Respond to any local name also withou rd bit set (#1647464)
This commit is contained in:
parent
c8684b8c32
commit
0461a69019
@ -0,0 +1,91 @@
|
|||||||
|
From d070ba529bf3be2c6c1e2fe52120820cc83ced68 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
|
Date: Fri, 12 Apr 2019 15:29:00 +0200
|
||||||
|
Subject: [PATCH] Restore ability to answer non-recursive requests
|
||||||
|
|
||||||
|
Instead, check only local configured entries are answered without
|
||||||
|
rdbit set. All cached replies are still denied, but locally configured
|
||||||
|
names are available with both recursion and without it.
|
||||||
|
|
||||||
|
Fixes commit 4139298d287eb5c57f4aa53c459cb02fc5be2495 unintended
|
||||||
|
behaviour.
|
||||||
|
|
||||||
|
(cherry-picked from 29ae3083981ea82f535f77ea54bbd538f1224a9e)
|
||||||
|
---
|
||||||
|
src/rfc1035.c | 23 ++++++++++++++---------
|
||||||
|
1 file changed, 14 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/rfc1035.c b/src/rfc1035.c
|
||||||
|
index a943ecb..efc7009 100644
|
||||||
|
--- a/src/rfc1035.c
|
||||||
|
+++ b/src/rfc1035.c
|
||||||
|
@@ -1273,7 +1273,11 @@ static unsigned long crec_ttl(struct crec *crecp, time_t now)
|
||||||
|
else
|
||||||
|
return daemon->max_ttl;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+
|
||||||
|
+static int cache_validated(const struct crec *crecp)
|
||||||
|
+{
|
||||||
|
+ return (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK));
|
||||||
|
+}
|
||||||
|
|
||||||
|
/* return zero if we can't answer from cache, or packet size if we can */
|
||||||
|
size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
||||||
|
@@ -1292,17 +1296,20 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
||||||
|
int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
|
||||||
|
struct mx_srv_record *rec;
|
||||||
|
size_t len;
|
||||||
|
+ int rd_bit;
|
||||||
|
+
|
||||||
|
// Make sure we do not underflow here too.
|
||||||
|
if (qlen > (limit - ((char *)header))) return 0;
|
||||||
|
|
||||||
|
/* never answer queries with RD unset, to avoid cache snooping. */
|
||||||
|
- if (!(header->hb3 & HB3_RD) ||
|
||||||
|
- ntohs(header->ancount) != 0 ||
|
||||||
|
+ if (!ntohs(header->ancount) != 0 ||
|
||||||
|
ntohs(header->nscount) != 0 ||
|
||||||
|
ntohs(header->qdcount) == 0 ||
|
||||||
|
OPCODE(header) != QUERY )
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
+ rd_bit = (header->hb3 & HB3_RD);
|
||||||
|
+
|
||||||
|
/* Don't return AD set if checking disabled. */
|
||||||
|
if (header->hb4 & HB4_CD)
|
||||||
|
sec_data = 0;
|
||||||
|
@@ -1467,9 +1474,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
||||||
|
/* Don't use cache when DNSSEC data required, unless we know that
|
||||||
|
the zone is unsigned, which implies that we're doing
|
||||||
|
validation. */
|
||||||
|
- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
|
||||||
|
- !do_bit ||
|
||||||
|
- (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
|
||||||
|
+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
|
||||||
|
+ (rd_bit && (!do_bit || cache_validated(crecp)) ))
|
||||||
|
{
|
||||||
|
do
|
||||||
|
{
|
||||||
|
@@ -1666,8 +1672,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
||||||
|
|
||||||
|
/* If the client asked for DNSSEC don't use cached data. */
|
||||||
|
if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
|
||||||
|
- !do_bit ||
|
||||||
|
- (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
|
||||||
|
+ (rd_bit && (!do_bit || cache_validated(crecp)) ))
|
||||||
|
do
|
||||||
|
{
|
||||||
|
/* don't answer wildcard queries with data not from /etc/hosts
|
||||||
|
@@ -1751,7 +1756,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
||||||
|
{
|
||||||
|
if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
|
||||||
|
(qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
|
||||||
|
- ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
|
||||||
|
+ ((crecp->flags & F_CONFIG) || (rd_bit && (!do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))))
|
||||||
|
{
|
||||||
|
if (!(crecp->flags & F_DNSSECOK))
|
||||||
|
sec_data = 0;
|
||||||
|
--
|
||||||
|
2.21.1
|
||||||
|
|
@ -13,7 +13,7 @@
|
|||||||
|
|
||||||
Name: dnsmasq
|
Name: dnsmasq
|
||||||
Version: 2.80
|
Version: 2.80
|
||||||
Release: 12%{?extraversion:.%{extraversion}}%{?dist}
|
Release: 13%{?extraversion:.%{extraversion}}%{?dist}
|
||||||
Summary: A lightweight DHCP/caching DNS server
|
Summary: A lightweight DHCP/caching DNS server
|
||||||
|
|
||||||
License: GPLv2 or GPLv3
|
License: GPLv2 or GPLv3
|
||||||
@ -43,6 +43,8 @@ Patch12: dnsmasq-2.81-Extend-79aba0f10ad0157fb4f48afbbcb03f094caff97a.pat
|
|||||||
Patch13: dnsmasq-2.81-adjust-changes-to-version-2.80.patch
|
Patch13: dnsmasq-2.81-adjust-changes-to-version-2.80.patch
|
||||||
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=52ec7836139e7a11374971905e5ac0d2d02e32c0
|
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=52ec7836139e7a11374971905e5ac0d2d02e32c0
|
||||||
Patch14: dnsmasq-2.81-tag-filtering-of-dhcp-host-directives.patch
|
Patch14: dnsmasq-2.81-tag-filtering-of-dhcp-host-directives.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1647464
|
||||||
|
Patch15: dnsmasq-2.81-restore-ability-to-answer-non-recursive-requests.patch
|
||||||
|
|
||||||
# This is workaround to nettle bug #1549190
|
# This is workaround to nettle bug #1549190
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
|
||||||
@ -175,6 +177,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
|
|||||||
%{_mandir}/man1/dhcp_*
|
%{_mandir}/man1/dhcp_*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Mar 10 2020 Petr Menšík <pemensik@redhat.com> - 2.80-13
|
||||||
|
- Respond to any local name also withou rd bit set (#1647464)
|
||||||
|
|
||||||
* Wed Mar 04 2020 Petr Menšík <pemensik@redhat.com> - 2.80-12
|
* Wed Mar 04 2020 Petr Menšík <pemensik@redhat.com> - 2.80-12
|
||||||
- Support multiple static leases for single mac on IPv6 (#1810172)
|
- Support multiple static leases for single mac on IPv6 (#1810172)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user