From i3endek, thanks!
version 2.80
Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
for the initial patch and motivation.
Alter the default for dnssec-check-unsigned. Versions of
dnsmasq prior to 2.80 defaulted to not checking unsigned
replies, and used --dnssec-check-unsigned to switch
this on. Such configurations will continue to work as before,
but those which used the default of no checking will need to be
altered to explicitly select no checking. The new default is
because switching off checking for unsigned replies is
inherently dangerous. Not only does it open the possiblity of forged
replies, but it allows everything to appear to be working even
when the upstream namesevers do not support DNSSEC, and in this
case no DNSSEC validation at all is occuring.
Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
are set. Thanks to Daniel Miess for help with this.
Add a facilty to store DNS packets sent/recieved in a
pcap-format file for later debugging. The file location
is given by the --dumpfile option, and a bitmap controlling
which packets should be dumped is given by the --dumpmask
option.
Handle the case of both standard and constructed dhcp-ranges on the
same interface better. We don't now contruct a dhcp-range if there's
already one specified. This allows the specified interface to
have different parameters and avoids advertising the same
prefix twice. Thanks to Luis Marsano for spotting this case.
Allow zone transfer in authoritative mode if auth-peer is specified,
even if auth-sec-servers is not. Thanks to Raphaël Halimi for
the suggestion.
Fix bug which sometimes caused dnsmasq to wrongly return answers
without DNSSEC RRs to queries with the do-bit set, but only when
DNSSEC validation was not enabled.
Thanks to Petr Menšík for spotting this.
Fix missing fatal errors with some malformed options
(server, local, address, rebind-domain-ok, ipset, alias).
Thanks to Eugene Lozovoy for spotting the problem.
Fix crash on startup with a --synth-domain which has no prefix.
Introduced in 2.79. Thanks to Andreas Engel for the bug report.
Fix missing EDNS0 section in some replies generated by local
DNS configuration which confused systemd-resolvd. Thanks to
Steve Dodd for characterising the problem.
Add --dhcp-name-match config option.
Add --caa-record config option.
Implement --address=/example.com/# as (more efficient) syntactic
sugar for --address=/example.com/0.0.0.0 and
--address=/example.com/::
Returning null addresses is a useful technique for ad-blocking.
Thanks to Peter Russell for the suggestion.
Change anti cache-snooping behaviour with queries with the
recursion-desired bit unset. Instead to returning SERVFAIL, we
now always forward, and never answer from the cache. This
allows "dig +trace" command to work.
Include in the example config file a formulation which
stops DHCP clients from claiming the DNS name "wpad".
This is a fix for the CERT Vulnerability VU#598349.
version 2.79
Fix parsing of CNAME arguments, which are confused by extra spaces.
Thanks to Diego Aguirre for spotting the bug.
Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
upstream servers to an interface, rather than SO_BINDTODEVICE.
Thanks to Beniamino Galvani for the patch.
Always return a SERVFAIL answer to DNS queries without the
recursion desired bit set, UNLESS acting as an authoritative
DNS server. This avoids a potential route to cache snooping.
Add support for Ed25519 signatures in DNSSEC validation.
No longer support RSA/MD5 signatures in DNSSEC validation,
since these are not secure. This behaviour is mandated in
RFC-6944.
Fix incorrect error exit code from dhcp_release6 utility.
Thanks Gaudenz Steinlin for the bug report.
Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
time validation when --dnssec-no-timecheck is in use.
Note that this is an incompatible change from earlier releases.
Allow more than one --bridge-interface option to refer to an
interface, so that we can use
--bridge-interface=int1,alias1
--bridge-interface=int1,alias2
as an alternative to
--bridge-interface=int1,alias1,alias2
Thanks to Neil Jerram for work on this.
Fix for DNSSEC with wildcard-derived NSEC records.
It's OK for NSEC records to be expanded from wildcards,
but in that case, the proof of non-existence is only valid
starting at the wildcard name, *.<domain> NOT the name expanded
from the wildcard. Without this check it's possible for an
attacker to craft an NSEC which wrongly proves non-existence.
Thanks to Ralph Dolmans for finding this, and co-ordinating
the vulnerability tracking and fix release.
CVE-2017-15107 applies.
Remove special handling of A-for-A DNS queries. These
are no longer a significant problem in the global DNS.
http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
Thanks to Mattias Hellström for the initial patch.
Fix failure to delete dynamically created dhcp options
from files in -dhcp-optsdir directories. Thanks to
Lindgren Fredrik for the bug report.
Add to --synth-domain the ability to create names using
sequential numbers, as well as encodings of IP addresses.
For instance,
--synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
creates 21 domain names of the form
internal-4.thekelleys.org.uk over the address range given, with
internal-0.thekelleys.org.uk being 192.168.0.50 and
internal-20.thekelleys.org.uk being 192.168.0.70
Thanks to Andy Hawkins for the suggestion.
Tidy up Crypto code, removing workarounds for ancient
versions of libnettle. We now require libnettle 3.
version 2.78
Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
Novakovic for the patch.
Revert ping-check of address in DHCPDISCOVER if there
already exists a lease for the address. Under some
circumstances, and netbooted windows installation can reply
to pings before if has a DHCP lease and block allocation
of the address it already used during netboot. Thanks to
Jan Psota for spotting this.
Fix DHCP relaying, broken in 2.76 and 2.77 by commit
ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
John Fitzgibbon for the diagnosis and patch.
Try other servers if first returns REFUSED when
--strict-order active. Thanks to Hans Dedecker
for the patch
Fix regression in 2.77, ironically added as a security
improvement, which resulted in a crash when a DNS
query exceeded 512 bytes (or the EDNS0 packet size,
if different.) Thanks to Christian Kujau, Arne Woerner
Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
chasing this one down. CVE-2017-13704 applies.
Fix heap overflow in DNS code. This is a potentially serious
security hole. It allows an attacker who can make DNS
requests to dnsmasq, and who controls the contents of
a domain, which is thereby queried, to overflow
(by 2 bytes) a heap buffer and either crash, or
even take control of, dnsmasq.
CVE-2017-14491 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
Kevin Hamacher and Ron Bowes of the Google Security Team for
finding this.
Fix heap overflow in IPv6 router advertisement code.
This is a potentially serious security hole, as a
crafted RA request can overflow a buffer and crash or
control dnsmasq. Attacker must be on the local network.
CVE-2017-14492 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
and Kevin Hamacher of the Google Security Team for
finding this.
Fix stack overflow in DHCPv6 code. An attacker who can send
a DHCPv6 request to dnsmasq can overflow the stack frame and
crash or control dnsmasq.
CVE-2017-14493 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
Kevin Hamacher and Ron Bowes of the Google Security Team for
finding this.
Fix information leak in DHCPv6. A crafted DHCPv6 packet can
cause dnsmasq to forward memory from outside the packet
buffer to a DHCPv6 server when acting as a relay.
CVE-2017-14494 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
Kevin Hamacher and Ron Bowes of the Google Security Team for
finding this.
Fix DoS in DNS. Invalid boundary checks in the
add_pseudoheader function allows a memcpy call with negative
size An attacker which can send malicious DNS queries
to dnsmasq can trigger a DoS remotely.
dnsmasq is vulnerable only if one of the following option is
specified: --add-mac, --add-cpe-id or --add-subnet.
CVE-2017-14496 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
Kevin Hamacher and Ron Bowes of the Google Security Team for
finding this.
Fix out-of-memory Dos vulnerability. An attacker which can
send malicious DNS queries to dnsmasq can trigger memory
allocations in the add_pseudoheader function
The allocated memory is never freed which leads to a DoS
through memory exhaustion. dnsmasq is vulnerable only
if one of the following option is specified:
--add-mac, --add-cpe-id or --add-subnet.
CVE-2017-14495 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
Kevin Hamacher and Ron Bowes of the Google Security Team for
finding this.
Generate an error when configured with a CNAME loop,
rather than a crash. Thanks to George Metz for
spotting this problem.
Calculate the length of TFTP error reply packet
correctly. This fixes a problem when the error
message in a TFTP packet exceeds the arbitrary
limit of 500 characters. The message was correctly
truncated, but not the packet length, so
extra data was appended. This is a possible
security risk, since the extra data comes from
a buffer which is also used for DNS, so that
previous DNS queries or replies may be leaked.
Fix logic error in Linux netlink code. This could
cause dnsmasq to enter a tight loop on systems
with a very large number of network interfaces.
Fix problem with --dnssec-timestamp whereby receipt
of SIGHUP would erroneously engage timestamp checking.
Bump zone serial on reloading /etc/hosts and friends
when providing authoritative DNS.
Handle v4-mapped IPv6 addresses sanely in --synth-domain.
These have standard representation like ::ffff:1.2.3.4
and are now converted to names like
<prefix>--ffff-1-2-3-4.<domain>
Handle binding upstream servers to an interface
(--server=1.2.3.4@eth0) when the named interface
is destroyed and recreated in the kernel.
Allow wildcard CNAME records in authoritative zones.
For example --cname=*.example.com,default.example.com
more...
---------------------------
version 2.76
Include 0.0.0.0/8 in DNS rebind checks. This range
translates to hosts on the local network, or, at
least, 0.0.0.0 accesses the local host, so could
be targets for DNS rebinding. See RFC 5735 section 3
for details. Thanks to Stephen R旦ttger for the bug report.
Enhance --add-subnet to allow arbitrary subnet addresses.
Thanks to Ed Barsley for the patch.
Respect the --no-resolv flag in inotify code. Fixes bug
which caused dnsmasq to fail to start if a resolv-file
was a dangling symbolic link, even of --no-resolv set.
Thanks to Alexander Kurtz for spotting the problem.
Fix crash when an A or AAAA record is defined locally,
in a hosts file, and an upstream server sends a reply
that the same name is empty. Thanks to Edwin T旦r旦k for
the patch.
Fix failure to correctly calculate cache-size when
reading a hosts-file fails. Thanks to Andr辿 Gl端pker
for the patch.
Fix wrong answer to simple name query when --domain-needed
set, but no upstream servers configured. Dnsmasq returned
REFUSED, in this case, when it should be the same as when
upstream servers are configured - NOERROR. Thanks to
Allain Legacy for spotting the problem.
Return REFUSED when running out of forwarding table slots,
not SERVFAIL.
Add --max-port configuration. Thanks to Hans Dedecker for
the patch.
Add --script-arp and two new functions for the dhcp-script.
These are "arp" and "arp-old" which announce the arrival and
removal of entries in the ARP or nieghbour tables.
Extend --add-mac to allow a new encoding of the MAC address
as base64, by configurting --add-mac=base64
Add --add-cpe-id option.
Don't crash with divide-by-zero if an IPv6 dhcp-range
is declared as a whole /64.
(ie xx::0 to xx::ffff:ffff:ffff:ffff)
Thanks to Laurent Bendel for spotting this problem.
Add support for a TTL parameter in --host-record and
--cname.
Add --dhcp-ttl option.
Add --tftp-mtu option. Thanks to Patrick McLean for the
initial patch.
Check return-code of inet_pton() when parsing dhcp-option.
Bad addresses could fail to generate errors and result in
garbage dhcp-options being sent. Thanks to Marc Branchaud
for spotting this.
Fix wrong value for EDNS UDP packet size when using
--servers-file to define upstream DNS servers. Thanks to
Scott Bonar for the bug report.
Move the dhcp_release and dhcp_lease_time tools from
contrib/wrt to contrib/lease-tools.
Add dhcp_release6 to contrib/lease-tools. Many thanks
to Sergey Nechaev for this code.
To avoid filling logs in configurations which define
many upstream nameservers, don't log more that 30 servers.
The number to be logged can be changed as SERVERS_LOGGED
in src/config.h.
Swap the values if BC_EFI and x86-64_EFI in --pxe-service.
These were previously wrong due to an error in RFC 4578.
If you're using BC_EFI to boot 64-bit EFI machines, you
will need to update your config.
Add ARM32_EFI and ARM64_EFI as valid architectures in
--pxe-service.
Fix PXE booting for UEFI architectures. Modify PXE boot
sequence in this case to force the client to talk to dnsmasq
over port 4011. This makes PXE and especially proxy-DHCP PXE
work with these archictectures.
Workaround problems with UEFI PXE clients. There exist
in the wild PXE clients which have problems with PXE
boot menus. To work around this, when there's a single
--pxe-service which applies to client, then that target
will be booted directly, rather then sending a
single-item boot menu.
Many thanks to Jarek Polok, Michael Kuron and Dreamcat4
for their work on the long-standing UEFI PXE problem.
Subtle change in the semantics of "basename" in
--pxe-service. The historical behaviour has always been
that the actual filename downloaded from the TFTP server
is <basename>.<layer> where <layer> is an integer which
corresponds to the layer parameter supplied by the client.
It's not clear what the function of the "layer"
actually is in the PXE protocol, and in practise layer
is always zero, so the filename is <basename>.0
The new behaviour is the same as the old, except when
<basename> includes a file suffix, in which case
the layer suffix is no longer added. This allows
sensible suffices to be used, rather then the
meaningless ".0". Only in the unlikely event that you
have a config with a basename which already has a
suffix, is this an incompatible change, since the file
downloaded will change from name.suffix.0 to justy
name.suffix
pkgsrc-users@.
ok wiz@
pkgsrc changes:
o Pass COPTS via MAKE_FLAGS. This avoid to completely rebuild dnsmasq when dbus
option is selected.
Changes:
version 2.75
Fix reversion on 2.74 which caused 100% CPU use when a
dhcp-script is configured. Thanks to Adrian Davey for
reporting the bug and testing the fix.
version 2.74
Fix reversion in 2.73 where --conf-file would attempt to
read the default file, rather than no file.
Fix inotify code to handle dangling symlinks better and
not SEGV in some circumstances.
DNSSEC fix. In the case of a signed CNAME generated by a
wildcard which pointed to an unsigned domain, the wrong
status would be logged, and some necessary checks omitted.
Fix build on SunOS.
Version 2.73
Fix crash at startup when an empty suffix is supplied to
--conf-dir, also trivial memory leak. Thanks to
Tomas Hozza for spotting this.
Remove floor of 4096 on advertised EDNS0 packet size when
DNSSEC in use, the original rationale for this has long gone.
Thanks to Anders Kaseorg for spotting this.
Use inotify for checking on updates to /etc/resolv.conf and
friends under Linux. This fixes race conditions when the files are
updated rapidly and saves CPU by noy polling. To build
a binary that runs on old Linux kernels without inotify,
use make COPTS=-DNO_INOTIFY
Fix breakage of --domain=<domain>,<subnet>,local - only reverse
queries were intercepted. THis appears to have been broken
since 2.69. Thanks to Josh Stone for finding the bug.
Eliminate IPv6 privacy addresses and deprecated addresses from
the answers given by --interface-name. Note that reverse queries
(ie looking for names, given addresses) are not affected.
Thanks to Michael Gorbach for the suggestion.
Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
for the bug report.
Add --ignore-address option. Ignore replies to A-record
queries which include the specified address. No error is
generated, dnsmasq simply continues to listen for another
reply. This is useful to defeat blocking strategies which
rely on quickly supplying a forged answer to a DNS
request for certain domains, before the correct answer can
arrive. Thanks to Glen Huang for the patch.
Revisit the part of DNSSEC validation which determines if an
unsigned answer is legit, or is in some part of the DNS
tree which should be signed. Dnsmasq now works from the
DNS root downward looking for the limit of signed
delegations, rather than working bottom up. This is
both more correct, and less likely to trip over broken
nameservers in the unsigned parts of the DNS tree
which don't respond well to DNSSEC queries.
Add --log-queries=extra option, which makes logs easier
to search automatically.
Add --min-cache-ttl option. I've resisted this for a long
time, on the grounds that disbelieving TTLs is never a
good idea, but I've been persuaded that there are
sometimes reasons to do it. (Step forward, GFW).
To avoid misuse, there's a hard limit on the TTL
floor of one hour. Thansk to RinSatsuki for the patch.
Cope with multiple interfaces with the same link-local
address. (IPv6 addresses are scoped, so this is allowed.)
Thanks to Cory Benfield for help with this.
Add --dhcp-hostsdir. This allows addition of new host
configurations to a running dnsmasq instance much more
cheaply than having dnsmasq re-read all its existing
configuration each time.
Don't reply to DHCPv6 SOLICIT messages if we're not
configured to do stateful DHCPv6. Thanks to Win King Wan
for the patch.
Fix broken DNSSEC validation of ECDSA signatures.
Add --dnssec-timestamp option, which provides an automatic
way to detect when the system time becomes valid after
boot on systems without an RTC, whilst allowing DNS
queries before the clock is valid so that NTP can run.
Thanks to Kevin Darbyshire-Bryant for developing this idea.
Add --tftp-no-fail option. Thanks to Stefan Tomanek for
the patch.
Fix crash caused by looking up servers.bind, CHAOS text
record, when more than about five --servers= lines are
in the dnsmasq config. This causes memory corruption
which causes a crash later. Thanks to Matt Coddington for
sterling work chasing this down.
Fix crash on receipt of certain malformed DNS requests.
Thanks to Nick Sampanis for spotting the problem.
Note that this is could allow the dnsmasq process's
memory to be read by an attacker under certain
circumstances, so it has a CVE, CVE-2015-3294
Fix crash in authoritative DNS code, if a .arpa zone
is declared as authoritative, and then a PTR query which
is not to be treated as authoritative arrived. Normally,
directly declaring .arpa zone as authoritative is not
done, so this crash wouldn't be seen. Instead the
relevant .arpa zone should be specified as a subnet
in the auth-zone declaration. Thanks to Johnny S. Lee
for the bugreport and initial patch.
Fix authoritative DNS code to correctly reply to NS
and SOA queries for .arpa zones for which we are
declared authoritative by means of a subnet in auth-zone.
Previously we provided correct answers to PTR queries
in such zones (including NS and SOA) but not direct
NS and SOA queries. Thanks to Johnny S. Lee for
pointing out the problem.
Fix logging of DHCPREPLY which should be suppressed
by quiet-dhcp6. Thanks to J. Pablo Abonia for
spotting the problem.
Try and handle net connections with broken fragmentation
that lose large UDP packets. If a server times out,
reduce the maximum UDP packet size field in the EDNS0
header to 1280 bytes. If it then answers, make that
change permanent.
Check IPv4-mapped IPv6 addresses when --stop-rebind
is active. Thanks to Jordan Milne for spotting this.
Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
Thanks to Kevin Benton for patches and work on this.
Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
in the correct subnet, even of not in dynamic address
allocation range. Thanks to Steve Hirsch for spotting
the problem.
Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
to Nicolas Cavallari for the patch.
Allow configuration of router advertisements without the
"on-link" bit set. Thanks to Neil Jerram for the patch.
Extend --bridge-interface to DHCPv6 and router
advertisements. Thanks to Neil Jerram for the patch.
-------------------
version 2.72
Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
Add support for "ipsets" in *BSD, using pf. Thanks to
Sven Falempim for the patch.
Fix race condition which could lock up dnsmasq when an
interface goes down and up rapidly. Thanks to Conrad
Kostecki for helping to chase this down.
Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
Thanks to the Smoothwall project for the patch.
Fix failure to build against Nettle-3.0. Thanks to Steven
Barth for spotting this and finding the fix.
When assigning existing DHCP leases to intefaces by comparing
networks, handle the case that two or more interfaces have the
same network part, but different prefix lengths (favour the
longer prefix length.) Thanks to Lung-Pin Chang for the
patch.
Add a mode which detects and removes DNS forwarding loops, ie
a query sent to an upstream server returns as a new query to
dnsmasq, and would therefore be forwarded again, resulting in
a query which loops many times before being dropped. Upstream
servers which loop back are disabled and this event is logged.
Thanks to Smoothwall for their sponsorship of this feature.
Extend --conf-dir to allow filtering of files. So
--conf-dir=/etc/dnsmasq.d,\*.conf
will load all the files in /etc/dnsmasq.d which end in .conf
Fix bug when resulted in NXDOMAIN answers instead of NODATA in
some circumstances.
Fix bug which caused dnsmasq to become unresponsive if it
failed to send packets due to a network interface disappearing.
Thanks to Niels Peen for spotting this.
Fix problem with --local-service option on big-endian platforms
Thanks to Richard Genoud for the patch.
version 2.71
Subtle change to error handling to help DNSSEC validation
when servers fail to provide NODATA answers for
non-existent DS records.
Tweak code which removes DNSSEC records from answers when
not required. Fixes broken answers when additional section
has real records in it. Thanks to Marco Davids for the bug
report.
Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
for spotting that too.
Fix total DNS failure and 100% CPU use if cachesize set to zero,
regression introduced in 2.69. Thanks to James Hunt and
the Ubuntu crowd for assistance in fixing this.
version 2.70
Fix crash, introduced in 2.69, on TCP request when dnsmasq
compiled with DNSSEC support, but running without DNSSEC
enabled. Thanks to Manish Sing for spotting that one.
Fix regression which broke ipset functionality. Thanks to
Wang Jian for the bug report.
version 2.69
Implement dynamic interface discovery on *BSD. This allows
the contructor: syntax to be used in dhcp-range for DHCPv6
on the BSD platform. Thanks to Matthias Andree for
valuable research on how to implement this.
Fix infinite loop associated with some --bogus-nxdomain
configs. Thanks fogobogo for the bug report.
Fix missing RA RDNS option with configuration like
--dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
for spotting the problem.
Add [fd00::] and [fe80::] as special addresses in DHCPv6
options, analogous to [::]. [fd00::] is replaced with the
actual ULA of the interface on the machine running
dnsmasq, [fe80::] with the link-local address.
Thanks to Tsachi Kimeldorfer for championing this.
DNSSEC validation and caching. Dnsmasq needs to be
compiled with this enabled, with
make dnsmasq COPTS=-DHAVE_DNSSEC
this add dependencies on the nettle crypto library and the
gmp maths library. It's possible to have these linked
statically with
make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
which bloats the dnsmasq binary, but saves the size of
the shared libraries which are much bigger.
To enable, DNSSEC, you will need a set of
trust-anchors. Now that the TLDs are signed, this can be
the keys for the root zone, and for convenience they are
included in trust-anchors.conf in the dnsmasq
distribution. You should of course check that these are
legitimate and up-to-date. So, adding
conf-file=/path/to/trust-anchors.conf
dnssec
to your config is all thats needed to get things
working. The upstream nameservers have to be DNSSEC-capable
too, of course. Many ISP nameservers aren't, but the
Google public nameservers (8.8.8.8 and 8.8.4.4) are.
When DNSSEC is configured, dnsmasq validates any queries
for domains which are signed. Query results which are
bogus are replaced with SERVFAIL replies, and results
which are correctly signed have the AD bit set. In
addition, and just as importantly, dnsmasq supplies
correct DNSSEC information to clients which are doing
their own validation, and caches DNSKEY, DS and RRSIG
records, which significantly improve the performance of
downstream validators. Setting --log-queries will show
DNSSEC in action.
If a domain is returned from an upstream nameserver without
DNSSEC signature, dnsmasq by default trusts this. This
means that for unsigned zone (still the majority) there
is effectively no cost for having DNSSEC enabled. Of course
this allows an attacker to replace a signed record with a
false unsigned record. This is addressed by the
--dnssec-check-unsigned flag, which instructs dnsmasq
to prove that an unsigned record is legitimate, by finding
a secure proof that the zone containing the record is not
signed. Doing this has costs (typically one or two extra
upstream queries). It also has a nasty failure mode if
dnsmasq's upstream nameservers are not DNSSEC capable.
Without --dnssec-check-unsigned using such an upstream
server will simply result in not queries being validated;
with --dnssec-check-unsigned enabled and a
DNSSEC-ignorant upstream server, _all_ queries will fail.
Note that DNSSEC requires that the local time is valid and
accurate, if not then DNSSEC validation will fail. NTP
should be running. This presents a problem for routers
without a battery-backed clock. To set the time needs NTP
to do DNS lookups, but lookups will fail until NTP has run.
To address this, there's a flag, --dnssec-no-timecheck
which disables the time checks (only) in DNSSEC. When dnsmasq
is started and the clock is not synced, this flag should
be used. As soon as the clock is synced, SIGHUP dnsmasq.
The SIGHUP clears the cache of partially-validated data and
resets the no-timecheck flag, so that all DNSSEC checks
henceforward will be complete.
The development of DNSSEC in dnsmasq was started by
Giovanni Bajo, to whom huge thanks are owed. It has been
supported by Comcast, whose techfund grant has allowed for
an invaluable period of full-time work to get it to
a workable state.
Add --rev-server. Thanks to Dave Taht for suggesting this.
Add --servers-file. Allows dynamic update of upstream servers
full access to configuration.
Add --local-service. Accept DNS queries only from hosts
whose address is on a local subnet, ie a subnet for which
an interface exists on the server. This option
only has effect if there are no --interface --except-interface,
--listen-address or --auth-server options. It is intended
to be set as a default on installation, to allow
unconfigured installations to be useful but also safe from
being used for DNS amplification attacks.
Fix crashes in cache_get_cname_target() when dangling CNAMEs
encountered. Thanks to Andy and the rt-n56u project for
find this and helping to chase it down.
Fix wrong RCODE in authoritative DNS replies to PTR queries. The
correct answer was included, but the RCODE was set to NXDOMAIN.
Thanks to Craig McQueen for spotting this.
Make statistics available as DNS queries in the .bind TLD as
well as logging them.
version 2.68
Use random addresses for DHCPv6 temporary address
allocations, instead of algorithmically determined stable
addresses.
Fix bug which meant that the DHCPv6 DUID was not available
in DHCP script runs during the lifetime of the dnsmasq
process which created the DUID de-novo. Once the DUID was
created and stored in the lease file and dnsmasq
restarted, this bug disappeared.
Fix bug introduced in 2.67 which could result in erroneous
NXDOMAIN returns to CNAME queries.
Fix build failures on MacOS X and openBSD.
Allow subnet specifications in --auth-zone to be interface
names as well as address literals. This makes it possible
to configure authoritative DNS when local address ranges
are dynamic and works much better than the previous
work-around which exempted contructed DHCP ranges from the
IP address filtering. As a consequence, that work-around
is removed. Under certain circumstances, this change wil
break existing configuration: if you're relying on the
contructed-range exception, you need to change --auth-zone
to specify the same interface as is used to construct your
DHCP ranges, probably with a trailing "/6" like this:
--auth-zone=example.com,eth0/6 to limit the addresses to
IPv6 addresses of eth0.
Fix problems when advertising deleted IPv6 prefixes. If
the prefix is deleted (rather than replaced), it doesn't
get advertised with zero preferred time. Thanks to Tsachi
for the bug report.
Fix segfault with some locally configured CNAMEs. Thanks
to Andrew Childs for spotting the problem.
Fix memory leak on re-reading /etc/hosts and friends,
introduced in 2.67.
Check the arrival interface of incoming DNS and TFTP
requests via IPv6, even in --bind-interfaces mode. This
isn't possible for IPv4 and can generate scary warnings,
but as it's always possible for IPv6 (the API always
exists) then we should do it always.
Tweak the rules on prefix-lengths in --dhcp-range for
IPv6. The new rule is that the specified prefix length
must be larger than or equal to the prefix length of the
corresponding address on the local interface.
Changes in 2.66
- Add the ability to act as an authoritative DNS server
- Add "constructed DHCP ranges" for DHCPv6
- Fix crash on startup on Solaris 11
- Add code to make behaviour for TCP DNS requests when a request arrives
for an allowed address, but via a banned interface
- Don't send the default DHCP option advertising dnsmasq as the local
DNS server if dnsmasq is configured to not act as DNS server, or
it's configured to a non-standard port.
- Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBCRIBER_ID, DNSMASQ_REMOTE_ID variables
to the environment of the lease-change script
- Fixed crash whilst handling DHCPv6 information-requests
- Add --ipset option
- Don't erroneously reject some option names in --dhcp-match options
- Allow a trailing '*' wildcard in all interface-name configurations
- Handle the situation where libc headers define SO_REUSEPORT, but
the kernel in use doesn't
- Update Polish translation
- Fix crash if the configured DHCP lease limit is reached
- Update the French translation
Changes in 2.65:
- Fix regression which broke forwarding of queries sent via TCP which
are not for A and AAAA and which were directed to non-default servers
- Fix failure to build with DHCP support excluded
- Fix nasty regression in 2.64 which completely broke cacheing
See full changelog:
http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
When building DBus support, install the config file for DBus
Notable Changes from 2.55:
IPv6 interface fixes
Fixed an invalid server id of 0.0.0.0 being sent in some situations
Correctly return NODATA for an AAAA query to a CNAME with only an A
Fixed a bug with some truncated TFTP files
Support IPv6 scope ids in resolv.conf
* Allow the empty domain "." in dhcp domain-search (119) options.
* Fix corruption of the domain when a name from /etc/hosts
overrides one supplied by a DHCP client.
* Fix regression which caused configuration like
--address=/.domain.com/1.2.3.4 to be rejected.
* Many new options added and improved.
Changes from dnsmasq-2.51 include
* More conservative in detecing "A for A" queries
* Increased default number of leases to 1000
* Added support for RFC3925 "Vendor-Identifying Vendor Options"
* Default DNS packet size now 4096 as recommended by RFC5625
Changes from 2.50 include:
* TFTP supports Windows/Dos \ separator.
* Warn if IP duplicated in /etc/ethers
* Test upstream responsiveness to work around upstream server slowdowns
* PXE and relay agent fixes
Changes since 2.47 include
* Fix a possible infinite with fixed hostnames to ip and the client
sometimes sending one and sometimes not
* Improved DHCP logging
* addn-hosts now works with a directory instead of just a file
Noteable changes include:
NetBSD-5 support
Optional DBus and IPv6 support
ISC leasefile support removed
Support DHCP clients in multiple DNS domains
Re-read /etc/resolv.conf when an "interface up" event occurs
Changes since version 2.38:
- Names ending in a dot now work.
- Whitespaces arround commata in config files are now ignored.
- Asynchronous logging.
- New --log-dhcp flag was added.
- RFC3046 relay agent data matching.
- RFC3993 subscriber ID relay agent data matching.
- RFC 5107 server-id-override DHCP relay agent option.
- Option for interface names added.
- SIGUSR2 now closes and reopens the log files.
- DNS LOC record support.
- Allow disabling the DNS functionality by setting the port to 0.
- DNSMASQ_INTERFACE is now part of the environment of the lease change script.
- PMTUd disabled on DHCP and TFTP sockets.
- --dhcp-bridge now works on all BSD variants.
- Now including a Solaris 10 SMF.
- Random source ports for DNS queries (CVE-2008-1447).
version 2.24
Updated contrib/openvpn/dnsmasq.patch from Joseph Tate.
Tweaked DHCP NAK code, a DHCP NAK is now unicast as a
fallback in cases where a broadcast is futile: namely in
response to a unicast REQUEST from a non-local network
which was not sent via a relay.
Slightly changed the semantics of domain matching in
--server and --address configs. --server=/domain.com/ still
matches domain.com and sub.domain.com but does not
now match newdomain.com The semantics of
--server=/.domain.com/ are unchanged.
Thanks to Chris Blaise for the patch.
Added backwards-compatible internationalisation support.
The existing make targets, (all, dnsmasq, install) work as
before. New ones (all-i18n, and install-i18n) add gettext.
The translations live in po/ There are not too many
strings, so if anybody can provide translations (and for
the manpage....) please send them in.
Tweak behaviour on receipt of REFUSED or SERVFAIL rcodes,
now the query gets retried on all servers before returning
the error to the source of the query. Thanks to Javier
Kohen for the report.
Added Polish translation - thanks to Tomasz Sochanski.
Changed default manpage install location from /usr/man
to /usr/share/man
Added Spanish translation - thanks to Christopher Chatham.
Log a warning when a DHCP packet is truncated due to lack
of space. (Thanks to Michael Welle for the prompt to do
this.)
Added French translation - thanks to Lionel Tricon.
Added Indonesian translation - thanks to Salman AS.
Tweaked the netlink code to cope with interface broadcast
address not set, or set to 0.0.0.0.
Fixed problem assigning fixed addresses to hosts when more
than one dhcp-range is available. Thanks to Sorin Panca
for help chasing this down.
Added more explict error mesages to the hosts file and
ethers file reading code. Markus Kaiserswerth suffered to
make this happen.
Ensure that a hostname supplied by a DHCP client can never
override one configured on the server. Previously, any
host claiming a name would be given it, even if that
over-rode a dhcp-host declaration, leading to potentially
confusing situations.
Added Slackware package-build stuff into contrib/ The i18n
effort broke the current scripts, and working ones were
needed for testing, so they ended up here rather than make
Pat re-invent the wheel.
Added Romanian translation, thanks to Sorin Panca for
that.
version 2.25
Fixed RedHat spec file for FC4 - thanks to Werner Hoelzl
and Andrew Bird.
Fixed Suse spec file - thanks to Steven Springl.
Fixed DHCP bug when two distict subnets are on the same
physical interface. Thanks to Pawel Zawora for finding
this and suggesting the fix.
Added logging to make it explicit when dnsmasq falls back
from using RT-netlink sockets to the old ioctl API for
getting information about interfaces. Doing this
completely silently made remote debugging hard.
Merged uclibc build fixes from the OpenWRT package into
src/config.h
Added Norwegian translation - thanks to Jan Erik Askildt.
version 2.26
Fixed SuSe rpm patch problem - thanks to Steven Springl.
Fixed crash when attempting to send a DHCP NAK to a host
which believes it has a lease on an unknown
network. Thanks to Lutz Pressler for the bug report and
patch.
version 2.27
Tweaked DHCP behaviour when a client attempts to renew a lease
which dnsmasq doesn't know about. Previously that would always
result in a DHCPNAK. Now, in dhcp-authoritative mode, the
lease will be created, if it's legal. This makes dnsmasq work
better if the lease database is lost, for example on an OpenWRT
system which reboots. Thanks to Stephen Rose for work on
this.
Added the ability to support RFC-3442 style destination
descriptors in dhcp-options. This makes classless static
routes easy to do, eg dhcp-option=121,192.168.1.0/24,1.2.3.4
Added error-checking to the code which writes the lease
file. If this fails for any reason, an error is logged,
and a retry occurs after one minute. This should improve
things eg when a filesystem is full. Thanks to Jens Holze
for the bug report.
Fixed breakage of the "/#/ matches any domain" facility
which happened in 2.24. Thanks to Peter Surda for the bug
report.
Use "size_t" and "ssize_t" types where appropriate in the
code.
Fix buggy CNAME handling in mixed IPv4 and IPv6
queries. Thanks to Andreas Pelme for help finding that.
Added some code to attempt to re-transmit DNS queries when
a network interface comes up. This helps on DoD links,
where frequently the packet which triggers dialling is
a DNS query, which then gets lost. By re-sending, we can
avoid the lookup failing. This function is only active
when netlink support is compiled in, and therefore only
under Linux. Thanks to Jean Wolter for help with this.
Tweaked the DHCP tag-matching code to work correctly with
NOT-tag conditions. Thanks to Lutz Pressler for finding
the bug.
Generalised netid-tag matching in dhcp-range statements to
allow more than one tag.
Added --dhcp-mac to do MAC address matching in the same
way as vendorclass and userclass matching. A good
suggestion from Lutz Pressler.
Add workaround for buggy early Microsoft DHCP clients
which need zero-termination in string options.
Thanks to Fabiano Pires for help with this.
Generalised the DHCP code to cope with any hardware
address type, at least on Linux. *BSD is still limited to
ethernet only.
version 2.28
Eliminated all raw network access when running on
Linux. All DHCP network activity now goes through the IP
stack. Packet sockets are no longer required. Apart from
being a neat hack, this should also allow DHCP over IPsec
to work better. On *BSD and OS X, the old method of raw net
access through BPF is retained.
Simplified build options. Networking is now slimmed down
to a choice of "linux" or "other". Netlink is always used
under Linux. Since netlink has been available since 2.2
and non-optional in an IPv4-configured kernel since 2.4,
and the dnsmasq netlink code is now well tested, this
should work out fine.
Removed decayed build support for libc5 and Solaris.
Removed pselect code: use a pipe for race-free signal
handling instead, as this works everywhere.
No longer enable the ISC leasefile reading code in the
distributed sources. I doubt there are many people left
using this 1.x compatibility code. Those that are will
have to explicitly enable it in src/config.h.
Don't send the "DHCP maximum message size" option, even if
requested. RFC2131 says this is a "MUST NOT".
Support larger-than-minimum DHCP message. Dnsmasq is now
happy to get larger than 576-byte DHCP messages, and will
return large messages, if permitted by the "maximum
message size" option of the message to which it is
replying. There's now an arbitrary sanity limit of 16384
bytes.
Added --no-ping option. This fixes an RFC2131 "SHOULD".
Building on the 2.27 MAC-address changes, allow clients to
provide no MAC address at all, relying on the client-id as
a unique identifier. This should make things like DHCP for
USB come easier.
Fixed regression in netlink code under 2.2.x kernels which
occurred in 2.27. Erik Jan Tromp is the vintage kernel fan
who found this. P.S. It looks like this "netlink bind:
permission denied" problem occured in kernels at least as
late a 2.4.18. Good information from Alain Richoux.
Added a warning when it's impossible to give a host its
configured address because the address is leased
elsewhere. A sensible suggestion from Mircea Bardac.
Added minimal support for RFC 3046 DHCP relay agent-id
options. The DHCP server now echoes these back to the
relay, as required by the RFC. Also, RFC 3527 link selection
sub-options are honoured.
Set the process "dumpable" flag when running in debug
mode: this makes getting core dumps from root processes
much easier.
Fixed one-byte buffer overflow which seems to only cause
problems when dnsmasq is linked with uclibc. Thanks to
Eric House and Eric Spakman for help in chasing this down.
Tolerate configuration screwups which lead to the DHCP
server attemping to allocate its own address to a
client; eg setting the whole subnet range as a DHCP
range. Addresses in use by the server are now excluded
from use by clients.
Did some thinking about HAVE_BROKEN_RTC mode, and made it
much simpler and better. The key is to just keep lease
lengths in the lease file. Since these normally never
change, even as the lease is renewed, the lease file never
needs to change except when machines arrive on the network
or leave. This eliminates the code for timed writes, and
reduces the amount of wear on a flash filesystem to the
absolute minimum. Also re-did the basic time function in
this mode to use the portable times(), rather than parsing
/proc/uptime.
Believe the source port number when replying to unicast
DHCP requests and DHCP requests via a relay, instead of always
using the standard ports. This will allow relays on
non-standard ports and DHCPINFORM from unprivileged ports
to work. The source port sent by unconfigured clients is still
ignored, since this may be unreliable. This means that a DHCP
client must use the standard port to do full configuration.
version 2.29
Fixed compilation on OpenBSD (thanks to Tom Hensel for the
report).
Fixed false "no interface" errors when --bind-interfaces is
set along with --interface=lo or --listen-address. Thanks
to Paul Wise for the report.
Updated patch for SuSE rpm. Thanks to Steven Springl.
It turns out that there are some Linux kernel
configurations which make using the capability system
impossible. If this situation occurs then continue, running
as root, and log a warning. Thanks to Scott Wehrenberg
for help tracking this down.
version 2.30
Fixed crash when a DHCP client requested a broadcast
reply. This problem was introduced in version 2.28.
Thanks to Sandra Dekkers for the bug report.
version 2.31
Added --dhcp-script option. There have been calls for this
for a long time from many good people. Fabio Muzzi gets
the prize for finally convincing me.
Added example dbus config file and moved dbus stuff into
its own directory.
Removed horribly outdated Redhat RPM build files. These
are obsolete now that dnsmasq in in Fedora extras. Thanks
to Patrick "Jima" Laughton, the Fedora package
maintainer.
Added workaround for Linux kernel bug. This manifests
itself as failure of DHCP on kernels with "support for
classical IP over ATM" configured. That includes most
Debian kernel packages. Many thanks to A. Costa and
Benjamin Kudria for their huge efforts in chasing this
down.
Force-kill child processes when dnsmasq is sent a sigterm,
otherwise an unclosed TCP connection could keep dnsmasq
hanging round for a few minutes.
Tweaked config.h logic for uclibc build. It will now pick
up MMU and IPV6 status correctly on every system I tested.
version 2.32
Attempt a better job of replacing previous configuration
when re-reading /etc/hosts and /etc/ethers. SIGHUP is
still not identical to a restart under all circumstances,
but it is for the common case of name->MAC address in
/etc/ethers and name->IP address in /etc/hosts.
Fall back to broadcast for DHCP to an unconfigured client
when the MAC address size is greater than 14 bytes.
Fix problem in 2.28-onwards releases which breaks DNS on
Mac OS X. Thanks to Doug Fields for the bug report and
testing.
Added fix to allow compilation on c89-only compilers.
Thanks to John Mastwijk for the patch.
Tweak resolv file polling code to work better if there is
a race between updating the mtime and file contents. This
is not normally a problem, but it can be on systems which
replace nameservers whilst active. The code now continues
to read resolv.conf until it gets at least one usable
server. Thanks to Holger Mauermann for help with this.
If a client DECLINEs an address which is allocated to it
via dhcp-host or /etc/hosts, lock that address out of use
for ten minutes, instead of forever, and log when it's not
being used because of the lock-out. This should provide
less surprising behaviour when a configured address can't be
used. Thanks to Peter Surda and Heinz Deinhart for input
on this.
Fixed *BSD DHCP breakage with only some
arches/compilers, depending on structure padding rules.
Thanks to Jeb Campbell and Tom Hensel for help with this.
Added --conf-dir option. Suggestion from Aaron Tygart.
Applied patch from Brent Cook which allows netids in
dhcp-option configuration lines to be prefixed by
"net:". This is not required by the syntax, but it is
consistent with other configuration items.
Added --log-facility option. Suggestion from Fabio Muzzi.
Major update to Spanish translation. Many thanks to Chris
Chatham.
Fixed gcc-4.1 strict-alias compilation warning.
version 2.33
Remove bash-specific shellcode from the Makefile.
Fix breakage with some DHCP relay implementations which
was introduced in 2.28. Believing the source port in
DHCP requests and sending the reply there is sometimes a
bad thing to do, so I've reverted to always sending to
the relay on port 68. Thanks to Daniel Hamlin and Alex
(alde) for bug reports on this.
Moved the SuSe packaging files to contrib. I will no
longer attempt to maintain this in the source tarball. It
will be done externally, in the same way as packaging for
other distros. Suse packages are available from
ftp://ftp.suse.com/pub/people/ug/
Merged patch from Gentoo to honour $LDFLAGS environment.
Fix bug in resolv.conf processing when more than one file
is being checked.
Add --dns-forward-max option.
Warn if --resolv-file flags are ignored because of
--no-resolv. Thanks to Martin F Krafft for spotting this
one.
Add --leasefile-ro option which allows the use of an
external lease database. Many thanks to Steve Horbachuk
for assistance developing this feature.
Provide extra information to lease-change script via its
environment. If the host has a client-id, then
DNSMASQ_CLIENT_ID will be set. Either the lease length (in
DNSMASQ_LEASE_LENGTH) or lease expiry time (in
DNSMASQ_LEASE_EXPIRES) will be set, depending on the
HAVE_BROKEN_RTC compile-time option. This extra
information should make it possible to maintain the lease
database in external storage such as LDAP or a relational
database. Note that while leasefile-ro is set, the script
will be called with "old" events more often, since
changes to the client-id and lease length
(HAVE_BROKEN_RTC) or lease expiry time (otherwise)
are now flagged.
Add contrib/wrt/* which is an example implementation of an
external persistent lease database for *WRT distros with
the nvram command.
Add contrib/wrt/dhcp_release.c which is a small utility
which removes DHCP leases using DHCPRELEASE operation in
the DHCP protocol.
version 2.34
Tweak network-determination code for another corner case:
in this case a host forced to move between dhcp-ranges on
the same physical interface. Thanks to Matthias Andree.
Improve handling of high DNS loads by throttling acceptance of
new queries when resources are tight. This should be a
better response than the "forwarding table full..."
message which was logged before.
Fixed intermittent infinite loop when re-reading
/etc/ethers after SIGHUP. Thanks to Eldon Ziegler for the
bug report.
Provide extra information to the lease-change script: when
a lease loses its hostname (because a new lease comes
along and claims the same new), the "old" action is called
with the current state of the lease, ie no name. The
change is to provide the former name which the lease had
in the environment variable DNSMASQ_OLD_HOSTNAME. This
helps scripts which do stuff based on hostname, rather
than IP address. Also provide vendor-class and user-class
information to the lease-change script when a new lease is
created in the DNSMASQ_VENDOR_CLASS and
DNSMASQ_USER_CLASS<n> environment variables. Suggestion
from Francois-Xavier Le Bail.
Run the lease change script as root, even when dnsmasq is
configured to change UID to an unprivileged user. Since
most uses of the lease change script need root, this
allows its use whilst keeping the security advantages of
running the daemon without privs. The script is invoked
via a small helper process which keeps root UID, and
validates all data received from the main process. To get
root, an attacker would have to break dnsmasq and then
break the helper through the restricted comms channel
linking the two.
Add contrib/port-forward/* which is a script to set up
port-forwards using the DHCP lease-change script. It's
possible to add a host to a config file by name, and when
that host gets a DHCP lease, the script will use iptables
to set up port-forwards to configured ports at the address
which the host is allocated. The script also handles
setting up the port-forward iptables entries after reboot,
using the persistent lease database, and removing them
when a host leaves and its DHCP lease expires.
Fix unaligned access problem which caused wrong log
messages with some clients on some architectures. Thanks
to Francois-Xavier Le Bail for the bugreport.
Fixed problem with DHCPRELEASE and multi-address
interfaces. Enhanced contrib/wrt/dhcp_release to cope
under these circumstances too. Thanks to Eldon Ziegler for
input on this.
Updated French translation: thanks to Gildas Le Nadan.
Upgraded the name hash function in the DNS cache. Thanks
to Oleg Khovayko for good work on this.
Added --clear-on-reload flag. Suggestion from Johannes
Stezenbach.
Treat a nameserver address of 0.0.0.0 as "nothing". Erwin
Cabrera spotted that specifying a nameserver as 0.0.0.0
breaks things badly; this is because the network stack
treats is as "this host" and an endless loop ensues.
Added Webmin module in contrib/webmin. Thanks to Neil
Fisher for that.
version 2.35
Generate an "old" script event when a client does a DHCPREQUEST
in INIT-REBOOT or SELECTING state and the lease already
exists. Supply vendor and user class information to these
script calls.
Added support for Dragonfly BSD to src/config.h
Removed "Upgrading to 2.0" document, which is ancient
history now.
Tweak DHCP networking code for BSD, esp OpenBSD. Added a
workaround for a bug in OpenBSD 4.0: there should finally
be support for multiple interfaces under OpenBSD now.
Note that no version of dnsmasq before 2.35 will work for
DHCP under OpenBSD 4.0 because of a kernel bug.
Thanks to Claudio Jeker, Jeb Campbell and Cristobal
Palmer for help with this.
Optimised the cache code for the case of large
/etc/hosts. This is mainly to remove the O(n-squared)
algorithm which made reading large (50000 lines) files
slow, but it also takes into account the size of
/etc/hosts when building hash tables, so overall
performance should be better. Thanks to "koko" for
pointing out the problem.
version 2.36
Added --dhcp-ignore-names flag which tells dnsmasq not to
use names provided by DHCP clients. Suggestion from
Thomas M Steenholdt.
Send netmask and broadcast address DHCP options always,
even if the client doesn't request them. This makes a few
odd clients work better.
Added simple TFTP function, optimised for net-boot. It is
now possible to net boot hosts using only dnsmasq. The
TFTP server is read-only, binary-mode only, and designed to be
secure; it adds about 4K to the dnsmasq binary.
Support DHCP option 120, SIP servers, (RFC 3361). Both
encodings are supported, so both --dhcp-option=120,192.168.2.3
and --dhcp-option=120,sip.example.net will work. Brian
Candler pointed out the need for this.
Allow spaces in domain names, to support DNS-SD.
Add --ptr-record flag, again for DNS-SD. Thanks to Stephan
Sokolow for the suggestion.
Tolerate leading space on lines in the config file. Thanks
to Luigi Rizzo for pointing this out.
Fixed netlink.c to cope with headers from the Linux 2.6.19
kernel. Thanks to Philip Wall for the bug report.
Added --dhcp-bridge option, but only to the FreeBSD
build. This fixes an oddity with a a particular bridged
network configuration on FreeBSD. Thanks to Luigi Rizzo
for the patch.
Added FAQ entry about running dnsmasq in a Linux
vserver. Thanks to Gildas le Nadan for the information.
Fixed problem with option parsing which interpreted "/" as
an address and not a string. Thanks to Luigi Rizzo
for the patch.
Ignore the --domain-needed flag when forwarding NS
and SOA queries, since NS queries of TLDs are always legit.
Marcus Better pointed out this problem.
Take care to forward signed DNS requests bit-perfect, so
as not to affect the validity of the signature. This
should allow DDNS updates to be forwarded.
version 2.37
Add better support for RFC-2855 DHCP-over-firewire and RFC
-4390 DHCP-over-InfiniBand. A good suggestion from Karl Svec.
Some efficiency tweaks to the cache code for very large
/etc/hosts files. Should improve reverse (address->name)
lookups and garbage collection. Thanks to Jan 'RedBully'
Seiffert for input on this.
Fix regression in 2.36 which made bogus-nxdomain
and DNS caching unreliable. Thanks to Dennis DeDonatis
and Jan Seiffert for bug reports.
Make DHCP encapsulated vendor-class options sane. Be
warned that some conceivable existing configurations
using these may break, but they work in a much
simpler and more logical way now. Prepending
"vendor:<client-id>" to an option encapsulates it
in option 43, and the option is sent only if the
client-supplied vendor-class substring-matches with
the given client-id. Thanks to Dennis DeDonatis for
help with this.
Apply patch from Jan Seiffert to tidy up tftp.c
Add support for overloading the filename and servername
fields in DHCP packet. This gives extra option-space when
these fields are not being used or with a modern client
which supports moving them into options.
Added a LIMITS section to the man-page, with guidance on
maximum numbers of clients, file sizes and tuning.
release 2.38
Fix compilation on *BSD. Thanks to Tom Hensel.
Don't send length zero DHCP option 43 and cope with
encapsulated options whose total length exceeds 255 octets
by splitting them into multiple option 43 pieces.
Avoid queries being retried forever when --strict-order is
set and an upstream server returns a SERVFAIL
error. Thanks to Johannes Stezenbach for spotting this.
Fix BOOTP support, broken in version 2.37.
Add example dhcp-options for Etherboot.
Add \e (for ASCII ESCape) to the set of valid escapes
in config-file strings.
Added --dhcp-option-force flag and examples in the
configuration file which use this to control PXELinux.
Added --tftp-no-blocksize option.
Set netid tag "bootp" when BOOTP (rather than DHCP) is in
use. This makes it easy to customise which options are
sent to BOOTP clients. (BOOTP allows only 64 octets for
options, so it can be necessary to trim things.)
Fix rare hang in cache code, a 2.37 regression. This
probably needs an infinite DHCP lease and some bad luck to
trigger. Thanks to Detlef Reichelt for bug reports and testing.
dhowland.
Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
server. It is designed to provide DNS and, optionally, DHCP, to a
small network. It can serve the names of local machines which are not
in the global DNS. The DHCP server integrates with the DNS server and
allows machines with DHCP-allocated addresses to appear in the DNS
with names configured either in each host or in a central
configuration file. Dnsmasq supports static and dynamic DHCP leases
and BOOTP for network booting of diskless machines.
