[Dnsmasq-discuss] dnsmasq-2.43rc3 available.

Simon Kelley simon at thekelleys.org.uk
Wed Jul 9 21:26:17 BST 2008

2.43rc3 is available here.


This is a reaction to the DNS security farago of the last few days. I'm 
still not completely clear if dnsmasq is affected, since it doesn't do 
recursive name resolution, but this significantly strengthens the 
resistance to spoofing attacks anyway. It implements the same 
countermeasures as the patches to BIND et al, as far as I am aware.

The default behaviour now becomes to randomise the source port for 
upstream queries. Each query will get a new, randomly allocated port. 
Under very heavy load, this degenerates into choosing a port from a 
constantly-rotating pool of 64 random ports. --query-port and the 
source-port specifications in --server are still honoured. Setting 
--source-port=0 reverts to the historical behavior, using a single port 
allocated by the OS.

Additionally, the random number generator has been changed. *BSD 
platforms still use arc4random() but everything else, which used to use 
the rand() or random() libc functions now use the SURF RNG from djbdns-1.05

This is quite a large change, and there's some time pressure to release, 
so I'd appreciate it if as many people as possible could try this out as 
soon as possible and get back to me with results.



More information about the Dnsmasq-discuss mailing list