./net/dnsmasq, Lightweight, easy to configure DNS forwarder

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.80nb1, Package name: dnsmasq-2.80nb1, Maintainer: pkgsrc-users

Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
server. It is designed to provide DNS and, optionally, DHCP, to a
small network. It can serve the names of local machines which are not
in the global DNS. The DHCP server integrates with the DNS server and
allows machines with DHCP-allocated addresses to appear in the DNS
with names configured either in each host or in a central
configuration file. Dnsmasq supports static and dynamic DHCP leases
and BOOTP for network booting of diskless machines.


Required to build:
[pkgtools/cwrappers]

Package options: inet6

Master sites:

SHA1: 45317f3ce129c670c812428f97b92273b5286df0
RMD160: 5a26def1ae9a47a2debe08845dfc41d14f3bfa2e
Filesize: 489.328 KB

Version history: (Expand)


CVS history: (Expand)


   2019-07-21 00:46:59 by Thomas Klausner | Files touched by this commit (595)
Log message:
*: recursive bump for nettle 3.5.1
   2018-10-30 12:16:07 by Jonathan Perkin | Files touched by this commit (2)
Log message:
dnsmasq: Add compat IPDEFTTL define.
   2018-10-27 09:57:10 by Maya Rashish | Files touched by this commit (3) | Package updated
Log message:
dnsmasq: update to 2.80. add dnssec option (default disabled)
From i3endek, thanks!

version 2.80
	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
	for the initial patch and motivation.

	Alter the default for dnssec-check-unsigned. Versions of
	dnsmasq prior to 2.80 defaulted to not checking unsigned
	replies, and used --dnssec-check-unsigned to switch
        this on. Such configurations will continue to work as before,
        but those which used the default of no checking will need to be
        altered to explicitly select no checking. The new default is
        because switching off checking for unsigned replies is
	inherently dangerous. Not only does it open the possiblity of forged
        replies, but it allows everything to appear to be working even
        when the upstream namesevers do not support DNSSEC, and in this
        case no DNSSEC validation at all is occuring.

        Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
	are set. Thanks to Daniel Miess for help with this.

	Add a facilty to store DNS packets sent/recieved in a
	pcap-format file for later debugging. The file location
	is given by the --dumpfile option, and a bitmap controlling
	which packets should be dumped is given by the --dumpmask
	option.

	Handle the case of both standard and constructed dhcp-ranges on the
	same interface better. We don't now contruct a dhcp-range if there's
	already one specified. This allows the specified interface to
	have different parameters and avoids advertising the same
	prefix twice. Thanks to Luis Marsano for spotting this case.

	Allow zone transfer in authoritative mode if auth-peer is specified,
	even if auth-sec-servers is not. Thanks to Raphaël Halimi for
	the suggestion.

	Fix bug which sometimes caused dnsmasq to wrongly return answers
	without DNSSEC RRs to queries with the do-bit set, but only when
	DNSSEC validation was not enabled.
	Thanks to Petr Menšík for spotting this.

	Fix missing fatal errors with some malformed options
	(server, local, address, rebind-domain-ok, ipset, alias).
	Thanks to Eugene Lozovoy for spotting the problem.

	Fix crash on startup with a --synth-domain which has no prefix.
	Introduced in 2.79. Thanks to Andreas Engel for the bug report.

	Fix missing EDNS0 section in some replies generated by local
	DNS configuration which confused systemd-resolvd. Thanks to
	Steve Dodd for characterising the problem.

	Add --dhcp-name-match config option.

	Add --caa-record config option.

	Implement --address=/example.com/# as (more efficient) syntactic
	sugar for --address=/example.com/0.0.0.0 and
	--address=/example.com/::
	Returning null addresses is a useful technique for ad-blocking.
	Thanks to Peter Russell for the suggestion.

	Change anti cache-snooping behaviour with queries with the
	recursion-desired bit unset. Instead to returning SERVFAIL, we
	now always forward, and never answer from the cache. This
	allows "dig +trace" command to work.

	Include in the example config file a formulation which
	stops DHCP clients from claiming the DNS name "wpad".
	This is a fix for the CERT Vulnerability VU#598349.
   2018-03-23 13:58:43 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
dnsmasq: updated to 2.79

version 2.79
Fix parsing of CNAME arguments, which are confused by extra spaces.
Thanks to Diego Aguirre for spotting the bug.

Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
upstream servers to an interface, rather than SO_BINDTODEVICE.
Thanks to Beniamino Galvani for the patch.

Always return a SERVFAIL answer to DNS queries without the
recursion desired bit set, UNLESS acting as an authoritative
DNS server. This avoids a potential route to cache snooping.

Add support for Ed25519 signatures in DNSSEC validation.

No longer support RSA/MD5 signatures in DNSSEC validation,
since these are not secure. This behaviour is mandated in
RFC-6944.

Fix incorrect error exit code from dhcp_release6 utility.
Thanks Gaudenz Steinlin for the bug report.

Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
time validation when --dnssec-no-timecheck is in use.
Note that this is an incompatible change from earlier releases.

Allow more than one --bridge-interface option to refer to an
interface, so that we can use
--bridge-interface=int1,alias1
--bridge-interface=int1,alias2
as an alternative to
--bridge-interface=int1,alias1,alias2
Thanks to Neil Jerram for work on this.

Fix for DNSSEC with wildcard-derived NSEC records.
It's OK for NSEC records to be expanded from wildcards,
but in that case, the proof of non-existence is only valid
starting at the wildcard name, *.<domain> NOT the name expanded
from the wildcard. Without this check it's possible for an
attacker to craft an NSEC which wrongly proves non-existence.
Thanks to Ralph Dolmans for finding this, and co-ordinating
the vulnerability tracking and fix release.
CVE-2017-15107 applies.

Remove special handling of A-for-A DNS queries. These
are no longer a significant problem in the global DNS.
http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
Thanks to Mattias Hellström for the initial patch.

Fix failure to delete dynamically created dhcp options
from files in -dhcp-optsdir directories. Thanks to
Lindgren Fredrik for the bug report.

Add to --synth-domain the ability to create names using
sequential numbers, as well as encodings of IP addresses.
For instance,
--synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
creates 21 domain names of the form
internal-4.thekelleys.org.uk over the address range given, with
internal-0.thekelleys.org.uk being 192.168.0.50 and
internal-20.thekelleys.org.uk being 192.168.0.70
Thanks to Andy Hawkins for the suggestion.

Tidy up Crypto code, removing workarounds for ancient
versions of libnettle. We now require libnettle 3.
   2017-10-24 03:04:19 by Pierre Pronchery | Files touched by this commit (1)
Log message:
Add support for LDFLAGS

This notably fixes building with RELRO enabled.
   2017-10-02 17:50:55 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
dnsmasq: update to 2.78.

version 2.78
        Fix logic of appending ".<layer>" to PXE basename. \ 
Thanks to Chris
	Novakovic for the patch.

	Revert ping-check of address in DHCPDISCOVER if there
	already exists a lease for the address. Under some
	circumstances, and netbooted windows installation can reply
	to pings before if has a DHCP lease and block allocation
	of the address it already used during netboot. Thanks to
	Jan Psota for spotting this.

	Fix DHCP relaying, broken in 2.76 and 2.77 by commit
	ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
	John Fitzgibbon for the diagnosis and patch.

        Try other servers if first returns REFUSED when
	--strict-order active. Thanks to Hans Dedecker
	for the patch

	Fix regression in 2.77, ironically added as a security
	improvement, which resulted in a crash when a DNS
	query exceeded 512 bytes (or the EDNS0 packet size,
	if different.) Thanks to Christian Kujau, Arne Woerner
	Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
	chasing this one down.  CVE-2017-13704 applies.

	Fix heap overflow in DNS code. This is a potentially serious
	security hole. It allows an attacker who can make DNS
	requests to dnsmasq, and who controls the contents of
	a domain, which is thereby queried, to overflow
	(by 2 bytes) a heap buffer and either crash, or
	even take control of, dnsmasq.
	CVE-2017-14491 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix heap overflow in IPv6 router advertisement code.
	This is a potentially serious security hole, as a
	crafted RA request can overflow a buffer and crash or
	control dnsmasq. Attacker must be on the local network.
	CVE-2017-14492 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	and Kevin Hamacher of the Google Security Team for
	finding this.

	Fix stack overflow in DHCPv6 code. An attacker who can send
	a DHCPv6 request to dnsmasq can overflow the stack frame and
	crash or control dnsmasq.
	CVE-2017-14493 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix information leak in DHCPv6. A crafted DHCPv6 packet can
	cause dnsmasq to forward memory from outside the packet
	buffer to a DHCPv6 server when acting as a relay.
	CVE-2017-14494 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix DoS in DNS. Invalid boundary checks in the
	add_pseudoheader function allows a memcpy call with negative
	size An attacker which can send malicious DNS queries
	to dnsmasq can trigger a DoS remotely.
	dnsmasq is vulnerable only if one of the following option is
	specified: --add-mac, --add-cpe-id or --add-subnet.
	CVE-2017-14496 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix out-of-memory Dos vulnerability. An attacker which can
	send malicious DNS queries to dnsmasq can trigger memory
	allocations in the add_pseudoheader function
	The allocated memory is never freed which leads to a DoS
	through memory exhaustion. dnsmasq is vulnerable only
	if one of the following option is specified:
	--add-mac, --add-cpe-id or --add-subnet.
	CVE-2017-14495 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.
   2017-06-02 10:37:49 by Adam Ciarcinski | Files touched by this commit (5)
Log message:
version 2.77
	    Generate an error when configured with a CNAME loop,
	    rather than a crash. Thanks to George Metz for
	    spotting this problem.

	    Calculate the length of TFTP error reply packet
	    correctly. This fixes a problem when the error
	    message in a TFTP packet exceeds the arbitrary
	    limit of 500 characters. The message was correctly
	    truncated, but not the packet length, so
	    extra data was appended. This is a possible
	    security risk, since the extra data comes from
	    a buffer which is also used for DNS, so that
	    previous DNS queries or replies may be leaked.

	    Fix logic error in Linux netlink code. This could
	    cause dnsmasq to enter a tight loop on systems
	    with a very large number of network interfaces.

	    Fix problem with --dnssec-timestamp whereby receipt
	    of SIGHUP would erroneously engage timestamp checking.

	    Bump zone serial on reloading /etc/hosts and friends
	    when providing authoritative DNS.

	    Handle v4-mapped IPv6 addresses sanely in --synth-domain.
	    These have standard representation like ::ffff:1.2.3.4
	    and are now converted to names like
	    <prefix>--ffff-1-2-3-4.<domain>

	    Handle binding upstream servers to an interface
	    (--server=1.2.3.4@eth0) when the named interface
	    is destroyed and recreated in the kernel.

	    Allow wildcard CNAME records in authoritative zones.
	    For example --cname=*.example.com,default.example.com

more...
   2017-03-21 10:18:15 by Filip Hajny | Files touched by this commit (2)
Log message:
Fix build on SunOS with IPv6.