Dnsmasq

Software Details:
Version: 2.77
Upload Date: 2 Sep 17
Developer: Simon Kelley
Distribution Type: Freeware

Dnsmasq is an open source, completely free, easy to configure and lightweight command-line software designed from the outset to act as a DHCP (Dynamic Host Configuration Protocol) server and DNS (Domain Name System) forwarder on GNU/Linux and UNIX-like operating systems.

The software has been engineered in such a way that it provides DNS, as well as DHCP functionality to a small network. It is capable of serving the names of local machines that aren’t in the global DNS and contains numerous attractive features.

Powerful command-line options

A wide range of command-line options are available for this project, which can be viewed at a glance by running the ‘dnsmasq --help’ command in a Terminal app. Among these, we can mention the ability to specify a local address to listen on, to specify the size of the cache in entries, as well as to specify a custom configuration file.

Getting started with Dnsmasq

Installing Dnsmasq on a GNU/Linux operating system is done the same way as with any other open source program that is distributed as a source archive. First you download the package, save it on your computer (preferably in your Home directory), and extract its contents using an archive manager utility.

Then, move to the location where you have extracted the archive file in a terminal emulator (e.g. cd /home/softoware/dnsmasq-2.72 - replace ‘softoware’ with your username), run the ‘./configure && make’ command to configure and compile the program, followed by the ‘sudo make install’ command to install it system wide.

Runs on GNU/Linux, BSD and Mac OS X

Dnsmasq supports multiple operating systems, including Linux (Debian, Gentoo, Slackware, Smoothwall, SUSE, IP-Cop, Firebox, floppyfw, LEAF, CoyoteLinux, Clarkconnect, Freesco, etc.), BSD (FreeBSD), and Mac OS X. It runs on 32-bit and 64-bit computer platforms.

What is new in this release:

  • Generate an error when configured with a CNAME loop, rather than a crash. Thanks to George Metz for spotting this problem.
  • Calculate the length of TFTP error reply packet correctly. This fixes a problem when the error message in a TFTP packet exceeds the arbitrary limit of 500 characters. The message was correctly truncated, but not the packet length, so extra data was appended. This is a possible security risk, since the extra data comes from a buffer which is also used for DNS, so that previous DNS queries or replies may be leaked. Thanks to Mozilla for funding the security audit which spotted this bug.
  • Fix logic error in Linux netlink code. This could cause dnsmasq to enter a tight loop on systems with a very large number of network interfaces. Thanks to Ivan Kokshaysky for the diagnosis and patch.
  • Fix problem with --dnssec-timestamp whereby receipt of SIGHUP would erroneously engage timestamp checking. Thanks to Kevin Darbyshire-Bryant for this work.
  • Bump zone serial on reloading /etc/hosts and friends when providing authoritative DNS. Thanks to Harrald Dunkel for spotting this.
  • Handle v4-mapped IPv6 addresses sanely in --synth-domain. These have standard representation like ::ffff:1.2.3.4 and are now converted to names like --ffff-1-2-3-4.
  • Handle binding upstream servers to an interface (--server=1.2.3.4@eth0) when the named interface is destroyed and recreated in the kernel. Thanks to Beniamino Galvani for the patch.
  • Allow wildcard CNAME records in authoritative zones. For example: --cname=*.example.com,default.example.com. Thanks to Pro Backup for sponsoring this development.
  • Bump the allowed backlog of TCP connections from 5 to 32, and make this a compile-time configurable option. Thanks to Donatas Abraitis for diagnosing this as a potential problem.
  • Add DNSMASQ_REQUESTED_OPTIONS environment variable to the lease-change script. Thanks to ZHAO Yu for the patch.
  • Fix foobar in rrfilter code that could cause malformed replies, especially when DNSSEC validation is on and the upstream server returns an answer with the RRs in a particular order. The only DNS server known to tickle this is Nominum's. Thanks to Dave Taht for spotting the bug and assisting in the fix.
  • Fix the manpage which lied that only the primary address of an interface is used by --interface-name.
  • Make --localise-queries apply to names from --interface-name. Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen for pushing this.
  • Improve connection handling when talking to TCP upstream servers. Specifically, be prepared to open a new TCP connection when we want to make multiple queries but the upstream server accepts fewer queries per connection.
  • Improve logging of upstream servers when there are a lot of "local addresses only" entries. Thanks to Hannu Nyman for the patch.
  • Make --bogus-priv apply to IPv6, for the prefixes specified in RFC6303. Thanks to Kevin Darbyshire-Bryant for work on this.
  • Allow use of MAC addresses with --tftp-unique-root. Thanks to Floris Bos for the patch.
  • Add --dhcp-reply-delay option. Thanks to Floris Bos for the patch.
  • Add mtu setting facility to --ra-param. Thanks to David Flamand for the patch.
  • Capture STDOUT and STDERR output from dhcp-script and log it as part of the dnsmasq log stream. Makes life easier for diagnosing unexpected problems in scripts. Thanks to Petr Mensik for the patch.
  • Generate fatal errors when failing to parse the output of the dhcp-script in "init" mode. Avoids strange errors when the script accidentally emits error messages. Thanks to Petr Mensik for the patch.
  • Make --rev-server for an RFC1918 subnet work even in the presence of the --bogus-priv flag. Thanks to Vladislav Grishenko for the patch.
  • Extend --ra-param mtu: field to allow an interface name. This allows the MTU of a WAN interface to be advertised on the internal interfaces of a router. Thanks to Vladislav Grishenko for the patch.
  • Do ICMP-ping check for address-in-use for DHCPv4 when the client specifies an address in DHCPDISCOVER, and when an address is configured locally. Thanks to Alin Nastac for spotting the problem.
  • Add new DHCP tag "known-othernet" which is set when only a dhcp-host exists for another subnet. Can be used to ensure that privileged hosts are not given "guest" addresses by accident. Thanks to Todd Sanket for the suggestion.
  • Remove historic automatic inclusion of IDN support when building internationalisation support. This doesn't fit now there is a choice of IDN libraries. Be sure to include either -DHAVE_IDN or -DHAVE_LIBIDN2 for IDN support.
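
The TFTP error-reply item above describes a message that is truncated while the reported packet length is not. The following added example (not dnsmasq's source code) shows one way such a mismatch arises in C and how clamping the length removes it; the function names, the format string, the 2048-byte buffer and the 'Q' marker standing in for earlier DNS data are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN   4    /* TFTP ERROR header: 2-byte opcode + 2-byte error code */
#define MSG_LIMIT 500  /* the 500-character limit named in the release note */
#define BUF_LEN   2048 /* assumed size of the shared packet buffer */

typedef size_t (*err_builder)(unsigned char *pkt, uint16_t err, const char *file);

static void put_header(unsigned char *pkt, uint16_t err)
{
    pkt[0] = 0; pkt[1] = 5;              /* opcode 5 = ERROR (RFC 1350) */
    pkt[2] = (unsigned char)(err >> 8);
    pkt[3] = (unsigned char)(err & 0xff);
}

/* Flawed: snprintf() truncates the text to MSG_LIMIT bytes but returns the
   length the text would have had, so the packet length overshoots. */
size_t build_err_flawed(unsigned char *pkt, uint16_t err, const char *file)
{
    put_header(pkt, err);
    int n = snprintf((char *)pkt + HDR_LEN, MSG_LIMIT, "file %s not found", file);
    return HDR_LEN + (size_t)n + 1;
}

/* Corrected: clamp the length to what was actually written. */
size_t build_err_fixed(unsigned char *pkt, uint16_t err, const char *file)
{
    put_header(pkt, err);
    int n = snprintf((char *)pkt + HDR_LEN, MSG_LIMIT, "file %s not found", file);
    if (n < 0) { pkt[HDR_LEN] = '\0'; n = 0; }   /* encoding error: empty text */
    if (n >= MSG_LIMIT) n = MSG_LIMIT - 1;        /* text was truncated */
    return HDR_LEN + (size_t)n + 1;               /* +1 for the terminating NUL */
}

/* Fill the buffer with a marker standing in for earlier DNS data (constructed),
   build an error packet for a file name of name_len bytes, and count marker
   bytes that fall inside the reported packet length. */
size_t stale_bytes_exposed(err_builder build, size_t name_len, size_t *pkt_len)
{
    unsigned char buf[BUF_LEN];
    char name[1024];
    if (name_len >= sizeof name) name_len = sizeof name - 1;
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    memset(buf, 'Q', sizeof buf);
    *pkt_len = build(buf, 1, name);               /* error code 1: file not found */
    size_t stale = 0;
    for (size_t i = HDR_LEN; i < *pkt_len && i < sizeof buf; i++)
        if (buf[i] == 'Q') stale++;
    return stale;
}

int main(void)
{
    size_t len, stale;
    stale = stale_bytes_exposed(build_err_flawed, 800, &len);
    printf("flawed: length %zu, stale bytes %zu\n", len, stale);
    stale = stale_bytes_exposed(build_err_fixed, 800, &len);
    printf("fixed:  length %zu, stale bytes %zu\n", len, stale);
    return 0;
}
```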

What is new in version 2.72:

  • Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
  • Add support for "ipsets" in *BSD, using pf. Thanks to Sven Falempim for the patch.
  • Fix race condition which could lock up dnsmasq when an interface goes down and up rapidly. Thanks to Conrad Kostecki for helping to chase this down.
  • Add DBus methods SetFilterWin2KOption and SetBogusPrivOption. Thanks to the Smoothwall project for the patch.
  • Fix failure to build against Nettle-3.0. Thanks to Steven Barth for spotting this and finding the fix.
  • When assigning existing DHCP leases to interfaces by comparing networks, handle the case that two or more interfaces have the same network part, but different prefix lengths (favour the longer prefix length). Thanks to Lung-Pin Chang for the patch.
  • Add a mode which detects and removes DNS forwarding loops, i.e. a query sent to an upstream server returns as a new query to dnsmasq, and would therefore be forwarded again, resulting in a query which loops many times before being dropped. Upstream servers which loop back are disabled and this event is logged. Thanks to Smoothwall for their sponsorship of this feature.
  • Extend --conf-dir to allow filtering of files. So --conf-dir=/etc/dnsmasq.d,*.conf will load all the files in /etc/dnsmasq.d which end in .conf
  • Fix bug which resulted in NXDOMAIN answers instead of NODATA in some circumstances.
  • Fix bug which caused dnsmasq to become unresponsive if it failed to send packets due to a network interface disappearing. Thanks to Niels Peen for spotting this.
  • Fix problem with --local-service option on big-endian platforms. Thanks to Richard Genoud for the patch.

What is new in version 2.68:

  • Use random addresses for DHCPv6 temporary address allocations, instead of algorithmically determined stable addresses.
  • Fix bug which meant that the DHCPv6 DUID was not available in DHCP script runs during the lifetime of the dnsmasq process which created the DUID de-novo. Once the DUID was created and stored in the lease file and dnsmasq restarted, this bug disappeared.
  • Fix bug introduced in 2.67 which could result in erroneous NXDOMAIN returns to CNAME queries.
  • Fix build failures on MacOS X and openBSD.
  • Allow subnet specifications in --auth-zone to be interface names as well as address literals. This makes it possible to configure authoritative DNS when local address ranges are dynamic and works much better than the previous work-around which exempted constructed DHCP ranges from the IP address filtering. As a consequence, that work-around is removed. Under certain circumstances, this change will break existing configuration: if you're relying on the constructed-range exception, you need to change --auth-zone to specify the same interface as is used to construct your DHCP ranges, probably with a trailing "/6" like this: --auth-zone=example.com,eth0/6 to limit the addresses to IPv6 addresses of eth0.
  • Fix problems when advertising deleted IPv6 prefixes. If the prefix is deleted (rather than replaced), it doesn't get advertised with zero preferred time. Thanks to Tsachi for the bug report.
  • Fix segfault with some locally configured CNAMEs. Thanks to Andrew Childs for spotting the problem.
  • Fix memory leak on re-reading /etc/hosts and friends, introduced in 2.67.
  • Check the arrival interface of incoming DNS and TFTP requests via IPv6, even in --bind-interfaces mode. This isn't possible for IPv4 and can generate scary warnings, but as it's always possible for IPv6 (the API always exists) then we should do it always.
  • Tweak the rules on prefix-lengths in --dhcp-range for IPv6. The new rule is that the specified prefix length must be larger than or equal to the prefix length of the corresponding address on the local interface.

What is new in version 2.63:

  • The main addition in this release is a new mode, --bind-dynamic, which both avoids binding the wildcard IP address and copes with dynamically created network interfaces, thus removing the main limitations of the two existing network modes.

What is new in version 2.61:

  • This version has a lot of extra work on the DHCPv6 code that debuted in 2.60.
  • Many bugs have been fixed and extra features added.
  • The router advertisement feature is now much more configurable, and there's a mode that allows dnsmasq to make AAAA DNS records for hosts that use SLAAC IPv6 addresses and DHCP IPv4 addresses.

What is new in version 2.59:

  • This version addresses a couple of issues that have surfaced with dnsmasq-2.58, which could cause problems at startup with IPv6 link-local addresses.
  • One is a regression in dnsmasq, and the other stems from a change in the behaviour of bridge interfaces in recent Linux kernels.

What is new in version 2.58:

  • Provide a definition of the SA_SIZE macro where it's missing. Fixes build failure on openBSD.
  • Don't include a zero terminator at the end of messages sent to /dev/log when /dev/log is a datagram socket. Thanks to Didier Rabound for spotting the problem.
  • Add --dhcp-sequential-ip flag, to force allocation of IP addresses in ascending order. Note that the default pseudo-random mode is in general better but some server-deployment applications need this.
  • Fix problem where a server-id of 0.0.0.0 is sent to a client when a dhcp-relay is in use if a client renews a lease after dnsmasq restart and before any clients on the subnet get a new lease. Thanks to Mike Ruiz for assistance in chasing this one down.
  • Don't return NXDOMAIN to an AAAA query if we have CNAME which points to an A record only: NODATA is the correct reply in this case. Thanks to Tom Fernandes for spotting the problem.
  • Relax the need to supply a netmask in --dhcp-range for networks which use a DHCP relay. Whilst this is still desirable, in the absence of a netmask dnsmasq will use a default based on the class (A, B, or C) of the address. This should at least remove a cause of mysterious failure for people using RFC1918 addresses and relays.
  • Add support for Linux conntrack connection marking. If enabled with --conntrack, the connection mark for incoming DNS queries will be copied to the outgoing connections used to answer those queries. This allows clever firewall and accounting stuff. Only available if dnsmasq is compiled with HAVE_CONNTRACK and adds a dependency on libnetfilter-conntrack. Thanks to Ed Wildgoose for the initial idea, testing and sponsorship of this function.
  • Provide a sane error message when someone attempts to match a tag in --dhcp-host.
  • Tweak the behaviour of --domain-needed, to avoid problems with recursive nameservers downstream of dnsmasq. The new behaviour only stops A and AAAA queries, and returns NODATA rather than NXDOMAIN replies.
  • Efficiency fix for very large DHCP configurations, thanks to James Gartrell and Mike Ruiz for help with this.
  • Allow the TFTP-server address in --dhcp-boot to be a domain-name which is looked up in /etc/hosts. This can give multiple IP addresses which are used round-robin, thus doing TFTP server load-balancing. Thanks to Sushil Agrawal for the patch.
  • When two tagged dhcp-options for a particular option number are both valid, use the one which is valid without a tag from the dhcp-range. Allows overriding of the value of a DHCP option for a particular host as well as per-network values. So:
      --dhcp-range=set:interface1,......
      --dhcp-host=set:myhost,.....
      --dhcp-option=tag:interface1,option:nis-domain,"domain1"
      --dhcp-option=tag:myhost,option:nis-domain,"domain2"
    will set the NIS-domain to domain1 for hosts in the range, but override that to domain2 for a particular host.
  • Fix bug which resulted in truncated files and timeouts for some TFTP transfers. The bug only occurs with netascii transfers and needs an unfortunate relationship between file size, blocksize and the number of newlines in the last block before it manifests itself. Many thanks to Alkis Georgopoulos for spotting the problem and providing a comprehensive test-case.
  • Fix regression in TFTP server on *BSD platforms introduced in version 2.56, due to confusion with sockaddr length. Many thanks to Loïc Pefferkorn for finding this.
  • Support scope-ids in IPv6 addresses of nameservers from /etc/resolv.conf and in --server options. Eg:
      nameserver fe80::202:a412:4512:7bbf%eth0
      server=fe80::202:a412:4512:7bbf%eth0
    Thanks to Michael Stapelberg for the suggestion.
  • Update Polish translation, thanks to Jan Psota.
  • Update French translation. Thanks to Gildas Le Nadan.

What is new in version 2.57:

  • This version fixes a couple of regressions in the previous release and adds support for the Android platform.

What is new in version 2.56:

  • Add a patch to allow dnsmasq to get interface names right in a Solaris zone. Thanks to Dj Padzensky for this.
  • Improve data-type parsing heuristics so that --dhcp-option=option:domain-search,. treats the value as a string and not an IP address. Thanks to Clemens Fischer for spotting that.
  • Add IPv6 support to the TFTP server. Many thanks to Jan 'RedBully' Seiffert for the patches.
  • Log DNS queries at level LOG_INFO, rather than LOG_DEBUG. This makes things consistent with DHCP logging. Thanks to Adam Pribyl for spotting the problem.
  • Ensure that dnsmasq terminates cleanly when using --syslog-async even if it cannot make a connection to the syslogd.
  • Add --add-mac option. This is to support currently experimental DNS filtering facilities. Thanks to Benjamin Petrin for the original patch.
  • Fix bug which meant that tags were ignored in dhcp-range configuration specifying PXE-proxy service. Thanks to Cristiano Cumer for spotting this.
  • Raise an error if there is extra junk, not part of an option, on the command line.
  • Flag a couple of log messages in cache.c as coming from the DHCP subsystem. Thanks to Olaf Westrik for the patch.
  • Omit timestamps from logs when a) logging to stderr and b) --keep-in-foreground is set. The logging facility on the other end of stderr can be assumed to supply them. Thanks to John Hallam for the patch.
  • Don't complain about strings longer than 255 characters in --txt-record, just split the long strings into 255-character chunks instead.
  • Fix crash on double-free. This bug can only happen when dhcp-script is in use and then only in rare circumstances triggered by high DHCP transaction rate and a slow script. Thanks to Ferenc Wagner for finding the problem.
  • Only log that a file has been sent by TFTP after the transfer has completed successfully.
  • A good suggestion from Ferenc Wagner: extend the --domain option to allow this sort of thing: --domain=thekelleys.org.uk,192.168.0.0/24,local which automatically creates
      --local=/thekelleys.org.uk/
      --local=/0.168.192.in-addr.arpa/
  • Tighten up syntax checking of hex constants in the config file. Thanks to Fred Damen for spotting this.
  • Add dnsmasq logo/icon, contributed by Justin Swift. Many thanks for that.
  • Never cache DNS replies which have the 'cd' bit set, or which result from queries forwarded with the 'cd' bit set. The 'cd' bit instructs a DNSSEC validating server upstream to ignore signature failures and return replies anyway. Without this change it's possible to pollute the dnsmasq cache with bad data by making a query with the 'cd' bit set and subsequent queries would return this data without its being marked as suspect. Thanks to Anders Kaseorg for pointing out this problem.
  • Add --proxy-dnssec flag, for compliance with RFC 4035. Dnsmasq will now clear the 'ad' bit in answers returned from upstream validating nameservers unless this option is set.
  • Allow a filename of "-" for --conf-file to read stdin. Suggestion from Timothy Redaelli.
  • Rotate the order of SRV records in replies, to provide round-robin load balancing when all the priorities are equal. Thanks to Peter McKinney for the suggestion.
  • Edit contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist so that it doesn't log all queries to a file by default. Thanks again to Peter McKinney.
  • By default, setting an IPv4 address for a domain but not an IPv6 address causes dnsmasq to return a NODATA reply for IPv6 (or vice-versa). So --address=/google.com/1.2.3.4 stops IPv6 queries for *google.com from being forwarded. Make it possible to override this behaviour by defining the semantics if the same domain appears in both --server and --address. In that case, the --address has priority for the address family in which it appears, but the --server has priority for the address family which doesn't appear in --address. So:
      --address=/google.com/1.2.3.4
      --server=/google.com/#
    will return 1.2.3.4 for IPv4 queries for *.google.com but forward IPv6 queries to the normal upstream nameserver. Similarly when setting an IPv6 address only this will allow forwarding of IPv4 queries. Thanks to William for pointing out the need for this.
  • Allow more than one --dhcp-optsfile and --dhcp-hostsfile and make them understand directories as arguments in the same way as --addn-hosts. Suggestion from John Hanks.
  • Ignore rebinding requests for leases we don't know about. Rebind is broadcast, so we might get to overhear a request meant for another DHCP server. NAKing this is wrong. Thanks to Brad D'Hondt for assistance with this.
  • Fix cosmetic bug which produced strange output when dumping cache statistics with some configurations. Thanks to Fedor Kozhevnikov for spotting this.

What is new in version 2.55:

  • Fix crash when /etc/ethers is in use. Thanks to Gianluigi Tiesi for finding this.
  • Fix crash in netlink_multicast(). Thanks to Arno Wald for finding this one.
  • Allow the empty domain "." in dhcp domain-search (119) options.
