[Dnsmasq-discuss] resolving specific domains with dnsmasq

2017-10-02 Thread Nikolay Borisov
Hello,


I'd like to use dnsmasq to resolve only certain domains with specific
dns server and everything else with my router's dns. Here is the config
that I have:
===dnsmasq.conf===
domain-needed
listen-address=127.0.0.1
server=/xx/8.8.8.8
server=/xx/8.8.8.8
server=/imap.suse.de/#
except-interface=virbr0,tun0
conf-file=/etc/dnsmasq.d/domains.conf
interface=br0
bind-interfaces
dhcp-range=192.168.8.2,192.168.8.254

===domains.conf===

server=/xx/10.160.0.1
server=/xx/10.160.0.1
server=/xxx/10.160.0.1
server=/xxx/10.160.2.88
server=/x/10.160.2.88
server=/xxx/10.160.2.88
server=/.10.in-addr.arpa/10.160.2.88


===/var/run/dnsmasq/resolv.conf===
nameserver 10.160.0.1
nameserver 10.160.2.88
nameserver 10.20.1.1

So 10.160.x are the DNS servers that come from a VPN connection and
10.20.1.1 is the DNS server that my router gives me (the default, catch-all one).

The problem is that, due to the presence of the VPN DNS servers in
dnsmasq/resolv.conf, they are also being used for resolving upstream
domains such as google.com. I tried removing the 10.160.x servers from
resolv.conf and they got re-added automatically upon restarting dnsmasq.
I'm using Ubuntu 16.04 and have also disabled dnsmasq management on the
NetworkManager side:

cat /etc/NetworkManager/NetworkManager.conf
[main]
#dns=dnsmasq

However, that didn't help.

What I want to achieve seems to be one of the canonical uses of dnsmasq,
but I don't know how to limit the VPN DNS servers to being used _only_ for
the domains in domains.conf, and not have them added as generic upstream
nameserver entries.


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

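The selection rule behind the problem in the post above, as an added example that is not part of the thread or of dnsmasq itself: the script models the documented dnsmasq behaviour (the longest matching `server=/domain/addr` wins, a target of `#` means "use the default servers", and the default servers are the bare `server=addr` entries plus every `nameserver` in resolv.conf unless `no-resolv` is set). The domain names and the `FIXED_CONF` variant (`no-resolv` plus an explicit `server=10.20.1.1`) are this example's constructions, not something the poster or a reply supplied.

```python
"""Model of how dnsmasq picks upstream servers for a query name.

Added example, not dnsmasq's code. Domain names in the sample configs are
constructed stand-ins for the elided ones in the post.
"""

from typing import Dict, List, Set


def parse_resolv(text: str) -> List[str]:
    """Return the nameserver addresses listed in a resolv.conf."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_dnsmasq(text: str) -> Dict:
    """Collect server= entries and no-resolv from a dnsmasq config."""
    cfg: Dict = {"scoped": {}, "default": [], "no_resolv": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "no-resolv":
            cfg["no_resolv"] = True
        elif line.startswith("server="):
            value = line[len("server="):]
            if value.startswith("/"):
                # server=/dom1/dom2/.../target ; an empty target means
                # "answer locally, never forward"
                *domains, target = value.lstrip("/").split("/")
                for domain in domains:
                    # dnsmasq ignores a leading dot: /.10.in-addr.arpa/
                    # and /10.in-addr.arpa/ are the same entry
                    key = domain.lstrip(".").lower()
                    cfg["scoped"].setdefault(key, []).append(target)
            else:
                cfg["default"].append(value)
    return cfg


def upstreams(qname: str, cfg: Dict, resolv_text: str) -> Set[str]:
    """Servers dnsmasq would consider for qname under this config."""
    defaults: Set[str] = set(cfg["default"])
    if not cfg["no_resolv"]:
        defaults.update(parse_resolv(resolv_text))
    q = qname.rstrip(".").lower()
    best = None
    for domain in cfg["scoped"]:
        if q == domain or q.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    if best is None:
        return defaults
    chosen: Set[str] = set()
    for target in cfg["scoped"][best]:
        if target == "#":
            chosen |= defaults
        elif target:
            chosen.add(target)
    return chosen


# Constructed inputs mirroring the shape of the post's files.
RESOLV_CONF = """\
nameserver 10.160.0.1
nameserver 10.160.2.88
nameserver 10.20.1.1
"""

ORIGINAL_CONF = """\
domain-needed
server=/vpn.example/10.160.0.1
server=/lab.example/10.160.2.88
server=/imap.suse.de/#
server=/.10.in-addr.arpa/10.160.2.88
"""

# Same config, but resolv.conf is ignored and the router is named
# explicitly as the only default upstream.
FIXED_CONF = ORIGINAL_CONF + "no-resolv\nserver=10.20.1.1\n"


def compare(qname: str) -> Dict[str, Set[str]]:
    """Upstream pool for qname under the original and the fixed config."""
    return {
        "original": upstreams(qname, parse_dnsmasq(ORIGINAL_CONF), RESOLV_CONF),
        "fixed": upstreams(qname, parse_dnsmasq(FIXED_CONF), RESOLV_CONF),
    }


if __name__ == "__main__":
    for name in ("google.com", "mail.vpn.example",
                 "5.0.160.10.in-addr.arpa", "imap.suse.de"):
        print(name, compare(name))
```

The returned set is the pool dnsmasq may use, not an order: with several default servers it normally sends to whichever it currently judges fastest (unless `strict-order` or `all-servers` is set), which is exactly why a VPN resolver in resolv.conf ends up answering google.com some of the time. The model does nothing about whatever regenerates /var/run/dnsmasq/resolv.conf; `no-resolv` only stops dnsmasq from reading it.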

[Dnsmasq-discuss] IMPORTANT SECURITY INFORMATION.

2017-10-02 Thread Simon Kelley
I've just released dnsmasq-2.78, which addresses a series of serious
security vulnerabilities which have been found in dnsmasq by the Google
security team. Some of these, including the most serious, have been in
dnsmasq since prehistoric times, and have remained undetected through
multiple previous security audits.

Google's release about this can be found at:

https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

Information on these bugs has been made available in advance through the
usual channels and updates to distribution packages, firmware images and
Android should be available now or very soon.

I'd like to take this opportunity to thank the people at Google who've
been working with me on this. Releasing information of vulnerabilities
like this in a responsible and organised manner is a fairly daunting
prospect for the uninitiated, and they've been very helpful in helping
to work through the processes. Especial thanks go to Matt Linton and
Kevin Stadmeyer.

Cheers,

Simon.






[Dnsmasq-discuss] Announce: dnsmasq-2.78.

2017-10-02 Thread Simon Kelley
I've just released a new stable version of dnsmasq 2.78

Download is available at

http://thekelleys.org.uk/dnsmasq/dnsmasq-2.78.tar.gz


This is a bugfix release, and, amongst other things, addresses a set of
serious security vulnerabilities. Update should be mandatory.

CHANGELOG is attached below.

version 2.78
Fix logic of appending "." to PXE basename. Thanks to
Chris Novakovic for the patch.

Revert ping-check of address in DHCPDISCOVER if there
already exists a lease for the address. Under some
circumstances, a netbooted Windows installation can reply
to pings before it has a DHCP lease and block allocation
of the address it already used during netboot. Thanks to
Jan Psota for spotting this.

Fix DHCP relaying, broken in 2.76 and 2.77 by commit
ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
John Fitzgibbon for the diagnosis and patch.

Try other servers if the first returns REFUSED when
--strict-order is active. Thanks to Hans Dedecker
for the patch.

Fix regression in 2.77, ironically added as a security
improvement, which resulted in a crash when a DNS
query exceeded 512 bytes (or the EDNS0 packet size,
if different). Thanks to Christian Kujau, Arne Woerner,
Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
chasing this one down. CVE-2017-13704 applies.

Fix heap overflow in DNS code. This is a potentially serious
security hole. It allows an attacker who can make DNS
requests to dnsmasq, and who controls the contents of
a domain which is thereby queried, to overflow
(by 2 bytes) a heap buffer and either crash, or
even take control of, dnsmasq.
CVE-2017-14491 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
Kevin Hamacher and Ron Bowes of the Google Security Team for
finding this.

Fix heap overflow in IPv6 router advertisement code.
This is a potentially serious security hole, as a
crafted RA request can overflow a buffer and crash or
control dnsmasq. Attacker must be on the local network.
CVE-2017-14492 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
and Kevin Hamacher of the Google Security Team for
finding this.

Fix stack overflow in DHCPv6 code. An attacker who can send
a DHCPv6 request to dnsmasq can overflow the stack frame and
crash or control dnsmasq.
CVE-2017-14493 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
Kevin Hamacher and Ron Bowes of the Google Security Team for
finding this.

Fix information leak in DHCPv6. A crafted DHCPv6 packet can
cause dnsmasq to forward memory from outside the packet
buffer to a DHCPv6 server when acting as a relay.
CVE-2017-14494 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
Kevin Hamacher and Ron Bowes of the Google Security Team for
finding this.

Fix DoS in DNS. Invalid boundary checks in the
add_pseudoheader function allow a memcpy call with negative
size. An attacker who can send malicious DNS queries
to dnsmasq can trigger a DoS remotely.
dnsmasq is vulnerable only if one of the following options is
specified: --add-mac, --add-cpe-id or --add-subnet.
CVE-2017-14496 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
Kevin Hamacher and Ron Bowes of the Google Security Team for
finding this.

Fix out-of-memory DoS vulnerability. An attacker who can
send malicious DNS queries to dnsmasq can trigger memory
allocations in the add_pseudoheader function.
The allocated memory is never freed, which leads to a DoS
through memory exhaustion. dnsmasq is vulnerable only
if one of the following options is specified:
--add-mac, --add-cpe-id or --add-subnet.
CVE-2017-14495 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
Kevin Hamacher and Ron Bowes of the Google Security Team for
finding this.






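A triage helper for the CHANGELOG above, added here as an example and not part of the announcement or of the dnsmasq project: given the banner from `dnsmasq --version` and the running config, it lists which of the CVEs fixed in 2.78 apply. The conditions are this script's reading of the CHANGELOG text (everything fixed in 2.78; CVE-2017-13704 is a regression present only in 2.77; CVE-2017-14495 and CVE-2017-14496 need `add-mac`, `add-cpe-id` or `add-subnet`). Treating a 2.78 pre-release tag as older than the fixed release is an assumption; the sample banners and config lines are constructed.

```python
"""Triage of a dnsmasq instance against the CVEs in the 2.78 CHANGELOG.

Added example, not part of the announcement. Version and option conditions
are taken from the CHANGELOG text; sample inputs are constructed.
"""

import re
from typing import List, Optional, Sequence, Tuple

PSEUDOHEADER_OPTIONS = ("add-mac", "add-cpe-id", "add-subnet")

# (CVE, summary, options that must be enabled for it to apply; None = always)
FIXED_IN_278: List[Tuple[str, str, Optional[Sequence[str]]]] = [
    ("CVE-2017-14491", "heap overflow in DNS code; remote, via an attacker-controlled domain", None),
    ("CVE-2017-14492", "heap overflow in IPv6 router advertisement code; attacker on local network", None),
    ("CVE-2017-14493", "stack overflow in DHCPv6 code", None),
    ("CVE-2017-14494", "information leak when relaying DHCPv6", None),
    ("CVE-2017-14495", "memory-exhaustion DoS in add_pseudoheader", PSEUDOHEADER_OPTIONS),
    ("CVE-2017-14496", "negative-size memcpy DoS in add_pseudoheader", PSEUDOHEADER_OPTIONS),
]

# Matches e.g. "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley"
_VERSION_RE = re.compile(r"[Dd]nsmasq version (\d+)\.(\d+)([A-Za-z]\w*)?")


def parse_version(banner: str) -> Tuple[int, int, bool]:
    """Parse 'dnsmasq --version' output into (major, minor, is_prerelease)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no dnsmasq version in banner")
    return int(m.group(1)), int(m.group(2)), m.group(3) is not None


def enabled_options(config_text: str) -> List[str]:
    """Option names set in dnsmasq.conf-style text; '--' prefix and values ignored."""
    names = []
    for raw in config_text.splitlines():
        line = raw.strip().lstrip("-")
        if not line or line.startswith("#"):
            continue
        names.append(line.split("=", 1)[0].strip())
    return names


def applicable(banner: str, config_text: str) -> List[Tuple[str, str]]:
    """CVEs from the 2.78 CHANGELOG that apply to this version and config."""
    major, minor, prerelease = parse_version(banner)
    opts = set(enabled_options(config_text))
    found: List[Tuple[str, str]] = []
    # The 512-byte/EDNS0 crash was introduced in 2.77 and fixed in 2.78.
    if (major, minor) == (2, 77):
        found.append(("CVE-2017-13704",
                      "crash on DNS query over 512 bytes (or EDNS0 size); 2.77 regression"))
    # Anything before 2.78 is affected; a 2.78 pre-release is treated as
    # older than the fixed release (assumption, deliberately conservative).
    before_fix = (major, minor) < (2, 78) or ((major, minor) == (2, 78) and prerelease)
    if before_fix:
        for cve, summary, needs in FIXED_IN_278:
            if needs is None or opts & set(needs):
                found.append((cve, summary))
    return found


if __name__ == "__main__":
    # Constructed sample: an unpatched 2.77 with add-subnet configured.
    banner = "Dnsmasq version 2.77  Copyright (c) 2000-2017 Simon Kelley"
    config = "domain-needed\nadd-subnet=24,96\nserver=/corp.example/10.0.0.53\n"
    for cve, summary in applicable(banner, config):
        print(cve, "-", summary)
```

Run it against the output of `dnsmasq --version` and the concatenation of /etc/dnsmasq.conf and /etc/dnsmasq.d/*; remember that distribution packages backport fixes without bumping the version, so a banner-based check says "unpatched upstream version", not "exploitable". The four always-applicable entries are the ones to act on first; the two add_pseudoheader DoS bugs only matter when one of the listed options is actually in the config.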


[Dnsmasq-discuss] DNS server in DHCP reply

2017-10-02 Thread dnsmasqyq . xpt
My dnsmasq acts as both DNS server and DHCP server (I've disabled the
DHCP/DNS service in my router). However, this is my `resolv.conf`:


$ cat /etc/resolv.conf
# Generated by NetworkManager
search my.dns.name
nameserver 127.0.1.1

I.e., the `nameserver` in `resolv.conf` is not pointing to my DHCP/DNS
server. It should be set up according to the proper DHCP reply, right? How
can I tell my dnsmasq to give a proper DHCP reply so as to point the DNS server
to my home DHCP/DNS server?

Thx
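A way to check what the DHCP reply actually advertises, added as an example that is not part of the post: the script decodes the options of a DHCPOFFER/DHCPACK payload (for instance the UDP payload of a packet captured with tcpdump) and reports option 6, the DNS server list, which in dnsmasq is set with `dhcp-option=option:dns-server,<addr>`. The DHCPACK below is constructed, with an assumed server at 192.168.8.1 assigning 192.168.8.50.

```python
"""Decode the DNS-server option (6) and friends from a DHCP reply.

Added example, not from the post. The sample packet is constructed.
"""

import socket
import struct
from typing import Dict, List

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPTION_NAMES = {1: "subnet-mask", 3: "router", 6: "dns-server", 15: "domain-name",
                51: "lease-time", 53: "message-type", 54: "server-identifier"}
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_options(payload: bytes) -> Dict[int, bytes]:
    """Return {code: data} for the options of a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (no magic cookie)")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option %d runs past end of packet" % code)
        opts[code] = opts.get(code, b"") + data   # RFC 3396: repeats concatenate
        i += 2 + length
    return opts


def addresses(data: bytes) -> List[str]:
    """Decode a run of IPv4 addresses (options 3, 6, 54, ...)."""
    if len(data) % 4:
        raise ValueError("address option length not a multiple of 4")
    return [socket.inet_ntoa(data[j:j + 4]) for j in range(0, len(data), 4)]


def dns_servers(payload: bytes) -> List[str]:
    """The DNS servers the reply tells the client to use (option 6)."""
    return addresses(parse_options(payload).get(6, b""))


def summarize(payload: bytes) -> Dict[str, object]:
    """Human-readable view of the options a client acts on."""
    opts = parse_options(payload)
    out: Dict[str, object] = {}
    if 53 in opts:
        out["message-type"] = MESSAGE_TYPES.get(opts[53][0], opts[53][0])
    for code in (54, 3, 6):
        if code in opts:
            out[OPTION_NAMES[code]] = addresses(opts[code])
    if 15 in opts:
        out["domain-name"] = opts[15].decode("ascii", "replace")
    if 51 in opts:
        out["lease-time"] = struct.unpack("!I", opts[51])[0]
    return out


def _opt(code: int, data: bytes) -> bytes:
    return bytes([code, len(data)]) + data


def build_sample_ack() -> bytes:
    """Constructed DHCPACK: server 192.168.8.1 assigns 192.168.8.50."""
    ip = socket.inet_aton
    header = struct.pack("!BBBBIHH4s4s4s4s",
                         2, 1, 6, 0,             # op=BOOTREPLY, htype=ethernet, hlen, hops
                         0x3903F326, 0, 0,       # xid, secs, flags
                         ip("0.0.0.0"), ip("192.168.8.50"),   # ciaddr, yiaddr
                         ip("192.168.8.1"), ip("0.0.0.0"))    # siaddr, giaddr
    header += bytes(16) + bytes(64) + bytes(128)   # chaddr, sname, file
    options = (_opt(53, b"\x05") + _opt(54, ip("192.168.8.1")) +
               _opt(51, struct.pack("!I", 86400)) + _opt(1, ip("255.255.255.0")) +
               _opt(3, ip("192.168.8.1")) + _opt(6, ip("192.168.8.1")) +
               _opt(15, b"my.dns.name") + b"\xff")
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    print(summarize(build_sample_ack()))
```

If option 6 in the real reply already carries the dnsmasq host's address, the server side is fine and the 127.0.1.1 entry in the poster's resolv.conf is being written by the client side (the file says "Generated by NetworkManager"), which is a separate thing to chase from the DHCP configuration.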