Re: [Dnsmasq-discuss] Separate logging facilities for dns queries and "standard" logs

2019-12-12 Thread Simon Kelley
On 12/11/2019 20:04, Diane wrote:
> Hello,
> 
> I have a need regarding Dnsmasq:
> 
> I want to have "standard" (i.e. logs that are enabled by default) logs
> in syslog, and I also want to retrieve every DNS query / config /
> response, as to be able to build some stats on them.
> 
> I have the following constraints that make using the current
> implementation unusable for this need:
> 
> - I don't want to pollute syslog with DNS query logs *at all*, but
> journald still doesn't provide a way to properly filter / redirect logs;
> - I still want to have my standard dnsmasq logs in the syslog;
> - I don't want to depend on the underlying syslog implementation (being
> rsyslog, syslog-ng, or anything else), partly due to the fact that this
> need is encountered on multiple linux distros with their own syslog
> choice;
> - Some of those log facilities may not support log dropping (i.e.
> keeping "standard" logs, and dropping every redirected log).
> 
> Now, I'm trying to find some solutions.
> 
> Would the best way really be to have a small log facility daemon
> running for this specific process? That seems cumbersome.
> 
> The configuration key `log-queries` exists, wouldn't it be possible to
> add the following behaviour?
> 
> - If `log-queries=` is defined but has an empty value, use the current
> behaviour;
> - If `log-queries=` points towards a filesystem path, exclusively write
> query logs into the given file;
> - If `log-queries=` is equal to, let's say "syslog", or a non-
> filesystem value (e.g. a syslog id), write query logs into the used
> syslog, but with *a different process key*, as to defer log handling,
> but as to avoid mixing both logs.
> 
> Any idea or solution for this issue?
> 
> 

One possibility would be to ignore the logging facility entirely, and
use the packet-dump options to write the queries and/or answers in pcap
format to a file which you could then run through tcpdump or a DNS
packet analyser of your choice, see the --dumpfile option for details.


Simon.




___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Segmentation fault when providing invalid --dhcp-match command line option

2019-12-12 Thread Simon Kelley
On 03/12/2019 22:52, Klaus Eisentraut wrote:
> Hi,
> 
> I recently did some fuzzing with afl-fuzz in the config file parsing
> part of dnsmasq. I know it is not very useful, but it was very easy to
> start with.
> 
> Anyway, I found a (non-exploitable) crash in dnsmasq which can be
> triggered by providing an invalid configuration file or an invalid
> command line option. In order to reproduce it, just run
> 
>   dnsmasq --dhcp-match=a,120,
> 
> The bug is in line 1473 of option.c where the statement "m[0] = 0" is
> executed while m is set to NULL.
> 
>> (gdb) run --dhcp-match=a,120,
>> Starting program: dnsmasq --dhcp-match=a,120,
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x5556aaf8 in parse_dhcp_opt (errstr=0x555c06b0 "",
>> arg=0x555c02a6 "", flags=128) at option.c:1473
>> 1473 m[0] = 0;
>> (gdb) p m
>> $1 = (unsigned char *) 0x0
> 
> Is this interesting for you at all?

It is. Fix committed.


Cheers,

Simon.



Re: [Dnsmasq-discuss] [PATCH] Remove empty trailing lines

2019-12-12 Thread Geert Stappers
On Sun, Oct 13, 2019 at 11:37:15PM +0200, Geert Stappers wrote:
> From: Geert Stappers 
> 
> Several .c files have empty lines at their end.
> Because there is no need to keep them, they are now removed.

Find attached the same patch.

The purpose of this patch retransmit is getting it reviewed.


Regards
Geert Stappers

From 372bed26359ec62f2746a81d08f54133a89c6491 Mon Sep 17 00:00:00 2001
From: Geert Stappers 
Date: Sun, 13 Oct 2019 23:05:42 +0200
Subject: [PATCH 1/4] Remove empty trailing lines

Several .c files have empty lines at their end.
Because there is no need to keep them, they are now removed.
---
 src/arp.c   | 2 --
 src/auth.c  | 3 ---
 src/blockdata.c | 1 -
 src/bpf.c   | 2 --
 src/cache.c | 2 --
 src/conntrack.c | 3 ---
 src/dhcp6.c | 2 --
 src/dnsmasq.c   | 2 --
 src/forward.c   | 5 -
 src/helper.c| 3 ---
 src/inotify.c   | 1 -
 src/lease.c | 4 
 src/netlink.c   | 2 --
 src/network.c   | 5 -
 src/rfc2131.c   | 7 ---
 15 files changed, 44 deletions(-)

diff --git a/src/arp.c b/src/arp.c
index 6cfe014..66ecfb5 100644
--- a/src/arp.c
+++ b/src/arp.c
@@ -230,5 +230,3 @@ int do_arp_script_run(void)
 
   return 0;
 }
-
-
diff --git a/src/auth.c b/src/auth.c
index 854af0d..f12ce4d 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -863,6 +863,3 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 }
   
 #endif  
-  
-
-
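Review bot: trailing whitespace survives on the context lines this hunk keeps: the whitespace-only line after `}` and the `#endif  ` line both end in spaces. Since the commit message describes the change as removing empty lines at end of file, either leave those as they are and say so, or extend the hunk to strip the trailing spaces too, so reviewers know which scope was intended.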
diff --git a/src/blockdata.c b/src/blockdata.c
index e6e625f..89a049d 100644
--- a/src/blockdata.c
+++ b/src/blockdata.c
@@ -174,4 +174,3 @@ struct blockdata *blockdata_read(int fd, size_t len)
 {
   return blockdata_alloc_real(fd, NULL, len);
 }
-
diff --git a/src/bpf.c b/src/bpf.c
index 982318d..6561f1a 100644
--- a/src/bpf.c
+++ b/src/bpf.c
@@ -440,5 +440,3 @@ void route_sock(void)
 }
 
 #endif /* HAVE_BSD_NETWORK */
-
-
diff --git a/src/cache.c b/src/cache.c
index 6168073..a360469 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -1967,5 +1967,3 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg)
   else
 my_syslog(LOG_INFO, "%s %s %s %s", source, name, verb, dest);
 }
-
- 
diff --git a/src/conntrack.c b/src/conntrack.c
index d41de54..a11fedd 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -83,6 +83,3 @@ static int callback(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, vo
 }
 
 #endif
-  
-
-
diff --git a/src/dhcp6.c b/src/dhcp6.c
index ce682db..1a2085d 100644
--- a/src/dhcp6.c
+++ b/src/dhcp6.c
@@ -827,5 +827,3 @@ void dhcp_construct_contexts(time_t now)
 }
 
 #endif
-
-
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 7842538..b635413 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -2082,5 +2082,3 @@ int delay_dhcp(time_t start, int sec, int fd, uint32_t addr, unsigned short id)
   return 0;
 }
 #endif
-
- 
diff --git a/src/forward.c b/src/forward.c
index e4745a3..f488b90 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -2405,8 +2405,3 @@ static unsigned short get_id(void)
   
   return ret;
 }
-
-
-
-
-
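Review bot: the whitespace-only context line kept at the top of this hunk (between the `@@` header and `return ret;`) still carries trailing spaces, so forward.c is not fully clean after this change; if the patch is meant as whitespace cleanup, strip that line's trailing spaces in the same commit rather than in a follow-up.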
diff --git a/src/helper.c b/src/helper.c
index 62ac9cf..97f0dfb 100644
--- a/src/helper.c
+++ b/src/helper.c
@@ -887,6 +887,3 @@ void helper_write(void)
 }
 
 #endif
-
-
-
diff --git a/src/inotify.c b/src/inotify.c
index 7107833..7d9c56b 100644
--- a/src/inotify.c
+++ b/src/inotify.c
@@ -295,4 +295,3 @@ int inotify_check(time_t now)
 }
 
 #endif  /* INOTIFY */
-  
diff --git a/src/lease.c b/src/lease.c
index 081d90e..58bd73e 100644
--- a/src/lease.c
+++ b/src/lease.c
@@ -1201,7 +1201,3 @@ void lease_add_extradata(struct dhcp_lease *lease, unsigned char *data, unsigned
 #endif
 
 #endif
-	  
-
-  
-
diff --git a/src/netlink.c b/src/netlink.c
index eaa772d..91913ac 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -367,5 +367,3 @@ static void nl_async(struct nlmsghdr *h)
 queue_event(EVENT_NEWADDR);
 }
 #endif
-
-  
diff --git a/src/network.c b/src/network.c
index c1077b4..aed820d 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1683,8 +1683,3 @@ void newaddress(time_t now)
 lease_find_interfaces(now);
 #endif
 }
-
-
-
-
-
diff --git a/src/rfc2131.c b/src/rfc2131.c
index 0058747..35b792f 100644
--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -2743,10 +2743,3 @@ static void apply_delay(u32 xid, time_t recvtime, struct dhcp_netid *netid)
 }
 
 #endif
-  
-
-  
-  
-
-
-  
-- 
2.1.4



Re: [Dnsmasq-discuss] "--all-servers" always on?

2019-12-12 Thread John Siu
I see. I did a rapid chain of dig in one line and see the behavior you
described. Thank you for the explanation!!


On Thu, Dec 12, 2019 at 1:16 PM Simon Kelley  wrote:
>
> By default, dnsmasq sends a query to all the upstream servers over 50
> queries or every 20 seconds. If you're testing and doing queries slowly,
> the 20 second rule can make it look like _every_ query gets broadcast.
>
> If this is a problem, you can edit src/config.h and recompile.
>
>
> #define FORWARD_TEST 50 /* try all servers every 50 queries */
> #define FORWARD_TIME 20 /* or 20 seconds */
>
>
>
> Cheers,
>
> Simon.
>
>
> On 10/12/2019 16:41, John Siu wrote:
> > You will need "log-queries=extra" in config to see it. Then use
> > nslookup/dig to different domains.
> >
> > On Tue, Dec 10, 2019 at 11:35 AM John Siu  wrote:
> >>
> >> I see it doing it for every single request.
> >>
> >> On Tue, Dec 10, 2019 at 11:12 AM Simon Rettberg
> >>  wrote:
> >>>
> >>> Am Mon, 9 Dec 2019 11:58:22 -0500
> >>> schrieb John Siu :
> >>>
> >>> dnsmasq sends queries to all servers occasionally to determine which
> >>> one replies fastest, and then keeps using that one exclusively for a
> >>> while. Do you see every single query sent to all servers, or just the
> >>> first one after restarting dnsmasq?
> >>>
> >>> - Simon
> >>>
>  OS: Ubuntu 18.04 with all updates
>  dnsmasq version: 2.79-1
> 
>  According to man page:
> 
>  --all-servers
>  By default, when dnsmasq has more than one upstream server
>  available, it will send queries to just one server. Setting this flag
>  forces dnsmasq to send all queries to all available servers. The
>  reply  from  the  server which  answers first will be returned to the
>  original requester.
> 
>  I don't have that flag in command line or in the config file. However
>  with "log-queries=extra" in config file, I am seeing following:
> 
>  Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 query[A]
>  news.com from 10.10.10.101
>  Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
>  news.com to 2001:1998:f00:2::1
>  Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
>  news.com to 2001:1998:f00:1::1
>  Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
>  news.com to 2606:4700:4700::1001
>  Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
>  news.com to 2606:4700:4700::
>  Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
>  news.com to 2001:4860:4860::8844
>  Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
>  news.com to 2001:4860:4860::
>  Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
>  news.com to 209.18.47.63
>  Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
>  news.com to 209.18.47.62
>  Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
>  news.com to 209.18.47.61
>  Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
>  news.com to 1.0.0.1
>  Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
>  news.com to 1.1.1.1
>  Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
>  news.com to 8.8.4.4
>  Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
>  news.com to 8.8.8.8
>  Dec 09 11:29:25 door dnsmasq[9403]: 3640 10.10.10.101/49351 reply
>  news.com is 35.190.79.82
> 
>  Is --all-servers behavior changed to default on? Is there a way to
>  revert it?
> 
>  Thank you!
> 
>  John Siu
> >>>
> >
> >
>
>



Re: [Dnsmasq-discuss] Overriding DNS server for the guest WiFi interface

2019-12-12 Thread Geert Stappers
On Thu, Dec 12, 2019 at 08:44:31AM +0100, Geert Stappers wrote:
> On 12-12-2019 04:52, Old account wrote:
> 
> > Hi,
> >
> > I have an RT-N56U (I'm using a Padavan firmware for some context)
> > router with an isolated guest wifi setup for my IOT devices. This
> > guest network is both AP clients and LAN isolated, which I confirmed
> > to be true. I have the DNS set to pihole 192.168.1.100 for my entire
> > network, but I'd like any clients that are connected to the guest wifi
> > to use 8.8.8.8 since it's not possible for any of the guest clients to
> > communicate with the pihole.
> >
> > I've been able to do this by manually tagging all of my iot devices
> > one by one with:
> > dhcp-host=XX:XX:XX:XX:XX:XX,set:dnsoverride
> > dhcp-option=tag:dnsoverride,option:dns-server,8.8.8.8
> >
> > This works on any devices that I've tagged with dnsoverride, but it's
> > host-dependent rather than interface dependent.
> >
> > I've confirmed that the 2.4GHz wifi interface is rai1 with ifconfig
> > and based on the firmware docs:
> > https://bitbucket.org/padavan/rt-n56u/wiki/EN/CommonTips#!what-are-the-existing-network-interfaces-transcript-naming-interfaces.
> > I've tried the following without success - it seems like it gets
> > ignored for any clients connecting to the guest network:
> > - dhcp-option=tag:rai1,option:dns-server,8.8.8.8
> > - dhcp-option=interface:rai1,option:dns-server,8.8.8.8
> > - dhcp-option=rai1,option:dns-server,8.8.8.8
> >
> > Is it not possible to set the dns server based on the interface?
> >
> Yes, it is possible.
> 
> But I don't have the correct syntax at hand. The mailing list archive has,
> within the last four, maybe six, weeks, a report of successfully tagging
> on interface name.

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q4/013501.html



Re: [Dnsmasq-discuss] "--all-servers" always on?

2019-12-12 Thread Simon Kelley
By default, dnsmasq sends a query to all the upstream servers over 50
queries or every 20 seconds. If you're testing and doing queries slowly,
the 20 second rule can make it look like _every_ query gets broadcast.

If this is a problem, you can edit src/config.h and recompile.


#define FORWARD_TEST 50 /* try all servers every 50 queries */
#define FORWARD_TIME 20 /* or 20 seconds */



Cheers,

Simon.


On 10/12/2019 16:41, John Siu wrote:
> You will need "log-queries=extra" in config to see it. Then use
> nslookup/dig to different domains.
> 
> On Tue, Dec 10, 2019 at 11:35 AM John Siu  wrote:
>>
>> I see it doing it for every single request.
>>
>> On Tue, Dec 10, 2019 at 11:12 AM Simon Rettberg
>>  wrote:
>>>
>>> Am Mon, 9 Dec 2019 11:58:22 -0500
>>> schrieb John Siu :
>>>
>>> dnsmasq sends queries to all servers occasionally to determine which
>>> one replies fastest, and then keeps using that one exclusively for a
>>> while. Do you see every single query sent to all servers, or just the
>>> first one after restarting dnsmasq?
>>>
>>> - Simon
>>>
 OS: Ubuntu 18.04 with all updates
 dnsmasq version: 2.79-1

 According to man page:

 --all-servers
 By default, when dnsmasq has more than one upstream server
 available, it will send queries to just one server. Setting this flag
 forces dnsmasq to send all queries to all available servers. The
 reply  from  the  server which  answers first will be returned to the
 original requester.

 I don't have that flag in command line or in the config file. However
 with "log-queries=extra" in config file, I am seeing following:

 Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 query[A]
 news.com from 10.10.10.101
 Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
 news.com to 2001:1998:f00:2::1
 Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
 news.com to 2001:1998:f00:1::1
 Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
 news.com to 2606:4700:4700::1001
 Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
 news.com to 2606:4700:4700::
 Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
 news.com to 2001:4860:4860::8844
 Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
 news.com to 2001:4860:4860::
 Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
 news.com to 209.18.47.63
 Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
 news.com to 209.18.47.62
 Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
 news.com to 209.18.47.61
 Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
 news.com to 1.0.0.1
 Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
 news.com to 1.1.1.1
 Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
 news.com to 8.8.4.4
 Dec 09 11:29:24 door dnsmasq[9403]: 3640 10.10.10.101/49351 forwarded
 news.com to 8.8.8.8
 Dec 09 11:29:25 door dnsmasq[9403]: 3640 10.10.10.101/49351 reply
 news.com is 35.190.79.82

 Is --all-servers behavior changed to default on? Is there a way to
 revert it?

 Thank you!

 John Siu
>>>
> 
> 


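A small model of the rule Simon describes (all upstreams every FORWARD_TEST queries or once FORWARD_TIME seconds have passed), added here as an illustration and not taken from dnsmasq's own forward.c: it shows why queries issued more than 20 seconds apart all appear to be broadcast, while a burst shows one fan-out per 50 queries. `fwd_state`, `forward_to_all` and `simulate_spaced` are names of this model, not dnsmasq identifiers.

```c
#include <stddef.h>
#include <time.h>

/* Constants as given in src/config.h in the thread. */
#define FORWARD_TEST 50 /* try all servers every 50 queries */
#define FORWARD_TIME 20 /* or 20 seconds */

/* Model state (hypothetical; dnsmasq tracks more than this). */
struct fwd_state {
    unsigned queries_since_test; /* queries sent to the preferred server since the last fan-out */
    time_t   last_test;          /* when the last fan-out happened */
};

/* Decide whether the query arriving at 'now' goes to every upstream (1)
 * or only to the currently preferred one (0).  Both the counter and the
 * timer reset whenever a fan-out happens. */
int forward_to_all(struct fwd_state *s, time_t now)
{
    s->queries_since_test++;
    if (s->queries_since_test >= FORWARD_TEST ||
        difftime(now, s->last_test) >= FORWARD_TIME) {
        s->queries_since_test = 0;
        s->last_test = now;
        return 1;
    }
    return 0;
}

/* Run n queries 'interval' seconds apart, starting from a state whose last
 * fan-out was at the (constructed) time 1000, and return how many of the
 * n queries were sent to all servers. */
unsigned simulate_spaced(unsigned n, unsigned interval)
{
    struct fwd_state s = { 0, 1000 };
    time_t now = 1000;
    unsigned fanned = 0;
    for (unsigned i = 0; i < n; i++) {
        now += interval;
        fanned += (unsigned)forward_to_all(&s, now);
    }
    return fanned;
}
```

Ten queries 25 seconds apart are all fanned out (the timer fires every time), while 100 back-to-back queries produce only two fan-outs.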


Re: [Dnsmasq-discuss] How to update ipv6 for own interface? (Updated info)

2019-12-12 Thread Simon Kelley
On 10/12/2019 03:31, John Siu wrote:
> Ok, let me elaborate more.
> 
> I have following setup:
> 
> Linux router server:
> - OS: Ubuntu 18.04
> - wide-dhcp-client on external(internet facing) nic
> - dnsmasq on lan interface(hostname: router) as dns, ipv4 + ipv6 dhcp
> - lan interface IPv6 configured by wide-dhcp-client, IPv4
> static(172.16.168.1) via netplan
> - internal domain: int.johnsiu.com (configured in
> dnsmasq)
> 
> Servers on LAN
> - a couple of Mac and Linux machines on the LAN network
> - all have static dhcp ipv4 from dnsmasq.
> - all have ipv4 entry in router /etc/hosts
> 
> dnsmasq is able to resolve DNS for all Linux machines for both IPv4
> and IPv6, e.g.:
> 
> ssh -4 test.int.johnsiu.com 
> ssh -6 test.int.johnsiu.com 
> 
> However, this does not work for the router lan interface. I already did
> following:
> 
> In /etc/hosts:
> 
>   172.16.168.1 router
> 
> In /etc/dnsmasq.d/lan.conf, I have following lines for router:
> 
>   dhcp-host=e2:1d:6b:2d:33:e7,172.16.168.1,router,infinite
> 
> While "ssh -4 router.int.johnsiu.com "
> works, "ssh -6 router.int.johnsiu.com "
> doesn't.
> 
> Is there a way to make it happen?
> 
>

There is indeed.

interface-name=router,

Unless specifically configured otherwise, this works for IPv4 and IPv6,
so your partial solution is no longer required.

Cheers,

Simon.






Re: [Dnsmasq-discuss] error: not giving name to the DHCP lease because the name exists in /etc/hosts

2019-12-12 Thread Simon Kelley


There's probably an existing lease for 192.168.0.121. Depending on
exactly how the client behaves, these can be difficult to get rid of.
Clearing the leases file is also more difficult than it might seem.


TL;DR If it's working now, that's fine. Ignore it.


Simon.


On 10/12/2019 03:30, isidore.ler...@free.fr wrote:
> Dear all
> 
> I have been trying to resolve that issue for the past 2 days.
> 
> I am using dnsmasq for DNS and DHCP, and using the hosts file to statically
> assign IPs to known hosts.
> 
> It doesn't work with the following error message:
> 
> "not giving name myhost.example.com to the DHCP lease of 192.168.0.121 
> because the name exists in /etc/hosts with address 192.168.0.7"
> 
> I have cleared the leases file.
> 
> If I add the host in the conf file, it works:
> 
> "dhcp-host=myhost,192.168.0.7"
> 
> /etc/dnsmasq.conf
> 
> #***
> listen-address=127.0.0.1
> listen-address=192.168.0.1
> 
> server=127.0.0.1 #dnsmasq
> server=208.67.222.222 #OpenDNS
> server=208.67.220.220 #OpenDNS
> 
> interface=eno2
> port=53
> bind-interfaces
> dhcp-authoritative
> 
> domain=example.com
> local=/example.com/
> 
> dhcp-option=eno2,3,192.168.0.1 # gateway
> dhcp-option=eno2,6,192.168.0.1 # DNS
> dhcp-range=eno2,192.168.0.100,192.168.0.254,24h # DHCP
> 
> domain-needed
> expand-hosts
> 
> no-poll
> no-resolv
> bogus-priv
> #***
> 
> /etc/hosts
> 
> #***
> 192.168.0.7  myhost
> #***
> 
> Thanks
> 
> 




Re: [Dnsmasq-discuss] Out-of-bound heap write when parsing invalid --dhcp-mac option

2019-12-12 Thread Simon Kelley
On 10/12/2019 00:01, Klaus Eisentraut wrote:
> Hi,
> 
> I found another crash in parsing code of a configuration file or command
> line options. To reproduce it, simply run
> 
>   dnsmasq --dhcp-mac=,A...A
> 
> with "a lot of" A (>=89 with dnsmasq 2.80 on Linux 5.4.2-arch1-1). If
> you run dnsmasq without Address Sanitizer (ASAN), it won't crash
> immediately, but instead overwrite glibc metadata and crash later on:
> 
>> $ dnsmasq --dhcp-mac=,A...A
>> malloc(): invalid next size (unsorted)
>> Terminated (core dumped)
> 
> If you compile & run it with -fsanitize=address, you can see the actual
> root cause:
> 
>> $ ./dnsmasq-asan --dhcp-mac=,A...A
>> =
>> ==32920==ERROR: AddressSanitizer: heap-buffer-overflow on address
>> 0x60600118 at pc 0x55f58e931e2d bp 0x7ffc8a3af1a0 sp
>> 0x7ffc8a3af190
>> WRITE of size 1 at 0x60600118 thread T0
>>  #0 0x55f58e931e2c in parse_hex /tmp/dnsmasq/src/util.c:573
>>  #1 0x55f58e95d6b9 in one_opt /tmp/dnsmasq/src/option.c:3690
>>  #2 0x55f58e992879 in read_opts /tmp/dnsmasq/src/option.c:5045
>>  #3 0x55f58e8e198e in main /tmp/dnsmasq/src/dnsmasq.c:95
>>  #4 0x7f1fff40d152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
>>  #5 0x55f58e8edfbd in _start (/home/klaus/dnsmasq-fuzzing/src/dnsmasq-
>> asan+0x2ffbd)
>>
>> 0x60600118 is located 0 bytes to the right of 56-byte region
>> [0x606000e0,0x60600118)
>> allocated by thread T0 here:
>>   #0 0x7f1fff6bdcd8 in __interceptor_calloc /build/gcc/src
>> /gcc/libsanitizer/asan/asan_malloc_linux.cc:153
>>#1 0x55f58e92e5a8 in safe_malloc /tmp/dnsmasq/src/util.c:278
>>
>> SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/dnsmasq
>> /src/util.c:573 in parse_hex
> 
> From a quick grep in the code, there may be other, more interesting ways
> to reach the parse_hex(...) function, too.
> 
>

Thanks for finding that. None of the uses of parse_hex is with untrusted
data, so this is an annoyance, not a security hole.

Patch pushed to git.


Cheers,

Simon.


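As an added illustration of the failure mode in the report (not dnsmasq's parse_hex or its fix), a hex parser that checks the destination size before every store, so an over-long `--dhcp-mac`-style argument is rejected instead of writing past the end of a heap buffer. `hexval`, `parse_hex_bounded` and `reject_oversized` are names chosen here, and the 120-character input and 56-byte buffer are constructed to mirror the report.

```c
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse hex digits, optionally ':'-separated between whole bytes
 * ("00:11:22:33:44:55" or "001122334455"), into out[0..outlen).
 * Returns the number of bytes written, or -1 on a non-hex character,
 * an odd digit count, or input that would need more than outlen bytes.
 * The bound is checked before each store; that check is what a parser
 * with the reported bug lacks. */
int parse_hex_bounded(const char *in, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    int hi = -1;                     /* pending high nibble, -1 if none */
    for (; *in; in++) {
        if (*in == ':') {
            if (hi >= 0) return -1;  /* separator in the middle of a byte */
            continue;
        }
        int v = hexval((unsigned char)*in);
        if (v < 0) return -1;
        if (hi < 0) { hi = v; continue; }
        if (n >= outlen) return -1;  /* would overflow the caller's buffer */
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    return hi >= 0 ? -1 : (int)n;    /* trailing lone nibble is an error */
}

/* Constructed check mirroring the report: 120 'A's (60 bytes of output)
 * aimed at a 56-byte region.  Returns 1 if the input is rejected and the
 * guard byte placed just past the region is untouched. */
int reject_oversized(void)
{
    char input[121];
    unsigned char buf[57];
    memset(input, 'A', 120);
    input[120] = '\0';
    memset(buf, 0, sizeof buf);
    buf[56] = 0xEE;                  /* guard byte outside the 56-byte region */
    int r = parse_hex_bounded(input, buf, 56);
    return r == -1 && buf[56] == 0xEE;
}
```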


Re: [Dnsmasq-discuss] Overriding DNS server for the guest WiFi interface

2019-12-12 Thread Geert Stappers
On 12-12-2019 04:52, Old account wrote:

> Hi,
>
> I have an RT-N56U (I'm using a Padavan firmware for some context)
> router with an isolated guest wifi setup for my IOT devices. This
> guest network is both AP clients and LAN isolated, which I confirmed
> to be true. I have the DNS set to pihole 192.168.1.100 for my entire
> network, but I'd like any clients that are connected to the guest wifi
> to use 8.8.8.8 since it's not possible for any of the guest clients to
> communicate with the pihole.
>
> I've been able to do this by manually tagging all of my iot devices
> one by one with:
> dhcp-host=XX:XX:XX:XX:XX:XX,set:dnsoverride
> dhcp-option=tag:dnsoverride,option:dns-server,8.8.8.8
>
> This works on any devices that I've tagged with dnsoverride, but it's
> host-dependent rather than interface dependent.
>
> I've confirmed that the 2.4GHz wifi interface is rai1 with ifconfig
> and based on the firmware docs:
> https://bitbucket.org/padavan/rt-n56u/wiki/EN/CommonTips#!what-are-the-existing-network-interfaces-transcript-naming-interfaces.
> I've tried the following without success - it seems like it gets
> ignored for any clients connecting to the guest network:
> - dhcp-option=tag:rai1,option:dns-server,8.8.8.8
> - dhcp-option=interface:rai1,option:dns-server,8.8.8.8
> - dhcp-option=rai1,option:dns-server,8.8.8.8
>
> Is it not possible to set the dns server based on the interface?
>
Yes, it is possible.

But I don't have the correct syntax at hand. The mailing list archive has,
within the last four, maybe six, weeks, a report of successfully tagging
on interface name.


Regards

Geert Stappers


