dnsmasq

mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 10:18:25 +00:00

Author	SHA1	Message	Date
Simon Kelley	597378cdf5	Turn "used" member of struct iname into flags in preparation for more.	2023-04-12 16:25:49 +01:00
Simon Kelley	df242de5c6	Bump copyrights to 2023.	2023-04-05 12:34:34 +01:00
Simon Kelley	a3c8b75972	Add filtering of arbitrary RR-types.	2023-03-29 22:43:21 +01:00
Simon Kelley	638c7c4d20	Add --cache-rr to enable caching of arbitrary RR types.	2023-03-23 17:15:35 +00:00
Simon Kelley	c0e731d545	Further optimisation of --port-limit. No longer try and fail to open every port when the port range is in complete use; go straight to re-using an existing socket. Die at startup if port range is smaller than --port-limit, since the code behaves badly in this case.	2022-09-09 23:15:50 +01:00
Simon Kelley	d334e7c34f	Add --use-stale-cache option.	2022-09-06 22:43:33 +01:00
Simon Kelley	d21438a7df	Add --fast-dns-retry option. This gives dnsmasq the ability to originate retries for upstream DNS queries itself, rather than relying on the downstream client. This is most useful when doing DNSSEC over unreliable upstream network. It comes with some cost in memory usage and network bandwidth.	2022-09-06 22:43:33 +01:00
袁建鹏	1a98d1a94f	Add inode compare while checking resolv file change Fix a bug found on OpenWrt when IPv4/6 dual stack enabled: The resolv file is located on tmpfs whose mtime resolution is 1 second. If the resolv file is updated twice within one second dnsmasq may can't notice the second update. netifd updates the resolv file with method: write temp then move, so adding an inode check fixes this bug.	2022-04-18 15:25:54 +01:00
Simon Kelley	fa580ad3eb	Handle changing interface indexes when binding DHCP sockets.	2022-02-03 17:26:28 +00:00
Simon Kelley	c6d4c33d61	Bump copyright to 2022.	2022-01-24 15:19:00 +00:00
Simon Kelley	4165c1331b	Fix fail to build when NO_SCRIPT set.	2022-01-03 23:31:15 +00:00
Simon Kelley	d242cbffa4	Add snooping of DHCPv6 prefix delegation to the DHCP-relay function.	2021-12-30 21:20:37 +00:00
Dominik Derigs	72fac0810c	dnsmasq.h has to be included first as it sources config.h Signed-off-by: DL6ER <dl6er@dl6er.de>	2021-10-07 09:28:34 +01:00
Petr Menšík	ad32ca18a7	Enable locale support for IDN at startup --address=/münchen.de/ is not accepted unless LOCALEDIR is defined on build. It is not by default. If LIBIDN1 or 2 is defined, call setlocale to initialize locale required to translate domains to ascii form. Signed-off-by: Petr Menšík <pemensik@redhat.com>	2021-10-06 23:23:51 +01:00
Simon Kelley	d290630d31	Fix crash after re-reading an empty resolv.conf file. If dnsmasq re-reads a resolv file, and it's empty, it will retry after a delay. In the meantime, the old servers from the resolv file have been deleted, but the servers_array doesn't get updated, leading to dangling pointers and crashes. Thanks to Brad Jorsch for finding and analysing this bug. This problem was introduced in 2.86.	2021-10-06 22:31:06 +01:00
Simon Kelley	47aefca5e4	Add --nftset option, like --ipset but for the newer nftables. Thanks to Chen Zhenge for the original patch, which I've reworked. Any bugs down to SRK.	2021-09-27 21:49:28 +01:00
Petr Menšík	e3651367b3	Fix coverity detected issues in dnsmasq.c Error: DEADCODE (CWE-561): [#def12] dnsmasq-2.86rc3/src/dnsmasq.c:37: assignment: Assigning: "bind_fallback" = "0". dnsmasq-2.86rc3/src/dnsmasq.c:927: const: At condition "bind_fallback", the value of "bind_fallback" must be equal to 0. dnsmasq-2.86rc3/src/dnsmasq.c:927: dead_error_condition: The condition "bind_fallback" cannot be true. dnsmasq-2.86rc3/src/dnsmasq.c:928: dead_error_line: Execution cannot reach this statement: "my_syslog(4, "setting --bin...". dnsmasq-2.86rc3/src/dnsmasq.c:928: effectively_constant: Local variable "bind_fallback" is assigned only once, to a constant value, making it effectively constant throughout its scope. If this is not the intent, examine the logic to see if there is a missing assignment that would make "bind_fallback" not remain constant. # 926\| # 927\| if (bind_fallback) # 928\|-> my_syslog(LOG_WARNING, _("setting --bind-interfaces option because of OS limitations")); # 929\| # 930\| if (option_bool(OPT_NOWILD)) Error: REVERSE_NEGATIVE (CWE-191): [#def13] dnsmasq-2.86rc3/src/dnsmasq.c:383: negative_sink_in_call: Passing "dnsmasq_daemon->pxefd" to a parameter that cannot be negative. dnsmasq-2.86rc3/src/dnsmasq.c:1086: check_after_sink: You might be using variable "dnsmasq_daemon->pxefd" before verifying that it is >= 0. # 1084\| { # 1085\| poll_listen(daemon->dhcpfd, POLLIN); # 1086\|-> if (daemon->pxefd != -1) # 1087\| poll_listen(daemon->pxefd, POLLIN); # 1088\| } Error: CHECKED_RETURN (CWE-252): [#def18] dnsmasq-2.86rc3/src/dnsmasq.c:1582: check_return: Calling "fcntl(dnsmasq_daemon->helperfd, 4, i & 0xfffffffffffff7ff)" without checking return value. This library function may fail and return an error code. # 1580\| /* block in writes until all done / # 1581\| if ((i = fcntl(daemon->helperfd, F_GETFL)) != -1) # 1582\|-> fcntl(daemon->helperfd, F_SETFL, i & ~O_NONBLOCK); # 1583\| do { # 1584\| helper_write(); Error: CHECKED_RETURN (CWE-252): [#def22] dnsmasq-2.86rc3/src/dnsmasq.c:1991: check_return: Calling "fcntl(confd, 4, flags & 0xfffffffffffff7ff)" without checking return value. This library function may fail and return an error code. # 1989\| Reset that here. / # 1990\| if ((flags = fcntl(confd, F_GETFL, 0)) != -1) # 1991\|-> fcntl(confd, F_SETFL, flags & ~O_NONBLOCK); # 1992\| # 1993\| buff = tcp_request(confd, now, &tcp_addr, netmask, auth_dns); Error: CHECKED_RETURN (CWE-252): [#def26] dnsmasq-2.86rc3/src/dnssec.c:727: check_return: Calling "extract_name" without checking return value (as is done elsewhere 9 out of 10 times). dnsmasq-2.86rc3/src/dnssec.c:459: example_checked: Example 1: "extract_name(header, plen, &p, keyname, 1, 0)" has its value checked in "extract_name(header, plen, &p, keyname, 1, 0)". dnsmasq-2.86rc3/src/dnssec.c:269: example_checked: Example 2: "extract_name(header, plen, &state->ip, state->buff, 1, 0)" has its value checked in "extract_name(header, plen, &state->ip, state->buff, 1, 0)". dnsmasq-2.86rc3/src/dnssec.c:569: example_checked: Example 3: "extract_name(header, plen, &p, keyname, 1, 0)" has its value checked in "extract_name(header, plen, &p, keyname, 1, 0)". dnsmasq-2.86rc3/src/rfc1035.c:648: example_checked: Example 4: "extract_name(header, qlen, &p1, name, 1, 0)" has its value checked in "extract_name(header, qlen, &p1, name, 1, 0)". dnsmasq-2.86rc3/src/rfc1035.c:787: example_checked: Example 5: "extract_name(header, qlen, &p1, name, 1, 0)" has its value checked in "extract_name(header, qlen, &p1, name, 1, 0)". # 725\| /* namebuff used for workspace above, restore to leave unchanged on exit / # 726\| p = (unsigned char)(rrset[0]); # 727\|-> extract_name(header, plen, &p, name, 1, 0); # 728\| # 729\| if (key) Error: CHECKED_RETURN (CWE-252): [#def27] dnsmasq-2.86rc3/src/dnssec.c:1020: check_return: Calling "extract_name" without checking return value (as is done elsewhere 7 out of 8 times). dnsmasq-2.86rc3/src/auth.c:140: example_checked: Example 1: "extract_name(header, qlen, &p, name, 1, 4)" has its value checked in "extract_name(header, qlen, &p, name, 1, 4)". dnsmasq-2.86rc3/src/dnssec.c:771: example_checked: Example 2: "extract_name(header, plen, &p, name, 1, 4)" has its value checked in "extract_name(header, plen, &p, name, 1, 4)". dnsmasq-2.86rc3/src/hash-questions.c:57: example_checked: Example 3: "extract_name(header, plen, &p, name, 1, 4)" has its value checked in "extract_name(header, plen, &p, name, 1, 4)". dnsmasq-2.86rc3/src/rfc1035.c:1028: example_checked: Example 4: "extract_name(header, qlen, &p, name, 1, 4)" has its value checked in "extract_name(header, qlen, &p, name, 1, 4)". dnsmasq-2.86rc3/src/rfc1035.c:1438: example_checked: Example 5: "extract_name(header, qlen, &p, name, 1, 4)" has its value checked in "extract_name(header, qlen, &p, name, 1, 4)". # 1018\| # 1019\| p = (unsigned char )(header+1); # 1020\|-> extract_name(header, plen, &p, name, 1, 4); # 1021\| p += 4; / qtype, qclass */ # 1022\|	2021-09-11 22:08:14 +01:00
Simon Kelley	daddc8cb80	Merge branch 'master' of ssh://thekelleys.org.uk/var/local/git/dnsmasq	2021-08-10 23:15:46 +01:00
Petr Menšík	527c3c7d0d	Remove remaining uses of deprecated inet_ntoa()	2021-08-10 22:50:33 +01:00
Simon Kelley	a163c63787	CONNTRACK needs CAP_NET_ADMIN.	2021-08-05 23:40:04 +01:00
Simon Kelley	06df5ad7d0	Tidy up interface to dbus and ubus modules. Consistently treat a non-NULL return from [ud]bus-init() as a fatal error: either die() if still starting, or log an error and disable the relevant module if dnsmasq has already started. Also rationalise calls to set and check listeners depending on configuration.	2021-06-27 20:56:58 +01:00
Simon Kelley	85bc7534da	Rationalise --server parsing and datastructure building. Use add_update_server for everything.	2021-06-25 22:09:08 +01:00
Simon Kelley	25ff956c7d	Tidy up name buffer use in report_addresses(). Buffer may need to be twice MAXDNAME is escaping is enabled in extract_name. The name may include weird characters.	2021-06-21 15:05:28 +01:00
Simon Kelley	3236f358f8	Revise resource handling for number of concurrent DNS queries. This used to have a global limit, but that has a problem when using different servers for different upstream domains. Queries which are routed by domain to an upstream server which is not responding will build up and trigger the limit, which breaks DNS service for all other domains which could be handled by other servers. The change is to make the limit per server-group, where a server group is the set of servers configured for a particular domain. In the common case, where only default servers are declared, there is no effective change.	2021-06-13 21:29:22 +01:00
Simon Kelley	3c93e8eb41	Re-order UBus initialisation to avoid logging before logs set up.	2021-06-08 23:13:48 +01:00
Simon Kelley	ad90eb075d	Fix bug in TCP process handling. Fix bug which caused dnsmasq to lose track of processes forked to handle TCP DNS connections under heavy load. The code checked that at least one free process table slot was available before listening on TCP sockets, but didn't take into account that more than one TCP connection could arrive, so that check was not sufficient to ensure that there would be slots for all new processes. It compounded this error by silently failing to store the process when it did run out of slots. Even when this bug is triggered, all the right things happen, and answers are still returned. Only under very exceptional circumstances, does the bug manifest itself: see https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014976.html Thanks to Tijs Van Buggenhout for finding the conditions under which the bug manifests itself, and then working out exactly what was going on.	2021-04-09 16:08:05 +01:00
Simon Kelley	ea28d0ef8a	Scale the DNS random scket pool on the value of dns-forward-max.	2021-03-26 22:02:04 +00:00
Simon Kelley	4a8c098840	Change the method of allocation of random source ports for DNS. Previously, without min-port or max-port configured, dnsmasq would default to the compiled in defaults for those, which are 1024 and 65535. Now, when neither are configured, it defaults instead to the kernel's ephemeral port range, which is typically 32768 to 60999 on Linux systems. This change eliminates the possibility that dnsmasq may be using a registered port > 1024 when a long-running daemon starts up and wishes to claim it. This change does likely slighly reduce the number of random ports and therefore the protection from reply spoofing. The older behaviour can be restored using the min-port and max-port config switches should that be a concern.	2021-03-26 21:19:39 +00:00
Simon Kelley	74d4fcd756	Use random source ports where possible if source addresses/interfaces in use. CVE-2021-3448 applies. It's possible to specify the source address or interface to be used when contacting upstream nameservers: server=8.8.8.8@1.2.3.4 or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of these have, until now, used a single socket, bound to a fixed port. This was originally done to allow an error (non-existent interface, or non-local address) to be detected at start-up. This means that any upstream servers specified in such a way don't use random source ports, and are more susceptible to cache-poisoning attacks. We now use random ports where possible, even when the source is specified, so server=8.8.8.8@1.2.3.4 or server=8.8.8.8@eth0 will use random source ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will use the explicitly configured port, and should only be done with understanding of the security implications. Note that this change changes non-existing interface, or non-local source address errors from fatal to run-time. The error will be logged and communiction with the server not possible.	2021-03-17 20:39:33 +00:00
Simon Kelley	c8e8f5c204	Bump copyright notices for 2021. Happy New Year!	2021-01-24 21:59:37 +00:00
Simon Kelley	e75069f79a	Tidy initialisation in hash_questions.c	2021-01-22 22:50:25 +00:00
Simon Kelley	e2cb655958	Thorough clean-up following `8270648da1`.	2020-06-20 22:30:12 +01:00
Frank	8270648da1	Fix memory corruption on EAGAIN return from pipe during TCP requests. This patch fixes a buffer overflow in TCP requests. Since the read is not actually being retried, the byte written by the child can be left in the pipe. When that happens, cache_recv_insert() reads the length of the name, which is now multiplied by 256 due to the extra 0 byte (8 bit shift) and results in daemon->namebuff being overflowed. Namebuff is immediately before the daemon struct in memory so it ends up corrupting the beginning of the daemon struct.	2020-06-20 15:17:56 +01:00
Petr Mensik	951a22165c	Compare address and interface index for allowed interface If interface is recreated with the same address but different index, it would not change any other parameter. Test also address family on incoming TCP queries.	2020-04-29 00:04:29 +01:00
Simon Kelley	913fa15fb1	Convert failure of setsockopt(..., SOL_NETLINK, NETLINK_NO_ENOBUFS, ...) into warning. We call this, which avoids POLLERR returns from netlink on a loaded system, if the kernel is new enough to support it. Sadly, qemu-user doesn't support the socket option, so if it fails despite the kernel being new enough to support it, we just emit a warning, rather than failing hard.	2020-04-19 23:16:52 +01:00
Geert Stappers	ba26d3485b	[PATCH] src/dnsmasq.c: Labeled a lonely #endif	2020-04-06 15:42:39 +01:00
Simon Kelley	8caf3d7c6c	Fix rare problem allocating frec for DNSSEC. A call to get_new_frec() for a DNSSEC query could manage to free the original frec that we're doing the DNSSEC query to validate. Bad things then happen. This requires that the original frec is old, so it doesn't happen in practice. I found it when running under gdb, and there have been reports of SEGV associated with large system-clock warps which are probably the same thing.	2020-04-04 17:00:32 +01:00
Simon Kelley	0506a5ed4e	Handle old kernels that don't do NETLINK_NO_ENOBUFS. Deal with both old kernel header files that don't define it, and old kernels that don't implement it. Also generalise Linux kernel version handling.	2020-03-19 21:56:45 +00:00
Kevin Darbyshire-Bryant	70c50efd0d	suppress non linux network unused var warnings Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>	2020-03-08 15:09:44 +00:00
Simon Kelley	0541a1adf7	Factor out closing all file descriptors for later optimisation.	2020-03-02 17:10:25 +00:00
Simon Kelley	77476580ed	Fix problem with netlink socket and TCP DNS. When dnsmasq forks a child to handle a TCP connection, that child inherits the netlink socket that the main process has open. The child never uses that socket, but there's a chance that when the main process uses the netlink socket, the answer will go to a child process which has a copy of the socket. This causes the main process to block forever awaiting the answer which never comes. The solution is for the child process to close the netlink socket it inherits after the fork(). There's a nasty race because the error decribed above could still occur in the window between the fork() and the close() syscalls. That's fixed by blocking the parent awaiting a single byte sent though the pipe the two processes share. This byte is sent by the child after calling close() on the netlink socket. Thanks to Alin Năstac for spotting this.	2020-02-09 23:19:41 +00:00
Simon Kelley	2ac4cf0146	Tweaks to TFTP. Fail on overlarge files (block numbers are limited to 16 bits) Honour tftp-max setting in single port mode. Tweak timeouts, and fix logic which suppresses errors if the last ACK is missing.	2020-01-06 23:39:33 +00:00
Simon Kelley	2a8710ac2f	Update copyrights to 2020.	2020-01-05 16:40:06 +00:00
Simon Kelley	66f62650c3	Add --tftp-single-port option.	2020-01-05 16:21:24 +00:00
Simon Kelley	defd6b1d85	Fix `90d7c6b97d` CAP_NET_RAW, not CAP_NET_ADMIN.	2019-09-16 23:02:12 +01:00
Simon Kelley	90d7c6b97d	Keep suitable capabilities if we may bind server sockets to interface or port.	2019-09-14 21:13:03 +01:00
Simon Kelley	ae7a3b9d2e	DNSSEC: implement RFC-4036 para 5.3.3. rules on TTL values.	2019-09-03 14:40:47 +01:00
Jan Willem Janssen	a2b8220f4e	Improved UBus supported - aligned the handling of UBus connections with the DBus code as it makes it a bit easier to comprehend; - added logging to the various UBus calls to aid debugging from an enduser point of view, but be careful to not flood the logs; - show the (lack of) support for UBus in the configuration string.	2019-04-04 15:58:07 +01:00
Simon Kelley	5fc639cf9a	Don't retry close() syscalls after an EINTR errors. http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012953.html	2019-03-29 21:29:43 +00:00
Simon Kelley	305ffb5ef0	Improve kernel-capability manipulation code under Linux. Dnsmasq now fails early if a required capability is not available, and tries not to request capabilities not required by its configuration.	2019-03-16 18:17:17 +00:00

1 2 3 4 5

241 Commits