./net/dnsmasq, Lightweight, easy to configure DNS forwarder

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 2.76, Package name: dnsmasq-2.76, Maintainer: pkgsrc-users

Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
server. It is designed to provide DNS and, optionally, DHCP, to a
small network. It can serve the names of local machines which are not
in the global DNS. The DHCP server integrates with the DNS server and
allows machines with DHCP-allocated addresses to appear in the DNS
with names configured either in each host or in a central
configuration file. Dnsmasq supports static and dynamic DHCP leases
and BOOTP for network booting of diskless machines.

Required to build:

Package options: inet6

Master sites:

SHA1: 3cb264e2505a06705203d616883db5ee6ac00026
RMD160: ad7c271b90c8aaeb6f642eb63539cc5c52d7f9a7
Filesize: 680.851 KB

Version history: (Expand)

CVS history: (Expand)

   2017-03-21 10:18:15 by Filip Hajny | Files touched by this commit (2)
Log message:
Fix build on SunOS with IPv6.
   2016-11-08 12:59:05 by Makoto Fujiwara | Files touched by this commit (3) | Package updated
Log message:
Updated net/dnsmasq to 2.76
version 2.76
            Include in DNS rebind checks. This range
	    translates to hosts on  the local network, or, at
	    least, accesses the local host, so could
	    be targets for DNS rebinding. See RFC 5735 section 3
	    for details. Thanks to Stephen R旦ttger for the bug report.

	    Enhance --add-subnet to allow arbitrary subnet addresses.
            Thanks to Ed Barsley for the patch.

	    Respect the --no-resolv flag in inotify code. Fixes bug
	    which caused dnsmasq to fail to start if a resolv-file
	    was a dangling symbolic link, even of --no-resolv set.
	    Thanks to Alexander Kurtz for spotting the problem.

	    Fix crash when an A or AAAA record is defined locally,
	    in a hosts file, and an upstream server sends a reply
	    that the same name is empty. Thanks to Edwin T旦r旦k for
	    the patch.

	    Fix failure to correctly calculate cache-size when
	    reading a hosts-file fails. Thanks to Andr辿 Gl端pker
	    for the patch.

	    Fix wrong answer to simple name query when --domain-needed
	    set, but no upstream servers configured. Dnsmasq returned
	    REFUSED, in this case, when it should be the same as when
	    upstream servers are configured - NOERROR. Thanks to
	    Allain Legacy for spotting the problem.

	    Return REFUSED when running out of forwarding table slots,
	    not SERVFAIL.

            Add --max-port configuration. Thanks to Hans Dedecker for
	    the patch.

	    Add --script-arp and two new functions for the dhcp-script.
	    These are "arp" and "arp-old" which announce the arrival and
	    removal of entries in the ARP or nieghbour tables.

	    Extend --add-mac to allow a new encoding of the MAC address
	    as base64, by configurting --add-mac=base64

	    Add --add-cpe-id option.

            Don't crash with divide-by-zero if an IPv6 dhcp-range
	    is declared as a whole /64.
	    (ie xx::0 to xx::ffff:ffff:ffff:ffff)
	    Thanks to Laurent Bendel for spotting this problem.

	    Add support for a TTL parameter in --host-record and

	    Add --dhcp-ttl option.

	    Add --tftp-mtu option. Thanks to Patrick McLean for the
	    initial patch.

	    Check return-code of inet_pton() when parsing dhcp-option.
	    Bad addresses could fail to generate errors and result in
	    garbage dhcp-options being sent. Thanks to Marc Branchaud
	    for spotting this.

	    Fix wrong value for EDNS UDP packet size when using
	    --servers-file to define upstream DNS servers. Thanks to
	    Scott Bonar for the bug report.

	    Move the dhcp_release and dhcp_lease_time tools from
	    contrib/wrt to contrib/lease-tools.

	    Add dhcp_release6 to contrib/lease-tools. Many thanks
	    to Sergey Nechaev for this code.

	    To avoid filling logs in configurations which define
	    many upstream nameservers, don't log more that 30 servers.
	    The number to be logged can be changed as SERVERS_LOGGED
	    in src/config.h.

	    Swap the values if BC_EFI and x86-64_EFI in --pxe-service.
	    These were previously wrong due to an error in RFC 4578.
	    If you're using BC_EFI to boot 64-bit EFI machines, you
	    will need to update your config.

	    Add ARM32_EFI and ARM64_EFI as valid architectures in

            Fix PXE booting for UEFI architectures. Modify PXE boot
	    sequence in this case to force the client to talk to dnsmasq
	    over port 4011. This makes PXE and especially proxy-DHCP PXE
	    work with these archictectures.

	    Workaround problems with UEFI PXE clients. There exist
	    in the wild PXE clients which have problems with PXE
	    boot menus. To work around this, when there's a single
	    --pxe-service which applies to client, then that target
	    will be booted directly, rather then sending a
	    single-item boot menu.

            Many thanks to Jarek Polok, Michael Kuron and Dreamcat4
	    for their work on the long-standing UEFI PXE problem.

	    Subtle change in the semantics of "basename" in
	    --pxe-service. The historical behaviour has always been
	    that the actual filename downloaded from the TFTP server
	    is <basename>.<layer> where <layer> is an integer which
	    corresponds to the layer parameter supplied by the client.
	    It's not clear what the function of the "layer"
	    actually is in the PXE protocol, and in practise layer
	    is always zero, so the filename is <basename>.0
	    The new behaviour is the same as the old, except when
	    <basename> includes a file suffix, in which case
	    the layer suffix is no longer added. This allows
	    sensible suffices to be used, rather then the
	    meaningless ".0". Only in the unlikely event that you
	    have a config with a basename which already has a
	    suffix, is this an incompatible change, since the file
	    downloaded will change from name.suffix.0 to justy
   2016-06-08 12:02:27 by Jonathan Perkin | Files touched by this commit (44)
Log message:
Change the service_bundle name to "export" to reduce diffs between the
original manifest.xml file and the output from "svccfg export".
   2016-02-25 17:20:53 by Jonathan Perkin | Files touched by this commit (47)
Log message:
   2015-11-04 01:35:47 by Alistair G. Crooks | Files touched by this commit (748)
Log message:
Add SHA512 digests for distfiles for net category

Problems found with existing digests:
	Package haproxy distfile haproxy-1.5.14.tar.gz
	159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded]
	da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]

Problems found locating distfiles:
	Package bsddip: missing distfile bsddip-1.02.tar.Z
	Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz
	Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2
	Package djbdns: missing distfile djbdns-cachestats.patch
	Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch
	Package gated: missing distfile gated-3-5-11.tar.gz
	Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz
	Package poink: missing distfile poink-1.6.tar.gz
	Package ra-rtsp-proxy: missing distfile rtspd-src-
	Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch
	Package waste: missing distfile waste-source.tar.gz

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
   2015-08-15 14:38:17 by Leonardo Taccari | Files touched by this commit (2) | Package updated
Log message:
Update net/dnsmasq to dnsmasq-2.75, based on patches from Benedek Gergely via

ok wiz@

pkgsrc changes:
o Pass COPTS via MAKE_FLAGS. This avoid to completely rebuild dnsmasq when dbus
option is selected.

version 2.75
            Fix reversion on 2.74 which caused 100% CPU use when a
            dhcp-script is configured. Thanks to Adrian Davey for
            reporting the bug and testing the fix.

version 2.74
            Fix reversion in 2.73 where --conf-file would attempt to
            read the default file, rather than no file.

            Fix inotify code to handle dangling symlinks better and
            not SEGV in some circumstances.

            DNSSEC fix. In the case of a signed CNAME generated by a
            wildcard which pointed to an unsigned domain, the wrong
            status would be logged, and some necessary checks omitted.
   2015-07-14 11:57:13 by Filip Hajny | Files touched by this commit (4) | Package updated
Log message:
Update net/dnsmasq to 2.73.
Fix build on SunOS.

Version 2.73
  Fix crash at startup when an empty suffix is supplied to
  --conf-dir, also trivial memory leak. Thanks to
  Tomas Hozza for spotting this.

  Remove floor of 4096 on advertised EDNS0 packet size when
  DNSSEC in use, the original rationale for this has long gone.
  Thanks to Anders Kaseorg for spotting this.

  Use inotify for checking on updates to /etc/resolv.conf and
  friends under Linux. This fixes race conditions when the files are
  updated rapidly and saves CPU by noy polling. To build
  a binary that runs on old Linux kernels without inotify,

  Fix breakage of --domain=<domain>,<subnet>,local - only reverse
  queries were intercepted. THis appears to have been broken
  since 2.69. Thanks to Josh Stone for finding the bug.

  Eliminate IPv6 privacy addresses and deprecated addresses from
  the answers given by --interface-name. Note that reverse queries
  (ie looking for names, given addresses) are not affected.
  Thanks to Michael Gorbach for the suggestion.

  Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
  for the bug report.

  Add --ignore-address option. Ignore replies to A-record
  queries which include the specified address. No error is
  generated, dnsmasq simply continues to listen for another
  reply. This is useful to defeat blocking strategies which
  rely on quickly supplying a forged answer to a DNS
  request for certain domains, before the correct answer can
  arrive. Thanks to Glen Huang for the patch.

  Revisit the part of DNSSEC validation which determines if an
  unsigned answer is legit, or is in some part of the DNS
  tree which should be signed. Dnsmasq now works from the
  DNS root downward looking for the limit of signed
  delegations, rather than working bottom up. This is
  both more correct, and less likely to trip over broken
  nameservers in the unsigned parts of the DNS tree
  which don't respond well to DNSSEC queries.

  Add --log-queries=extra option, which makes logs easier
  to search automatically.

  Add --min-cache-ttl option. I've resisted this for a long
  time, on the grounds that disbelieving TTLs is never a
  good idea, but I've been persuaded that there are
  sometimes reasons to do it. (Step forward, GFW).
  To avoid misuse, there's a hard limit on the TTL
  floor of one hour. Thansk to RinSatsuki for the patch.

  Cope with multiple interfaces with the same link-local
  address. (IPv6 addresses are scoped, so this is allowed.)
  Thanks to Cory Benfield for help with this.

  Add --dhcp-hostsdir. This allows addition of new host
  configurations to a running dnsmasq instance much more
  cheaply than having dnsmasq re-read all its existing
  configuration each time.

  Don't reply to DHCPv6 SOLICIT messages if we're not
  configured to do stateful DHCPv6. Thanks to Win King Wan
  for the patch.

  Fix broken DNSSEC validation of ECDSA signatures.

  Add --dnssec-timestamp option, which provides an automatic
  way to detect when the system time becomes valid after
  boot on systems without an RTC, whilst allowing DNS
  queries before the clock is valid so that NTP can run.
  Thanks to Kevin Darbyshire-Bryant for developing this idea.

  Add --tftp-no-fail option. Thanks to Stefan Tomanek for
  the patch.

  Fix crash caused by looking up servers.bind, CHAOS text
  record, when more than about five --servers= lines are
  in the dnsmasq config. This causes memory corruption
  which causes a crash later. Thanks to Matt Coddington for
  sterling work chasing this down.

  Fix crash on receipt of certain malformed DNS requests.
  Thanks to Nick Sampanis for spotting the problem.
  Note that this is could allow the dnsmasq process's
  memory to be read by an attacker under certain
  circumstances, so it has a CVE, CVE-2015-3294

  Fix crash in authoritative DNS code, if a .arpa zone
  is declared as authoritative, and then a PTR query which
  is not to be treated as authoritative arrived. Normally,
  directly declaring .arpa zone as authoritative is not
  done, so this crash wouldn't be seen. Instead the
  relevant .arpa zone should be specified as a subnet
  in the auth-zone declaration. Thanks to Johnny S. Lee
  for the bugreport and initial patch.

  Fix authoritative DNS code to correctly reply to NS
  and SOA queries for .arpa zones for which we are
  declared authoritative by means of a subnet in auth-zone.
  Previously we provided correct answers to PTR queries
  in such zones (including NS and SOA) but not direct
  NS and SOA queries. Thanks to Johnny S. Lee for
  pointing out the problem.

  Fix logging of DHCPREPLY which should be suppressed
  by quiet-dhcp6. Thanks to J. Pablo Abonia for
  spotting the problem.

  Try and handle net connections with broken fragmentation
  that lose large UDP packets. If a server times out,
  reduce the maximum UDP packet size field in the EDNS0
  header to 1280 bytes. If it then answers, make that
  change permanent.

  Check IPv4-mapped IPv6 addresses when --stop-rebind
  is active. Thanks to Jordan Milne for spotting this.

  Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
  Thanks to Kevin Benton for patches and work on this.

  Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
  in the correct subnet, even of not in dynamic address
  allocation range. Thanks to Steve Hirsch for spotting
  the problem.

  Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
  to Nicolas Cavallari for the patch.

  Allow configuration of router advertisements without the
  "on-link" bit set. Thanks to Neil Jerram for the patch.

  Extend --bridge-interface to DHCPv6 and router
  advertisements. Thanks to Neil Jerram for the patch.
   2015-05-06 08:08:48 by Makoto Fujiwara | Files touched by this commit (4) | Package updated
Log message:
Update 2.67 to 2.72
version 2.72
            Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.

	    Add support for "ipsets" in *BSD, using pf. Thanks to
	    Sven Falempim for the patch.

	    Fix race condition which could lock up dnsmasq when an
	    interface goes down and up rapidly. Thanks to Conrad
	    Kostecki for helping to chase this down.

	    Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
	    Thanks to the Smoothwall project for the patch.

	    Fix failure to build against Nettle-3.0. Thanks to Steven
	    Barth for spotting this and finding the fix.

	    When assigning existing DHCP leases to intefaces by comparing
	    networks, handle the case that two or more interfaces have the
	    same network part, but different prefix lengths (favour the
	    longer prefix length.) Thanks to Lung-Pin Chang for the

	    Add a mode which detects and removes DNS forwarding loops, ie
	    a query sent to an upstream server returns as a new query to
	    dnsmasq, and would therefore be forwarded again, resulting in
	    a query which loops many times before being dropped. Upstream
	    servers which loop back are disabled and this event is logged.
	    Thanks to Smoothwall for their sponsorship of this feature.

	    Extend --conf-dir to allow filtering of files. So
	    will load all the files in /etc/dnsmasq.d which end in .conf

            Fix bug when resulted in NXDOMAIN answers instead of NODATA in
            some circumstances.

	    Fix bug which caused dnsmasq to become unresponsive if it
	    failed to send packets due to a network interface disappearing.
	    Thanks to Niels Peen for spotting this.

            Fix problem with --local-service option on big-endian platforms
	    Thanks to Richard Genoud for the patch.

version 2.71
            Subtle change to error handling to help DNSSEC validation
	    when servers fail to provide NODATA answers for
	    non-existent DS records.

	    Tweak code which removes DNSSEC records from answers when
	    not required. Fixes broken answers when additional section
	    has real records in it. Thanks to Marco Davids for the bug

	    Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
	    for spotting that too.

	    Fix total DNS failure and 100% CPU use if cachesize set to zero,
	    regression introduced in 2.69. Thanks to James Hunt and
	    the Ubuntu crowd for assistance in fixing this.

version 2.70
            Fix crash, introduced in 2.69, on TCP request when dnsmasq
	    compiled with DNSSEC support, but running without DNSSEC
	    enabled. Thanks to Manish Sing for spotting that one.

	    Fix regression which broke ipset functionality. Thanks to
	    Wang Jian for the bug report.

version 2.69
	    Implement dynamic interface discovery on *BSD. This allows
	    the contructor: syntax to be used in dhcp-range for DHCPv6
	    on the BSD platform. Thanks to Matthias Andree for
	    valuable research on how to implement this.

	    Fix infinite loop associated with some --bogus-nxdomain
	    configs. Thanks fogobogo for the bug report.

	    Fix missing RA RDNS option with configuration like
	    --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
	    for spotting the problem.

	    Add [fd00::] and [fe80::] as special addresses in DHCPv6
	    options, analogous to [::]. [fd00::] is replaced with the
	    actual ULA of the interface on the machine running
	    dnsmasq, [fe80::] with the link-local address.
	    Thanks to Tsachi Kimeldorfer for championing this.

	    DNSSEC validation and caching. Dnsmasq needs to be
	    compiled with this enabled, with

	    make dnsmasq COPTS=-DHAVE_DNSSEC

	    this add dependencies on the nettle crypto library and the
	    gmp maths library. It's possible to have these linked
	    statically with


	    which bloats the dnsmasq binary, but saves the size of
	    the shared libraries which are much bigger.

	    To enable, DNSSEC, you will need a set of
	    trust-anchors. Now that the TLDs are signed, this can be
	    the keys for the root zone, and for convenience they are
	    included in trust-anchors.conf in the dnsmasq
	    distribution. You should of course check that these are
	    legitimate and up-to-date. So, adding


	    to your config is all thats needed to get things
	    working. The upstream nameservers have to be DNSSEC-capable
	    too, of course. Many ISP nameservers aren't, but the
	    Google public nameservers ( and are.
	    When DNSSEC is configured, dnsmasq validates any queries
	    for domains which are signed. Query results which are
	    bogus are replaced with SERVFAIL replies, and results
	    which are correctly signed have the AD bit set. In
	    addition, and just as importantly, dnsmasq supplies
	    correct DNSSEC information to clients which are doing
	    their own validation, and caches DNSKEY, DS and RRSIG
	    records, which significantly improve the performance of
	    downstream validators. Setting --log-queries will show
	    DNSSEC in action.

	    If a domain is returned from an upstream nameserver without
	    DNSSEC signature, dnsmasq by default trusts this. This
	    means that for unsigned zone (still the majority) there
	    is effectively no cost for having DNSSEC enabled. Of course
	    this allows an attacker to replace a signed record with a
	    false unsigned record. This is addressed by the
	    --dnssec-check-unsigned flag, which instructs dnsmasq
	    to prove that an unsigned record is legitimate, by finding
	    a secure proof that the zone containing the record is not
	    signed. Doing this has costs (typically one or two extra
	    upstream queries). It also has a nasty failure mode if
	    dnsmasq's upstream nameservers are not DNSSEC capable.
	    Without --dnssec-check-unsigned using such an upstream
	    server will simply result in not queries being validated;
	    with --dnssec-check-unsigned enabled and a
	    DNSSEC-ignorant upstream server, _all_ queries will fail.

	    Note that DNSSEC requires that the local time is valid and
	    accurate, if not then DNSSEC validation will fail. NTP
	    should be running. This presents a problem for routers
	    without a battery-backed clock. To set the time needs NTP
	    to do DNS lookups, but lookups will fail until NTP has run.
	    To address this, there's a flag, --dnssec-no-timecheck
	    which disables the time checks (only) in DNSSEC. When dnsmasq
	    is started and the clock is not synced, this flag should
	    be used. As soon as the clock is synced, SIGHUP dnsmasq.
	    The SIGHUP clears the cache of partially-validated data and
	    resets the no-timecheck flag, so that all DNSSEC checks
	    henceforward will be complete.

	    The development of DNSSEC in dnsmasq was started by
	    Giovanni Bajo, to whom huge thanks are owed. It has been
	    supported by Comcast, whose techfund grant has allowed for
	    an invaluable period of full-time work to get it to
	    a workable state.

	    Add --rev-server. Thanks to Dave Taht for suggesting this.

	    Add --servers-file. Allows dynamic update of upstream servers
	    full access to configuration.

	    Add --local-service. Accept DNS queries only from hosts
            whose address is on a local subnet, ie a subnet for which
            an interface exists on the server. This option
            only has effect if there are no --interface --except-interface,
            --listen-address or --auth-server options. It is intended
            to be set as a default on installation, to allow
            unconfigured installations to be useful but also safe from
	    being used for DNS amplification attacks.

	    Fix crashes in cache_get_cname_target() when dangling CNAMEs
	    encountered. Thanks to Andy and the rt-n56u project for
	    find this and helping to chase it down.

	    Fix wrong RCODE in authoritative DNS replies to PTR queries. The
	    correct answer was included, but the RCODE was set to NXDOMAIN.
	    Thanks to Craig McQueen for spotting this.

	    Make statistics available as DNS queries in the .bind TLD as
	    well as logging them.

version 2.68
            Use random addresses for DHCPv6 temporary address
            allocations, instead of algorithmically determined stable

	    Fix bug which meant that the DHCPv6 DUID was not available
	    in DHCP script runs during the lifetime of the dnsmasq
	    process which created the DUID de-novo. Once the DUID was
	    created and stored in the lease file and dnsmasq
	    restarted, this bug disappeared.

	    Fix bug introduced in 2.67 which could result in erroneous
	    NXDOMAIN returns to CNAME queries.

	    Fix build failures on MacOS X and openBSD.

	    Allow subnet specifications in --auth-zone to be interface
	    names as well as address literals. This makes it possible
	    to configure authoritative DNS when local address ranges
	    are dynamic and works much better than the previous
	    work-around which exempted contructed DHCP ranges from the
	    IP address filtering. As a consequence, that work-around
	    is removed. Under certain circumstances, this change wil
	    break existing configuration: if you're relying on the
	    contructed-range exception, you need to change --auth-zone
	    to specify the same interface as is used to construct your
	    DHCP ranges, probably with a trailing "/6" like this:
	    --auth-zone=example.com,eth0/6 to limit the addresses to
	    IPv6 addresses of eth0.

	    Fix problems when advertising deleted IPv6 prefixes. If
	    the prefix is deleted (rather than replaced), it doesn't
	    get advertised with zero preferred time. Thanks to Tsachi
	    for the bug report.

	    Fix segfault with some locally configured CNAMEs. Thanks
	    to Andrew Childs for spotting the problem.

	    Fix memory leak on re-reading /etc/hosts and friends,
	    introduced in 2.67.

	    Check the arrival interface of incoming DNS and TFTP
	    requests via IPv6, even in --bind-interfaces mode. This
	    isn't possible for IPv4 and can generate scary warnings,
	    but as it's always possible for IPv6 (the API always
	    exists) then we should do it always.

	    Tweak the rules on prefix-lengths in --dhcp-range for
	    IPv6. The new rule is that the specified prefix length
	    must be larger than or equal to the prefix length of the
	    corresponding address on the local interface.