Dnsmasq Changelog

New in version 2.68 (December 9th, 2013)

  • Use random addresses for DHCPv6 temporary address allocations, instead of algorithmically determined stable addresses.
  • Fix bug which meant that the DHCPv6 DUID was not available in DHCP script runs during the lifetime of the dnsmasq process which created the DUID de-novo. Once the DUID was created and stored in the lease file and dnsmasq restarted, this bug disappeared.
  • Fix bug introduced in 2.67 which could result in erroneous NXDOMAIN returns to CNAME queries.
  • Fix build failures on MacOS X and OpenBSD.
  • Allow subnet specifications in --auth-zone to be interface names as well as address literals. This makes it possible to configure authoritative DNS when local address ranges are dynamic and works much better than the previous work-around which exempted constructed DHCP ranges from the IP address filtering. As a consequence, that work-around is removed. Under certain circumstances, this change will break existing configuration: if you're relying on the constructed-range exception, you need to change --auth-zone to specify the same interface as is used to construct your DHCP ranges, probably with a trailing "/6" like this: --auth-zone=example.com,eth0/6 to limit the addresses to IPv6 addresses of eth0.
  • Fix problems when advertising deleted IPv6 prefixes. If the prefix is deleted (rather than replaced), it doesn't get advertised with zero preferred time. Thanks to Tsachi for the bug report.
  • Fix segfault with some locally configured CNAMEs. Thanks to Andrew Childs for spotting the problem.
  • Fix memory leak on re-reading /etc/hosts and friends, introduced in 2.67.
  • Check the arrival interface of incoming DNS and TFTP requests via IPv6, even in --bind-interfaces mode. This isn't possible for IPv4 and can generate scary warnings, but as it's always possible for IPv6 (the API always exists) then we should do it always.
  • Tweak the rules on prefix-lengths in --dhcp-range for IPv6. The new rule is that the specified prefix length must be larger than or equal to the prefix length of the corresponding address on the local interface.

New in version 2.63 (August 18th, 2012)

  • The main addition in this release is a new mode, --bind-dynamic, which both avoids binding the wildcard IP address and copes with dynamically created network interfaces, thus removing the main limitations of the two existing network modes.

New in version 2.61 (April 30th, 2012)

  • This version has a lot of extra work on the DHCPv6 code that debuted in 2.60.
  • Many bugs have been fixed and extra features added.
  • The router advertisement feature is now much more configurable, and there's a mode that allows dnsmasq to make AAAA DNS records for hosts that use SLAAC IPv6 addresses and DHCP IPv4 addresses.

New in version 2.59 (October 19th, 2011)

  • This version addresses a couple of issues that have surfaced with dnsmasq-2.58, which could cause problems at startup with IPv6 link-local addresses.
  • One is a regression in dnsmasq, and the other stems from a change in the behaviour of bridge interfaces in recent Linux kernels.

New in version 2.58 (August 29th, 2011)

  • Provide a definition of the SA_SIZE macro where it's missing. Fixes build failure on OpenBSD.
  • Don't include a zero terminator at the end of messages sent to /dev/log when /dev/log is a datagram socket. Thanks to Didier Rabound for spotting the problem.
  • Add --dhcp-sequential-ip flag, to force allocation of IP addresses in ascending order. Note that the default pseudo-random mode is in general better but some server-deployment applications need this.
  • Fix problem where a server-id of is sent to a client when a dhcp-relay is in use if a client renews a lease after dnsmasq restart and before any clients on the subnet get a new lease. Thanks to Mike Ruiz for assistance in chasing this one down.
  • Don't return NXDOMAIN to an AAAA query if we have CNAME which points to an A record only: NODATA is the correct reply in this case. Thanks to Tom Fernandes for spotting the problem.
  • Relax the need to supply a netmask in --dhcp-range for networks which use a DHCP relay. Whilst this is still desirable, in the absence of a netmask dnsmasq will use a default based on the class (A, B, or C) of the address. This should at least remove a cause of mysterious failure for people using RFC1918 addresses and relays.
  • Add support for Linux conntrack connection marking. If enabled with --conntrack, the connection mark for incoming DNS queries will be copied to the outgoing connections used to answer those queries. This allows clever firewall and accounting stuff. Only available if dnsmasq is compiled with HAVE_CONNTRACK and adds a dependency on libnetfilter-conntrack. Thanks to Ed Wildgoose for the initial idea, testing and sponsorship of this function.
  • Provide a sane error message when someone attempts to match a tag in --dhcp-host.
  • Tweak the behaviour of --domain-needed, to avoid problems with recursive nameservers downstream of dnsmasq. The new behaviour only stops A and AAAA queries, and returns NODATA rather than NXDOMAIN replies.
  • Efficiency fix for very large DHCP configurations, thanks to James Gartrell and Mike Ruiz for help with this.
  • Allow the TFTP-server address in --dhcp-boot to be a domain-name which is looked up in /etc/hosts. This can give multiple IP addresses which are used round-robin, thus doing TFTP server load-balancing. Thanks to Sushil Agrawal for the patch.
  • When two tagged dhcp-options for a particular option number are both valid, use the one which is valid without a tag from the dhcp-range. Allows overriding of the value of a DHCP option for a particular host as well as per-network values.
      --dhcp-range=set:interface1,......
      --dhcp-host=set:myhost,.....
      --dhcp-option=tag:interface1,option:nis-domain,"domain1"
      --dhcp-option=tag:myhost,option:nis-domain,"domain2"
    will set the NIS-domain to domain1 for hosts in the range, but override that to domain2 for a particular host.
  • Fix bug which resulted in truncated files and timeouts for some TFTP transfers. The bug only occurs with netascii transfers and needs an unfortunate relationship between file size, blocksize and the number of newlines in the last block before it manifests itself. Many thanks to Alkis Georgopoulos for spotting the problem and providing a comprehensive test-case.
  • Fix regression in TFTP server on *BSD platforms introduced in version 2.56, due to confusion with sockaddr length. Many thanks to Loïc Pefferkorn for finding this.
  • Support scope-ids in IPv6 addresses of nameservers from /etc/resolv.conf and in --server options. Eg
      nameserver fe80::202:a412:4512:7bbf%eth0
      server=fe80::202:a412:4512:7bbf%eth0
    Thanks to Michael Stapelberg for the suggestion.
  • Update Polish translation, thanks to Jan Psota.
  • Update French translation. Thanks to Gildas Le Nadan.

New in version 2.57 (February 21st, 2011)

  • This version fixes a couple of regressions in the previous release and adds support for the Android platform.

New in version 2.56 (February 15th, 2011)

  • Add a patch to allow dnsmasq to get interface names right in a Solaris zone. Thanks to Dj Padzensky for this.
  • Improve data-type parsing heuristics so that --dhcp-option=option:domain-search,. treats the value as a string and not an IP address. Thanks to Clemens Fischer for spotting that.
  • Add IPv6 support to the TFTP server. Many thanks to Jan 'RedBully' Seiffert for the patches.
  • Log DNS queries at level LOG_INFO, rather than LOG_DEBUG. This makes things consistent with DHCP logging. Thanks to Adam Pribyl for spotting the problem.
  • Ensure that dnsmasq terminates cleanly when using --syslog-async even if it cannot make a connection to the syslogd.
  • Add --add-mac option. This is to support currently experimental DNS filtering facilities. Thanks to Benjamin Petrin for the original patch.
  • Fix bug which meant that tags were ignored in dhcp-range configuration specifying PXE-proxy service. Thanks to Cristiano Cumer for spotting this.
  • Raise an error if there is extra junk, not part of an option, on the command line.
  • Flag a couple of log messages in cache.c as coming from the DHCP subsystem. Thanks to Olaf Westrik for the patch.
  • Omit timestamps from logs when a) logging to stderr and b) --keep-in-foreground is set. The logging facility on the other end of stderr can be assumed to supply them. Thanks to John Hallam for the patch.
  • Don't complain about strings longer than 255 characters in --txt-record, just split the long strings into 255 character chunks instead.
  • Fix crash on double-free. This bug can only happen when dhcp-script is in use and then only in rare circumstances triggered by high DHCP transaction rate and a slow script. Thanks to Ferenc Wagner for finding the problem.
  • Only log that a file has been sent by TFTP after the transfer has completed successfully.
  • A good suggestion from Ferenc Wagner: extend the --domain option to allow this sort of thing: --domain=thekelleys.org.uk,,local which automatically creates
      --local=/thekelleys.org.uk/
      --local=/0.168.192.in-addr.arpa/
  • Tighten up syntax checking of hex constants in the config file. Thanks to Fred Damen for spotting this.
  • Add dnsmasq logo/icon, contributed by Justin Swift. Many thanks for that.
  • Never cache DNS replies which have the 'cd' bit set, or which result from queries forwarded with the 'cd' bit set. The 'cd' bit instructs a DNSSEC validating server upstream to ignore signature failures and return replies anyway. Without this change it's possible to pollute the dnsmasq cache with bad data by making a query with the 'cd' bit set and subsequent queries would return this data without its being marked as suspect. Thanks to Anders Kaseorg for pointing out this problem.
  • Add --proxy-dnssec flag, for compliance with RFC 4035. Dnsmasq will now clear the 'ad' bit in answers returned from upstream validating nameservers unless this option is set.
  • Allow a filename of "-" for --conf-file to read stdin. Suggestion from Timothy Redaelli.
  • Rotate the order of SRV records in replies, to provide round-robin load balancing when all the priorities are equal. Thanks to Peter McKinney for the suggestion.
  • Edit contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist so that it doesn't log all queries to a file by default. Thanks again to Peter McKinney.
  • By default, setting an IPv4 address for a domain but not an IPv6 address causes dnsmasq to return a NODATA reply for IPv6 (or vice-versa). So --address=/google.com/ stops IPv6 queries for *google.com from being forwarded. Make it possible to override this behaviour by defining the semantics if the same domain appears in both --server and --address. In that case, the --address has priority for the address family in which it appears, but the --server has priority for the address family which doesn't appear in --address. So:
      --address=/google.com/
      --server=/google.com/#
    will return for IPv4 queries for *.google.com but forward IPv6 queries to the normal upstream nameserver. Similarly when setting an IPv6 address only this will allow forwarding of IPv4 queries. Thanks to William for pointing out the need for this.
  • Allow more than one --dhcp-optsfile and --dhcp-hostsfile and make them understand directories as arguments in the same way as --addn-hosts. Suggestion from John Hanks.
  • Ignore rebinding requests for leases we don't know about. Rebind is broadcast, so we might get to overhear a request meant for another DHCP server. NAKing this is wrong. Thanks to Brad D'Hondt for assistance with this.
  • Fix cosmetic bug which produced strange output when dumping cache statistics with some configurations. Thanks to Fedor Kozhevnikov for spotting this.
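
The 'cd' bit caching rule and the --proxy-dnssec entry in the 2.56 list above, as an added C sketch that is not dnsmasq's own code. The function names and the sample headers are constructed for illustration; the masks are the AD and CD bits of the DNS header flags word.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define FLAG_AD 0x0020u /* "authenticated data": upstream validated the answer */
#define FLAG_CD 0x0010u /* "checking disabled": return data despite bad signatures */

/* The flags are the second big-endian 16-bit word of the DNS header. */
static uint16_t dns_flags(const uint8_t *msg)
{
    return (uint16_t)((msg[2] << 8) | msg[3]);
}

/* 1 if the reply may be cached; 0 if truncated or CD is set on either side. */
int reply_cacheable(const uint8_t *query, size_t qlen,
                    const uint8_t *reply, size_t rlen)
{
    if (qlen < DNS_HDR_LEN || rlen < DNS_HDR_LEN) return 0;
    return ((dns_flags(query) | dns_flags(reply)) & FLAG_CD) ? 0 : 1;
}

/* Clear AD before answering the client unless proxy_dnssec is set.
   Returns the flags word written back, or -1 for a truncated header. */
int downstream_flags(uint8_t *reply, size_t rlen, int proxy_dnssec)
{
    if (rlen < DNS_HDR_LEN) return -1;
    uint16_t f = dns_flags(reply);
    if (!proxy_dnssec)
        f &= (uint16_t)~FLAG_AD;
    reply[2] = (uint8_t)(f >> 8);
    reply[3] = (uint8_t)(f & 0xff);
    return f;
}

/* Constructed sample headers (ID 0x1234, one question); not captured traffic. */
static const uint8_t q_plain[DNS_HDR_LEN] = {0x12, 0x34, 0x01, 0x00, 0, 1}; /* RD */
static const uint8_t q_cd[DNS_HDR_LEN] = {0x12, 0x34, 0x01, 0x10, 0, 1}; /* RD|CD */
static const uint8_t r_ad[DNS_HDR_LEN] = {0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1}; /* AD set */
static const uint8_t r_cd[DNS_HDR_LEN] = {0x12, 0x34, 0x81, 0x90, 0, 1, 0, 1}; /* CD set */

/* Runs downstream_flags() on a scratch copy of the AD-flagged sample reply. */
int sample_downstream_flags(int proxy_dnssec)
{
    uint8_t buf[DNS_HDR_LEN];
    memcpy(buf, r_ad, sizeof buf);
    return downstream_flags(buf, sizeof buf, proxy_dnssec);
}

int main(void)
{
    printf("cacheable: %d %d %d\n", reply_cacheable(q_plain, 12, r_ad, 12),
           reply_cacheable(q_cd, 12, r_ad, 12), reply_cacheable(q_plain, 12, r_cd, 12));
    printf("flags: 0x%04x 0x%04x\n", (unsigned)sample_downstream_flags(0),
           (unsigned)sample_downstream_flags(1));
    return 0;
}
```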

New in version 2.55 (June 8th, 2010)

  • Fix crash when /etc/ethers is in use. Thanks to Gianluigi Tiesi for finding this.
  • Fix crash in netlink_multicast(). Thanks to Arno Wald for finding this one.
  • Allow the empty domain "." in dhcp domain-search (119) options.

New in version 2.53 (June 4th, 2010)

  • Fix failure to compile on Debian/kFreeBSD. Thanks to Axel Beckert and Petr Salinger.
  • Fix code to avoid scary strict-aliasing warnings generated by gcc 4.4.
  • Added FAQ entry warning about DHCP failures with Vista when firewalls block
  • Fixed bug which caused bad things to happen if a resolv.conf file which exists is subsequently removed. Thanks to Nikolai Saoukh for the patch.
  • Rationalised the DHCP tag system. Every configuration item which can set a tag does so by adding "set:<tag>" and every configuration item which is conditional on a tag is made so by "tag:<tag>". The NOT operator changes to '!', which is a bit more intuitive too. Dhcp-host directives can set more than one tag now. The old '#' NOT, "net:" prefix and no-prefixes are still honoured, so no existing config file needs to be changed, but the documentation and new-style config files should be much less confusing.
  • Added --tag-if to allow boolean operations on tags. This allows complicated logic to be clearer and more general. A great suggestion from Richard Voigt.
  • Add broadcast/unicast information to DHCP logging.
  • Allow --dhcp-broadcast to be unconditional.
  • Fixed incorrect behaviour with NOT <tag> conditionals in dhcp-options. Thanks to Max Turkewitz for assistance finding this.
  • If we send vendor-class encapsulated options based on the vendor-class supplied by the client, and no explicit vendor-class option is given, echo back the vendor-class from the client.
  • Fix bug which stopped dnsmasq from matching both a circuitid and a remoteid. Thanks to Ignacio Bravo for finding this.
  • Add --dhcp-proxy, which makes it possible to configure dnsmasq to use a DHCP relay agent as a full proxy, with all DHCP messages passing through the proxy. This is useful if the relay adds extra information to the packets it forwards, but cannot be configured with the RFC 5107 server-override option.
  • Added interface:<iface name> part to dhcp-range. The semantics of this are very odd at first sight, but it allows a single line of the form dhcp-range=interface:virt0,, to be added to dnsmasq configuration which then supplies DHCP and DNS services to that interface, without affecting what services are supplied to other interfaces and irrespective of the existence or lack of interface=<interface> lines elsewhere in the dnsmasq configuration. The idea is that such a line can be added automatically by libvirt or equivalent systems, without disturbing any manual configuration.
  • Similarly to the above, allow --enable-tftp=<interface>
  • Allow a TFTP root to be set separately for requests via different interfaces, --tftp-root=<path>,<interface>
  • Correctly handle and log clashes between CNAMES and DNS names being given to DHCP leases. This fixes a bug which caused nonsense IP addresses to be logged. Thanks to Sergei Zhirikov for finding and analysing the problem.
  • Tweak flush_log so as to avoid leaving the log file in non-blocking mode. O_NONBLOCK is a property of the file, not the process/descriptor.
  • Fix contrib/Solaris10/create_package (/usr/man -> /usr/share/man) Thanks to Vita Batrla.
  • Fix a problem where, if a client got a lease, then went to another subnet and got another lease, then moved back, it couldn't resume the old lease, but would instead get a new address. Thanks to Leonardo Rodrigues for spotting this and testing the fix.
  • Fix weird bug which sometimes omitted certain characters from the start of quoted strings in dhcp-options. Thanks to Dayton Turner for spotting the problem.
  • Add facility to redirect some domains to the standard upstream servers: this allows something like --server=/google.com/ --server=/www.google.com/# which will send queries for *.google.com to, except *www.google.com which will be forwarded as usual. Thanks to AJ Weber for prompting this addition.
  • Improve the hash-algorithm used to generate IP addresses from MAC addresses during initial DHCP address allocation. This improves performance when large numbers of hosts with similar MAC addresses all try and get an IP address at the same time. Thanks to Paul Smith for his work on this.
  • Tweak DHCP code so that --bridge-interface can be used to select which IP alias of an interface should be used for DHCP purposes on Linux. If eth0 has an alias eth0:dhcp then adding --bridge-interface=eth0:dhcp,eth0 will use the address of eth0:dhcp to determine the correct subnet for DHCP address allocation. Thanks to Pawel Golaszewski for prompting this and Eric Cooper for further testing.
  • Add --dhcp-generate-names. Suggestion by Ferenc Wagner.
  • Tweak DNS server selection algorithm when there is more than one server available for a domain, eg. --server=/mydomain/ --server=/mydomain/ Thanks to Alberto Cuesta-Canada for spotting a weakness here.
  • Add --max-ttl. Thanks to Fredrik Ringertz for the patch.
  • Allow --log-facility=- to force all logging to stderr. Suggestion from Clemens Fischer.
  • Fix regression which caused configuration like --address=/.domain.com/ to be rejected. The dot to the left of the domain has been implied and not required for a long time, but it should be accepted for backward compatibility. Thanks to Andrew Burcin for spotting this.
  • Add --rebind-domain-ok and --rebind-localhost-ok. Suggestion from Clemens Fischer.
  • Log replies to queries of type TXT, when --log-queries is set.
  • Fix compiler warnings when compiled with -DNO_DHCP. Thanks to Shantanu Gadgil for the patch.
  • Updated French translation. Thanks to Gildas Le Nadan.
  • Updated Polish translation. Thanks to Jan Psota.
  • Updated German translation. Thanks to Matthias Andree.
  • Added contrib/static-arp, thanks to Darren Hoo.
  • Fix corruption of the domain when a name from /etc/hosts overrides one supplied by a DHCP client. Thanks to Fedor Kozhevnikov for spotting the problem.
  • Updated Spanish translation. Thanks to Chris Chatham.