19907aec16  Marcus Meissner  2025-05-24 09:59:40 +00:00  (devel)
- update to 2.91:
  * Fix spurious "resource limit exceeded" messages.
  * Fix out-of-bounds heap read in order_qsort().
  * Fix buffer overflow when configured lease-change script name is too long.
  * Improve behaviour in the face of non-responsive upstream TCP DNS servers. Without shorter timeouts, clients are blocked for too long and fail with their own timeouts.
  * Set --fast-dns-retries by default when doing DNSSEC. A single downstream query can trigger many upstream queries. On an unreliable network, there may not be enough downstream retries to ensure that all these queries complete.
  * Improve behaviour in the face of truncated answers to queries for DNSSEC records. Getting these answers by TCP doesn't now involve a faked truncated answer to the downstream client to force it to move to TCP. This improves performance and robustness in the face of broken clients which can't fall back to TCP.
  * No longer remove data from truncated upstream answers. If an upstream replies with a truncated answer, but the answer has some RRs included, return those RRs, rather than returning an empty answer.
  * Fix handling of EDNS0 UDP packet sizes.
  * Modify the behaviour of --synth-domain for IPv6.
  * Fix broken dhcp-relay on *BSD.
  * Add --dhcp-option-pxe config. This acts almost exactly like --dhcp-option except that the defined option is only sent when replying to PXE clients. More importantly, these options are sent in reply to PXE clients when dnsmasq is acting in PXE proxy mode. In PXE proxy mode, the set of options sent is defined by the PXE standard and the normal set of options is not sent. This config allows arbitrary options in PXE-proxy replies. A typical use-case is to send option 175 to iPXE.
  * Support PXE proxy-DHCP and DHCP-relay at the same time.
  * Fix erroneous "DNSSEC validated" state with non-DNSSEC upstream servers.
  * Handle queries with EDNS client subnet fields better. If dnsmasq is configured to add an EDNS client subnet to a query, it is careful to suppress use of the cache, since a cached answer may not be valid for a query with a different client subnet. Extend this behaviour to queries which arrive at dnsmasq already carrying an EDNS client subnet.
  * Handle DS queries to auth zones. When dnsmasq is configured to act as an authoritative server and has an authoritative zone configured, and receives a query for that zone _as_forwarder_ it answers the query directly rather than forwarding it. This doesn't affect the answer, but it saves dnsmasq forwarding the query to the recursor upstream, which then bounces it back to dnsmasq in auth mode. The exception should be when the query is for the root of the zone, for a DS RR. The answer to that has to come from the parent, via the recursor, and will typically be a proof-of-non-existence since dnsmasq doesn't support signed zones. This patch suppresses local answers and forces forwarding to the upstream recursor for such queries. It stops breakage when a DNSSEC validating client makes queries to dnsmasq acting as forwarder for a zone for which it is authoritative.
  * Implement "DNS-0x20 encoding", for extra protection against reply-spoof attacks. Since DNS queries are case-insensitive, it's possible to randomly flip the case of letters in a query and still get the correct answer back.
  * Fix a long-standing problem when two queries which are identical in every respect _except_ case get combined by dnsmasq. If dnsmasq gets, eg, two queries for example.com and Example.com in quick succession, it will get the answer for example.com from upstream and send that answer to both requestors. This means that the query for Example.com will get an answer for example.com, and in the modern DNS, that answer may not be accepted.
c90cde3178  Reinhard Max  2025-01-14 11:39:29 +00:00
- Disable --nftset for SLE-15-SP3 and older.
- bsc#1235517: Reintroduce nogroup for SLE-15-SP3 and older.
0cc8ed3dc1  Reinhard Max  2024-02-14 18:04:45 +00:00
- update to 2.90:
  * CVE-2023-50387, CVE-2023-50868, bsc#1219823, bsc#1219826: Denial of Service while trying to validate specially crafted DNSSEC responses
  * Fix reversion in --rev-server introduced in 2.88 which caused breakage if the prefix length is not exactly divisible by 8 (IPv4) or 4 (IPv6).
  * Fix possible SEGV when there are server(s) for a particular domain configured, but no server which is not qualified for a particular domain.
  * Set the default maximum DNS UDP packet size to 1232. Obsoletes: dnsmasq-CVE-2023-28450.patch
  * Add --no-dhcpv4-interface and --no-dhcpv6-interface for better control over which interfaces are providing DHCP service.
  * Fix issue with stale caching
  * Add configurable caching for arbitrary RR-types.
  * Add --filter-rr option, to filter arbitrary RR-types.
c177936b94  Reinhard Max  2021-11-18 14:11:14 +00:00
- bsc#1192529, dnsmasq-resolv-conf.patch: Fix a segfault when re-reading an empty resolv.conf
- Remove "nogroup" membership from the dnsmasq user.
d5b765a964  Reinhard Max  2021-11-18 13:53:24 +00:00
Accepting request 928184 from home:gmbr3:Active
bcf4390ff2  Reinhard Max  2021-09-23 08:59:05 +00:00
- SLE bugs that got fixed upstream between 2.79 and 2.86, but for which we need to keep references when syncing Factory to SLE:
  * bsc#1176076: dnsmasq-servfail.patch
  * bsc#1156543: dnsmasq-siocgstamp.patch
  * bsc#1138743: dnsmasq-cache-size.patch
  * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch
049fbc620b  Reinhard Max  2021-09-17 11:27:06 +00:00
- Update to 2.86:
  * Handle DHCPREBIND requests in the DHCPv6 server code.
  * Fix bug which caused dnsmasq to lose track of processes forked to handle TCP DNS connections under heavy load.
  * Major rewrite of the DNS server and domain handling code. This should be largely transparent, but it drastically improves performance and reduces memory foot-print when configuring large numbers of domains.
  * Revise resource handling for number of concurrent DNS queries.
  * Improve efficiency of DNSSEC.
  * Connection track mark based DNS query filtering.
  * Allow smaller than 64 prefix lengths in synth-domain, with caveats. --synth-domain=1234:4567::/56,example.com is now valid.
  * Make domains generated by --synth-domain appear in replies when in authoritative mode.
  * Ensure CAP_NET_ADMIN capability is available when conntrack is configured.
  * When --dhcp-hostsfile, --dhcp-optsfile and --addn-hosts are given a directory as argument, define the order in which files within that directory are read (alphabetical order of filename).
- Added hardening to systemd service(s) (bsc#1181400).
dc54688f33  Reinhard Max  2021-09-17 09:40:15 +00:00
Accepting request 918936 from home:jsegitz:branches:systemdhardening:network
755bed9cef  Reinhard Max  2021-04-19 21:50:31 +00:00
- Update to 2.85:
  * Fix problem with DNS retries in 2.83/2.84.
  * Tweak sort order of tags in get-version.
  * Avoid treating a --dhcp-host which has an IPv6 address as eligible for use with DHCPv4 on the grounds that it has no address, and vice-versa.
  * Add --dynamic-host option: A and AAAA records which take their network part from the network of a local interface. Useful for routers with dynamic prefixes.
  * Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet.
  * CVE-2021-3448, bsc#1183709: Use random source ports where possible if source addresses/interfaces are in use.
  * Change the method of allocation of random source ports for DNS.
  * Scale the size of the DNS random-port pool based on the value of the --dns-forward-max configuration.
  * Tweak TFTP code to check sender of all received packets, as specified in RFC 1350 para 4.
f38fa3d41b  Reinhard Max  2021-01-19 12:32:14 +00:00
- Update to 2.83:
  * bsc#1177077: Fixed DNSpooq vulnerabilities
  * Use the values of --min-port and --max-port in outgoing TCP connections to upstream DNS servers.
  * Fix a remote buffer overflow problem in the DNSSEC code. Any dnsmasq with DNSSEC compiled in and enabled is vulnerable to this, referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687.
  * Be sure to only accept UDP DNS query replies at the address from which the query was originated. This keeps as much entropy in the {query-ID, random-port} tuple as possible, to help defeat cache poisoning attacks. Refer: CVE-2020-25684.
  * Use the SHA-256 hash function to verify that DNS answers received are for the questions originally asked. This replaces the slightly insecure SHA-1 (when compiled with DNSSEC) or the very insecure CRC32 (otherwise). Refer: CVE-2020-25685
  * Handle multiple identical near-simultaneous DNS queries better. Previously, such queries would all be forwarded independently. This is, in theory, inefficient but in practice not a problem, _except_ that it means that an answer for any of the forwarded queries will be accepted and cached. An attacker can send a query multiple times, and for each repeat, another {port, ID} becomes capable of accepting the answer he is sending in the blind, to random IDs and ports. The chance of a successful attack is therefore multiplied by the number of repeats of the query. The new behaviour detects repeated queries and merely stores the clients sending repeats so that when the first query completes, the answer can be sent to all the clients who asked. Refer: CVE-2020-25686.