github.com/openwrt/archive.git
author Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> 2017-10-05 14:07:29 +0300
committer Zoltan HERPAI <wigyori@uid0.hu> 2017-10-05 14:08:47 +0300
commit 2b616837b1738ac7499ac393a2c1f3b75ece66ef
tree 4b995f012e967daa9fa8afe84296c1dde5b76aba
parent cb9d25245f78609d8b3413263509774af12ea537
dnsmasq: update to dnsmasq 2.77test1
Bump to dnsmasq 2.77test1 - this includes a number of fixes since 2.76 and allows dropping of 2 LEDE carried patches. Notable fix in rrfilter code when talking to Nominum's DNS servers especially with DNSSEC.

A patch to switch dnsmasq back to 'soft fail' for SERVFAIL responses from dns servers is also included. This means dnsmasq tries all configured servers before giving up.

A 'localise queries' enhancement has also been backported (it will appear in test2/rc'n') this is especially important if using the recently imported to LEDE 'use dnsmasq standalone' feature 9525743c

I have been following dnsmasq HEAD ever since 2.76 release.

Compile & Run tested: ar71xx, Archer C7 v2

Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
-rw-r--r-- package/network/services/dnsmasq/Makefile 6
-rw-r--r-- package/network/services/dnsmasq/patches/010-localise-queries-apply-to-interface-names.patch 99
-rw-r--r-- package/network/services/dnsmasq/patches/100-fix-dhcp-no-address-warning.patch 47
-rw-r--r-- package/network/services/dnsmasq/patches/110-ipset-remove-old-kernel-support.patch 69
-rw-r--r-- package/network/services/dnsmasq/patches/220-try-all-servers-on-fail.patch 30
5 files changed, 144 insertions, 107 deletions
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index 3f70275b92..105f80a352 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
-PKG_VERSION:=2.76
+PKG_VERSION:=2.77test1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
-PKG_MD5SUM:=00f5ee66b4e4b7f14538bf62ae3c9461
+PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases
+PKG_MD5SUM:=1e07d46ed3b9b81fa16ceed7f7e92c87
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING
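Review bot: PKG_SOURCE_URL still fetches over plain http and the only integrity check on the new tarball is PKG_MD5SUM, so the download is authenticated by nothing stronger than an MD5 digest. Consider pinning a SHA-256 of dnsmasq-2.77test1.tar.xz instead (PKG_HASH, where the build system supports it) and using an https source if one is available. Since the source now lives under test-releases, it is also worth confirming the tarball is mirrored in case it does not stay at that path.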
diff --git a/package/network/services/dnsmasq/patches/010-localise-queries-apply-to-interface-names.patch b/package/network/services/dnsmasq/patches/010-localise-queries-apply-to-interface-names.patch
new file mode 100644
index 0000000000..229eaa4eb2
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/010-localise-queries-apply-to-interface-names.patch
@@ -0,0 +1,99 @@
+From d42d4706bbcce3b5a40ad778a5a356a997db6b34 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 2 Feb 2017 16:52:06 +0000
+Subject: [PATCH] Make --localise-queries apply to names from
+ --interface-name.
+
+---
+ CHANGELOG | 7 +++++++
+ man/dnsmasq.8 | 9 +++++----
+ src/rfc1035.c | 21 ++++++++++++++++++++-
+ 3 files changed, 32 insertions(+), 5 deletions(-)
+
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -58,6 +58,13 @@ version 2.77
+ this is Nominum's. Thanks to Dave Täht for spotting the
+ bug and assisting in the fix.
+
++ Fix the manpage which lied that only the primary address
++ of an interface is used by --interface-name.
++
++ Make --localise-queries apply to names from --interface-name.
++ Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
++ for pushing this.
++
+
+ version 2.76
+ Include 0.0.0.0/8 in DNS rebind checks. This range
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -289,8 +289,8 @@ option requires non-standard networking
+ under Linux. On other platforms it falls-back to --bind-interfaces mode.
+ .TP
+ .B \-y, --localise-queries
+-Return answers to DNS queries from /etc/hosts which depend on the interface over which the query was
+-received. If a name in /etc/hosts has more than one address associated with
++Return answers to DNS queries from /etc/hosts and --interface-name which depend on the interface over which the query was
++received. If a name has more than one address associated with
+ it, and at least one of those addresses is on the same subnet as the
+ interface to which the query was sent, then return only the
+ address(es) on that subnet. This allows for a server to have multiple
+@@ -604,7 +604,7 @@ given by the hex data, which may be of t
+ 012345 or any mixture of these.
+ .TP
+ .B --interface-name=<name>,<interface>[/4|/6]
+-Return a DNS record associating the name with the primary address on
++Return DNS records associating the name with the address(es) of
+ the given interface. This flag specifies an A or AAAA record for the given
+ name in the same way as an /etc/hosts line, except that the address is
+ not constant, but taken from the given interface. The interface may be
+@@ -614,7 +614,8 @@ down, not configured or non-existent, an
+ matching PTR record is also created, mapping the interface address to
+ the name. More than one name may be associated with an interface
+ address by repeating the flag; in that case the first instance is used
+-for the reverse address-to-name mapping.
++for the reverse address-to-name mapping. Note that a name used in
++--interface-name may not appear in /etc/hosts.
+ .TP
+ .B --synth-domain=<domain>,<address range>[,<prefix>]
+ Create artificial A/AAAA and PTR records for an address range. The
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1516,9 +1516,24 @@ size_t answer_request(struct dns_header
+ if (intr)
+ {
+ struct addrlist *addrlist;
+- int gotit = 0;
++ int gotit = 0, localise = 0;
+
+ enumerate_interfaces(0);
++
++ /* See if a putative address is on the network from which we recieved
++ the query, is so we'll filter other answers. */
++ if (local_addr.s_addr != 0 && option_bool(OPT_LOCALISE) && type == T_A)
++ for (intr = daemon->int_names; intr; intr = intr->next)
++ if (hostname_isequal(name, intr->name))
++ for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
++#ifdef HAVE_IPV6
++ if (!(addrlist->flags & ADDRLIST_IPV6))
++#endif
++ if (is_same_net(*((struct in_addr *)&addrlist->addr), local_addr, local_netmask))
++ {
++ localise = 1;
++ break;
++ }
+
+ for (intr = daemon->int_names; intr; intr = intr->next)
+ if (hostname_isequal(name, intr->name))
+@@ -1528,6 +1543,10 @@ size_t answer_request(struct dns_header
+ if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == type)
+ #endif
+ {
++ if (localise &&
++ !is_same_net(*((struct in_addr *)&addrlist->addr), local_addr, local_netmask))
++ continue;
++
+ #ifdef HAVE_IPV6
+ if (addrlist->flags & ADDRLIST_REVONLY)
+ continue;
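Review bot: In the src/rfc1035.c change the localisation pre-scan only runs when type == T_A, so AAAA answers built from --interface-name are never filtered, while the updated --localise-queries text in man/dnsmasq.8 does not mention that limit. Either state the IPv4-only behaviour in the man page or add the equivalent check for IPv6 addresses. Two smaller points in the same hunk: the break after "localise = 1;" only leaves the innermost addrlist loop, so the outer loop over daemon->int_names keeps scanning after a match (adding "!localise" to the loop conditions would stop it), and the new comment has typos ("recieved", "is so").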
diff --git a/package/network/services/dnsmasq/patches/100-fix-dhcp-no-address-warning.patch b/package/network/services/dnsmasq/patches/100-fix-dhcp-no-address-warning.patch
deleted file mode 100644
index 5fc62ffab3..0000000000
--- a/package/network/services/dnsmasq/patches/100-fix-dhcp-no-address-warning.patch
+++ /dev/null
@@ -1,47 +0,0 @@
---- a/src/dhcp.c
-+++ b/src/dhcp.c
-@@ -147,7 +147,7 @@ void dhcp_packet(time_t now, int pxe_fd)
- ssize_t sz;
- int iface_index = 0, unicast_dest = 0, is_inform = 0;
- int rcvd_iface_index;
-- struct in_addr iface_addr;
-+ struct in_addr iface_addr, *addrp = NULL;
- struct iface_param parm;
- #ifdef HAVE_LINUX_NETWORK
- struct arpreq arp_req;
-@@ -277,11 +277,9 @@ void dhcp_packet(time_t now, int pxe_fd)
- {
- ifr.ifr_addr.sa_family = AF_INET;
- if (ioctl(daemon->dhcpfd, SIOCGIFADDR, &ifr) != -1 )
-- iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
-- else
- {
-- my_syslog(MS_DHCP | LOG_WARNING, _("DHCP packet received on %s which has no address"), ifr.ifr_name);
-- return;
-+ addrp = &iface_addr;
-+ iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
- }
-
- for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-@@ -300,7 +298,7 @@ void dhcp_packet(time_t now, int pxe_fd)
- parm.relay_local.s_addr = 0;
- parm.ind = iface_index;
-
-- if (!iface_check(AF_INET, (struct all_addr *)&iface_addr, ifr.ifr_name, NULL))
-+ if (!iface_check(AF_INET, (struct all_addr *)addrp, ifr.ifr_name, NULL))
- {
- /* If we failed to match the primary address of the interface, see if we've got a --listen-address
- for a secondary */
-@@ -320,6 +318,12 @@ void dhcp_packet(time_t now, int pxe_fd)
- complete_context(match.addr, iface_index, NULL, match.netmask, match.broadcast, &parm);
- }
-
-+ if (!addrp)
-+ {
-+ my_syslog(MS_DHCP | LOG_WARNING, _("DHCP packet received on %s which has no address"), ifr.ifr_name);
-+ return;
-+ }
-+
- if (!iface_enumerate(AF_INET, &parm, complete_context))
- return;
-
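Review bot: The removal of 100-fix-dhcp-no-address-warning.patch is not tied to an upstream change anywhere in this diff, and the commit message speaks of dropping 2 carried patches while this is the only file deleted. Please name the dnsmasq commit in 2.77test1 that moves the "DHCP packet received on %s which has no address" warning after the iface_check() call, and correct or explain the patch count.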
diff --git a/package/network/services/dnsmasq/patches/110-ipset-remove-old-kernel-support.patch b/package/network/services/dnsmasq/patches/110-ipset-remove-old-kernel-support.patch
index 61b09d5b2c..88e334b0fc 100644
--- a/package/network/services/dnsmasq/patches/110-ipset-remove-old-kernel-support.patch
+++ b/package/network/services/dnsmasq/patches/110-ipset-remove-old-kernel-support.patch
@@ -44,67 +44,22 @@
(buffer = safe_malloc(BUFF_SZ)) &&
(ipset_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)) != -1 &&
(bind(ipset_sock, (struct sockaddr *)&snl, sizeof(snl)) != -1))
-@@ -168,62 +149,16 @@ static int new_add_to_ipset(const char *
- }
-
-
--static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int remove)
--{
-- socklen_t size;
-- struct ip_set_req_adt_get {
-- unsigned op;
-- unsigned version;
-- union {
-- char name[IPSET_MAXNAMELEN];
-- uint16_t index;
-- } set;
-- char typename[IPSET_MAXNAMELEN];
-- } req_adt_get;
-- struct ip_set_req_adt {
-- unsigned op;
-- uint16_t index;
-- uint32_t ip;
-- } req_adt;
--
-- if (strlen(setname) >= sizeof(req_adt_get.set.name))
-- {
-- errno = ENAMETOOLONG;
-- return -1;
-- }
--
-- req_adt_get.op = 0x10;
-- req_adt_get.version = 3;
-- strcpy(req_adt_get.set.name, setname);
-- size = sizeof(req_adt_get);
-- if (getsockopt(ipset_sock, SOL_IP, 83, &req_adt_get, &size) < 0)
-- return -1;
-- req_adt.op = remove ? 0x102 : 0x101;
-- req_adt.index = req_adt_get.set.index;
-- req_adt.ip = ntohl(ipaddr->addr.addr4.s_addr);
-- if (setsockopt(ipset_sock, SOL_IP, 83, &req_adt, sizeof(req_adt)) < 0)
-- return -1;
--
-- return 0;
--}
--
--
--
- int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int flags, int remove)
- {
- int af = AF_INET;
-
- #ifdef HAVE_IPV6
+@@ -217,17 +198,10 @@ int add_to_ipset(const char *setname, co
if (flags & F_IPV6)
-- {
+ {
af = AF_INET6;
- /* old method only supports IPv4 */
- if (old_kernel)
-- return -1;
-- }
+- {
+- errno = EAFNOSUPPORT ;
+- ret = -1;
+- }
+ }
#endif
-- return old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
-+ return new_add_to_ipset(setname, ipaddr, af, remove);
- }
+- if (ret != -1)
+- ret = old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
++ ret = new_add_to_ipset(setname, ipaddr, af, remove);
- #endif
+ if (ret == -1)
+ my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno));
diff --git a/package/network/services/dnsmasq/patches/220-try-all-servers-on-fail.patch b/package/network/services/dnsmasq/patches/220-try-all-servers-on-fail.patch
new file mode 100644
index 0000000000..501eefebb5
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/220-try-all-servers-on-fail.patch
@@ -0,0 +1,30 @@
+From 94a8815892f538b334d640012eebcafc2c7fa284 Mon Sep 17 00:00:00 2001
+From: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
+Date: Thu, 27 Oct 2016 12:17:03 +0200
+Subject: [PATCH] Consider SERVFAIL as a non-successful response
+
+Treat Servfail as a recoverable error instead of a hard error.
+
+A misconfigured dns forwarder upstream can return a Servfail faster than
+a correctly configured one.
+
+In the case of a dnssec misbehaving, it will misbehave on all correctly
+configured upstreams. In the case of a normal DNS query, the original
+behavior of dnsmasq here was more robust.
+
+---
+ src/forward.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -853,7 +853,8 @@ void reply_query(int fd, int family, tim
+ we get a good reply from another server. Kill it when we've
+ had replies from all to avoid filling the forwarding table when
+ everything is broken */
+- if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != REFUSED)
++ if (forward->forwardall == 0 || --forward->forwardall == 1
++ || (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
+ {
+ int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
+
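Review bot: The new condition "RCODE(header) != REFUSED && RCODE(header) != SERVFAIL" in reply_query() makes dnsmasq keep waiting for another upstream whenever one returns SERVFAIL, which is also the response a validating resolver gives for a DNSSEC validation failure. With a mix of validating and non-validating upstreams, an answer rejected by one server can then be accepted from another, so the patch description should state that all configured upstreams are expected to apply the same validation policy. The code comment directly above the condition should mention SERVFAIL alongside REFUSED if it currently names only the latter.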