Respond to any local name also withou rd bit set (#1647464)

2020-03-10 15:57:18 +01:00 · 2020-03-10 15:57:18 +01:00 · 0461a69019
commit 0461a69019
parent c8684b8c32
2 changed files with 97 additions and 1 deletions
--- a/dnsmasq-2.81-restore-ability-to-answer-non-recursive-requests.patch
+++ b/dnsmasq-2.81-restore-ability-to-answer-non-recursive-requests.patch
@ -0,0 +1,91 @@
+From d070ba529bf3be2c6c1e2fe52120820cc83ced68 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Fri, 12 Apr 2019 15:29:00 +0200
+Subject: [PATCH] Restore ability to answer non-recursive requests
+
+Instead, check only local configured entries are answered without
+rdbit set. All cached replies are still denied, but locally configured
+names are available with both recursion and without it.
+
+Fixes commit 4139298d287eb5c57f4aa53c459cb02fc5be2495 unintended
+behaviour.
+
+(cherry-picked from 29ae3083981ea82f535f77ea54bbd538f1224a9e)
+---
+ src/rfc1035.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index a943ecb..efc7009 100644
+--- a/src/rfc1035.c
+++ b/src/rfc1035.c
+@@ -1273,7 +1273,11 @@ static unsigned long crec_ttl(struct crec *crecp, time_t now)
+   else
+     return daemon->max_ttl;
+ }
+-  
+
+static int cache_validated(const struct crec *crecp)
+{
+  return (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK));
+}
+ 
+ /* return zero if we can't answer from cache, or packet size if we can */
+ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,  
+@@ -1292,17 +1296,20 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+   int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
+   struct mx_srv_record *rec;
+   size_t len;
+  int rd_bit;
+
+   // Make sure we do not underflow here too.
+   if (qlen > (limit - ((char *)header))) return 0;
+ 
+   /* never answer queries with RD unset, to avoid cache snooping. */
+-  if (!(header->hb3 & HB3_RD) ||
+-      ntohs(header->ancount) != 0 ||
+  if (!ntohs(header->ancount) != 0 ||
+       ntohs(header->nscount) != 0 ||
+       ntohs(header->qdcount) == 0 || 
+       OPCODE(header) != QUERY )
+     return 0;
+ 
+  rd_bit = (header->hb3 & HB3_RD);
+
+   /* Don't return AD set if checking disabled. */
+   if (header->hb4 & HB4_CD)
+     sec_data = 0;
+@@ -1467,9 +1474,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+ 		  /* Don't use cache when DNSSEC data required, unless we know that
+ 		     the zone is unsigned, which implies that we're doing
+ 		     validation. */
+-		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || 
+-		      !do_bit || 
+-		      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
+		      (rd_bit && (!do_bit || cache_validated(crecp)) ))
+ 		    {
+ 		      do 
+ 			{ 
+@@ -1666,8 +1672,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+ 
+ 		  /* If the client asked for DNSSEC  don't use cached data. */
+ 		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
+-		      !do_bit ||
+-		      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+		      (rd_bit && (!do_bit || cache_validated(crecp)) ))
+ 		    do
+ 		      { 
+ 			/* don't answer wildcard queries with data not from /etc/hosts
+@@ -1751,7 +1756,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+ 	    {
+ 	      if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
+ 		  (qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
+-		  ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
+		  ((crecp->flags & F_CONFIG) || (rd_bit && (!do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))))
+ 		{
+ 		  if (!(crecp->flags & F_DNSSECOK))
+ 		    sec_data = 0;
+-- 
+2.21.1
+
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@ -13,7 +13,7 @@

 Name:           dnsmasq
 Version:        2.80
-Release:        12%{?extraversion:.%{extraversion}}%{?dist}
+Release:        13%{?extraversion:.%{extraversion}}%{?dist}
 Summary:        A lightweight DHCP/caching DNS server

 License:        GPLv2 or GPLv3
@ -43,6 +43,8 @@ Patch12:        dnsmasq-2.81-Extend-79aba0f10ad0157fb4f48afbbcb03f094caff97a.pat
 Patch13:        dnsmasq-2.81-adjust-changes-to-version-2.80.patch
 # http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=52ec7836139e7a11374971905e5ac0d2d02e32c0
 Patch14:        dnsmasq-2.81-tag-filtering-of-dhcp-host-directives.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1647464
+Patch15:        dnsmasq-2.81-restore-ability-to-answer-non-recursive-requests.patch

 # This is workaround to nettle bug #1549190
 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190
@ -175,6 +177,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
 %{_mandir}/man1/dhcp_*

 %changelog
+* Tue Mar 10 2020 Petr Menšík <pemensik@redhat.com> - 2.80-13
+- Respond to any local name also withou rd bit set (#1647464)
+
 * Wed Mar 04 2020 Petr Menšík <pemensik@redhat.com> - 2.80-12
 - Support multiple static leases for single mac on IPv6 (#1810172)