[Dnsmasq-discuss] [PATCH] fix entries in /etc/hosts disabling static leases

2019-01-12 Thread Steven Siloti
It is possible for a config entry to have one address family specified by a
dhcp-host directive and the other added from /etc/hosts. This is especially
common on OpenWrt because it uses odhcpd for DHCPv6 and IPv6 leases are
imported into dnsmasq via a hosts file.

To handle this case there need to be separate *_HOSTS flags for IPv4 and IPv6.
Otherwise when the hosts file is reloaded it will clear the CONFIG_ADDR(6) flag
which was set by the dhcp-host directive.
---
 src/dhcp-common.c | 8 ++--
 src/dnsmasq.h | 1 +
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/dhcp-common.c b/src/dhcp-common.c
index d1254d9..7eb3761 100644
--- a/src/dhcp-common.c
+++ b/src/dhcp-common.c
@@ -372,7 +372,11 @@ void dhcp_update_configs(struct dhcp_config *configs)
 
   for (config = configs; config; config = config->next)
 if (config->flags & CONFIG_ADDR_HOSTS)
-  config->flags &= ~(CONFIG_ADDR | CONFIG_ADDR6 | CONFIG_ADDR_HOSTS);
+  config->flags &= ~(CONFIG_ADDR | CONFIG_ADDR_HOSTS);
+#ifdef HAVE_DHCP6
+if (config->flags & CONFIG_ADDR6_HOSTS)
+  config->flags &= ~(CONFIG_ADDR6 | CONFIG_ADDR6_HOSTS);
+#endif
 
 #ifdef HAVE_DHCP6 
  again:  
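Review bot: The added "if (config->flags & CONFIG_ADDR6_HOSTS)" follows a for loop that, in the context lines shown, has no braces, so only the existing CONFIG_ADDR_HOSTS test is the loop body. As written, the new test runs once after the loop has finished, when config is NULL, which is a null pointer dereference in HAVE_DHCP6 builds and never clears the IPv6 flags per entry. Put both if statements inside one braced block under the for.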
@@ -421,7 +425,7 @@ void dhcp_update_configs(struct dhcp_config *configs)
(!(conf_tmp = config_find_by_address6(configs, 
>addr.addr6, 128, 0)) || conf_tmp == config))
  {
memcpy(>addr6, >addr.addr6, IN6ADDRSZ);
-   config->flags |= CONFIG_ADDR6 | CONFIG_ADDR_HOSTS;
+   config->flags |= CONFIG_ADDR6 | CONFIG_ADDR6_HOSTS;
continue;
  }
 #endif
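Review bot: Any other test of CONFIG_ADDR_HOSTS that is meant to recognise a hosts-derived address stops matching IPv6 entries once this line sets CONFIG_ADDR6_HOSTS instead. Please confirm that dhcp_update_configs() is the only place that reads the flag, or update the remaining users in the same patch.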
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 95559c7..0dc1de9 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -789,6 +789,7 @@ struct dhcp_config {
 #define CONFIG_BANK   2048/* from dhcp hosts file */
 #define CONFIG_ADDR6  4096
 #define CONFIG_WILDCARD   8192
+#define CONFIG_ADDR6_HOSTS   16384/* address added by from /etc/hosts */
 
 struct dhcp_opt {
   int opt, len, flags;
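Review bot: The comment on the new CONFIG_ADDR6_HOSTS define reads "address added by from /etc/hosts"; drop the stray "by". Since CONFIG_ADDR_HOSTS now covers IPv4 only, its own comment should say so too, so the two defines read as an IPv4/IPv6 pair.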
-- 
2.20.1


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Config Parcing Bug

2019-01-12 Thread Tasnad Kernetzky

On 12.01.19 04:49, wkitt...@gmail.com wrote:
> On 1/11/19 7:22 PM, Tasnad Kernetzky wrote:
>> Hi all,
>>
>> I wanted to report a bug (at least we believe it is one). We had a
>> short discussion over at the archlinux bugtracker
>> (https://bugs.archlinux.org/task/60366).
>>
>> In short:
>>
>>> echo 'address=/ab--c.example.com/#' | dnsmasq --test -C -
>>
>>> dnsmasq: error at line 1 of stdin
>>
>> Although the URL is "forbidden":
>>
>>> host 'ab--c.example.com'
>>> host: 'ab--c.example.com' is not a legal IDNA2008 name (string
>> contains forbidden two hyphens pattern), use +noidnin
>
>
> is that a punycode domain name? all the one's i've seen are written as
>
>   xn--codehere.invalid
>
> firefox has a specific option we set so we don't get taken in by
> look-alike homographs... specifically the links with unicode
> characters in them are displayed in their punycode form,
> xn--blahblah... these links explain more if some folks don't know
> about this aspect of the DNS system...
>
> https://en.wikipedia.org/wiki/Internationalized_domain_name#ASCII_spoofing_concerns
>
> https://en.wikipedia.org/wiki/IDN_homograph_attack
> https://en.wikipedia.org/wiki/Punycode#Internationalized_domain_names
>
>
I thought about that and I don't think so. AFAIK punycodes start with
xn, right? Indeed, dnsmasq accepts 'echo 'address=/xn--74hc.com/#' |
dnsmasq --test -C -'.

The actual troublesome domains from the block list are
"hm--test2.vergic.com", "-x3.vindicosuite.com" and (as regex)
'r\d---[\w\.\d-]+.(googlesyndication\.com|2mdn.net)'.

I guess the question is now, how dnsmasq should deal with invalid
domains in the config (or has there already been a discussion about that?).

I see three options:

1) Keep current behaviour, but do not forward queries to upstream
servers for invalid domains (actually dnsmasq does that). This way, we
don't need to worry about them.

2) Accept invalid domains in the config, so that we can block them

3) Provide a config switch to select whether dnsmasq fails to start if
there is an invalid domain in a config, or just issues a warning to the
log.


I would prefer 2), since that's the cleanest way. I don't see a reason
why invalid domains should not be blockable. They somehow ended up in
the block list anyways...
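
The names in the message above fit the IDNA2008 hyphen rules that the quoted host error refers to: a label may not start or end with a hyphen, and hyphens in the third and fourth positions are reserved for the xn-- prefix. The following is an added example, not part of the original post or of dnsmasq: a pre-filter for a hosts-format block list that sets aside the names an IDN2 build would be expected to reject. The function names and sample input are constructed, and that dnsmasq applies exactly these checks is an assumption based on the results reported in the thread.

```python
# Added example. Assumption: an IDN2-enabled dnsmasq rejects the labels that
# the IDNA2008 hyphen rules forbid, as the results in the thread suggest.

def label_problem(label):
    """Return why a label breaks a hyphen rule, or None if it passes."""
    if label.startswith("-") or label.endswith("-"):
        return "leading or trailing hyphen"
    # Hyphens in positions 3 and 4 are reserved for the "xn--" ACE prefix.
    if label[2:4] == "--" and not label.lower().startswith("xn--"):
        return "hyphens in positions 3 and 4"
    return None

def name_problem(name):
    """Check every label of a dotted name; report the first failure."""
    for label in name.rstrip(".").split("."):
        reason = label_problem(label)
        if reason:
            return f"label '{label}': {reason}"
    return None

def split_blocklist(hosts_text):
    """Return (accepted names, {rejected name: reason}) from hosts-file text."""
    ok, rejected = [], {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        for name in fields[1:]:                 # fields[0] is the IP address
            reason = name_problem(name)
            if reason:
                rejected[name] = reason
            else:
                ok.append(name)
    return ok, rejected

# Constructed sample in hosts-file format, built from names quoted in the thread.
SAMPLE = """\
0.0.0.0 ab--c.example.com
0.0.0.0 abb--c.example.com
0.0.0.0 xn--74hc.com
0.0.0.0 hm--test2.vergic.com
0.0.0.0 -x3.vindicosuite.com
"""

if __name__ == "__main__":
    ok, rejected = split_blocklist(SAMPLE)
    for name in ok:
        print(f"address=/{name}/#")          # line dnsmasq should accept
    for name, reason in rejected.items():
        print(f"# skipped {name}: {reason}")  # left out of the config
```

The check covers only the hyphen rules discussed in the thread; it does not validate the punycode inside an xn-- label.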





Re: [Dnsmasq-discuss] Config Parcing Bug

2019-01-12 Thread Tasnad Kernetzky

On 12.01.19 10:55, Simon Kelley wrote:
> Are you compiling dnsmasq with support for IDN?
>
> dnsmasq -v will tell you.
>
> Simon.
>
>
> On 12/01/2019 00:22, Tasnad Kernetzky wrote:
>> Hi all,
>>
>> I wanted to report a bug (at least we believe it is one). We had a
>> short discussion over at the archlinux bugtracker
>> (https://bugs.archlinux.org/task/60366).
>>
>> In short:
>>
>>> echo 'address=/ab--c.example.com/#' | dnsmasq --test -C -
>>> dnsmasq: error at line 1 of stdin
>> Although the URL is "forbidden":
>>
>>> host 'ab--c.example.com'
>>> host: 'ab--c.example.com' is not a legal IDNA2008 name (string
>> contains forbidden two hyphens pattern), use +noidnin
>>
>> it would be nice to be able to block it. We ended up there, since the
>> filter list from
>> https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts started
>> to include these kinds of URLs.
>>
>>
>> My feeling is, that parsing the two dashes somehow fails. Interestingly,
>> adding one more character before the dashes does not trigger the bug:
>>
>>> echo 'address=/abb--c.example.com/#' | dnsmasq --test -C -
>>> dnsmasq: syntax check OK.
>>
>> Escaping (ab\-\-c.example.com) allows dnsmasq to start, but renders the
>> line ineffective.
>>
>>
>> Do you know about this and is it intended behaviour?
>>
>>
>> Regards,
>>
>> Tasnad
>>
>>
>>


I think yes, I'm using the default from arch linux:

Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN2 DHCP DHCPv6 no-Lua
TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile







Re: [Dnsmasq-discuss] Config Parcing Bug

2019-01-12 Thread Simon Kelley
Are you compiling dnsmasq with support for IDN?

dnsmasq -v will tell you.

Simon.


On 12/01/2019 00:22, Tasnad Kernetzky wrote:
> Hi all,
> 
> I wanted to report a bug (at least we believe it is one). We had a
> short discussion over at the archlinux bugtracker
> (https://bugs.archlinux.org/task/60366).
> 
> In short:
> 
>> echo 'address=/ab--c.example.com/#' | dnsmasq --test -C -
> 
>> dnsmasq: error at line 1 of stdin
> 
> Although the URL is "forbidden":
> 
>> host 'ab--c.example.com'
>> host: 'ab--c.example.com' is not a legal IDNA2008 name (string
> contains forbidden two hyphens pattern), use +noidnin
> 
> it would be nice to be able to block it. We ended up there, since the
> filter list from
> https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts started
> to include these kinds of URLs.
> 
> 
> My feeling is, that parsing the two dashes somehow fails. Interestingly,
> adding one more character before the dashes does not trigger the bug:
> 
>> echo 'address=/abb--c.example.com/#' | dnsmasq --test -C -
> 
>> dnsmasq: syntax check OK.
> 
> 
> Escaping (ab\-\-c.example.com) allows dnsmasq to start, but renders the
> line ineffective.
> 
> 
> Do you know about this and is it intended behaviour?
> 
> 
> Regards,
> 
> Tasnad
> 
> 
> 