KumiSystems/openwrtv3
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

dnsmasq: Change behavior when RD bit unset in queries.

Browse source 
Backport upstream commit

Change anti cache-snooping behaviour with queries with the
recursion-desired bit unset. Instead to returning SERVFAIL, we
now always forward, and never answer from the cache. This
allows "dig +trace" command to work.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This commit is contained in:
Kevin Darbyshire-Bryant 2018-09-20 18:26:33 +01:00
parent 95b3f8ec8d
commit 6c4cbe94bd
2 changed files with 55 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
package/network/services/dnsmasq/Makefile
View file

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq PKG_NAME:=dnsmasq
PKG_VERSION:=2.80test6 PKG_VERSION:=2.80test6
PKG_RELEASE:=2 PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases

54
package/network/services/dnsmasq/patches/0002-Change-behavior-when-RD-bit-unset-in-queries.patch Normal file
View file

@ -0,0 +1,54 @@
From 4139298d287eb5c57f4aa53c459cb02fc5be2495 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 19 Sep 2018 22:27:11 +0100
Subject: [PATCH 2/2] Change behavior when RD bit unset in queries.
Change anti cache-snooping behaviour with queries with the
recursion-desired bit unset. Instead to returning SERVFAIL, we
now always forward, and never answer from the cache. This
allows "dig +trace" command to work.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
CHANGELOG | 7 ++++++-
src/rfc1035.c | 8 +++-----
2 files changed, 9 insertions(+), 6 deletions(-)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -59,7 +59,12 @@ version 2.80
Returning null addresses is a useful technique for ad-blocking.
Thanks to Peter Russell for the suggestion.
-
+ Change anti cache-snooping behaviour with queries with the
+ recursion-desired bit unset. Instead to returning SERVFAIL, we
+ now always forward, and never answer from the cache. This
+ allows "dig +trace" command to work.
+
+
version 2.79
Fix parsing of CNAME arguments, which are confused by extra spaces.
Thanks to Diego Aguirre for spotting the bug.
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1293,16 +1293,14 @@ size_t answer_request(struct dns_header
struct mx_srv_record *rec;
size_t len;
- if (ntohs(header->ancount) != 0 ||
+ /* never answer queries with RD unset, to avoid cache snooping. */
+ if (!(header->hb3 & HB3_RD) ||
+ ntohs(header->ancount) != 0 ||
ntohs(header->nscount) != 0 ||
ntohs(header->qdcount) == 0 ||
OPCODE(header) != QUERY )
return 0;
- /* always servfail queries with RD unset, to avoid cache snooping. */
- if (!(header->hb3 & HB3_RD))
- return setup_reply(header, qlen, NULL, F_SERVFAIL, 0);
-
/* Don't return AD set if checking disabled. */
if (header->hb4 & HB4_CD)
sec_data = 0;