Fix bug in --dynamic-host when an interface has /16 IPv4
address. Thanks to Mark Dietzer for spotting this.

Add --fast-dns-retry option. This gives dnsmasq the ability
to originate retries for upstream DNS queries itself, rather
than relying on the downstream client. This is most useful
when doing DNSSEC over unreliable upstream networks. It comes
with some cost in memory usage and network bandwidth.

Add --use-stale-cache option. When set, if a DNS name exists
in the cache, but its time-to-live has expired, dnsmasq will
return the data anyway. (It attempts to refresh the
data with an upstream query after returning the stale data.)
This can improve speed and reliability. It comes
at the expense of sometimes returning out-of-date data and
less efficient cache utilisation, since old data cannot be
flushed when its TTL expires, so the cache becomes
strictly least-recently-used.
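A toy model of the serve-stale trade-off described in this entry, added here as an illustration and not dnsmasq's own cache code. The cache class, the injectable clock and the refresh queue are assumptions of the example; the demo shows how, once eviction is purely least-recently-used, a stale entry that was just served can out-live a fresh one.

```python
import time
from collections import OrderedDict

# Added example, not dnsmasq code: a toy cache showing the two policies the
# --use-stale-cache text contrasts. Without serve-stale an expired entry is
# dropped on lookup, so TTL expiry frees cache slots. With serve-stale the
# expired entry is answered immediately, queued for a refresh, and only
# leaves the cache by least-recently-used eviction.

class StaleCache:
    def __init__(self, capacity, use_stale=False, clock=time.monotonic):
        self.capacity = capacity
        self.use_stale = use_stale
        self.clock = clock
        self.entries = OrderedDict()      # name -> (rrset, expiry), kept in LRU order
        self.refresh_queue = []           # names answered from stale data, to re-query upstream

    def insert(self, name, rrset, ttl):
        if name in self.entries:
            del self.entries[name]
        elif len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)   # evict the least recently used entry
        self.entries[name] = (list(rrset), self.clock() + ttl)

    def lookup(self, name):
        """Return (rrset, fresh) on a hit, None on a miss."""
        hit = self.entries.get(name)
        if hit is None:
            return None
        rrset, expiry = hit
        self.entries.move_to_end(name)          # touch: it is now the most recently used
        if self.clock() < expiry:
            return rrset, True
        if not self.use_stale:
            del self.entries[name]              # expired: flush it and go upstream instead
            return None
        self.refresh_queue.append(name)         # answer now, refresh after replying
        return rrset, False

    def refreshed(self, name, rrset, ttl):
        """Install the result of a background refresh triggered by a stale answer."""
        if name in self.refresh_queue:
            self.refresh_queue.remove(name)
        self.insert(name, rrset, ttl)

def demo(use_stale):
    """Fill a 2-slot cache, let one entry expire, look it up, then insert a third name.

    Returns (lookup result, names left in the cache). With serve-stale the
    stale a.example was touched last, so the still-fresh b.example is evicted.
    """
    now = [0.0]
    cache = StaleCache(2, use_stale=use_stale, clock=lambda: now[0])
    cache.insert("a.example", ["192.0.2.1"], ttl=60)
    cache.insert("b.example", ["192.0.2.2"], ttl=3600)
    now[0] = 120.0                                     # a.example's TTL has expired
    result = cache.lookup("a.example")
    cache.insert("c.example", ["192.0.2.3"], ttl=60)   # needs a slot
    return result, list(cache.entries)
```

demo(False) flushes the expired entry on lookup and keeps b.example; demo(True) serves the stale record, queues a refresh, and the LRU eviction then drops the fresh b.example instead.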
Make --hostsdir (but NOT --dhcp-hostsdir and --dhcp-optsdir)
handle removal of whole files or entries within files.
Thanks to Dominik Derigs for the initial patches for this.

Fix bug, introduced in 2.87, which could result in DNS
servers being removed from the configuration when reloading
server configuration from DBus, or re-reading /etc/resolv.conf.
Only servers from the same source should be replaced, but some
servers from other sources (e.g., hard coded or another dynamic source)
could mysteriously disappear. Thanks to all reporting this,
but especially Christopher J. Madsen who reduced the problem
to an easily reproducible case which saved much labour in

Add --no-round-robin option.

Allow domain names as well as IP addresses when specifying
upstream DNS servers. There are some gotchas associated with this
(it will mysteriously fail to work if the dnsmasq instance
being started is in the path from the system resolver to the DNS,
and a seemingly sensible configuration like
--server=domain.name@1.2.3.4 is unactionable if domain.name
only resolves to an IPv6 address). There are, however,
cases where it can be useful. Thanks to Dominik Derigs for

Handle DS records for unsupported crypto algorithms correctly.
Such a DS, as long as it is validated, should allow answers
in the domain it attests to be returned as unvalidated, and not
as a validation error.

Optimise reading large numbers of --server options. When re-reading
upstream servers from /etc/resolv.conf or other sources that
can change, dnsmasq tries to avoid memory fragmentation by re-using
existing records that are being re-read unchanged. This involves
searching all the server records for each new one installed.
During startup this search is pointless, and can cause long
start times with thousands of --server options because the work
needed is O(n^2). Handle this case more intelligently.
Thanks to Ye Zhou for spotting the problem and an initial patch.

If we detect that a DNS reply from upstream is malformed don't
return it to the requestor; send a SERVFAIL rcode instead.

Allow arbitrary prefix lengths in --rev-server and
Replace --address=/#/..... functionality which got
missed in the 2.86 domain search rewrite.

Add --nftset option, like --ipset but for the newer nftables.
Thanks to Chen Zhenge for the patch.

Add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6
addresses from DNS answers.

Fix crash doing netbooting when --port is set to zero
to disable the DNS server. Thanks to Drexl Johannes

Generalise --dhcp-relay. Sending via broadcast/multicast is
now supported for both IPv4 and IPv6 and the configuration
syntax made easier (but backwards compatible).

Add snooping of IPv6 prefix-delegations to the DHCP-relay system.

Finesse parsing of --dhcp-remoteid and --dhcp-subscrid. To be treated
as hex, the pattern must consist of only hex digits AND contain
at least one ':'. Thanks to Bengt-Erik Sandstrom who tripped
over a pattern consisting of a decimal number which was interpreted

Include client address in TFTP file-not-found error reports.
Thanks to Stefan Rink for the initial patch, which has been
re-worked by me (srk). All bugs mine.

Note in manpage the change in behaviour of --address. This behaviour
actually changed in v2.86, but was undocumented there. From 2.86 on,
(e.g.) --address=/example.com/1.2.3.4 ONLY applies to A queries. All other
types of query will be sent upstream. Pre 2.86, that would catch the
whole example.com domain and queries for other types would get
a local NODATA answer. The pre-2.86 behaviour is still available,
by configuring --address=/example.com/1.2.3.4 --local=/example.com/

Fix problem with binding DHCP sockets to an individual interface.
Despite the fact that the system call takes the interface _name_ as
a parameter, it actually binds the socket to the interface _index_.
Deleting the interface and creating a new one with the same name
leaves the socket bound to the old index. (Creating new interfaces
always allocates a fresh index; indexes are not reused.) We now
take this behaviour into account and keep up with changing indexes.

Add --conf-script configuration option.

Enhance --domain to accept, for instance,
--domain=net2.thekelleys.org.uk,eth2 so that hosts get a domain
which reflects the interface they are attached to in a way which
doesn't require hard-coding addresses. Thanks to Sten Spans for

Fix write-after-free error in DHCPv6 server code.
CVE-2022-0934 refers.

Add the ability to specify destination port in
DHCP-relay mode. This change also removes a previous bug
where --dhcp-alternate-port would affect the port used
to relay _to_ as well as the port being listened on.
The new feature allows configuration to provide bug-for-bug
compatibility, if required. Thanks to Damian Kaczkowski
for the feature suggestion.

Bound the value of UDP packet size in the EDNS0 header of
forwarded queries to the configured or default value of
edns-packet-max. There's no point letting a client set a larger
value if we're unable to return the answer. Thanks to Bertie
Taylor for pointing out the problem and supplying the patch.
Fix problem with the configuration

--server=/some.domain/# --address=/#/<ip> --server=<server_ip>

This would return <ip> for queries in some.domain, rather than
forwarding the query via the default server.

Tweak DHCPv6 relay code so that packets relayed towards a server
have source address on the server-facing network, not the
client facing network. Thanks to Luis Thomas for spotting this

Handle DHCPREBIND requests in the DHCPv6 server code.
Thanks to Aichun Li for spotting this omission, and the initial

Fix bug which caused dnsmasq to lose track of processes forked
to handle TCP DNS connections under heavy load. The code
checked that at least one free process table slot was
available before listening on TCP sockets, but didn't take
into account that more than one TCP connection could
arrive, so that check was not sufficient to ensure that
there would be slots for all new processes. It compounded
this error by silently failing to store the process when
it did run out of slots. Even when this bug is triggered,
all the right things happen, and answers are still returned.
Only under very exceptional circumstances does the bug
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014976.html
Thanks to Tijs Van Buggenhout for finding the conditions under
which the bug manifests itself, and then working out
exactly what was going on.

Major rewrite of the DNS server and domain handling code.
This should be largely transparent, but it drastically
improves performance and reduces memory foot-print when
configuring large numbers of domains of the form

local=/adserver.com/#

Lookup times now grow as log-to-base-2 of the number of domains,
rather than greater than linearly, as before.
The change makes multiple addresses associated with a domain work

address=/example.com/1.2.3.4
address=/example.com/5.6.7.8

It also handles multiple upstream servers for a domain better, using
the same try/retry algorithms as non domain-specific servers. This
also applies to DNSSEC-generated queries.
Finally, some of the oldest and gnarliest code in dnsmasq has had
a significant clean-up. It's far from perfect, but it _is_ better.
Revise resource handling for number of concurrent DNS queries. This
used to have a global limit, but that has a problem when using
different servers for different upstream domains. Queries which are
routed by domain to an upstream server which is not responding will
build up and trigger the limit, which breaks DNS service for
all other domains which could be handled by other servers. The
change is to make the limit per server-group, where a server group
is the set of servers configured for a particular domain. In the
common case, where only default servers are declared, there is

Improve efficiency of DNSSEC. The sharing point for DNSSEC RR data
used to be when it entered the cache, having been validated. After
that, queries requiring the KEY or DS records would share the cached
values. There is a common case in dual-stack hosts that queries for
A and AAAA records for the same domain are made simultaneously.
If required keys were not in the cache, this would result in two
requests being sent upstream for the same key data (and all the
subsequent chain-of-trust queries.) Now we combine these requests
and elide the duplicates, resulting in fewer queries upstream
and better performance. To keep a better handle on what's
going on, the "extra" logging mode has been modified to associate
queries and answers for DNSSEC queries in the same way as ordinary
queries. The requesting address and port have been removed from
DNSSEC logging lines, since this is no longer strictly defined.

Connection track mark based DNS query filtering. Thanks to
Etan Kissling for implementing this. It extends query filtering
support beyond what is currently possible
with the `--ipset` configuration option, by adding support for:
1) Specifying allowlists on a per-client basis, based on their
associated Linux connection track mark.
2) Dynamic configuration of allowlists via Ubus.
3) Reporting when a DNS query resolves or is rejected via Ubus.
4) DNS name patterns containing wildcards.
Disallowed queries are not forwarded; they are rejected
with a REFUSED error code.

Allow smaller than 64 prefix lengths in synth-domain, with caveats.
--synth-domain=1234:4567::/56,example.com is now valid.

Make domains generated by --synth-domain appear in replies
when in authoritative mode.

Ensure CAP_NET_ADMIN capability is available when
conntrack is configured. Thanks to Yick Xie for spotting

When --dhcp-hostsfile, --dhcp-optsfile and --addn-hosts are
given a directory as argument, define the order in which
files within that directory are read (alphabetical order
of filename). Thanks to Ed Wildgoose for the initial patch
and motivation for this.

Allow adding IP address to nftables set in addition to

Fix problem with DNS retries in 2.83/2.84.
The new logic in 2.83/2.84 which merges distinct requests
for the same domain causes problems with clients which do
retries as distinct requests (differing IDs and/or source ports.)
The retries just get piggy-backed on the first, failed, request.
The logic is now changed so that distinct requests for repeated
queries still get merged into a single ID/source port, but
they now always trigger a re-try upstream.
Thanks to Nicholas Mu for his analysis.

Tweak sort order of tags in get-version. v2.84 sorts
before v2.83, but v2.83 sorts before v2.83rc1 and 2.83rc1
sorts before v2.83test1. This fixes the problem which led
to 2.84 announcing itself as 2.84rc2.

Avoid treating a --dhcp-host which has an IPv6 address
as eligible for use with DHCPv4 on the grounds that it has
no address, and vice-versa. Thanks to Viktor Papp for
spotting the problem. (This bug was fixed back in 2.67, and
then regressed in 2.81).

Add --dynamic-host option: A and AAAA records which take their
network part from the network of a local interface. Useful
for routers with dynamic prefixes. Thanks
to Fred F for the suggestion.

Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet.
Use random source ports where possible if source
addresses/interfaces are in use.
CVE-2021-3448 applies. Thanks to Petr Menšík for spotting this.
It's possible to specify the source address or interface to be
used when contacting upstream name servers: server=8.8.8.8@1.2.3.4
or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of
these have, until now, used a single socket, bound to a fixed
port. This was originally done to allow an error (non-existent
interface, or non-local address) to be detected at start-up. This
means that any upstream servers specified in such a way don't use
random source ports, and are more susceptible to cache-poisoning.
We now use random ports where possible, even when the
source is specified, so server=8.8.8.8@1.2.3.4 or
server=8.8.8.8@eth0 will use random source
ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will
use the explicitly configured port, and should only be done with
understanding of the security implications.
Note that this change turns non-existent interface or non-local
source address errors from fatal into run-time errors. The error will be
logged and communication with the server not possible.

Change the method of allocation of random source ports for DNS.
Previously, without min-port or max-port configured, dnsmasq would
default to the compiled in defaults for those, which are 1024 and
65535. Now, when neither are configured, it defaults instead to
the kernel's ephemeral port range, which is typically
32768 to 60999 on Linux systems. This change eliminates the
possibility that dnsmasq may be using a registered port > 1024
when a long-running daemon starts up and wishes to claim it.
This change does likely slightly reduce the number of random ports
and therefore the protection from reply spoofing. The older
behaviour can be restored using the min-port and max-port config
switches should that be a concern.

Scale the size of the DNS random-port pool based on the
value of the --dns-forward-max configuration.

Tweak TFTP code to check sender of all received packets, as
specified in RFC 1350 para 4.

Support some wildcard matching of input tags to --tag-if.
Thanks to Geoff Back for the idea and the patch.

Fix a problem, introduced in 2.83, which could see DNS replies
being sent via the wrong socket. On machines running both
IPv4 and IPv6 this could result in sporadic messages of
the form "failed to send packet: Network is unreachable" and
the loss of the query. Since the error is sporadic and of
low probability, the client retry would normally succeed.

Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH.

Use the values of --min-port and --max-port in outgoing
TCP connections to upstream DNS servers.

Fix a remote buffer overflow problem in the DNSSEC code. Any
dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683

Be sure to only accept UDP DNS query replies at the address
from which the query was originated. This keeps as much entropy
in the {query-ID, random-port} tuple as possible, to help defeat
cache poisoning attacks. Refer: CVE-2020-25684.

Use the SHA-256 hash function to verify that DNS answers
received are for the questions originally asked. This replaces
the slightly insecure SHA-1 (when compiled with DNSSEC) or
the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
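The reply-acceptance checks of the two entries above (a reply is only taken from the address the query went to, and its question must hash, with SHA-256, to the one that was sent), together with the EDNS0 size bound from the 2.87 entry earlier in this file, as one added example. This is illustrative code, not dnsmasq's forwarder: the exact hash input (case-folded name, QTYPE, QCLASS), the 1232-byte edns-packet-max used here, the OPT record sitting directly after the question, and the absence of name compression are all assumptions of the example.

```python
import hashlib
import random
import struct

# Added example, not dnsmasq code: a minimal forwarder that (1) bounds the
# EDNS0 UDP size a client advertises, (2) uses a fresh random source port and
# query ID for every upstream query, and (3) accepts a reply only when it comes
# from the server and local port the query was sent on, carries the matching
# ID, and its question section hashes to the one that was asked.

OPT = 41

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(pkt, off):
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compressed names are not handled in this example")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n

def build_query(qid, name, qtype, udp_size=None):
    """Recursive query for one question; an OPT RR advertising udp_size is appended if given."""
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0) if udp_size else b""
    return hdr + question + opt

def _opt_offset(pkt):
    """Offset of the OPT RR when one directly follows the question, else None."""
    if struct.unpack("!H", pkt[10:12])[0] == 0:        # ARCOUNT
        return None
    _, off = decode_name(pkt, 12)
    off += 4                                           # QTYPE, QCLASS
    if off + 5 <= len(pkt) and pkt[off] == 0 and struct.unpack("!H", pkt[off + 1:off + 3])[0] == OPT:
        return off
    return None

def edns_udp_size(pkt):
    off = _opt_offset(pkt)
    return None if off is None else struct.unpack("!H", pkt[off + 3:off + 5])[0]

def clamp_edns_size(pkt, edns_max):
    """Bound the advertised UDP payload size (the OPT CLASS field) to edns_max."""
    off = _opt_offset(pkt)
    if off is None:
        return pkt
    size = struct.unpack("!H", pkt[off + 3:off + 5])[0]
    return pkt[:off + 3] + struct.pack("!H", min(size, edns_max)) + pkt[off + 5:]

def question_hash(pkt):
    """SHA-256 over the question: case-folded name, QTYPE, QCLASS (assumed input set)."""
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return hashlib.sha256(name.lower().encode("ascii") + struct.pack("!HH", qtype, qclass)).digest()

class Forwarder:
    def __init__(self, edns_max=1232, port_range=(32768, 60999), seed=None):
        self.edns_max = edns_max
        self.port_range = port_range
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.pending = {}                # (server, local_port, qid) -> question hash

    def forward(self, query, server):
        """Return (packet to send, local source port) and remember what we expect back."""
        qid = self.rng.randrange(1 << 16)
        port = self.rng.randint(*self.port_range)       # fresh random source port per query
        pkt = struct.pack("!H", qid) + clamp_edns_size(query, self.edns_max)[2:]
        self.pending[(server, port, qid)] = question_hash(pkt)
        return pkt, port

    def accept(self, reply, src_addr, local_port):
        """True only for a reply from the right server, on the right port, with the right ID and question."""
        qid = struct.unpack("!H", reply[:2])[0]
        key = (src_addr, local_port, qid)
        expected = self.pending.get(key)
        if expected is None or question_hash(reply) != expected:
            return False
        del self.pending[key]            # one answer per outstanding query
        return True
```

The source-address check is what CVE-2020-25684 is about: without it, a forged reply only has to hit the {ID, port} pair, and every server a query could have gone to widens the target. The question hash is the CVE-2020-25685 point: a reply carrying the right ID and port but a different question is still dropped.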
Handle multiple identical near simultaneous DNS queries better.
Previously, such queries would all be forwarded
independently. This is, in theory, inefficient but in practice
not a problem, _except_ that it means that an answer for any
of the forwarded queries will be accepted and cached.
An attacker can send a query multiple times, and for each repeat,
another {port, ID} becomes capable of accepting the answer he is
sending in the blind, to random IDs and ports. The chance of a
successful attack is therefore multiplied by the number of repeats
of the query. The new behaviour detects repeated queries and
merely stores the clients sending repeats so that when the
first query completes, the answer can be sent to all the
clients who asked. Refer: CVE-2020-25686.
Improve behaviour in the face of network interfaces which come
and go and change index. Thanks to Petr Mensik for the patch.

Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user

Allow IPv6 addresses of the form [::ffff:1.2.3.4] in --dhcp-option.

Fix crash under heavy TCP connection load introduced in 2.81.
Thanks to Frank for good work chasing this down.

Change default lease time for DHCPv6 to one day.

Alter calculation of preferred and valid times in router
advertisements, so that these do not have a floor applied
of the lease time in the dhcp-range if this is not explicitly
specified and is merely the default.
Thanks to Martin-Éric Racine for suggestions on this.

Improve cache behaviour for TCP connections. For ease of
implementation, dnsmasq has always forked a new process to handle
each incoming TCP connection. A side-effect of this is that
any DNS queries answered from TCP connections are not cached:
when TCP connections were rare, this was not a problem.
With the coming of DNSSEC, it is now the case that some
DNSSEC queries have answers which spill to TCP, and if,
for instance, this applies to the keys for the root, then
those never get cached, and performance is very bad.
This fix passes cache entries back from the TCP child process to
the main server process, and fixes the problem.

Remove the NO_FORK compile-time option, and support for uclinux.
In an era where everything has an MMU, this looks like
an anachronism, and it adds to (Ok, multiplies!) the
combinatorial explosion of compile-time options. Thanks to
Kevin Darbyshire-Bryant for the patch.

Fix line-counting when reading /etc/hosts and friends, for
correct error messages. Thanks to Christian Rosentreter

Fix bug in DNS non-terminal code, added in 2.80, which could
sometimes cause a NODATA rather than an NXDOMAIN reply.
Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
for spotting and diagnosing the bug and providing patches.

Support TCP-fastopen (RFC-7413) on both incoming and
outgoing TCP connections, if supported and enabled in the OS.

Improve kernel-capability manipulation code under Linux. Dnsmasq
now fails early if a required capability is not available, and
tries not to request capabilities not required by its

Add --shared-network config. This enables allocation of addresses
by the DHCP server in subnets where the server (or relay) does not
have an interface on the network in that subnet. Many thanks to
kamp.de for sponsoring this feature.

Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
validation check got borked in commit 2b38e382 and release 2.80.
Thanks to Tomasz Szajner for spotting this.

Fix compilation against nettle version 3.5 and later.

Fix spurious DNSSEC validation failures when the auth section
of a reply contains unsigned RRs from a signed zone,
with the exception that NSEC and NSEC3 RRs must always be signed.
Thanks to Tore Anderson for spotting and diagnosing the bug.

Add --dhcp-ignore-clid. This disables reading of DHCP client
identifier option (option 61), so clients are only identified by

Fix a bug which stopped --dhcp-name-match from working when a hostname
is supplied in --dhcp-host. Thanks to James Feeney for spotting this.

Fix bug which very rarely caused zero-length DHCPv6 packets.
Thanks to Dereck Higgins for spotting this.

Add --tftp-single-port option.

Enhance --conf-dir to load files in a deterministic order. Thanks to
Evgenii Seliavka for the suggestion and initial patch.

In the router advert code, handle the case where we have two
different interfaces on the same IPv6 net, and we are doing
RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
for spotting this case and making the initial patch.

Support prefixed ranges of IPv6 addresses in dhcp-host.
This eases problems with chain-netbooting, where each link in the
chain requests an address using a different UID. With a single
address, only one gets the "static" address, but with this
fix, enough addresses can be reserved for all the stages of the
boot. Many thanks to Harald Jensås for his work on this idea and

Add filtering by tag of --dhcp-host directives. Based on a patch

Allow empty server spec in --rev-server, to match --server.

Remove DSA signature verification from DNSSEC, as specified in
RFC 8624. Thanks to Loganaden Velvindron for the original patch.

Add --script-on-renewal option.

Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
for the initial patch and motivation.

Alter the default for dnssec-check-unsigned. Versions of
dnsmasq prior to 2.80 defaulted to not checking unsigned
replies, and used --dnssec-check-unsigned to switch
this on. Such configurations will continue to work as before,
but those which used the default of no checking will need to be
altered to explicitly select no checking. The new default is
because switching off checking for unsigned replies is
inherently dangerous. Not only does it open the possibility of forged
replies, but it allows everything to appear to be working even
when the upstream nameservers do not support DNSSEC, and in this
case no DNSSEC validation at all is occurring.

Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
are set. Thanks to Daniel Miess for help with this.

Add a facility to store DNS packets sent/received in a
pcap-format file for later debugging. The file location
is given by the --dumpfile option, and a bitmap controlling
which packets should be dumped is given by the --dumpmask

Handle the case of both standard and constructed dhcp-ranges on the
same interface better. We don't now construct a dhcp-range if there's
already one specified. This allows the specified interface to
have different parameters and avoids advertising the same
prefix twice. Thanks to Luis Marsano for spotting this case.

Allow zone transfer in authoritative mode if auth-peer is specified,
even if auth-sec-servers is not. Thanks to Raphaël Halimi for

Fix bug which sometimes caused dnsmasq to wrongly return answers
without DNSSEC RRs to queries with the do-bit set, but only when
DNSSEC validation was not enabled.
Thanks to Petr Menšík for spotting this.

Fix missing fatal errors with some malformed options
(server, local, address, rebind-domain-ok, ipset, alias).
Thanks to Eugene Lozovoy for spotting the problem.

Fix crash on startup with a --synth-domain which has no prefix.
Introduced in 2.79. Thanks to Andreas Engel for the bug report.

Fix missing EDNS0 section in some replies generated by local
DNS configuration which confused systemd-resolved. Thanks to
Steve Dodd for characterising the problem.

Add --dhcp-name-match config option.

Add --caa-record config option.

Implement --address=/example.com/# as (more efficient) syntactic
sugar for --address=/example.com/0.0.0.0 and
--address=/example.com/::
Returning null addresses is a useful technique for ad-blocking.
Thanks to Peter Russell for the suggestion.
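A model, added here and not taken from dnsmasq's sources, of how --server, --address and --local lines select, per query, between a local answer and an upstream server group: the longest configured domain suffix wins, `#` as a domain matches every name, and `#` as a server means the default servers. It covers the --address=/example.com/# null-address form of this entry, the post-2.86 --address semantics (A only unless --local is added) and the multiple-address form described earlier in this file, and the --server=/some.domain/# versus --address=/#/<ip> case fixed in 2.87. The precedence chosen when one domain carries both --server and --local is an assumption of the example.

```python
# Added example, not dnsmasq code: a per-query routing table for --server,
# --address and --local. Entries are keyed by domain ("" stands for "#", the
# match-everything domain). A query is matched against its own suffixes from
# most to least specific, separately for "do we have an address of this family"
# and "is there a server group or --local for this name"; the deeper match wins,
# and on a tie the address answer wins so --address and --local can coexist.

class DomainTable:
    def __init__(self, default_servers):
        self.default_servers = list(default_servers)
        self.entries = {}

    def _entry(self, domain):
        key = "" if domain == "#" else domain.lower().strip(".")
        return self.entries.setdefault(key, {"a": [], "aaaa": [], "servers": None, "local": False})

    def add(self, kind, domain, value=None):
        """kind is 'address', 'server' or 'local', mirroring the option names."""
        e = self._entry(domain)
        if kind == "address":
            if value == "#":                       # --address=/dom/#: null address of both families
                e["a"].append("0.0.0.0")
                e["aaaa"].append("::")
            else:
                e["aaaa" if ":" in value else "a"].append(value)
        elif kind == "server":
            if value == "#":                       # --server=/dom/#: use the default servers
                e["servers"] = "#"
            elif isinstance(e["servers"], list):
                e["servers"].append(value)
            else:
                e["servers"] = [value]
        elif kind == "local":
            e["local"] = True
        else:
            raise ValueError(f"unknown option kind {kind!r}")

    def _longest(self, name, wanted):
        """(depth, entry) of the most specific suffix whose entry satisfies wanted, or (-1, None)."""
        labels = name.lower().strip(".").split(".")
        for i in range(len(labels) + 1):           # "a.b.c", "b.c", "c", "" (= "#")
            e = self.entries.get(".".join(labels[i:]))
            if e is not None and wanted(e):
                return len(labels) - i, e
        return -1, None

    def resolve(self, name, qtype):
        """('local', [addresses]) | ('nodata', None) | ('forward', [servers])."""
        fam = {"A": "a", "AAAA": "aaaa"}.get(qtype)
        addr_depth, addr_e = (-1, None) if fam is None else self._longest(name, lambda e: e[fam])
        srv_depth, srv_e = self._longest(name, lambda e: e["local"] or e["servers"] is not None)
        if addr_e is not None and addr_depth >= srv_depth:
            return "local", list(addr_e[fam])      # all configured addresses are returned
        if srv_e is None or srv_e["servers"] == "#":
            return "forward", list(self.default_servers)
        if srv_e["servers"] is not None:
            return "forward", list(srv_e["servers"])
        return "nodata", None                      # --local without a matching address
```

With `address=/#/192.0.2.99` and `server=/some.domain/#`, an A query for www.some.domain matches the address at depth 0 (the root) but the server group at depth 2, so it is forwarded to the default servers rather than answered with 192.0.2.99. With `address=/example.com/1.2.3.4` alone, an AAAA query for example.com matches nothing and is forwarded; adding `local=/example.com/` turns that into NODATA.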
Change anti cache-snooping behaviour with queries with the
recursion-desired bit unset. Instead of returning SERVFAIL, we
now always forward, and never answer from the cache. This
allows the "dig +trace" command to work.

Include in the example config file a formulation which
stops DHCP clients from claiming the DNS name "wpad".
This is a fix for the CERT Vulnerability VU#598349.

Fix parsing of CNAME arguments, which are confused by extra spaces.
Thanks to Diego Aguirre for spotting the bug.

Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
upstream servers to an interface, rather than SO_BINDTODEVICE.
Thanks to Beniamino Galvani for the patch.

Always return a SERVFAIL answer to DNS queries without the
recursion desired bit set, UNLESS acting as an authoritative
DNS server. This avoids a potential route to cache snooping.

Add support for Ed25519 signatures in DNSSEC validation.

No longer support RSA/MD5 signatures in DNSSEC validation,
since these are not secure. This behaviour is mandated in

Fix incorrect error exit code from dhcp_release6 utility.
Thanks Gaudenz Steinlin for the bug report.

Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
time validation when --dnssec-no-timecheck is in use.
Note that this is an incompatible change from earlier releases.

Allow more than one --bridge-interface option to refer to an
interface, so that we can use
--bridge-interface=int1,alias1
--bridge-interface=int1,alias2
--bridge-interface=int1,alias1,alias2
Thanks to Neil Jerram for work on this.

Fix for DNSSEC with wildcard-derived NSEC records.
It's OK for NSEC records to be expanded from wildcards,
but in that case, the proof of non-existence is only valid
starting at the wildcard name, *.<domain>, NOT the name expanded
from the wildcard. Without this check it's possible for an
attacker to craft an NSEC which wrongly proves non-existence.
Thanks to Ralph Dolmans for finding this, and co-ordinating
the vulnerability tracking and fix release.
CVE-2017-15107 applies.

Remove special handling of A-for-A DNS queries. These
are no longer a significant problem in the global DNS.
http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
Thanks to Mattias Hellström for the initial patch.

Fix failure to delete dynamically created dhcp options
from files in --dhcp-optsdir directories. Thanks to
Lindgren Fredrik for the bug report.

Add to --synth-domain the ability to create names using
sequential numbers, as well as encodings of IP addresses.

--synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*

creates 21 domain names of the form
internal-4.thekelleys.org.uk over the address range given, with
internal-0.thekelleys.org.uk being 192.168.0.50 and
internal-20.thekelleys.org.uk being 192.168.0.70.
Thanks to Andy Hawkins for the suggestion.

Tidy up Crypto code, removing workarounds for ancient
versions of libnettle. We now require libnettle 3.

Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
Novakovic for the patch.

Revert ping-check of address in DHCPDISCOVER if there
already exists a lease for the address. Under some
circumstances, a netbooted Windows installation can reply
to pings before it has a DHCP lease and block allocation
of the address it already used during netboot. Thanks to
Jan Psota for spotting this.

Fix DHCP relaying, broken in 2.76 and 2.77 by commit
ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
John Fitzgibbon for the diagnosis and patch.

Try other servers if first returns REFUSED when
--strict-order active. Thanks to Hans Dedecker

Fix regression in 2.77, ironically added as a security
improvement, which resulted in a crash when a DNS
query exceeded 512 bytes (or the EDNS0 packet size,
if different.) Thanks to Christian Kujau, Arne Woerner,
Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
chasing this one down. CVE-2017-13704 applies.

Fix heap overflow in DNS code. This is a potentially serious
security hole. It allows an attacker who can make DNS
requests to dnsmasq, and who controls the contents of
a domain, which is thereby queried, to overflow
(by 2 bytes) a heap buffer and either crash, or
even take control of, dnsmasq.
CVE-2017-14491 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
Kevin Hamacher and Ron Bowes of the Google Security Team for

Fix heap overflow in IPv6 router advertisement code.
This is a potentially serious security hole, as a
crafted RA request can overflow a buffer and crash or
control dnsmasq. Attacker must be on the local network.
CVE-2017-14492 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
and Kevin Hamacher of the Google Security Team for

Fix stack overflow in DHCPv6 code. An attacker who can send
a DHCPv6 request to dnsmasq can overflow the stack frame and
crash or control dnsmasq.
CVE-2017-14493 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
Kevin Hamacher and Ron Bowes of the Google Security Team for

Fix information leak in DHCPv6. A crafted DHCPv6 packet can
cause dnsmasq to forward memory from outside the packet
buffer to a DHCPv6 server when acting as a relay.
CVE-2017-14494 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
Kevin Hamacher and Ron Bowes of the Google Security Team for

Fix DoS in DNS. Invalid boundary checks in the
add_pseudoheader function allow a memcpy call with negative
size. An attacker who can send malicious DNS queries
to dnsmasq can trigger a DoS remotely.
dnsmasq is vulnerable only if one of the following options is
specified: --add-mac, --add-cpe-id or --add-subnet.
CVE-2017-14496 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
Kevin Hamacher and Ron Bowes of the Google Security Team for

Fix out-of-memory DoS vulnerability. An attacker who can
send malicious DNS queries to dnsmasq can trigger memory
allocations in the add_pseudoheader function.
The allocated memory is never freed, which leads to a DoS
through memory exhaustion. dnsmasq is vulnerable only
if one of the following options is specified:
--add-mac, --add-cpe-id or --add-subnet.
CVE-2017-14495 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
Kevin Hamacher and Ron Bowes of the Google Security Team for

Generate an error when configured with a CNAME loop,
rather than a crash. Thanks to George Metz for
spotting this problem.

Calculate the length of TFTP error reply packet
correctly. This fixes a problem when the error
message in a TFTP packet exceeds the arbitrary
limit of 500 characters. The message was correctly
truncated, but not the packet length, so
extra data was appended. This is a possible
security risk, since the extra data comes from
a buffer which is also used for DNS, so that
previous DNS queries or replies may be leaked.
Thanks to Mozilla for funding the security audit
which spotted this bug.
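The length bug described in this entry, rebuilt in miniature as an added example (not dnsmasq's TFTP code): a shared scratch buffer seeded with constructed leftover DNS bytes, a builder that truncates the message but sizes the packet from the untruncated length, and the corrected builder beside it. The buffer size, the stale contents and the 500-byte limit as a constant are assumptions of the example.

```python
import struct

# Added example, not dnsmasq code. A TFTP ERROR packet is opcode 5, a 16-bit
# error code, the message, and a terminating NUL. The message is truncated to
# MAX_ERR_MSG when copied into a scratch buffer that DNS code also uses; the
# buggy builder then sizes the packet from the original message, so bytes
# left behind by earlier DNS traffic follow the NUL onto the wire.

TFTP_ERROR = 5
MAX_ERR_MSG = 500            # the message limit mentioned in the changelog entry
BUF_SIZE = 2048              # assumed scratch buffer size

def fresh_shared_buffer():
    """Scratch buffer that previously carried DNS data (constructed contents)."""
    buf = bytearray(BUF_SIZE)
    stale_dns = (b"\x00\x01\x81\x80" + b"\x00" * 8          # a DNS header
                 + b"\x06secret\x08internal\x07example\x00"  # a name from an earlier query
                 + b"\x00\x01\x00\x01")
    buf[500:500 + len(stale_dns)] = stale_dns               # sits just past where a long message ends
    return buf

def _copy_message(buf, code, msg):
    """Write opcode, code, truncated message and NUL into buf; return bytes of message copied."""
    payload = msg.encode("ascii")[:MAX_ERR_MSG]
    struct.pack_into("!HH", buf, 0, TFTP_ERROR, code)
    buf[4:4 + len(payload)] = payload
    buf[4 + len(payload)] = 0
    return len(payload)

def build_error_buggy(buf, code, msg):
    """Before the fix: packet length computed from the untruncated message."""
    _copy_message(buf, code, msg)
    return bytes(buf[:4 + len(msg.encode("ascii")) + 1])

def build_error_fixed(buf, code, msg):
    """After the fix: packet length computed from what was actually copied."""
    copied = _copy_message(buf, code, msg)
    return bytes(buf[:4 + copied + 1])

def trailing_bytes(pkt):
    """Whatever follows the message's terminating NUL; a well-formed ERROR packet has none."""
    end = pkt.index(b"\x00", 4)
    return pkt[end + 1:]
```

With a 600-character message the buggy packet is 605 bytes and its last 100 bytes are whatever the buffer held, here the constructed name "secret.internal.example"; the fixed packet is 505 bytes and ends at the NUL.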
Fix logic error in Linux netlink code. This could
cause dnsmasq to enter a tight loop on systems
with a very large number of network interfaces.
Thanks to Ivan Kokshaysky for the diagnosis and

Fix problem with --dnssec-timestamp whereby receipt
of SIGHUP would erroneously engage timestamp checking.
Thanks to Kevin Darbyshire-Bryant for this work.

Bump zone serial on reloading /etc/hosts and friends
when providing authoritative DNS. Thanks to Harrald
Dunkel for spotting this.

Handle v4-mapped IPv6 addresses sanely in --synth-domain.
These have standard representation like ::ffff:1.2.3.4
and are now converted to names like
<prefix>--ffff-1-2-3-4.<domain>
741 Handle binding upstream servers to an interface
742 (--server=1.2.3.4@eth0) when the named interface
743 is destroyed and recreated in the kernel. Thanks to
744 Beniamino Galvani for the patch.
746 Allow wildcard CNAME records in authoritative zones.
747 For example --cname=*.example.com,default.example.com
748 Thanks to Pro Backup for sponsoring this development.
750 Bump the allowed backlog of TCP connections from 5 to 32,
751 and make this a compile-time configurable option. Thanks
752 to Donatas Abraitis for diagnosing this as a potential
755 Add DNSMASQ_REQUESTED_OPTIONS environment variable to the
756 lease-change script. Thanks to ZHAO Yu for the patch.
758 Fix bug in rrfilter code that could cause malformed
759 replies, especially when DNSSEC validation is on and
760 the upstream server returns an answer with the RRs in a
761 particular order. The only DNS server known to tickle
762 this is Nominum's. Thanks to Dave Täht for spotting the
763 bug and assisting in the fix.
765 Fix the manpage, which wrongly stated that only the primary address
766 of an interface is used by --interface-name.
768 Make --localise-queries apply to names from --interface-name.
769 Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
772 Improve connection handling when talking to TCP upstream
773 servers. Specifically, be prepared to open a new TCP
774 connection when we want to make multiple queries
775 but the upstream server accepts fewer queries per connection.
777 Improve logging of upstream servers when there are a lot
778 of "local addresses only" entries. Thanks to Hannu Nyman for
781 Make --bogus-priv apply to IPv6, for the prefixes specified
782 in RFC6303. Thanks to Kevin Darbyshire-Bryant for work on this.
784 Allow use of MAC addresses with --tftp-unique-root. Thanks
785 to Floris Bos for the patch.
787 Add --dhcp-reply-delay option. Thanks to Floris Bos
790 Add mtu setting facility to --ra-param. Thanks to David
791 Flamand for the patch.
793 Capture STDOUT and STDERR output from dhcp-script and log
794 it as part of the dnsmasq log stream. Makes life easier
795 for diagnosing unexpected problems in scripts.
796 Thanks to Petr Mensik for the patch.
798 Generate fatal errors when failing to parse the output
799 of the dhcp-script in "init" mode. Avoids strange errors
800 when the script accidentally emits error messages.
801 Thanks to Petr Mensik for the patch.
803 Make --rev-server for an RFC1918 subnet work even in the
804 presence of the --bogus-priv flag. Thanks to
805 Vladislav Grishenko for the patch.
807 Extend --ra-param mtu: field to allow an interface name.
808 This allows the MTU of a WAN interface to be advertised on
809 the internal interfaces of a router. Thanks to
810 Vladislav Grishenko for the patch.
812 Do ICMP-ping check for address-in-use for DHCPv4 when
813 the client specifies an address in DHCPDISCOVER, and when
814 an address is configured locally. Thanks to Alin Năstac
815 for spotting the problem.
817 Add new DHCP tag "known-othernet" which is set when only a
818 dhcp-host exists for another subnet. Can be used to ensure
819 that privileged hosts are not given "guest" addresses by
820 accident. Thanks to Todd Sanket for the suggestion.
822 Remove historic automatic inclusion of IDN support when
823 building internationalisation support. This doesn't
824 fit now there is a choice of IDN libraries. Be sure
825 to include either -DHAVE_IDN or -DHAVE_LIBIDN2 for
830 Include 0.0.0.0/8 in DNS rebind checks. This range
831 translates to hosts on the local network, or, at
832 least, 0.0.0.0 accesses the local host, so could
833 be targets for DNS rebinding. See RFC 5735 section 3
834 for details. Thanks to Stephen Röttger for the bug report.
836 Enhance --add-subnet to allow arbitrary subnet addresses.
837 Thanks to Ed Barsley for the patch.
839 Respect the --no-resolv flag in inotify code. Fixes bug
840 which caused dnsmasq to fail to start if a resolv-file
841 was a dangling symbolic link, even if --no-resolv is set.
842 Thanks to Alexander Kurtz for spotting the problem.
844 Fix crash when an A or AAAA record is defined locally,
845 in a hosts file, and an upstream server sends a reply
846 that the same name is empty. Thanks to Edwin Török for
849 Fix failure to correctly calculate cache-size when
850 reading a hosts-file fails. Thanks to André Glüpker
853 Fix wrong answer to simple name query when --domain-needed is
854 set, but no upstream servers are configured. Dnsmasq returned
855 REFUSED in this case, when the answer should be the same as when
856 upstream servers are configured: NOERROR. Thanks to
857 Allain Legacy for spotting the problem.
859 Return REFUSED when running out of forwarding table slots,
862 Add --max-port configuration. Thanks to Hans Dedecker for
865 Add --script-arp and two new functions for the dhcp-script.
866 These are "arp" and "arp-old" which announce the arrival and
867 removal of entries in the ARP or neighbour tables.
869 Extend --add-mac to allow a new encoding of the MAC address
870 as base64, by configuring --add-mac=base64
872 Add --add-cpe-id option.
874 Don't crash with divide-by-zero if an IPv6 dhcp-range
875 is declared as a whole /64.
876 (ie xx::0 to xx::ffff:ffff:ffff:ffff)
877 Thanks to Laurent Bendel for spotting this problem.
879 Add support for a TTL parameter in --host-record and
882 Add --dhcp-ttl option.
884 Add --tftp-mtu option. Thanks to Patrick McLean for the
887 Check return-code of inet_pton() when parsing dhcp-option.
888 Bad addresses could fail to generate errors and result in
889 garbage dhcp-options being sent. Thanks to Marc Branchaud
892 Fix wrong value for EDNS UDP packet size when using
893 --servers-file to define upstream DNS servers. Thanks to
894 Scott Bonar for the bug report.
896 Move the dhcp_release and dhcp_lease_time tools from
897 contrib/wrt to contrib/lease-tools.
899 Add dhcp_release6 to contrib/lease-tools. Many thanks
900 to Sergey Nechaev for this code.
902 To avoid filling logs in configurations which define
903 many upstream nameservers, don't log more than 30 servers.
904 The number to be logged can be changed as SERVERS_LOGGED
907 Swap the values of BC_EFI and x86-64_EFI in --pxe-service.
908 These were previously wrong due to an error in RFC 4578.
909 If you're using BC_EFI to boot 64-bit EFI machines, you
910 will need to update your config.
912 Add ARM32_EFI and ARM64_EFI as valid architectures in
915 Fix PXE booting for UEFI architectures. Modify PXE boot
916 sequence in this case to force the client to talk to dnsmasq
917 over port 4011. This makes PXE and especially proxy-DHCP PXE
918 work with these architectures.
920 Workaround problems with UEFI PXE clients. There exist
921 in the wild PXE clients which have problems with PXE
922 boot menus. To work around this, when there's a single
923 --pxe-service which applies to the client, then that target
924 will be booted directly, rather than sending a
925 single-item boot menu.
927 Many thanks to Jarek Polok, Michael Kuron and Dreamcat4
928 for their work on the long-standing UEFI PXE problem.
930 Subtle change in the semantics of "basename" in
931 --pxe-service. The historical behaviour has always been
932 that the actual filename downloaded from the TFTP server
933 is <basename>.<layer> where <layer> is an integer which
934 corresponds to the layer parameter supplied by the client.
935 It's not clear what the function of the "layer"
936 actually is in the PXE protocol, and in practice layer
937 is always zero, so the filename is <basename>.0
938 The new behaviour is the same as the old, except when
939 <basename> includes a file suffix, in which case
940 the layer suffix is no longer added. This allows
941 sensible suffixes to be used, rather than the
942 meaningless ".0". Only in the unlikely event that you
943 have a config with a basename which already has a
944 suffix, is this an incompatible change, since the file
945 downloaded will change from name.suffix.0 to just
950 Fix regression in 2.74 which caused 100% CPU use when a
951 dhcp-script is configured. Thanks to Adrian Davey for
952 reporting the bug and testing the fix.
956 Fix regression in 2.73 where --conf-file would attempt to
957 read the default file, rather than no file.
959 Fix inotify code to handle dangling symlinks better and
960 not SEGV in some circumstances.
962 DNSSEC fix. In the case of a signed CNAME generated by a
963 wildcard which pointed to an unsigned domain, the wrong
964 status would be logged, and some necessary checks omitted.
968 Fix crash at startup when an empty suffix is supplied to
969 --conf-dir, also trivial memory leak. Thanks to
970 Tomas Hozza for spotting this.
972 Remove floor of 4096 on advertised EDNS0 packet size when
973 DNSSEC in use, the original rationale for this has long gone.
974 Thanks to Anders Kaseorg for spotting this.
976 Use inotify for checking on updates to /etc/resolv.conf and
977 friends under Linux. This fixes race conditions when the files are
978 updated rapidly and saves CPU by not polling. To build
979 a binary that runs on old Linux kernels without inotify,
980 use make COPTS=-DNO_INOTIFY
982 Fix breakage of --domain=<domain>,<subnet>,local - only reverse
983 queries were intercepted. This appears to have been broken
984 since 2.69. Thanks to Josh Stone for finding the bug.
986 Eliminate IPv6 privacy addresses and deprecated addresses from
987 the answers given by --interface-name. Note that reverse queries
988 (ie looking for names, given addresses) are not affected.
989 Thanks to Michael Gorbach for the suggestion.
991 Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
994 Add --ignore-address option. Ignore replies to A-record
995 queries which include the specified address. No error is
996 generated, dnsmasq simply continues to listen for another
997 reply. This is useful to defeat blocking strategies which
998 rely on quickly supplying a forged answer to a DNS
999 request for certain domains, before the correct answer can
1000 arrive. Thanks to Glen Huang for the patch.
1002 Revisit the part of DNSSEC validation which determines if an
1003 unsigned answer is legit, or is in some part of the DNS
1004 tree which should be signed. Dnsmasq now works from the
1005 DNS root downward looking for the limit of signed
1006 delegations, rather than working bottom up. This is
1007 both more correct, and less likely to trip over broken
1008 nameservers in the unsigned parts of the DNS tree
1009 which don't respond well to DNSSEC queries.
1011 Add --log-queries=extra option, which makes logs easier
1012 to search automatically.
1014 Add --min-cache-ttl option. I've resisted this for a long
1015 time, on the grounds that disbelieving TTLs is never a
1016 good idea, but I've been persuaded that there are
1017 sometimes reasons to do it. (Step forward, GFW).
1018 To avoid misuse, there's a hard limit on the TTL
1019 floor of one hour. Thanks to RinSatsuki for the patch.
1021 Cope with multiple interfaces with the same link-local
1022 address. (IPv6 addresses are scoped, so this is allowed.)
1023 Thanks to Cory Benfield for help with this.
1025 Add --dhcp-hostsdir. This allows addition of new host
1026 configurations to a running dnsmasq instance much more
1027 cheaply than having dnsmasq re-read all its existing
1028 configuration each time.
1030 Don't reply to DHCPv6 SOLICIT messages if we're not
1031 configured to do stateful DHCPv6. Thanks to Win King Wan
1034 Fix broken DNSSEC validation of ECDSA signatures.
1036 Add --dnssec-timestamp option, which provides an automatic
1037 way to detect when the system time becomes valid after
1038 boot on systems without an RTC, whilst allowing DNS
1039 queries before the clock is valid so that NTP can run.
1040 Thanks to Kevin Darbyshire-Bryant for developing this idea.
1042 Add --tftp-no-fail option. Thanks to Stefan Tomanek for
1045 Fix crash caused by looking up servers.bind, CHAOS text
1046 record, when more than about five --servers= lines are
1047 in the dnsmasq config. This causes memory corruption
1048 which causes a crash later. Thanks to Matt Coddington for
1049 sterling work chasing this down.
1051 Fix crash on receipt of certain malformed DNS requests.
1052 Thanks to Nick Sampanis for spotting the problem.
1053 Note that this could allow the dnsmasq process's
1054 memory to be read by an attacker under certain
1055 circumstances, so it has a CVE, CVE-2015-3294
1057 Fix crash in authoritative DNS code, if a .arpa zone
1058 is declared as authoritative, and then a PTR query which
1059 is not to be treated as authoritative arrives. Normally,
1060 directly declaring a .arpa zone as authoritative is not
1061 done, so this crash wouldn't be seen. Instead the
1062 relevant .arpa zone should be specified as a subnet
1063 in the auth-zone declaration. Thanks to Johnny S. Lee
1064 for the bug report and initial patch.
1066 Fix authoritative DNS code to correctly reply to NS
1067 and SOA queries for .arpa zones for which we are
1068 declared authoritative by means of a subnet in auth-zone.
1069 Previously we provided correct answers to PTR queries
1070 in such zones (including NS and SOA) but not direct
1071 NS and SOA queries. Thanks to Johnny S. Lee for
1072 pointing out the problem.
1074 Fix logging of DHCPREPLY which should be suppressed
1075 by quiet-dhcp6. Thanks to J. Pablo Abonia for
1076 spotting the problem.
1078 Try and handle net connections with broken fragmentation
1079 that lose large UDP packets. If a server times out,
1080 reduce the maximum UDP packet size field in the EDNS0
1081 header to 1280 bytes. If it then answers, make that
1084 Check IPv4-mapped IPv6 addresses when --stop-rebind
1085 is active. Thanks to Jordan Milne for spotting this.
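Three entries in this log touch the same check on upstream answers: 0.0.0.0/8 joining the rebind ranges, --ignore-address dropping any A reply that carries a configured address, and --stop-dns-rebind now looking inside IPv4-mapped IPv6 addresses. The block below is an added example, not dnsmasq's code, that walks the answer section of a reply and applies all three. The set of rebind ranges is an assumption taken from RFC 1918 and RFC 5735 section 3 rather than copied from dnsmasq; the sample replies are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { ANS_OK = 0, ANS_REBIND = 1, ANS_IGNORED = 2, ANS_MALFORMED = 3 };

/* Skip a DNS name (labels or a compression pointer) starting at off.
 * Returns the offset just past it, or 0 if the packet is malformed. */
static size_t skip_name(const uint8_t *pkt, size_t len, size_t off) {
    while (off < len) {
        uint8_t l = pkt[off];
        if (l == 0)
            return off + 1;
        if ((l & 0xC0) == 0xC0)                 /* compression pointer: 2 bytes */
            return off + 2 <= len ? off + 2 : 0;
        if (l & 0xC0)
            return 0;                           /* reserved label types */
        off += 1 + l;
    }
    return 0;
}

/* Rebind targets. Assumed set from RFC 1918 and RFC 5735 section 3. */
static int is_v4_rebind(const uint8_t a[4]) {
    return a[0] == 0                                /* 0.0.0.0/8 "this" network */
        || a[0] == 10                               /* 10.0.0.0/8 */
        || (a[0] == 172 && (a[1] & 0xF0) == 16)     /* 172.16.0.0/12 */
        || (a[0] == 192 && a[1] == 168)             /* 192.168.0.0/16 */
        || a[0] == 127                              /* 127.0.0.0/8 loopback */
        || (a[0] == 169 && a[1] == 254);            /* 169.254.0.0/16 link-local */
}

/* ::ffff:a.b.c.d carries an IPv4 address in its last four bytes. */
static int is_v4_mapped(const uint8_t a[16]) {
    static const uint8_t prefix[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    return memcmp(a, prefix, 12) == 0;
}

/* Walk the answer section. ignore_v4 (may be NULL) is the --ignore-address
 * value: a reply carrying it is dropped so the caller keeps waiting for
 * another answer. A records, and AAAA records holding a v4-mapped address,
 * are checked against the rebind ranges. Every read is bounds-checked. */
static int classify_reply(const uint8_t *pkt, size_t len, const uint8_t *ignore_v4) {
    if (len < 12)
        return ANS_MALFORMED;
    uint16_t qd = (uint16_t)((pkt[4] << 8) | pkt[5]);
    uint16_t an = (uint16_t)((pkt[6] << 8) | pkt[7]);
    size_t off = 12;
    int verdict = ANS_OK;
    for (; qd; qd--) {                              /* question: name, type, class */
        off = skip_name(pkt, len, off);
        if (!off || off + 4 > len)
            return ANS_MALFORMED;
        off += 4;
    }
    for (; an; an--) {                              /* answer RRs */
        off = skip_name(pkt, len, off);
        if (!off || off + 10 > len)
            return ANS_MALFORMED;
        uint16_t type  = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
        uint16_t rdlen = (uint16_t)((pkt[off + 8] << 8) | pkt[off + 9]);
        off += 10;
        if (rdlen > len - off)                      /* rdata must fit in the packet */
            return ANS_MALFORMED;
        const uint8_t *rd = pkt + off, *v4 = NULL;
        if (type == 1 && rdlen == 4)
            v4 = rd;
        else if (type == 28 && rdlen == 16 && is_v4_mapped(rd))
            v4 = rd + 12;
        if (v4) {
            if (ignore_v4 && memcmp(v4, ignore_v4, 4) == 0)
                return ANS_IGNORED;
            if (is_v4_rebind(v4))
                verdict = ANS_REBIND;
        }
        off += rdlen;
    }
    return verdict;
}

/* Constructed sample reply: one question for www.example.com and one answer
 * of the given type whose owner name is a pointer back to the question. */
static size_t build_reply(uint8_t *out, uint16_t type, const uint8_t *rdata, uint16_t rdlen) {
    static const uint8_t hdr[12] = {0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0};
    static const uint8_t qname[] = "\3www\7example\3com";   /* trailing NUL = root */
    uint8_t fixed[] = {0,0, 0,1, 0xC0,0x0C, 0,0, 0,1, 0,0,0,60,
                       (uint8_t)(rdlen >> 8), (uint8_t)rdlen};
    fixed[1] = (uint8_t)type; fixed[7] = (uint8_t)type;   /* types used here are < 256 */
    size_t off = 0;
    memcpy(out + off, hdr, sizeof hdr);      off += sizeof hdr;
    memcpy(out + off, qname, sizeof qname);  off += sizeof qname;
    memcpy(out + off, fixed, sizeof fixed);  off += sizeof fixed;
    memcpy(out + off, rdata, rdlen);         off += rdlen;
    return off;
}

static int check_a(uint8_t a, uint8_t b, uint8_t c, uint8_t d, const uint8_t *ignore) {
    uint8_t pkt[128], rd[4] = {a, b, c, d};
    return classify_reply(pkt, build_reply(pkt, 1, rd, 4), ignore);
}

static int check_mapped(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    uint8_t pkt[128], rd[16] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff, a, b, c, d};
    return classify_reply(pkt, build_reply(pkt, 28, rd, 16), NULL);
}

static int check_truncated(void) {
    uint8_t pkt[128], rd[4] = {203, 0, 113, 9};
    return classify_reply(pkt, build_reply(pkt, 1, rd, 4) - 3, NULL);
}

int main(void) {
    printf("0.0.0.1 -> %d, ::ffff:10.0.0.5 -> %d, 203.0.113.9 -> %d, truncated -> %d\n",
           check_a(0, 0, 0, 1, NULL), check_mapped(10, 0, 0, 5),
           check_a(203, 0, 113, 9, NULL), check_truncated());
    return 0;
}
```

Note the ordering: the --ignore-address test runs before the rebind test, because an ignored reply is discarded outright, while a rebind verdict applies to the whole reply once any answer lands in a blocked range. The `rdlen > len - off` check is the kind of boundary test whose absence produced the negative-size memcpy listed under CVE-2017-14496 above.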
1087 Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
1088 Thanks to Kevin Benton for patches and work on this.
1090 Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
1091 in the correct subnet, even if not in dynamic address
1092 allocation range. Thanks to Steve Hirsch for spotting
1095 Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
1096 to Nicolas Cavallari for the patch.
1098 Allow configuration of router advertisements without the
1099 "on-link" bit set. Thanks to Neil Jerram for the patch.
1101 Extend --bridge-interface to DHCPv6 and router
1102 advertisements. Thanks to Neil Jerram for the patch.
1106 Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
1108 Add support for "ipsets" in *BSD, using pf. Thanks to
1109 Sven Falempin for the patch.
1111 Fix race condition which could lock up dnsmasq when an
1112 interface goes down and up rapidly. Thanks to Conrad
1113 Kostecki for helping to chase this down.
1115 Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
1116 Thanks to the Smoothwall project for the patch.
1118 Fix failure to build against Nettle-3.0. Thanks to Steven
1119 Barth for spotting this and finding the fix.
1121 When assigning existing DHCP leases to interfaces by comparing
1122 networks, handle the case that two or more interfaces have the
1123 same network part, but different prefix lengths (favour the
1124 longer prefix length.) Thanks to Lung-Pin Chang for the
1127 Add a mode which detects and removes DNS forwarding loops, ie
1128 a query sent to an upstream server returns as a new query to
1129 dnsmasq, and would therefore be forwarded again, resulting in
1130 a query which loops many times before being dropped. Upstream
1131 servers which loop back are disabled and this event is logged.
1132 Thanks to Smoothwall for their sponsorship of this feature.
1134 Extend --conf-dir to allow filtering of files. So
1135 --conf-dir=/etc/dnsmasq.d,\*.conf
1136 will load all the files in /etc/dnsmasq.d which end in .conf
1138 Fix bug which resulted in NXDOMAIN answers instead of NODATA in
1141 Fix bug which caused dnsmasq to become unresponsive if it
1142 failed to send packets due to a network interface disappearing.
1143 Thanks to Niels Peen for spotting this.
1145 Fix problem with --local-service option on big-endian platforms
1146 Thanks to Richard Genoud for the patch.
1150 Subtle change to error handling to help DNSSEC validation
1151 when servers fail to provide NODATA answers for
1152 non-existent DS records.
1154 Tweak code which removes DNSSEC records from answers when
1155 not required. Fixes broken answers when additional section
1156 has real records in it. Thanks to Marco Davids for the bug
1159 Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
1160 for spotting that too.
1162 Fix total DNS failure and 100% CPU use if cachesize set to zero,
1163 regression introduced in 2.69. Thanks to James Hunt and
1164 the Ubuntu crowd for assistance in fixing this.
1168 Fix crash, introduced in 2.69, on TCP request when dnsmasq
1169 compiled with DNSSEC support, but running without DNSSEC
1170 enabled. Thanks to Manish Sing for spotting that one.
1172 Fix regression which broke ipset functionality. Thanks to
1173 Wang Jian for the bug report.
1177 Implement dynamic interface discovery on *BSD. This allows
1178 the constructor: syntax to be used in dhcp-range for DHCPv6
1179 on the BSD platform. Thanks to Matthias Andree for
1180 valuable research on how to implement this.
1182 Fix infinite loop associated with some --bogus-nxdomain
1183 configs. Thanks to fogobogo for the bug report.
1185 Fix missing RA RDNS option with configuration like
1186 --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
1187 for spotting the problem.
1189 Add [fd00::] and [fe80::] as special addresses in DHCPv6
1190 options, analogous to [::]. [fd00::] is replaced with the
1191 actual ULA of the interface on the machine running
1192 dnsmasq, [fe80::] with the link-local address.
1193 Thanks to Tsachi Kimeldorfer for championing this.
1195 DNSSEC validation and caching. Dnsmasq needs to be
1196 compiled with this enabled, with
1198 make dnsmasq COPTS=-DHAVE_DNSSEC
1200 this adds dependencies on the nettle crypto library and the
1201 gmp maths library. It's possible to have these linked
1204 make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
1206 which bloats the dnsmasq binary, but saves the size of
1207 the shared libraries which are much bigger.
1209 To enable DNSSEC, you will need a set of
1210 trust-anchors. Now that the TLDs are signed, this can be
1211 the keys for the root zone, and for convenience they are
1212 included in trust-anchors.conf in the dnsmasq
1213 distribution. You should of course check that these are
1214 legitimate and up-to-date. So, adding
1216 conf-file=/path/to/trust-anchors.conf
1219 to your config is all that's needed to get things
1220 working. The upstream nameservers have to be DNSSEC-capable
1221 too, of course. Many ISP nameservers aren't, but the
1222 Google public nameservers (8.8.8.8 and 8.8.4.4) are.
1223 When DNSSEC is configured, dnsmasq validates any queries
1224 for domains which are signed. Query results which are
1225 bogus are replaced with SERVFAIL replies, and results
1226 which are correctly signed have the AD bit set. In
1227 addition, and just as importantly, dnsmasq supplies
1228 correct DNSSEC information to clients which are doing
1229 their own validation, and caches DNSKEY, DS and RRSIG
1230 records, which significantly improve the performance of
1231 downstream validators. Setting --log-queries will show
1234 If a domain is returned from an upstream nameserver without
1235 a DNSSEC signature, dnsmasq by default trusts this. This
1236 means that for unsigned zones (still the majority) there
1237 is effectively no cost for having DNSSEC enabled. Of course
1238 this allows an attacker to replace a signed record with a
1239 false unsigned record. This is addressed by the
1240 --dnssec-check-unsigned flag, which instructs dnsmasq
1241 to prove that an unsigned record is legitimate, by finding
1242 a secure proof that the zone containing the record is not
1243 signed. Doing this has costs (typically one or two extra
1244 upstream queries). It also has a nasty failure mode if
1245 dnsmasq's upstream nameservers are not DNSSEC capable.
1246 Without --dnssec-check-unsigned, using such an upstream
1247 server will simply result in no queries being validated;
1248 with --dnssec-check-unsigned enabled and a
1249 DNSSEC-ignorant upstream server, _all_ queries will fail.
1251 Note that DNSSEC requires that the local time is valid and
1252 accurate; if it is not, DNSSEC validation will fail. NTP
1253 should be running. This presents a problem for routers
1254 without a battery-backed clock: setting the time needs NTP
1255 to do DNS lookups, but lookups will fail until NTP has run.
1256 To address this, there's a flag, --dnssec-no-timecheck,
1257 which disables the time checks (only) in DNSSEC. When dnsmasq
1258 is started and the clock is not synced, this flag should
1259 be used. As soon as the clock is synced, SIGHUP dnsmasq.
1260 The SIGHUP clears the cache of partially-validated data and
1261 resets the no-timecheck flag, so that all DNSSEC checks
1262 henceforward will be complete.
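The options above fit together as follows. This is an added example dnsmasq.conf fragment, not a sample file from the dnsmasq distribution; the trust-anchors and timestamp paths are assumptions, and the Google upstreams are the ones the entry itself names.

```ini
# Added example fragment, not shipped with dnsmasq. Paths are assumptions.
dnssec

# Root-zone trust anchors from the distribution. Verify they are legitimate
# and current before relying on them.
conf-file=/usr/share/dnsmasq/trust-anchors.conf

# Upstreams must be DNSSEC-capable.
server=8.8.8.8
server=8.8.4.4

# Weak configuration: with the next line absent, an unsigned answer is
# trusted as-is, so a forged unsigned record can replace a signed one.
# Hardened: require proof that the zone really is unsigned. This costs one
# or two extra upstream queries and makes every query fail if an upstream
# resolver ignores DNSSEC, so test the upstreams first.
dnssec-check-unsigned

# Routers without a battery-backed clock: pick one of the two. The first
# disables time checks until a SIGHUP; the second detects automatically when
# the system time becomes valid after boot.
# dnssec-no-timecheck
dnssec-timestamp=/var/lib/dnsmasq/dnssec-timestamp

# Shows the validation status of each answer in the log.
log-queries
```

If dnssec-no-timecheck is the option chosen, the SIGHUP after NTP has synced is not optional: until it arrives, records validated under relaxed time checks stay in the cache.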
1264 The development of DNSSEC in dnsmasq was started by
1265 Giovanni Bajo, to whom huge thanks are owed. It has been
1266 supported by Comcast, whose techfund grant has allowed for
1267 an invaluable period of full-time work to get it to
1270 Add --rev-server. Thanks to Dave Taht for suggesting this.
1272 Add --servers-file. Allows dynamic update of upstream servers
1273 full access to configuration.
1275 Add --local-service. Accept DNS queries only from hosts
1276 whose address is on a local subnet, ie a subnet for which
1277 an interface exists on the server. This option
1278 only has effect if there are no --interface --except-interface,
1279 --listen-address or --auth-server options. It is intended
1280 to be set as a default on installation, to allow
1281 unconfigured installations to be useful but also safe from
1282 being used for DNS amplification attacks.
1284 Fix crashes in cache_get_cname_target() when dangling CNAMEs
1285 are encountered. Thanks to Andy and the rt-n56u project for
1286 finding this and helping to chase it down.
1288 Fix wrong RCODE in authoritative DNS replies to PTR queries. The
1289 correct answer was included, but the RCODE was set to NXDOMAIN.
1290 Thanks to Craig McQueen for spotting this.
1292 Make statistics available as DNS queries in the .bind TLD as
1293 well as logging them.
1297 Use random addresses for DHCPv6 temporary address
1298 allocations, instead of algorithmically determined stable
1301 Fix bug which meant that the DHCPv6 DUID was not available
1302 in DHCP script runs during the lifetime of the dnsmasq
1303 process which created the DUID de-novo. Once the DUID was
1304 created and stored in the lease file and dnsmasq
1305 restarted, this bug disappeared.
1307 Fix bug introduced in 2.67 which could result in erroneous
1308 NXDOMAIN returns to CNAME queries.
1310 Fix build failures on MacOS X and openBSD.
1312 Allow subnet specifications in --auth-zone to be interface
1313 names as well as address literals. This makes it possible
1314 to configure authoritative DNS when local address ranges
1315 are dynamic and works much better than the previous
1316 work-around which exempted constructed DHCP ranges from the
1317 IP address filtering. As a consequence, that work-around
1318 is removed. Under certain circumstances, this change will
1319 break existing configuration: if you're relying on the
1320 constructed-range exception, you need to change --auth-zone
1321 to specify the same interface as is used to construct your
1322 DHCP ranges, probably with a trailing "/6" like this:
1323 --auth-zone=example.com,eth0/6 to limit the addresses to
1324 IPv6 addresses of eth0.
1326 Fix problems when advertising deleted IPv6 prefixes. If
1327 the prefix is deleted (rather than replaced), it doesn't
1328 get advertised with zero preferred time. Thanks to Tsachi
1331 Fix segfault with some locally configured CNAMEs. Thanks
1332 to Andrew Childs for spotting the problem.
1334 Fix memory leak on re-reading /etc/hosts and friends,
1337 Check the arrival interface of incoming DNS and TFTP
1338 requests via IPv6, even in --bind-interfaces mode. This
1339 isn't possible for IPv4 and can generate scary warnings,
1340 but since it's always possible for IPv6 (the API always
1341 exists) we now do it unconditionally there.
1343 Tweak the rules on prefix-lengths in --dhcp-range for
1344 IPv6. The new rule is that the specified prefix length
1345 must be larger than or equal to the prefix length of the
1346 corresponding address on the local interface.
1350 Fix crash if upstream server returns SERVFAIL when
1351 --conntrack in use. Thanks to Giacomo Tazzari for finding
1352 this and supplying the patch.
1354 Repair regression in 2.64. That release stopped sending
1355 lease-time information in the reply to DHCPINFORM
1356 requests, on the correct grounds that it was a standards
1357 violation. However, this broke the dnsmasq-specific
1358 dhcp_lease_time utility. Now, DHCPINFORM returns
1359 lease-time only if it's specifically requested
1360 (maintaining standards) and the dhcp_lease_time utility
1361 has been taught to ask for it (restoring functionality).
1363 Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass
1364 to work with BOOTP as well as DHCP. Thanks to Peter
1365 Korsgaard for spotting the problem.
1367 Add --synth-domain. Thanks to Vishvananda Ishaya for
1370 Fix failure to compile ipset.c if old kernel headers are
1371 in use. Thanks to Eugene Rudoy for pointing this out.
1373 Handle IPv4 interface-address labels in Linux. These are
1374 often used to emulate the old IP-alias addresses. Before,
1375 using --interface=eth0 would service all the addresses of
1376 eth0, including ones configured as aliases, which appear
1377 in ifconfig as eth0:0. Now, only addresses with the label
1378 eth0 are active. This is not backwards compatible: if you
1379 want to continue to bind the aliases too, you need to add
1380 eg. --interface=eth0:0 to the config.
1382 Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket
1383 operation on non-socket" error on startup with
1384 configurations which have exactly one --interface option
1385 and do RA but _not_ DHCPv6. Thanks to Trever Adams for the
1388 Generalise --interface-name to cope with IPv6 addresses
1389 and multiple addresses per interface per address family.
1391 Fix option parsing for --dhcp-host, which was generating a
1392 spurious error when all seven possible items were
1393 included. Thanks to Zhiqiang Wang for the bug report.
1395 Remove restriction on prefix-length in --auth-zone. Thanks
1396 to Toke Hoiland-Jorgensen for suggesting this.
1398 Log when the maximum number of concurrent DNS queries is
1399 reached. Thanks to Marcelo Salhab Brogliato for the patch.
1401 If wildcards are used in --interface, don't assume that
1402 there will only ever be one available interface for DHCP
1403 just because there is one at start-up. More may appear, so
1404 we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
1407 Increase timeout/number of retries in TFTP to accommodate
1408 AudioCodes Voice Gateways doing streaming writes to flash.
1409 Thanks to Damian Kaczkowski for spotting the problem.
1411 Fix crash with empty DHCP string options when adding zero
1412 terminator. Thanks to Patrick McLean for the bug report.
1414 Allow hostnames to start with a number, as allowed in
1415 RFC-1123. Thanks to Kyle Mestery for the patch.
1417 Fixes to DHCP FQDN option handling: don't terminate FQDN
1418 if domain not known and allow a FQDN option with blank
1419 name to request that a FQDN option is returned in the
1420 reply. Thanks to Roy Marples for the patch.
1422 Make --clear-on-reload apply to setting upstream servers
1425 When the address which triggered the construction of an
1426 advertised IPv6 prefix disappears, continue to advertise
1427 the prefix for up to 2 hours, with the preferred lifetime
1428 set to zero. This satisfies RFC 6204 4.3 L-13 and makes
1429 things work better if a prefix disappears without being
1430 deprecated first. Thanks to Uwe Schindler for persuasively
1433 Fix MAC address enumeration on *BSD. Thanks to Brad Smith
1436 Support RFC-4242 information-refresh-time options in the
1437 reply to DHCPv6 information-request. The lease time of the
1438 smallest valid dhcp-range is sent. Thanks to Uwe Schindler
1439 for suggesting this.
1441 Make --listen-address higher priority than --except-interface
1442 in all circumstances. Thanks to Thomas Hood for the bugreport.
1444 Provide independent control over which interfaces get TFTP
1445 service. If enable-tftp is given a list of interfaces, then TFTP
1446 is provided on those. Without the list, the previous behaviour
1447 (provide TFTP to the same interfaces we provide DHCP to)
1448 is retained. Thanks to Lonnie Abelbeck for the suggestion.
1450 Add --dhcp-relay config option. Many thanks to vtsl.net
1451 for sponsoring this development.
1453 Fix crash with empty tag: in --dhcp-range. Thanks to
1454 Kaspar Schleiser for the bug report.
1456 Add "baseline" and "bloatcheck" makefile targets, for
1457 revealing size changes during development. Thanks to
1458 Vladislav Grishenko for the patch.
1460 Cope with DHCPv6 clients which send REQUESTs without
1461 address options - treat them as SOLICIT with rapid commit.
1463 Support identification of clients by MAC address in
1464 DHCPv6. When using a relay, the relay must support RFC
1465 6939 for this to work. It always works for directly
1466 connected clients. Thanks to Vladislav Grishenko
1467 for prompting this feature.
1469 Remove the rule for constructed DHCP ranges that the local
1470 address must be either the first or last address in the
1471 range. This was originally to avoid SLAAC addresses, but
1472 we now handle autoconfig and privacy addresses explicitly instead.
1474 Update Polish translation. Thanks to Jan Psota.
1476 Fix problem in DHCPv6 vendorclass/userclass matching
1477 code. Thanks to Tanguy Bouzeloc for the patch.
1479 Update Spanish translation. Thanks to Vicente Soriano.
1481 Add --ra-param option. Thanks to Vladislav Grishenko for
1482 inspiration on this.
1484 Add --add-subnet configuration, to tell upstream DNS
1485 servers where the original client is. Thanks to DNSthingy
1486 for sponsoring this feature.
1488 Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
1489 Kevin Darbyshire-Bryant for the initial patch.
1491 Allow A/AAAA records created by --interface-name to be the
1492 target of --cname. Thanks to Hadmut Danisch for the
1495 Avoid treating a --dhcp-host which has an IPv6 address
1496 as eligible for use with DHCPv4 on the grounds that it has
1497 no address, and vice-versa. Thanks to Yury Konovalov for
1498 spotting the problem.
1500 Do a better job caching dangling CNAMEs. Thanks to Yves
1501 Dorfsman for spotting the problem.
1505 Add the ability to act as an authoritative DNS
1506 server. Dnsmasq can now answer queries from the wider 'net
1507 with local data, as long as the correct NS records are set
1508 up. Only local data is provided, to avoid creating an open
1509 DNS relay. Zone transfer is supported, to allow secondary
1510 servers to be configured.
1512 Add "constructed DHCP ranges" for DHCPv6. This is intended
1513 for IPv6 routers which get prefixes dynamically via prefix
1514 delegation. With suitable configuration, stateful DHCPv6
1515 and RA can happen automatically as prefixes are delegated
1516 and then deprecated, without having to re-write the
1517 dnsmasq configuration file or restart the daemon. Thanks to
1518 Steven Barth for extensive testing and development work on
1521 Fix crash on startup on Solaris 11. Regression probably
1522 introduced in 2.61. Thanks to Geoff Johnstone for the
1525 Add code to make behaviour for TCP DNS requests the same
1526 as for UDP requests, when a request arrives for an allowed
1527 address, but via a banned interface. This change is only
1528 active on Linux, since the relevant API is missing (AFAIK)
1529 on other platforms. Many thanks to Tomas Hozza for
1530 spotting the problem, and doing invaluable discovery of
1531 the obscure and undocumented API required for the solution.
1533 Don't send the default DHCP option advertising dnsmasq as
1534 the local DNS server if dnsmasq is configured to not act
1535 as DNS server, or it's configured to use a non-standard port.
1537 Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID,
1538 DNSMASQ_REMOTE_ID variables to the environment of the
1539 lease-change script (and the corresponding Lua). These hold
1540 information inserted into the DHCP request by a DHCP relay
1541 agent. Thanks to Lakefield Communications for providing a
1542 bounty for this addition.
1544 Fixed crash, introduced in 2.64, whilst handling DHCPv6
1545 information-requests with some common configurations.
1546 Thanks to Robert M. Albrecht for the bug report and
1547 chasing the problem.
1549 Add --ipset option. Thanks to Jason A. Donenfeld for the
1552 Don't erroneously reject some option names in --dhcp-match
1553 options. Thanks to Benedikt Hochstrasser for the bug report.
1555 Allow a trailing '*' wildcard in all interface-name
1556 configurations. Thanks to Christian Parpart for the patch.
1558 Handle the situation where libc headers define
1559 SO_REUSEPORT, but the kernel in use doesn't, to cope with
1560 the introduction of this option to Linux. Thanks to Rich
1561 Felker for the bug report.
1563 Update Polish translation. Thanks to Jan Psota.
1565 Fix crash if the configured DHCP lease limit is
1566 reached. Regression occurred in 2.61. Thanks to Tsachi for
1569 Update the French translation. Thanks to Gildas le Nadan.
1573 Fix regression which broke forwarding of queries sent via
1574 TCP which are not for A and AAAA and which were directed to
1575 non-default servers. Thanks to Niax for the bug report.
1577 Fix failure to build with DHCP support excluded. Thanks to
1578 Gustavo Zacarias for the patch.
1580 Fix nasty regression in 2.64 which completely broke caching.
1584 Handle DHCP FQDN options with all flag bits zero and
1585 --dhcp-client-update set. Thanks to Bernd Krumbroeck for
1586 spotting the problem.
1588 Finesse the check for /etc/hosts names which conflict with
1589 DHCP names. Previously a name/address pair in /etc/hosts
1590 which didn't match the name/address of a DHCP lease would
1591 generate a warning. Now that only happens if there is not
1592 also a match. This allows multiple addresses for a name in
1593 /etc/hosts with one of them assigned via DHCP.
1595 Fix broken vendor-option processing for BOOTP. Thanks to
1596 Hans-Joachim Baader for the bug report.
1598 Don't report spurious netlink errors, regression in
1599 2.63. Thanks to Vladislav Grishenko for the patch.
1601 Flag DHCP or DHCPv6 in startup logging. Thanks to
1602 Vladislav Grishenko for the patch.
1604 Add SetServersEx method in DBus interface. Thanks to Dan
1605 Williams for the patch.
1607 Add SetDomainServers method in DBus interface. Thanks to
1608 Roy Marples for the patch.
1610 Fix build with later Lua libraries. Thanks to Cristian
1611 Rodriguez for the patch.
1613 Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker
1616 Fix breakage of --host-record parsing, resulting in
1617 infinite loop at startup. Regression in 2.63. Thanks to
1618 Haim Gelfenbeyn for spotting this.
1620 Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6
1621 socket; this allows multiple instances of dnsmasq on a
1622 single machine, in the same way as for DHCPv4. Thanks to
1623 Gene Czarcinski and Vladislav Grishenko for work on this.
1625 Fix DHCPv6 to do access control correctly when it's
1626 configured with --listen-address. Thanks to
1627 Gene Czarcinski for sorting this out.
1629 Add a "wildcard" dhcp-range which works for any IPv6
1630 subnet, --dhcp-range=::,static. Useful for Stateless
1631 DHCPv6. Thanks to Vladislav Grishenko for the patch.
1633 Don't include lease-time in DHCPACK replies to DHCPINFORM
1634 queries, since RFC-2131 says we shouldn't. Thanks to
1635 Wouter Ibens for pointing this out.
1637 Makefile tweak to do dependency checking on header files.
1638 Thanks to Johan Peeters for the patch.
1640 Check interface for outgoing unsolicited router
1641 advertisements, rather than relying on interface address
1642 configuration. Thanks to Gene Czarcinski for the patch.
1644 Better handle attempts to transmit on interfaces which are
1645 still doing DAD, and specifically do not just transmit
1646 without setting source address and interface, since this
1647 can cause very puzzling effects when a router
1648 advertisement goes astray. Thanks again to Gene Czarcinski.
1650 Get RA timers right when there is more than one
1651 dhcp-range on a subnet.
1655 Do duplicate dhcp-host address check in --test mode.
1657 Check that tftp-root directories are accessible before
1658 start-up. Thanks to Daniel Veillard for the initial patch.
1660 Allow more than one --tftp-root flag. The per-interface
1661 stuff is pointless without that.
1663 Add --bind-dynamic. A hybrid mode between the default and
1664 --bind-interfaces which copes with dynamically created
1667 A couple of fixes to the build system for Android. Thanks
1668 to Metin Kaya for the patches.
1670 Remove the interface:<interface> argument in --dhcp-range, and
1671 the interface argument to --enable-tftp. These were a
1672 still-born attempt to allow automatic isolated
1673 configuration by libvirt, but have never (to my knowledge)
1674 been used, had very strange semantics, and have been
1675 superseded by other mechanisms.
1677 Fixed bug logging filenames when duplicate dhcp-host
1678 addresses are found. Thanks to John Hanks for the patch.
1680 Fix regression in 2.61 which broke caching of CNAME
1681 chains. Thanks to Atul Gupta for the bug report.
1683 Allow the target of a --cname flag to be another --cname.
1685 Teach DHCPv6 about the RFC 4242 information-refresh-time
1686 option, and add parsing of the minutes, hours and days
1687 format for options. Thanks to Francois-Xavier Le Bail for
1690 Allow "w" (for week) as multiplier in lease times, as well
1691 as seconds, minutes, hours and days. Álvaro Gámez Machado
1692 spotted the omission.
1694 Update French translation. Thanks to Gildas Le Nadan.
1696 Allow a DBus service name to be given with --enable-dbus
1697 which overrides the default,
1698 uk.org.thekelleys.dnsmasq. Thanks to Mathieu
1699 Trudel-Lapierre for the patch.
1701 Set the "prefix on-link" bit in Router
1702 Advertisements. Thanks to Gui Iribarren for the patch.
1706 Update German translation. Thanks to Conrad Kostecki.
1708 Cope with router-solicit packets which don't have a valid
1709 source address. Thanks to Vladislav Grishenko for the patch.
1711 Fixed bug which caused missing periodic router
1712 advertisements with some configurations. Thanks to
1713 Vladislav Grishenko for the patch.
1715 Fixed bug which broke DHCPv6/RA with prefix lengths
1716 which are not divisible by 8. Thanks to Andre Coetzee
1719 Fix non-response to router-solicitations when
1720 router-advertisement configured, but DHCPv6 not
1721 configured. Thanks to Marien Zwart for the patch.
1723 Add --dns-rr, to allow arbitrary DNS resource records.
1725 Fixed bug which broke RA scheduling when an interface had
1726 two addresses in the same network. Thanks to Jim Bos for
1727 his help nailing this.
1730 Re-write interface discovery code on *BSD to use
1731 getifaddrs. This is more portable, more straightforward,
1732 and allows us to find the prefix length for IPv6
1735 Add ra-names, ra-stateless and slaac keywords for DHCPv6.
1736 Dnsmasq can now synthesise AAAA records for dual-stack
1737 hosts which get IPv6 addresses via SLAAC. It is also now
1738 possible to use SLAAC and stateless DHCPv6, and to
1739 tell clients to use SLAAC addresses as well as DHCP ones.
1740 Thanks to Dave Taht for help with this.
1742 Add --dhcp-duid to allow DUID-EN uids to be used.
1744 Explicitly send DHCPv6 replies to the correct port, instead
1745 of relying on clients to send requests with the correct
1746 source address, since at least one client in the wild gets
1747 this wrong. Thanks to Conrad Kostecki for help tracking
1750 Send a preference value of 255 in DHCPv6 replies when
1751 --dhcp-authoritative is in effect. This tells clients not
1752 to wait around for other DHCP servers.
1754 Better logging of DHCPv6 options.
1756 Add --host-record. Thanks to Rob Zwissler for the
1759 Invoke the DHCP script with action "tftp" when a TFTP file
1760 transfer completes. The size of the file, address to which
1761 it was sent and complete pathname are supplied. Note that
1762 version 2.60 introduced some script incompatibilities
1763 associated with DHCPv6, and this is a further change. To
1764 be safe, scripts should ignore unknown actions, and if
1765 not IPv6-aware, should exit if the environment
1766 variable DNSMASQ_IAID is set. The use-case for this is
1767 to track netboot/install. Suggestion from Shantanu
1770 Update contrib/port-forward/dnsmasq-portforward to reflect
1773 Set the environment variable DNSMASQ_LOG_DHCP when running
1774 the script if --log-dhcp is in effect, so that scripts can
1775 tailor their logging verbosity. Suggestion from Malte
1778 Arrange that addresses specified with --listen-address
1779 work even if there is no interface carrying the
1780 address. This is chiefly useful for IPv4 loopback
1781 addresses, where any address in 127.0.0.0/8 is a valid
1782 loopback address, but normally only 127.0.0.1 appears on
1783 the lo interface. Thanks to Mathieu Trudel-Lapierre for
1784 the idea and initial patch.
1786 Fix crash, introduced in 2.60, when a DHCPINFORM is
1787 received from a network which has no valid dhcp-range.
1788 Thanks to Stephane Glondu for the bug report.
1790 Add a new DHCP lease time keyword, "deprecated" for
1791 --dhcp-range. This is only valid for IPv6, and sets the
1792 preferred lease time for both DHCP and RA to zero. The
1793 effect is that clients can continue to use the address
1794 for existing connections, but new connections will use
1795 other addresses, if they exist. This makes hitless
1796 renumbering at least possible.
1798 Fix bug in address6_available() which caused DHCPv6 lease
1799 acquisition to fail if more than one dhcp-range in use.
1801 Provide RDNSS and DNSSL data in router advertisements,
1802 using the settings provided for DHCP options
1803 option6:domain-search and option6:dns-server.
1805 Tweak logo/favicon.ico to add some transparency. Thanks to
1806 SamLT for work on this.
1808 Don't cache data from non-recursive nameservers, since it
1809 may erroneously look like a valid CNAME to a non-existent
1810 name. Thanks to Ben Winslow for finding this.
1812 Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP
1813 on exactly one interface and --bind-interfaces is set. This
1814 makes the OpenStack use-case of one dnsmasq per virtual
1815 interface work. This is only available on Linux; it's not
1816 supported on other platforms. Thanks to Vishvananda Ishaya
1817 and the OpenStack team for the suggestion.
1819 Updated French translation. Thanks to Gildas Le Nadan.
1821 Give correct from-cache answers to explicit CNAME queries.
1822 Thanks to Rob Zwissler for spotting this.
1824 Add --tftp-lowercase option. Thanks to Oliver Rath for the
1827 Ensure that the DBus DhcpLeaseUpdated events are generated
1828 when a lease goes through INIT_REBOOT state, even if the
1829 dhcp-script is not in use. Thanks to Antoaneta-Ecaterina
1832 Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks
1833 to Brad Smith for spotting this.
1837 Fix compilation problem in Mac OS X Lion. Thanks to Olaf
1838 Flebbe for the patch.
1840 Fix DHCP when using --listen-address with an IP address
1841 which is not the primary address of an interface.
1843 Add --dhcp-client-update option.
1845 Add Lua integration. Dnsmasq can now execute a DHCP
1846 lease-change script written in Lua. This needs to be
1847 enabled at compile time by setting HAVE_LUASCRIPT in
1848 src/config.h or running "make COPTS=-DHAVE_LUASCRIPT"
1849 Thanks to Jan-Piet Mens for the idea and proof-of-concept
1852 Tidied src/config.h to distinguish between
1853 platform-dependent compile-time options which are selected
1854 automatically, and builder-selectable compile time
1855 options. Document the latter better, and describe how to
1856 set them from the make command line.
1858 Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent)
1859 confusion. IPPROTO_IP works everywhere now.
1861 Set TOS on DHCP sockets; this improves things on busy
1862 wireless networks. Thanks to Dave Taht for the patch.
1864 Determine VERSION automatically based on git magic:
1865 release tags or hash values.
1867 Improve start-up speed when reading large hosts files
1868 containing many distinct addresses.
1870 Fix problem if dnsmasq is started without the stdin,
1871 stdout and stderr file descriptors open. This can manifest
1872 itself as 100% CPU use. Thanks to Chris Moore for finding
1875 Fix shell-scripting bug in bld/pkg-wrapper. Thanks to
1876 Mark Mitchell for the patch.
1878 Allow the TFTP server or boot server in --pxe-service, to
1879 be a domain name instead of an IP address. This allows for
1880 round-robin to multiple servers, in the same way as
1881 --dhcp-boot. A good suggestion from Cristiano Cumer.
1883 Support BUILDDIR variable in the Makefile. Allows builds
1884 for multiple archs from the same source tree with eg.
1885 make BUILDDIR=linux (relative to dnsmasq tree)
1886 make BUILDDIR=/tmp/openbsd (absolute path)
1887 If BUILDDIR is not set, compilation happens in the src
1888 directory, as before. Suggestion from Mark Mitchell.
1890 Support DHCPv6. Support is there for the sort of things
1891 the existing v4 server does, including tags, options,
1892 static addresses and relay support. Missing is prefix
1893 delegation, which is probably not required in the dnsmasq
1894 niche, and an easy way to accept prefix delegations from
1895 an upstream DHCPv6 server, which is. Future plans include
1896 support for DHCPv6 router option and MAC address option
1897 (to make selecting clients by MAC address work like IPv4).
1898 These will be added as the standards mature.
1899 This code has been tested, but this is the first release,
1900 so don't bet the farm on it just yet. Many thanks to all
1901 testers who have got it this far.
1903 Support IPv6 router advertisements. This is a
1904 simple-minded implementation, aimed at providing the
1905 vestigial RA needed to go alongside IPv6. It picks up
1906 configuration from the DHCPv6 conf, and should just need
1907 enabling with --enable-ra.
1909 Fix long-standing wrinkle with --localise-queries that
1910 could result in wrong answers when DNS packets arrive
1911 via an interface other than the expected one. Thanks to
1912 Lorenzo Milesi and John Hanks for spotting this one.
1914 Update French translation. Thanks to Gildas Le Nadan.
1916 Update Polish translation. Thanks to Jan Psota.
1920 Fix regression in 2.58 which caused failure to start up
1921 with some combinations of dnsmasq config and IPv6 kernel
1922 network config. Thanks to Brielle Bruns for the bug
1925 Improve dnsmasq's behaviour when network interfaces are
1926 still doing duplicate address detection (DAD). Previously,
1927 dnsmasq would wait up to 20 seconds at start-up for the
1928 DAD state to terminate. This is broken for bridge
1929 interfaces on recent Linux kernels, which don't start DAD
1930 until the bridge comes up, and so can take arbitrary
1931 time. The new behaviour lets dnsmasq poll for an arbitrary
1932 time whilst providing service on other interfaces. Thanks
1933 to Stephen Hemminger for pointing out the problem.
1937 Provide a definition of the SA_SIZE macro where it's
1938 missing. Fixes build failure on openBSD.
1940 Don't include a zero terminator at the end of messages
1941 sent to /dev/log when /dev/log is a datagram socket.
1942 Thanks to Didier Rabound for spotting the problem.
1944 Add --dhcp-sequential-ip flag, to force allocation of IP
1945 addresses in ascending order. Note that the default
1946 pseudo-random mode is in general better but some
1947 server-deployment applications need this.
1949 Fix problem where a server-id of 0.0.0.0 is sent to a
1950 client when a dhcp-relay is in use if a client renews a
1951 lease after dnsmasq restart and before any clients on the
1952 subnet get a new lease. Thanks to Mike Ruiz for assistance
1953 in chasing this one down.
1955 Don't return NXDOMAIN to an AAAA query if we have CNAME
1956 which points to an A record only: NODATA is the correct
1957 reply in this case. Thanks to Tom Fernandes for spotting
1960 Relax the need to supply a netmask in --dhcp-range for
1961 networks which use a DHCP relay. Whilst this is still
1962 desirable, in the absence of a netmask dnsmasq will use
1963 a default based on the class (A, B, or C) of the address.
1964 This should at least remove a cause of mysterious failure
1965 for people using RFC1918 addresses and relays.
1967 Add support for Linux conntrack connection marking. If
1968 enabled with --conntrack, the connection mark for incoming
1969 DNS queries will be copied to the outgoing connections
1970 used to answer those queries. This allows clever firewall
1971 and accounting stuff. Only available if dnsmasq is
1972 compiled with HAVE_CONNTRACK and adds a dependency on
1973 libnetfilter-conntrack. Thanks to Ed Wildgoose for the
1974 initial idea, testing and sponsorship of this function.
1976 Provide a sane error message when someone attempts to
1977 match a tag in --dhcp-host.
1979 Tweak the behaviour of --domain-needed, to avoid problems
1980 with recursive nameservers downstream of dnsmasq. The new
1981 behaviour only stops A and AAAA queries, and returns
1982 NODATA rather than NXDOMAIN replies.
1984 Efficiency fix for very large DHCP configurations, thanks
1985 to James Gartrell and Mike Ruiz for help with this.
1987 Allow the TFTP-server address in --dhcp-boot to be a
1988 domain-name which is looked up in /etc/hosts. This can
1989 give multiple IP addresses which are used round-robin,
1990 thus doing TFTP server load-balancing. Thanks to Sushil
1991 Agrawal for the patch.
1993 When two tagged dhcp-options for a particular option
1994 number are both valid, use the one which is valid without
1995 a tag from the dhcp-range. Allows overriding of the value
1996 of a DHCP option for a particular host as well as
1997 per-network values. So
1998 --dhcp-range=set:interface1,......
1999 --dhcp-host=set:myhost,.....
2000 --dhcp-option=tag:interface1,option:nis-domain,"domain1"
2001 --dhcp-option=tag:myhost,option:nis-domain,"domain2"
2002 will set the NIS-domain to domain1 for hosts in the range, but
2003 override that to domain2 for a particular host.
2005 Fix bug which resulted in truncated files and timeouts for
2006 some TFTP transfers. The bug only occurs with netascii
2007 transfers and needs an unfortunate relationship between
2008 file size, blocksize and the number of newlines in the
2009 last block before it manifests itself. Many thanks to
2010 Alkis Georgopoulos for spotting the problem and providing
2011 a comprehensive test-case.
2013 Fix regression in TFTP server on *BSD platforms introduced
2014 in version 2.56, due to confusion with sockaddr
2015 length. Many thanks to Loic Pefferkorn for finding this.
2017 Support scope-ids in IPv6 addresses of nameservers from
2018 /etc/resolv.conf and in --server options. Eg
2019 nameserver fe80::202:a412:4512:7bbf%eth0 or
2020 server=fe80::202:a412:4512:7bbf%eth0. Thanks to
2021 Michael Stapelberg for the suggestion.
2023 Update Polish translation, thanks to Jan Psota.
2025 Update French translation. Thanks to Gildas Le Nadan.
2029 Add patches to allow build under Android.
2031 Provide our own header for the DNS protocol, rather than
2032 relying on arpa/nameser.h. This has proved more or less
2033 defective over the years and the final straw is that it's
2034 effectively empty on Android.
2036 Fix regression in 2.56 which caused hex constants in
2037 configuration to be rejected if they contain the '*'
2040 Correct wrong casts of arguments to ctype.h functions,
2041 isdigit(), isxdigit() etc. Thanks to Matthias Andree for
2044 Allow build with IDN support independently from i18n.
2045 IDN support continues to be included automatically
2046 when i18n is included.
2047 'make COPTS=-DHAVE_IDN' is the magic incantation.
2049 Modify check on extraneous command line junk (added in
2050 2.56) so that it doesn't complain about extra _empty_
2051 arguments. Otherwise this breaks libvirt.
2055 Add a patch to allow dnsmasq to get interface names right in a
2056 Solaris zone. Thanks to Dj Padzensky for this.
2058 Improve data-type parsing heuristics so that
2059 --dhcp-option=option:domain-search,.
2060 treats the value as a string and not an IP address.
2061 Thanks to Clemens Fischer for spotting that.
2063 Add IPv6 support to the TFTP server. Many thanks to Jan
2064 'RedBully' Seiffert for the patches.
2066 Log DNS queries at level LOG_INFO, rather than
2067 LOG_DEBUG. This makes things consistent with DHCP
2068 logging. Thanks to Adam Pribyl for spotting the problem.
2070 Ensure that dnsmasq terminates cleanly when using
2071 --syslog-async even if it cannot make a connection to the
2074 Add --add-mac option. This is to support currently
2075 experimental DNS filtering facilities. Thanks to Benjamin
2076 Petrin for the original patch.
2078 Fix bug which meant that tags were ignored in dhcp-range
2079 configuration specifying PXE-proxy service. Thanks to
2080 Cristiano Cumer for spotting this.
2082 Raise an error if there is extra junk, not part of an
2083 option, on the command line.
2085 Flag a couple of log messages in cache.c as coming from
2086 the DHCP subsystem. Thanks to Olaf Westrik for the patch.
2088 Omit timestamps from logs when a) logging to stderr and
2089 b) --keep-in-foreground is set. The logging facility on the
2090 other end of stderr can be assumed to supply them. Thanks
2091 to John Hallam for the patch.
2093 Don't complain about strings longer than 255 characters in
2094 --txt-record, just split the long strings into 255
2095 character chunks instead.
2097 Fix crash on double-free. This bug can only happen when
2098 dhcp-script is in use and then only in rare circumstances
2099 triggered by high DHCP transaction rate and a slow
2100 script. Thanks to Ferenc Wagner for finding the problem.
2102 Only log that a file has been sent by TFTP after the
2103 transfer has completed successfully.
2105 A good suggestion from Ferenc Wagner: extend
2106 the --domain option to allow this sort of thing:
2107 --domain=thekelleys.org.uk,192.168.0.0/24,local
2108 which automatically creates
2109 --local=/thekelleys.org.uk/
2110 --local=/0.168.192.in-addr.arpa/
2112 Tighten up syntax checking of hex constants in the config
2113 file. Thanks to Fred Damen for spotting this.
2115 Add dnsmasq logo/icon, contributed by Justin Swift. Many
2118 Never cache DNS replies which have the 'cd' bit set, or
2119 which result from queries forwarded with the 'cd' bit
2120 set. The 'cd' bit instructs a DNSSEC validating server
2121 upstream to ignore signature failures and return replies
2122 anyway. Without this change it's possible to pollute the
2123 dnsmasq cache with bad data by making a query with the
2124 'cd' bit set and subsequent queries would return this data
2125 without its being marked as suspect. Thanks to Anders
2126 Kaseorg for pointing out this problem.
2128 Add --proxy-dnssec flag, for compliance with RFC
2129 4035. Dnsmasq will now clear the 'ad' bit in answers returned
2130 from upstream validating nameservers unless this option is
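An added illustration of the two entries above (this is example code, not dnsmasq's own): a minimal DNS header flag parser applied to constructed 12-byte messages, implementing the cache-admission rule for the 'cd' bit and the 'ad' clearing that --proxy-dnssec switches off. Message construction and the `proxy_dnssec` parameter are assumptions made for the example.

```python
import struct

# Bits in the 16-bit flags word of the DNS header (RFC 1035 section 4.1.1,
# AD and CD added by RFC 2535 / RFC 4035).
QR_BIT = 0x8000
AD_BIT = 0x0020  # Authenticated Data
CD_BIT = 0x0010  # Checking Disabled
HEADER_LEN = 12


def build_message(msg_id: int, qr: bool, ad: bool = False, cd: bool = False) -> bytes:
    """Constructed header-only DNS message (no question/answer sections) for the example."""
    flags = (QR_BIT if qr else 0) | (AD_BIT if ad else 0) | (CD_BIT if cd else 0)
    # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)


def parse_flags(msg: bytes) -> dict:
    """Extract the flag bits that matter for the caching decision."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    msg_id, flags = struct.unpack("!HH", msg[:4])
    return {
        "id": msg_id,
        "qr": bool(flags & QR_BIT),
        "ad": bool(flags & AD_BIT),
        "cd": bool(flags & CD_BIT),
        "rcode": flags & 0x000F,
    }


def may_cache(query: bytes, reply: bytes) -> bool:
    """Cache-admission rule from the changelog entry: never cache a reply that
    carries CD, nor a reply to a query that was forwarded with CD set. Such
    replies may have bypassed upstream DNSSEC validation, so admitting them
    would let one CD query pollute the cache for later non-CD queries."""
    q = parse_flags(query)
    r = parse_flags(reply)
    if not r["qr"] or q["qr"]:
        raise ValueError("expected a query followed by its reply")
    if q["id"] != r["id"]:
        return False  # not the reply to this query; don't cache on its account
    return not (q["cd"] or r["cd"])


def sanitize_ad(reply: bytes, proxy_dnssec: bool) -> bytes:
    """Clear the AD bit in an upstream reply unless proxy_dnssec (the
    --proxy-dnssec behaviour) is enabled. A non-validating forwarder must not
    pass on an AD assertion it cannot vouch for (RFC 4035 section 4.9.3)."""
    if proxy_dnssec:
        return reply
    msg_id, flags = struct.unpack("!HH", reply[:4])
    return struct.pack("!HH", msg_id, flags & ~AD_BIT) + reply[4:]


def handle_upstream_reply(query: bytes, reply: bytes, proxy_dnssec: bool = False):
    """Combine both rules: returns (cacheable, reply_to_send_downstream)."""
    return may_cache(query, reply), sanitize_ad(reply, proxy_dnssec)


if __name__ == "__main__":
    q = build_message(0x1234, qr=False, cd=True)          # client asked with CD
    r = build_message(0x1234, qr=True, ad=True)           # upstream answered with AD
    cacheable, out = handle_upstream_reply(q, r)
    print("cacheable:", cacheable, "ad after sanitize:", parse_flags(out)["ad"])
```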
2133 Allow a filename of "-" for --conf-file to read
2134 stdin. Suggestion from Timothy Redaelli.
2136 Rotate the order of SRV records in replies, to provide
2137 round-robin load balancing when all the priorities are
2138 equal. Thanks to Peter McKinney for the suggestion.
2141 contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist
2142 so that it doesn't log all queries to a file by
2143 default. Thanks again to Peter McKinney.
2145 By default, setting an IPv4 address for a domain but not
2146 an IPv6 address causes dnsmasq to return
2147 a NODATA reply for IPv6 (or vice-versa). So
2148 --address=/google.com/1.2.3.4 stops IPv6 queries for
2149 *google.com from being forwarded. Make it possible to
2150 override this behaviour by defining the semantics if the
2151 same domain appears in both --server and --address.
2152 In that case, the --address has priority for the address
2153 family in which it appears, but the --server has priority
2154 for the address family which doesn't appear in --address
2156 --address=/google.com/1.2.3.4
2157 --server=/google.com/#
2158 will return 1.2.3.4 for IPv4 queries for *.google.com but
2159 forward IPv6 queries to the normal upstream nameserver.
2160 Similarly when setting an IPv6 address
2161 only this will allow forwarding of IPv4 queries. Thanks to
2162 William for pointing out the need for this.
2164 Allow more than one --dhcp-optsfile and --dhcp-hostsfile
2165 and make them understand directories as arguments in the
2166 same way as --addn-hosts. Suggestion from John Hanks.
2168 Ignore rebinding requests for leases we don't know
2169 about. Rebind is broadcast, so we might get to overhear a
2170 request meant for another DHCP server. NAKing this is
2171 wrong. Thanks to Brad D'Hondt for assistance with this.
2173 Fix cosmetic bug which produced strange output when
2174 dumping cache statistics with some configurations. Thanks
2175 to Fedor Kozhevnikov for spotting this.
2179 Fix crash when /etc/ethers is in use. Thanks to
2180 Gianluigi Tiesi for finding this.
2182 Fix crash in netlink_multicast(). Thanks to Arno Wald for
2185 Allow the empty domain "." in dhcp domain-search (119)
2190 There is no version 2.54 to avoid confusion with 2.53,
2191 which incorrectly identifies itself as 2.54.
2195 Fix failure to compile on Debian/kFreeBSD. Thanks to
2196 Axel Beckert and Petr Salinger.
2198 Fix code to avoid scary strict-aliasing warnings
2199 generated by gcc 4.4.
2201 Added FAQ entry warning about DHCP failures with Vista
2202 when firewalls block 255.255.255.255.
2204 Fixed bug which caused bad things to happen if a
2205 resolv.conf file which exists is subsequently removed.
2206 Thanks to Nikolai Saoukh for the patch.
2208 Rationalised the DHCP tag system. Every configuration item
2209 which can set a tag does so by adding "set:<tag>" and
2210 every configuration item which is conditional on a tag is
2211 made so by "tag:<tag>". The NOT operator changes to '!',
2212 which is a bit more intuitive too. Dhcp-host directives
2213 can set more than one tag now. The old '#' NOT,
2214 "net:" prefix and no-prefixes are still honoured, so
2215 no existing config file needs to be changed, but
2216 the documentation and new-style config files should be
2217 much less confusing.
2219 Added --tag-if to allow boolean operations on tags.
2220 This allows complicated logic to be clearer and more
2221 general. A great suggestion from Richard Voigt.
2223 Add broadcast/unicast information to DHCP logging.
2225 Allow --dhcp-broadcast to be unconditional.
2227 Fixed incorrect behaviour with NOT <tag> conditionals in
2228 dhcp-options. Thanks to Max Turkewitz for assistance
2231 If we send vendor-class encapsulated options based on the
2232 vendor-class supplied by the client, and no explicit
2233 vendor-class option is given, echo back the vendor-class
2236 Fix bug which stopped dnsmasq from matching both a
2237 circuitid and a remoteid. Thanks to Ignacio Bravo for
2240 Add --dhcp-proxy, which makes it possible to configure
2241 dnsmasq to use a DHCP relay agent as a full proxy, with
2242 all DHCP messages passing through the proxy. This is
2243 useful if the relay adds extra information to the packets
2244 it forwards, but cannot be configured with the RFC 5107
2245 server-override option.
2247 Added interface:<iface name> part to dhcp-range. The
2248 semantics of this are very odd at first sight, but it
2249 allows a single line of the form
2250 dhcp-range=interface:virt0,192.168.0.4,192.168.0.200
2251 to be added to dnsmasq configuration which then supplies
2252 DHCP and DNS services to that interface, without affecting
2253 what services are supplied to other interfaces and
2254 irrespective of the existence or lack of
2255 interface=<interface>
2256 lines elsewhere in the dnsmasq configuration. The idea is
2257 that such a line can be added automatically by libvirt
2258 or equivalent systems, without disturbing any manual
2261 Similarly to the above, allow --enable-tftp=<interface>
2263 Allow a TFTP root to be set separately for requests via
2264 different interfaces, --tftp-root=<path>,<interface>
2266 Correctly handle and log clashes between CNAMEs and
2267 DNS names being given to DHCP leases. This fixes a bug
2268 which caused nonsense IP addresses to be logged. Thanks to
2269 Sergei Zhirikov for finding and analysing the problem.
2271 Tweak flush_log so as to avoid leaving the log
2272 file in non-blocking mode. O_NONBLOCK is a property of the
2273 file, not the process/descriptor.
2275 Fix contrib/Solaris10/create_package
2276 (/usr/man -> /usr/share/man) Thanks to Vita Batrla.
2278 Fix a problem where, if a client got a lease, then went
2279 to another subnet and got another lease, then moved back,
2280 it couldn't resume the old lease, but would instead get
2281 a new address. Thanks to Leonardo Rodrigues for spotting
2282 this and testing the fix.
2284 Fix weird bug which sometimes omitted certain characters
2285 from the start of quoted strings in dhcp-options. Thanks
2286 to Dayton Turner for spotting the problem.
2288 Add facility to redirect some domains to the standard
2289 upstream servers: this allows something like
2290 --server=/google.com/1.2.3.4 --server=/www.google.com/#
2291 which will send queries for *.google.com to 1.2.3.4,
2292 except *www.google.com which will be forwarded as usual.
2293 Thanks to AJ Weber for prompting this addition.
Improve the hash-algorithm used to generate IP addresses
from MAC addresses during initial DHCP address
allocation. This improves performance when large numbers
of hosts with similar MAC addresses all try and get an IP
address at the same time. Thanks to Paul Smith for his

Tweak DHCP code so that --bridge-interface can be used to
select which IP alias of an interface should be used for
DHCP purposes on Linux. If eth0 has an alias eth0:dhcp
then adding --bridge-interface=eth0:dhcp,eth0 will use
the address of eth0:dhcp to determine the correct subnet
for DHCP address allocation. Thanks to Pawel Golaszewski
for prompting this and Eric Cooper for further testing.

Add --dhcp-generate-names. Suggestion by Ferenc Wagner.

Tweak DNS server selection algorithm when there is more
than one server available for a domain, eg.
--server=/mydomain/1.1.1.1
--server=/mydomain/2.2.2.2
Thanks to Alberto Cuesta-Canada for spotting a weakness

Add --max-ttl. Thanks to Fredrik Ringertz for the patch.

Allow --log-facility=- to force all logging to
stderr. Suggestion from Clemens Fischer.

Fix regression which caused configuration like
--address=/.domain.com/1.2.3.4 to be rejected. The dot to the
left of the domain has been implied and not required for a
long time, but it should be accepted for backward
compatibility. Thanks to Andrew Burcin for spotting this.

Add --rebind-domain-ok and --rebind-localhost-ok.
Suggestion from Clemens Fischer.

Log replies to queries of type TXT, when --log-queries

Fix compiler warnings when compiled with -DNO_DHCP. Thanks
to Shantanu Gadgil for the patch.

Updated French translation. Thanks to Gildas Le Nadan.

Updated Polish translation. Thanks to Jan Psota.

Updated German translation. Thanks to Matthias Andree.

Added contrib/static-arp, thanks to Darren Hoo.

Fix corruption of the domain when a name from /etc/hosts
overrides one supplied by a DHCP client. Thanks to Fedor
Kozhevnikov for spotting the problem.

Updated Spanish translation. Thanks to Chris Chatham.

Work around a Linux kernel bug which insists that the
length of the option passed to setsockopt must be at least
sizeof(int) bytes, even if we're calling SO_BINDTODEVICE
and the device name is "lo". Note that this is fixed
in kernel 2.6.31, but the workaround is harmless and
allows earlier kernels to be used. Also fix dnsmasq
bug which reported the wrong address when this failed.
Thanks to Fedor for finding this.

The API for IPv6 PKTINFO changed around Linux kernel
2.6.14. Work around the case where dnsmasq is compiled
against newer headers, but then run on an old kernel:
necessary for some *WRT distros.

Re-read the set of network interfaces when re-loading
/etc/resolv.conf if --bind-interfaces is not set. This
handles the case that loopback interfaces do not exist
when dnsmasq is first started.

Tweak the PXE code to support port 4011. This should
reduce broadcasts and make things more reliable when other
servers are around. It also improves inter-operability
with certain clients.

Make a pxe-service configuration with no filename or boot
service type legal: this does a local boot. eg.
pxe-service=x86PC, "Local boot"

Be more conservative in detecting "A for A"
queries. Dnsmasq checks if the name in a type=A query looks
like a dotted-quad IP address and answers the query itself
if so, rather than forwarding it. Previously dnsmasq
relied on the library function inet_addr() to convert
addresses, and that will accept some things which are
confusing in this context, like 1.2.3 or even just
1234. Now we only do A for A processing for four decimal
numbers delimited by dots.
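As an added example (not dnsmasq's code), a strict dotted-quad check of the kind this entry describes, beside the inet_addr() behaviour it replaces. `is_dotted_quad` and `inet_addr_accepts` are names chosen here, and limiting each number to 0..255 is an assumption beyond what the entry states.

```c
#include <stdio.h>
#include <ctype.h>
#include <arpa/inet.h>

/* Strict "A for A" test: exactly four decimal numbers separated by
   single dots, nothing else.  Each number is limited to 0..255 here;
   that range check is an assumption, the changelog entry only says
   "four decimal numbers delimited by dots". */
int is_dotted_quad(const char *name)
{
    int parts = 0;
    const char *p = name;

    while (*p) {
        long value = 0;

        if (!isdigit((unsigned char)*p))   /* each part starts with a digit */
            return 0;
        while (isdigit((unsigned char)*p)) {
            value = value * 10 + (*p++ - '0');
            if (value > 255)
                return 0;
        }
        if (++parts > 4)
            return 0;
        if (*p == '.') {
            p++;
            if (*p == '\0')                /* "1.2.3.4." is not a quad */
                return 0;
        } else if (*p != '\0') {
            return 0;                      /* junk after a number */
        }
    }
    return parts == 4;
}

/* The old check: inet_addr() also accepts the classic BSD short forms,
   so "1.2.3" (= 1.2.0.3) and "1234" (= 0.0.4.210) count as addresses
   and would have been answered locally instead of being forwarded. */
int inet_addr_accepts(const char *name)
{
    return inet_addr(name) != INADDR_NONE;
}

int main(void)
{
    /* constructed query names, including the confusing forms from the entry */
    const char *names[] = { "1.2.3.4", "1.2.3", "1234", "www.example.com",
                            "1.2.3.4.5", "1.2.3.256" };

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-16s inet_addr: %d  strict: %d\n", names[i],
               inet_addr_accepts(names[i]), is_dotted_quad(names[i]));
    return 0;
}
```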
A couple of tweaks to fix compilation on Solaris. Thanks
to Joel Macklow for help with this.

Another Solaris compilation tweak, needed for Solaris
2009.06. Thanks to Lee Essen for that.

Added extract packaging stuff from Lee Essen to

Increased the default limit on number of leases to 1000
(from 150). This is mainly a defence against DoS attacks,
and for the average "one for two class C networks"
installation, IP address exhaustion does that just as
well. Making the limit greater than the number of IP
addresses available in such an installation removes a
surprise which otherwise can catch people out.

Removed extraneous trailing space in the value of the
DNSMASQ_TIME_REMAINING, DNSMASQ_LEASE_LENGTH and
DNSMASQ_LEASE_EXPIRES environment variables. Thanks to
Gildas Le Nadan for spotting this.

Provide the network-id tags for a DHCP transaction to
the lease-change script in the environment variable
DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan.

Add support for RFC3925 "Vendor-Identifying Vendor
Options". The syntax looks like this:
--dhcp-option=vi-encap:<enterprise number>, .........

Add support to --dhcp-match to allow matching against
RFC3925 "Vendor-Identifying Vendor Classes". The syntax

--dhcp-match=tag,vi-encap<enterprise number>, <value>

Add some application specific code to assist in
implementing the Broadband forum TR069 CPE-WAN
specification. The details are in contrib/CPE-WAN/README

Increase the default DNS packet size limit to 4096, as
recommended by RFC5625 section 4.4.3. This can be
reconfigured using --edns-packet-max if needed. Thanks to
Francis Dupont for pointing this out.

Rewrite query-ids even for TSIG signed packets, since
this is allowed by RFC5625 section 4.5.

Use getopt_long by default on OS X. It has been supported
since version 10.3.0. Thanks to Arek Dreyer for spotting

Added up-to-date startup configuration for MacOSX/launchd
in contrib/MacOSX-launchd. Thanks to Arek Dreyer for

Fix link error when including Dbus but excluding DHCP.
Thanks to Oschtan for the bug report.

Updated French translation. Thanks to Gildas Le Nadan.

Updated Polish translation. Thanks to Jan Psota.

Updated Spanish translation. Thanks to Chris Chatham.

Fixed confusion about domains, when looking up DHCP hosts
in /etc/hosts. This could cause spurious "Ignoring
domain..." messages. Thanks to Fedor Kozhevnikov for
finding and analysing the problem.

Add support for internationalised DNS. Non-ASCII characters
in domain names found in /etc/hosts, /etc/ethers and
/etc/dnsmasq.conf will be correctly handled by translation to
punycode, as specified in RFC3490. This function is only
available if dnsmasq is compiled with internationalisation
support, and adds a dependency on GNU libidn. Without i18n
support, dnsmasq continues to be compilable with just
standard tools. Thanks to Yves Dorfsman for the

Add two more environment variables for lease-change scripts:
First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname
supplied by a client, even if the actual hostname used is
over-ridden by dhcp-host or dhcp-ignore-names directives.
Also DNSMASQ_RELAY_ADDRESS which gives the address of
a DHCP relay, if used.
Suggestions from Michael Rack.

Fix regression which broke echo of relay-agent
options. Thanks to Michael Rack for spotting this.

Don't treat option 67 as being interchangeable with
dhcp-boot parameters if it's specified as

Make the code to call scripts on lease-change compile-time
optional. It can be switched off by editing src/config.h
or building with "make COPTS=-DNO_SCRIPT".

Make the TFTP server cope with filenames from Windows/DOS
which use '\' as pathname separator. Thanks to Ralf for

Updated Polish translation. Thanks to Jan Psota.

Warn if an IP address is duplicated in /etc/ethers. Thanks
to Felix Schwarz for pointing this out.

Teach --conf-dir to take an optional list of file suffixes
which will be ignored when scanning the directory. Useful
for backup files etc. Thanks to Helmut Hullen for the

Add new DHCP option named tftpserver-address, which
corresponds to the third argument of dhcp-boot. This
allows the complete functionality of dhcp-boot to be
replicated with dhcp-option. Useful when using

Test which upstream nameserver to use every 10 seconds
or 50 queries and not just when a query times out and
is retried. This should improve performance when there
is a slow nameserver in the list. Thanks to Joe for the

Don't do any PXE processing, even for clients with the
correct vendorclass, unless at least one pxe-prompt or
pxe-service option is given. This stops dnsmasq
interfering with proxy PXE subsystems when it is just
the DHCP server. Thanks to Spencer Clark for spotting this.

Limit the blocksize used for TFTP transfers to a value
which avoids packet fragmentation, based on the MTU of the
local interface. Many netboot ROMs can't cope with

Honour dhcp-ignore configuration for PXE and proxy-PXE
requests. Thanks to Niels Basjes for the bug report.

Updated French translation. Thanks to Gildas Le Nadan.

Fix security problem which allowed any host permitted to
do TFTP to possibly compromise dnsmasq by remote buffer
overflow when TFTP is enabled. Thanks to Core Security
Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro
Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and
Pablo Annetta. This problem has Bugtraq id: 36121

Fix a problem which allowed a malicious TFTP client to
crash dnsmasq. Thanks to Steve Grubb at Red Hat for
spotting this. This problem has Bugtraq id: 36120 and

Fix regression in 2.48 which disables the lease-change
script. Thanks to Jose Luis Duran for spotting this.

Log TFTP "file not found" errors. These were not logged,
since a normal PXELinux boot generates many of them, but
the lack of the messages seems to be more confusing than
routinely seeing them when there is no real error.

Update Spanish translation. Thanks to Chris Chatham.

Archived the extensive, backwards, changelog to
CHANGELOG.archive. The current changelog now runs from
version 2.43 and runs conventionally.

Fixed bug which broke binding of servers to physical
interfaces when interface names were longer than four
characters. Thanks to MURASE Katsunori for the patch.

Fixed netlink code to check that messages come from the
correct source, and not another userspace process. Thanks
to Steve Grubb for the patch.

Maintainability drive: removed bug and missing feature
workarounds for some old platforms. Solaris 9, OpenBSD
older than 4.1, Glibc older than 2.2, Linux 2.2.x and
DBus older than 1.1.x are no longer supported.

Don't read included configuration files more than once:
allows complex configuration structures without problems.

Mark log messages from the various subsystems in dnsmasq:
messages from the DHCP subsystem now have the ident string
"dnsmasq-dhcp" and messages from TFTP have ident
"dnsmasq-tftp". Thanks to Olaf Westrik for the patch.

Fix possible infinite DHCP protocol loop when an IP
address is nailed to a hostname (not a MAC address) and a
host sometimes provides the name, sometimes not.

Allow --addn-hosts to take a directory: all the files
in the directory are read. Thanks to Phil Cornelius for

Support --bridge-interface on all platforms, not just BSD.

Added support for advanced PXE functions. It's now
possible to define a prompt and menu options which will
be displayed when a client PXE boots. It's also possible to
hand-off booting to other boot servers. Proxy-DHCP, where
dnsmasq just supplies the PXE information and another DHCP
server does address allocation, is also allowed. See the
--pxe-prompt and --pxe-service keywords. Thanks to
Alkis Georgopoulos for the suggestion and Guilherme Moro
and Michael Brown for assistance.

Improvements to DHCP logging. Thanks to Tom Metro for

Add ability to build dnsmasq without DHCP support. To do
this, edit src/config.h or build with
"make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch.

Added --test command-line switch - syntax check
configuration files only.

Updated French translation. Thanks to Gildas Le Nadan.

Updated French translation. Thanks to Gildas Le Nadan.

Fixed interface enumeration code to work on NetBSD
5.0. Thanks to Roy Marples for the patch.

Updated config.h to use the same location for the lease
file on NetBSD as the other *BSD variants. Also allow
LEASEFILE and CONFFILE symbols to be overridden in CFLAGS.

Handle duplicate address detection on IPv6 more
intelligently. In IPv6, an interface can have an address
which is not usable, because it is still undergoing DAD
(such addresses are marked "tentative"). Attempting to
bind to an address in this state returns an error,
EADDRNOTAVAIL. Previously, on getting such an error,
dnsmasq would silently abandon the address, and never
listen on it. Now, it retries once per second for 20
seconds before generating a fatal error. 20 seconds should
be long enough for any DAD process to complete, but can be
adjusted in src/config.h if necessary. Thanks to Martin
Krafft for the bug report.

Add DBus introspection. Patch from Jeremy Laine.

Update Dbus configuration file. Patch from Colin Walters.
http://bugs.freedesktop.org/show_bug.cgi?id=18961
Support arbitrarily encapsulated DHCP options, suggestion
and initial patch from Samium Gromoff. This is useful for
(eg) iPXE, which expects all its private options to be
encapsulated inside a single option 175. So, eg,

dhcp-option = encap:175, 190, "iscsi-client0"
dhcp-option = encap:175, 191, "iscsi-client0-secret"

will provide iSCSI parameters to iPXE.

Enhance --dhcp-match to allow testing of the contents of a
client-sent option, as well as its presence. The
application in mind for this is RFC 4578
client-architecture specifiers, but it's generally useful.
Joey Korkames suggested the enhancement.

Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on
OpenSolaris. Thanks to Bastian Machek for the heads-up.

No longer complain about blank lines in
/etc/ethers. Thanks to Jon Nelson for the patch.

Fix binding of servers to physical devices, eg
--server=/domain/1.2.3.4@eth0 which was broken from 2.43
onwards unless --query-port=0 was set. Thanks to Peter Naulls

Reply to DHCPINFORM requests even when the supplied ciaddr
doesn't fall in any dhcp-range. In this case it's not
possible to supply a complete configuration, but
individually-configured options (eg PAC) may be useful.

Allow the source address of an alias to be a range:
--alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole
subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255,

--alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
maps only the 192.168.0.10->192.168.0.40 region. Thanks to
Ib Uhrskov for the suggestion.

Don't dynamically allocate DHCP addresses which may break
Windows. Addresses which end in .255 or .0 are broken in
Windows even when using supernetting.
--dhcp-range=192.168.0.1,192.168.1.254,255.255.254.0 means
192.168.0.255 is a valid IP address, but not for Windows.
See Microsoft KB281579. We therefore no longer allocate
these addresses to avoid hard-to-diagnose problems.

Update Polish translation. Thanks to Jan Psota.

Delete the PID-file when dnsmasq shuts down. Note that by
this time, dnsmasq is normally not running as root, so
this will fail if the PID-file is stored in a root-owned
directory; such failure is silently ignored. To take
advantage of this feature, the PID-file must be stored in a
directory owned and write-able by the user running

Allow --bootp-dynamic to take a netid tag, so that it may
be selectively enabled. Thanks to Olaf Westrik for the

Remove ISC-leasefile reading code. This has been
deprecated for a long time, and last time I removed it, it
ended up going back by request of one user. This time,
it's gone for good; otherwise it would need to be
re-worked to support multiple domains (see below).

Support DHCP clients in multiple DNS domains. This is a
long-standing request. Clients are assigned to a domain
based on their IP address.

Add --dhcp-fqdn flag, which changes behaviour of DNS names
assigned to DHCP clients. When this is set, there must be
a domain associated with each client, and only
fully-qualified domain names are added to the DNS. The
advantage is that only the FQDN needs to be unique,
so that two or more DHCP clients can share a hostname, as
long as they are in different domains.

Set environment variable DNSMASQ_DOMAIN when invoking
lease-change script. This may be useful information to
have now that it's variable.

Tighten up data-checking code for DNS packet
handling. Thanks to Steve Dodd who found certain illegal
packets which could crash dnsmasq. No memory overwrite was
possible, so this is not a security issue beyond the DoS

Update example config dhcp option 47, the previous
suggestion generated an illegal, zero-length,
option. Thanks to Matthias Andree for finding this.

Rewrite hosts-file reading code to remove the limit of
1024 characters per line. John C Meuser found this.

Create a net-id tag with the name of the interface on
which the DHCP request was received.

Fixed minor memory leak in DBus code, thanks to Jeremy
Laine for the patch.

Emit DBus signals as the DHCP lease database
changes. Thanks to Jeremy Laine for the patch.

Allow for more than one MAC address in a dhcp-host
line. This configuration tells dnsmasq that it's OK to
abandon a DHCP lease of the fixed address to one MAC
address, if another MAC address in the dhcp-host statement
asks for an address. This is useful to give a fixed
address to a host which has two network interfaces
(say, a laptop with wired and wireless interfaces.)
It's very important to ensure that only one interface
at a time is up, since dnsmasq abandons the first lease
and re-uses the address before the leased time has
elapsed. John Gray suggested this.

Tweak the response to a DHCP request packet with a wrong
server-id when --dhcp-authoritative is set; dnsmasq now
returns a DHCPNAK, rather than silently ignoring the
packet. Thanks to Chris Marget for spotting this

Add --cname option. This provides a limited alias
function, usable for DHCP names. Thanks to AJ Weber for
suggestions on this.

Updated contrib/webmin with latest version from Neil

Updated Polish translation. Thanks to Jan Psota.

Correct the text names for DHCP options 64 and 65 to be
"nis+-domain" and "nis+-servers".

Updated Spanish translation. Thanks to Chris Chatham.

Force re-reading of /etc/resolv.conf when an "interface

Fix total DNS failure in release 2.44 unless --min-port
specified. Thanks to Steven Barth and Grant Coady for
bugreport. Also reject out-of-range port spec, which could
break things too: suggestion from Gilles Espinasse.

Fix crash when unknown client attempts to renew a DHCP
lease, problem introduced in version 2.43. Thanks to
Carlos Carvalho for help chasing this down.

Fix potential crash when a host which doesn't have a lease
does DHCPINFORM. Again introduced in 2.43. This bug has
never been reported in the wild.

Fix crash in netlink code introduced in 2.43. Thanks to
Jean Wolter for finding this.

Change implementation of min_port to work even if min-port

Patch to enable compilation of latest Mac OS X. Thanks to

Update Spanish translation. Thanks to Christopher Chatham.

Updated Polish translation. Thanks to Jan Psota.

Flag errors when configuration options are repeated

Further tweaks for GNU/kFreeBSD

Add --no-wrap to msgmerge call - provides nicer .po file

Honour lease-time spec in dhcp-host lines even for
BOOTP. The user is assumed to know what they are doing in
this case. (Hosts without the time spec still get infinite
leases for BOOTP, over-riding the default in the
dhcp-range.) Thanks to Peter Katzmann for uncovering this.

Fix problem matching relay-agent ids. Thanks to Michael
Rack for the bug report.

Add --naptr-record option. Suggestion from Johan

Implement RFC 5107 server-id-override DHCP relay agent

Apply patches from Stefan Kruger for compilation on
Solaris 10 under Sun studio.

Yet more tweaking of Linux capability code, to suppress
pointless wingeing from kernel 2.6.25 and above.

Improve error checking during startup. Previously, some
errors which occurred during startup would be worked
around, with dnsmasq still starting up. Some were logged,
some silent. Now, they all cause a fatal error and dnsmasq
terminates with a non-zero exit code. The errors are those
associated with changing uid and gid, setting process
capabilities and writing the pidfile. Thanks to Uwe
Gansert and the Suse security team for pointing out
this improvement, and Bill Reimers for good implementation

Provide NO_LARGEFILE compile option to switch off largefile
support when compiling against versions of uclibc which
don't support it. Thanks to Stephane Billiart for the patch.

Implement random source ports for interactions with
upstream nameservers. New spoofing attacks have been found
against nameservers which do not do this, though it is not
clear if dnsmasq is vulnerable, since it doesn't implement
recursion. By default dnsmasq will now use a different
source port (and socket) for each query it sends
upstream. This behaviour can be suppressed using the
--query-port option, and the old default behaviour
restored using --query-port=0. Explicit source-port
specifications in --server configs are still honoured.

Replace the random number generator, for better
security. On most BSD systems, dnsmasq uses the
arc4random() RNG, which is secure, but on other platforms,
it relied on the C-library RNG, which may be
guessable and therefore allow spoofing. This release
replaces the libc RNG with the SURF RNG, from Daniel
J. Bernstein's DJBDNS package.

Don't attempt to change user or group or set capabilities
if dnsmasq is run as a non-root user. Without this, the
change from soft to hard errors when these fail causes
problems for non-root daemons listening on high
ports. Thanks to Patrick McLean for spotting this.

Updated French translation. Thanks to Gildas Le Nadan.

The changelog for version 2.42 and earlier is
available in CHANGELOG.archive.