Re: [Dnsmasq-discuss] [PATCH] Fix HAVE_CRYPOHASH build and tune GOST/ECDSA usage

2021-04-14 Thread Simon Kelley
11-2012 > support at the moment. That draft doesn't seem to propose an update of RFC8624 to make 34.10-2001 MUST NOT and it suggests that 34.11-2012 will be MAY, so I think we're fine to leave the 2001 code for now, and implement 2012 when Nettle provides it. Cheers, Simon. > >

Re: [Dnsmasq-discuss] [PATCH] Fix potential untracked tcp_request sub-processes

2021-04-14 Thread Simon Kelley
On 14/04/2021 11:24, Tijs Van Buggenhout wrote: > > I did not test in combination with TFTP (whether new TFTP connections can be > handled while tcp_pids is depleted). > TFTP uses UDP and doesn't fork new processes, so it shouldn't be a problem. I can use a lot of file descriptors, but that

Re: [Dnsmasq-discuss] Booting WinPE on Legacy and UEFI mode

2021-04-13 Thread Simon Kelley
On 08/04/2021 09:42, David Müller wrote: > Hello > > I'm trying to use Dnsmasq to boot WinPE (both in legacy and UEFI mode) > over PXE based on the instructions on > https://docs.microsoft.com/en-us/windows/deployment/configure-a-pxe-server-to-load-windows-pe > > > While the same "boot.sdi" and

Re: [Dnsmasq-discuss] [PATCH v3] Support Cisco Umbrella/OpenDNS Device ID & Remote IP

2021-04-13 Thread Simon Kelley
Patch applied. Cheers, Simon. On 09/04/2021 20:46, Brian Hartvigsen wrote: > This is based on the information at > https://docs.umbrella.com/umbrella-api/docs/identifying-dns-traffic and > https://docs.umbrella.com/umbrella-api/docs/identifying-dns-traffic2 . > Using --umbrella by itself will

Re: [Dnsmasq-discuss] [PATCH] Fix HAVE_CRYPOHASH build and tune GOST/ECDSA usage

2021-04-13 Thread Simon Kelley
On 10/04/2021 15:57, Vladislav Grishenko wrote: > Hello, > >   > > Recent nettle version detection changes in dnsmasq 2.85 have brought > build regression with HAVE_CRYPTOHASH defined due no MIN_VERSION macro > is defined. That's not good. I committed a slightly more comprehensive clean up that

Re: [Dnsmasq-discuss] Eviction statistics is always zero

2021-04-12 Thread Simon Kelley
-2.rds.amazonaws.com>. 5 IN A > 10.0.4.23 > > ;; Query time: 49 msec > ;; SERVER: 172.0.0.1#53(172.0.0.1) > ;; WHEN: Mon Apr 12 12:55:08 UTC 2021 > ;; MSG SIZE  rcvd: 157 > > > Is CNAME not cached?  > > On Fri, Apr 9, 2021 at 10:46 PM Geert Stappers <mailto

Re: [Dnsmasq-discuss] Stateful DHCP and DNS for both IPv4 and IPv6

2021-04-09 Thread Simon Kelley
On 03/04/2021 10:22, Guillermo López Alejos via Dnsmasq-discuss wrote: > Hi!, > > I'm working on a dockerized deployment of dnsmasq for my local network > (the base image is Debian 10.8-slim). My goal is to achieve stateful > DHCP and DNS for both IPv4 and IPv6. ^

Re: [Dnsmasq-discuss] [PATCH v2] Support Cisco Umbrella/OpenDNS Device ID & Remote IP

2021-04-09 Thread Simon Kelley
Much better, thank you. One error I can see, inline below. O > + if (daemon->umbrella_device) { > +PUTSHORT(UMBRELLA_DEVICE, u); > +PUTLONG(daemon->umbrella_device >> 32, u) > +PUTLONG(daemon->umbrella_device & 0x, u) > This isn't going to work: you populate daemon->umbrell

Re: [Dnsmasq-discuss] [PATCH] Support Cisco Umbrella/OpenDNS Device ID & Remote IP

2021-04-09 Thread Simon Kelley
On 08/04/2021 09:52, john doe wrote: > On 4/8/2021 1:32 AM, Brian Hartvigsen wrote: >> >> >>> On Apr 7, 2021, at 15:48, Simon Kelley wrote: >>> >>> 1) the version field is set to zero, but >>> https://docs.umbrella.com/umbrella-api/doc

Re: [Dnsmasq-discuss] [PATCH] Add DHCP6REPLY for DHCP6REBIND

2021-04-09 Thread Simon Kelley
On 09/04/2021 08:30, liaichun wrote: >> On Apr 8, 2021, at 16:01, Simon Kelley wrote: >>> Before this, we receive a DHCP6REBIND request and do not reply. >>> We should increase the number of responses to such packets. >>> >> >> Not good to have o

Re: [Dnsmasq-discuss] [PATCH] Chomp file ends

2021-04-09 Thread Simon Kelley
Patch applied. Thanks. Simon. On 05/04/2021 21:42, Geert Stappers via Dnsmasq-discuss wrote: > From: Geert Stappers > > Removed empty lines from end of src/*.[ch] files. > If the new last line became '#endif' > was the condition of the '#if' added. > --- > src/arp.c| 2 -- > src/a

Re: [Dnsmasq-discuss] [PATCH] Fix potential untracked tcp_request sub-processes

2021-04-09 Thread Simon Kelley
On 09/04/2021 11:04, Tijs Van Buggenhout wrote: > Hi all, > > We are using dnsmasq as part of OpenWrt for a managed VPN solution. As soon > as > the VPN is up, all DNS requests are forwarded to an upstream DNS server over > the VPN. > > In case of VPN transmission problems there is a delay unt

Re: [Dnsmasq-discuss] [PATCH] Add DHCP6REPLY for DHCP6REBIND

2021-04-08 Thread Simon Kelley
On 08/04/2021 10:16, Aichun Li wrote: > From: liaichun > > Before this, we receive a DHCP6REBIND request and do not reply. > We should increase the number of responses to such packets. > Not good to have omitted this for so long. Thanks for the patch. Since most of the code is the same for DHC

Re: [Dnsmasq-discuss] Eviction statistics is always zero

2021-04-08 Thread Simon Kelley
On 08/04/2021 10:37, Leonardo da Mata wrote: > Hello, recently I've done some experiments with dnsmasq reaching 4k qps > and, even with a very small cache size of 100 entries, I can't see the > evictions stats to increase. It always stays at zero. > > I'm wondering if anyone can see this data on t

Re: [Dnsmasq-discuss] [PATCH] Support Cisco Umbrella/OpenDNS Device ID & Remote IP

2021-04-07 Thread Simon Kelley
On 07/04/2021 14:42, Petr Menšík wrote: > > By the way, couldn't --add-cpe-id be used? It seems to me it serves > exactly the same purpose. Search EDNS0_OPTION_NOMCPEID in src/edns0.c. > Could just --add-cpe-id="orgid:deviceid" be used? > Seems like every organisation that wants to mess with th

Re: [Dnsmasq-discuss] [PATCH] Support Cisco Umbrella/OpenDNS Device ID & Remote IP

2021-04-07 Thread Simon Kelley
On 07/04/2021 03:45, Brian Hartvigsen wrote: > This is based on the information at > https://docs.umbrella.com/umbrella-api/docs/identifying-dns-traffic and > https://docs.umbrella.com/umbrella-api/docs/identifying-dns-traffic2 . Using > --umbrella by itself will enable Remote IP reporting. This

[Dnsmasq-discuss] Announce: dnsmasq-2.85

2021-04-07 Thread Simon Kelley
I just released dnsmasq-2.85, available from https://thekelleys.org.uk/dnsmasq/dnsmasq-2.85.tar.gz CHANGELOG below. This release has a security fix which is mainly relevant to users of NetworkManager, see CVE-2021-3448 for details. Simon. version 2.85 Fix problem with DNS retries i

Re: [Dnsmasq-discuss] Query retried "out of nothing"

2021-04-07 Thread Simon Kelley
On 04/04/2021 16:54, Dominik wrote: > Hey Simon, > > I'm currently testing the tip of dnsmasq master and noticed the following: > When running the test http://test-ipv6.com/ I do see some queries being > retried seemingly without any indication. > > Example from the log: > > Apr 4 17:43:58 dnsm

Re: [Dnsmasq-discuss] [PATCH] Retry queries only after giving the upstream server some time to respond

2021-04-06 Thread Simon Kelley
On 06/04/2021 23:18, Simon Kelley wrote: > > I think we should try something like your patch but remove the > configurability, and limit the time to 1-2 seconds. > It's there. tagged as 2.85rc3 2.85 will be soon. Simon.

Re: [Dnsmasq-discuss] [PATCH] Retry queries only after giving the upstream server some time to respond

2021-04-06 Thread Simon Kelley
On 06/04/2021 19:49, Dominik Derigs wrote: > Hey Simon, > > your patch surely makes sense. > > On Mon, 2021-04-05 at 21:38 +0100, Simon Kelley wrote: >> Except that this all started because some clients don't retry from the >> same ID/source port and treating

Re: [Dnsmasq-discuss] [PATCH] Retry queries only after giving the upstream server some time to respond

2021-04-05 Thread Simon Kelley
On 05/04/2021 21:30, Dominik Derigs wrote: > To be even more precise: > > On Mon, 2021-04-05 at 22:16 +0200, Dominik Derigs wrote: >> This is the issue I'm concerned about. Some clients send the same >> query >> multiple times (they don't seem to have a local cache). > > These clients don't even

Re: [Dnsmasq-discuss] [PATCH] Retry queries only after giving the upstream server some time to respond

2021-04-05 Thread Simon Kelley
On 05/04/2021 21:16, Dominik Derigs wrote: > Hey Simon, > > On Mon, 2021-04-05 at 20:38 +0100, Simon Kelley wrote: >> Post 2.83, the second query would be combined with the first, which >> can only reduce upstream traffic. The change in 2.85 is that the second >>

Re: [Dnsmasq-discuss] [PATCH] Retry queries only after giving the upstream server some time to respond

2021-04-05 Thread Simon Kelley
On 05/04/2021 20:38, Simon Kelley wrote: > I'll put up a patch in the next hour or so. Dominik, please could you > see if it improves the upstream traffic rate? If I've misunderstood or > mis-analysed this, I'll certainly look at your approach. > Patch there now:

Re: [Dnsmasq-discuss] [PATCH] Retry queries only after giving the upstream server some time to respond

2021-04-05 Thread Simon Kelley
On 05/04/2021 16:46, Dominik Derigs wrote: > Hey all, > > I'm seeing a notable increase in upstream traffic with the current > dnsmasq release candidate. Some investigations have revealed that the > reason for this is the modified forwarding philosophy that *always* > triggers a retry whenever

Re: [Dnsmasq-discuss] Partial denial of service with dnsmasq on resource constrained systems

2021-04-01 Thread Simon Kelley
> > One other thing I saw while testing with large blocklists was a noticeable > latency increase, likely related to lookup times. I recall some discussion > on the ML where you mentioned work on a hash/tree solution was in > progress. Were those changes completed? > This seems to be the cru

Re: [Dnsmasq-discuss] 2.80 dnspooq v3 problem

2021-04-01 Thread Simon Kelley
On 31/03/2021 08:50, Petr Menšík wrote: > Hi Sunil, > > This is exactly the same issue I reported on thread [1]. Unfortunately > it hasn't got merged separately, but it should be patched by > CVE-2021-3448 fix [2]. It happens only when you have rp_filter set to 1. > The root cause of this is th

Re: [Dnsmasq-discuss] 2.80 dnspooq v3 problem

2021-03-30 Thread Simon Kelley
The only possibility I know is https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=04490bf622ac84891aad6f2dd2edf83725decdee Do you see the same problems with the 2.85rc releases? Simon. On 30/03/2021 12:33, sunil rathod wrote: > With dnspooq patch dns resolution fails when I configur

Re: [Dnsmasq-discuss] issues resolving a DNSSEC domain with dnsmasq 2.76 [2.80 as well]

2021-03-27 Thread Simon Kelley
ests [2] under work. Should we include them, shall I send > a patch for it? > > 1. https://github.com/InfrastructureServices/dnsmasq-tests > 2. https://github.com/InfrastructureServices/dnsmasq/tree/unittests > I'd love to have a unit test system as part of the dnsmasq code

Re: [Dnsmasq-discuss] Partial denial of service with dnsmasq on resource constrained systems

2021-03-27 Thread Simon Kelley
On 24/03/2021 19:55, Ian wrote: >   > > It seems that on resource constrained routers, it’s possible to execute > a non-critical denial of service attack against the router simply by > opening multiple tcp queries to dnsmasq, which then forks for each tcp > connection up to MAX_PROCS times, result

Re: [Dnsmasq-discuss] Support for older nettle 2.7

2021-03-27 Thread Simon Kelley
Patch applied. I also added a subsequent patch to use the new MIN_VERSION macro to replace an ad-hoc test. Simon. On 23/03/2021 14:49, Petr Menšík wrote: > Hi, > > I tried compilation on RHEL7 with nettle 2.7.1 and dnssec cannot be > enabled on that version. It took only few macro tweaks to com

Re: [Dnsmasq-discuss] Maybe another thinko in branch v2.85 master [PATCH]

2021-03-27 Thread Simon Kelley
Patch applied. Thanks both. Simon. On 23/03/2021 13:38, Petr Menšík wrote: > Of course it should. Thanks! I made more copy and paste mistakes in > replacing copy and paste code than I expected. > > Attached the fix and also one missing place, where it can be reused. > Checked three times for co

Re: [Dnsmasq-discuss] Cannot forward TCP query after v2.85rc1 (branch master)

2021-03-22 Thread Simon Kelley
Many thanks. Patch applied. Simon. On 22/03/2021 11:49, 黎醒聪 wrote: > Use dig to reproduce this bug, it will TCP timeout. > > dig example.com +tcp > > It should be introduced in commit 51f7bc924cbcdeb09cbb83249b70c121d1ffa31e > > I try to fix this typo and the TCP query w

Re: [Dnsmasq-discuss] Announce 2.85rc1 and security warning.

2021-03-21 Thread Simon Kelley
On 21/03/2021 12:12, Daniel via Dnsmasq-discuss wrote: > > Le 20/03/2021 à 22:55, Simon Kelley a écrit : >> >> On 20/03/2021 11:11, Daniel via Dnsmasq-discuss wrote: >>> Le 19/03/2021 à 23:37, Simon Kelley a écrit : >>>> On 18/03/2021 08:38, Daniel

Re: [Dnsmasq-discuss] issues resolving a DNSSEC domain with dnsmasq 2.76 [2.80 as well]

2021-03-20 Thread Simon Kelley
easier if they did, since backporting security fixes is often hard. The upcoming 2.85 release compiles without problem on a Buster system. Simon. > > # dnsmasq --version > Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley > Compile time options: IPv6 GNU-getopt DBus i18n I

Re: [Dnsmasq-discuss] Announce 2.85rc1 and security warning.

2021-03-20 Thread Simon Kelley
On 20/03/2021 11:11, Daniel via Dnsmasq-discuss wrote: > > Le 19/03/2021 à 23:37, Simon Kelley a écrit : >> On 18/03/2021 08:38, Daniel via Dnsmasq-discuss wrote: >>> Hello >>> >>> Le 17/03/2021 à 22:48, Simon Kelley a écrit : >>>> [...]

Re: [Dnsmasq-discuss] Announce 2.85rc1 and security warning.

2021-03-20 Thread Simon Kelley
>> >> 2) On *BSD this is moot anyway, since the index we're deriving is used >> for binding a UDP socket to an interface, and *BSD doesn't, as far as I >> know, have an equivalent of the SO_BINDTODEVICE linux ioctl, so it's not >> supported. Matthias, you can't test any code, since to do so you'

Re: [Dnsmasq-discuss] feature request : NXDOMAIN all domains on network

2021-03-19 Thread Simon Kelley
On 19/03/2021 16:23, dnsmasqlist2...@rscubed.com wrote: > > On Fri, 19 Mar 2021, James Feeney wrote: > >> On 3/17/21 7:19 PM, dnsmasqlist2...@rscubed.com wrote: > I would like to use it with the spamhaus DROP list (A list of bad > network blocks) to make all domains (known and currently u

Re: [Dnsmasq-discuss] Announce 2.85rc1 and security warning.

2021-03-19 Thread Simon Kelley
On 17/03/2021 23:53, Matthias Andree wrote: > Am 17.03.21 um 22:48 schrieb Simon Kelley: >> Please download >> >> https://thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.85rc1.tar.gz >> >> and test it thoroughly. Then look at the diff at > > Simon,

Re: [Dnsmasq-discuss] issues resolving a DNSSEC domain with dnsmasq 2.76

2021-03-19 Thread Simon Kelley
ennederland.nl to 208.67.220.220 >>> Mar 19 13:37:18 firewall01 dnsmasq[26888]: reply goededoelennederland.nl >>> is DNSKEY keytag 44143, algo 13 >>> Mar 19 13:37:18 firewall01 dnsmasq[26888]: dnssec-query[DNSKEY] >>> goededoelennederland.nl to 208.67.220.22

Re: [Dnsmasq-discuss] Announce 2.85rc1 and security warning.

2021-03-19 Thread Simon Kelley
On 18/03/2021 08:38, Daniel via Dnsmasq-discuss wrote: > Hello > > Le 17/03/2021 à 22:48, Simon Kelley a écrit : >> [...] >> >> https://thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.85rc1.tar.gz >> > > Thanks Simon. FYI I didn't get it c

Re: [Dnsmasq-discuss] Announce 2.85rc1 and security warning.

2021-03-17 Thread Simon Kelley
2.85 will go into Debian unstable on the day it's released and into testing after the normal delay. A backport to the 2.80 package in Buster will happen, but may take a little longer. Simon. On 17/03/2021 23:11, Amit wrote: > On Wed, Mar 17, 2021 at 2:55 PM Simon Kelley wrote: >>

[Dnsmasq-discuss] Announce 2.85rc1 and security warning.

2021-03-17 Thread Simon Kelley
I've just created the first release candidate for dnsmasq-2.85. Since 2.84 this has a couple of stand-alone configuration enhancements, a fix for DNS retries which addresses a regression in 2.84, and a large fix which addresses a historic error. Way back, when Dan Kaminsky revealed the birthday att

Re: [Dnsmasq-discuss] RDNSS lifetime support

2021-03-17 Thread Simon Kelley
ses them to write a resolv.conf file. Dnsmasq will read a resolv.conf file and re-read it when it changes, so that's fine. https://linux.die.net/man/8/rdnssd Cheers, Simon. > On Sun, Feb 28, 2021 at 2:23 PM Simon Kelley <mailto:si...@thekelleys.org.uk>> wrote: > >

Re: [Dnsmasq-discuss] feature request : NXDOMAIN all domains on network

2021-03-17 Thread Simon Kelley
On 15/03/2021 02:36, dnsmasqlist2...@rscubed.com wrote: > > Hello, > > Thanks for the many years of support for DNSMasq I have used it for a > long time as a filter for most of my machines and servers. > > Currently I think DNSMasq has the ability to sinkhole all domains on an > IP using the bog

Re: [Dnsmasq-discuss] dnsmasq to return NODATA for an A query

2021-03-17 Thread Simon Kelley
On 14/03/2021 14:35, Aaron Jones wrote: > On 07/03/2021 08:57, Geert Stappers via Dnsmasq-discuss wrote: >> --host-record=foo.example.org,NODATA,fd00::1 >> >> Says what is wanted. >> >> In `hosts` file >> >> fd00::1 foo.example.org >> NO4DATA foo.example.org >> >> and allow >> >> 192.168.0.

Re: [Dnsmasq-discuss] Client retries broken in 2.84

2021-03-12 Thread Simon Kelley
On 11/03/2021 11:19, Petr Menšík wrote: > Hi Simon and Nicholas, > > I think dnsmasq relying on driving retries by clients is not great > design. When clients start bombarding dnsmasq with requests, dnsmasq > will in turn bombard upstream server(s) too. It seems unnecessary to me. > And even wron

Re: [Dnsmasq-discuss] How to add AAAA record for host with dynamic prefix?

2021-03-12 Thread Simon Kelley
On 01/03/2021 20:40, Fred F wrote: > Hi, > > On Sun, 28 Feb 2021 at 18:07, Simon Kelley wrote: >> It's actually rather easy to add an address field, such that >> >> interface-name=laptop.thekelleys.org.uk,[::2],eth0/6 >> >> and eth0 having 1:2:3:4::

Re: [Dnsmasq-discuss] Problem with domain names containing 3 or more minus in a row

2021-03-12 Thread Simon Kelley
Dnsmasq can be linked with the IDN library, which deals with non-ascii characters in domain names and converts them to punycode. I suspect that the IDN library may well barf when given a name containing punycode already. dnsmasq -v should tell you if IDN is in use or not, in the compile time opti

Re: [Dnsmasq-discuss] [PATCH] Another regression from v2.83 on bound interfaces

2021-03-12 Thread Simon Kelley
So, networkmanager is specifying a source address or interface with its servers? Slightly worrying that that inhibits random ports and reduces security anyway. I don't think your patch makes it any worse. I think it's possible to iterate over all the servers that a query could have been sent to us

Re: [Dnsmasq-discuss] [PATCH] --bind-dynamic and fast netlink changes

2021-03-12 Thread Simon Kelley
Cool. I just pushed two commits. One to implement --log-debug and one to enable it for those messages. Simon. On 09/03/2021 00:01, Petr Menšík wrote: > Hi, > > --debug-log is good as well, whatever suits you more. > > On 3/2/21 6:49 PM, Simon Kelley wrote: >> On 01/03/20

Re: [Dnsmasq-discuss] First question(s)

2021-03-12 Thread Simon Kelley
On 12/03/2021 15:47, Ken Gillett via Dnsmasq-discuss wrote: > Only just discovered dnsmasq and planning to use it on my LAN, but have a > couple of initial questions I hope can be answered here:- > > I want to allocate all IP addresses from specified range, but provide DNS > names for some hosts

Re: [Dnsmasq-discuss] [PATCH] --bind-dynamic and fast netlink changes

2021-03-02 Thread Simon Kelley
On 01/03/2021 10:56, Petr Menšík wrote: > On 3/1/21 1:02 AM, Simon Kelley wrote: >> That looks sensible except for one thing. I wasn't sure about the >> logging in the first place, and having to add Yet Another Config Option >> to control it is the last straw; I thin

Re: [Dnsmasq-discuss] [PATCH] --bind-dynamic and fast netlink changes

2021-03-02 Thread Simon Kelley
On 02/03/2021 17:49, Simon Kelley wrote: > > Maybe we should have a new option to control debug-level logging. > Without that set my_syslog could just discard any calls with LOG_LEVEL > set to DEBUG (which is just the ones we're talking about, as far as I > can see, but cou

Re: [Dnsmasq-discuss] [PATCH] --bind-dynamic and fast netlink changes

2021-02-28 Thread Simon Kelley
ht be better with --log-async. User would have to use > --log-listen if interested in watching listeners changes. > - Patch 0004 - Obtain MTU only in case it would be used. Attempt to > reduce unnecessary syscall inside iface_enumerate loop in some cases. > > 1. https://github.com/Inf

Re: [Dnsmasq-discuss] RDNSS lifetime support

2021-02-28 Thread Simon Kelley
On 29/01/2021 09:23, Nguyen Ngo wrote: > Hello, > I was wondering if dnsmasq has support for the following RFC standard. I > couldn't find it anywhere in the documentation. > > RFC 8106 > Section 5.1 Recursive > DNS Server lifetime field. > Section

Re: [Dnsmasq-discuss] How to add AAAA record for host with dynamic prefix?

2021-02-28 Thread Simon Kelley
On 26/02/2021 15:54, Fred F wrote: > Hi Simon, > > thanks for your reply. Unfortunately ULA does not solve my problem, as > this host needs to be reachable through that address from the outside > world. And I'd like to use the DNS name as an alias in the firewall > (FreeBSD). So right now I am stu

Re: [Dnsmasq-discuss] Website and Dnsmasq pages

2021-02-28 Thread Simon Kelley
On 25/02/2021 14:27, - Neustradamus - wrote: > Hello Simon, > > Thanks for your last changes on the website! > > About the files currently in http://www.thekelleys.org.uk/dnsmasq/ > > It is possible: > - to move "all" into a subfolder and create a redirection to new place > - to rename the doc.h

Re: [Dnsmasq-discuss] [PATCH] --bind-dynamic and fast netlink changes

2021-02-24 Thread Simon Kelley
On 18/02/2021 11:56, Petr Menšík wrote: > Hi Simon and others, > > I have started checking behaviour of dnsmasq on fast netlink changes, > reported originally on RHEL7 bug[1]. Found commit 1627d577[2] helps a > lot on RHEL 7, which is already in current version. But for some reason, > even latest

Re: [Dnsmasq-discuss] DHCP hosts without active leaes not added to DNS cache

2021-02-23 Thread Simon Kelley
On 23/02/2021 09:13, Dominik Derigs wrote: > Hey list, > > When specifying a DHCP host like > > --dhcp-host=00:20:e0:3b:13:af,192.168.0.2,wap > > I'd expect dnsmasq to respond to `dig wap` with the IP address > `192.168.0.2`. Instead, NOERROR with empty answer RR is returned. > > Looking at

Re: [Dnsmasq-discuss] Client retries broken in 2.84

2021-02-22 Thread Simon Kelley
gets abandoned and client1 has to await client2s reply. In the meantime client3 ask for example.com.. Cheers, Simon. > Thanks, > Nick > > On Wed, Feb 17, 2021 at 4:03 PM Simon Kelley <mailto:si...@thekelleys.org.uk>> wrote: > > On 16/02/2021 00:42, Nichola

Re: [Dnsmasq-discuss] Website and Dnsmasq pages

2021-02-22 Thread Simon Kelley
On 23/01/2021 15:07, - Neustradamus - wrote: > Hello Simon, > > It is possible to rename https://thekelleys.org.uk/dnsmasq/doc.html to > https://thekelleys.org.uk/dnsmasq/index.html? > And create a redirection of doc.html to https://thekelleys.org.uk/dnsmasq/? https://thekelleys.org.uk/dnsmasq/

Re: [Dnsmasq-discuss] DKIM / DMARC emails.

2021-02-21 Thread Simon Kelley
folders. DMARC is a security standard for >>>>> accessing email authenticity. >>>>> >>>>> See my earlier patch: >>>>> - [PATCH v4] Connection track mark based DNS query filtering. >>>>> >>>>> Other mailing l

Re: [Dnsmasq-discuss] How to add AAAA record for host with dynamic prefix?

2021-02-18 Thread Simon Kelley
On 13/02/2021 19:22, Fred F wrote: > Dear all, > > I'd like to bump this question. Isn't there anybody who is using > dnsmasq in IPv6 networks with dynamic prefixes? > > Regards, > Frederik > > On Sat, 10 Oct 2020 at 16:59, Fred F wrote: >> >> Hi, >> >> I am using dnsmasq in an environment with

Re: [Dnsmasq-discuss] getting different responses from high traffic DNSmasq

2021-02-18 Thread Simon Kelley
On 18/02/2021 09:44, Boris Behrens wrote: > This happened after the update from v2.76 to v2.80 > > Is there a way how I can debug that deeper. The information you've given so far is useful, but not enough to allow someone to easily reproduce the problem, which is the key. Questions which need a

Re: [Dnsmasq-discuss] DKIM / DMARC emails.

2021-02-18 Thread Simon Kelley
>> >>> See my earlier patch: >>> - [PATCH v4] Connection track mark based DNS query filtering. >>> >>> Other mailing lists such as netfilter-de...@vger.kernel.org >>> do not share these DMARC problems. >>> >>> What is the preferred app

Re: [Dnsmasq-discuss] Temporary failure in name resolution when IPv6 is enabled

2021-02-17 Thread Simon Kelley
On 09/02/2021 04:08, Amit wrote: > On Wed, Feb 3, 2021 at 12:16 PM Geert Stappers wrote: >> > > [snip] > >> >> My guess: >> >> } } Where is the `ping www.google.com` done? >> } The ping is done at the end of the chain >> } } Where and how is IPv6 disabled? >> } Same machine, magic from Network

Re: [Dnsmasq-discuss] Client retries broken in 2.84

2021-02-17 Thread Simon Kelley
On 16/02/2021 00:42, Nicholas Mu wrote: > Hi,  > > I noticed a low level increase in DNS errors after upgrading to 2.84. > After doing some packet diving, it seems that retries behave differently > in the new version. For my testing, I'm using dnspython but I believe > this issue would affect any

Re: [Dnsmasq-discuss] DKIM / DMARC emails.

2021-02-17 Thread Simon Kelley
On 17/02/2021 13:54, Etan Kissling wrote: > When submitting a patch I noticed that the Dnsmasq mailing list modifies > the subject of the email (prefix [Dnsmasq-discuss]) as well as appends > 'Dnsmasq-discuss mailing list' information to the end of my message. > > These modifications break DKIM si

Re: [Dnsmasq-discuss] v2.84 temporary failure in name resolution when IPV6 is enabled

2021-02-03 Thread Simon Kelley
On 03/02/2021 01:57, Amit wrote: > I have been following discussions in "[Dnsmasq-discuss] v2.83 failed to > send packet: Network is unreachable" and was happy to hear it has been > resolved in dnsmasq v2.84-1 in debian testing. > > However, this still seems to affect me and I get the error: > >

Re: [Dnsmasq-discuss] Debian Buster Security Update?

2021-02-02 Thread Simon Kelley
In progress with the security team. Simon. On 02/02/2021 02:21, Andrew Miskell wrote: > That’s really up to the maintainer of the debian packages. I suspect they’ll > fix it at some point. > > Sent from my iPhone > >> On Feb 1, 2021, at 20:16, mailinglistno...@abwesend.de wrote: >> >> Hello

Re: [Dnsmasq-discuss] Announce: dnsmasq-2.84 - sort and semantic versioning

2021-02-01 Thread Simon Kelley
On 31/01/2021 11:21, Geert Stappers wrote: > > Besides not pretty, it is also not readable. > Plus '-k 1.6,1.6' looks very odd in that line. > > | sort -k1.2,1.5r -k1.6,1.7r -k1.8,1.9r -k1.10,1.11r > looks more "having a pattern" But it's wrong. The -k1.6,1.6 sorts on the first letter _after_

Re: [Dnsmasq-discuss] Announce: dnsmasq-2.84 - sort and semantic versioning

2021-02-01 Thread Simon Kelley
On 31/01/2021 19:27, Matthias Andree wrote: > Am 31.01.21 um 12:21 schrieb Geert Stappers: >> Lonnie Abelbeck's hint on another release was indeed very humble >> and very polite. And yes, he is right with expressing >> We do ourselves and the rest of mankind a favour by avoiding >> version string

Re: [Dnsmasq-discuss] DNSpooq v2.80 backport patch

2021-02-01 Thread Simon Kelley
Good spot. I've just posted version 3, which addresses this, and also includes the changes to the Makefile, stupidly omitted from v2. https://www.thekelleys.org.uk/dnsmasq/dnspooq-patches/2.80-dnspooq.patch.v3 Cheers, Simon. On 01/02/2021 22:25, WU, CHRIS wrote: >> The patch does address all

Re: [Dnsmasq-discuss] Announce: dnsmasq-2.84 - sort and semantic versioning

2021-01-29 Thread Simon Kelley
On 26/01/2021 16:55, M. Buecher wrote: > > > On 2021-01-26 17:41, M. Buecher wrote: >> On 2021-01-26 00:43, Lonnie Abelbeck wrote: On Jan 25, 2021, at 5:21 PM, Lonnie Abelbeck wrote: > Get it here: > > http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.84.tar.gz

Re: [Dnsmasq-discuss] DNSpooq v2.80 backport patch

2021-01-29 Thread Simon Kelley
On 28/01/2021 17:48, Dave M wrote: > Hi all, > > The DNSpooq disclosure contains a total of 7 CVEs. > > Can someone confirm that the patch backport for v2.80 published > at http://www.thekelleys.org.uk/dnsmasq/dnspooq-patches/2.80-dnspooq.patch.v2  > addresses all > of them? > > I guess the pref

[Dnsmasq-discuss] Announce: dnsmasq-2.84

2021-01-25 Thread Simon Kelley
Last week's 2.83 release has proved to have a regression. The symptoms are random log messages reporting "failure to send packet" and the DNS query associated with this is lost. Retries of the query do not fail, so the operational effect of this is minimal. To trigger the bug, dnsmasq has to be und

Re: [Dnsmasq-discuss] v2.83 failed to send packet: Network is unreachable - roadmap?

2021-01-24 Thread Simon Kelley
On 24/01/2021 22:12, Simon Kelley wrote: > On 24/01/2021 11:38, Matthias Andree wrote: >> Am 23.01.21 um 02:34 schrieb Lonnie Abelbeck: >>>> On Jan 22, 2021, at 4:33 PM, Simon Kelley wrote: >>>> >>>> Apologies about your wasted time. Once more with 2

Re: [Dnsmasq-discuss] v2.83 failed to send packet: Network is unreachable - roadmap?

2021-01-24 Thread Simon Kelley
On 24/01/2021 11:38, Matthias Andree wrote: > Am 23.01.21 um 02:34 schrieb Lonnie Abelbeck: >>> On Jan 22, 2021, at 4:33 PM, Simon Kelley wrote: >>> >>> Apologies about your wasted time. Once more with 2.84test3 ? >> Thanks Simon, 2.84test3 solves all "fail

Re: [Dnsmasq-discuss] [PATCH] Rename HAVE_NETTLEHASH to HAVE_CRYPTOHASH

2021-01-24 Thread Simon Kelley
On 24/01/2021 14:30, Vladislav Grishenko wrote: > Hi, > >   > > Commit 2024f9729713fd657d65e64c2e4e471baa0a3e5b “Support hash function > from nettle (only)” has introduced HAVE_NETTLEHASH option (thanks, Petr!). > But, I think, there's not much sense to bind feature name to specific > cryptolib be

Re: [Dnsmasq-discuss] v2.83 failed to send packet: Network is unreachable

2021-01-22 Thread Simon Kelley
Apologies about your wasted time. Once more with 2.84test3 ? Cheers, Simon On 22/01/2021 18:37, Hannu Nyman wrote: >> Update: I missed a case. > > > Possibly also something else. > > With 2.84test2, there are now three different errors: > > > Fri Jan 22 20:32:49 2021 daemon.info dnsmasq[120

Re: [Dnsmasq-discuss] v2.83 failed to send packet: Network is unreachable

2021-01-22 Thread Simon Kelley
Update: I missed a case. Simon. thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=12af2b171de0d678d98583e2190789e50e02 On 22/01/2021 17:47, Simon Kelley wrote: > On 22/01/2021 16:08, Hannu Nyman wrote: >> I bisected the dnsmasq commits, and looks like it is cause

Re: [Dnsmasq-discuss] v2.83 failed to send packet: Network is unreachable

2021-01-22 Thread Simon Kelley
On 22/01/2021 16:08, Hannu Nyman wrote: > I bisected the dnsmasq commits, and looks like it is caused by this: > > 15b60ddf935a531269bb8c68198de012a4967156  FAIL > 824461192ca5098043f9ca4ddeba7df1f65b30ba  Ok ? > > http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=15b60ddf935a531269bb8c68

Re: [Dnsmasq-discuss] v2.83 failed to send packet: Network is unreachable

2021-01-22 Thread Simon Kelley
On 22/01/2021 02:14, Steve Hirsch wrote: > Hi Lonnie, > >   > > I am also seeing an occasional “failed to send packet: Address family > not supported by protocol”.  However, it is mostly “Network Unreachable” > and they are pretty continuous (much more than the 10 you have).  > Dnscrypt is config

Re: [Dnsmasq-discuss] "multiple MAC addresses in a single dhcp-host" vs "multiple dhcp-host lines with the same IP address"

2021-01-22 Thread Simon Kelley
On 22/01/2021 11:22, Jaime wrote: > Hi. > > A long time ago [1], Simon wrote to the list saying: > > "Be aware that multiple MAC addresses in a single dhcp-host has > different semantics to multiple dhcp-host lines, each with one MAC > address but with the same IP address." > > Is this still tru

[Dnsmasq-discuss] Announce: security and release of dnsmasq-2.83.

2021-01-19 Thread Simon Kelley
Dnsmasq 2.83 is now available from https://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.83.tar.gz The main focus in this release is security fixes for some newly announced flaws. See https://www.jsof-tech.com/disclosures/dnspooq for the details. There are broadly two sets of problems. The first i

Re: [Dnsmasq-discuss] dhcp-relay and option 82

2020-12-10 Thread Simon Kelley
On 07/12/2020 13:58, Mani Wieser wrote: > On 07.12.2020 00:38, Simon Kelley wrote: >> On 02/12/2020 10:33, Mani Wieser wrote: >>> Dear all >>> I am trying to use dnsmasq as dhcp relay in dd-wrt as a substitution to >>> their buggy dhcpfwd solution. It w

Re: [Dnsmasq-discuss] Sad DNS vulnerability

2020-12-10 Thread Simon Kelley
On 08/12/2020 00:51, WU, CHRIS wrote: > Hello.  I read this story on ZDnet about a DNS cache poisoning > vulnerability and it mentions dnsmasq as one of the affected applications. > >   > > https://www.zdnet.com/article/dns-cache-poisoning-poised-for-a-comeback-sad-dns/ > >   > > Is there anyth

Re: [Dnsmasq-discuss] dhcp-relay and option 82

2020-12-06 Thread Simon Kelley
On 02/12/2020 10:33, Mani Wieser wrote: > Dear all > I am trying to use dnsmasq as dhcp relay in dd-wrt as a substitution to > their buggy dhcpfwd solution. It works fine, but I can't find a way to > inject option 82. > I tried with > dhcp-circuitid=set:82,1,"ws-c" > dhcp-remoteid=set:"ws-c" > dhcp

Re: [Dnsmasq-discuss] [PATCH v2] pxe: support pxe clients with custom vendor-class

2020-12-06 Thread Simon Kelley
Patch applied. http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4ded96209e8346711f9d0b9e13a835d42835853d I've manually reviewed this, and done very minimal testing, please test it to make sure it's OK. Simon. On 04/12/2020 02:17, Wang Shanker wrote: > From 606d638918edb0e0ec07fe27eb

Re: [Dnsmasq-discuss] How do I disable the RDNS in the RA without disabling the DNS itself?

2020-12-06 Thread Simon Kelley
On 05/12/2020 22:47, Kristof Mattei wrote: > Hi all! > >   > > I have a dual stack network. > >   > > * IPv4: > o Subnet: 192.168.1.1/24, with DNSMASQ on 192.168.1.1 providing > the DHCP. > o DHCP via DNSMASQ > o DNS address 192.168.1.10 is sent to clients with dhcp-

Re: [Dnsmasq-discuss] [PATCH] pxe: support pxe clients with custom vendor-class

2020-12-03 Thread Simon Kelley
The patch looks fine in principle, but it doesn't apply to the current release (2.82). What version of dnsmasq were you patching? Cheers, Simon. On 02/12/2020 12:23, Wang Shanker wrote: > According to UEFI[1] and PXE[2] specs, PXE clients are required to have > `PXEClient` identifier in the vendo

Re: [Dnsmasq-discuss] Make dnsmasq distinguish local IPs

2020-07-22 Thread Simon Kelley
I think this is the crux. dnsmasq is listening on the wildcard address and accepting packets which arrive from lo. lo has address 127.0.0.20 (amongst others) and therefore dnsmasq is deciding that queries it sends to 127.0.0.20 will end up back at itself, and refusing to do that because it's a ba

Re: [Dnsmasq-discuss] TCP DNS requests fail with "communications error" / "end of file"

2020-07-22 Thread Simon Kelley
On 20/07/2020 14:11, Jinn Ko wrote: > Hi, > > While using dnsmasq as embedded in the pi-hole project I came across an issue > with how TCP > DNS requests are handled over Wireguard interfaces. > > A ticket was raised in the FTL project > (https://github.com/pi-hole/FTL/issues/824) and the > con

Re: [Dnsmasq-discuss] [PATCH] return responses without qname

2020-07-22 Thread Simon Kelley
I'm not sure that this is the correct solution to the problem. I'd argue that this is an unbound issue: A reply to a DNS query that doesn't echo the qname surely cannot be considered a valid reply? I'm not sure why unbound would do that. The query-id is only 16 bits, so can't be considered enough

[Dnsmasq-discuss] Announce: dnsmasq-2.82

2020-07-19 Thread Simon Kelley
I just published version 2.82 of dnsmasq. This fixes a nasty problem introduced in 2.81 which causes random crashes on systems where there's significant DNS activity over TCP. It also fixes DNSSEC validation problems with zero-TTL DNSKEY and DS records. http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2

[Dnsmasq-discuss] dnsmasq-2.82rc1

2020-07-12 Thread Simon Kelley
I've just tagged the first release-candidate for dnsmasq-2.82. http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.82rc1.tar.gz This has some (but not all) the patches left over from 2.81, and a couple of new trivial fixes, but most importantly, it should fix a source of random cras

Re: [Dnsmasq-discuss] BOGUS DNSSEC responses

2020-07-12 Thread Simon Kelley
elleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.82rc1.tar.gz Please could you check if that fixes things? cheers, Simon. > > Edit: Resending the unbound.conf zipped since the unzipped version it > got held up by mailman. > > Cheers, > -- > László Károlyi > https://li

Re: [Dnsmasq-discuss] Fwd: [PATCH] Makefile: make variables overridable

2020-07-12 Thread Simon Kelley
On 12/07/2020 18:53, John Ericson wrote: > Hi, I am another NixOS maintainer. > > Yes, it is true that ?= in makefiles is somewhat rare, and that we can work > around this other ways. But it was I who proposed the ?= change on our > side[1], so let me say why I think it's the right choice: > > Mos

Re: [Dnsmasq-discuss] Ability to not bind :: for DNS when binding wildcard

2020-07-06 Thread Simon Kelley
On 06/07/2020 14:05, Matthias May wrote: > Hi Dominik > > Well the system in question has > net.ipv6.conf.all.disable_ipv6 = 1 > thus the expected output would be that no IPv6 bindings exist at all. > I kind of understand that when IPv6 is disabled, that one would not expect to > see :::53 in ne
