Re: [Dnsmasq-discuss] Config Parsing Bug
The error is originating in the libidn2 library. Interestingly, compiling against libidn1, that library doesn't flag the error. Dnsmasq passes the input domain name to libidn[2] so that it can be translated to punycode if it contains non-ascii characters. I guess the authors of libidn2 would consider this valid behaviour if you reported it as a bug. A possible solution in this case would be to use the untranslated name (maybe with a warning) if it fails the translation call.

Cheers,

Simon.

On 12/01/2019 00:22, Tasnad Kernetzky wrote:
> Hi all,
>
> I wanted to report a bug (at least we believe it is one). We had a short discussion over at the archlinux bugtracker (https://bugs.archlinux.org/task/60366).
>
> In short:
>
>> echo 'address=/ab--c.example.com/#' | dnsmasq --test -C -
>> dnsmasq: error at line 1 of stdin
>
> Although the URL is "forbidden":
>
>> host 'ab--c.example.com'
>> host: 'ab--c.example.com' is not a legal IDNA2008 name (string contains forbidden two hyphens pattern), use +noidnin
>
> it would be nice to be able to block it. We ended up there, since the filter list from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts started to include these kinds of URLs.
>
> My feeling is, that parsing the two dashes somehow fails. Interestingly, adding one more character before the dashes does not trigger the bug:
>
>> echo 'address=/abb--c.example.com/#' | dnsmasq --test -C -
>> dnsmasq: syntax check OK.
>
> Escaping (ab\-\-c.example.com) allows dnsmasq to start, but renders the line ineffective.
>
> Do you know about this and is it intended behaviour?
>
> Regards,
>
> Tasnad

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
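The libidn2 rejection Simon describes is the IDNA2008 label rule from RFC 5891 section 4.2.3.1: a label may not begin or end with a hyphen, and may not carry hyphens in both its third and fourth positions unless it is an "xn--" A-label. The following C program is an added example, not dnsmasq or libidn2 code; it re-implements that check on the names quoted in this thread (constructed inputs, including one concrete instance of the r\d--- pattern) and sketches the fallback Simon proposes, keeping the untranslated name and flagging a warning instead of rejecting the config line.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not dnsmasq/libidn2 code): the IDNA2008 hyphen rules that
 * produce libidn2's "forbidden two hyphens pattern" error (RFC 5891 4.2.3.1).
 * A label may not start or end with '-', and may not have '-' in both its
 * 3rd and 4th position unless it is an "xn--" A-label. */
static int label_ok(const char *l, size_t n)
{
    if (n == 0 || n > 63)                      /* empty or over-long label */
        return 0;
    if (l[0] == '-' || l[n - 1] == '-')        /* leading/trailing hyphen */
        return 0;
    if (n >= 4 && l[2] == '-' && l[3] == '-' && strncmp(l, "xn--", 4) != 0)
        return 0;                              /* hyphens at positions 3-4 */
    return 1;
}

/* Returns 1 when every dot-separated label of the name passes, 0 otherwise. */
int idna2008_name_ok(const char *name)
{
    const char *p = name, *dot;
    while ((dot = strchr(p, '.')) != NULL) {
        if (!label_ok(p, (size_t)(dot - p)))
            return 0;
        p = dot + 1;
    }
    return label_ok(p, strlen(p));
}

/* Simon's suggested fallback: keep the name as typed and warn instead of
 * failing the config line. Returns 1 if a warning was emitted, else 0. */
int accept_with_warning(const char *name)
{
    if (idna2008_name_ok(name))
        return 0;
    fprintf(stderr, "warning: %s is not a valid IDNA2008 name, using it untranslated\n", name);
    return 1;
}

int main(void)
{
    /* Constructed inputs taken from the names discussed in the thread. */
    const char *names[] = { "ab--c.example.com", "abb--c.example.com",
                            "xn--74hc.com", "hm--test2.vergic.com",
                            "-x3.vindicosuite.com", "r1---sn.googlesyndication.com" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-32s %s\n", names[i], idna2008_name_ok(names[i]) ? "ok" : "rejected");
    return 0;
}
```

This only reproduces the hyphen rules; real libidn2 additionally decodes and re-validates "xn--" labels, which the example does not attempt.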
Re: [Dnsmasq-discuss] Config Parsing Bug
On 12.01.19 04:49, wkitt...@gmail.com wrote:
> On 1/11/19 7:22 PM, Tasnad Kernetzky wrote:
>> Hi all,
>>
>> I wanted to report a bug (at least we believe it is one). We had a short discussion over at the archlinux bugtracker (https://bugs.archlinux.org/task/60366).
>>
>> In short:
>>
>>> echo 'address=/ab--c.example.com/#' | dnsmasq --test -C -
>>> dnsmasq: error at line 1 of stdin
>>
>> Although the URL is "forbidden":
>>
>>> host 'ab--c.example.com'
>>> host: 'ab--c.example.com' is not a legal IDNA2008 name (string contains forbidden two hyphens pattern), use +noidnin
>
> is that a punycode domain name? all the ones I've seen are written as
>
> xn--codehere.invalid
>
> firefox has a specific option we set so we don't get taken in by look-alike homographs... specifically the links with unicode characters in them are displayed in their punycode form, xn--blahblah... these links explain more if some folks don't know about this aspect of the DNS system...
>
> https://en.wikipedia.org/wiki/Internationalized_domain_name#ASCII_spoofing_concerns
> https://en.wikipedia.org/wiki/IDN_homograph_attack
> https://en.wikipedia.org/wiki/Punycode#Internationalized_domain_names

I thought about that and I don't think so. AFAIK punycodes start with xn, right? Indeed, dnsmasq accepts 'echo 'address=/xn--74hc.com/#' | dnsmasq --test -C -'.

The actual troublesome domains from the block list are "hm--test2.vergic.com", "-x3.vindicosuite.com" and (as regex) 'r\d---[\w\.\d-]+.(googlesyndication\.com|2mdn.net)'.

I guess the question is now, how dnsmasq should deal with invalid domains in the config (or has there already been a discussion about that?). I see three options:

1) Keep current behaviour, but do not forward queries to upstream servers for invalid domains (actually dnsmasq does that). This way, we don't need to worry about them.
2) Accept invalid domains in the config, so that we can block them
3) Provide a config switch to select whether dnsmasq fails to start if there is an invalid domain in a config, or just issues a warning to the log.

I would prefer 2), since that's the cleanest way. I don't see a reason why invalid domains should not be blockable. They somehow ended up in the block list anyways...
Re: [Dnsmasq-discuss] Config Parsing Bug
On 12.01.19 10:55, Simon Kelley wrote:
> Are you compiling dnsmasq with support for IDN?
>
> dnsmasq -v will tell you.
>
> Simon.
>
> On 12/01/2019 00:22, Tasnad Kernetzky wrote:
>> Hi all,
>>
>> I wanted to report a bug (at least we believe it is one). We had a short discussion over at the archlinux bugtracker (https://bugs.archlinux.org/task/60366).
>>
>> In short:
>>
>>> echo 'address=/ab--c.example.com/#' | dnsmasq --test -C -
>>> dnsmasq: error at line 1 of stdin
>>
>> Although the URL is "forbidden":
>>
>>> host 'ab--c.example.com'
>>> host: 'ab--c.example.com' is not a legal IDNA2008 name (string contains forbidden two hyphens pattern), use +noidnin
>>
>> it would be nice to be able to block it. We ended up there, since the filter list from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts started to include these kinds of URLs.
>>
>> My feeling is, that parsing the two dashes somehow fails. Interestingly, adding one more character before the dashes does not trigger the bug:
>>
>>> echo 'address=/abb--c.example.com/#' | dnsmasq --test -C -
>>> dnsmasq: syntax check OK.
>>
>> Escaping (ab\-\-c.example.com) allows dnsmasq to start, but renders the line ineffective.
>>
>> Do you know about this and is it intended behaviour?
>>
>> Regards,
>>
>> Tasnad

I think yes, I'm using the default from arch linux:

Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile
Re: [Dnsmasq-discuss] Config Parsing Bug
Are you compiling dnsmasq with support for IDN?

dnsmasq -v will tell you.

Simon.

On 12/01/2019 00:22, Tasnad Kernetzky wrote:
> Hi all,
>
> I wanted to report a bug (at least we believe it is one). We had a short discussion over at the archlinux bugtracker (https://bugs.archlinux.org/task/60366).
>
> In short:
>
>> echo 'address=/ab--c.example.com/#' | dnsmasq --test -C -
>> dnsmasq: error at line 1 of stdin
>
> Although the URL is "forbidden":
>
>> host 'ab--c.example.com'
>> host: 'ab--c.example.com' is not a legal IDNA2008 name (string contains forbidden two hyphens pattern), use +noidnin
>
> it would be nice to be able to block it. We ended up there, since the filter list from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts started to include these kinds of URLs.
>
> My feeling is, that parsing the two dashes somehow fails. Interestingly, adding one more character before the dashes does not trigger the bug:
>
>> echo 'address=/abb--c.example.com/#' | dnsmasq --test -C -
>> dnsmasq: syntax check OK.
>
> Escaping (ab\-\-c.example.com) allows dnsmasq to start, but renders the line ineffective.
>
> Do you know about this and is it intended behaviour?
>
> Regards,
>
> Tasnad
Re: [Dnsmasq-discuss] Config Parsing Bug
On 1/11/19 7:22 PM, Tasnad Kernetzky wrote:
> Hi all,
>
> I wanted to report a bug (at least we believe it is one). We had a short discussion over at the archlinux bugtracker (https://bugs.archlinux.org/task/60366).
>
> In short:
>
>> echo 'address=/ab--c.example.com/#' | dnsmasq --test -C -
>> dnsmasq: error at line 1 of stdin
>
> Although the URL is "forbidden":
>
>> host 'ab--c.example.com'
>> host: 'ab--c.example.com' is not a legal IDNA2008 name (string contains forbidden two hyphens pattern), use +noidnin

is that a punycode domain name? all the ones I've seen are written as

xn--codehere.invalid

firefox has a specific option we set so we don't get taken in by look-alike homographs... specifically the links with unicode characters in them are displayed in their punycode form, xn--blahblah... these links explain more if some folks don't know about this aspect of the DNS system...

https://en.wikipedia.org/wiki/Internationalized_domain_name#ASCII_spoofing_concerns
https://en.wikipedia.org/wiki/IDN_homograph_attack
https://en.wikipedia.org/wiki/Punycode#Internationalized_domain_names

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list unless*
*a signed and pre-paid contract is in effect with us.*