Re: [Dnsmasq-discuss] Method to get Dnsmasq serve address of a host from interface address

2023-03-16 Thread Simon Kelley
This is really the function of the dnsmasq.conf.example file that's 
distributed with the source code for dnsmasq. Unfortunately that has 
become rather out-of-date. It could do with a major overhaul.



Simon.


On 14/03/2023 07:55, Olivier wrote:

Hello,

Could it be possible to add an example in the interface-name section of
the dnsmasq.conf man page, as IMHO the current content is not very easy
to understand?

Best regards

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss



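An example of the interface-name option, added here because the thread asks for one; it is not taken from dnsmasq.conf.example or from the man page, and the host names and the interface (eth0) are assumptions. The syntax is the documented --interface-name=<name>,<interface>[/4|/6] form: the name resolves to the primary address of the named interface, and a /4 or /6 suffix restricts the answer to one address family.

```conf
# Added example, not from the dnsmasq sources. Names and interface are assumed.
# Serve the primary IPv4 and IPv6 addresses of eth0 under one name
# (answers A and AAAA queries for gateway.lan):
interface-name=gateway.lan,eth0
# Restrict to a single address family with the /4 or /6 suffix:
interface-name=gateway4.lan,eth0/4
interface-name=gateway6.lan,eth0/6
```

After restarting dnsmasq, check what is actually served with `dig @127.0.0.1 gateway.lan A` and `dig @127.0.0.1 gateway.lan AAAA`; the /4 and /6 variants should each return only one record type.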


Re: [Dnsmasq-discuss] State of blocking type=65 requests?

2023-03-16 Thread Petr Menšík
I do not like attempts to filter out valid queries from clients on the 
side of the DNS cache. It should cache the HTTPS type, which it currently 
does not. That makes those kinds of queries much more expensive.


I think it should be fixed on the side of clients instead. If they ask 
for all addresses, just give them when they do exist. If the network is 
very expensive (can you be more concrete about the type of connection?) then 
find a way to tell clients what it does provide (and what it does not). 
It does not provide IPv6? Well, then clients should not ask for it 
without a reason. They also have to be special on such an expensive 
network, haven't they? I expect they have to be tuned somehow to avoid 
unnecessary network communication anyway.


What is a good response for an AAAA record, which may exist, but we pretend 
it does not? NODATA or REFUSED? All similar quirks break DNSSEC 
deployment. Would you want also the EDNS0 extension stripped from forwarded 
queries? Or at least reset the DO bit to 0 always? I would prefer if it 
could return REFUSED to queries it does not want to forward. Faking 
empty responses is a poor man's choice just to dodge assumptions on 
multiple sides. But if it does not want to forward something, I think 
REFUSED would be the correct response. It would also solve the problem of deciding 
whether to send NOERROR or NXDOMAIN. And it would cause no forwarded 
queries of unwanted types.


If it would work the same way as faking empty responses, I would vote 
for --reject-rrset=https instead of --filter-rrset=https. AAAA would be 
probably more difficult, because getaddrinfo(AF_UNSPEC) implementations 
may not handle REFUSED on just one of two queries well. But if browsers 
doing HTTPS would handle it better, please try that first. I admit I 
haven't tried. But HTTPS should not have similar legacy problems, it may 
work better.


Regards,
Petr

On 06. 03. 23 23:36, Ed W wrote:

Hi, can I get a leg up in understanding the options for blocking DNS queries 
for a specific resource type, specifically type 65 queries?

I see there was a patch to implement a "filter-http" option here:

     https://github.com/rozahp/dnsmasq

It possibly seems like there is a filter-AAAA implemented in dnsmasq already, 
so I wonder if there is appetite for the filter-http to also be accepted?


My motivation for needing this is that we operate a firewalling system for a 
very bandwidth constrained system (even DNS is extremely expensive) and we 
operate a 'blocked unless whitelisted' firewalling system. The type 65 queries 
are currently inhibiting some of the whitelisting capability. Whilst we can 
potentially improve things, the short term solution would be to block type 65.

I see that there is an option in pi-hole, but I'm looking for an option within 
dnsmasq, ideally without maintaining my own out of tree patch.


Have I missed a solution that is possible within vanilla dnsmasq?

Has the idea to implement a filter-http option been rejected already? (I'm 
happy to send a patch if not?)


Thanks

Ed W




--
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB




[Dnsmasq-discuss] [PATCH] Report filtered A or AAAA records via EDE code

2023-03-16 Thread Petr Menšík

Hi!

I have raised the filtering topic on the DNS-OARC chat. One of the proposals was to 
mark at least filtered records by EDE status, which current dnsmasq 
supports already. I like it. We create a fake answer when the --filter-A or 
--filter-AAAA option is used. It should be marked somehow.


There is also a proposal for more verbose error and contact information 
[1], but at least marking the response as somehow synthesized is a good 
start. I attached a change to rrfilter to report the number of modified 
records. Then it marks any filtered response with the Filtered EDE code. I 
expect the same should be possible for any other record type filtered, 
except EDNS0 and DNSSEC records.


Credit for the idea goes to Vladimír Čunát. It might allow a potential 
DNSSEC validator to not emit SERVFAIL on a bogus answer we made, if it 
would trust our response for any reason.


What do you think?

By the way, maybe we should also strip the RRSIG for those records if 
present. It looks like a bug to me. But it would not make validating 
resolvers more happy anyway.


; <<>> DiG 9.18.12 <<>> -4 @localhost -p 2053 example.org a +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21029
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1220
; COOKIE: b2ad85a9275d948e02176a79641381dce6990a257f089ec5 (good)
; EDE: 17 (Filtered)
;; QUESTION SECTION:
;example.org.            IN    A

;; ANSWER SECTION:
example.org.        32748    IN    RRSIG    A 8 2 86400 20230323193411 
20230302075235 43798 example.org. 
QwrK73kR5vStRzG6IPOpYU2exzSIOatl1p8DffKi4PP2Ig8yAL43AhVu 
2bsA0I0EFINH3xvF2IiM7eyR/fMm8rfeAsG1pokOFOOhlYQQHhglgfu6 
mgNJnFrHUs3M+JNBNyAay42aSSDt5gXcvk77nx32uWv40pfknU7wH2Xc rP4=


[1] https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/

--
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

From acb66a570a5e338a79160a8dd2b9e072ab8c5a81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= 
Date: Thu, 16 Mar 2023 21:15:40 +0100
Subject: [PATCH] Report number of modified records from rrfilter()

Set EDE_FILTERED when filter-A or filter-AAAA caused some change. Pass
the length value by pointer instead of returning its new value. It was
assigned into the same variable in all uses anyway.
---
 src/dnsmasq.h  |  2 +-
 src/edns0.c|  2 +-
 src/forward.c  | 12 
 src/rrfilter.c | 46 --
 4 files changed, 34 insertions(+), 28 deletions(-)

diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index fe9aa07..92cc291 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1811,7 +1811,7 @@ void poll_listen(int fd, short event);
 int do_poll(int timeout);
 
 /* rrfilter.c */
-size_t rrfilter(struct dns_header *header, size_t plen, int mode);
+size_t rrfilter(struct dns_header *header, size_t *plen, int mode);
 u16 *rrfilter_desc(int type);
 int expand_workspace(unsigned char ***wkspc, int *szp, int new);
 /* modes. */
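Review bot: the new prototype silently flips the meaning of the return value from "new packet length" to "number of records removed", and neither the name rrfilter() nor the header says so; add a one-line comment above the declaration, e.g. `/* strip RRs selected by mode; updates *plen, returns the count removed */`, so that a caller still written against the old contract (`n = rrfilter(header, n, ...)`) is caught in review instead of assigning a record count to a length.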
diff --git a/src/edns0.c b/src/edns0.c
index c498eb1..567101b 100644
--- a/src/edns0.c
+++ b/src/edns0.c
@@ -178,7 +178,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
 	memcpy(buff, datap, rdlen);	  
 	  
 	  /* now, delete OPT RR */
-	  plen = rrfilter(header, plen, RRFILTER_EDNS0);
+	  rrfilter(header, &plen, RRFILTER_EDNS0);
 	  
 	  /* Now, force addition of a new one */
 	  p = NULL;	  
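Review bot: the removed-record count is dropped here and the length now comes back through `&plen`; that is correct, since plen is the value add_pseudoheader() goes on to use after the OPT RR is deleted, but a `(void)rrfilter(header, &plen, RRFILTER_EDNS0);` would make the intentional discard explicit to readers who have just seen the return type change its meaning.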
diff --git a/src/forward.c b/src/forward.c
index 0f03818..b95aa80 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -721,7 +721,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 	  if (added_pheader)
 	{
 	  /* client didn't send EDNS0, we added one, strip it off before returning answer. */
-	  n = rrfilter(header, n, RRFILTER_EDNS0);
+	  rrfilter(header, &n, RRFILTER_EDNS0);
 	  pheader = NULL;
 	}
 	  else
@@ -814,11 +814,15 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
   /* Before extract_addresses() */
   if (rcode == NOERROR)
 	{
+	  size_t modified = 0;
 	  if (option_bool(OPT_FILTER_A))
-	n = rrfilter(header, n, RRFILTER_A);
+	modified = rrfilter(header, &n, RRFILTER_A);
 
 	  if (option_bool(OPT_FILTER_))
-	n = rrfilter(header, n, RRFILTER_);
+	modified += rrfilter(header, &n, RRFILTER_);
+
+	  if (modified > 0)
+	ede = EDE_FILTERED;
 	}
 
   switch (extract_addresses(header, n, daemon->namebuff, now, ipsets, nftsets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
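Review bot: `ede = EDE_FILTERED` is assigned unconditionally whenever `modified > 0`, so it overwrites any EDE value process_reply() may already have chosen for this reply earlier in the function; confirm that no earlier assignment to `ede` needs to take precedence, or guard the assignment on `ede` still holding its initial value. Separately, the dig output in the covering message shows the RRSIG covering the removed A record still being returned with --filter-A, so the `modified` count (and the filtering it reports on) does not yet include the orphaned RRSIG; dropping RRSIGs whose type-covered field matches the filtered type in the same rrfilter() pass would make the Filtered marker describe the whole change that was made to the answer.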
@@ -860,7 +864,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
   
   /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
   if (!do_bit)
-	n = rrfilter(header, n, RRFILTER_DNSSEC);
+	rrfilter(header, &n, RRFILTER_DNSSEC);
 }
 #endif
 
diff --git a/src/rr
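
The two behaviours argued over in these threads, dropping a record type from a reply and marking it with EDE 17 (Filtered) as the patch does, versus answering REFUSED instead of forwarding as Petr proposes, in one runnable illustration. This is an added example and not code from dnsmasq or from any message on this page: a small pure-Python DNS wire-format parser and builder, a filter that strips one RR type from the answer section together with the RRSIG covering it (the orphaned RRSIG visible in the dig output above) and appends the RFC 8914 Extended DNS Error option with info-code 17, and the REFUSED alternative beside it. The query and upstream response are constructed for the example, with an RFC 5737 documentation address and dummy RRSIG bytes; nothing here is a capture.

```python
import struct

OPT, EDE_OPTION, EDE_FILTERED, RCODE_REFUSED = 41, 15, 17, 5  # RFC 6891 OPT; RFC 8914 option 15, code 17 "Filtered"
A, AAAA, RRSIG, IN = 1, 28, 46, 1

def encode_name(name):
    """Wire-encode a dotted name, uncompressed."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode the name at `off`, following RFC 1035 compression pointers; returns (name, next offset)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + n].decode())
        off += n

def parse(msg):
    """Split a DNS message into header fields, questions and the three RR sections."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, rrs = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrs.append(dict(name=name, type=rtype, cls=rclass, ttl=ttl, rdata=msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return dict(id=ident, flags=flags, q=questions, an=rrs[:an], ns=rrs[an:an + ns], ar=rrs[an + ns:])

def build(m):
    """Serialise the structure returned by parse(); names are written uncompressed."""
    out = struct.pack("!6H", m["id"], m["flags"], len(m["q"]), len(m["an"]), len(m["ns"]), len(m["ar"]))
    for name, qtype, qclass in m["q"]:
        out += encode_name(name) + struct.pack("!HH", qtype, qclass)
    for rr in m["an"] + m["ns"] + m["ar"]:
        out += encode_name(rr["name"]) + struct.pack("!HHIH", rr["type"], rr["cls"], rr["ttl"], len(rr["rdata"])) + rr["rdata"]
    return out

def ede_codes(msg):
    """List the EDE info-codes carried in the OPT RR, if any."""
    codes = []
    for rr in parse(msg)["ar"]:
        data, off = rr["rdata"], 0
        while rr["type"] == OPT and off + 4 <= len(data):
            code, length = struct.unpack("!HH", data[off:off + 4])
            if code == EDE_OPTION and length >= 2:
                codes.append(struct.unpack("!H", data[off + 4:off + 6])[0])
            off += 4 + length
    return codes

def filter_rrtype(msg, rrtype):
    """Drop answer RRs of `rrtype` and the RRSIGs covering them, then mark the reply
    with EDE 17 (Filtered) as the patch does. Returns (message, number of RRs removed)."""
    m = parse(msg)
    def unwanted(rr):
        covers = rr["type"] == RRSIG and struct.unpack("!H", rr["rdata"][:2])[0] == rrtype
        return rr["type"] == rrtype or covers
    kept = [rr for rr in m["an"] if not unwanted(rr)]
    removed = len(m["an"]) - len(kept)
    m["an"] = kept
    opts = [rr for rr in m["ar"] if rr["type"] == OPT]
    if removed and opts:  # EDE rides in EDNS0: a client that sent no OPT RR cannot be told
        opts[0]["rdata"] += struct.pack("!HHH", EDE_OPTION, 2, EDE_FILTERED)  # empty EXTRA-TEXT
    return build(m), removed

def reject(query):
    """The alternative argued for in the thread: REFUSED with an empty answer section, OPT echoed."""
    m = parse(query)
    m["flags"] = 0x8080 | (m["flags"] & 0x0100) | RCODE_REFUSED  # QR=1, RA=1, copy RD, RCODE=5
    m["an"], m["ns"] = [], []
    m["ar"] = [rr for rr in m["ar"] if rr["type"] == OPT]
    return build(m)

# Constructed sample traffic (not a capture): example.org A with EDNS0 and the DO bit set.
def sample_query():
    opt = dict(name=".", type=OPT, cls=1232, ttl=0x8000, rdata=b"")  # OPT: class = UDP size, ttl = DO flag
    return build(dict(id=0x1234, flags=0x0100, q=[("example.org.", A, IN)], an=[], ns=[], ar=[opt]))

def sample_upstream_response():
    a = dict(name="example.org.", type=A, cls=IN, ttl=300, rdata=bytes([192, 0, 2, 1]))  # RFC 5737 address
    sig = struct.pack("!HBBIIIH", A, 8, 2, 300, 1679600000, 1677700000, 43798) + encode_name("example.org.") + b"\x5a" * 16
    rrsig = dict(name="example.org.", type=RRSIG, cls=IN, ttl=300, rdata=sig)  # dummy signature bytes
    opt = dict(name=".", type=OPT, cls=1232, ttl=0x8000, rdata=b"")
    return build(dict(id=0x1234, flags=0x8180, q=[("example.org.", A, IN)], an=[a, rrsig], ns=[], ar=[opt]))

if __name__ == "__main__":
    filtered, n = filter_rrtype(sample_upstream_response(), A)
    print("removed:", n, "EDE codes:", ede_codes(filtered), "REFUSED rcode:", parse(reject(sample_query()))["flags"] & 0xF)
```

Two points the code makes concrete. The EDE option can only be attached when the client's own OPT RR is present, so a client without EDNS0 receives the synthesized answer with no marker at all, which is one reason the REFUSED path is attractive: an RCODE needs no EDNS. And removing the RRSIG together with the A record keeps the filtered reply from presenting a signature over data that is no longer there, although, as Petr says, a validating resolver will still not accept the result.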

[Dnsmasq-discuss] Picking up the patches

2023-03-16 Thread Geert Stappers


Hi,

How can I help that patches get the attention that they deserve?


Groeten
Geert Stappers


On Wed, Mar 08, 2023 at 03:38:02PM +, Simon Kelley wrote:
> On 07/03/2023 23:20, Clayton Craft wrote:
> > On Thu, 23 Feb 2023 21:40:10 -0800 Clayton Craft wrote:
> > > On Fri, 10 Feb 2023 13:53:05 -0800 Clayton Craft wrote:
> > > 
> > > Any chance this could get merged? Being able to set filters at runtime is 
> > > very
> > > useful for multi-homed phones and other devices in cases where we need to
> > > restrict DNS response answers based on IP protocol.
> > > 
> > > Please let me know if I need to make changes so that it is acceptable.
> > 
> > Is this patch something that could be accepted?
> > 
> 
> Apologies for ignoring you. Patch looks fine. Applied to git repo.
> 
> 
> Cheers,
> Simon.

-- 
Silence is hard to parse
