[Dnsmasq-discuss] dnsmasq-2.43rc3 available.
simon at thekelleys.org.uk
Wed Jul 9 21:26:17 BST 2008
2.43rc3 is available here.
This is a reaction to the DNS security farago of the last few days. I'm
still not completely clear if dnsmasq is affected, since it doesn't do
recursive name resolution, but this significantly strengthens the
resistance to spoofing attacks anyway. It implements the same
countermeasures as the patches to BIND et al, as far as I am aware.
The default behaviour now becomes to randomise the source port for
upstream queries. Each query will get a new, randomly allocated port.
Under very heavy load, this degenerates into choosing a port from a
constantly-rotating pool of 64 random ports. --query-port and the
source-port specifications in --server are still honoured. Setting
--source-port=0 reverts to the historical behavior, using a single port
allocated by the OS.
Additionally, the random number generator has been changed. *BSD
platforms still use arc4random() but everything else, which used to use
the rand() or random() libc functions now use the SURF RNG from djbdns-1.05
This is quite a large change, and there's some time pressure to release,
so I'd appreciate it if as many people as possible could try this out as
soon as possible and get back to me with results.
More information about the Dnsmasq-discuss