Re: [Dnsmasq-discuss] [PATCH] Two small fixes

2021-09-29 Thread Dominik Derigs
Hey Petr,

On Wed, 2021-09-29 at 22:48 +0200, Petr Menšík wrote:
> Source based response rules are in general cache unfriendly. What do you
> need it for? Is the dnsmasq instance always the only source for name
> resolution?

We add many features on top of dnsmasq. One example is our support for
blocking lists with (dozens of) millions of domains still fitting into a
few megabytes of memory. We use a B-tree for this, as there is no need to
know the full name if you have other means to know you have an exact match.
Another example is regular expressions for all sorts of things like
blocking, enforcing specific replies (not only A/AAAA but also
NXDOMAIN/NODATA/REFUSED). And there is more.

You may not want to apply the same rules to all devices so you can group
them together and then associate clients to these groups. Group selectors
can be IP addresses, MAC addresses, hostnames or the interface a query
arrived on (for easy, say, VPN/WiFi/ethernet rules).
In the latter case, we need to know the label.

If it turns out keeping/using label is out of scope for dnsmasq, I will add
the label variable myself into our local dnsmasq fork. One thing that is
important to us, however, is to keep the difference between our fork and
dnsmasq minimal. Even with all the stuff we do on top, the diff between our
fork and the main project is less than 100 lines and the vast majority of
patches to this mailing list applies cleanly right away.

Best,
Dominik


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] DNS from dhcp-host while client is offline

2021-10-04 Thread Dominik Derigs
Hey Petr,

On Mon, 2021-10-04 at 11:45 +0200, Petr Menšík wrote:
> Perhaps a flag could be added to dhcp-range, requesting also
> addition of dhcp-hosts to static dns.

Maybe this flag would better be set on --dhcp-host and --dhcp-
hostsfile if this is used? This would feel more "natural" to me.

Initially, I myself found it an odd behavior to serve only DHCP
host names that are known to be "alive". I do see some value in
not serving A records when we know the server is offline;
however, the very same happens on the Internet all the time: no
DNS server I'm aware of checks if an A record is reachable before
giving you the reply.

I've seen other systems using dnsmasq (it may or may not have
been DD-WRT, no promises!) that created two files from static
leases: a dhcp-hostsfile and an addn-hosts file. Having an option
to make the latter obsolete sounds like a good idea.

Best,
Dominik




[Dnsmasq-discuss] Latest master may not compile

2021-10-07 Thread Dominik Derigs
Hey Simon,

ad32ca18a753c264bb702e2b6f19e2d7f1de1612 added 

> +#if defined(HAVE_IDN) || defined(HAVE_LIBIDN2) ||
> defined(LOCALEDIR)
> +#include 
> +#endif

above 

> #include "dnsmasq.h"

However, many projects (incl. ours) define the compile-time
options in config.h, which is sourced through dnsmasq.h.

dnsmasq cannot be compiled within these projects.
The attached patch fixes this.

Best,
Dominik
From 776cdcdad6c8164593804d2b0a3f063923385e7e Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Thu, 7 Oct 2021 09:30:31 +0200
Subject: [PATCH] dnsmasq.h has to be included first as it sources config.h

Signed-off-by: DL6ER 
---
 src/dnsmasq.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index d3f2c13..2fe9808 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -17,10 +17,12 @@
 /* Declare static char *compiler_opts  in config.h */
 #define DNSMASQ_COMPILE_OPTS
 
+/* dnsmasq.h has to be included first as it sources config.h */
+#include "dnsmasq.h"
+
 #if defined(HAVE_IDN) || defined(HAVE_LIBIDN2) || defined(LOCALEDIR)
 #include 
 #endif
-#include "dnsmasq.h"
 
 struct daemon *daemon;
 
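Review bot: the reorder is only needed when HAVE_IDN, HAVE_LIBIDN2 or LOCALEDIR are defined in config.h rather than passed on the compiler command line (as the cover mail explains for projects that embed dnsmasq), and the new comment should say that explicitly, e.g. `/* dnsmasq.h includes config.h; the feature guards below depend on it */`, so the ordering is not undone by a later tidy-up. It is also worth checking whether dnsmasq.h itself already pulls in this header under the same guards, in which case the `#if defined(...)` block here becomes redundant and could be dropped instead of moved.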
-- 
2.25.1



Re: [Dnsmasq-discuss] config error is REFUSED (EDE: not ready) since v2.86

2021-09-22 Thread Dominik Derigs
Hey Jean-Philippe,

The config is different in your two tries, but I guess this is
just a typo.

> --address='/#/127.0.1'

> --address='/#/127.0.0.1'

Anyway, I repeated your test on latest master and it is still
showing the same as v2.86.

On Wed, 2021-09-22 at 12:29 +0200, Jean-Philippe Lambert wrote:
> Is this a bug

I guess so and it is likely linked to

On Wed, 2021-09-22 at 12:29 +0200, Jean-Philippe Lambert wrote:
> dnsmasq: warning: no upstream servers configured

Best,
Dominik




Re: [Dnsmasq-discuss] REFUSED after dropped packets

2021-09-21 Thread Dominik Derigs
Hey Simon and Johannes,

I'm pretty sure I've seen

On Mon, 2021-09-20 at 23:16 +0100, Simon Kelley wrote:
> config error is REFUSED

when dnsmasq used up all upstream servers, i.e., all of them are
considered to be broken. In Johannes' case dnsmasq manages to send
queries upstream but never receives a reply and hence considers all
of them dead.

Best,
Dominik




Re: [Dnsmasq-discuss] DNS from dhcp-host while client is offline

2021-10-05 Thread Dominik Derigs
Hey Michael,

On Tue, 2021-10-05 at 05:43 -0700, Michael wrote:
> Maybe I am misunderstanding the issue, but dnsmasq already give
> the ability that is being asked for I believe.

if you go back one mail earlier than my last mail, you'd see that
we're discussing specifically not needing two independent files
but serving DHCP and DNS from a single source of knowledge.

Best,
Dominik




[Dnsmasq-discuss] [PATCH] --local is broken

2021-10-05 Thread Dominik Derigs
Hey Simon,

Since commit "Fix --address=/#/.. which was lost in 2.86"
(26bbf5a314d833beaf0f147d24409969f05f3dba) --local being a
synonym for --server is broken, as --local became a synonym for
--address.

The attached patch fixes this.

This was reported on the Pi-hole forums:

> I have local=/fritz.box/192.168.0.1 in my /etc/dnsmasq.d/02-
> localdns.conf config file. This worked fine until upgrading
> pihole last night. Now all queries to FQDNs such as google.com
> get responded with google.com.fritz.box and ip address
> 192.186.0.1.
> 
> Changing the line to server=/fritz.box/192.168.0.1 restores the
> previous handling. However, according to the dnsmasq manpage
> "--local is a synonym for --server to make configuration files
> clearer in this case."

Best,
Dominik
From 57461836c48deda17c468ae3c2033d0cc3dc34ec Mon Sep 17 00:00:00 2001
From: DL6ER 
Date: Tue, 5 Oct 2021 10:15:21 +0200
Subject: [PATCH] --local should behave as --server, not as --address according
 to the man page

Signed-off-by: DL6ER 
---
 src/option.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/option.c b/src/option.c
index 5307f01..dc1efd3 100644
--- a/src/option.c
+++ b/src/option.c
@@ -2758,7 +2758,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	
 	if (!arg || !*arg)
 	  flags = SERV_LITERAL_ADDRESS;
-	else if (option != 'S')
+	else if (option == 'A')
 	  {
 	/* # as literal address means return zero address for 4 and 6 */
 	if (strcmp(arg, "#") == 0)
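Review bot: `option != 'S'` becomes `option == 'A'`, which is correct for --local only if every other option code that shares this case is meant to behave like --server; the commit message should list those codes so the reader can confirm nothing else silently moved out of the --address branch. A regression check from the Pi-hole report belongs in the test suite or the commit message: with `local=/fritz.box/192.168.0.1`, a query for google.com must be forwarded upstream rather than answered with the fritz.box address.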
@@ -2790,7 +2790,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 		  flags &= ~SERV_FOR_NODOTS;
 
 		/* address=/#/ matches the same as without domain */
-		if (option != 'S' && domain[0] == '#' && domain[1] == 0)
+		if (option == 'A' && domain[0] == '#' && domain[1] == 0)
 		  domain[0] = 0;
 	  }
 	
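Review bot: this is the same inversion as in the previous hunk and is needed for the same reason, but its effect is broader than --local: `--server=/#/...` and `--local=/#/...` no longer get the `#` domain rewritten to the empty domain, since only option 'A' does that now. Check that the man page documents the `/#/` shorthand for --address only; if it is also documented for --server, the `option == 'A'` test is too narrow and a dedicated test for the --local option code would be safer than piggy-backing on 'A'.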
-- 
2.25.1



Re: [Dnsmasq-discuss] unittests

2021-10-05 Thread Dominik Derigs
Hey Petr and others,

On Tue, 2021-10-05 at 17:13 +0200, Petr Menšík wrote:
> It would be beneficial to have also behavior tests.

it may be the time to mention that we do exactly this for Pi-hole
FTL which embeds the full dnsmasq for the DNS part. On every
commit, a virtual machine is started which firstly compiles our
project (including dnsmasq) and secondly runs it with standard
parameters and starts a full test bench with more than a hundred
individual tests. While the majority of tests are for extensions
we made to dnsmasq (regular expressions, database integration,
CNAME inspection, etc), we also have some standard DNS tests
sending some A, AAAA, PTR, CNAME, SRV, SOA, ANY, TXT, NAPTR, MX,
DS, RRSIG, etc. queries to specific domains and checking the
answers. We then also check the logs and if anything is still
working.

For instance, our tests complained when merging my patch adding
all the known DNS RR types because "query[type=5]" changes to
"query[CNAME]". This was not a bug but you see the tests have
noticed it.

Even when this isn't directly applicable to the dnsmasq core
project, it is still something that tests dnsmasq, even when
embedded in another project. There is no unittest library
whatsoever involved. The tests simply run on a compiled binary.

You can find everything here if you're curious:
https://github.com/pi-hole/FTL/tree/master/test

Best,
Dominik




Re: [Dnsmasq-discuss] Internal error in cache

2021-12-19 Thread Dominik Derigs
Hey Hartmut,

> I'm using dnsmasq on OpenWrt. Since update dnsmasq from
> 
> commit  51d56df7a3a125e117b3278cab16281c85500287
> Add RFC 4833 DHCP options "posix-timezone" and "tzdb-timezone".
> 
> to
> 
> commit  4ac517e4ac19eca65910c145868914587ea46b3b
> Fix coverity issues in dnssec.c
> 
> I get the following error message:
> 
> Sun Dec 19 12:22:25 2021 daemon.err dnsmasq[3321]: Internal
> error in cache.

This is a somewhat concerning warning and points to a bug in the
cache. I'm not very familiar with OpenWrt, can you pick any
individual commit or are you limited to specific ones? In the
former case, would you be willing to test a few more commits in
between them? This would allow us to isolate the cause to the
commit introducing the error.

> This occurs ~12 hours after booting the router.

This suggests maybe a correlation with a domain that is requested
early and has a TTL of 12 hours (entirely hypothetical at this
point).

> Currently I'm using this version:
> 
> commit  1176cd58c90fc37bf98a6f774b26fc1adc8fd8e9
> Fix regression in --rebind-domain-ok in 2.86

Does it show the error? I guess the answer is yes as this is the
most recent commit.

Best,
Dominik




Re: [Dnsmasq-discuss] The filterwin2k option will make the dig command fail to query SOA.

2022-01-01 Thread Dominik Derigs
Hey Andreas,

On Sat, 2022-01-01 at 16:27 +0100, Andreas Metzler wrote:
> The manpage says "The requests blocked are for records [...]
> where the requested name has underscores". The test-query shown
> above is not for a name with underscores. So, afaict not working
> as documented.

you have removed relevant parts when quoting, which changed the
meaning. The man page says

> The requests blocked are for records of types SOA and SRV, and
> type ANY where the requested name has underscores, to catch LDAP
> requests.

where two parts are mentioned:

> records of types SOA and SRV,

and

> and type ANY where the requested name has underscores

I just checked the code. This is exactly what happens:

SOA and SRV are always blocked, ANY only with underscores. To me,
this seems clear from the man text because of the first "and"
exclusively connecting SOA and SRV, with ANY + underscores
following thereafter. I see the man page wording could be
improved.

Happy New Year!

Best,
Dominik




Re: [Dnsmasq-discuss] reducing DNS packet size for nameserver 127.0.0.1 to 1280

2022-01-04 Thread Dominik Derigs
Hey Justin,

On Tue, 2022-01-04 at 17:34 +0800, Justin wrote:
> Recently i see lots of logs in dnsmasq:
> reducing DNS packet size for nameserver 127.0.0.1 to 1280
> almost one per minute
> 
> my conf:
> [...]
> server=127.0.0.1#5353

once per minute sounds like this is happening all the time
(dnsmasq doesn't warn for one minute if it happened once).

You should either increase the EDNS buffer size on the server
running at 127.0.0.1#5353 or add the config line

edns-packet-max=1280

to your config to adhere to the limit.

Furthermore, what server is running on port 5353 of your machine?

I suggest reading this discussion, Pi-hole runs dnsmasq at its
heart and everything is directly applicable to your situation:

https://discourse.pi-hole.net/t/dnsmasq-warn-reducing-dns-packet-size/51803

Maximum packet sizes for some commonly used servers are here:

https://discourse.pi-hole.net/t/dnsmasq-warn-reducing-dns-packet-size/51803/31

Best,
Dominik
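The warning quoted above is about the EDNS0 UDP buffer size dnsmasq advertises to that one upstream. As an added illustration (not dnsmasq code and not part of the original post), the Python below builds a query that advertises a chosen payload size and reads back the size an upstream advertises in its OPT record; the reply bytes are constructed inline so it runs offline. Sending `build_query(...)` over UDP to the server on 127.0.0.1:5353 and passing the datagram that comes back to `edns_payload_size()` shows what that server actually announces, which is the number `edns-packet-max` has to stay at or below.

```python
import struct
from typing import Optional


def _encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, udp_payload: Optional[int] = 1232,
                qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS query; when udp_payload is given, append an EDNS0 OPT RR
    advertising that UDP buffer size (RFC 6891). udp_payload=None means no EDNS."""
    arcount = 0 if udp_payload is None else 1
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1, one question
    question = _encode_name(name) + struct.pack(">HH", qtype, 1)     # QTYPE, QCLASS=IN
    if udp_payload is None:
        return header + question
    # OPT RR: owner is the root name, TYPE=41, the CLASS field carries the
    # requestor's UDP payload size, TTL carries ext-RCODE/version/flags, RDLENGTH=0.
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def edns_payload_size(msg: bytes) -> Optional[int]:
    """Return the UDP payload size advertised by the OPT RR in msg, or None without EDNS0."""
    qdcount, ancount, nscount, arcount = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4             # QNAME, then QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass                          # for OPT the CLASS field is the payload size
        off += 10 + rdlen
    return None


def make_sample_reply(advertised: int, txid: int = 0x1234) -> bytes:
    """Constructed reply, not captured traffic: example.com A 93.184.216.34 plus an
    OPT RR advertising the given size, the way an upstream answers build_query()."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 1)    # QR=1 RD=1 RA=1, NOERROR
    question = _encode_name("example.com") + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    opt = b"\x00" + struct.pack(">HHIH", 41, advertised, 0, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    # Offline demonstration; to probe a real upstream, send build_query() to it over
    # UDP (e.g. 127.0.0.1:5353) and pass the datagram you get back to edns_payload_size().
    print("we advertise:", edns_payload_size(build_query("example.com", 4096)))
    print("upstream advertises:", edns_payload_size(make_sample_reply(1232)))
```

The OPT record is the only place the number is carried, so comparing the two values is the whole check: if the upstream's advertised size is smaller than dnsmasq's own maximum, either raise it on the upstream or lower `edns-packet-max` as the reply suggests.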




Re: [Dnsmasq-discuss] [PATCH] Two small fixes

2021-11-19 Thread Dominik Derigs
Hey Petr,

while Simon is still away, we can discuss this a little further.

On Wed, 2021-09-29 at 22:48 +0200, Petr Menšík wrote:
> If no --bind-interface is given, iface->name pointing to eth0
> rather
> than eth0:0 is correct. Alias is useful only for reading of the
> address
> from the interface name. Otherwise it works as the interface
> itself.
> Thas was reason behind warn_bound_listeners creation. When
> incoming
> packet is checked for acceptance, it is compared to primary
> interface
> identified by ifindex. I think we may even remove name from
> struct irec
> and get the name on few places it needs to be printed. It makes
> debugging more comfortable, but is not required anyway.

I checked once again why I created the patch initially and found
the following bug/misbehavior (whatever you wanna call it):

The real interface is eth0; an alias is created as eth0:0.

1. Config --interface=eth0
Queries on eth0 and eth0:0 are accepted because dnsmasq only
compares the physical interface name string.

2. Config --interface=eth0:0
Queries on eth0 and eth0:0 are rejected (at first!) because of
the physical interface's name mismatch. But there is another
check, label_exception(), that does said iteration and would lead
to accepting the eth0:0 query. The eth0 query is correctly
rejected.

In an ideal world, we should also reject the eth0:0 query when
configured with "--interface=eth0". It can rather easily be done
by comparing the configured interface's IP addresses instead of
the name strings (or ifindex).
When doing this, warn_wild_listeners() can be dropped
altogether as the strange behavior we used to warn about is
fixed.

I addressed this in the attached patch and would appreciate if
you could take a look (I don't want to break any other features).

The patch isn't highly optimized but prepared for readability.

Best,
Dominik
From 763f46948844eab25859e7ab72816733be3e533c Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Fri, 19 Nov 2021 10:59:25 +0100
Subject: [PATCH] Don't accept queries arriving on alias interface if configured
 not to do this.

Signed-off-by: DL6ER 
---
 src/dnsmasq.c |  2 --
 src/dnsmasq.h |  3 +--
 src/forward.c | 16 +++-
 src/network.c | 13 ++---
 src/tftp.c| 11 ++-
 5 files changed, 20 insertions(+), 25 deletions(-)

diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 2fe9808..b3c8d54 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -945,8 +945,6 @@ int main (int argc, char **argv)
 
   if (option_bool(OPT_NOWILD))
 warn_bound_listeners();
-  else if (!option_bool(OPT_CLEVERBIND))
-warn_wild_labels();
 
   warn_int_names();
   
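Review bot: dropping the warn_wild_labels() call removes the only diagnostic telling an administrator that the alias named in --interface is not what dnsmasq actually bound; combined with the forward.c change, a query arriving on eth0:0 under `--interface=eth0` is now discarded silently. Keep a one-time log line, either at startup or the first time such a query is rejected, and note the behaviour change for aliases in the man page entry for --interface.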
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index bf7685d..4aff343 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1449,12 +1449,11 @@ int enumerate_interfaces(int reset);
 void create_wildcard_listeners(void);
 void create_bound_listeners(int dienow);
 void warn_bound_listeners(void);
-void warn_wild_labels(void);
 void warn_int_names(void);
 int is_dad_listeners(void);
 int iface_check(int family, union all_addr *addr, char *name, int *auth);
 int loopback_exception(int fd, int family, union all_addr *addr, char *name);
-int label_exception(int index, int family, union all_addr *addr);
+int label_match(int index, int family, union all_addr *addr);
 int fix_fd(int fd);
 int tcp_interface(int fd, int af);
 int set_ipv6pktinfo(int fd);
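Review bot: label_match() returns three distinct values (0, 1 and 2 per the comments in the forward.c hunk) but the prototype does not say so; document the return values at the declaration or introduce an enum, since every caller, including the tftp.c changes listed in the diffstat but cut off in this mail, has to treat 2 differently from 1. Removing the warn_wild_labels() prototype is fine only if the definition in network.c goes too; that hunk is truncated here.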
diff --git a/src/forward.c b/src/forward.c
index 04635b3..b1d03e6 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -1484,12 +1484,18 @@ void receive_query(struct listener *listen, time_t now)
   if (!indextoname(listen->fd, if_index, ifr.ifr_name))
 	return;
   
-  if (!iface_check(family, _addr, ifr.ifr_name, _dns))
+  if (!option_bool(OPT_CLEVERBIND))
+	enumerate_interfaces(0);
+  /* interface=eth0   and query over eth0   -> ifchk = 1, label = 1 - ACCEPTED */
+  /* interface=eth0   and query over eth0:0 -> ifchk = 1, label = 0 - REJECTED */
+  /* interface=eth0:0 and query over eth0:0 -> ifchk = 0, label = 1 - ACCEPTED */
+  /* interface=eth0:0 and query over eth0:0 -> ifchk = 0, label = 0 - REJECTED */
+  /* If the interace is not IPv4, label_match return 2 and we use iface_check */
+  const int label = label_match(if_index, family, _addr);
+  const int ifchk = iface_check(family, _addr, ifr.ifr_name, _dns);
+  if (label == 0 || (label == 2 && !ifchk))
 	{
-	   if (!option_bool(OPT_CLEVERBIND))
-	 enumerate_interfaces(0); 
-	   if (!loopback_exception(listen->fd, family, _addr, ifr.ifr_name) &&
-	   !label_exception(if_index, family, _addr))
+	   if (!loopback_exception(listen->fd, family, _addr, ifr.ifr_name))
 	 return;
 	}
 
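Review bot: enumerate_interfaces(0) is now executed for every received query whenever --bind-dynamic is not set, whereas before it ran only on the rejection path; that is a full interface enumeration per query and should stay on the failure path or be rate-limited. The decision table in the comments lists `interface=eth0:0 and query over eth0:0` twice; the fourth line is presumably `query over eth0`, which is the case the patch is meant to reject, so fix the comment. Also, when label_match() returns 1 the iface_check() result is ignored, so its auth_dns out-parameter is the only thing still taken from it; confirm that is intended.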
diff --git a/src/network.c b/src/network.c
index 3c1c176..b930553 100644
--- a/src/network.c
+++ b/src/network.c
@@ -207,13 +207,13 @@ int loopback_exception(int fd, int family, union all_ad

Re: [Dnsmasq-discuss] CNAME responses are not processed through address=/ ... / filter

2021-11-25 Thread Dominik Derigs
Hey Alex,

On Thu, 2021-11-25 at 11:05 -0600, Alex Rainchik wrote:
> Not sure if it’s a bug or feature request :)

The latter. The observed behavior is expected.

Note that dnsmasq is a DNS *forwarder* equipped with a local
cache. It is not a *recursive* server. Dnsmasq has to forward
queries where no local answers exist to upstream DNS servers and
relies on external recursion.

On Thu, 2021-11-25 at 11:05 -0600, Alex Rainchik wrote:
> Expected behavior would be for setup.icloud.com query to get
> "10.10.10.10" response, same as for setup.fe.apple-dns.net.
> Because setup.icloud.com is a CNAME pointing to setup.fe.apple-
> dns.net

As Geert already mentioned, dnsmasq is neither meant nor designed
to post-process replies from upstream DNS servers.

Best,
Dominik




Re: [Dnsmasq-discuss] localise-queries on ipv6 server does not work with ipv4-only hosts

2021-07-16 Thread Dominik DL6ER
Hey,

On Fri, 2021-07-16 at 02:22 +0200, f...@gmx.de wrote:
> If i ask dnsmasq BY ipv6, ALL A records are returned (there is no AAAA)

man dnsmasq explicitly says:

> localise-queries
> Return answers to DNS queries from /etc/hosts and --interface-name
> and --dynamic-host which depend on the interface over which the query
> was received. If a name has more than one address associated with it,
> and at least one of those addresses is on the same subnet as the
> interface to which the query was sent, then return only the address(es)
> on that subnet. This allows for a server to have multiple addresses in
> /etc/hosts corresponding to each of its interfaces, and hosts will get
> the correct address based on which network they are attached to.
> Currently this facility is limited to IPv4. 

Emphasis on

> Currently this facility is limited to IPv4. 

This is not a bug but actually rather expected behavior. The IPv6
address of the arriving query does not match the subnet of either of
the two A records you defined. Hence, dnsmasq is unable to determine
which is the best fit and returns all known A records. This lets the
client choose the one it can reach and seems meaningful.

What you request would be adding an interface-dependent address lookup:
is there any suitable IPv4 address on the same interface? However, a few
things need to be clarified in this case: how to handle multiple IPv4
addresses on the same interface, each of which has a valid record? It
is just not possible to localise queries in the same way when it is not
clear which IPv4 subnet the client is in.

My advice: There is no advantage in reaching a DNS server internally
over IPv6 in a dual-stack network. Ensure your clients query dnsmasq
over IPv4 and your problem is solved in both the simplest and also most
reliable way.

Best,
Dominik





Re: [Dnsmasq-discuss] localise-queries on ipv6 server does not work with ipv4-only hosts

2021-07-16 Thread Dominik DL6ER
Hey,

there is some confusion about IPv4/IPv6 addresses and A/AAAA records
here, so I'll clarify a bit: You can make any query (be it A or
AAAA) over IPv4 or IPv6 and there will be no difference (when
"localise-queries" is not used!). This is also the nomenclature used by
the dnsmasq man page.

On Fri, 2021-07-16 at 12:00 +0200, f...@gmx.de wrote:
> > > localise-queries
> > > Return answers to DNS queries from /etc/hosts and --
> > > interface-name
> > > and --dynamic-host which DEPENDS ON THE INTERFACE over which the
> > > query
> > > was received.
> My "interface" has an ipv4 and an ipv6!
>  And im requesting BY ipv6 an ipv4 (as the host has no ipv6) at an
> interface
> which is in 1 of the subnets of the returned host.
> 
> If this should not be supported ("bug") the manpage should be fixed
> and the word "interface" avoided. 

Yes, the man page could be updated to say "address" instead of
"interface" here to be crystal clear on this. It is still not wrong how
it is written.

> > > Currently this facility is limited to IPv4.
> Yes, im asking for an ipv4

No, you are not. You are asking for an A record. This comment refers to
the connection used to make the query.

As I already said above, you can make any query (be it A or AAAA)
over IPv4 or IPv6 and there will be no difference when
"localise-queries" is NOT used. There will, however, be a difference
when it is used, but only when asking over IPv4. This is what the man
page says and aligns perfectly with what you observe.


> > What you request would be adding an interface-dependent address
> > lookup:
> > is there any suitable IPv4 address on the same interface. However,a
> > few
> > things need to be clarified in this case: how to handle multiple
> > IPv4
> > addresses on the same interface each of which having a valid
> > record? It
> > is just not possible to localize queries in the same way when it is
> > not
> > clear which IPv4 subnet the client is in.
> 
>  - Dnsmasq knows the incoming/destination IP of the request.
>  - At daemon start it builds a list with interfaces + all its IPv4+6
>  - And if an IPv4 should be returned by IPv6 this list is first used.
> In case it still fails (many subnets at 1 interface) the old
> "return all" method could be used
> I don't know dnsmasq source code, but it sounds not so hard
> 
> For the multi-subnets exists a workaround to make it fully working:
> assign only 1 IPv4 per IF and move the other IPv4s to "eth0:n" 
> 

Yes, it does not sound hard, but it is not available. This is a request
for a new feature.


> > My advice: There is no advantage in reaching a DNS server
> > internally
> > over IPv6 in a dual-stack network. Ensure your clients query
> > dnsmasq
> > over IPv4 and your problem is solved in both the simplest and also
> > most
> > reliable way.
> I think I don't like it, as I want the DNS to be reachable by v4+v6, e.g.
> when IPv4 is down.
> Maybe I could use different hostnames for the same device in different
> subnets. This is not so smart, devices could be switched by VLANs.
> And this host in multiple subnets has some CNAMEs

I've seen a lot of networks with interesting configurations. Network
admins tend to take painful ways too often. In like 99% of all cases a
DNS+DHCP server serves the goal better and causes a lot less
maintenance work. Will IPv4 ever be down in your network and IPv6 still
working fine? I somehow doubt this is a realistic threat. You do not
need to prepare for a worst case scenario that will never happen.

As always, this is just advice intended to be helpful to you. I'm not
intending in the slightest to tell you how you should do things. I'm
merely pointing in the direction of least pain.

To me this is a new feature requested for dnsmasq (requesting to remove
an existing limitation stated in the man page) and not a bug report.

All developers are reading this mailing list. Feature submissions via
git patches are welcomed also on this list and are known to accelerate
feature realization drastically.

Best,
Dominik
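The two localise-queries replies above both come down to the rule the man page states and to its IPv4-only limitation. As an added example that is not dnsmasq's code and not part of either mail, the Python below implements that rule over a constructed hosts entry, and then goes one step beyond the thread: `localise_by_interface()` is a hypothetical version of the interface-based lookup the requester asked for, written so that the ambiguity Dominik raises (several IPv4 subnets on one interface, each with a matching record) is visible in the result. Names, sample addresses and the second function are assumptions for illustration, not dnsmasq behaviour.

```python
import ipaddress
from typing import Dict, List

# Constructed /etc/hosts-style data (not from the thread): one name with an
# address on each of two subnets, the situation localise-queries is made for.
HOSTS: Dict[str, List[str]] = {"server.lan": ["192.168.1.10", "10.0.0.10"]}


def localise(records: List[str], listen_addr: str, prefixlen: int) -> List[str]:
    """The --localise-queries rule as the man page states it: if at least one of the
    name's addresses is on the subnet of the address the query was sent to, return
    only those; otherwise return everything. Only IPv4 is localised, so a query that
    arrived over IPv6 always gets the full set (the limitation discussed above)."""
    iface = ipaddress.ip_address(listen_addr)
    if iface.version != 4:
        return list(records)
    net = ipaddress.ip_network(f"{listen_addr}/{prefixlen}", strict=False)
    on_subnet = [r for r in records
                 if ipaddress.ip_address(r).version == 4 and ipaddress.ip_address(r) in net]
    return on_subnet or list(records)


def localise_by_interface(records: List[str], iface_v4_nets: List[str]) -> List[str]:
    """Hypothetical extension requested in the thread, NOT dnsmasq behaviour: localise by
    the IPv4 subnets configured on the receiving interface, so an IPv6 query can still be
    localised. If the matching records span more than one of those subnets there is no way
    to tell which one the client is in, and the full set is returned; that is the ambiguity
    the reply points out."""
    nets = [ipaddress.ip_network(n, strict=False) for n in iface_v4_nets]
    nets = [n for n in nets if n.version == 4]
    hits: Dict[ipaddress.IPv4Network, List[str]] = {}
    for r in records:
        addr = ipaddress.ip_address(r)
        if addr.version != 4:
            continue
        for net in nets:
            if addr in net:
                hits.setdefault(net, []).append(r)
    if len(hits) == 1:
        return next(iter(hits.values()))
    return list(records)


if __name__ == "__main__":
    recs = HOSTS["server.lan"]
    print("v4 query on 192.168.1.1/24 ->", localise(recs, "192.168.1.1", 24))
    print("v6 query on fd00::1/64    ->", localise(recs, "fd00::1", 64))
    print("by interface, one v4 net  ->", localise_by_interface(recs, ["192.168.1.1/24"]))
    print("by interface, two v4 nets ->", localise_by_interface(recs, ["192.168.1.1/24", "10.0.0.1/24"]))
```

The last call is the case that makes the feature request hard: with two IPv4 subnets on the interface and a record in each, nothing in an IPv6 query tells the server which subnet the client sits in, so the only safe answer is the unfiltered set.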




Re: [Dnsmasq-discuss] Dnsmasq replying with refuse without forwarding request to upstream server.

2021-07-23 Thread Dominik DL6ER
Hey Sunil,

I encountered this situation only when dnsmasq didn't have any working
upstream server it could forward your query to.

Could you please
1. add "log-queries=extra" and "log-facility=/tmp/dnsmasq.log" to your
configuration,
2. restart dnsmasq,
3. do the DNS query that ends up in REFUSED, and
4. send us the generated log file

Maybe it reveals something of interest.

Best,
Dominik

On Fri, 2021-07-23 at 10:58 +0530, sunil rathod wrote:
> 
> Hello Simon, I still see the problem after removing interface from
> server= config. I restarted dnsmasq; for some reason dnsmasq is not
> liking the DNS query. As soon as it receives the query it sends back
> the REFUSE response without forwarding to the upstream server.
> 
> Sunil. 
> 
> On Fri, Jul 23, 2021, 03:05 Simon Kelley 
> wrote:
> > Two possible  reasons: 1) resource exhaustion - the limit on the
> > number
> > of "in-flight" queries has been reached. 2) Network errors sending
> > the
> > query upstream. As a start of debugging, I'd try without the @eth0
> > interface specifier.
> > 
> > Simon.
> > 
> > 
> > On 22/07/2021 18:21, sunil rathod wrote:
> > > Hi All, 
> > > Any thoughts why dnsmasq is replying with REFUSE response without
> > > forwarding the query to upstream server?  Nslookup always fails
> > with
> > > refuse response from the external client. I have the upstream
> > server
> > > configured on conf file as
> > > server=8.8.8.8@eth0
> > > Regards, 
> > > Sunil
> > > 
> > > 
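The four debugging steps above produce a `log-queries=extra` log. As an added example (not part of the thread and not dnsmasq code), the Python below groups such a log by the per-query id that `extra` adds to every line and lists the queries that were answered REFUSED without any `forwarded ... to` line, which is the symptom Sunil describes. The sample lines are constructed to mirror the message shapes quoted elsewhere on this page (`query[A] ... from`, `forwarded ... to`, `config error is REFUSED (EDE: not ready)`); the exact field positions are an assumption and may need adjusting for a given dnsmasq version.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample, not a real capture: what "log-queries=extra" output looks like,
# modelled on the message shapes quoted in this thread. Field positions are an assumption.
SAMPLE_LOG = """\
Jul 23 10:58:01 dnsmasq[1234]: 1 192.168.1.50/40101 query[A] example.com from 192.168.1.50
Jul 23 10:58:01 dnsmasq[1234]: 1 192.168.1.50/40101 forwarded example.com to 8.8.8.8
Jul 23 10:58:01 dnsmasq[1234]: 1 192.168.1.50/40101 reply example.com is 93.184.216.34
Jul 23 10:58:02 dnsmasq[1234]: 2 192.168.1.51/40102 query[A] test.example from 192.168.1.51
Jul 23 10:58:02 dnsmasq[1234]: 2 192.168.1.51/40102 config error is REFUSED (EDE: not ready)
Jul 23 10:58:03 dnsmasq[1234]: 3 192.168.1.50/40103 query[AAAA] example.com from 192.168.1.50
Jul 23 10:58:03 dnsmasq[1234]: 3 192.168.1.50/40103 cached example.com is NODATA-IPv6
"""

# "extra" logging prefixes every line with a per-query id and the client address/port.
LINE = re.compile(r"dnsmasq\[\d+\]: (?P<id>\d+) (?P<client>\S+) (?P<rest>.*)$")
QUERY = re.compile(r"query\[(?P<qtype>[^\]]+)\] (?P<qname>\S+) from ")


def group_by_query(log: str) -> Dict[str, List[Dict[str, str]]]:
    """Group log lines by query id so each query's full lifecycle can be inspected."""
    groups: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            groups[m.group("id")].append(m.groupdict())
    return dict(groups)


def refused_without_forward(log: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (query id, client, qname) for every query that ended in REFUSED although
    no 'forwarded ... to' line exists for it, i.e. dnsmasq refused it locally."""
    findings = []
    for qid, entries in group_by_query(log).items():
        qname: Optional[str] = None
        forwarded = refused = False
        for entry in entries:
            rest = entry["rest"]
            qm = QUERY.match(rest)
            if qm:
                qname = qm.group("qname")
            elif rest.startswith("forwarded "):
                forwarded = True
            elif "is REFUSED" in rest:
                refused = True
        if refused and not forwarded:
            findings.append((qid, entries[0]["client"], qname))
    return findings


if __name__ == "__main__":
    for qid, client, qname in refused_without_forward(SAMPLE_LOG):
        print(f"query {qid} for {qname} from {client}: REFUSED without forwarding")
```

Running it over a real log collected with the steps above separates the two causes Simon lists: a refusal with no `forwarded` line at all points at configuration or at the in-flight limit, while a `forwarded` line that is never followed by a `reply` points at the upstream path.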


Re: [Dnsmasq-discuss] strict-order with no-resolv; multi ignore-address

2022-01-09 Thread Dominik Derigs
Hey Justin,

On Sun, 2022-01-09 at 13:51 +0800, Justin wrote:
> 3)
> 
> --all-servers says:
> 
> By  default,  when  dnsmasq has more than one up‐
>               stream server available, it will send queries  to
>               just one server.
> 
> --strict-order says:
> 
>  By default, dnsmasq will send queries to  any  of
>               the  upstream servers it knows about and tries to
>               favour servers that are known to be  up.
> 
> what on earth is the default behavior?

Both. dnsmasq sends to the one server it prefers. When this
server stops responding, dnsmasq will retry the others.
Furthermore, dnsmasq sends a query to all servers every now and
then to check again which one responds fastest (by default every
20 seconds or every 50 queries; it is a compile-time setting).

> 
> 
> On Sun, Jan 9, 2022 at 13:46 Justin 
> wrote:
> > Hello 
> > 
> > I have 2 questions:
> > 
> > 1)
> > 
> > if no-resolv is set, will strict-order apply to 
> > server=dns1
> > server=dns2
> > ...
> > 
> > on man page, it only mentions /etc/resolv.conf
> > 

Yes, strict-order applies to all server configuration, regardless
where it was defined.


> > 2)
> > 
> > can i have multiple ignore-address= ?
> > 
> > 

Yes.

> > 
> > -- 
> > 
> > Regards
> > Justin He

Best,
Dominik



[Dnsmasq-discuss] [PATCH] Alternative to previously submitted patch

2022-01-09 Thread Dominik Derigs
Hey Simon,

this is an alternative PR to the previously submitted patch (title
"Don't accept queries arriving on alias interface if configured
not to do this"). In contrast to the other patch, this one does
not fix the bug of listening on both interfaces when asked only
to listen on the alias interface (see the other PR for details).
Instead, it only adds logging for which interface is actually
used when a different one was configured.

I personally prefer the other fix as this one would be a mere
band-aid and would not fix the actual issue.

Best,
Dominik
From 33605d70b01f0ae2c60112d12c43762032865502 Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Sun, 26 Dec 2021 10:29:14 +0100
Subject: [PATCH 1/2] Log which interface is actually used when a different was
 configured

Signed-off-by: DL6ER 
---
 src/dnsmasq.h | 2 +-
 src/network.c | 6 --
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 1b00298..7af973c 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -632,7 +632,7 @@ struct irec {
   union mysockaddr addr;
   struct in_addr netmask; /* only valid for IPv4 */
   int tftp_ok, dhcp_ok, mtu, done, warned, dad, dns_auth, index, multicast_done, found, label;
-  char *name; 
+  char *name, *slabel;
   struct irec *next;
 };
 
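Review bot: `slabel` sits beside the existing `int ... label` flag with an almost identical name, which invites mixing the flag up with the string; `label_name` or `alias` would be clearer. Also make sure the code that frees struct irec entries on re-enumeration (not in this diff) releases the new string along with `name`, otherwise it leaks on every interface rescan.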
diff --git a/src/network.c b/src/network.c
index 3c1c176..e3879cf 100644
--- a/src/network.c
+++ b/src/network.c
@@ -544,9 +544,11 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
   iface->done = iface->multicast_done = iface->warned = 0;
   iface->index = if_index;
   iface->label = is_label;
-  if ((iface->name = whine_malloc(strlen(ifr.ifr_name)+1)))
+  if ((iface->slabel = whine_malloc(strlen(label)+1)) &&
+  (iface->name = whine_malloc(strlen(ifr.ifr_name)+1)))
 	{
 	  strcpy(iface->name, ifr.ifr_name);
+	  strcpy(iface->slabel, label);
 	  iface->next = daemon->interfaces;
 	  daemon->interfaces = iface;
 	  return 1;
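Review bot: `label` is dereferenced with no NULL check in `strlen(label)+1` and `strcpy(iface->slabel, label)`; the existing comment above label_exception() in network.c says labels are only supported on IPv4 addresses, so if this function is reached with a NULL label for an IPv6 address this is a crash, not a warning. Guard it, e.g. `label ? label : ifr.ifr_name`, or only allocate slabel under `if (is_label)`. Two smaller points: when the second whine_malloc() fails, the slabel allocated by the first is leaked, because the `&&` short-circuits straight into a failure path that only knew about name; and wherever `iface->name` is freed, `iface->slabel` now has to be freed too, which this patch does not show.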
@@ -1221,7 +1223,7 @@ void warn_wild_labels(void)
 
   for (iface = daemon->interfaces; iface; iface = iface->next)
 if (iface->found && iface->name && iface->label)
-  my_syslog(LOG_WARNING, _("warning: using interface %s instead"), iface->name);
+  my_syslog(LOG_WARNING, _("warning: using interface %s instead of %s"), iface->name, iface->slabel);
 }
 
 void warn_int_names(void)
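Review bot: the new message prints the kernel name first and the configured label second with nothing telling the reader which is which, and this warning only fires when the two differ; say it, e.g. `_("warning: using interface %s instead of configured %s")`. Also, `slabel` is only read here, for entries with `iface->label` set, yet iface_allowed() allocates and copies it for every address; making that allocation conditional on `is_label` avoids a malloc per interface address.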
-- 
2.25.1

From f48372b12f45ff808e0a6e2c4a93f940171816e9 Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Sun, 26 Dec 2021 10:35:00 +0100
Subject: [PATCH 2/2] Compare label instead of interface name against
 dhcp_except and tftp interfaces to extend their scope to interface aliases.
 The man page does not mention that they are limited to "real" interfaces and
 stop working once an alias interface is specified (even if valid).

Signed-off-by: DL6ER 
---
 src/network.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/network.c b/src/network.c
index e3879cf..9f4917b 100644
--- a/src/network.c
+++ b/src/network.c
@@ -506,7 +506,7 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
 }
   else
 for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-  if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
+  if (tmp->name && wildcard_match(tmp->name, label))
 	{
 	  tftp_ok = 0;
 	  dhcp_ok = 0;
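Review bot: this widens what is served rather than narrowing it. Before, `--no-dhcp-interface=eth0` matched `ifr.ifr_name`, which is `eth0` for every address on the interface including the ones labelled `eth0:0`, so DHCP and TFTP were switched off on the alias as well; matching the label instead means an existing exclusion silently stops covering the alias unless the admin lists it separately. Match either form, `wildcard_match(tmp->name, ifr.ifr_name) || (label && wildcard_match(tmp->name, label))`, and note the `label &&`: nothing here checks it for NULL.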
@@ -520,7 +520,7 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
   /* dedicated tftp interface list */
   tftp_ok = 0;
   for (tmp = daemon->tftp_interfaces; tmp; tmp = tmp->next)
-	if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
+	if (tmp->name && wildcard_match(tmp->name, label))
 	  tftp_ok = 1;
 }
 #endif
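Review bot: for `--tftp-interfaces` the same substitution works the other way round: an entry for `eth0` no longer enables TFTP on addresses labelled `eth0:0`, so the patch is asymmetric (exclusions get narrower and serve more, enables get narrower and serve less). Whatever the intended rule is, spell it out in the man page entries for `--no-dhcp-interface` and `--tftp-interfaces`; the commit message itself notes that the man page says nothing about aliases.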
-- 
2.25.1

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


[Dnsmasq-discuss] [PATCH] Log source of ignored query when local-service is used

2022-01-09 Thread Dominik Derigs
Hey Simon,

this patch adds logging of the source of an ignored query when
--local-service is used. The warning itself may not be enough to
investigate possible firewall holes, etc. As before, only one
message is printed but it may already give enough information
for users to fix their firewall issues.

This already has proven helpful when resolving a VLAN induced
issue (2 hops away) here:
https://discourse.pi-hole.net/t/dnsmasq-warn-ignoring-query-from-non-local-network/52346/14?u=dl6er

Best,
Dominik
From 9f4df221c014bb7ee8492a5bd8996dc7529cb1e6 Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Wed, 29 Dec 2021 14:06:53 +0100
Subject: [PATCH] Log source of ignored query when local-service is used

Signed-off-by: DL6ER 
---
 src/forward.c | 14 --
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/forward.c b/src/forward.c
index f22c080..d97c1ed 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -1423,7 +1423,12 @@ void receive_query(struct listener *listen, time_t now)
 	  static int warned = 0;
 	  if (!warned)
 	{
-	  my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
+	  char addrstr[INET6_ADDRSTRLEN];
+	  if(family == AF_INET6)
+		inet_ntop(AF_INET6, _addr.in6.sin6_addr, addrstr, sizeof(addrstr));
+	  else
+		inet_ntop(AF_INET, _addr.in.sin_addr, addrstr, sizeof(addrstr));
+	  my_syslog(LOG_WARNING, _("Ignoring UDP query from non-local network %s (logged only once)"), addrstr);
 	  warned = 1;
 	}
 	  return;
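Review bot: `if(family == AF_INET6)` and the indentation of the two `inet_ntop()` branches do not follow the `if (` style of the rest of this function, and the conversion already exists as `daemon->addrbuff`/ADDRSTRLEN (log_query() in cache.c uses them), so the open-coded block can be one call. On substance, the process-lifetime `warned` flag means only the very first offending source is ever logged: once the admin fixes that network, a second rogue source stays invisible until restart. A per-source-network or time-based limit keeps the flood protection without that blind spot, and the same helper would then serve the TCP path below.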
@@ -1950,7 +1955,12 @@ unsigned char *tcp_request(int confd, time_t now,
 	}
   if (!addr)
 	{
-	  my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
+	  char addrstr[INET6_ADDRSTRLEN];
+	  if(peer_addr.sa.sa_family == AF_INET6)
+	inet_ntop(AF_INET6, _addr.in6.sin6_addr, addrstr, sizeof(addrstr));
+	  else
+	inet_ntop(AF_INET, _addr.in.sin_addr, addrstr, sizeof(addrstr));
+	  my_syslog(LOG_WARNING, _("Ignoring TCP query from non-local network %s"), addrstr);
 	  return packet;
 	}
 }
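Review bot: unlike the UDP path, this logs on every rejected TCP connection with no `warned` guard and no rate limit, so a host outside the local networks can fill syslog simply by opening connections, and rejection is exactly the case where the peer is untrusted. Apply the same once-only guard as receive_query() or, better, one rate limit shared by both paths.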
-- 
2.25.1

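An added example (editor's Python, not code from this thread or from dnsmasq) of the admission decision the patch above logs about: a source is served only if it lies in a network attached to one of our interfaces, and a rejection is logged with a per-source-network rate limit rather than a process-lifetime flag, so the UDP and TCP paths share one policy and neither can be used to flood the log. The interface addresses and the source addresses are constructed inputs; the log text mirrors the patch's wording.

```python
"""Added example, not dnsmasq code: the --local-service admission decision
with rate-limited logging of rejected sources."""
import ipaddress
import time


class LocalServiceFilter:
    def __init__(self, interface_addrs, log, min_interval=60.0):
        # interface_addrs: 'address/prefix' for each address we listen on
        # (constructed input); the network each one lies in counts as local.
        self.nets = [ipaddress.ip_network(a, strict=False) for a in interface_addrs]
        self.log = log
        self.min_interval = min_interval
        self._last_logged = {}          # source network -> last log timestamp

    def is_local(self, src):
        """True if src lies in any directly attached network."""
        a = ipaddress.ip_address(src)
        return any(a in n for n in self.nets)

    def admit(self, src, proto, now=None):
        """Return True to serve the query, False to drop it.  A drop is logged
        at most once per min_interval per source /24 (or /64), so a scan from
        one network yields one line, a new network yields a new line, and
        neither UDP nor TCP can be used to flood the log."""
        if self.is_local(src):
            return True
        now = time.monotonic() if now is None else now
        a = ipaddress.ip_address(src)
        key = ipaddress.ip_network(f"{a}/{24 if a.version == 4 else 64}", strict=False)
        last = self._last_logged.get(key)
        if last is None or now - last >= self.min_interval:
            self._last_logged[key] = now
            self.log(f"Ignoring {proto} query from non-local network {src}")
        return False


def demo():
    """Run the constructed scenario; returns (verdicts, log lines produced)."""
    lines = []
    f = LocalServiceFilter(["192.168.1.1/24", "fd00:1::1/64"], lines.append)
    verdicts = [
        f.admit("192.168.1.50", "UDP", now=0),    # local: served
        f.admit("fd00:1::42", "TCP", now=0),      # local (IPv6): served
        f.admit("10.5.5.5", "UDP", now=1),        # rejected, logged
        f.admit("10.5.5.6", "TCP", now=2),        # same /24 within interval: silent
        f.admit("10.6.0.1", "TCP", now=3),        # different network: logged
        f.admit("10.5.5.7", "TCP", now=70),       # interval elapsed: logged again
    ]
    return verdicts, lines


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Keying the limit on the source network rather than the exact address is deliberate: a scanner walking a subnet would otherwise get one line per address, which is the flood the limit is meant to prevent.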


[Dnsmasq-discuss] [PATCH] Don't accept queries arriving on alias interface if configured not to do this

2022-01-09 Thread Dominik Derigs
Hey Simon,

I found the following bug/misbehavior (whatever you wanna call
it):

The real interface is eth0; an alias is created as eth0:0.

Config --interface=eth0
Queries on eth0 and eth0:0 are accepted because dnsmasq only
compares the physical interface name string.

Config --interface=eth0:0
Queries on eth0 and eth0:0 are rejected (at first!) because of
the physical interface's name mismatch. But there is another
check, label_exception(), that does said iteration and would lead
to accepting the eth0:0 query. The eth0 query is correctly
rejected.

In an ideal world, we should also reject the eth0:0 query when
configured with "--interface=eth0". It can rather easily be done
by comparing the configured interface's IP addresses instead of
the name strings (or ifindex).
When doing this, warn_wild_listeners() can be dropped
altogether as the strange behavior we used to warn about is
fixed.

The patch addresses this.

The second patch ensures we compare label instead of interface
name against dhcp_except and tftp interfaces to extend their
scope to interface aliases. The man page does not mention that
they are limited to "real" interfaces and stop working once an
alias interface is specified (even if valid).

Best,
Dominik

[resubmission of rebased patches, original submission in
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q4/015938.html]
From cc07a92ba26c3d9b3142a97e1c750fdb1a09e6e5 Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Fri, 19 Nov 2021 10:59:25 +0100
Subject: [PATCH 1/2] Don't accept queries arriving on alias interface if
 configured not to do this.

Signed-off-by: DL6ER 
---
 src/dnsmasq.c |  2 --
 src/dnsmasq.h |  3 +--
 src/forward.c | 16 +++-
 src/network.c | 13 ++---
 src/tftp.c| 11 ++-
 5 files changed, 20 insertions(+), 25 deletions(-)

diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 0de8d18..15c9620 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -949,8 +949,6 @@ int main (int argc, char **argv)
 
   if (option_bool(OPT_NOWILD))
 warn_bound_listeners();
-  else if (!option_bool(OPT_CLEVERBIND))
-warn_wild_labels();
 
   warn_int_names();
   
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 1b00298..7fb4e3b 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1463,12 +1463,11 @@ int enumerate_interfaces(int reset);
 void create_wildcard_listeners(void);
 void create_bound_listeners(int dienow);
 void warn_bound_listeners(void);
-void warn_wild_labels(void);
 void warn_int_names(void);
 int is_dad_listeners(void);
 int iface_check(int family, union all_addr *addr, char *name, int *auth);
 int loopback_exception(int fd, int family, union all_addr *addr, char *name);
-int label_exception(int index, int family, union all_addr *addr);
+int label_match(int index, int family, union all_addr *addr);
 int fix_fd(int fd);
 int tcp_interface(int fd, int af);
 int set_ipv6pktinfo(int fd);
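Review bot: `label_match()` now carries three meanings in one `int` (the caller in forward.c documents 0 = reject, 1 = match, 2 = not IPv4, fall back to iface_check), none of which a reader of this header can see; a bare `if (!label_match(...))` elsewhere would treat 2 as a match. Either comment the return values here or return an enum.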
diff --git a/src/forward.c b/src/forward.c
index f22c080..a35d897 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -1497,12 +1497,18 @@ void receive_query(struct listener *listen, time_t now)
   if (!indextoname(listen->fd, if_index, ifr.ifr_name))
 	return;
   
-  if (!iface_check(family, _addr, ifr.ifr_name, _dns))
+  if (!option_bool(OPT_CLEVERBIND))
+	enumerate_interfaces(0);
+  /* interface=eth0   and query over eth0   -> ifchk = 1, label = 1 - ACCEPTED */
+  /* interface=eth0   and query over eth0:0 -> ifchk = 1, label = 0 - REJECTED */
+  /* interface=eth0:0 and query over eth0:0 -> ifchk = 0, label = 1 - ACCEPTED */
+  /* interface=eth0:0 and query over eth0:0 -> ifchk = 0, label = 0 - REJECTED */
+  /* If the interace is not IPv4, label_match return 2 and we use iface_check */
+  const int label = label_match(if_index, family, _addr);
+  const int ifchk = iface_check(family, _addr, ifr.ifr_name, _dns);
+  if (label == 0 || (label == 2 && !ifchk))
 	{
-	   if (!option_bool(OPT_CLEVERBIND))
-	 enumerate_interfaces(0); 
-	   if (!loopback_exception(listen->fd, family, _addr, ifr.ifr_name) &&
-	   !label_exception(if_index, family, _addr))
+	   if (!loopback_exception(listen->fd, family, _addr, ifr.ifr_name))
 	 return;
 	}
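Review bot: the comment table lists the same case twice: the fourth row repeats `interface=eth0:0 and query over eth0:0` but gives `label = 0, REJECTED`, so it must mean `query over eth0`, the case the commit message says is correctly rejected; fix it, since this table is what documents the new rule (also `interace`). The bigger issue is that `enumerate_interfaces(0)` now runs for every UDP query received unless --bind-dynamic is in use, where before it only ran on the reject path after iface_check() failed; re-enumerating the interfaces per packet is a cost any unauthenticated sender can make us pay, so keep it on the failure path or rate-limit it. Minor: the `const int` declarations after statements break the declarations-first style used elsewhere in this file.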
 
diff --git a/src/network.c b/src/network.c
index 3c1c176..b930553 100644
--- a/src/network.c
+++ b/src/network.c
@@ -207,13 +207,13 @@ int loopback_exception(int fd, int family, union all_addr *addr, char *name)
on the relevant address, but the name of the arrival interface, derived from the
index won't match the config. Check that we found an interface address for the arrival 
interface: daemon->interfaces must be up-to-date. */
-int label_exception(int index, int family, union all_addr *addr)
+int label_match(int index, int family, union all_addr *addr)
 {
   struct irec *iface;
 
   /* labels only supported on IPv4 addresses. */
   if (family != AF_INET)
-return 0;
+retu
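Review bot: the hunk is cut off at the changed return, but the caller in forward.c rejects on `label == 0` and documents that the non-IPv4 case returns 2, so the `family != AF_INET` early return here must become `return 2;` rather than the 0 it was; otherwise every IPv6 query is dropped before iface_check() is even consulted.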

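The accept/reject rule from the alias patches above (the label handling in "Alternative to previously submitted patch" and the truth table in this one), as an added example in Python; it is editor's code, not dnsmasq's. Deciding on the destination address rather than the kernel name is what separates eth0 from eth0:0, since both share the name and the ifindex. The interface table is constructed, and fnmatch stands in for dnsmasq's own wildcard matching in the second function, which shows the either-name-or-label rule suggested above for --no-dhcp-interface and --tftp-interfaces.

```python
"""Added example, not dnsmasq code: accept or reject a query by the address
it arrived on, so eth0 and its alias eth0:0 are told apart, plus an
interface-list match that covers both kernel names and labels."""
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IfaceAddr:
    name: str    # kernel interface name ("eth0"); shared by all its addresses
    label: str   # address label ("eth0:0"); equals name for the primary address
    index: int   # ifindex; the same for eth0 and eth0:0
    addr: str


# Constructed table standing in for what interface enumeration would return.
IFACES = [
    IfaceAddr("eth0", "eth0", 2, "192.168.1.1"),
    IfaceAddr("eth0", "eth0:0", 2, "192.168.2.1"),
    IfaceAddr("lo", "lo", 1, "127.0.0.1"),
]


def accept_query(configured, arrival_index, arrival_addr, ifaces=IFACES):
    """--interface semantics from the cover letter: a query is accepted only if
    the address it was received on belongs to a configured label.  The kernel
    name alone cannot decide this, because eth0 and eth0:0 share both the name
    and the ifindex; the destination address is the only thing that differs."""
    dst = ipaddress.ip_address(arrival_addr)
    for ia in ifaces:
        if ia.index == arrival_index and ipaddress.ip_address(ia.addr) == dst:
            return ia.label in configured
    return False    # arrived on an address we do not know about


def matches_interface_list(patterns, ia):
    """Match either the kernel name or the label, so `eth0` keeps covering every
    address on eth0 (aliases included) while `eth0:0` selects just the alias.
    fnmatch is a stand-in for dnsmasq's wildcard_match()."""
    return any(fnmatch.fnmatchcase(ia.name, p) or fnmatch.fnmatchcase(ia.label, p)
               for p in patterns)


if __name__ == "__main__":
    for cfg in ({"eth0"}, {"eth0:0"}):
        for ia in IFACES[:2]:
            print(sorted(cfg), ia.label, accept_query(cfg, ia.index, ia.addr))
```

The four accept_query() outcomes for the two eth0 entries are the four rows of the truth table in the patch, with the fourth row read as "query over eth0".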
[Dnsmasq-discuss] [PATCH] DNS flag day 2020: Minimum safe size is 1232

2022-01-09 Thread Dominik Derigs
Hey Simon,

Minimum safe size is recommended to be 1232. See
https://dnsflagday.net/2020/, relevant parts below:

> This year, we are focusing on problems with IP fragmentation of
> DNS packets.
>
> IP fragmentation is unreliable on the Internet today, and can
> cause transmission failures when large DNS messages are sent via
> UDP. Even when fragmentation does work, it may not be secure; it
> is theoretically possible to spoof parts of a fragmented DNS
> message, without easy detection at the receiving end.
>
> - Bonica R. et al, “IP Fragmentation Considered Fragile”, Work
>   in Progress, July 2018
> - Huston G., “IPv6, Large UDP Packets and the DNS”, August 2017
> - Fujiwara K., “Measures against cache poisoning attacks using
>   IP fragmentation in DNS”, May 2019
> - Fujiwara K. et al, “Avoid IP fragmentation in DNS”, September
>   2019
> 
> Recently, there was a paper and presentation Defragmenting DNS
> - Determining the optimal maximum UDP response size for DNS by
> Axel Koolhaas, and Tjeerd Slokker in collaboration with NLnet
> Labs that explored the real world data using the RIPE Atlas
> probes and the researchers suggested different values for IPv4
> and IPv6 and in different scenarios. This is practical for the
> server operators that know their environment, and **the defaults
> in the DNS software should reflect the minimum safe size which is
> 1232.**

This PR reduces the minimum safe size to said 1232 bytes.
Actually, the DNS flag day asks us to reduce `EDNS_PKTSZ`
(currently `4096`) to ensure fragmentation will never happen, but
I don't think we really want to do this given the steady growth
in DNSSEC-enabled zones (see trend graphs on
https://stats.dnssec-tools.org).

Best,
Dominik
From 1113ef0c3102adb9106a21a8c1c97137fa21cd32 Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Tue, 28 Dec 2021 11:03:40 +0100
Subject: [PATCH] Minimum safe size is recommended to be 1232. See
 https://dnsflagday.net/2020/

Signed-off-by: DL6ER 
---
 src/config.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/config.h b/src/config.h
index 2bb6683..227fb1f 100644
--- a/src/config.h
+++ b/src/config.h
@@ -20,7 +20,7 @@
 #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
 #define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
 #define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
-#define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
+#define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */
 #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
 #define DNSSEC_WORK 50 /* Max number of queries to validate one question */
 #define TIMEOUT 10 /* drop UDP queries after TIMEOUT seconds */
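Review bot: put the derivation in the comment so the value does not look arbitrary: 1232 = 1280 (IPv6 minimum MTU) - 40 (IPv6 header) - 8 (UDP header). The follow-up on this list calls the figure guesswork, and that arithmetic is the answer. The 1280 it replaces was the bare IPv6 MTU with no allowance for headers, i.e. a 1280-byte UDP payload still needs fragmentation on a minimum-MTU IPv6 path.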
-- 
2.25.1



Re: [Dnsmasq-discuss] [PATCH] DNS flag day 2020: Minimum safe size is 1232

2022-01-11 Thread Dominik Derigs
Hey Petr,

at least one popular upstream DNS provider (Quad9 at 9.9.9.9 and
their other addresses) switched from 1280 to 1232. This means the
"should always work" size of dnsmasq is slightly too large for
them and might fail for those queries where the payload lies in
between these two values. Hence, I still find it meaningful to
reduce the number.
Otherwise, I perfectly agree with you that 1232 is some
guesswork and that there will be no ultimate answer.

Best,
Dominik

On Tue, 2022-01-11 at 11:52 +0100, Petr Menšík wrote:
> I doubt that small difference matters. 1280 or 1232 is almost
> the same. It is about the smallest packet supported by IPv6. I
> think size 1232 was invented by more or less sophisticated
> guessing. I am not sure this is required to be exactly this
> value. I would leave it at the current value unless we know a
> case where it is insufficient.
> 
> Cheers,
> Petr
> 
> On 1/9/22 11:06, Dominik Derigs wrote:
> > Hey Simon,
> > 
> > Minimum safe size is recommended to be 1232. See
> > https://dnsflagday.net/2020/, relevant parts below:
> > 
> > > This year, we are focusing on problems with IP fragmentation
> > > of DNS packets.
> > >
> > > IP fragmentation is unreliable on the Internet today, and can
> > > cause transmission failures when large DNS messages are sent
> > > via UDP. Even when fragmentation does work, it may not be
> > > secure; it is theoretically possible to spoof parts of a
> > > fragmented DNS message, without easy detection at the
> > > receiving end.
> > >
> > > - Bonica R. et al, “IP Fragmentation Considered Fragile”,
> > >   Work in Progress, July 2018
> > > - Huston G., “IPv6, Large UDP Packets and the DNS”, August
> > >   2017
> > > - Fujiwara K., “Measures against cache poisoning attacks
> > >   using IP fragmentation in DNS”, May 2019
> > > - Fujiwara K. et al, “Avoid IP fragmentation in DNS”,
> > >   September 2019
> > >
> > > Recently, there was a paper and presentation Defragmenting
> > > DNS - Determining the optimal maximum UDP response size for
> > > DNS by Axel Koolhaas, and Tjeerd Slokker in collaboration
> > > with NLnet Labs that explored the real world data using the
> > > RIPE Atlas probes and the researchers suggested different
> > > values for IPv4 and IPv6 and in different scenarios. This is
> > > practical for the server operators that know their
> > > environment, and **the defaults in the DNS software should
> > > reflect the minimum safe size which is 1232.**
> > 
> > This PR reduces the minimum safe size to said 1232 bytes.
> > Actually, the DNS flag day asks us to reduce `EDNS_PKTSZ`
> > (currently `4096`) to ensure fragmentation will never happen,
> > but I don't think we really want to do this given the steady
> > growth in DNSSEC-enabled zones (see trend graphs on
> > https://stats.dnssec-tools.org).
> > 
> > Best,
> > Dominik
> 





[Dnsmasq-discuss] [PATCH] Strip EDNS(0) Client Subnet / MAC information

2022-01-06 Thread Dominik Derigs
Hey Simon,

a series of patches (multiple mails) follows. This is the first
one:

Strip EDNS(0) Client Subnet / MAC information if --strip-subnet
or --strip-mac is set.
If BOTH the add and strip options are set, incoming EDNS0 options
are REPLACED.

This ensures we do not unintentionally forward client information
somewhere upstream when ECS is used in lower DNS layers in our
local network. Some upstream servers, for instance, Google DNS,
even refuse to answer when ECS contains a 192.168.0.0/16 address.

Best,
Dominik
From cb72bf20ce317a8d4c727d7818b2e20b33832eae Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Fri, 7 Jan 2022 06:11:53 +0100
Subject: [PATCH] Strip EDNS(0) Client Subnet / MAC information if
 --strip-subnet or --strip-mac is set. If both the add and strip options are
 set, incoming EDNS0 options are replaced. This ensures we do not
 unintentionally forward client information somewhere upstream when ECS is
 used in lower DNS layers in our local network.

Signed-off-by: DL6ER 
---
 src/dnsmasq.h |  4 +++-
 src/edns0.c   | 33 ++---
 src/option.c  |  6 ++
 3 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 1b00298..7384a1a 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -277,7 +277,9 @@ struct event_desc {
 #define OPT_QUIET_TFTP 66
 #define OPT_FILTER_A   67
 #define OPT_FILTER_68
-#define OPT_LAST   69
+#define OPT_STRIP_ECS  69
+#define OPT_STRIP_MAC  70
+#define OPT_LAST   71
 
 #define OPTION_BITS (sizeof(unsigned int)*8)
 #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
diff --git a/src/edns0.c b/src/edns0.c
index 5de6cb2..1599040 100644
--- a/src/edns0.c
+++ b/src/edns0.c
@@ -291,7 +291,7 @@ static size_t add_dns_client(struct dns_header *header, size_t plen, unsigned ch
 
 
 static size_t add_mac(struct dns_header *header, size_t plen, unsigned char *limit,
-		  union mysockaddr *l3, time_t now, int *cacheablep)
+		  union mysockaddr *l3, time_t now, int *cacheablep, const int replace)
 {
   int maclen;
   unsigned char mac[DHCP_CHADDR_MAX];
@@ -299,8 +299,13 @@ static size_t add_mac(struct dns_header *header, size_t plen, unsigned char *lim
   if ((maclen = find_mac(l3, mac, 1, now)) != 0)
 {
   *cacheablep = 0;
-  plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_MAC, mac, maclen, 0, 0); 
+  plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_MAC, mac, maclen, 0, replace);
 }
+  else if(replace > 0)
+  {
+/* Asked to replace MAC address but it is not available here. We just remove whatever might be there */
+plen = add_pseudoheader(header, plen, (unsigned char *)limit, daemon->edns_pktsz, EDNS0_OPTION_MAC, NULL, 0, 0, 2);
+  }
   
   return plen; 
 }
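Review bot: the remove branch passes `daemon->edns_pktsz` as the size argument where the add branch two lines above passes `PACKETSZ` for the same option; the two calls should not disagree, pick one. The trailing `2` meaning "remove" (next to the 0 and 1 used elsewhere) wants a named constant, and the `else if(replace > 0)` block is indented differently from the surrounding code.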
@@ -378,7 +383,8 @@ static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source,
   return len + 4;
 }
  
-static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *source, int *cacheable)
+static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned char *limit,
+			  union mysockaddr *source, int *cacheable, const int replace)
 {
   /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
   
@@ -386,7 +392,7 @@ static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned c
   struct subnet_opt opt;
   
   len = calc_subnet_opt(, source, cacheable);
-  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *), len, 0, 0);
+  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *), len, 0, replace);
 }
 
 int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer)
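Review bot: `replace` is passed straight through here, but check_source() just below still validates the upstream reply against the subnet option we sent. With `--strip-subnet` alone nothing is sent, so confirm that `*check_subnet` stays 0 on that path (add_edns0_config() in the next hunk resets it and must only set it when it actually adds the option); otherwise a reply that carries ECS is rejected for failing to match an option that was never there.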
@@ -498,11 +504,19 @@ size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *l
   *check_subnet = 0;
   *cacheable = 1;
   
+  /* OPT_ADD_MAC = MAC is added (if available)
+ OPT_ADD_MAC + OPT_STRIP_MAC = MAC is replaced, if not available, it is only removed
+ OPT_STRIP_MAC = MAC is removed */
   if (option_bool(OPT_ADD_MAC))
-plen  = add_mac(header, plen, limit, source, now, cacheable);
-  
+plen  = add_mac(header, plen, limit, source, now, cacheable, option_bool(OPT_STRIP_MAC) ? 1 : 0);
+  else if (option_bool(OPT_STRIP_MAC))
+plen = add_pseudoheader(header, plen, (unsigned char *)limit, daemon->edns_pktsz, EDNS0_OPTION_MAC, NULL, 0, 0, 2);
+
+  /* Use --strip-mac also for --add-mac=hex and --add-mac=text */
   if (option_bool(OPT_MAC_B64) || option_bool(OPT_MAC_HEX))
 plen = add_dns_client(header, plen, limit, source, now, cacheable);
+  else if (option_bool(OPT_STRIP_MAC))
+plen = add_pseudoheader(header, plen, (unsigned char *)limit, daemon->edns_pktsz, EDNS0_OPTION_NOMDEVICEID, N
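Review bot: the comment `Use --strip-mac also for --add-mac=hex and --add-mac=text` is not carried through: add_dns_client() is still called without a `replace` argument, so when `--add-mac=text` (or base64) and `--strip-mac` are both set the incoming NOMDEVICEID option is neither removed nor replaced, because the `else if (option_bool(OPT_STRIP_MAC))` branch only runs when no hex/base64 add is configured. Thread `replace` into add_dns_client() exactly as add_mac() does above.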

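One added example (editor's Python, not code from dnsmasq or from these threads) that serves both the SAFE_PKTSZ discussion in the flag-day thread and the strip/replace patch above: it locates the EDNS(0) OPT pseudo-RR in a DNS message, reads the UDP payload size the sender advertises, and removes or replaces the client-identifying options (ECS, MAC) before the query would be forwarded. Option code 8 for ECS is from RFC 7871; 65001 and 65073 are the values I believe dnsmasq uses for its binary and text MAC options but are assumptions here; the sample query is constructed.

```python
"""Added example, not dnsmasq code: find the EDNS(0) OPT pseudo-RR, read the
advertised UDP payload size, and strip or replace client-identifying options."""
import struct

SAFE_PKTSZ = 1232    # 1280 (IPv6 minimum MTU) - 40 (IPv6 header) - 8 (UDP header)
OPT_TYPE = 41        # RFC 6891
ECS = 8              # RFC 7871 client-subnet option code
MAC = 65001          # assumed: code dnsmasq uses for its binary MAC option
NOMDEVICEID = 65073  # assumed: code used for the text/base64 MAC variants


def _skip_name(msg, off):
    """Offset just past a wire-format name (handles compression pointers)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def _find_opt(msg):
    """(rr_header_offset, rdata_offset, rdlen) of the OPT RR, or None."""
    qd, an, ns, ar = struct.unpack('!4H', msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        hdr = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack('!HHIH', msg[hdr:hdr + 10])
        if rtype == OPT_TYPE:
            return hdr, hdr + 10, rdlen
        off = hdr + 10 + rdlen
    return None


def advertised_udp_size(msg):
    """Payload size from the OPT RR's CLASS field; 512 when there is no EDNS."""
    found = _find_opt(msg)
    if found is None:
        return 512
    hdr, _, _ = found
    return struct.unpack('!H', msg[hdr + 2:hdr + 4])[0]


def options(msg):
    """{option_code: rdata} for every option carried in the OPT RR."""
    found = _find_opt(msg)
    out = {}
    if found is None:
        return out
    _, off, rdlen = found
    end = off + rdlen
    while off + 4 <= end:
        code, olen = struct.unpack('!HH', msg[off:off + 4])
        out[code] = msg[off + 4:off + 4 + olen]
        off += 4 + olen
    return out


def rewrite_options(msg, strip=(), replace=None):
    """Remove options whose code is in `strip`, then append those in `replace`
    ({code: rdata}).  Codes in `replace` are removed first, so add+strip means
    'replace', the semantics the patch describes.  No OPT RR: unchanged."""
    found = _find_opt(msg)
    if found is None:
        return msg
    replace = dict(replace or {})
    drop = set(strip) | set(replace)
    hdr, rdata, rdlen = found
    kept = b''.join(struct.pack('!HH', c, len(b)) + b
                    for c, b in options(msg).items() if c not in drop)
    kept += b''.join(struct.pack('!HH', c, len(b)) + b for c, b in replace.items())
    return msg[:hdr + 8] + struct.pack('!H', len(kept)) + kept + msg[rdata + rdlen:]


def ecs_option(address, source_prefix):
    """RFC 7871 rdata: family 1, source prefix, scope 0, address truncated to the prefix."""
    raw = bytes(int(x) for x in address.split('.'))        # IPv4 only in this example
    return struct.pack('!HBB', 1, source_prefix, 0) + raw[:(source_prefix + 7) // 8]


def build_query(qname, udp_payload=SAFE_PKTSZ, opts=None):
    """Constructed sample query; udp_payload=None builds a plain, pre-EDNS query."""
    labels = b''.join(bytes([len(p)]) + p.encode() for p in qname.rstrip('.').split('.'))
    question = labels + b'\x00' + struct.pack('!HH', 1, 1)
    if udp_payload is None:
        return struct.pack('!6H', 0x1234, 0x0100, 1, 0, 0, 0) + question
    rdata = b''.join(struct.pack('!HH', c, len(b)) + b for c, b in (opts or {}).items())
    opt = b'\x00' + struct.pack('!HHIH', OPT_TYPE, udp_payload, 0, len(rdata)) + rdata
    return struct.pack('!6H', 0x1234, 0x0100, 1, 0, 0, 1) + question + opt
```

A forwarder using --strip-subnet would call `rewrite_options(q, strip={ECS})` on every query; --add-subnet together with --strip-subnet is `rewrite_options(q, replace={ECS: ecs_option(client_ip, 24)})`, which removes whatever the client sent and puts our own value in its place, so an RFC 1918 prefix from a downstream resolver never reaches the upstream.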
[Dnsmasq-discuss] Fwd: [PATCH] Addressing hostsdir shortcomings

2022-04-02 Thread Dominik Derigs
Dear Simon,

Second resubmission of my patches.
They still apply cleanly to current master.

Best,
Dominik

 Forwarded Message 
From: Dominik Derigs 
To: dnsmasq-discuss@lists.thekelleys.org.uk
, Simon Kelley

Subject: [PATCH] Addressing hostsdir shortcomings
Date: Sat, 08 Jan 2022 11:45:32 +0100

Hey Simon,

dnsmasq v2.73 added --hostsdir which is an efficient way of
reloading only parts of the cache. When we tried to use hostsdir
yesterday, we identified three problems. They are described
below. Patches addressing them are attached.

--- ISSUE 1 --- Logging imprecision

Assume you have multiple files in hostsdir; dnsmasq can only log
the directory, not the file that was the real source:

dnsmasq: read /home/test/hostsdir/hosts1 - 1 addresses
dnsmasq: read /home/test/hostsdir/hosts2 - 1 addresses
dnsmasq: read /home/test/hostsdir/hosts3 - 1 addresses

dnsmasq: 1 127.0.0.1/34170 query[A] aaa from 127.0.0.1
dnsmasq: 1 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 1 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.1
dnsmasq: 1 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2

This happens because the cache entries all use the same index
that is the directory name.

--- ISSUE 2 --- Outdated entries are not removed

When hostsdir re-reads the file, it does not remove outdated
entries. Assume you modify "192.168.1.1 aaa" to "192.168.1.2
aaa"; dnsmasq will now serve two A records for "aaa". This may be
considered okay; however, if I add "192.168.1.1 bbb", PTR
requests for this domain will still be answered with "aaa", which
might be completely outdated information.

--- ISSUE 3 --- Ever growing replies under certain situations

When a user uses an editor that creates (temporary) files during
editing (like "sed -i") or uses a script that writes files line
by line (like "echo '' >> file"), they can quickly end up with
strange things like

dnsmasq: 3 127.0.0.1/34170 query[A] aaa from 127.0.0.1
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.1
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2

which is not very meaningful. We check for duplicates before
inserting into the cache, however, duplicate checking can be
foiled here: add_hosts_entry() calls cache_find_by_name() only
once (say it returned "192.168.1.1") so the memcmp() on the
address fails and we can add an arbitrary amount of 192.168.1.2
entries.

For addressing issue 1, I added a new struct *dyndir having a
linked list of struct *hostsfile. With this, cache_insert() can
get the correct index. If a file is newly added, we just add a
new *hostsfile entry to the list (index++).

Issue 2 is an easy one as we can selectively clean the cache when
we know the uid to be removed. This can be called before running
read_hostsfile() to insert new stuff. I added MOVE_FROM and
DELETE to inotify_add_watch() so we catch if a file was removed.
In this case, we only remove old entries.

Issue 3 is fixed by adding a loop over cache_find_by_name() in
add_hosts_entry() to check possible multiple records.

Best,
Dominik

[sent earlier as
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015704.html
,
resubmitting patches rebased on latest master]

From 7873cc3dbfce3edeb534bf4d0a0030894aaa152a Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Wed, 29 Sep 2021 08:22:05 +0200
Subject: [PATCH 1/3] Extend hostsdir to store the individual files as sources
 for logging

Signed-off-by: DL6ER 
---
 src/cache.c   |   9 +++--
 src/dnsmasq.h |  13 ++-
 src/inotify.c | 103 ++
 src/option.c  |  40 
 4 files changed, 111 insertions(+), 54 deletions(-)

diff --git a/src/cache.c b/src/cache.c
index 246c3f2..e86d69b 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -1839,6 +1839,7 @@ void dump_cache(time_t now)
 char *record_source(unsigned int index)
 {
   struct hostsfile *ah;
+  struct dyndir *dd;
 
   if (index == SRC_CONFIG)
 return "config";
@@ -1850,9 +1851,11 @@ char *record_source(unsigned int index)
   return ah->fname;
 
 #ifdef HAVE_INOTIFY
-  for (ah = daemon->dynamic_dirs; ah; ah = ah->next)
- if (ah->index == index)
-   return ah->fname;
+  /* Dynamic directories contain multiple files */
+  for (dd = daemon->dynamic_dirs; dd; dd = dd->next)
+for (ah = dd->files; ah; ah = ah->next)
+  if (ah->index == index)
+	return a
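Review bot: the nested loop returns the individual file name, which is the fix for the logging imprecision described in the cover letter, but the `index` it matches on is the same space searched by the loop just above it, and that loop returns first. The per-file indices (`index++` in the cover letter) must therefore be allocated from the same counter as the static hosts files, otherwise a dynamic file and a static one can share an index and the first loop answers for both.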

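The three hostsdir behaviours the message asks for, as an added example in Python (editor's code, not the patch series or dnsmasq): per-file source indices so a lookup can be logged against the file it came from, removal of everything an individual file contributed before it is re-read or when it is deleted, and a duplicate check that scans all records for a name rather than stopping at the first. File paths and contents are constructed; the `reload` and `remove_source` calls stand in for the inotify events.

```python
"""Added example, not dnsmasq code: a minimal hosts cache with per-file source
tracking, stale-entry removal on re-read/delete, and a full duplicate scan."""
from collections import namedtuple

Record = namedtuple("Record", "name addr source")


class HostsCache:
    SRC_CONFIG = 0                      # records from the config itself

    def __init__(self):
        self.records = []
        self.sources = {}               # file path -> index; never reused

    def _index_for(self, path):
        """Issue 1: every file gets its own index, so a record can be logged
        against the file, not the directory, it came from."""
        return self.sources.setdefault(path, len(self.sources) + 1)

    def record_source(self, index):
        if index == self.SRC_CONFIG:
            return "config"
        for path, i in self.sources.items():
            if i == index:
                return path
        return "<unknown>"

    def add(self, name, addr, source):
        """Issue 3: check every record for the name, not only the first one
        found; a single lookup misses the duplicate whenever a different
        address for the same name comes first."""
        name = name.lower()
        if any(r.name == name and r.addr == addr for r in self.records):
            return False
        self.records.append(Record(name, addr, source))
        return True

    def remove_source(self, path):
        """Issue 2 (file deleted or moved away): forget everything it contributed."""
        idx = self.sources.get(path)
        if idx is None:
            return 0
        before = len(self.records)
        self.records = [r for r in self.records if r.source != idx]
        return before - len(self.records)

    def reload(self, path, text):
        """Issue 2 (file modified): drop its old records, then parse it again.
        Returns the number of records added (duplicates are not counted)."""
        idx = self._index_for(path)
        self.records = [r for r in self.records if r.source != idx]
        added = 0
        for line in text.splitlines():
            fields = line.split('#', 1)[0].split()   # hosts(5): addr name [alias ...]
            if len(fields) < 2:
                continue
            for name in fields[1:]:
                added += self.add(name, fields[0], idx)
        return added

    def lookup(self, name):
        """Forward lookup with the source each record would be logged with."""
        return [(r.addr, self.record_source(r.source))
                for r in self.records if r.name == name.lower()]

    def reverse(self, addr):
        return [r.name for r in self.records if r.addr == addr]
```

With this, the three log lines from the cover letter collapse to one per distinct record, each naming `/home/test/hostsdir/hostsN` rather than the directory.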
[Dnsmasq-discuss] Extend server to accept hostnames for upstream resolver

2022-04-02 Thread Dominik Derigs
Dear Simon,

In docker swarm and compose configurations, other containers are
only reachable via hostnames. It is not always possible to assign
IP addresses beforehand. Hence, the upstream server IP is not
known at dnsmasq start when the upstream is part of the deployed
configuration, e.g., a local cloudflared or unbound container.

So far, getting dnsmasq to run in such a case requires hacks that
somehow try to determine the IP address before starting dnsmasq.
An example for such a hack (not invented by me):
https://github.com/tschaffter/docker-dnsmasq/blob/54b5d5d551746b6f1708fbf4a705e2de66c2eaee/docker-entrypoint.sh#L14-L23

This patch implements name resolution functionality for
server=... by querying the system resolver for a hostname. It is
only used when a user supplied something that is not a valid IP
address (dnsmasq currently fails hard in this case so this isn't
a breaking change) and can be omitted by a compile time flag (I
think it's worthwhile to have it).

I know my proposal does sound somewhat strange (resolving a DNS
server name) but this is something that is somewhat frequently
needed and currently only possible through external hacks.
From 93f597e943283124af2e39620e748635cc6a04d6 Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Thu, 3 Feb 2022 16:12:16 +0100
Subject: [PATCH] Extend server to accept hostnames for upstream resolver

Signed-off-by: DL6ER 
---
 man/dnsmasq.8 |  4 +++
 src/config.h  |  3 +++
 src/option.c  | 69 ++-
 3 files changed, 75 insertions(+), 1 deletion(-)

diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 9af4ec8..87486a5 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -511,6 +511,10 @@ The query-port flag is ignored for any servers which have a
 source address specified but the port may be specified directly as
 part of the source address. Forcing queries to an interface is not
 implemented on all platforms supported by dnsmasq.
+
+If dnsmasq is compiled with HAVE_RESOLVESERVER, the upstream server may be specified with a hostname
+rather than an IP address. In this case, dnsmasq will try to use the system resolver to get the IP
+address of a server during startup. If name resolution fails, starting dnsmasq fails.
 .TP
 .B --rev-server=[/][,][#][@][@[#]]
 This is functionally the same as 
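Review bot: the man page text needs the consequences spelled out, not just the mechanism. The name is resolved once, at startup, through the system resolver, so (1) the address is frozen for the life of the process even though the cover letter's use case is one where container addresses are assigned late and can change; (2) if /etc/resolv.conf points at dnsmasq itself the lookup cannot succeed; and (3) whoever answers that startup lookup decides where every upstream query goes, which is a different trust position from an address typed into the config. "If name resolution fails, starting dnsmasq fails" also means start order matters in compose/swarm deployments; say so.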
diff --git a/src/config.h b/src/config.h
index 227fb1f..20b9487 100644
--- a/src/config.h
+++ b/src/config.h
@@ -138,6 +138,9 @@ HAVE_LOOP
 HAVE_INOTIFY
use the Linux inotify facility to efficiently re-read configuration files.
 
+HAVE_RESOLVESERVER
+   lookup servers if specified via hostnames instead of IP addresses.
+
 NO_ID
Don't report *.bind CHAOS info to clients, forward such requests upstream instead.
 NO_TFTP
diff --git a/src/option.c b/src/option.c
index 5230eaf..bf1087a 100644
--- a/src/option.c
+++ b/src/option.c
@@ -19,6 +19,10 @@
 #include "dnsmasq.h"
 #include 
 
+#ifdef HAVE_RESOLVESERVER
+#include 
+#endif
+
 static volatile int mem_recover = 0;
 static jmp_buf mem_jmp;
 static int one_file(char *file, int hard_opt);
@@ -846,6 +850,11 @@ char *parse_server(char *arg, union mysockaddr *addr, union mysockaddr *source_a
   char *interface_opt = NULL;
   int scope_index = 0;
   char *scope_id;
+  int addr_type = 0;
+#ifdef HAVE_RESOLVESERVER
+  int ecode = 0;
+  struct addrinfo *hostinfo, hints = { 0 };
+#endif
 
   *interface = 0;
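Review bot: `hints = { 0 }` here and the `memset(..., 0, sizeof(hints))` in the next hunk do the same job; keep one. `hostinfo` is filled by getaddrinfo() and must be released with freeaddrinfo() on every exit from parse_server(), including the error returns; the remainder of the function is not shown, so please check that.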
 
@@ -882,6 +891,64 @@ char *parse_server(char *arg, union mysockaddr *addr, union mysockaddr *source_a
   }
 
   if (inet_pton(AF_INET, arg, >in.sin_addr) > 0)
+  addr_type = AF_INET;
+  else if (inet_pton(AF_INET6, arg, >in6.sin6_addr) > 0)
+  addr_type = AF_INET6;
+#ifdef HAVE_RESOLVESERVER
+  /* if the argument is neither an IPv4 not an IPv6 address, it might be a
+ hostname and we should try to resolve it to a suitable address */
+  else
+{
+  memset(, 0, sizeof(hints));
+  /* The AI_ADDRCONFIG flag ensures that then IPv4 addresses are returned in
+ the result only if the local system has at least one IPv4 address
+ configured, and IPv6 addresses are returned only if the local system
+ has at least one IPv6 address configured. The loopback address is not
+ considered for this case as valid as a configured address. This flag is
+ useful on, for example, IPv4-only systems, to ensure that getaddrinfo()
+ does not return IPv6 socket addresses that would always fail in
+ subsequent connect() or bind() attempts. */
+  hints.ai_flags = AI_ADDRCONFIG;
+#if defined(HAVE_IDN) && defined(AI_IDN)
+  /* If the AI_IDN flag is specified and we have glibc 2.3.4 or newer, then
+ the node name given in node is converted to IDN format if necessary.
+ The source encoding is that of the current locale. */
+  hints.ai_flags |= AI_IDN;
+#endif
+  /* The value AF_UNSPEC indicates that getaddrinfo() should return socket
+ addresses for any addre
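Review bot: the comment blocks are lifted from getaddrinfo(3); a one-line pointer to the man page says the same. Two things the hunk should address: with AF_UNSPEC the name may resolve to several addresses (a swarm service with replicas does), so document whether the first or all of them are used; and since anything that fails inet_pton() is now sent to the resolver, a typo in a `server=` line becomes a DNS lookup (and, if something answers it, a silently wrong upstream) instead of a config error. Validating hostname syntax before calling getaddrinfo() keeps that failure loud.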

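The classification the patch describes (IPv4 literal, IPv6 literal, otherwise a hostname looked up at startup) as an added example in Python; editor's code, not dnsmasq's. The resolver is injectable so the logic can be exercised without network access, and the function returns every address a name resolves to and refuses addresses that cannot be a unicast upstream, which is the check I would want before trusting a startup lookup. The `#port` and `%scope` parsing follow --server= syntax; the sample names and addresses are constructed.

```python
"""Added example, not dnsmasq code: parse a --server= target, resolving a
hostname through an injectable resolver (the system resolver by default)."""
import ipaddress
import socket


def system_resolver(host):
    """Default resolver: what the patch does, getaddrinfo() with AI_ADDRCONFIG."""
    infos = socket.getaddrinfo(host, None, 0, socket.SOCK_DGRAM, 0, socket.AI_ADDRCONFIG)
    return sorted({info[4][0] for info in infos})


def usable_upstream(ip):
    """An upstream must be a unicast address we could actually send to."""
    return not (ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def parse_server(spec, resolver=system_resolver, default_port=53):
    """'target[#port]' -> [(address, port, scope_id), ...].

    Literal addresses never touch the resolver.  A name is resolved once, here,
    which mirrors the patch: the result is frozen for the life of the process."""
    target, sep, port = spec.rpartition('#')
    if not sep:
        target, port = spec, default_port
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in {spec!r}")
    host, _, scope = target.partition('%')          # fe80::1%eth0 style scope id
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                                    # not a literal: treat as a name
    if scope and (ip is None or ip.version != 6):
        raise ValueError("scope id is only valid with an IPv6 address")
    if ip is not None:
        return [(str(ip), port, scope or None)]
    addrs = [(str(a), port, None)
             for a in map(ipaddress.ip_address, resolver(host)) if usable_upstream(a)]
    if not addrs:
        raise ValueError(f"cannot resolve upstream server {host!r} to a usable address")
    return addrs


if __name__ == "__main__":
    fake = lambda h: ['10.0.0.6', '10.0.0.5']       # constructed resolver answer
    print(parse_server('127.0.0.1#5001'))
    print(parse_server('unbound#5053', resolver=fake))
```

Returning the whole list is what makes a replicated upstream usable; a caller that wants dnsmasq's one-address semantics takes the first element, but that choice is then visible in the config code rather than hidden in getaddrinfo()'s ordering.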
[Dnsmasq-discuss] [PATCH] Log server port when forwarding upstream

2022-01-08 Thread Dominik Derigs
Hey Simon,

another patch:

Log server port when forwarding upstream to avoid ambiguities
when running multiple upstream destinations at the same IP but on
different ports. The port is already logged in other places, like
after starting dnsmasq:

Nov 17 18:03:16 dnsmasq[123]: using nameserver 127.0.0.1#5001
Nov 17 18:03:16 dnsmasq[123]: using nameserver 127.0.0.1#5002 for
domain network (no DNSSEC)
Nov 17 18:03:16 dnsmasq[123]: using nameserver 127.0.0.1#5003 for
domain example2.com (no DNSSEC)
Nov 17 18:03:16 dnsmasq[123]: using nameserver 127.0.0.1#5004 for
unqualified names (no DNSSEC)

Best,
Dominik
From eba5c590bc98b3cd5ca54ff59f654cb9da1aee8c Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Fri, 19 Nov 2021 10:08:01 +0100
Subject: [PATCH] Log server port when forwarding upstream

Signed-off-by: DL6ER 
---
 src/cache.c   |  8 ++--
 src/dnsmasq.h |  1 +
 src/forward.c | 10 --
 src/option.c  |  4 +++-
 4 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/src/cache.c b/src/cache.c
index 246c3f2..7b136ce 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -1992,8 +1992,12 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
 	}
 	}
   else if (flags & (F_IPV4 | F_IPV6))
-	inet_ntop(flags & F_IPV4 ? AF_INET : AF_INET6,
-		  addr, daemon->addrbuff, ADDRSTRLEN);
+	{
+	  inet_ntop(flags & F_IPV4 ? AF_INET : AF_INET6,
+		addr, daemon->addrbuff, ADDRSTRLEN);
+	  if (flags & F_SERVER) /* Append upstream server port if forwarding */
+	sprintf(strchr(daemon->addrbuff, '\0'), "#%u", daemon->log_port);
+	}
   else
 	dest = arg;
 }
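Review bot: `sprintf(strchr(daemon->addrbuff, '\0'), "#%u", ...)` appends with no bound; the buffer is grown by 10 in option.c for this, which covers `#65535` plus the terminator, but the size assumption now lives in two files. Use snprintf() with the remaining length so a later change to addrbuff's allocation cannot turn this append into an overflow.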
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 1b00298..50789d4 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1264,6 +1264,7 @@ extern struct daemon {
   /* file for packet dumps. */
   int dumpfd;
 #endif
+  in_port_t log_port;
 } *daemon;
 
 /* cache.c */
diff --git a/src/forward.c b/src/forward.c
index f22c080..d361170 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -122,9 +122,15 @@ static void set_outgoing_mark(struct frec *forward, int fd)
 static void log_query_mysockaddr(unsigned int flags, char *name, union mysockaddr *addr, char *arg, unsigned short type)
 {
   if (addr->sa.sa_family == AF_INET)
-log_query(flags | F_IPV4, name, (union all_addr *)>in.sin_addr, arg, type);
+{
+  daemon->log_port = ntohs(addr->in.sin_port);
+  log_query(flags | F_IPV4, name, (union all_addr *)>in.sin_addr, arg, type);
+}
   else
-log_query(flags | F_IPV6, name, (union all_addr *)>in6.sin6_addr, arg, type);
+{
+  daemon->log_port = ntohs(addr->in6.sin6_port);
+  log_query(flags | F_IPV6, name, (union all_addr *)>in6.sin6_addr, arg, type);
+}
 }
 
 static void server_send(struct server *server, int fd,
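Review bot: both branches now duplicate the wrapper body; setting the port once before the `if`, e.g. `daemon->log_port = ntohs(addr->sa.sa_family == AF_INET ? addr->in.sin_port : addr->in6.sin6_port);`, leaves the two `log_query()` calls untouched and keeps the hunk to two lines. The port is also stored even when `F_SERVER` is not in `flags`; harmless, but a comment that `log_query()` only reads it for `F_SERVER` would prevent someone "fixing" it later.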
diff --git a/src/option.c b/src/option.c
index 7134ee7..a61451b 100644
--- a/src/option.c
+++ b/src/option.c
@@ -5405,7 +5405,9 @@ void read_opts(int argc, char **argv, char *compile_opts)
   daemon = opt_malloc(sizeof(struct daemon));
   memset(daemon, 0, sizeof(struct daemon));
   daemon->namebuff = buff;
-  daemon->addrbuff = safe_malloc(ADDRSTRLEN);
+  /* Space for IP address plus port (used when logging 
+ upstream server forwarding) */
+  daemon->addrbuff = safe_malloc(ADDRSTRLEN + 10);
   
   /* Set defaults - everything else is zero or NULL */
   daemon->cachesize = CACHESIZ;
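Review bot: `+ 10` is a magic number; the longest suffix is `#65535` plus the terminator, seven bytes, so writing it as `ADDRSTRLEN + sizeof("#65535")` (or a named `ADDRPORTLEN`) documents where the figure comes from and keeps it in step with the `sprintf()` in cache.c that depends on it.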
-- 
2.25.1

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


[Dnsmasq-discuss] [PATCH] Improve cache dump

2022-01-08 Thread Dominik Derigs
Hey Simon,

These patches improve the cache dump triggered by sending
SIGUSR1.

1. The width of the host and address fields are 30 and 40
characters, respectively. Fix the header and add a head
separation line to highlight how long the fields can be.

2. Add "!" as type for non-terminals, new flag "C" for config-
provided and log source where applicable.

I attached the examples below once more as plain text file to
avoid word wrapping.

Before:

Host                           Address                                  Flags      Expires
imap.strato.de                 2a01:238:20a:202:54f0::1103              6F         Wed Dec 15 20:51:59 2021
imap.strato.de                 81.169.145.103                           4F         Wed Dec 15 20:51:59 2021
some-hostrecord                192.168.2.3                              4FRI   H
ip6-localhost                  ::1                                      6FRI   H
arpa                                                                    F I
                               20326   8   2                            SF I

Now:

Host                           Address                                  Flags      Expires                   Source
------------------------------ ---------------------------------------- ---------- ------------------------- ------
imap.strato.de                 2a01:238:20a:202:54f0::1103              6F         Wed Dec 15 20:51:59 2021
imap.strato.de                 81.169.145.103                           4F         Wed Dec 15 20:51:59 2021
some-hostrecord                192.168.2.3                              4FRI   HC                            config
ip6-localhost                  ::1                                      6FRI   H                             /etc/hosts
arpa                                                                    !F IC
                               20326   8   2                            SF IC                                config


Best,
Dominik
From be26a63372b18bd0dd567c4a40ed285e292fe7d5 Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Sat, 18 Dec 2021 10:08:01 +0100
Subject: [PATCH 1/2] Fix header of cache dump. The width of the host and
 address fields are 30 and 40 characters, respectively.

Signed-off-by: DL6ER 
---
 src/cache.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/cache.c b/src/cache.c
index 246c3f2..cfa9fbe 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -1757,7 +1757,8 @@ void dump_cache(time_t now)
 {
   struct crec *cache ;
   int i;
-  my_syslog(LOG_INFO, "Host AddressFlags  Expires");
+  my_syslog(LOG_INFO, "Host   Address  Flags  Expires");
+  my_syslog(LOG_INFO, "--  -  ");
 
   for (i=0; ihash_next)
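Review bot: the header and separator are hand-counted literals while the data rows come from fixed-width formats (30 and 40 columns per the cover letter, cf. the `%-40.40s` visible in patch 2/2); deriving both from one shared width macro would stop them drifting apart again, which is exactly the bug this patch fixes. The whitespace inside these strings was collapsed in transit, so the alignment cannot be verified from the archive; please state the intended widths in the commit message.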
-- 
2.25.1

From c6c881aa5ec750ace877034c4c9b8017e5770c0b Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Thu, 30 Dec 2021 10:53:24 +0100
Subject: [PATCH 2/2] Extend cache dump: "!" as type for non-terminals, new
 flag "C" for config-provided and log source when applicable.

Signed-off-by: DL6ER 
---
 src/cache.c | 19 ---
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/cache.c b/src/cache.c
index cfa9fbe..173022c 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -1757,8 +1757,8 @@ void dump_cache(time_t now)
 {
   struct crec *cache ;
   int i;
-  my_syslog(LOG_INFO, "Host   Address  Flags  Expires");
-  my_syslog(LOG_INFO, "--  -  ");
+  my_syslog(LOG_INFO, "Host   Address  Flags  Expires  Source");
+  my_syslog(LOG_INFO, "--  --  ");
 
   for (i=0; ihash_next)
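Review bot: this hunk rewrites the two header strings that patch 1/2 introduced a few lines earlier in the series; squashing the two patches, or ordering the header fix last, would avoid reviewing the same lines twice. The new `Source` column also needs a matching run of dashes in the separator, which the collapsed whitespace here does not let a reviewer check.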
@@ -1816,7 +1816,10 @@ void dump_cache(time_t now)
 	else if (cache->flags & F_DNSKEY)
 	  t = "K";
 #endif
-	p += sprintf(p, "%-40.40s %s%s%s%s%s%s%s%s%s  ", a, t,
+	else /* non-terminal */
+	  t = "!";
+
+	p += sprintf(p, "%-40.40s %s%s%s%s%s%s%s%s%s%s ", a, t,
 			 cache->flags & F_FORWARD ? "F" : " ",
 			 cache->flags & F_REVERSE ? "R" : " ",
 			 cache->flags & F_IMMORTAL ? "I" : " ",
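Review bot: the new `else /* non-terminal */ t = "!";` labels every record that matched none of the preceding type tests, not only non-terminals, so any other flag combination that reaches this point will be shown as `!`; a comment explaining why nothing else can get here (or an explicit test for the non-terminal case) would make that safe. Note also that the format string gains one `%s` and drops one trailing space, so the flags field keeps its total width; that is easy to miss and worth a line in the commit message.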
@@ -1824,14 +1827,16 @@ void dump_cache(time_t now)
 			 cache->flags & F_NEG ? "N" : " ",
 			 cache->flags & F_NXDOMAIN ? "X" : " ",
 			 cache->flags & F_HOSTS ? "H" : " ",
+			 cache->flags & F_CONFI

[Dnsmasq-discuss] [PATCH] Addressing hostsdir shortcomings

2022-01-08 Thread Dominik Derigs
Hey Simon,

dnsmasq v2.73 added --hostsdir which is an efficient way of re-
loading only parts of the cache. When we tried to use hostsdir
yesterday, we identified three problems. They are described
below. Patches addressing them are attached.

--- ISSUE 1 --- Logging imprecision

Assume you have multiple files in hostsdir; dnsmasq can only log
the directory, not the file that was the real source:

dnsmasq: read /home/test/hostsdir/hosts1 - 1 addresses
dnsmasq: read /home/test/hostsdir/hosts2 - 1 addresses
dnsmasq: read /home/test/hostsdir/hosts3 - 1 addresses

dnsmasq: 1 127.0.0.1/34170 query[A] aaa from 127.0.0.1
dnsmasq: 1 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 1 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.1
dnsmasq: 1 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2

This happens because the cache entries all use the same index
that is the directory name.

--- ISSUE 2 --- Outdated entries are not removed

When hostsdir re-reads the file, it does not remove outdated
entries. Assume you modify "192.168.1.1 aaa" to "192.168.1.2
aaa", dnsmasq will now serve two A records for "aaa". This may be
considered okay, however, if I add "192.168.1.1 bbb", PTR
requests for this domain will still be answered with "aaa" which
might be completely outdated information.

--- ISSUE 3 --- Ever growing replies under certain situations

When a user uses an editor that creates (temporary) files during
editing (like "sed -i") or uses a script that writes files line
by line (like "echo '' >> file"), they can quickly end up with
strange things like

dnsmasq: 3 127.0.0.1/34170 query[A] aaa from 127.0.0.1
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.1
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2
dnsmasq: 3 127.0.0.1/34170 /home/test/hostsdir aaa is 192.168.1.2

which is not very meaningful. We check for duplicates before
inserting into the cache, however, duplicate checking can be
foiled here: add_hosts_entry() calls cache_find_by_name() only
once (say it returned "192.168.1.1") so the memcmp() on the
address fails and we can add an arbitrary amount of 192.168.1.2
entries.

For addressing issue 1, I added a new struct *dyndir having a
linked list of struct *hostsfile. With this, cache_insert() can
get the correct index. If a file is newly added, we just add a
new *hostsfile entry to the list (index++).

Issue 2 is an easy one as we can selectively clean the cache when
we know the uid to be removed. This can be called before running
read_hostsfile() to insert new stuff. I added MOVE_FROM and
DELETE to inotify_add_watch() so we catch if a file was removed.
In this case, we only remove old entries.

Issue 3 is fixed by adding a loop over cache_find_by_name() in
add_hosts_entry() to check possible multiple records.

Best,
Dominik

[sent earlier as
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015704.html,
resubmitting patches rebased on latest master]
From 7873cc3dbfce3edeb534bf4d0a0030894aaa152a Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Wed, 29 Sep 2021 08:22:05 +0200
Subject: [PATCH 1/3] Extend hostsdir to store the individual files as sources
 for logging

Signed-off-by: DL6ER 
---
 src/cache.c   |   9 +++--
 src/dnsmasq.h |  13 ++-
 src/inotify.c | 103 ++
 src/option.c  |  40 
 4 files changed, 111 insertions(+), 54 deletions(-)

diff --git a/src/cache.c b/src/cache.c
index 246c3f2..e86d69b 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -1839,6 +1839,7 @@ void dump_cache(time_t now)
 char *record_source(unsigned int index)
 {
   struct hostsfile *ah;
+  struct dyndir *dd;
 
   if (index == SRC_CONFIG)
 return "config";
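Review bot: `struct dyndir *dd;` is declared unconditionally but only used inside the `#ifdef HAVE_INOTIFY` block in the next hunk, so builds without inotify will get an unused-variable warning (and fail under `-Werror`); wrap the declaration in the same `#ifdef`.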
@@ -1850,9 +1851,11 @@ char *record_source(unsigned int index)
   return ah->fname;
 
 #ifdef HAVE_INOTIFY
-  for (ah = daemon->dynamic_dirs; ah; ah = ah->next)
- if (ah->index == index)
-   return ah->fname;
+  /* Dynamic directories contain multiple files */
+  for (dd = daemon->dynamic_dirs; dd; dd = dd->next)
+for (ah = dd->files; ah; ah = ah->next)
+  if (ah->index == index)
+	return ah->fname;
 #endif
 
   return "";
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 1b00298..c6efb6b 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -681,10 +681,17 @@ struct hostsfile {
   struct hostsfile *next;
   int flags;
   char *fname;
+  unsigned int index; /* matches to cache entries for logging
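As an added illustration of issues 2 and 3 from the cover letter above, not code from dnsmasq or from these patches: a miniature hosts cache in which the duplicate check walks every record for a name instead of stopping at the first one, and in which all records from one source index can be dropped before that file is re-read. Every name in it (`struct rec`, `find_by_name`, `add_hosts_entry`, `remove_by_index`, `count_by_name`) is invented for the example and only loosely mirrors the dnsmasq functions the mail mentions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Example-only stand-in for a cache record: one A record per entry,
   tagged with the index of the hosts file it came from (the per-file
   index the hostsdir patch introduces). */
struct rec {
    char name[64];
    struct in_addr addr;
    unsigned int index;
    struct rec *next;
};

static struct rec *cache_head;   /* singly linked, oldest record first */

/* Next record for 'name' after 'after' (NULL starts from the beginning).
   Looping over this is the fix for issue 3; calling it once is the bug. */
static struct rec *find_by_name(const char *name, struct rec *after)
{
    struct rec *r = after ? after->next : cache_head;
    for (; r; r = r->next)
        if (strcmp(r->name, name) == 0)
            return r;
    return NULL;
}

/* Insert name/ip from hosts file 'index' unless that exact pair exists.
   check_all == 0 reproduces the foiled check (only the first record of the
   name is compared); check_all == 1 compares all of them.
   Returns 1 if inserted, 0 if duplicate, -1 on error. */
int add_hosts_entry(const char *name, const char *ip, unsigned int index, int check_all)
{
    struct in_addr a;
    struct rec *r, **tail;

    if (inet_pton(AF_INET, ip, &a) != 1)
        return -1;

    for (r = find_by_name(name, NULL); r; r = find_by_name(name, r)) {
        if (memcmp(&r->addr, &a, sizeof a) == 0)
            return 0;               /* identical record already cached */
        if (!check_all)
            break;                  /* bug: later records never compared */
    }

    r = calloc(1, sizeof *r);
    if (!r)
        return -1;
    snprintf(r->name, sizeof r->name, "%s", name);
    r->addr = a;
    r->index = index;

    /* Append at the tail so the oldest record is found first, which is the
       situation the mail describes (the lookup returns "192.168.1.1"). */
    for (tail = &cache_head; *tail; tail = &(*tail)->next)
        ;
    *tail = r;
    return 1;
}

/* Issue 2: forget everything from one hosts file before it is re-read so
   edited or deleted lines do not linger. Returns how many were removed. */
int remove_by_index(unsigned int index)
{
    struct rec **pp = &cache_head;
    int removed = 0;

    while (*pp) {
        struct rec *r = *pp;
        if (r->index == index) {
            *pp = r->next;
            free(r);
            removed++;
        } else {
            pp = &r->next;
        }
    }
    return removed;
}

/* Number of records held for a name, i.e. what an A query would return. */
int count_by_name(const char *name)
{
    int n = 0;
    struct rec *r;
    for (r = find_by_name(name, NULL); r; r = find_by_name(name, r))
        n++;
    return n;
}

/* Empty the cache between scenarios. */
void cache_reset(void)
{
    while (cache_head)
        remove_by_index(cache_head->index);
}
```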

[Dnsmasq-discuss] [PATCH] Log upstream port for dnssec-retry

2022-04-10 Thread Dominik Derigs
Dear Simon et al.,

The current version of dnsmasq logs the upstream port like

> Feb 21 22:02:18 dnsmasq[8991]: dnssec-query[DS] microsoft.net
to 127.0.0.1#5053

when sending queries upstream. However, it is missing for dnssec-
retry like

> Feb 21 22:02:18 dnsmasq[8991]: dnssec-retry[DS] microsoft.net
to 127.0.0.1

This is added by this patch implementing it in the same way as
used already when logging "dnssec-query" in the code.

Best,
Dominik
From 00b8789e4119a25da7f286ca1cefd5fe66383b30 Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Sat, 2 Apr 2022 21:45:47 +0200
Subject: [PATCH] Also log upstream port for dnssec-retry

Signed-off-by: DL6ER 
---
 src/forward.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/forward.c b/src/forward.c
index c17541b..b522c1f 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -527,8 +527,8 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 		}
 #ifdef HAVE_DNSSEC
 	  else
-		log_query_mysockaddr(F_NOEXTRA | F_DNSSEC, daemon->namebuff, >addr,
- "dnssec-retry", (forward->flags & FREC_DNSKEY_QUERY) ? T_DNSKEY : T_DS);
+		log_query_mysockaddr(F_NOEXTRA | F_DNSSEC | F_SERVER, daemon->namebuff, >addr,
+ (forward->flags & FREC_DNSKEY_QUERY) ? "dnssec-retry[DNSKEY]" : "dnssec-retry[DS]", 0);
 #endif
 
 	  srv->queries++;
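Review bot: besides adding `F_SERVER`, this hunk moves the record type out of the `type` argument (now `0`) and into the `arg` string (`"dnssec-retry[DNSKEY]"` / `"dnssec-retry[DS]"`), which changes the logged text format as well as the port; the commit message mentions only the port, so please describe the type-to-string change too (it is the "more changes than the commit message says" point raised in the reply further down this page). If `log_query()` uses `type` for anything beyond the `[TYPE]` suffix, passing `0` should be double-checked.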
-- 
2.25.1



Re: [Dnsmasq-discuss] Possible to reuse Cache over restats?

2022-06-29 Thread Dominik Derigs
Hey Tobias,

On Wed, 2022-06-29 at 18:37 +, Tobias Hochgürtel wrote:
> There isn't a feature to reuse the dns-cache?
> or a plan to add this feature?
> 

There is no such feature and there is also nothing planned at the moment
(not that I'd be aware of).

However, restarting dnsmasq once per hour surely is the least optimal
solution to circumvent what you are observing.

On Wed, 2022-06-29 at 18:37 +, Tobias Hochgürtel wrote:
> I also don't know how I can analyse that behavior.

You could use some widely known and used tools like Wireshark, for which various
tutorials are available, to see whether the issue is dnsmasq not responding,
the queries not making their way to dnsmasq, something happening to
the queries sent upstream to the forward destination, or whatever else may
be happening. We can surely give some assistance here, if you want.

Best,
Dominik



Re: [Dnsmasq-discuss] [PATCH] Log upstream port for dnssec-retry

2022-04-17 Thread Dominik Derigs
Dear Geert,

On Fri, 2022-04-15 at 10:17 +0200, Geert Stappers via Dnsmasq-
discuss wrote:
> > -   log_query_mysockaddr(F_NOEXTRA | F_DNSSEC,
> > daemon->namebuff, >addr,
> > -    "dnssec-retry", (forward-
> > >flags & FREC_DNSKEY_QUERY) ? T_DNSKEY : T_DS);
> > +   log_query_mysockaddr(F_NOEXTRA | F_DNSSEC |
> > F_SERVER, daemon->namebuff, >addr,
> > +    (forward->flags &
> > FREC_DNSKEY_QUERY) ? "dnssec-retry[DNSKEY]" : "dnssec-
> > retry[DS]", 0);
> 
> I see more changes as commit message says.

What do you see in addition?

It is a minimal invasive change that fixes the omission in a
previous commit as already said in the first mail:

On Sun, 2022-04-10 at 10:46 +0200, Dominik Derigs wrote:
> This is added by this patch implementing it in the same way as
> used already when logging "dnssec-query" in the code.

This is the commit, if you want to compare the change yourself:
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=ff43d35aeef6178f7471c6f37e91845c9a72bd2f

Happy Easter and best regards,
Dominik




[Dnsmasq-discuss] Fwd: Fwd: [PATCH] Addressing hostsdir shortcomings

2022-10-15 Thread Dominik Derigs
Hey all,

and here comes the third resubmission of my patches. I do still
believe that they are improvements. Even one year after writing
them, they do still apply cleanly on the master branch.

Best,
Dominik

 Forwarded Message 
From: Dominik Derigs 
To: dnsmasq-discuss@lists.thekelleys.org.uk
, Simon Kelley

Subject: Fwd: [PATCH] Addressing hostsdir shortcomings
Date: Sat, 02 Apr 2022 21:32:30 +0200

Dear Simon,

Second resubmission of my patches.
They still apply cleanly to current master.

Best,
Dominik

 Forwarded Message 
From: Dominik Derigs 
To: dnsmasq-discuss@lists.thekelleys.org.uk
, Simon Kelley

Subject: [PATCH] Addressing hostsdir shortcomings
Date: Sat, 08 Jan 2022 11:45:32 +0100


Re: [Dnsmasq-discuss] Extend server to accept hostnames for upstream resolver

2022-10-15 Thread Dominik Derigs
Hey Simon,

when setting up a new docker server this morning I desperately
missed the specify-server-by-host feature in dnsmasq. I revived
my initial patch and added what was requested: I removed the
compile-time option and changed the code to always use all
suitable addresses (IPv6 is not suitable when source is IPv4 and
vice versa).

Along the way, I found a small bug: IPv6 source addresses are
incorrectly interpreted as interface names for IPv4 server
addresses (and vice versa). This is fixed in my patch:

BEFORE:
--server=1.2.3.4@fe80::
dnsmasq: using nameserver 1.2.3.4#53(via fe80::)

NOW:
--server=1.2.3.4@fe80::
dnsmasq: bad command line options: cannot use IPv4 server address
with IPv6 source address



Examples:

--server=localhost
dnsmasq: using nameserver 127.0.0.1#53


--server=a.test.dl6er.de@fe80::
dnsmasq: warning: no upstream servers configured


--server=both.test.dl6er.de@fe80::
dnsmasq: using nameserver dead:beef::#53


--server=both.test.dl6er.de@10.0.0.1
dnsmasq: using nameserver 1.2.3.4#53


--server=both.test.dl6er.de
dnsmasq: using nameserver dead:beef::#53
dnsmasq: using nameserver 1.2.3.4#53


--server=amazon.com
dnsmasq: using nameserver 54.239.28.85#53
dnsmasq: using nameserver 52.94.236.248#53
dnsmasq: using nameserver 205.251.242.103#53


--server=does-not-exist-4615465468435.com
dnsmasq: bad command line options: Name or service not known
  (dnsmasq refuses to start)


What do you think?

I'm undecided if dnsmasq should fail hard on the second example
(no IPv6 address for a hostname but IPv6 source address given)
but this may be a real edge-case where we can expect users to
understand what they're doing and read the logs. Catching this
would require extra logic (valid hostnames are returned but none
is used -> error out).

Best,
Dominik

On Thu, 2022-04-07 at 12:24 +0100, Simon Kelley wrote:
> This seems like a sensible idea, but it does need a clear
> warning in the 
> documentation that it will only work if the dnsmasq instance
> being 
> configured is not the one providing DNS to the local system.
> 
> Two comments about the patch.
> 
> 1) Geert's point is a good one: This patch uses only libc: it
> doesn't 
> add any build dependencies and it's small. There's no reason to
> make it 
> a compile-time option.
> 
> 2) Not handling multiple addresses from getaddrinfo() feels
> like a 
> mistake. What should happen in that case is obvious and the
> obvious 
> behaviour is useful. If it's not done now, we'll end up doing
> it later 
> when someone falls foul of this short-cut. The implementation
> is more 
> complex, but I think returning the struct addrinfo * linked
> list from 
> getaddrinfo instead of a single address should work: the caller
> of 
> parse_server becomes responsible for freeing the struct
> addrinfos
> 
> 3) One error that needs to be handled is if a source address is
> specified, and the address family of the source address doesn't
> match 
> the address family of an address returned  from getaddrinfo. My
> initial 
> thought was to make this a fatal error, but that has the
> problem that
> 
> server=dns.example.com@192.168.7.1
> 
> will work fine until an  record is added for
> dns.example.com, when 
> dnsmasq would no longer start. Better I think to only use DNS
> records 
> that match the source address type if it's specified.
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> 
> 
> 
> On 02/04/2022 20:40, Dominik Derigs wrote:
> > Dear Simon,
> > 
> > In docker swarm and compose configurations, other containers
> > are
> > only reachable via hostnames. It is not always possible to
> > assign
> > IP addresses beforehand. Hence, the upstream server IP is not
> > known at dnsmasq start when the upstream is part of the
> > deployed
> > configuration, e.g., a local cloudflared or unbound
> > container.
> > 
> > So far, getting dnsmasq to run in such a case requires hacks
> > that
> > somehow try to determine the IP address before starting
> > dnsmasq.
> > An example for such a hack (not invented by me):
> > https://github.com/tschaffter/docker-dnsmasq/blob/54b5d5d551746b6f1708fbf4a705e2de66c2eaee/docker-entrypoint.sh#L14-L23
> > 
> > This patch implements name resolution functionality for
> > server=... by querying the system resolver for a hostname. It
> > is
> > only used when a user supplied something that is not a valid
> > IP
> > address (dnsmasq currently fails hard in this case so this
> > isn't
> > a breaking change) and can be omitted by a compile time flag
> > (I
> > think it's worthwhile to have it).
> > 
> > I know my proposal does sound somewhat strange (resolving a
> > DNS
> > server name) but

[Dnsmasq-discuss] [PATCH] Make use-stale-cache configurable

2022-11-24 Thread Dominik Derigs
Hey Simon,

We observed a few cache oddities with the current release-
candidate of dnsmasq and have been able to pin this down to the
use of the new use-stale-cache option. The issue happens with
cached content being served when the actual domain data has moved
on. This is, of course, unavoidable with this option, however, it
made me wanting a way to configure "serve stale data but only if
it is not too old". This is added by this patch adding an
optional argument:

--use-stale-cache[=]

In fact RFC 8767 "Serving Stale Data to Improve DNS Resiliency"
even states that

> The maximum stale timer should be configurable

The RFC suggests a "value is between 1 and 3 days" and later
states that "Shorter values, even less than a day, can
effectively handle the vast majority of outages." Hence, my patch
also changes the current (so far, unreleased) behavior from
serving expired content forever to a default value of one day.
This is freely configurable (I will set it down to one hour on
our systems) and can even be made serving forever, just as before
by explicitly setting the optional value to 0.

Best,
Dominik


Internal tracking is happening here:
https://github.com/pi-hole/dnsmasq/pull/11
From de4c49ff02b1cf5e553f185942ccc75c51c763bc Mon Sep 17 00:00:00 2001
From: DL6ER 
Date: Thu, 24 Nov 2022 19:15:04 +0100
Subject: [PATCH] Make use-stale-cache configurable. The default is to stop
 serving from cache once records are expired by more than a day.

---
 man/dnsmasq.8 |  5 +++--
 src/cache.c   | 16 
 src/config.h  |  1 +
 src/dnsmasq.h |  6 +++---
 src/option.c  | 22 --
 5 files changed, 39 insertions(+), 11 deletions(-)

diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 53bccb8..2495ed1 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -828,11 +828,12 @@ name on successive queries, for load-balancing. This turns off that
 behaviour, so that the records are always returned in the order
 that they are received from upstream.
 .TP
-.B --use-stale-cache
+.B --use-stale-cache[=]
 When set, if a DNS name exists in the cache, but its time-to-live has expired, dnsmasq will return the data anyway. (It attempts to refresh the
 data with an upstream query after returning the stale data.) This can improve speed and reliability. It comes at the expense
 of sometimes returning out-of-date data and less efficient cache utilisation, since old data cannot be flushed when its TTL expires, so the cache becomes
-strictly least-recently-used.
+mostly least-recently-used. To mitigate issues caused by massively outdated DNS replies, the maximum overaging of cached records can be specified in seconds
+(defaulting to not serve anything older than one day). Setting the TTL excess time to zero will serve stale cache data regardless how long it has expired.
 .TP
 .B \-0, --dns-forward-max=
 Set the maximum number of concurrent DNS queries. The default value is
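Review bot: "the maximum overaging of cached records" will not be clear to a user; say it plainly, e.g. "how many seconds past its TTL a record may still be served (default: one day)". The text also gives zero the meaning "unlimited", while the cache.c comment further down treats internal 0 as "disabled"; state here that omitting the option disables stale serving altogether, so the two meanings of zero are not confused.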
diff --git a/src/cache.c b/src/cache.c
index 119cf9f..b3c38c0 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -380,9 +380,17 @@ static int is_outdated_cname_pointer(struct crec *crecp)
 
 static int is_expired(time_t now, struct crec *crecp)
 {
-  /* Don't dump expired entries if we're using them, cache becomes strictly LRU in that case.
- Never use expired DS or DNSKEY entries. */
-  if (option_bool(OPT_STALE_CACHE) && !(crecp->flags & (F_DS | F_DNSKEY)))
+  /* Don't dump expired entries if they are within the accepted timeout range.
+ The cache becomes approx. LRU. Never use expired DS or DNSKEY entries.
+ Possible values for daemon->cache_max_expiry:
+  -1  == serve cached content regardless how long ago it expired
+   0  == the option is disabled, expired content isn't served
+   == serve cached content only if it expire less than  seconds
+ ago (where n is a positive integer) */
+  if (daemon->cache_max_expiry != 0 &&
+  (daemon->cache_max_expiry == -1 ||
+   difftime(now, crecp->ttd) < daemon->cache_max_expiry) &&
+  !(crecp->flags & (F_DS | F_DNSKEY)))
 return 0;
 
   if (crecp->flags & F_IMMORTAL)
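Review bot: the comment's value table (`-1` == unlimited, `0` == disabled) is the inverse of the man page's user-facing zero, so the translation from an explicit `=0` to internal `-1` must happen in option.c, which is not in this excerpt; a cross-reference comment here would help. Typo in the comment: "only if it expire less than seconds ago" should read "only if it expired less than n seconds ago". The `difftime(now, crecp->ttd) < daemon->cache_max_expiry` test is strict, so a record that expired exactly `cache_max_expiry` seconds ago is already refused; fine, but the man page should say "less than".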
@@ -1762,7 +1770,7 @@ void dump_cache(time_t now)
 	daemon->cachesize, daemon->metrics[METRIC_DNS_CACHE_LIVE_FREED], daemon->metrics[METRIC_DNS_CACHE_INSERTED]);
   my_syslog(LOG_INFO, _("queries forwarded %u, queries answered locally %u"), 
 	daemon->metrics[METRIC_DNS_QUERIES_FORWARDED], daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]);
-  if (option_bool(OPT_STALE_CACHE))
+  if (daemon->cache_max_expiry != 0)
 my_syslog(LOG_INFO, _("queries answered from stale cache %u"), daemon->metrics[METRIC_DNS_STALE_ANSWERED]);
 #ifdef HAVE_AUTH
   my_syslog(LOG_INFO, _("queries for authoritative zones %u"), daemon->metrics[METRIC_DNS_AUTH_ANSWERED]);
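Review bot: `option_bool(OPT_STALE_CACHE)` is replaced by `daemon->cache_max_expiry != 0` here and in is_expired(), but the diffstat touches only cache.c, config.h, dnsmasq.h, option.c and the man page; any other site that still tests `OPT_STALE_CACHE` (for instance where `METRIC_DNS_STALE_ANSWERED` is incremented) needs the same conversion, otherwise the feature is only half switched over. A small helper such as `static inline int stale_cache_enabled(void)` would let the condition be written once.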
diff --git a/src/config.h b/src/config.h
index df1d985..1e7b30f 100644
--- a/src/con
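As an added example (not the patch's own option.c code, which is not part of this excerpt): how the user-facing argument of `--use-stale-cache[=secs]` maps onto the three internal values listed in the `is_expired()` comment above, and the serve-or-refuse decision that follows from them. `parse_use_stale_cache()`, `serve_stale()`, the `STALE_*` constants and the flag values are invented for the example; the one-day default follows the patch.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Internal encodings of daemon->cache_max_expiry, as the patch's comment
   in is_expired() lists them (constant names chosen for this example). */
#define STALE_DISABLED      0L      /* option absent: never serve expired data */
#define STALE_FOREVER      (-1L)    /* user wrote "=0": serve however old */
#define STALE_DEFAULT_SECS  86400L  /* bare option: one day, per the patch */
#define STALE_BAD_ARG      (-2L)    /* hypothetical marker for unparsable input */

/* Record flags; example-only values standing in for dnsmasq's F_* bits. */
#define F_DS       (1u << 0)
#define F_DNSKEY   (1u << 1)
#define F_IMMORTAL (1u << 2)

struct crec {
    unsigned int flags;
    time_t ttd;          /* time-to-die: the moment the TTL ran out */
};

/* Map what the user typed to the internal value. The two meanings of zero
   (option absent vs. explicit "=0") are the trap the man page wording invites. */
long parse_use_stale_cache(int option_present, const char *arg)
{
    char *end;
    long n;

    if (!option_present)
        return STALE_DISABLED;
    if (!arg || !*arg)
        return STALE_DEFAULT_SECS;
    n = strtol(arg, &end, 10);
    if (*end != '\0' || n < 0)
        return STALE_BAD_ARG;
    return n == 0 ? STALE_FOREVER : n;
}

/* May this record be returned at time 'now'? Mirrors the decision in the
   patched is_expired(): fresh or immortal records always; expired DS/DNSKEY
   never; anything else only inside the configured window. */
int serve_stale(time_t now, const struct crec *c, long cache_max_expiry)
{
    double overdue = difftime(now, c->ttd);   /* seconds past TTL, < 0 if fresh */

    if (c->flags & F_IMMORTAL)
        return 1;
    if (overdue < 0)
        return 1;
    if (c->flags & (F_DS | F_DNSKEY))
        return 0;                             /* never serve stale DNSSEC keys */
    if (cache_max_expiry == STALE_DISABLED)
        return 0;
    if (cache_max_expiry == STALE_FOREVER)
        return 1;
    return overdue < (double)cache_max_expiry;  /* strict, like the patch */
}
```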

[Dnsmasq-discuss] Show host names in dnsmasq's log

2018-02-04 Thread Dominik Derigs, DL6ER
Dear all,

I'm trying to show host names (rather than IP addresses, if available)
in dnsmasq's log for A and  queries, as well as for the forward
destinations, i.e. I want to replace

Feb  4 18:02:22 dnsmasq[14001]: query[A] clients6.google.com from 10.8.0.2
Feb  4 18:02:22 dnsmasq[14001]: forwarded clients6.google.com to 2620:fe::fe

by

Feb  4 18:02:22 dnsmasq[14001]: query[A] clients6.google.com from
android.lan
Feb  4 18:02:22 dnsmasq[14001]: forwarded clients6.google.com to
dns.quad9.net

For doing this, I tried various attempts:

Firstly, I tried a simple approach using gethostbyaddr() to resolve the
IP addresses to host names. Unfortunately, it seems like gethostbyaddr()
cannot be used inside the DNS resolver process itself, as it always
immediately fails with Unknown host (error code 1) for everything (incl.
e.g. 127.0.0.1). I know that this would have some drawbacks (like
causing a PTR request on every logging), but I would have solved them
with various tricks like building my own lookup tables, etc. I tested my
code in a small standalone application and here name resolution works
perfectly.

Secondly, I built a wrapper around dnsmasq's routine
cache_find_by_addr() to query dnsmasq's log for the host name.
Obviously, this has two major drawbacks: This code is kind of cumbersome
(esp. for IPv6) as I first have to format the IPs in the format that is
expected by this routine and secondly that does, of course, only work
for entries that are already in the cache. If a cache entry for
dns.quad9.net is already present (since someone queried that manually),
then this works just fine. However, if nobody did that, then there will
also be no cache entry and there is no result.

My question is now: I would, of course, prefer to use the first version
( using gethostbyaddr() ) but that does not seem to work at all. I'm not
sure if it's maybe related to that a process cannot connect to its own
UDP socket or something, but I'd obviously prefer a rather simple
solution. Any suggestions are highly appreciated.

Best regards,
Dominik




[Dnsmasq-discuss] NXDOMAIN TTL

2018-02-28 Thread Dominik Derigs, DL6ER
Dear all,

on the dnsmasq man page, I found the following:

*--neg-ttl=*
Negative replies from upstream servers normally contain time-to-live
information in SOA records which dnsmasq uses for caching. If the
replies from upstream servers omit this information, dnsmasq does
not cache the reply. This option gives a default value for
time-to-live (in seconds) which dnsmasq uses to cache negative
replies even in the absence of an SOA record. 

However, when specifying a local record using, e.g.,
"server=/nxdomaintest.com/" and querying this domain from dnsmasq, it
seems like the clients aren't getting a TTL value with this A/ query.

Is it possible to have dnsmasq sending out a TTL for locally defined
NXDOMAINs ?

Best regards,
Dominik




[Dnsmasq-discuss] Blockdata SIGSEGV on master

2023-09-01 Thread Dominik Derigs via Dnsmasq-discuss
Dear Simon, CC mailing list,

today I've received a report of latest dnsmasq embedded into Pi-hole
crashing when www.facebook.com is visited (but only when logged in). I
was able to reproduce this myself after creating a (fake) account.

The hit/miss ratio is not 100% but it should be possible to trigger the
crash within a couple of tries. I tried Google Chrome on Linux for
reproducing the crash (the report was Chrome on Windows). For this test,
I used only one upstream server: 8.8.8.8

A PCAP I recorded using dumpmask=0x is attached.

When the SIGSEGV happens, it can happen in a few different but related
code places, let me summarize the two locations I found most often below:

https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/blockdata.c;h=444a03a6798fce5da839f199df4a9326ab17188a;hb=HEAD#l217

Thread 1 "pihole-FTL" received signal SIGSEGV, Segmentation fault.
blockdata_retrieve (block=, len=13, data=0x556b98069ac0,
data@entry=0x0) at /app/FTL/src/dnsmasq/blockdata.c:217
217   memcpy(d, b->key, blen);
(gdb) where
#0  blockdata_retrieve (block=, len=13,
data=0x556b98069ac0, data@entry=0x0) at
/app/FTL/src/dnsmasq/blockdata.c:217
#1  0x556b95cd2092 in answer_request
(header=header@entry=0x556b9800e290, limit=limit@entry=0x556b9800e490
"", qlen=qlen@entry=31, local_addr=..., local_addr@entry=...,
local_netmask=..., 
local_netmask@entry=..., now=now@entry=1693587354,
ad_reqd=, do_bit=,
have_pseudoheader=, stale=,
filtered=)
at /app/FTL/src/dnsmasq/rfc1035.c:2175
#2  0x556b95cac02d in receive_query
(listen=listen@entry=0x556b98002d60, now=now@entry=1693587354) at
/app/FTL/src/dnsmasq/forward.c:1921
#3  0x556b95c99b61 in check_dns_listeners (now=now@entry=1693587354)
at /app/FTL/src/dnsmasq/dnsmasq.c:1864
#4  0x556b95c9bd2d in main_dnsmasq (argc=,
argv=) at /app/FTL/src/dnsmasq/dnsmasq.c:1271
#5  0x556b95bfaf76 in main (argc=,
argv=0x76ee9598) at /app/FTL/src/main.c:152

sometimes the crash happens in

https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/blockdata.c;h=444a03a6798fce5da839f199df4a9326ab17188a;hb=HEAD#l177

Thread 1 "pihole-FTL" received signal SIGSEGV, Segmentation fault.
blockdata_free (blocks=0x3368023268020600) at
/app/FTL/src/dnsmasq/blockdata.c:177
177 void blockdata_free(struct blockdata *blocks)
(gdb) where
#0  blockdata_free (blocks=0x3368023268020600) at
/app/FTL/src/dnsmasq/blockdata.c:177
#1  0x560c710c9715 in cache_scan_free
(name=name@entry=0x560c7272f6d0 "star.c10r.facebook.com",
addr=addr@entry=0x7ffe4bdaa9a0, class=class@entry=1,
now=now@entry=1693587879, flags=flags@entry=1082130440, 
target_crec=target_crec@entry=0x7ffe4bdaa870,
target_uid=0x7ffe4bdaa86c) at /app/FTL/src/dnsmasq/cache.c:541
#2  0x560c710cd43e in really_insert (name=0x560c7272f6d0
"star.c10r.facebook.com", addr=0x7ffe4bdaa9a0, class=1, now=1693587879,
ttl=60, flags=1082130440) at /app/FTL/src/dnsmasq/cache.c:657
#3  0x560c7110aa6e in extract_addresses
(header=header@entry=0x560c7273f290, qlen=,
name=0x560c7272f6d0 "star.c10r.facebook.com", now=now@entry=1693587879,
ipsets=ipsets@entry=0x0, 
nftsets=nftsets@entry=0x0, is_sign=0, check_rebind=0,
no_cache_dnssec=0, secure=0, doctored=0x7ffe4bdaaa9c) at
/app/FTL/src/dnsmasq/rfc1035.c:921
#4  0x560c710e39b6 in process_reply
(header=header@entry=0x560c7273f290, now=now@entry=1693587879,
server=0x560c7273d6d0, n=, n@entry=157, check_rebind=0,
no_cache=no_cache@entry=0, 
cache_secure=0, bogusanswer=0, ad_reqd=0, do_bit=0,
added_pheader=128, query_source=0x560c7278e150, limit=0x560c7273f760 "",
ede=) at /app/FTL/src/dnsmasq/forward.c:833
#5  0x560c710e86c0 in return_reply (now=now@entry=1693587879,
forward=forward@entry=0x560c7278e150,
header=header@entry=0x560c7273f290, n=157, n@entry=140730171042832,
status=)
at /app/FTL/src/dnsmasq/forward.c:1397
#6  0x560c710e8c70 in dnssec_validate
(forward=forward@entry=0x560c7278e150,
header=header@entry=0x560c7273f290, plen=140730171042832,
status=, status@entry=524288, now=now@entry=1693587879)
at /app/FTL/src/dnsmasq/forward.c:1109
#7  0x560c710e8c1a in dnssec_validate
(forward=forward@entry=0x560c72731a70,
header=header@entry=0x560c7273f290, plen=plen@entry=855,
status=status@entry=524288, now=now@entry=1693587879)
at /app/FTL/src/dnsmasq/forward.c:1124
#8  0x560c710e9674 in reply_query (fd=,
now=now@entry=1693587879) at /app/FTL/src/dnsmasq/forward.c:1319
#9  0x560c710d5dff in check_dns_listeners (now=now@entry=1693587879)
at /app/FTL/src/dnsmasq/dnsmasq.c:1836
#10 0x560c710d7d2d in main_dnsmasq (argc=,
argv=) at /app/FTL/src/dnsmasq/dnsmasq.c:1271
#11 0x560c71036f76 in main (argc=,
argv=0x7ffe4bdab088) at /app/FTL/src/main.c:152


Best,
Dominik


chrome_fb.pcap
Description: application/vnd.tcpdump.pcap


[Dnsmasq-discuss] New query type RESINFO

2023-11-02 Thread Dominik Derigs via Dnsmasq-discuss
Hey Simon,

today the IANA started listing a new query type RESINFO that was
assigned to RR Type no. 261. The simple attached patch adds this RR Type
to dnsmasq.

Best,
Dominik
From a6331078d3b22c960df8ad78106da567cb76e82c Mon Sep 17 00:00:00 2001
From: DL6ER 
Date: Thu, 2 Nov 2023 17:57:54 +0100
Subject: [PATCH] New querytype 261 RESINFO

Signed-off-by: DL6ER 
---
 src/cache.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/cache.c b/src/cache.c
index 9f64a05..e28fad4 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -124,6 +124,7 @@ static const struct {
   { 258, "AVC" }, /* Application Visibility and Control [Wolfgang_Riedel] AVC/avc-completed-template 2016-02-26*/
   { 259, "DOA" }, /* Digital Object Architecture [draft-durand-doa-over-dns] DOA/doa-completed-template 2017-08-30*/
   { 260, "AMTRELAY" }, /* Automatic Multicast Tunneling Relay [RFC8777] AMTRELAY/amtrelay-completed-template 2019-02-06*/
+  { 261, "RESINFO" }, /* Resolver Information as Key/Value Pairs https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/06/ */
   { 32768,  "TA" }, /* DNSSEC Trust Authorities [Sam_Weiler][http://cameo.library.cmu.edu/][ Deploying DNSSEC Without a Signed Root. Technical Report 1999-19, Information Networking Institute, Carnegie Mellon University, April 2004.] 2005-12-13*/
   { 32769,  "DLV" }, /* DNSSEC Lookaside Validation (OBSOLETE) [RFC8749][RFC4431] */
 };
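Review bot: the comment on the new `{ 261, "RESINFO" }` row does not follow the format of its neighbours, which cite the registration in square brackets and end with the IANA assignment date, and a bare datatracker URL pinned to draft -06 goes stale as soon as the next revision or the RFC is published. Suggest `/* Resolver Information as Key/Value Pairs [draft-ietf-add-resolver-info] 2023-11-02 */`, with the date taken from the cover note. Note that the names in this table are the ones accepted by name in options such as --cache-rr (see the list in the 2023-03-31 message below), so the addition is user-visible, not just cosmetic.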
-- 
2.34.1



[Dnsmasq-discuss] [PATCH] Add run-time option to disable CHAOS TXT records

2022-12-23 Thread Dominik Derigs via Dnsmasq-discuss
Dear mailing list members,

In 2016, dnsmasq got the option to prevent serving the
server version, some statistics and even the used upstream
DNS servers to its clients. Compiling with -DNO_ID removes
the entire *.bind info structure. However, setting -DNO_ID
requires a (re-)compilation from source.

This patch adds a new run-time option --no-ident to achieve
the same without the need for recompiling.

I wish you some nice and hopefully relaxing Christmas days!

Best regards,
Dominik
From bb796f57bdf6a3ad9517e930096dd38cfebf937a Mon Sep 17 00:00:00 2001
From: DL6ER 
Date: Fri, 23 Dec 2022 12:36:11 +0100
Subject: [PATCH] Add --no-ident option to disable CHAOS TXT records providing
 server details and statistics.

Signed-off-by: DL6ER 
---
 man/dnsmasq.8 | 23 ++-
 src/dnsmasq.h |  3 ++-
 src/option.c  | 37 ++---
 3 files changed, 38 insertions(+), 25 deletions(-)

diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 2495ed1..3d1d96a 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -2215,6 +2215,20 @@ exit 0
 
 and /share/ads-domains.gz containing a compressed
 list of ad server domains will save disk space with large ad-server blocklists.
+.TP
+.B --no-ident
+Do not respond to class CHAOS and type TXT in domain bind queries.
+
+Without this option being set, the cache statistics are also available in the
+DNS as answers to queries of class CHAOS and type TXT in domain bind. The domain
+names are cachesize.bind, insertions.bind, evictions.bind, misses.bind,
+hits.bind, auth.bind and servers.bind unless disabled at compile-time. An
+example command to query this, using the
+.B dig
+utility would be
+
+dig +short chaos txt cachesize.bind
+
 .SH CONFIG FILE
 At startup, dnsmasq reads
 .I /etc/dnsmasq.conf,
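Review bot: the new `.B --no-ident` text documents only the statistics names, but the option.c hunk further down also stops registering version.bind, authors.bind and copyright.bind, which are the identification strings the option is named after and the ones a fingerprinting scanner asks for first; list them here and say that all *.bind records go together (there is no per-record selection). "unless disabled at compile-time" should name NO_ID so the reader can find the build-time equivalent, and the first sentence reads better as "Do not answer queries of class CHAOS and type TXT in the bind domain." As a style point, the dig example could show the server under test, `dig +short chaos txt version.bind @127.0.0.1`, since that is how an administrator verifies the option took effect.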
@@ -2264,15 +2278,6 @@ resulted in an error. In
 mode or when full logging is enabled (\fB--log-queries\fP), a complete dump of the
 contents of the cache is made. 
 
-The cache statistics are also available in the DNS as answers to 
-queries of class CHAOS and type TXT in domain bind. The domain names are cachesize.bind, insertions.bind, evictions.bind, 
-misses.bind, hits.bind, auth.bind and servers.bind. An example command to query this, using the 
-.B dig
-utility would be
-
-dig +short chaos txt cachesize.bind
-
-.PP 
 When it receives SIGUSR2 and it is logging direct to a file (see
 .B --log-facility
 ) 
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index aaa6d62..fe9aa07 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -281,7 +281,8 @@ struct event_desc {
 #define OPT_STRIP_ECS  69
 #define OPT_STRIP_MAC  70
 #define OPT_NORR   71
-#define OPT_LAST   72
+#define OPT_NO_IDENT   72
+#define OPT_LAST   73
 
 #define OPTION_BITS (sizeof(unsigned int)*8)
 #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
diff --git a/src/option.c b/src/option.c
index 8e61a6b..61c1849 100644
--- a/src/option.c
+++ b/src/option.c
@@ -185,6 +185,7 @@ struct myoption {
 #define LOPT_FAST_RETRY376
 #define LOPT_STALE_CACHE   377
 #define LOPT_NORR  378
+#define LOPT_NO_IDENT  379
 
 #ifdef HAVE_GETOPT_LONG
 static const struct option opts[] =  
@@ -374,6 +375,7 @@ static const struct myoption opts[] =
 { "port-limit", 1, 0, LOPT_RANDPORT_LIM },
 { "fast-dns-retry", 2, 0, LOPT_FAST_RETRY },
 { "use-stale-cache", 2, 0 , LOPT_STALE_CACHE },
+{ "no-ident", 0, 0, LOPT_NO_IDENT },
 { NULL, 0, 0, 0 }
   };
 
@@ -570,6 +572,7 @@ static struct {
   { LOPT_UMBRELLA, ARG_ONE, "[=]", gettext_noop("Send Cisco Umbrella identifiers including remote IP."), NULL },
   { LOPT_QUIET_TFTP, OPT_QUIET_TFTP, NULL, gettext_noop("Do not log routine TFTP."), NULL },
   { LOPT_NORR, OPT_NORR, NULL, gettext_noop("Suppress round-robin ordering of DNS records."), NULL },
+  { LOPT_NO_IDENT, OPT_NO_IDENT, NULL, gettext_noop("Do not log routine TFTP."), NULL },
   { 0, 0, NULL, NULL, NULL }
 }; 
 
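Review bot: the help string for the new LOPT_NO_IDENT row is a copy of the LOPT_QUIET_TFTP line above it ("Do not log routine TFTP."), so `dnsmasq --help` would describe the option as a TFTP logging switch; replace it with something like gettext_noop("Do not serve CHAOS TXT (*.bind) version and statistics records."). OPT_NO_IDENT in the second column is right for a flag option and matches the LOPT_NORR row.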
@@ -5757,21 +5760,6 @@ void read_opts(int argc, char **argv, char *compile_opts)
   daemon->randport_limit = 1;
   daemon->host_index = SRC_AH;
   
-#ifndef NO_ID
-  add_txt("version.bind", "dnsmasq-" VERSION, 0 );
-  add_txt("authors.bind", "Simon Kelley", 0);
-  add_txt("copyright.bind", COPYRIGHT, 0);
-  add_txt("cachesize.bind", NULL, TXT_STAT_CACHESIZE);
-  add_txt("insertions.bind", NULL, TXT_STAT_INSERTS);
-  add_txt("evictions.bind", NULL, TXT_STAT_EVICTIONS);
-  add_txt("misses.bind", NULL, TXT_STAT_MISSES);
-  add_txt("hits.bind", NULL, TXT_STAT_HITS);
-#ifdef HAVE_AUTH
-  add_txt("auth.bind", NULL, TXT_STAT_AUTH);
-#endif
-  add_txt("servers.bind", NULL, TXT_STAT_SERVERS);
-#endif
-  
   /* See comment above make_servers(). Optimises server-read code. */
   mark_servers(0);
   
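Review bot: deleting the add_txt() calls from the defaults block is only half of the change, and the hunk that re-adds them is cut off at the next `@@` header, so where they land cannot be reviewed here. That placement decides whether a `no-ident` line in /etc/dnsmasq.conf is honoured: the calls must run only after both command-line and configuration-file parsing have finished, and the moved block has to keep the `#ifdef HAVE_AUTH` around auth.bind and the outer `#ifndef NO_ID` so the compile-time switch keeps working.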
@@ -5861,6 +5849,

Re: [Dnsmasq-discuss] [PATCH] Add run-time option to disable CHAOS TXT records

2023-01-15 Thread Dominik Derigs via Dnsmasq-discuss

Hey Simon and Petr, CC list,

Thanks for pointing this out. I fixed it and rebased on
latest master. New patch attached.

The name "--no-ident" has been chosen as the corresponding
compile-time option is called NO_ID - my feeling is that
this corresponds to "no identification (strings)".

I thought about adding the possibility to only disable a
subset of these CHAOS records but it seems to just add too
much code complexity for such a small feature. Hence an "all
or nothing" seems the best fit for me here.

Best,
Dominik

On Tue, 2023-01-03 at 10:48 +, Petr Menšík wrote:
> Hi Dominik,
> 
> Good idea. But there is copy error on line 572, no
> help 
> description is changed for new option. What does --no-
> ident stand for by 
> the way? Wouldn't be --no-chaos more descriptive? Should
> we support 
> optional argument to disable only some parts of provided
> records? For 
> example cache statistics might be restricted to localhost
> only or 
> provided only by DBus, while version might be still useful
> to report.
> 
> Cheers,
> Petr


On Fri, 2022-12-23 at 12:54 +0100, Dominik Derigs wrote:
> Dear mailing list members,
> 
> In 2016, dnsmasq got the option to prevent serving the
> server version, some statistics and even the used upstream
> DNS servers to its clients. Compiling with -DNO_ID removes
> the entire *.bind info structure. However, setting -DNO_ID
> requires a (re-)compilation from source.
> 
> This patch adds a new run-time option --no-ident to achieve
> the same without the need for recompiling.
> 
> I wish you some nice and hopefully relaxing Christmas days!
> 
> Best regards,
> Dominik

From d16d26f5740fc9c90b4ec1580a878b34feed82ac Mon Sep 17 00:00:00 2001
From: DL6ER 
Date: Fri, 23 Dec 2022 12:36:11 +0100
Subject: [PATCH] Add --no-ident option to disable CHAOS TXT records providing
 server details and statistics.

Signed-off-by: DL6ER 
---
 man/dnsmasq.8 | 23 ++-
 src/dnsmasq.h |  3 ++-
 src/option.c  | 37 ++---
 3 files changed, 38 insertions(+), 25 deletions(-)

diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 2495ed1..3d1d96a 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -2215,6 +2215,20 @@ exit 0
 
 and /share/ads-domains.gz containing a compressed
 list of ad server domains will save disk space with large ad-server blocklists.
+.TP
+.B --no-ident
+Do not respond to class CHAOS and type TXT in domain bind queries.
+
+Without this option being set, the cache statistics are also available in the
+DNS as answers to queries of class CHAOS and type TXT in domain bind. The domain
+names are cachesize.bind, insertions.bind, evictions.bind, misses.bind,
+hits.bind, auth.bind and servers.bind unless disabled at compile-time. An
+example command to query this, using the
+.B dig
+utility would be
+
+dig +short chaos txt cachesize.bind
+
 .SH CONFIG FILE
 At startup, dnsmasq reads
 .I /etc/dnsmasq.conf,
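Review bot: this documentation hunk is unchanged from the first revision, so the `--no-ident` entry still lists only the statistics records and leaves out version.bind, authors.bind and copyright.bind, which the option also disables and which are the reason for its name.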
@@ -2264,15 +2278,6 @@ resulted in an error. In
 mode or when full logging is enabled (\fB--log-queries\fP), a complete dump of the
 contents of the cache is made. 
 
-The cache statistics are also available in the DNS as answers to 
-queries of class CHAOS and type TXT in domain bind. The domain names are cachesize.bind, insertions.bind, evictions.bind, 
-misses.bind, hits.bind, auth.bind and servers.bind. An example command to query this, using the 
-.B dig
-utility would be
-
-dig +short chaos txt cachesize.bind
-
-.PP 
 When it receives SIGUSR2 and it is logging direct to a file (see
 .B --log-facility
 ) 
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index aaa6d62..fe9aa07 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -281,7 +281,8 @@ struct event_desc {
 #define OPT_STRIP_ECS  69
 #define OPT_STRIP_MAC  70
 #define OPT_NORR   71
-#define OPT_LAST   72
+#define OPT_NO_IDENT   72
+#define OPT_LAST   73
 
 #define OPTION_BITS (sizeof(unsigned int)*8)
 #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
diff --git a/src/option.c b/src/option.c
index 8e61a6b..1ea529e 100644
--- a/src/option.c
+++ b/src/option.c
@@ -185,6 +185,7 @@ struct myoption {
 #define LOPT_FAST_RETRY376
 #define LOPT_STALE_CACHE   377
 #define LOPT_NORR  378
+#define LOPT_NO_IDENT  379
 
 #ifdef HAVE_GETOPT_LONG
 static const struct option opts[] =  
@@ -374,6 +375,7 @@ static const struct myoption opts[] =
 { "port-limit", 1, 0, LOPT_RANDPORT_LIM },
 { "fast-dns-retry", 2, 0, LOPT_FAST_RETRY },
 { "use-stale-cache", 2, 0 , LOPT_STALE_CACHE },
+{ "no-ident", 0, 0, LOPT_NO_IDENT },
 { NULL, 0, 0, 0 }
   };
 
@@ -570,6 +572,7 @@ static struct {
   { LOPT_UMBRELLA, ARG_ONE, "[=]", gettext_noop("Send Cisco Umbrella identifiers including remote IP."), NULL },
   { LOPT_QUIET_TFTP, OPT_QUI

Re: [Dnsmasq-discuss] [PATCH] Add run-time option to disable CHAOS TXT records

2023-01-17 Thread Dominik Derigs via Dnsmasq-discuss
Hey Simon,

totally an oversight on my side. Updated patch attached.

Best
Dominik

On Mon, 2023-01-16 at 22:46 +, Simon Kelley wrote:
> The patch moves the relevant code to after processing of command-line 
> arguments, but not reading configuration file(s). I can't think of any 
> reason why you wouldn't want to put
> 
> no-ident
> 
> into /etc/dnsmasq.conf
> 
> Have I missed something?
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> 
> On 15/01/2023 08:01, Dominik Derigs wrote:
> > 
> > Hey Simon and Petr, CC list,
> > 
> > Thanks for pointing this out. I fixed it and rebased on
> > latest master. New patch attached.
> > 
> > The name "--no-ident" has been chosen as the corresponding
> > compile-time option is called NO_ID - my feeling is that
> > this corresponds to "no identification (strings)".
> > 
> > I thought about adding the possibility to only disable a
> > subset of these CHAOS records but it seems to just add too
> > much code complexity for such a small feature. Hence an "all
> > or nothing" seems the best fit for me here.
> > 
> > Best,
> > Dominik
> > 
> > On Tue, 2023-01-03 at 10:48 +, Petr Menšík wrote:
> > > Hi Dominik,
> > > 
> > > Good idea. But there is copy error on line 572, no
> > > help
> > > description is changed for new option. What does --no-
> > > ident stand for by
> > > the way? Wouldn't be --no-chaos more descriptive? Should
> > > we support
> > > optional argument to disable only some parts of provided
> > > records? For
> > > example cache statistics might be restricted to localhost
> > > only or
> > > provided only by DBus, while version might be still useful
> > > to report.
> > > 
> > > Cheers,
> > > Petr
> > 
> > 
> > On Fri, 2022-12-23 at 12:54 +0100, Dominik Derigs wrote:
> > > Dear mailing list members,
> > > 
> > > In 2016, dnsmasq got the option to prevent serving the
> > > server version, some statistics and even the used upstream
> > > DNS servers to its clients. Compiling with -DNO_ID removes
> > > the entire *.bind info structure. However, setting -DNO_ID
> > > requires a (re-)compilation from source.
> > > 
> > > This patch adds a new run-time option --no-ident to achieve
> > > the same without the need for recompiling.
> > > 
> > > I wish you some nice and hopefully relaxing Christmas days!
> > > 
> > > Best regards,
> > > Dominik
> > 

From 6d59ea6add5bb7b10bfade76e4906c1c8f1b42cc Mon Sep 17 00:00:00 2001
From: DL6ER 
Date: Fri, 23 Dec 2022 12:36:11 +0100
Subject: [PATCH] Add --no-ident option to disable CHAOS TXT records providing
 server details and statistics.

Signed-off-by: DL6ER 
---
 man/dnsmasq.8 | 23 ++-
 src/dnsmasq.h |  3 ++-
 src/option.c  | 37 ++---
 3 files changed, 38 insertions(+), 25 deletions(-)

diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 2495ed1..3d1d96a 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -2215,6 +2215,20 @@ exit 0
 
 and /share/ads-domains.gz containing a compressed
 list of ad server domains will save disk space with large ad-server blocklists.
+.TP
+.B --no-ident
+Do not respond to class CHAOS and type TXT in domain bind queries.
+
+Without this option being set, the cache statistics are also available in the
+DNS as answers to queries of class CHAOS and type TXT in domain bind. The domain
+names are cachesize.bind, insertions.bind, evictions.bind, misses.bind,
+hits.bind, auth.bind and servers.bind unless disabled at compile-time. An
+example command to query this, using the
+.B dig
+utility would be
+
+dig +short chaos txt cachesize.bind
+
 .SH CONFIG FILE
 At startup, dnsmasq reads
 .I /etc/dnsmasq.conf,
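Review bot: still the same man-page text as in the two earlier revisions; the entry should name version.bind, authors.bind and copyright.bind alongside the statistics records and, given Simon's question on the previous revision, could state explicitly that the option works both on the command line and in a configuration file.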
@@ -2264,15 +2278,6 @@ resulted in an error. In
 mode or when full logging is enabled (\fB--log-queries\fP), a complete dump of the
 contents of the cache is made. 
 
-The cache statistics are also available in the DNS as answers to 
-queries of class CHAOS and type TXT in domain bind. The domain names are cachesize.bind, insertions.bind, evictions.bind, 
-misses.bind, hits.bind, auth.bind and servers.bind. An example command to query this, using the 
-.B dig
-utility would be
-
-dig +short chaos txt cachesize.bind
-
-.PP 
 When it receives SIGUSR2 and it is logging direct to a file (see
 .B --log-facility
 ) 
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index aaa6d62..fe9aa07 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -281,7 +281,8 @@ struct event_desc {
 #define OPT_STRIP_ECS  69
 #define OPT_STRIP_MAC  70
 #define OPT_NORR   71
-#define

[Dnsmasq-discuss] [PATCH] Fix --rev-server option

2023-03-03 Thread Dominik Derigs via Dnsmasq-discuss
Hey Simon, CC list,

the --rev-server option is currently broken in the released
version of dnsmasq for any non-dividable-by-eight CIDR
subnets.

It got broken in commit 1db9943 when resolving upstream
servers by name was extended to --rev-server without
accounting for the fact that rev-server is a special edge-
case. Re-using one and the same upstream server for each of
the x.y.z.in-addr.arpa is actually a wanted feature and
should not be suppressed.

A very simple patch for this is attached.

The offending commit on our mirror:
https://github.com/pi-hole/dnsmasq/commit/1db9943c6879c160a5fbef885d5ceadd3668b74d

The proposed fix:
https://github.com/pi-hole/dnsmasq/pull/13

Best,
Dominik
From 6f39ec984e00aad03c045f2b7f9e814f671099bf Mon Sep 17 00:00:00 2001
From: DL6ER 
Date: Fri, 3 Mar 2023 18:05:26 +0100
Subject: [PATCH] Fix --rev-server option. It was broken in
 1db9943c6879c160a5fbef885d5ceadd3668b74d when resolving upstream servers by
 name was extended to --rev-server without accounting for the fact that
 re-using one and the same upstream server for each of the x.y.z.in-addr.arpa
 is actually a wanted feature

Signed-off-by: DL6ER 
---
 src/option.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/src/option.c b/src/option.c
index 1090bca..2e208ba 100644
--- a/src/option.c
+++ b/src/option.c
@@ -1159,6 +1159,9 @@ static char *domain_rev4(int from_file, char *server, struct in_addr *addr4, int
 	}
   else
 	{
+	  /* Always reset server as valid here, so we can add the same upstream
+	 server address multiple times for each x.y.z.in-addr.arpa  */
+	  sdetails.valid = 1;
 	  while (parse_server_next())
 	{
 	  if ((string = parse_server_addr()))
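Review bot: `sdetails.valid = 1` is set unconditionally before the loop, so it also overrides a `valid = 0` that an earlier failed parse of the same server details may have left (for example an upstream name that did not resolve), not only the "already consumed by the previous x.y.z.in-addr.arpa zone" state this fix targets. If the callers always validate the server once before iterating the zones, state that in the comment; otherwise reset only when the previous iteration actually consumed a valid server. A test with a /22 (four zones) and a /25 (128 zones) against one upstream, plus one with an unresolvable upstream name, would pin both behaviours.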
@@ -1244,6 +1247,9 @@ static char *domain_rev6(int from_file, char *server, struct in6_addr *addr6, in
 	}
   else
 	{
+	  /* Always reset server as valid here, so we can add the same upstream
+	 server address multiple times for each x.y.z.ip6.arpa  */
+	  sdetails.valid = 1;
 	  while (parse_server_next())
 	{
 	  if ((string = parse_server_addr()))
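Review bot: same unconditional reset as in domain_rev4, with the same caveat about masking an invalid server; since both functions now carry an identical three-line block, a small shared helper (or at least identical comments) would keep them from drifting apart.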
-- 
2.34.1

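Added example (my own Python, not dnsmasq code and not part of this thread): a model of the expansion the patch is about. One --rev-server prefix that does not end on an octet boundary (or, for IPv6, a nibble boundary) has to become several x.y.z.in-addr.arpa or x.y.z.ip6.arpa zones, each pointing at the same upstream. The rounding rule and the `server=/zone/upstream` spelling of the result are my assumptions about what dnsmasq does internally; the thread only says that the same upstream is reused once per zone.

```python
import ipaddress
from typing import List


def rev_zones(cidr: str) -> List[str]:
    """Reverse-DNS zone names that together cover `cidr`.

    IPv4 reverse zones are cut at octet (8-bit) boundaries and IPv6 zones at
    nibble (4-bit) boundaries, so a prefix that is not a multiple of that unit
    is rounded up and expands to 2**(rounded - prefixlen) zones.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        unit_bits, total_units, suffix = 8, 4, "in-addr.arpa"
    else:
        unit_bits, total_units, suffix = 4, 32, "ip6.arpa"
    units = -(-net.prefixlen // unit_bits)  # ceil(prefixlen / unit_bits)
    zones = []
    for sub in net.subnets(new_prefix=units * unit_bits):
        # reverse_pointer lists every octet/nibble least-significant first;
        # keep the `units` most significant ones, which sit just before the suffix.
        labels = sub.network_address.reverse_pointer.split(".")[:total_units]
        zones.append(".".join(labels[total_units - units:] + [suffix]))
    return zones


def rev_server_lines(cidr: str, upstream: str) -> List[str]:
    """Expand one --rev-server=<cidr>,<upstream> into equivalent server= lines.

    Assumption of this example: the same upstream is repeated once per zone,
    which is the behaviour the patch restores.
    """
    return [f"server=/{zone}/{upstream}" for zone in rev_zones(cidr)]


if __name__ == "__main__":
    for line in rev_server_lines("10.0.0.0/22", "192.0.2.53"):
        print(line)
```

Running it prints the four server= lines for 10.0.0.0/22; a /25 expands to 128 single-host zones, which is why an upstream that is marked as consumed after the first zone only shows up as a bug with prefixes that are not multiples of eight.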


Re: [Dnsmasq-discuss] proxy-dnssec, how does it work (with unbound as upstream)

2023-04-14 Thread Dominik Derigs via Dnsmasq-discuss
Hey Simon,

On Thu, 2023-04-13 at 22:15 +0100, Simon Kelley wrote:
> I'd like to know how EDE replies are being used, and what the changes 
> referred to in this statement by Peter are.
> 
> "Note that the changes made by the pi-hole developers have been
> implemented in pi-hole-FTL, the dnsmasq code for proxy-dnssec hasn't
> been changed, so using EDE only works with pi-hole, not with the
> official dnsmasq v2.89"

When dnsmasq validates DNSSEC, the returned status
(SECURE/INSECURE/BOGUS/ABANDONED) is being shown next to the query on
the Pi-hole web interface. Without DNSSEC validation, all queries remain
in UNKNOWN DNSSEC status as far as Pi-hole is concerned.

This has recently been changed with adding support for proxy-dnssec.
When this option is used, Pi-hole checks the reply from dnsmasq for the
AD bit to tell apart IN-/SECURE. When SERVFAIL happens, EDE codes are
used to differentiate "normal" from DNSSEC-related reasons.

As I have mentioned before and we have discussed here, relying on the AD
bit for the IN-/SECURE determination is the best we have with proxy-
dnssec but it is by far not very good.

--dnssec still seems the best option to me.

Best,
Dominik


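Added example (my own Python, not Pi-hole's or dnsmasq's code): the classification the message above describes, the AD bit deciding SECURE versus INSECURE and EDE codes separating DNSSEC failures from other SERVFAILs, applied to a DNS reply in wire format. It reads the header flags, the extended RCODE and any Extended DNS Error options (EDNS option code 15, RFC 8914) from the OPT record, and constructs its own sample replies so it runs offline. Which EDE INFO-CODEs count as DNSSEC-related is my choice here, not something the thread specifies.

```python
import struct

# Extended DNS Errors (RFC 8914): EDNS option code and the INFO-CODEs this
# example treats as DNSSEC-related (an assumption of this example).
EDE_OPTION_CODE = 15
DNSSEC_EDE_CODES = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}
OPT_TYPE = 41
SERVFAIL = 2


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_reply(msg: bytes):
    """Return (rcode, ad_bit, ede_codes) from a DNS reply in wire format."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)
    off = 12
    for _ in range(qd):  # question: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns):  # answer/authority RRs: skip over them
        off = _skip_name(msg, off)
        off += 10 + struct.unpack_from("!H", msg, off + 8)[0]
    ede_codes = []
    for _ in range(ar):  # additional section: look for the OPT pseudo-RR
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10 : off + 10 + rdlen]
        off += 10 + rdlen
        if rtype != OPT_TYPE:
            continue
        rcode |= ((ttl >> 24) & 0xFF) << 4  # OPT "TTL" carries the upper RCODE bits
        pos = 0
        while pos + 4 <= len(rdata):
            ocode, olen = struct.unpack_from("!HH", rdata, pos)
            if ocode == EDE_OPTION_CODE and olen >= 2:
                ede_codes.append(struct.unpack_from("!H", rdata, pos + 4)[0])
            pos += 4 + olen
    return rcode, ad, ede_codes


def classify(msg: bytes) -> str:
    """proxy-dnssec style verdict: AD bit for SECURE/INSECURE, EDE for SERVFAIL."""
    rcode, ad, ede_codes = parse_reply(msg)
    if rcode == SERVFAIL:
        return "BOGUS" if any(c in DNSSEC_EDE_CODES for c in ede_codes) else "SERVFAIL"
    return "SECURE" if ad else "INSECURE"


def _wire_name(name: bytes) -> bytes:
    return b"".join(bytes([len(label)]) + label for label in name.split(b".")) + b"\x00"


def build_reply(rcode: int, ad: bool, ede_codes=(), qname: bytes = b"example.com") -> bytes:
    """Constructed sample reply: header, one question, no answers, one OPT RR."""
    flags = 0x8180 | (0x0020 if ad else 0) | (rcode & 0xF)  # QR, RD, RA, [AD], RCODE
    options = b"".join(struct.pack("!HHH", EDE_OPTION_CODE, 2, c) for c in ede_codes)
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(options)) + options
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 1)
    return header + _wire_name(qname) + struct.pack("!HH", 1, 1) + opt_rr


if __name__ == "__main__":
    for args in ((0, True), (0, False), (SERVFAIL, False, [6]), (SERVFAIL, False, [23])):
        print(args, "->", classify(build_reply(*args)))
```

The cached-reply problem from the thread shows up directly here: a reply whose AD bit was not preserved by the cache classifies as INSECURE even though the forwarded original was SECURE, which is why the message calls the AD-bit approach the best available under proxy-dnssec rather than a good one.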

Re: [Dnsmasq-discuss] proxy-dnssec, how does it work (with unbound as upstream)

2023-04-13 Thread Dominik Derigs via Dnsmasq-discuss
Hey Peter,

On Thu, 2023-04-13 at 08:37 +0200, Peter Russel wrote:
> Hi Simon
> 
> Unfortunately, it looks like I've been shouting victory a little soon.
> 
> The results are perfect when using dig, however, when using a browser
> (firefox, edge) the results are unreliable / inconsistent.
> 
> The assumption is that adding the setting "add-cpe-id=01234" ensures
> dnsmasq will ALWAYS request EDE information from upstream (unbound).
> Can you confirm this?
> 

it is not possible to "request" EDE codes. What happens here is that a
client has to signal EDNS(0) capability. unbound then adds EDE *at its
own discretion*.

Adding the "add-cpe-id" option ensures that dnsmasq always signals EDNS
capability upstream - even when the client didn't do so. Whether unbound
then replies with EDE data is entirely up to unbound.

> There are currently 2 possible causes why it doesn't work perfectly.
> 
> 1. the dnsmasq setting "add-cpe-id=01234" doesn't do what is expected
> (always request EDE)
> 
> 2. unbound doesn't store the EDE information in it's cache. Apparently
> there are two PRs that haven't been merged in to master yet, that
> would accomplish this, see the unbound issue
> https://github.com/NLnetLabs/unbound/issues/873, comment from gthess.

Following the unbound issue, this makes some sense: EDE information will
not be available from cached queries.

> 
> Note that I also have knot-resolver installed on my system (using it
> for script related tasks - normally inactive).
> The pi-hole scripts will use knot-resolver as upstream (configured
> using server= dnsmasq setting, example
> "server=/v.firebog.net/127.10.10.5#"). The results from queries
> with knot-resolver as upstream are also inconsistent. I have no idea
> if knot-resolver caches EDE info, there is a lot less info available
> for knot-resolver...
> 

When you provide PCAPs (dnsmasq "dumpfile" option) with knot-resolver as
upstream, we can easily check if the replies contain EDNS. However, I
also encourage you to load them in Wireshark and play around yourself,
exploring what you see in the "additional records" section.

> I'm waiting for the unbound PR's to be merged in to master, so I can
> compile unbound with these changes, possibly excluding or confirming
> this as the cause.
> 
> Could you confirm the setting "add-cpe-id=01234" does instruct dnsmasq
> to always request EDE, if NOT, is it possible to do this in another
> way?

See above, this is not what this option is doing. Adding it merely
ensures that dnsmasq *always* tells unbound that it can process EDNS
data - regardless of whether the client further downstream can do it.

> Note that the changes made by the pi-hole developers have been
> implemented in pi-hole-FTL, the dnsmasq code for proxy-dnssec hasn't
> been changed, so using EDE only works with pi-hole, not with the
> official dnsmasq v2.89

I don't think dnsmasq does anything more than forwarding EDE codes it
received from upstream. There is no interpretation happening in dnsmasq.

> Don't know if you have a direct line with the pi-hole developer, if
> you do, you could discuss this directly, I'm just the middle man here,
> knowledgeable enough to test, not to change the code...

We listen and respond here, too, when we have something valuable to
contribute :-)

Best,
Dominik



Re: [Dnsmasq-discuss] [PATCH] Report filtered A or AAAA records via EDE code

2023-03-31 Thread Dominik Derigs via Dnsmasq-discuss
Hey Simon,

On Thu, 2023-03-30 at 18:28 +0100, Simon Kelley wrote:
> I just merged the branch I've been working on for the last week which 
> includes this patch, but much modified because the surrounding code has 
> changed. The function is unaltered.
> 
> The other changes are adding the ability to cache any RR-type, and the 
> ability to filter any RR-type. There's quite a bit of code cleanup in 
> the affected code paths too.

The new man page says:
> By default, dnsmasq caches A, AAAA, CNAME and SRV DNS
> record types. This option adds other record types to the
> cache. [...]

I wonder how useful this really is. Won't it cause config
files to explode with lines like (possibly line-per-line):
--cache-rr=NS,MD,MF,SOA,MB,MG,MR,NULL,WKS,PTR,HINFO,MINFO,MX,TXT,RP,AFSDB,X25,ISDN,RT,NSAP,NSAP_PTR,SIG,KEY,PX,GPOS,LOC,NXT,EID,NIMLOC,ATMA,NAPTR,KX,CERT,A6,DNAME,SINK,OPT,APL,DS,SSHFP,IPSECKEY,RRSIG,NSEC,DNSKEY,DHCID,NSEC3,NSEC3PARAM,TLSA,SMIMEA,HIP,NINFO,RKEY,TALINK,CDS,CDNSKEY,OPENPGPKEY,CSYNC,ZONEMD,SVCB,HTTPS,SPF,UINFO,UID,GID,UNSPEC,NID,L32,L64,LP,EUI48,EUI64,TKEY,TSIG,IXFR,AXFR,MAILB,MAILA,ANY,URI,CAA,AVC,DOA,AMTRELAY,TA,DLV

if I want to cache all types known to dnsmasq by name (yes,
this does not include proprietary extensions by numbers). It
also seems inefficient to always loop over these 86 RR types
when we check if this RR is to be cached.

Looking at this new option, it seems really counter-
intuitive to specify "I want to cache ANY but not TXT". Is
there a real-world scenario where someone would not like to
cache a specific type? I suppose these queries should
arguably have a TTL of 0 from upstream to prevent caching.

My feeling is that we should really have at least a shortcut
to specify "cache everything you can". May this be "--cache-
rr" without options, some special "--cache-rr=all" or maybe
a dedicated option like "--cache-all".

Others than that - thanks for working on this! I already
started testing (using the long command above) and will
report any oddities I come across.

Best,
Dominik



Re: [Dnsmasq-discuss] proxy-dnssec, how does it work (with unbound as upstream)

2023-04-13 Thread Dominik Derigs via Dnsmasq-discuss
Hey Peter,

On Thu, 2023-04-13 at 12:15 +0200, Peter Russel wrote:
> 
> Dominik, your questions and comments.
> 
> Thanks for explaining "add-cpe-id=01234", meaning that it informs
> upstream that it is capable of processing EDNS data, nothing more.
> This implies dnsmasq cannot be the cause of "not receiving EDE" data?

Yes.

> As I understood from you comments on discourse, the same could be
> achieved with "add-mac=base64"?

Yes.

> Since you "somewhat" agree this might be caused by unbound, NOT
> caching EDE data, it was my intention to wait for the unbound PRs to
> be merged into master, than restart testing (unless instructed
> otherwise by one of you).

Disabling unbound's cache should reveal already now if this is cache-
related. Every resolution will be slow when all caches are disabled,
however, they should at least be consistent.

> I started posting only, because another pi-hole user is also testing
> the feature (proxy-dnssec), and noticed the same inconsistencies, be
> it under different circumstances (docker, using dnsmasq
> cache-size=1, no redis, ...)

Check out the dnsmasq man page entry for proxy-dnssec:

Note that caching the Authenticated Data bit correctly in all cases is
not technically possible.

And indeed, when querying something like posteo.de, you will see the AD
bit being set for the first (forwarded) but never for any later (cached)
reply. As Pi-hole has no other chance than looking at the AD bit in
proxy-dnssec mode, this translates into the first query being SECURE and
all later ones are INSECURE.

> I don't really understand why dig queries (both on the pi-hole
> terminal and from a remote windows machine always provide the correct
> status (SECURE), while site visits, using a browser provide
> inconsistent statuses (SECURE / INSECURE) I assume dig replies are
> also cached...

To sum this up: I agree with the man page sentiment that using "dnssec"
is the better option. Yes, validation work will be duplicated, however,
no additional traffic should be generated as your unbound already had to
get all the DS and DNSKEY for its own validation so this all can be
served from unbound's cache. I'm running dnsmasq with "dnssec" and am
also running a local unbound for almost a decade in validation mode,
too. Not that I could remember any issues in the past few years.

Best,
Dominik

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Filtering non-latin1 or non-ASCIII dns requests?

2023-05-11 Thread Dominik Derigs via Dnsmasq-discuss
Hey Burton and Petr,

On Wed, 2023-05-10 at 21:12 -0500, B@us wrote:
> domains that don’t match \.[A-Za-z0-9]\.

You'd probably want to allow for - and _ too but Petr has the better
idea how to achieve this:

On Thu, 2023-05-11 at 17:56 +0200, Petr Menšík wrote:
> reject all IDN names, which start with xn-- prefix

Even when truly non-ASCII domains would be possible (dig äöü), none of
the larger registrars allow registering such domains directly and will
always use the Punycode translation of the Unicode representation of the
language-specific alphabet.


Burton, the feature you are asking for would be blocking IDNA domains?

Petr, I concur that this should be handled at a larger scale, however, I
do also think it'd be okay to have such a feature when the administrator
of a local dnsmasq says that international domains aren't something that
will happen at their place and wants some extra protection against such
letter confusion "attacks".

Best
Dominik
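
As an added illustration of the filter discussed above (example code written for this page, not dnsmasq code and not anything Burton or Petr posted): classify a query name by whether it carries an xn-- A-label, raw non-ASCII bytes, or only the plain [A-Za-z0-9-_] character set the regex was meant to allow. The type and function names (name_class, classify_name, name_should_be_blocked) and the sample names are this example's own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Classification of a query name in presentation form (dotted ASCII, as
 * dnsmasq logs it). enum name_class, classify_name and
 * name_should_be_blocked are this example's own names. */
enum name_class {
    NAME_PLAIN,      /* every label uses only [A-Za-z0-9], '-' and '_' */
    NAME_OTHERCHAR,  /* ASCII, but with characters outside that set */
    NAME_IDN,        /* at least one A-label (ACE prefix "xn--", RFC 5890) */
    NAME_NONASCII    /* raw bytes >= 0x80, i.e. a U-label sent unencoded */
};

static bool allowed_char(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '_';
}

enum name_class classify_name(const char *name)
{
    enum name_class cls = NAME_PLAIN;
    const char *label = name;

    while (*label)
    {
        size_t len = strcspn(label, ".");

        /* "xn--" marks a Punycode-encoded label; it outranks OTHERCHAR so an
         * administrator's "no international domains here" rule can key on it. */
        if (len >= 4 && strncasecmp(label, "xn--", 4) == 0)
            cls = NAME_IDN;

        for (size_t i = 0; i < len; i++)
        {
            unsigned char c = (unsigned char)label[i];
            if (c >= 0x80)
                return NAME_NONASCII;   /* wins outright: not legal in a hostname */
            if (!allowed_char(c) && cls == NAME_PLAIN)
                cls = NAME_OTHERCHAR;
        }

        label += len;
        if (*label == '.')
            label++;
    }
    return cls;
}

/* The policy discussed in the thread: refuse IDN and raw non-ASCII names,
 * keep everything else (including '-' and '_', which the regex left out). */
bool name_should_be_blocked(const char *name)
{
    enum name_class cls = classify_name(name);
    return cls == NAME_IDN || cls == NAME_NONASCII;
}

int main(void)
{
    /* constructed sample names */
    const char *samples[] = { "www.example.com", "xn--4ca0bs.example",
                              "_dmarc.example.com", "\xc3\xa4\xc3\xb6\xc3\xbc" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-24s -> %s\n", samples[i],
               name_should_be_blocked(samples[i]) ? "block" : "allow");
    return 0;
}
```

The check runs on the presentation form, so it is useful as a log-side or pre-forward filter; it does not decode the A-label, which keeps it cheap and free of IDNA library dependencies.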



[Dnsmasq-discuss] New option --no-ANY

2024-02-06 Thread Dominik Derigs via Dnsmasq-discuss

Hey Simon,

this patch adds a method for deprecating ANY queries (following RFC 
8482: Providing Minimal-Sized Responses to DNS Queries That Have 
QTYPE=ANY). This conforms to how many of the large scale upstream DNS 
providers (Google, Cloudflare to name only a few) are dealing with the 
use_less_ness of ANY in general on one hand but the unfortunate 
use_full_ness in DNS amplification attacks on the other hand. Another 
solution could be only disallowing ANY queries over UDP and forcing 
clients to re-try over TCP but - given how useless ANY is - it doesn't 
seem worth implementing this more complex path.


The proposed option --no-ANY simply ensures dnsmasq will not add any RRs 
for such questions.


We are looking forward to enabling it by default in Pi-hole v6.0+ 
provided this patch is accepted.


Best,
Dominik
From ac3134c48ef3ee6ec9be2f3b0993f710ac36f8f8 Mon Sep 17 00:00:00 2001
From: DL6ER 
Date: Tue, 6 Feb 2024 17:51:22 +0100
Subject: [PATCH] Add option --no-ANY providing minimal-sized responses to ANY
 queries (RFC 8482)

Signed-off-by: DL6ER 
---
 CHANGELOG | 4 
 man/dnsmasq.8 | 9 +
 src/dnsmasq.h | 3 ++-
 src/option.c  | 3 +++
 src/rfc1035.c | 8 
 5 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 2ce53a8..75575b5 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -25,6 +25,10 @@ version 2.90
 	end up in the query also. This bug only seems to cause problems
 	when the usptream server is a DOH/DOT proxy. Thanks to Justin He
 	for the bug report.
+
+	Add --no-ANY option to stop processing ANY queries.
+	The ANY type has been deprecated by RFC 8482, and is a common vector
+	for DNS amplification attacks.
 	
 	
 version 2.89
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index bb8da54..1a7a280 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -388,6 +388,15 @@ Remove  records from answers. No IPv6 addresses will be returned.
 .B --filter-rr=[,...]
 Remove records of the specified type(s) from answers.
 .TP
+.B --no-ANY
+Provide minimal-sized responses to ANY DNS queries instead of processing them.
+Queries with QTYPE=ANY are frequently observed as part of reflection attacks,
+since a relatively small query can be used to elicit a large response. This is a desirable
+characteristic if the goal is to maximize the amplification potential of a DNS server as
+part of a volumetric attack. With this option being enabled, minimal responses are returned making
+dnsmasq a much less useful amplifier.
+The follows RFC 8482 which effectively deprecates the DNS ANY query type.
+.TP
 .B --cache-rr=[,...]
 By default, dnsmasq caches A, , CNAME and SRV DNS record types.
 This option adds other record types to the cache. The RR-type can be given
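Review bot: "The follows RFC 8482" in the new --no-ANY paragraph should read "This follows RFC 8482". The paragraph also spends two sentences on why ANY is attractive to an attacker ("This is a desirable characteristic ... volumetric attack"); a man page entry normally states what the option does and which RFC it implements, so that middle part can be cut. It would also help to say what the client actually receives (an answer with no RRs, as the cover letter puts it), since "minimal-sized responses" alone leaves that open.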
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 129e2c9..9ec4d39 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -282,7 +282,8 @@ struct event_desc {
 #define OPT_NO_IDENT   70
 #define OPT_CACHE_RR   71
 #define OPT_LOCALHOST_SERVICE  72
-#define OPT_LAST   73
+#define OPT_NO_ANY 73
+#define OPT_LAST   74
 
 #define OPTION_BITS (sizeof(unsigned int)*8)
 #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
diff --git a/src/option.c b/src/option.c
index 0cb691e..a5297eb 100644
--- a/src/option.c
+++ b/src/option.c
@@ -191,6 +191,7 @@ struct myoption {
 #define LOPT_NO_DHCP6  382
 #define LOPT_NO_DHCP4  383
 #define LOPT_MAX_PROCS 384
+#define LOPT_NO_ANY385
 
 #ifdef HAVE_GETOPT_LONG
 static const struct option opts[] =  
@@ -231,6 +232,7 @@ static const struct myoption opts[] =
 { "filter-A", 0, 0, LOPT_FILTER_A },
 { "filter-", 0, 0, LOPT_FILTER_ },
 { "filter-rr", 1, 0, LOPT_FILTER_RR },
+{ "no-ANY", 0, 0, LOPT_NO_ANY },
 { "pid-file", 2, 0, 'x' },
 { "strict-order", 0, 0, 'o' },
 { "server", 1, 0, 'S' },
@@ -416,6 +418,7 @@ static struct {
   { LOPT_FILTER_A, ARG_DUP, NULL, gettext_noop("Don't include IPv4 addresses in DNS answers."), NULL },
   { LOPT_FILTER_, ARG_DUP, NULL, gettext_noop("Don't include IPv6 addresses in DNS answers."), NULL },
   { LOPT_FILTER_RR, ARG_DUP, "", gettext_noop("Don't include resource records of the given type in DNS answers."), NULL },
+  { LOPT_NO_ANY, OPT_NO_ANY, NULL, gettext_noop("Don't reply to ANY requests"), NULL },
   { 'F', ARG_DUP, ",...", gettext_noop("Enable DHCP in the range given with lease duration."), NULL },
   { 'g', ARG_ONE, "", gettext_noop("Change to this group after startup (defaults to %s)."), CHGRP },
   { 'G', ARG_DUP, "", gettext_noop("Set address or hostname for a specified machine."), NULL },
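Review bot: the help string "Don't reply to ANY requests" contradicts the man page text added in the same patch, which says dnsmasq provides a minimal-sized response; dnsmasq still replies, it just adds no RRs. Suggest "Answer ANY queries with a minimal response (RFC 8482)." so that --help and the man page agree, and add the trailing full stop the neighbouring entries use.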
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 04b1472..423a4b4 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1550,6 +1550,14 @@ size_t answer_request(struct 
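Review bot: the rfc1035.c hunk is cut off after its header in this archive, so the behaviour change itself (how answer_request handles QTYPE=ANY when OPT_NO_ANY is set) cannot be reviewed here. Whatever the body does, it should match the man page text in this patch: a response with the question echoed back and no RRs, not a silently dropped query, since a dropped packet only makes clients retry.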

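What a minimal-sized answer to an ANY query looks like on the wire, as an added example written for this page (not the patch's code, whose rfc1035.c hunk is cut off above, and not dnsmasq's): build_query encodes a question, question_qtype walks it defensively, and answer_minimal_any echoes the question back with QR set and no RRs when a no_any flag is on, which is the behaviour the cover letter describes. The function names, the no_any flag and the sample transaction ID are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define T_ANY       255

/* Encode a query in wire format: header plus one QNAME/QTYPE/QCLASS question.
 * Returns the packet length, 0 if the name or buffer is unusable. */
size_t build_query(uint8_t *buf, size_t cap, const char *name, uint16_t qtype)
{
    size_t p = DNS_HDR_LEN;

    if (cap < DNS_HDR_LEN + strlen(name) + 2 + 4)
        return 0;
    memset(buf, 0, DNS_HDR_LEN);
    buf[0] = 0x12; buf[1] = 0x34;     /* transaction ID (constructed value) */
    buf[2] = 0x01;                    /* RD */
    buf[5] = 1;                       /* QDCOUNT = 1 */
    while (*name)
    {
        size_t l = strcspn(name, ".");
        if (l == 0 || l > 63)
            return 0;
        buf[p++] = (uint8_t)l;
        memcpy(buf + p, name, l);
        p += l;
        name += l;
        if (*name == '.')
            name++;
    }
    buf[p++] = 0;                     /* root label */
    buf[p++] = (uint8_t)(qtype >> 8); buf[p++] = (uint8_t)qtype;
    buf[p++] = 0; buf[p++] = 1;       /* QCLASS = IN */
    return p;
}

/* Walk the first question; returns its QTYPE and the offset just past it,
 * or 0 for anything malformed (short packet, compression pointer, QDCOUNT != 1). */
uint16_t question_qtype(const uint8_t *pkt, size_t len, size_t *qend)
{
    size_t p = DNS_HDR_LEN;

    if (len < DNS_HDR_LEN || pkt[4] != 0 || pkt[5] != 1)
        return 0;
    while (p < len && pkt[p] != 0)
    {
        if (pkt[p] & 0xC0)            /* no compression allowed in a question name */
            return 0;
        p += 1 + pkt[p];
    }
    if (p + 5 > len)                  /* root byte + QTYPE + QCLASS must fit */
        return 0;
    p++;
    *qend = p + 4;
    return (uint16_t)(pkt[p] << 8 | pkt[p + 1]);
}

/* The RFC 8482 short-circuit: when no_any is set and QTYPE is ANY, reply with
 * the question echoed back and every section count but QDCOUNT zero. Returns
 * the response length, or 0 when the query should take the normal resolution
 * path (or is malformed). */
size_t answer_minimal_any(const uint8_t *query, size_t qlen, int no_any,
                          uint8_t *out, size_t outcap)
{
    size_t qend = 0;
    uint16_t qtype = question_qtype(query, qlen, &qend);

    if (qtype == 0 || qend > outcap || !(no_any && qtype == T_ANY))
        return 0;
    memcpy(out, query, qend);                      /* header + question */
    out[2] = (uint8_t)((query[2] & 0x79) | 0x80);  /* QR=1, keep opcode and RD, clear AA/TC */
    out[3] = 0x80;                                 /* RA=1, RCODE=NOERROR, no AD */
    memset(out + 6, 0, 6);                         /* ANCOUNT, NSCOUNT, ARCOUNT = 0 */
    return qend;
}

int main(void)
{
    uint8_t q[512], r[512];
    size_t qlen = build_query(q, sizeof q, "example.com", T_ANY);
    size_t rlen = answer_minimal_any(q, qlen, 1, r, sizeof r);
    printf("ANY query: %zu bytes, minimal response: %zu bytes\n", qlen, rlen);
    return 0;
}
```

For the constructed 29-byte example.com/ANY query the reply is also 29 bytes, so a reflector gets back no more than it sent; a normal A query returns 0 from answer_minimal_any and would continue down the usual resolution path.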
Re: [Dnsmasq-discuss] Caching of NS and SOA records

2023-12-07 Thread Dominik Derigs via Dnsmasq-discuss
Hey Evandro,

see my reply to your other question as the questions are just two
aspects of the same thing:

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2023q4/017363.html

Best,
Dominik

P.S. Your address evandro+dnsm...@gcc.gnu.org throws an "user unknown"
error.



On Thu, 2023-12-07 at 15:44 -0600, Evandro Menezes via Dnsmasq-discuss
wrote:
> Before I went and hacked it, I figured that it’d be better to float the idea, 
> in case it’d been discussed before and deemed not worthy the while.
> 




Re: [Dnsmasq-discuss] Caching of HTTPS and SVCB records

2023-12-07 Thread Dominik Derigs via Dnsmasq-discuss
Hey Evandro,

caching of arbitrary types has been added this year in March and is
available in the latest master code (option --cache-rr). You can even
add --cache-rr=ANY to cache all records.

See
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=638c7c4d20004c0f320820098e29df62a27dd2a1
and
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=c244d92d8a3f96e3a16b53f733190faa17004ae3

and the corresponding man page entry:

--cache-rr=[,...]
By default, dnsmasq caches A, AAAA, CNAME and SRV DNS record types.
This option adds other record types to the cache. The RR-type can be
given as a name such as TXT or MX or a decimal number. A single
--cache-rr option can take a comma-separated list of RR-types and more
than one --cache-rr option is allowed. Use --cache-rr=ANY to enable
caching for all RR-types.

This feature is included in the current Pi-hole v6.0 beta testing to get
a wide testing audience (it is enabled to cache ANY in Pi-hole) but more
testing is always welcome!

Best,
Dominik

On Thu, 2023-12-07 at 14:05 -0600, Evandro Menezes via Dnsmasq-discuss
wrote:
> Current OSes are now using the HTTPS record to query the addresses and the 
> canonical name, as well other information important to browsers, rather than 
> using the A and AAAA records as they used to.
> 
> In my anecdotal experience, HTTPS queries amount to over a third of the 
> queries.  It might make sense to cache their replies, if not to decode them 
> and also populate the cache with any information for A, AAAA and CNAME they 
> they may contain.
> 
> Another record that is rising in usage in SVCB, primarily by browsers and IoT 
> devices, to discover the DNS resolvers for DNS over HTTPS, DNS over TLS and 
> DNS over QUIC.  Along with HTTPS, it would be interesting to add a 
> configuration option for these records.
> 
> If these suggestions are considered worthwhile, I’d be glad to contribute 
> patches.
> 
> Cheers,
> 




[Dnsmasq-discuss] Use-after-free with DHCP + use-stale-cache

2024-05-05 Thread Dominik Derigs via Dnsmasq-discuss

Hey Simon,

we found a bug resulting in a use-after-free returning garbage data and 
possibly crash when using DHCP + stale cache data.


The bug is triggered when using DHCP and a lease expires. Its name is 
then free'd in kill_name() + do_script_run(). When the PTR record is 
queried thereafter and use-stale-cache is enabled, dnsmasq accesses this 
dangling pointer and returns random data - often a string containing a 
few control characters, once dnsmasq even SEGFAULTed.


Related dnsmasq.log:

May 5 19:00:00 dnsmasq[4395]: query[PTR] 141.2.168.192.in-addr.arpa from 127.0.0.1
May 5 19:00:00 dnsmasq[4395]: DHCP 192.168.2.141 is 
May 5 19:00:00 dnsmasq[4395]: forwarded 141.2.168.192.in-addr.arpa to 1.0.0.1


The final immediate "forwarded" line comes from dnsmasq itself and 
confirms that this was triggered by use-stale-cache.


Best,
Dominik

P.S.: The patch recently sent by Erik Karlsson doesn't fix this, it 
touches other code.


Re: [Dnsmasq-discuss] Use-after-free with DHCP + use-stale-cache

2024-05-13 Thread Dominik Derigs via Dnsmasq-discuss

Hey Erik,

sorry for the late reply.. I wanted to err on the side of caution this 
time. We have been testing with your patch applied on top of latest 
master for almost four days now and - so far - no new use-after-free 
events occurred. Before, it happened at least once a day. Seems I have 
misinterpreted when SIGALRM is used so I thought your patch wouldn't be 
effective in our case. Sorry for this and thanks for challenging my 
earlier statement.


Best,
Dominik

On 06.05.24 11:39, Erik Karlsson wrote:

Hi Dominik,

Are you sure the patch I sent does not solve this? I think it should 
or are there more places where a lease_update_dns(0) is missing? 
Alternatively, can there be dangling pointers left even 
after lease_update_dns has been run?


Best regards,
Erik

On Mon, 6 May 2024 at 07:14, Dominik Derigs via Dnsmasq-discuss wrote:



Re: [Dnsmasq-discuss] shortcuts for REFUSED / RCODE

2024-03-20 Thread Dominik Derigs via Dnsmasq-discuss

Hey Ercolino,

In the context of adblocking I am told certain browsers/systems react 
much better when the DNS server returns FORBIDDEN (I guess they mean 
REFUSED which is return code 5 
https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6) 
as this instructs the query generator (app) to stop hammering again 
for such a domain.



Have you actually tried this?

A few years back, the Pi-hole team explored various possibilities for 
blocking requests. REFUSED was among them. However, in our testing, 
devices did not stop requesting when they received REFUSED but continued 
hammering the server. This was especially true for embedded devices 
where any kind of DNS "error" may simply trigger endless repetitions. 
The best compromise we could come up with was in fact defining a "valid" 
response (A 0.0.0.0, AAAA ::) for blocking.


Best,
Dominik




It seems like this behavior can be achieved in dnsmasq via the syntax

local=/example.com/127.0.0.1

Great. Since we run this on routers (Tomato) the dnsmasq configuration 
file size matters.


Bottom line: Could we have a shortcut char for REFUSED as well e.g.

local/example.com/%

As an alternative request... is it a good idea to re-think the 
shortcut approach and simply allow the RFC's RCODE after the last 
slash to return the corresponding RCODE name? e.g.


local/example.com/2 // ServFail
local/example.com/9 // notAuth
etc?

Thanks



Re: [Dnsmasq-discuss] [PATCH] Update DNS records after pruning DHCP leases

2024-05-18 Thread Dominik Derigs via Dnsmasq-discuss

Dear list,

we have added this commit to the currently running Pi-hole v6.0 beta. It 
was confirmed by multiple users to fix aforementioned issues.


https://github.com/pi-hole/FTL/pull/1965

Have a great weekend!
Dominik

On 29.04.24 20:44, Erik Karlsson wrote:

From: Erik Karlsson 

Not doing so can result in a use after free since the name for DHCP
derived DNS records is represented as a pointer into the DHCP lease
table. Update will only happen when necessary since lease_update_dns
tests internally on dns_dirty and the force argument is zero.

Signed-off-by: Erik Karlsson 
---
  src/dnsmasq.c | 1 +
  1 file changed, 1 insertion(+)

diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index a9f26ae..1be3b82 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -1518,6 +1518,7 @@ static void async_event(int pipe, time_t now)
  {
lease_prune(NULL, now);
lease_update_file(now);
+   lease_update_dns(0);
  }
  #ifdef HAVE_DHCP6
else if (daemon->doing_ra)
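Review bot: the added lease_update_dns(0) only does something when lease_prune has set dns_dirty, as the commit message relies on; if lease_prune can free a lease name without marking the table dirty, this call is a no-op and the dangling pointer remains, so that path is worth checking. The same prune-then-update pairing should also be applied wherever else leases are pruned (the thread itself asks whether more lease_update_dns(0) calls are missing), not only in this branch of async_event.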




[Dnsmasq-discuss] [PATCH] Fix double free() corruption due to config

2024-06-17 Thread Dominik Derigs via Dnsmasq-discuss

Hey Simon,

the attached patch fixes a double free() corruption leading to a crash 
during startup of dnsmasq. The crash can be reproduced by using a 
rev-server address with a prefix length != {8,16,24,32}, e.g.


rev-server=192.168.0.0/25,home.mydomain.com

The crash is caused by freeing too early (within the loop). The crash 
does not happen for prefix lengths {8,16,24,32} as the loop runs only 
once. However, for other prefixes, the loop runs more often (e.g. 128x 
for /25 networks as above).


Best,
Dominik
From bf4c149f814ce2826f7db487a44d3eef7209ba14 Mon Sep 17 00:00:00 2001
From: DL6ER 
Date: Mon, 17 Jun 2024 17:36:43 +0200
Subject: [PATCH] Fix crash caused by double free() corruption encountered with
 rev-server addresses with prefix lengths != {8,16,24,32}

Signed-off-by: DL6ER 
---
 src/option.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/option.c b/src/option.c
index f4ff7c0..8fc2950 100644
--- a/src/option.c
+++ b/src/option.c
@@ -1188,11 +1188,11 @@ static char *domain_rev4(int from_file, char *server, struct in_addr *addr4, int
 	  if (!add_update_server(flags, _addr, _addr, interface, domain, NULL))
 		return  _("error");
 	}
-
-	  if (sdetails.orig_hostinfo)
-	freeaddrinfo(sdetails.orig_hostinfo);
 	}
 }
+
+if (sdetails.orig_hostinfo)
+  freeaddrinfo(sdetails.orig_hostinfo);
   
   return NULL;
 }
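Review bot: moving freeaddrinfo(sdetails.orig_hostinfo) below the loop in domain_rev4 fixes the repeated free, but the `return _("error")` inside the loop now leaves the function without reaching the release, so orig_hostinfo leaks on that path; freeing it before the return (or jumping to a common cleanup label) keeps the fix leak-free. Also confirm sdetails.orig_hostinfo is initialised to NULL on every path that reaches the new check, since it is now tested unconditionally after the loop rather than only where a lookup happened.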
@@ -1276,11 +1276,11 @@ static char *domain_rev6(int from_file, char *server, struct in6_addr *addr6, in
 	  if (!add_update_server(flags, _addr, _addr, interface, domain, NULL))
 		return  _("error");
 	}
-
-	  if (sdetails.orig_hostinfo)
-	freeaddrinfo(sdetails.orig_hostinfo);
 	}
 }
+
+if (sdetails.orig_hostinfo)
+  freeaddrinfo(sdetails.orig_hostinfo);
   
   return NULL;
 }
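Review bot: in domain_rev6 the `return _("error")` inside the loop now skips the freeaddrinfo() call that has been moved below the loop, leaking sdetails.orig_hostinfo on the error path; release it before returning. The unconditional check after the loop also relies on sdetails.orig_hostinfo being NULL when no lookup took place, which should be verified at the point the struct is set up.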
-- 
2.34.1



[Dnsmasq-discuss] New query type WALLET

2024-06-24 Thread Dominik Derigs via Dnsmasq-discuss

Hey Simon,

yesterday, the IANA started listing a new query type WALLET that was
assigned RRType 262.

Best,
Dominik
From 4b7b659503cacdccbcdffc48bfecea54a7da1f64 Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Fri, 21 Jun 2024 20:59:04 +0200
Subject: [PATCH] Add newly assigned RRTYPE WALLET (262)

Signed-off-by: Dominik Derigs 
---
 src/cache.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/cache.c b/src/cache.c
index 0eacec9..89031ec 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -125,6 +125,7 @@ static const struct {
   { 259, "DOA" }, /* Digital Object Architecture [draft-durand-doa-over-dns] DOA/doa-completed-template 2017-08-30*/
   { 260, "AMTRELAY" }, /* Automatic Multicast Tunneling Relay [RFC8777] AMTRELAY/amtrelay-completed-template 2019-02-06*/
   { 261, "RESINFO" }, /* Resolver Information as Key/Value Pairs https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/06/ */
+  { 262, "WALLET" }, /* Public wallet address https://www.iana.org/assignments/dns-parameters/WALLET/wallet-completed-template */
   { 32768,  "TA" }, /* DNSSEC Trust Authorities [Sam_Weiler][http://cameo.library.cmu.edu/][ Deploying DNSSEC Without a Signed Root. Technical Report 1999-19, Information Networking Institute, Carnegie Mellon University, April 2004.] 2005-12-13*/
   { 32769,  "DLV" }, /* DNSSEC Lookaside Validation (OBSOLETE) [RFC8749][RFC4431] */
 };
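Review bot: the neighbouring entries carry the IANA registration date after the reference (e.g. `2019-02-06` for AMTRELAY); adding the WALLET assignment date in the same form keeps the table consistent and makes later audits against the registry easier. The type number and name themselves match what the cover letter states (RRTYPE 262, WALLET).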
-- 
2.34.1


