~samiam/MaraDNS

ref: 3.5.0021 MaraDNS/maradns-win32/Update-guide.txt -rw-r--r-- 5.7 KiB
ca00f282 — Sam Trenholme MaraDNS release 3.5.0021 4 months ago
                                                                                
Deadwood 3.5.0007 now prefers to use ip_blocklist instead of 
ip_blacklist.  The older ip_blacklist name still works as before.

---

Deadwood 3.5.0004 no longer needs to have maximum_cache_elements
increased to store upstream_servers, root_servers, ip4, ip6, or
blocklist entries.

---

Deadwood 3.5.0002 no longer needs mkSecretTxt.exe or a file named
secret.txt to get entropy.  Instead, it uses CryptAcquireContext()
to get random numbers.

---

Deadwood 3.4.01 and Deadwood 3.4.02 do not change any Deadwood code 
relative to Deadwood 3.3.03.

---

Deadwood 3.3.03 is updated to use the https://quad9.net upstream DNS
servers as the default.  If the old behavior of using the ICANN name
servers as root servers is desired, add the following lines to one's
dwood3rc.txt file:

root_servers = {}
root_servers["."]="198.41.0.4, 199.9.14.201, 192.33.4.12, 199.7.91.13,"
root_servers["."]+="192.203.230.10, 192.5.5.241, 192.112.36.4, "
root_servers["."]+="198.97.190.53, 192.36.148.17, 192.58.128.30, "
root_servers["."]+="193.0.14.129, 199.7.83.42, 202.12.27.33"

PLEASE NOTE: The above list of IPs is current as of 2019-04-07, and
was last changed in October of 2017.

Please go to https://root-servers.org to get an up-to-date list of root
servers.

---

Deadwood 3.3.02 introduces a new parameter: ip6
No changes to configuration files need to be made for this release.

---

Deadwood 3.3.01 introduces a new parameter: ip4
No changes to configuration files need to be made for this release.

---

Deadwood 3.2.14 is a bugfix update. No changes to configuration files
need to be made for this release.

---

Deadwood 3.2.12 is a security update.  No changes to configuration files
need to be made for this release.

A couple of minor changes that affect configuration since 3.2.02:

* Deadwood now exits with a fatal error when there are over 20,000
  upstream/root server entries in dwood3rc (older Deadwood releases would
  silently not work)

* Default file name for entropy in Windows is now "secret.txt"

* Default maxprocs increased to 1024; maximum maxprocs increased to 
  8,388,608 

---

Deadwood 3.2.02 is a stable release.  This release has a new parameter:
max_ttl, which limits how long an entry can stay in the cache; the default
TTL cap is one day (86400 seconds).  

---

Deadwood 3.2.01 is a stable release.  The default timeout has been decreased
from 2 to 1 second.  This will make resolution faster for the majority of
users; for users on slow connections with problems resolving domains,
add the following line to a dwood3rc file:

timeout_seconds = 3

num_retries now has a default value of 5 instead of 2.  To restore the
old value, add this to the dwood3rc file:

num_retries = 2

---

Deadwood 3.0.04, in addition to fixing a number of bugs, has added some
features.  In particular:

  * I consider it a bug if any valid dwood3rc file does not parse in Python 2.
    That in mind, I have updated the dwood3rc parser to not allow parameters to
    have any leading whitespace (since whitespace is significant in Python).

    This is OK:

recursive_acl = "127.0.0.1/16, 192.168.1.1/24"

    But this will raise an error:

  recursive_acl = "127.0.0.1/16, 192.168.1.1/24"

    (Observe the extra space on the left of the second example)

  * It is no longer allowed to set both root_servers and upstream_servers for
    a given name. In other words, a configuration like this will now raise an
    error:

upstream_servers = {}
upstream_servers["example.com."] = "127.0.0.1"
root_servers = {}
root_servers["example.com."] = "192.168.1.1"

  * Deadwood now raises a warning when the same name is set more than once.
    This will now trigger a warning:

upstream_servers = {}
upstream_servers["example.net."] = "10.1.2.3"
upstream_servers["example.net."] = "192.168.1.1"

    I was tempted to make this fatal, but decided not to because making this
    fatal would make it more difficult to manage large anti-phish/malware
    blocklists.

  * It is no longer permitted to initialize root_servers or upstream_servers
    more than once. This will now raise an error:

upstream_servers = {}
upstream_servers["example.net."] = "10.1.2.3"
upstream_servers = {}
upstream_servers["example.com."] = "192.168.1.1"

  * Deadwood will now raise an error for invalid lists of root or upstream
    servers. This is now fatal:

root_servers = {}
root_servers["."] = "foo"

  * Deadwood now requires that any bind_address is in the recursive ACL.  
    This is now fatal:

bind_address = "127.0.0.1, 192.168.1.42"
recursive_acl = "127.0.0.1/16"

    It can be fixed thusly:

bind_address = "127.0.0.1, 192.168.1.42"
recursive_acl = "127.0.0.1/16, 192.168.1.1/24"
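
The 3.0.04 rules above can be checked before an upgrade with a small linter. This is an added example in Python, not code from Deadwood; lint_dwood3rc and its messages are hypothetical names, and the real parser may differ in details. It assumes one assignment per line, quoted comma-separated lists, and well-formed bind_address and recursive_acl values.

```python
import ipaddress
import re

# name, optional ["key"], operator (= or +=), right-hand side
ASSIGN = re.compile(r'^(\w+)(?:\["([^"]*)"\])?\s*(\+?=)\s*(.*)$')
DICTS = ("root_servers", "upstream_servers")

def split_list(value):
    return [p.strip() for p in value.strip().strip('"').split(",") if p.strip()]

def lint_dwood3rc(text):
    """Return (errors, warnings), each a list of (line_number, message)."""
    errors, warnings, scalars, inited = [], [], {}, set()
    keys = {d: set() for d in DICTS}
    for n, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line.strip())
        if not m:
            continue  # blank line, comment, or syntax this sketch does not model
        if line[0] in " \t":
            errors.append((n, "leading whitespace"))
            continue
        name, key, op, value = m.groups()
        if name not in DICTS:
            scalars[name] = (n, split_list(value))
        elif key is None:  # "name = {}" initialization
            if name in inited:
                errors.append((n, name + " initialized more than once"))
            inited.add(name)
        else:
            if key in keys[DICTS[1 - DICTS.index(name)]]:
                errors.append((n, key + " in both root_servers and upstream_servers"))
            if op == "=" and key in keys[name]:
                warnings.append((n, key + " set more than once"))
            keys[name].add(key)
            for addr in split_list(value):
                try:
                    ipaddress.ip_address(addr)
                except ValueError:
                    errors.append((n, "invalid server address " + addr))
    if "bind_address" in scalars and "recursive_acl" in scalars:
        n, binds = scalars["bind_address"]
        acl = [ipaddress.ip_network(a, strict=False) for a in scalars["recursive_acl"][1]]
        for b in binds:
            if not any(ipaddress.ip_address(b) in net for net in acl):
                errors.append((n, "bind_address " + b + " not in recursive_acl"))
    return errors, warnings

# Constructed sample: the bind_address case the guide calls fatal.
SAMPLE = 'bind_address = "127.0.0.1, 192.168.1.42"\nrecursive_acl = "127.0.0.1/16"\n'
print(lint_dwood3rc(SAMPLE))
```
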


---

Deadwood 3.0.03 is a bugfix-only upgrade of Deadwood 3.0.02.  No changes made
will impact users.

---

Deadwood 3.0.02 is a bugfix-only upgrade of Deadwood 3.0.01.  

The one update that will noticeably impact users is the fact that
filter_rfc1918 now filters more DNS replies.  In particular, DNS
answers with the following IP ranges are now filtered by default:

     * 192.168.x.x
     * 172.[16-31].x.x
     * 10.x.x.x
     * 127.x.x.x
     * 169.254.x.x
     * 224.x.x.x
     * 0.0.x.x

If one of the above IPs is detected in a DNS reply, and filter_rfc1918
has a value of 1, Deadwood will return a synthetic "this host does not
reply" response (a SOA record in the NS section) instead of the A record.

The reason for this is to provide a "dnswall" that protects users from
some kinds of attacks, as described at http://crypto.stanford.edu/dns/

If it is desired to have DNS answers with these IPs, add the following
line to dwood3rc.txt:

filter_rfc1918 = 0
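
Before deciding whether to set filter_rfc1918 = 0, it helps to know which of one's own names resolve into the filtered ranges, since those answers are replaced while the filter is on. This is an added example in Python, not Deadwood code; the function names and sample records are made up, and reading each pattern in the list above as the CIDR block shown beside it is an assumption.

```python
import ipaddress

# Assumption: each pattern in the guide is read as the CIDR block beside it.
FILTERED = [
    ("192.168.x.x", ipaddress.ip_network("192.168.0.0/16")),
    ("172.[16-31].x.x", ipaddress.ip_network("172.16.0.0/12")),
    ("10.x.x.x", ipaddress.ip_network("10.0.0.0/8")),
    ("127.x.x.x", ipaddress.ip_network("127.0.0.0/8")),
    ("169.254.x.x", ipaddress.ip_network("169.254.0.0/16")),
    ("224.x.x.x", ipaddress.ip_network("224.0.0.0/8")),
    ("0.0.x.x", ipaddress.ip_network("0.0.0.0/16")),
]

def matched_pattern(address):
    """Return the guide's pattern that covers an A-record address, or None."""
    try:
        ip = ipaddress.IPv4Address(address)
    except ValueError:
        return None  # not an IPv4 address; the listed ranges are IPv4 only
    for pattern, net in FILTERED:
        if ip in net:
            return pattern
    return None

def audit(records, filter_rfc1918=1):
    """List (name, address, pattern) for A records that would be replaced."""
    if not filter_rfc1918:
        return []
    hits = []
    for name, address in records:
        pattern = matched_pattern(address)
        if pattern:
            hits.append((name, address, pattern))
    return hits

# Constructed sample answers (names and addresses are made up).
SAMPLE = [("intranet.example.com.", "10.20.30.40"), ("www.example.com.", "203.0.113.7"),
          ("rebind.example.net.", "172.31.255.1"), ("edge.example.net.", "172.32.0.1")]
print(audit(SAMPLE))
```
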