Dnsmasq Changelog

New in version 2.72 (January 9th, 2015)

  • Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
  • Add support for "ipsets" in *BSD, using pf. Thanks to Sven Falempim for the patch.
  • Fix race condition which could lock up dnsmasq when an interface goes down and up rapidly. Thanks to Conrad Kostecki for helping to chase this down.
  • Add DBus methods SetFilterWin2KOption and SetBogusPrivOption. Thanks to the Smoothwall project for the patch.
  • Fix failure to build against Nettle-3.0. Thanks to Steven Barth for spotting this and finding the fix.
  • When assigning existing DHCP leases to interfaces by comparing networks, handle the case that two or more interfaces have the same network part, but different prefix lengths (favour the longer prefix length.) Thanks to Lung-Pin Chang for the patch.
  • Add a mode which detects and removes DNS forwarding loops, i.e. a query sent to an upstream server returns as a new query to dnsmasq, and would therefore be forwarded again, resulting in a query which loops many times before being dropped. Upstream servers which loop back are disabled and this event is logged. Thanks to Smoothwall for their sponsorship of this feature.
  • Extend --conf-dir to allow filtering of files. So --conf-dir=/etc/dnsmasq.d,\*.conf will load all the files in /etc/dnsmasq.d which end in .conf
  • Fix bug which resulted in NXDOMAIN answers instead of NODATA in some circumstances.
  • Fix bug which caused dnsmasq to become unresponsive if it failed to send packets due to a network interface disappearing. Thanks to Niels Peen for spotting this.
  • Fix problem with --local-service option on big-endian platforms. Thanks to Richard Genoud for the patch.

New in version 2.68 (December 9th, 2013)

  • Use random addresses for DHCPv6 temporary address allocations, instead of algorithmically determined stable addresses.
  • Fix bug which meant that the DHCPv6 DUID was not available in DHCP script runs during the lifetime of the dnsmasq process which created the DUID de-novo. Once the DUID was created and stored in the lease file and dnsmasq restarted, this bug disappeared.
  • Fix bug introduced in 2.67 which could result in erroneous NXDOMAIN returns to CNAME queries.
  • Fix build failures on MacOS X and openBSD.
  • Allow subnet specifications in --auth-zone to be interface names as well as address literals. This makes it possible to configure authoritative DNS when local address ranges are dynamic and works much better than the previous work-around which exempted constructed DHCP ranges from the IP address filtering. As a consequence, that work-around is removed. Under certain circumstances, this change will break existing configuration: if you're relying on the constructed-range exception, you need to change --auth-zone to specify the same interface as is used to construct your DHCP ranges, probably with a trailing "/6" like this: --auth-zone=example.com,eth0/6 to limit the addresses to IPv6 addresses of eth0.
  • Fix problems when advertising deleted IPv6 prefixes. If the prefix is deleted (rather than replaced), it doesn't get advertised with zero preferred time. Thanks to Tsachi for the bug report.
  • Fix segfault with some locally configured CNAMEs. Thanks to Andrew Childs for spotting the problem.
  • Fix memory leak on re-reading /etc/hosts and friends, introduced in 2.67.
  • Check the arrival interface of incoming DNS and TFTP requests via IPv6, even in --bind-interfaces mode. This isn't possible for IPv4 and can generate scary warnings, but as it's always possible for IPv6 (the API always exists) then we should do it always.
  • Tweak the rules on prefix-lengths in --dhcp-range for IPv6. The new rule is that the specified prefix length must be larger than or equal to the prefix length of the corresponding address on the local interface.

New in version 2.63 (August 18th, 2012)

  • The main addition in this release is a new mode, --bind-dynamic, which both avoids binding the wildcard IP address and copes with dynamically created network interfaces, thus removing the main limitations of the two existing network modes.

New in version 2.61 (April 30th, 2012)

  • This version has a lot of extra work on the DHCPv6 code that debuted in 2.60.
  • Many bugs have been fixed and extra features added.
  • The router advertisement feature is now much more configurable, and there's a mode that allows dnsmasq to make AAAA DNS records for hosts that use SLAAC IPv6 addresses and DHCP IPv4 addresses.

New in version 2.59 (October 19th, 2011)

  • This version addresses a couple of issues that have surfaced with dnsmasq-2.58, which could cause problems at startup with IPv6 link-local addresses.
  • One is a regression in dnsmasq, and the other stems from a change in the behaviour of bridge interfaces in recent Linux kernels.

New in version 2.58 (August 29th, 2011)

  • Provide a definition of the SA_SIZE macro where it's missing. Fixes build failure on openBSD.
  • Don't include a zero terminator at the end of messages sent to /dev/log when /dev/log is a datagram socket. Thanks to Didier Rabound for spotting the problem.
  • Add --dhcp-sequential-ip flag, to force allocation of IP addresses in ascending order. Note that the default pseudo-random mode is in general better but some server-deployment applications need this.
  • Fix problem where a server-id of is sent to a client when a dhcp-relay is in use if a client renews a lease after dnsmasq restart and before any clients on the subnet get a new lease. Thanks to Mike Ruiz for assistance in chasing this one down.
  • Don't return NXDOMAIN to an AAAA query if we have CNAME which points to an A record only: NODATA is the correct reply in this case. Thanks to Tom Fernandes for spotting the problem.
  • Relax the need to supply a netmask in --dhcp-range for networks which use a DHCP relay. Whilst this is still desirable, in the absence of a netmask dnsmasq will use a default based on the class (A, B, or C) of the address. This should at least remove a cause of mysterious failure for people using RFC1918 addresses and relays.
  • Add support for Linux conntrack connection marking. If enabled with --conntrack, the connection mark for incoming DNS queries will be copied to the outgoing connections used to answer those queries. This allows clever firewall and accounting stuff. Only available if dnsmasq is compiled with HAVE_CONNTRACK and adds a dependency on libnetfilter-conntrack. Thanks to Ed Wildgoose for the initial idea, testing and sponsorship of this function.
  • Provide a sane error message when someone attempts to match a tag in --dhcp-host.
  • Tweak the behaviour of --domain-needed, to avoid problems with recursive nameservers downstream of dnsmasq. The new behaviour only stops A and AAAA queries, and returns NODATA rather than NXDOMAIN replies.
  • Efficiency fix for very large DHCP configurations, thanks to James Gartrell and Mike Ruiz for help with this.
  • Allow the TFTP-server address in --dhcp-boot to be a domain-name which is looked up in /etc/hosts. This can give multiple IP addresses which are used round-robin, thus doing TFTP server load-balancing. Thanks to Sushil Agrawal for the patch.
  • When two tagged dhcp-options for a particular option number are both valid, use the one which is valid without a tag from the dhcp-range. Allows overriding of the value of a DHCP option for a particular host as well as per-network values.
      --dhcp-range=set:interface1,......
      --dhcp-host=set:myhost,.....
      --dhcp-option=tag:interface1,option:nis-domain,"domain1"
      --dhcp-option=tag:myhost,option:nis-domain,"domain2"
    will set the NIS-domain to domain1 for hosts in the range, but override that to domain2 for a particular host.
  • Fix bug which resulted in truncated files and timeouts for some TFTP transfers. The bug only occurs with netascii transfers and needs an unfortunate relationship between file size, blocksize and the number of newlines in the last block before it manifests itself. Many thanks to Alkis Georgopoulos for spotting the problem and providing a comprehensive test-case.
  • Fix regression in TFTP server on *BSD platforms introduced in version 2.56, due to confusion with sockaddr length. Many thanks to Loïc Pefferkorn for finding this.
  • Support scope-ids in IPv6 addresses of nameservers from /etc/resolv.conf and in --server options. Eg
      nameserver fe80::202:a412:4512:7bbf%eth0
      server=fe80::202:a412:4512:7bbf%eth0
    Thanks to Michael Stapelberg for the suggestion.
  • Update Polish translation, thanks to Jan Psota.
  • Update French translation. Thanks to Gildas Le Nadan.

New in version 2.57 (February 21st, 2011)

  • This version fixes a couple of regressions in the previous release and adds support for the Android platform.

New in version 2.56 (February 15th, 2011)

  • Add a patch to allow dnsmasq to get interface names right in a Solaris zone. Thanks to Dj Padzensky for this.
  • Improve data-type parsing heuristics so that --dhcp-option=option:domain-search,. treats the value as a string and not an IP address. Thanks to Clemens Fischer for spotting that.
  • Add IPv6 support to the TFTP server. Many thanks to Jan 'RedBully' Seiffert for the patches.
  • Log DNS queries at level LOG_INFO, rather than LOG_DEBUG. This makes things consistent with DHCP logging. Thanks to Adam Pribyl for spotting the problem.
  • Ensure that dnsmasq terminates cleanly when using --syslog-async even if it cannot make a connection to the syslogd.
  • Add --add-mac option. This is to support currently experimental DNS filtering facilities. Thanks to Benjamin Petrin for the original patch.
  • Fix bug which meant that tags were ignored in dhcp-range configuration specifying PXE-proxy service. Thanks to Cristiano Cumer for spotting this.
  • Raise an error if there is extra junk, not part of an option, on the command line.
  • Flag a couple of log messages in cache.c as coming from the DHCP subsystem. Thanks to Olaf Westrik for the patch.
  • Omit timestamps from logs when a) logging to stderr and b) --keep-in-foreground is set. The logging facility on the other end of stderr can be assumed to supply them. Thanks to John Hallam for the patch.
  • Don't complain about strings longer than 255 characters in --txt-record, just split the long strings into 255-character chunks instead.
  • Fix crash on double-free. This bug can only happen when dhcp-script is in use and then only in rare circumstances triggered by high DHCP transaction rate and a slow script. Thanks to Ferenc Wagner for finding the problem.
  • Only log that a file has been sent by TFTP after the transfer has completed successfully.
  • A good suggestion from Ferenc Wagner: extend the --domain option to allow this sort of thing: --domain=thekelleys.org.uk,,local which automatically creates
      --local=/thekelleys.org.uk/
      --local=/0.168.192.in-addr.arpa/
  • Tighten up syntax checking of hex constants in the config file. Thanks to Fred Damen for spotting this.
  • Add dnsmasq logo/icon, contributed by Justin Swift. Many thanks for that.
  • Never cache DNS replies which have the 'cd' bit set, or which result from queries forwarded with the 'cd' bit set. The 'cd' bit instructs a DNSSEC validating server upstream to ignore signature failures and return replies anyway. Without this change it's possible to pollute the dnsmasq cache with bad data by making a query with the 'cd' bit set and subsequent queries would return this data without its being marked as suspect. Thanks to Anders Kaseorg for pointing out this problem.
  • Add --proxy-dnssec flag, for compliance with RFC 4035. Dnsmasq will now clear the 'ad' bit in answers returned from upstream validating nameservers unless this option is set.
  • Allow a filename of "-" for --conf-file to read stdin. Suggestion from Timothy Redaelli.
  • Rotate the order of SRV records in replies, to provide round-robin load balancing when all the priorities are equal. Thanks to Peter McKinney for the suggestion.
  • Edit contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist so that it doesn't log all queries to a file by default. Thanks again to Peter McKinney.
  • By default, setting an IPv4 address for a domain but not an IPv6 address causes dnsmasq to return a NODATA reply for IPv6 (or vice-versa). So --address=/google.com/ stops IPv6 queries for *google.com from being forwarded. Make it possible to override this behaviour by defining the semantics if the same domain appears in both --server and --address. In that case, the --address has priority for the address family in which it appears, but the --server has priority for the address family which doesn't appear in --address. So:
      --address=/google.com/
      --server=/google.com/#
    will return for IPv4 queries for *.google.com but forward IPv6 queries to the normal upstream nameserver. Similarly when setting an IPv6 address only this will allow forwarding of IPv4 queries. Thanks to William for pointing out the need for this.
  • Allow more than one --dhcp-optsfile and --dhcp-hostsfile and make them understand directories as arguments in the same way as --addn-hosts. Suggestion from John Hanks.
  • Ignore rebinding requests for leases we don't know about. Rebind is broadcast, so we might get to overhear a request meant for another DHCP server. NAKing this is wrong. Thanks to Brad D'Hondt for assistance with this.
  • Fix cosmetic bug which produced strange output when dumping cache statistics with some configurations. Thanks to Fedor Kozhevnikov for spotting this.
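
Added example (not dnsmasq source code): the two 2.56 entries above on the 'cd' and 'ad' bits, sketched in C as checks on the DNS header flag bytes of an upstream reply. The function names and the sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative sketch, not dnsmasq source; all names are hypothetical. */
#define DNS_HDR_LEN 12
#define FLAG_QR 0x80 /* header byte 2: message is a response */
#define FLAG_AD 0x20 /* header byte 3: authenticated data */
#define FLAG_CD 0x10 /* header byte 3: checking disabled */

/* Constructed 12-byte headers: id, flags, QDCOUNT=1, ANCOUNT=1. */
uint8_t sample_cd_reply[] = {0x12,0x34, 0x81,0x90, 0,1, 0,1, 0,0, 0,0}; /* RA|CD */
uint8_t sample_ad_reply[] = {0x56,0x78, 0x81,0xa0, 0,1, 0,1, 0,0, 0,0}; /* RA|AD */

/* Return 1 if an upstream reply may be cached, 0 otherwise.
   query_cd is the CD bit of the query as it was forwarded upstream. */
int reply_is_cacheable(const uint8_t *reply, size_t len, int query_cd)
{
    if (len < DNS_HDR_LEN || !(reply[2] & FLAG_QR))
        return 0; /* short header or not a response */
    if (query_cd || (reply[3] & FLAG_CD))
        return 0; /* validation was disabled upstream: data is suspect */
    return 1;
}

/* Clear AD before answering the client unless proxy_dnssec is set.
   Returns the AD bit the client will see (0 or 1), or -1 on a short packet. */
int filter_ad_bit(uint8_t *reply, size_t len, int proxy_dnssec)
{
    if (len < DNS_HDR_LEN)
        return -1;
    if (!proxy_dnssec)
        reply[3] &= (uint8_t)~FLAG_AD;
    return (reply[3] & FLAG_AD) ? 1 : 0;
}

int main(void)
{
    printf("CD reply cacheable: %d\n",
           reply_is_cacheable(sample_cd_reply, sizeof sample_cd_reply, 0));
    printf("AD reply cacheable: %d\n",
           reply_is_cacheable(sample_ad_reply, sizeof sample_ad_reply, 0));
    printf("AD seen by client with proxy-dnssec: %d\n",
           filter_ad_bit(sample_ad_reply, sizeof sample_ad_reply, 1));
    printf("AD seen by client by default: %d\n",
           filter_ad_bit(sample_ad_reply, sizeof sample_ad_reply, 0));
    return 0;
}
```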

New in version 2.55 (June 8th, 2010)

  • Fix crash when /etc/ethers is in use. Thanks to Gianluigi Tiesi for finding this.
  • Fix crash in netlink_multicast(). Thanks to Arno Wald for finding this one.
  • Allow the empty domain "." in dhcp domain-search (119) options.