Update embedded dnsmasq to v2.90 (Pi-hole v5) #1881

Merged 24 commits on Feb 13, 2024

Commits on Feb 8, 2024

  1. Log truncated DNS replies.

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 8, 2024
    b650631
  2. Necessary changes to handle the most recent dnsmasq changes in FTL

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    DL6ER committed Feb 8, 2024
    d38a0a6
  3. Behave better when attempting to contact unresponsive TCP servers.

    By default TCP connect takes minutes to fail when trying to
    connect a server which is not responding and for which the
    network layer doesn't generate HOSTUNREACH errors.
    
    This is doubled because having failed to connect in FASTOPEN
    mode, the code then tries again with a call to connect().
    
    We set TCP_SYNCNT to 2, which makes the timeout about 10 seconds.
    This is an unportable Linux feature, so it doesn't work on other
    platforms.
    
    No longer try connect() if sendmsg in fastopen mode fails with
    ETIMEDOUT or EHOSTUNREACH since the story will just be the same.
    
    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 8, 2024
    6b48e6d
  4. =/== typo in last commit.

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 8, 2024
    6cc10f7
  5. Update changed indentation of known DNSMASQ warning

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    DL6ER committed Feb 8, 2024
    0a90f07

Commits on Feb 9, 2024

  1. Force-update embedded dnsmasq version. We are losing the individual …

    …dnsmasq history of the ~ last year, however, given the multitude of merge conflicts and the fact that this code will soon(ish) be replaced by development-v6 (where the history is 100% intact), this isn't much of an issue
    
    Signed-off-by: DL6ER <dl6er@dl6er.de>
    DL6ER committed Feb 9, 2024
    45c342a

Commits on Feb 13, 2024

  1. Tweak logging and special handling of T_ANY in rr-filter code.

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    cc98853
  2. Make --filter-rr=ANY filter the answer to ANY queries.

    Thanks to Dominik Derigs for an earlier patch which inspired this.
    
    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    9091f18
  3. Update embedded dnsmasq version to 2.90test4

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    DL6ER committed Feb 13, 2024
    91b924d
  4. Protection against pathological DNSSEC domains.

    An attacker can create DNSSEC signed domains which need a lot of
    work to verify. We limit the number of crypto operations to
    avoid DoS attacks by CPU exhaustion.
    
    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    108ab67
  5. Update header with new EDE values.

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    bf17dd3
  6. Update NSEC3 iterations handling to conform with RFC 9276.

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    70b0431
  7. Measure cryptographic work done by DNSSEC.

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    dd11688
  8. Fix error introduced in 635bc51cac3d5d7dd49ce9e27149cf7e402b7e79

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    2e0d8ff
  9. Parameterise work limits for DNSSEC validation.

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    a133029
  10. Update EDE code -> text conversion.

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    8b9c5d3
  11. Rework validate-by-DS to avoid DoS vuln without arbitrary limits.

    By calculating the hash of a DNSKEY once for each digest algo,
    we reduce the hashing work from (no. DS) x (no. DNSKEY) to
    (no. DNSKEY) x (no. distinct digests)
    
    The number of distinct digests can never be more than 255 and
    it's limited by which hashes we implement, so currently only 4.
    
    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    0ce9541
  12. Overhaul data checking in NSEC code.

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    c32b467
  13. Better stats and logging from DNSSEC resource limiting.

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    a389bcc
  14. Better allocation code for DS digest cache.

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    c3bc0f9
  15. Add --dnssec-limits option.

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    fbc5713
  16. Reverse suppression of ANY query answer logging.

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    simonkelley authored and DL6ER committed Feb 13, 2024
    65402b1
  17. Update expected dnsmasq warnings

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    DL6ER committed Feb 13, 2024
    3e32d96
  18. Update dnsmasq version to 2.90

    Signed-off-by: DL6ER <dl6er@dl6er.de>
    DL6ER committed Feb 13, 2024
    3bb1fcf
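
The hashing-work reduction described in the "Rework validate-by-DS" commit (0ce9541), as an added example that is not dnsmasq or FTL code. The records are simplified, `toy_digest` is a non-cryptographic stand-in for the real digest algorithms, and all names and sample data are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed, simplified records; real DS/DNSKEY RRs carry more fields. */
struct ds { uint8_t digest_type; uint32_t digest; };
struct dnskey { const char *rdata; };
static unsigned long hash_ops; /* digest computations performed so far */

/* Toy non-cryptographic stand-in (FNV-1a); always odd, so even decoys never match. */
static uint32_t toy_digest(uint8_t type, const char *p)
{
  uint32_t h = 2166136261u ^ type;
  hash_ops++;
  for (; *p; p++) { h ^= (uint8_t)*p; h *= 16777619u; }
  return h | 1u;
}

/* Before: every (DNSKEY, DS) pair costs one hash. */
static int match_naive(const struct dnskey *k, int nk, const struct ds *d, int nd)
{
  for (int i = 0; i < nk; i++)
    for (int j = 0; j < nd; j++)
      if (toy_digest(d[j].digest_type, k[i].rdata) == d[j].digest) return i;
  return -1;
}

/* After: per DNSKEY, each digest type is hashed once and then reused. */
static int match_cached(const struct dnskey *k, int nk, const struct ds *d, int nd)
{
  for (int i = 0; i < nk; i++) {
    uint32_t cache[256]; uint8_t have[256] = {0}; /* indexed by digest type */
    for (int j = 0; j < nd; j++) {
      uint8_t t = d[j].digest_type;
      if (!have[t]) { cache[t] = toy_digest(t, k[i].rdata); have[t] = 1; }
      if (cache[t] == d[j].digest) return i;
    }
  }
  return -1;
}

/* Worst case: 3 DNSKEYs against 40 non-matching DS records of 2 digest types. */
static unsigned long worst_case_ops(int cached)
{
  struct dnskey keys[3] = { {"constructed-key-A"}, {"constructed-key-B"}, {"constructed-key-C"} };
  struct ds set[40];
  for (int j = 0; j < 40; j++) { set[j].digest_type = (j % 2) ? 4 : 2; set[j].digest = 2u * j; }
  hash_ops = 0;
  if (cached) match_cached(keys, 3, set, 40); else match_naive(keys, 3, set, 40);
  return hash_ops;
}
int main(void) { printf("naive=%lu cached=%lu\n", worst_case_ops(0), worst_case_ops(1)); return 0; }
```

The naive count grows with the number of DS records a zone publishes, while the cached count depends only on the number of DNSKEYs and distinct digest types.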