./net/dnsmasq, Lightweight, easy to configure DNS forwarder

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 2.87, Package name: dnsmasq-2.87, Maintainer: pkgsrc-users

Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
server. It is designed to provide DNS and, optionally, DHCP, to a
small network. It can serve the names of local machines which are not
in the global DNS. The DHCP server integrates with the DNS server and
allows machines with DHCP-allocated addresses to appear in the DNS
with names configured either in each host or in a central
configuration file. Dnsmasq supports static and dynamic DHCP leases
and BOOTP for network booting of diskless machines.

Required to build:

Package options: inet6

Master sites:

Filesize: 527.859 KB

Version history: (Expand)

CVS history: (Expand)

   2022-09-26 15:23:31 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
dnsmasq: updated to 2.87

version 2.87

Allow arbitrary prefix lengths in --rev-server and

Replace --address=/#/..... functionality which got
missed in the 2.86 domain search rewrite.

Add --nftset option, like --ipset but for the newer nftables.
Thanks to Chen Zhenge for the patch.

Add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6
addresses from DNS answers.

Fix crash doing netbooting when --port is set to zero
to disable the DNS server. Thanks to Drexl Johannes
for the bug report.

Generalise --dhcp-relay. Sending via broadcast/multicast is
now supported for both IPv4 and IPv6 and the configuration
syntax made easier (but backwards compatible).

Add snooping of IPv6 prefix-delegations to the DHCP-relay system.

Finesse parsing of --dhcp-remoteid and --dhcp-subscrid. To be treated
as hex, the pattern must consist of only hex digits AND contain
at least one ':'. Thanks to Bengt-Erik Sandstrom who tripped
over a pattern consisting of a decimal number which was interpreted

Include client address in TFTP file-not-found error reports.
Thanks to Stefan Rink for the initial patch, which has been
re-worked by me (srk). All bugs mine.

Note in manpage the change in behaviour of -address. This behaviour
actually changed in v2.86, but was undocumented there. From 2.86 on,
(eg) --address=/example.com/ ONLY applies to A queries. All other
types of query will be sent upstream. Pre 2.86, that would catch the
whole example.com domain and queries for other types would get
a local NODATA answer. The pre-2.86 behaviour is still available,
by configuring --address=/example.com/ --local=/example.com/

Fix problem with binding DHCP sockets to an individual interface.
Despite the fact that the system call tales the interface _name_ as
a parameter, it actually, binds the socket to interface _index_.
Deleting the interface and creating a new one with the same name
leaves the socket bound to the old index. (Creating new sockets
always allocates a fresh index, they are not reused). We now
take this behaviour into account and keep up with changing indexes.

Add --conf-script configuration option.

Enhance --domain to accept, for instance,
--domain=net2.thekelleys.org.uk,eth2 so that hosts get a domain
which relects the interface they are attached to in a way which
doesn't require hard-coding addresses. Thanks to Sten Spans for
the idea.

Fix write-after-free error in DHCPv6 server code.
CVE-2022-0934 refers.

Add the ability to specify destination port in
DHCP-relay mode. This change also removes a previous bug
where --dhcp-alternate-port would affect the port used
to relay _to_ as well as the port being listened on.
The new feature allows configuration to provide bug-for-bug
compatibility, if required. Thanks to Damian Kaczkowski
for the feature suggestion.

Bound the value of UDP packet size in the EDNS0 header of
forwarded queries to the configured or default value of
edns-packet-max. There's no point letting a client set a larger
value if we're unable to return the answer. Thanks to Bertie
Taylor for pointing out the problem and supplying the patch.

Fix problem with the configuration

--server=/some.domain/# --address=/#/<ip> --server=<server_ip>

This would return <ip> for queries in some.domain, rather than
forwarding the query via the default server.

Tweak DHCPv6 relay code so that packets relayed towards a server
have source address on the server-facing network, not the
client facing network. Thanks to Luis Thomas for spotting this
and initial patch.
   2021-10-26 13:07:15 by Nia Alarie | Files touched by this commit (958)
Log message:
net: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts...):


The following distfiles could not be fetched (fetched conditionally?):

./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
   2021-10-07 16:43:07 by Nia Alarie | Files touched by this commit (962)
Log message:
net: Remove SHA1 hashes for distfiles
   2021-09-17 23:04:40 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
dnsmasq: updated to 2.86

version 2.86

Handle DHCPREBIND requests in the DHCPv6 server code.
Thanks to Aichun Li for spotting this omission, and the initial

Fix bug which caused dnsmasq to lose track of processes forked
to handle TCP DNS connections under heavy load. The code
checked that at least one free process table slot was
available before listening on TCP sockets, but didn't take
into account that more than one TCP connection could
arrive, so that check was not sufficient to ensure that
there would be slots for all new processes. It compounded
this error by silently failing to store the process when
it did run out of slots. Even when this bug is triggered,
all the right things happen, and answers are still returned.
Only under very exceptional circumstances, does the bug
manifest itself: see
Thanks to Tijs Van Buggenhout for finding the conditions under
which the bug manifests itself, and then working out
exactly what was going on.

Major rewrite of the DNS server and domain handling code.
This should be largely transparent, but it drastically
improves performance and reduces memory foot-print when
configuring large numbers domains of the form
Lookup times now grow as log-to-base-2 of the number of domains,
rather than greater than linearly, as before.
The change makes multiple addresses associated with a domain work
It also handles multiple upstream servers for a domain better; using
the same try/retry algorithms as non domain-specific servers. This
also applies to DNSSEC-generated queries.
Finally, some of the oldest and gnarliest code in dnsmasq has had
a significant clean-up. It's far from perfect, but it _is_ better.

Revise resource handling for number of concurrent DNS queries. This
used to have a global limit, but that has a problem when using
different servers for different upstream domains. Queries which are
routed by domain to an upstream server which is not responding will
build up and trigger the limit, which breaks DNS service for
all other domains which could be handled by other servers. The
change is to make the limit per server-group, where a server group
is the set of servers configured for a particular domain. In the
common case, where only default servers are declared, there is
no effective change.

Improve efficiency of DNSSEC. The sharing point for DNSSEC RR data
used to be when it entered the cache, having been validated. After
that queries requiring the KEY or DS records would share the cached
values. There is a common case in dual-stack hosts that queries for
A and AAAA records for the same domain are made simultaneously.
If required keys were not in the cache, this would result in two
requests being sent upstream for the same key data (and all the
subsequent chain-of-trust queries.) Now we combine these requests
and elide the duplicates, resulting in fewer queries upstream
and better performance. To keep a better handle on what's
going on, the "extra" logging mode has been modified to associate
queries and answers  for DNSSEC queries in the same way as ordinary
queries. The requesting address and port have been removed from
DNSSEC logging lines, since this is no longer strictly defined.

Connection track mark based DNS query filtering. Thanks to
Etan Kissling for implementing this It extends query filtering
support beyond what is currently possible
with the `--ipset` configuration option, by adding support for:
1) Specifying allowlists on a per-client basis, based on their
   associated Linux connection track mark.
2) Dynamic configuration of allowlists via Ubus.
3) Reporting when a DNS query resolves or is rejected via Ubus.
4) DNS name patterns containing wildcards.
Disallowed queries are not forwarded; they are rejected
with a REFUSED error code.

Allow smaller than 64 prefix lengths in synth-domain, with caveats.
--synth-domain=1234:4567::/56,example.com is now valid.

Make domains generated by --synth-domain appear in replies
when in authoritative mode.

Ensure CAP_NET_ADMIN capability is available when
conntrack is configured. Thanks to Yick Xie for spotting
the lack of this.

When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
given a directory as argument, define the order in which
files within that directory are read (alphabetical order
of filename). Thanks to Ed Wildgoose for the initial patch
and motivation for this.
   2021-04-12 12:06:45 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
dnsmasq: updated to 2.85

version 2.85

Fix problem with DNS retries in 2.83/2.84.
The new logic in 2.83/2.84 which merges distinct requests
for the same domain causes problems with clients which do
retries as distinct requests (differing IDs and/or source ports.)
The retries just get piggy-backed on the first, failed, request.
The logic is now changed so that distinct requests for repeated
queries still get merged into a single ID/source port, but
they now always trigger a re-try upstream.
Thanks to Nicholas Mu for his analysis.

Tweak sort order of tags in get-version. v2.84 sorts
before v2.83, but v2.83 sorts before v2.83rc1 and 2.83rc1
sorts before v2.83test1. This fixes the problem which lead
to 2.84 announcing itself as 2.84rc2.

Avoid treating a --dhcp-host which has an IPv6 address
as eligible for use with DHCPv4 on the grounds that it has
no address, and vice-versa. Thanks to Viktor Papp for
spotting the problem. (This bug was fixed was back in 2.67, and
then regressed in 2.81).

Add --dynamic-host option: A and AAAA records which take their
network part from the network of a local interface. Useful
for routers with dynamically prefixes. Thanks
to Fred F for the suggestion.

Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet.

Use random source ports where possible if source
addresses/interfaces in use.
CVE-2021-3448 applies. Thanks to Petr Menšík for spotting this.
It's possible to specify the source address or interface to be
used when contacting upstream name servers: server=
or server= or server=, and all of
these have, until now, used a single socket, bound to a fixed
port. This was originally done to allow an error (non-existent
interface, or non-local address) to be detected at start-up. This
means that any upstream servers specified in such a way don't use
random source ports, and are more susceptible to cache-poisoning
We now use random ports where possible, even when the
source is specified, so server= or
server= will use random source
ports. server= or any use of --query-port will
use the explicitly configured port, and should only be done with
understanding of the security implications.
Note that this change changes non-existing interface, or non-local
source address errors from fatal to run-time. The error will be
logged and communication with the server not possible.

Change the method of allocation of random source ports for DNS.
Previously, without min-port or max-port configured, dnsmasq would
default to the compiled in defaults for those, which are 1024 and
65535. Now, when neither are configured, it defaults instead to
the kernel's ephemeral port range, which is typically
32768 to 60999 on Linux systems. This change eliminates the
possibility that dnsmasq may be using a registered port > 1024
when a long-running daemon starts up and wishes to claim it.
This change does likely slightly reduce the number of random ports
and therefore the protection from reply spoofing. The older
behaviour can be restored using the min-port and max-port config
switches should that be a concern.

Scale the size of the DNS random-port pool based on the
value of the --dns-forward-max configuration.

Tweak TFTP code to check sender of all received packets, as
specified in RFC 1350 para 4.
   2021-02-05 21:04:43 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
dnsmasq: updated to 2.84

version 2.84
Unknown changes

version 2.83
Use the values of --min-port and --max-port in outgoing
TCP connections to upstream DNS servers.

Fix a remote buffer overflow problem in the DNSSEC code. Any
dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683

Be sure to only accept UDP DNS query replies at the address
from which the query was originated. This keeps as much entropy
in the {query-ID, random-port} tuple as possible, to help defeat
cache poisoning attacks. Refer: CVE-2020-25684.

Use the SHA-256 hash function to verify that DNS answers
received are for the questions originally asked. This replaces
the slightly insecure SHA-1 (when compiled with DNSSEC) or
the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.

Handle multiple identical near simultaneous DNS queries better.
Previously, such queries would all be forwarded
independently. This is, in theory, inefficent but in practise
not a problem, _except_ that is means that an answer for any
of the forwarded queries will be accepted and cached.
An attacker can send a query multiple times, and for each repeat,
another {port, ID} becomes capable of accepting the answer he is
sending in the blind, to random IDs and ports. The chance of a
succesful attack is therefore multiplied by the number of repeats
of the query. The new behaviour detects repeated queries and
merely stores the clients sending repeats so that when the
first query completes, the answer can be sent to all the
clients who asked. Refer: CVE-2020-25686.
   2020-07-27 18:41:11 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
dnsmasq: updated to 2.82

version 2.82

Improve behaviour in the face of network interfaces which come
and go and change index. Thanks to Petr Mensik for the patch.

Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
to a warning.

Allow IPv6 addresses ofthe form [::ffff:] in --dhcp-option.

Fix crash under heavy TCP connection load introduced in 2.81.
Thanks to Frank for good work chasing this down.

Change default lease time for DHCPv6 to one day.

Alter calculation of preferred and valid times in router
advertisements, so that these do not have a floor applied
of the lease time in the dhcp-range if this is not explicitly
specified and is merely the default.
   2020-05-22 12:56:49 by Adam Ciarcinski | Files touched by this commit (624)
Log message:
revbump after updating security/nettle