blob: ca555edd86f41ab9b8452df761781c4456cd26a0 [file] [log] [blame]
Simon Kelley9e169a92021-02-22 23:07:48 +00001version 2.85
2 Fix problem with DNS retries in 2.83/2.84.
3 The new logic in 2.83/2.84 which merges distinct requests
4 for the same domain causes problems with clients which do
5 retries as distinct requests (differing IDs and/or source ports.)
6 The retries just get piggy-backed on the first, failed, request.
7 The logic is now changed so that distinct requests for repeated
8 queries still get merged into a single ID/source port, but
9 they now always trigger a re-try upstream.
10 Thanks to Nicholas Mu for his analysis.
11
12 Tweak sort order of tags in get-version. v2.84 sorts
13 before v2.83, but v2.83 sorts before v2.83rc1 and 2.83rc1
14 sorts before v2.83test1. This fixes the problem which lead
15 to 2.84 announcing itself as 2.84rc2.
16
Simon Kelleyb7cf7542021-03-04 16:54:14 +000017 Avoid treating a --dhcp-host which has an IPv6 address
Matthias Andree2a407a72021-03-27 15:41:45 +010018 as eligible for use with DHCPv4 on the grounds that it has
Simon Kelleye7c0d7b2021-02-28 17:56:54 +000019 no address, and vice-versa. Thanks to Viktor Papp for
20 spotting the problem. (This bug was fixed was back in 2.67, and
Matthias Andree2a407a72021-03-27 15:41:45 +010021 then regressed in 2.81).
Simon Kelleyb7cf7542021-03-04 16:54:14 +000022
23 Add --dynamic-host option: A and AAAA records which take their
24 network part from the network of a local interface. Useful
25 for routers with dynamically prefixes. Thanks
26 to Fred F for the suggestion.
27
Simon Kelley9eaa91b2021-03-17 20:31:06 +000028 Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet.
Simon Kelley023ace82021-03-17 20:42:21 +000029
Simon Kelley74d4fcd2021-03-15 21:59:51 +000030 Use random source ports where possible if source
31 addresses/interfaces in use.
32 CVE-2021-3448 applies. Thanks to Petr Menšík for spotting this.
33 It's possible to specify the source address or interface to be
Matthias Andree2a407a72021-03-27 15:41:45 +010034 used when contacting upstream name servers: server=8.8.8.8@1.2.3.4
Simon Kelley74d4fcd2021-03-15 21:59:51 +000035 or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of
36 these have, until now, used a single socket, bound to a fixed
37 port. This was originally done to allow an error (non-existent
38 interface, or non-local address) to be detected at start-up. This
39 means that any upstream servers specified in such a way don't use
40 random source ports, and are more susceptible to cache-poisoning
41 attacks.
42 We now use random ports where possible, even when the
43 source is specified, so server=8.8.8.8@1.2.3.4 or
44 server=8.8.8.8@eth0 will use random source
45 ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will
46 use the explicitly configured port, and should only be done with
47 understanding of the security implications.
48 Note that this change changes non-existing interface, or non-local
49 source address errors from fatal to run-time. The error will be
Matthias Andree2a407a72021-03-27 15:41:45 +010050 logged and communication with the server not possible.
Simon Kelleyb7cf7542021-03-04 16:54:14 +000051
Simon Kelley4a8c0982021-03-26 21:19:39 +000052 Change the method of allocation of random source ports for DNS.
53 Previously, without min-port or max-port configured, dnsmasq would
54 default to the compiled in defaults for those, which are 1024 and
55 65535. Now, when neither are configured, it defaults instead to
56 the kernel's ephemeral port range, which is typically
57 32768 to 60999 on Linux systems. This change eliminates the
58 possibility that dnsmasq may be using a registered port > 1024
59 when a long-running daemon starts up and wishes to claim it.
Matthias Andree2a407a72021-03-27 15:41:45 +010060 This change does likely slightly reduce the number of random ports
Simon Kelley4a8c0982021-03-26 21:19:39 +000061 and therefore the protection from reply spoofing. The older
62 behaviour can be restored using the min-port and max-port config
63 switches should that be a concern.
Simon Kelley023ace82021-03-17 20:42:21 +000064
Simon Kelleyea28d0e2021-03-26 22:02:04 +000065 Scale the size of the DNS random-port pool based on the
66 value of the --dns-forward-max configuration.
67
Matthias Andree89df73a2021-04-03 23:01:46 +010068 Tweak TFTP code to check sender of all received packets, as
Simon Kelleydfb1f7c2021-03-30 21:21:09 +010069 specified in RFC 1350 para 4.
70
Simon Kelley4a8c0982021-03-26 21:19:39 +000071
Simon Kelley9e169a92021-02-22 23:07:48 +000072version 2.84
73 Fix a problem, introduced in 2.83, which could see DNS replies
74 being sent via the wrong socket. On machines running both
75 IPv4 and IPv6 this could result in sporadic messages of
76 the form "failed to send packet: Network is unreachable" and
77 the lost of the query. Since the error is sporadic and of
78 low probability, the client retry would normally succeed.
79
80 Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH.
81
Simon Kelley023ace82021-03-17 20:42:21 +000082
Simon Kelleya2a7e042020-12-12 23:26:45 +000083version 2.83
84 Use the values of --min-port and --max-port in outgoing
85 TCP connections to upstream DNS servers.
86
Simon Kelley4e96a4b2020-11-11 23:25:04 +000087 Fix a remote buffer overflow problem in the DNSSEC code. Any
88 dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
Simon Kelleye01e09c2021-01-08 22:50:03 +000089 referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
90 CVE-2020-25687.
Simon Kelley4e96a4b2020-11-11 23:25:04 +000091
Simon Kelley257ac0c2020-11-12 18:49:23 +000092 Be sure to only accept UDP DNS query replies at the address
93 from which the query was originated. This keeps as much entropy
Simon Kelley15b60dd2020-11-18 18:34:55 +000094 in the {query-ID, random-port} tuple as possible, to help defeat
Simon Kelleye01e09c2021-01-08 22:50:03 +000095 cache poisoning attacks. Refer: CVE-2020-25684.
Simon Kelley4e96a4b2020-11-11 23:25:04 +000096
Simon Kelley2d765862020-11-12 22:06:07 +000097 Use the SHA-256 hash function to verify that DNS answers
98 received are for the questions originally asked. This replaces
99 the slightly insecure SHA-1 (when compiled with DNSSEC) or
Simon Kelleye01e09c2021-01-08 22:50:03 +0000100 the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
Simon Kelley15b60dd2020-11-18 18:34:55 +0000101
102 Handle multiple identical near simultaneous DNS queries better.
103 Previously, such queries would all be forwarded
Matthias Andree2a407a72021-03-27 15:41:45 +0100104 independently. This is, in theory, inefficient but in practise
Simon Kelley15b60dd2020-11-18 18:34:55 +0000105 not a problem, _except_ that is means that an answer for any
106 of the forwarded queries will be accepted and cached.
107 An attacker can send a query multiple times, and for each repeat,
108 another {port, ID} becomes capable of accepting the answer he is
109 sending in the blind, to random IDs and ports. The chance of a
Matthias Andree2a407a72021-03-27 15:41:45 +0100110 successful attack is therefore multiplied by the number of repeats
Simon Kelley15b60dd2020-11-18 18:34:55 +0000111 of the query. The new behaviour detects repeated queries and
112 merely stores the clients sending repeats so that when the
113 first query completes, the answer can be sent to all the
Simon Kelleye01e09c2021-01-08 22:50:03 +0000114 clients who asked. Refer: CVE-2020-25686.
Simon Kelley2d765862020-11-12 22:06:07 +0000115
Simon Kelley257ac0c2020-11-12 18:49:23 +0000116
Simon Kelley2bd02d22020-07-12 21:57:38 +0100117version 2.82
118 Improve behaviour in the face of network interfaces which come
119 and go and change index. Thanks to Petr Mensik for the patch.
120
121 Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
122 to a warning.
123
124 Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in --dhcp-option.
125
Matthias Andreef60fea12020-07-19 21:54:44 +0100126 Fix crash under heavy TCP connection load introduced in 2.81.
Simon Kelley2bd02d22020-07-12 21:57:38 +0100127 Thanks to Frank for good work chasing this down.
128
Simon Kelley4d85e402020-07-12 22:45:46 +0100129 Change default lease time for DHCPv6 to one day.
130
Matthias Andreef60fea12020-07-19 21:54:44 +0100131 Alter calculation of preferred and valid times in router
Simon Kelley4d85e402020-07-12 22:45:46 +0100132 advertisements, so that these do not have a floor applied
133 of the lease time in the dhcp-range if this is not explicitly
134 specified and is merely the default.
135 Thanks to Martin-Éric Racine for suggestions on this.
136
Simon Kelley2bd02d22020-07-12 21:57:38 +0100137
Simon Kelleya799ca02018-10-18 19:35:29 +0100138version 2.81
Matthias Andree081a1c42020-04-05 11:26:38 +0200139 Improve cache behaviour for TCP connections. For ease of
Matthias Andreef60fea12020-07-19 21:54:44 +0100140 implementation, dnsmasq has always forked a new process to handle
Simon Kelleya799ca02018-10-18 19:35:29 +0100141 each incoming TCP connection. A side-effect of this is that
142 any DNS queries answered from TCP connections are not cached:
143 when TCP connections were rare, this was not a problem.
Matthias Andree081a1c42020-04-05 11:26:38 +0200144 With the coming of DNSSEC, it is now the case that some
Simon Kelleya799ca02018-10-18 19:35:29 +0100145 DNSSEC queries have answers which spill to TCP, and if,
Matthias Andree081a1c42020-04-05 11:26:38 +0200146 for instance, this applies to the keys for the root, then
Simon Kelleya799ca02018-10-18 19:35:29 +0100147 those never get cached, and performance is very bad.
148 This fix passes cache entries back from the TCP child process to
149 the main server process, and fixes the problem.
150
Simon Kelley48d12f12018-11-02 21:55:04 +0000151 Remove the NO_FORK compile-time option, and support for uclinux.
152 In an era where everything has an MMU, this looks like
153 an anachronism, and it adds to (Ok, multiplies!) the
154 combinatorial explosion of compile-time options. Thanks to
155 Kevin Darbyshire-Bryant for the patch.
156
Simon Kelley4219ade2019-02-27 20:30:21 +0000157 Fix line-counting when reading /etc/hosts and friends; for
158 correct error messages. Thanks to Christian Rosentreter
159 for reporting this.
160
Sven Mueller162e5e02019-02-27 21:17:37 +0000161 Fix bug in DNS non-terminal code, added in 2.80, which could
162 sometimes cause a NODATA rather than an NXDOMAIN reply.
Simon Kelleya066aac2019-03-01 16:18:07 +0000163 Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
164 for spotting and diagnosing the bug and providing patches.
Sven Mueller162e5e02019-02-27 21:17:37 +0000165
Simon Kelley608aa9f2019-03-10 22:44:15 +0000166 Support TCP-fastopen (RFC-7413) on both incoming and
167 outgoing TCP connections, if supported and enabled in the OS.
Simon Kelley305ffb52019-03-16 18:17:17 +0000168
169 Improve kernel-capability manipulation code under Linux. Dnsmasq
170 now fails early if a required capability is not available, and
171 tries not to request capabilities not required by its
172 configuration.
173
Simon Kelleyae5b7e02019-03-27 22:33:28 +0000174 Add --shared-network config. This enables allocation of addresses
Matthias Andree081a1c42020-04-05 11:26:38 +0200175 by the DHCP server in subnets where the server (or relay) does not
Simon Kelleyae5b7e02019-03-27 22:33:28 +0000176 have an interface on the network in that subnet. Many thanks to
Simon Kelley1da81f72019-03-28 13:51:11 +0000177 kamp.de for sponsoring this feature.
Simon Kelley225accd2019-08-14 21:52:50 +0100178
179 Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
180 validation check got borked in commit 2b38e382 and release 2.80.
181 Thanks to Tomasz Szajner for spotting this.
Simon Kelleyae5b7e02019-03-27 22:33:28 +0000182
Simon Kelley5a562332019-08-14 21:53:59 +0100183 Fix compilation against nettle version 3.5 and later.
184
Simon Kelleyfef2f1c2019-08-29 21:59:00 +0100185 Fix spurious DNSSEC validation failures when the auth section
Simon Kelley69a04772019-09-03 16:49:02 +0100186 of a reply contains unsigned RRs from a signed zone,
187 with the exception that NSEC and NSEC3 RRs must always be signed.
188 Thanks to Tore Anderson for spotting and diagnosing the bug.
Simon Kelleyfef2f1c2019-08-29 21:59:00 +0100189
Florent Fourcot13a58f92019-06-20 10:26:40 +0200190 Add --dhcp-ignore-clid. This disables reading of DHCP client
191 identifier option (option 61), so clients are only identified by
192 MAC addresses.
193
Simon Kelley6ebdc952019-10-30 21:04:27 +0000194 Fix a bug which stopped --dhcp-name-match from working when a hostname
195 is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
196
Simon Kelleyf73f7392019-12-03 18:18:46 +0000197 Fix bug which caused very rarely caused zero-length DHCPv6 packets.
198 Thanks to Dereck Higgins for spotting this.
199
Simon Kelley66f62652020-01-05 16:21:24 +0000200 Add --tftp-single-port option.
Simon Kelleyab538832020-01-10 20:44:48 +0000201
202 Enhance --conf-dir to load files in a deterministic order. Thanks to
203 Evgenii Seliavka for the suggestion and initial patch.
Simon Kelley34d41472019-12-05 23:44:29 +0000204
Simon Kelleycd672932020-01-27 22:53:07 +0000205 In the router advert code, handle case where we have two
Matthias Andree081a1c42020-04-05 11:26:38 +0200206 different interfaces on the same IPv6 net, and we are doing
Simon Kelleycd672932020-01-27 22:53:07 +0000207 RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
208 for spotting this case and making the initial patch.
Simon Kelley79aba0f2020-02-03 23:58:45 +0000209
210 Support prefixed ranges of ipv6 addresses in dhcp-host.
211 This eases problems chain-netbooting, where each link in the
212 chain requests an address using a different UID. With a single
213 address, only one gets the "static" address, but with this
214 fix, enough addresses can be reserved for all the stages of the
215 boot. Many thanks to Harald Jensås for his work on this idea and
Simon Kelley52ec7832020-02-07 21:05:54 +0000216 earlier patches.
217
218 Add filtering by tag of --dhcp-host directives. Based on a patch
219 by Harald Jensås.
Simon Kelleya9b022a2020-02-11 21:58:59 +0000220
221 Allow empty server spec in --rev-server, to match --server.
Simon Kelleycd672932020-01-27 22:53:07 +0000222
Simon Kelley425e2402020-02-26 18:28:32 +0000223 Remove DSA signature verification from DNSSEC, as specified in
224 RFC 8624. Thanks to Loganaden Velvindron for the original patch.
225
Simon Kelleyee645822020-02-27 16:34:14 +0000226 Add --script-on-renewal option.
227
Simon Kelleycd672932020-01-27 22:53:07 +0000228
Simon Kelley734d5312018-03-23 23:09:53 +0000229version 2.80
230 Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
231 for the initial patch and motivation.
232
Simon Kelleya6918532018-04-15 16:20:52 +0100233 Alter the default for dnssec-check-unsigned. Versions of
234 dnsmasq prior to 2.80 defaulted to not checking unsigned
235 replies, and used --dnssec-check-unsigned to switch
236 this on. Such configurations will continue to work as before,
237 but those which used the default of no checking will need to be
238 altered to explicitly select no checking. The new default is
239 because switching off checking for unsigned replies is
240 inherently dangerous. Not only does it open the possiblity of forged
241 replies, but it allows everything to appear to be working even
242 when the upstream namesevers do not support DNSSEC, and in this
243 case no DNSSEC validation at all is occuring.
244
Simon Kelley0669ee72018-05-04 16:46:24 +0100245 Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
246 are set. Thanks to Daniel Miess for help with this.
Simon Kelleya6918532018-04-15 16:20:52 +0100247
Simon Kelley6b173352018-05-08 18:32:14 +0100248 Add a facilty to store DNS packets sent/recieved in a
249 pcap-format file for later debugging. The file location
250 is given by the --dumpfile option, and a bitmap controlling
251 which packets should be dumped is given by the --dumpmask
252 option.
253
Simon Kelleyc488b682018-06-02 13:06:00 +0100254 Handle the case of both standard and constructed dhcp-ranges on the
255 same interface better. We don't now contruct a dhcp-range if there's
256 already one specified. This allows the specified interface to
257 have different parameters and avoids advertising the same
258 prefix twice. Thanks to Luis Marsano for spotting this case.
259
Simon Kelley090856c2018-06-02 18:37:07 +0100260 Allow zone transfer in authoritative mode if auth-peer is specified,
261 even if auth-sec-servers is not. Thanks to Raphaël Halimi for
262 the suggestion.
263
Simon Kelleya997ca02018-06-29 14:39:41 +0100264 Fix bug which sometimes caused dnsmasq to wrongly return answers
265 without DNSSEC RRs to queries with the do-bit set, but only when
266 DNSSEC validation was not enabled.
267 Thanks to Petr Menšík for spotting this.
Simon Kelleya3bd7e72018-07-19 22:00:08 +0100268
269 Fix missing fatal errors with some malformed options
270 (server, local, address, rebind-domain-ok, ipset, alias).
271 Thanks to Eugene Lozovoy for spotting the problem.
Simon Kelleydd33e982018-07-30 14:55:39 +0100272
273 Fix crash on startup with a --synth-domain which has no prefix.
274 Introduced in 2.79. Thanks to Andreas Engel for the bug report.
275
Simon Kelley1682d152018-08-03 20:38:18 +0100276 Fix missing EDNS0 section in some replies generated by local
277 DNS configuration which confused systemd-resolvd. Thanks to
278 Steve Dodd for characterising the problem.
279
Simon Kelleyc8226202018-08-08 23:46:03 +0100280 Add --dhcp-name-match config option.
281
Simon Kelley974a6d02018-08-23 23:01:16 +0100282 Add --caa-record config option.
Simon Kelleyda8b6512018-09-03 23:18:36 +0100283
284 Implement --address=/example.com/# as (more efficient) syntactic
285 sugar for --address=/example.com/0.0.0.0 and
286 --address=/example.com/::
287 Returning null addresses is a useful technique for ad-blocking.
288 Thanks to Peter Russell for the suggestion.
Simon Kelley974a6d02018-08-23 23:01:16 +0100289
Simon Kelley41392982018-09-19 22:27:11 +0100290 Change anti cache-snooping behaviour with queries with the
291 recursion-desired bit unset. Instead to returning SERVFAIL, we
292 now always forward, and never answer from the cache. This
293 allows "dig +trace" command to work.
294
Simon Kelley7cbf4972018-09-26 18:03:10 +0100295 Include in the example config file a formulation which
296 stops DHCP clients from claiming the DNS name "wpad".
297 This is a fix for the CERT Vulnerability VU#598349.
298
Simon Kelley41392982018-09-19 22:27:11 +0100299
Simon Kelley30858e32017-10-09 22:36:11 +0100300version 2.79
301 Fix parsing of CNAME arguments, which are confused by extra spaces.
302 Thanks to Diego Aguirre for spotting the bug.
303
Simon Kelley9d6918d2017-10-13 17:55:09 +0100304 Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
305 upstream servers to an interface, rather than SO_BINDTODEVICE.
306 Thanks to Beniamino Galvani for the patch.
307
Simon Kelley087eb762017-10-30 23:16:54 +0000308 Always return a SERVFAIL answer to DNS queries without the
Ville Skyttäfaaf3062018-01-14 17:32:52 +0000309 recursion desired bit set, UNLESS acting as an authoritative
Simon Kelley087eb762017-10-30 23:16:54 +0000310 DNS server. This avoids a potential route to cache snooping.
311
Simon Kelley8e8b2d62017-10-30 23:21:52 +0000312 Add support for Ed25519 signatures in DNSSEC validation.
313
314 No longer support RSA/MD5 signatures in DNSSEC validation,
315 since these are not secure. This behaviour is mandated in
316 RFC-6944.
317
Simon Kelleya6cee692017-12-14 22:40:48 +0000318 Fix incorrect error exit code from dhcp_release6 utility.
319 Thanks Gaudenz Steinlin for the bug report.
320
Simon Kelley3c973ad2018-01-14 21:05:37 +0000321 Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
322 time validation when --dnssec-no-timecheck is in use.
323 Note that this is an incompatible change from earlier releases.
324
Simon Kelley22cd8602018-01-14 22:57:14 +0000325 Allow more than one --bridge-interface option to refer to an
326 interface, so that we can use
327 --bridge-interface=int1,alias1
328 --bridge-interface=int1,alias2
329 as an alternative to
330 --bridge-interface=int1,alias1,alias2
331 Thanks to Neil Jerram for work on this.
Simon Kelley4fe67442018-01-19 12:26:08 +0000332
333 Fix for DNSSEC with wildcard-derived NSEC records.
334 It's OK for NSEC records to be expanded from wildcards,
335 but in that case, the proof of non-existence is only valid
336 starting at the wildcard name, *.<domain> NOT the name expanded
337 from the wildcard. Without this check it's possible for an
338 attacker to craft an NSEC which wrongly proves non-existence.
339 Thanks to Ralph Dolmans for finding this, and co-ordinating
340 the vulnerability tracking and fix release.
341 CVE-2017-15107 applies.
342
Simon Kelley17214532018-02-14 22:56:09 +0000343 Remove special handling of A-for-A DNS queries. These
344 are no longer a significant problem in the global DNS.
345 http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
346 Thanks to Mattias Hellström for the initial patch.
Simon Kelley4f7bb572018-03-08 18:47:08 +0000347
348 Fix failure to delete dynamically created dhcp options
349 from files in -dhcp-optsdir directories. Thanks to
350 Lindgren Fredrik for the bug report.
Simon Kelley6b2b5642018-03-10 18:12:04 +0000351
352 Add to --synth-domain the ability to create names using
353 sequential numbers, as well as encodings of IP addresses.
354 For instance,
355 --synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
356 creates 21 domain names of the form
357 internal-4.thekelleys.org.uk over the address range given, with
358 internal-0.thekelleys.org.uk being 192.168.0.50 and
359 internal-20.thekelleys.org.uk being 192.168.0.70
360 Thanks to Andy Hawkins for the suggestion.
361
Simon Kelley94b68782018-03-17 18:39:23 +0000362 Tidy up Crypto code, removing workarounds for ancient
363 versions of libnettle. We now require libnettle 3.
364
Simon Kelley30858e32017-10-09 22:36:11 +0100365
Simon Kelley1649f702017-06-25 21:19:30 +0100366version 2.78
Simon Kelley32be32e2017-06-25 21:33:28 +0100367 Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
368 Novakovic for the patch.
Simon Kelley1649f702017-06-25 21:19:30 +0100369
370 Revert ping-check of address in DHCPDISCOVER if there
371 already exists a lease for the address. Under some
372 circumstances, and netbooted windows installation can reply
373 to pings before if has a DHCP lease and block allocation
374 of the address it already used during netboot. Thanks to
375 Jan Psota for spotting this.
376
377 Fix DHCP relaying, broken in 2.76 and 2.77 by commit
378 ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
379 John Fitzgibbon for the diagnosis and patch.
Simon Kelley32be32e2017-06-25 21:33:28 +0100380
Hans Dedecker93967522017-06-27 22:08:47 +0100381 Try other servers if first returns REFUSED when
382 --strict-order active. Thanks to Hans Dedecker
383 for the patch
Simon Kelley32be32e2017-06-25 21:33:28 +0100384
Simon Kelley63437ff2017-09-06 22:34:21 +0100385 Fix regression in 2.77, ironically added as a security
386 improvement, which resulted in a crash when a DNS
387 query exceeded 512 bytes (or the EDNS0 packet size,
388 if different.) Thanks to Christian Kujau, Arne Woerner
389 Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
390 chasing this one down. CVE-2017-13704 applies.
391
Simon Kelley0549c732017-09-25 18:17:11 +0100392 Fix heap overflow in DNS code. This is a potentially serious
393 security hole. It allows an attacker who can make DNS
394 requests to dnsmasq, and who controls the contents of
395 a domain, which is thereby queried, to overflow
396 (by 2 bytes) a heap buffer and either crash, or
397 even take control of, dnsmasq.
398 CVE-2017-14491 applies.
399 Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
Simon Kelley39921d02017-09-26 18:43:19 +0100400 Kevin Hamacher and Ron Bowes of the Google Security Team for
Simon Kelley0549c732017-09-25 18:17:11 +0100401 finding this.
402
Simon Kelley24036ea2017-09-25 18:47:15 +0100403 Fix heap overflow in IPv6 router advertisement code.
404 This is a potentially serious security hole, as a
405 crafted RA request can overflow a buffer and crash or
406 control dnsmasq. Attacker must be on the local network.
407 CVE-2017-14492 applies.
408 Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
409 and Kevin Hamacher of the Google Security Team for
410 finding this.
Simon Kelley3d4ff1b2017-09-25 18:52:50 +0100411
412 Fix stack overflow in DHCPv6 code. An attacker who can send
413 a DHCPv6 request to dnsmasq can overflow the stack frame and
414 crash or control dnsmasq.
415 CVE-2017-14493 applies.
416 Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
Simon Kelley39921d02017-09-26 18:43:19 +0100417 Kevin Hamacher and Ron Bowes of the Google Security Team for
Simon Kelley3d4ff1b2017-09-25 18:52:50 +0100418 finding this.
Simon Kelley33e3f102017-09-25 20:05:11 +0100419
420 Fix information leak in DHCPv6. A crafted DHCPv6 packet can
421 cause dnsmasq to forward memory from outside the packet
422 buffer to a DHCPv6 server when acting as a relay.
423 CVE-2017-14494 applies.
424 Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
Simon Kelley39921d02017-09-26 18:43:19 +0100425 Kevin Hamacher and Ron Bowes of the Google Security Team for
Simon Kelley33e3f102017-09-25 20:05:11 +0100426 finding this.
Simon Kelley39921d02017-09-26 18:43:19 +0100427
Simon Kelley897c1132017-09-25 20:11:58 +0100428 Fix DoS in DNS. Invalid boundary checks in the
429 add_pseudoheader function allows a memcpy call with negative
430 size An attacker which can send malicious DNS queries
431 to dnsmasq can trigger a DoS remotely.
432 dnsmasq is vulnerable only if one of the following option is
433 specified: --add-mac, --add-cpe-id or --add-subnet.
434 CVE-2017-14496 applies.
435 Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
Simon Kelley39921d02017-09-26 18:43:19 +0100436 Kevin Hamacher and Ron Bowes of the Google Security Team for
Simon Kelley897c1132017-09-25 20:11:58 +0100437 finding this.
Simon Kelley51eadb62017-09-25 20:16:50 +0100438
439 Fix out-of-memory Dos vulnerability. An attacker which can
440 send malicious DNS queries to dnsmasq can trigger memory
441 allocations in the add_pseudoheader function
442 The allocated memory is never freed which leads to a DoS
443 through memory exhaustion. dnsmasq is vulnerable only
444 if one of the following option is specified:
445 --add-mac, --add-cpe-id or --add-subnet.
446 CVE-2017-14495 applies.
447 Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
Simon Kelley39921d02017-09-26 18:43:19 +0100448 Kevin Hamacher and Ron Bowes of the Google Security Team for
Simon Kelley51eadb62017-09-25 20:16:50 +0100449 finding this.
Simon Kelley39921d02017-09-26 18:43:19 +0100450
451
Simon Kelley294d36d2016-07-06 21:30:25 +0100452version 2.77
Simon Kelley32be32e2017-06-25 21:33:28 +0100453 Generate an error when configured with a CNAME loop,
454 rather than a crash. Thanks to George Metz for
455 spotting this problem.
Simon Kelley903df072017-01-19 17:22:00 +0000456
Simon Kelley32be32e2017-06-25 21:33:28 +0100457 Calculate the length of TFTP error reply packet
458 correctly. This fixes a problem when the error
459 message in a TFTP packet exceeds the arbitrary
460 limit of 500 characters. The message was correctly
461 truncated, but not the packet length, so
462 extra data was appended. This is a possible
463 security risk, since the extra data comes from
464 a buffer which is also used for DNS, so that
465 previous DNS queries or replies may be leaked.
466 Thanks to Mozilla for funding the security audit
467 which spotted this bug.
Simon Kelley294d36d2016-07-06 21:30:25 +0100468
Simon Kelley32be32e2017-06-25 21:33:28 +0100469 Fix logic error in Linux netlink code. This could
470 cause dnsmasq to enter a tight loop on systems
471 with a very large number of network interfaces.
472 Thanks to Ivan Kokshaysky for the diagnosis and
473 patch.
Ivan Kokshaysky1d076672016-07-11 18:36:05 +0100474
Simon Kelley32be32e2017-06-25 21:33:28 +0100475 Fix problem with --dnssec-timestamp whereby receipt
476 of SIGHUP would erroneously engage timestamp checking.
477 Thanks to Kevin Darbyshire-Bryant for this work.
Simon Kelleyc8328ec2016-08-05 16:54:58 +0100478
Simon Kelley32be32e2017-06-25 21:33:28 +0100479 Bump zone serial on reloading /etc/hosts and friends
480 when providing authoritative DNS. Thanks to Harrald
481 Dunkel for spotting this.
Simon Kelley6d950992016-08-11 23:38:54 +0100482
Simon Kelley32be32e2017-06-25 21:33:28 +0100483 Handle v4-mapped IPv6 addresses sanely in --synth-domain.
484 These have standard representation like ::ffff:1.2.3.4
485 and are now converted to names like
486 <prefix>--ffff-1-2-3-4.<domain>
Simon Kelley6d950992016-08-11 23:38:54 +0100487
Simon Kelley32be32e2017-06-25 21:33:28 +0100488 Handle binding upstream servers to an interface
489 (--server=1.2.3.4@eth0) when the named interface
490 is destroyed and recreated in the kernel. Thanks to
491 Beniamino Galvani for the patch.
Beniamino Galvani2675f202016-08-28 20:44:05 +0100492
Simon Kelley32be32e2017-06-25 21:33:28 +0100493 Allow wildcard CNAME records in authoritative zones.
494 For example --cname=*.example.com,default.example.com
495 Thanks to Pro Backup for sponsoring this development.
Simon Kelleyb637d782016-12-13 16:44:11 +0000496
Simon Kelley32be32e2017-06-25 21:33:28 +0100497 Bump the allowed backlog of TCP connections from 5 to 32,
498 and make this a compile-time configurable option. Thanks
499 to Donatas Abraitis for diagnosing this as a potential
500 problem.
Simon Kelley09b768e2016-12-22 22:16:58 +0000501
Simon Kelley32be32e2017-06-25 21:33:28 +0100502 Add DNSMASQ_REQUESTED_OPTIONS environment variable to the
503 lease-change script. Thanks to ZHAO Yu for the patch.
Simon Kelley294d36d2016-07-06 21:30:25 +0100504
Simon Kelley32be32e2017-06-25 21:33:28 +0100505 Fix foobar in rrfilter code, that could cause malformed
506 replies, especially when DNSSEC validation on, and
507 the upstream server returns answer with the RRs in a
508 particular order. The only DNS server known to tickle
509 this is Nominum's. Thanks to Dave Täht for spotting the
510 bug and assisting in the fix.
Simon Kelley0740e432017-01-26 18:02:54 +0000511
Simon Kelley32be32e2017-06-25 21:33:28 +0100512 Fix the manpage which lied that only the primary address
513 of an interface is used by --interface-name.
Simon Kelleyd42d4702017-02-02 16:52:06 +0000514
Simon Kelley32be32e2017-06-25 21:33:28 +0100515 Make --localise-queries apply to names from --interface-name.
516 Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
517 for pushing this.
Simon Kelleyd42d4702017-02-02 16:52:06 +0000518
Simon Kelley32be32e2017-06-25 21:33:28 +0100519 Improve connection handling when talking to TCP upstream
520 servers. Specifically, be prepared to open a new TCP
521 connection when we want to make multiple queries
522 but the upstream server accepts fewer queries per connection.
Simon Kelley361dfe52017-02-10 21:12:30 +0000523
Simon Kelley32be32e2017-06-25 21:33:28 +0100524 Improve logging of upstream servers when there are a lot
525 of "local addresses only" entries. Thanks to Hannu Nyman for
526 the patch.
Floris Bos60704f52017-04-09 22:22:49 +0100527
Simon Kelley32be32e2017-06-25 21:33:28 +0100528 Make --bogus-priv apply to IPv6, for the prefixes specified
529 in RFC6303. Thanks to Kevin Darbyshire-Bryant for work on this.
Floris Bos503c6092017-04-09 23:07:13 +0100530
Simon Kelley32be32e2017-06-25 21:33:28 +0100531 Allow use of MAC addresses with --tftp-unique-root. Thanks
532 to Floris Bos for the patch.
David Flamand005c46d2017-04-11 11:49:54 +0100533
Simon Kelley32be32e2017-06-25 21:33:28 +0100534 Add --dhcp-reply-delay option. Thanks to Floris Bos
535 for the patch.
Petr Menšíkc77fb9d2017-04-16 20:20:08 +0100536
Simon Kelley32be32e2017-06-25 21:33:28 +0100537 Add mtu setting facility to --ra-param. Thanks to David
538 Flamand for the patch.
Petr Menšíkc77fb9d2017-04-16 20:20:08 +0100539
Simon Kelley32be32e2017-06-25 21:33:28 +0100540 Capture STDOUT and STDERR output from dhcp-script and log
541 it as part of the dnsmasq log stream. Makes life easier
542 for diagnosing unexpected problems in scripts.
543 Thanks to Petr Mensik for the patch.
Petr Menšík3a8b0f62017-04-23 14:12:37 +0100544
Simon Kelley32be32e2017-06-25 21:33:28 +0100545 Generate fatal errors when failing to parse the output
546 of the dhcp-script in "init" mode. Avoids strange errors
547 when the script accidentally emits error messages.
548 Thanks to Petr Mensik for the patch.
Simon Kelley88a77a72017-02-11 17:02:02 +0000549
Simon Kelley32be32e2017-06-25 21:33:28 +0100550 Make --rev-server for an RFC1918 subnet work even in the
551 presence of the --bogus-priv flag. Thanks to
552 Vladislav Grishenko for the patch.
Vladislav Grishenko6ec5f5c2017-04-24 22:34:45 +0100553
Simon Kelley32be32e2017-06-25 21:33:28 +0100554 Extend --ra-param mtu: field to allow an interface name.
555 This allows the MTU of a WAN interface to be advertised on
556 the internal interfaces of a router. Thanks to
557 Vladislav Grishenko for the patch.
Simon Kelley5ce3e762017-04-28 22:14:20 +0100558
Simon Kelley32be32e2017-06-25 21:33:28 +0100559 Do ICMP-ping check for address-in-use for DHCPv4 when
560 the client specifies an address in DHCPDISCOVER, and when
561 an address in configured locally. Thanks to Alin Năstac
562 for spotting the problem.
Simon Kelleyb2a9c572017-04-30 18:21:31 +0100563
Simon Kelley32be32e2017-06-25 21:33:28 +0100564 Add new DHCP tag "known-othernet" which is set when only a
565 dhcp-host exists for another subnet. Can be used to ensure
566 that privileged hosts are not given "guest" addresses by
567 accident. Thanks to Todd Sanket for the suggestion.
Vladislav Grishenko6ec5f5c2017-04-24 22:34:45 +0100568
Simon Kelley32be32e2017-06-25 21:33:28 +0100569 Remove historic automatic inclusion of IDN support when
570 building internationalisation support. This doesn't
571 fit now there is a choice of IDN libraries. Be sure
572 to include either -DHAVE_IDN or -DHAVE_LIBIDN2 for
573 IDN support.
574
575
Simon Kelleyd2aa7df2015-08-03 21:52:12 +0100576version 2.76
Simon Kelley32be32e2017-06-25 21:33:28 +0100577 Include 0.0.0.0/8 in DNS rebind checks. This range
578 translates to hosts on the local network, or, at
579 least, 0.0.0.0 accesses the local host, so could
580 be targets for DNS rebinding. See RFC 5735 section 3
581 for details. Thanks to Stephen Röttger for the bug report.
Simon Kelley77607cb2015-09-10 23:08:43 +0100582
Simon Kelley32be32e2017-06-25 21:33:28 +0100583 Enhance --add-subnet to allow arbitrary subnet addresses.
584 Thanks to Ed Barsley for the patch.
Simon Kelley77607cb2015-09-10 23:08:43 +0100585
Simon Kelley32be32e2017-06-25 21:33:28 +0100586 Respect the --no-resolv flag in inotify code. Fixes bug
587 which caused dnsmasq to fail to start if a resolv-file
588 was a dangling symbolic link, even of --no-resolv set.
589 Thanks to Alexander Kurtz for spotting the problem.
Edwin Török41a8d9e2015-11-14 17:45:48 +0000590
Simon Kelley32be32e2017-06-25 21:33:28 +0100591 Fix crash when an A or AAAA record is defined locally,
592 in a hosts file, and an upstream server sends a reply
593 that the same name is empty. Thanks to Edwin Török for
594 the patch.
André Glüpkereddf3652016-01-12 12:54:17 +0000595
Simon Kelley32be32e2017-06-25 21:33:28 +0100596 Fix failure to correctly calculate cache-size when
597 reading a hosts-file fails. Thanks to André Glüpker
598 for the patch.
Simon Kelleyd05dd582016-01-19 21:23:30 +0000599
Simon Kelley32be32e2017-06-25 21:33:28 +0100600 Fix wrong answer to simple name query when --domain-needed
601 set, but no upstream servers configured. Dnsmasq returned
602 REFUSED, in this case, when it should be the same as when
603 upstream servers are configured - NOERROR. Thanks to
604 Allain Legacy for spotting the problem.
Simon Kelleyd05dd582016-01-19 21:23:30 +0000605
Simon Kelley32be32e2017-06-25 21:33:28 +0100606 Return REFUSED when running out of forwarding table slots,
607 not SERVFAIL.
Simon Kelley1e505122016-01-25 21:29:23 +0000608
Simon Kelley32be32e2017-06-25 21:33:28 +0100609 Add --max-port configuration. Thanks to Hans Dedecker for
610 the patch.
Simon Kelley1e505122016-01-25 21:29:23 +0000611
Simon Kelley32be32e2017-06-25 21:33:28 +0100612 Add --script-arp and two new functions for the dhcp-script.
613 These are "arp" and "arp-old" which announce the arrival and
614 removal of entries in the ARP or neighbour tables.
Simon Kelley1e505122016-01-25 21:29:23 +0000615
Simon Kelley32be32e2017-06-25 21:33:28 +0100616 Extend --add-mac to allow a new encoding of the MAC address
617 as base64, by configuring --add-mac=base64
Simon Kelleyfdc97e12016-02-13 17:47:17 +0000618
Simon Kelley32be32e2017-06-25 21:33:28 +0100619 Add --add-cpe-id option.
Simon Kelleye06e6e32016-02-24 21:26:16 +0000620
Simon Kelley32be32e2017-06-25 21:33:28 +0100621 Don't crash with divide-by-zero if an IPv6 dhcp-range
622 is declared as a whole /64.
623 (ie xx::0 to xx::ffff:ffff:ffff:ffff)
624 Thanks to Laurent Bendel for spotting this problem.
Simon Kelleyfdc97e12016-02-13 17:47:17 +0000625
Simon Kelley32be32e2017-06-25 21:33:28 +0100626 Add support for a TTL parameter in --host-record and
627 --cname.
Simon Kelleybec366b2016-02-24 22:03:26 +0000628
Simon Kelley32be32e2017-06-25 21:33:28 +0100629 Add --dhcp-ttl option.
Simon Kelleya2bc2542016-04-21 22:34:22 +0100630
Simon Kelley32be32e2017-06-25 21:33:28 +0100631 Add --tftp-mtu option. Thanks to Patrick McLean for the
632 initial patch.
Simon Kelley14ffa072016-04-25 16:36:44 +0100633
Simon Kelley32be32e2017-06-25 21:33:28 +0100634 Check return-code of inet_pton() when parsing dhcp-option.
635 Bad addresses could fail to generate errors and result in
636 garbage dhcp-options being sent. Thanks to Marc Branchaud
637 for spotting this.
Simon Kelley69cbf782016-05-03 21:33:38 +0100638
Simon Kelley32be32e2017-06-25 21:33:28 +0100639 Fix wrong value for EDNS UDP packet size when using
640 --servers-file to define upstream DNS servers. Thanks to
641 Scott Bonar for the bug report.
Simon Kelley69cbf782016-05-03 21:33:38 +0100642
Simon Kelley32be32e2017-06-25 21:33:28 +0100643 Move the dhcp_release and dhcp_lease_time tools from
644 contrib/wrt to contrib/lease-tools.
Simon Kelley68bea102016-05-11 22:15:06 +0100645
Simon Kelley32be32e2017-06-25 21:33:28 +0100646 Add dhcp_release6 to contrib/lease-tools. Many thanks
647 to Sergey Nechaev for this code.
Simon Kelley68bea102016-05-11 22:15:06 +0100648
Simon Kelley32be32e2017-06-25 21:33:28 +0100649 To avoid filling logs in configurations which define
650 many upstream nameservers, don't log more that 30 servers.
651 The number to be logged can be changed as SERVERS_LOGGED
652 in src/config.h.
Simon Kelleyb9702602016-05-03 22:34:06 +0100653
Simon Kelley32be32e2017-06-25 21:33:28 +0100654 Swap the values if BC_EFI and x86-64_EFI in --pxe-service.
655 These were previously wrong due to an error in RFC 4578.
656 If you're using BC_EFI to boot 64-bit EFI machines, you
657 will need to update your config.
Simon Kelley0a4a0492016-05-15 20:13:45 +0100658
Simon Kelley32be32e2017-06-25 21:33:28 +0100659 Add ARM32_EFI and ARM64_EFI as valid architectures in
660 --pxe-service.
Simon Kelley0a4a0492016-05-15 20:13:45 +0100661
Simon Kelley32be32e2017-06-25 21:33:28 +0100662 Fix PXE booting for UEFI architectures. Modify PXE boot
663 sequence in this case to force the client to talk to dnsmasq
664 over port 4011. This makes PXE and especially proxy-DHCP PXE
665 work with these architectures.
Simon Kelley0a4a0492016-05-15 20:13:45 +0100666
Simon Kelley32be32e2017-06-25 21:33:28 +0100667 Workaround problems with UEFI PXE clients. There exist
668 in the wild PXE clients which have problems with PXE
669 boot menus. To work around this, when there's a single
670 --pxe-service which applies to client, then that target
671 will be booted directly, rather then sending a
672 single-item boot menu.
673
674 Many thanks to Jarek Polok, Michael Kuron and Dreamcat4
675 for their work on the long-standing UEFI PXE problem.
676
677 Subtle change in the semantics of "basename" in
678 --pxe-service. The historical behaviour has always been
679 that the actual filename downloaded from the TFTP server
680 is <basename>.<layer> where <layer> is an integer which
681 corresponds to the layer parameter supplied by the client.
682 It's not clear what the function of the "layer"
683 actually is in the PXE protocol, and in practise layer
684 is always zero, so the filename is <basename>.0
685 The new behaviour is the same as the old, except when
686 <basename> includes a file suffix, in which case
687 the layer suffix is no longer added. This allows
688 sensible suffices to be used, rather then the
689 meaningless ".0". Only in the unlikely event that you
690 have a config with a basename which already has a
691 suffix, is this an incompatible change, since the file
692 downloaded will change from name.suffix.0 to just
693 name.suffix
Simon Kelleyda2cad42016-05-18 15:14:08 +0100694
Simon Kelleybec366b2016-02-24 22:03:26 +0000695
Simon Kelley63ec5d12015-07-30 20:59:07 +0100696version 2.75
Simon Kelley32be32e2017-06-25 21:33:28 +0100697 Fix reversion on 2.74 which caused 100% CPU use when a
698 dhcp-script is configured. Thanks to Adrian Davey for
699 reporting the bug and testing the fix.
Simon Kelley63ec5d12015-07-30 20:59:07 +0100700
Simon Kelley32be32e2017-06-25 21:33:28 +0100701
Simon Kelley90cb2222015-07-05 21:59:10 +0100702version 2.74
Simon Kelley32be32e2017-06-25 21:33:28 +0100703 Fix reversion in 2.73 where --conf-file would attempt to
704 read the default file, rather than no file.
Simon Kelley90cb2222015-07-05 21:59:10 +0100705
Simon Kelley32be32e2017-06-25 21:33:28 +0100706 Fix inotify code to handle dangling symlinks better and
707 not SEGV in some circumstances.
Simon Kelley362c9302015-07-06 21:48:49 +0100708
Simon Kelley32be32e2017-06-25 21:33:28 +0100709 DNSSEC fix. In the case of a signed CNAME generated by a
710 wildcard which pointed to an unsigned domain, the wrong
711 status would be logged, and some necessary checks omitted.
712
Simon Kelley362c9302015-07-06 21:48:49 +0100713
Simon Kelley00cd9d52014-10-02 21:44:21 +0100714version 2.73
Simon Kelley32be32e2017-06-25 21:33:28 +0100715 Fix crash at startup when an empty suffix is supplied to
716 --conf-dir, also trivial memory leak. Thanks to
717 Tomas Hozza for spotting this.
Simon Kelley800c5cc2014-12-15 17:50:15 +0000718
Simon Kelley32be32e2017-06-25 21:33:28 +0100719 Remove floor of 4096 on advertised EDNS0 packet size when
720 DNSSEC in use, the original rationale for this has long gone.
721 Thanks to Anders Kaseorg for spotting this.
Simon Kelley800c5cc2014-12-15 17:50:15 +0000722
Simon Kelley32be32e2017-06-25 21:33:28 +0100723 Use inotify for checking on updates to /etc/resolv.conf and
724 friends under Linux. This fixes race conditions when the files are
725 updated rapidly and saves CPU by noy polling. To build
726 a binary that runs on old Linux kernels without inotify,
727 use make COPTS=-DNO_INOTIFY
Simon Kelley3ad3f3b2014-12-16 18:25:17 +0000728
Simon Kelley32be32e2017-06-25 21:33:28 +0100729 Fix breakage of --domain=<domain>,<subnet>,local - only reverse
730 queries were intercepted. THis appears to have been broken
731 since 2.69. Thanks to Josh Stone for finding the bug.
Simon Kelley47669362014-12-17 12:41:56 +0000732
Simon Kelley32be32e2017-06-25 21:33:28 +0100733 Eliminate IPv6 privacy addresses and deprecated addresses from
734 the answers given by --interface-name. Note that reverse queries
735 (ie looking for names, given addresses) are not affected.
736 Thanks to Michael Gorbach for the suggestion.
Simon Kelley094b5c32014-12-21 16:11:52 +0000737
Simon Kelley32be32e2017-06-25 21:33:28 +0100738 Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
739 for the bug report.
Simon Kelley00cd9d52014-10-02 21:44:21 +0100740
Simon Kelley32be32e2017-06-25 21:33:28 +0100741 Add --ignore-address option. Ignore replies to A-record
742 queries which include the specified address. No error is
743 generated, dnsmasq simply continues to listen for another
744 reply. This is useful to defeat blocking strategies which
745 rely on quickly supplying a forged answer to a DNS
746 request for certain domains, before the correct answer can
747 arrive. Thanks to Glen Huang for the patch.
Simon Kelley25cf5e32015-01-09 15:53:03 +0000748
Simon Kelley32be32e2017-06-25 21:33:28 +0100749 Revisit the part of DNSSEC validation which determines if an
750 unsigned answer is legit, or is in some part of the DNS
751 tree which should be signed. Dnsmasq now works from the
752 DNS root downward looking for the limit of signed
753 delegations, rather than working bottom up. This is
754 both more correct, and less likely to trip over broken
755 nameservers in the unsigned parts of the DNS tree
756 which don't respond well to DNSSEC queries.
Simon Kelley39341552015-01-18 22:11:10 +0000757
Simon Kelley32be32e2017-06-25 21:33:28 +0100758 Add --log-queries=extra option, which makes logs easier
759 to search automatically.
Simon Kelley5f4dc5c2015-01-20 20:51:02 +0000760
Simon Kelley32be32e2017-06-25 21:33:28 +0100761 Add --min-cache-ttl option. I've resisted this for a long
762 time, on the grounds that disbelieving TTLs is never a
763 good idea, but I've been persuaded that there are
764 sometimes reasons to do it. (Step forward, GFW).
765 To avoid misuse, there's a hard limit on the TTL
766 floor of one hour. Thanks to RinSatsuki for the patch.
Win King Wan61b838d2015-01-21 20:41:48 +0000767
Simon Kelley32be32e2017-06-25 21:33:28 +0100768 Cope with multiple interfaces with the same link-local
769 address. (IPv6 addresses are scoped, so this is allowed.)
770 Thanks to Cory Benfield for help with this.
Simon Kelleyf6e62e22015-03-01 18:17:54 +0000771
Simon Kelley32be32e2017-06-25 21:33:28 +0100772 Add --dhcp-hostsdir. This allows addition of new host
773 configurations to a running dnsmasq instance much more
774 cheaply than having dnsmasq re-read all its existing
775 configuration each time.
Stefan Tomanek30d08792015-03-31 22:32:11 +0100776
Simon Kelley32be32e2017-06-25 21:33:28 +0100777 Don't reply to DHCPv6 SOLICIT messages if we're not
778 configured to do stateful DHCPv6. Thanks to Win King Wan
779 for the patch.
Simon Kelley04b0ac02015-04-06 17:19:13 +0100780
Simon Kelley32be32e2017-06-25 21:33:28 +0100781 Fix broken DNSSEC validation of ECDSA signatures.
Simon Kelley38440b22015-04-12 21:52:47 +0100782
Simon Kelley32be32e2017-06-25 21:33:28 +0100783 Add --dnssec-timestamp option, which provides an automatic
784 way to detect when the system time becomes valid after
785 boot on systems without an RTC, whilst allowing DNS
786 queries before the clock is valid so that NTP can run.
787 Thanks to Kevin Darbyshire-Bryant for developing this idea.
Simon Kelley38440b22015-04-12 21:52:47 +0100788
Simon Kelley32be32e2017-06-25 21:33:28 +0100789 Add --tftp-no-fail option. Thanks to Stefan Tomanek for
790 the patch.
Simon Kelley04b0ac02015-04-06 17:19:13 +0100791
Simon Kelley32be32e2017-06-25 21:33:28 +0100792 Fix crash caused by looking up servers.bind, CHAOS text
793 record, when more than about five --servers= lines are
794 in the dnsmasq config. This causes memory corruption
795 which causes a crash later. Thanks to Matt Coddington for
796 sterling work chasing this down.
Simon Kelleya5ae1f82015-04-25 21:46:10 +0100797
Simon Kelley32be32e2017-06-25 21:33:28 +0100798 Fix crash on receipt of certain malformed DNS requests.
799 Thanks to Nick Sampanis for spotting the problem.
800 Note that this is could allow the dnsmasq process's
801 memory to be read by an attacker under certain
802 circumstances, so it has a CVE, CVE-2015-3294
Simon Kelley78c61842015-04-16 15:05:30 +0100803
Simon Kelley32be32e2017-06-25 21:33:28 +0100804 Fix crash in authoritative DNS code, if a .arpa zone
805 is declared as authoritative, and then a PTR query which
806 is not to be treated as authoritative arrived. Normally,
807 directly declaring .arpa zone as authoritative is not
808 done, so this crash wouldn't be seen. Instead the
809 relevant .arpa zone should be specified as a subnet
810 in the auth-zone declaration. Thanks to Johnny S. Lee
811 for the bugreport and initial patch.
Simon Kelleya77cec82015-05-08 16:25:38 +0100812
Simon Kelley32be32e2017-06-25 21:33:28 +0100813 Fix authoritative DNS code to correctly reply to NS
814 and SOA queries for .arpa zones for which we are
815 declared authoritative by means of a subnet in auth-zone.
816 Previously we provided correct answers to PTR queries
817 in such zones (including NS and SOA) but not direct
818 NS and SOA queries. Thanks to Johnny S. Lee for
819 pointing out the problem.
Simon Kelleyb059c962015-05-08 20:25:51 +0100820
Simon Kelley32be32e2017-06-25 21:33:28 +0100821 Fix logging of DHCPREPLY which should be suppressed
822 by quiet-dhcp6. Thanks to J. Pablo Abonia for
823 spotting the problem.
Simon Kelleyca85a282015-05-13 22:33:04 +0100824
Simon Kelley32be32e2017-06-25 21:33:28 +0100825 Try and handle net connections with broken fragmentation
826 that lose large UDP packets. If a server times out,
827 reduce the maximum UDP packet size field in the EDNS0
828 header to 1280 bytes. If it then answers, make that
829 change permanent.
Nicolas Cavallaric6d82c92015-06-09 20:42:20 +0100830
Simon Kelley32be32e2017-06-25 21:33:28 +0100831 Check IPv4-mapped IPv6 addresses when --stop-rebind
832 is active. Thanks to Jordan Milne for spotting this.
Neil Jerram4918bd52015-06-10 22:23:20 +0100833
Simon Kelley32be32e2017-06-25 21:33:28 +0100834 Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
835 Thanks to Kevin Benton for patches and work on this.
Neil Jerram4918bd52015-06-10 22:23:20 +0100836
Simon Kelley32be32e2017-06-25 21:33:28 +0100837 Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
838 in the correct subnet, even of not in dynamic address
839 allocation range. Thanks to Steve Hirsch for spotting
840 the problem.
841
842 Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
843 to Nicolas Cavallari for the patch.
844
845 Allow configuration of router advertisements without the
846 "on-link" bit set. Thanks to Neil Jerram for the patch.
847
848 Extend --bridge-interface to DHCPv6 and router
849 advertisements. Thanks to Neil Jerram for the patch.
850
851
Simon Kelley8e9ffba2014-05-20 20:38:25 +0100852version 2.72
Simon Kelley32be32e2017-06-25 21:33:28 +0100853 Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
Simon Kelleyc4a09372014-06-02 20:30:07 +0100854
Simon Kelley32be32e2017-06-25 21:33:28 +0100855 Add support for "ipsets" in *BSD, using pf. Thanks to
856 Sven Falempin for the patch.
Simon Kelley8e9ffba2014-05-20 20:38:25 +0100857
Simon Kelley32be32e2017-06-25 21:33:28 +0100858 Fix race condition which could lock up dnsmasq when an
859 interface goes down and up rapidly. Thanks to Conrad
860 Kostecki for helping to chase this down.
Daniel Collinsc4638f92014-06-07 21:21:44 +0100861
Simon Kelley32be32e2017-06-25 21:33:28 +0100862 Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
863 Thanks to the Smoothwall project for the patch.
Simon Kelleycdb755c2014-06-18 20:52:53 +0100864
Simon Kelley32be32e2017-06-25 21:33:28 +0100865 Fix failure to build against Nettle-3.0. Thanks to Steven
866 Barth for spotting this and finding the fix.
Simon Kelleyb5ea1cc2014-07-29 16:34:14 +0100867
Simon Kelley32be32e2017-06-25 21:33:28 +0100868 When assigning existing DHCP leases to interfaces by comparing
869 networks, handle the case that two or more interfaces have the
870 same network part, but different prefix lengths (favour the
871 longer prefix length.) Thanks to Lung-Pin Chang for the
872 patch.
Simon Kelley57826492014-09-18 22:08:58 +0100873
Simon Kelley32be32e2017-06-25 21:33:28 +0100874 Add a mode which detects and removes DNS forwarding loops, ie
875 a query sent to an upstream server returns as a new query to
876 dnsmasq, and would therefore be forwarded again, resulting in
877 a query which loops many times before being dropped. Upstream
878 servers which loop back are disabled and this event is logged.
879 Thanks to Smoothwall for their sponsorship of this feature.
Simon Kelleybf2db4b2014-09-18 22:10:46 +0100880
Simon Kelley32be32e2017-06-25 21:33:28 +0100881 Extend --conf-dir to allow filtering of files. So
882 --conf-dir=/etc/dnsmasq.d,\*.conf
883 will load all the files in /etc/dnsmasq.d which end in .conf
884
885 Fix bug when resulted in NXDOMAIN answers instead of NODATA in
886 some circumstances.
887
888 Fix bug which caused dnsmasq to become unresponsive if it
889 failed to send packets due to a network interface disappearing.
890 Thanks to Niels Peen for spotting this.
891
892 Fix problem with --local-service option on big-endian platforms
893 Thanks to Richard Genoud for the patch.
894
895
Simon Kelley9d1b22a2014-04-29 13:02:41 +0100896version 2.71
Simon Kelley32be32e2017-06-25 21:33:28 +0100897 Subtle change to error handling to help DNSSEC validation
898 when servers fail to provide NODATA answers for
899 non-existent DS records.
Simon Kelley9d1b22a2014-04-29 13:02:41 +0100900
Simon Kelley32be32e2017-06-25 21:33:28 +0100901 Tweak code which removes DNSSEC records from answers when
902 not required. Fixes broken answers when additional section
903 has real records in it. Thanks to Marco Davids for the bug
904 report.
Simon Kelley9d1b22a2014-04-29 13:02:41 +0100905
Simon Kelley32be32e2017-06-25 21:33:28 +0100906 Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
907 for spotting that too.
Simon Kelley9d1b22a2014-04-29 13:02:41 +0100908
Simon Kelley32be32e2017-06-25 21:33:28 +0100909 Fix total DNS failure and 100% CPU use if cachesize set to zero,
910 regression introduced in 2.69. Thanks to James Hunt and
911 the Ubuntu crowd for assistance in fixing this.
Simon Kelleyb692f232014-05-09 10:29:43 +0100912
Simon Kelley9d1b22a2014-04-29 13:02:41 +0100913
Simon Kelley63758382014-04-16 22:20:55 +0100914version 2.70
Simon Kelley32be32e2017-06-25 21:33:28 +0100915 Fix crash, introduced in 2.69, on TCP request when dnsmasq
916 compiled with DNSSEC support, but running without DNSSEC
917 enabled. Thanks to Manish Sing for spotting that one.
Simon Kelley63758382014-04-16 22:20:55 +0100918
Simon Kelley32be32e2017-06-25 21:33:28 +0100919 Fix regression which broke ipset functionality. Thanks to
920 Wang Jian for the bug report.
Simon Kelley3b1b3e92014-04-23 15:46:05 +0100921
Simon Kelley63758382014-04-16 22:20:55 +0100922
Simon Kelley1ee9be42013-12-09 16:50:19 +0000923version 2.69
Simon Kelley32be32e2017-06-25 21:33:28 +0100924 Implement dynamic interface discovery on *BSD. This allows
925 the constructor: syntax to be used in dhcp-range for DHCPv6
926 on the BSD platform. Thanks to Matthias Andree for
927 valuable research on how to implement this.
Simon Kelley1ee9be42013-12-09 16:50:19 +0000928
Simon Kelley32be32e2017-06-25 21:33:28 +0100929 Fix infinite loop associated with some --bogus-nxdomain
930 configs. Thanks fogobogo for the bug report.
Simon Kelley8db957d2013-12-17 15:47:10 +0000931
Simon Kelley32be32e2017-06-25 21:33:28 +0100932 Fix missing RA RDNS option with configuration like
933 --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
934 for spotting the problem.
Simon Kelleyae762422014-01-10 18:15:16 +0000935
Simon Kelley32be32e2017-06-25 21:33:28 +0100936 Add [fd00::] and [fe80::] as special addresses in DHCPv6
937 options, analogous to [::]. [fd00::] is replaced with the
938 actual ULA of the interface on the machine running
939 dnsmasq, [fe80::] with the link-local address.
940 Thanks to Tsachi Kimeldorfer for championing this.
Simon Kelleyc3a04082014-01-11 22:18:19 +0000941
Simon Kelley32be32e2017-06-25 21:33:28 +0100942 DNSSEC validation and caching. Dnsmasq needs to be
943 compiled with this enabled, with
Simon Kelley198d9402014-04-09 20:36:53 +0100944
Simon Kelley32be32e2017-06-25 21:33:28 +0100945 make dnsmasq COPTS=-DHAVE_DNSSEC
Simon Kelley1ee9be42013-12-09 16:50:19 +0000946
Simon Kelley32be32e2017-06-25 21:33:28 +0100947 this adds dependencies on the nettle crypto library and the
948 gmp maths library. It's possible to have these linked
949 statically with
Simon Kelley613d6c52014-02-04 11:50:11 +0000950
Simon Kelley32be32e2017-06-25 21:33:28 +0100951 make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
Simon Kelley198d9402014-04-09 20:36:53 +0100952
Simon Kelley32be32e2017-06-25 21:33:28 +0100953 which bloats the dnsmasq binary, but saves the size of
954 the shared libraries which are much bigger.
Simon Kelleyde73a492014-02-17 21:43:27 +0000955
Simon Kelley32be32e2017-06-25 21:33:28 +0100956 To enable, DNSSEC, you will need a set of
957 trust-anchors. Now that the TLDs are signed, this can be
958 the keys for the root zone, and for convenience they are
959 included in trust-anchors.conf in the dnsmasq
960 distribution. You should of course check that these are
961 legitimate and up-to-date. So, adding
Simon Kelleyc8a80482014-03-05 14:29:54 +0000962
Simon Kelley32be32e2017-06-25 21:33:28 +0100963 conf-file=/path/to/trust-anchors.conf
964 dnssec
Simon Kelley604f7592014-03-22 19:33:43 +0000965
Simon Kelley32be32e2017-06-25 21:33:28 +0100966 to your config is all that's needed to get things
967 working. The upstream nameservers have to be DNSSEC-capable
968 too, of course. Many ISP nameservers aren't, but the
969 Google public nameservers (8.8.8.8 and 8.8.4.4) are.
970 When DNSSEC is configured, dnsmasq validates any queries
971 for domains which are signed. Query results which are
972 bogus are replaced with SERVFAIL replies, and results
973 which are correctly signed have the AD bit set. In
974 addition, and just as importantly, dnsmasq supplies
975 correct DNSSEC information to clients which are doing
976 their own validation, and caches DNSKEY, DS and RRSIG
977 records, which significantly improve the performance of
978 downstream validators. Setting --log-queries will show
979 DNSSEC in action.
Simon Kelley10068602014-04-03 21:16:40 +0100980
Simon Kelley32be32e2017-06-25 21:33:28 +0100981 If a domain is returned from an upstream nameserver without
982 DNSSEC signature, dnsmasq by default trusts this. This
983 means that for unsigned zone (still the majority) there
984 is effectively no cost for having DNSSEC enabled. Of course
985 this allows an attacker to replace a signed record with a
986 false unsigned record. This is addressed by the
987 --dnssec-check-unsigned flag, which instructs dnsmasq
988 to prove that an unsigned record is legitimate, by finding
989 a secure proof that the zone containing the record is not
990 signed. Doing this has costs (typically one or two extra
991 upstream queries). It also has a nasty failure mode if
992 dnsmasq's upstream nameservers are not DNSSEC capable.
993 Without --dnssec-check-unsigned using such an upstream
994 server will simply result in not queries being validated;
995 with --dnssec-check-unsigned enabled and a
996 DNSSEC-ignorant upstream server, _all_ queries will fail.
997
998 Note that DNSSEC requires that the local time is valid and
999 accurate, if not then DNSSEC validation will fail. NTP
1000 should be running. This presents a problem for routers
1001 without a battery-backed clock. To set the time needs NTP
1002 to do DNS lookups, but lookups will fail until NTP has run.
1003 To address this, there's a flag, --dnssec-no-timecheck
1004 which disables the time checks (only) in DNSSEC. When dnsmasq
1005 is started and the clock is not synced, this flag should
1006 be used. As soon as the clock is synced, SIGHUP dnsmasq.
1007 The SIGHUP clears the cache of partially-validated data and
1008 resets the no-timecheck flag, so that all DNSSEC checks
1009 henceforward will be complete.
1010
1011 The development of DNSSEC in dnsmasq was started by
1012 Giovanni Bajo, to whom huge thanks are owed. It has been
1013 supported by Comcast, whose techfund grant has allowed for
1014 an invaluable period of full-time work to get it to
1015 a workable state.
1016
1017 Add --rev-server. Thanks to Dave Taht for suggesting this.
1018
1019 Add --servers-file. Allows dynamic update of upstream servers
1020 full access to configuration.
1021
1022 Add --local-service. Accept DNS queries only from hosts
1023 whose address is on a local subnet, ie a subnet for which
1024 an interface exists on the server. This option
1025 only has effect if there are no --interface --except-interface,
1026 --listen-address or --auth-server options. It is intended
1027 to be set as a default on installation, to allow
1028 unconfigured installations to be useful but also safe from
1029 being used for DNS amplification attacks.
1030
1031 Fix crashes in cache_get_cname_target() when dangling CNAMEs
1032 encountered. Thanks to Andy and the rt-n56u project for
1033 find this and helping to chase it down.
1034
1035 Fix wrong RCODE in authoritative DNS replies to PTR queries. The
1036 correct answer was included, but the RCODE was set to NXDOMAIN.
1037 Thanks to Craig McQueen for spotting this.
1038
1039 Make statistics available as DNS queries in the .bind TLD as
1040 well as logging them.
Simon Kelley198d9402014-04-09 20:36:53 +01001041
Simon Kelleyc8a80482014-03-05 14:29:54 +00001042
Simon Kelley376d48c2013-11-13 13:04:30 +00001043version 2.68
Simon Kelley32be32e2017-06-25 21:33:28 +01001044 Use random addresses for DHCPv6 temporary address
1045 allocations, instead of algorithmically determined stable
1046 addresses.
Simon Kelley376d48c2013-11-13 13:04:30 +00001047
Simon Kelley32be32e2017-06-25 21:33:28 +01001048 Fix bug which meant that the DHCPv6 DUID was not available
1049 in DHCP script runs during the lifetime of the dnsmasq
1050 process which created the DUID de-novo. Once the DUID was
1051 created and stored in the lease file and dnsmasq
1052 restarted, this bug disappeared.
Simon Kelley376d48c2013-11-13 13:04:30 +00001053
Simon Kelley32be32e2017-06-25 21:33:28 +01001054 Fix bug introduced in 2.67 which could result in erroneous
1055 NXDOMAIN returns to CNAME queries.
Simon Kelley376d48c2013-11-13 13:04:30 +00001056
Simon Kelley32be32e2017-06-25 21:33:28 +01001057 Fix build failures on MacOS X and openBSD.
Simon Kelley376d48c2013-11-13 13:04:30 +00001058
Simon Kelley32be32e2017-06-25 21:33:28 +01001059 Allow subnet specifications in --auth-zone to be interface
1060 names as well as address literals. This makes it possible
1061 to configure authoritative DNS when local address ranges
1062 are dynamic and works much better than the previous
1063 work-around which exempted constructed DHCP ranges from the
1064 IP address filtering. As a consequence, that work-around
1065 is removed. Under certain circumstances, this change wil
1066 break existing configuration: if you're relying on the
1067 constructed-range exception, you need to change --auth-zone
1068 to specify the same interface as is used to construct your
1069 DHCP ranges, probably with a trailing "/6" like this:
1070 --auth-zone=example.com,eth0/6 to limit the addresses to
1071 IPv6 addresses of eth0.
Simon Kelleydd9d9ce2013-11-15 11:24:00 +00001072
Simon Kelley32be32e2017-06-25 21:33:28 +01001073 Fix problems when advertising deleted IPv6 prefixes. If
1074 the prefix is deleted (rather than replaced), it doesn't
1075 get advertised with zero preferred time. Thanks to Tsachi
1076 for the bug report.
Simon Kelley25439062013-11-25 21:14:51 +00001077
Simon Kelley32be32e2017-06-25 21:33:28 +01001078 Fix segfault with some locally configured CNAMEs. Thanks
1079 to Andrew Childs for spotting the problem.
Simon Kelley25439062013-11-25 21:14:51 +00001080
Simon Kelley32be32e2017-06-25 21:33:28 +01001081 Fix memory leak on re-reading /etc/hosts and friends,
1082 introduced in 2.67.
Simon Kelley2329bef2013-12-03 13:41:16 +00001083
Simon Kelley32be32e2017-06-25 21:33:28 +01001084 Check the arrival interface of incoming DNS and TFTP
1085 requests via IPv6, even in --bind-interfaces mode. This
1086 isn't possible for IPv4 and can generate scary warnings,
1087 but as it's always possible for IPv6 (the API always
1088 exists) then we should do it always.
1089
1090 Tweak the rules on prefix-lengths in --dhcp-range for
1091 IPv6. The new rule is that the specified prefix length
1092 must be larger than or equal to the prefix length of the
1093 corresponding address on the local interface.
Vladislav Grishenko4c82efc2013-12-03 16:05:30 +00001094
Simon Kelley376d48c2013-11-13 13:04:30 +00001095
Giacomo Tazzari797a7af2013-04-22 13:16:37 +01001096version 2.67
Simon Kelley32be32e2017-06-25 21:33:28 +01001097 Fix crash if upstream server returns SERVFAIL when
1098 --conntrack in use. Thanks to Giacomo Tazzari for finding
1099 this and supplying the patch.
Simon Kelleyaa63a212013-04-22 15:01:52 +01001100
Simon Kelley32be32e2017-06-25 21:33:28 +01001101 Repair regression in 2.64. That release stopped sending
1102 lease-time information in the reply to DHCPINFORM
1103 requests, on the correct grounds that it was a standards
1104 violation. However, this broke the dnsmasq-specific
1105 dhcp_lease_time utility. Now, DHCPINFORM returns
1106 lease-time only if it's specifically requested
1107 (maintaining standards) and the dhcp_lease_time utility
1108 has been taught to ask for it (restoring functionality).
Simon Kelley86e92f92013-04-23 11:31:39 +01001109
Simon Kelley32be32e2017-06-25 21:33:28 +01001110 Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass
1111 to work with BOOTP and well as DHCP. Thanks to Peter
1112 Korsgaard for spotting the problem.
Simon Kelley2bb73af2013-04-24 17:38:19 +01001113
Simon Kelley32be32e2017-06-25 21:33:28 +01001114 Add --synth-domain. Thanks to Vishvananda Ishaya for
1115 suggesting this.
Simon Kelleyd5052fb2013-04-25 12:44:20 +01001116
Simon Kelley32be32e2017-06-25 21:33:28 +01001117 Fix failure to compile ipset.c if old kernel headers are
1118 in use. Thanks to Eugene Rudoy for pointing this out.
Simon Kelley3f2873d2013-05-14 11:28:47 +01001119
Simon Kelley32be32e2017-06-25 21:33:28 +01001120 Handle IPv4 interface-address labels in Linux. These are
1121 often used to emulate the old IP-alias addresses. Before,
1122 using --interface=eth0 would service all the addresses of
1123 eth0, including ones configured as aliases, which appear
1124 in ifconfig as eth0:0. Now, only addresses with the label
1125 eth0 are active. This is not backwards compatible: if you
1126 want to continue to bind the aliases too, you need to add
1127 eg. --interface=eth0:0 to the config.
Giacomo Tazzari797a7af2013-04-22 13:16:37 +01001128
Simon Kelley32be32e2017-06-25 21:33:28 +01001129 Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket
1130 operation on non-socket" error on startup with
1131 configurations which have exactly one --interface option
1132 and do RA but _not_ DHCPv6. Thanks to Trever Adams for the
1133 bug report.
Simon Kelley115ac3e2013-05-20 11:28:32 +01001134
Simon Kelley32be32e2017-06-25 21:33:28 +01001135 Generalise --interface-name to cope with IPv6 addresses
1136 and multiple addresses per interface per address family.
Simon Kelleybaa80ae2013-05-29 16:32:07 +01001137
Simon Kelley32be32e2017-06-25 21:33:28 +01001138 Fix option parsing for --dhcp-host, which was generating a
1139 spurious error when all seven possible items were
1140 included. Thanks to Zhiqiang Wang for the bug report.
Simon Kelleybaa80ae2013-05-29 16:32:07 +01001141
Simon Kelley32be32e2017-06-25 21:33:28 +01001142 Remove restriction on prefix-length in --auth-zone. Thanks
1143 to Toke Hoiland-Jorgensen for suggesting this.
Marcelo Salhab Brogliato0da5e892013-05-31 11:49:06 +01001144
Simon Kelley32be32e2017-06-25 21:33:28 +01001145 Log when the maximum number of concurrent DNS queries is
1146 reached. Thanks to Marcelo Salhab Brogliato for the patch.
Simon Kelleye2ba0df2013-05-31 17:04:25 +01001147
Simon Kelley32be32e2017-06-25 21:33:28 +01001148 If wildcards are used in --interface, don't assume that
1149 there will only ever be one available interface for DHCP
1150 just because there is one at start-up. More may appear, so
1151 we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
1152 report.
Simon Kelleyb4b93082013-06-19 10:31:23 +01001153
Simon Kelley32be32e2017-06-25 21:33:28 +01001154 Increase timeout/number of retries in TFTP to accommodate
1155 AudioCodes Voice Gateways doing streaming writes to flash.
1156 Thanks to Damian Kaczkowski for spotting the problem.
Simon Kelley625ac282013-07-02 21:19:32 +01001157
Simon Kelley32be32e2017-06-25 21:33:28 +01001158 Fix crash with empty DHCP string options when adding zero
1159 terminator. Thanks to Patrick McLean for the bug report.
Kyle Mesteryd859ca22013-07-24 13:11:58 +01001160
Simon Kelley32be32e2017-06-25 21:33:28 +01001161 Allow hostnames to start with a number, as allowed in
1162 RFC-1123. Thanks to Kyle Mestery for the patch.
Roy Marples3f3adae2013-07-25 16:22:46 +01001163
Simon Kelley32be32e2017-06-25 21:33:28 +01001164 Fixes to DHCP FQDN option handling: don't terminate FQDN
1165 if domain not known and allow a FQDN option with blank
1166 name to request that a FQDN option is returned in the
1167 reply. Thanks to Roy Marples for the patch.
Simon Kelleyd9fb0be2013-07-25 21:47:17 +01001168
Simon Kelley32be32e2017-06-25 21:33:28 +01001169 Make --clear-on-reload apply to setting upstream servers
1170 via DBus too.
Simon Kelleyef1a94a2013-07-26 13:59:03 +01001171
Simon Kelley32be32e2017-06-25 21:33:28 +01001172 When the address which triggered the construction of an
1173 advertised IPv6 prefix disappears, continue to advertise
1174 the prefix for up to 2 hours, with the preferred lifetime
1175 set to zero. This satisfies RFC 6204 4.3 L-13 and makes
1176 things work better if a prefix disappears without being
1177 deprecated first. Thanks to Uwe Schindler for persuasively
1178 arguing for this.
Simon Kelleyb4b93082013-06-19 10:31:23 +01001179
Simon Kelley32be32e2017-06-25 21:33:28 +01001180 Fix MAC address enumeration on *BSD. Thanks to Brad Smith
1181 for the bug report.
Simon Kelley871d4562013-07-27 21:32:32 +01001182
Simon Kelley32be32e2017-06-25 21:33:28 +01001183 Support RFC-4242 information-refresh-time options in the
1184 reply to DHCPv6 information-request. The lease time of the
1185 smallest valid dhcp-range is sent. Thanks to Uwe Schindler
1186 for suggesting this.
Simon Kelleyedf0bde2013-07-29 17:21:48 +01001187
Simon Kelley32be32e2017-06-25 21:33:28 +01001188 Make --listen-address higher priority than --except-interface
1189 in all circumstances. Thanks to Thomas Hood for the bugreport.
Simon Kelley2937f8a2013-07-29 19:49:07 +01001190
Simon Kelley32be32e2017-06-25 21:33:28 +01001191 Provide independent control over which interfaces get TFTP
1192 service. If enable-tftp is given a list of interfaces, then TFTP
1193 is provided on those. Without the list, the previous behaviour
1194 (provide TFTP to the same interfaces we provide DHCP to)
1195 is retained. Thanks to Lonnie Abelbeck for the suggestion.
Simon Kelleyff7eea22013-09-04 18:01:38 +01001196
Simon Kelley32be32e2017-06-25 21:33:28 +01001197 Add --dhcp-relay config option. Many thanks to vtsl.net
1198 for sponsoring this development.
Simon Kelley0932f9c2013-09-05 11:30:30 +01001199
Simon Kelley32be32e2017-06-25 21:33:28 +01001200 Fix crash with empty tag: in --dhcp-range. Thanks to
1201 Kaspar Schleiser for the bug report.
Simon Kelleyceae52d2013-09-12 15:05:47 +01001202
Simon Kelley32be32e2017-06-25 21:33:28 +01001203 Add "baseline" and "bloatcheck" makefile targets, for
1204 revealing size changes during development. Thanks to
1205 Vladislav Grishenko for the patch.
Simon Kelleyc8f2dd82013-09-13 11:22:55 +01001206
Simon Kelley32be32e2017-06-25 21:33:28 +01001207 Cope with DHCPv6 clients which send REQUESTs without
1208 address options - treat them as SOLICIT with rapid commit.
Simon Kelley89500e32013-09-20 16:29:20 +01001209
Simon Kelley32be32e2017-06-25 21:33:28 +01001210 Support identification of clients by MAC address in
1211 DHCPv6. When using a relay, the relay must support RFC
1212 6939 for this to work. It always works for directly
1213 connected clients. Thanks to Vladislav Grishenko
1214 for prompting this feature.
Simon Kelley889d8a12013-10-02 13:12:09 +01001215
Simon Kelley32be32e2017-06-25 21:33:28 +01001216 Remove the rule for constructed DHCP ranges that the local
1217 address must be either the first or last address in the
1218 range. This was originally to avoid SLAAC addresses, but
1219 we now explicitly autoconfig and privacy addresses instead.
Tanguy Bouzelocef1d7422013-10-03 11:06:31 +01001220
Simon Kelley32be32e2017-06-25 21:33:28 +01001221 Update Polish translation. Thanks to Jan Psota.
Simon Kelley871d4562013-07-27 21:32:32 +01001222
Simon Kelley32be32e2017-06-25 21:33:28 +01001223 Fix problem in DHCPv6 vendorclass/userclass matching
1224 code. Thanks to Tanguy Bouzeloc for the patch.
Simon Kelleyc4cd95d2013-10-10 20:58:11 +01001225
Simon Kelley32be32e2017-06-25 21:33:28 +01001226 Update Spanish translation. Thanks to Vicente Soriano.
Simon Kelleyed4c0762013-10-08 20:46:34 +01001227
Simon Kelley32be32e2017-06-25 21:33:28 +01001228 Add --ra-param option. Thanks to Vladislav Grishenko for
1229 inspiration on this.
Kevin Darbyshire-Bryant8c0b73d2013-10-11 11:56:33 +01001230
Simon Kelley32be32e2017-06-25 21:33:28 +01001231 Add --add-subnet configuration, to tell upstream DNS
1232 servers where the original client is. Thanks to DNSthingy
1233 for sponsoring this feature.
Simon Kelleyd56a6042013-10-11 14:39:03 +01001234
Simon Kelley32be32e2017-06-25 21:33:28 +01001235 Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
1236 Kevin Darbyshire-Bryant for the initial patch.
Simon Kelley24b5a5d2013-10-11 15:19:28 +01001237
Simon Kelley32be32e2017-06-25 21:33:28 +01001238 Allow A/AAAA records created by --interface-name to be the
1239 target of --cname. Thanks to Hadmut Danisch for the
1240 suggestion.
Simon Kelley45cca582013-10-15 10:20:13 +01001241
Simon Kelley32be32e2017-06-25 21:33:28 +01001242 Avoid treating a --dhcp-host which has an IPv6 address
1243 as eligible for use with DHCPv4 on the grounds that it has
1244 no address, and vice-versa. Thanks to Yury Konovalov for
1245 spotting the problem.
1246
1247 Do a better job caching dangling CNAMEs. Thanks to Yves
1248 Dorfsman for spotting the problem.
1249
1250
Simon Kelley333b2ce2013-01-07 21:46:03 +00001251version 2.66
Simon Kelley32be32e2017-06-25 21:33:28 +01001252 Add the ability to act as an authoritative DNS
1253 server. Dnsmasq can now answer queries from the wider 'net
1254 with local data, as long as the correct NS records are set
1255 up. Only local data is provided, to avoid creating an open
1256 DNS relay. Zone transfer is supported, to allow secondary
1257 servers to be configured.
Simon Kelley333b2ce2013-01-07 21:46:03 +00001258
Simon Kelley32be32e2017-06-25 21:33:28 +01001259 Add "constructed DHCP ranges" for DHCPv6. This is intended
1260 for IPv6 routers which get prefixes dynamically via prefix
1261 delegation. With suitable configuration, stateful DHCPv6
1262 and RA can happen automatically as prefixes are delegated
1263 and then deprecated, without having to re-write the
1264 dnsmasq configuration file or restart the daemon. Thanks to
1265 Steven Barth for extensive testing and development work on
1266 this idea.
Simon Kelley71c73ac2013-01-08 21:22:24 +00001267
Simon Kelley32be32e2017-06-25 21:33:28 +01001268 Fix crash on startup on Solaris 11. Regression probably
1269 introduced in 2.61. Thanks to Geoff Johnstone for the
1270 patch.
Simon Kelley22ce5502013-01-22 13:53:04 +00001271
Simon Kelley32be32e2017-06-25 21:33:28 +01001272 Add code to make behaviour for TCP DNS requests that same
1273 as for UDP requests, when a request arrives for an allowed
1274 address, but via a banned interface. This change is only
1275 active on Linux, since the relevant API is missing (AFAIK)
1276 on other platforms. Many thanks to Tomas Hozza for
1277 spotting the problem, and doing invaluable discovery of
1278 the obscure and undocumented API required for the solution.
Simon Kelleya21e27b2013-02-17 16:41:35 +00001279
Simon Kelley32be32e2017-06-25 21:33:28 +01001280 Don't send the default DHCP option advertising dnsmasq as
1281 the local DNS server if dnsmasq is configured to not act
1282 as DNS server, or it's configured to a non-standard port.
Simon Kelley4038ae22013-02-19 16:47:07 +00001283
Simon Kelley32be32e2017-06-25 21:33:28 +01001284 Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID,
1285 DNSMASQ_REMOTE_ID variables to the environment of the
1286 lease-change script (and the corresponding Lua). These hold
1287 information inserted into the DHCP request by a DHCP relay
1288 agent. Thanks to Lakefield Communications for providing a
1289 bounty for this addition.
Jason A. Donenfeld13d86c72013-02-22 18:20:53 +00001290
Simon Kelley32be32e2017-06-25 21:33:28 +01001291 Fixed crash, introduced in 2.64, whilst handling DHCPv6
1292 information-requests with some common configurations.
1293 Thanks to Robert M. Albrecht for the bug report and
1294 chasing the problem.
Simon Kelleyc7961072013-02-28 15:17:58 +00001295
Simon Kelley32be32e2017-06-25 21:33:28 +01001296 Add --ipset option. Thanks to Jason A. Donenfeld for the
1297 patch.
Simon Kelley56a11422013-04-02 17:02:58 +01001298
Simon Kelley32be32e2017-06-25 21:33:28 +01001299 Don't erroneously reject some option names in --dhcp-match
1300 options. Thanks to Benedikt Hochstrasser for the bug report.
Simon Kelley0b0a73c2013-04-11 14:07:02 +01001301
Simon Kelley32be32e2017-06-25 21:33:28 +01001302 Allow a trailing '*' wildcard in all interface-name
1303 configurations. Thanks to Christian Parpart for the patch.
Simon Kelley834f36f2013-04-17 13:52:49 +01001304
Simon Kelley32be32e2017-06-25 21:33:28 +01001305 Handle the situation where libc headers define
1306 SO_REUSEPORT, but the kernel in use doesn't, to cope with
1307 the introduction of this option to Linux. Thanks to Rich
1308 Felker for the bug report.
1309
1310 Update Polish translation. Thanks to Jan Psota.
1311
1312 Fix crash if the configured DHCP lease limit is
1313 reached. Regression occurred in 2.61. Thanks to Tsachi for
1314 the bug report.
1315
1316 Update the French translation. Thanks to Gildas le Nadan.
1317
1318
Simon Kelleyee86ce62012-12-07 11:54:46 +00001319version 2.65
Simon Kelley32be32e2017-06-25 21:33:28 +01001320 Fix regression which broke forwarding of queries sent via
1321 TCP which are not for A and AAAA and which were directed to
1322 non-default servers. Thanks to Niax for the bug report.
Simon Kelleyee86ce62012-12-07 11:54:46 +00001323
Simon Kelley32be32e2017-06-25 21:33:28 +01001324 Fix failure to build with DHCP support excluded. Thanks to
1325 Gustavo Zacarias for the patch.
1326
1327 Fix nasty regression in 2.64 which completely broke caching.
Simon Kelleyb5a8dd12012-12-10 11:37:25 +00001328
1329
Simon Kelley2e34ac12012-08-29 14:15:25 +01001330version 2.64
Simon Kelley32be32e2017-06-25 21:33:28 +01001331 Handle DHCP FQDN options with all flag bits zero and
1332 --dhcp-client-update set. Thanks to Bernd Krumbroeck for
1333 spotting the problem.
Simon Kelley2e34ac12012-08-29 14:15:25 +01001334
Simon Kelley32be32e2017-06-25 21:33:28 +01001335 Finesse the check for /etc/hosts names which conflict with
1336 DHCP names. Previously a name/address pair in /etc/hosts
1337 which didn't match the name/address of a DHCP lease would
1338 generate a warning. Now that only happens if there is not
1339 also a match. This allows multiple addresses for a name in
1340 /etc/hosts with one of them assigned via DHCP.
Simon Kelley12d71ed2012-08-30 15:16:41 +01001341
Simon Kelley32be32e2017-06-25 21:33:28 +01001342 Fix broken vendor-option processing for BOOTP. Thanks to
1343 Hans-Joachim Baader for the bug report.
Simon Kelley4d0f5b42012-09-05 23:29:30 +01001344
Simon Kelley32be32e2017-06-25 21:33:28 +01001345 Don't report spurious netlink errors, regression in
1346 2.63. Thanks to Vladislav Grishenko for the patch.
Simon Kelleydfb23b32012-09-18 21:44:47 +01001347
Simon Kelley32be32e2017-06-25 21:33:28 +01001348 Flag DHCP or DHCPv6 in startup logging. Thanks to
1349 Vladislav Grishenko for the patch.
Simon Kelley2b127a12012-09-18 21:51:22 +01001350
Simon Kelley32be32e2017-06-25 21:33:28 +01001351 Add SetServersEx method in DBus interface. Thanks to Dan
1352 Williams for the patch.
Simon Kelleyfaafb3f2012-09-20 14:17:39 +01001353
Simon Kelley32be32e2017-06-25 21:33:28 +01001354 Add SetDomainServers method in DBus interface. Thanks to
1355 Roy Marples for the patch.
Simon Kelley295a54e2012-12-01 21:02:15 +00001356
Simon Kelley32be32e2017-06-25 21:33:28 +01001357 Fix build with later Lua libraries. Thanks to Cristian
1358 Rodriguez for the patch.
Simon Kelley2e34ac12012-08-29 14:15:25 +01001359
Simon Kelley32be32e2017-06-25 21:33:28 +01001360 Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker
1361 for the patch.
Simon Kelley1d860412012-09-20 20:48:04 +01001362
Simon Kelley32be32e2017-06-25 21:33:28 +01001363 Fix breakage of --host-record parsing, resulting in
1364 infinite loop at startup. Regression in 2.63. Thanks to
1365 Haim Gelfenbeyn for spotting this.
Simon Kelleye4807d82012-09-27 21:52:26 +01001366
Simon Kelley32be32e2017-06-25 21:33:28 +01001367 Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6
1368 socket, this allows multiple instances of dnsmasq on a
1369 single machine, in the same way as for DHCPv4. Thanks to
1370 Gene Czarcinski and Vladislav Grishenko for work on this.
Simon Kelley20223102012-10-15 10:41:17 +01001371
Simon Kelley32be32e2017-06-25 21:33:28 +01001372 Fix DHCPv6 to do access control correctly when it's
1373 configured with --listen-address. Thanks to
1374 Gene Czarcinski for sorting this out.
Simon Kelleybe6cfb42012-10-16 20:38:31 +01001375
Simon Kelley32be32e2017-06-25 21:33:28 +01001376 Add a "wildcard" dhcp-range which works for any IPv6
1377 subnet, --dhcp-range=::,static Useful for Stateless
1378 DHCPv6. Thanks to Vladislav Grishenko for the patch.
Simon Kelley819ff4d2012-10-21 18:25:12 +01001379
Simon Kelley32be32e2017-06-25 21:33:28 +01001380 Don't include lease-time in DHCPACK replies to DHCPINFORM
1381 queries, since RFC-2131 says we shouldn't. Thanks to
1382 Wouter Ibens for pointing this out.
Simon Kelley8e4b8792012-11-14 14:12:56 +00001383
Simon Kelley32be32e2017-06-25 21:33:28 +01001384 Makefile tweak to do dependency checking on header files.
1385 Thanks to Johan Peeters for the patch.
Simon Kelleyd89fb4e2012-12-01 21:21:13 +00001386
Simon Kelley32be32e2017-06-25 21:33:28 +01001387 Check interface for outgoing unsolicited router
1388 advertisements, rather than relying on interface address
1389 configuration. Thanks to Gene Czarinski for the patch.
Simon Kelley29d28dd2012-12-03 14:05:59 +00001390
Simon Kelley32be32e2017-06-25 21:33:28 +01001391 Handle better attempts to transmit on interfaces which are
1392 still doing DAD, and specifically do not just transmit
1393 without setting source address and interface, since this
1394 can cause very puzzling effects when a router
1395 advertisement goes astray. Thanks again to Gene Czarinski.
Simon Kelley29d28dd2012-12-03 14:05:59 +00001396
Simon Kelley32be32e2017-06-25 21:33:28 +01001397 Get RA timers right when there is more than one
1398 dhcp-range on a subnet.
1399
Simon Kelleyd1a59752012-11-05 16:50:30 +00001400
Simon Kelley078a6302012-06-07 13:56:23 +01001401version 2.63
Simon Kelley32be32e2017-06-25 21:33:28 +01001402 Do duplicate dhcp-host address check in --test mode.
Simon Kelley078a6302012-06-07 13:56:23 +01001403
Simon Kelley32be32e2017-06-25 21:33:28 +01001404 Check that tftp-root directories are accessible before
1405 start-up. Thanks to Daniel Veillard for the initial patch.
Simon Kelley8b3ae2f2012-06-13 13:43:49 +01001406
Simon Kelley32be32e2017-06-25 21:33:28 +01001407 Allow more than one --tfp-root flag. The per-interface
1408 stuff is pointless without that.
Simon Kelley8b3ae2f2012-06-13 13:43:49 +01001409
Simon Kelley32be32e2017-06-25 21:33:28 +01001410 Add --bind-dynamic. A hybrid mode between the default and
1411 --bind-interfaces which copes with dynamically created
1412 interfaces.
Simon Kelley54dd3932012-06-20 11:23:38 +01001413
Simon Kelley32be32e2017-06-25 21:33:28 +01001414 A couple of fixes to the build system for Android. Thanks
1415 to Metin Kaya for the patches.
Simon Kelley8bc4cec2012-07-03 21:04:11 +01001416
Simon Kelley32be32e2017-06-25 21:33:28 +01001417 Remove the interface:<interface> argument in --dhcp-range, and
1418 the interface argument to --enable-tftp. These were a
1419 still-born attempt to allow automatic isolated
1420 configuration by libvirt, but have never (to my knowledge)
1421 been used, had very strange semantics, and have been
1422 superseded by other mechanisms.
Simon Kelleyc4a7f902012-07-12 20:52:12 +01001423
Simon Kelley32be32e2017-06-25 21:33:28 +01001424 Fixed bug logging filenames when duplicate dhcp-host
1425 addresses are found. Thanks to John Hanks for the patch.
Simon Kelley611ebc52012-07-16 16:23:46 +01001426
Simon Kelley32be32e2017-06-25 21:33:28 +01001427 Fix regression in 2.61 which broke caching of CNAME
1428 chains. Thanks to Atul Gupta for the bug report.
Simon Kelley611ebc52012-07-16 16:23:46 +01001429
Simon Kelley32be32e2017-06-25 21:33:28 +01001430 Allow the target of a --cname flag to be another --cname.
Simon Kelley42243212012-07-20 15:19:18 +01001431
Simon Kelley32be32e2017-06-25 21:33:28 +01001432 Teach DHCPv6 about the RFC 4242 information-refresh-time
1433 option, and add parsing if the minutes, hours and days
1434 format for options. Thanks to Francois-Xavier Le Bail for
1435 the suggestion.
Simon Kelley42243212012-07-20 15:19:18 +01001436
Simon Kelley32be32e2017-06-25 21:33:28 +01001437 Allow "w" (for week) as multiplier in lease times, as well
1438 as seconds, minutes, hours and days. Álvaro Gámez Machado
1439 spotted the omission.
Simon Kelleyad094272012-08-10 17:10:54 +01001440
Simon Kelley32be32e2017-06-25 21:33:28 +01001441 Update French translation. Thanks to Gildas Le Nadan.
1442
1443 Allow a DBus service name to be given with --enable-dbus
1444 which overrides the default,
1445 uk.org.thekelleys.dnsmasq. Thanks to Mathieu
1446 Trudel-Lapierre for the patch.
1447
1448 Set the "prefix on-link" bit in Router
1449 Advertisements. Thanks to Gui Iribarren for the patch.
Simon Kelleyfd05f122012-08-12 17:48:50 +01001450
Simon Kelley078a6302012-06-07 13:56:23 +01001451
Simon Kelley8358e0f2012-04-29 21:53:09 +01001452version 2.62
Simon Kelley32be32e2017-06-25 21:33:28 +01001453 Update German translation. Thanks to Conrad Kostecki.
Simon Kelley8358e0f2012-04-29 21:53:09 +01001454
Simon Kelley32be32e2017-06-25 21:33:28 +01001455 Cope with router-solict packets which don't have a valid
1456 source address. Thanks to Vladislav Grishenko for the patch.
Simon Kelleyf632e562012-05-12 15:05:34 +01001457
Simon Kelley32be32e2017-06-25 21:33:28 +01001458 Fixed bug which caused missing periodic router
1459 advertisements with some configurations. Thanks to
1460 Vladislav Grishenko for the patch.
Simon Kelley919dd7c2012-05-12 15:23:09 +01001461
Simon Kelley32be32e2017-06-25 21:33:28 +01001462 Fixed bug which broke DHCPv6/RA with prefix lengths
1463 which are not divisible by 8. Thanks to Andre Coetzee
1464 for spotting this.
Simon Kelleyc64b7f62012-05-18 10:19:59 +01001465
Simon Kelley32be32e2017-06-25 21:33:28 +01001466 Fix non-response to router-solicitations when
1467 router-advertisement configured, but DHCPv6 not
1468 configured. Thanks to Marien Zwart for the patch.
Simon Kelley18c63ef2012-05-21 14:34:15 +01001469
Simon Kelley32be32e2017-06-25 21:33:28 +01001470 Add --dns-rr, to allow arbitrary DNS resource records.
Simon Kelley9f7f3b12012-05-28 21:39:57 +01001471
Simon Kelley32be32e2017-06-25 21:33:28 +01001472 Fixed bug which broke RA scheduling when an interface had
1473 two addresses in the same network. Thanks to Jim Bos for
1474 his help nailing this.
Simon Kelley5ae34bf2012-06-04 21:14:03 +01001475
Simon Kelleyeabc6dd2012-03-07 20:28:20 +00001476version 2.61
Simon Kelley32be32e2017-06-25 21:33:28 +01001477 Re-write interface discovery code on *BSD to use
1478 getifaddrs. This is more portable, more straightforward,
1479 and allows us to find the prefix length for IPv6
1480 addresses.
Simon Kelleyeabc6dd2012-03-07 20:28:20 +00001481
Simon Kelley32be32e2017-06-25 21:33:28 +01001482 Add ra-names, ra-stateless and slaac keywords for DHCPv6.
1483 Dnsmasq can now synthesise AAAA records for dual-stack
1484 hosts which get IPv6 addresses via SLAAC. It is also now
1485 possible to use SLAAC and stateless DHCPv6, and to
1486 tell clients to use SLAAC addresses as well as DHCP ones.
1487 Thanks to Dave Taht for help with this.
Simon Kelley7023e382012-03-09 12:05:49 +00001488
Simon Kelley32be32e2017-06-25 21:33:28 +01001489 Add --dhcp-duid to allow DUID-EN uids to be used.
Simon Kelley8b372702012-03-09 17:45:10 +00001490
Simon Kelley32be32e2017-06-25 21:33:28 +01001491 Explicitly send DHCPv6 replies to the correct port, instead
1492 of relying on clients to send requests with the correct
1493 source address, since at least one client in the wild gets
1494 this wrong. Thanks to Conrad Kostecki for help tracking
1495 this down.
Simon Kelleyeabc6dd2012-03-07 20:28:20 +00001496
Simon Kelley32be32e2017-06-25 21:33:28 +01001497 Send a preference value of 255 in DHCPv6 replies when
1498 --dhcp-authoritative is in effect. This tells clients not
1499 to wait around for other DHCP servers.
Simon Kelley8643ec72012-03-12 20:04:14 +00001500
Simon Kelley32be32e2017-06-25 21:33:28 +01001501 Better logging of DHCPv6 options.
Simon Kelley8643ec72012-03-12 20:04:14 +00001502
Simon Kelley32be32e2017-06-25 21:33:28 +01001503 Add --host-record. Thanks to Rob Zwissler for the
1504 suggestion.
Simon Kelleye759d422012-03-16 13:18:57 +00001505
Simon Kelley32be32e2017-06-25 21:33:28 +01001506 Invoke the DHCP script with action "tftp" when a TFTP file
1507 transfer completes. The size of the file, address to which
1508 it was sent and complete pathname are supplied. Note that
1509 version 2.60 introduced some script incompatibilities
1510 associated with DHCPv6, and this is a further change. To
1511 be safe, scripts should ignore unknown actions, and if
1512 not IPv6-aware, should exit if the environment
1513 variable DNSMASQ_IAID is set. The use-case for this is
1514 to track netboot/install. Suggestion from Shantanu
1515 Gadgil.
Simon Kelleya9530962012-03-20 22:07:35 +00001516
Simon Kelley32be32e2017-06-25 21:33:28 +01001517 Update contrib/port-forward/dnsmasq-portforward to reflect
1518 the above.
Simon Kelleya9530962012-03-20 22:07:35 +00001519
Simon Kelley32be32e2017-06-25 21:33:28 +01001520 Set the environment variable DNSMASQ_LOG_DHCP when running
1521 the script id --log-dhcp is in effect, so that script can
1522 taylor their logging verbosity. Suggestion from Malte
1523 Forkel.
Simon Kelleya9530962012-03-20 22:07:35 +00001524
Simon Kelley32be32e2017-06-25 21:33:28 +01001525 Arrange that addresses specified with --listen-address
1526 work even if there is no interface carrying the
1527 address. This is chiefly useful for IPv4 loopback
1528 addresses, where any address in 127.0.0.0/8 is a valid
1529 loopback address, but normally only 127.0.0.1 appears on
1530 the lo interface. Thanks to Mathieu Trudel-Lapierre for
1531 the idea and initial patch.
Simon Kelley7d2b5c92012-03-23 10:00:02 +00001532
Simon Kelley32be32e2017-06-25 21:33:28 +01001533 Fix crash, introduced in 2.60, when a DHCPINFORM is
1534 received from a network which has no valid dhcp-range.
1535 Thanks to Stephane Glondu for the bug report.
Simon Kelleyc8257542012-03-28 21:15:41 +01001536
Simon Kelley32be32e2017-06-25 21:33:28 +01001537 Add a new DHCP lease time keyword, "deprecated" for
1538 --dhcp-range. This is only valid for IPv6, and sets the
1539 preferred lease time for both DHCP and RA to zero. The
1540 effect is that clients can continue to use the address
1541 for existing connections, but new connections will use
1542 other addresses, if they exist. This makes hitless
1543 renumbering at least possible.
Simon Kelley18f0fb02012-03-31 21:18:55 +01001544
Simon Kelley32be32e2017-06-25 21:33:28 +01001545 Fix bug in address6_available() which caused DHCPv6 lease
1546 acquisition to fail if more than one dhcp-range in use.
Simon Kelley6c559c32012-04-02 20:40:34 +01001547
Simon Kelley32be32e2017-06-25 21:33:28 +01001548 Provide RDNSS and DNSSL data in router advertisements,
1549 using the settings provided for DHCP options
1550 option6:domain-search and option6:dns-server.
Simon Kelley9380ba72012-04-16 14:41:56 +01001551
Simon Kelley32be32e2017-06-25 21:33:28 +01001552 Tweak logo/favicon.ico to add some transparency. Thanks to
1553 SamLT for work on this.
Simon Kelleye46164e2012-04-16 16:39:38 +01001554
Simon Kelley32be32e2017-06-25 21:33:28 +01001555 Don't cache data from non-recursive nameservers, since it
1556 may erroneously look like a valid CNAME to a non-existent
1557 name. Thanks to Ben Winslow for finding this.
Simon Kelleyd1c759c2012-04-16 17:26:19 +01001558
Simon Kelley32be32e2017-06-25 21:33:28 +01001559 Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP
1560 on exactly one interface and --bind-interfaces is set. This
1561 makes the OpenStack use-case of one dnsmasq per virtual
1562 interface work. This is only available on Linux; it's not
1563 supported on other platforms. Thanks to Vishvananda Ishaya
1564 and the OpenStack team for the suggestion.
Simon Kelleydcffad22012-04-24 15:25:18 +01001565
Simon Kelley32be32e2017-06-25 21:33:28 +01001566 Updated French translation. Thanks to Gildas Le Nadan.
Simon Kelley19d69be2012-04-27 10:14:34 +01001567
Simon Kelley32be32e2017-06-25 21:33:28 +01001568 Give correct from-cache answers to explicit CNAME queries.
1569 Thanks to Rob Zwissler for spotting this.
1570
1571 Add --tftp-lowercase option. Thanks to Oliver Rath for the
1572 patch.
1573
1574 Ensure that the DBus DhcpLeaseUpdated events are generated
1575 when a lease goes through INIT_REBOOT state, even if the
1576 dhcp-script is not in use. Thanks to Antoaneta-Ecaterina
1577 Ene for the patch.
1578
1579 Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks
1580 to Brad Smith for spotting this.
1581
Simon Kelleyc8257542012-03-28 21:15:41 +01001582
Simon Kelleyc72daea2012-01-05 21:33:27 +00001583version 2.60
Simon Kelley32be32e2017-06-25 21:33:28 +01001584 Fix compilation problem in Mac OS X Lion. Thanks to Olaf
1585 Flebbe for the patch.
Simon Kelley74c95c22011-10-19 09:33:39 +01001586
Simon Kelley32be32e2017-06-25 21:33:28 +01001587 Fix DHCP when using --listen-address with an IP address
1588 which is not the primary address of an interface.
Simon Kelleyc72daea2012-01-05 21:33:27 +00001589
Simon Kelley32be32e2017-06-25 21:33:28 +01001590 Add --dhcp-client-update option.
Simon Kelleyc72daea2012-01-05 21:33:27 +00001591
Simon Kelley32be32e2017-06-25 21:33:28 +01001592 Add Lua integration. Dnsmasq can now execute a DHCP
1593 lease-change script written in Lua. This needs to be
1594 enabled at compile time by setting HAVE_LUASCRIPT in
1595 src/config.h or running "make COPTS=-DHAVE_LUASCRIPT"
1596 Thanks to Jan-Piet Mens for the idea and proof-of-concept
1597 implementation.
Simon Kelleyc72daea2012-01-05 21:33:27 +00001598
Simon Kelley32be32e2017-06-25 21:33:28 +01001599 Tidied src/config.h to distinguish between
1600 platform-dependent compile-time options which are selected
1601 automatically, and builder-selectable compile time
1602 options. Document the latter better, and describe how to
1603 set them from the make command line.
Simon Kelleyc72daea2012-01-05 21:33:27 +00001604
Simon Kelley32be32e2017-06-25 21:33:28 +01001605 Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent)
1606 confusion. IPPROTO_IP works everywhere now.
Simon Kelleyc72daea2012-01-05 21:33:27 +00001607
Simon Kelley32be32e2017-06-25 21:33:28 +01001608 Set TOS on DHCP sockets, this improves things on busy
1609 wireless networks. Thanks to Dave Taht for the patch.
Simon Kelleya2761752012-01-18 16:07:21 +00001610
Simon Kelley32be32e2017-06-25 21:33:28 +01001611 Determine VERSION automatically based on git magic:
1612 release tags or hash values.
Simon Kelleya2761752012-01-18 16:07:21 +00001613
Simon Kelley32be32e2017-06-25 21:33:28 +01001614 Improve start-up speed when reading large hosts files
1615 containing many distinct addresses.
Simon Kelley9bbc8872012-02-09 21:33:09 +00001616
Simon Kelley32be32e2017-06-25 21:33:28 +01001617 Fix problem if dnsmasq is started without the stdin,
1618 stdout and stderr file descriptors open. This can manifest
1619 itself as 100% CPU use. Thanks to Chris Moore for finding
1620 this.
Simon Kelley751d6f42012-02-10 15:24:51 +00001621
Simon Kelley32be32e2017-06-25 21:33:28 +01001622 Fix shell-scripting bug in bld/pkg-wrapper. Thanks to
1623 Mark Mitchell for the patch.
Simon Kelleyb36ae192012-02-13 12:54:34 +00001624
Simon Kelley32be32e2017-06-25 21:33:28 +01001625 Allow the TFP server or boot server in --pxe-service, to
1626 be a domain name instead of an IP address. This allows for
1627 round-robin to multiple servers, in the same way as
1628 --dhcp-boot. A good suggestion from Cristiano Cumer.
Simon Kelley1adadf52012-02-13 22:15:58 +00001629
Simon Kelley32be32e2017-06-25 21:33:28 +01001630 Support BUILDDIR variable in the Makefile. Allows builds
1631 for multiple archs from the same source tree with eg.
1632 make BUILDDIR=linux (relative to dnsmasq tree)
1633 make BUILDDIR=/tmp/openbsd (absolute path)
1634 If BUILDDIR is not set, compilation happens in the src
1635 directory, as before. Suggestion from Mark Mitchell.
Simon Kelleyac8540c2012-02-26 20:57:31 +00001636
Simon Kelley32be32e2017-06-25 21:33:28 +01001637 Support DHCPv6. Support is there for the sort of things
1638 the existing v4 server does, including tags, options,
1639 static addresses and relay support. Missing is prefix
1640 delegation, which is probably not required in the dnsmasq
1641 niche, and an easy way to accept prefix delegations from
1642 an upstream DHCPv6 server, which is. Future plans include
1643 support for DHCPv6 router option and MAC address option
1644 (to make selecting clients by MAC address work like IPv4).
1645 These will be added as the standards mature.
1646 This code has been tested, but this is the first release,
1647 so don't bet the farm on it just yet. Many thanks to all
1648 testers who have got it this far.
Simon Kelley552af8b2012-02-29 20:10:31 +00001649
Simon Kelley32be32e2017-06-25 21:33:28 +01001650 Support IPv6 router advertisements. This is a
1651 simple-minded implementation, aimed at providing the
1652 vestigial RA needed to go alongside IPv6. Is picks up
1653 configuration from the DHCPv6 conf, and should just need
1654 enabling with --enable-ra.
1655
1656 Fix long-standing wrinkle with --localise-queries that
1657 could result in wrong answers when DNS packets arrive
1658 via an interface other than the expected one. Thanks to
1659 Lorenzo Milesi and John Hanks for spotting this one.
1660
1661 Update French translation. Thanks to Gildas Le Nadan.
1662
1663 Update Polish translation. Thanks to Jan Psota.
Simon Kelleydf66e342012-03-04 20:04:22 +00001664
1665
Simon Kelleyc72daea2012-01-05 21:33:27 +00001666version 2.59
Simon Kelley32be32e2017-06-25 21:33:28 +01001667 Fix regression in 2.58 which caused failure to start up
1668 with some combinations of dnsmasq config and IPv6 kernel
1669 network config. Thanks to Brielle Bruns for the bug
1670 report.
Simon Kelleyc72daea2012-01-05 21:33:27 +00001671
Simon Kelley32be32e2017-06-25 21:33:28 +01001672 Improve dnsmasq's behaviour when network interfaces are
1673 still doing duplicate address detection (DAD). Previously,
1674 dnsmasq would wait up to 20 seconds at start-up for the
1675 DAD state to terminate. This is broken for bridge
1676 interfaces on recent Linux kernels, which don't start DAD
1677 until the bridge comes up, and so can take arbitrary
1678 time. The new behaviour lets dnsmasq poll for an arbitrary
1679 time whilst providing service on other interfaces. Thanks
1680 to Stephen Hemminger for pointing out the problem.
Simon Kelley74c95c22011-10-19 09:33:39 +01001681
1682
Simon Kelley7de060b2011-08-26 17:24:52 +01001683version 2.58
Simon Kelley32be32e2017-06-25 21:33:28 +01001684 Provide a definition of the SA_SIZE macro where it's
1685 missing. Fixes build failure on openBSD.
Simon Kelley7de060b2011-08-26 17:24:52 +01001686
Simon Kelley32be32e2017-06-25 21:33:28 +01001687 Don't include a zero terminator at the end of messages
1688 sent to /dev/log when /dev/log is a datagram socket.
1689 Thanks to Didier Rabound for spotting the problem.
Simon Kelley7de060b2011-08-26 17:24:52 +01001690
Simon Kelley32be32e2017-06-25 21:33:28 +01001691 Add --dhcp-sequential-ip flag, to force allocation of IP
1692 addresses in ascending order. Note that the default
1693 pseudo-random mode is in general better but some
1694 server-deployment applications need this.
Simon Kelley7de060b2011-08-26 17:24:52 +01001695
Simon Kelley32be32e2017-06-25 21:33:28 +01001696 Fix problem where a server-id of 0.0.0.0 is sent to a
1697 client when a dhcp-relay is in use if a client renews a
1698 lease after dnsmasq restart and before any clients on the
1699 subnet get a new lease. Thanks to Mike Ruiz for assistance
1700 in chasing this one down.
Simon Kelley7de060b2011-08-26 17:24:52 +01001701
Simon Kelley32be32e2017-06-25 21:33:28 +01001702 Don't return NXDOMAIN to an AAAA query if we have CNAME
1703 which points to an A record only: NODATA is the correct
1704 reply in this case. Thanks to Tom Fernandes for spotting
1705 the problem.
Simon Kelley7de060b2011-08-26 17:24:52 +01001706
Simon Kelley32be32e2017-06-25 21:33:28 +01001707 Relax the need to supply a netmask in --dhcp-range for
1708 networks which use a DHCP relay. Whilst this is still
1709 desirable, in the absence of a netmask dnsmasq will use
1710 a default based on the class (A, B, or C) of the address.
1711 This should at least remove a cause of mysterious failure
1712 for people using RFC1918 addresses and relays.
Simon Kelley7de060b2011-08-26 17:24:52 +01001713
Simon Kelley32be32e2017-06-25 21:33:28 +01001714 Add support for Linux conntrack connection marking. If
1715 enabled with --conntrack, the connection mark for incoming
1716 DNS queries will be copied to the outgoing connections
1717 used to answer those queries. This allows clever firewall
1718 and accounting stuff. Only available if dnsmasq is
1719 compiled with HAVE_CONNTRACK and adds a dependency on
1720 libnetfilter-conntrack. Thanks to Ed Wildgoose for the
1721 initial idea, testing and sponsorship of this function.
Simon Kelley7de060b2011-08-26 17:24:52 +01001722
Simon Kelley32be32e2017-06-25 21:33:28 +01001723 Provide a sane error message when someone attempts to
1724 match a tag in --dhcp-host.
Simon Kelley7de060b2011-08-26 17:24:52 +01001725
Simon Kelley32be32e2017-06-25 21:33:28 +01001726 Tweak the behaviour of --domain-needed, to avoid problems
1727 with recursive nameservers downstream of dnsmasq. The new
1728 behaviour only stops A and AAAA queries, and returns
1729 NODATA rather than NXDOMAIN replies.
Simon Kelley7de060b2011-08-26 17:24:52 +01001730
Simon Kelley32be32e2017-06-25 21:33:28 +01001731 Efficiency fix for very large DHCP configurations, thanks
1732 to James Gartrell and Mike Ruiz for help with this.
Simon Kelley7de060b2011-08-26 17:24:52 +01001733
Simon Kelley32be32e2017-06-25 21:33:28 +01001734 Allow the TFTP-server address in --dhcp-boot to be a
1735 domain-name which is looked up in /etc/hosts. This can
1736 give multiple IP addresses which are used round-robin,
1737 thus doing TFTP server load-balancing. Thanks to Sushil
1738 Agrawal for the patch.
Simon Kelley7de060b2011-08-26 17:24:52 +01001739
Simon Kelley32be32e2017-06-25 21:33:28 +01001740 When two tagged dhcp-options for a particular option
1741 number are both valid, use the one which is valid without
1742 a tag from the dhcp-range. Allows overriding of the value
1743 of a DHCP option for a particular host as well as
1744 per-network values. So
1745 --dhcp-range=set:interface1,......
1746 --dhcp-host=set:myhost,.....
1747 --dhcp-option=tag:interface1,option:nis-domain,"domain1"
1748 --dhcp-option=tag:myhost,option:nis-domain,"domain2"
1749 will set the NIS-domain to domain1 for hosts in the range, but
1750 override that to domain2 for a particular host.
Simon Kelley7de060b2011-08-26 17:24:52 +01001751
Simon Kelley32be32e2017-06-25 21:33:28 +01001752 Fix bug which resulted in truncated files and timeouts for
1753 some TFTP transfers. The bug only occurs with netascii
1754 transfers and needs an unfortunate relationship between
1755 file size, blocksize and the number of newlines in the
1756 last block before it manifests itself. Many thanks to
1757 Alkis Georgopoulos for spotting the problem and providing
1758 a comprehensive test-case.
Simon Kelley7de060b2011-08-26 17:24:52 +01001759
Simon Kelley32be32e2017-06-25 21:33:28 +01001760 Fix regression in TFTP server on *BSD platforms introduced
1761 in version 2.56, due to confusion with sockaddr
1762 length. Many thanks to Loic Pefferkorn for finding this.
Simon Kelley7de060b2011-08-26 17:24:52 +01001763
Simon Kelley32be32e2017-06-25 21:33:28 +01001764 Support scope-ids in IPv6 addresses of nameservers from
1765 /etc/resolv.conf and in --server options. Eg
1766 nameserver fe80::202:a412:4512:7bbf%eth0 or
1767 server=fe80::202:a412:4512:7bbf%eth0. Thanks to
1768 Michael Stapelberg for the suggestion.
Simon Kelley7de060b2011-08-26 17:24:52 +01001769
Simon Kelley32be32e2017-06-25 21:33:28 +01001770 Update Polish translation, thanks to Jan Psota.
Simon Kelley7de060b2011-08-26 17:24:52 +01001771
Simon Kelley32be32e2017-06-25 21:33:28 +01001772 Update French translation. Thanks to Gildas Le Nadan.
Simon Kelley7de060b2011-08-26 17:24:52 +01001773
1774
Simon Kelley572b41e2011-02-18 18:11:18 +00001775version 2.57
Simon Kelley32be32e2017-06-25 21:33:28 +01001776 Add patches to allow build under Android.
Simon Kelley572b41e2011-02-18 18:11:18 +00001777
Simon Kelley32be32e2017-06-25 21:33:28 +01001778 Provide our own header for the DNS protocol, rather than
1779 relying on arpa/nameser.h. This has proved more or less
1780 defective over the years and the final straw is that it's
1781 effectively empty on Android.
Simon Kelley572b41e2011-02-18 18:11:18 +00001782
Simon Kelley32be32e2017-06-25 21:33:28 +01001783 Fix regression in 2.56 which caused hex constants in
1784 configuration to be rejected if they contain the '*'
1785 wildcard.
Simon Kelley572b41e2011-02-18 18:11:18 +00001786
Simon Kelley32be32e2017-06-25 21:33:28 +01001787 Correct wrong casts of arguments to ctype.h functions,
1788 isdigit(), isxdigit() etc. Thanks to Matthias Andree for
1789 spotting this.
Simon Kelley572b41e2011-02-18 18:11:18 +00001790
Simon Kelley32be32e2017-06-25 21:33:28 +01001791 Allow build with IDN support independently from i18n.
1792 IDN support continues to be included automatically
1793 when i18n is included.
1794 'make COPTS=-DHAVE_IDN' is the magic incantation.
Simon Kelley572b41e2011-02-18 18:11:18 +00001795
Simon Kelley32be32e2017-06-25 21:33:28 +01001796 Modify check on extraneous command line junk (added in
1797 2.56) so that it doesn't complain about extra _empty_
1798 arguments. Otherwise this breaks libvirt.
Simon Kelley572b41e2011-02-18 18:11:18 +00001799
1800
Simon Kelley28866e92011-02-14 20:19:14 +00001801version 2.56
Simon Kelley32be32e2017-06-25 21:33:28 +01001802 Add a patch to allow dnsmasq to get interface names right in a
1803 Solaris zone. Thanks to Dj Padzensky for this.
Simon Kelley28866e92011-02-14 20:19:14 +00001804
Simon Kelley32be32e2017-06-25 21:33:28 +01001805 Improve data-type parsing heuristics so that
1806 --dhcp-option=option:domain-search,.
1807 treats the value as a string and not an IP address.
1808 Thanks to Clemens Fischer for spotting that.
Simon Kelley28866e92011-02-14 20:19:14 +00001809
Simon Kelley32be32e2017-06-25 21:33:28 +01001810 Add IPv6 support to the TFTP server. Many thanks to Jan
1811 'RedBully' Seiffert for the patches.
Simon Kelley28866e92011-02-14 20:19:14 +00001812
Simon Kelley32be32e2017-06-25 21:33:28 +01001813 Log DNS queries at level LOG_INFO, rather then
1814 LOG_DEBUG. This makes things consistent with DHCP
1815 logging. Thanks to Adam Pribyl for spotting the problem.
Simon Kelley28866e92011-02-14 20:19:14 +00001816
Simon Kelley32be32e2017-06-25 21:33:28 +01001817 Ensure that dnsmasq terminates cleanly when using
1818 --syslog-async even if it cannot make a connection to the
1819 syslogd.
Simon Kelley28866e92011-02-14 20:19:14 +00001820
Simon Kelley32be32e2017-06-25 21:33:28 +01001821 Add --add-mac option. This is to support currently
1822 experimental DNS filtering facilities. Thanks to Benjamin
1823 Petrin for the original patch.
Simon Kelley28866e92011-02-14 20:19:14 +00001824
Simon Kelley32be32e2017-06-25 21:33:28 +01001825 Fix bug which meant that tags were ignored in dhcp-range
1826 configuration specifying PXE-proxy service. Thanks to
1827 Cristiano Cumer for spotting this.
Simon Kelley28866e92011-02-14 20:19:14 +00001828
Simon Kelley32be32e2017-06-25 21:33:28 +01001829 Raise an error if there is extra junk, not part of an
1830 option, on the command line.
Simon Kelley28866e92011-02-14 20:19:14 +00001831
Simon Kelley32be32e2017-06-25 21:33:28 +01001832 Flag a couple of log messages in cache.c as coming from
1833 the DHCP subsystem. Thanks to Olaf Westrik for the patch.
Simon Kelley28866e92011-02-14 20:19:14 +00001834
Simon Kelley32be32e2017-06-25 21:33:28 +01001835 Omit timestamps from logs when a) logging to stderr and
1836 b) --keep-in-foreground is set. The logging facility on the
1837 other end of stderr can be assumed to supply them. Thanks
1838 to John Hallam for the patch.
Simon Kelley28866e92011-02-14 20:19:14 +00001839
Simon Kelley32be32e2017-06-25 21:33:28 +01001840 Don't complain about strings longer than 255 characters in
1841 --txt-record, just split the long strings into 255
1842 character chunks instead.
Simon Kelley28866e92011-02-14 20:19:14 +00001843
Simon Kelley32be32e2017-06-25 21:33:28 +01001844 Fix crash on double-free. This bug can only happen when
1845 dhcp-script is in use and then only in rare circumstances
1846 triggered by high DHCP transaction rate and a slow
1847 script. Thanks to Ferenc Wagner for finding the problem.
Simon Kelley28866e92011-02-14 20:19:14 +00001848
Simon Kelley32be32e2017-06-25 21:33:28 +01001849 Only log that a file has been sent by TFTP after the
1850 transfer has completed successfully.
Simon Kelley28866e92011-02-14 20:19:14 +00001851
Simon Kelley32be32e2017-06-25 21:33:28 +01001852 A good suggestion from Ferenc Wagner: extend
1853 the --domain option to allow this sort of thing:
1854 --domain=thekelleys.org.uk,192.168.0.0/24,local
1855 which automatically creates
1856 --local=/thekelleys.org.uk/
1857 --local=/0.168.192.in-addr.arpa/
Simon Kelley28866e92011-02-14 20:19:14 +00001858
Simon Kelley32be32e2017-06-25 21:33:28 +01001859 Tighten up syntax checking of hex constants in the config
1860 file. Thanks to Fred Damen for spotting this.
Simon Kelley28866e92011-02-14 20:19:14 +00001861
Simon Kelley32be32e2017-06-25 21:33:28 +01001862 Add dnsmasq logo/icon, contributed by Justin Swift. Many
1863 thanks for that.
Simon Kelley28866e92011-02-14 20:19:14 +00001864
Simon Kelley32be32e2017-06-25 21:33:28 +01001865 Never cache DNS replies which have the 'cd' bit set, or
1866 which result from queries forwarded with the 'cd' bit
1867 set. The 'cd' bit instructs a DNSSEC validating server
1868 upstream to ignore signature failures and return replies
1869 anyway. Without this change it's possible to pollute the
1870 dnsmasq cache with bad data by making a query with the
1871 'cd' bit set and subsequent queries would return this data
1872 without its being marked as suspect. Thanks to Anders
1873 Kaseorg for pointing out this problem.
Simon Kelley28866e92011-02-14 20:19:14 +00001874
Simon Kelley32be32e2017-06-25 21:33:28 +01001875 Add --proxy-dnssec flag, for compliance with RFC
1876 4035. Dnsmasq will now clear the 'ad' bit in answers returned
1877 from upstream validating nameservers unless this option is
1878 set.
Simon Kelley28866e92011-02-14 20:19:14 +00001879
Simon Kelley32be32e2017-06-25 21:33:28 +01001880 Allow a filename of "-" for --conf-file to read
1881 stdin. Suggestion from Timothy Redaelli.
Simon Kelley28866e92011-02-14 20:19:14 +00001882
Simon Kelley32be32e2017-06-25 21:33:28 +01001883 Rotate the order of SRV records in replies, to provide
1884 round-robin load balancing when all the priorities are
1885 equal. Thanks to Peter McKinney for the suggestion.
Simon Kelley28866e92011-02-14 20:19:14 +00001886
Simon Kelley32be32e2017-06-25 21:33:28 +01001887 Edit
1888 contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist
1889 so that it doesn't log all queries to a file by
1890 default. Thanks again to Peter McKinney.
Simon Kelley28866e92011-02-14 20:19:14 +00001891
Simon Kelley32be32e2017-06-25 21:33:28 +01001892 By default, setting an IPv4 address for a domain but not
1893 an IPv6 address causes dnsmasq to return
Ville Skyttäfaaf3062018-01-14 17:32:52 +00001894 a NODATA reply for IPv6 (or vice-versa). So
Simon Kelley32be32e2017-06-25 21:33:28 +01001895 --address=/google.com/1.2.3.4 stops IPv6 queries for
1896 *google.com from being forwarded. Make it possible to
1897 override this behaviour by defining the semantics if the
1898 same domain appears in both --server and --address.
1899 In that case, the --address has priority for the address
1900 family in which is appears, but the --server has priority
1901 of the address family which doesn't appear in --address
1902 So:
1903 --address=/google.com/1.2.3.4
1904 --server=/google.com/#
1905 will return 1.2.3.4 for IPv4 queries for *.google.com but
1906 forward IPv6 queries to the normal upstream nameserver.
1907 Similarly when setting an IPv6 address
1908 only this will allow forwarding of IPv4 queries. Thanks to
1909 William for pointing out the need for this.
Simon Kelley28866e92011-02-14 20:19:14 +00001910
Simon Kelley32be32e2017-06-25 21:33:28 +01001911 Allow more than one --dhcp-optsfile and --dhcp-hostsfile
1912 and make them understand directories as arguments in the
1913 same way as --addn-hosts. Suggestion from John Hanks.
Simon Kelley28866e92011-02-14 20:19:14 +00001914
Simon Kelley32be32e2017-06-25 21:33:28 +01001915 Ignore rebinding requests for leases we don't know
1916 about. Rebind is broadcast, so we might get to overhear a
1917 request meant for another DHCP server. NAKing this is
1918 wrong. Thanks to Brad D'Hondt for assistance with this.
1919
1920 Fix cosmetic bug which produced strange output when
1921 dumping cache statistics with some configurations. Thanks
1922 to Fedor Kozhevnikov for spotting this.
Simon Kelley28866e92011-02-14 20:19:14 +00001923
1924
Simon Kelleyc52e1892010-06-07 22:01:39 +01001925version 2.55
Simon Kelley32be32e2017-06-25 21:33:28 +01001926 Fix crash when /etc/ethers is in use. Thanks to
1927 Gianluigi Tiesi for finding this.
Simon Kelleyc52e1892010-06-07 22:01:39 +01001928
Simon Kelley32be32e2017-06-25 21:33:28 +01001929 Fix crash in netlink_multicast(). Thanks to Arno Wald for
1930 finding this one.
Simon Kelleyc52e1892010-06-07 22:01:39 +01001931
Simon Kelley32be32e2017-06-25 21:33:28 +01001932 Allow the empty domain "." in dhcp domain-search (119)
1933 options.
Simon Kelleyc52e1892010-06-07 22:01:39 +01001934
1935
1936version 2.54
Simon Kelley32be32e2017-06-25 21:33:28 +01001937 There is no version 2.54 to avoid confusion with 2.53,
1938 which incorrectly identifies itself as 2.54.
Simon Kelleyc52e1892010-06-07 22:01:39 +01001939
1940
Simon Kelley8ef5ada2010-06-03 19:42:45 +01001941version 2.53
Simon Kelley32be32e2017-06-25 21:33:28 +01001942 Fix failure to compile on Debian/kFreeBSD. Thanks to
1943 Axel Beckert and Petr Salinger.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01001944
Simon Kelley32be32e2017-06-25 21:33:28 +01001945 Fix code to avoid scary strict-aliasing warnings
1946 generated by gcc 4.4.
1947
1948 Added FAQ entry warning about DHCP failures with Vista
1949 when firewalls block 255.255.255.255.
1950
1951 Fixed bug which caused bad things to happen if a
1952 resolv.conf file which exists is subsequently removed.
1953 Thanks to Nikolai Saoukh for the patch.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01001954
Simon Kelley32be32e2017-06-25 21:33:28 +01001955 Rationalised the DHCP tag system. Every configuration item
1956 which can set a tag does so by adding "set:<tag>" and
1957 every configuration item which is conditional on a tag is
1958 made so by "tag:<tag>". The NOT operator changes to '!',
1959 which is a bit more intuitive too. Dhcp-host directives
1960 can set more than one tag now. The old '#' NOT,
1961 "net:" prefix and no-prefixes are still honoured, so
1962 no existing config file needs to be changed, but
1963 the documentation and new-style config files should be
1964 much less confusing.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01001965
Simon Kelley32be32e2017-06-25 21:33:28 +01001966 Added --tag-if to allow boolean operations on tags.
1967 This allows complicated logic to be clearer and more
1968 general. A great suggestion from Richard Voigt.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01001969
Simon Kelley32be32e2017-06-25 21:33:28 +01001970 Add broadcast/unicast information to DHCP logging.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01001971
Simon Kelley32be32e2017-06-25 21:33:28 +01001972 Allow --dhcp-broadcast to be unconditional.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01001973
Simon Kelley32be32e2017-06-25 21:33:28 +01001974 Fixed incorrect behaviour with NOT <tag> conditionals in
1975 dhcp-options. Thanks to Max Turkewitz for assistance
1976 finding this.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01001977
Simon Kelley32be32e2017-06-25 21:33:28 +01001978 If we send vendor-class encapsulated options based on the
1979 vendor-class supplied by the client, and no explicit
1980 vendor-class option is given, echo back the vendor-class
1981 from the client.
1982
1983 Fix bug which stopped dnsmasq from matching both a
1984 circuitid and a remoteid. Thanks to Ignacio Bravo for
1985 finding this.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01001986
Simon Kelley32be32e2017-06-25 21:33:28 +01001987 Add --dhcp-proxy, which makes it possible to configure
1988 dnsmasq to use a DHCP relay agent as a full proxy, with
1989 all DHCP messages passing through the proxy. This is
1990 useful if the relay adds extra information to the packets
1991 it forwards, but cannot be configured with the RFC 5107
1992 server-override option.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01001993
Simon Kelley32be32e2017-06-25 21:33:28 +01001994 Added interface:<iface name> part to dhcp-range. The
1995 semantics of this are very odd at first sight, but it
1996 allows a single line of the form
1997 dhcp-range=interface:virt0,192.168.0.4,192.168.0.200
1998 to be added to dnsmasq configuration which then supplies
1999 DHCP and DNS services to that interface, without affecting
2000 what services are supplied to other interfaces and
2001 irrespective of the existence or lack of
2002 interface=<interface>
2003 lines elsewhere in the dnsmasq configuration. The idea is
2004 that such a line can be added automatically by libvirt
2005 or equivalent systems, without disturbing any manual
2006 configuration.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002007
Simon Kelley32be32e2017-06-25 21:33:28 +01002008 Similarly to the above, allow --enable-tftp=<interface>
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002009
Simon Kelley32be32e2017-06-25 21:33:28 +01002010 Allow a TFTP root to be set separately for requests via
2011 different interfaces, --tftp-root=<path>,<interface>
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002012
Simon Kelley32be32e2017-06-25 21:33:28 +01002013 Correctly handle and log clashes between CNAMES and
2014 DNS names being given to DHCP leases. This fixes a bug
2015 which caused nonsense IP addresses to be logged. Thanks to
2016 Sergei Zhirikov for finding and analysing the problem.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002017
Simon Kelley32be32e2017-06-25 21:33:28 +01002018 Tweak flush_log so as to avoid leaving the log
2019 file in non-blocking mode. O_NONBLOCK is a property of the
2020 file, not the process/descriptor.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002021
Simon Kelley32be32e2017-06-25 21:33:28 +01002022 Fix contrib/Solaris10/create_package
2023 (/usr/man -> /usr/share/man) Thanks to Vita Batrla.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002024
Simon Kelley32be32e2017-06-25 21:33:28 +01002025 Fix a problem where, if a client got a lease, then went
2026 to another subnet and got another lease, then moved back,
2027 it couldn't resume the old lease, but would instead get
2028 a new address. Thanks to Leonardo Rodrigues for spotting
2029 this and testing the fix.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002030
Simon Kelley32be32e2017-06-25 21:33:28 +01002031 Fix weird bug which sometimes omitted certain characters
2032 from the start of quoted strings in dhcp-options. Thanks
2033 to Dayton Turner for spotting the problem.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002034
Simon Kelley32be32e2017-06-25 21:33:28 +01002035 Add facility to redirect some domains to the standard
2036 upstream servers: this allows something like
2037 --server=/google.com/1.2.3.4 --server=/www.google.com/#
2038 which will send queries for *.google.com to 1.2.3.4,
2039 except *www.google.com which will be forwarded as usual.
2040 Thanks to AJ Weber for prompting this addition.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002041
Simon Kelley32be32e2017-06-25 21:33:28 +01002042 Improve the hash-algorithm used to generate IP addresses
2043 from MAC addresses during initial DHCP address
2044 allocation. This improves performance when large numbers
2045 of hosts with similar MAC addresses all try and get an IP
2046 address at the same time. Thanks to Paul Smith for his
2047 work on this.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002048
Simon Kelley32be32e2017-06-25 21:33:28 +01002049 Tweak DHCP code so that --bridge-interface can be used to
2050 select which IP alias of an interface should be used for
2051 DHCP purposes on Linux. If eth0 has an alias eth0:dhcp
2052 then adding --bridge-interface=eth0:dhcp,eth0 will use
2053 the address of eth0:dhcp to determine the correct subnet
2054 for DHCP address allocation. Thanks to Pawel Golaszewski
2055 for prompting this and Eric Cooper for further testing.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002056
Simon Kelley32be32e2017-06-25 21:33:28 +01002057 Add --dhcp-generate-names. Suggestion by Ferenc Wagner.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002058
Simon Kelley32be32e2017-06-25 21:33:28 +01002059 Tweak DNS server selection algorithm when there is more
2060 than one server available for a domain, eg.
2061 --server=/mydomain/1.1.1.1
2062 --server=/mydomain/2.2.2.2
2063 Thanks to Alberto Cuesta-Canada for spotting a weakness
2064 here.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002065
Simon Kelley32be32e2017-06-25 21:33:28 +01002066 Add --max-ttl. Thanks to Fredrik Ringertz for the patch.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002067
Simon Kelley32be32e2017-06-25 21:33:28 +01002068 Allow --log-facility=- to force all logging to
2069 stderr. Suggestion from Clemens Fischer.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002070
Simon Kelley32be32e2017-06-25 21:33:28 +01002071 Fix regression which caused configuration like
2072 --address=/.domain.com/1.2.3.4 to be rejected. The dot to the
2073 left of the domain has been implied and not required for a
2074 long time, but it should be accepted for backward
2075 compatibility. Thanks to Andrew Burcin for spotting this.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002076
Simon Kelley32be32e2017-06-25 21:33:28 +01002077 Add --rebind-domain-ok and --rebind-localhost-ok.
2078 Suggestion from Clemens Fischer.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002079
Simon Kelley32be32e2017-06-25 21:33:28 +01002080 Log replies to queries of type TXT, when --log-queries
2081 is set.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002082
Simon Kelley32be32e2017-06-25 21:33:28 +01002083 Fix compiler warnings when compiled with -DNO_DHCP. Thanks
2084 to Shantanu Gadgil for the patch.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002085
Simon Kelley32be32e2017-06-25 21:33:28 +01002086 Updated French translation. Thanks to Gildas Le Nadan.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002087
Simon Kelley32be32e2017-06-25 21:33:28 +01002088 Updated Polish translation. Thanks to Jan Psota.
2089
2090 Updated German translation. Thanks to Matthias Andree.
2091
2092 Added contrib/static-arp, thanks to Darren Hoo.
2093
2094 Fix corruption of the domain when a name from /etc/hosts
2095 overrides one supplied by a DHCP client. Thanks to Fedor
2096 Kozhevnikov for spotting the problem.
2097
2098 Updated Spanish translation. Thanks to Chris Chatham.
Simon Kelley8ef5ada2010-06-03 19:42:45 +01002099
2100
Simon Kelley316e2732010-01-22 20:16:09 +00002101version 2.52
Simon Kelley32be32e2017-06-25 21:33:28 +01002102 Work around a Linux kernel bug which insists that the
2103 length of the option passed to setsockopt must be at least
2104 sizeof(int) bytes, even if we're calling SO_BINDTODEVICE
2105 and the device name is "lo". Note that this is fixed
2106 in kernel 2.6.31, but the workaround is harmless and
2107 allows earlier kernels to be used. Also fix dnsmasq
2108 bug which reported the wrong address when this failed.
2109 Thanks to Fedor for finding this.
Simon Kelley316e2732010-01-22 20:16:09 +00002110
Simon Kelley32be32e2017-06-25 21:33:28 +01002111 The API for IPv6 PKTINFO changed around Linux kernel
2112 2.6.14. Workaround the case where dnsmasq is compiled
2113 against newer headers, but then run on an old kernel:
2114 necessary for some *WRT distros.
Simon Kelley316e2732010-01-22 20:16:09 +00002115
Simon Kelley32be32e2017-06-25 21:33:28 +01002116 Re-read the set of network interfaces when re-loading
2117 /etc/resolv.conf if --bind-interfaces is not set. This
2118 handles the case that loopback interfaces do not exist
2119 when dnsmasq is first started.
Simon Kelley316e2732010-01-22 20:16:09 +00002120
Simon Kelley32be32e2017-06-25 21:33:28 +01002121 Tweak the PXE code to support port 4011. This should
2122 reduce broadcasts and make things more reliable when other
2123 servers are around. It also improves inter-operability
2124 with certain clients.
Simon Kelley316e2732010-01-22 20:16:09 +00002125
Simon Kelley32be32e2017-06-25 21:33:28 +01002126 Make a pxe-service configuration with no filename or boot
2127 service type legal: this does a local boot. eg.
2128 pxe-service=x86PC, "Local boot"
Simon Kelley316e2732010-01-22 20:16:09 +00002129
Simon Kelley32be32e2017-06-25 21:33:28 +01002130 Be more conservative in detecting "A for A"
2131 queries. Dnsmasq checks if the name in a type=A query looks
2132 like a dotted-quad IP address and answers the query itself
2133 if so, rather than forwarding it. Previously dnsmasq
2134 relied in the library function inet_addr() to convert
2135 addresses, and that will accept some things which are
2136 confusing in this context, like 1.2.3 or even just
2137 1234. Now we only do A for A processing for four decimal
2138 numbers delimited by dots.
Simon Kelley316e2732010-01-22 20:16:09 +00002139
Simon Kelley32be32e2017-06-25 21:33:28 +01002140 A couple of tweaks to fix compilation on Solaris. Thanks
2141 to Joel Macklow for help with this.
Simon Kelley316e2732010-01-22 20:16:09 +00002142
Simon Kelley32be32e2017-06-25 21:33:28 +01002143 Another Solaris compilation tweak, needed for Solaris
2144 2009.06. Thanks to Lee Essen for that.
Simon Kelley316e2732010-01-22 20:16:09 +00002145
Simon Kelley32be32e2017-06-25 21:33:28 +01002146 Added extract packaging stuff from Lee Essen to
2147 contrib/Solaris10.
Simon Kelley316e2732010-01-22 20:16:09 +00002148
Simon Kelley32be32e2017-06-25 21:33:28 +01002149 Increased the default limit on number of leases to 1000
2150 (from 150). This is mainly a defence against DoS attacks,
2151 and for the average "one for two class C networks"
2152 installation, IP address exhaustion does that just as
2153 well. Making the limit greater than the number of IP
2154 addresses available in such an installation removes a
2155 surprise which otherwise can catch people out.
Simon Kelley316e2732010-01-22 20:16:09 +00002156
Simon Kelley32be32e2017-06-25 21:33:28 +01002157 Removed extraneous trailing space in the value of the
2158 DNSMASQ_TIME_REMAINING DNSMASQ_LEASE_LENGTH and
2159 DNSMASQ_LEASE_EXPIRES environment variables. Thanks to
2160 Gildas Le Nadan for spotting this.
Simon Kelley316e2732010-01-22 20:16:09 +00002161
Simon Kelley32be32e2017-06-25 21:33:28 +01002162 Provide the network-id tags for a DHCP transaction to
2163 the lease-change script in the environment variable
2164 DNSMASQ_TAGS. A good suggestion from Gildas Le Nadan.
Simon Kelley316e2732010-01-22 20:16:09 +00002165
Simon Kelley32be32e2017-06-25 21:33:28 +01002166 Add support for RFC3925 "Vendor-Identifying Vendor
2167 Options". The syntax looks like this:
2168 --dhcp-option=vi-encap:<enterprise number>, .........
Simon Kelley316e2732010-01-22 20:16:09 +00002169
Simon Kelley32be32e2017-06-25 21:33:28 +01002170 Add support to --dhcp-match to allow matching against
2171 RFC3925 "Vendor-Identifying Vendor Classes". The syntax
2172 looks like this:
2173 --dhcp-match=tag,vi-encap<enterprise number>, <value>
Simon Kelley316e2732010-01-22 20:16:09 +00002174
Simon Kelley32be32e2017-06-25 21:33:28 +01002175 Add some application specific code to assist in
2176 implementing the Broadband forum TR069 CPE-WAN
2177 specification. The details are in contrib/CPE-WAN/README
Simon Kelley316e2732010-01-22 20:16:09 +00002178
Simon Kelley32be32e2017-06-25 21:33:28 +01002179 Increase the default DNS packet size limit to 4096, as
2180 recommended by RFC5625 section 4.4.3. This can be
2181 reconfigured using --edns-packet-max if needed. Thanks to
2182 Francis Dupont for pointing this out.
Simon Kelley316e2732010-01-22 20:16:09 +00002183
Simon Kelley32be32e2017-06-25 21:33:28 +01002184 Rewrite query-ids even for TSIG signed packets, since
2185 this is allowed by RFC5625 section 4.5.
Simon Kelley316e2732010-01-22 20:16:09 +00002186
Simon Kelley32be32e2017-06-25 21:33:28 +01002187 Use getopt_long by default on OS X. It has been supported
2188 since version 10.3.0. Thanks to Arek Dreyer for spotting
2189 this.
Simon Kelley316e2732010-01-22 20:16:09 +00002190
Simon Kelley32be32e2017-06-25 21:33:28 +01002191 Added up-to-date startup configuration for MacOSX/launchd
2192 in contrib/MacOSX-launchd. Thanks to Arek Dreyer for
2193 providing this.
Simon Kelley316e2732010-01-22 20:16:09 +00002194
Simon Kelley32be32e2017-06-25 21:33:28 +01002195 Fix link error when including Dbus but excluding DHCP.
2196 Thanks to Oschtan for the bug report.
Simon Kelley316e2732010-01-22 20:16:09 +00002197
Simon Kelley32be32e2017-06-25 21:33:28 +01002198 Updated French translation. Thanks to Gildas Le Nadan.
2199
2200 Updated Polish translation. Thanks to Jan Psota.
2201
2202 Updated Spanish translation. Thanks to Chris Chatham.
2203
2204 Fixed confusion about domains, when looking up DHCP hosts
2205 in /etc/hosts. This could cause spurious "Ignoring
2206 domain..." messages. Thanks to Fedor Kozhevnikov for
2207 finding and analysing the problem.
2208
2209
Simon Kelley1f15b812009-10-13 17:49:32 +01002210version 2.51
Simon Kelley32be32e2017-06-25 21:33:28 +01002211 Add support for internationalised DNS. Non-ASCII characters
2212 in domain names found in /etc/hosts, /etc/ethers and
2213 /etc/dnsmasq.conf will be correctly handled by translation to
2214 punycode, as specified in RFC3490. This function is only
2215 available if dnsmasq is compiled with internationalisation
2216 support, and adds a dependency on GNU libidn. Without i18n
2217 support, dnsmasq continues to be compilable with just
2218 standard tools. Thanks to Yves Dorfsman for the
2219 suggestion.
Simon Kelley1f15b812009-10-13 17:49:32 +01002220
Simon Kelley32be32e2017-06-25 21:33:28 +01002221 Add two more environment variables for lease-change scripts:
2222 First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname
2223 supplied by a client, even if the actual hostname used is
2224 over-ridden by dhcp-host or dhcp-ignore-names directives.
2225 Also DNSMASQ_RELAY_ADDRESS which gives the address of
2226 a DHCP relay, if used.
2227 Suggestions from Michael Rack.
Simon Kelley1f15b812009-10-13 17:49:32 +01002228
Simon Kelley32be32e2017-06-25 21:33:28 +01002229 Fix regression which broke echo of relay-agent
2230 options. Thanks to Michael Rack for spotting this.
Simon Kelley1f15b812009-10-13 17:49:32 +01002231
Simon Kelley32be32e2017-06-25 21:33:28 +01002232 Don't treat option 67 as being interchangeable with
2233 dhcp-boot parameters if it's specified as
2234 dhcp-option-force.
Simon Kelley1f15b812009-10-13 17:49:32 +01002235
Simon Kelley32be32e2017-06-25 21:33:28 +01002236 Make the code to call scripts on lease-change compile-time
2237 optional. It can be switched off by editing src/config.h
2238 or building with "make COPTS=-DNO_SCRIPT".
Simon Kelley1f15b812009-10-13 17:49:32 +01002239
Simon Kelley32be32e2017-06-25 21:33:28 +01002240 Make the TFTP server cope with filenames from Windows/DOS
2241 which use '\' as pathname separator. Thanks to Ralf for
2242 the patch.
Simon Kelley1f15b812009-10-13 17:49:32 +01002243
Simon Kelley32be32e2017-06-25 21:33:28 +01002244 Updated Polish translation. Thanks to Jan Psota.
Simon Kelley1f15b812009-10-13 17:49:32 +01002245
Simon Kelley32be32e2017-06-25 21:33:28 +01002246 Warn if an IP address is duplicated in /etc/ethers. Thanks
2247 to Felix Schwarz for pointing this out.
Simon Kelley1f15b812009-10-13 17:49:32 +01002248
Simon Kelley32be32e2017-06-25 21:33:28 +01002249 Teach --conf-dir to take an option list of file suffices
2250 which will be ignored when scanning the directory. Useful
2251 for backup files etc. Thanks to Helmut Hullen for the
2252 suggestion.
Simon Kelley1f15b812009-10-13 17:49:32 +01002253
Simon Kelley32be32e2017-06-25 21:33:28 +01002254 Add new DHCP option named tftpserver-address, which
2255 corresponds to the third argument of dhcp-boot. This
2256 allows the complete functionality of dhcp-boot to be
2257 replicated with dhcp-option. Useful when using
2258 dhcp-optsfile.
Simon Kelley1f15b812009-10-13 17:49:32 +01002259
Simon Kelley32be32e2017-06-25 21:33:28 +01002260 Test which upstream nameserver to use every 10 seconds
2261 or 50 queries and not just when a query times out and
2262 is retried. This should improve performance when there
2263 is a slow nameserver in the list. Thanks to Joe for the
2264 suggestion.
Simon Kelley1f15b812009-10-13 17:49:32 +01002265
Simon Kelley32be32e2017-06-25 21:33:28 +01002266 Don't do any PXE processing, even for clients with the
2267 correct vendorclass, unless at least one pxe-prompt or
2268 pxe-service option is given. This stops dnsmasq
2269 interfering with proxy PXE subsystems when it is just
2270 the DHCP server. Thanks to Spencer Clark for spotting this.
2271
2272 Limit the blocksize used for TFTP transfers to a value
2273 which avoids packet fragmentation, based on the MTU of the
2274 local interface. Many netboot ROMs can't cope with
2275 fragmented packets.
2276
2277 Honour dhcp-ignore configuration for PXE and proxy-PXE
2278 requests. Thanks to Niels Basjes for the bug report.
2279
2280 Updated French translation. Thanks to Gildas Le Nadan.
Simon Kelley1f15b812009-10-13 17:49:32 +01002281
2282
Simon Kelley77e94da2009-08-31 17:32:17 +01002283version 2.50
Simon Kelley32be32e2017-06-25 21:33:28 +01002284 Fix security problem which allowed any host permitted to
2285 do TFTP to possibly compromise dnsmasq by remote buffer
2286 overflow when TFTP enabled. Thanks to Core Security
2287 Technologies and Iván Arce, Pablo Hernán Jorge, Alejandro
2288 Pablo Rodriguez, Martín Coco, Alberto Soliño Testa and
2289 Pablo Annetta. This problem has Bugtraq id: 36121
2290 and CVE: 2009-2957
Simon Kelley77e94da2009-08-31 17:32:17 +01002291
Simon Kelley32be32e2017-06-25 21:33:28 +01002292 Fix a problem which allowed a malicious TFTP client to
2293 crash dnsmasq. Thanks to Steve Grubb at Red Hat for
2294 spotting this. This problem has Bugtraq id: 36120 and
2295 CVE: 2009-2958
Simon Kelley77e94da2009-08-31 17:32:17 +01002296
2297
Simon Kelley03a97b62009-06-10 20:55:49 +01002298version 2.49
Simon Kelley32be32e2017-06-25 21:33:28 +01002299 Fix regression in 2.48 which disables the lease-change
2300 script. Thanks to Jose Luis Duran for spotting this.
Simon Kelley03a97b62009-06-10 20:55:49 +01002301
Simon Kelley32be32e2017-06-25 21:33:28 +01002302 Log TFTP "file not found" errors. These were not logged,
2303 since a normal PXELinux boot generates many of them, but
2304 the lack of the messages seems to be more confusing than
2305 routinely seeing them when there is no real error.
Simon Kelley03a97b62009-06-10 20:55:49 +01002306
Simon Kelley32be32e2017-06-25 21:33:28 +01002307 Update Spanish translation. Thanks to Chris Chatham.
2308
Simon Kelley03a97b62009-06-10 20:55:49 +01002309
Simon Kelley7622fc02009-06-04 20:32:05 +01002310version 2.48
Simon Kelley32be32e2017-06-25 21:33:28 +01002311 Archived the extensive, backwards, changelog to
2312 CHANGELOG.archive. The current changelog now runs from
2313 version 2.43 and runs conventionally.
Simon Kelley9e4abcb2004-01-22 19:47:41 +00002314
Simon Kelley32be32e2017-06-25 21:33:28 +01002315 Fixed bug which broke binding of servers to physical
2316 interfaces when interface names were longer than four
2317 characters. Thanks to MURASE Katsunori for the patch.
Simon Kelley9e4abcb2004-01-22 19:47:41 +00002318
Simon Kelley32be32e2017-06-25 21:33:28 +01002319 Fixed netlink code to check that messages come from the
2320 correct source, and not another userspace process. Thanks
2321 to Steve Grubb for the patch.
Simon Kelley9e4abcb2004-01-22 19:47:41 +00002322
Simon Kelley32be32e2017-06-25 21:33:28 +01002323 Maintainability drive: removed bug and missing feature
2324 workarounds for some old platforms. Solaris 9, OpenBSD
2325 older than 4.1, Glibc older than 2.2, Linux 2.2.x and
2326 DBus older than 1.1.x are no longer supported.
Simon Kelley9e4abcb2004-01-22 19:47:41 +00002327
Simon Kelley32be32e2017-06-25 21:33:28 +01002328 Don't read included configuration files more than once:
2329 allows complex configuration structures without problems.
Simon Kelley9e4abcb2004-01-22 19:47:41 +00002330
Simon Kelley32be32e2017-06-25 21:33:28 +01002331 Mark log messages from the various subsystems in dnsmasq:
2332 messages from the DHCP subsystem now have the ident string
2333 "dnsmasq-dhcp" and messages from TFTP have ident
2334 "dnsmasq-tftp". Thanks to Olaf Westrik for the patch.
Simon Kelley9e4abcb2004-01-22 19:47:41 +00002335
Simon Kelley32be32e2017-06-25 21:33:28 +01002336 Fix possible infinite DHCP protocol loop when an IP
2337 address nailed to a hostname (not a MAC address) and a
2338 host sometimes provides the name, sometimes not.
Simon Kelley9e4abcb2004-01-22 19:47:41 +00002339
Simon Kelley32be32e2017-06-25 21:33:28 +01002340 Allow --addn-hosts to take a directory: all the files
2341 in the directory are read. Thanks to Phil Cornelius for
2342 the suggestion.
Simon Kelley9e4abcb2004-01-22 19:47:41 +00002343
Simon Kelley32be32e2017-06-25 21:33:28 +01002344 Support --bridge-interface on all platforms, not just BSD.
Simon Kelley1ab84e22004-01-29 16:48:35 +00002345
Simon Kelley32be32e2017-06-25 21:33:28 +01002346 Added support for advanced PXE functions. It's now
2347 possible to define a prompt and menu options which will
2348 be displayed when a client PXE boots. It's also possible to
2349 hand-off booting to other boot servers. Proxy-DHCP, where
2350 dnsmasq just supplies the PXE information and another DHCP
2351 server does address allocation, is also allowed. See the
2352 --pxe-prompt and --pxe-service keywords. Thanks to
2353 Alkis Georgopoulos for the suggestion and Guilherme Moro
2354 and Michael Brown for assistance.
2355
2356 Improvements to DHCP logging. Thanks to Tom Metro for
2357 useful suggestions.
2358
2359 Add ability to build dnsmasq without DHCP support. To do
2360 this, edit src/config.h or build with
2361 "make COPTS=-DNO_DHCP". Thanks to Mahavir Jain for the patch.
2362
2363 Added --test command-line switch - syntax check
2364 configuration files only.
2365
2366 Updated French translation. Thanks to Gildas Le Nadan.
Simon Kelley9009d742008-11-14 20:04:27 +00002367
Simon Kelley73a08a22009-02-05 20:28:08 +00002368
2369version 2.47
Simon Kelley32be32e2017-06-25 21:33:28 +01002370 Updated French translation. Thanks to Gildas Le Nadan.
Simon Kelley73a08a22009-02-05 20:28:08 +00002371
Simon Kelley32be32e2017-06-25 21:33:28 +01002372 Fixed interface enumeration code to work on NetBSD
2373 5.0. Thanks to Roy Marples for the patch.
Simon Kelley73a08a22009-02-05 20:28:08 +00002374
Simon Kelley32be32e2017-06-25 21:33:28 +01002375 Updated config.h to use the same location for the lease
2376 file on NetBSD as the other *BSD variants. Also allow
2377 LEASEFILE and CONFFILE symbols to be overridden in CFLAGS.
Simon Kelley73a08a22009-02-05 20:28:08 +00002378
Simon Kelley32be32e2017-06-25 21:33:28 +01002379 Handle duplicate address detection on IPv6 more
2380 intelligently. In IPv6, an interface can have an address
2381 which is not usable, because it is still undergoing DAD
2382 (such addresses are marked "tentative"). Attempting to
2383 bind to an address in this state returns an error,
2384 EADDRNOTAVAIL. Previously, on getting such an error,
2385 dnsmasq would silently abandon the address, and never
2386 listen on it. Now, it retries once per second for 20
2387 seconds before generating a fatal error. 20 seconds should
2388 be long enough for any DAD process to complete, but can be
2389 adjusted in src/config.h if necessary. Thanks to Martin
2390 Krafft for the bug report.
Simon Kelley73a08a22009-02-05 20:28:08 +00002391
Simon Kelley32be32e2017-06-25 21:33:28 +01002392 Add DBus introspection. Patch from Jeremy Laine.
Simon Kelley73a08a22009-02-05 20:28:08 +00002393
Simon Kelley32be32e2017-06-25 21:33:28 +01002394 Update Dbus configuration file. Patch from Colin Walters.
2395 Fix for this bug:
2396 http://bugs.freedesktop.org/show_bug.cgi?id=18961
Simon Kelley73a08a22009-02-05 20:28:08 +00002397
Simon Kelley32be32e2017-06-25 21:33:28 +01002398 Support arbitrarily encapsulated DHCP options, suggestion
2399 and initial patch from Samium Gromoff. This is useful for
Geert Stappersc7e6aea2018-01-13 17:56:37 +00002400 (eg) iPXE, which expect all its private options to be
Simon Kelley32be32e2017-06-25 21:33:28 +01002401 encapsulated inside a single option 175. So, eg,
Simon Kelley73a08a22009-02-05 20:28:08 +00002402
Simon Kelley32be32e2017-06-25 21:33:28 +01002403 dhcp-option = encap:175, 190, "iscsi-client0"
2404 dhcp-option = encap:175, 191, "iscsi-client0-secret"
Simon Kelley73a08a22009-02-05 20:28:08 +00002405
Geert Stappersc7e6aea2018-01-13 17:56:37 +00002406 will provide iSCSI parameters to iPXE.
Simon Kelley73a08a22009-02-05 20:28:08 +00002407
Simon Kelley32be32e2017-06-25 21:33:28 +01002408 Enhance --dhcp-match to allow testing of the contents of a
2409 client-sent option, as well as its presence. This
2410 application in mind for this is RFC 4578
2411 client-architecture specifiers, but it's generally useful.
2412 Joey Korkames suggested the enhancement.
Simon Kelley73a08a22009-02-05 20:28:08 +00002413
Simon Kelley32be32e2017-06-25 21:33:28 +01002414 Move from using the IP_XMIT_IF ioctl to IP_BOUND_IF on
2415 OpenSolaris. Thanks to Bastian Machek for the heads-up.
Simon Kelley73a08a22009-02-05 20:28:08 +00002416
Simon Kelley32be32e2017-06-25 21:33:28 +01002417 No longer complain about blank lines in
2418 /etc/ethers. Thanks to Jon Nelson for the patch.
Simon Kelley73a08a22009-02-05 20:28:08 +00002419
Simon Kelley32be32e2017-06-25 21:33:28 +01002420 Fix binding of servers to physical devices, eg
2421 --server=/domain/1.2.3.4@eth0 which was broken from 2.43
2422 onwards unless --query-port=0 set. Thanks to Peter Naulls
2423 for the bug report.
Simon Kelley73a08a22009-02-05 20:28:08 +00002424
Simon Kelley32be32e2017-06-25 21:33:28 +01002425 Reply to DHCPINFORM requests even when the supplied ciaddr
2426 doesn't fall in any dhcp-range. In this case it's not
2427 possible to supply a complete configuration, but
2428 individually-configured options (eg PAC) may be useful.
Simon Kelley73a08a22009-02-05 20:28:08 +00002429
Simon Kelley32be32e2017-06-25 21:33:28 +01002430 Allow the source address of an alias to be a range:
2431 --alias=192.168.0.0,10.0.0.0,255.255.255.0 maps the whole
2432 subnet 192.168.0.0->192.168.0.255 to 10.0.0.0->10.0.0.255,
2433 as before.
2434 --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
2435 maps only the 192.168.0.10->192.168.0.40 region. Thanks to
2436 Ib Uhrskov for the suggestion.
Simon Kelley73a08a22009-02-05 20:28:08 +00002437
Simon Kelley32be32e2017-06-25 21:33:28 +01002438 Don't dynamically allocate DHCP addresses which may break
2439 Windows. Addresses which end in .255 or .0 are broken in
2440 Windows even when using supernetting.
2441 --dhcp-range=192.168.0.1,192.168.1.254,255,255,254.0 means
2442 192.168.0.255 is a valid IP address, but not for Windows.
2443 See Microsoft KB281579. We therefore no longer allocate
2444 these addresses to avoid hard-to-diagnose problems.
Simon Kelley73a08a22009-02-05 20:28:08 +00002445
Simon Kelley32be32e2017-06-25 21:33:28 +01002446 Update Polish translation. Thanks to Jan Psota.
2447
2448 Delete the PID-file when dnsmasq shuts down. Note that by
2449 this time, dnsmasq is normally not running as root, so
2450 this will fail if the PID-file is stored in a root-owned
2451 directory; such failure is silently ignored. To take
2452 advantage of this feature, the PID-file must be stored in a
2453 directory owned and write-able by the user running
2454 dnsmasq.
Simon Kelley7622fc02009-06-04 20:32:05 +01002455
2456
2457version 2.46
Simon Kelley32be32e2017-06-25 21:33:28 +01002458 Allow --bootp-dynamic to take a netid tag, so that it may
2459 be selectively enabled. Thanks to Olaf Westrik for the
2460 suggestion.
Simon Kelley7622fc02009-06-04 20:32:05 +01002461
Simon Kelley32be32e2017-06-25 21:33:28 +01002462 Remove ISC-leasefile reading code. This has been
2463 deprecated for a long time, and last time I removed it, it
2464 ended up going back by request of one user. This time,
2465 it's gone for good; otherwise it would need to be
2466 re-worked to support multiple domains (see below).
Simon Kelley7622fc02009-06-04 20:32:05 +01002467
Simon Kelley32be32e2017-06-25 21:33:28 +01002468 Support DHCP clients in multiple DNS domains. This is a
2469 long-standing request. Clients are assigned to a domain
2470 based in their IP address.
Simon Kelley7622fc02009-06-04 20:32:05 +01002471
Simon Kelley32be32e2017-06-25 21:33:28 +01002472 Add --dhcp-fqdn flag, which changes behaviour if DNS names
2473 assigned to DHCP clients. When this is set, there must be
2474 a domain associated with each client, and only
2475 fully-qualified domain names are added to the DNS. The
2476 advantage is that the only the FQDN needs to be unique,
2477 so that two or more DHCP clients can share a hostname, as
2478 long as they are in different domains.
Simon Kelley7622fc02009-06-04 20:32:05 +01002479
Simon Kelley32be32e2017-06-25 21:33:28 +01002480 Set environment variable DNSMASQ_DOMAIN when invoking
2481 lease-change script. This may be useful information to
2482 have now that it's variable.
Simon Kelley7622fc02009-06-04 20:32:05 +01002483
Simon Kelley32be32e2017-06-25 21:33:28 +01002484 Tighten up data-checking code for DNS packet
2485 handling. Thanks to Steve Dodd who found certain illegal
2486 packets which could crash dnsmasq. No memory overwrite was
2487 possible, so this is not a security issue beyond the DoS
2488 potential.
Simon Kelley7622fc02009-06-04 20:32:05 +01002489
Simon Kelley32be32e2017-06-25 21:33:28 +01002490 Update example config dhcp option 47, the previous
2491 suggestion generated an illegal, zero-length,
2492 option. Thanks to Matthias Andree for finding this.
Simon Kelley7622fc02009-06-04 20:32:05 +01002493
Simon Kelley32be32e2017-06-25 21:33:28 +01002494 Rewrite hosts-file reading code to remove the limit of
2495 1024 characters per line. John C Meuser found this.
Simon Kelley7622fc02009-06-04 20:32:05 +01002496
Simon Kelley32be32e2017-06-25 21:33:28 +01002497 Create a net-id tag with the name of the interface on
2498 which the DHCP request was received.
Simon Kelley7622fc02009-06-04 20:32:05 +01002499
Simon Kelley32be32e2017-06-25 21:33:28 +01002500 Fixed minor memory leak in DBus code, thanks to Jeremy
2501 Laine for the patch.
Simon Kelley7622fc02009-06-04 20:32:05 +01002502
Simon Kelley32be32e2017-06-25 21:33:28 +01002503 Emit DBus signals as the DHCP lease database
2504 changes. Thanks to Jeremy Laine for the patch.
Simon Kelley7622fc02009-06-04 20:32:05 +01002505
Simon Kelley32be32e2017-06-25 21:33:28 +01002506 Allow for more that one MAC address in a dhcp-host
2507 line. This configuration tells dnsmasq that it's OK to
2508 abandon a DHCP lease of the fixed address to one MAC
2509 address, if another MAC address in the dhcp-host statement
2510 asks for an address. This is useful to give a fixed
2511 address to a host which has two network interfaces
2512 (say, a laptop with wired and wireless interfaces.)
2513 It's very important to ensure that only one interface
2514 at a time is up, since dnsmasq abandons the first lease
2515 and re-uses the address before the leased time has
2516 elapsed. John Gray suggested this.
Simon Kelley7622fc02009-06-04 20:32:05 +01002517
Simon Kelley32be32e2017-06-25 21:33:28 +01002518 Tweak the response to a DHCP request packet with a wrong
2519 server-id when --dhcp-authoritative is set; dnsmasq now
2520 returns a DHCPNAK, rather than silently ignoring the
2521 packet. Thanks to Chris Marget for spotting this
2522 improvement.
Simon Kelley7622fc02009-06-04 20:32:05 +01002523
Simon Kelley32be32e2017-06-25 21:33:28 +01002524 Add --cname option. This provides a limited alias
2525 function, usable for DHCP names. Thanks to AJ Weber for
2526 suggestions on this.
Simon Kelley7622fc02009-06-04 20:32:05 +01002527
Simon Kelley32be32e2017-06-25 21:33:28 +01002528 Updated contrib/webmin with latest version from Neil
2529 Fisher.
Simon Kelley7622fc02009-06-04 20:32:05 +01002530
Simon Kelley32be32e2017-06-25 21:33:28 +01002531 Updated Polish translation. Thanks to Jan Psota.
Simon Kelley7622fc02009-06-04 20:32:05 +01002532
Simon Kelley32be32e2017-06-25 21:33:28 +01002533 Correct the text names for DHCP options 64 and 65 to be
2534 "nis+-domain" and "nis+-servers".
Simon Kelley7622fc02009-06-04 20:32:05 +01002535
Simon Kelley32be32e2017-06-25 21:33:28 +01002536 Updated Spanish translation. Thanks to Chris Chatham.
2537
2538 Force re-reading of /etc/resolv.conf when an "interface
2539 up" event occurs.
Simon Kelley7622fc02009-06-04 20:32:05 +01002540
2541
2542version 2.45
Simon Kelley32be32e2017-06-25 21:33:28 +01002543 Fix total DNS failure in release 2.44 unless --min-port
2544 specified. Thanks to Steven Barth and Grant Coady for
2545 bugreport. Also reject out-of-range port spec, which could
2546 break things too: suggestion from Gilles Espinasse.
2547
Simon Kelley7622fc02009-06-04 20:32:05 +01002548
2549version 2.44
Simon Kelley32be32e2017-06-25 21:33:28 +01002550 Fix crash when unknown client attempts to renew a DHCP
2551 lease, problem introduced in version 2.43. Thanks to
2552 Carlos Carvalho for help chasing this down.
Simon Kelley7622fc02009-06-04 20:32:05 +01002553
Simon Kelley32be32e2017-06-25 21:33:28 +01002554 Fix potential crash when a host which doesn't have a lease
2555 does DHCPINFORM. Again introduced in 2.43. This bug has
2556 never been reported in the wild.
Simon Kelley7622fc02009-06-04 20:32:05 +01002557
Simon Kelley32be32e2017-06-25 21:33:28 +01002558 Fix crash in netlink code introduced in 2.43. Thanks to
2559 Jean Wolter for finding this.
Simon Kelley7622fc02009-06-04 20:32:05 +01002560
Simon Kelley32be32e2017-06-25 21:33:28 +01002561 Change implementation of min_port to work even if min-port
2562 is large.
Simon Kelley7622fc02009-06-04 20:32:05 +01002563
Simon Kelley32be32e2017-06-25 21:33:28 +01002564 Patch to enable compilation of latest Mac OS X. Thanks to
2565 David Gilman.
Simon Kelley7622fc02009-06-04 20:32:05 +01002566
Simon Kelley32be32e2017-06-25 21:33:28 +01002567 Update Spanish translation. Thanks to Christopher Chatham.
Simon Kelley7622fc02009-06-04 20:32:05 +01002568
2569
2570version 2.43
Simon Kelley32be32e2017-06-25 21:33:28 +01002571 Updated Polish translation. Thanks to Jan Psota.
Simon Kelley7622fc02009-06-04 20:32:05 +01002572
Simon Kelley32be32e2017-06-25 21:33:28 +01002573 Flag errors when configuration options are repeated
2574 illegally.
Simon Kelley7622fc02009-06-04 20:32:05 +01002575
Simon Kelley32be32e2017-06-25 21:33:28 +01002576 Further tweaks for GNU/kFreeBSD
Simon Kelley7622fc02009-06-04 20:32:05 +01002577
Simon Kelley32be32e2017-06-25 21:33:28 +01002578 Add --no-wrap to msgmerge call - provides nicer .po file
2579 format.
Simon Kelley7622fc02009-06-04 20:32:05 +01002580
Simon Kelley32be32e2017-06-25 21:33:28 +01002581 Honour lease-time spec in dhcp-host lines even for
2582 BOOTP. The user is assumed to known what they are doing in
2583 this case. (Hosts without the time spec still get infinite
2584 leases for BOOTP, over-riding the default in the
2585 dhcp-range.) Thanks to Peter Katzmann for uncovering this.
Simon Kelley7622fc02009-06-04 20:32:05 +01002586
Simon Kelley32be32e2017-06-25 21:33:28 +01002587 Fix problem matching relay-agent ids. Thanks to Michael
2588 Rack for the bug report.
Simon Kelley7622fc02009-06-04 20:32:05 +01002589
Simon Kelley32be32e2017-06-25 21:33:28 +01002590 Add --naptr-record option. Suggestion from Johan
2591 Bergquist.
Simon Kelley7622fc02009-06-04 20:32:05 +01002592
Simon Kelley32be32e2017-06-25 21:33:28 +01002593 Implement RFC 5107 server-id-override DHCP relay agent
2594 option.
Simon Kelley7622fc02009-06-04 20:32:05 +01002595
Simon Kelley32be32e2017-06-25 21:33:28 +01002596 Apply patches from Stefan Kruger for compilation on
2597 Solaris 10 under Sun studio.
Simon Kelley7622fc02009-06-04 20:32:05 +01002598
Simon Kelley32be32e2017-06-25 21:33:28 +01002599 Yet more tweaking of Linux capability code, to suppress
2600 pointless wingeing from kernel 2.6.25 and above.
Simon Kelley7622fc02009-06-04 20:32:05 +01002601
Simon Kelley32be32e2017-06-25 21:33:28 +01002602 Improve error checking during startup. Previously, some
2603 errors which occurred during startup would be worked
2604 around, with dnsmasq still starting up. Some were logged,
2605 some silent. Now, they all cause a fatal error and dnsmasq
2606 terminates with a non-zero exit code. The errors are those
2607 associated with changing uid and gid, setting process
2608 capabilities and writing the pidfile. Thanks to Uwe
2609 Gansert and the Suse security team for pointing out
2610 this improvement, and Bill Reimers for good implementation
2611 suggestions.
Simon Kelley7622fc02009-06-04 20:32:05 +01002612
Simon Kelley32be32e2017-06-25 21:33:28 +01002613 Provide NO_LARGEFILE compile option to switch off largefile
2614 support when compiling against versions of uclibc which
2615 don't support it. Thanks to Stephane Billiart for the patch.
Simon Kelley7622fc02009-06-04 20:32:05 +01002616
Simon Kelley32be32e2017-06-25 21:33:28 +01002617 Implement random source ports for interactions with
2618 upstream nameservers. New spoofing attacks have been found
2619 against nameservers which do not do this, though it is not
2620 clear if dnsmasq is vulnerable, since to doesn't implement
2621 recursion. By default dnsmasq will now use a different
2622 source port (and socket) for each query it sends
2623 upstream. This behaviour can suppressed using the
2624 --query-port option, and the old default behaviour
2625 restored using --query-port=0. Explicit source-port
2626 specifications in --server configs are still honoured.
Simon Kelley7622fc02009-06-04 20:32:05 +01002627
Simon Kelley32be32e2017-06-25 21:33:28 +01002628 Replace the random number generator, for better
2629 security. On most BSD systems, dnsmasq uses the
2630 arc4random() RNG, which is secure, but on other platforms,
2631 it relied on the C-library RNG, which may be
2632 guessable and therefore allow spoofing. This release
2633 replaces the libc RNG with the SURF RNG, from Daniel
2634 J. Berstein's DJBDNS package.
Simon Kelley7622fc02009-06-04 20:32:05 +01002635
Simon Kelley32be32e2017-06-25 21:33:28 +01002636 Don't attempt to change user or group or set capabilities
2637 if dnsmasq is run as a non-root user. Without this, the
2638 change from soft to hard errors when these fail causes
2639 problems for non-root daemons listening on high
2640 ports. Thanks to Patrick McLean for spotting this.
2641
2642 Updated French translation. Thanks to Gildas Le Nadan.
Simon Kelley1f15b812009-10-13 17:49:32 +01002643
2644
2645version 2.42
Simon Kelley32be32e2017-06-25 21:33:28 +01002646 The changelog for version 2.42 and earlier is
2647 available in CHANGELOG.archive.