Simon Kelley
9e67099ce7
Tidy up replies to non-QUERY DNS opcodes in auth mode.
2025-04-22 18:07:24 +01:00
Simon Kelley
e3a2c8dadf
Add --log-queries=auth option.
2025-04-20 22:20:52 +01:00
Simon Kelley
6e6a45a7d9
Bump copyrights to 2025.
2025-01-23 17:08:39 +00:00
Simon Kelley
995a16ca0c
Implement "DNS-0x20 encoding".
...
This provides extra protection against reply-spoof attacks.
Since DNS queries are case-insensitive, it's possible to randomly flip
the case of letters in a query and still get the correct answer back.
This adds an extra dimension for a cache-poisoning attacker to guess
when sending replies in-the-blind since it's expected that the
legitimate answer will have the same pattern of upper and lower case
as the query, so any replies which don't can be ignored as
malicious.
The amount of extra entropy clearly depends on the number
of a-z and A-Z characters in the query, and this implementation puts a
hard limit of 32 bits to make resource allocation easy. This about
doubles entropy over the standard random ID and random port
combination.
2025-01-19 21:54:58 +00:00
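The following is an added illustration of the scheme described in the commit message above; it is not dnsmasq's code. It encodes a query name with a random case pattern (capped at 32 letters, as the message states), counts the entropy a given name can carry, and checks a reply's question name against the pattern that was sent. The function names, the 32-bit constant's spelling and the sample name are constructed for this example; in real use the bits would come from a CSPRNG rather than the fixed value used here.

```c
/* Added example: DNS-0x20 case randomisation of a query name and the
 * matching check on a reply. Illustrative code written for this page,
 * not dnsmasq's implementation; the cap and the names are assumptions
 * taken from the commit message. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_0X20_BITS 32   /* hard cap on randomised letters, per the commit */

/* Bits of 0x20 entropy a name can carry: one per letter, capped at
 * MAX_0X20_BITS. Digits, hyphens and dots contribute nothing. */
int dns0x20_entropy_bits(const char *name)
{
    int letters = 0;
    for (; *name; name++)
        if (isalpha((unsigned char)*name))
            letters++;
    return letters < MAX_0X20_BITS ? letters : MAX_0X20_BITS;
}

/* Rewrite the case of the first MAX_0X20_BITS letters of name in place,
 * letter i taking bit i of `bits` (1 = upper, 0 = lower). The caller keeps
 * the encoded name so the reply can be checked against it.
 * Returns the number of letters randomised. */
int dns0x20_encode(char *name, uint32_t bits)
{
    int used = 0;
    for (char *p = name; *p && used < MAX_0X20_BITS; p++) {
        if (!isalpha((unsigned char)*p))
            continue;
        *p = (bits >> used) & 1 ? toupper((unsigned char)*p)
                                : tolower((unsigned char)*p);
        used++;
    }
    return used;
}

enum reply_verdict {
    REPLY_SUSPECT = -1,   /* same name, wrong case pattern: drop as spoof */
    REPLY_OTHER_NAME = 0, /* answer to some other question */
    REPLY_ACCEPT = 1      /* case pattern echoed exactly */
};

/* Compare the question name in a reply with the name as sent. A legitimate
 * server copies the question verbatim, so a name that matches only
 * case-insensitively was produced by someone who never saw our query. */
enum reply_verdict dns0x20_check(const char *sent, const char *reply)
{
    size_t i;
    for (i = 0; sent[i] && reply[i]; i++)
        if (tolower((unsigned char)sent[i]) != tolower((unsigned char)reply[i]))
            return REPLY_OTHER_NAME;
    if (sent[i] || reply[i])
        return REPLY_OTHER_NAME;
    return strcmp(sent, reply) == 0 ? REPLY_ACCEPT : REPLY_SUSPECT;
}

int main(void)
{
    char qname[] = "www.example.com";   /* constructed sample query name */
    uint32_t bits = 0xA5A5A5A5u;        /* fixed stand-in for CSPRNG output */
    int n = dns0x20_encode(qname, bits);
    printf("sent %s (%d bits of 0x20 entropy)\n", qname, n);
    printf("all-lowercase reply verdict: %d\n",
           dns0x20_check(qname, "www.example.com"));
    return 0;
}
```

The check keeps three outcomes apart on purpose: a reply for a different name is simply not ours, while a reply for the right name with the wrong case pattern is the signature of a blind spoofing attempt and is worth logging separately. Note that a short name such as "a.io" yields only three bits of extra entropy, so the protection is strongest for typical multi-label names.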
Simon Kelley
b72ecb3a59
Fix log message fields in wrong order in some auth replies.
2025-01-18 23:56:23 +00:00
Simon Kelley
481ff0ed10
Logging tweaks.
2024-11-25 10:17:50 +00:00
Simon Kelley
04d7693d86
Tweak logging for truncated replies.
2024-11-24 22:13:44 +00:00
Simon Kelley
163c05c61d
Make locally generated truncated answers consistent.
...
process_reply() is no longer doing this.
2024-11-24 08:42:33 +00:00
Simon Kelley
d2790914df
More edns0 rationalisation.
2024-11-24 00:37:40 +00:00
Simon Kelley
b5820d1fd8
Bump copyright to 2024.
2024-01-13 22:20:04 +00:00
Simon Kelley
df242de5c6
Bump copyrights to 2023.
2023-04-05 12:34:34 +01:00
Simon Kelley
c6d4c33d61
Bump copyright to 2022.
2022-01-24 15:19:00 +00:00
Petr Menšík
e52b4b1466
Fix bunch of warnings in auth.c
...
Error: CLANG_WARNING: [#def7]
dnsmasq-2.86test7/src/auth.c:420:5: warning[deadcode.DeadStores]: Value stored to 'found' is never read
# 418| if (!found && is_name_synthetic(flag, name, &addr) )
# 419| {
# 420|-> found = 1;
# 421| nxdomain = 0;
# 422|
Error: CLANG_WARNING: [#def8]
dnsmasq-2.86test7/src/auth.c:436:8: warning[deadcode.DeadStores]: Value stored to 'found' is never read
# 434| {
# 435| auth = soa = 1; /* inhibits auth section */
# 436|-> found = 1;
# 437| log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>");
# 438| }
Error: CLANG_WARNING: [#def9]
dnsmasq-2.86test7/src/auth.c:472:8: warning[deadcode.DeadStores]: Value stored to 'found' is never read
# 470| ns = 1; /* ensure we include NS records! */
# 471| axfr = 1;
# 472|-> found = 1;
# 473| axfroffset = nameoffset;
# 474| log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<AXFR>");
Error: CLANG_WARNING: [#def10]
dnsmasq-2.86test7/src/auth.c:480:8: warning[deadcode.DeadStores]: Value stored to 'found' is never read
# 478| auth = 1;
# 479| ns = 1; /* inhibits auth section */
# 480|-> found = 1;
# 481| log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<NS>");
# 482| }
Error: CLANG_WARNING: [#def11]
dnsmasq-2.86test7/src/auth.c:501:4: warning[deadcode.DeadStores]: Value stored to 'found' is never read
# 499| log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid));
# 500| *cut = 0; /* remove domain part */
# 501|-> found = 1;
# 502| if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
# 503| daemon->auth_ttl, NULL, qtype, C_IN,
Error: CLANG_WARNING: [#def12]
dnsmasq-2.86test7/src/auth.c:522:8: warning[deadcode.DeadStores]: Value stored to 'found' is never read
# 520| {
# 521| log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid));
# 522|-> found = 1;
# 523| if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
# 524| daemon->auth_ttl, NULL, qtype, C_IN,
Error: CLANG_WARNING: [#def13]
dnsmasq-2.86test7/src/auth.c:617:8: warning[deadcode.DeadStores]: Value stored to 'p' is never read
# 615| p += sprintf(p, "%u.", a & 0xff);
# 616| a = a >> 8;
# 617|-> p += sprintf(p, "%u.in-addr.arpa", a & 0xff);
# 618|
# 619| }
Error: CPPCHECK_WARNING (CWE-758): [#def14]
dnsmasq-2.86test7/src/auth.c:627: warning[objectIndex]: The address of local variable 'addr6' might be accessed at non-zero index.
# 625| for (i = subnet->prefixlen-1; i >= 0; i -= 4)
# 626| {
# 627|-> int dig = ((unsigned char *)&subnet->addr.addr6)[i>>3];
# 628| p += sprintf(p, "%.1x.", (i>>2) & 1 ? dig & 15 : dig >> 4);
# 629| }
Error: CLANG_WARNING: [#def15]
dnsmasq-2.86test7/src/auth.c:630:8: warning[deadcode.DeadStores]: Value stored to 'p' is never read
# 628| p += sprintf(p, "%.1x.", (i>>2) & 1 ? dig & 15 : dig >> 4);
# 629| }
# 630|-> p += sprintf(p, "ip6.arpa");
# 631|
# 632| }
2021-09-11 17:56:01 +01:00
Dominik DL6ER
e0ce3c12f2
Add all current RR types to the table of type names used for query logging.
...
This patch also changes the method of calling querystr() such that
it is only called when logging is enabled, to eliminate any
possible performance problems from searching the larger table.
2021-09-10 23:13:53 +01:00
Simon Kelley
f83c6cf51a
Return REFUSED in auth mode when we are not authoritative for the query.
2021-07-20 17:15:36 +01:00
Simon Kelley
c068b3ae2f
--synth-domain now works in auth mode.
2021-07-19 09:38:48 +01:00
Geert Stappers
3573ca0eec
Chomp file ends
...
Removed empty lines from end of src/*.[ch] files.
If the new last line became '#endif', the condition of
the '#if' was added.
2021-04-09 17:27:36 +01:00
Simon Kelley
c8e8f5c204
Bump copyright notices for 2021. Happy New Year!
2021-01-24 21:59:37 +00:00
Simon Kelley
b43585c34b
Fix nameserver list in auth mode.
...
If dnsmasq is not acting as an authoritative nameserver (no second
argument to --auth-server) then it should not appear in the NS RRset.
This leaves simply the list of servers specified in --auth-sec-servers.
2020-03-28 17:41:06 +00:00
Simon Kelley
2a8710ac2f
Update copyrights to 2020.
2020-01-05 16:40:06 +00:00
Simon Kelley
dc6a57ffb8
Always force AD bit to zero in authoritative DNS answers.
2019-08-20 23:17:27 +01:00
Simon Kelley
5b99eae59d
Cache SRV records.
...
Inspired by a patch from Jeremy Allison, but completely re-rolled
by srk. All bugs are mine.
2019-01-06 23:09:50 +00:00
Simon Kelley
cc921df9ce
Remove nested struct/union in cache records and all_addr.
2019-01-02 22:48:59 +00:00
Simon Kelley
ee8750451b
Remove ability to compile without IPv6 support.
...
This was the source of a large number of #ifdefs, originally
included for use with old embedded libc versions. I'm
sure no-one wants or needs IPv6-free code these days, so this
is a move towards more maintainable code.
2018-10-23 22:10:17 +01:00
Simon Kelley
b758b67c37
Improve logging of RRs from --dns-rr.
2018-08-23 21:41:23 +01:00
Simon Kelley
b6f926fbef
Don't return NXDOMAIN to empty non-terminals.
...
When a record is defined locally, eg an A record for one.two.example then
we already know that if we forward, eg an AAAA query for one.two.example,
and get back NXDOMAIN, then we need to alter that to NODATA. This is handled
by check_for_local_domain(). But, if we forward two.example, because
one.two.example exists, then the answer to two.example should also be
a NODATA.
For most local records this is easy, just do substring matching.
For A, AAAA and CNAME records that are in the cache, it's more difficult.
The cache has no efficient way to find such records. The fix is to
insert empty (none of F_IPV4, F_IPV6 F_CNAME set) records for each
non-terminal.
The same considerations apply in auth mode, and the same basic mechanism
is used there too.
2018-08-21 17:46:52 +01:00
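As an added illustration of the rule in the commit message above (not dnsmasq's cache code), the following decides, for a name that came back NXDOMAIN from upstream, whether local records exist below it and the answer must therefore become NODATA instead. It shows the "substring matching" case for configured names; the label-boundary check is what keeps a name such as e.two.example from being mistaken for an ancestor of one.two.example. The record list, function names and the assumption that names carry no trailing dot are constructed for this example.

```c
/* Added example: NXDOMAIN vs NODATA for empty non-terminals. Illustrative
 * code for this page, not dnsmasq's implementation; the local-record list
 * and names are constructed. Owner names are assumed to lack a trailing dot. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum ent_verdict {
    NAME_NXDOMAIN = 0,   /* nothing at or below this name: NXDOMAIN stands */
    NAME_NODATA   = 1,   /* empty non-terminal: rewrite NXDOMAIN to NODATA */
    NAME_EXISTS   = 2    /* a local record lives exactly at this name */
};

/* Case-insensitive equality of two owner names. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* True if `name` lies strictly below `ancestor`, i.e. ends with
 * "." followed by ancestor. The '.' test enforces the label boundary. */
static int is_below(const char *name, const char *ancestor)
{
    size_t nl = strlen(name), al = strlen(ancestor);
    if (nl <= al || name[nl - al - 1] != '.')
        return 0;
    return name_eq(name + (nl - al), ancestor);
}

/* Classify qname against the locally defined owner names. Intended to run
 * after an upstream NXDOMAIN to decide whether the RCODE must be changed. */
enum ent_verdict classify_local(const char *qname, const char *const *local, size_t n)
{
    enum ent_verdict v = NAME_NXDOMAIN;
    for (size_t i = 0; i < n; i++) {
        if (name_eq(local[i], qname))
            return NAME_EXISTS;
        if (is_below(local[i], qname))
            v = NAME_NODATA;   /* keep scanning: an exact match wins */
    }
    return v;
}

int main(void)
{
    /* constructed local records, following the commit's one.two.example */
    static const char *const local[] = { "one.two.example", "host.example" };
    const char *queries[] = { "two.example", "one.two.example",
                              "e.two.example", "three.example" };
    for (size_t i = 0; i < 4; i++)
        printf("%-16s -> %d\n", queries[i], classify_local(queries[i], local, 2));
    return 0;
}
```

For configured records a linear scan like this is enough; the commit's point is that cached A, AAAA and CNAME records cannot be scanned this way efficiently, which is why dnsmasq inserts empty marker records for each non-terminal instead.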
Simon Kelley
090856c7e6
Allow zone transfer in authoritative mode whenever auth-peer is specified.
2018-06-02 18:37:07 +01:00
Simon Kelley
d1ced3ae38
Update copyrights to 2018.
2018-01-01 22:18:03 +00:00
Simon Kelley
63437ffbb5
Fix CVE-2017-13704, which resulted in a crash on a large DNS query.
...
A DNS query received by UDP which exceeds 512 bytes (or the EDNS0 packet size,
if different) is enough to cause SIGSEGV.
2017-09-06 22:34:21 +01:00
Rosen Penev
cbd29e5da8
Printf related fixes.
2017-06-27 22:29:51 +01:00
Simon Kelley
50ca85504c
Bump year in copyrights.
2017-06-24 22:43:18 +01:00
Simon Kelley
62f9c0d470
Fix CNAME wildcard in auth-mode.
...
A domain can only have a CNAME if it has no other records.
Don't return a CNAME when there are records of other types on the name.
2017-02-19 23:07:01 +00:00
Josh Soref
730c6745f0
Comprehensive spelling/typo fixes.
...
Thanks to Josh Soref for generating these fixes.
2017-02-06 16:14:04 +00:00
Simon Kelley
b637d7815d
Allow wildcard CNAME records in authoritative zones.
2016-12-13 16:44:11 +00:00
Mathias Kresin
094bfaeb4f
auth-zone: allow to exclude ip addresses from answer.
2016-07-24 14:15:22 +01:00
Simon Kelley
fa78573778
Zero packet buffers before building output, to reduce risk of information leakage.
2016-07-22 20:56:01 +01:00
Simon Kelley
c7f3bd2ac8
Replace incoming EDNS0_OPTION_NOMDEVICEID and EDNS0_OPTION_NOMCPEID options.
2016-02-28 21:48:34 +00:00
Simon Kelley
c49778df4a
Update copyright notices. Happy new year!
2016-01-06 18:52:33 +00:00
Simon Kelley
fa14bec83b
Major tidy up of EDNS0 handling and computation/use of udp packet size.
2015-12-20 17:12:16 +00:00
Simon Kelley
78c6184752
Auth: correct replies to NS and SOA in .arpa zones.
2015-04-16 15:05:30 +01:00
Simon Kelley
38440b204d
Fix crash in auth code with odd configuration.
2015-04-12 21:52:47 +01:00
Simon Kelley
aff3396280
Update copyrights for dawn of 2015.
2015-01-31 20:13:40 +00:00
Simon Kelley
393415597c
Cope with multiple interfaces with the same LL address.
2015-01-18 22:11:10 +00:00
Simon Kelley
476693678e
Eliminate IPv6 privacy addresses from --interface-name answers.
2014-12-17 12:41:56 +00:00
Richard Genoud
10cfc0ddb3
Fix length->netmask conversions to avoid undefined behaviour.
2014-09-17 21:17:39 +01:00
Simon Kelley
10068600f8
Fix NXDOMAIN RCODE in auth PTR replies.
2014-04-03 21:16:40 +01:00
Simon Kelley
c47e3ba446
Update copyright for 2014.
2014-01-08 17:07:54 +00:00
Simon Kelley
c50f25a3ea
Allow empty subnet list in --auth-zone
2013-11-21 11:29:27 +00:00
Simon Kelley
587ad4f271
Fix crash introduced in 376d48c7f1
2013-11-15 15:47:51 +00:00
Simon Kelley
376d48c7f1
Allow interface name to specify subnets in --auth-zone.
2013-11-13 13:04:30 +00:00