2 Subtle change to error handling to help DNSSEC validation
3 when servers fail to provide NODATA answers for
4 non-existent DS records.
6 Tweak code which removes DNSSEC records from answers when
7 not required. Fixes broken answers when additional section
8 has real records in it. Thanks to Marco Davids for the bug
11 Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
12 for spotting that too.
14 Fix total DNS failure and 100% CPU use if cachesize set to zero,
15 regression introduced in 2.69. Thanks to James Hunt and
16 the Ubuntu crowd for assistance in fixing this.
20 Fix crash, introduced in 2.69, on TCP request when dnsmasq
21 compiled with DNSSEC support, but running without DNSSEC
22 enabled. Thanks to Manish Sing for spotting that one.
24 Fix regression which broke ipset functionality. Thanks to
25 Wang Jian for the bug report.
29 Implement dynamic interface discovery on *BSD. This allows
30 the contructor: syntax to be used in dhcp-range for DHCPv6
31 on the BSD platform. Thanks to Matthias Andree for
32 valuable research on how to implement this.
34 Fix infinite loop associated with some --bogus-nxdomain
35 configs. Thanks fogobogo for the bug report.
37 Fix missing RA RDNS option with configuration like
38 --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
39 for spotting the problem.
41 Add [fd00::] and [fe80::] as special addresses in DHCPv6
42 options, analogous to [::]. [fd00::] is replaced with the
43 actual ULA of the interface on the machine running
44 dnsmasq, [fe80::] with the link-local address.
45 Thanks to Tsachi Kimeldorfer for championing this.
47 DNSSEC validation and caching. Dnsmasq needs to be
48 compiled with this enabled, with
50 make dnsmasq COPTS=-DHAVE_DNSSEC
52 this add dependencies on the nettle crypto library and the
53 gmp maths library. It's possible to have these linked
56 make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
58 which bloats the dnsmasq binary, but saves the size of
59 the shared libraries which are much bigger.
61 To enable, DNSSEC, you will need a set of
62 trust-anchors. Now that the TLDs are signed, this can be
63 the keys for the root zone, and for convenience they are
64 included in trust-anchors.conf in the dnsmasq
65 distribution. You should of course check that these are
66 legitimate and up-to-date. So, adding
68 conf-file=/path/to/trust-anchors.conf
71 to your config is all thats needed to get things
72 working. The upstream nameservers have to be DNSSEC-capable
73 too, of course. Many ISP nameservers aren't, but the
74 Google public nameservers (8.8.8.8 and 8.8.4.4) are.
75 When DNSSEC is configured, dnsmasq validates any queries
76 for domains which are signed. Query results which are
77 bogus are replaced with SERVFAIL replies, and results
78 which are correctly signed have the AD bit set. In
79 addition, and just as importantly, dnsmasq supplies
80 correct DNSSEC information to clients which are doing
81 their own validation, and caches DNSKEY, DS and RRSIG
82 records, which significantly improve the performance of
83 downstream validators. Setting --log-queries will show
86 If a domain is returned from an upstream nameserver without
87 DNSSEC signature, dnsmasq by default trusts this. This
88 means that for unsigned zone (still the majority) there
89 is effectively no cost for having DNSSEC enabled. Of course
90 this allows an attacker to replace a signed record with a
91 false unsigned record. This is addressed by the
92 --dnssec-check-unsigned flag, which instructs dnsmasq
93 to prove that an unsigned record is legitimate, by finding
94 a secure proof that the zone containing the record is not
95 signed. Doing this has costs (typically one or two extra
96 upstream queries). It also has a nasty failure mode if
97 dnsmasq's upstream nameservers are not DNSSEC capable.
98 Without --dnssec-check-unsigned using such an upstream
99 server will simply result in not queries being validated;
100 with --dnssec-check-unsigned enabled and a
101 DNSSEC-ignorant upstream server, _all_ queries will fail.
103 Note that DNSSEC requires that the local time is valid and
104 accurate, if not then DNSSEC validation will fail. NTP
105 should be running. This presents a problem for routers
106 without a battery-backed clock. To set the time needs NTP
107 to do DNS lookups, but lookups will fail until NTP has run.
108 To address this, there's a flag, --dnssec-no-timecheck
109 which disables the time checks (only) in DNSSEC. When dnsmasq
110 is started and the clock is not synced, this flag should
111 be used. As soon as the clock is synced, SIGHUP dnsmasq.
112 The SIGHUP clears the cache of partially-validated data and
113 resets the no-timecheck flag, so that all DNSSEC checks
114 henceforward will be complete.
116 The development of DNSSEC in dnsmasq was started by
117 Giovanni Bajo, to whom huge thanks are owed. It has been
118 supported by Comcast, whose techfund grant has allowed for
119 an invaluable period of full-time work to get it to
122 Add --rev-server. Thanks to Dave Taht for suggesting this.
124 Add --servers-file. Allows dynamic update of upstream servers
125 full access to configuration.
127 Add --local-service. Accept DNS queries only from hosts
128 whose address is on a local subnet, ie a subnet for which
129 an interface exists on the server. This option
130 only has effect if there are no --interface --except-interface,
131 --listen-address or --auth-server options. It is intended
132 to be set as a default on installation, to allow
133 unconfigured installations to be useful but also safe from
134 being used for DNS amplification attacks.
136 Fix crashes in cache_get_cname_target() when dangling CNAMEs
137 encountered. Thanks to Andy and the rt-n56u project for
138 find this and helping to chase it down.
140 Fix wrong RCODE in authoritative DNS replies to PTR queries. The
141 correct answer was included, but the RCODE was set to NXDOMAIN.
142 Thanks to Craig McQueen for spotting this.
144 Make statistics available as DNS queries in the .bind TLD as
145 well as logging them.
149 Use random addresses for DHCPv6 temporary address
150 allocations, instead of algorithmically determined stable
153 Fix bug which meant that the DHCPv6 DUID was not available
154 in DHCP script runs during the lifetime of the dnsmasq
155 process which created the DUID de-novo. Once the DUID was
156 created and stored in the lease file and dnsmasq
157 restarted, this bug disappeared.
159 Fix bug introduced in 2.67 which could result in erroneous
160 NXDOMAIN returns to CNAME queries.
162 Fix build failures on MacOS X and openBSD.
164 Allow subnet specifications in --auth-zone to be interface
165 names as well as address literals. This makes it possible
166 to configure authoritative DNS when local address ranges
167 are dynamic and works much better than the previous
168 work-around which exempted contructed DHCP ranges from the
169 IP address filtering. As a consequence, that work-around
170 is removed. Under certain circumstances, this change wil
171 break existing configuration: if you're relying on the
172 contructed-range exception, you need to change --auth-zone
173 to specify the same interface as is used to construct your
174 DHCP ranges, probably with a trailing "/6" like this:
175 --auth-zone=example.com,eth0/6 to limit the addresses to
176 IPv6 addresses of eth0.
178 Fix problems when advertising deleted IPv6 prefixes. If
179 the prefix is deleted (rather than replaced), it doesn't
180 get advertised with zero preferred time. Thanks to Tsachi
183 Fix segfault with some locally configured CNAMEs. Thanks
184 to Andrew Childs for spotting the problem.
186 Fix memory leak on re-reading /etc/hosts and friends,
189 Check the arrival interface of incoming DNS and TFTP
190 requests via IPv6, even in --bind-interfaces mode. This
191 isn't possible for IPv4 and can generate scary warnings,
192 but as it's always possible for IPv6 (the API always
193 exists) then we should do it always.
195 Tweak the rules on prefix-lengths in --dhcp-range for
196 IPv6. The new rule is that the specified prefix length
197 must be larger than or equal to the prefix length of the
198 corresponding address on the local interface.
202 Fix crash if upstream server returns SERVFAIL when
203 --conntrack in use. Thanks to Giacomo Tazzari for finding
204 this and supplying the patch.
206 Repair regression in 2.64. That release stopped sending
207 lease-time information in the reply to DHCPINFORM
208 requests, on the correct grounds that it was a standards
209 violation. However, this broke the dnsmasq-specific
210 dhcp_lease_time utility. Now, DHCPINFORM returns
211 lease-time only if it's specifically requested
212 (maintaining standards) and the dhcp_lease_time utility
213 has been taught to ask for it (restoring functionality).
215 Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass
216 to work with BOOTP and well as DHCP. Thanks to Peter
217 Korsgaard for spotting the problem.
219 Add --synth-domain. Thanks to Vishvananda Ishaya for
222 Fix failure to compile ipset.c if old kernel headers are
223 in use. Thanks to Eugene Rudoy for pointing this out.
225 Handle IPv4 interface-address labels in Linux. These are
226 often used to emulate the old IP-alias addresses. Before,
227 using --interface=eth0 would service all the addresses of
228 eth0, including ones configured as aliases, which appear
229 in ifconfig as eth0:0. Now, only addresses with the label
230 eth0 are active. This is not backwards compatible: if you
231 want to continue to bind the aliases too, you need to add
232 eg. --interface=eth0:0 to the config.
234 Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket
235 operation on non-socket" error on startup with
236 configurations which have exactly one --interface option
237 and do RA but _not_ DHCPv6. Thanks to Trever Adams for the
240 Generalise --interface-name to cope with IPv6 addresses
241 and multiple addresses per interface per address family.
243 Fix option parsing for --dhcp-host, which was generating a
244 spurious error when all seven possible items were
245 included. Thanks to Zhiqiang Wang for the bug report.
247 Remove restriction on prefix-length in --auth-zone. Thanks
248 to Toke Hoiland-Jorgensen for suggesting this.
250 Log when the maximum number of concurrent DNS queries is
251 reached. Thanks to Marcelo Salhab Brogliato for the patch.
253 If wildcards are used in --interface, don't assume that
254 there will only ever be one available interface for DHCP
255 just because there is one at start-up. More may appear, so
256 we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
259 Increase timeout/number of retries in TFTP to accomodate
260 AudioCodes Voice Gateways doing streaming writes to flash.
261 Thanks to Damian Kaczkowski for spotting the problem.
263 Fix crash with empty DHCP string options when adding zero
264 terminator. Thanks to Patrick McLean for the bug report.
266 Allow hostnames to start with a number, as allowed in
267 RFC-1123. Thanks to Kyle Mestery for the patch.
269 Fixes to DHCP FQDN option handling: don't terminate FQDN
270 if domain not known and allow a FQDN option with blank
271 name to request that a FQDN option is returned in the
272 reply. Thanks to Roy Marples for the patch.
274 Make --clear-on-reload apply to setting upstream servers
277 When the address which triggered the construction of an
278 advertised IPv6 prefix disappears, continue to advertise
279 the prefix for up to 2 hours, with the preferred lifetime
280 set to zero. This satisfies RFC 6204 4.3 L-13 and makes
281 things work better if a prefix disappears without being
282 deprecated first. Thanks to Uwe Schindler for persuasively
285 Fix MAC address enumeration on *BSD. Thanks to Brad Smith
288 Support RFC-4242 information-refresh-time options in the
289 reply to DHCPv6 information-request. The lease time of the
290 smallest valid dhcp-range is sent. Thanks to Uwe Schindler
293 Make --listen-address higher priority than --except-interface
294 in all circumstances. Thanks to Thomas Hood for the bugreport.
296 Provide independent control over which interfaces get TFTP
297 service. If enable-tftp is given a list of interfaces, then TFTP
298 is provided on those. Without the list, the previous behaviour
299 (provide TFTP to the same interfaces we provide DHCP to)
300 is retained. Thanks to Lonnie Abelbeck for the suggestion.
302 Add --dhcp-relay config option. Many thanks to vtsl.net
303 for sponsoring this development.
305 Fix crash with empty tag: in --dhcp-range. Thanks to
306 Kaspar Schleiser for the bug report.
308 Add "baseline" and "bloatcheck" makefile targets, for
309 revealing size changes during development. Thanks to
310 Vladislav Grishenko for the patch.
312 Cope with DHCPv6 clients which send REQUESTs without
313 address options - treat them as SOLICIT with rapid commit.
315 Support identification of clients by MAC address in
316 DHCPv6. When using a relay, the relay must support RFC
317 6939 for this to work. It always works for directly
318 connected clients. Thanks to Vladislav Grishenko
319 for prompting this feature.
321 Remove the rule for constructed DHCP ranges that the local
322 address must be either the first or last address in the
323 range. This was originally to avoid SLAAC addresses, but
324 we now explicitly autoconfig and privacy addresses instead.
326 Update Polish translation. Thanks to Jan Psota.
328 Fix problem in DHCPv6 vendorclass/userclass matching
329 code. Thanks to Tanguy Bouzeloc for the patch.
331 Update Spanish transalation. Thanks to Vicente Soriano.
333 Add --ra-param option. Thanks to Vladislav Grishenko for
336 Add --add-subnet configuration, to tell upstream DNS
337 servers where the original client is. Thanks to DNSthingy
338 for sponsoring this feature.
340 Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
341 Kevin Darbyshire-Bryant for the initial patch.
343 Allow A/AAAA records created by --interface-name to be the
344 target of --cname. Thanks to Hadmut Danisch for the
347 Avoid treating a --dhcp-host which has an IPv6 address
348 as eligable for use with DHCPv4 on the grounds that it has
349 no address, and vice-versa. Thanks to Yury Konovalov for
350 spotting the problem.
352 Do a better job caching dangling CNAMEs. Thanks to Yves
353 Dorfsman for spotting the problem.
357 Add the ability to act as an authoritative DNS
358 server. Dnsmasq can now answer queries from the wider 'net
359 with local data, as long as the correct NS records are set
360 up. Only local data is provided, to avoid creating an open
361 DNS relay. Zone transfer is supported, to allow secondary
362 servers to be configured.
364 Add "constructed DHCP ranges" for DHCPv6. This is intended
365 for IPv6 routers which get prefixes dynamically via prefix
366 delegation. With suitable configuration, stateful DHCPv6
367 and RA can happen automatically as prefixes are delegated
368 and then deprecated, without having to re-write the
369 dnsmasq configuration file or restart the daemon. Thanks to
370 Steven Barth for extensive testing and development work on
373 Fix crash on startup on Solaris 11. Regression probably
374 introduced in 2.61. Thanks to Geoff Johnstone for the
377 Add code to make behaviour for TCP DNS requests that same
378 as for UDP requests, when a request arrives for an allowed
379 address, but via a banned interface. This change is only
380 active on Linux, since the relevant API is missing (AFAIK)
381 on other platforms. Many thanks to Tomas Hozza for
382 spotting the problem, and doing invaluable discovery of
383 the obscure and undocumented API required for the solution.
385 Don't send the default DHCP option advertising dnsmasq as
386 the local DNS server if dnsmasq is configured to not act
387 as DNS server, or it's configured to a non-standard port.
389 Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBCRIBER_ID,
390 DNSMASQ_REMOTE_ID variables to the environment of the
391 lease-change script (and the corresponding Lua). These hold
392 information inserted into the DHCP request by a DHCP relay
393 agent. Thanks to Lakefield Communications for providing a
394 bounty for this addition.
396 Fixed crash, introduced in 2.64, whilst handling DHCPv6
397 information-requests with some common configurations.
398 Thanks to Robert M. Albrecht for the bug report and
401 Add --ipset option. Thanks to Jason A. Donenfeld for the
404 Don't erroneously reject some option names in --dhcp-match
405 options. Thanks to Benedikt Hochstrasser for the bug report.
407 Allow a trailing '*' wildcard in all interface-name
408 configurations. Thanks to Christian Parpart for the patch.
410 Handle the situation where libc headers define
411 SO_REUSEPORT, but the kernel in use doesn't, to cope with
412 the introduction of this option to Linux. Thanks to Rich
413 Felker for the bug report.
415 Update Polish translation. Thanks to Jan Psota.
417 Fix crash if the configured DHCP lease limit is
418 reached. Regression occurred in 2.61. Thanks to Tsachi for
421 Update the French translation. Thanks to Gildas le Nadan.
425 Fix regression which broke forwarding of queries sent via
426 TCP which are not for A and AAAA and which were directed to
427 non-default servers. Thanks to Niax for the bug report.
429 Fix failure to build with DHCP support excluded. Thanks to
430 Gustavo Zacarias for the patch.
432 Fix nasty regression in 2.64 which completely broke cacheing.
436 Handle DHCP FQDN options with all flag bits zero and
437 --dhcp-client-update set. Thanks to Bernd Krumbroeck for
438 spotting the problem.
440 Finesse the check for /etc/hosts names which conflict with
441 DHCP names. Previously a name/address pair in /etc/hosts
442 which didn't match the name/address of a DHCP lease would
443 generate a warning. Now that only happesn if there is not
444 also a match. This allows multiple addresses for a name in
445 /etc/hosts with one of them assigned via DHCP.
447 Fix broken vendor-option processing for BOOTP. Thanks to
448 Hans-Joachim Baader for the bug report.
450 Don't report spurious netlink errors, regression in
451 2.63. Thanks to Vladislav Grishenko for the patch.
453 Flag DHCP or DHCPv6 in starup logging. Thanks to
454 Vladislav Grishenko for the patch.
456 Add SetServersEx method in DBus interface. Thanks to Dan
457 Williams for the patch.
459 Add SetDomainServers method in DBus interface. Thanks to
460 Roy Marples for the patch.
462 Fix build with later Lua libraries. Thansk to Cristian
463 Rodriguez for the patch.
465 Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker
468 Fix breakage of --host-record parsing, resulting in
469 infinte loop at startup. Regression in 2.63. Thanks to
470 Haim Gelfenbeyn for spotting this.
472 Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6
473 socket, this allows multiple instances of dnsmasq on a
474 single machine, in the same way as for DHCPv4. Thanks to
475 Gene Czarcinski and Vladislav Grishenko for work on this.
477 Fix DHCPv6 to do access control correctly when it's
478 configured with --listen-address. Thanks to
479 Gene Czarcinski for sorting this out.
481 Add a "wildcard" dhcp-range which works for any IPv6
482 subnet, --dhcp-range=::,static Useful for Stateless
483 DHCPv6. Thanks to Vladislav Grishenko for the patch.
485 Don't include lease-time in DHCPACK replies to DHCPINFORM
486 queries, since RFC-2131 says we shouldn't. Thanks to
487 Wouter Ibens for pointing this out.
489 Makefile tweak to do dependency checking on header files.
490 Thanks to Johan Peeters for the patch.
492 Check interface for outgoing unsolicited router
493 advertisements, rather than relying on interface address
494 configuration. Thanks to Gene Czarinski for the patch.
496 Handle better attempts to transmit on interfaces which are
497 still doing DAD, and specifically do not just transmit
498 without setting source address and interface, since this
499 can cause very puzzling effects when a router
500 advertisement goes astray. Thanks again to Gene Czarinski.
502 Get RA timers right when there is more than one
503 dhcp-range on a subnet.
507 Do duplicate dhcp-host address check in --test mode.
509 Check that tftp-root directories are accessible before
510 start-up. Thanks to Daniel Veillard for the initial patch.
512 Allow more than one --tfp-root flag. The per-interface
513 stuff is pointless without that.
515 Add --bind-dynamic. A hybrid mode between the default and
516 --bind-interfaces which copes with dynamically created
519 A couple of fixes to the build system for Android. Thanks
520 to Metin Kaya for the patches.
522 Remove the interface:<interface> argument in --dhcp-range, and
523 the interface argument to --enable-tftp. These were a
524 still-born attempt to allow automatic isolated
525 configuration by libvirt, but have never (to my knowledge)
526 been used, had very strange semantics, and have been
527 superceded by other mechanisms.
529 Fixed bug logging filenames when duplicate dhcp-host
530 addresses are found. Thanks to John Hanks for the patch.
532 Fix regression in 2.61 which broke caching of CNAME
533 chains. Thanks to Atul Gupta for the bug report.
535 Allow the target of a --cname flag to be another --cname.
537 Teach DHCPv6 about the RFC 4242 information-refresh-time
538 option, and add parsing if the minutes, hours and days
539 format for options. Thanks to Francois-Xavier Le Bail for
542 Allow "w" (for week) as multiplier in lease times, as well
543 as seconds, minutes, hours and days. Álvaro Gámez Machado
544 spotted the ommission.
546 Update French translation. Thanks to Gildas Le Nadan.
548 Allow a DBus service name to be given with --enable-dbus
549 which overrides the default,
550 uk.org.thekelleys.dnsmasq. Thanks to Mathieu
551 Trudel-Lapierre for the patch.
553 Set the "prefix on-link" bit in Router
554 Advertisements. Thanks to Gui Iribarren for the patch.
558 Update German translation. Thanks to Conrad Kostecki.
560 Cope with router-solict packets wich don't have a valid
561 source address. Thanks to Vladislav Grishenko for the patch.
563 Fixed bug which caused missing periodic router
564 advertisements with some configurations. Thanks to
565 Vladislav Grishenko for the patch.
567 Fixed bug which broke DHCPv6/RA with prefix lengths
568 which are not divisible by 8. Thanks to Andre Coetzee
571 Fix non-response to router-solicitations when
572 router-advertisement configured, but DHCPv6 not
573 configured. Thanks to Marien Zwart for the patch.
575 Add --dns-rr, to allow arbitrary DNS resource records.
577 Fixed bug which broke RA scheduling when an interface had
578 two addresses in the same network. Thanks to Jim Bos for
579 his help nailing this.
582 Re-write interface discovery code on *BSD to use
583 getifaddrs. This is more portable, more straightforward,
584 and allows us to find the prefix length for IPv6
587 Add ra-names, ra-stateless and slaac keywords for DHCPv6.
588 Dnsmasq can now synthesise AAAA records for dual-stack
589 hosts which get IPv6 addresses via SLAAC. It is also now
590 possible to use SLAAC and stateless DHCPv6, and to
591 tell clients to use SLAAC addresses as well as DHCP ones.
592 Thanks to Dave Taht for help with this.
594 Add --dhcp-duid to allow DUID-EN uids to be used.
596 Explicity send DHCPv6 replies to the correct port, instead
597 of relying on clients to send requests with the correct
598 source address, since at least one client in the wild gets
599 this wrong. Thanks to Conrad Kostecki for help tracking
602 Send a preference value of 255 in DHCPv6 replies when
603 --dhcp-authoritative is in effect. This tells clients not
604 to wait around for other DHCP servers.
606 Better logging of DHCPv6 options.
608 Add --host-record. Thanks to Rob Zwissler for the
611 Invoke the DHCP script with action "tftp" when a TFTP file
612 transfer completes. The size of the file, address to which
613 it was sent and complete pathname are supplied. Note that
614 version 2.60 introduced some script incompatibilties
615 associated with DHCPv6, and this is a further change. To
616 be safe, scripts should ignore unknown actions, and if
617 not IPv6-aware, should exit if the environment
618 variable DNSMASQ_IAID is set. The use-case for this is
619 to track netboot/install. Suggestion from Shantanu
622 Update contrib/port-forward/dnsmasq-portforward to reflect
625 Set the environment variable DNSMASQ_LOG_DHCP when running
626 the script id --log-dhcp is in effect, so that script can
627 taylor their logging verbosity. Suggestion from Malte
630 Arrange that addresses specified with --listen-address
631 work even if there is no interface carrying the
632 address. This is chiefly useful for IPv4 loopback
633 addresses, where any address in 127.0.0.0/8 is a valid
634 loopback address, but normally only 127.0.0.1 appears on
635 the lo interface. Thanks to Mathieu Trudel-Lapierre for
636 the idea and initial patch.
638 Fix crash, introduced in 2.60, when a DHCPINFORM is
639 received from a network which has no valid dhcp-range.
640 Thanks to Stephane Glondu for the bug report.
642 Add a new DHCP lease time keyword, "deprecated" for
643 --dhcp-range. This is only valid for IPv6, and sets the
644 preffered lease time for both DHCP and RA to zero. The
645 effect is that clients can continue to use the address
646 for existing connections, but new connections will use
647 other addresses, if they exist. This makes hitless
648 renumbering at least possible.
650 Fix bug in address6_available() which caused DHCPv6 lease
651 aquisition to fail if more than one dhcp-range in use.
653 Provide RDNSS and DNSSL data in router advertisements,
654 using the settings provided for DHCP options
655 option6:domain-search and option6:dns-server.
657 Tweak logo/favicon.ico to add some transparency. Thanks to
658 SamLT for work on this.
660 Don't cache data from non-recursive nameservers, since it
661 may erroneously look like a valid CNAME to a non-exitant
662 name. Thanks to Ben Winslow for finding this.
664 Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP
665 on exactly one interface and --bind-interfaces is set. This
666 makes the OpenStack use-case of one dnsmasq per virtual
667 interface work. This is only available on Linux; it's not
668 supported on other platforms. Thanks to Vishvananda Ishaya
669 and the OpenStack team for the suggestion.
671 Updated French translation. Thanks to Gildas Le Nadan.
673 Give correct from-cache answers to explict CNAME queries.
674 Thanks to Rob Zwissler for spotting this.
676 Add --tftp-lowercase option. Thanks to Oliver Rath for the
679 Ensure that the DBus DhcpLeaseUpdated events are generated
680 when a lease goes through INIT_REBOOT state, even if the
681 dhcp-script is not in use. Thanks to Antoaneta-Ecaterina
684 Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks
685 to Brad Smith for spotting this.
689 Fix compilation problem in Mac OS X Lion. Thanks to Olaf
690 Flebbe for the patch.
692 Fix DHCP when using --listen-address with an IP address
693 which is not the primary address of an interface.
695 Add --dhcp-client-update option.
697 Add Lua integration. Dnsmasq can now execute a DHCP
698 lease-change script written in Lua. This needs to be
699 enabled at compile time by setting HAVE_LUASCRIPT in
700 src/config.h or running "make COPTS=-DHAVE_LUASCRIPT"
701 Thanks to Jan-Piet Mens for the idea and proof-of-concept
704 Tidied src/config.h to distinguish between
705 platform-dependent compile-time options which are selected
706 automatically, and builder-selectable compile time
707 options. Document the latter better, and describe how to
708 set them from the make command line.
710 Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent)
711 confusion. IPPROTO_IP works everywhere now.
713 Set TOS on DHCP sockets, this improves things on busy
714 wireless networks. Thanks to Dave Taht for the patch.
716 Determine VERSION automatically based on git magic:
717 release tags or hash values.
719 Improve start-up speed when reading large hosts files
720 containing many distinct addresses.
722 Fix problem if dnsmasq is started without the stdin,
723 stdout and stderr file descriptors open. This can manifest
724 itself as 100% CPU use. Thanks to Chris Moore for finding
727 Fix shell-scripting bug in bld/pkg-wrapper. Thanks to
728 Mark Mitchell for the patch.
730 Allow the TFP server or boot server in --pxe-service, to
731 be a domain name instead of an IP address. This allows for
732 round-robin to multiple servers, in the same way as
733 --dhcp-boot. A good suggestion from Cristiano Cumer.
735 Support BUILDDIR variable in the Makefile. Allows builds
736 for multiple archs from the same source tree with eg.
737 make BUILDDIR=linux (relative to dnsmasq tree)
738 make BUILDDIR=/tmp/openbsd (absolute path)
739 If BUILDDIR is not set, compilation happens in the src
740 directory, as before. Suggestion from Mark Mitchell.
742 Support DHCPv6. Support is there for the sort of things
743 the existing v4 server does, including tags, options,
744 static addresses and relay support. Missing is prefix
745 delegation, which is probably not required in the dnsmasq
746 niche, and an easy way to accept prefix delegations from
747 an upstream DHCPv6 server, which is. Future plans include
748 support for DHCPv6 router option and MAC address option
749 (to make selecting clients by MAC address work like IPv4).
750 These will be added as the standards mature.
751 This code has been tested, but this is the first release,
752 so don't bet the farm on it just yet. Many thanks to all
753 testers who have got it this far.
755 Support IPv6 router advertisements. This is a
756 simple-minded implementation, aimed at providing the
757 vestigial RA needed to go alongside IPv6. Is picks up
758 configuration from the DHCPv6 conf, and should just need
759 enabling with --enable-ra.
761 Fix long-standing wrinkle with --localise-queries that
762 could result in wrong answers when DNS packets arrive
763 via an interface other than the expected one. Thanks to
764 Lorenzo Milesi and John Hanks for spotting this one.
766 Update French translation. Thanks to Gildas Le Nadan.
768 Update Polish translation. Thanks to Jan Psota.
772 Fix regression in 2.58 which caused failure to start up
773 with some combinations of dnsmasq config and IPv6 kernel
774 network config. Thanks to Brielle Bruns for the bug
777 Improve dnsmasq's behaviour when network interfaces are
778 still doing duplicate address detection (DAD). Previously,
779 dnsmasq would wait up to 20 seconds at start-up for the
780 DAD state to terminate. This is broken for bridge
781 interfaces on recent Linux kernels, which don't start DAD
782 until the bridge comes up, and so can take arbitrary
783 time. The new behaviour lets dnsmasq poll for an arbitrary
784 time whilst providing service on other interfaces. Thanks
785 to Stephen Hemminger for pointing out the problem.
789 Provide a definition of the SA_SIZE macro where it's
790 missing. Fixes build failure on openBSD.
792 Don't include a zero terminator at the end of messages
793 sent to /dev/log when /dev/log is a datagram socket.
794 Thanks to Didier Rabound for spotting the problem.
796 Add --dhcp-sequential-ip flag, to force allocation of IP
797 addresses in ascending order. Note that the default
798 pseudo-random mode is in general better but some
799 server-deployment applications need this.
801 Fix problem where a server-id of 0.0.0.0 is sent to a
802 client when a dhcp-relay is in use if a client renews a
803 lease after dnsmasq restart and before any clients on the
804 subnet get a new lease. Thanks to Mike Ruiz for assistance
805 in chasing this one down.
807 Don't return NXDOMAIN to an AAAA query if we have CNAME
808 which points to an A record only: NODATA is the correct
809 reply in this case. Thanks to Tom Fernandes for spotting
812 Relax the need to supply a netmask in --dhcp-range for
813 networks which use a DHCP relay. Whilst this is still
814 desireable, in the absence of a netmask dnsmasq will use
815 a default based on the class (A, B, or C) of the address.
816 This should at least remove a cause of mysterious failure
817 for people using RFC1918 addresses and relays.
819 Add support for Linux conntrack connection marking. If
820 enabled with --conntrack, the connection mark for incoming
821 DNS queries will be copied to the outgoing connections
822 used to answer those queries. This allows clever firewall
823 and accounting stuff. Only available if dnsmasq is
824 compiled with HAVE_CONNTRACK and adds a dependency on
825 libnetfilter-conntrack. Thanks to Ed Wildgoose for the
826 initial idea, testing and sponsorship of this function.
828 Provide a sane error message when someone attempts to
829 match a tag in --dhcp-host.
831 Tweak the behaviour of --domain-needed, to avoid problems
832 with recursive nameservers downstream of dnsmasq. The new
833 behaviour only stops A and AAAA queries, and returns
834 NODATA rather than NXDOMAIN replies.
836 Efficiency fix for very large DHCP configurations, thanks
837 to James Gartrell and Mike Ruiz for help with this.
839 Allow the TFTP-server address in --dhcp-boot to be a
840 domain-name which is looked up in /etc/hosts. This can
841 give multiple IP addresses which are used round-robin,
842 thus doing TFTP server load-balancing. Thanks to Sushil
843 Agrawal for the patch.
845 When two tagged dhcp-options for a particular option
846 number are both valid, use the one which is valid without
847 a tag from the dhcp-range. Allows overriding of the value
848 of a DHCP option for a particular host as well as
849 per-network values. So
850 --dhcp-range=set:interface1,......
851 --dhcp-host=set:myhost,.....
852 --dhcp-option=tag:interface1,option:nis-domain,"domain1"
853 --dhcp-option=tag:myhost,option:nis-domain,"domain2"
854 will set the NIS-domain to domain1 for hosts in the range, but
855 override that to domain2 for a particular host.
857 Fix bug which resulted in truncated files and timeouts for
858 some TFTP transfers. The bug only occurs with netascii
859 transfers and needs an unfortunate relationship between
860 file size, blocksize and the number of newlines in the
861 last block before it manifests itself. Many thanks to
862 Alkis Georgopoulos for spotting the problem and providing
863 a comprehensive test-case.
865 Fix regression in TFTP server on *BSD platforms introduced
866 in version 2.56, due to confusion with sockaddr
867 length. Many thanks to Loic Pefferkorn for finding this.
869 Support scope-ids in IPv6 addresses of nameservers from
870 /etc/resolv.conf and in --server options. Eg
871 nameserver fe80::202:a412:4512:7bbf%eth0 or
872 server=fe80::202:a412:4512:7bbf%eth0. Thanks to
873 Michael Stapelberg for the suggestion.
875 Update Polish translation, thanks to Jan Psota.
877 Update French translation. Thanks to Gildas Le Nadan.
881 Add patches to allow build under Android.
883 Provide our own header for the DNS protocol, rather than
884 relying on arpa/nameser.h. This has proved more or less
885 defective over the years and the final straw is that it's
886 effectively empty on Android.
888 Fix regression in 2.56 which caused hex constants in
889 configuration to be rejected if they contain the '*'
892 Correct wrong casts of arguments to ctype.h functions,
893 isdigit(), isxdigit() etc. Thanks to Matthias Andree for
896 Allow build with IDN support independently from i18n.
897 IDN support continues to be included automatically
898 when i18n is included.
899 'make COPTS=-DHAVE_IDN' is the magic incantation.
901 Modify check on extraneous command line junk (added in
902 2.56) so that it doesn't complain about extra _empty_
903 arguments. Otherwise this breaks libvirt.
907 Add a patch to allow dnsmasq to get interface names right in a
908 Solaris zone. Thanks to Dj Padzensky for this.
910 Improve data-type parsing heuristics so that
911 --dhcp-option=option:domain-search,.
912 treats the value as a string and not an IP address.
913 Thanks to Clemens Fischer for spotting that.
915 Add IPv6 support to the TFTP server. Many thanks to Jan
916 'RedBully' Seiffert for the patches.
918 Log DNS queries at level LOG_INFO, rather then
919 LOG_DEBUG. This makes things consistent with DHCP
920 logging. Thanks to Adam Pribyl for spotting the problem.
922 Ensure that dnsmasq terminates cleanly when using
923 --syslog-async even if it cannot make a connection to the
926 Add --add-mac option. This is to support currently
927 experimental DNS filtering facilities. Thanks to Benjamin
928 Petrin for the orignal patch.
930 Fix bug which meant that tags were ignored in dhcp-range
931 configuration specifying PXE-proxy service. Thanks to
932 Cristiano Cumer for spotting this.
934 Raise an error if there is extra junk, not part of an
935 option, on the command line.
937 Flag a couple of log messages in cache.c as coming from
938 the DHCP subsystem. Thanks to Olaf Westrik for the patch.
940 Omit timestamps from logs when a) logging to stderr and
941 b) --keep-in-forground is set. The logging facility on the
942 other end of stderr can be assumned to supply them. Thanks
943 to John Hallam for the patch.
945 Don't complain about strings longer than 255 characters in
946 --txt-record, just split the long strings into 255
947 character chunks instead.
949 Fix crash on double-free. This bug can only happen when
950 dhcp-script is in use and then only in rare circumstances
951 triggered by high DHCP transaction rate and a slow
952 script. Thanks to Ferenc Wagner for finding the problem.
954 Only log that a file has been sent by TFTP after the
955 transfer has completed succesfully.
957 A good suggestion from Ferenc Wagner: extend
958 the --domain option to allow this sort of thing:
959 --domain=thekelleys.org.uk,192.168.0.0/24,local
960 which automatically creates
961 --local=/thekelleys.org.uk/
962 --local=/0.168.192.in-addr.arpa/
964 Tighten up syntax checking of hex contants in the config
965 file. Thanks to Fred Damen for spotting this.
967 Add dnsmasq logo/icon, contributed by Justin Swift. Many
970 Never cache DNS replies which have the 'cd' bit set, or
971 which result from queries forwarded with the 'cd' bit
972 set. The 'cd' bit instructs a DNSSEC validating server
973 upstream to ignore signature failures and return replies
974 anyway. Without this change it's possible to pollute the
975 dnsmasq cache with bad data by making a query with the
976 'cd' bit set and subsequent queries would return this data
977 without its being marked as suspect. Thanks to Anders
978 Kaseorg for pointing out this problem.
980 Add --proxy-dnssec flag, for compliance with RFC
981 4035. Dnsmasq will now clear the 'ad' bit in answers returned
982 from upstream validating nameservers unless this option is
985 Allow a filename of "-" for --conf-file to read
986 stdin. Suggestion from Timothy Redaelli.
988 Rotate the order of SRV records in replies, to provide
989 round-robin load balancing when all the priorities are
990 equal. Thanks to Peter McKinney for the suggestion.
993 contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist
994 so that it doesn't log all queries to a file by
995 default. Thanks again to Peter McKinney.
997 By default, setting an IPv4 address for a domain but not
998 an IPv6 address causes dnsmasq to return
999 an NODATA reply for IPv6 (or vice-versa). So
1000 --address=/google.com/1.2.3.4 stops IPv6 queries for
1001 *google.com from being forwarded. Make it possible to
1002 override this behaviour by defining the sematics if the
1003 same domain appears in both --server and --address.
1004 In that case, the --address has priority for the address
1005 family in which is appears, but the --server has priority
1006 of the address family which doesn't appear in --adddress
1008 --address=/google.com/1.2.3.4
1009 --server=/google.com/#
1010 will return 1.2.3.4 for IPv4 queries for *.google.com but
1011 forward IPv6 queries to the normal upstream nameserver.
1012 Similarly when setting an IPv6 address
1013 only this will allow forwarding of IPv4 queries. Thanks to
1014 William for pointing out the need for this.
1016 Allow more than one --dhcp-optsfile and --dhcp-hostsfile
1017 and make them understand directories as arguments in the
1018 same way as --addn-hosts. Suggestion from John Hanks.
1020 Ignore rebinding requests for leases we don't know
1021 about. Rebind is broadcast, so we might get to overhear a
1022 request meant for another DHCP server. NAKing this is
1023 wrong. Thanks to Brad D'Hondt for assistance with this.
1025 Fix cosmetic bug which produced strange output when
1026 dumping cache statistics with some configurations. Thanks
1027 to Fedor Kozhevnikov for spotting this.
1031 Fix crash when /etc/ethers is in use. Thanks to
1032 Gianluigi Tiesi for finding this.
1034 Fix crash in netlink_multicast(). Thanks to Arno Wald for
1037 Allow the empty domain "." in dhcp domain-search (119)
1042 There is no version 2.54 to avoid confusion with 2.53,
1043 which incorrectly identifies itself as 2.54.
1047 Fix failure to compile on Debian/kFreeBSD. Thanks to
1048 Axel Beckert and Petr Salinger.
1050 Fix code to avoid scary strict-aliasing warnings
1051 generated by gcc 4.4.
1053 Added FAQ entry warning about DHCP failures with Vista
1054 when firewalls block 255.255.255.255.
1056 Fixed bug which caused bad things to happen if a
1057 resolv.conf file which exists is subsequently removed.
1058 Thanks to Nikolai Saoukh for the patch.
1060 Rationalised the DHCP tag system. Every configuration item
1061 which can set a tag does so by adding "set:<tag>" and
1062 every configuration item which is conditional on a tag is
1063 made so by "tag:<tag>". The NOT operator changes to '!',
1064 which is a bit more intuitive too. Dhcp-host directives
1065 can set more than one tag now. The old '#' NOT,
1066 "net:" prefix and no-prefixes are still honoured, so
1067 no existing config file needs to be changed, but
1068 the documentation and new-style config files should be
1069 much less confusing.
1071 Added --tag-if to allow boolean operations on tags.
1072 This allows complicated logic to be clearer and more
1073 general. A great suggestion from Richard Voigt.
1075 Add broadcast/unicast information to DHCP logging.
1077 Allow --dhcp-broadcast to be unconditional.
1079 Fixed incorrect behaviour with NOT <tag> conditionals in
1080 dhcp-options. Thanks to Max Turkewitz for assistance
1083 If we send vendor-class encapsulated options based on the
1084 vendor-class supplied by the client, and no explicit
1085 vendor-class option is given, echo back the vendor-class
1088 Fix bug which stopped dnsmasq from matching both a
1089 circuitid and a remoteid. Thanks to Ignacio Bravo for
1092 Add --dhcp-proxy, which makes it possible to configure
1093 dnsmasq to use a DHCP relay agent as a full proxy, with
1094 all DHCP messages passing through the proxy. This is
1095 useful if the relay adds extra information to the packets
1096 it forwards, but cannot be configured with the RFC 5107
1097 server-override option.
1099 Added interface:<iface name> part to dhcp-range. The
1100 semantics of this are very odd at first sight, but it
1101 allows a single line of the form
1102 dhcp-range=interface:virt0,192.168.0.4,192.168.0.200
1103 to be added to dnsmasq configuration which then supplies
1104 DHCP and DNS services to that interface, without affecting
1105 what services are supplied to other interfaces and
1106 irrespective of the existance or lack of
1107 interface=<interface>
1108 lines elsewhere in the dnsmasq configuration. The idea is
1109 that such a line can be added automatically by libvirt
1110 or equivalent systems, without disturbing any manual
1113 Similarly to the above, allow --enable-tftp=<interface>
1115 Allow a TFTP root to be set separately for requests via
1116 different interfaces, --tftp-root=<path>,<interface>
1118 Correctly handle and log clashes between CNAMES and
1119 DNS names being given to DHCP leases. This fixes a bug
1120 which caused nonsense IP addresses to be logged. Thanks to
1121 Sergei Zhirikov for finding and analysing the problem.
1123 Tweak flush_log so as to avoid leaving the log
1124 file in non-blocking mode. O_NONBLOCK is a property of the
1125 file, not the process/descriptor.
1127 Fix contrib/Solaris10/create_package
1128 (/usr/man -> /usr/share/man) Thanks to Vita Batrla.
1130 Fix a problem where, if a client got a lease, then went
1131 to another subnet and got another lease, then moved back,
1132 it couldn't resume the old lease, but would instead get
1133 a new address. Thanks to Leonardo Rodrigues for spotting
1134 this and testing the fix.
1136 Fix weird bug which sometimes omitted certain characters
1137 from the start of quoted strings in dhcp-options. Thanks
1138 to Dayton Turner for spotting the problem.
1140 Add facility to redirect some domains to the standard
1141 upstream servers: this allows something like
1142 --server=/google.com/1.2.3.4 --server=/www.google.com/#
1143 which will send queries for *.google.com to 1.2.3.4,
1144 except *www.google.com which will be forwarded as usual.
1145 Thanks to AJ Weber for prompting this addition.
1147 Improve the hash-algorithm used to generate IP addresses
1148 from MAC addresses during initial DHCP address
1149 allocation. This improves performance when large numbers
1150 of hosts with similar MAC addresses all try and get an IP
1151 address at the same time. Thanks to Paul Smith for his
1154 Tweak DHCP code so that --bridge-interface can be used to
1155 select which IP alias of an interface should be used for
1156 DHCP purposes on Linux. If eth0 has an alias eth0:dhcp
1157 then adding --bridge-interface=eth0:dhcp,eth0 will use
1158 the address of eth0:dhcp to determine the correct subnet
1159 for DHCP address allocation. Thanks to Pawel Golaszewski
1160 for prompting this and Eric Cooper for further testing.
1162 Add --dhcp-generate-names. Suggestion by Ferenc Wagner.
1164 Tweak DNS server selection algorithm when there is more
1165 than one server available for a domain, eg.
1166 --server=/mydomain/1.1.1.1
1167 --server=/mydomain/2.2.2.2
1168 Thanks to Alberto Cuesta-Canada for spotting a weakness
1171 Add --max-ttl. Thanks to Fredrik Ringertz for the patch.
1173 Allow --log-facility=- to force all logging to
1174 stderr. Suggestion from Clemens Fischer.
1176 Fix regression which caused configuration like
1177 --address=/.domain.com/1.2.3.4 to be rejected. The dot to the
1178 left of the domain has been implied and not required for a
1179 long time, but it should be accepted for backward
1180 compatibility. Thanks to Andrew Burcin for spotting this.
1182 Add --rebind-domain-ok and --rebind-localhost-ok.
1183 Suggestion from Clemens Fischer.
1185 Log replies to queries of type TXT, when --log-queries
1188 Fix compiler warnings when compiled with -DNO_DHCP. Thanks
1189 to Shantanu Gadgil for the patch.
1191 Updated French translation. Thanks to Gildas Le Nadan.
1193 Updated Polish translation. Thanks to Jan Psota.
1195 Updated German translation. Thanks to Matthias Andree.
1197 Added contrib/static-arp, thanks to Darren Hoo.
1199 Fix corruption of the domain when a name from /etc/hosts
1200 overrides one supplied by a DHCP client. Thanks to Fedor
1201 Kozhevnikov for spotting the problem.
1203 Updated Spanish translation. Thanks to Chris Chatham.
1207 Work around a Linux kernel bug which insists that the
1208 length of the option passed to setsockopt must be at least
1209 sizeof(int) bytes, even if we're calling SO_BINDTODEVICE
1210 and the device name is "lo". Note that this is fixed
1211 in kernel 2.6.31, but the workaround is harmless and
1212 allows earlier kernels to be used. Also fix dnsmasq
1213 bug which reported the wrong address when this failed.
1214 Thanks to Fedor for finding this.
1216 The API for IPv6 PKTINFO changed around Linux kernel
1217 2.6.14. Workaround the case where dnsmasq is compiled
1218 against newer headers, but then run on an old kernel:
1219 necessary for some *WRT distros.
1221 Re-read the set of network interfaces when re-loading
1222 /etc/resolv.conf if --bind-interfaces is not set. This
1223 handles the case that loopback interfaces do not exist
1224 when dnsmasq is first started.
1226 Tweak the PXE code to support port 4011. This should
1227 reduce broadcasts and make things more reliable when other
1228 servers are around. It also improves inter-operability
1229 with certain clients.
1231 Make a pxe-service configuration with no filename or boot
1232 service type legal: this does a local boot. eg.
1233 pxe-service=x86PC, "Local boot"
1235 Be more conservative in detecting "A for A"
1236 queries. Dnsmasq checks if the name in a type=A query looks
1237 like a dotted-quad IP address and answers the query itself
1238 if so, rather than forwarding it. Previously dnsmasq
1239 relied in the library function inet_addr() to convert
1240 addresses, and that will accept some things which are
1241 confusing in this context, like 1.2.3 or even just
1242 1234. Now we only do A for A processing for four decimal
1243 numbers delimited by dots.
1245 A couple of tweaks to fix compilation on Solaris. Thanks
1246 to Joel Macklow for help with this.
1248 Another Solaris compilation tweak, needed for Solaris
1249 2009.06. Thanks to Lee Essen for that.
1251 Added extract packaging stuff from Lee Essen to
1254 Increased the default limit on number of leases to 1000
1255 (from 150). This is mainly a defence against DoS attacks,
1256 and for the average "one for two class C networks"
1257 installation, IP address exhaustion does that just as
1258 well. Making the limit greater than the number of IP
1259 addresses available in such an installation removes a
1260 surprise which otherwise can catch people out.
1262 Removed extraneous trailing space in the value of the
1263 DNSMASQ_TIME_REMAINING DNSMASQ_LEASE_LENGTH and
1264 DNSMASQ_LEASE_EXPIRES environment variables. Thanks to
1265 Gildas Le Nadan for spotting this.
1267 Provide the network-id tags for a DHCP transaction to
1268 the lease-change script in the environment variable
1269 DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan.
1271 Add support for RFC3925 "Vendor-Identifying Vendor
1272 Options". The syntax looks like this:
1273 --dhcp-option=vi-encap:<enterprise number>, .........
1275 Add support to --dhcp-match to allow matching against
1276 RFC3925 "Vendor-Identifying Vendor Classes". The syntax
1278 --dhcp-match=tag,vi-encap<enterprise number>, <value>
1280 Add some application specific code to assist in
1281 implementing the Broadband forum TR069 CPE-WAN
1282 specification. The details are in contrib/CPE-WAN/README
1284 Increase the default DNS packet size limit to 4096, as
1285 recommended by RFC5625 section 4.4.3. This can be
1286 reconfigured using --edns-packet-max if needed. Thanks to
1287 Francis Dupont for pointing this out.
1289 Rewrite query-ids even for TSIG signed packets, since
1290 this is allowed by RFC5625 section 4.5.
1292 Use getopt_long by default on OS X. It has been supported
1293 since version 10.3.0. Thanks to Arek Dreyer for spotting
1296 Added up-to-date startup configuration for MacOSX/launchd
1297 in contrib/MacOSX-launchd. Thanks to Arek Dreyer for
1300 Fix link error when including Dbus but excluding DHCP.
1301 Thanks to Oschtan for the bug report.
1303 Updated French translation. Thanks to Gildas Le Nadan.
1305 Updated Polish translation. Thanks to Jan Psota.
1307 Updated Spanish translation. Thanks to Chris Chatham.
1309 Fixed confusion about domains, when looking up DHCP hosts
1310 in /etc/hosts. This could cause spurious "Ignoring
1311 domain..." messages. Thanks to Fedor Kozhevnikov for
1312 finding and analysing the problem.
1316 Add support for internationalised DNS. Non-ASCII characters
1317 in domain names found in /etc/hosts, /etc/ethers and
1318 /etc/dnsmasq.conf will be correctly handled by translation to
1319 punycode, as specified in RFC3490. This function is only
1320 available if dnsmasq is compiled with internationalisation
1321 support, and adds a dependency on GNU libidn. Without i18n
1322 support, dnsmasq continues to be compilable with just
1323 standard tools. Thanks to Yves Dorfsman for the
1326 Add two more environment variables for lease-change scripts:
1327 First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname
1328 supplied by a client, even if the actual hostname used is
1329 over-ridden by dhcp-host or dhcp-ignore-names directives.
1330 Also DNSMASQ_RELAY_ADDRESS which gives the address of
1331 a DHCP relay, if used.
1332 Suggestions from Michael Rack.
1334 Fix regression which broke echo of relay-agent
1335 options. Thanks to Michael Rack for spotting this.
1337 Don't treat option 67 as being interchangeable with
1338 dhcp-boot parameters if it's specified as
1341 Make the code to call scripts on lease-change compile-time
1342 optional. It can be switched off by editing src/config.h
1343 or building with "make COPTS=-DNO_SCRIPT".
1345 Make the TFTP server cope with filenames from Windows/DOS
1346 which use '\' as pathname separator. Thanks to Ralf for
1349 Updated Polish translation. Thanks to Jan Psota.
1351 Warn if an IP address is duplicated in /etc/ethers. Thanks
1352 to Felix Schwarz for pointing this out.
1354 Teach --conf-dir to take an option list of file suffices
1355 which will be ignored when scanning the directory. Useful
1356 for backup files etc. Thanks to Helmut Hullen for the
1359 Add new DHCP option named tftpserver-address, which
1360 corresponds to the third argument of dhcp-boot. This
1361 allows the complete functionality of dhcp-boot to be
1362 replicated with dhcp-option. Useful when using
1365 Test which upstream nameserver to use every 10 seconds
1366 or 50 queries and not just when a query times out and
1367 is retried. This should improve performance when there
1368 is a slow nameserver in the list. Thanks to Joe for the
1371 Don't do any PXE processing, even for clients with the
1372 correct vendorclass, unless at least one pxe-prompt or
1373 pxe-service option is given. This stops dnsmasq
1374 interfering with proxy PXE subsystems when it is just
1375 the DHCP server. Thanks to Spencer Clark for spotting this.
1377 Limit the blocksize used for TFTP transfers to a value
1378 which avoids packet fragmentation, based on the MTU of the
1379 local interface. Many netboot ROMs can't cope with
1382 Honour dhcp-ignore configuration for PXE and proxy-PXE
1383 requests. Thanks to Niels Basjes for the bug report.
1385 Updated French translation. Thanks to Gildas Le Nadan.
1389 Fix security problem which allowed any host permitted to
1390 do TFTP to possibly compromise dnsmasq by remote buffer
1391 overflow when TFTP enabled. Thanks to Core Security
1392 Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro
1393 Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and
1394 Pablo Annetta. This problem has Bugtraq id: 36121
1397 Fix a problem which allowed a malicious TFTP client to
1398 crash dnsmasq. Thanks to Steve Grubb at Red Hat for
1399 spotting this. This problem has Bugtraq id: 36120 and
1404 Fix regression in 2.48 which disables the lease-change
1405 script. Thanks to Jose Luis Duran for spotting this.
1407 Log TFTP "file not found" errors. These were not logged,
1408 since a normal PXELinux boot generates many of them, but
1409 the lack of the messages seems to be more confusing than
1410 routinely seeing them when there is no real error.
1412 Update Spanish translation. Thanks to Chris Chatham.
1416 Archived the extensive, backwards, changelog to
1417 CHANGELOG.archive. The current changelog now runs from
1418 version 2.43 and runs conventionally.
1420 Fixed bug which broke binding of servers to physical
1421 interfaces when interface names were longer than four
1422 characters. Thanks to MURASE Katsunori for the patch.
1424 Fixed netlink code to check that messages come from the
1425 correct source, and not another userspace process. Thanks
1426 to Steve Grubb for the patch.
1428 Maintainability drive: removed bug and missing feature
1429 workarounds for some old platforms. Solaris 9, OpenBSD
1430 older than 4.1, Glibc older than 2.2, Linux 2.2.x and
1431 DBus older than 1.1.x are no longer supported.
1433 Don't read included configuration files more than once:
1434 allows complex configuration structures without problems.
1436 Mark log messages from the various subsystems in dnsmasq:
1437 messages from the DHCP subsystem now have the ident string
1438 "dnsmasq-dhcp" and messages from TFTP have ident
1439 "dnsmasq-tftp". Thanks to Olaf Westrik for the patch.
1441 Fix possible infinite DHCP protocol loop when an IP
1442 address nailed to a hostname (not a MAC address) and a
1443 host sometimes provides the name, sometimes not.
1445 Allow --addn-hosts to take a directory: all the files
1446 in the directory are read. Thanks to Phil Cornelius for
1449 Support --bridge-interface on all platforms, not just BSD.
1451 Added support for advanced PXE functions. It's now
1452 possible to define a prompt and menu options which will
1453 be displayed when a client PXE boots. It's also possible to
1454 hand-off booting to other boot servers. Proxy-DHCP, where
1455 dnsmasq just supplies the PXE information and another DHCP
1456 server does address allocation, is also allowed. See the
1457 --pxe-prompt and --pxe-service keywords. Thanks to
1458 Alkis Georgopoulos for the suggestion and Guilherme Moro
1459 and Michael Brown for assistance.
1461 Improvements to DHCP logging. Thanks to Tom Metro for
1464 Add ability to build dnsmasq without DHCP support. To do
1465 this, edit src/config.h or build with
1466 "make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch.
1468 Added --test command-line switch - syntax check
1469 configuration files only.
1471 Updated French translation. Thanks to Gildas Le Nadan.
1475 Updated French translation. Thanks to Gildas Le Nadan.
1477 Fixed interface enumeration code to work on NetBSD
1478 5.0. Thanks to Roy Marples for the patch.
1480 Updated config.h to use the same location for the lease
1481 file on NetBSD as the other *BSD variants. Also allow
1482 LEASEFILE and CONFFILE symbols to be overriden in CFLAGS.
1484 Handle duplicate address detection on IPv6 more
1485 intelligently. In IPv6, an interface can have an address
1486 which is not usable, because it is still undergoing DAD
1487 (such addresses are marked "tentative"). Attempting to
1488 bind to an address in this state returns an error,
1489 EADDRNOTAVAIL. Previously, on getting such an error,
1490 dnsmasq would silently abandon the address, and never
1491 listen on it. Now, it retries once per second for 20
1492 seconds before generating a fatal error. 20 seconds should
1493 be long enough for any DAD process to complete, but can be
1494 adjusted in src/config.h if necessary. Thanks to Martin
1495 Krafft for the bug report.
1497 Add DBus introspection. Patch from Jeremy Laine.
1499 Update Dbus configuration file. Patch from Colin Walters.
1501 http://bugs.freedesktop.org/show_bug.cgi?id=18961
1503 Support arbitrarily encapsulated DHCP options, suggestion
1504 and initial patch from Samium Gromoff. This is useful for
1505 (eg) gPXE, which expect all its private options to be
1506 encapsulated inside a single option 175. So, eg,
1508 dhcp-option = encap:175, 190, "iscsi-client0"
1509 dhcp-option = encap:175, 191, "iscsi-client0-secret"
1511 will provide iSCSI parameters to gPXE.
1513 Enhance --dhcp-match to allow testing of the contents of a
1514 client-sent option, as well as its presence. This
1515 application in mind for this is RFC 4578
1516 client-architecture specifiers, but it's generally useful.
1517 Joey Korkames suggested the enhancement.
1519 Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on
1520 OpenSolaris. Thanks to Bastian Machek for the heads-up.
1522 No longer complain about blank lines in
1523 /etc/ethers. Thanks to Jon Nelson for the patch.
1525 Fix binding of servers to physical devices, eg
1526 --server=/domain/1.2.3.4@eth0 which was broken from 2.43
1527 onwards unless --query-port=0 set. Thanks to Peter Naulls
1530 Reply to DHCPINFORM requests even when the supplied ciaddr
1531 doesn't fall in any dhcp-range. In this case it's not
1532 possible to supply a complete configuration, but
1533 individually-configured options (eg PAC) may be useful.
1535 Allow the source address of an alias to be a range:
1536 --alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole
1537 subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255,
1539 --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
1540 maps only the 192.168.0.10->192.168.0.40 region. Thanks to
1541 Ib Uhrskov for the suggestion.
1543 Don't dynamically allocate DHCP addresses which may break
1544 Windows. Addresses which end in .255 or .0 are broken in
1545 Windows even when using supernetting.
1546 --dhcp-range=192.168.0.1,192.168.1.254,255,255,254.0 means
1547 192.168.0.255 is a valid IP address, but not for Windows.
1548 See Microsoft KB281579. We therefore no longer allocate
1549 these addresses to avoid hard-to-diagnose problems.
1551 Update Polish translation. Thanks to Jan Psota.
1553 Delete the PID-file when dnsmasq shuts down. Note that by
1554 this time, dnsmasq is normally not running as root, so
1555 this will fail if the PID-file is stored in a root-owned
1556 directory; such failure is silently ignored. To take
1557 advantage of this feature, the PID-file must be stored in a
1558 directory owned and write-able by the user running
1563 Allow --bootp-dynamic to take a netid tag, so that it may
1564 be selectively enabled. Thanks to Olaf Westrik for the
1567 Remove ISC-leasefile reading code. This has been
1568 deprecated for a long time, and last time I removed it, it
1569 ended up going back by request of one user. This time,
1570 it's gone for good; otherwise it would need to be
1571 re-worked to support multiple domains (see below).
1573 Support DHCP clients in multiple DNS domains. This is a
1574 long-standing request. Clients are assigned to a domain
1575 based in their IP address.
1577 Add --dhcp-fqdn flag, which changes behaviour if DNS names
1578 assigned to DHCP clients. When this is set, there must be
1579 a domain associated with each client, and only
1580 fully-qualified domain names are added to the DNS. The
1581 advantage is that the only the FQDN needs to be unique,
1582 so that two or more DHCP clients can share a hostname, as
1583 long as they are in different domains.
1585 Set environment variable DNSMASQ_DOMAIN when invoking
1586 lease-change script. This may be useful information to
1587 have now that it's variable.
1589 Tighten up data-checking code for DNS packet
1590 handling. Thanks to Steve Dodd who found certain illegal
1591 packets which could crash dnsmasq. No memory overwrite was
1592 possible, so this is not a security issue beyond the DoS
1595 Update example config dhcp option 47, the previous
1596 suggestion generated an illegal, zero-length,
1597 option. Thanks to Matthias Andree for finding this.
1599 Rewrite hosts-file reading code to remove the limit of
1600 1024 characters per line. John C Meuser found this.
1602 Create a net-id tag with the name of the interface on
1603 which the DHCP request was received.
1605 Fixed minor memory leak in DBus code, thanks to Jeremy
1606 Laine for the patch.
1608 Emit DBus signals as the DHCP lease database
1609 changes. Thanks to Jeremy Laine for the patch.
1611 Allow for more that one MAC address in a dhcp-host
1612 line. This configuration tells dnsmasq that it's OK to
1613 abandon a DHCP lease of the fixed address to one MAC
1614 address, if another MAC address in the dhcp-host statement
1615 asks for an address. This is useful to give a fixed
1616 address to a host which has two network interfaces
1617 (say, a laptop with wired and wireless interfaces.)
1618 It's very important to ensure that only one interface
1619 at a time is up, since dnsmasq abandons the first lease
1620 and re-uses the address before the leased time has
1621 elapsed. John Gray suggested this.
1623 Tweak the response to a DHCP request packet with a wrong
1624 server-id when --dhcp-authoritative is set; dnsmasq now
1625 returns a DHCPNAK, rather than silently ignoring the
1626 packet. Thanks to Chris Marget for spotting this
1629 Add --cname option. This provides a limited alias
1630 function, usable for DHCP names. Thanks to AJ Weber for
1631 suggestions on this.
1633 Updated contrib/webmin with latest version from Neil
1636 Updated Polish translation. Thanks to Jan Psota.
1638 Correct the text names for DHCP options 64 and 65 to be
1639 "nis+-domain" and "nis+-servers".
1641 Updated Spanish translation. Thanks to Chris Chatham.
1643 Force re-reading of /etc/resolv.conf when an "interface
1648 Fix total DNS failure in release 2.44 unless --min-port
1649 specified. Thanks to Steven Barth and Grant Coady for
1650 bugreport. Also reject out-of-range port spec, which could
1651 break things too: suggestion from Gilles Espinasse.
1655 Fix crash when unknown client attempts to renew a DHCP
1656 lease, problem introduced in version 2.43. Thanks to
1657 Carlos Carvalho for help chasing this down.
1659 Fix potential crash when a host which doesn't have a lease
1660 does DHCPINFORM. Again introduced in 2.43. This bug has
1661 never been reported in the wild.
1663 Fix crash in netlink code introduced in 2.43. Thanks to
1664 Jean Wolter for finding this.
1666 Change implementation of min_port to work even if min-port
1669 Patch to enable compilation of latest Mac OS X. Thanks to
1672 Update Spanish translation. Thanks to Christopher Chatham.
1676 Updated Polish translation. Thanks to Jan Psota.
1678 Flag errors when configuration options are repeated
1681 Further tweaks for GNU/kFreeBSD
1683 Add --no-wrap to msgmerge call - provides nicer .po file
1686 Honour lease-time spec in dhcp-host lines even for
1687 BOOTP. The user is assumed to known what they are doing in
1688 this case. (Hosts without the time spec still get infinite
1689 leases for BOOTP, over-riding the default in the
1690 dhcp-range.) Thanks to Peter Katzmann for uncovering this.
1692 Fix problem matching relay-agent ids. Thanks to Michael
1693 Rack for the bug report.
1695 Add --naptr-record option. Suggestion from Johan
1698 Implement RFC 5107 server-id-override DHCP relay agent
1701 Apply patches from Stefan Kruger for compilation on
1702 Solaris 10 under Sun studio.
1704 Yet more tweaking of Linux capability code, to suppress
1705 pointless wingeing from kernel 2.6.25 and above.
1707 Improve error checking during startup. Previously, some
1708 errors which occurred during startup would be worked
1709 around, with dnsmasq still starting up. Some were logged,
1710 some silent. Now, they all cause a fatal error and dnsmasq
1711 terminates with a non-zero exit code. The errors are those
1712 associated with changing uid and gid, setting process
1713 capabilities and writing the pidfile. Thanks to Uwe
1714 Gansert and the Suse security team for pointing out
1715 this improvement, and Bill Reimers for good implementation
1718 Provide NO_LARGEFILE compile option to switch off largefile
1719 support when compiling against versions of uclibc which
1720 don't support it. Thanks to Stephane Billiart for the patch.
1722 Implement random source ports for interactions with
1723 upstream nameservers. New spoofing attacks have been found
1724 against nameservers which do not do this, though it is not
1725 clear if dnsmasq is vulnerable, since to doesn't implement
1726 recursion. By default dnsmasq will now use a different
1727 source port (and socket) for each query it sends
1728 upstream. This behaviour can suppressed using the
1729 --query-port option, and the old default behaviour
1730 restored using --query-port=0. Explicit source-port
1731 specifications in --server configs are still honoured.
1733 Replace the random number generator, for better
1734 security. On most BSD systems, dnsmasq uses the
1735 arc4random() RNG, which is secure, but on other platforms,
1736 it relied on the C-library RNG, which may be
1737 guessable and therefore allow spoofing. This release
1738 replaces the libc RNG with the SURF RNG, from Daniel
1739 J. Berstein's DJBDNS package.
1741 Don't attempt to change user or group or set capabilities
1742 if dnsmasq is run as a non-root user. Without this, the
1743 change from soft to hard errors when these fail causes
1744 problems for non-root daemons listening on high
1745 ports. Thanks to Patrick McLean for spotting this.
1747 Updated French translation. Thanks to Gildas Le Nadan.
1751 The changelog for version 2.42 and earlier is
1752 available in CHANGELOG.archive.