version 2.92
        Redesign the interaction between DNSSEC validation and per-domain
	servers, specified as --server=/<domain>/<ip-address>. This should
	just work in all cases now. If the normal chain-of-trust exists into
	the delegated domain then whether the domain is signed or not, DNSSEC
	validation will function normally. In the case the delegated domain
	is an "overlay" on top of the global DNS and no NS and/or DS records
	exist connecting it to the global dns, then if the domain is
	unsigned the situation will be handled by synthesising a
	proof-of-non-existence-of-DS for the domain and queries will be
	answered unvalidated; this action will be logged. A signed domain
	without chain-of-trust can be validated if a suitable trust-anchor
	is provided using --trust-anchor. This change should be backwards
	compatible for all existing working configurations; it extends the
	space of possible configurations which are functional.

	Fix a couple of problems with DNSSEC validation and DNAME. One
	could cause validation failure on correct domains, and the other
	would fail to spot an invalid domain. Thanks to Graham Clinch
	for spotting the problem.

	Add --log-queries=auth option to only log replies from the auth DNS
	facility.

	Fix some edge-cases with domains and --address and --server. There
	has been some regressions with this in previous releases. This change
	fixes the priority order from lower to highest as:
	--address with a IPv4 or IPv6 address (as long as the query matches the type)
        --address with # for all-zeros, as long as the query is A or AAAA)
        --address with no address, which returns NXDOMAIN or NOERROR for all types.
        --server with address set to # to use the unqualified servers.
        --server with matching domain.
        --server without domain or from /etc/resolv.conf.

	Fix problems with ipset or nftset and TCP DNS transport. Previously
	this was racy, and insertion of addresses could fail on a busy server
	when DNS-over-TCP transport was involved.

	DNSSEC validation change for reverse lookups in RFC-1918 ranges and friends.
    	The large public DNS services seem not to return proof-of-nonexistence
	for DS records at the start of RFC-1918 in-addr.arpa domains and the their
	IPv6 equivalents. 10.in-addr.arpa, 168.192.in-addr.arpa etc.
	Since dnsmasq already has an option which instructs it not bother
	upstream servers with pointless queries about these address ranges,
	namely --bogus-priv, we extend that to enable behaviour which allows
	dnsmasq to assume that insecure NXDOMAIN replies for these domains
	are expected and to assume that the domains are legitimately unsigned.
	This behaviour only matters when some address range is directed to
	another upstream server using --rev-server. In that case it allows
	replies from that server to pass DNSSEC validation. Without such a
	server configured, queries are never sent upstream so they are never
	validated and the new behaviour is moot.

	Add support for leasequery to the dnsmasq DHCPv4 server.
	This has to be specifically enabled with the --leasequery option.
	Many thanks to JAXPORT, Jacksonville Port Authority for sponsoring
	this enhancement to dnsmasq.

	Fix failure to cache PTR RRs when a reply contains more than one answer.
	Thanks to Dmitry for spotting this.

	Add TFTP options windowsize (RFC 7440) and timeout (RFC 2349).
	
	Change the behaviour of the DHCPv6 server when a REBIND message
	is received but no lease exists. Under these circumstances a new
	lease is created _only_ when the --dhcp-authoritative option is
	set. This matches the behavior of the DHCPv4 server.

	Add --dhcp-split-relay option. This makes a DHCPv4 relay which
	is functional when client and server networks aren't mutually
	route-able.

	Fix failure to add client MAC address to queries in TCP mode.
	The options which cause	dnsmasq	to decorate a DNS query	with the MAC
	address	on the originating client can fail when the query is sent
	using TCP. Thanks to Bruno Ravara for spotting and
	characterising this bug.

	
version 2.91
	Fix spurious "resource limit exceeded messages". Thanks to 
	Dominik Derigs for the bug report.

	Fix out-of-bounds heap read in order_qsort().
	We only need to order two server records on the ->serial field.
	Literal address records are smaller and don't have
	this field and don't need to be ordered on it.
	To actually provoke this bug seems to need the same server-literal
	to be repeated twice, e.g., --address=/a/1.1.1.1 --address-/a/1.1.1.1
	which is clearly rare in the wild, but if it did exist it could
	provoke a SIGSEGV. Thanks to Daniel Rhea for fuzzing this one.

	Fix buffer overflow when configured lease-change script name
	is too long.
	Thanks to Daniel Rhea for finding this one.

	Improve behaviour in the face of non-responsive upstream TCP DNS
	servers. Without shorter timeouts, clients are blocked for too long
	and fail with their own timeouts.

	Set --fast-dns-retries by default when doing DNSSEC. A single
	downstream query can trigger many upstream queries. On an
	unreliable network, there may not be enough downstream retries
	to ensure that all these queries complete.

	Improve behaviour in the face of truncated answers to queries
	for DNSSEC records. Getting these answers by TCP doesn't now
	involve a faked truncated answer to the downstream client to
	force it to move to TCP. This improves performance and robustness
	in the face of broken clients which can't fall back to TCP.

	No longer remove data from truncated upstream answers. If an
	upstream replies with a truncated answer, but the answer has some
	RRs included, return those RRs, rather than returning and
	empty answer.

	Fix handling of EDNS0 UDP packet sizes.
	When talking upstream we always add a pseudo header, and set the
        UDP packet size to --edns-packet-max. Answering queries from
	downstream, we get the answer (either from upstream or local
	data) If local data won't fit the advertised size (or 512 if
	there's not an EDNS0 header) return truncated. If upstream
        returns truncated, do likewise. If upstream is OK, but the
	answer is too big for downstream, truncate the answer.

	Modify the behaviour of --synth-domain for IPv6.
	When deriving a domain name from an IPv6 address, an address
	such as 1234:: would become 1234--.example.com, which is
	not legal in IDNA2008. Stop using the :: compression method,
	so 1234:: becomes
	1234-0000-0000-0000-0000-0000-0000-0000.example.com

	Fix broken dhcp-relay on *BSD. Thanks to Harold for finding
	this problem.

	Add --dhcp-option-pxe config. This acts almost exactly like
	--dhcp-option except that the defined option is only sent when
	replying to PXE clients. More importantly, these options are sent
	in reply PXE clients when dnsmasq in acting in PXE proxy mode. In
	PXE proxy mode, the set of options sent is defined by the PXE standard
	and the normal set of options is not sent. This config allows arbitrary
	options in PXE-proxy replies. A typical use-case is to send option
	175 to iPXE. Thanks to Jason Berry for finding the requirement for
	this.

	Support PXE proxy-DHCP and DHCP-relay at the same time.
        When using PXE proxy-DHCP, dnsmasq supplies PXE information to
        the client, which also talks to another "normal" DHCP server
        for address allocation and similar. The normal DHCP server may
        be on the local network, but it may also be remote, and accessed via
        a DHCP relay. This change allows dnsmasq to act as both a
        PXE proxy-DHCP server AND a DHCP relay for the same network.

	Fix erroneous "DNSSEC validated" state with non-DNSSEC
	upstream servers.  Thanks to Dominik Derigs for the bug report.

	Handle queries with EDNS client subnet fields better. If dnsmasq
	is configured to add an EDNS client subnet to a query, it is careful
	to suppress use of the cache, since a cached answer may not be valid
	for a query with a different client subnet. Extend this behaviour
	to queries which arrive a dnsmasq already carrying an EDNS client
	subnet.

	Handle DS queries to auth zones. When dnsmasq is configured to
	act as an authoritative server and has an authoritative zone
	configured, and receives a query for that zone _as_forwarder_
	it answers the query directly rather than forwarding it. This
	doesn't affect the answer, but it saves dnsmasq forwarding the
	query to the recursor upstream, which then bounces it back to dnsmasq
	in auth mode. The exception should be when the query is for the root
	of zone, for a DS RR. The answer to that has to come from the parent,
	via the recursor, and will typically be a proof-of-non-existence
	since dnsmasq doesn't support signed zones. This patch suppresses
	local answers and forces forwarding to the upstream recursor for such
	queries. It stops breakage when a DNSSEC validating client makes
	queries to dnsmasq acting as forwarder for a zone for which it is
	authoritative.

	Implement "DNS-0x20 encoding", for extra protection against
	reply-spoof attacks. Since DNS queries are case-insensitive,
	it's possible to randomly flip the case of letters in a query
	and still get the correct answer back.
	This adds an extra dimension for a cache-poisoning attacker
	to guess when sending replies in-the-blind since it's expected
	that the legitimate answer will have the same  pattern of upper
	and lower case as the query, so any replies which don't can be
	ignored as malicious. The amount of extra entropy clearly depends
	on the number of a-z and A-Z characters in the query, and this
	implementation puts a hard limit of 32 bits to make resource
	allocation easy. This about doubles entropy over the standard
	random ID and random port combination. This technique can interact
	badly with rare broken DNS servers which don't preserve the case
	of the query in their reply. The first time a reply is returned
	which matches the query in all respects except case, a warning
	will be logged. In this release, 0x020-encoding is default-off
	and must be explicitly enabled with --do-0x20-encoding. In future
	releases it may default on. You can avoid a future release
	changing the behaviour of an installation with --no-x20-encode.
	
	Fix a long-standing problem when two queries which are identical
	in every respect _except_ case, get combined by dnsmasq. If
	dnsmasq gets eg, two queries for example.com and Example.com
	in quick succession it will get the answer for example.com from
	upstream and send that answer to both requestors. This means that
	the query for Example.com will get an answer for example.com, and
	in the modern DNS, that answer may not be accepted.

	
version 2.90
	Fix reversion in --rev-server introduced in 2.88 which
	caused breakage if the prefix length is not exactly divisible
	by 8 (IPv4) or 4 (IPv6).

	Fix possible SEGV when there server(s) for a particular
	domain are configured, but no server which is not qualified
	for a particular domain. Thanks to Daniel Danzberger for
	spotting this bug.

	Set the default maximum DNS UDP packet size to 1232. This
	has been the recommended value since 2020 because it's the
	largest value that avoid fragmentation, and fragmentation
	is just not reliable on the modern internet, especially
	for IPv6. It's still possible to override this with
	--edns-packet-max for special circumstances.

	Add --no-dhcpv4-interface and --no-dhcpv6-interface for
	better control over which interfaces are providing DHCP service.

	Fix issue with stale caching: After replying with stale data,
	dnsmasq sends the query upstream to refresh the cache asynchronously
	and sometimes sends the wrong packet: packet length can be wrong,
	and if an EDE marking stale data is added to the answer that can
	end up in the query also. This bug only seems to cause problems
	when the upstream server is a DOH/DOT proxy. Thanks to Justin He
	for the bug report.

	Add configurable caching for arbitrary RR-types.

	Add --filter-rr option, to filter arbitrary RR-types.
	--filter-rr=ANY has a special meaning: it filters the
	answers to queries for the ANY RR-type.
	
	Add limits on the resources used to do DNSSEC validation.
	DNSSEC introduces a potential CPU DoS, because a crafted domain
	can force a validator to a large number of cryptographic
	operations whilst attempting to do validation. When using TCP
	transport a DNSKEY RRset contain thousands of members and any
	RRset can have thousands of signatures. The potential number
	of signature validations to follow the RFC for validation
	for one RRset is the cross product of the keys and signatures,
	so millions. In practice, the actual numbers are much lower,
	so attacks can be mitigated by limiting the amount of
	cryptographic "work" to a much lower amount. The actual
	limits are number a signature validation fails per RRset(20),
	number of signature validations and hash computations
	per query(200), number of sub-queries  to fetch  DS and DNSKEY
	RRsets per query(40), and the number of iterations in a
	NSEC3 record(150). These values are sensible, but there is, as yet,
	no standardisation on the values for a "conforming" domain, so a
	new option --dnssec-limit is provided should they need to be altered.
	The algorithm to validate DS records has also been altered to reduce
	the maximum work from cross product of the number of DS records and
	number of DNSKEYs to the cross product of the number of DS records
	and supported DS digest types. As the number of DS digest types
	is in single figures, this reduces the exposure.

	Credit is due to Elias Heftrig, Haya Schulmann, Niklas Vogel,
	and Michael Waidner from the German National Research Center for
	Applied Cybersecurity ATHENE for finding this vulnerability.

	CVE 2023-50387 and CVE 2023-50868 apply.
	Note that this a security vulnerability only when DNSSEC validation
	is enabled.
	
	Fix memory-leak when attempting to cache SRV records with zero TTL.
	Thanks to Damian Sawicki for the bug report.

	Add --max-tcp-connections option to make limit on TCP handling
	processes configurable.  Also keep stats on how near the limit
	we're getting, to help with tuning. Patch from Damian Sawicki.

	
version 2.89
        Fix bug introduced in 2.88 (commit fe91134b) which can result
	in corruption of the DNS cache internal data structures and
	logging of "cache internal error". This has only been seen
	in one place in the wild, and it took considerable effort
	to even generate a test case to reproduce it, but there's
	no way to be sure it won't strike, and the effect is to break
	the cache badly. Installations with DNSSEC enabled are more
	likely to see the problem, but not running DNSSEC does not
	guarantee that it won't happen. Thanks to Timo van Roermund
	for reporting the bug and for his great efforts in chasing
	it down.


version 2.88
	Fix bug in --dynamic-host when an interface has /16 IPv4
  	address. Thanks to Mark Dietzer for spotting this.

	Add --fast-dns-retry option. This gives dnsmasq the ability
	to originate retries for upstream DNS queries itself, rather
	than relying on the downstream client. This is most useful
	when doing DNSSEC over unreliable upstream networks. It comes
	with some cost in memory usage and network bandwidth.

	Add --use-stale-cache option. When set, if a DNS name exists
	in the cache, but its time-to-live has expired, dnsmasq will
	return the data anyway. (It attempts to refresh the
	data with an upstream query after returning the stale data.)
	This can improve speed and reliability. It comes
	at the expense of sometimes returning out-of-date data and
	less efficient cache utilisation, since old data cannot be
	flushed when its TTL expires, so the cache becomes
	strictly least-recently-used.

	Add --port-limit option which allows tuning for robustness in
	the face of some upstream network errors. Thanks to
	Prashant Kumar Singh, Ravi Nagayach and Mike Danilov,
	all of Amazon Web Services, for their efforts in developing this
	and the stale-cache and fast-retry options.

	Make --hostsdir (but NOT --dhcp-hostsdir and --dhcp-optsdir)
	handle removal of whole files or entries within files.
	Thanks to Dominik Derigs for the initial patches for this.

	Fix bug, introduced in 2.87, which could result in DNS
	servers being removed from the configuration when reloading
	server configuration from DBus, or re-reading /etc/resolv.conf
	Only servers from the same source should be replaced, but some
	servers from other sources (i.e., hard coded or another dynamic source)
	could mysteriously disappear. Thanks to all reporting this,
	but especially Christopher J. Madsen who reduced the problem
	to an easily reproducible case which saved much labour in
	finding it.

	Add --no-round-robin option.

	Allow domain names as well as IP addresses when specifying
	upstream DNS servers. There are some gotchas associated with this
	(it will mysteriously fail to work if the dnsmasq instance
	being started is in the path from the system resolver to the DNS),
	and a seemingly sensible configuration like
	--server=domain.name@1.2.3.4 is unactionable if domain.name
	only resolves to an IPv6 address). There are, however,
	cases where is can be useful. Thanks to Dominik Derigs for
	the patch.

	Handle DS records for unsupported crypto algorithms correctly.
	Such a DS, as long as it is validated, should allow answers
	in the domain it attests to be returned as unvalidated, and not
	as a validation error.

	Optimise reading large numbers of --server options. When re-reading
	upstream servers from /etc/resolv.conf or other sources that
	can change dnsmasq tries to avoid memory fragmentation by re-using
	existing records that are being re-read unchanged. This involves
	searching all the server records for each new one installed.
	During startup this search is pointless, and can cause long
	start times with thousands of --server options because the work
	needed is O(n^2). Handle this case more intelligently.
	Thanks to Ye Zhou for spotting the problem and an initial patch.
	
	If we detect that a DNS reply from upstream is malformed don't
	return it to the requestor; send a SEVFAIL rcode instead.

	
version 2.87
        Allow arbitrary prefix lengths in --rev-server and
	--domain=....,local

	Replace --address=/#/..... functionality which got
	missed in the 2.86 domain search rewrite.

	Add --nftset option, like --ipset but for the newer nftables.
	Thanks to Chen Zhenge for the patch.
	
	Add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6
	addresses from DNS answers.

	Fix crash doing netbooting when --port is set to zero
	to disable the DNS server. Thanks to Drexl Johannes
	for the bug report.

	Generalise --dhcp-relay. Sending via broadcast/multicast is
	now supported for both IPv4 and IPv6 and the configuration
	syntax made easier (but backwards compatible).
	
	Add snooping of IPv6 prefix-delegations to the DHCP-relay system.

	Finesse parsing of --dhcp-remoteid and --dhcp-subscrid. To be treated
	as hex, the pattern must consist of only hex digits AND contain
	at least one ':'. Thanks to Bengt-Erik Sandstrom who tripped
	over a pattern consisting of a decimal number which was interpreted
	surprisingly.

	Include client address in TFTP file-not-found error reports.
	Thanks to Stefan Rink for the initial patch, which has been
	re-worked by me (srk). All bugs mine.

	Note in manpage the change in behaviour of -address. This behaviour
	actually changed in v2.86, but was undocumented there. From 2.86 on,
	(eg) --address=/example.com/1.2.3.4 ONLY applies to A queries. All other
	types of query will be sent upstream. Pre 2.86, that would catch the
	whole example.com domain and queries for other types would get
	a local NODATA answer. The pre-2.86 behaviour is still available,
	by configuring --address=/example.com/1.2.3.4 --local=/example.com/

        Fix problem with binding DHCP sockets to an individual interface.
	Despite the fact that the system call tales the interface _name_ as
	a parameter, it actually, binds the socket to interface _index_.
	Deleting the interface and creating a new one with the same name
	leaves the socket bound to the old index. (Creating new sockets
	always allocates a fresh index, they are not reused). We now
	take this behaviour into account and keep up with changing indexes.

	Add --conf-script configuration option.

	Enhance --domain to accept, for instance,
	--domain=net2.thekelleys.org.uk,eth2 so that hosts get a domain
	which reflects the interface they are attached to in a way which
	doesn't require hard-coding addresses. Thanks to Sten Spans for
	the idea.

	Fix write-after-free error in DHCPv6 server code.
	CVE-2022-0934 refers.
	
	Add the ability to specify destination port in
	DHCP-relay mode. This change also removes a previous bug
	where --dhcp-alternate-port would affect the port used
	to relay _to_ as well as the port being listened on.
	The new feature allows configuration to provide bug-for-bug
	compatibility, if required. Thanks to Damian Kaczkowski 
	for the feature suggestion.

	Bound the value of UDP packet size in the EDNS0 header of
	forwarded queries to the configured or default value of
	edns-packet-max. There's no point letting a client set a larger
	value if we're unable to return the answer. Thanks to Bertie
	Taylor for pointing out the problem and supplying the patch.
	
	Fix problem with the configuration
	
	--server=/some.domain/# --address=/#/<ip> --server=<server_ip>

	This would return <ip> for queries in some.domain, rather than
	forwarding the query via the default server.

	Tweak DHCPv6 relay code so that packets relayed towards a server
	have source address on the server-facing network, not the
	client facing network. Thanks to Luis Thomas for spotting this
	and initial patch.


version 2.86
	Handle DHCPREBIND requests in the DHCPv6 server code.
	Thanks to Aichun Li for spotting this omission, and the initial
	patch.

	Fix bug which caused dnsmasq to lose track of processes forked
	to handle TCP DNS connections under heavy load. The code
	checked that at least one free process table slot was
	available before listening on TCP sockets, but didn't take
	into account that more than one TCP connection could
	arrive, so that check was not sufficient to ensure that
	there would be slots for all new processes. It compounded
	this error by silently failing to store the process when
	it did run out of slots. Even when this bug is triggered,
	all the right things happen, and answers are still returned.
	Only under very exceptional circumstances, does the bug
	manifest itself: see
	https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014976.html
	Thanks to Tijs Van Buggenhout for finding the conditions under
	which the bug manifests itself, and then working out
	exactly what was going on.

	Major rewrite of the DNS server and domain handling code.
	This should be largely transparent, but it drastically
	improves performance and reduces memory foot-print when
	configuring large numbers domains of the form
	local=/adserver.com/
	or
	local=/adserver.com/#
	Lookup times now grow as log-to-base-2 of the number of domains,
	rather than greater than linearly, as before.
	The change makes multiple addresses associated with a domain work
	address=/example.com/1.2.3.4
	address=/example.com/5.6.7.8
	It also handles multiple upstream servers for a domain better; using
	the same try/retry algorithms as non domain-specific servers. This
	also applies to DNSSEC-generated queries.
	Finally, some of the oldest and gnarliest code in dnsmasq has had
	a significant clean-up. It's far from perfect, but it _is_ better.

	Revise resource handling for number of concurrent DNS queries. This
	used to have a global limit, but that has a problem when using
	different servers for different upstream domains. Queries which are
	routed by domain to an upstream server which is not responding will
	build up and trigger the limit, which breaks DNS service for
	all other domains which could be handled by other servers. The
	change is to make the limit per server-group, where a server group
	is the set of servers configured for a particular domain. In the
	common case, where only default servers are declared, there is
	no effective change.

	Improve efficiency of DNSSEC. The sharing point for DNSSEC RR data
	used to be when it entered the cache, having been validated. After
	that queries requiring the KEY or DS records would share the cached
	values. There is a common case in dual-stack hosts that queries for
	A and AAAA records for the same domain are made simultaneously.
	If required keys were not in the cache, this would result in two
	requests being sent upstream for the same key data (and all the
	subsequent chain-of-trust queries.) Now we combine these requests
	and elide the duplicates, resulting in fewer queries upstream
	and better performance. To keep a better handle on what's
	going on, the "extra" logging mode has been modified to associate
	queries and answers  for DNSSEC queries in the same way as ordinary
	queries. The requesting address and port have been removed from
	DNSSEC logging lines, since this is no longer strictly defined.

	Connection track mark based DNS query filtering. Thanks to
	Etan Kissling for implementing this It extends query filtering
	support beyond what is currently possible
	with the `--ipset` configuration option, by adding support for:
	1) Specifying allowlists on a per-client basis, based on their
	   associated Linux connection track mark.
	2) Dynamic configuration of allowlists via Ubus.
	3) Reporting when a DNS query resolves or is rejected via Ubus.
	4) DNS name patterns containing wildcards.
	Disallowed queries are not forwarded; they are rejected
	with a REFUSED error code.

	Allow smaller than 64 prefix lengths in synth-domain, with caveats.
	--synth-domain=1234:4567::/56,example.com is now valid.

	Make domains generated by --synth-domain appear in replies
	when in authoritative mode.

	Ensure CAP_NET_ADMIN capability is available when
	conntrack is configured. Thanks to Yick Xie for spotting
	the lack of this.

	When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
	given a directory as argument, define the order in which
	files within that directory are read (alphabetical order
	of filename). Thanks to Ed Wildgoose for the initial patch
	and motivation for this.

	Allow adding IP address to nftables set in addition to
	ipset.

	
version 2.85
        Fix problem with DNS retries in 2.83/2.84.
        The new logic in 2.83/2.84 which merges distinct requests
	for the same domain causes problems with clients which do
	retries as distinct requests (differing IDs and/or source ports.)
	The retries just get piggy-backed on the first, failed, request.
        The logic is now changed so that distinct requests for repeated
        queries still get merged into a single ID/source port, but
	they now always trigger a re-try upstream.
        Thanks to Nicholas Mu for his analysis.

	Tweak sort order of tags in get-version. v2.84 sorts
	before v2.83, but v2.83 sorts before v2.83rc1 and 2.83rc1
	sorts before v2.83test1. This fixes the problem which lead
	to 2.84 announcing itself as 2.84rc2.

 	Avoid treating a --dhcp-host which has an IPv6 address
	as eligible for use with DHCPv4 on the grounds that it has
	no address, and vice-versa. Thanks to Viktor Papp for
	spotting the problem. (This bug was fixed was back in 2.67, and
	then regressed in 2.81).

	Add --dynamic-host option: A and AAAA records which take their
	network part from the network of a local interface. Useful
	for routers with dynamically prefixes. Thanks
	to Fred F for the suggestion.

	Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet.

	Use random source ports where possible if source
	addresses/interfaces in use.
	CVE-2021-3448 applies. Thanks to Petr Menšík for spotting this.
	It's possible to specify the source address or interface to be
	used when contacting upstream name servers: server=8.8.8.8@1.2.3.4
	or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of
	these have, until now, used a single socket, bound to a fixed
	port. This was originally done to allow an error (non-existent
	interface, or non-local address) to be detected at start-up. This
	means that any upstream servers specified in such a way don't use
	random source ports, and are more susceptible to cache-poisoning
	attacks.
	We now use random ports where possible, even when the
	source is specified, so server=8.8.8.8@1.2.3.4 or
	server=8.8.8.8@eth0 will use random source
	ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will
	use the explicitly configured port, and should only be done with
	understanding of the security implications.
	Note that this change changes non-existing interface, or non-local
	source address errors from fatal to run-time. The error will be
	logged and communication with the server not possible.

	Change the method of allocation of random source ports for DNS.
	Previously, without min-port or max-port configured, dnsmasq would
	default to the compiled in defaults for those, which are 1024 and
	65535. Now, when neither are configured, it defaults instead to
	the kernel's ephemeral port range, which is typically
	32768 to 60999 on Linux systems. This change eliminates the
	possibility that dnsmasq may be using a registered port > 1024
	when a long-running daemon starts up and wishes to claim it.
	This change does likely slightly reduce the number of random ports
	and therefore the protection from reply spoofing. The older
	behaviour can be restored using the min-port and max-port config
	switches should that be a concern.

	Scale the size of the DNS random-port pool based on the
	value of the --dns-forward-max configuration.

	Tweak TFTP code to check sender of all received packets, as
	specified in RFC 1350 para 4.

	Support some wildcard matching of input tags to --tag-if.
	Thanks to Geoff Back for the idea and the patch.

	
version 2.84
	Fix a problem, introduced in 2.83, which could see DNS replies
	being sent via the wrong socket. On machines running both
	IPv4 and IPv6 this could result in sporadic messages of
	the form "failed to send packet: Network is unreachable" and
	the lost of the query. Since the error is sporadic and of
	low probability, the client retry would normally succeed.

	Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH.


version 2.83
	Use the values of --min-port and --max-port in outgoing
	TCP connections to upstream DNS servers.

	Fix a remote buffer overflow problem in the DNSSEC code. Any
	dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
	referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
	CVE-2020-25687.

	Be sure to only accept UDP DNS query replies at the address
	from which the query was originated. This keeps as much entropy
	in the {query-ID, random-port} tuple as possible, to help defeat
	cache poisoning attacks. Refer: CVE-2020-25684.

	Use the SHA-256 hash function to verify that DNS answers
	received are for the questions originally asked. This replaces
	the slightly insecure SHA-1 (when compiled with DNSSEC) or
	the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.

	Handle multiple identical near simultaneous DNS queries better.
	Previously, such queries would all be forwarded
	independently. This is, in theory, inefficient but in practise
	not a problem, _except_ that is means that an answer for any
	of the forwarded queries will be accepted and cached.
	An attacker can send a query multiple times, and for each repeat,
	another {port, ID} becomes capable of accepting the answer he is
	sending in the blind, to random IDs and ports. The chance of a
	successful attack is therefore multiplied by the number of repeats
	of the query. The new behaviour detects repeated queries and
	merely stores the clients sending repeats so that when the
	first query completes, the answer can be sent to all the
	clients who asked. Refer: CVE-2020-25686.
	

version 2.82
	Improve behaviour in the face of network interfaces which come
	and go and change index. Thanks to Petr Mensik for the patch.

	Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
	to a warning.

	Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in --dhcp-option.

	Fix crash under heavy TCP connection load introduced in 2.81.
	Thanks to Frank for good work chasing this down.

	Change default lease time for DHCPv6 to one day.

	Alter calculation of preferred and valid times in router
	advertisements, so that these do not have a floor applied
	of the lease time in the dhcp-range if this is not explicitly
	specified and is merely the default.
	Thanks to Martin-Éric Racine for suggestions on this.

	
version 2.81
	Improve cache behaviour for TCP connections. For ease of
	implementation, dnsmasq has always forked a new process to handle
	each incoming TCP connection. A side-effect of this is that
	any DNS queries answered from TCP connections are not cached:
	when TCP connections were rare, this was not a problem.
	With the coming of DNSSEC, it is now the case that some
	DNSSEC queries have answers which spill to TCP, and if,
	for instance, this applies to the keys for the root, then
	those never get cached, and performance is very bad.
	This fix passes cache entries back from the TCP child process to
	the main server process, and fixes the problem.

	Remove the NO_FORK compile-time option, and support for uclinux.
	In an era where everything has an MMU, this looks like
	an anachronism, and it adds to (Ok, multiplies!) the
	combinatorial explosion of compile-time options. Thanks to
	Kevin Darbyshire-Bryant for the patch.

	Fix line-counting when reading /etc/hosts and friends; for
	correct error messages. Thanks to Christian Rosentreter
	for reporting this.

	Fix bug in DNS non-terminal code, added in 2.80, which could
	sometimes cause a NODATA rather than an NXDOMAIN reply.
	Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
	for spotting and diagnosing the bug and providing patches.

	Support TCP-fastopen (RFC-7413) on both incoming and
	outgoing TCP connections, if supported and enabled in the OS.

	Improve kernel-capability manipulation code under Linux. Dnsmasq
	now fails early if a required capability is not available, and
	tries not to request capabilities not required by its
	configuration.

	Add --shared-network config. This enables allocation of addresses
	by the DHCP server in subnets where the server (or relay) does not
	have an interface on the network in that subnet. Many thanks to
	kamp.de for sponsoring this feature.
	
	Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
	validation check got borked in commit 2b38e382 and release 2.80.
	Thanks to Tomasz Szajner for spotting this.

	Fix compilation against nettle version 3.5 and later.

	Fix spurious DNSSEC validation failures when the auth section
	of a reply contains unsigned RRs from a signed zone, 
	with the exception that NSEC and NSEC3 RRs must always be signed.
        Thanks to Tore Anderson for spotting and diagnosing the bug.

	Add --dhcp-ignore-clid. This disables reading of DHCP client
	identifier option (option 61), so clients are only identified by
	MAC addresses.

	Fix a bug which stopped --dhcp-name-match from working when a hostname
	is supplied in --dhcp-host. Thanks to James Feeney for spotting this.

	Fix bug which caused very rarely caused zero-length DHCPv6 packets.
	Thanks to Dereck Higgins for spotting this.

	Add --tftp-single-port option.

	Enhance --conf-dir to load files in a deterministic order. Thanks to
	Evgenii Seliavka for the suggestion and initial patch.

	In the router advert code, handle case where we have two
	different interfaces on the same IPv6 net, and we are doing
	RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
	for spotting this case and making the initial patch.

	Support prefixed ranges of ipv6 addresses in dhcp-host.
	This eases problems chain-netbooting, where each link in the
	chain requests an address using a different UID. With a single
	address, only one gets the "static" address, but with this
	fix, enough addresses can be reserved for all the stages of the
	boot. Many thanks to Harald Jensås for his work on this idea and
	earlier patches.

	Add filtering by tag of --dhcp-host directives. Based on a patch
	by Harald Jensås.

	Allow empty server spec in --rev-server, to match --server.
	
	Remove DSA signature verification from DNSSEC, as specified in
	RFC 8624. Thanks to Loganaden Velvindron for the original patch.

	Add --script-on-renewal option.

	
version 2.80
	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
	for the initial patch and motivation.

	Alter the default for dnssec-check-unsigned. Versions of
	dnsmasq prior to 2.80 defaulted to not checking unsigned
	replies, and used --dnssec-check-unsigned to switch
        this on. Such configurations will continue to work as before,
        but those which used the default of no checking will need to be
        altered to explicitly select no checking. The new default is
        because switching off checking for unsigned replies is
	inherently dangerous. Not only does it open the possibility of forged
        replies, but it allows everything to appear to be working even
        when the upstream namesevers do not support DNSSEC, and in this
        case no DNSSEC validation at all is occurring.

        Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
	are set. Thanks to Daniel Miess for help with this.

	Add a facility to store DNS packets sent/received in a
	pcap-format file for later debugging. The file location
	is given by the --dumpfile option, and a bitmap controlling
	which packets should be dumped is given by the --dumpmask
	option.

	Handle the case of both standard and constructed dhcp-ranges on the
	same interface better. We don't now construct a dhcp-range if there's
	already one specified. This allows the specified interface to
	have different parameters and avoids advertising the same
	prefix twice. Thanks to Luis Marsano for spotting this case.

	Allow zone transfer in authoritative mode if auth-peer is specified,
	even if auth-sec-servers is not. Thanks to Raphaël Halimi for
	the suggestion.

	Fix bug which sometimes caused dnsmasq to wrongly return answers
	without DNSSEC RRs to queries with the do-bit set, but only when
	DNSSEC validation was not enabled.
	Thanks to Petr Menšík for spotting this.

	Fix missing fatal errors with some malformed options
	(server, local, address, rebind-domain-ok, ipset, alias).
	Thanks to Eugene Lozovoy for spotting the problem.

	Fix crash on startup with a --synth-domain which has no prefix.
	Introduced in 2.79. Thanks to Andreas Engel for the bug report.

	Fix missing EDNS0 section in some replies generated by local
	DNS configuration which confused systemd-resolvd. Thanks to
	Steve Dodd for characterising the problem.

	Add --dhcp-name-match config option. 

	Add --caa-record config option.

	Implement --address=/example.com/# as (more efficient) syntactic
	sugar for --address=/example.com/0.0.0.0 and
	--address=/example.com/::
	Returning null addresses is a useful technique for ad-blocking.
	Thanks to Peter Russell for the suggestion.
	
	Change anti cache-snooping behaviour with queries with the
	recursion-desired bit unset. Instead to returning SERVFAIL, we
	now always forward, and never answer from the cache. This
	allows "dig +trace" command to work. 
	
	Include in the example config file a formulation which
	stops DHCP clients from claiming the DNS name "wpad".
	This is a fix for the CERT Vulnerability VU#598349.

	
version 2.79
	Fix parsing of CNAME arguments, which are confused by extra spaces.
	Thanks to Diego Aguirre for spotting the bug.

	Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
	upstream servers to an interface, rather than SO_BINDTODEVICE.
	Thanks to Beniamino Galvani for the patch.

	Always return a SERVFAIL answer to DNS queries without the
	recursion desired bit set, UNLESS acting as an authoritative
	DNS server. This avoids a potential route to cache snooping.

	Add support for Ed25519 signatures in DNSSEC validation.

	No longer support RSA/MD5 signatures in DNSSEC validation,
	since these are not secure. This behaviour is mandated in
	RFC-6944.

	Fix incorrect error exit code from dhcp_release6 utility.
	Thanks Gaudenz Steinlin for the bug report.

	Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
	time validation when --dnssec-no-timecheck is in use.
	Note that this is an incompatible change from earlier releases.

	Allow more than one --bridge-interface option to refer to an
	interface, so that we can use
	--bridge-interface=int1,alias1
	--bridge-interface=int1,alias2
	as an alternative to
	--bridge-interface=int1,alias1,alias2
	Thanks to Neil Jerram for work on this.

	Fix for DNSSEC with wildcard-derived NSEC records.
	It's OK for NSEC records to be expanded from wildcards,
	but in that case, the proof of non-existence is only valid
	starting at the wildcard name, *.<domain> NOT the name expanded
	from the wildcard. Without this check it's possible for an
	attacker to craft an NSEC which wrongly proves non-existence.
	Thanks to Ralph Dolmans for finding this, and co-ordinating 
	the vulnerability tracking and fix release.
	CVE-2017-15107 applies.

	Remove special handling of A-for-A DNS queries. These
	are no longer a significant problem in the global DNS.
	http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
	Thanks to Mattias Hellström for the initial patch.

	Fix failure to delete dynamically created dhcp options
	from files in -dhcp-optsdir directories. Thanks to
	Lindgren Fredrik for the bug report.

	Add to --synth-domain the ability to create names using
	sequential numbers, as well as encodings of IP addresses.
	For instance,
	--synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
	creates 21 domain names of the form
	internal-4.thekelleys.org.uk over the address range given, with
	internal-0.thekelleys.org.uk being 192.168.0.50 and
	internal-20.thekelleys.org.uk being 192.168.0.70
	Thanks to Andy Hawkins for the suggestion.

	Tidy up Crypto code, removing workarounds for ancient
	versions of libnettle. We now require libnettle 3.


version 2.78
        Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
	Novakovic for the patch.

	Revert ping-check of address in DHCPDISCOVER if there
	already exists a lease for the address. Under some
	circumstances, and netbooted windows installation can reply
	to pings before if has a DHCP lease and block allocation
	of the address it already used during netboot. Thanks to
	Jan Psota for spotting this.

	Fix DHCP relaying, broken in 2.76 and 2.77 by commit
	ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
	John Fitzgibbon for the diagnosis and patch.

        Try other servers if first returns REFUSED when
	--strict-order active. Thanks to Hans Dedecker
	for the patch

	Fix regression in 2.77, ironically added as a security
	improvement, which resulted in a crash when a DNS
	query exceeded 512 bytes (or the EDNS0 packet size,
	if different.) Thanks to Christian Kujau, Arne Woerner
	Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
	chasing this one down.  CVE-2017-13704 applies.

	Fix heap overflow in DNS code. This is a potentially serious
	security hole. It allows an attacker who can make DNS
	requests to dnsmasq, and who controls the contents of
	a domain, which is thereby queried, to overflow
	(by 2 bytes) a heap buffer and either crash, or
	even take control of, dnsmasq.
	CVE-2017-14491 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix heap overflow in IPv6 router advertisement code.
	This is a potentially serious security hole, as a
	crafted RA request can overflow a buffer and crash or
	control dnsmasq. Attacker must be on the local network.
	CVE-2017-14492 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	and Kevin Hamacher of the Google Security Team for
	finding this.

	Fix stack overflow in DHCPv6 code. An attacker who can send
	a DHCPv6 request to dnsmasq can overflow the stack frame and
	crash or control dnsmasq.
	CVE-2017-14493 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix information leak in DHCPv6. A crafted DHCPv6 packet can
	cause dnsmasq to forward memory from outside the packet
	buffer to a DHCPv6 server when acting as a relay.
	CVE-2017-14494 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix DoS in DNS. Invalid boundary checks in the
	add_pseudoheader function allows a memcpy call with negative
	size An attacker which can send malicious DNS queries
	to dnsmasq can trigger a DoS remotely.
	dnsmasq is vulnerable only if one of the following option is
	specified: --add-mac, --add-cpe-id or --add-subnet.
	CVE-2017-14496 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix out-of-memory Dos vulnerability. An attacker which can
	send malicious DNS queries to dnsmasq can trigger memory
	allocations in the add_pseudoheader function
	The allocated memory is never freed which leads to a DoS
	through memory exhaustion. dnsmasq is vulnerable only
	if one of the following option is specified:
	--add-mac, --add-cpe-id or --add-subnet.
