[Dnsmasq-discuss] dnsmasq version 2.43 released.

Simon Kelley simon at thekelleys.org.uk
Fri Jul 11 11:19:34 BST 2008


Dnsmasq version 2.43 is now available at:

http://thekelleys.org.uk/dnsmasq/dnsmasq-2.43.tar.gz
http://thekelleys.org.uk/dnsmasq/dnsmasq-2.43.tar.lzma


This release includes the fixes needed to secure dnsmasq against the
security problems described in CERT VU#800113

http://www.kb.cert.org/vuls/id/800113


The changes from 2.42 are as follows.

            Updated Polish translation. Thanks to Jan Psota.

            Flag errors when configuration options are repeated
            illegally.

            Further tweaks for GNU/kFreeBSD

            Add --no-wrap to msgmerge call - provides nicer .po file
            format.

            Honour lease-time spec in dhcp-host lines even for
            BOOTP. The user is assumed to know what they are doing in
            this case. (Hosts without the time spec still get infinite
            leases for BOOTP, over-riding the default in the
            dhcp-range.) Thanks to Peter Katzmann for uncovering this.

            Fix problem matching relay-agent ids. Thanks to Michael
            Rack for the bug report.

            Add --naptr-record option. Suggestion from Johan
            Bergquist.

            Implement RFC 5107 server-id-override DHCP relay agent
            option.

            Apply patches from Stefan Kruger for compilation on
            Solaris 10 under Sun studio.

            Yet more tweaking of Linux capability code, to suppress
            pointless whingeing from kernel 2.6.25 and above.

            Improve error checking during startup. Previously, some
            errors which occurred during startup would be worked
            around, with dnsmasq still starting up. Some were logged,
            some silent. Now, they all cause a fatal error and dnsmasq
            terminates with a non-zero exit code. The errors are those
            associated with changing uid and gid, setting process
            capabilities and writing the pidfile. Thanks to Uwe
            Gansert and the Suse security team for pointing out
            this improvement, and Bill Reimers for good implementation
            suggestions.

            Provide NO_LARGEFILE compile option to switch off largefile
            support when compiling against versions of uclibc which
            don't support it. Thanks to Stephane Billiart for the patch.

            Implement random source ports for interactions with
            upstream nameservers. New spoofing attacks have been found
            against nameservers which do not do this, though it is not
            clear if dnsmasq is vulnerable, since it doesn't implement
            recursion. By default dnsmasq will now use a different
            source port (and socket) for each query it sends
            upstream. This behaviour can be suppressed using the
            --query-port option, and the old default behaviour
            restored using --query-port=0. Explicit source-port
            specifications in --server configs are still honoured.

            Replace the random number generator, for better
            security. On most BSD systems, dnsmasq uses the
            arc4random() RNG, which is secure, but on other platforms,
            it relied on the C-library RNG, which may be
            guessable and therefore allow spoofing. This release
            replaces the libc RNG with the SURF RNG, from Daniel
            J. Bernstein's DJBDNS package.

            Don't attempt to change user or group or set capabilities
            if dnsmasq is run as a non-root user. Without this, the
            change from soft to hard errors when these fail causes
            problems for non-root daemons listening on high
            ports. Thanks to Patrick McLean for spotting this.

            Updated French translation. Thanks to Gildas Le Nadan.

In addition to those people mentioned in the changelog, many thanks are
due to the members of the dnsmasq-discuss mailing list who did the rapid
testing needed to get this release out in a timely manner.


Cheers,

Simon.
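
Added example, not part of the original announcement or of dnsmasq itself: a Python audit of a dnsmasq configuration file for the two settings the changelog says override per-query random source ports, `query-port` and an explicit source port in a `server` line. The sample configuration is constructed, and the comment-stripping rule and the `@source#port` form of the server syntax are assumptions about the config format.

```python
import re

# Constructed sample config (not from the announcement); addresses are
# documentation-range placeholders.
SAMPLE_CONF = """\
# constructed sample dnsmasq.conf
domain-needed
server=192.0.2.1
server=192.0.2.2#5353
server=/example.internal/192.0.2.3@192.0.2.10#40000
query-port=5300   # pinned for a firewall rule
#query-port=0
"""

# Assumed server syntax: [/domain/]addr[#port][@source[#srcport]].
# Only a port after the @source part pins the *source* port.
SERVER_SRC_PORT = re.compile(r"@[^#@\s]+#(\d+)\s*$")

def strip_comment(line):
    # Assumption: '#' starts a comment only at line start or after
    # whitespace, so "192.0.2.2#5353" in a server spec is kept intact.
    return re.sub(r"(^|\s)#.*$", "", line).strip()

def audit(conf_text):
    """Return (line_no, finding, port) for settings that stop dnsmasq
    from using a fresh random source port for each upstream query."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        key, _, value = strip_comment(raw).partition("=")
        key, value = key.strip(), value.strip()
        if key == "query-port" and value.isdigit():
            # Per the changelog: any query-port suppresses per-query random
            # ports; 0 restores the old default behaviour.
            kind = "query-port-legacy" if int(value) == 0 else "query-port-fixed"
            findings.append((line_no, kind, int(value)))
        elif key == "server":
            match = SERVER_SRC_PORT.search(value)
            if match:
                findings.append((line_no, "server-source-port", int(match.group(1))))
    return findings

if __name__ == "__main__":
    for line_no, kind, port in audit(SAMPLE_CONF):
        print(f"line {line_no}: {kind} (port {port})")
```

A destination port alone (`server=192.0.2.2#5353`) is not flagged, since it does not affect the source port of outgoing queries.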



