dnsmasq-2.93/0000775000175000017500000000000015210265610011275 5ustar srksrkdnsmasq-2.93/Makefile0000664000175000017500000001640415210262712012742 0ustar srksrk# dnsmasq is Copyright (c) 2000-2026 Simon Kelley # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; version 2 dated June, 1991, or # (at your option) version 3 dated 29 June, 2007. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # NOTE: Building the i18n targets requires GNU-make # Variables you may well want to override. PREFIX = /usr/local BINDIR = $(PREFIX)/sbin MANDIR = $(PREFIX)/share/man LOCALEDIR = $(PREFIX)/share/locale BUILDDIR = $(SRC) DESTDIR = CFLAGS = -Wall -W -O2 LDFLAGS = COPTS = RPM_OPT_FLAGS = LIBS = LUA = lua ################################################################# # Variables you might want to override. PKG_CONFIG = pkg-config INSTALL = install MSGMERGE = msgmerge MSGFMT = msgfmt XGETTEXT = xgettext SRC = src PO = po MAN = man ################################################################# # pmake way. (NB no spaces to keep gmake 3.82 happy) top!=pwd # GNU make way. top?=$(CURDIR) dbus_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` dbus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy '-lubox -lubus'` idn_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn` idn_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn` idn2_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2` idn2_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --libs libidn2` ct_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --cflags libnetfilter_conntrack` ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack` lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags $(LUA)` lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs $(LUA)` nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags 'nettle hogweed'` nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs 'nettle hogweed'` gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp` sunos_libs = `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi` nft_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --cflags libnftables` nft_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --libs libnftables` version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"' sum?=$(shell echo $(CC) -DDNSMASQ_COMPILE_FLAGS="$(CFLAGS)" -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ') sum!=echo $(CC) -DDNSMASQ_COMPILE_FLAGS="$(CFLAGS)" -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ' copts_conf = .copts_$(sum) objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ metrics.o domain-match.o nftset.o hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ dns-protocol.h radv-protocol.h ip6addr.h metrics.h all : $(BUILDDIR) @cd $(BUILDDIR) && $(MAKE) \ top="$(top)" \ build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags) $(nft_cflags)" \ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs) $(nft_libs)" \ -f $(top)/Makefile dnsmasq mostly_clean : rm -f $(BUILDDIR)/*.mo $(BUILDDIR)/*.pot rm -f $(BUILDDIR)/.copts_* $(BUILDDIR)/*.o $(BUILDDIR)/dnsmasq.a $(BUILDDIR)/dnsmasq clean : mostly_clean rm -f $(BUILDDIR)/dnsmasq_baseline rm -f core */core rm -f *~ contrib/*/*~ */*~ install : all $(INSTALL) -d $(DESTDIR)$(BINDIR) $(INSTALL) -d $(DESTDIR)$(MANDIR)/man8 $(INSTALL) -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 $(INSTALL) -m 755 $(BUILDDIR)/dnsmasq $(DESTDIR)$(BINDIR) all-i18n : $(BUILDDIR) @cd $(BUILDDIR) && $(MAKE) \ top="$(top)" \ i18n=-DLOCALEDIR=\'\"$(LOCALEDIR)\"\' \ build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags) $(nft_cflags)" \ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs) $(nft_libs)" \ -f $(top)/Makefile dnsmasq for f in `cd $(PO); echo *.po`; do \ cd $(top) && cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile $${f%.po}.mo; \ done install-i18n : all-i18n $(INSTALL) -d $(DESTDIR)$(BINDIR) $(INSTALL) -d $(DESTDIR)$(MANDIR)/man8 $(INSTALL) -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 $(INSTALL) -m 755 $(BUILDDIR)/dnsmasq $(DESTDIR)$(BINDIR) cd $(BUILDDIR); $(top)/bld/install-mo $(DESTDIR)$(LOCALEDIR) $(INSTALL) cd $(MAN); ../bld/install-man $(DESTDIR)$(MANDIR) $(INSTALL) merge : @cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile dnsmasq.pot for f in `cd $(PO); echo *.po`; do \ echo -n msgmerge $(PO)/$$f && $(MSGMERGE) --no-wrap -U $(PO)/$$f $(BUILDDIR)/dnsmasq.pot; \ done # Canonicalise .po file. %.po : @cd $(BUILDDIR) && $(MAKE) -f $(top)/Makefile dnsmasq.pot mv $(PO)/$*.po $(PO)/$*.po.orig && $(MSGMERGE) --no-wrap $(PO)/$*.po.orig $(BUILDDIR)/dnsmasq.pot >$(PO)/$*.po; $(BUILDDIR): mkdir -p $(BUILDDIR) # rules below are helpers for size tracking baseline : mostly_clean all @cd $(BUILDDIR) && \ mv dnsmasq dnsmasq_baseline bloatcheck : $(BUILDDIR)/dnsmasq_baseline mostly_clean all @cd $(BUILDDIR) && \ $(top)/bld/bloat-o-meter dnsmasq_baseline dnsmasq; \ size dnsmasq_baseline dnsmasq # rules below are targets in recursive makes with cwd=$(BUILDDIR) $(copts_conf): $(hdrs) @rm -f *.o .copts_* @touch $@ $(objs:.o=.c) $(hdrs): ln -s $(top)/$(SRC)/$@ . $(objs): $(copts_conf) $(hdrs) .c.o: $(CC) $(CFLAGS) $(COPTS) $(i18n) $(build_cflags) $(RPM_OPT_FLAGS) -c $< dnsmasq : $(objs) $(CC) $(LDFLAGS) -o $@ $(objs) $(build_libs) $(LIBS) dnsmasq.pot : $(objs:.o=.c) $(hdrs) $(XGETTEXT) -d dnsmasq --foreign-user --omit-header --keyword=_ -o $@ -i $(objs:.o=.c) %.mo : $(top)/$(PO)/%.po dnsmasq.pot $(MSGMERGE) -o - $(top)/$(PO)/$*.po dnsmasq.pot | $(MSGFMT) -o $*.mo - .PHONY : all clean mostly_clean install install-common all-i18n install-i18n merge baseline bloatcheck dnsmasq-2.93/CHANGELOG.archive0000664000175000017500000031503315210262712014134 0ustar srksrkrelease 0.4 - initial public release release 0.5 - added caching, removed compiler warning on linux PPC release 0.6 - TCP handling: close socket and return to connect state if we can't read the first byte. This corrects a problem seen very occasionally where dnsmasq would loop using all available CPU. Added a patch from Cris Bailiff to set SO_REUSEADDR on the tcp socket which stops problems when dnsmasq is restarted and old connections still exist. Stopped claiming in doc.html that smail is the default Debian mailer, since it isn't any longer. (Pointed out by David Karlin ) release 0.7 Create a pidfile at /var/run/dnsmasq.pid Extensive armouring against "poison packets" courtesy of Thomas Moestl Set sockaddr.sa_family on outgoing address, patch from David Symonds Patch to clear cache on SIGHUP from Jason L. Wagner Fix bad bug resulting from not initialising value-result address-length parameter to recvfrom() and accept() - it worked by luck before! release 0.95 Major rewrite: remove calls to gethostbyname() and talk directly to the upstream server(s) instead. This has many advantages. (1) Dnsmasq no longer blocks during long lookups. (2) All query types are handled now, (eg MX) not just internet address queries. Addresses are cached, all other queries are forwarded directly. (3) Time-to-live data from upstream server is read and used by dnsmasq to purge entries from the cache. (4) /etc/hosts is still read and its contents served (unless the -h option is given). (5) Dnsmasq can get its upstream servers from a file other than /etc/resolv.conf (-r option) this allows dnsmasq to serve names to the machine it is running on (put nameserver 127.0.0.1 in /etc/resolv.conf and give dnsmasq the option -r /etc/resolv.dnsmasq) (6) Dnsmasq will re-read its servers if the modification time of resolv.conf changes. Along with 4 above this allows nameservers to be set automatically by ppp or dhcp. A really clever NAT-like technique allows the daemon to have lots of queries in progress, but still remain very lightweight. Dnsmasq has a small footprint and normally doesn't allocate any more memory after start-up. The NAT-like forwarding was inspired by a suggestion from Eli Chen release 0.96 Fixed embarrassing thinko in cache linked-list code. release 0.98 Some enhancements and bug-fixes. Thanks to "Denis Carre" and Martin Otte (1) Dnsmasq now always sets the IP source address of its replies correctly. Older versions would not always do this on multi-homed and IP aliased hosts, which violates the RFC. (2) Dnsmasq no longer crashes if a server loop is created (ie dnsmasq is told to use itself as an upstream server.) Now it just logs the problem and doesn't use the bad server address. (3) Dnsmasq should now forward (but not cache) inverse queries and server status queries; this feature has not been tested. (4) Don't write the pid file when in non-daemon mode. (5) Create the pid file mode 644, rather then 666 (!). (6) Generate queries to upstream nameservers with unpredictable ids, to thwart DNS spoofers. (7) Dnsmasq no longer forwards queries when the "recursion desired" bit is not set in the header. (8) Fixed getopt code to work on compilers with unsigned char. release 0.991 Added -b flag: when set causes dnsmasq to always answer reverse queries on the RFC 1918 private IP space itself and never forward them to an upstream server. If the name is not in /etc/hosts, dnsmasq replies with the dotted-quad address. Fixed a bug which stopped dnsmasq working on a box with two or more interfaces with the same IP address. Fixed caching of CNAMEs. Previously, a CNAME which pointed to a name with many A records would not have all the addresses returned when being answered from the cache. Thanks to "Steve Hardy" for his input on these fixes. Fixed race which could cause dnsmasq to miss the second of two closely-spaced updates of resolv.conf (Thanks to Eli Chen for pointing this out.) Fixed a bug which could cause dnsmasq to fail to cache some dns names. release 0.992 Small change to memory allocation so that names in /etc/hosts don't use cache slots. Also make "-c 0" flag meaningfully disable caching completely. release 0.993 Return only the first (canonical) name from an entry in /etc/hosts as reply to reverse query. Handle wildcard queries for names/addresses in /etc/hosts this is mainly to allow reverse lookups by dig to succeed. (Bug reported by Simon J. Rowe" ) Subtle change to the logic which selects which of multiple upstream servers we send queries to. This fixes a problem where dnsmasq continuously sends queries to a server which is returning error codes and ignores one which is working. release 0.994 Fixed bug which broke lookup of names in /etc/hosts which have upper-case letters in them. Thanks for Joao Clemente for spotting that one. Output cache statistics on receipt of SIGUSR1. These go to syslog except in debug (-d) mode, when a complete cache dump goes to stdout. Suggestion from Joao Clemente, code based in John Volpe's. Accept GNU long options on the command line. Code from John Volpe for this. Split source code into multiple files and produced a proper makefile. Included code from John Volpe to parse dhcp.leases file written by ISC dhcpd. The hostnames in the leases file are added to the cache and updated as dhcpd updates the leases file. The code has been heavily re-worked by me, so any bugs are probably mine. release 0.995 Small tidy-ups to signal handling and cache code. release 0.996 Added negative caching: If dnsmasq gets a "no such domain" reply from an upstream nameserver, it will cache that information for a time specified by the SOA RR in the reply. See RFC 2308 for details. This is useful with resolver libraries which append assorted suffices to non-FQDN in an attempt to resolve them, causing useless cache misses. Added -i flag, which restricts dnsmasq to offering name service only on specified interfaces. release 0.997 Deleted INSTALL script and added "install" target to makefile. Stopped distributing binaries in the tarball to avoid libc version clashes. Fixed interface detection code to remove spurious startup errors in rare circumstances. Dnsmasq now changes its uid, irrevocably, to nobody after startup for security reasons. Thanks to Peter Bailey for this patch. Cope with infinite DHCP leases. Patch thanks to Yaacov Akiba Slama. Added rpm control files to .tar.gz distribution. Thanks to Peter Baldwin at ClarkConnect for those. Improved startup script for rpms. Thanks to Yaacov Akiba Slama. release 1.0 Stable release: dnsmasq is now considered feature-complete and stable. release 1.1 Added --user argument to allow user to change to a different userid. Added --mx-target argument to allow mail to be delivered away from the gateway machine running dnsmasq. Fixed highly obscure bug with wildcard queries for DHCP lease derived names. Moved manpage from section 1 to section 8. Added --no-poll option. Added Suse-rpm support. Thanks to Joerg Mayer for the last two. release 1.2 Added IPv6 DNS record support. AAAA records are cached and read from /etc/hosts. Reverse-lookups in the ip6.int and ip6.arpa domains are supported. Dnsmasq can talk to upstream servers via IPv6 if it finds IP6 addresses in /etc/resolv.conf and it offers DNS service automatically if IPv6 support is present in the kernel. Extended negative caching to NODATA replies. Re-vamped CNAME processing to cope with RFC 2317's use of CNAMES to PTR RRs in CIDR. Added config.h and a couple of symbols to aid compilation on non-linux systems. release 1.3 Some versions of the Linux kernel return EINVAL rather then ENPROTONOSUPPORT when IPv6 is not available, causing dnsmasq to bomb out. This release fixes that. Thanks to Steve Davis for pointing this one out. Trivial change to startup logic so that dnsmasq logs its stuff and reads config files straight away on starting, rather than after the first query - principle of least surprise applies here. release 1.4 Fix a bug with DHCP lease parsing which broke in non-UTC timezones. Thanks to Mark Wormgoor for spotting and diagnosing this. Fixed versions in the .spec files this time. Fixed bug in Suse startup script. Thanks to Didi Niklaus for pointing this out. release 1.5 Added --filterwin2k option which stops dnsmasq from forwarding "spam" queries from win2k boxes. This is useful to stop spurious connections over dial-on-demand links. Thanks to Steve Hardy for this code. Clear "truncated" bit in replies we return from upstream. This stops resolvers from switching to TCP, which is pointless since dnsmasq doesn't support TCP. This should solve problems in resolving hotmail.com domains. Don't include getopt.h when Gnu-long-options are disabled - hopefully this will allow compilation on FreeBSD. Added the --listen-address and --pid-file flags. Fixed a bug which caused old entries in the DHCP leases file to be used in preference to current ones under certain circumstances. release 1.6 If a machine gets named via DHCP and the DHCP name doesn't have a domain part and domain suffix is set using the -s flag, then that machine has two names with the same address, with and without the domain suffix. When doing a _reverse_ lookup to get the name, the "without suffix" name used to be returned, now the "with suffix" one gets returned instead. This change suggested by Arnold Schulz. Fixed assorted typos in the documentation. Thanks to David Kimdon. Subtle rearrangement to the downloadable tarball, and stopped distributing .debs, since dnsmasq is now an official Debian package. release 1.7 Fix a problem with cache not clearing properly on receipt of SIGHUP. Bug spotted by Sat Deshpande. In group-id changing code: 1) Drop supplementary groups. 2) Change gid before dropping root (patch from Soewono Effendi.) 3) Change group to "dip" if it exists, to allow access to /etc/ppp/resolv.conf (suggestion from Jorg Sommer.) Update docs to reflect above changes. Other documentation changes from David Miller. Added suggested script fragment for dhcpcd.exe. release 1.8 Fix unsafe use of tolower() macro - allows linking against ulibc. (Patches from Soewono Effendi and Bjorn Andersson.) Fix typo in usage string. Added advice about RedHat PPP configuration to documentation. (Thanks to C. Lee Taylor.) Patches to fix problems on BSD systems from Marc Huber and Can Erkin Acar. These add the options HAVE_ARC4RANDOM and HAVE_SOCKADDR_SA_LEN to config.h. Elaborated config.h - should really use autoconf. Fix time-to-live calculation when chasing CNAMEs. Fix use-after-free and missing initialisation bugs in the cache code. (Thanks to Marc Huber.) Builds on Solaris 9. (Thanks to Marc Huber.) release 1.9 Fixes to rpm .spec files. Don't put expired DHCP entries into the cache only to throw them away again. Put dnsmasq on a severe memory diet: this reduces both the amount of heap space used and the stack size required. The difference is not really visible with bloated libcs like glibc, but should dramatically reduce memory requirements when linked against ulibc for use on embedded routers, and that's the point really. Thanks to Matthew Natalier for prompting this. Changed debug mode (-d) so that all logging appears on stderr as well as going to syslogd. Added HAVE_IPV6 config symbol to allow compilation against a libc which doesn't have IPv6 support. Added a facility to log all queries, enabled with -q flag. Fixed packet size checking bug in address extraction code. Halved default cache size - 300 was way OTT in typical use. Added self-MX function, enabled by -e flag. Thanks to Lyonel Vincent for the patch. Added HAVE_FORK config symbol and stuff to support uClinux. Thanks to Matthew Natalier for uClinux stuff. release 1.10 Log warnings if resolv.conf or dhcp.leases are not accessible for any reason, as suggested by Hinrich Eilts. Fixed wrong address printing in error message about no interface with address. Updated docs and split installation instructions into setup.html. Fix bug in CNAME chasing code: One CNAME pointing to many A records would lose A records after the first. This bug was introduced in version 1.9. Log startup failures at level Critical as well as printing them to standard error. Exit with return code 1 when given bad options. Cleaned up code for no-cache operation. Added -o option which forces dnsmasq to use to upstream servers in the order they appear in /etc/resolv.conf. Added upstream server use logging. Log full cache dump on receipt of SIGUSR1 when query logging is enabled (-q switch). Added -S option to directly specify upstream servers and added ability to direct queries for specific domains to specific servers. Suggested by Jens Vonderheide. Upgraded random ID generation - patch from Rob Funk. Fixed reading of domains in arguments with capital letters or trailing periods. Fixed potential SEGV when given bad options. Read options from /etc/dnsmasq.conf if it exists. Do sensible things with missing parameters, eg "--resolv-file=" turns off reading /etc/resolv.conf. release 1.11 Actually implement the -R flag promised in the 1.10 man page. Improve and rationalise the return codes in answers to queries. In the case that there are no available upstream servers to forward a query to, return REFUSED. This makes sendmail work better on modem connected systems when the modem link is down (Thanks to Roger Plant). Cache and return the NXDOMAIN status of failed queries: this makes the `host` command work when traversing search paths (Thanks to Peter Bailey). Set the "authoritative" bit in replies containing names from /etc/hosts or DHCP. Tolerate MS-DOS style line ending codes in /etc/hosts and /etc/resolv.conf, for people who copy from winsock installations. Allow specification of more than one resolv.conf file. This is intended for laptops which connect via DHCP or PPP. Whichever resolv.conf was updated last is used. Allow -S flags which specify a domain but no server address. This gives local domains which are never forwarded. Add -E flag to automatically add the domain suffix to names in /etc/hosts -suggestion from Phil Harman. Always return a zero time-to-live for names derived from DHCP which stops anything else caching these names. Previously the TTL was derived from the lease time but that is incorrect since a lease can be given up early: dnsmasq would know this but anything with the name cached with long TTL would not be updated. Extended HAVE_IPV6 config flag to allow compilation on old systems which don't have modern library routines like inet_ntop(). Thanks to Phil Harman for the patch. release 1.12 Allow more than one domain in server config lines and make "local" a synonym for "server". This makes things like "local=/localnet/thekelleys.org.uk/" legal. Allow port to specified as part of server address. Allow whole domains to have an IP address specified in /etc/dnsmasq.conf. (/etc/hosts doesn't work domains). address=/doubleclick.net/127.0.0.1 should catch all those nasty banner ads. Inspired by a patch from Daniel Gryniewicz Log the source of each query when logging switched on. Fix bug in script fragment for dhcpcd - thanks to Barry Stewart. Fix bug which meant that strict-order and self-mx were always enabled. Builds with Linux libc5 now - for the Freesco project. Fixed Makefile installation script (patch from Silvan Minghetti) and added CC and CFLAGS variables. Improve resource allocation to reduce vulnerability to DOS attacks - the old version could have all queries blocked by a continuous high-speed stream of queries. Now some queries will succeed, and the excess will be rejected with a server fail error. This change also protects against server-loops; setting up a resolving loop between two instances of dnsmasq is no longer catastrophic. The servers will continue to run, looped queries fail and a warning is logged. Thanks to C. Lee Taylor for help with this. release 1.13 Added support for building rpms suitable for modern Suse systems. (patch from Andi ) Added options --group, --localmx, --local-ttl, --no-negcache, --addn-host. Moved all the various rpm-building bits into /rpm. Fix builds with glibc 2.1 (thanks to Cristian Ionescu-Idbohrn) Preserve case in domain names, as per RFC1035. Fixed ANY queries to domains with --address specification. Fixed FreeBSD build. (thanks to Steven Honson) Added -Q option which allows a specified port to be used to talk to upstream servers. Useful for people who want very paranoid firewalls which open individual UDP port. (thanks to David Coe for the patch) release 1.14 Fixed man page description of -b option which confused /etc/hosts with /etc/resolv.conf. (thanks to Christopher Weimann) Fixed config.h to allow building under MACOS X and glibc 2.0.x. (thanks to Matthew Gregan and Serge Caron) Added --except-interface option. (Suggested by Serge Caron) Added SIGUSR2 facility to re-scan for new interfaces. (Suggested by Serge Caron) Fixed SEGV in option-reading code for invalid options. (Thanks to Klaas Teschauer) Fixed man page to clarify effect of SIGUSR1 on /etc/resolv.conf. (Thanks to Klaas Teschauer) Check that received queries have only rfc1035-legal characters in them. This check is mainly to avoid bad strings being sent to syslog. Fixed &&/& confusion in option.c and added DESTDIR variable for "make install" (Thanks to Osvaldo Marques for the patch.) Fixed /etc/hosts parsing code to cope with MS-DOS line-ends in the file. This was supposed to be done in version 1.11, but something got missed. (Thanks to Doug Copestake for helping to find this.) Squash repeated name/address pairs read from hosts files. Tidied up resource handling in util.c (Thanks to Cristian Ionescu-Idbohrn). Added hashed searching of domain names. People are starting to use dnsmasq with larger loads now, and bigger caches, and large lists of ad-block addresses. This means doing linear searches can start to use lots of CPU so I added hashed searching and seriously optimised the cache code for algorithmic efficiency. Also upped the limit on cache size to 10000. Fixed logging of the source of names from the additional hosts file and from the "bogus private address" option. Fixed spurious re-reading of empty lease files. (Thanks to Lewis Baughman for spotting this.) Fixed building under uclibc (patch from Cristian Ionescu-Idbohrn) Do some socket tweaking to allow dnsmasq to co-exist with BIND. Thanks to Stefan 'Sec' Zehl for the patch. release 1.15 Added --bogus-nxdomain option. Restrict checking of resolv.conf and DHCP leases files to once per second. This is intended to improve performance under heavy loads. Also make a system call to get the current time once per query, rather than four times. Increased number of outstanding queries to 150 in config.h release 1.16 Allow "/" characters in domain names - this fixes caching of RFC 2317 CNAME-PTR records. Fixed brain-fart in -B option when GETOPT_LONG not enabled - thanks to Steven Young and Jason Miller for pointing this out. Generalised bogus-nxdomain code: allow more than one address to check, and deal with replies with multiple answer records. (Based on contribution from Humberto Massa.) Updated the documentation to include information about bogus-nxdomain and the Verisign tragedy. Added libraries needed on Solaris to Makefile. Added facility to set source address in queries to upstream nameservers. This is useful with multihomed hosts, especially when using VPNs. Thanks to Tom Fanning for suggesting this feature. Tweaked logging: log to facility LOCAL0 when in debug/no-daemon mode and changed level of query logging from INFO to DEBUG. Make log options controllable in config.h release 1.17 Fixed crash with DHCP hostnames > 40 characters. Fixed name-comparison routines to not depend on Locale, in theory this versions since 1.15 could lock up or give wrong results when run with locale != 'C'. Fix potential lockup in cache code. (thanks to Henning Glawe for help chasing this down.) Made lease-file reader bullet-proof. Added -D option, suggested by Peter Fichtner. release 1.18 Added round-robin DNS for names which have more than one address. In this case all the addresses will be returned, as before, but the order will change on each query. Remove stray tolower() and isalnum() calls missed in last release to complete LOCALE independence. Allow port numbers in source-address specifications. For hostnames without a domain part which don't get forwarded because -D is in effect, return NXDOMAIN not an empty reply. Add code to return the software version in response to the correct magic query in the same way as BIND. Use "dig version.bind chaos txt" to make the query. Added negative caching for PTR (address to name) records. Ensure that names of the form typically used in PTR queries (ie w.x.yz.in-addr.arpa and IPv6 equivalents) get correct answers when queried as other types. It's unlikely that anyone would do this, but the change makes things pedantically correct. Taught dnsmasq to understand "bitstring" names, as these are used for PTR lookups of IPv6 addresses by some resolvers and lookup tools. Dnsmasq now understands both the ip6.int domain and the ip6.arpa domain and both nibble and bitstring formats so it should work with any client code. Standards for this stuff have flip-flopped over the last few years, leaving many different clients in their wake. See RFC2673 for details of bitstrings. Allow '_' characters in domain names: Legal characters are now [a-z][A-Z].-_ Check names read from hosts files and leases files and reject illegal ones with a message in syslog. Make empty domain names in server and address options have the special meaning "unqualified names". (unqualified names are names without any dots in them). It's now possible to do server=//1.2.3.4 and have unqualified names sent to a special nameserver. release 2.0rc1 Moved source code into src/ directory. Fixes to cure compilation breakage when HAVE_IPV6 not set, thanks to Claas Hilbrecht. BIG CHANGE: added an integrated DHCP server and removed the code to read ISC dhcp.leases. This wins in terms of ease of setup and configuration flexibility and total machine resources consumed. Re-jiged the signal handling code to remove a race condition and to be more portable. release 2.0 Thanks to David Ashworth for feedback which informed many of the fixes below. Allow hosts to be specified by client ID in dhcp-hosts options. These are now one of dhcp-host=,.... dhcp-host=id:,..... dhcp-host=id:,..... Allow dhcp-host options to specify any IP address on the DHCP-served network, not just the range available for dynamic allocation. Allow dhcp-host options for the same host with different IP addresses where the correct one will be selected for the network the host appears on. Fix parsing of --dhcp-option to allow more than one IP address and to allow text-type options. Inhibit use of --dhcp-option to send hostname DHCP options. Update the DNS with DHCP information after re-reading /etc/hosts so that any DHCP derived names which have been shadowed by now-deleted hosts entries become visible. Fix typos in dnsmasq.conf.example Fixes to Makefile(s) to help pkgsrc packaging - patch from "pancake". Add dhcp-boot option to support network boot. Check for duplicate IP addresses in dhcp-hosts lines and refuse to run if found. If allowed to remain these can provoke an infinite loop in the DHCP protocol. Attempted to rationalise the .spec files for rpm building. There are now files for Redhat, Suse and Mandrake. I hope they work OK. Fixed hard-to-reproduce crash involving use of local domains and IPv6 queries. Thanks to Roy Marples for helping to track that one down. release 2.1 Thanks to Matt Swift and Dag Wieers for many suggestions which went into this release. Tweak include files to allow compilation on FreeBSD 5 Fix unaligned access warnings on BSD/Alpha. Allow empty DHCP options, like so: dhcp-option=44 Allow single-byte DHCP options like so: dhcp-option=20,1 Allow comments on the same line as options in /etc/dnsmasq.conf Don't complain when the same name and address is allocated to a host using DHCP and /etc/hosts. Added to the example configuration the dnsmasq equivalent of the ISC dhcpd settings given in http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt Fixed long-existing strangeness in Linux IPv6 interface discovery code. The flags field in /proc/net/if_inet6 is _not_ the interface flags. Fail gracefully when getting an ENODEV error when trying to bind an IPv6 socket, rather than bailing out. Thanks to Jan Ischebeck for feedback on that. Allow the name->address mapping for static DHCP leases to be set by /etc/hosts. It's now possible to have dhcp-host=,wibble or even dhcp-host=wibble and in /etc/hosts have wibble 1.2.3.4 and for the correct thing to happen. Note that some sort of dhcp-host line is still needed, it's not possible for random host to claim an address in /etc/hosts without some explicit configuration. Make 0.0.0.0 in a dhcp-option to mean "the machine running dnsmasq". Fix lease time spec when specified in dhcp-range and not in dhcp-host, previously this was always one hour. Fix problem with setting domains as "local only". - thanks to Chris Schank. Added support for max message size DHCP option. release 2.2 Fix total lack for DHCP functionality on Linux systems with IPv6 enabled. - thanks to Jonathon Hudson for spotting that. Move default config file under FreeBSD - patch from Steven Honson release 2.3 Fix "install" makefile target. (reported by Rob Stevens) Ensure that "local=/domain/" flag is obeyed for all queries on a domain, not just A and AAAA. (Reported by Peter Fichtner.) Handle DHCPDECLINE messages and provide an error message in DHCPNAK messages. Add "domain" setting example to dnsmasq.conf.example. Thanks to K P Kirchdorfer for spotting that it was missing. Subtle change to the DHCPREQUEST handling code to work around a bug in the DHCP client in HP Jetdirect printers. Thanks to Marko Stolle for finding this problem. Return DHCP T1 and T2 times, with "fuzz" to desynchronise lease renewals, as specified in the RFC. Ensure that the END option is always present in DHCP packets , even if the packet is too small to fit all the requested options. Handle larger-than-default DHCP packets if required, up to the ethernet MTU. Fix a couple of places where the return code from malloc() was not checked. Cope with a machine taking a DHCP lease and then moving network so that the lease address is no longer valid. The DHCP server will now work via a BOOTP relay - remote networks are configured with the dhcp-range option the same as directly connected ones, but they need an additional netmask parameter. Eg --dhcp-range=192.168.4.10,192.168.4.50,255.255,255.0 will enable DHCP service via a BOOTP relay on the 192.168.4.0 network. Add a limit on the number of available DHCP leases, otherwise the daemon could be DOSed by a malicious host. The default is 150, but it can be changed by the dhcp-lease-max option. Fixed compilation on OpenBSD (thanks to Frederic Brodbeck for help with that.) Reworked the DHCP network handling code for two good effects: (1) The limit of one network only for DHCP on FreeBSD is now gone, (2) The DHCP server copes with dynamically created interfaces. The one-interface limitation remains for OpenBSD, which is missing extensions to the socket API which have been in Linux since version 2.2 and FreeBSD since version 4.8. Reworked the DNS network code to also cope with dynamically created interfaces. dnsmasq will now listen to the wildcard address and port 53 by default, so if no --interface or --address options are given it will handle dynamically created interfaces. The old behaviour can be restored with --bind-interfaces for people running BIND on one interface and dnsmasq on another. Note that --interface and --address options still work, but the filtering is done by dnsmasq, rather then the kernel. This works on Linux, and FreeBSD>=5.0. On systems which don't support the required API extensions, the old behaviour is used, just as if --bind-interfaces had been set. Allow IPv6 support to be disabled at compile time. To do that, add -DNO_IPV6 to the CFLAGS. Thanks to Oleg I. Vdovikin for the suggestion to do that. Add ability to set DHCP options per network. This is done by giving a network an identifier like this: dhcp-range=red-net,192.168.0.10,192.168.0.50 and then labeling options intended for that network only like this: dhcp-option=red-net,6,1.1.1.1 Thanks to Oleg Vdovikin for arguing that one through. Made errors in the configuration file non-fatal: dnsmasq will now complain bitterly, but continue. Added --read-ethers option, to allow dnsmasq to pull static DHCP information from that file. Thanks to Andi Cambeis for that suggestion. Added HAVE_BROKEN_RTC compilation option to support embedded systems without a stable RTC. Oleg Vdovikin helped work out how to make that work. release 2.4 Fixed inability to start when the lease file doesn't already exist. Thanks to Dag Wieers for reporting that. Fixed problem were dhcp-host configuration options did not play well with entries in /etc/ethers for the same host. Thanks again to Dag Wieers. Tweaked DHCP code to favour moving to a newly-configured static IP address rather than an old lease when doing DHCP allocation. Added --alias configuration option. This provides IPv4 rewrite facilities like Cisco "DNS doctoring". Suggested by Chad Skeeters. Fixed bug in /etc/ethers parsing code triggered by tab characters. Kudos to Dag Wieers for helping to nail that one. Added "bind-interfaces" option correctly. release 2.5 Made "where are we allocating addresses?" code in DHCP server cope with requests via a relay which is on a directly connected network for which there is not a configured netmask. This strange state of affairs occurs with win4lin. Thanks to Alex Melt and Jim Horner for bug reports and testing with this. Fixed trivial-but-irritating missing #include which broke compilation on *BSD. Force --bind-interfaces if IP-aliased interface specifications are used, since the sockets API provides no other sane way to determine which alias of an interface a packet was sent to. Thanks to Javier Kohen for the bug report. release 2.6 Support Token Ring DHCP. Thanks to Dag Wieers for help testing. Note that Token ring support only works on Linux currently. Fix compilation on MacOS X. Thanks to Bernhard Ehlers for the patch. Added new "ignore" keyword for dhcp-host. "dhcp-host=11:22:33:44:55:66,ignore" will cause the DHCP server to ignore any host with the given MAC address, leaving it to other servers on the network. This also works with client-id and hostnames. Suggestion by Alex Melt. Fixed parsing of hex client IDs. Problem spotted by Peter Fichtner. Allow conf-file options in configuration file, to provide an include function. Re-read /etc/ethers on receipt of SIGHUP. Added back the ability to read ISC dhcpd lease files, by popular demand. Note that this is deprecated and for backwards compatibility only. You can get back the 4K of memory that the code occupies by undefining "HAVE_ISC_READER" in src/config.h Added ability to disable "pool" DHCP address allocation whilst leaving static leases working. The syntax is "dhcp-range=192.168.0.0,static" Thanks to Grzegorz Nosek for the suggestion. Generalized dnsmasq-rh.spec file to work on Mandrake too, and removed dnsmasq-mdk.spec. Thanks to Doug Keller. Allow DHCP options which are tied to specific static leases in the same way as to specific networks. Generalised the dhcp-option parser a bit to allow hex strings as parameters. This is now legal: dhcp-option=128,e4:45:74:68:00:00 Inspired by a patch from Joel Nordell. Changed the semantics of argument-less dhcp-options for the default-setting ones, ie 1, 3, 6 and 28. Now, doing eg, dhcp-option=3 stops dnsmasq from sending a default router option at all. Thanks to Scott Emmons for pointing out that this is useful. Fixed dnsmasq.conf parsing bug which interpreted port numbers in server= lines as a comment. To start a comment, a '#' character must now be a the start of a line or preceded by whitespace. Thanks to Christian Haggstrom for the bug report. release 2.7 Allow the dhcp-host specification of id:* which makes dnsmasq ignore any client-id. This is useful to ensure that a dual-boot machine sees the same lease when one OS gives a client-id and the other doesn't. It's also useful when PXE boot DHCP does not use client IDs but the OS it boots does. Thanks to Grzegorz Nosek for suggesting this enhancement. No longer assume that ciaddr is zero in received DHCPDISCOVER messages, just for security against broken clients. Set default of siaddr field to the address of the machine running dnsmasq when not explicitly set using dhcp-boot option. This is the ISC dhcpd behaviour. Send T1 and T2 options in DHCPOFFER packets. This is required by the DHCP client in some JetDirect printers. Thanks to Paul Mattal for work on this. Fixed bug with DHCP on OpenBSD reported by Dominique Jacquel. The code which added loopback interfaces to the list was confusing the DHCP code, which expected one interface only. Solved by adding loopback interfaces to address list instead. Add dhcp-vendorclass option to allow options to be sent only to certain classes of clients. Tweaked option search code so that if a netid-qualified option is used, any unqualified option is ignored. Changed the method of picking new dynamic IP addresses. This used to use the next consecutive address as long it was free, now it uses a hash from the client hardware address. This reduces the amount of address movement for clients which let their lease expire and allows consecutive DHCPOFFERS to the same host to (almost always) be for the same address, without storing state before a lease is granted. Tweaked option handling code to return all possible options rather than none when DHCP "requested options" field is missing. This fixes interoperability with ancient IBM LANMAN DHCP clients. Thanks to Jim Louvau for help with this. release 2.8 Pad DHCP packets to a minimum size of 300 bytes. This fixes interoperability problems with the Linux in-kernel DHCP/BOOTP client. Thanks to Richard Musil for diagnosing this and supplying a patch. Fixed option-parsing bug and potential memory leak. Patch from Richard Musil. Improved vendor class configuration and added user class configuration. Specifically: (1) options are matched on the netids from dhcp-range, dhcp-host, vendor class and user class(es). Multiple net-ids are allowed and options are searched on them all. (2) matches against vendor class and user class are now on a substring, if the given string is a substring of the vendor/user class, then a match occurs. Thanks again to Richard Musil for prompting this. Make "#" match any domain on --address and --server flags. --address=/#/1.2.3.4 will return 1.2.3.4 for _any_ domain not otherwise matched. Of course --server=/#/1.2.3.4 is exactly equivalent to --server=1.2.3.4. Special request from Josh Howlett. Fixed a nasty bug which would cause dnsmasq to lose track of leases for hosts which had a --dhcp-host flag without a name specification. The mechanism for this was that the hostname could get erroneously set as a zero-length string and then written to the leases file as a mal-formed line. Restarting dnsmasq would then lose the lease. Alex Hermann's work helped chase down this problem. Add checks against DHCP clients which return zero-length hostnames. This avoids the potential lease-loss problems referred to above. Also, if a client sends a hostname when it creates a lease but subsequently sends no or a zero-length hostname whilst renewing, continue to use the existing hostname, don't wipe it out. Tweaked option parsing to flag some parameter errors. release 2.9 Fixed interface filter code for two effects: 1) Fixed bug where queries sent via loopback interface but to the address of another interface were ignored unless the loopback interface was explicitly configured. 2) on OpenBSD failure to configure one interface now causes a fatal error on startup rather than a huge stream of log messages. Thanks to Erik Jan Tromp for finding that bug. Changed server selection strategy to improve performance when there are many available servers and some are broken. The new algorithm is to pick as before for the first try, but if a query is retried, to send to all available servers in parallel. The first one to reply then becomes preferred for the next query. This should improve reliability without generating significant extra upstream load. Fixed breakage of special servers/addresses for unqualified domains introduced in version 2.8 Allow fallback to "bind-interfaces" at runtime: Some versions of *BSD seem to have enough stuff in the header files to build but no kernel support. Also now log if "bind-interfaces" is forced on. Log replies from upstream servers which refuse to do recursion - dnsmasq is not a recursive nameserver and relies on upstream servers to do the recursion, this flags a configuration error. Disable client-id matching for hosts whose MAC address is read from /etc/ethers. Patch from Oleg I. Vdovikin. Extended --mx-host flag to allow arbitrary targets for MX records, suggested by Moritz Bunkus. Fixed build under NetBSD 2.0 - thanks to Felix Deichmann for the patch. Deal correctly with repeated addresses in /etc/hosts. The first name found is now returned for reverse lookups, rather than all of them. Add back fatal errors when nonexistent interfaces or interface addresses are given but only in "bind-interfaces" mode. Principle of least surprise applies. Allow # as the argument to --domain, meaning "read the domain from the first search directive in /etc.resolv.conf". Feature suggested by Evan Jones. release 2.10 Allow --query-port to be set to a low port by creating and binding the socket before dropping root. (Suggestion from Jamie Lokier) Support TCP queries. It turned out to be possible to do this with a couple of hundred lines of code, once I knew how. The executable size went up by a few K on i386. There are a few limitations: data obtained via TCP is not cached, and dynamically-created interfaces may break under certain circumstances. Source-address or query-port specifications are ignored for TCP. NAK attempts to renew a DHCP lease where the DHCP range has changed and the lease is no longer in the allowed range. Jamie Lokier pointed out this bug. NAK attempts to renew a pool DHCP lease when a statically allocated address has become available, forcing a host to move to its allocated address. Lots of people have suggested this change and been rebuffed (they know who they are) the straws that broke the camel's back were Tim Cutts and Jamie Lokier. Remove any nameserver records from answers which are modified by --alias flags. If the answer is modified, it cannot any longer be authoritative. Change behaviour of "bogus-priv" option to return NXDOMAIN rather than a PTR record with the dotted-quad address as name. The new behaviour doesn't provoke tcpwrappers like the old behavior did. Added a patch for the Suse rpm. That changes the default group to one suitable for Suse and disables inclusion of the ISC lease-file reader code. Thanks to Andy Cambeis for his ongoing work on Suse packaging. Support forwarding of EDNS.0 The maximum UDP packet size defaults to 1280, but may be changed with the --edns-packet-max option. Detect queries with the do bit set and always forward them, since DNSSEC records are not cached. This behaviour is required to make DNSSECbis work properly though dnsmasq. Thanks to Simon Josefsson for help with this. Move default config file location under OpenBSD from /usr/local/etc/dnsmasq.conf to /etc/dnsmasq.conf. Bug report from Jonathan Weiss. Use a lease with matching MAC address for a host which doesn't present a client-id, even if there was a client ID at some point in the past. This reduces surprises when changing DHCP clients, adding id:* to a host, and from the semantics change of /etc/ethers in 2.9. Thanks to Bernard Sammer for finding that. Added a "contrib" directory and in it the dnslist utility, from Thomas Tuttle. Fixed "fail to start up" problems under Linux with IPv6 enabled. It's not clear that these were an issue in released versions, but they manifested themselves when TCP support was added. Thanks to Michael Hamilton for assistance with this. version 2.11 Fixed DHCP problem which could result in two leases in the database with the same address. This looked much more alarming then it was, since it could only happen when a machine changes MAC address but kept the same name. The old lease would persist until it timed out but things would still work OK. Check that IP addresses in all dhcp-host directives are unique and die horribly if they are not, since otherwise endless protocol loops can occur. Use IPV6_RECVPKTINFO as socket option rather than IPV6_PKTINFO where available. This keeps late-model FreeBSD happy. Set source interface when replying to IPv6 UDP queries. This is needed to cope with link-local addresses. version 2.12 Added extra checks to ensure that DHCP created DNS entries cannot generate multiple DNS address->name entries. Thanks to Stefan Monnier for finding the exact set of configuration options which could create this. Don't set the the filterwin2k option in the example config file and add warnings that is breaks Kerberos. Thanks to Simon Josefsson and Timothy Folks for pointing that out. Log types of incoming queries as well as source and domain. Log NODATA replies generated as a result of the filterwin2k option. version 2.13 Fixed crash with un-named DHCP hosts introduced in 2.12. Thanks to Nicolo Wojewoda and Gregory Gathy for bug reports. version 2.14 Fix DHCP network detection for hosts which talk via a relay. This makes lease renewal for such hosts work correctly. Support RFC3011 subnet selectors in the DHCP server. Fix DHCP code to generate RFC-compliant responses to hosts in the INIT-REBOOT state. In the DHCP server, set the receive buffer size on the transmit-only packet socket to zero, to avoid waste of kernel buffers. Fix DHCP address allocation code to use the whole of the DHCP range, including the start and end addresses. Attempt an ICMP "ping" on new addresses before allocating them to leases, to avoid allocating addresses which are in use. Handle rfc951 BOOTP as well as DHCP for hosts which have MAC address to IP address mapping defined. Fix compilation under MacOS X. Thanks to Chris Tomlinson. Fix compilation under NetBSD. Thanks to Felix Deichmann. Added "keep-in-foreground" option. Thanks to Sean MacLennan for the patch. version 2.15 Fixed NXDOMAIN/NODATA confusion for locally known names. We now return a NODATA response for names which are locally known. Now a query for (eg AAAA or MX) for a name with an IPv4 address in /etc/hosts which fails upstream will generate a NODATA response. Note that the query is still tried upstream, but a NXDOMAIN reply gets converted to NODATA. Thanks to Eric de Thouars, Eric Spakman and Mike Mestnik for bug reports/testing. Allow multiple dhcp-ranges within the same network. The original intention was that there would be a dhcp-range option for each network served, but there's no real reason not to allow discontinuous ranges within a network so this release adds support for that. Check for dhcp-ranges which are inconsistent with their netmask, and generate errors or warnings. Improve error messages when there are problems with configuration. version 2.16 Fixed typo in OpenBSD-only code which stopped compilation under that OS. Chris Weinhaupl gets credit for reporting this. Added dhcp-authoritative option which restores non-RFC compliant but desirable behaviour of pre-2.14 versions and avoids long timeouts while DHCP clients try to renew leases which are unknown to dnsmasq. Thanks to John Mastwijk for help with this. Added support to the DHCP option code to allow RFC-3397 domain search DHCP option (119) to be sent. Set NONBLOCK on all listening sockets to workaround non-POSIX compliance in Linux 2.4 and 2.6. This fixes rare hangs which occurred when corrupted packets were received. Thanks to Joris van Rantwijk for chasing that down. Updated config.h for NetBSD. Thanks to Martin Lambers. Do a better job of distinguishing between retransmissions and new queries when forwarding. This fixes a bug triggered by the polipo web cache which sends A and AAAA queries both with the same transaction-ID. Thanks to Joachim Berdal Haga and Juliusz Chroboczek for help with this. Rewrote cache code to store CNAMES, rather then chasing them before storage. This eliminates bad situations when clients get inconsistent views depending on if data comes from the cache. Allow for more than one --addn-hosts flag. Clarify logged message when a DHCP lease clashes with an /etc/hosts entry. Thanks to Mat Swift for the suggestion. Added dynamic-dnsmasq from Peter Willis to the contrib section. version 2.17 Correctly deduce the size of numeric dhcp-options, rather than making wild guesses. Also cope with negative values. Fixed use of C library reserved symbol "index" which broke under certain combinations of library and compiler. Make bind-interfaces work for IPv6 interfaces too. Warn if an interface is given for listening which doesn't currently exist when not in bind-interfaces mode. (This is already a fatal error when bind-interfaces is set.) Allow the --interface and --except-interface options to take a comma-separated list of interfaces. Tweak --dhcp-userclass matching code to work with the ISC dhclient which violates RFC3004 unless its configuration is very warped. Thanks to Cedric Duval for the bug report. Allow more than one network-id tag in a dhcp-option. All the tags must match to enable the option. Added dhcp-ignore option to disable classes of hosts based on network-id tags. Also allow BOOTP options to be controlled by network tags. Fill in sname, file and siaddr fields in replies to DHCPINFORM messages. Don't send NAK replies to DHCPREQUEST packets for disabled clients. Credit to Cedric Duval for spotting this. Fix rare crash associated with long DNS names and CNAME records. Thanks to Holger Hoffstatte and especially Steve Grecni for help chasing that one down. version 2.18 Reworked the Linux interface discovery code (again) to cope with interfaces which have only IPv6 addresses and interfaces with more than one IPv6 address. Thanks to Martin Pels for help with that. Fix problems which occurred when more than one dhcp-range was specified in the same subnet: sometimes parameters (lease time, network-id tag) from the wrong one would be used. Thanks to Rory Campbell-Lange for the bug report. Reset cache statistics when clearing the cache. Enable long command line options on FreeBSD when the C library supports them. version 2.19 Tweaked the Linux-only interface discovery code to cope with interface-indexes larger than 8 bits in /proc/net/if_inet6. This only affects Linux, obviously. Thanks to Richard Atterer for the bug report. Check for under-length option fields in DHCP packets, a zero length client-id, in particular, could seriously confuse dnsmasq 'till now. Thanks to Will Murname for help with that. If a DHCP-allocated address has an associated name in /etc/hosts, and the client does not provide a hostname parameter and there is no hostname in a matching dhcp-host option, send the /etc/hosts name as the hostname in the DHCP lease. Thanks to Will Murname for the suggestion. version 2.20 Allow more than one instance of dnsmasq to run on a machine, each providing DHCP service on a different interface, provided that --bind-interfaces is set. This configuration used to work, but regressed in version 2.14 Fix compilation on Mac OS X. Thanks to Kevin Bullock. Protect against overlong names and overlong labels in configuration and from DHCP. Fix interesting corner case in CNAME handling. This occurs when a CNAME has a target which "shadowed" by a name in /etc/hosts or from DHCP. Resolving the CNAME would sneak the upstream value of the CNAME's target into the cache, alongside the local value. Now that doesn't happen, though resolving the CNAME still gives the unshadowed value. This is arguably wrong but rather difficult to fix. The main thing is to avoid getting strange results for the target due to the cache pollution when resolving the CNAME. Thanks to Pierre Habouzit for exploring the corner and submitting a very clear bug report. Fix subtle bug in the DNS packet parsing code. It's almost impossible to describe this succinctly, but the one known manifestation is the inability to cache the A record for www.apple.com. Thanks to Bob Alexander for spotting that. Support SRV records. Thanks to Robert Kean for the patches for this. Fixed sign confusion in the vendor-id matching code which could cause crashes sometimes. (Credit to Mark Wiater for help finding this.) Added the ability to match the netid tag in a dhcp-range. Combined with the ability to have multiple ranges in a single subnet, this provides a means to segregate hosts on different address ranges based on vendorclass or userclass. Thanks to Mark Wiater for prompting this enhancement. Added preference values for MX records. Added the --localise-queries option. version 2.21 Improve handling of SERVFAIL and REFUSED errors. Receiving these now initiates search for a new good server, and a server which returns them is not a candidate as a good server. Thanks to Istvan Varadi for pointing out the problem. Tweak the time code in BROKEN_RTC mode. Sanity check lease times in dhcp-range and dhcp-host configurations and force them to be at least two minutes (120s) leases shorter than a minute confuse some clients, notably Apple MacOS X. Rory Campbell-Lange found this problem. Only warn once about an upstream server which is refusing to do recursive queries. Fix DHCP address allocation problem when netid tags are in use. Thanks to Will Murname for the bug report and subsequent testing. Add an additional data section to the reply for MX and SRV queries. Add support for DNS TXT records. Thanks to Robert Kean and John Hampton for prompts and testing of these. Apply address rewriting to records in the additional data section of DNS packets. This makes things like MX records work with the alias function. Thanks to Chad Skeeters for pointing out the need for this. Added support for quoted strings in config file. Detect and defeat cache-poisoning attacks which attempt to send (malicious) answers to questions we didn't send. These are ignored now even if the attacker manages to guess a random query-id. Provide DHCP support for interfaces with multiple IP addresses or aliases. This in only enabled under Linux. See the FAQ entry for details. Revisit the MAC-address and client-id matching code to provide saner behaviour with PXE boots, where some requests have a client-id and some don't. Fixed off-by-one buffer overflow in lease file reading code. Thanks to Rob Holland for the bug report. Added wildcard matching for MAC addresses in dhcp-host options. A sensible suggestion by Nathaniel McCallum. version 2.22 Fixed build problems on (many) systems with older libc headers where is required before . Enabled HAVE_RTNETLINK under uclibc now that this fix is in place. Added support for encapsulated vendor-class-specific DHCP options. Thanks to Eric Shattow for help with this. Fix regression in 2.21 which broke commas in filenames and corrupted argv. Thanks to Eric Scott for the bugreport. Fixed stupid thinko which caused dnsmasq to wedge during startup with certain MX-record options. Another 2.21 regression. Fixed broken-ness when reading /etc/ethers. 2.21 broke this too. Fixed wedge with certain DHCP options. Yet another 2.21 regression. Rob Holland and Roy Marples chased this one down. version 2.23 Added a check to ensure that there cannot be more than one dhcp-host option for any one IP address, even if the addresses are assigned indirectly via a hostname and /etc/hosts. Include a "server identifier" in DHCPNAK replies, as required by RFC2131. Added method support for DBus (http://www.freedesktop.org/Software/dbus) This is a superior way to re-configure dnsmasq on-the-fly with different upstream nameservers, as the host moves between networks. DBus support must be enabled in src/config.h and should be considered experimental at this point. See DBus-interface for the specification of the DBus method calls supported. Added information to the FAQ about setting the DNS domain in windows XP and Mac OS X, thanks to Rick Hull. Added sanity check to resolv.conf polling code to cope with backwards-moving clocks. Thanks to Leonardo Canducci for help with this. Handle so-called "A-for-A" queries, which are queries for the address associated with a name which is already a dotted-quad address. These should be handled by the resolver code, but sometimes aren't and there's no point in forwarding them. Added "no-dhcp-interface" option to disable DHCP service on an interface, whilst still providing DNS. Fix format-string problem - config file names get passed to fprintf as a format string, so % characters could cause crashes. Thanks to Rob Holland for sleuthing that one. Fixed multiple compiler warnings from gcc 4. Thanks to Tim Cutts for the report. Send the hostname option on DHCP offer messages as well as DHCP ack messages. This is required by the Rio Digital Audio Receiver. Thanks to Ron Frederick for the patch. Add 'd' (for day) as a possible time multiplier in lease time specifications. Thanks to Michael Deegan. Make quoting suppress recognition of IP addresses, so dhcp-option=66,1.2.3.4 now means something different to dhcp-option=66,"1.2.3.4", which sets the option to a string value. Thanks to Brian Macauley for the bug report. Fixed the option parsing code to avoid segfaults from some invalid configurations. Thanks to Wookey for spotting that one. Provide information about which compile-time options were selected, both in the log at startup and as part of the output from dnsmasq --version. Thanks to Dirk Schenkewitz for the suggestion. Fix pathological behaviour when a broken client keeps sending DHCPDISCOVER messages repeatedly and fast. Because dealing with each of these takes a few seconds, (because of the ping) then a queue of DHCP packets could build up. Now, the results of a ping test are assumed to be valid for 30 seconds, so repeated waits are not required. Thanks to Luca Landi for finding this. Allow DHCPINFORM requests without hardware address information. These are generated by some browsers, looking for proxy information. Thanks to Stanley Jaddoe for the bug report on that. Add support of the "client FQDN" DHCP option. If present, this is used to allow the client to tell dnsmasq its name, in preference to (mis)using the hostname option. See http://tools.ietf.org/wg/dhc/draft-ietf-dhc-fqdn-option/\ draft-ietf-dhc-fqdn-option-10.txt for details of the draft spec. Added startup scripts for MacOS X Tiger/Panther to the contrib collection. Thanks to Tim Cutts. Tweak DHCP network selection so that clients which turn up on our network in REBINDING state and with a lease for a foreign network will get a NAK response. Thanks to Dan Shechter for work on this and an initial patch and thanks to Gyorgy Farkas for further testing. Fix DNS query forwarding for empty queries and forward queries even when the recursion-desired bit is clear. This allows "dig +trace" to work. Problem report from Uwe Gansert. Added "const" declarations where appropriate, thanks to Andreas Mohr for the patch. Added --bootp-dynamic option and associated functionality. Thanks to Josef Wolf for the suggestion. version 2.24 Updated contrib/openvpn/dnsmasq.patch from Joseph Tate. Tweaked DHCP NAK code, a DHCP NAK is now unicast as a fallback in cases where a broadcast is futile: namely in response to a unicast REQUEST from a non-local network which was not sent via a relay. Slightly changed the semantics of domain matching in --server and --address configs. --server=/domain.com/ still matches domain.com and sub.domain.com but does not now match newdomain.com The semantics of --server=/.domain.com/ are unchanged. Thanks to Chris Blaise for the patch. Added backwards-compatible internationalisation support. The existing make targets, (all, dnsmasq, install) work as before. New ones (all-i18n, and install-i18n) add gettext. The translations live in po/ There are not too many strings, so if anybody can provide translations (and for the manpage....) please send them in. Tweak behaviour on receipt of REFUSED or SERVFAIL rcodes, now the query gets retried on all servers before returning the error to the source of the query. Thanks to Javier Kohen for the report. Added Polish translation - thanks to Tomasz Sochanski. Changed default manpage install location from /usr/man to /usr/share/man Added Spanish translation - thanks to Christopher Chatham. Log a warning when a DHCP packet is truncated due to lack of space. (Thanks to Michael Welle for the prompt to do this.) Added French translation - thanks to Lionel Tricon. Added Indonesian translation - thanks to Salman AS. Tweaked the netlink code to cope with interface broadcast address not set, or set to 0.0.0.0. Fixed problem assigning fixed addresses to hosts when more than one dhcp-range is available. Thanks to Sorin Panca for help chasing this down. Added more explicit error messages to the hosts file and ethers file reading code. Markus Kaiserswerth suffered to make this happen. Ensure that a hostname supplied by a DHCP client can never override one configured on the server. Previously, any host claiming a name would be given it, even if that over-rode a dhcp-host declaration, leading to potentially confusing situations. Added Slackware package-build stuff into contrib/ The i18n effort broke the current scripts, and working ones were needed for testing, so they ended up here rather than make Pat re-invent the wheel. Added Romanian translation, thanks to Sorin Panca for that. version 2.25 Fixed RedHat spec file for FC4 - thanks to Werner Hoelzl and Andrew Bird. Fixed Suse spec file - thanks to Steven Springl. Fixed DHCP bug when two distinct subnets are on the same physical interface. Thanks to Pawel Zawora for finding this and suggesting the fix. Added logging to make it explicit when dnsmasq falls back from using RT-netlink sockets to the old ioctl API for getting information about interfaces. Doing this completely silently made remote debugging hard. Merged uclibc build fixes from the OpenWRT package into src/config.h Added Norwegian translation - thanks to Jan Erik Askildt. version 2.26 Fixed SuSe rpm patch problem - thanks to Steven Springl. Fixed crash when attempting to send a DHCP NAK to a host which believes it has a lease on an unknown network. Thanks to Lutz Pressler for the bug report and patch. version 2.27 Tweaked DHCP behaviour when a client attempts to renew a lease which dnsmasq doesn't know about. Previously that would always result in a DHCPNAK. Now, in dhcp-authoritative mode, the lease will be created, if it's legal. This makes dnsmasq work better if the lease database is lost, for example on an OpenWRT system which reboots. Thanks to Stephen Rose for work on this. Added the ability to support RFC-3442 style destination descriptors in dhcp-options. This makes classless static routes easy to do, eg dhcp-option=121,192.168.1.0/24,1.2.3.4 Added error-checking to the code which writes the lease file. If this fails for any reason, an error is logged, and a retry occurs after one minute. This should improve things eg when a filesystem is full. Thanks to Jens Holze for the bug report. Fixed breakage of the "/#/ matches any domain" facility which happened in 2.24. Thanks to Peter Surda for the bug report. Use "size_t" and "ssize_t" types where appropriate in the code. Fix buggy CNAME handling in mixed IPv4 and IPv6 queries. Thanks to Andreas Pelme for help finding that. Added some code to attempt to re-transmit DNS queries when a network interface comes up. This helps on DoD links, where frequently the packet which triggers dialling is a DNS query, which then gets lost. By re-sending, we can avoid the lookup failing. This function is only active when netlink support is compiled in, and therefore only under Linux. Thanks to Jean Wolter for help with this. Tweaked the DHCP tag-matching code to work correctly with NOT-tag conditions. Thanks to Lutz Pressler for finding the bug. Generalised netid-tag matching in dhcp-range statements to allow more than one tag. Added --dhcp-mac to do MAC address matching in the same way as vendorclass and userclass matching. A good suggestion from Lutz Pressler. Add workaround for buggy early Microsoft DHCP clients which need zero-termination in string options. Thanks to Fabiano Pires for help with this. Generalised the DHCP code to cope with any hardware address type, at least on Linux. *BSD is still limited to ethernet only. version 2.28 Eliminated all raw network access when running on Linux. All DHCP network activity now goes through the IP stack. Packet sockets are no longer required. Apart from being a neat hack, this should also allow DHCP over IPsec to work better. On *BSD and OS X, the old method of raw net access through BPF is retained. Simplified build options. Networking is now slimmed down to a choice of "linux" or "other". Netlink is always used under Linux. Since netlink has been available since 2.2 and non-optional in an IPv4-configured kernel since 2.4, and the dnsmasq netlink code is now well tested, this should work out fine. Removed decayed build support for libc5 and Solaris. Removed pselect code: use a pipe for race-free signal handling instead, as this works everywhere. No longer enable the ISC leasefile reading code in the distributed sources. I doubt there are many people left using this 1.x compatibility code. Those that are will have to explicitly enable it in src/config.h. Don't send the "DHCP maximum message size" option, even if requested. RFC2131 says this is a "MUST NOT". Support larger-than-minimum DHCP message. Dnsmasq is now happy to get larger than 576-byte DHCP messages, and will return large messages, if permitted by the "maximum message size" option of the message to which it is replying. There's now an arbitrary sanity limit of 16384 bytes. Added --no-ping option. This fixes an RFC2131 "SHOULD". Building on the 2.27 MAC-address changes, allow clients to provide no MAC address at all, relying on the client-id as a unique identifier. This should make things like DHCP for USB come easier. Fixed regression in netlink code under 2.2.x kernels which occurred in 2.27. Erik Jan Tromp is the vintage kernel fan who found this. P.S. It looks like this "netlink bind: permission denied" problem occurred in kernels at least as late a 2.4.18. Good information from Alain Richoux. Added a warning when it's impossible to give a host its configured address because the address is leased elsewhere. A sensible suggestion from Mircea Bardac. Added minimal support for RFC 3046 DHCP relay agent-id options. The DHCP server now echoes these back to the relay, as required by the RFC. Also, RFC 3527 link selection sub-options are honoured. Set the process "dumpable" flag when running in debug mode: this makes getting core dumps from root processes much easier. Fixed one-byte buffer overflow which seems to only cause problems when dnsmasq is linked with uclibc. Thanks to Eric House and Eric Spakman for help in chasing this down. Tolerate configuration screwups which lead to the DHCP server attempting to allocate its own address to a client; eg setting the whole subnet range as a DHCP range. Addresses in use by the server are now excluded from use by clients. Did some thinking about HAVE_BROKEN_RTC mode, and made it much simpler and better. The key is to just keep lease lengths in the lease file. Since these normally never change, even as the lease is renewed, the lease file never needs to change except when machines arrive on the network or leave. This eliminates the code for timed writes, and reduces the amount of wear on a flash filesystem to the absolute minimum. Also re-did the basic time function in this mode to use the portable times(), rather than parsing /proc/uptime. Believe the source port number when replying to unicast DHCP requests and DHCP requests via a relay, instead of always using the standard ports. This will allow relays on non-standard ports and DHCPINFORM from unprivileged ports to work. The source port sent by unconfigured clients is still ignored, since this may be unreliable. This means that a DHCP client must use the standard port to do full configuration. version 2.29 Fixed compilation on OpenBSD (thanks to Tom Hensel for the report). Fixed false "no interface" errors when --bind-interfaces is set along with --interface=lo or --listen-address. Thanks to Paul Wise for the report. Updated patch for SuSE rpm. Thanks to Steven Springl. It turns out that there are some Linux kernel configurations which make using the capability system impossible. If this situation occurs then continue, running as root, and log a warning. Thanks to Scott Wehrenberg for help tracking this down. version 2.30 Fixed crash when a DHCP client requested a broadcast reply. This problem was introduced in version 2.28. Thanks to Sandra Dekkers for the bug report. version 2.31 Added --dhcp-script option. There have been calls for this for a long time from many good people. Fabio Muzzi gets the prize for finally convincing me. Added example dbus config file and moved dbus stuff into its own directory. Removed horribly outdated Redhat RPM build files. These are obsolete now that dnsmasq in in Fedora extras. Thanks to Patrick "Jima" Laughton, the Fedora package maintainer. Added workaround for Linux kernel bug. This manifests itself as failure of DHCP on kernels with "support for classical IP over ATM" configured. That includes most Debian kernel packages. Many thanks to A. Costa and Benjamin Kudria for their huge efforts in chasing this down. Force-kill child processes when dnsmasq is sent a sigterm, otherwise an unclosed TCP connection could keep dnsmasq hanging round for a few minutes. Tweaked config.h logic for uclibc build. It will now pick up MMU and IPV6 status correctly on every system I tested. version 2.32 Attempt a better job of replacing previous configuration when re-reading /etc/hosts and /etc/ethers. SIGHUP is still not identical to a restart under all circumstances, but it is for the common case of name->MAC address in /etc/ethers and name->IP address in /etc/hosts. Fall back to broadcast for DHCP to an unconfigured client when the MAC address size is greater than 14 bytes. Fix problem in 2.28-onwards releases which breaks DNS on Mac OS X. Thanks to Doug Fields for the bug report and testing. Added fix to allow compilation on c89-only compilers. Thanks to John Mastwijk for the patch. Tweak resolv file polling code to work better if there is a race between updating the mtime and file contents. This is not normally a problem, but it can be on systems which replace nameservers whilst active. The code now continues to read resolv.conf until it gets at least one usable server. Thanks to Holger Mauermann for help with this. If a client DECLINEs an address which is allocated to it via dhcp-host or /etc/hosts, lock that address out of use for ten minutes, instead of forever, and log when it's not being used because of the lock-out. This should provide less surprising behaviour when a configured address can't be used. Thanks to Peter Surda and Heinz Deinhart for input on this. Fixed *BSD DHCP breakage with only some arches/compilers, depending on structure padding rules. Thanks to Jeb Campbell and Tom Hensel for help with this. Added --conf-dir option. Suggestion from Aaron Tygart. Applied patch from Brent Cook which allows netids in dhcp-option configuration lines to be prefixed by "net:". This is not required by the syntax, but it is consistent with other configuration items. Added --log-facility option. Suggestion from Fabio Muzzi. Major update to Spanish translation. Many thanks to Chris Chatham. Fixed gcc-4.1 strict-alias compilation warning. version 2.33 Remove bash-specific shellcode from the Makefile. Fix breakage with some DHCP relay implementations which was introduced in 2.28. Believing the source port in DHCP requests and sending the reply there is sometimes a bad thing to do, so I've reverted to always sending to the relay on port 68. Thanks to Daniel Hamlin and Alex (alde) for bug reports on this. Moved the SuSe packaging files to contrib. I will no longer attempt to maintain this in the source tarball. It will be done externally, in the same way as packaging for other distros. Suse packages are available from ftp://ftp.suse.com/pub/people/ug/ Merged patch from Gentoo to honour $LDFLAGS environment. Fix bug in resolv.conf processing when more than one file is being checked. Add --dns-forward-max option. Warn if --resolv-file flags are ignored because of --no-resolv. Thanks to Martin F Krafft for spotting this one. Add --leasefile-ro option which allows the use of an external lease database. Many thanks to Steve Horbachuk for assistance developing this feature. Provide extra information to lease-change script via its environment. If the host has a client-id, then DNSMASQ_CLIENT_ID will be set. Either the lease length (in DNSMASQ_LEASE_LENGTH) or lease expiry time (in DNSMASQ_LEASE_EXPIRES) will be set, depending on the HAVE_BROKEN_RTC compile-time option. This extra information should make it possible to maintain the lease database in external storage such as LDAP or a relational database. Note that while leasefile-ro is set, the script will be called with "old" events more often, since changes to the client-id and lease length (HAVE_BROKEN_RTC) or lease expiry time (otherwise) are now flagged. Add contrib/wrt/* which is an example implementation of an external persistent lease database for *WRT distros with the nvram command. Add contrib/wrt/dhcp_release.c which is a small utility which removes DHCP leases using DHCPRELEASE operation in the DHCP protocol. version 2.34 Tweak network-determination code for another corner case: in this case a host forced to move between dhcp-ranges on the same physical interface. Thanks to Matthias Andree. Improve handling of high DNS loads by throttling acceptance of new queries when resources are tight. This should be a better response than the "forwarding table full..." message which was logged before. Fixed intermittent infinite loop when re-reading /etc/ethers after SIGHUP. Thanks to Eldon Ziegler for the bug report. Provide extra information to the lease-change script: when a lease loses its hostname (because a new lease comes along and claims the same new), the "old" action is called with the current state of the lease, ie no name. The change is to provide the former name which the lease had in the environment variable DNSMASQ_OLD_HOSTNAME. This helps scripts which do stuff based on hostname, rather than IP address. Also provide vendor-class and user-class information to the lease-change script when a new lease is created in the DNSMASQ_VENDOR_CLASS and DNSMASQ_USER_CLASS environment variables. Suggestion from Francois-Xavier Le Bail. Run the lease change script as root, even when dnsmasq is configured to change UID to an unprivileged user. Since most uses of the lease change script need root, this allows its use whilst keeping the security advantages of running the daemon without privs. The script is invoked via a small helper process which keeps root UID, and validates all data received from the main process. To get root, an attacker would have to break dnsmasq and then break the helper through the restricted comms channel linking the two. Add contrib/port-forward/* which is a script to set up port-forwards using the DHCP lease-change script. It's possible to add a host to a config file by name, and when that host gets a DHCP lease, the script will use iptables to set up port-forwards to configured ports at the address which the host is allocated. The script also handles setting up the port-forward iptables entries after reboot, using the persistent lease database, and removing them when a host leaves and its DHCP lease expires. Fix unaligned access problem which caused wrong log messages with some clients on some architectures. Thanks to Francois-Xavier Le Bail for the bugreport. Fixed problem with DHCPRELEASE and multi-address interfaces. Enhanced contrib/wrt/dhcp_release to cope under these circumstances too. Thanks to Eldon Ziegler for input on this. Updated French translation: thanks to Gildas Le Nadan. Upgraded the name hash function in the DNS cache. Thanks to Oleg Khovayko for good work on this. Added --clear-on-reload flag. Suggestion from Johannes Stezenbach. Treat a nameserver address of 0.0.0.0 as "nothing". Erwin Cabrera spotted that specifying a nameserver as 0.0.0.0 breaks things badly; this is because the network stack treats is as "this host" and an endless loop ensues. Added Webmin module in contrib/webmin. Thanks to Neil Fisher for that. version 2.35 Generate an "old" script event when a client does a DHCPREQUEST in INIT-REBOOT or SELECTING state and the lease already exists. Supply vendor and user class information to these script calls. Added support for Dragonfly BSD to src/config.h Removed "Upgrading to 2.0" document, which is ancient history now. Tweak DHCP networking code for BSD, esp OpenBSD. Added a workaround for a bug in OpenBSD 4.0: there should finally be support for multiple interfaces under OpenBSD now. Note that no version of dnsmasq before 2.35 will work for DHCP under OpenBSD 4.0 because of a kernel bug. Thanks to Claudio Jeker, Jeb Campbell and Cristobal Palmer for help with this. Optimised the cache code for the case of large /etc/hosts. This is mainly to remove the O(n-squared) algorithm which made reading large (50000 lines) files slow, but it also takes into account the size of /etc/hosts when building hash tables, so overall performance should be better. Thanks to "koko" for pointing out the problem. version 2.36 Added --dhcp-ignore-names flag which tells dnsmasq not to use names provided by DHCP clients. Suggestion from Thomas M Steenholdt. Send netmask and broadcast address DHCP options always, even if the client doesn't request them. This makes a few odd clients work better. Added simple TFTP function, optimised for net-boot. It is now possible to net boot hosts using only dnsmasq. The TFTP server is read-only, binary-mode only, and designed to be secure; it adds about 4K to the dnsmasq binary. Support DHCP option 120, SIP servers, (RFC 3361). Both encodings are supported, so both --dhcp-option=120,192.168.2.3 and --dhcp-option=120,sip.example.net will work. Brian Candler pointed out the need for this. Allow spaces in domain names, to support DNS-SD. Add --ptr-record flag, again for DNS-SD. Thanks to Stephan Sokolow for the suggestion. Tolerate leading space on lines in the config file. Thanks to Luigi Rizzo for pointing this out. Fixed netlink.c to cope with headers from the Linux 2.6.19 kernel. Thanks to Philip Wall for the bug report. Added --dhcp-bridge option, but only to the FreeBSD build. This fixes an oddity with a particular bridged network configuration on FreeBSD. Thanks to Luigi Rizzo for the patch. Added FAQ entry about running dnsmasq in a Linux vserver. Thanks to Gildas le Nadan for the information. Fixed problem with option parsing which interpreted "/" as an address and not a string. Thanks to Luigi Rizzo for the patch. Ignore the --domain-needed flag when forwarding NS and SOA queries, since NS queries of TLDs are always legit. Marcus Better pointed out this problem. Take care to forward signed DNS requests bit-perfect, so as not to affect the validity of the signature. This should allow DDNS updates to be forwarded. version 2.37 Add better support for RFC-2855 DHCP-over-firewire and RFC -4390 DHCP-over-InfiniBand. A good suggestion from Karl Svec. Some efficiency tweaks to the cache code for very large /etc/hosts files. Should improve reverse (address->name) lookups and garbage collection. Thanks to Jan 'RedBully' Seiffert for input on this. Fix regression in 2.36 which made bogus-nxdomain and DNS caching unreliable. Thanks to Dennis DeDonatis and Jan Seiffert for bug reports. Make DHCP encapsulated vendor-class options sane. Be warned that some conceivable existing configurations using these may break, but they work in a much simpler and more logical way now. Prepending "vendor:" to an option encapsulates it in option 43, and the option is sent only if the client-supplied vendor-class substring-matches with the given client-id. Thanks to Dennis DeDonatis for help with this. Apply patch from Jan Seiffert to tidy up tftp.c Add support for overloading the filename and servername fields in DHCP packet. This gives extra option-space when these fields are not being used or with a modern client which supports moving them into options. Added a LIMITS section to the man-page, with guidance on maximum numbers of clients, file sizes and tuning. release 2.38 Fix compilation on *BSD. Thanks to Tom Hensel. Don't send length zero DHCP option 43 and cope with encapsulated options whose total length exceeds 255 octets by splitting them into multiple option 43 pieces. Avoid queries being retried forever when --strict-order is set and an upstream server returns a SERVFAIL error. Thanks to Johannes Stezenbach for spotting this. Fix BOOTP support, broken in version 2.37. Add example dhcp-options for Etherboot. Add \e (for ASCII ESCape) to the set of valid escapes in config-file strings. Added --dhcp-option-force flag and examples in the configuration file which use this to control PXELinux. Added --tftp-no-blocksize option. Set netid tag "bootp" when BOOTP (rather than DHCP) is in use. This makes it easy to customise which options are sent to BOOTP clients. (BOOTP allows only 64 octets for options, so it can be necessary to trim things.) Fix rare hang in cache code, a 2.37 regression. This probably needs an infinite DHCP lease and some bad luck to trigger. Thanks to Detlef Reichelt for bug reports and testing. release 2.39 Apply patch from Mike Baker/OpenWRT to ensure that names like "localhost." in /etc/hosts with trailing period are treated as fully-qualified. Tolerate and ignore spaces around commas in the configuration file in all circumstances. Note that this may change the meaning of a few existing config files, for instance txt-record=mydomain.com, string would have a leading space in the string before, and now will not. To get the old behaviour back, use quotes: txt-record=mydomain.com," string" /a is no longer a valid escape in quoted strings. Added symbolic DHCP option names. Instead of dhcp-option = 3, 1.2.3.4 it is now possible to do dhcp-option = option:router, 1.2.3.4 To see the list of known DHCP options, use the command "dnsmasq --help dhcp" Thanks to Luigi Rizzo for a patch and good work on this. Overhauled the log code so that logging can be asynchronous; dnsmasq then no longer blocks waiting for the syslog() library call. This is important on systems where syslog is being used to log over the network (and therefore doing DNS lookups) and syslog is using dnsmasq as its DNS server. Having dnsmasq block awaiting syslog under such circumstances can lead to syslog and dnsmasq deadlocking. The new behaviour is enabled with a new --log-async flag, which can also be used to tune the queue length. Paul Chambers found and diagnosed this trap for the unwary. He also did much testing of the solution along with Carlos Carvalho. --log-facility can now take a file-name instead of a facility name. When this is done, dnsmasq logs to the file and not via syslog. (Failures early in startup, whilst reading configuration, will still go to syslog, and syslog is used as a log-of-last-resort if the file cannot be written.) Added --log-dhcp flag. Suggestion from Carlos Carvalho. Made BINDIR, MANDIR and LOCALEDIR independently over-rideable in the makefile. Suggestion from Thomas Klausner. Added 127.0.0.0/8 and 169.254.0.0/16 to the address ranges affected by --bogus-priv. Thanks to Paul Chambers for the patch. Fixed failure of TFTP server with --listen-address. Thanks to William Dinkel for the bug report. Added --dhcp-circuitid and --dhcp-remoteid for RFC3046 relay agent data matching. Added --dhcp-subscrid for RFC3993 subscriber-id relay agent data matching. Correctly garbage-collect connections when upstream servers go away as a result of DBus transactions. Allow absolute paths for TFTP transfers even when --tftp-root is set, as long as the path matches the root, so /var/ftp/myfile is OK with tftp-root=/var/ftp. Thanks for Thomas Mizzi for the patch. Updated Spanish translation - thanks to Chris Chatham. Updated French translation - thanks to Gildas Le Nadan. Added to example conf file example of routing PTR queries for a subnet to a different nameserver. Suggestion from Jon Nicholson. Added --interface-name option. This provides a facility to add a domain name with a dynamic IP address taken from the address of a local network interface. Useful for networks with dynamic IPs. version 2.40 Make SIGUSR2 close-and-reopen the logfile when logging direct to a file. Thanks to Carlos Carvalho for suggesting this. When a logfile is created, change its ownership to the user dnsmasq will run as, don't leave it owned by root. Set a special tag, "known" for hosts which are matched by a dhcp-host or /etc/ethers line. This is especially useful to be able to do --dhcp-ignore=#known, like ISCs "deny unknown-clients". Explicitly set a umask before creating the leases file, rather than relying on whatever we inherited. The permissions are set to 644. Fix handling of fully-qualified names in --dhcp-host directives and in /etc/ethers. These are now rejected if the domain doesn't match that given by --domain, and used correctly otherwise. Before, putting a FQDN here could cause the whole FQDN to be used as hostname. Thanks to Michael Heimpold for the bug report. Massive but trivial edit to make the "daemon" variable global, instead of copying the same value around as the first argument to half the functions in the program. Updated Spanish manpage and message catalog. Thanks to Chris Chatham. Added patch for support of DNS LOC records in contrib/dns-loc. Thanks to Lorenz Schori. Fixed error in manpage: dhcp-ignore-name -> dhcp-ignore-names. Thanks to Daniel Mentz for spotting this. Use client-id as hash-seed for DHCP address allocation with Firewire and InfiniBand, as these don't supply a MAC address. Tweaked TFTP file-open code to make it behave sensibly when the filesystem changes under its feet. Added DNSMASQ_TIME_REMAINING environment variable to the lease-script. Always send replies to DHCPINFORM requests to the source of the request and not to the address in ciaddr. This allows third-party queries. Return "lease time remaining" in the reply to a DHCPINFORM request if there exists a lease for the host sending the request. Added --dhcp-hostsfile option. This gives a superset of the functionality provided by /etc/ethers. Thanks to Greg Kurtzer for the suggestion. Accept keyword "server" as a synonym for "nameserver" in resolv.conf. Thanks to Andrew Bartlett for the report. Add --tftp-unique-root option. Suggestion from Dermot Bradley. Tweak TFTP retry timer to avoid problems with difficult clients. Thanks to Dermot Bradley for assistance with this. Continue to use unqualified hostnames provided by DHCP clients, even if the domain part is illegal. (The domain is ignored, and an error logged.) Previously in this situation, the whole name would have been rejected. Thanks to Jima for the patch. Handle EINTR returns from wait() correctly and reap our children's children if necessary. This fixes a problem with zombie-creation under *BSD when using --dhcp-script. Escape spaces in hostnames when they are stored in the leases file and passed to the lease-change script. Suggestion from Ben Voigt. Re-run the lease change script with an "old" event for each lease when dnsmasq receives a SIGHUP. Added more useful exit codes, including passing on a non-zero exit code from the lease-script "init" call when --leasefile-ro is set. Log memory allocation failure whilst the daemon is running. Allocation failures during startup are fatal, but lack of memory whilst running is worked around. This used to be silent, but now is logged. Fixed misaligned memory access which caused problems on Blackfin CPUs. Thanks to Alex Landau for the patch. Don't include (useless) script-calling code when NO_FORK is set. Since this tends to be used on very small uclinux systems, it's worth-while to save some code-size. Don't set REUSEADDR on TFTP listening socket. There's no need to do so, and it creates confusing behaviour when inetd is also listening on the same port. Thanks to Erik Brown for spotting the problem. version 2.41 Remove deprecated calls when compiled against libdbus 1.1. Fix "strict-alias" warning in bpf.c Reduce dependency on Gnu-make in build system: dnsmasq now builds with system make under OpenBSD. Port to Solaris. Dnsmasq 1.x used to run under Solaris, and this release does so again, for Solaris 9 or better. Allow the DNS function to be completely disabled, by setting the port to zero "--port=0". The allows dnsmasq to be used as a simple DHCP server, simple TFTP server, or both, but without the DNS server getting in the way. Fix a bug where NXDOMAIN could be returned for a query even if the name's value was known for a different query type. This bug could be prodded with --local=/domain/ --address=/name.domain/1.2.3.4 An IPv6 query for name.domain would return NXDOMAIN, and not the correct NOERROR. Thanks to Lars Nooden for spotting the bug and Jima for diagnosis of the problem. Added per-server stats to the information logged when dnsmasq gets SIGUSR1. Added counts of queries forwarded and queries answered locally (from the cache, /etc/hosts or config). Fixed possible crash bug in DBus IPv6 code. Thanks to Matt Domsch and Jima. Tighten checks for clashes between hosts-file and DHCP-derived names. Multiple addresses associated with a name in hosts-file no longer confuses the check. Add --dhcp-no-override option to fix problems with some combinations of stage zero and stage one bootloaders. Thanks to Steve Alexander for the bug report. Add --tftp-port-range option. Thanks to Daniel Mierswa for the suggestion. Add --stop-dns-rebind option. Thanks to Collin Mulliner for the patch. Added GPL version 3 as a license option. Added --all-servers option. Thanks to Peter Naulls for the patch. Extend source address mechanism so that the interface used to contact an upstream DNS server can be nailed down. Something like "--server=1.2.3.4@eth1" will force the use of eth1 for traffic to DNS-server 1.2.3.4. This facility is only available on Linux and Solaris. Thanks to Peter Naulls for prompting this. Add --dhcp-optsfile option. Thanks to Carlos Carvalho for the suggestion. Fixed failure to set source address for server connections when using TCP. Thanks to Simon Capper for finding this bug. Refuse to give a DHCP client the address it asks for if the address range in question is not available to that particular host. Thanks to Cedric Duval for the bug report. Changed behavior of DHCP server to always return total length of a new lease in DHCPOFFER, even if an existing lease exists. (It used to return the time remaining on the lease when one existed.) This fixes problems with the Sony Ericsson K610i phone. Thanks to Hakon Stordahl for finding and fixing this. Add DNSMASQ_INTERFACE to the environment of the lease-change script. Thanks to Nikos Mavrogiannopoulos for the patch. Fixed broken --alias functionality. Thanks to Michael Meelis for the bug report. Added French translation of the man page. Thank to Gildas Le Nadan for that. Add --dhcp-match flag, to check for arbitrary options in DHCP messages from clients. This enables use of dnsmasq with iPXE. Thanks to Rance Hall for the suggestion. Added --dhcp-broadcast, to force broadcast replies to DHCP clients which need them but are too dumb or too old to ask. Thanks to Bodo Bellut for the suggestion. Disable path-MTU discovery on DHCP and TFTP sockets. This is never needed, and the presence of DF flags in the IP header confuses some broken PXE ROMS. Thanks again to Bodo Bellut for spotting this. Fix problems with addresses which have multiple PTR records - all but one of these could get lost. Fix bug with --address and ANY query type seeing REFUSED return code in replies. Thanks to Mike Wright for spotting the problem. Update Spanish translation. Thanks to Chris Chatham. Add --neg-ttl option. Add warnings about the bad effects of --filterwin2k on SIP, XMPP and Google-talk to the example config file. Fix va_list abuse in log.c. This fixes crashes on powerpc when debug mode is set. Thanks to Cedric Duval for the patch. version 2.42 Define _GNU_SOURCE to avoid problems with later glibc headers. Thanks to Jima for spotting the problem. Add --dhcp-alternate-port option. Thanks to Jan Psota for the suggestion. Fix typo in code which is only used on BSD, when Dbus and IPv6 support is enabled. Thanks to Roy Marples. Updated Polish translations - thank to Jan Psota. Fix OS detection logic to cope with GNU/FreeBSD. Fix uninitialised variable in DBus code - thanks to Roy Marples. Fix network enumeration code to work on later NetBSD - thanks to Roy Marples. Provide --dhcp-bridge on all BSD variants. Define _LARGEFILE_SOURCE which removes an arbitrary 2GB limit on logfiles. Thanks to Paul Chambers for spotting the problem. Fix RFC3046 agent-id echo code, broken for many releases. Thanks to Jeremy Laine for spotting the problem and providing a patch. Added Solaris 10 service manifest from David Connelly in contrib/Solaris10 Add --dhcp-scriptuser option. Support new capability interface on suitable Linux kernels, removes "legacy support in use" messages. Thanks to Jorge Bastos for pointing this out. Fix subtle bug in cache code which could cause dnsmasq to lock spinning CPU in rare circumstances. Thanks to Alex Chekholko for bug reports and help debugging. Support netascii transfer mode for TFTP. dnsmasq-2.93/FAQ0000664000175000017500000006560215210262712011640 0ustar srksrkQ: Why does dnsmasq open UDP ports >1024 as well as port 53. Is this a security problem/trojan/backdoor? A: The high ports that dnsmasq opens are for replies from the upstream nameserver(s). Queries from dnsmasq to upstream nameservers are sent from these ports and replies received to them. The reason for doing this is that most firewall setups block incoming packets _to_ port 53, in order to stop DNS queries from the outside world. If dnsmasq sent its queries from port 53 the replies would be _to_ port 53 and get blocked. This is not a security hole since dnsmasq will only accept replies to that port: queries are dropped. The replies must be to outstanding queries which dnsmasq has forwarded, otherwise they are dropped too. Addendum: dnsmasq now has the option "query-port" (-Q), which allows you to specify the UDP port to be used for this purpose. If not specified, the operating system will select an available port number just as it did before. Second addendum: following the discovery of a security flaw in the DNS protocol, dnsmasq from version 2.43 has changed behavior. It now uses a new, randomly selected, port for each query. The old default behaviour (use one port allocated by the OS) is available by setting --query-port=0, and setting the query port to a positive value still works. You should think hard and know what you are doing before using either of these options. Q: Why doesn't dnsmasq support DNS queries over TCP? Don't the RFC's specify that? A: Update: from version 2.10, it does. There are a few limitations: data obtained via TCP is not cached, and source-address or query-port specifications are ignored for TCP. Q: When I send SIGUSR1 to dump the contents of the cache, some entries have no IP address and are for names like mymachine.mydomain.com.mydomain.com. What are these? A: They are negative entries: that's what the N flag means. Dnsmasq asked an upstream nameserver to resolve that address and it replied "doesn't exist, and won't exist for hours" so dnsmasq saved that information so that if _it_ gets asked the same question it can answer directly without having to go back to the upstream server again. The strange repeated domains result from the way resolvers search short names. See "man resolv.conf" for details. Q: Will dnsmasq compile/run on non-Linux systems? A: Yes, there is explicit support for *BSD and MacOS X and Solaris. There are start-up scripts for MacOS X Tiger and Panther in /contrib. Dnsmasq will link with uclibc to provide small binaries suitable for use in embedded systems such as routers. (There's special code to support machines with flash filesystems and no battery-backed RTC.) If you encounter make errors with *BSD, try installing gmake from ports and building dnsmasq with "make MAKE=gmake" For other systems, try altering the settings in config.h. Q: My company's nameserver knows about some names which aren't in the public DNS. Even though I put it first in /etc/resolv.conf, it doesn't work: dnsmasq seems not to use the nameservers in the order given. What am I doing wrong? A: By default, dnsmasq treats all the nameservers it knows about as equal: it picks the one to use using an algorithm designed to avoid nameservers which aren't responding. To make dnsmasq use the servers in order, give it the -o flag. If you want some queries sent to a special server, think about using the -S flag to give the IP address of that server, and telling dnsmasq exactly which domains to use the server for. Q: OK, I've got queries to a private nameserver working, now how about reverse queries for a range of IP addresses? A: Use the standard DNS convention of .in-addr.arpa. For instance to send reverse queries on the range 192.168.0.0 to 192.168.0.255 to a nameserver at 10.0.0.1 do server=/0.168.192.in-addr.arpa/10.0.0.1 Note that the "bogus-priv" option take priority over this option, so the above will not work when the bogus-priv option is set. Q: Dnsmasq fails to start with an error like this: "dnsmasq: bind failed: Cannot assign requested address". What's the problem? A: This has been seen when a system is bringing up a PPP interface at boot time: by the time dnsmasq start the interface has been created, but not brought up and assigned an address. The easiest solution is to use --interface flags to specify which interfaces dnsmasq should listen on. Since you are unlikely to want dnsmasq to listen on a PPP interface and offer DNS service to the world, the problem is solved. Q: I'm running on BSD and dnsmasq won't accept long options on the command line. A: Dnsmasq when built on some BSD systems doesn't use GNU getopt by default. You can either just use the single-letter options or change config.h and the Makefile to use getopt-long. Note that options in /etc/dnsmasq.conf must always be the long form, on all platforms. Q: Names on the internet are working fine, but looking up local names from /etc/hosts or DHCP doesn't seem to work. A: Resolver code sometime does strange things when given names without any dots in. Win2k and WinXP may not use the DNS at all and just try and look up the name using WINS. On unix look at "options ndots:" in "man resolv.conf" for details on this topic. Testing lookups using "nslookup" or "dig" will work, but then attempting to run "ping" will get a lookup failure, appending a dot to the end of the hostname will fix things. (ie "ping myhost" fails, but "ping myhost." works. The solution is to make sure that all your hosts have a domain set ("domain" in resolv.conf, or set a domain in your DHCP server, see below for Windows XP and Mac OS X). Any domain will do, but "localnet" is traditional. Now when you resolve "myhost" the resolver will attempt to look up "myhost.localnet" so you need to have dnsmasq reply to that name. The way to do that is to include the domain in each name on /etc/hosts and/or to use the --expand-hosts and --domain options. Q: How do I set the DNS domain in Windows XP or MacOS X (ref: previous question)? A: for XP, Control Panel > Network Connections > { Connection to gateway / DNS } > Properties > { Highlight TCP/IP } > Properties > Advanced > DNS Tab > DNS suffix for this connection: A: for OS X, System Preferences > Network > {Connection to gateway / DNS } > Search domains: Q: Can I get dnsmasq to save the contents of its cache to disk when I shut my machine down and re-load when it starts again? A: No, that facility is not provided. Very few names in the DNS have their time-to-live set for longer than a few hours so most of the cache entries would have expired after a shutdown. For longer-lived names it's much cheaper to just reload them from the upstream server. Note that dnsmasq is not shut down between PPP sessions so go off-line and then on-line again will not lose the contents of the cache. Q: Who are Verisign, what do they have to do with the bogus-nxdomain option in dnsmasq and why should I wory about it? A: [note: this was written in September 2003, things may well change.] Verisign run the .com and .net top-level-domains. They have just changed the configuration of their servers so that unknown .com and .net domains, instead of returning an error code NXDOMAIN, (no such domain) return the address of a host at Verisign which runs a web server showing a search page. Most right-thinking people regard this new behaviour as broken :-). You can test to see if you are suffering Verisign brokenness by run a command like host jlsdajkdalld.com If you get "jlsdajkdalld.com" does not exist, then all is fine, if host returns an IP address, then the DNS is broken. (Try a few different unlikely domains, just in case you picked a weird one which really _is_ registered.) Assuming that your DNS is broken, and you want to fix it, simply note the IP address being returned and pass it to dnsmasq using the --bogus-nxdomain flag. Dnsmasq will check for results returning that address and substitute an NXDOMAIN instead. As of writing, the IP address in question for the .com and .net domains is is 64.94.110.11. Various other, less prominent, registries pull the same stunt; there is a list of them all, and the addresses to block, at http://winware.org/bogus-domains.txt Q: This new DHCP server is well and good, but it doesn't work for me. What's the problem? A: There are a couple of configuration gotchas which have been encountered by people moving from the ISC dhcpd to the dnsmasq integrated DHCP daemon. Both are related to differences in in the way the two daemons bypass the IP stack to do "ground up" IP configuration and can lead to the dnsmasq daemon failing whilst the ISC one works. The first thing to check is the broadcast address set for the ethernet interface. This is normally the address on the connected network with all ones in the host part. For instance if the address of the ethernet interface is 192.168.55.7 and the netmask is 255.255.255.0 then the broadcast address should be 192.168.55.255. Having a broadcast address which is not on the network to which the interface is connected kills things stone dead. The second potential problem relates to firewall rules: since the ISC daemon in some configurations bypasses the kernel firewall rules entirely, the ability to run the ISC daemon does not indicate that the current configuration is OK for the dnsmasq daemon. For the dnsmasq daemon to operate it's vital that UDP packets to and from ports 67 and 68 and broadcast packets with source address 0.0.0.0 and destination address 255.255.255.255 are not dropped by iptables/ipchains. Q: I'm running Debian, and my machines get an address fine with DHCP, but their names are not appearing in the DNS. A: By default, none of the DHCP clients send the host-name when asking for a lease. For most of the clients, you can set the host-name to send with the "hostname" keyword in /etc/network/interfaces. (See "man interfaces" for details.) That doesn't work for dhclient, were you have to add something like "send host-name daisy" to /etc/dhclient.conf [Update: the latest dhcpcd packages _do_ send the hostname by default. Q: I'm network booting my machines, and trying to give them static DHCP-assigned addresses. The machine gets its correct address whilst booting, but then the OS starts and it seems to get allocated a different address. A: What is happening is this: The boot process sends a DHCP request and gets allocated the static address corresponding to its MAC address. The boot loader does not send a client-id. Then the OS starts and repeats the DHCP process, but it it does send a client-id. Dnsmasq cannot assume that the two requests are from the same machine (since the client ID's don't match) and even though the MAC address has a static allocation, that address is still in use by the first incarnation of the machine (the one from the boot, without a client ID.) dnsmasq therefore has to give the machine a dynamic address from its pool. There are three ways to solve this: (1) persuade your DHCP client not to send a client ID, or (2) set up the static assignment to the client ID, not the MAC address. The default client-id will be 01:, so change the dhcp-host line from "dhcp-host=11:22:33:44:55:66,1.2.3.4" to "dhcp-host=id:01:11:22:33:44:55:66,1.2.3.4" or (3) tell dnsmasq to ignore client IDs for a particular MAC address, like this: dhcp-host=11:22:33:44:55:66,id:* Q: What network types are supported by the DHCP server? A: Ethernet (and 802.11 wireless) are supported on all platforms. On Linux all network types (including FireWire) are supported. Q: What are these strange "bind-interfaces" and "bind-dynamic" options? A: Dnsmasq from v2.63 can operate in one of three different "networking modes". This is unfortunate as it requires users configuring dnsmasq to take into account some rather bizarre constraints and select the mode which best fits the requirements of a particular installation. The origin of these are deficiencies in the Unix networking model and APIs and each mode has different advantages and problems. Just to add to the confusion, not all modes are available on all platforms (due the to lack of supporting network APIs).To further add to the confusion, the rules for the DHCP subsystem on dnsmasq are different to the rules for the DNS and TFTP subsystems. The three modes are "wildcard", "bind-interfaces" and "bind-dynamic". In "wildcard" mode, dnsmasq binds the wildcard IP address (0.0.0.0 or ::). This allows it to receive all the packets sent to the server on the relevant port. Access control (--interface, --except-interface, --listen-address, etc) is implemented by dnsmasq: it queries the kernel to determine the interface on which a packet was received and the address to which it was sent, and applies the configured rules. Wildcard mode is the default if neither of the other modes are specified. In "bind-interfaces" mode, dnsmasq runs through all the network interfaces available when it starts, finds the set of IP addresses on those interfaces, filters that set using the access control configuration, and then binds the set of IP addresses. Only packets sent to the allowed addresses are delivered by the kernel to dnsmasq. In "bind-dynamic" mode, access control filtering is done both by binding individual IP addresses, as for bind-interfaces, and by inspecting individual packets on arrival as for wildcard mode. In addition, dnsmasq notices when new interfaces appear or new addresses appear on existing interfaces, and the resulting IP addresses are bound automatically without having to restart dnsmasq. The mode chosen has four different effects: co-existence with other servers, semantics of --interface access control, effect of new interfaces, and legality of --interface specifications for non-existent interfaces. We will deal with these in order. A dnsmasq instance running in wildcard mode precludes a machine from running a second instance of dnsmasq or any other DNS, TFTP or DHCP server. Attempts to do so will fail with an "address in use" error. Dnsmasq running in --bind-interfaces or bind-dynamic mode allow other instances of dnsmasq or other servers, as long as no two servers are configured to listen on the same interface address. The semantics of --interface varies subtly between wildcard or bind-dynamic mode and bind-interfaces mode. The situation where this matters is a request which arrives via one interface (A), but with a destination address of a second interface (B) and when dnsmasq is configured to listen only on B. In wildcard or bind-dynamic mode, such a request will be ignored, in bind-interfaces mode, it will be accepted. The creation of new network interfaces after dnsmasq starts is ignored by dnsmasq when in --bind-interfaces mode. In wildcard or bind-dynamic mode, such interfaces are handled normally. An --interface specification for a non-existent interface is a fatal error at start-up when in --bind-interfaces mode, by just generates a warning in wildcard or bind-dynamic mode. Q: Why doesn't Kerberos work/why can't I get sensible answers to queries for SRV records. A: Probably because you have the "filterwin2k" option set. Note that it was on by default in example configuration files included in versions before 2.12, so you might have it set on without realising. Q: Can I get email notification when a new version of dnsmasq is released? A: Yes, new releases of dnsmasq are always announced through freshmeat.net, and they allow you to subscribe to email alerts when new versions of particular projects are released. New releases are also announced in the dnsmasq-discuss mailing list, subscribe at http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss Q: What does the dhcp-authoritative option do? A: The DHCP spec says that when a DHCP server receives a renewal request from a client it has no knowledge of, it should just ignore it. This is because it's supported to have more than one DHCP server on a network, and another DHCP server may be dealing with the client. This has the unfortunate effect that when _no_ DHCP replies to the client, it takes some time for the client to time-out and start to get a new lease. Setting this option makes dnsmasq violate the standard to the extent that it will send a NAK reply to the client, causing it to immediately start to get a new lease. This improves behaviour when machines move networks, and in the case that the DHCP lease database is lost. As long as there are not more tha one DHCP server on the network, it's safe to enable the option. Q: Why does my Gentoo box pause for a minute before getting a new lease? A: Because when a Gentoo box shuts down, it releases its lease with the server but remembers it on the client; this seems to be a Gentoo-specific patch to dhcpcd. On restart it tries to renew a lease which is long gone, as far as dnsmasq is concerned, and dnsmasq ignores it until is times out and restarts the process. To fix this, set the dhcp-authoritative flag in dnsmasq. Q: My laptop has two network interfaces, a wired one and a wireless one. I never use both interfaces at the same time, and I'd like the same IP and configuration to be used irrespective of which interface is in use. How can I do that? A: By default, the identity of a machine is determined by using the MAC address, which is associated with interface hardware. Once an IP is bound to the MAC address of one interface, it cannot be associated with another MAC address until after the DHCP lease expires. The solution to this is to use a client-id as the machine identity rather than the MAC address. If you arrange for the same client-id to sent when either interface is in use, the DHCP server will recognise the same machine, and use the same address. The method for setting the client-id varies with DHCP client software, dhcpcd uses the "-I" flag. Windows uses a registry setting, see http://www.jsiinc.com/SUBF/TIP2800/rh2845.htm Addendum: From version 2.46, dnsmasq has a solution to this which doesn't involve setting client-IDs. It's possible to put more than one MAC address in a --dhcp-host configuration. This tells dnsmasq that it should use the specified IP for any of the specified MAC addresses, and furthermore it gives dnsmasq permission to summarily abandon a lease to one of the MAC addresses if another one comes along. Note that this will work fine only as longer as only one interface is up at any time. There is no way for dnsmasq to enforce this constraint: if you configure multiple MAC addresses and violate this rule, bad things will happen. Addendum-II: The link above is dead, the former contents of the link are: ------------------------------------------------------------------------------ How can I keep the same DHCP client reservation, if the MAC address changes? When you reserve an IP address for a DHCP client, you provide the MAC address of the client's NIC. It is possible to use a custom identifier, which is sent as option 61 in the client's DHCP Discover and Request packet. The DhcpClientIdentifier is a REG_DWORD value that is located at: Windows NT 4.0 SP2+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\'X'\Parameters\Tcpip where is the NIC driver name and 'X' is the number of the NIC. Windows 2000 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TcpIp\Parameters\Interfaces\ where is the GUID of the NIC. The valid range of data is 0x0 - 0xFFFFFFFF. The custom identifier is send as 4 bytes, 8 hexadecimal character, in groups of 2 hexadecimal characters, with the groups being sent in reverse order. If the custom identifier is less than 8 hexadeciaml characters, it is zero padded at the end. Examples: Custom Client Client Reservation Identifier on DHCP Server 12345678 78563412 123456 56341200 1234 34120000 1234567 67452301 12345 45230100 123 23010000 A18F42 428FA100 CF432 32F40C00 C32D1BE BED1320C ------------------------------------------------------------------------------------------------------- Q: Can dnsmasq do DHCP on IP-alias interfaces? A: Yes, from version-2.21. The support is only available running under Linux, on a kernel which provides the RT-netlink facility. All 2.4 and 2.6 kernels provide RT-netlink and it's an option in 2.2 kernels. If a physical interface has more than one IP address or aliases with extra IP addresses, then any dhcp-ranges corresponding to these addresses can be used for address allocation. So if an interface has addresses 192.168.1.0/24 and 192.168.2.0/24 and there are DHCP ranges 192.168.1.100-192.168.1.200 and 192.168.2.100-192.168.2.200 then both ranges would be used for host connected to the physical interface. A more typical use might be to have one of the address-ranges as static-only, and have known hosts allocated addresses on that subnet using dhcp-host options, while anonymous hosts go on the other. Q: Dnsmasq sometimes logs "nameserver xxx.xxx.xxx.xxx refused to do a recursive query" and DNS stops working. What's going on? A: Probably the nameserver is an authoritative nameserver for a particular domain, but is not configured to answer general DNS queries for an arbitrary domain. It is not suitable for use by dnsmasq as an upstream server and should be removed from the configuration. Note that if you have more than one upstream nameserver configured dnsmasq will load-balance across them and it may be some time before dnsmasq gets around to using a particular nameserver. This means that a particular configuration may work for sometime with a broken upstream nameserver configuration. Q: Does the dnsmasq DHCP server probe addresses before allocating them, as recommended in RFC2131? A: Yes, dynamically allocated IP addresses are checked by sending an ICMP echo request (ping). If a reply is received, then dnsmasq assumes that the address is in use, and attempts to allocate an different address. The wait for a reply is between two and three seconds. Because the DHCP server is not re-entrant, it cannot serve other DHCP requests during this time. To avoid dropping requests, the address probe may be skipped when dnsmasq is under heavy load. Q: I'm using dnsmasq on a machine with the Firestarter firewall, and DHCP doesn't work. What's the problem? A: This a variant on the iptables problem. Explicit details on how to proceed can be found at http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2005q3/000431.html Q: I'm using dnsmasq on a machine with the shorewall firewall, and DHCP doesn't work. What's the problem? A: This a variant on the iptables problem. Explicit details on how to proceed can be found at http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2007q4/001764.html Q: Dnsmasq fails to start up with a message about capabilities. Why did that happen and what can do to fix it? A: Change your kernel configuration: either deselect CONFIG_SECURITY _or_ select CONFIG_SECURITY_CAPABILITIES. Alternatively, you can remove the need to set capabilities by running dnsmasq as root. Q: Where can I get .rpms Suitable for openSUSE/SLES? A: Dnsmasq is in openSUSE itself, and the latest releases are also available at http://download.opensuse.org/repositories/network/ Q: Can I run dnsmasq in a Linux vserver? A: Yes, as a DNS server, dnsmasq will just work in a vserver. To use dnsmasq's DHCP function you need to give the vserver extra system capabilities. Please note that doing so will lesser the overall security of your system. The capabilities required are NET_ADMIN and NET_RAW. NET_ADMIN is essential, NET_RAW is required to do an ICMP "ping" check on newly allocated addresses. If you don't need this check, you can disable it with --no-ping and omit the NET_RAW capability. Adding the capabilities is done by adding them, one per line, to either /etc/vservers//ccapabilities for a 2.4 kernel or /etc/vservers//bcapabilities for a 2.6 kernel (please refer to the vserver documentation for more information). Q: What's the problem with syslog and dnsmasq? A: In almost all cases: none. If you have the normal arrangement with local daemons logging to a local syslog, which then writes to disk, then there's never a problem. If you use network logging, then there's a potential problem with deadlock: the syslog daemon will do DNS lookups so that it can log the source of log messages, these lookups will (depending on exact configuration) go through dnsmasq, which also sends log messages. With bad timing, you can arrive at a situation where syslog is waiting for dnsmasq, and dnsmasq is waiting for syslog; they will both wait forever. This problem is fixed from dnsmasq-2.39, which introduces asynchronous logging: dnsmasq no longer waits for syslog and the deadlock is broken. There is a remaining problem in 2.39, where "log-queries" is in use. In this case most DNS queries generate two log lines, if these go to a syslog which is doing a DNS lookup for each log line, then those queries will in turn generate two more log lines, and a chain reaction runaway will occur. To avoid this, use syslog-ng and turn on syslog-ng's dns-cache function. Q: DHCP doesn't work with windows Vista, but everything else is fine. A: The DHCP client on windows Vista (and possibly later versions) demands that the DHCP server send replies as broadcasts. Most other clients don't do this. The broadcasts are send to 255.255.255.255. A badly configured firewall which blocks such packets will show exactly these symptoms (Vista fails, others work). Q: DHCP doesn't work with windows 7 but everything else is fine. A: There seems to be a problem if Windows 7 doesn't get a value for DHCP option 252 in DHCP packets it gets from the server. The symptoms have been variously reported as continual DHCPINFORM requests in an attempt to get an option-252, or even ignoring DHCP offers completely (and failing to get an IP address) if there is no option-252 supplied. DHCP option 252 is for WPAD, WWW Proxy Auto Detection and if you don't want or need to use that, then simplest fix seems to be to supply an empty option with: dhcp-option=252,"\n" dnsmasq-2.93/logo/0000775000175000017500000000000015210262712012235 5ustar srksrkdnsmasq-2.93/logo/README0000664000175000017500000000043015210262712013112 0ustar srksrkDnsmasq logo, contributed by Justin Clift. The source format is Inkscape SVG vector format, which is scalable and easy to export to other formats. For convenience I've included a 56x31 png export and a 16x16 ico suitable for use as a web favicon. Simon Kelley, 22/10/2010 dnsmasq-2.93/logo/favicon.ico0000664000175000017500000000257615210262712014370 0ustar srksrkh( ^effggcfhh o p n sty|~xx|(,178;z?@A{DAvGGFGIqOLPRRiUWWWa\Z]]__azdbfQyPy^99;?LJSCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC>>>CCCCCC>>>CCCB >>CC>>>CB ,5 >B,= @@"@@:>;@' 9@0,@#&% >C@6+.)$!%(*>CCC>@47132/-48>CCCCCCB>A>>CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCdnsmasq-2.93/logo/icon.svg0000664000175000017500000001375115210262712013715 0ustar srksrk image/svg+xml dnsmasq-2.93/logo/icon.png0000664000175000017500000000550615210262712013701 0ustar srksrkPNG  IHDR8/sBIT|d pHYs B(xtEXtSoftwarewww.inkscape.org< IDATX͙ypTEǿL&w2Ia0II@@aQPkr]]jK]-Z֋$rHB so׽{3/*k̼_׿7sB1~4TU T鼜0K)YHg ~_Qr ׅNo `)*O>I {7 ZM5BrEdF%WdE&nF Ʊ% PG 9,.*Kfmy%@xOgZ% \ lXt*P%(@ԉ()mM͵y‰n|5`'&L#-"b!4U̙? ӅXAc& ?'(anEe~80+.BC66mѪ]r`>y!3A%,Wum>'ltЬ a*#h܅vZT/oXݿ׃)kI!& [ʦOkA!% %N6c_$ox]Ihl&LHO WfZȫO 6pF\ MzgoGrIq{ * c8^xn&y_=Nr1U<2~LtFt  DH#m 7<]J<&f+VGfRH9׻p^a6q*ahޘ줫9W9< Ύ.zTD %C9]9]``*[B%˵5&ߊvxզ2v鋏e^d9(mZPPY4h5gp%Wutk^yy$T}+xդ~ĴH{li zH)/*s(U3[Bˁ~:B`*gj+[oI_̘ @3:v`Z?܌t3]X?p0 ;oQY}ec;I=lv邝EqB%vJG;`N !R,zN\O #8b 0۱7ÔF,n ]f.8Nu;sʪ5O\ӆMkWEI I߬ތIg (Dmc>$u'/GL8w*yɷչYuDtJ$1$JjCU*1DUM fv>>0^W-Jɩ篪|Y8{jJ߂Ip|w{̬1,Vrҧ >\JMvRwdxgW 6UR}ŌqLњGv%ye8CsKqm wPzs3 P  >5dl\*ͧŹb p۴0J]8  h#}^L!:h;(w/;X;NN_W -;ʮQjNIogcMÚ!<JFwi;3rtQn]yJaIq!$1@x%(w1Ys). ^ qPăGv)rNYO*KV,s7܁@9g݇ ޱbLuW4t Wt^ۨ~VF:Ηe#r˾B`xWcDES(}Ts5|+O&G$X4)qf=,GW"KoATXb1s 0j쩛C4M-rÔ]o37~}ICМnΣ#UDzi׮8gM6G잒Rh^ ̅Xfvw\-jۗǤ֣Q,l.72v|0vejgvusooJ~Qʰ:_UBת 'RDh|u/> wNGݻdd0qz&>ƯhlS6#}`6zz,!;ueX49mA ceY@j GLýؒmnGNMs. n񠀨G ; ۞X!ssv1]5K/:tq7.k ;3jcw}&KtdQjwYOQӧA44^# 42 @kδ,*-ׄDP m" "=QvMZ/˘mL?AGFԷwnfMphܕMh%'ӵӋ4Cjѷ>l1FY9$uR 4"nk:^Sƣh6Vqmk"Ƅ#M5ڤʺPݩ5 ngF{KBʺ;ƪ7}11lrm^c6VbOND=x!)?u&aR6u_6T)JIENDB`dnsmasq-2.93/doc.html0000664000175000017500000001317115210262712012733 0ustar srksrk Dnsmasq - network services for small networks.

Dnsmasq
Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used for tethering on smartphones and portable hotspots, and to support virtual networking in virtualisation frameworks. Supported platforms include Linux (with glibc and uclibc), Android, *BSD, and Mac OS X. Dnsmasq is included in most Linux distributions and the ports systems of FreeBSD, OpenBSD and NetBSD. Dnsmasq provides full IPv6 support.

The DNS subsystem provides a local DNS server for the network, with forwarding of all query types to upstream recursive DNS servers and caching of common record types (A, AAAA, CNAME and PTR, also DNSKEY and DS when DNSSEC is enabled).

  • Local DNS names can be defined by reading /etc/hosts, by importing names from the DHCP subsystem, or by configuration of a wide range of useful record types.
  • Upstream servers can be configured in a variety of convenient ways, including dynamic configuration as these change on moving upstream network.
  • Authoritative DNS mode allows local DNS names may be exported to zone in the global DNS. Dnsmasq acts as authoritative server for this zone, and also provides zone transfer to secondaries for the zone, if required.
  • DNSSEC validation may be performed on DNS replies from upstream nameservers, providing security against spoofing and cache poisoning.
  • Specified sub-domains can be directed to their own upstream DNS servers, making VPN configuration easy.
  • Internationalised domain names are supported.

    • The DHCP subsystem supports DHCPv4, DHCPv6, BOOTP and PXE.

  • Both static and dynamic DHCP leases are supported, along with stateless mode in DHCPv6.
  • The PXE system is a full PXE server, supporting netboot menus and multiple architecture support. It includes proxy-mode, where the PXE system co-operates with another DHCP server.
  • There is a built in read-only TFTP server to support netboot.
  • Machines which are configured by DHCP have their names automatically included in the DNS and the names can specified by each machine or centrally by associating a name with a MAC address or UID in the dnsmasq configuration file.
    •

    The Router Advertisement subsystem provides basic autoconfiguration for IPv6 hosts. It can be used stand-alone or in conjunction with DHCPv6.

  • The M and O bits are configurable, to control hosts' use of DHCPv6.
  • Router advertisements can include the RDNSS option.
  • There is a mode which uses name information from DHCPv4 configuration to provide DNS entries for autoconfigured IPv6 addresses which would otherwise be anonymous.
    •

    For extra compactness, unused features may be omitted at compile time.

    Get code.

    Download dnsmasq here. The tarball includes this documentation, source, and manpage. There is also a CHANGELOG and a FAQ. Dnsmasq has a git repository which contains the complete release history of version 2 and development history from 2.60. You can browse the repo, or get a copy using git protocol with the command 
    git clone git://thekelleys.org.uk/dnsmasq.git
    or 
    git clone http://thekelleys.org.uk/git/dnsmasq.git

    License.

    Dnsmasq is distributed under the GPL, version 2 or version 3 at your discretion. See the files COPYING and COPYING-v3 in the distribution for details.

    Contact.

    There is a dnsmasq mailing list at http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss which should be the first location for queries, bugreports, suggestions etc. The list is mirrored, with a search facility, at https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/. You can contact me at simon@thekelleys.org.uk.

    Donations.

    Dnsmasq is mainly written and maintained by Simon Kelley. For most of its life, dnsmasq has been a spare-time project. These days I'm working on it as my main activity. I don't have an employer or anyone who pays me regularly to work on dnsmasq. If you'd like to make a contribution towards my expenses, please use the donation button below.
    dnsmasq-2.93/Android.mk0000664000175000017500000000011415210262712013202 0ustar srksrkifneq ($(TARGET_SIMULATOR),true) include $(call all-subdir-makefiles) endif dnsmasq-2.93/COPYING-v30000664000175000017500000010451315210262712012662 0ustar srksrk GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. 13. Use with the GNU Affero General Public License. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. 15. Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. Limitation of Liability. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . Also add information on how to contact you by electronic and paper mail. If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode: Copyright (C) This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an "about box". You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see . The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read . dnsmasq-2.93/src/0000775000175000017500000000000015210262712012064 5ustar srksrkdnsmasq-2.93/src/domain-match.c0000664000175000017500000005300115210262712014570 0ustar srksrk/* dnsmasq is Copyright (c) 2000-2026 Simon Kelley This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 dated June, 1991, or (at your option) version 3 dated 29 June, 2007. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ #include "dnsmasq.h" static int order(char *qdomain, size_t qlen, struct server *serv); static int order_qsort(const void *a, const void *b); static int order_servers(struct server *s, struct server *s2); /* If the server is USE_RESOLV or LITERAL_ADDRESS, it lives on the local_domains chain. */ #define SERV_IS_LOCAL (SERV_USE_RESOLV | SERV_LITERAL_ADDRESS) void build_server_array(void) { struct server *serv; int count = 0; for (serv = daemon->servers; serv; serv = serv->next) #ifdef HAVE_LOOP if (!(serv->flags & SERV_LOOP)) #endif { count++; if (serv->flags & SERV_WILDCARD) daemon->server_has_wildcard = 1; } for (serv = daemon->local_domains; serv; serv = serv->next) { count++; if (serv->flags & SERV_WILDCARD) daemon->server_has_wildcard = 1; } daemon->serverarraysz = count; if (count > daemon->serverarrayhwm) { struct server **new; count += 10; /* A few extra without re-allocating. */ if ((new = whine_malloc(count * sizeof(struct server *)))) { if (daemon->serverarray) free(daemon->serverarray); daemon->serverarray = new; daemon->serverarrayhwm = count; } } count = 0; for (serv = daemon->servers; serv; serv = serv->next) #ifdef HAVE_LOOP if (!(serv->flags & SERV_LOOP)) #endif { daemon->serverarray[count] = serv; serv->serial = count; serv->last_server = -1; count++; } for (serv = daemon->local_domains; serv; serv = serv->next, count++) daemon->serverarray[count] = serv; /* serverarray may be unallocated if we have no servers yet. */ if (daemon->serverarray) qsort(daemon->serverarray, daemon->serverarraysz, sizeof(struct server *), order_qsort); /* servers need the location in the array to find all the whole set of equivalent servers from a pointer to a single one. */ for (count = 0; count < daemon->serverarraysz; count++) if (!(daemon->serverarray[count]->flags & SERV_IS_LOCAL)) daemon->serverarray[count]->arrayposn = count; } /* we're looking for the server whose domain is the longest exact match to the RH end of qdomain, or a local address if the flags match. Add '.' to the LHS of the query string so server=/.example.com/ works. A flag of F_SERVER returns an upstream server only. A flag of F_DNSSECOK disables NODOTS servers from consideration. A flag of F_DS returns parent domain server. A flag of F_DOMAINSRV returns a domain-specific server only. A flag of F_CONFIG returns anything that generates a local reply of IPv4 or IPV6. return 0 if nothing found, 1 otherwise. */ int lookup_domain(char *domain, int flags, int *lowout, int *highout) { int rc, crop_query, nodots; ssize_t qlen; int try, high, low = 0; int nlow = 0, nhigh = 0; char *cp, *qdomain; /* may be no configured servers. */ if (daemon->serverarraysz == 0) return 0; /* DS records should come from the parent domain. */ if (flags & F_DS) { if ((cp = strchr(domain, '.'))) domain = cp+1; else domain = ""; } qdomain = domain; /* find query length and presence of '.' */ for (cp = qdomain, nodots = 1, qlen = 0; *cp; qlen++, cp++) if (*cp == '.') nodots = 0; /* Handle empty name, and searches for DNSSEC queries without diverting to NODOTS servers. */ if (qlen == 0 || flags & F_DNSSECOK) nodots = 0; /* Search shorter and shorter RHS substrings for a match */ while (qlen >= 0) { /* Note that when we chop off a label, all the possible matches MUST be at a larger index than the nearest failing match with one more character, since the array is sorted longest to smallest. Hence we don't reset low to zero here, we can go further below and crop the search string to the size of the largest remaining server when this match fails. */ high = daemon->serverarraysz; crop_query = 1; /* binary search */ while (1) { try = (low + high)/2; if ((rc = order(qdomain, qlen, daemon->serverarray[try])) == 0) break; if (rc < 0) { if (high == try) { /* qdomain is longer or same length as longest domain, and try == 0 crop the query to the longest domain. */ crop_query = qlen - daemon->serverarray[try]->domain_len; break; } high = try; } else { if (low == try) { /* try now points to the last domain that sorts before the query, so we know that a substring of the query shorter than it is required to match, so find the largest domain that's shorter than try. Note that just going to try+1 is not optimal, consider searching bbb in (aaa,ccc,bb). try will point to aaa, since ccc sorts after bbb, but the first domain that has a chance to match is bb. So find the length of the first domain later than try which is is shorter than it. There's a nasty edge case when qdomain sorts before _any_ of the server domains, where try _doesn't point_ to the last domain that sorts before the query, since no such domain exists. In that case, the loop exits via the rc < 0 && high == try path above and this code is not executed. */ ssize_t len, old = daemon->serverarray[try]->domain_len; while (++try != daemon->serverarraysz) { if (old != (len = daemon->serverarray[try]->domain_len)) { crop_query = qlen - len; break; } } break; } low = try; } }; if (rc == 0) { int found = 1; if (daemon->server_has_wildcard) { /* if we have example.com and *example.com we need to check against *example.com, but the binary search may have found either. Use the fact that example.com is sorted before *example.com We favour example.com in the case that both match (ie www.example.com) */ while (try != 0 && order(qdomain, qlen, daemon->serverarray[try-1]) == 0) try--; if (!(qdomain == domain || *qdomain == 0 || *(qdomain-1) == '.')) { while (try < daemon->serverarraysz-1 && order(qdomain, qlen, daemon->serverarray[try+1]) == 0) try++; if (!(daemon->serverarray[try]->flags & SERV_WILDCARD)) found = 0; } } if (found && filter_servers(try, flags, &nlow, &nhigh)) /* We have a match, but it may only be (say) an IPv6 address, and if the query wasn't for an AAAA record, it's no good, and we need to continue generalising */ { /* We've matched a setting which says to use servers without a domain. Continue the search with empty query. We set the F_SERVER flag so that --address=/#/... doesn't match. */ if (daemon->serverarray[nlow]->flags & SERV_USE_RESOLV) { crop_query = qlen; flags |= F_SERVER; } else break; } } /* crop_query must be at least one always. */ if (crop_query == 0) crop_query = 1; /* strip chars off the query based on the largest possible remaining match, then continue to the start of the next label unless we have a wildcard domain somewhere, in which case we have to go one at a time. */ qlen -= crop_query; qdomain += crop_query; if (!daemon->server_has_wildcard) while (qlen > 0 && (*(qdomain-1) != '.')) qlen--, qdomain++; } /* domain has no dots, and we have at least one server configured to handle such, These servers always sort to the very end of the array. A configured server eg server=/lan/ will take precdence. */ if (nodots && (daemon->serverarray[daemon->serverarraysz-1]->flags & SERV_FOR_NODOTS) && (nlow == nhigh || daemon->serverarray[nlow]->domain_len == 0)) { filter_servers(daemon->serverarraysz-1, flags, &nlow, &nhigh); qlen = 0; } if (lowout) *lowout = nlow; if (highout) *highout = nhigh; /* qlen == -1 when we failed to match even an empty query, if there are no default servers. */ if (nlow == nhigh || qlen == -1) return 0; return 1; } int server_samegroup(struct server *a, struct server *b) { return order_servers(a, b) == 0; } int filter_servers(int seed, int flags, int *lowout, int *highout) { int nlow = seed, nhigh = seed; int i; /* expand nlow and nhigh to cover all the records with the same domain nlow is the first, nhigh - 1 is the last. nlow=nhigh means no servers, which can happen below. */ while (nlow > 0 && order_servers(daemon->serverarray[nlow-1], daemon->serverarray[nlow]) == 0) nlow--; while (nhigh < daemon->serverarraysz-1 && order_servers(daemon->serverarray[nhigh], daemon->serverarray[nhigh+1]) == 0) nhigh++; nhigh++; #define SERV_LOCAL_ADDRESS (SERV_6ADDR | SERV_4ADDR | SERV_ALL_ZEROS) if (flags & F_CONFIG) { /* We're just lookin for any matches that return an RR. */ for (i = nlow; i < nhigh; i++) if (daemon->serverarray[i]->flags & SERV_LOCAL_ADDRESS) break; /* failed, return failure. */ if (i == nhigh) nhigh = nlow; } else { /* Now the matching server records are all between low and high. order_qsort() ensures that they are in the order IPv6 addr, IPv4 addr, return zero for both, no-data return, "use resolvconf" servers, domain-specific upstream servers. See which of those match our query in that priority order and narrow (low, high) */ for (i = nlow; i < nhigh && (daemon->serverarray[i]->flags & SERV_6ADDR); i++); if (!(flags & F_SERVER) && i != nlow && (flags & F_IPV6)) nhigh = i; else { nlow = i; for (i = nlow; i < nhigh && (daemon->serverarray[i]->flags & SERV_4ADDR); i++); if (!(flags & F_SERVER) && i != nlow && (flags & F_IPV4)) nhigh = i; else { nlow = i; for (i = nlow; i < nhigh && (daemon->serverarray[i]->flags & SERV_ALL_ZEROS); i++); if (!(flags & F_SERVER) && i != nlow && (flags & (F_IPV4 | F_IPV6))) nhigh = i; else { nlow = i; /* now look for a NXDOMAIN answer --local=/domain/ */ for (i = nlow; i < nhigh && (daemon->serverarray[i]->flags & SERV_LITERAL_ADDRESS); i++); if (!(flags & (F_DOMAINSRV | F_SERVER)) && i != nlow) nhigh = i; else { nlow = i; /* return "use resolv.conf servers" if they exist */ for (i = nlow; i < nhigh && (daemon->serverarray[i]->flags & SERV_USE_RESOLV); i++); if (i != nlow) nhigh = i; else { /* If we want a server for a particular domain, and this one isn't, return nothing. */ if (nlow < daemon->serverarraysz && nlow != nhigh && (flags & F_DOMAINSRV) && daemon->serverarray[nlow]->domain_len == 0 && !(daemon->serverarray[nlow]->flags & SERV_FOR_NODOTS)) nlow = nhigh; } } } } } } *lowout = nlow; *highout = nhigh; return (nlow != nhigh); } int is_local_answer(time_t now, int first, char *name) { int flags = 0; int rc = 0; if ((flags = daemon->serverarray[first]->flags) & SERV_LITERAL_ADDRESS) { if (flags & SERV_4ADDR) rc = F_IPV4; else if (flags & SERV_6ADDR) rc = F_IPV6; else if (flags & SERV_ALL_ZEROS) rc = F_IPV4 | F_IPV6; else { /* argument first is the first struct server which matches the query type; now roll back to the server which is just the same domain, to check if that provides an answer of a different type. */ for (;first > 0 && order_servers(daemon->serverarray[first-1], daemon->serverarray[first]) == 0; first--); if ((daemon->serverarray[first]->flags & SERV_LOCAL_ADDRESS) || check_for_local_domain(name, now)) rc = F_NOERR; else rc = F_NXDOMAIN; } } return rc; } size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header *header, char *name, size_t limit, int first, int last, int ede) { int trunc = 0, anscount = 0; unsigned char *p; int start; union all_addr addr; char *out_end = ((char *)header) + limit; setup_reply(header, flags, ede); gotname &= ~(F_QUERY | F_DS); if (flags & (F_NXDOMAIN | F_NOERR)) log_query(flags | gotname | F_NEG | F_CONFIG | F_FORWARD, name, NULL, NULL, 0); if (flags & F_RCODE) { union all_addr a; a.log.rcode = RCODE(header); a.log.ede = ede; log_query(F_UPSTREAM | F_RCODE, "opcode", &a, NULL, 0); } if (!(p = skip_questions(header, size))) return 0; if (flags & gotname & F_IPV4) for (start = first; start != last; start++) { struct serv_addr4 *srv = (struct serv_addr4 *)daemon->serverarray[start]; if (srv->flags & SERV_ALL_ZEROS) memset(&addr, 0, sizeof(addr)); else addr.addr4 = srv->addr; if (add_resource_record(header, out_end, &trunc, sizeof(struct dns_header), &p, daemon->local_ttl, NULL, T_A, C_IN, "4", &addr)) anscount++; log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV6, name, (union all_addr *)&addr, NULL, 0); } if (flags & gotname & F_IPV6) for (start = first; start != last; start++) { struct serv_addr6 *srv = (struct serv_addr6 *)daemon->serverarray[start]; if (srv->flags & SERV_ALL_ZEROS) memset(&addr, 0, sizeof(addr)); else addr.addr6 = srv->addr; if (add_resource_record(header, out_end, &trunc, sizeof(struct dns_header), &p, daemon->local_ttl, NULL, T_AAAA, C_IN, "6", &addr)) anscount++; log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV4, name, (union all_addr *)&addr, NULL, 0); } if (trunc) { header->hb3 |= HB3_TC; if (!(p = skip_questions(header, size))) return 0; /* bad packet */ anscount = 0; } header->ancount = htons(anscount); return p - (unsigned char *)header; } #ifdef HAVE_DNSSEC int dnssec_server(struct server *server, char *keyname, int is_ds, int *firstp, int *lastp) { int first, last, index; /* Find server to send DNSSEC query to. This will normally be the same as for the original query, but may be another if servers for domains are involved. */ if (!lookup_domain(keyname, F_SERVER | F_DNSSECOK | (is_ds ? F_DS : 0), &first, &last)) return -1; for (index = first; index != last; index++) if (daemon->serverarray[index] == server) break; /* No match to server used for original query. Use newly looked up set. */ if (index == last) index = daemon->serverarray[first]->last_server == -1 ? first : daemon->serverarray[first]->last_server; if (firstp) *firstp = first; if (lastp) *lastp = last; return index; } #endif /* order by size, then by dictionary order */ static int order(char *qdomain, size_t qlen, struct server *serv) { size_t dlen = 0; /* servers for dotless names always sort last searched for name is never dotless. */ if (serv->flags & SERV_FOR_NODOTS) return -1; dlen = serv->domain_len; if (qlen < dlen) return 1; if (qlen > dlen) return -1; return hostname_order(qdomain, serv->domain); } static int order_servers(struct server *s1, struct server *s2) { int rc; /* need full comparison of dotless servers in order_qsort() and filter_servers() */ if (s1->flags & SERV_FOR_NODOTS) return (s2->flags & SERV_FOR_NODOTS) ? 0 : 1; if ((rc = order(s1->domain, s1->domain_len, s2)) != 0) return rc; /* For identical domains, sort wildcard ones first */ if (s1->flags & SERV_WILDCARD) return (s2->flags & SERV_WILDCARD) ? 0 : 1; return (s2->flags & SERV_WILDCARD) ? -1 : 0; } static int order_qsort(const void *a, const void *b) { int rc; struct server *s1 = *((struct server **)a); struct server *s2 = *((struct server **)b); rc = order_servers(s1, s2); /* Sort all literal NODATA and local IPV4 or IPV6 responses together, in a very specific order IPv6 literal, IPv4 literal, all-zero literal, NXDOMAIN literal. We also include SERV_USE_RESOLV in this, so that use-standard servers sort before ordinary servers. (SERV_USR_RESOLV set implies that none of SERV_LITERAL_ADDRESS,SERV_4ADDR,SERV_6ADDR,SERV_ALL_ZEROS are set) */ if (rc == 0) rc = ((s2->flags & (SERV_LITERAL_ADDRESS | SERV_4ADDR | SERV_6ADDR | SERV_ALL_ZEROS | SERV_USE_RESOLV))) - ((s1->flags & (SERV_LITERAL_ADDRESS | SERV_4ADDR | SERV_6ADDR | SERV_ALL_ZEROS | SERV_USE_RESOLV))); /* Finally, order by appearance in /etc/resolv.conf etc, for --strict-order */ if (rc == 0) if (!(s1->flags & SERV_IS_LOCAL) && !(s2->flags & SERV_IS_LOCAL)) rc = s1->serial - s2->serial; return rc; } /* When loading large numbers of server=.... lines during startup, there's no possibility that there will be server records that can be reused, but searching a long list for each server added grows as O(n^2) and slows things down. This flag is set only if is known there may be free server records that can be reused. There's a call to mark_servers(0) in read_opts() to reset the flag before main config read. */ static int maybe_free_servers = 0; /* Must be called before add_update_server() to set daemon->servers_tail */ void mark_servers(int flag) { struct server *serv, *next, **up; maybe_free_servers = !!flag; daemon->servers_tail = NULL; /* mark everything with argument flag */ for (serv = daemon->servers; serv; serv = serv->next) { if (serv->flags & flag) serv->flags |= SERV_MARK; else serv->flags &= ~SERV_MARK; daemon->servers_tail = serv; } /* --address etc is different: since they are expected to be 1) numerous and 2) not reloaded often. We just delete and recreate. */ if (flag) for (serv = daemon->local_domains, up = &daemon->local_domains; serv; serv = next) { next = serv->next; if (serv->flags & flag) { *up = next; free(serv->domain); free(serv); } else up = &serv->next; } } void cleanup_servers(void) { struct server *serv, *tmp, **up; /* unlink and free anything still marked. */ for (serv = daemon->servers, up = &daemon->servers, daemon->servers_tail = NULL; serv; serv = tmp) { tmp = serv->next; if (serv->flags & SERV_MARK) { server_gone(serv); *up = serv->next; free(serv->domain); free(serv); } else { up = &serv->next; daemon->servers_tail = serv; } } } int add_update_server(int flags, union mysockaddr *addr, union mysockaddr *source_addr, const char *interface, const char *domain, union all_addr *local_addr) { struct server *serv = NULL; char *alloc_domain; if (!domain) domain = ""; /* .domain == domain, for historical reasons. */ if (*domain == '.') while (*domain == '.') domain++; else if (*domain == '*') { domain++; if (*domain != 0) flags |= SERV_WILDCARD; } if (*domain == 0) alloc_domain = whine_malloc(1); else alloc_domain = canonicalise((char *)domain, NULL); if (!alloc_domain) return 0; if (flags & SERV_IS_LOCAL) { size_t size; if (flags & SERV_6ADDR) size = sizeof(struct serv_addr6); else if (flags & SERV_4ADDR) size = sizeof(struct serv_addr4); else size = sizeof(struct serv_local); if (!(serv = whine_malloc(size))) { free(alloc_domain); return 0; } serv->next = daemon->local_domains; daemon->local_domains = serv; if (flags & SERV_4ADDR) ((struct serv_addr4*)serv)->addr = local_addr->addr4; if (flags & SERV_6ADDR) ((struct serv_addr6*)serv)->addr = local_addr->addr6; } else { /* Upstream servers. See if there is a suitable candidate, if so unmark and move to the end of the list, for order. The entry found may already be at the end. */ struct server **up, *tmp; serv = NULL; if (maybe_free_servers) for (serv = daemon->servers, up = &daemon->servers; serv; serv = tmp) { tmp = serv->next; if ((serv->flags & SERV_MARK) && hostname_isequal(alloc_domain, serv->domain)) { /* Need to move down? */ if (serv->next) { *up = serv->next; daemon->servers_tail->next = serv; daemon->servers_tail = serv; serv->next = NULL; } break; } else up = &serv->next; } if (serv) { free(alloc_domain); alloc_domain = serv->domain; } else { if (!(serv = whine_malloc(sizeof(struct server)))) { free(alloc_domain); return 0; } memset(serv, 0, sizeof(struct server)); /* Add to the end of the chain, for order */ if (daemon->servers_tail) daemon->servers_tail->next = serv; else daemon->servers = serv; daemon->servers_tail = serv; } #ifdef HAVE_LOOP serv->uid = rand32(); #endif if (interface) safe_strncpy(serv->interface, interface, sizeof(serv->interface)); if (addr) serv->addr = *addr; if (source_addr) serv->source_addr = *source_addr; serv->tcpfd = -1; } serv->flags = flags; serv->domain = alloc_domain; serv->domain_len = strlen(alloc_domain); return 1; } dnsmasq-2.93/src/ipset.c0000664000175000017500000001417315210262712013362 0ustar srksrk/* ipset.c is Copyright (c) 2013 Jason A. Donenfeld . All Rights Reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 dated June, 1991, or (at your option) version 3 dated 29 June, 2007. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ #include "dnsmasq.h" #if defined(HAVE_LINUX_IPSET) #include #include #include #include #include #include /* We want to be able to compile against old header files Kernel version is handled at run-time. */ #define NFNL_SUBSYS_IPSET 6 #define IPSET_ATTR_DATA 7 #define IPSET_ATTR_IP 1 #define IPSET_ATTR_IPADDR_IPV4 1 #define IPSET_ATTR_IPADDR_IPV6 2 #define IPSET_ATTR_PROTOCOL 1 #define IPSET_ATTR_SETNAME 2 #define IPSET_CMD_ADD 9 #define IPSET_CMD_DEL 10 #define IPSET_MAXNAMELEN 32 #define IPSET_PROTOCOL 6 #ifndef NFNETLINK_V0 #define NFNETLINK_V0 0 #endif #ifndef NLA_F_NESTED #define NLA_F_NESTED (1 << 15) #endif #ifndef NLA_F_NET_BYTEORDER #define NLA_F_NET_BYTEORDER (1 << 14) #endif struct my_nlattr { __u16 nla_len; __u16 nla_type; }; struct my_nfgenmsg { __u8 nfgen_family; /* AF_xxx */ __u8 version; /* nfnetlink version */ __be16 res_id; /* resource id */ }; /* data structure size in here is fixed */ #define BUFF_SZ 256 #define NL_ALIGN(len) (((len)+3) & ~(3)) static const struct sockaddr_nl snl = { .nl_family = AF_NETLINK }; static int ipset_sock, old_kernel; static char *buffer; static inline void add_attr(struct nlmsghdr *nlh, uint16_t type, size_t len, const void *data) { struct my_nlattr *attr = (struct my_nlattr *)((u8 *)nlh + NL_ALIGN(nlh->nlmsg_len)); uint16_t payload_len = NL_ALIGN(sizeof(struct my_nlattr)) + len; attr->nla_type = type; attr->nla_len = payload_len; memcpy((u8 *)attr + NL_ALIGN(sizeof(struct my_nlattr)), data, len); nlh->nlmsg_len += NL_ALIGN(payload_len); } void ipset_init(void) { old_kernel = (daemon->kernel_version < KERNEL_VERSION(2,6,32)); if (old_kernel && (ipset_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) != -1) return; if (!old_kernel && (buffer = safe_malloc(BUFF_SZ)) && (ipset_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)) != -1 && (bind(ipset_sock, (struct sockaddr *)&snl, sizeof(snl)) != -1)) return; die (_("failed to create IPset control socket: %s"), NULL, EC_MISC); } static int new_add_to_ipset(const char *setname, const union all_addr *ipaddr, int af, int remove) { struct nlmsghdr *nlh; struct my_nfgenmsg *nfg; struct my_nlattr *nested[2]; uint8_t proto; int addrsz = (af == AF_INET6) ? IN6ADDRSZ : INADDRSZ; if (strlen(setname) >= IPSET_MAXNAMELEN) { errno = ENAMETOOLONG; return -1; } memset(buffer, 0, BUFF_SZ); nlh = (struct nlmsghdr *)buffer; nlh->nlmsg_len = NL_ALIGN(sizeof(struct nlmsghdr)); nlh->nlmsg_type = (remove ? IPSET_CMD_DEL : IPSET_CMD_ADD) | (NFNL_SUBSYS_IPSET << 8); nlh->nlmsg_flags = NLM_F_REQUEST; nfg = (struct my_nfgenmsg *)(buffer + nlh->nlmsg_len); nlh->nlmsg_len += NL_ALIGN(sizeof(struct my_nfgenmsg)); nfg->nfgen_family = af; nfg->version = NFNETLINK_V0; nfg->res_id = htons(0); proto = IPSET_PROTOCOL; add_attr(nlh, IPSET_ATTR_PROTOCOL, sizeof(proto), &proto); add_attr(nlh, IPSET_ATTR_SETNAME, strlen(setname) + 1, setname); nested[0] = (struct my_nlattr *)(buffer + NL_ALIGN(nlh->nlmsg_len)); nlh->nlmsg_len += NL_ALIGN(sizeof(struct my_nlattr)); nested[0]->nla_type = NLA_F_NESTED | IPSET_ATTR_DATA; nested[1] = (struct my_nlattr *)(buffer + NL_ALIGN(nlh->nlmsg_len)); nlh->nlmsg_len += NL_ALIGN(sizeof(struct my_nlattr)); nested[1]->nla_type = NLA_F_NESTED | IPSET_ATTR_IP; add_attr(nlh, (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6) | NLA_F_NET_BYTEORDER, addrsz, ipaddr); nested[1]->nla_len = (u8 *)buffer + NL_ALIGN(nlh->nlmsg_len) - (u8 *)nested[1]; nested[0]->nla_len = (u8 *)buffer + NL_ALIGN(nlh->nlmsg_len) - (u8 *)nested[0]; while (retry_send(sendto(ipset_sock, buffer, nlh->nlmsg_len, 0, (struct sockaddr *)&snl, sizeof(snl)))); return errno == 0 ? 0 : -1; } static int old_add_to_ipset(const char *setname, const union all_addr *ipaddr, int remove) { socklen_t size; struct ip_set_req_adt_get { unsigned op; unsigned version; union { char name[IPSET_MAXNAMELEN]; uint16_t index; } set; char typename[IPSET_MAXNAMELEN]; } req_adt_get; struct ip_set_req_adt { unsigned op; uint16_t index; uint32_t ip; } req_adt; if (strlen(setname) >= sizeof(req_adt_get.set.name)) { errno = ENAMETOOLONG; return -1; } req_adt_get.op = 0x10; req_adt_get.version = 3; strcpy(req_adt_get.set.name, setname); size = sizeof(req_adt_get); if (getsockopt(ipset_sock, SOL_IP, 83, &req_adt_get, &size) < 0) return -1; req_adt.op = remove ? 0x102 : 0x101; req_adt.index = req_adt_get.set.index; req_adt.ip = ntohl(ipaddr->addr4.s_addr); if (setsockopt(ipset_sock, SOL_IP, 83, &req_adt, sizeof(req_adt)) < 0) return -1; return 0; } int add_to_ipset(const char *setname, const union all_addr *ipaddr, int flags, int remove) { int ret = 0, af = AF_INET; if (flags & F_IPV6) { af = AF_INET6; /* old method only supports IPv4 */ if (old_kernel) { errno = EAFNOSUPPORT ; ret = -1; } } if (ret != -1) ret = old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove); if (ret == -1) my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno)); return ret; } #endif dnsmasq-2.93/src/auth.c0000664000175000017500000006144415210262712013202 0ustar srksrk/* dnsmasq is Copyright (c) 2000-2026 Simon Kelley This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 dated June, 1991, or (at your option) version 3 dated 29 June, 2007. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ #include "dnsmasq.h" #ifdef HAVE_AUTH static struct addrlist *find_addrlist(struct addrlist *list, int flag, union all_addr *addr_u) { do { if (!(list->flags & ADDRLIST_IPV6)) { struct in_addr netmask, addr = addr_u->addr4; if (!(flag & F_IPV4)) continue; netmask.s_addr = htonl(~(in_addr_t)0 << (32 - list->prefixlen)); if (is_same_net(addr, list->addr.addr4, netmask)) return list; } else if (is_same_net6(&(addr_u->addr6), &list->addr.addr6, list->prefixlen)) return list; } while ((list = list->next)); return NULL; } static struct addrlist *find_subnet(struct auth_zone *zone, int flag, union all_addr *addr_u) { if (!zone->subnet) return NULL; return find_addrlist(zone->subnet, flag, addr_u); } static struct addrlist *find_exclude(struct auth_zone *zone, int flag, union all_addr *addr_u) { if (!zone->exclude) return NULL; return find_addrlist(zone->exclude, flag, addr_u); } static int filter_zone(struct auth_zone *zone, int flag, union all_addr *addr_u) { if (find_exclude(zone, flag, addr_u)) return 0; /* No subnets specified, no filter */ if (!zone->subnet) return 1; return find_subnet(zone, flag, addr_u) != NULL; } int in_zone(struct auth_zone *zone, char *name, char **cut) { size_t namelen = strlen(name); size_t domainlen = strlen(zone->domain); if (cut) *cut = NULL; if (namelen >= domainlen && hostname_isequal(zone->domain, &name[namelen - domainlen])) { if (namelen == domainlen) return 1; if (name[namelen - domainlen - 1] == '.') { if (cut) *cut = &name[namelen - domainlen - 1]; return 1; } } return 0; } size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr, int local_query) { char *name = daemon->namebuff; unsigned char *p, *ansp; int qtype, qclass, rc; int nameoffset, axfroffset = 0; int anscount = 0, authcount = 0; struct crec *crecp; int auth = !local_query, trunc = 0, nxdomain = 1, soa = 0, ns = 0, axfr = 0, out_of_zone = 0, notimp = 0; struct auth_zone *zone = NULL; struct addrlist *subnet = NULL; char *cut; struct mx_srv_record *rec, *move, **up; struct txt_record *txt; struct interface_name *intr; struct naptr *na; union all_addr addr; struct cname *a, *candidate; unsigned int wclen; unsigned int log_flags = local_query ? 0 : F_NOERR; if (ntohs(header->qdcount) != 1) return 0; /* determine end of question section (we put answers there) */ if (!(ansp = skip_questions(header, qlen))) return 0; /* bad packet */ p = (unsigned char *)(header+1); if (OPCODE(header) != QUERY) notimp = 1; else { unsigned int flag = 0; int found = 0; int cname_wildcard = 0; /* save pointer to name for copying into answers */ nameoffset = p - (unsigned char *)header; /* now extract name as .-concatenated string into name */ if (!extract_name(header, qlen, &p, name, EXTR_NAME_EXTRACT, 4)) return 0; /* bad packet */ GETSHORT(qtype, p); GETSHORT(qclass, p); if (qclass != C_IN) { auth = 0; out_of_zone = 1; goto done; } if ((qtype == T_PTR || qtype == T_SOA || qtype == T_NS) && (flag = in_arpa_name_2_addr(name, &addr)) && !local_query) { for (zone = daemon->auth_zones; zone; zone = zone->next) if ((subnet = find_subnet(zone, flag, &addr))) break; if (!zone) { out_of_zone = 1; auth = 0; goto done; } else if (qtype == T_SOA) soa = 1, found = 1; else if (qtype == T_NS) ns = 1, found = 1; } if (qtype == T_PTR && flag) { intr = NULL; if (flag == F_IPV4) for (intr = daemon->int_names; intr; intr = intr->next) { struct addrlist *addrlist; for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) if (!(addrlist->flags & ADDRLIST_IPV6) && addr.addr4.s_addr == addrlist->addr.addr4.s_addr) break; if (addrlist) break; else while (intr->next && strcmp(intr->intr, intr->next->intr) == 0) intr = intr->next; } else if (flag == F_IPV6) for (intr = daemon->int_names; intr; intr = intr->next) { struct addrlist *addrlist; for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) if ((addrlist->flags & ADDRLIST_IPV6) && IN6_ARE_ADDR_EQUAL(&addr.addr6, &addrlist->addr.addr6)) break; if (addrlist) break; else while (intr->next && strcmp(intr->intr, intr->next->intr) == 0) intr = intr->next; } if (intr) { if (local_query || in_zone(zone, intr->name, NULL)) { found = 1; log_query(log_flags | flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL, 0); if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, NULL, T_PTR, C_IN, "d", intr->name)) anscount++; } } if ((crecp = cache_find_by_addr(NULL, &addr, now, flag))) do { strcpy(name, cache_get_name(crecp)); if (crecp->flags & F_DHCP && !option_bool(OPT_DHCP_FQDN)) { char *p = strchr(name, '.'); if (p) *p = 0; /* must be bare name */ /* add external domain */ if (zone) { strcat(name, "."); strcat(name, zone->domain); } log_query(log_flags | flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid), 0); found = 1; if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, NULL, T_PTR, C_IN, "d", name)) anscount++; } else if (crecp->flags & (F_DHCP | F_HOSTS) && (local_query || in_zone(zone, name, NULL))) { log_query(log_flags | (crecp->flags & ~F_FORWARD), name, &addr, record_source(crecp->uid), 0); found = 1; if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, NULL, T_PTR, C_IN, "d", name)) anscount++; } else continue; } while ((crecp = cache_find_by_addr(crecp, &addr, now, flag))); if (!found && is_rev_synth(flag, &addr, name) && (local_query || in_zone(zone, name, NULL))) { log_query(log_flags | F_CONFIG | F_REVERSE | flag, name, &addr, NULL, 0); found = 1; if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, NULL, T_PTR, C_IN, "d", name)) anscount++; } if (found) nxdomain = 0; else log_query(log_flags | flag | F_NEG | F_NXDOMAIN | F_REVERSE | (auth ? F_AUTH : 0), NULL, &addr, NULL, 0); goto done; } cname_restart: if (found) /* NS and SOA .arpa requests have set found above. */ cut = NULL; else { for (zone = daemon->auth_zones; zone; zone = zone->next) if (in_zone(zone, name, &cut)) break; if (!zone) { out_of_zone = 1; auth = 0; goto done; } } for (rec = daemon->mxnames; rec; rec = rec->next) if (!rec->issrv && (rc = hostname_issubdomain(name, rec->name))) { nxdomain = 0; if (rc == 2 && qtype == T_MX) { found = 1; log_query(log_flags | F_CONFIG | F_RRNAME, name, NULL, "", 0); if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, NULL, T_MX, C_IN, "sd", rec->weight, rec->target)) anscount++; } } for (move = NULL, up = &daemon->mxnames, rec = daemon->mxnames; rec; rec = rec->next) if (rec->issrv && (rc = hostname_issubdomain(name, rec->name))) { nxdomain = 0; if (rc == 2 && qtype == T_SRV) { found = 1; log_query(log_flags | F_CONFIG | F_RRNAME, name, NULL, "", 0); if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, NULL, T_SRV, C_IN, "sssd", rec->priority, rec->weight, rec->srvport, rec->target)) anscount++; } /* unlink first SRV record found */ if (!move) { move = rec; *up = rec->next; } else up = &rec->next; } else up = &rec->next; /* put first SRV record back at the end. */ if (move) { *up = move; move->next = NULL; } for (txt = daemon->rr; txt; txt = txt->next) if ((rc = hostname_issubdomain(name, txt->name))) { nxdomain = 0; if (rc == 2 && txt->class == qtype) { found = 1; log_query(log_flags | F_CONFIG | F_RRNAME, name, NULL, NULL, txt->class); if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, NULL, txt->class, C_IN, "t", txt->len, txt->txt)) anscount++; } } for (txt = daemon->txt; txt; txt = txt->next) if (txt->class == C_IN && (rc = hostname_issubdomain(name, txt->name))) { nxdomain = 0; if (rc == 2 && qtype == T_TXT) { found = 1; log_query(log_flags | F_CONFIG | F_RRNAME, name, NULL, "", 0); if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, NULL, T_TXT, C_IN, "t", txt->len, txt->txt)) anscount++; } } for (na = daemon->naptr; na; na = na->next) if ((rc = hostname_issubdomain(name, na->name))) { nxdomain = 0; if (rc == 2 && qtype == T_NAPTR) { found = 1; log_query(log_flags | F_CONFIG | F_RRNAME, name, NULL, "", 0); if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, NULL, T_NAPTR, C_IN, "sszzzd", na->order, na->pref, na->flags, na->services, na->regexp, na->replace)) anscount++; } } if (qtype == T_A) flag = F_IPV4; if (qtype == T_AAAA) flag = F_IPV6; for (intr = daemon->int_names; intr; intr = intr->next) if ((rc = hostname_issubdomain(name, intr->name))) { struct addrlist *addrlist; nxdomain = 0; if (rc == 2 && flag) for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == qtype && (local_query || filter_zone(zone, flag, &addrlist->addr))) { if (addrlist->flags & ADDRLIST_REVONLY) continue; found = 1; log_query(log_flags | F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL, 0); if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, NULL, qtype, C_IN, qtype == T_A ? "4" : "6", &addrlist->addr)) anscount++; } } if (!found && is_name_synthetic(flag, name, &addr) ) { nxdomain = 0; log_query(log_flags | F_FORWARD | F_CONFIG | flag, name, &addr, NULL, 0); if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, NULL, qtype, C_IN, qtype == T_A ? "4" : "6", &addr)) anscount++; } if (!cut) { nxdomain = 0; if (qtype == T_SOA) { auth = soa = 1; /* inhibits auth section */ log_query(log_flags | F_RRNAME | F_AUTH, zone->domain, NULL, "", 0); } else if (qtype == T_AXFR) { struct iname *peers; if (peer_addr->sa.sa_family == AF_INET) peer_addr->in.sin_port = 0; else { peer_addr->in6.sin6_port = 0; peer_addr->in6.sin6_scope_id = 0; } for (peers = daemon->auth_peers; peers; peers = peers->next) if (sockaddr_isequal(peer_addr, &peers->addr)) break; /* Refuse all AXFR unless --auth-sec-servers or auth-peers is set */ if ((!daemon->secondary_forward_server && !daemon->auth_peers) || (daemon->auth_peers && !peers)) { if (peer_addr->sa.sa_family == AF_INET) inet_ntop(AF_INET, &peer_addr->in.sin_addr, daemon->addrbuff, ADDRSTRLEN); else inet_ntop(AF_INET6, &peer_addr->in6.sin6_addr, daemon->addrbuff, ADDRSTRLEN); my_syslog(LOG_WARNING, _("ignoring zone transfer request from %s"), daemon->addrbuff); return 0; } auth = 1; soa = 1; /* inhibits auth section */ ns = 1; /* ensure we include NS records! */ axfr = 1; axfroffset = nameoffset; log_query(log_flags | F_RRNAME | F_AUTH, zone->domain, NULL, "", 0); } else if (qtype == T_NS) { auth = 1; ns = 1; /* inhibits auth section */ log_query(log_flags | F_RRNAME | F_AUTH, zone->domain, NULL, "", 0); } } if (!option_bool(OPT_DHCP_FQDN) && cut) { *cut = 0; /* remove domain part */ if (!strchr(name, '.') && (crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6))) { if (crecp->flags & F_DHCP) do { nxdomain = 0; if ((crecp->flags & flag) && (local_query || filter_zone(zone, flag, &(crecp->addr)))) { *cut = '.'; /* restore domain part */ log_query(log_flags | crecp->flags, name, &crecp->addr, record_source(crecp->uid), 0); *cut = 0; /* remove domain part */ if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, NULL, qtype, C_IN, qtype == T_A ? "4" : "6", &crecp->addr)) anscount++; } } while ((crecp = cache_find_by_name(crecp, name, now, F_IPV4 | F_IPV6))); } *cut = '.'; /* restore domain part */ } if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6))) { if ((crecp->flags & F_HOSTS) || (((crecp->flags & F_DHCP) && option_bool(OPT_DHCP_FQDN)))) do { nxdomain = 0; if ((crecp->flags & flag) && (local_query || filter_zone(zone, flag, &(crecp->addr)))) { log_query(log_flags | (crecp->flags & ~F_REVERSE), name, &crecp->addr, record_source(crecp->uid), 0); if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, NULL, qtype, C_IN, qtype == T_A ? "4" : "6", &crecp->addr)) anscount++; } } while ((crecp = cache_find_by_name(crecp, name, now, F_IPV4 | F_IPV6))); } /* Only supply CNAME if no record for any type is known. */ if (nxdomain) { /* Check for possible wildcard match against *.domain return length of match, to get longest. Note that if return length of wildcard section, so we match b.simon to _both_ *.simon and b.simon but return a longer (better) match to b.simon. */ for (wclen = 0, candidate = NULL, a = daemon->cnames; a; a = a->next) if (a->alias[0] == '*') { char *test = name; while ((test = strchr(test+1, '.'))) { if (hostname_isequal(test, &(a->alias[1]))) { if (strlen(test) > wclen && !cname_wildcard) { wclen = strlen(test); candidate = a; cname_wildcard = 1; } break; } } } else if (hostname_isequal(a->alias, name) && strlen(a->alias) > wclen) { /* Simple case, no wildcard */ wclen = strlen(a->alias); candidate = a; } if (candidate) { log_query(log_flags | F_CONFIG | F_CNAME, name, NULL, NULL, 0); strcpy(name, candidate->target); if (!strchr(name, '.')) { strcat(name, "."); strcat(name, zone->domain); } found = 1; if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, &nameoffset, T_CNAME, C_IN, "d", name)) anscount++; goto cname_restart; } else if (cache_find_non_terminal(name, now)) nxdomain = 0; log_query(log_flags | flag | F_NEG | (nxdomain ? F_NXDOMAIN : 0) | F_FORWARD | F_AUTH, name, NULL, NULL, 0); } } done: /* Add auth section */ if (auth && zone) { char *authname; int newoffset = ansp - (unsigned char *)header, offset = 0; if (!subnet) authname = zone->domain; else { /* handle NS and SOA for PTR records */ authname = name; if (!(subnet->flags & ADDRLIST_IPV6)) { in_addr_t a = ntohl(subnet->addr.addr4.s_addr) >> 8; char *p = name; if (subnet->prefixlen >= 24) p += sprintf(p, "%u.", a & 0xff); a = a >> 8; if (subnet->prefixlen >= 16 ) p += sprintf(p, "%u.", a & 0xff); a = a >> 8; sprintf(p, "%u.in-addr.arpa", a & 0xff); } else { char *p = name; int i; for (i = subnet->prefixlen-1; i >= 0; i -= 4) { int dig = ((unsigned char *)&subnet->addr.addr6)[i>>3]; p += sprintf(p, "%.1x.", (i>>2) & 1 ? dig & 15 : dig >> 4); } sprintf(p, "ip6.arpa"); } } /* handle NS and SOA in auth section or for explicit queries */ if (((anscount == 0 && !ns) || soa) && add_resource_record(header, limit, &trunc, 0, &ansp, daemon->auth_ttl, NULL, T_SOA, C_IN, "ddlllll", authname, daemon->authserver, daemon->hostmaster, daemon->soa_sn, daemon->soa_refresh, daemon->soa_retry, daemon->soa_expiry, daemon->auth_ttl)) { offset = newoffset; if (soa) anscount++; else authcount++; } if (anscount != 0 || ns) { struct name_list *secondary; /* Only include the machine running dnsmasq if it's acting as an auth server */ if (daemon->authinterface) { if (add_resource_record(header, limit, &trunc, -offset, &ansp, daemon->auth_ttl, NULL, T_NS, C_IN, "d", offset == 0 ? authname : NULL, daemon->authserver)) { if (offset == 0) offset = newoffset; if (ns) anscount++; else authcount++; } } if (!subnet) for (secondary = daemon->secondary_forward_server; secondary; secondary = secondary->next) if (add_resource_record(header, limit, &trunc, -offset, &ansp, daemon->auth_ttl, NULL, T_NS, C_IN, "d", offset == 0 ? authname : NULL, secondary->name)) { if (offset == 0) offset = newoffset; if (ns) anscount++; else authcount++; } } if (axfr) { for (rec = daemon->mxnames; rec; rec = rec->next) if (in_zone(zone, rec->name, &cut)) { if (cut) *cut = 0; if (rec->issrv) { if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl, NULL, T_SRV, C_IN, "sssd", cut ? rec->name : NULL, rec->priority, rec->weight, rec->srvport, rec->target)) anscount++; } else { if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl, NULL, T_MX, C_IN, "sd", cut ? rec->name : NULL, rec->weight, rec->target)) anscount++; } /* restore config data */ if (cut) *cut = '.'; } for (txt = daemon->rr; txt; txt = txt->next) if (in_zone(zone, txt->name, &cut)) { if (cut) *cut = 0; if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl, NULL, txt->class, C_IN, "t", cut ? txt->name : NULL, txt->len, txt->txt)) anscount++; /* restore config data */ if (cut) *cut = '.'; } for (txt = daemon->txt; txt; txt = txt->next) if (txt->class == C_IN && in_zone(zone, txt->name, &cut)) { if (cut) *cut = 0; if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl, NULL, T_TXT, C_IN, "t", cut ? txt->name : NULL, txt->len, txt->txt)) anscount++; /* restore config data */ if (cut) *cut = '.'; } for (na = daemon->naptr; na; na = na->next) if (in_zone(zone, na->name, &cut)) { if (cut) *cut = 0; if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl, NULL, T_NAPTR, C_IN, "sszzzd", cut ? na->name : NULL, na->order, na->pref, na->flags, na->services, na->regexp, na->replace)) anscount++; /* restore config data */ if (cut) *cut = '.'; } for (intr = daemon->int_names; intr; intr = intr->next) if (in_zone(zone, intr->name, &cut)) { struct addrlist *addrlist; if (cut) *cut = 0; for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) if (!(addrlist->flags & ADDRLIST_IPV6) && (local_query || filter_zone(zone, F_IPV4, &addrlist->addr)) && add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl, NULL, T_A, C_IN, "4", cut ? intr->name : NULL, &addrlist->addr)) anscount++; for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) if ((addrlist->flags & ADDRLIST_IPV6) && (local_query || filter_zone(zone, F_IPV6, &addrlist->addr)) && add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl, NULL, T_AAAA, C_IN, "6", cut ? intr->name : NULL, &addrlist->addr)) anscount++; /* restore config data */ if (cut) *cut = '.'; } for (a = daemon->cnames; a; a = a->next) if (in_zone(zone, a->alias, &cut)) { strcpy(name, a->target); if (!strchr(name, '.')) { strcat(name, "."); strcat(name, zone->domain); } if (cut) *cut = 0; if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl, NULL, T_CNAME, C_IN, "d", cut ? a->alias : NULL, name)) anscount++; } cache_enumerate(1); while ((crecp = cache_enumerate(0))) { if ((crecp->flags & (F_IPV4 | F_IPV6)) && !(crecp->flags & (F_NEG | F_NXDOMAIN)) && (crecp->flags & F_FORWARD)) { if ((crecp->flags & F_DHCP) && !option_bool(OPT_DHCP_FQDN)) { char *cache_name = cache_get_name(crecp); if (!strchr(cache_name, '.') && (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr))) && add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl, NULL, (crecp->flags & F_IPV6) ? T_AAAA : T_A, C_IN, (crecp->flags & F_IPV4) ? "4" : "6", cache_name, &crecp->addr)) anscount++; } if ((crecp->flags & F_HOSTS) || (((crecp->flags & F_DHCP) && option_bool(OPT_DHCP_FQDN)))) { strcpy(name, cache_get_name(crecp)); if (in_zone(zone, name, &cut) && (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr)))) { if (cut) *cut = 0; if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl, NULL, (crecp->flags & F_IPV6) ? T_AAAA : T_A, C_IN, (crecp->flags & F_IPV4) ? "4" : "6", cut ? name : NULL, &crecp->addr)) anscount++; } } } } /* repeat SOA as last record */ if (add_resource_record(header, limit, &trunc, axfroffset, &ansp, daemon->auth_ttl, NULL, T_SOA, C_IN, "ddlllll", daemon->authserver, daemon->hostmaster, daemon->soa_sn, daemon->soa_refresh, daemon->soa_retry, daemon->soa_expiry, daemon->auth_ttl)) anscount++; } } /* done all questions, set up header and return length of result */ /* clear authoritative and truncated flags, set QR flag */ header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR; if (local_query) { /* set RA flag */ header->hb4 |= HB4_RA; } else { /* clear RA flag */ header->hb4 &= ~HB4_RA; } /* data is never DNSSEC signed. */ header->hb4 &= ~HB4_AD; /* authoritative */ if (auth) header->hb3 |= HB3_AA; /* truncation */ if (trunc) { header->hb3 |= HB3_TC; if (!(ansp = skip_questions(header, qlen))) return 0; /* bad packet */ anscount = authcount = 0; log_query(log_flags | F_AUTH, "reply", NULL, "truncated", 0); } if ((auth || local_query) && nxdomain) SET_RCODE(header, NXDOMAIN); else SET_RCODE(header, NOERROR); /* no error */ header->ancount = htons(anscount); header->nscount = htons(authcount); header->arcount = htons(0); if ((!local_query && out_of_zone) || notimp) { if (out_of_zone) { addr.log.rcode = REFUSED; addr.log.ede = EDE_NOT_AUTH; } else { addr.log.rcode = NOTIMP; addr.log.ede = EDE_UNSET; } SET_RCODE(header, addr.log.rcode); header->ancount = htons(0); header->nscount = htons(0); log_query(log_flags | F_UPSTREAM | F_RCODE, "error", &addr, NULL, 0); return resize_packet(header, ansp - (unsigned char *)header, NULL, 0); } return ansp - (unsigned char *)header; } #endif dnsmasq-2.93/src/dnsmasq.h0000664000175000017500000017344615210262712013722 0ustar srksrk/* dnsmasq is Copyright (c) 2000-2026 Simon Kelley This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 dated June, 1991, or (at your option) version 3 dated 29 June, 2007. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ #define COPYRIGHT "Copyright (c) 2000-2026 Simon Kelley" /* We do defines that influence behavior of stdio.h, so complain if included too early. */ #ifdef _STDIO_H # error "Header file stdio.h included too early!" #endif #ifndef NO_LARGEFILE /* Ensure we can use files >2GB (log files may grow this big) */ # define _LARGEFILE_SOURCE 1 # define _FILE_OFFSET_BITS 64 #endif /* Get linux C library versions and define _GNU_SOURCE for kFreeBSD. */ #if defined(__linux__) || defined(__GLIBC__) # ifndef __ANDROID__ # define _GNU_SOURCE # endif # include #endif /* Need these defined early */ #if defined(__sun) || defined(__sun__) # define _XPG4_2 # define __EXTENSIONS__ #endif #if (defined(__GNUC__) && __GNUC__ >= 3) || defined(__clang__) #define ATTRIBUTE_NORETURN __attribute__ ((noreturn)) #else #define ATTRIBUTE_NORETURN #endif #if __GNUC__ + 0 >= 8 // clang 20.1.0 does not yet support this #define ATTRIBUTE_NONSTRING __attribute__ ((nonstring)) #else #define ATTRIBUTE_NONSTRING #endif /* get these before config.h for IPv6 stuff... */ #include #include #ifdef __APPLE__ /* Define before netinet/in.h to select API. OSX Lion onwards. */ # define __APPLE_USE_RFC_3542 #endif #include /* Also needed before config.h. */ #include #include "config.h" #include "ip6addr.h" #include "metrics.h" typedef unsigned char u8; typedef unsigned short u16; typedef unsigned int u32; typedef unsigned long long u64; #define countof(x) (long)(sizeof(x) / sizeof(x[0])) #define MIN(a,b) ((a) < (b) ? (a) : (b)) #include "dns-protocol.h" #include "dhcp-protocol.h" #ifdef HAVE_DHCP6 #include "dhcp6-protocol.h" #include "radv-protocol.h" #endif #define gettext_noop(S) (S) #ifndef LOCALEDIR # define _(S) (S) #else # include # include # define _(S) gettext(S) #endif #include #include #include #if defined(HAVE_SOLARIS_NETWORK) # include #endif #include #include #include #include #include #include #if defined(HAVE_SOLARIS_NETWORK) && !defined(ifr_mtu) /* Some solaris net/if./h omit this. */ # define ifr_mtu ifr_ifru.ifru_metric #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__sun__) || defined (__sun) || defined (__ANDROID__) # include #else # include #endif #include #include #include #include #include #include #include #include #include #include #ifndef HAVE_LINUX_NETWORK # include #endif #if defined(HAVE_LINUX_NETWORK) #include #include #include /* There doesn't seem to be a universally-available userspace header for these. */ extern int capset(cap_user_header_t header, cap_user_data_t data); extern int capget(cap_user_header_t header, cap_user_data_t data); #define LINUX_CAPABILITY_VERSION_1 0x19980330 #define LINUX_CAPABILITY_VERSION_2 0x20071026 #define LINUX_CAPABILITY_VERSION_3 0x20080522 #include #elif defined(HAVE_SOLARIS_NETWORK) #include #endif #if defined(HAVE_DNSSEC) # include #endif /* daemon is function in the C library.... */ #define daemon dnsmasq_daemon #define ADDRSTRLEN INET6_ADDRSTRLEN /* Async event queue */ struct event_desc { int event, data, msg_sz; }; #define EVENT_RELOAD 1 #define EVENT_DUMP 2 #define EVENT_ALARM 3 #define EVENT_TERM 4 #define EVENT_CHILD 5 #define EVENT_REOPEN 6 #define EVENT_EXITED 7 #define EVENT_KILLED 8 #define EVENT_EXEC_ERR 9 #define EVENT_PIPE_ERR 10 #define EVENT_USER_ERR 11 #define EVENT_CAP_ERR 12 #define EVENT_PIDFILE 13 #define EVENT_HUSER_ERR 14 #define EVENT_GROUP_ERR 15 #define EVENT_DIE 16 #define EVENT_LOG_ERR 17 #define EVENT_FORK_ERR 18 #define EVENT_LUA_ERR 19 #define EVENT_TFTP_ERR 20 #define EVENT_INIT 21 #define EVENT_NEWADDR 22 #define EVENT_NEWROUTE 23 #define EVENT_TIME_ERR 24 #define EVENT_SCRIPT_LOG 25 #define EVENT_TIME 26 #define EVENT_LINK_ERR 27 #define EVENT_INOTFY_ERR 28 #define EVENT_TMSL_ERR 29 #define EVENT_RESOLV_ERR 30 #define EVENT_IFILE_ERR 31 /* Exit codes. */ #define EC_GOOD 0 #define EC_BADCONF 1 #define EC_BADNET 2 #define EC_FILE 3 #define EC_NOMEM 4 #define EC_MISC 5 #define EC_INIT_OFFSET 10 #define OPT_BOGUSPRIV 0 #define OPT_FILTER 1 #define OPT_LOG 2 #define OPT_SELFMX 3 #define OPT_NO_HOSTS 4 #define OPT_NO_POLL 5 #define OPT_DEBUG 6 #define OPT_ORDER 7 #define OPT_NO_RESOLV 8 #define OPT_EXPAND 9 #define OPT_LOCALMX 10 #define OPT_NO_NEG 11 #define OPT_NODOTS_LOCAL 12 #define OPT_NOWILD 13 #define OPT_ETHERS 14 #define OPT_RESOLV_DOMAIN 15 #define OPT_NO_FORK 16 #define OPT_AUTHORITATIVE 17 #define OPT_LOCALISE 18 #define OPT_DBUS 19 #define OPT_DHCP_FQDN 20 #define OPT_NO_PING 21 #define OPT_LEASE_RO 22 #define OPT_ALL_SERVERS 23 #define OPT_RELOAD 24 #define OPT_LOCAL_REBIND 25 #define OPT_TFTP_SECURE 26 #define OPT_TFTP_NOBLOCK 27 #define OPT_LOG_OPTS 28 #define OPT_TFTP_APREF_IP 29 #define OPT_NO_OVERRIDE 30 #define OPT_NO_REBIND 31 #define OPT_ADD_MAC 32 #define OPT_DNSSEC_PROXY 33 #define OPT_CONSEC_ADDR 34 #define OPT_CONNTRACK 35 #define OPT_FQDN_UPDATE 36 #define OPT_RA 37 #define OPT_TFTP_LC 38 #define OPT_CLEVERBIND 39 #define OPT_TFTP 40 #define OPT_CLIENT_SUBNET 41 #define OPT_QUIET_DHCP 42 #define OPT_QUIET_DHCP6 43 #define OPT_QUIET_RA 44 #define OPT_DNSSEC_VALID 45 #define OPT_DNSSEC_TIME 46 #define OPT_DNSSEC_DEBUG 47 #define OPT_DNSSEC_IGN_NS 48 #define OPT_LOCAL_SERVICE 49 #define OPT_LOOP_DETECT 50 #define OPT_EXTRALOG 51 #define OPT_TFTP_NO_FAIL 52 #define OPT_SCRIPT_ARP 53 #define OPT_MAC_B64 54 #define OPT_MAC_HEX 55 #define OPT_TFTP_APREF_MAC 56 #define OPT_RAPID_COMMIT 57 #define OPT_UBUS 58 #define OPT_IGNORE_CLID 59 #define OPT_SINGLE_PORT 60 #define OPT_LEASE_RENEW 61 #define OPT_LOG_DEBUG 62 #define OPT_UMBRELLA 63 #define OPT_UMBRELLA_DEVID 64 #define OPT_CMARK_ALST_EN 65 #define OPT_QUIET_TFTP 66 #define OPT_STRIP_ECS 67 #define OPT_STRIP_MAC 68 #define OPT_NORR 69 #define OPT_NO_IDENT 70 #define OPT_CACHE_RR 71 #define OPT_LOCALHOST_SERVICE 72 #define OPT_LOG_PROTO 73 #define OPT_NO_0x20 74 #define OPT_DO_0x20 75 #define OPT_AUTH_LOG 76 #define OPT_LEASEQUERY 77 #define OPT_LOG_ONLY_FAILED 78 #define OPT_LOG_MALLOC 79 #define OPT_LAST 80 #define OPTION_BITS (sizeof(unsigned int)*8) #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) ) #define option_var(x) (daemon->options[(x) / OPTION_BITS]) #define option_val(x) ((1u) << ((x) % OPTION_BITS)) #define option_bool(x) (option_var(x) & option_val(x)) /* extra flags for my_syslog, we use facilities since they are known not to occupy the same bits as priorities, no matter how syslog.h is set up. MS_DEBUG messages are suppressed unless --log-debug is set. */ #define MS_TFTP LOG_USER #define MS_DHCP LOG_DAEMON #define MS_SCRIPT LOG_MAIL #define MS_DEBUG LOG_NEWS /* Note that this is used widely as a container for IPv4/IPv6 addresses, so for that reason, was well as to avoid wasting memory in almost every cache entry, the other variants should not be larger than sizeof(struct in6_addr) - 16 bytes. */ union all_addr { struct in_addr addr4; struct in6_addr addr6; struct { union { struct crec *cache; char *name; } target; unsigned int uid; int is_name_ptr; /* disciminates target union */ } cname; struct { struct blockdata *keydata; unsigned short keylen, flags, keytag; unsigned char algo; } key; struct { struct blockdata *keydata; unsigned short keylen, keytag; unsigned char algo; unsigned char digest; } ds; /* for log_query */ struct { unsigned short keytag, algo, digest, rcode; int ede; } log; /* for arbitrary RR record stored in block */ struct { unsigned short rrtype; unsigned short datalen; struct blockdata *rrdata; } rrblock; /* for arbitrary RR record small enough to go in addr. NOTE: rrblock and rrdata are discriminated by the F_KEYTAG bit in the cache flags. */ struct datablock { unsigned short rrtype; unsigned char datalen; /* also length of SOA in negative records. */ char data[1]; } rrdata; }; #define RR_IMDATALEN (sizeof(union all_addr) - offsetof(struct datablock, data)) struct bogus_addr { int is6, prefix; union all_addr addr; struct bogus_addr *next; }; /* dns doctor param */ struct doctor { struct in_addr in, end, out, mask; struct doctor *next; }; struct mx_srv_record { char *name, *target; int issrv, srvport, priority, weight; unsigned int offset; struct mx_srv_record *next; }; struct naptr { char *name, *replace, *regexp, *services, *flags; unsigned int order, pref; struct naptr *next; }; #ifndef NO_ID #define TXT_STAT_CACHESIZE 1 #define TXT_STAT_INSERTS 2 #define TXT_STAT_EVICTIONS 3 #define TXT_STAT_MISSES 4 #define TXT_STAT_HITS 5 #define TXT_STAT_AUTH 6 #define TXT_STAT_SERVERS 7 #endif struct txt_record { char *name; unsigned char *txt; unsigned short class, len; int stat; struct txt_record *next; }; struct ptr_record { char *name, *ptr; struct ptr_record *next; }; struct cname { int ttl, flag; char *alias, *target; struct cname *next, *targetp; }; struct ds_config { char *name, *digest; int digestlen, class, algo, keytag, digest_type; struct ds_config *next; }; #define ADDRLIST_LITERAL 1 #define ADDRLIST_IPV6 2 #define ADDRLIST_REVONLY 4 #define ADDRLIST_PREFIX 8 #define ADDRLIST_WILDCARD 16 #define ADDRLIST_DECLINED 32 struct addrlist { union all_addr addr; int flags, prefixlen; time_t decline_time; struct addrlist *next; }; #define AUTH6 1 #define AUTH4 2 struct auth_zone { char *domain; struct auth_name_list { char *name; int flags; struct auth_name_list *next; } *interface_names; struct addrlist *subnet; struct addrlist *exclude; struct auth_zone *next; }; #define HR_6 1 #define HR_4 2 struct host_record { int ttl, flags; struct name_list { char *name; struct name_list *next; } *names; struct in_addr addr; struct in6_addr addr6; struct host_record *next; }; #define IN4 1 #define IN6 2 #define INP4 4 #define INP6 8 #define RW_WRITE 0 #define RW_READ 1 #define RW_WRITE_ONCE 2 #define RW_READ_ONCE 3 struct interface_name { char *name; /* domain name */ char *intr; /* interface name */ int flags; struct in_addr proto4; struct in6_addr proto6; struct addrlist *addr; struct interface_name *next; }; union bigname { char name[MAXDNAMESTR+1]; union bigname *next; /* freelist */ }; struct blockdata { struct blockdata *next; unsigned char key[KEYBLOCK_LEN]; }; struct crec { struct crec *next, *prev, *hash_next; union all_addr addr; time_t ttd; /* time to die */ /* used as class if DNSKEY/DS, index to source for F_HOSTS */ unsigned int uid; unsigned int flags; union { char sname[SMALLDNAME]; union bigname *bname; char *namep; } name; }; #define SIZEOF_BARE_CREC (sizeof(struct crec) - SMALLDNAME) #define SIZEOF_POINTER_CREC (sizeof(struct crec) + sizeof(char *) - SMALLDNAME) #define F_IMMORTAL (1u<<0) #define F_NAMEP (1u<<1) #define F_REVERSE (1u<<2) #define F_FORWARD (1u<<3) #define F_DHCP (1u<<4) #define F_NEG (1u<<5) #define F_HOSTS (1u<<6) #define F_IPV4 (1u<<7) #define F_IPV6 (1u<<8) #define F_BIGNAME (1u<<9) #define F_NXDOMAIN (1u<<10) #define F_CNAME (1u<<11) #define F_DNSKEY (1u<<12) #define F_CONFIG (1u<<13) #define F_DS (1u<<14) #define F_DNSSECOK (1u<<15) #define F_UPSTREAM (1u<<16) #define F_RRNAME (1u<<17) #define F_SERVER (1u<<18) #define F_QUERY (1u<<19) #define F_NOERR (1u<<20) #define F_AUTH (1u<<21) #define F_DNSSEC (1u<<22) #define F_KEYTAG (1u<<23) #define F_SECSTAT (1u<<24) #define F_NO_RR (1u<<25) #define F_IPSET (1u<<26) #define F_NOEXTRA (1u<<27) #define F_DOMAINSRV (1u<<28) #define F_RCODE (1u<<29) #define F_RR (1u<<30) #define F_STALE (1u<<31) #define UID_NONE 0 /* Values of uid in crecs with F_CONFIG bit set. */ #define SRC_CONFIG 1 #define SRC_HOSTS 2 #define SRC_AH 3 #define PIPE_OP_INSERT 1 /* Cache entry */ #define PIPE_OP_RESULT 2 /* Validation result */ #define PIPE_OP_STATS 3 /* Update parent's stats */ #define PIPE_OP_IPSET 4 /* Update IPset */ #define PIPE_OP_NFTSET 5 /* Update NFTset */ #define PIPE_OP_KILLED 6 /* child killed by SIGALARM */ /* struct sockaddr is not large enough to hold any address, and specifically not big enough to hold an IPv6 address. Blech. Roll our own. */ union mysockaddr { struct sockaddr sa; struct sockaddr_in in; struct sockaddr_in6 in6; }; /* bits in flag param to IPv6 callbacks from iface_enumerate() */ #define IFACE_TENTATIVE 1 #define IFACE_DEPRECATED 2 #define IFACE_PERMANENT 4 /* The actual values here matter, since we sort on them to get records in the order IPv6 addr, IPv4 addr, all zero return, no-data return, resolvconf servers, upstream server */ #define SERV_USE_RESOLV 1 /* forward this domain in the normal way */ #define SERV_LITERAL_ADDRESS 2 /* addr is the answer, or NoDATA is the answer, depending on the next four flags */ #define SERV_ALL_ZEROS 4 /* return all zeros for A and AAAA */ #define SERV_4ADDR 8 /* addr is IPv4 */ #define SERV_6ADDR 16 /* addr is IPv6 */ #define SERV_HAS_SOURCE 32 /* source address defined */ #define SERV_FOR_NODOTS 64 /* server for names with no domain part only */ #define SERV_WARNED_RECURSIVE 128 /* avoid warning spam */ #define SERV_FROM_DBUS 256 /* 1 if source is DBus */ #define SERV_MARK 512 /* for mark-and-delete and log code */ #define SERV_WILDCARD 1024 /* domain has leading '*' */ #define SERV_FROM_RESOLV 2048 /* 1 for servers from resolv, 0 for command line. */ #define SERV_FROM_FILE 4096 /* read from --servers-file */ #define SERV_LOOP 8192 /* server causes forwarding loop */ #define SERV_DO_DNSSEC 16384 /* Validate DNSSEC when using this server */ #define SERV_GOT_TCP 32768 /* Got some data from the TCP connection */ struct serverfd { int fd; union mysockaddr source_addr; char interface[IF_NAMESIZE+1]; unsigned int ifindex, used, preallocated; struct serverfd *next; }; struct randfd { struct server *serv; int fd; unsigned short refcount; /* refcount == 0xffff means overflow record. */ }; struct randfd_list { struct randfd *rfd; struct randfd_list *next; }; struct server { u16 flags, domain_len; char *domain; struct server *next; int serial, arrayposn; int last_server; union mysockaddr addr, source_addr; char interface[IF_NAMESIZE+1]; unsigned int ifindex; /* corresponding to interface, above */ struct serverfd *sfd; int tcpfd; unsigned int queries, failed_queries, nxdomain_replies, retrys; unsigned int query_latency, mma_latency; time_t forwardtime; int forwardcount; #ifdef HAVE_LOOP u32 uid; #endif }; /* First four fields must match struct server in next three definitions.. */ struct serv_addr4 { u16 flags, domain_len; char *domain; struct server *next; struct in_addr addr; }; struct serv_addr6 { u16 flags, domain_len; char *domain; struct server *next; struct in6_addr addr; }; struct serv_local { u16 flags, domain_len; char *domain; struct server *next; }; struct rebind_domain { char *domain; struct rebind_domain *next; }; struct ipsets { char **sets; char *domain; struct ipsets *next; }; struct allowlist { u32 mark, mask; char **patterns; struct allowlist *next; }; struct irec { union mysockaddr addr; struct in_addr netmask; /* only valid for IPv4 */ int tftp_ok, dhcp4_ok, dhcp6_ok, mtu, done, warned, dad; int dns_auth, index, multicast_done, found, label; char *name; struct irec *next; }; struct listener { int fd, tcpfd, tftpfd, used; union mysockaddr addr; struct irec *iface; /* only sometimes valid for non-wildcard */ struct listener *next; }; /* interface and address parms from command line. */ struct iname { char *name; union mysockaddr addr; int flags; struct iname *next; }; #define INAME_USED 1 #define INAME_4 2 #define INAME_6 4 struct rrlist { unsigned short rr; struct rrlist *next; }; /* subnet parameters from command line */ struct mysubnet { union mysockaddr addr; int addr_used; int mask; }; /* resolv-file parms from command-line */ struct resolvc { struct resolvc *next; int is_default, logged; time_t mtime; ino_t ino; char *name; #ifdef HAVE_INOTIFY int wd; /* inotify watch descriptor */ char *file; /* pointer to file part if path */ #endif }; /* adn-hosts parms from command-line (also dhcp-hostsfile and dhcp-optsfile and dhcp-hostsdir*/ #define AH_DIR 1 #define AH_INACTIVE 2 #define AH_WD_DONE 4 #define AH_HOSTS 8 #define AH_DHCP_HST 16 #define AH_DHCP_OPT 32 struct hostsfile { struct hostsfile *next; int flags; char *fname; unsigned int index; /* matches to cache entries for logging */ }; struct dyndir { struct dyndir *next; struct hostsfile *files; int flags; char *dname; #ifdef HAVE_INOTIFY int wd; /* inotify watch descriptor */ #endif }; /* packet-dump flags */ #define DUMP_QUERY 0x0001 #define DUMP_REPLY 0x0002 #define DUMP_UP_QUERY 0x0004 #define DUMP_UP_REPLY 0x0008 #define DUMP_SEC_QUERY 0x0010 #define DUMP_SEC_REPLY 0x0020 #define DUMP_BOGUS 0x0040 #define DUMP_SEC_BOGUS 0x0080 #define DUMP_DHCP 0x1000 #define DUMP_DHCPV6 0x2000 #define DUMP_RA 0x4000 #define DUMP_TFTP 0x8000 /* DNSSEC status values. */ #define STAT_SECURE 0x10000 #define STAT_INSECURE 0x20000 #define STAT_BOGUS 0x30000 #define STAT_NEED_DS 0x40000 #define STAT_NEED_KEY 0x50000 #define STAT_TRUNCATED 0x60000 #define STAT_OK 0x70000 #define STAT_ABANDONED 0x80000 #define STAT_ASYNC 0x90000 #define DNSSEC_FAIL_NYV 0x0001 /* key not yet valid */ #define DNSSEC_FAIL_EXP 0x0002 /* key expired */ #define DNSSEC_FAIL_INDET 0x0004 /* indetermined */ #define DNSSEC_FAIL_NOKEYSUP 0x0008 /* no supported key algo. */ #define DNSSEC_FAIL_NOSIG 0x0010 /* No RRsigs */ #define DNSSEC_FAIL_NOZONE 0x0020 /* No Zone bit set */ #define DNSSEC_FAIL_NONSEC 0x0040 /* No NSEC */ #define DNSSEC_FAIL_NODSSUP 0x0080 /* no supported DS algo. */ #define DNSSEC_FAIL_NOKEY 0x0100 /* no DNSKEY */ #define DNSSEC_FAIL_NSEC3_ITERS 0x0200 /* too many iterations in NSEC3 */ #define DNSSEC_FAIL_BADPACKET 0x0400 /* bad packet */ #define DNSSEC_FAIL_WORK 0x0800 /* too much crypto */ #define DNSSEC_FAIL_UPSTREAM 0x1000 /* SERVFAIL from UPSTREAM */ #define STAT_ISEQUAL(a, b) (((a) & 0xffff0000) == (b)) #define FREC_NOREBIND 1 #define FREC_CHECKING_DISABLED 2 #define FREC_NO_CACHE 4 #define FREC_DNSKEY_QUERY 8 #define FREC_DS_QUERY 16 #define FREC_AD_QUESTION 32 #define FREC_DO_QUESTION 64 #define FREC_HAS_PHEADER 128 #define FREC_GONE_TO_TCP 256 #define FREC_ANSWER 512 struct frec { struct frec_src { union mysockaddr source; union all_addr dest; unsigned int iface, log_id, encode_bitmap, *encode_bigmap; int fd; unsigned short orig_id, udp_pkt_size; struct frec_src *next; } frec_src; struct server *sentto; /* NULL means free */ struct randfd_list *rfds; unsigned short new_id; int forwardall, flags; time_t time; u32 forward_timestamp; int forward_delay; struct blockdata *stash; /* saved query or saved reply, whilst we validate */ size_t stash_len; #ifdef HAVE_DNSSEC int uid, class, work_counter, validate_counter; struct frec *dependent; /* Query awaiting internally-generated DNSKEY or DS query */ struct frec *next_dependent; /* list of above. */ struct frec *blocking_query; /* Query which is blocking us. */ #endif struct frec *next; }; /* flags in top of length field for DHCP-option tables */ #define OT_ADDR_LIST 0x8000 #define OT_RFC1035_NAME 0x4000 #define OT_INTERNAL 0x2000 #define OT_NAME 0x1000 #define OT_CSTRING 0x0800 #define OT_DEC 0x0400 #define OT_TIME 0x0200 /* actions in the daemon->helper RPC */ #define ACTION_DEL 1 #define ACTION_OLD_HOSTNAME 2 #define ACTION_OLD 3 #define ACTION_ADD 4 #define ACTION_TFTP 5 #define ACTION_ARP 6 #define ACTION_ARP_DEL 7 #define ACTION_RELAY_SNOOP 8 #define LEASE_NEW 1 /* newly created */ #define LEASE_CHANGED 2 /* modified */ #define LEASE_AUX_CHANGED 4 /* CLID or expiry changed */ #define LEASE_AUTH_NAME 8 /* hostname came from config, not from client */ #define LEASE_USED 16 /* used this DHCPv6 transaction */ #define LEASE_NA 32 /* IPv6 no-temporary lease */ #define LEASE_TA 64 /* IPv6 temporary lease */ #define LEASE_HAVE_HWADDR 128 /* Have set hwaddress */ #define LEASE_EXP_CHANGED 256 /* Lease expiry time changed */ #define LIMIT_SIG_FAIL 0 #define LIMIT_CRYPTO 1 #define LIMIT_WORK 2 #define LIMIT_NSEC3_ITERS 3 #define LIMIT_MAX 4 struct dhcp_lease { int clid_len; /* length of client identifier */ unsigned char *clid; /* clientid */ char *hostname, *fqdn; /* name from client-hostname option or config */ char *old_hostname; /* hostname before it moved to another lease */ int flags; time_t expires; /* lease expiry */ #ifdef HAVE_BROKEN_RTC unsigned int length; #endif int hwaddr_len, hwaddr_type; unsigned char hwaddr[DHCP_CHADDR_MAX]; struct in_addr addr, override, giaddr; unsigned char *extradata; unsigned int extradata_len, extradata_size; int last_interface; int new_interface; /* save possible originated interface */ int new_prefixlen; /* and its prefix length */ unsigned char *agent_id, *vendorclass; int agent_id_len, vendorclass_len; #ifdef HAVE_DHCP6 struct in6_addr addr6; unsigned int iaid; struct slaac_address { struct in6_addr addr; time_t ping_time; int backoff; /* zero -> confirmed */ struct slaac_address *next; } *slaac_address; int vendorclass_count; #endif struct dhcp_lease *next; }; struct dhcp_netid { char *net; struct dhcp_netid *next; }; struct dhcp_netid_list { struct dhcp_netid *list; struct dhcp_netid_list *next; }; struct tag_if { struct dhcp_netid_list *set; struct dhcp_netid *tag; struct tag_if *next; }; struct delay_config { int delay; struct dhcp_netid *netid; struct delay_config *next; }; struct hwaddr_config { int hwaddr_len, hwaddr_type; unsigned char hwaddr[DHCP_CHADDR_MAX]; unsigned int wildcard_mask; struct hwaddr_config *next; }; struct dhcp_config { unsigned int flags; int clid_len; /* length of client identifier */ unsigned char *clid; /* clientid */ char *hostname, *domain; struct dhcp_netid_list *netid; struct dhcp_netid *filter; #ifdef HAVE_DHCP6 struct addrlist *addr6; #endif struct in_addr addr; time_t decline_time; unsigned int lease_time; struct hwaddr_config *hwaddr; struct dhcp_config *next; }; #define have_config(config, mask) ((config) && ((config)->flags & (mask))) #define CONFIG_DISABLE 1 #define CONFIG_CLID 2 #define CONFIG_TIME 8 #define CONFIG_NAME 16 #define CONFIG_ADDR 32 #define CONFIG_NOCLID 128 #define CONFIG_FROM_ETHERS 256 /* entry created by /etc/ethers */ #define CONFIG_ADDR_HOSTS 512 /* address added by from /etc/hosts */ #define CONFIG_DECLINED 1024 /* address declined by client */ #define CONFIG_BANK 2048 /* from dhcp hosts file */ #define CONFIG_ADDR6 4096 #define CONFIG_ADDR6_HOSTS 16384 /* address added by from /etc/hosts */ struct dhcp_opt { int opt, len, flags; union { int encap; unsigned int wildcard_mask; unsigned char *vendor_class; } u; unsigned char *val; struct dhcp_netid *netid; struct dhcp_opt *next; }; #define DHOPT_ADDR 1 #define DHOPT_STRING 2 #define DHOPT_ENCAPSULATE 4 #define DHOPT_ENCAP_MATCH 8 #define DHOPT_FORCE 16 #define DHOPT_BANK 32 #define DHOPT_ENCAP_DONE 64 #define DHOPT_MATCH 128 #define DHOPT_VENDOR 256 #define DHOPT_HEX 512 #define DHOPT_VENDOR_MATCH 1024 #define DHOPT_RFC3925 2048 #define DHOPT_TAGOK 4096 #define DHOPT_ADDR6 8192 #define DHOPT_VENDOR_PXE 16384 #define DHOPT_PXE_OPT 32768 struct dhcp_boot { char *file, *sname, *tftp_sname; struct in_addr next_server; struct dhcp_netid *netid; struct dhcp_boot *next; }; struct dhcp_match_name { char *name; int wildcard; struct dhcp_netid *netid; struct dhcp_match_name *next; }; struct pxe_service { unsigned short CSA, type; char *menu, *basename, *sname; struct in_addr server; struct dhcp_netid *netid; struct pxe_service *next; }; #define DHCP_PXE_DEF_VENDOR "PXEClient" #define MATCH_VENDOR 1 #define MATCH_USER 2 #define MATCH_CIRCUIT 3 #define MATCH_REMOTE 4 #define MATCH_SUBSCRIBER 5 /* vendorclass, userclass, remote-id or circuit-id */ struct dhcp_vendor { int len, match_type; unsigned int enterprise; char *data; struct dhcp_netid netid; struct dhcp_vendor *next; }; struct dhcp_pxe_vendor { char *data; struct dhcp_pxe_vendor *next; }; struct dhcp_mac { unsigned int mask; int hwaddr_len, hwaddr_type; unsigned char hwaddr[DHCP_CHADDR_MAX]; struct dhcp_netid netid; struct dhcp_mac *next; }; struct dhcp_bridge { char iface[IF_NAMESIZE]; struct dhcp_bridge *alias, *next; }; struct cond_domain { char *domain, *prefix; /* prefix is text-prefix on domain name */ char *interface; /* These two set when domain comes from interface. */ struct addrlist *al; struct in_addr start, end; struct in6_addr start6, end6; int is6, indexed, prefixlen; struct cond_domain *next; }; struct ra_interface { char *name; char *mtu_name; int interval, lifetime, prio, mtu; struct ra_interface *next; }; struct dhcp_context { unsigned int lease_time, addr_epoch; struct in_addr netmask, broadcast; struct in_addr local, router; struct in_addr start, end; /* range of available addresses */ #ifdef HAVE_DHCP6 struct in6_addr start6, end6; /* range of available addresses */ struct in6_addr local6; int prefix, if_index; unsigned int valid, preferred, saved_valid; time_t ra_time, ra_short_period_start, address_lost_time; char *template_interface; #endif int flags; struct dhcp_netid netid, *filter; struct dhcp_context *next, *current; }; struct shared_network { int if_index; struct in_addr match_addr, shared_addr; #ifdef HAVE_DHCP6 /* shared_addr == 0 for IP6 entries. */ struct in6_addr match_addr6, shared_addr6; #endif struct shared_network *next; }; #define CONTEXT_STATIC (1u<<0) #define CONTEXT_NETMASK (1u<<1) #define CONTEXT_BRDCAST (1u<<2) #define CONTEXT_PROXY (1u<<3) #define CONTEXT_RA_ROUTER (1u<<4) #define CONTEXT_RA_DONE (1u<<5) #define CONTEXT_RA_NAME (1u<<6) #define CONTEXT_RA_STATELESS (1u<<7) #define CONTEXT_DHCP (1u<<8) #define CONTEXT_DEPRECATE (1u<<9) #define CONTEXT_TEMPLATE (1u<<10) /* create contexts using addresses */ #define CONTEXT_CONSTRUCTED (1u<<11) #define CONTEXT_GC (1u<<12) #define CONTEXT_RA (1u<<13) #define CONTEXT_CONF_USED (1u<<14) #define CONTEXT_USED (1u<<15) #define CONTEXT_OLD (1u<<16) #define CONTEXT_V6 (1u<<17) #define CONTEXT_RA_OFF_LINK (1u<<18) #define CONTEXT_SETLEASE (1u<<19) struct ping_result { struct in_addr addr; time_t time; unsigned int hash; struct ping_result *next; }; struct tftp_file { int refcount, fd; off_t size, posn; dev_t dev; ino_t inode; char filename[]; }; struct tftp_transfer { int sockfd; u16 block_hi, ackprev; time_t retransmit, start; unsigned int lastack, block, blocksize, windowsize, timeout, expansion; off_t offset; union mysockaddr peer; union all_addr source; int if_index; unsigned char opt_blocksize, opt_transize, opt_windowsize, opt_timeout, netascii, carrylf, lastcarrylf, backoff; struct tftp_file *file; struct tftp_transfer *next; }; struct addr_list { struct in_addr addr; struct addr_list *next; }; struct tftp_prefix { char *interface; char *prefix; int missing; struct tftp_prefix *next; }; struct dhcp_relay { union { struct in_addr addr4; struct in6_addr addr6; } local, server, uplink; char *interface; /* Allowable interface for replies from server, and dest for IPv6 multicast */ int iface_index; /* working - interface in which requests arrived, for return */ int port; /* Port of relay we forward to. */ int split_mode; /* Split address allocation and relay address. */ int warned, matchcount; #ifdef HAVE_SCRIPT struct snoop_record { struct in6_addr client, prefix; int prefix_len; struct snoop_record *next; } *snoop_records; #endif struct dhcp_relay *next; }; extern struct daemon { /* datastuctures representing the command-line and config file arguments. All set (including defaults) in option.c */ unsigned int options[OPTION_SIZE]; struct resolvc default_resolv, *resolv_files; time_t last_resolv; char *servers_file; struct mx_srv_record *mxnames; struct naptr *naptr; struct txt_record *txt, *rr; struct ptr_record *ptr; struct rrlist *cache_rr, *filter_rr; struct host_record *host_records, *host_records_tail; struct cname *cnames; struct auth_zone *auth_zones; struct interface_name *int_names; char *mxtarget; struct mysubnet *add_subnet4; struct mysubnet *add_subnet6; char *lease_file; char *username, *groupname, *scriptuser; char *luascript; char *authserver, *hostmaster; struct iname *authinterface; struct name_list *secondary_forward_server; int group_set, osport; char *domain_suffix; struct cond_domain *cond_domain, *synth_domains; char *runfile; char *lease_change_command; struct iname *if_names, *if_addrs, *if_except, *dhcp_except, *auth_peers, *tftp_interfaces; struct bogus_addr *bogus_addr, *ignore_addr, *leasequery_addr; struct server *servers, *servers_tail, *local_domains, **serverarray; struct rebind_domain *no_rebind; int server_has_wildcard; int serverarraysz, serverarrayhwm; struct ipsets *ipsets, *nftsets; u32 allowlist_mask; struct allowlist *allowlists; int log_fac; /* log facility */ char *log_file; /* optional log file */ int max_logs; /* queue limit */ int log_malloc; /* log malloc/realloc/free */ int randport_limit; /* Maximum number of source ports for query. */ int cachesize, ftabsize; int port, query_port, min_port, max_port; unsigned long local_ttl, neg_ttl, max_ttl, min_cache_ttl, max_cache_ttl, auth_ttl, dhcp_ttl, use_dhcp_ttl; char *dns_client_id; u32 umbrella_org; u32 umbrella_asset; u8 umbrella_device[8]; int host_index; struct hostsfile *addn_hosts; struct dhcp_context *dhcp, *dhcp6; struct ra_interface *ra_interfaces; struct dhcp_config *dhcp_conf; struct dhcp_opt *dhcp_opts, *dhcp_match, *dhcp_opts6, *dhcp_match6; struct dhcp_match_name *dhcp_name_match; struct dhcp_pxe_vendor *dhcp_pxe_vendors; struct dhcp_vendor *dhcp_vendors; struct dhcp_mac *dhcp_macs; struct dhcp_boot *boot_config; struct pxe_service *pxe_services; struct tag_if *tag_if; struct addr_list *override_relays; struct dhcp_relay *relay4, *relay6; struct delay_config *delay_conf; int override; int enable_pxe; int doing_ra, doing_dhcp6; struct dhcp_netid_list *dhcp_ignore, *dhcp_ignore_names, *dhcp_gen_names; struct dhcp_netid_list *force_broadcast, *bootp_dynamic; struct hostsfile *dhcp_hosts_file, *dhcp_opts_file; struct dyndir *dynamic_dirs; int dhcp_max, tftp_max, tftp_mtu; int dhcp_server_port, dhcp_client_port; int start_tftp_port, end_tftp_port; unsigned int min_leasetime; struct doctor *doctors; unsigned short edns_pktsz; char *tftp_prefix; struct tftp_prefix *if_prefix; /* per-interface TFTP prefixes */ unsigned int duid_enterprise, duid_config_len; unsigned char *duid_config; char *dbus_name; char *ubus_name; char *dump_file; int dump_mask; unsigned long soa_sn, soa_refresh, soa_retry, soa_expiry; u32 metrics[__METRIC_MAX]; int fast_retry_time, fast_retry_timeout; int cache_max_expiry; #ifdef HAVE_DNSSEC struct ds_config *ds; char *timestamp_file; #endif /* globally used stuff for DNS */ char *packet; /* packet buffer */ int packet_buff_sz; /* size of above */ char *namebuff; /* MAXDNAMESTR+1 size buffer */ char *workspacename; #ifdef HAVE_DNSSEC char *keyname, *cname; /* MAXDNAMESTR+1 size buffer */ unsigned long *rr_status; /* ceiling in TTL from DNSSEC or zero for insecure */ int rr_status_sz; int dnssec_no_time_check; int back_to_the_future; int limit[LIMIT_MAX]; struct frec *forward_to_tcp; struct dns_header *header_to_tcp; ssize_t plen_to_tcp; #endif struct frec *frec_list; struct frec_src *free_frec_src; int frec_src_count; struct serverfd *sfds; struct irec *interfaces; struct listener *listeners; void *srv_save; /* Used for resend on DoD and tftp prefetch */ size_t packet_len; /* " " */ int fd_save; /* " " */ pid_t *tcp_pids; int *tcp_pipes; int pipe_to_parent; int numrrand; struct randfd *randomsocks; struct randfd_list *rfl_spare, *rfl_poll; int v6pktinfo; struct addrlist *interface_addrs; /* list of all addresses/prefix lengths associated with all local interfaces */ int log_id, log_display_id; /* ids of transactions for logging */ union mysockaddr *log_source_addr; /* DHCP state */ int dhcpfd, helperfd, pxefd; #ifdef HAVE_INOTIFY int inotifyfd; #endif #if defined(HAVE_LINUX_NETWORK) int netlinkfd, kernel_version; #elif defined(HAVE_BSD_NETWORK) int dhcp_raw_fd, dhcp_icmp_fd, routefd; #endif struct iovec dhcp_packet; char *dhcp_buff, *dhcp_buff2, *dhcp_buff3; struct ping_result *ping_results; FILE *lease_stream; struct dhcp_bridge *bridges; struct shared_network *shared_networks; #ifdef HAVE_DHCP6 int duid_len; unsigned char *duid; struct iovec outpacket; int dhcp6fd, icmp6fd; # ifdef HAVE_SCRIPT struct snoop_record *free_snoops; # endif #endif /* DBus stuff */ /* void * here to avoid depending on dbus headers outside dbus.c */ void *dbus; #ifdef HAVE_DBUS struct watch *watches; #endif /* UBus stuff */ #ifdef HAVE_UBUS /* void * here to avoid depending on ubus headers outside ubus.c */ void *ubus; #endif /* TFTP stuff */ struct tftp_transfer *tftp_trans, *tftp_done_trans; /* utility string buffer, hold max sized IP address as string */ char *addrbuff; char *addrbuff2; /* only allocated when OPT_EXTRALOG */ #ifdef HAVE_DUMPFILE /* file for packet dumps. */ int dumpfd; #endif int max_procs; uint max_procs_used; } *daemon; struct server_details { union mysockaddr *addr, *source_addr; struct addrinfo *hostinfo, *orig_hostinfo; char *interface, *source, *scope_id, *interface_opt; int serv_port, source_port, addr_type, scope_index, valid; u16 *flags; }; /* cache.c */ void cache_init(void); unsigned short rrtype(char *in); void next_uid(struct crec *crecp); void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg, unsigned short type); char *record_source(unsigned int index); int cache_find_non_terminal(char *name, time_t now); struct crec *cache_find_by_addr(struct crec *crecp, union all_addr *addr, time_t now, unsigned int prot); struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsigned int prot); void cache_end_insert(void); void cache_start_insert(void); unsigned int cache_remove_uid(const unsigned int uid); int cache_recv_insert(time_t now, int fd); #ifdef HAVE_DNSSEC void cache_update_hwm(void); #endif #if defined(HAVE_IPSET) || defined(HAVE_NFTSET) void cache_send_ipset(unsigned char op, struct ipsets *sets, int flags, union all_addr *addr); #endif struct crec *cache_insert(char *name, union all_addr *addr, unsigned short class, time_t now, unsigned long ttl, unsigned int flags); void cache_reload(void); void cache_add_dhcp_entry(char *host_name, int prot, union all_addr *host_address, time_t ttd); struct in_addr a_record_from_hosts(char *name, time_t now); void cache_unhash_dhcp(void); void dump_cache(time_t now); #ifndef NO_ID int cache_make_stat(struct txt_record *t); #endif char *cache_get_name(struct crec *crecp); char *cache_get_cname_target(struct crec *crecp); struct crec *cache_enumerate(int init); int read_hostsfile(char *filename, unsigned int index, int cache_size, struct crec **rhash, int hashsz); /* blockdata.c */ void blockdata_init(void); void blockdata_report(void); struct blockdata *blockdata_alloc(char *data, size_t len); int blockdata_expand(struct blockdata *block, size_t oldlen, char *data, size_t newlen); void *blockdata_retrieve(struct blockdata *block, size_t len, void *data); struct blockdata *blockdata_read(int fd, size_t len); void blockdata_write(struct blockdata *block, size_t len, int fd); void blockdata_free(struct blockdata *blocks); /* domain.c */ char *get_domain(struct in_addr addr); char *get_domain6(struct in6_addr *addr); int is_name_synthetic(int flags, char *name, union all_addr *addr); int is_rev_synth(int flag, union all_addr *addr, char *name); /* rfc1035.c */ int do_doctor(struct dns_header *header, size_t qlen, char *namebuff); int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, char *name, int func, unsigned int parm); unsigned char *skip_name(unsigned char *ansp, struct dns_header *header, size_t plen, int extrabytes); unsigned char *skip_questions(struct dns_header *header, size_t plen); unsigned char *skip_section(unsigned char *ansp, int count, struct dns_header *header, size_t plen); unsigned int extract_request(struct dns_header *header, size_t qlen, char *name, unsigned short *typep, unsigned short *classp); void setup_reply(struct dns_header *header, unsigned int flags, int ede); int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t now, struct ipsets *ipsets, struct ipsets *nftsets, int check_rebind, int no_cache_dnssec, int secure); #if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS) void report_addresses(struct dns_header *header, size_t len, u32 mark); #endif size_t answer_request(struct dns_header *header, char *limit, size_t qlen, struct in_addr local_addr, struct in_addr local_netmask, time_t now, int ad_reqd, int do_bit, int no_cache, int *stale, int *filtered); int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name, time_t now); int check_for_ignored_address(struct dns_header *header, size_t qlen); int check_for_local_domain(char *name, time_t now); size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *pheader, size_t hlen); int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp, unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...); int in_arpa_name_2_addr(char *namein, union all_addr *addrp); int private_net(struct in_addr addr, int ban_localhost); int private_net6(struct in6_addr *a, int ban_localhost); /* extract_name ops */ #define EXTR_NAME_EXTRACT 1 #define EXTR_NAME_COMPARE 2 #define EXTR_NAME_NOCASE 3 #define EXTR_NAME_FLIP 4 /* auth.c */ #ifdef HAVE_AUTH size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr, int local_query); int in_zone(struct auth_zone *zone, char *name, char **cut); #endif /* dnssec.c */ #ifdef HAVE_DNSSEC size_t dnssec_generate_query(struct dns_header *header, size_t outlen, char *name, int class, int id, int type); int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class, int *validate_count); int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class, int *validate_count); int cache_neg_ds(char *name, int flags, int class, time_t now, int neg_ttl); int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int check_unsigned, int *neganswer, int *prim_ok, int *nons, int *nsec_ttl, int *validate_count); int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen); size_t filter_rrsigs(struct dns_header *header, size_t plen); int setup_timestamp(void); int errflags_to_ede(int status); #endif /* crypto.c */ const struct nettle_hash *hash_find(char *name); int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp); int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, unsigned char *digest, size_t digest_len, int algo); char *ds_digest_name(int digest); char *algo_digest_name(int algo); char *nsec3_digest_name(int digest); void nettle_digest_wrapper(const struct nettle_hash *hash, void *ctx, size_t length, uint8_t *dst); /* util.c */ void rand_init(void); unsigned short rand16(void); u32 rand32(void); u64 rand64(void); int rr_on_list(struct rrlist *list, unsigned short rr); int legal_hostname(char *name); char *canonicalise(char *in, int *nomem); unsigned char *do_rfc1035_name(unsigned char *p, char *sval, unsigned char *limit); void *safe_malloc(size_t size); void safe_strncpy(char *dest, const char *src, size_t size); void safe_pipe(int *fd, int read_noblock); #define malloc_log(x, y) malloc_log_real(__func__, __LINE__, (x), (y)) #define whine_malloc(x) whine_malloc_real(__func__, __LINE__, (x)) #define whine_realloc(x, y) whine_realloc_real(NULL, __func__, __LINE__, (x), (y)) #define expand_buf(x, y) expand_buf_real(__func__, __LINE__, (x), (y)) #define expand_workspace(x, y, z) expand_workspace_real(__func__, __LINE__, (x), (y), (z)) #define free(x) free_real(__func__, __LINE__, (x)) void malloc_log_real(const char *func, unsigned int line, void *mem, size_t size); void free_real(const char *func, unsigned int line, void *ptr); void *whine_malloc_real(const char *func, unsigned int line, size_t size); void *whine_realloc_real(const char *wrapper, const char *func, unsigned int line, void *ptr, size_t size); int expand_buf_real(const char *func, unsigned int line, struct iovec *iov, size_t size); int expand_workspace_real(const char *func, unsigned int line, unsigned char ***wkspc, int *szp, int new); int get_line_alloc(FILE *f, char **buffp, size_t *sizep); int sa_len(union mysockaddr *addr); int sockaddr_isequal(const union mysockaddr *s1, const union mysockaddr *s2); int sockaddr_isnull(const union mysockaddr *s); int hostname_order(const char *a, const char *b); int hostname_isequal(const char *a, const char *b); int hostname_issubdomain(char *a, char *b); time_t dnsmasq_time(void); u32 dnsmasq_milliseconds(void); int netmask_length(struct in_addr mask); int is_same_net(struct in_addr a, struct in_addr b, struct in_addr mask); int is_same_net_prefix(struct in_addr a, struct in_addr b, int prefix); int is_same_net6(struct in6_addr *a, struct in6_addr *b, int prefixlen); u64 addr6part(struct in6_addr *addr); void setaddr6part(struct in6_addr *addr, u64 host); int retry_send(ssize_t rc); void prettyprint_time(char *buf, unsigned int t); int prettyprint_addr(union mysockaddr *addr, char *buf); int parse_hex(char *in, unsigned char *out, int maxlen, unsigned int *wildcard_mask, int *mac_type); int memcmp_masked(unsigned char *a, unsigned char *b, int len, unsigned int mask); char *print_mac(unsigned char *mac, int len); int read_write(int fd, unsigned char *packet, int size, int rw); int read_writev(int fd, struct iovec *iov, int iovcnt, int rw); void close_fds(long max_fd, int spare1, int spare2, int spare3); int wildcard_match(const char* wildcard, const char* match); int wildcard_matchn(const char* wildcard, const char* match, int num); #ifdef HAVE_LINUX_NETWORK int kernel_version(void); #endif /* log.c */ void die(char *message, char *arg1, int exit_code) ATTRIBUTE_NORETURN; int log_start(struct passwd *ent_pw, int errfd); int log_reopen(char *log_file); void my_syslog(int priority, const char *format, ...); void set_log_writer(void); void check_log_writer(int force); void flush_log(void); /* option.c */ void read_opts (int argc, char **argv, char *compile_opts); char *option_string(int prot, unsigned int opt, unsigned char *val, int opt_len, char *buf, int buf_len); void reread_dhcp(void); void read_servers_file(void); void set_option_bool(unsigned int opt); void reset_option_bool(unsigned int opt); struct hostsfile *expand_filelist(struct hostsfile *list); char *parse_server(char *arg, struct server_details *sdetails); char *parse_server_addr(struct server_details *sdetails); int parse_server_next(struct server_details *sdetails); int option_read_dynfile(char *file, int flags); /* forward.c */ void reply_query(int fd, time_t now); void receive_query(struct listener *listen, time_t now); void return_reply(time_t now, struct frec *forward, struct dns_header *header, ssize_t n, int status); #ifdef HAVE_DNSSEC void pop_and_retry_query(struct frec *forward, int status, time_t now); int tcp_from_udp(time_t now, int status, struct dns_header *header, ssize_t *n, int class, char *name, struct server *server, int *keycount, int *validatecount); #endif void tcp_request(int confd, time_t now, struct iovec *bigbuff, union mysockaddr *local_addr, struct in_addr netmask, int auth_dns); void server_gone(struct server *server); int send_from(int fd, int nowild, char *packet, size_t len, union mysockaddr *to, union all_addr *source, unsigned int iface); void resend_query(void); int allocate_rfd(struct randfd_list **fdlp, struct server *serv); void free_rfds(struct randfd_list **fdlp); int fast_retry(time_t now); /* network.c */ int indextoname(int fd, int index, char *name); int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp); void pre_allocate_sfds(void); int reload_servers(char *fname); void check_servers(int no_loop_call); int enumerate_interfaces(int reset); void create_wildcard_listeners(void); void create_bound_listeners(int dienow); void warn_bound_listeners(void); void warn_wild_labels(void); void warn_int_names(void); int is_dad_listeners(void); int iface_check(int family, union all_addr *addr, char *name, int *auth); int loopback_exception(int fd, int family, union all_addr *addr, char *name); int label_exception(int index, int family, union all_addr *addr); int fix_fd(int fd); int tcp_interface(int fd, int af); int set_ipv6pktinfo(int fd); #ifdef HAVE_DHCP6 void join_multicast(int dienow); #endif #if defined(HAVE_LINUX_NETWORK) || defined(HAVE_BSD_NETWORK) void newaddress(time_t now); #endif /* dhcp.c */ #ifdef HAVE_DHCP void dhcp_init(void); void dhcp_packet(time_t now, int pxe_fd); struct dhcp_context *address_available(struct dhcp_context *context, struct in_addr taddr, struct dhcp_netid *netids); struct dhcp_context *narrow_context(struct dhcp_context *context, struct in_addr taddr, struct dhcp_netid *netids); struct ping_result *do_icmp_ping(time_t now, struct in_addr addr, unsigned int hash, int loopback); int address_allocate(struct dhcp_context *context, struct in_addr *addrp, unsigned char *hwaddr, int hw_len, struct dhcp_netid *netids, time_t now, int loopback); void dhcp_read_ethers(void); struct dhcp_config *config_find_by_address(struct dhcp_config *configs, struct in_addr addr); char *host_from_dns(struct in_addr addr); #endif /* lease.c */ #ifdef HAVE_DHCP void lease_update_file(time_t now); void lease_update_dns(int force); void lease_init(time_t now); struct dhcp_lease *lease4_allocate(struct in_addr addr); #ifdef HAVE_DHCP6 struct dhcp_lease *lease6_allocate(struct in6_addr *addrp, int lease_type); struct dhcp_lease *lease6_find(unsigned char *clid, int clid_len, int lease_type, unsigned int iaid, struct in6_addr *addr); void lease6_reset(void); struct dhcp_lease *lease6_find_by_client(struct dhcp_lease *first, int lease_type, unsigned char *clid, int clid_len, unsigned int iaid); struct dhcp_lease *lease6_find_by_addr(struct in6_addr *net, int prefix, u64 addr); struct dhcp_lease *lease6_find_by_plain_addr(struct in6_addr *addr); u64 lease_find_max_addr6(struct dhcp_context *context); void lease_ping_reply(struct in6_addr *sender, unsigned char *packet, char *interface); void lease_update_slaac(time_t now); void lease_set_iaid(struct dhcp_lease *lease, unsigned int iaid); void lease_make_duid(time_t now); #endif void lease_set_hwaddr(struct dhcp_lease *lease, const unsigned char *hwaddr, const unsigned char *clid, int hw_len, int hw_type, int clid_len, time_t now, int force); void lease_set_hostname(struct dhcp_lease *lease, const char *name, int auth, char *domain, char *config_domain); void lease_set_expires(struct dhcp_lease *lease, unsigned int len, time_t now); void lease_set_interface(struct dhcp_lease *lease, int interface, time_t now); void lease_set_agent_id(struct dhcp_lease *lease, unsigned char *new, int len); void lease_set_vendorclass(struct dhcp_lease *lease, unsigned char *new, int len); struct dhcp_lease *lease_find_by_client(unsigned char *hwaddr, int hw_len, int hw_type, unsigned char *clid, int clid_len); struct dhcp_lease *lease_find_by_addr(struct in_addr addr); struct in_addr lease_find_max_addr(struct dhcp_context *context); void lease_prune(struct dhcp_lease *target, time_t now); void lease_update_from_configs(void); int do_script_run(time_t now); void rerun_scripts(void); void lease_find_interfaces(time_t now); void lease_calc_fqdns(void); #ifdef HAVE_SCRIPT void lease_add_extradata(struct dhcp_lease *lease, unsigned char *data, unsigned int len, int delim); #endif #endif /* rfc2131.c */ #ifdef HAVE_DHCP size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index, size_t sz, time_t now, int unicast_dest, int loopback, int *is_inform, int pxe, struct in_addr fallback, time_t recvtime, struct in_addr leasequery_source); unsigned char *extended_hwaddr(int hwtype, int hwlen, unsigned char *hwaddr, int clid_len, unsigned char *clid, int *len_out); void relay_upstream4(struct in_addr iface_addr, int iface_index, struct dhcp_packet *mess, size_t sz, int unicast); unsigned int relay_reply4(struct dhcp_packet *mess, size_t sz, char *arrival_interface); #endif /* dnsmasq.c */ #ifdef HAVE_DHCP int make_icmp_sock(void); int icmp_ping(struct in_addr addr); int delay_dhcp(time_t start, int sec, int fd, uint32_t addr, unsigned short id); #endif void queue_event(int event); void send_alarm(time_t event, time_t now); void send_event(int fd, int event, int data, char *msg); void clear_cache_and_reload(time_t now); #ifdef HAVE_DNSSEC int swap_to_tcp(struct frec *forward, time_t now, int status, struct dns_header *header, ssize_t *plen, char *name, int class, struct server *server, int *keycount, int *validatecount); #endif /* netlink.c */ #ifdef HAVE_LINUX_NETWORK char *netlink_init(void); void netlink_multicast(void); #endif /* bpf.c */ #ifdef HAVE_BSD_NETWORK void init_bpf(void); void send_via_bpf(struct dhcp_packet *mess, size_t len, struct in_addr iface_addr, struct ifreq *ifr); void route_init(void); void route_sock(void); #endif /* bpf.c or netlink.c */ typedef union { int (*af_unspec)(int family, void *addrp, char *mac, size_t maclen, void *parmv); int (*af_inet)(struct in_addr local, int if_index, char *label, struct in_addr netmask, struct in_addr broadcast, void *vparam); int (*af_inet6)(struct in6_addr *local, int prefix, int scope, int if_index, int flags, unsigned int preferred, unsigned int valid, void *vparam); int (*af_local)(int index, unsigned int type, char *mac, size_t maclen, void *parm); } callback_t; int iface_enumerate(int family, void *parm, callback_t callback); /* dbus.c */ #ifdef HAVE_DBUS char *dbus_init(void); void check_dbus_listeners(void); void set_dbus_listeners(void); # ifdef HAVE_DHCP void emit_dbus_signal(int action, struct dhcp_lease *lease, char *hostname); # endif #endif /* ubus.c */ #ifdef HAVE_UBUS char *ubus_init(void); void set_ubus_listeners(void); void check_ubus_listeners(void); void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface); # ifdef HAVE_CONNTRACK void ubus_event_bcast_connmark_allowlist_refused(u32 mark, const char *name); void ubus_event_bcast_connmark_allowlist_resolved(u32 mark, const char *pattern, const char *ip, u32 ttl); # endif #endif /* ipset.c */ #ifdef HAVE_IPSET void ipset_init(void); int add_to_ipset(const char *setname, const union all_addr *ipaddr, int flags, int remove); #endif /* nftset.c */ #ifdef HAVE_NFTSET void nftset_init(void); int add_to_nftset(const char *setpath, const union all_addr *ipaddr, int flags, int remove); #endif /* pattern.c */ #ifdef HAVE_CONNTRACK int is_valid_dns_name(const char *value); int is_valid_dns_name_pattern(const char *value); int is_dns_name_matching_pattern(const char *name, const char *pattern); #endif /* helper.c */ #if defined(HAVE_SCRIPT) int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd); void helper_write(void); void queue_script(int action, struct dhcp_lease *lease, char *hostname, time_t now); #ifdef HAVE_TFTP void queue_tftp(off_t file_len, char *filename, union mysockaddr *peer); #endif void queue_arp(int action, unsigned char *mac, int maclen, int family, union all_addr *addr); int helper_buf_empty(void); #ifdef HAVE_DHCP6 void queue_relay_snoop(struct in6_addr *client, int if_index, struct in6_addr *prefix, int prefix_len); #endif #endif /* tftp.c */ #ifdef HAVE_TFTP void check_tftp_listeners(time_t now); int do_tftp_script_run(void); #endif /* conntrack.c */ #ifdef HAVE_CONNTRACK int get_incoming_mark(union mysockaddr *peer_addr, union all_addr *local_addr, int istcp, unsigned int *markp); #endif /* dhcp6.c */ #ifdef HAVE_DHCP6 void dhcp6_init(void); void dhcp6_packet(time_t now); struct dhcp_context *address6_allocate(struct dhcp_context *context, unsigned char *clid, int clid_len, int temp_addr, unsigned int iaid, int serial, struct dhcp_netid *netids, int plain_range, struct in6_addr *ans); struct dhcp_context *address6_available(struct dhcp_context *context, struct in6_addr *taddr, struct dhcp_netid *netids, int plain_range); struct dhcp_context *address6_valid(struct dhcp_context *context, struct in6_addr *taddr, struct dhcp_netid *netids, int plain_range); struct dhcp_config *config_find_by_address6(struct dhcp_config *configs, struct in6_addr *net, int prefix, struct in6_addr *addr); void make_duid(time_t now); void dhcp_construct_contexts(time_t now); void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac, unsigned int *maclenp, unsigned int *mactypep, time_t now); #endif /* rfc3315.c */ #ifdef HAVE_DHCP6 unsigned short dhcp6_reply(struct dhcp_context *context, int multicast_dest, int interface, char *iface_name, struct in6_addr *fallback, struct in6_addr *ll_addr, struct in6_addr *ula_addr, size_t sz, struct in6_addr *client_addr, time_t now); int relay_upstream6(int iface_index, ssize_t sz, struct in6_addr *peer_address, u32 scope_id, time_t now); int relay_reply6( struct sockaddr_in6 *peer, ssize_t sz, char *arrival_interface); # ifdef HAVE_SCRIPT int do_snoop_script_run(void); # endif #endif /* dhcp-common.c */ #ifdef HAVE_DHCP void dhcp_common_init(void); ssize_t recv_dhcp_packet(int fd, struct msghdr *msg); struct dhcp_netid *run_tag_if(struct dhcp_netid *tags); int pxe_ok(struct dhcp_opt *opt, int pxemode); struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *context_tags, struct dhcp_opt *opts, int pxemode); int match_netid(struct dhcp_netid *check, struct dhcp_netid *pool, int tagnotneeded); char *strip_hostname(char *hostname); void log_tags(struct dhcp_netid *netid, u32 xid); int match_bytes(struct dhcp_opt *o, unsigned char *p, int len); void dhcp_update_configs(struct dhcp_config *configs); void display_opts(void); int lookup_dhcp_opt(int prot, char *name); int lookup_dhcp_len(int prot, int val); struct dhcp_config *find_config(struct dhcp_config *configs, struct dhcp_context *context, unsigned char *clid, int clid_len, unsigned char *hwaddr, int hw_len, int hw_type, char *hostname, struct dhcp_netid *filter); int config_has_mac(struct dhcp_config *config, unsigned char *hwaddr, int len, int type); #ifdef HAVE_LINUX_NETWORK char *whichdevice(void); int bind_dhcp_devices(char *bound_device); #endif # ifdef HAVE_DHCP6 void display_opts6(void); # endif void log_context(int family, struct dhcp_context *context); void log_relay(int family, struct dhcp_relay *relay); #endif /* outpacket.c */ #ifdef HAVE_DHCP6 void end_opt6(int container); void reset_counter(void); int save_counter(int newval); void *expand(size_t headroom); int new_opt6(int opt); void *put_opt6(void *data, size_t len); void put_opt6_long(unsigned int val); void put_opt6_short(unsigned int val); void put_opt6_char(unsigned int val); void put_opt6_string(char *s); #endif /* radv.c */ #ifdef HAVE_DHCP6 void ra_init(time_t now); void icmp6_packet(time_t now); time_t periodic_ra(time_t now); void ra_start_unsolicited(time_t now, struct dhcp_context *context); #endif /* slaac.c */ #ifdef HAVE_DHCP6 void slaac_add_addrs(struct dhcp_lease *lease, time_t now, int force); time_t periodic_slaac(time_t now, struct dhcp_lease *leases); void slaac_ping_reply(struct in6_addr *sender, unsigned char *packet, char *interface, struct dhcp_lease *leases); #endif /* loop.c */ #ifdef HAVE_LOOP void loop_send_probes(void); int detect_loop(char *query, int type); #endif /* inotify.c */ #ifdef HAVE_INOTIFY void inotify_dnsmasq_init(int errfd); int inotify_check(time_t now); void set_dynamic_inotify(int flag, int total_size, struct crec **rhash, int revhashsz); #endif /* poll.c */ void poll_reset(void); int poll_check(int fd, short event); void poll_listen(int fd, short event); int do_poll(int timeout); /* rrfilter.c */ size_t rrfilter(struct dns_header *header, size_t *plen, int mode); short *rrfilter_desc(int type); int to_wire(char *name); void from_wire(char *name); /* modes. */ #define RRFILTER_EDNS0 0 #define RRFILTER_DNSSEC 1 #define RRFILTER_CONF 2 /* edns0.c */ unsigned char *find_pseudoheader(struct dns_header *header, size_t plen, size_t *len, unsigned char **p, int *is_sign, int *is_last); size_t add_pseudoheader(struct dns_header *header, size_t plen, size_t out_size, int optno, unsigned char *opt, size_t optlen, int set_do, int replace); size_t add_do_bit(struct dns_header *header, size_t plen, size_t outlen); void edns0_needs_mac(union mysockaddr *addr, time_t now); size_t add_edns0_config(struct dns_header *header, size_t plen, size_t outlen, union mysockaddr *source, time_t now, int *cacheable); int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer); /* arp.c */ int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now); int do_arp_script_run(void); /* dump.c */ #ifdef HAVE_DUMPFILE void dump_init(void); void dump_packet_udp(int mask, void *packet, size_t len, union mysockaddr *src, union mysockaddr *dst, int fd); void dump_packet_icmp(int mask, void *packet, size_t len, union mysockaddr *src, union mysockaddr *dst); #endif /* domain-match.c */ void build_server_array(void); int lookup_domain(char *qdomain, int flags, int *lowout, int *highout); int filter_servers(int seed, int flags, int *lowout, int *highout); int is_local_answer(time_t now, int first, char *name); size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header *header, char *name, size_t limit, int first, int last, int ede); int server_samegroup(struct server *a, struct server *b); #ifdef HAVE_DNSSEC int dnssec_server(struct server *server, char *keyname, int is_ds, int *firstp, int *lastp); #endif void mark_servers(int flag); void cleanup_servers(void); int add_update_server(int flags, union mysockaddr *addr, union mysockaddr *source_addr, const char *interface, const char *domain, union all_addr *local_addr); dnsmasq-2.93/src/dns-protocol.h0000664000175000017500000002037415210262712014666 0ustar srksrk/* dnsmasq is Copyright (c) 2000-2026 Simon Kelley This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 dated June, 1991, or (at your option) version 3 dated 29 June, 2007. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ #define NAMESERVER_PORT 53 #define TFTP_PORT 69 #define MIN_PORT 1024 /* first non-reserved port */ #define MAX_PORT 65535u #define IN6ADDRSZ 16 #define INADDRSZ 4 /* Dnsmasq handles domains names internally as NULL-terminated C strings. The '.' characters in these strings are significant as label-seperators. '.' and /0 characters _within_ labels are escaped and take up two characters to allow labels to contain arbitrary characters. The maximum length of a domain name in wire format is 255 bytes. and the maximum length of this when coverted to a