Update embedded dnsmasq to v2.89 #1522

Merged
merged 7 commits into from
Feb 7, 2023
DL6ER (Member) commented Jan 15, 2023

What does this implement/fix?

Update the embedded dnsmasq to v2.89

This fixes a very severe albeit almost impossible to trigger internal cache bug.

CHANGELOG

version 2.89
        Fix bug introduced in 2.88 (commit fe91134b) which can result
	in corruption of the DNS cache internal data structures and
	logging of "cache internal error". This has only been seen
	in one place in the wild, and it took considerable effort
	to even generate a test case to reproduce it, but there's
	no way to be sure it won't strike, and the effect is to break
	the cache badly. Installations with DNSSEC enabled are more
	likely to see the problem, but not running DNSSEC does not
	guarantee that it won't happen. Thanks to Timo van Roermund
	for reporting the bug and for his great efforts in chasing
	it down.

This release furthermore adds a Pi-hole-provided feature to reduce the footprint/identifiability of your DNS server.


By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)

Checklist:

  • The code change is tested and works locally.
  • I based my code and PRs against the repository's developmental branch.
  • I signed off all commits. Pi-hole enforces the DCO for all contributions.
  • I signed all my commits. Pi-hole requires signatures to verify authorship.
  • I have read the above and my PR is ready for review.

simonkelley and others added 7 commits January 15, 2023 07:54
This is code which should never run, but if it does,
we now log information useful for debugging.

Signed-off-by: DL6ER <dl6er@dl6er.de>
If there are multiple cache records with the same name but different
F_REVERSE and/or F_IMMORTAL flags, the code added in fe9a134b could
conceivably break the REVERSE-FORWARD-IMMORTAL order invariant.

Reproducing this is damn near impossible, but it is responsible
for rare and otherwise inexplicable reversion between 2.87 and 2.88
which manifests itself as a cache internal error. All observed
cases have depended on DNSSEC being enabled, but the bug could in
theory manifest itself without DNSSEC.

Thanks to Timo van Roermund for reporting the bug and huge
efforts to isolate it.

Signed-off-by: DL6ER <dl6er@dl6er.de>
DL6ER marked this pull request as ready for review February 7, 2023 18:12
DL6ER requested a review from a team February 7, 2023 18:12
DL6ER merged commit a8a75d8 into development Feb 7, 2023
@pralor-bot

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pi-hole-ftl-v5-21-web-v5-18-4-and-core-v5-15-4-released/61096/1
