface=int1,alias1
  612: 	--bridge-interface=int1,alias2
  613: 	as an alternative to
  614: 	--bridge-interface=int1,alias1,alias2
  615: 	Thanks to Neil Jerram for work on this.
  616: 
  617: 	Fix for DNSSEC with wildcard-derived NSEC records.
  618: 	It's OK for NSEC records to be expanded from wildcards,
  619: 	but in that case, the proof of non-existence is only valid
  620: 	starting at the wildcard name, *.<domain> NOT the name expanded
  621: 	from the wildcard. Without this check it's possible for an
  622: 	attacker to craft an NSEC which wrongly proves non-existence.
  623: 	Thanks to Ralph Dolmans for finding this, and co-ordinating 
  624: 	the vulnerability tracking and fix release.
  625: 	CVE-2017-15107 applies.
  626: 
  627: 	Remove special handling of A-for-A DNS queries. These
  628: 	are no longer a significant problem in the global DNS.
  629: 	http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
  630: 	Thanks to Mattias Hellström for the initial patch.
  631: 
  632: 	Fix failure to delete dynamically created dhcp options
  633: 	from files in --dhcp-optsdir directories. Thanks to
  634: 	Lindgren Fredrik for the bug report.
  635: 
  636: 	Add to --synth-domain the ability to create names using
  637: 	sequential numbers, as well as encodings of IP addresses.
  638: 	For instance,
  639: 	--synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
  640: 	creates 21 domain names of the form
  641: 	internal-4.thekelleys.org.uk over the address range given, with
  642: 	internal-0.thekelleys.org.uk being 192.168.0.50 and
  643: 	internal-20.thekelleys.org.uk being 192.168.0.70
  644: 	Thanks to Andy Hawkins for the suggestion.
  645: 
  646: 	Tidy up Crypto code, removing workarounds for ancient
  647: 	versions of libnettle. We now require libnettle 3.
  648: 
  649: 
  650: version 2.78
  651:         Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
  652: 	Novakovic for the patch.
  653: 
  654: 	Revert ping-check of address in DHCPDISCOVER if there
  655: 	already exists a lease for the address. Under some
  656: 	circumstances, a netbooted Windows installation can reply
  657: 	to pings before it has a DHCP lease and block allocation
  658: 	of the address it already used during netboot. Thanks to
  659: 	Jan Psota for spotting this.
  660: 
  661: 	Fix DHCP relaying, broken in 2.76 and 2.77 by commit
  662: 	ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
  663: 	John Fitzgibbon for the diagnosis and patch.
  664: 
  665:         Try other servers if first returns REFUSED when
  666: 	--strict-order active. Thanks to Hans Dedecker
  667: 	for the patch.
  668: 
  669: 	Fix regression in 2.77, ironically added as a security
  670: 	improvement, which resulted in a crash when a DNS
  671: 	query exceeded 512 bytes (or the EDNS0 packet size,
  672: 	if different.) Thanks to Christian Kujau, Arne Woerner,
  673: 	Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
  674: 	chasing this one down.  CVE-2017-13704 applies.
  675: 
  676: 	Fix heap overflow in DNS code. This is a potentially serious
  677: 	security hole. It allows an attacker who can make DNS
  678: 	requests to dnsmasq, and who controls the contents of
  679: 	a domain, which is thereby queried, to overflow
  680: 	(by 2 bytes) a heap buffer and either crash, or
  681: 	even take control of, dnsmasq.
  682: 	CVE-2017-14491 applies.
  683: 	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
  684: 	Kevin Hamacher and Ron Bowes of the Google Security Team for
  685: 	finding this.
  686: 
  687: 	Fix heap overflow in IPv6 router advertisement code.
  688: 	This is a potentially serious security hole, as a
  689: 	crafted RA request can overflow a buffer and crash or
  690: 	control dnsmasq. Attacker must be on the local network.
  691: 	CVE-2017-14492 applies.
  692:         Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
  693: 	and Kevin Hamacher of the Google Security Team for
  694: 	finding this.
  695: 
  696: 	Fix stack overflow in DHCPv6 code. An attacker who can send
  697: 	a DHCPv6 request to dnsmasq can overflow the stack frame and
  698: 	crash or control dnsmasq.
  699: 	CVE-2017-14493 applies.
  700: 	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
  701: 	Kevin Hamacher and Ron Bowes of the Google Security Team for
  702: 	finding this.
  703: 
  704: 	Fix information leak in DHCPv6. A crafted DHCPv6 packet can
  705: 	cause dnsmasq to forward memory from outside the packet
  706: 	buffer to a DHCPv6 server when acting as a relay.
  707: 	CVE-2017-14494 applies.
  708: 	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
  709: 	Kevin Hamacher and Ron Bowes of the Google Security Team for
  710: 	finding this.
  711: 
  712: 	Fix DoS in DNS. Invalid boundary checks in the
  713: 	add_pseudoheader function allow a memcpy call with negative
  714: 	size. An attacker who can send malicious DNS queries
  715: 	to dnsmasq can trigger a DoS remotely.
  716: 	dnsmasq is vulnerable only if one of the following options is
  717: 	specified: --add-mac, --add-cpe-id or --add-subnet.
  718: 	CVE-2017-14496 applies.
  719: 	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
  720: 	Kevin Hamacher and Ron Bowes of the Google Security Team for
  721: 	finding this.
  722: 
  723: 	Fix out-of-memory DoS vulnerability. An attacker who can
  724: 	send malicious DNS queries to dnsmasq can trigger memory
  725: 	allocations in the add_pseudoheader function.
  726: 	The allocated memory is never freed which leads to a DoS
  727: 	through memory exhaustion. dnsmasq is vulnerable only
  728: 	if one of the following options is specified:
  729: 	--add-mac, --add-cpe-id or --add-subnet.
  730: 	CVE-2017-14495 applies.
  731: 	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
  732: 	Kevin Hamacher and Ron Bowes of the Google Security Team for
  733: 	finding this.
  734: 
  735: 
  736: version 2.77
  737: 	Generate an error when configured with a CNAME loop,
  738: 	rather than a crash. Thanks to George Metz for
  739: 	spotting this problem.
  740: 
  741: 	Calculate the length of TFTP error reply packet 
  742: 	correctly. This fixes a problem when the error 
  743: 	message in a TFTP packet exceeds the arbitrary 
  744: 	limit of 500 characters. The message was correctly
  745: 	truncated, but not the packet length, so 
  746: 	extra data was appended. This is a possible
  747: 	security risk, since the extra data comes from
  748: 	a buffer which is also used for DNS, so that
  749: 	previous DNS queries or replies may be leaked.
  750: 	Thanks to Mozilla for funding the security audit 
  751: 	which spotted this bug.
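
The length mismatch described in the TFTP entry above, as an added example (not dnsmasq's own code). The function names, buffer size and marker byte are hypothetical, and the use of snprintf()'s return value as the source of the mismatch is an assumption made for illustration; the changelog does not state the mechanism.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ERR_MSG_LIMIT 500  /* the 500-character limit named in the entry */
#define TFTP_OP_ERROR 5    /* TFTP ERROR opcode (RFC 1350) */
#define PACKET_SIZE   2048 /* constructed size for the shared buffer */
#define STALE_MARKER  0xAA /* constructed stand-in for leftover DNS data */

/* Store a 16-bit value in network byte order. */
static void put16(unsigned char *p, unsigned v)
{
  p[0] = (unsigned char)(v >> 8);
  p[1] = (unsigned char)(v & 0xff);
}

/* Before: snprintf() truncates the text to the limit, but its return value
   is the length the text would have had, so the packet length overshoots. */
size_t tftp_error_unclamped(unsigned char *packet, unsigned code, const char *text)
{
  int n;
  put16(packet, TFTP_OP_ERROR);
  put16(packet + 2, code);
  n = snprintf((char *)packet + 4, ERR_MSG_LIMIT, "%s", text);
  return 4 + (size_t)n + 1; /* header + text + NUL */
}

/* After: the length is clamped to what was actually written. */
size_t tftp_error_clamped(unsigned char *packet, unsigned code, const char *text)
{
  int n;
  put16(packet, TFTP_OP_ERROR);
  put16(packet + 2, code);
  n = snprintf((char *)packet + 4, ERR_MSG_LIMIT, "%s", text);
  if (n < 0) {                     /* output error: send an empty message */
    packet[4] = 0;
    n = 0;
  } else if (n >= ERR_MSG_LIMIT) { /* text was truncated */
    n = ERR_MSG_LIMIT - 1;
  }
  return 4 + (size_t)n + 1;
}

/* Build an error packet in a buffer pre-filled with the marker byte and
   count how many marker bytes fall inside the length that would be sent. */
size_t stale_bytes_sent(int clamped, size_t text_len)
{
  unsigned char packet[PACKET_SIZE];
  char text[1024];
  size_t len, i, stale = 0;

  if (text_len >= sizeof text)
    return (size_t)-1;
  memset(packet, STALE_MARKER, sizeof packet); /* "previous DNS traffic" */
  memset(text, 'A', text_len);                 /* constructed error text */
  text[text_len] = '\0';

  len = clamped ? tftp_error_clamped(packet, 1, text)
                : tftp_error_unclamped(packet, 1, text);
  for (i = 0; i < len && i < sizeof packet; i++)
    if (packet[i] == STALE_MARKER)
      stale++;
  return stale;
}

int main(void)
{
  printf("unclamped, 700-char text: %zu stale bytes in packet\n",
         stale_bytes_sent(0, 700));
  printf("clamped,   700-char text: %zu stale bytes in packet\n",
         stale_bytes_sent(1, 700));
  return 0;
}
```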
  752: 
  753: 	Fix logic error in Linux netlink code. This could
  754: 	cause dnsmasq to enter a tight loop on systems
  755: 	with a very large number of network interfaces.
  756: 	Thanks to Ivan Kokshaysky for the diagnosis and
  757: 	patch.
  758: 
  759: 	Fix problem with --dnssec-timestamp whereby receipt
  760: 	of SIGHUP would erroneously engage timestamp checking.
  761: 	Thanks to Kevin Darbyshire-Bryant for this work.
  762: 
  763: 	Bump zone serial on reloading /etc/hosts and friends
  764: 	when providing authoritative DNS. Thanks to Harrald
  765: 	Dunkel for spotting this.
  766: 
  767: 	Handle v4-mapped IPv6 addresses sanely in --synth-domain.
  768: 	These have standard representation like ::ffff:1.2.3.4
  769: 	and are now converted to names like
  770: 	<prefix>--ffff-1-2-3-4.<domain>
  771: 
  772: 	Handle binding upstream servers to an interface 
  773: 	(--server=1.2.3.4@eth0) when the named interface
  774: 	is destroyed and recreated in the kernel. Thanks to 
  775: 	Beniamino Galvani for the patch.
  776: 
  777: 	Allow wildcard CNAME records in authoritative zones.
  778: 	For example --cname=*.example.com,default.example.com
  779: 	Thanks to Pro Backup for sponsoring this development.
  780: 
  781: 	Bump the allowed backlog of TCP connections from 5 to 32,
  782: 	and make this a compile-time configurable option. Thanks
  783: 	to Donatas Abraitis for diagnosing this as a potential
  784: 	problem.
  785: 
  786: 	Add DNSMASQ_REQUESTED_OPTIONS environment variable to the 
  787: 	lease-change script. Thanks to ZHAO Yu for the patch.
  788: 
  789: 	Fix foobar in rrfilter code, that could cause malformed 
  790: 	replies, especially when DNSSEC validation is on, and
  791: 	the upstream server returns an answer with the RRs in a
  792: 	particular order. The only DNS server known to tickle
  793: 	this is Nominum's. Thanks to Dave Täht for spotting the
  794: 	bug and assisting in the fix.
  795: 
  796: 	Fix the manpage which lied that only the primary address
  797: 	of an interface is used by --interface-name.
  798: 
  799: 	Make --localise-queries apply to names from --interface-name.
  800: 	Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
  801: 	for pushing this.
  802: 
  803: 	Improve connection handling when talking to TCP upstream 
  804: 	servers. Specifically, be prepared to open a new TCP
  805: 	connection when we want to make multiple queries
  806: 	but the upstream server accepts fewer queries per connection.
  807: 
  808: 	Improve logging of upstream servers when there are a lot
  809: 	of "local addresses only" entries. Thanks to Hannu Nyman for
  810: 	the patch.
  811: 
  812: 	Make --bogus-priv apply to IPv6, for the prefixes specified
  813: 	in RFC6303. Thanks to Kevin Darbyshire-Bryant for work on this.
  814: 
  815: 	Allow use of MAC addresses with --tftp-unique-root. Thanks
  816: 	to Floris Bos for the patch.
  817: 
  818: 	Add --dhcp-reply-delay option. Thanks to Floris Bos
  819: 	for the patch.
  820: 
  821: 	Add mtu setting facility to --ra-param. Thanks to David
  822: 	Flamand for the patch.
  823: 
  824: 	Capture STDOUT and STDERR output from dhcp-script and log
  825: 	it as part of the dnsmasq log stream. Makes life easier
  826: 	for diagnosing unexpected problems in scripts.
  827: 	Thanks to Petr Mensik for the patch.
  828: 
  829: 	Generate fatal errors when failing to parse the output
  830: 	of the dhcp-script in "init" mode. Avoids strange errors
  831: 	when the script accidentally emits error messages.
  832: 	Thanks to Petr Mensik for the patch.
  833: 
  834: 	Make --rev-server for an RFC1918 subnet work even in the
  835: 	presence of the --bogus-priv flag. Thanks to
  836: 	Vladislav Grishenko for the patch.
  837: 
  838: 	Extend --ra-param mtu: field to allow an interface name.
  839: 	This allows the MTU of a WAN interface to be advertised on
  840: 	the internal interfaces of a router. Thanks to
  841: 	Vladislav Grishenko for the patch.
  842: 
  843: 	Do ICMP-ping check for address-in-use for DHCPv4 when
  844: 	the client specifies an address in DHCPDISCOVER, and when
  845: 	an address is configured locally. Thanks to Alin Năstac
  846: 	for spotting the problem.
  847: 
  848: 	Add new DHCP tag "known-othernet" which is set when only a
  849: 	dhcp-host exists for another subnet. Can be used to ensure
  850: 	that privileged hosts are not given "guest" addresses by
  851: 	accident. Thanks to Todd Sanket for the suggestion.
  852: 
  853: 	Remove historic automatic inclusion of IDN support when
  854: 	building internationalisation support. This doesn't
  855: 	fit now there is a choice of IDN libraries. Be sure
  856: 	to include either -DHAVE_IDN or -DHAVE_LIBIDN2 for
  857: 	IDN support.
  858: 
  859: 
  860: version 2.76
  861: 	Include 0.0.0.0/8 in DNS rebind checks. This range 
  862: 	translates to hosts on  the local network, or, at 
  863: 	least, 0.0.0.0 accesses the local host, so could
  864: 	be targets for DNS rebinding. See RFC 5735 section 3 
  865: 	for details. Thanks to Stephen Röttger for the bug report.
  866: 
  867: 	Enhance --add-subnet to allow arbitrary subnet addresses.
  868: 	Thanks to Ed Barsley for the patch.
  869: 
  870: 	Respect the --no-resolv flag in inotify code. Fixes bug
  871: 	which caused dnsmasq to fail to start if a resolv-file 
  872: 	was a dangling symbolic link, even if --no-resolv is set.
  873: 	Thanks to Alexander Kurtz for spotting the problem.
  874: 
  875: 	Fix crash when an A or AAAA record is defined locally,
  876: 	in a hosts file, and an upstream server sends a reply
  877: 	that the same name is empty. Thanks to Edwin Török for
  878: 	the patch.
  879: 
  880: 	Fix failure to correctly calculate cache-size when 
  881: 	reading a hosts-file fails. Thanks to André Glüpker 
  882: 	for the patch.
  883: 
  884: 	Fix wrong answer to simple name query when --domain-needed
  885: 	set, but no upstream servers configured. Dnsmasq returned
  886: 	REFUSED, in this case, when it should be the same as when
  887: 	upstream servers are configured - NOERROR. Thanks to 
  888: 	Allain Legacy for spotting the problem.
  889: 
  890: 	Return REFUSED when running out of forwarding table slots,
  891: 	not SERVFAIL.
  892: 
  893: 	Add --max-port configuration. Thanks to Hans Dedecker for
  894: 	the patch.
  895: 
  896: 	Add --script-arp and two new functions for the dhcp-script.
  897: 	These are "arp" and "arp-old" which announce the arrival and
  898: 	removal of entries in the ARP or neighbour tables.
  899: 
  900: 	Extend --add-mac to allow a new encoding of the MAC address 
  901: 	as base64, by configuring --add-mac=base64
  902: 
  903: 	Add --add-cpe-id option.
  904: 
  905: 	Don't crash with divide-by-zero if an IPv6 dhcp-range
  906: 	is declared as a whole /64.
  907: 	(ie xx::0 to xx::ffff:ffff:ffff:ffff) 
  908: 	Thanks to Laurent Bendel for spotting this problem.
  909: 
  910: 	Add support for a TTL parameter in --host-record and
  911: 	--cname.
  912: 
  913: 	Add --dhcp-ttl option.
  914: 
  915: 	Add --tftp-mtu option. Thanks to Patrick McLean for the 
  916: 	initial patch.
  917: 
  918: 	Check return-code of inet_pton() when parsing dhcp-option.
  919: 	Bad addresses could fail to generate errors and result in
  920: 	garbage dhcp-options being sent. Thanks to Marc Branchaud 
  921: 	for spotting this.
  922: 
  923: 	Fix wrong value for EDNS UDP packet size when using 
  924: 	--servers-file to define upstream DNS servers. Thanks to
  925: 	Scott Bonar for the bug report.
  926: 
  927: 	Move the dhcp_release and dhcp_lease_time tools from 
  928: 	contrib/wrt to contrib/lease-tools.
  929: 
  930: 	Add dhcp_release6 to contrib/lease-tools. Many thanks 
  931: 	to Sergey Nechaev for this code.
  932: 
  933: 	To avoid filling logs in configurations which define
  934: 	many upstream nameservers, don't log more than 30 servers.
  935: 	The number to be logged can be changed as SERVERS_LOGGED
  936: 	in src/config.h.
  937: 
  938: 	Swap the values of BC_EFI and x86-64_EFI in --pxe-service.
  939: 	These were previously wrong due to an error in RFC 4578.
  940: 	If you're using BC_EFI to boot 64-bit EFI machines, you
  941: 	will need to update your config.
  942: 
  943: 	Add ARM32_EFI and ARM64_EFI as valid architectures in
  944: 	--pxe-service.
  945: 
  946: 	Fix PXE booting for UEFI architectures. Modify PXE boot
  947: 	sequence in this case to force the client to talk to dnsmasq
  948: 	over port 4011. This makes PXE and especially proxy-DHCP PXE
  949: 	work with these architectures.
  950: 
  951: 	Workaround problems with UEFI PXE clients. There exist
  952: 	in the wild PXE clients which have problems with PXE
  953: 	boot menus. To work around this, when there's a single
  954: 	--pxe-service which applies to client, then that target
  955: 	will be booted directly, rather than sending a
  956: 	single-item boot menu.
  957: 
  958: 	Many thanks to Jarek Polok, Michael Kuron and Dreamcat4 
  959: 	for their work on the long-standing UEFI PXE problem.
  960: 
  961: 	Subtle change in the semantics of "basename" in
  962: 	--pxe-service. The historical behaviour has always been
  963: 	that the actual filename downloaded from the TFTP server
  964: 	is <basename>.<layer> where <layer> is an integer which
  965: 	corresponds to the layer parameter supplied by the client.
  966: 	It's not clear what the function of the "layer" 
  967: 	actually is in the PXE protocol, and in practice layer
  968: 	is always zero, so the filename is <basename>.0
  969: 	The new behaviour is the same as the old, except when
  970: 	<basename> includes a file suffix, in which case
  971: 	the layer suffix is no longer added. This allows
  972: 	sensible suffixes to be used, rather than the
  973: 	meaningless ".0". Only in the unlikely event that you
  974: 	have a config with a basename which already has a
  975: 	suffix, is this an incompatible change, since the file
  976: 	downloaded will change from name.suffix.0 to just 
  977: 	name.suffix
  978: 
  979: 
  980: version 2.75
  981: 	Fix reversion on 2.74 which caused 100% CPU use when a 
  982: 	dhcp-script is configured. Thanks to Adrian Davey for
  983: 	reporting the bug and testing the fix.
  984: 
  985: 
  986: version 2.74
  987: 	Fix reversion in 2.73 where --conf-file would attempt to
  988: 	read the default file, rather than no file.
  989: 
  990: 	Fix inotify code to handle dangling symlinks better and
  991: 	not SEGV in some circumstances.
  992: 
  993: 	DNSSEC fix. In the case of a signed CNAME generated by a
  994: 	wildcard which pointed to an unsigned domain, the wrong
  995: 	status would be logged, and some necessary checks omitted.
  996: 
  997: 
  998: version 2.73
  999: 	Fix crash at startup when an empty suffix is supplied to
 1000: 	--conf-dir, also trivial memory leak. Thanks to 
 1001: 	Tomas Hozza for spotting this.
 1002: 
 1003: 	Remove floor of 4096 on advertised EDNS0 packet size when 
 1004: 	DNSSEC in use, the original rationale for this has long gone.
 1005: 	Thanks to Anders Kaseorg for spotting this.
 1006: 
 1007: 	Use inotify for checking on updates to /etc/resolv.conf and
 1008: 	friends under Linux. This fixes race conditions when the files are 
 1009: 	updated rapidly and saves CPU by not polling. To build
 1010: 	a binary that runs on old Linux kernels without inotify,
 1011: 	use make COPTS=-DNO_INOTIFY
 1012: 
 1013: 	Fix breakage of --domain=<domain>,<subnet>,local - only reverse
 1014: 	queries were intercepted. This appears to have been broken
 1015: 	since 2.69. Thanks to Josh Stone for finding the bug.
 1016: 
 1017: 	Eliminate IPv6 privacy addresses and deprecated addresses from
 1018: 	the answers given by --interface-name. Note that reverse queries
 1019: 	(ie looking for names, given addresses) are not affected. 
 1020: 	Thanks to Michael Gorbach for the suggestion.
 1021: 
 1022: 	Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
 1023: 	for the bug report.
 1024: 
 1025: 	Add --ignore-address option. Ignore replies to A-record 
 1026: 	queries which include the specified address. No error is
 1027: 	generated, dnsmasq simply continues to listen for another 
 1028: 	reply. This is useful to defeat blocking strategies which
 1029: 	rely on quickly supplying a forged answer to a DNS 
 1030: 	request for certain domains, before the correct answer can
 1031: 	arrive. Thanks to Glen Huang for the patch.
 1032: 
 1033: 	Revisit the part of DNSSEC validation which determines if an 
 1034: 	unsigned answer is legit, or is in some part of the DNS 
 1035: 	tree which should be signed. Dnsmasq now works from the 
 1036: 	DNS root downward looking for the limit of signed 
 1037: 	delegations, rather than working bottom up. This is 
 1038: 	both more correct, and less likely to trip over broken 
 1039: 	nameservers in the unsigned parts of the DNS tree 
 1040: 	which don't respond well to DNSSEC queries.
 1041: 
 1042: 	Add --log-queries=extra option, which makes logs easier
 1043: 	to search automatically.
 1044: 
 1045: 	Add --min-cache-ttl option. I've resisted this for a long 
 1046: 	time, on the grounds that disbelieving TTLs is never a 
 1047: 	good idea, but I've been persuaded that there are 
 1048: 	sometimes reasons to do it. (Step forward, GFW).
 1049: 	To avoid misuse, there's a hard limit on the TTL 
 1050: 	floor of one hour. Thanks to RinSatsuki for the patch.
 1051: 
 1052: 	Cope with multiple interfaces with the same link-local 
 1053: 	address. (IPv6 addresses are scoped, so this is allowed.)
 1054: 	Thanks to Cory Benfield for help with this.
 1055: 
 1056: 	Add --dhcp-hostsdir. This allows addition of new host
 1057: 	configurations to a running dnsmasq instance much more 
 1058: 	cheaply than having dnsmasq re-read all its existing
 1059: 	configuration each time. 
 1060: 
 1061: 	Don't reply to DHCPv6 SOLICIT messages if we're not 
 1062: 	configured to do stateful DHCPv6. Thanks to Win King Wan 
 1063: 	for the patch.
 1064: 
 1065: 	Fix broken DNSSEC validation of ECDSA signatures.
 1066: 
 1067: 	Add --dnssec-timestamp option, which provides an automatic
 1068: 	way to detect when the system time becomes valid after 
 1069: 	boot on systems without an RTC, whilst allowing DNS 
 1070: 	queries before the clock is valid so that NTP can run. 
 1071: 	Thanks to Kevin Darbyshire-Bryant for developing this idea.
 1072: 
 1073: 	Add --tftp-no-fail option. Thanks to Stefan Tomanek for
 1074: 	the patch.
 1075: 
 1076: 	Fix crash caused by looking up servers.bind, CHAOS text 
 1077: 	record, when more than about five --servers= lines are 
 1078: 	in the dnsmasq config. This causes memory corruption 
 1079: 	which causes a crash later. Thanks to Matt Coddington for 
 1080: 	sterling work chasing this down.
 1081: 
 1082: 	Fix crash on receipt of certain malformed DNS requests.
 1083: 	Thanks to Nick Sampanis for spotting the problem.
 1084: 	Note that this could allow the dnsmasq process's
 1085: 	memory to be read by an attacker under certain
 1086: 	circumstances, so it has a CVE, CVE-2015-3294.
 1087: 
 1088: 	Fix crash in authoritative DNS code, if a .arpa zone 
 1089: 	is declared as authoritative, and then a PTR query which
 1090: 	is not to be treated as authoritative arrived. Normally, 
 1091: 	directly declaring .arpa zone as authoritative is not 
 1092: 	done, so this crash wouldn't be seen. Instead the 
 1093: 	relevant .arpa zone should be specified as a subnet
 1094: 	in the auth-zone declaration. Thanks to Johnny S. Lee
 1095: 	for the bug report and initial patch.
 1096: 
 1097: 	Fix authoritative DNS code to correctly reply to NS 
 1098: 	and SOA queries for .arpa zones for which we are 
 1099: 	declared authoritative by means of a subnet in auth-zone.
 1100: 	Previously we provided correct answers to PTR queries
 1101: 	in such zones (including NS and SOA) but not direct
 1102: 	NS and SOA queries. Thanks to Johnny S. Lee for 
 1103: 	pointing out the problem.
 1104: 
 1105: 	Fix logging of DHCPREPLY which should be suppressed 
 1106: 	by quiet-dhcp6. Thanks to J. Pablo Abonia for 
 1107: 	spotting the problem.
 1108: 
 1109: 	Try and handle net connections with broken fragmentation 
 1110: 	that lose large UDP packets. If a server times out, 
 1111: 	reduce the maximum UDP packet size field in the EDNS0
 1112: 	header to 1280 bytes. If it then answers, make that
 1113: 	change permanent.
 1114: 
 1115: 	Check IPv4-mapped IPv6 addresses when --stop-rebind
 1116: 	is active. Thanks to Jordan Milne for spotting this.
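
A rebind filter covering both this entry (IPv4-mapped IPv6 addresses) and the 2.76 entry that adds 0.0.0.0/8, as an added example (not dnsmasq's own code). The function names are hypothetical, and the list of rejected ranges beyond 0.0.0.0/8 (loopback, RFC 1918, link-local) is an assumption, not taken from the changelog.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if the IPv4 address (host byte order) lies in a range that a
   rebind filter should refuse in answers from upstream servers. */
static int v4_is_local(uint32_t a)
{
  return (a & 0xff000000u) == 0x00000000u  /* 0.0.0.0/8, RFC 5735 section 3 */
      || (a & 0xff000000u) == 0x7f000000u  /* 127.0.0.0/8 loopback          */
      || (a & 0xff000000u) == 0x0a000000u  /* 10.0.0.0/8                    */
      || (a & 0xfff00000u) == 0xac100000u  /* 172.16.0.0/12                 */
      || (a & 0xffff0000u) == 0xc0a80000u  /* 192.168.0.0/16                */
      || (a & 0xffff0000u) == 0xa9fe0000u; /* 169.254.0.0/16 link-local     */
}

/* Classify one address taken from an upstream answer.
   Returns 1 = reject as a rebind target, 0 = allow, -1 = not an address.
   An AAAA record holding ::ffff:a.b.c.d reaches the same host as the A
   record a.b.c.d, so the embedded IPv4 address gets the same check. */
int rebind_blocked(const char *text)
{
  struct in_addr a4;
  struct in6_addr a6;

  if (inet_pton(AF_INET, text, &a4) == 1)
    return v4_is_local(ntohl(a4.s_addr));

  if (inet_pton(AF_INET6, text, &a6) == 1) {
    if (IN6_IS_ADDR_V4MAPPED(&a6)) {
      uint32_t v4;
      memcpy(&v4, &a6.s6_addr[12], sizeof v4); /* last 4 bytes hold the IPv4 part */
      return v4_is_local(ntohl(v4));
    }
    return 0; /* native IPv6 ranges are outside the scope of this example */
  }
  return -1;
}

int main(void)
{
  /* Constructed sample answers. */
  const char *samples[] = { "0.0.0.0", "0.1.2.3", "192.168.1.1", "8.8.8.8",
                            "::ffff:192.168.1.1", "::ffff:0.0.0.0",
                            "::ffff:8.8.8.8" };
  size_t i;

  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf("%-20s %s\n", samples[i],
           rebind_blocked(samples[i]) == 1 ? "reject" : "allow");
  return 0;
}
```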
 1117: 
 1118: 	Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
 1119: 	Thanks to Kevin Benton for patches and work on this.
 1120: 
 1121: 	Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
 1122: 	in the correct subnet, even if not in dynamic address
 1123: 	allocation range. Thanks to Steve Hirsch for spotting
 1124: 	the problem.
 1125: 
 1126: 	Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
 1127: 	to Nicolas Cavallari for the patch.
 1128: 
 1129: 	Allow configuration of router advertisements without the 
 1130: 	"on-link" bit set. Thanks to Neil Jerram for the patch.
 1131: 
 1132: 	Extend --bridge-interface to DHCPv6 and router 
 1133: 	advertisements. Thanks to Neil Jerram for the patch.
 1134: 
 1135: 
 1136: version 2.72
 1137: 	Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
 1138: 
 1139: 	Add support for "ipsets" in *BSD, using pf. Thanks to 
 1140: 	Sven Falempin for the patch.
 1141: 
 1142: 	Fix race condition which could lock up dnsmasq when an 
 1143: 	interface goes down and up rapidly. Thanks to Conrad 
 1144: 	Kostecki for helping to chase this down.
 1145: 
 1146: 	Add DBus methods SetFilterWin2KOption and SetBogusPrivOption.
 1147: 	Thanks to the Smoothwall project for the patch.
 1148: 
 1149: 	Fix failure to build against Nettle-3.0. Thanks to Steven 
 1150: 	Barth for spotting this and finding the fix. 
 1151: 
 1152: 	When assigning existing DHCP leases to interfaces by comparing 
 1153: 	networks, handle the case that two or more interfaces have the
 1154: 	same network part, but different prefix lengths (favour the
 1155: 	longer prefix length.) Thanks to Lung-Pin Chang for the 
 1156: 	patch.
 1157: 
 1158: 	Add a mode which detects and removes DNS forwarding loops, ie 
 1159: 	a query sent to an upstream server returns as a new query to 
 1160: 	dnsmasq, and would therefore be forwarded again, resulting in 
 1161: 	a query which loops many times before being dropped. Upstream
 1162: 	servers which loop back are disabled and this event is logged.
 1163: 	Thanks to Smoothwall for their sponsorship of this feature.
 1164: 
 1165: 	Extend --conf-dir to allow filtering of files. So
 1166: 	--conf-dir=/etc/dnsmasq.d,\*.conf
 1167: 	will load all the files in /etc/dnsmasq.d which end in .conf
 1168: 
 1169: 	Fix bug which resulted in NXDOMAIN answers instead of NODATA in
 1170: 	some circumstances.
 1171: 
 1172: 	Fix bug which caused dnsmasq to become unresponsive if it 
 1173: 	failed to send packets due to a network interface disappearing.
 1174: 	Thanks to Niels Peen for spotting this.
 1175: 
 1176: 	Fix problem with --local-service option on big-endian platforms.
 1177: 	Thanks to Richard Genoud for the patch.
 1178: 
 1179: 
 1180: version 2.71
 1181: 	Subtle change to error handling to help DNSSEC validation 
 1182: 	when servers fail to provide NODATA answers for 
 1183: 	non-existent DS records.
 1184: 
 1185: 	Tweak code which removes DNSSEC records from answers when
 1186: 	not required. Fixes broken answers when additional section
 1187: 	has real records in it. Thanks to Marco Davids for the bug 
 1188: 	report.
 1189: 
 1190: 	Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
 1191: 	for spotting that too.
 1192: 
 1193: 	Fix total DNS failure and 100% CPU use if cachesize set to zero,
 1194: 	regression introduced in 2.69. Thanks to James Hunt and
 1195: 	the Ubuntu crowd for assistance in fixing this.
 1196: 
 1197: 
 1198: version 2.70
 1199: 	Fix crash, introduced in 2.69, on TCP request when dnsmasq
 1200: 	compiled with DNSSEC support, but running without DNSSEC
 1201: 	enabled. Thanks to Manish Sing for spotting that one.
 1202: 
 1203: 	Fix regression which broke ipset functionality. Thanks to 
 1204: 	Wang Jian for the bug report.
 1205: 
 1206: 
 1207: version 2.69
 1208: 	Implement dynamic interface discovery on *BSD. This allows
 1209: 	the constructor: syntax to be used in dhcp-range for DHCPv6
 1210: 	on the BSD platform. Thanks to Matthias Andree for
 1211: 	valuable research on how to implement this.
 1212: 
 1213: 	Fix infinite loop associated with some --bogus-nxdomain
 1214: 	configs. Thanks fogobogo for the bug report.
 1215: 
 1216: 	Fix missing RA RDNS option with configuration like
 1217: 	--dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
 1218: 	for spotting the problem.
 1219: 
 1220: 	Add [fd00::] and [fe80::] as special addresses in DHCPv6
 1221: 	options, analogous to [::]. [fd00::] is replaced with the
 1222: 	actual ULA of the interface on the machine running
 1223: 	dnsmasq, [fe80::] with the link-local address. 
 1224: 	Thanks to Tsachi Kimeldorfer for championing this.
 1225: 
 1226: 	DNSSEC validation and caching. Dnsmasq needs to be
 1227: 	compiled with this enabled, with 
 1228: 
 1229: 	make dnsmasq COPTS=-DHAVE_DNSSEC
 1230: 
 1231: 	this adds dependencies on the nettle crypto library and the 
 1232: 	gmp maths library. It's possible to have these linked
 1233: 	statically with
 1234: 
 1235: 	make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
 1236: 
 1237: 	which bloats the dnsmasq binary, but saves the size of 
 1238: 	the shared libraries which are much bigger.
 1239: 
 1240: 	To enable DNSSEC, you will need a set of
 1241: 	trust-anchors. Now that the TLDs are signed, this can be
 1242: 	the keys for the root zone, and for convenience they are
 1243: 	included in trust-anchors.conf in the dnsmasq
 1244: 	distribution. You should of course check that these are
 1245: 	legitimate and up-to-date. So, adding
 1246: 
 1247: 	conf-file=/path/to/trust-anchors.conf
 1248: 	dnssec
 1249: 
 1250: 	to your config is all that's needed to get things
 1251: 	working. The upstream nameservers have to be DNSSEC-capable
 1252: 	too, of course. Many ISP nameservers aren't, but the
 1253: 	Google public nameservers (8.8.8.8 and 8.8.4.4) are.
 1254: 	When DNSSEC is configured, dnsmasq validates any queries 
 1255: 	for domains which are signed. Query results which are 
 1256: 	bogus are replaced with SERVFAIL replies, and results 
 1257: 	which are correctly signed have the AD bit set. In 
 1258: 	addition, and just as importantly, dnsmasq supplies 
 1259: 	correct DNSSEC information to clients which are doing 
 1260: 	their own validation, and caches DNSKEY, DS and RRSIG
 1261: 	records, which significantly improve the performance of 
 1262: 	downstream validators. Setting --log-queries will show 
 1263: 	DNSSEC in action.
 1264: 
 1265: 	If a domain is returned from an upstream nameserver without 
 1266: 	DNSSEC signature, dnsmasq by default trusts this. This 
 1267: 	means that for unsigned zones (still the majority) there
 1268: 	is effectively no cost for having DNSSEC enabled. Of course
 1269: 	this allows an attacker to replace a signed record with a 
 1270: 	false unsigned record. This is addressed by the 
 1271: 	--dnssec-check-unsigned flag, which instructs dnsmasq
 1272: 	to prove that an unsigned record is legitimate, by finding  
 1273: 	a secure proof that the zone containing the record is not
 1274: 	signed. Doing this has costs (typically one or two extra
 1275: 	upstream queries). It also has a nasty failure mode if
 1276: 	dnsmasq's upstream nameservers are not DNSSEC capable. 
 1277: 	Without --dnssec-check-unsigned using such an upstream
 1278: 	server will simply result in no queries being validated;
 1279: 	with --dnssec-check-unsigned enabled and a 
 1280: 	DNSSEC-ignorant upstream server, _all_ queries will fail.
 1281: 
 1282: 	Note that DNSSEC requires that the local time is valid and 
 1283: 	accurate, if not then DNSSEC validation will fail. NTP 
 1284: 	should be running. This presents a problem for routers
 1285: 	without a battery-backed clock. To set the time needs NTP 
 1286: 	to do DNS lookups, but lookups will fail until NTP has run.
 1287: 	To address this, there's a flag, --dnssec-no-timecheck 
 1288: 	which disables the time checks (only) in DNSSEC. When dnsmasq
 1289: 	is started and the clock is not synced, this flag should
 1290: 	be used. As soon as the clock is synced, SIGHUP dnsmasq. 
 1291: 	The SIGHUP clears the cache of partially-validated data and
 1292: 	resets the no-timecheck flag, so that all DNSSEC checks 
 1293: 	henceforward will be complete.
 1294: 
 1295: 	The development of DNSSEC in dnsmasq was started by 
 1296: 	Giovanni Bajo, to whom huge thanks are owed. It has been
 1297: 	supported by Comcast, whose techfund grant has allowed for 
 1298: 	an invaluable period of full-time work to get it to 
 1299: 	a workable state.
 1300: 
 1301: 	Add --rev-server. Thanks to Dave Taht for suggesting this.
 1302: 
 1303: 	Add --servers-file. Allows dynamic update of upstream servers 
 1304: 	full access to configuration. 
 1305: 
 1306: 	Add --local-service. Accept DNS queries only from hosts 
 1307: 	whose address is on a local subnet, ie a subnet for which 
 1308: 	an interface exists on the server. This option
 1309: 	only has effect if there are no --interface --except-interface,
 1310: 	--listen-address or --auth-server options. It is intended 
 1311: 	to be set as a default on installation, to allow
 1312: 	unconfigured installations to be useful but also safe from 
 1313: 	being used for DNS amplification attacks.
 1314: 
 1315: 	Fix crashes in cache_get_cname_target() when dangling CNAMEs
 1316: 	encountered. Thanks to Andy and the rt-n56u project for
 1317: 	finding this and helping to chase it down.
 1318: 
 1319: 	Fix wrong RCODE in authoritative DNS replies to PTR queries. The
 1320: 	correct answer was included, but the RCODE was set to NXDOMAIN.
 1321: 	Thanks to Craig McQueen for spotting this.
 1322: 
 1323: 	Make statistics available as DNS queries in the .bind TLD as 
 1324: 	well as logging them.
 1325: 
 1326: 
 1327: version 2.68
 1328: 	Use random addresses for DHCPv6 temporary address
 1329: 	allocations, instead of algorithmically determined stable
 1330: 	addresses.
 1331: 
 1332: 	Fix bug which meant that the DHCPv6 DUID was not available
 1333: 	in DHCP script runs during the lifetime of the dnsmasq
 1334: 	process which created the DUID de-novo. Once the DUID was
 1335: 	created and stored in the lease file and dnsmasq
 1336: 	restarted, this bug disappeared.
 1337: 
 1338: 	Fix bug introduced in 2.67 which could result in erroneous
 1339: 	NXDOMAIN returns to CNAME queries.
 1340: 
 1341: 	Fix build failures on MacOS X and openBSD.
 1342: 
 1343: 	Allow subnet specifications in --auth-zone to be interface 
 1344: 	names as well as address literals. This makes it possible
 1345: 	to configure authoritative DNS when local address ranges
 1346: 	are dynamic and works much better than the previous
 1347: 	work-around which exempted constructed DHCP ranges from the
 1348: 	IP address filtering. As a consequence, that work-around
 1349: 	is removed. Under certain circumstances, this change will
 1350: 	break existing configuration: if you're relying on the
 1351: 	constructed-range exception, you need to change --auth-zone
 1352: 	to specify the same interface as is used to construct your
 1353: 	DHCP ranges, probably with a trailing "/6" like this: 
 1354: 	--auth-zone=example.com,eth0/6 to limit the addresses to
 1355: 	IPv6 addresses of eth0.
 1356: 
 1357: 	Fix problems when advertising deleted IPv6 prefixes. If
 1358: 	the prefix is deleted (rather than replaced), it doesn't
 1359: 	get advertised with zero preferred time. Thanks to Tsachi
 1360: 	for the bug report. 
 1361: 
 1362: 	Fix segfault with some locally configured CNAMEs. Thanks
 1363: 	to Andrew Childs for spotting the problem.
 1364: 
 1365: 	Fix memory leak on re-reading /etc/hosts and friends,
 1366: 	introduced in 2.67.
 1367: 
 1368: 	Check the arrival interface of incoming DNS and TFTP
 1369: 	requests via IPv6, even in --bind-interfaces mode. This
 1370: 	isn't possible for IPv4 and can generate scary warnings,
 1371: 	but as it's always possible for IPv6 (the API always
 1372: 	exists) then we should do it always. 
 1373: 
 1374: 	Tweak the rules on prefix-lengths in --dhcp-range for
 1375: 	IPv6. The new rule is that the specified prefix length
 1376: 	must be larger than or equal to the prefix length of the
 1377: 	corresponding address on the local interface. 
 1378: 
 1379: 
 1380: version 2.67
 1381: 	Fix crash if upstream server returns SERVFAIL when
 1382: 	--conntrack in use. Thanks to Giacomo Tazzari for finding
 1383: 	this and supplying the patch. 
 1384: 
 1385: 	Repair regression in 2.64. That release stopped sending
 1386: 	lease-time information in the reply to DHCPINFORM
 1387: 	requests, on the correct grounds that it was a standards
 1388: 	violation. However, this broke the dnsmasq-specific
 1389: 	dhcp_lease_time utility. Now, DHCPINFORM returns
 1390: 	lease-time only if it's specifically requested
 1391: 	(maintaining standards) and the dhcp_lease_time utility
 1392: 	has been taught to ask for it (restoring functionality). 
 1393: 
 1394: 	Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass
 1395: 	to work with BOOTP as well as DHCP. Thanks to Peter
 1396: 	Korsgaard for spotting the problem. 
 1397: 
 1398: 	Add --synth-domain. Thanks to Vishvananda Ishaya for
 1399: 	suggesting this.
 1400: 
 1401: 	Fix failure to compile ipset.c if old kernel headers are
 1402: 	in use. Thanks to Eugene Rudoy for pointing this out.
 1403: 
 1404: 	Handle IPv4 interface-address labels in Linux. These are
 1405: 	often used to emulate the old IP-alias addresses. Before,
 1406: 	using --interface=eth0 would service all the addresses of
 1407: 	eth0, including ones configured as aliases, which appear
 1408: 	in ifconfig as eth0:0. Now, only addresses with the label
 1409: 	eth0 are active. This is not backwards compatible: if you
 1410: 	want to continue to bind the aliases too, you need to add
 1411: 	eg. --interface=eth0:0 to the config. 
 1412: 
 1413: 	Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket 
 1414: 	operation on non-socket" error on startup with
 1415: 	configurations which have exactly one --interface option
 1416: 	and do RA but _not_ DHCPv6. Thanks to Trever Adams for the
 1417: 	bug report.
 1418: 
 1419: 	Generalise --interface-name to cope with IPv6 addresses
 1420: 	and multiple addresses per interface per address family.
 1421: 
 1422: 	Fix option parsing for --dhcp-host, which was generating a
 1423: 	spurious error when all seven possible items were
 1424: 	included. Thanks to Zhiqiang Wang for the bug report.
 1425: 
 1426: 	Remove restriction on prefix-length in --auth-zone. Thanks
 1427: 	to Toke Hoiland-Jorgensen for suggesting this.
 1428: 
 1429: 	Log when the maximum number of concurrent DNS queries is
 1430: 	reached. Thanks to Marcelo Salhab Brogliato for the patch.
 1431: 
 1432: 	If wildcards are used in --interface, don't assume that 
 1433: 	there will only ever be one available interface for DHCP
 1434: 	just because there is one at start-up. More may appear, so
 1435: 	we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
 1436: 	report. 
 1437: 
 1438: 	Increase timeout/number of retries in TFTP to accommodate
 1439: 	AudioCodes Voice Gateways doing streaming writes to flash.
 1440: 	Thanks to Damian Kaczkowski for spotting the problem.
 1441: 
 1442: 	Fix crash with empty DHCP string options when adding zero
 1443: 	terminator. Thanks to Patrick McLean for the bug report.
 1444: 
 1445: 	Allow hostnames to start with a number, as allowed in
 1446: 	RFC-1123. Thanks to Kyle Mestery for the patch. 
 1447: 
 1448: 	Fixes to DHCP FQDN option handling: don't terminate FQDN
 1449: 	if domain not known and allow a FQDN option with blank
 1450: 	name to request that a FQDN option is returned in the
 1451: 	reply. Thanks to Roy Marples for the patch.
 1452: 
 1453: 	Make --clear-on-reload apply to setting upstream servers
 1454: 	via DBus too.
 1455: 
 1456: 	When the address which triggered the construction of an
 1457: 	advertised IPv6 prefix disappears, continue to advertise 
 1458: 	the prefix for up to 2 hours, with the preferred lifetime
 1459: 	set to zero. This satisfies RFC 6204 4.3 L-13 and makes
 1460: 	things work better if a prefix disappears without being
 1461: 	deprecated first. Thanks to Uwe Schindler for persuasively
 1462: 	arguing for this.
 1463: 
 1464: 	Fix MAC address enumeration on *BSD. Thanks to Brad Smith
 1465: 	for the bug report.
 1466: 
 1467: 	Support RFC-4242 information-refresh-time options in the 
 1468: 	reply to DHCPv6 information-request. The lease time of the
 1469: 	smallest valid dhcp-range is sent. Thanks to Uwe Schindler 
 1470: 	for suggesting this.
 1471: 
 1472: 	Make --listen-address higher priority than --except-interface
 1473: 	in all circumstances. Thanks to Thomas Hood for the bug report.
 1474: 
 1475: 	Provide independent control over which interfaces get TFTP 
 1476: 	service. If enable-tftp is given a list of interfaces, then TFTP 
 1477: 	is provided on those. Without the list, the previous behaviour
 1478: 	(provide TFTP to the same interfaces we provide DHCP to) 
 1479: 	is retained. Thanks to Lonnie Abelbeck for the suggestion.
 1480: 
 1481: 	Add --dhcp-relay config option. Many thanks to vtsl.net
 1482: 	for sponsoring this development.
 1483: 
 1484: 	Fix crash with empty tag: in --dhcp-range. Thanks to
 1485: 	Kaspar Schleiser for the bug report.
 1486: 
 1487: 	Add "baseline" and "bloatcheck" makefile targets, for 
 1488: 	revealing size changes during development. Thanks to
 1489: 	Vladislav Grishenko for the patch. 
 1490: 
 1491: 	Cope with DHCPv6 clients which send REQUESTs without
 1492: 	address options - treat them as SOLICIT with rapid commit.
 1493: 
 1494: 	Support identification of clients by MAC address in
 1495: 	DHCPv6. When using a relay, the relay must support RFC
 1496: 	6939 for this to work. It always works for directly
 1497: 	connected clients. Thanks to Vladislav Grishenko
 1498: 	for prompting this feature.
 1499: 
 1500: 	Remove the rule for constructed DHCP ranges that the local
 1501: 	address must be either the first or last address in the
 1502: 	range. This was originally to avoid SLAAC addresses, but
 1503: 	we now explicitly autoconfig and privacy addresses instead.  
 1504: 
 1505: 	Update Polish translation. Thanks to Jan Psota.
 1506: 
 1507: 	Fix problem in DHCPv6 vendorclass/userclass matching
 1508: 	code. Thanks to Tanguy Bouzeloc for the patch.
 1509: 
 1510: 	Update Spanish translation. Thanks to Vicente Soriano.
 1511: 
 1512: 	Add --ra-param option. Thanks to Vladislav Grishenko for
 1513: 	inspiration on this.
 1514: 
 1515: 	Add --add-subnet configuration, to tell upstream DNS
 1516: 	servers where the original client is. Thanks to DNSthingy
 1517: 	for sponsoring this feature.
 1518: 
 1519: 	Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
 1520: 	Kevin Darbyshire-Bryant for the initial patch.
 1521: 
 1522: 	Allow A/AAAA records created by --interface-name to be the
 1523: 	target of --cname. Thanks to Hadmut Danisch for the
 1524: 	suggestion. 
 1525: 
 1526: 	Avoid treating a --dhcp-host which has an IPv6 address
 1527: 	as eligible for use with DHCPv4 on the grounds that it has
 1528: 	no address, and vice-versa. Thanks to Yury Konovalov for
 1529: 	spotting the problem.
 1530: 
 1531: 	Do a better job caching dangling CNAMEs. Thanks to Yves
 1532: 	Dorfsman for spotting the problem.
 1533: 
 1534: 
 1535: version 2.66
 1536: 	Add the ability to act as an authoritative DNS
 1537: 	server. Dnsmasq can now answer queries from the wider 'net
 1538: 	with local data, as long as the correct NS records are set
 1539: 	up. Only local data is provided, to avoid creating an open
 1540: 	DNS relay. Zone transfer is supported, to allow secondary
 1541: 	servers to be configured.
 1542: 
 1543: 	Add "constructed DHCP ranges" for DHCPv6. This is intended
 1544: 	for IPv6 routers which get prefixes dynamically via prefix
 1545: 	delegation. With suitable configuration, stateful DHCPv6
 1546: 	and RA can happen automatically as prefixes are delegated
 1547: 	and then deprecated, without having  to re-write the
 1548: 	dnsmasq configuration file or restart the daemon. Thanks to
 1549: 	Steven Barth for extensive testing and development work on
 1550: 	this idea.
 1551: 
 1552: 	Fix crash on startup on Solaris 11. Regression probably
 1553: 	introduced in 2.61.  Thanks to Geoff Johnstone for the
 1554: 	patch.
 1555: 
 1556: 	Add code to make behaviour for TCP DNS requests the same
 1557: 	as for UDP requests, when a request arrives for an allowed 
 1558: 	address, but via a banned interface. This change is only
 1559: 	active on Linux, since the relevant API is missing (AFAIK)
 1560: 	on other platforms. Many thanks to Tomas Hozza for
 1561: 	spotting the problem, and doing invaluable discovery of
 1562: 	the obscure and undocumented API required for the solution.
 1563: 
 1564: 	Don't send the default DHCP option advertising dnsmasq as
 1565: 	the local DNS server if dnsmasq is configured to not act
 1566: 	as DNS server, or it's configured to a non-standard port.
 1567: 
 1568: 	Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID,
 1569: 	DNSMASQ_REMOTE_ID variables to the environment of the
 1570: 	lease-change script (and the corresponding Lua). These hold
 1571: 	information inserted into the DHCP request by a DHCP relay
 1572: 	agent. Thanks to Lakefield Communications for providing a
 1573: 	bounty for this addition.
 1574: 
 1575: 	Fixed crash, introduced in 2.64, whilst handling DHCPv6
 1576: 	information-requests with some common configurations.
 1577: 	Thanks to Robert M. Albrecht for the bug report and 
 1578: 	chasing the problem.
 1579: 
 1580: 	Add --ipset option. Thanks to Jason A. Donenfeld for the 
 1581: 	patch.
 1582: 
 1583: 	Don't erroneously reject some option names in --dhcp-match
 1584: 	options. Thanks to Benedikt Hochstrasser for the bug report.
 1585: 
 1586: 	Allow a trailing '*' wildcard in all interface-name
 1587: 	configurations. Thanks to Christian Parpart for the patch.
 1588: 
 1589: 	Handle the situation where libc headers define
 1590: 	SO_REUSEPORT, but the kernel in use doesn't, to cope with
 1591: 	the introduction of this option to Linux. Thanks to Rich
 1592: 	Felker for the bug report.
 1593: 
 1594: 	Update Polish translation. Thanks to Jan Psota.
 1595: 
 1596: 	Fix crash if the configured DHCP lease limit is
 1597: 	reached. Regression occurred in 2.61. Thanks to Tsachi for
 1598: 	the bug report. 
 1599: 
 1600: 	Update the French translation. Thanks to Gildas le Nadan.
 1601: 
 1602: 
 1603: version 2.65
 1604: 	Fix regression which broke forwarding of queries sent via
 1605: 	TCP which are not for A and AAAA and which were directed to
 1606: 	non-default servers. Thanks to Niax for the bug report.
 1607: 
 1608: 	Fix failure to build with DHCP support excluded. Thanks to 
 1609: 	Gustavo Zacarias for the patch.
 1610: 
 1611: 	Fix nasty regression in 2.64 which completely broke caching.
 1612: 
 1613: 
 1614: version 2.64
 1615: 	Handle DHCP FQDN options with all flag bits zero and
 1616: 	--dhcp-client-update set. Thanks to Bernd Krumbroeck for
 1617: 	spotting the problem.
 1618: 
 1619: 	Finesse the check for /etc/hosts names which conflict with
 1620: 	DHCP names. Previously a name/address pair in /etc/hosts
 1621: 	which didn't match the name/address of a DHCP lease would
 1622: 	generate a warning. Now that only happens if there is not
 1623: 	also a match. This allows multiple addresses for a name in 
 1624: 	/etc/hosts with one of them assigned via DHCP.
 1625: 
 1626: 	Fix broken vendor-option processing for BOOTP. Thanks to
 1627: 	Hans-Joachim Baader for the bug report.
 1628: 
 1629: 	Don't report spurious netlink errors, regression in
 1630: 	2.63. Thanks to Vladislav Grishenko for the patch.
 1631: 
 1632: 	Flag DHCP or DHCPv6 in startup logging. Thanks to 
 1633: 	Vladislav Grishenko for the patch.
 1634: 
 1635: 	Add SetServersEx method in DBus interface. Thanks to Dan
 1636: 	Williams for the patch.
 1637: 
 1638: 	Add SetDomainServers method in DBus interface. Thanks to
 1639: 	Roy Marples for the patch.
 1640: 
 1641: 	Fix build with later Lua libraries. Thanks to Cristian
 1642: 	Rodriguez for the patch.
 1643: 
 1644: 	Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker
 1645: 	for the patch.
 1646: 
 1647: 	Fix breakage of --host-record parsing, resulting in
 1648: 	infinite loop at startup. Regression in 2.63. Thanks to
 1649: 	Haim Gelfenbeyn for spotting this.
 1650: 
 1651: 	Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6
 1652: 	socket, this allows multiple instances of dnsmasq on a
 1653: 	single machine, in the same way as for DHCPv4. Thanks to
 1654: 	Gene Czarcinski and Vladislav Grishenko for work on this.
 1655: 
 1656: 	Fix DHCPv6 to do access control correctly when it's 
 1657: 	configured with --listen-address. Thanks to
 1658: 	Gene Czarcinski for sorting this out. 
 1659: 
 1660: 	Add a "wildcard" dhcp-range which works for any IPv6
 1661: 	subnet, --dhcp-range=::,static Useful for Stateless 
 1662: 	DHCPv6. Thanks to Vladislav Grishenko for the patch.
 1663: 
 1664: 	Don't include lease-time in DHCPACK replies to DHCPINFORM
 1665: 	queries, since RFC-2131 says we shouldn't. Thanks to
 1666: 	Wouter Ibens for pointing this out.  
 1667: 
 1668: 	Makefile tweak to do dependency checking on header files.
 1669: 	Thanks to Johan Peeters for the patch.
 1670: 
 1671: 	Check interface for outgoing unsolicited router 
 1672: 	advertisements, rather than relying on interface address 
 1673: 	configuration. Thanks to Gene Czarcinski for the patch.
 1674: 
 1675: 	Handle better attempts to transmit on interfaces which are
 1676: 	still doing DAD, and specifically do not just transmit
 1677: 	without setting source address and interface, since this
 1678: 	can cause very puzzling effects when a router
 1679: 	advertisement goes astray. Thanks again to Gene Czarcinski.
 1680: 
 1681: 	Get RA timers right when there is more than one
 1682: 	dhcp-range on a subnet.
 1683: 
 1684: 
 1685: version 2.63
 1686: 	Do duplicate dhcp-host address check in --test mode.
 1687: 
 1688: 	Check that tftp-root directories are accessible before
 1689: 	start-up. Thanks to Daniel Veillard for the initial patch.
 1690: 
 1691: 	Allow more than one --tftp-root flag. The per-interface
 1692: 	stuff is pointless without that.
 1693: 
 1694: 	Add --bind-dynamic. A hybrid mode between the default and
 1695: 	--bind-interfaces which copes with dynamically created
 1696: 	interfaces. 
 1697: 
 1698: 	A couple of fixes to the build system for Android. Thanks
 1699: 	to Metin Kaya for the patches.
 1700: 
 1701: 	Remove the interface:<interface> argument in --dhcp-range, and
 1702: 	the interface argument to --enable-tftp. These were a
 1703: 	still-born attempt to allow automatic isolated
 1704: 	configuration by libvirt, but have never (to my knowledge)
 1705: 	been used, had very strange semantics, and have been
 1706: 	superseded by other mechanisms. 
 1707: 
 1708: 	Fixed bug logging filenames when duplicate dhcp-host
 1709: 	addresses are found. Thanks to John Hanks for the patch.
 1710: 
 1711: 	Fix regression in 2.61 which broke caching of CNAME
 1712: 	chains. Thanks to Atul Gupta for the bug report.
 1713: 
 1714: 	Allow the target of a --cname flag to be another --cname.
 1715: 
 1716: 	Teach DHCPv6 about the RFC 4242 information-refresh-time
 1717: 	option, and add parsing of the minutes, hours and days
 1718: 	format for options. Thanks to Francois-Xavier Le Bail for
 1719: 	the suggestion.
 1720: 
 1721: 	Allow "w" (for week) as multiplier in lease times, as well
 1722: 	as seconds, minutes, hours and days.  Álvaro Gámez Machado 
 1723: 	spotted the omission.
 1724: 
 1725: 	Update French translation. Thanks to Gildas Le Nadan.
 1726: 
 1727: 	Allow a DBus service name to be given with --enable-dbus
 1728: 	which overrides the default,
 1729: 	uk.org.thekelleys.dnsmasq. Thanks to Mathieu
 1730: 	Trudel-Lapierre for the patch. 
 1731: 
 1732: 	Set the "prefix on-link" bit in Router
 1733: 	Advertisements. Thanks to Gui Iribarren for the patch.
 1734: 
 1735: 
 1736: version 2.62
 1737: 	Update German translation. Thanks to Conrad Kostecki.
 1738: 
 1739: 	Cope with router-solicit packets which don't have a valid
 1740: 	source address. Thanks to Vladislav Grishenko for the patch.
 1741: 
 1742: 	Fixed bug which caused missing periodic router
 1743: 	advertisements with some configurations. Thanks to
 1744: 	Vladislav Grishenko for the patch.
 1745: 
 1746: 	Fixed bug which broke DHCPv6/RA with prefix lengths 
 1747: 	which are not divisible by 8. Thanks to Andre Coetzee 
 1748: 	for spotting this.
 1749: 
 1750: 	Fix non-response to router-solicitations when
 1751: 	router-advertisement configured, but DHCPv6 not
 1752: 	configured. Thanks to Marien Zwart for the patch.
 1753: 
 1754: 	Add --dns-rr, to allow arbitrary DNS resource records.
 1755: 
 1756: 	Fixed bug which broke RA scheduling when an interface had
 1757: 	two addresses in the same network. Thanks to Jim Bos for
 1758: 	his help nailing this.
 1759: 
 1760: version 2.61
 1761: 	Re-write interface discovery code on *BSD to use
 1762: 	getifaddrs. This is more portable, more straightforward,
 1763: 	and allows us to find the prefix length for IPv6
 1764: 	addresses.
 1765: 
 1766: 	Add ra-names, ra-stateless and slaac keywords for DHCPv6.
 1767: 	Dnsmasq can now synthesise AAAA records for dual-stack 
 1768: 	hosts which get IPv6 addresses via SLAAC. It is also now 
 1769: 	possible to use SLAAC and stateless DHCPv6, and to 
 1770: 	tell clients to use SLAAC addresses as well as DHCP ones.
 1771: 	Thanks to Dave Taht for help with this.
 1772: 
 1773: 	Add --dhcp-duid to allow DUID-EN uids to be used.
 1774: 
 1775: 	Explicitly send DHCPv6 replies to the correct port, instead
 1776: 	of relying on clients to send requests with the correct
 1777: 	source address, since at least one client in the wild gets
 1778: 	this wrong. Thanks to Conrad Kostecki for help tracking
 1779: 	this down.
 1780: 
 1781: 	Send a preference value of 255 in DHCPv6 replies when 
 1782: 	--dhcp-authoritative is in effect. This tells clients not
 1783: 	to wait around for other DHCP servers.
 1784: 
 1785: 	Better logging of DHCPv6 options.
 1786: 
 1787: 	Add --host-record. Thanks to Rob Zwissler for the
 1788: 	suggestion.
 1789: 
 1790: 	Invoke the DHCP script with action "tftp" when a TFTP file
 1791: 	transfer completes. The size of the file, address to which
 1792: 	it was sent and complete pathname are supplied. Note that
 1793: 	version 2.60 introduced some script incompatibilities
 1794: 	associated with DHCPv6, and this is a further change. To
 1795: 	be safe, scripts should ignore unknown actions, and if
 1796: 	not IPv6-aware, should exit if the environment
 1797: 	variable DNSMASQ_IAID is set. The use-case for this is
 1798: 	to track netboot/install.  Suggestion from Shantanu
 1799: 	Gadgil.
 1800: 
 1801: 	Update contrib/port-forward/dnsmasq-portforward to reflect
 1802: 	the above.
 1803: 
 1804: 	Set the environment variable DNSMASQ_LOG_DHCP when running
 1805: 	the script if --log-dhcp is in effect, so that scripts can
 1806: 	tailor their logging verbosity. Suggestion from Malte
 1807: 	Forkel.
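
A lease-change script following the guidance in the "tftp" action and DNSMASQ_LOG_DHCP entries above, as an added example that is not part of the dnsmasq distribution. The function names and the log line format are assumptions; the argument order for "tftp" is the one given above (size, destination address, pathname).

```shell
#!/bin/sh
# Added example, not dnsmasq's own code: a DHCPv4-only lease-change script
# for --dhcp-script.

# Hostnames and TFTP paths originate from clients. Replace anything
# non-printable so they cannot inject control characters or extra lines
# into whatever log the output ends up in.
clean() {
    printf '%s' "$1" | tr -c '[:print:]' '?'
}

# handle_event ACTION ARG2 ARG3 ARG4
# Prints at most one log line on stdout and always returns 0.
handle_event() {
    he_action=${1:-}

    # DHCPv6 runs set DNSMASQ_IAID. This script only understands the
    # DHCPv4 argument layout, so it leaves as soon as the variable is set
    # rather than misreading a DUID as a MAC address.
    if [ -n "${DNSMASQ_IAID+set}" ]; then
        return 0
    fi

    case $he_action in
        add | del)
            printf 'lease %s mac=%s ip=%s host=%s\n' "$he_action" \
                "$(clean "${2:-}")" "$(clean "${3:-}")" "$(clean "${4:-}")"
            ;;
        old)
            # Renewals are frequent; report them only when dnsmasq itself
            # runs with --log-dhcp, signalled by DNSMASQ_LOG_DHCP.
            if [ -n "${DNSMASQ_LOG_DHCP+set}" ]; then
                printf 'lease old mac=%s ip=%s host=%s\n' \
                    "$(clean "${2:-}")" "$(clean "${3:-}")" "$(clean "${4:-}")"
            fi
            ;;
        tftp)
            # Arguments: file size, address it was sent to, full pathname.
            printf 'tftp sent bytes=%s to=%s file=%s\n' \
                "$(clean "${2:-}")" "$(clean "${3:-}")" "$(clean "${4:-}")"
            ;;
        *)
            # Unknown or future action: ignore it.
            ;;
    esac
    return 0
}

# When installed as the --dhcp-script, finish the file with:
#   handle_event "$@" | logger -t lease-hook
```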
 1808: 
 1809: 	Arrange that addresses specified with --listen-address
 1810: 	work even if there is no interface carrying the
 1811: 	address. This is chiefly useful for IPv4 loopback
 1812: 	addresses, where any address in 127.0.0.0/8 is a valid
 1813: 	loopback address, but normally only 127.0.0.1 appears on
 1814: 	the lo interface. Thanks to Mathieu Trudel-Lapierre for
 1815: 	the idea and initial patch. 
 1816: 
 1817: 	Fix crash, introduced in 2.60, when a DHCPINFORM is
 1818: 	received from a network which has no valid dhcp-range.
 1819: 	Thanks to Stephane Glondu for the bug report.
 1820: 
 1821: 	Add a new DHCP lease time keyword, "deprecated" for
 1822: 	--dhcp-range. This is only valid for IPv6, and sets the
 1823: 	preferred lease time for both DHCP and RA to zero. The
 1824: 	effect is that clients can continue to use the address 
 1825: 	for existing connections, but new connections will use
 1826: 	other addresses, if they exist. This makes hitless
 1827: 	renumbering at least possible.
 1828: 
 1829: 	Fix bug in address6_available() which caused DHCPv6 lease
 1830: 	acquisition to fail if more than one dhcp-range in use.
 1831: 
 1832: 	Provide RDNSS and DNSSL data in router advertisements,
 1833: 	using the settings provided for DHCP options
 1834: 	option6:domain-search and option6:dns-server.
 1835: 
 1836: 	Tweak logo/favicon.ico to add some transparency. Thanks to
 1837: 	SamLT for work on this.
 1838: 
 1839: 	Don't cache data from non-recursive nameservers, since it
 1840: 	may erroneously look like a valid CNAME to a non-existent
 1841: 	name. Thanks to Ben Winslow for finding this.
 1842: 
 1843: 	Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP
 1844: 	on exactly one interface and --bind-interfaces is set. This 
 1845: 	makes the OpenStack use-case of one dnsmasq per virtual
 1846: 	interface work. This is only available on Linux; it's not
 1847: 	supported on other platforms. Thanks to Vishvananda Ishaya
 1848: 	and the OpenStack team for the suggestion.
 1849: 
 1850: 	Updated French translation. Thanks to Gildas Le Nadan.
 1851: 
 1852: 	Give correct from-cache answers to explicit CNAME queries.
 1853: 	Thanks to Rob Zwissler for spotting this.
 1854: 
 1855: 	Add --tftp-lowercase option. Thanks to Oliver Rath for the
 1856: 	patch. 
 1857: 
 1858: 	Ensure that the DBus DhcpLeaseUpdated events are generated
 1859: 	when a lease goes through INIT_REBOOT state, even if the
 1860: 	dhcp-script is not in use. Thanks to Antoaneta-Ecaterina
 1861: 	Ene for the patch.
 1862: 
 1863: 	Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks
 1864: 	to Brad Smith for spotting this.
 1865: 
 1866: 
 1867: version 2.60
 1868: 	Fix compilation problem in Mac OS X Lion. Thanks to Olaf
 1869: 	Flebbe for the patch.
 1870: 
 1871: 	Fix DHCP when using --listen-address with an IP address
 1872: 	which is not the primary address of an interface.
 1873: 
 1874: 	Add --dhcp-client-update option.
 1875: 
 1876: 	Add Lua integration. Dnsmasq can now execute a DHCP
 1877: 	lease-change script written in Lua. This needs to be
 1878: 	enabled at compile time by setting HAVE_LUASCRIPT in 
 1879: 	src/config.h or running "make COPTS=-DHAVE_LUASCRIPT"
 1880: 	Thanks to Jan-Piet Mens for the idea and proof-of-concept 
 1881: 	implementation.
 1882: 
 1883: 	Tidied src/config.h to distinguish between
 1884: 	platform-dependent compile-time options which are selected
 1885: 	automatically, and builder-selectable compile time
 1886: 	options. Document the latter better, and describe how to
 1887: 	set them from the make command line.
 1888: 
 1889: 	Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent)
 1890: 	confusion. IPPROTO_IP works everywhere now.
 1891: 
 1892: 	Set TOS on DHCP sockets, this improves things on busy
 1893: 	wireless networks. Thanks to Dave Taht for the patch.
 1894: 
 1895: 	Determine VERSION automatically based on git magic:
 1896: 	release tags or hash values.
 1897: 
 1898: 	Improve start-up speed when reading large hosts files 
 1899: 	containing many distinct addresses.
 1900: 
 1901: 	Fix problem if dnsmasq is started without the stdin,
 1902: 	stdout and stderr file descriptors open. This can manifest
 1903: 	itself as 100% CPU use. Thanks to Chris Moore for finding
 1904: 	this.
 1905: 
 1906: 	Fix shell-scripting bug in bld/pkg-wrapper. Thanks to 
 1907: 	Mark Mitchell for the patch.
 1908: 
 1909: 	Allow the TFTP server or boot server in --pxe-service, to
 1910: 	be a domain name instead of an IP address. This allows for
 1911: 	round-robin to multiple servers, in the same way as
 1912: 	--dhcp-boot. A good suggestion from Cristiano Cumer.
 1913: 
 1914: 	Support BUILDDIR variable in the Makefile. Allows builds 
 1915: 	for multiple archs from the same source tree with eg.
 1916: 	make BUILDDIR=linux             (relative to dnsmasq tree)
 1917: 	make BUILDDIR=/tmp/openbsd      (absolute path)
 1918: 	If BUILDDIR is not set, compilation happens in the src
 1919: 	directory, as before. Suggestion from Mark Mitchell.
 1920: 
 1921: 	Support DHCPv6. Support is there for the sort of things
 1922: 	the existing v4 server does, including tags, options, 
 1923: 	static addresses and relay support. Missing is prefix 
 1924: 	delegation, which is probably not required in the dnsmasq
 1925: 	niche, and an easy way to accept prefix delegations from
 1926: 	an upstream DHCPv6 server, which is. Future plans include
 1927: 	support for DHCPv6 router option and MAC address option
 1928: 	(to make selecting clients by MAC address work like IPv4).
 1929: 	These will be added as the standards mature.
 1930: 	This code has been tested, but this is the first release,
 1931: 	so don't bet the farm on it just yet. Many thanks to all 
 1932: 	testers who have got it this far.
 1933: 
 1934: 	Support IPv6 router advertisements. This is a
 1935: 	simple-minded implementation, aimed at providing the
 1936: 	vestigial RA needed to go alongside IPv6. It picks up
 1937: 	configuration from the DHCPv6 conf, and should just need
 1938: 	enabling with --enable-ra.   
 1939: 
 1940: 	Fix long-standing wrinkle with --localise-queries that
 1941: 	could result in wrong answers when DNS packets arrive
 1942: 	via an interface other than the expected one. Thanks to 
 1943: 	Lorenzo Milesi and John Hanks for spotting this one.
 1944: 
 1945: 	Update French translation. Thanks to Gildas Le Nadan.
 1946: 
 1947: 	Update Polish translation. Thanks to Jan Psota.
 1948: 
 1949: 
 1950: version 2.59
 1951: 	Fix regression in 2.58 which caused failure to start up
 1952: 	with some combinations of dnsmasq config and IPv6 kernel
 1953: 	network config. Thanks to Brielle Bruns for the bug
 1954: 	report.
 1955: 
 1956: 	Improve dnsmasq's behaviour when network interfaces are
 1957: 	still doing duplicate address detection (DAD). Previously,
 1958: 	dnsmasq would wait up to 20 seconds at start-up for the
 1959: 	DAD state to terminate. This is broken for bridge
 1960: 	interfaces on recent Linux kernels, which don't start DAD
 1961: 	until the bridge comes up, and so can take arbitrary
 1962: 	time. The new behaviour lets dnsmasq poll for an arbitrary
 1963: 	time whilst providing service on other interfaces. Thanks
 1964: 	to Stephen Hemminger for pointing out the problem.
 1965: 
 1966: 
 1967: version 2.58
 1968: 	Provide a definition of the SA_SIZE macro where it's 
 1969: 	missing. Fixes build failure on openBSD.
 1970: 
 1971: 	Don't include a zero terminator at the end of messages
 1972: 	sent to /dev/log when /dev/log is a datagram socket.
 1973: 	Thanks to Didier Rabound for spotting the problem.
 1974: 
 1975: 	Add --dhcp-sequential-ip flag, to force allocation of IP
 1976: 	addresses in ascending order. Note that the default
 1977: 	pseudo-random mode is in general better but some
 1978: 	server-deployment applications need this.
 1979: 
 1980: 	Fix problem where a server-id of 0.0.0.0 is sent to a
 1981: 	client when a dhcp-relay is in use if a client renews a
 1982: 	lease after dnsmasq restart and before any clients on the
 1983: 	subnet get a new lease. Thanks to Mike Ruiz for assistance
 1984: 	in chasing this one down. 
 1985: 
 1986: 	Don't return NXDOMAIN to an AAAA query if we have CNAME
 1987: 	which points to an A record only: NODATA is the correct
 1988: 	reply in this case. Thanks to Tom Fernandes for spotting
 1989: 	the problem.
 1990: 
 1991: 	Relax the need to supply a netmask in --dhcp-range for
 1992: 	networks which use a DHCP relay. Whilst this is still
 1993: 	desirable, in the absence of a netmask dnsmasq will use
 1994: 	a default based on the class (A, B, or C) of the address. 
 1995: 	This should at least remove a cause of mysterious failure 
 1996: 	for people using RFC1918 addresses and relays.
 1997: 
 1998: 	Add support for Linux conntrack connection marking. If 
 1999: 	enabled with --conntrack, the connection mark for incoming
 2000: 	DNS queries will be copied  to the outgoing connections
 2001: 	used to answer those queries. This allows clever firewall
 2002: 	and accounting stuff. Only available if dnsmasq is
 2003: 	compiled with HAVE_CONNTRACK and adds a dependency on 
 2004: 	libnetfilter-conntrack. Thanks to Ed Wildgoose for the
 2005: 	initial idea, testing and sponsorship of this function.
 2006: 
 2007: 	Provide a sane error message when someone attempts to 
 2008: 	match a tag in --dhcp-host.
 2009: 
 2010: 	Tweak the behaviour of --domain-needed, to avoid problems
 2011: 	with recursive nameservers downstream of dnsmasq. The new
 2012: 	behaviour only stops A and AAAA queries, and returns
 2013: 	NODATA rather than NXDOMAIN replies. 
 2014: 
 2015: 	Efficiency fix for very large DHCP configurations, thanks
 2016: 	to James Gartrell and Mike Ruiz for help with this. 
 2017: 
 2018: 	Allow the TFTP-server address in --dhcp-boot to be a
 2019: 	domain-name which is looked up in /etc/hosts. This can 
 2020: 	give multiple IP addresses which are used round-robin,
 2021: 	thus doing TFTP server load-balancing. Thanks to Sushil
 2022: 	Agrawal for the patch.
 2023: 
 2024: 	When two tagged dhcp-options for a particular option
 2025: 	number are both valid, use the one which is valid without
 2026: 	a tag from the dhcp-range. Allows overriding of the value
 2027: 	of a DHCP option for a particular host as well as
 2028: 	per-network values.  So 
 2029: 	--dhcp-range=set:interface1,......
 2030: 	--dhcp-host=set:myhost,.....  
 2031: 	--dhcp-option=tag:interface1,option:nis-domain,"domain1" 
 2032: 	--dhcp-option=tag:myhost,option:nis-domain,"domain2" 
 2033: 	will set the NIS-domain to domain1 for hosts in the range, but
 2034: 	override that to domain2 for a particular host.
 2035: 
 2036: 	Fix bug which resulted in truncated files and timeouts for
 2037: 	some TFTP transfers. The bug only occurs with netascii
 2038: 	transfers and needs an unfortunate relationship between
 2039: 	file size, blocksize and the number of newlines in the
 2040: 	last block before it manifests itself. Many thanks to 
 2041: 	Alkis Georgopoulos for spotting the problem and providing
 2042: 	a comprehensive test-case. 
 2043: 
 2044: 	Fix regression in TFTP server on *BSD platforms introduced
 2045: 	in version 2.56, due to confusion with sockaddr
 2046: 	length. Many thanks to Loic Pefferkorn for finding this.
 2047: 
 2048: 	Support scope-ids in IPv6 addresses of nameservers from
 2049: 	/etc/resolv.conf and in --server options. Eg
 2050: 	nameserver fe80::202:a412:4512:7bbf%eth0 or
 2051: 	server=fe80::202:a412:4512:7bbf%eth0. Thanks to 
 2052: 	Michael Stapelberg for the suggestion.
 2053: 
 2054: 	Update Polish translation, thanks to Jan Psota.
 2055: 
 2056: 	Update French translation. Thanks to Gildas Le Nadan.
 2057: 
 2058: 
 2059: version 2.57
 2060: 	Add patches to allow build under Android.
 2061: 
 2062: 	Provide our own header for the DNS protocol, rather than
 2063: 	relying on arpa/nameser.h. This has proved more or less
 2064: 	defective over the years and the final straw is that it's
 2065: 	effectively empty on Android.
 2066: 
 2067: 	Fix regression in 2.56 which caused hex constants in
 2068: 	configuration to be rejected if they contain the '*'
 2069: 	wildcard.
 2070: 
 2071: 	Correct wrong casts of arguments to ctype.h functions,
 2072: 	isdigit(), isxdigit() etc. Thanks to Matthias Andree for
 2073: 	spotting this.
 2074: 
 2075: 	Allow build with IDN support independently from i18n. 
 2076: 	IDN support continues to be included automatically 
 2077: 	when i18n is included. 
 2078: 	'make COPTS=-DHAVE_IDN' is the magic incantation. 
 2079: 
 2080: 	Modify check on extraneous command line junk (added in
 2081: 	2.56) so that it doesn't complain about extra _empty_ 
 2082: 	arguments. Otherwise this breaks libvirt.
 2083: 
 2084: 
 2085: version 2.56
 2086: 	Add a patch to allow dnsmasq to get interface names right in a
 2087: 	Solaris zone. Thanks to Dj Padzensky for this.
 2088: 
 2089: 	Improve data-type parsing heuristics so that
 2090: 	--dhcp-option=option:domain-search,. 
 2091: 	treats the value as a string and not an IP address.
 2092: 	Thanks to Clemens Fischer for spotting that.
 2093: 
 2094: 	Add IPv6 support to the TFTP server. Many thanks to Jan 
 2095: 	'RedBully' Seiffert for the patches.
 2096: 
 2097: 	Log DNS queries at level LOG_INFO, rather than
 2098: 	LOG_DEBUG. This makes things consistent with DHCP
 2099: 	logging. Thanks to Adam Pribyl for spotting the problem.
 2100: 
 2101: 	Ensure that dnsmasq terminates cleanly when using
 2102: 	--syslog-async even if it cannot make a connection to the
 2103: 	syslogd.
 2104: 
 2105: 	Add --add-mac option. This is to support currently 
 2106: 	experimental DNS filtering facilities. Thanks to Benjamin
 2107: 	Petrin for the original patch. 
 2108: 
 2109: 	Fix bug which meant that tags were ignored in dhcp-range
 2110: 	configuration specifying PXE-proxy service. Thanks to
 2111: 	Cristiano Cumer for spotting this.
 2112: 
 2113: 	Raise an error if there is extra junk, not part of an
 2114: 	option, on the command line.
 2115: 
 2116: 	Flag a couple of log messages in cache.c as coming from
 2117: 	the DHCP subsystem. Thanks to Olaf Westrik for the patch.
 2118: 
 2119: 	Omit timestamps from logs when a) logging to stderr and 
 2120: 	b) --keep-in-foreground is set. The logging facility on the
 2121: 	other end of stderr can be assumed to supply them. Thanks
 2122: 	to John Hallam for the patch.
 2123: 
 2124: 	Don't complain about strings longer than 255 characters in
 2125: 	--txt-record, just split the long strings into 255
 2126: 	character chunks instead.
 2127: 
 2128: 	Fix crash on double-free. This bug can only happen when
 2129: 	dhcp-script is in use and then only in rare circumstances
 2130: 	triggered by high DHCP transaction rate and a slow
 2131: 	script. Thanks to Ferenc Wagner for finding the problem.
 2132: 
 2133: 	Only log that a file has been sent by TFTP after the
 2134: 	transfer has completed successfully. 
 2135: 
 2136: 	A good suggestion from Ferenc Wagner: extend
 2137: 	the --domain option to allow this sort of thing:
 2138: 	--domain=thekelleys.org.uk,192.168.0.0/24,local
 2139: 	which automatically creates
 2140: 	--local=/thekelleys.org.uk/
 2141: 	--local=/0.168.192.in-addr.arpa/ 
 2142: 
 2143: 	Tighten up syntax checking of hex constants in the config
 2144: 	file.  Thanks to Fred Damen for spotting this.
 2145: 
 2146: 	Add dnsmasq logo/icon, contributed by Justin Swift. Many
 2147: 	thanks for that.
 2148: 
 2149: 	Never cache DNS replies which have the 'cd' bit set, or
 2150: 	which result from queries forwarded with the 'cd' bit
 2151: 	set. The 'cd' bit instructs a DNSSEC validating server
 2152: 	upstream to ignore signature failures and return replies
 2153: 	anyway. Without this change it's possible to pollute the
 2154: 	dnsmasq cache with bad data by making a query with the
 2155: 	'cd' bit set and subsequent queries would return this data
 2156: 	without its being marked as suspect. Thanks to Anders
 2157: 	Kaseorg for pointing out this problem.
 2158: 
 2159: 	Add --proxy-dnssec flag, for compliance with RFC
 2160: 	4035. Dnsmasq will now clear the 'ad' bit in answers returned
 2161: 	from upstream validating nameservers unless this option is
 2162: 	set.
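
The two DNSSEC-related changes above (never caching when the 'cd' bit is involved, and clearing the 'ad' bit unless --proxy-dnssec is set) can be sketched as header-flag checks. This is an added example, not dnsmasq's own code: the function names, the one-entry toy cache and the constructed headers are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
/* Fourth header byte: RA(0x80) Z(0x40) AD(0x20) CD(0x10) RCODE(0x0f) */
#define FLAG_AD 0x20
#define FLAG_CD 0x10

static int has_flag(const uint8_t *pkt, size_t len, uint8_t flag)
{
    return len >= DNS_HDR_LEN && (pkt[3] & flag) != 0;
}

/* A reply may be cached only if neither the forwarded query nor the reply
   carries CD; a CD reply may contain data that failed validation upstream. */
static int reply_cacheable(const uint8_t *query, size_t qlen,
                           const uint8_t *reply, size_t rlen)
{
    if (qlen < DNS_HDR_LEN || rlen < DNS_HDR_LEN)
        return 0;
    return !has_flag(query, qlen, FLAG_CD) && !has_flag(reply, rlen, FLAG_CD);
}

/* Clear AD in the answer passed downstream unless proxy_dnssec is set. */
static void filter_ad_bit(uint8_t *reply, size_t rlen, int proxy_dnssec)
{
    if (rlen >= DNS_HDR_LEN && !proxy_dnssec)
        reply[3] &= (uint8_t)~FLAG_AD;
}

/* Hypothetical one-entry cache, just enough to show the decision. */
struct toy_cache { int valid; uint8_t addr[4]; };

static void handle_reply(struct toy_cache *cache,
                         const uint8_t *query, size_t qlen,
                         uint8_t *reply, size_t rlen,
                         const uint8_t addr[4], int proxy_dnssec)
{
    if (reply_cacheable(query, qlen, reply, rlen)) {
        cache->valid = 1;
        memcpy(cache->addr, addr, 4);
    }
    filter_ad_bit(reply, rlen, proxy_dnssec);
}

/* Constructed sample header: fixed id, RD set, QR set for replies. */
static void make_header(uint8_t hdr[DNS_HDR_LEN], int is_reply, uint8_t low_flags)
{
    memset(hdr, 0, DNS_HDR_LEN);
    hdr[0] = 0x12;
    hdr[1] = 0x34;
    hdr[2] = (uint8_t)((is_reply ? 0x80 : 0x00) | 0x01);
    hdr[3] = low_flags;
}

/* Returns 1 if the reply ended up in the cache, 0 if it was kept out. */
static int scenario_cached(int query_has_cd)
{
    uint8_t q[DNS_HDR_LEN], r[DNS_HDR_LEN];
    const uint8_t addr[4] = { 192, 0, 2, 1 };   /* constructed sample answer */
    struct toy_cache cache;

    memset(&cache, 0, sizeof cache);
    make_header(q, 0, query_has_cd ? FLAG_CD : 0);
    make_header(r, 1, (uint8_t)(0x80 | (query_has_cd ? FLAG_CD : FLAG_AD)));
    handle_reply(&cache, q, sizeof q, r, sizeof r, addr, 0);
    return cache.valid;
}

/* Returns 1 if AD is still set in the answer handed to the client. */
static int ad_survives(int proxy_dnssec)
{
    uint8_t r[DNS_HDR_LEN];

    make_header(r, 1, (uint8_t)(0x80 | FLAG_AD));
    filter_ad_bit(r, sizeof r, proxy_dnssec);
    return (r[3] & FLAG_AD) != 0;
}

int main(void)
{
    printf("cd query cached:      %d\n", scenario_cached(1));
    printf("normal query cached:  %d\n", scenario_cached(0));
    printf("ad kept by default:   %d\n", ad_survives(0));
    printf("ad kept with proxy:   %d\n", ad_survives(1));
    return 0;
}
```
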
 2163: 
 2164: 	Allow a filename of "-" for --conf-file to read
 2165: 	stdin. Suggestion from Timothy Redaelli.
 2166: 
 2167: 	Rotate the order of SRV records in replies, to provide
 2168: 	round-robin load balancing when all the priorities are
 2169: 	equal. Thanks to Peter McKinney for the suggestion. 
 2170: 
 2171: 	Edit
 2172: 	contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist 
 2173: 	so that it doesn't log all queries to a file by
 2174: 	default. Thanks again to Peter McKinney.    
 2175: 
 2176: 	By default, setting an IPv4 address for a domain but not
 2177: 	an IPv6 address causes dnsmasq to return
 2178: 	a NODATA reply for IPv6 (or vice-versa). So
 2179: 	--address=/google.com/1.2.3.4 stops IPv6 queries for
 2180: 	*google.com from being forwarded. Make it possible to
 2181: 	override this behaviour by defining the semantics if the
 2182: 	same domain appears in  both --server and --address.
 2183: 	In that case, the --address has priority for the address
 2184: 	family in which it appears, but the --server has priority
 2185: 	for the address family which doesn't appear in --address.
 2186: 	So:
 2187: 	--address=/google.com/1.2.3.4
 2188: 	--server=/google.com/#
 2189: 	will return 1.2.3.4 for IPv4 queries for *.google.com but
 2190: 	forward IPv6 queries to the normal upstream nameserver.
 2191: 	Similarly when setting an IPv6 address
 2192: 	only this will allow forwarding of IPv4 queries. Thanks to
 2193: 	William for pointing out the need for this.
 2194: 
 2195: 	Allow more than one --dhcp-optsfile and --dhcp-hostsfile
 2196: 	and make them understand directories as arguments in the
 2197: 	same way as --addn-hosts. Suggestion from John Hanks. 
 2198: 
 2199: 	Ignore rebinding requests for leases we don't know
 2200: 	about. Rebind is broadcast, so we might get to overhear a
 2201: 	request meant for another DHCP server. NAKing this is
 2202: 	wrong. Thanks to Brad D'Hondt for assistance with this.
 2203: 
 2204: 	Fix cosmetic bug which produced strange output when
 2205: 	dumping cache statistics with some configurations. Thanks
 2206: 	to Fedor Kozhevnikov for spotting this.
 2207: 
 2208: 
 2209: version 2.55
 2210: 	Fix crash when /etc/ethers is in use. Thanks to 
 2211: 	Gianluigi Tiesi for finding this.
 2212: 
 2213: 	Fix crash in netlink_multicast(). Thanks to Arno Wald for
 2214: 	finding this one.
 2215: 
 2216: 	Allow the empty domain "." in dhcp domain-search (119)
 2217: 	options. 
 2218: 
 2219: 
 2220: version 2.54
 2221: 	There is no version 2.54 to avoid confusion with 2.53,
 2222: 	which incorrectly identifies itself as 2.54.
 2223: 
 2224: 
 2225: version 2.53
 2226: 	Fix failure to compile on Debian/kFreeBSD. Thanks to 
 2227: 	Axel Beckert and Petr Salinger.
 2228: 
 2229: 	Fix code to avoid scary strict-aliasing warnings
 2230: 	generated by gcc 4.4.
 2231: 	
 2232: 	Added FAQ entry warning about DHCP failures with Vista
 2233: 	when firewalls block 255.255.255.255.
 2234: 	
 2235: 	Fixed bug which caused bad things to happen if a 
 2236: 	resolv.conf file which exists is subsequently removed.
 2237: 	Thanks to Nikolai Saoukh for the patch.
 2238: 
 2239: 	Rationalised the DHCP tag system. Every configuration item
 2240: 	which can set a tag does so by adding "set:<tag>" and
 2241: 	every configuration item which is conditional on a tag is
 2242: 	made so by "tag:<tag>". The NOT operator changes to '!',
 2243: 	which is a bit more intuitive too. Dhcp-host directives
 2244: 	can set more than one tag now. The old '#' NOT, 
 2245: 	"net:" prefix and no-prefixes are still honoured, so 
 2246: 	no existing config file needs to be changed, but 
 2247: 	the documentation and new-style config files should be 
 2248: 	much less confusing. 
 2249: 
 2250: 	Added --tag-if to allow boolean operations on tags. 
 2251: 	This allows complicated logic to be clearer and more 
 2252: 	general. A great suggestion from Richard Voigt. 
 2253: 
 2254: 	Add broadcast/unicast information to DHCP logging.
 2255: 
 2256: 	Allow --dhcp-broadcast to be unconditional.
 2257: 
 2258: 	Fixed incorrect behaviour with NOT <tag> conditionals in
 2259: 	dhcp-options. Thanks to Max Turkewitz for assistance
 2260: 	finding this.
 2261: 
 2262: 	If we send vendor-class encapsulated options based on the
 2263: 	vendor-class supplied by the client, and no explicit 
 2264: 	vendor-class option is given, echo back the vendor-class
 2265: 	from the client.
 2266: 	
 2267: 	Fix bug which stopped dnsmasq from matching both a
 2268: 	circuitid and a remoteid. Thanks to Ignacio Bravo for
 2269: 	finding this.
 2270: 
 2271: 	Add --dhcp-proxy, which makes it possible to configure
 2272: 	dnsmasq to use a DHCP relay agent as a full proxy, with
 2273: 	all DHCP messages passing through the proxy. This is
 2274: 	useful if the relay adds extra information to the packets
 2275: 	it forwards, but cannot be configured with the RFC 5107 
 2276: 	server-override option.
 2277: 
 2278: 	Added interface:<iface name> part to dhcp-range. The
 2279: 	semantics of this are very odd at first sight, but it
 2280: 	allows a single line  of the form
 2281: 	dhcp-range=interface:virt0,192.168.0.4,192.168.0.200
 2282: 	to be added to dnsmasq configuration which then supplies
 2283: 	DHCP and DNS services to that interface, without affecting
 2284: 	what services are supplied to other interfaces and 
 2285: 	irrespective of the existence or lack of 
 2286: 	interface=<interface> 
 2287: 	lines elsewhere in the dnsmasq configuration. The idea is
 2288: 	that such a line can be added automatically by libvirt
 2289: 	or equivalent systems, without disturbing any manual
 2290: 	configuration.
 2291: 
 2292: 	Similarly to the above, allow --enable-tftp=<interface>
 2293: 
 2294: 	Allow a TFTP root to be set separately for requests via
 2295: 	different interfaces, --tftp-root=<path>,<interface>             
 2296: 
 2297: 	Correctly handle and log clashes between CNAMES and 
 2298: 	DNS names being given to DHCP leases. This fixes a bug 
 2299: 	which caused nonsense IP addresses to be logged. Thanks to 
 2300: 	Sergei Zhirikov for finding and analysing the problem.
 2301: 
 2302: 	Tweak flush_log so as to avoid leaving the log
 2303: 	file in non-blocking mode. O_NONBLOCK is a property of the
 2304: 	file, not the process/descriptor.
 2305: 
 2306: 	Fix contrib/Solaris10/create_package
 2307: 	(/usr/man -> /usr/share/man) Thanks to Vita Batrla.
 2308: 
 2309: 	Fix a problem where, if a client got a lease, then went
 2310: 	to another subnet and got another lease, then moved back,
 2311: 	it couldn't resume the old lease, but would instead get 
 2312: 	a new address. Thanks to Leonardo Rodrigues for spotting
 2313: 	this and testing the fix.
 2314: 
 2315: 	Fix weird bug which sometimes omitted certain characters
 2316: 	from the start of quoted strings in dhcp-options. Thanks
 2317: 	to Dayton Turner for spotting the problem.
 2318: 
 2319: 	Add facility to redirect some domains to the standard
 2320: 	upstream servers: this allows something like 
 2321: 	--server=/google.com/1.2.3.4 --server=/www.google.com/#
 2322: 	which will send queries for *.google.com to 1.2.3.4,
 2323: 	except *www.google.com which will be forwarded as usual.
 2324: 	Thanks to AJ Weber for prompting this addition.
 2325: 
 2326: 	Improve the hash-algorithm used to generate IP addresses
 2327: 	from MAC addresses during initial DHCP address
 2328: 	allocation. This improves performance when large numbers
 2329: 	of hosts with similar MAC addresses all try and get an IP
 2330: 	address at the same time. Thanks to Paul Smith for his
 2331: 	work on this.
 2332: 
 2333: 	Tweak DHCP code so that --bridge-interface can be used to
 2334: 	select which IP alias of an interface should be used for
 2335: 	DHCP purposes on Linux. If eth0 has an alias eth0:dhcp
 2336: 	then adding  --bridge-interface=eth0:dhcp,eth0 will use 
 2337: 	the address of eth0:dhcp to determine the correct subnet 
 2338: 	for DHCP address allocation. Thanks to Pawel Golaszewski 
 2339: 	for prompting this and Eric Cooper for further testing.
 2340: 
 2341: 	Add --dhcp-generate-names. Suggestion by Ferenc Wagner.
 2342: 
 2343: 	Tweak DNS server selection algorithm when there is more
 2344: 	than one server available for a domain, eg.
 2345: 	--server=/mydomain/1.1.1.1
 2346: 	--server=/mydomain/2.2.2.2
 2347: 	Thanks to Alberto Cuesta-Canada for spotting a weakness
 2348: 	here.
 2349: 
 2350: 	Add --max-ttl. Thanks to Fredrik Ringertz for the patch.
 2351: 
 2352: 	Allow --log-facility=- to force all logging to
 2353: 	stderr. Suggestion from Clemens Fischer.
 2354: 
 2355: 	Fix regression which caused configuration like
 2356: 	--address=/.domain.com/1.2.3.4 to be rejected. The dot to the 
 2357: 	left of the domain has been implied and not required for a
 2358: 	long time, but it should be accepted for backward
 2359: 	compatibility. Thanks to Andrew Burcin for spotting this.
 2360: 
 2361: 	Add --rebind-domain-ok and --rebind-localhost-ok.
 2362: 	Suggestion from Clemens Fischer.
 2363: 
 2364: 	Log replies to queries of type TXT, when --log-queries 
 2365: 	is set.
 2366: 
 2367: 	Fix compiler warnings when compiled with -DNO_DHCP. Thanks
 2368: 	to Shantanu Gadgil for the patch.
 2369: 
 2370: 	Updated French translation. Thanks to Gildas Le Nadan.
 2371: 
 2372: 	Updated Polish translation. Thanks to Jan Psota.
 2373: 
 2374: 	Updated German translation. Thanks to Matthias Andree.
 2375: 
 2376: 	Added contrib/static-arp, thanks to Darren Hoo.
 2377: 
 2378: 	Fix corruption of the domain when a name from /etc/hosts
 2379: 	overrides one supplied by a DHCP client. Thanks to Fedor
 2380: 	Kozhevnikov for spotting the problem.
 2381: 
 2382: 	Updated Spanish translation. Thanks to Chris Chatham.
 2383: 
 2384: 
 2385: version 2.52
 2386: 	Work around a Linux kernel bug which insists that the 
 2387: 	length of the option passed to setsockopt must be at least
 2388: 	sizeof(int) bytes, even if we're calling SO_BINDTODEVICE
 2389: 	and the device name is "lo".  Note that this is fixed 
 2390: 	in kernel 2.6.31, but the workaround is harmless and 
 2391: 	allows earlier kernels to be used. Also fix dnsmasq 
 2392: 	bug which reported the wrong address when this failed. 
 2393: 	Thanks to Fedor for finding this.
 2394: 
 2395: 	The API for IPv6 PKTINFO changed around Linux kernel
 2396: 	2.6.14. Work around the case where dnsmasq is compiled
 2397: 	against newer headers, but then run on an old kernel:
 2398: 	necessary for some *WRT distros.
 2399: 
 2400: 	Re-read the set of network interfaces when re-loading
 2401: 	/etc/resolv.conf if --bind-interfaces is not set. This
 2402: 	handles the case that loopback interfaces do not exist
 2403: 	when dnsmasq is first started.
 2404: 
 2405: 	Tweak the PXE code to support port 4011. This should
 2406: 	reduce broadcasts and make things more reliable when other
 2407: 	servers are around. It also improves inter-operability
 2408: 	with certain clients.
 2409: 
 2410: 	Make a pxe-service configuration with no filename or boot 
 2411: 	service type legal: this does a local boot. eg.
 2412: 	pxe-service=x86PC, "Local boot" 
 2413: 
 2414: 	Be more conservative in detecting "A for A"
 2415: 	queries. Dnsmasq checks if the name in a type=A query looks
 2416: 	like a dotted-quad IP address and answers the query itself
 2417: 	if so, rather than forwarding it. Previously dnsmasq
 2418: 	relied on the library function inet_addr() to convert
 2419: 	addresses, and that will accept some things which are
 2420: 	confusing in this context, like 1.2.3 or even just
 2421: 	1234. Now we only do A for A processing for four decimal
 2422: 	numbers delimited by dots.
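
The difference between the lenient library parse and the conservative "four decimal numbers delimited by dots" rule described above, as an added example that is not dnsmasq's own code. The helper names are hypothetical, and reading each octet as decimal with at most three digits is this example's choice.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Strict check (hypothetical helper, not dnsmasq's function): accept only
   four decimal numbers in 0..255 delimited by dots, with nothing before or
   after. On success store the address in host byte order and return 1. */
static int strict_dotted_quad(const char *name, uint32_t *addr_out)
{
    uint32_t addr = 0;
    int octets = 0;
    const char *p = name;

    for (;;) {
        unsigned val = 0;
        int digits = 0;

        while (*p >= '0' && *p <= '9') {
            val = val * 10 + (unsigned)(*p - '0');
            if (++digits > 3 || val > 255)
                return 0;            /* too long or out of range */
            p++;
        }
        if (digits == 0)
            return 0;                /* empty label, or not a number */
        addr = (addr << 8) | val;
        octets++;
        if (*p != '.')
            break;
        if (octets == 4)
            return 0;                /* a fifth label or trailing dot */
        p++;
    }
    if (*p != '\0' || octets != 4)
        return 0;                    /* trailing junk or too few numbers */
    *addr_out = addr;
    return 1;
}

/* The lenient behaviour: inet_addr() also accepts shortened forms
   such as "1.2.3" and single numbers such as "1234". */
static int lenient_accepts(const char *name)
{
    return inet_addr(name) != INADDR_NONE;
}

int main(void)
{
    /* Constructed sample query names. */
    static const char *samples[] = {
        "1.2.3.4", "1.2.3", "1234", "1.2.3.4.5", "1.2.3.256", "www.example.com"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t a = 0;
        int strict = strict_dotted_quad(samples[i], &a);

        printf("%-16s inet_addr=%d strict=%d\n",
               samples[i], lenient_accepts(samples[i]), strict);
    }
    return 0;
}
```
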
 2423: 
 2424: 	A couple of tweaks to fix compilation on Solaris. Thanks
 2425: 	to Joel Macklow for help with this.
 2426: 
 2427: 	Another Solaris compilation tweak, needed for Solaris
 2428: 	2009.06. Thanks to Lee Essen for that.
 2429: 
 2430: 	Added extract packaging stuff from Lee Essen to 
 2431: 	contrib/Solaris10.
 2432: 
 2433: 	Increased the default limit on number of leases to 1000
 2434: 	(from 150). This is mainly a defence against DoS attacks,
 2435: 	and for the average "one or two class C networks"
 2436: 	installation, IP address exhaustion does that just as
 2437: 	well. Making the limit greater than the number of IP
 2438: 	addresses available in such an installation removes a
 2439: 	surprise which otherwise can catch people out.
 2440: 
 2441: 	Removed extraneous trailing space in the value of the
 2442: 	DNSMASQ_TIME_REMAINING DNSMASQ_LEASE_LENGTH and
 2443: 	DNSMASQ_LEASE_EXPIRES environment variables. Thanks to
 2444: 	Gildas Le Nadan for spotting this.
 2445: 
 2446: 	Provide the network-id tags for a DHCP transaction to 
 2447: 	the lease-change script in the environment variable
 2448: 	DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan.  
 2449: 
 2450: 	Add support for RFC3925 "Vendor-Identifying Vendor
 2451: 	Options". The syntax looks like this:  
 2452: 	--dhcp-option=vi-encap:<enterprise number>, .........
 2453: 
 2454: 	Add support to --dhcp-match to allow matching against
 2455: 	RFC3925 "Vendor-Identifying Vendor Classes". The syntax
 2456: 	looks like this:
 2457: 	--dhcp-match=tag,vi-encap:<enterprise number>, <value>
 2458: 
 2459: 	Add some application specific code to assist in
 2460: 	implementing the Broadband forum TR069 CPE-WAN
 2461: 	specification. The details are in contrib/CPE-WAN/README
 2462: 
 2463: 	Increase the default DNS packet size limit to 4096, as
 2464: 	recommended by RFC5625 section 4.4.3. This can be
 2465: 	reconfigured using --edns-packet-max if needed. Thanks to
 2466: 	Francis Dupont for pointing this out.
 2467: 
 2468: 	Rewrite query-ids even for TSIG signed packets, since
 2469: 	this is allowed by RFC5625 section 4.5.
 2470: 
 2471: 	Use getopt_long by default on OS X. It has been supported
 2472: 	since version 10.3.0. Thanks to Arek Dreyer for spotting
 2473: 	this.
 2474: 
 2475: 	Added up-to-date startup configuration for MacOSX/launchd
 2476: 	in contrib/MacOSX-launchd. Thanks to Arek Dreyer for
 2477: 	providing this.
 2478: 
 2479: 	Fix link error when including Dbus but excluding DHCP. 
 2480: 	Thanks to Oschtan for the bug report.
 2481: 
 2482: 	Updated French translation. Thanks to Gildas Le Nadan.
 2483: 
 2484: 	Updated Polish translation. Thanks to Jan Psota.
 2485: 
 2486: 	Updated Spanish translation. Thanks to Chris Chatham.
 2487: 
 2488: 	Fixed confusion about domains, when looking up DHCP hosts
 2489: 	in /etc/hosts. This could cause spurious "Ignoring
 2490: 	domain..." messages. Thanks to Fedor Kozhevnikov for
 2491: 	finding and analysing the problem.
 2492: 
 2493: 
 2494: version 2.51
 2495: 	Add support for internationalised DNS. Non-ASCII characters
 2496: 	in domain names found in /etc/hosts, /etc/ethers and 
 2497: 	/etc/dnsmasq.conf will be correctly handled by translation to
 2498: 	punycode, as specified in RFC3490. This function is only
 2499: 	available if dnsmasq is compiled with internationalisation
 2500: 	support, and adds a dependency on GNU libidn. Without i18n
 2501: 	support, dnsmasq continues to be compilable with just
 2502: 	standard tools. Thanks to Yves Dorfsman for the
 2503: 	suggestion. 
 2504: 
 2505: 	Add two more environment variables for lease-change scripts:
 2506: 	First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname
 2507: 	supplied by a client, even if the actual hostname used is
 2508: 	over-ridden by dhcp-host or dhcp-ignore-names directives.
 2509: 	Also DNSMASQ_RELAY_ADDRESS which gives the address of 
 2510: 	a DHCP relay, if used.
 2511: 	Suggestions from Michael Rack.
 2512: 
 2513: 	Fix regression which broke echo of relay-agent
 2514: 	options. Thanks to Michael Rack for spotting this.
 2515: 
 2516: 	Don't treat option 67 as being interchangeable with
 2517: 	dhcp-boot parameters if it's specified as
 2518: 	dhcp-option-force.
 2519: 
 2520: 	Make the code to call scripts on lease-change compile-time
 2521: 	optional. It can be switched off by editing src/config.h
 2522: 	or building with "make COPTS=-DNO_SCRIPT".
 2523: 
 2524: 	Make the TFTP server cope with filenames from Windows/DOS
 2525: 	which use '\' as pathname separator. Thanks to Ralf for
 2526: 	the patch.
 2527: 
 2528: 	Updated Polish translation. Thanks to Jan Psota.
 2529: 
 2530: 	Warn if an IP address is duplicated in /etc/ethers. Thanks
 2531: 	to Felix Schwarz for pointing this out.
 2532: 
 2533: 	Teach --conf-dir to take an option list of file suffixes
 2534: 	which will be ignored when scanning the directory. Useful
 2535: 	for backup files etc. Thanks to Helmut Hullen for the
 2536: 	suggestion. 
 2537: 
 2538: 	Add new DHCP option named tftpserver-address, which
 2539: 	corresponds to the third argument of dhcp-boot. This
 2540: 	allows the complete functionality of dhcp-boot to be
 2541: 	replicated with dhcp-option. Useful when using 
 2542: 	dhcp-optsfile.
 2543: 
 2544: 	Test which upstream nameserver to use every 10 seconds
 2545: 	or 50 queries and not just when a query times out and 
 2546: 	is retried. This should improve performance when there
 2547: 	is a slow nameserver in the list. Thanks to Joe for the
 2548: 	suggestion. 
 2549: 
 2550: 	Don't do any PXE processing, even for clients with the 
 2551: 	correct vendorclass, unless at least one pxe-prompt or 
 2552: 	pxe-service option is given. This stops dnsmasq 
 2553: 	interfering with proxy PXE subsystems when it is just 
 2554: 	the DHCP server. Thanks to Spencer Clark for spotting this.
 2555: 
 2556: 	Limit the blocksize used for TFTP transfers to a value
 2557: 	which avoids packet fragmentation, based on the MTU of the
 2558: 	local interface. Many netboot ROMs can't cope with
 2559: 	fragmented packets.
 2560: 
 2561: 	Honour dhcp-ignore configuration for PXE and proxy-PXE 
 2562: 	requests. Thanks to Niels Basjes for the bug report.
 2563: 
 2564: 	Updated French translation. Thanks to Gildas Le Nadan.
 2565: 
 2566: 
 2567: version 2.50
 2568: 	Fix security problem which allowed any host permitted to 
 2569: 	do TFTP to possibly compromise dnsmasq by remote buffer 
 2570: 	overflow when TFTP enabled. Thanks to Core Security 
 2571: 	Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro 
 2572: 	Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and
 2573: 	Pablo Annetta. This problem has Bugtraq id: 36121 
 2574: 	and CVE: 2009-2957
 2575: 
 2576: 	Fix a problem which allowed a malicious TFTP client to 
 2577: 	crash dnsmasq. Thanks to Steve Grubb at Red Hat for 
 2578: 	spotting this. This problem has Bugtraq id: 36120 and 
 2579: 	CVE: 2009-2958
 2580: 
 2581: 
 2582: version 2.49
 2583: 	Fix regression in 2.48 which disables the lease-change
 2584: 	script. Thanks to Jose Luis Duran for spotting this.
 2585: 
 2586: 	Log TFTP "file not found" errors. These were not logged,
 2587: 	since a normal PXELinux boot generates many of them, but
 2588: 	the lack of the messages seems to be more confusing than
 2589: 	routinely seeing them when there is no real error.
 2590: 
 2591: 	Update Spanish translation. Thanks to Chris Chatham.
 2592: 
 2593: 
 2594: version 2.48
 2595: 	Archived the extensive, backwards, changelog to
 2596: 	CHANGELOG.archive. The current changelog now runs from
 2597: 	version 2.43 and runs conventionally.
 2598: 
 2599: 	Fixed bug which broke binding of servers to physical
 2600: 	interfaces when interface names were longer than four
 2601: 	characters. Thanks to MURASE Katsunori for the patch.
 2602: 
 2603: 	Fixed netlink code to check that messages come from the
 2604: 	correct source, and not another userspace process. Thanks
 2605: 	to Steve Grubb for the patch.
 2606: 
 2607: 	Maintainability drive: removed bug and missing feature
 2608: 	workarounds for some old platforms. Solaris 9, OpenBSD
 2609: 	older than 4.1, Glibc older than 2.2, Linux 2.2.x and 
 2610: 	DBus older than 1.1.x are no longer supported. 
 2611: 
 2612: 	Don't read included configuration files more than once:
 2613: 	allows complex configuration structures without problems.
 2614: 
 2615: 	Mark log messages from the various subsystems in dnsmasq:
 2616: 	messages from the DHCP subsystem now have the ident string
 2617: 	"dnsmasq-dhcp" and messages from TFTP have ident
 2618: 	"dnsmasq-tftp". Thanks to Olaf Westrik for the patch.
 2619: 
 2620: 	Fix possible infinite DHCP protocol loop when an IP
 2621: 	address is nailed to a hostname (not a MAC address) and a
 2622: 	host sometimes provides the name, sometimes not.
 2623: 
 2624: 	Allow --addn-hosts to take a directory: all the files 
 2625: 	in the directory are read. Thanks to Phil Cornelius for 
 2626: 	the suggestion. 
 2627: 
 2628: 	Support --bridge-interface on all platforms, not just BSD.
 2629: 
 2630: 	Added support for advanced PXE functions. It's now
 2631: 	possible to define a prompt and menu options which will
 2632: 	be displayed when a client PXE boots. It's also possible to
 2633: 	hand-off booting to other boot servers. Proxy-DHCP, where
 2634: 	dnsmasq just supplies the PXE information and another DHCP
 2635: 	server does address allocation, is also allowed. See the
 2636: 	--pxe-prompt and --pxe-service keywords. Thanks to 
 2637: 	Alkis Georgopoulos for the suggestion and Guilherme Moro
 2638: 	and Michael Brown for assistance.
 2639: 
 2640: 	Improvements to DHCP logging. Thanks to Tom Metro for
 2641: 	useful suggestions.
 2642: 
 2643: 	Add ability to build dnsmasq without DHCP support. To do
 2644: 	this, edit src/config.h or build with
 2645: 	"make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch. 
 2646: 
 2647: 	Added --test command-line switch - syntax check
 2648: 	configuration files only.
 2649: 
 2650: 	Updated French translation. Thanks to Gildas Le Nadan.
 2651: 
 2652: 
 2653: version 2.47
 2654: 	Updated French translation. Thanks to Gildas Le Nadan.
 2655: 
 2656: 	Fixed interface enumeration code to work on NetBSD
 2657: 	5.0. Thanks to Roy Marples for the patch. 
 2658: 
 2659: 	Updated config.h to use the same location for the lease
 2660: 	file on NetBSD as the other *BSD variants. Also allow
 2661: 	LEASEFILE and CONFFILE symbols to be overridden in CFLAGS.  
 2662: 
 2663: 	Handle duplicate address detection on IPv6 more
 2664: 	intelligently. In IPv6, an interface can have an address
 2665: 	which is not usable, because it is still undergoing DAD
 2666: 	(such addresses are marked "tentative"). Attempting to
 2667: 	bind to an address in this state returns an error,
 2668: 	EADDRNOTAVAIL. Previously, on getting such an error,
 2669: 	dnsmasq would silently abandon the address, and never
 2670: 	listen on it. Now, it retries once per second for 20
 2671: 	seconds before generating a fatal error. 20 seconds should
 2672: 	be long enough for any DAD process to complete, but can be
 2673: 	adjusted in src/config.h if necessary. Thanks to Martin
 2674: 	Krafft for the bug report.
 2675: 
 2676: 	Add DBus introspection. Patch from Jeremy Laine.
 2677: 
 2678: 	Update Dbus configuration file. Patch from Colin Walters.
 2679: 	Fix for this bug:
 2680: 	http://bugs.freedesktop.org/show_bug.cgi?id=18961
 2681: 
 2682: 	Support arbitrarily encapsulated DHCP options, suggestion
 2683: 	and initial patch from Samium Gromoff. This is useful for
 2684: 	(eg) iPXE, which expects all its private options to be
 2685: 	encapsulated inside a single option 175. So, eg, 
 2686: 
 2687: 	dhcp-option = encap:175, 190, "iscsi-client0"
 2688: 	dhcp-option = encap:175, 191, "iscsi-client0-secret"
 2689: 
 2690: 	will provide iSCSI parameters to iPXE.
 2691: 
 2692: 	Enhance --dhcp-match to allow testing of the contents of a
 2693: 	client-sent option, as well as its presence. The
 2694: 	application in mind for this is RFC 4578
 2695: 	client-architecture specifiers, but it's generally useful.
 2696: 	Joey Korkames suggested the enhancement. 
 2697: 
 2698: 	Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on
 2699: 	OpenSolaris. Thanks to Bastian Machek for the heads-up.
 2700: 
 2701: 	No longer complain about blank lines in
 2702: 	/etc/ethers. Thanks to Jon Nelson for the patch.
 2703: 
 2704: 	Fix binding of servers to physical devices, eg
 2705: 	--server=/domain/1.2.3.4@eth0 which was broken from 2.43
 2706: 	onwards unless --query-port=0 set. Thanks to Peter Naulls
 2707: 	for the bug report.
 2708: 
 2709: 	Reply to DHCPINFORM requests even when the supplied ciaddr
 2710: 	doesn't fall in any dhcp-range. In this case it's not
 2711: 	possible to supply a complete configuration, but
 2712: 	individually-configured options (eg PAC) may be useful.
 2713: 
 2714: 	Allow the source address of an alias to be a range:
 2715: 	--alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole
 2716: 	subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255,
 2717: 	as before.
 2718: 	--alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
 2719: 	maps only the 192.168.0.10->192.168.0.40 region. Thanks to
 2720: 	Ib Uhrskov for the suggestion.
 2721: 
 2722: 	Don't dynamically allocate DHCP addresses which may break
 2723: 	Windows.  Addresses which end in .255 or .0 are broken in
 2724: 	Windows even when using supernetting.
 2725: 	--dhcp-range=192.168.0.1,192.168.1.254,255.255.254.0 means
 2726: 	192.168.0.255 is a valid IP address, but not for Windows. 
 2727: 	See Microsoft KB281579. We therefore no longer allocate 
 2728: 	these addresses to avoid hard-to-diagnose problems. 
 2729: 
 2730: 	Update Polish translation. Thanks to Jan Psota.
 2731: 
 2732: 	Delete the PID-file when dnsmasq shuts down. Note that by
 2733: 	this time, dnsmasq is normally not running as root, so
 2734: 	this will fail if the PID-file is stored in a root-owned
 2735: 	directory; such failure is silently ignored. To take
 2736: 	advantage of this feature, the PID-file must be stored in a
 2737: 	directory owned and write-able by the user running
 2738: 	dnsmasq.
 2739: 
 2740: 
 2741: version 2.46
 2742: 	Allow --bootp-dynamic to take a netid tag, so that it may
 2743: 	be selectively enabled. Thanks to Olaf Westrik for the
 2744: 	suggestion. 
 2745: 
 2746: 	Remove ISC-leasefile reading code. This has been
 2747: 	deprecated for a long time, and last time I removed it, it
 2748: 	ended up going back by request of one user. This time,
 2749: 	it's gone for good; otherwise it would need to be
 2750: 	re-worked to support multiple domains (see below).
 2751: 
 2752: 	Support DHCP clients in multiple DNS domains. This is a
 2753: 	long-standing request. Clients are assigned to a domain
 2754: 	based on their IP address.
 2755: 
 2756: 	Add --dhcp-fqdn flag, which changes behaviour of DNS names
 2757: 	assigned to DHCP clients. When this is set, there must be
 2758: 	a domain associated with each client, and only
 2759: 	fully-qualified domain names are added to the DNS. The
 2760: 	advantage is that only the FQDN needs to be unique,
 2761: 	so that two or more DHCP clients can share a hostname, as
 2762: 	long as they are in different domains.
 2763: 
 2764: 	Set environment variable DNSMASQ_DOMAIN when invoking
 2765: 	lease-change script. This may be useful information to
 2766: 	have now that it's variable.
 2767: 
 2768: 	Tighten up data-checking code for DNS packet
 2769: 	handling. Thanks to Steve Dodd who found certain illegal
 2770: 	packets which could crash dnsmasq. No memory overwrite was
 2771: 	possible, so this is not a security issue beyond the DoS
 2772: 	potential.  
 2773: 
 2774: 	Update example config dhcp option 47, the previous
 2775: 	suggestion generated an illegal, zero-length,
 2776: 	option. Thanks to Matthias Andree for finding this.
 2777: 
 2778: 	Rewrite hosts-file reading code to remove the limit of
 2779: 	1024 characters per line. John C Meuser found this.
 2780: 
 2781: 	Create a net-id tag with the name of the interface on
 2782: 	which the DHCP request was received.
 2783: 
 2784: 	Fixed minor memory leak in DBus code, thanks to Jeremy
 2785: 	Laine for the patch.
 2786: 
 2787: 	Emit DBus signals as the DHCP lease database
 2788: 	changes. Thanks to Jeremy Laine for the patch.
 2789: 
 2790: 	Allow for more than one MAC address in a dhcp-host
 2791: 	line. This configuration tells dnsmasq that it's OK to
 2792: 	abandon a DHCP lease of the fixed address to one MAC
 2793: 	address, if another MAC address in the dhcp-host statement 
 2794: 	asks for an address. This is useful to give a fixed
 2795: 	address to a host which has two network interfaces
 2796: 	(say, a laptop with wired and wireless interfaces.) 
 2797: 	It's very important to ensure that only one interface 
 2798: 	at a time is up, since dnsmasq abandons the first lease 
 2799: 	and re-uses the address before the leased time has
 2800: 	elapsed. John Gray suggested this.
 2801: 
 2802: 	Tweak the response to a DHCP request packet with a wrong
 2803: 	server-id when --dhcp-authoritative is set; dnsmasq now
 2804: 	returns a DHCPNAK, rather than silently ignoring the
 2805: 	packet. Thanks to Chris Marget for spotting this
 2806: 	improvement.
 2807: 
 2808: 	Add --cname option. This provides a limited alias
 2809: 	function, usable for DHCP names. Thanks to AJ Weber for
 2810: 	suggestions on this.
 2811: 
 2812: 	Updated contrib/webmin with latest version from Neil
 2813: 	Fisher.
 2814: 
 2815: 	Updated Polish translation. Thanks to Jan Psota.
 2816: 
 2817: 	Correct the text names for DHCP options 64 and 65 to be
 2818: 	"nis+-domain" and "nis+-servers".
 2819: 
 2820: 	Updated Spanish translation. Thanks to Chris Chatham.
 2821: 
 2822: 	Force re-reading of /etc/resolv.conf when an "interface
 2823: 	up" event occurs.
 2824: 
 2825: 
 2826: version 2.45
 2827: 	Fix total DNS failure in release 2.44 unless --min-port 
 2828: 	specified. Thanks to Steven Barth and Grant Coady for
 2829: 	bug report. Also reject out-of-range port spec, which could
 2830: 	break things too: suggestion from Gilles Espinasse.
 2831: 
 2832: 
 2833: version 2.44
 2834: 	Fix crash when unknown client attempts to renew a DHCP
 2835: 	lease, problem introduced in version 2.43. Thanks to
 2836: 	Carlos Carvalho for help chasing this down.
 2837: 
 2838: 	Fix potential crash when a host which doesn't have a lease
 2839: 	does DHCPINFORM. Again introduced in 2.43. This bug has
 2840: 	never been reported in the wild.
 2841: 
 2842: 	Fix crash in netlink code introduced in 2.43. Thanks to
 2843: 	Jean Wolter for finding this.
 2844: 
 2845: 	Change implementation of min_port to work even if min-port
 2846: 	is large.
 2847: 
 2848: 	Patch to enable compilation of latest Mac OS X. Thanks to
 2849: 	David Gilman.
 2850: 
 2851: 	Update Spanish translation. Thanks to Christopher Chatham.
 2852: 
 2853: 
 2854: version 2.43
 2855: 	Updated Polish translation. Thanks to Jan Psota.
 2856: 
 2857: 	Flag errors when configuration options are repeated
 2858: 	illegally.
 2859: 
 2860: 	Further tweaks for GNU/kFreeBSD
 2861: 
 2862: 	Add --no-wrap to msgmerge call - provides nicer .po file
 2863: 	format.
 2864: 
 2865: 	Honour lease-time spec in dhcp-host lines even for
 2866: 	BOOTP. The user is assumed to know what they are doing in
 2867: 	this case. (Hosts without the time spec still get infinite
 2868: 	leases for BOOTP, over-riding the default in the
 2869: 	dhcp-range.) Thanks to Peter Katzmann for uncovering this.
 2870: 
 2871: 	Fix problem matching relay-agent ids. Thanks to Michael
 2872: 	Rack for the bug report.
 2873: 
 2874: 	Add --naptr-record option. Suggestion from Johan
 2875: 	Bergquist.
 2876: 
 2877: 	Implement RFC 5107 server-id-override DHCP relay agent
 2878: 	option.
 2879: 
 2880: 	Apply patches from Stefan Kruger for compilation on
 2881: 	Solaris 10 under Sun studio.
 2882: 
 2883: 	Yet more tweaking of Linux capability code, to suppress
 2884: 	pointless whingeing from kernel 2.6.25 and above.
 2885: 
 2886: 	Improve error checking during startup. Previously, some
 2887: 	errors which occurred during startup would be worked
 2888: 	around, with dnsmasq still starting up. Some were logged,
 2889: 	some silent. Now, they all cause a fatal error and dnsmasq 
 2890: 	terminates with a non-zero exit code. The errors are those
 2891: 	associated with changing uid and gid, setting process 
 2892: 	capabilities and writing the pidfile. Thanks to Uwe
 2893: 	Gansert and the Suse security team for pointing out 
 2894: 	this improvement, and Bill Reimers for good implementation
 2895: 	suggestions.
 2896: 
 2897: 	Provide NO_LARGEFILE compile option to switch off largefile
 2898: 	support when compiling against versions of uclibc which
 2899: 	don't support it. Thanks to Stephane Billiart for the patch.
 2900: 
 2901: 	Implement random source ports for interactions with
 2902: 	upstream nameservers. New spoofing attacks have been found
 2903: 	against nameservers which do not do this, though it is not
 2904: 	clear if dnsmasq is vulnerable, since it doesn't implement
 2905: 	recursion. By default dnsmasq will now use a different
 2906: 	source port (and socket) for each query it sends
 2907: 	upstream. This behaviour can be suppressed using the
 2908: 	--query-port option, and the old default behaviour
 2909: 	restored using --query-port=0. Explicit source-port
 2910: 	specifications in --server configs are still honoured.
 2911: 
 2912: 	Replace the random number generator, for better
 2913: 	security. On most BSD systems, dnsmasq uses the
 2914: 	arc4random() RNG, which is secure, but on other platforms,
 2915: 	it relied on the C-library RNG, which may be
 2916: 	guessable and therefore allow spoofing. This release
 2917: 	replaces the libc RNG with the SURF RNG, from Daniel
 2918: 	J. Bernstein's DJBDNS package.
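
An added C example (not dnsmasq's code) of the two changes above: a fresh socket on an unpredictable source port for each upstream query, with the port drawn from a secure RNG. It reads /dev/urandom where dnsmasq 2.43 used SURF, treats 1024 as an assumed lowest port, and all function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Fill buf from the kernel CSPRNG (an assumption; dnsmasq 2.43 used SURF). */
static int csprng(void *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(buf, 1, n, f) : 0;
    if (f) fclose(f);
    return got == n ? 0 : -1;
}

/* Uniform port in [min_port, 65535]; rejection sampling avoids modulo bias. */
int random_port(uint16_t min_port)
{
    uint32_t span = 65536u - min_port, limit = 65536u - 65536u % span;
    uint16_t r;
    do {
        if (csprng(&r, sizeof r) != 0) return -1;
    } while (r >= limit);
    return (int)(min_port + r % span);
}

/* Open a UDP socket for one query on a fresh random port; fd or -1. */
int open_query_socket(uint16_t min_port, uint16_t *port)
{
    for (int tries = 0; tries < 16; tries++) {
        int p = random_port(min_port);
        int fd = p < 0 ? -1 : socket(AF_INET, SOCK_DGRAM, 0);
        if (fd < 0) return -1;
        struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons((uint16_t)p) };
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0) { *port = (uint16_t)p; return fd; }
        int err = errno;
        close(fd);
        if (err != EADDRINUSE) return -1;   /* only a port clash is worth a retry */
    }
    return -1;
}

int main(void)
{
    uint16_t port = 0;
    int fd = open_query_socket(1024, &port);
    if (fd >= 0) { printf("query socket bound to source port %u\n", port); close(fd); }
    return fd < 0;
}
```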
 2919: 
 2920: 	Don't attempt to change user or group or set capabilities
 2921: 	if dnsmasq is run as a non-root user. Without this, the
 2922: 	change from soft to hard errors when these fail causes
 2923: 	problems for non-root daemons listening on high
 2924: 	ports. Thanks to Patrick McLean for spotting this.
 2925: 
 2926: 	Updated French translation. Thanks to Gildas Le Nadan.
 2927: 
 2928: 
 2929: version 2.42
 2930: 	The changelog for version 2.42 and earlier is 
 2931: 	available in CHANGELOG.archive.
