[Dnsmasq-discuss] IPv6 link-local upstream servers with «@if» no longer works

[Tore Anderson]

Hello,

Prior to commit «3934155 Cope with multiple interfaces with the same LL
address.» this worked fine:

$ dnsmasq -dqhRS fe80::1234@eth0

After the mentioned commit this no longer works. I can confirm (using
tcpdump) that the queries are forwarded just fine to fe80::1234 on the
eth0 interface. However it appears that dnsmasq simply ignores the
responses that come back, thus no responses are being returned to the
stub resolver (which eventually times out).

Since commit «7de060b import of dnsmasq-2.58.tar.gz» it is possible to
use «%» as a delimiter instead of «@», and this works fine. However, it
seems as if that there is no longer a method of specifying an IPv6
link-local upstream server that works regardless of dnsmasq version.

For the record, the change broke NetworkManager, which explicitly uses
«@» as the delimiter in order to support dnsmasq versions prior to 2.58:

https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/dns-manager/nm-dns-dnsmasq.c#n141

The change clearly broke backwards compatibility, but seeing how there
are no warnings about that in the changelog I assuming it was
unintentional and thus a bug?

Tore

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Insecure DS reply received, do upstream DNS servers support DNSSEC?

[Tore Anderson]

* Simon Kelley

> I just pushed
> 
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=fef2f1c75eba56b7355cbe729e4362474d558aa4
> 
> Which makes the following changes:
> 
> 1) No longer fail to validate a reply proving that a DS record doesn't
> exist if RRs in the auth section other the the NSEC/NSEC3 records needed
> for non-existence proof are not signed.
> 
> 2) Use the TTL of the NSEC record when caching the non-existence of DS
> records.
> 
> I'm currently testing this live here, and I'd appreciate it if you could
> give it a whirl too.

Excellent. I've been running it for a few hours now, no problems whatsoever so 
far.

In comparison, with HEAD^1, I could hardly use my computer for anything 
Internet-related.

So this is very promising indeed. Thanks!

Tore

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

[Tore Anderson]

Hi Simon,

> A quick bit of differential analysis of the first query reveals that the
> problem is the mythic-beasts.com DNSKEY RRset.
> 
> 8.8.8.8, and the mythic-beasts authoritative server I tried gives the
> following answer for that RRset.
> 
> ;; ANSWER SECTION:
> mythic-beasts.com.86400   IN  DNSKEY  257 3 10
> AwEAAaXuiwGP7BTBwrhYj8V+J7VQ+nalXaK3Mo5pXI4x//xD4O8ZN9ZF
> CMuvKYhPW+VjsDWYO/QT6KqcqHEErWgYjv/c5vdxJAkM5zfa8UJiOp0q
> X2S7RJinMkGqXz05YNp7o+ZE5W/Yykzwfn3k036Mrf4NY9FYKU5uznrc
> fzW4vP8vQzXLNBEn+/ErWfbG3mYFjmhYxVsvw0yoIAmhL6xzagdQHJId
> vc1G00tqjIFWXwqm3med63G/SX0ggiT/QPwe/D618wibbXu7cUpSjSpP
> NxSZg+pX+hejg1DTU6x3UJ6EwMIZWzCccAg0S4KJIy8uOZrifACD4okB OM6yRjFq+TM=
> mythic-beasts.com.86400   IN  DNSKEY  256 3 10
> AwEAAc5oGCn44Da0km1yuWnqDWJV41f/ieZFaxZxdeRTwsTllcnw3H6a
> IHsgYwArtkWqVe9CatuXjBpVmdbS9xJ1V4KrSsGdasCnZpXbtoKKy7Be
> tCDUES89uhMG3noqi55rEU5OS3htgmx8fNIuVLuUto5KCbp3O9Rp3+9C
> 5yQbW3eZuuDwBDEJ2DgbikiTU80MexCzkhEB3ihXhYYOnEuk4n71cSYB
> IM1YcEFaECkLN/meQ077fiAgyF+hkMIzs/VFlA/mOtkNhJeP81lUVT37
> Gjo1w46qWilFtRq1TJTfB47XXDxoLHZZcFmtW9fk6BR/a+4NlxL7X8xI dII0Z9B3I40=
> mythic-beasts.com.86400   IN  DNSKEY  256 3 10
> AwEAAbiUu+uoyM7HirzFV/VsIO+j0vLNBMcursO6mgjX8cZPrEHKZV0O
> NENhRZKrNL0hFVvpjW5I60qxGaBQ+VbcJyK8XMPPnYRnsRDRez9f5I92
> yOJDqjXNca0fj8iqqx9PztolU8SPUebhJgW22GQd2PHkKPDZaUa1Oag2
> OUq6JJRUPwmeZO9dMMtXa3kY/11nj5YoD8FpJPwCZv8VMbVFrORt0kMc
> HlpB/hLYpaxzPWKIs95V1o2rL0zxlIkKSwxuZCli7W5ipORB5NM2Vawq
> c6m6UfoOabP2SJUm/aTKlom/ZtS4kDaO/9DIeN0F3bG1nLFRRUwRaC4M UjNs4eHCapE=
> mythic-beasts.com.86400   IN  RRSIG   DNSKEY 10 2 86400 20191002000509
> 20190901230509 42918 mythic-beasts.com.
> UltVyLHHD+qVowOQIqZLtTc9cA5T/O4t72EiLsgiH9oRjLz7D0MgB+F2
> 0TXv8OoufV3mzf2bjaou1ziIi6FBb5j1RQSqGT44O1zJyQmX40z3LQ3L
> UUB6hQU5eh9Q4JTgChHNDpvlvWBTnObTy6NuJn5hdtQKtGN8yZ4gGHM7
> gGB+Y2N595abpWcz9xq2mtXQgGbVJUshe+JfQ3JgU034eDTlvLBTdM73
> HVjpfbxCoMboXOCtjndEB0200gloJSumqdEnlFufWfISqXhruSIB6IKP
> 5o2yUSv4mtQUOtVm+RPwcIoprm6ON5Ln2tFHJlgquuJA5vhrIIl+/e99 qarI4Q==
> 
> 
> Note, three DNSKEY records and the signature that signs the RRset. Note
> that this is a self-signature: the signature, along with key 41918 signs
> the digest of the set of three records. key 41918 is proved to be valid
> by a separate DS record that propagates the chain of trust down from the
> .com zone.
> 
> The answer to the same query in your pcap has only two DNSKEY RRs. The
> value of the signature is different, so it's possible that this still a
> valid, but different, RRset. However dnsmasq thinks it is not valid, and
> my feeling is that we should try and answer the question "where has this
> RRset come from" before we assume it's valid and dnsmasq is mistaken.
> 
> So, what happens when you ask your upstream server the query
> 
> dig +dnssec DNSKEY mythic-beasts.com
> 
> ?

; <<>> DiG 9.11.10-RedHat-9.11.10-1.fc30 <<>> @87.238.33.1 +dnssec DNSKEY 
mythic-beasts.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50476
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mythic-beasts.com. IN  DNSKEY

;; ANSWER SECTION:
mythic-beasts.com.  86397   IN  DNSKEY  256 3 10 
AwEAAbiUu+uoyM7HirzFV/VsIO+j0vLNBMcursO6mgjX8cZPrEHKZV0O 
NENhRZKrNL0hFVvpjW5I60qxGaBQ+VbcJyK8XMPPnYRnsRDRez9f5I92 
yOJDqjXNca0fj8iqqx9PztolU8SPUebhJgW22GQd2PHkKPDZaUa1Oag2 
OUq6JJRUPwmeZO9dMMtXa3kY/11nj5YoD8FpJPwCZv8VMbVFrORt0kMc 
HlpB/hLYpaxzPWKIs95V1o2rL0zxlIkKSwxuZCli7W5ipORB5NM2Vawq 
c6m6UfoOabP2SJUm/aTKlom/ZtS4kDaO/9DIeN0F3bG1nLFRRUwRaC4M UjNs4eHCapE=
mythic-beasts.com.  86397   IN  DNSKEY  256 3 10 
AwEAAc5oGCn44Da0km1yuWnqDWJV41f/ieZFaxZxdeRTwsTllcnw3H6a 
IHsgYwArtkWqVe9CatuXjBpVmdbS9xJ1V4KrSsGdasCnZpXbtoKKy7Be 
tCDUES89uhMG3noqi55rEU5OS3htgmx8fNIuVLuUto5KCbp3O9Rp3+9C 
5yQbW3eZuuDwBDEJ2DgbikiTU80MexCzkhEB3ihXhYYOnEuk4n71cSYB 
IM1YcEFaECkLN/meQ077fiAgyF+hkMIzs/VFlA/mOtkNhJeP81lUVT37 
Gjo1w46qWilFtRq1TJTfB47XXDxoLHZZcFmtW9fk6BR/a+4NlxL7X8xI dII0Z9B3I40=
mythic-beasts.com.  86397   IN  DNSKEY  257 3 10 
AwEAAaXuiwGP7BTBwrhYj8V+J7VQ+nalXaK3Mo5pXI4x//xD4O8ZN9ZF 
CMuvKYhPW+VjsDWYO/QT6KqcqHEErWgYjv/c5vdxJAkM5zfa8UJiOp0q 
X2S7RJinMkGqXz05YNp7o+ZE5W/Yykzwfn3k036Mrf4NY9FYKU5uznrc 
fzW4vP8vQzXLNBEn+/ErWfbG3mYFjmhYxVsvw0yoIAmhL6xzagdQHJId 
vc1G00tqjIFWXwqm3med63G/SX0ggiT/QPwe/D618wibbXu7cUpSjSpP 
NxSZg+pX+hejg1DTU6x3UJ6EwMIZWzCccAg0S4KJIy8uOZrifACD4okB OM6yRjFq+TM=
mythic-beasts.com.  86397   IN  RRSIG   DNSKEY 10 2 86400 
20191002000509 20190901230509 42918 mythic-beasts.com. 
UltVyLHHD+qVowOQIqZLtTc9cA5T/O4t72EiLsgiH9oRjLz7D0MgB+F2 
0TXv8OoufV3mzf2bjaou1ziIi6FBb5j1RQSqGT44O1zJyQmX40z3LQ3L 
UUB6hQU5eh9Q4JTgChHNDpvlvWBTnObTy6NuJn5hdtQKtGN8yZ4gGHM7 
gGB+Y2N595abpWcz9xq2mtXQgGbVJUshe+JfQ3JgU034eDTlvLBTdM73 
HVjpfbxCoMboXOCtjndEB0200gloJSumqdEnlFufWfISqXhruSIB6IKP 
5o2yUSv4mtQUOtVm+RPwcIoprm6ON5Ln2tFHJlgquuJA5vhrIIl+/e99 qarI4Q==

Re: [Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

[Tore Anderson]

Hi again,

> OK. scratch that. Looks like we just captured an irrelevant key-rollover.
> 
> The problem here is that the reply to the original query contains an
> unsigned RRset of NS records in the auth section. Said NS records are in
> a signed zone, which flags them as bogus. As far as I can see, that's
> correct for records in the answer section, but for records in the auth
> section, it merely renders the reply as insecure. That would seem to
> make the AD bit rather useless, but I guess it's useless anyway.
> 
> 
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=69a0477b741c1f8195c64417fec4a92a50c9291a
> 
> Attempts to fix this.
> 
> Thanks again for your work testing and diagnosing this.

I can confirm that Dnsmasq 69a0477 resolves www.linuxquestions.org and 
www.ipv6.org.uk as expected (DNSSEC state insecure). Great work, thanks!

Tore


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

[Tore Anderson]

* Tore Anderson

> Apologies, I botched my test (using the wrong upstream server). It does *not* 
> work, but the error is different:
> 
> $ src/dnsmasq -d -p 5353
> dnsmasq: started, version 2.80-71-g69a0477 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN2 DHCP 
> DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
> dnsmasq: DNSSEC validation enabled
> dnsmasq: configured with trust anchor for  keytag 20326
> dnsmasq: configured with trust anchor for  keytag 19036
> dnsmasq: using nameserver 87.238.33.1#53
> dnsmasq: cleared cache
> dnsmasq: query[A] www.ipv6.org.uk from 127.0.0.1
> dnsmasq: forwarded www.ipv6.org.uk to 87.238.33.1
> dnsmasq: dnssec-query[DS] uk to 87.238.33.1
> dnsmasq: dnssec-query[DNSKEY] . to 87.238.33.1
> dnsmasq: reply . is DNSKEY keytag 59944, algo 8
> dnsmasq: reply . is DNSKEY keytag 20326, algo 8
> dnsmasq: reply uk is DS keytag 43876, algo 8, digest 2
> dnsmasq: dnssec-query[DS] org.uk to 87.238.33.1
> dnsmasq: dnssec-query[DNSKEY] uk to 87.238.33.1
> dnsmasq: reply uk is DNSKEY keytag 43876, algo 8
> dnsmasq: reply uk is DNSKEY keytag 43056, algo 8
> dnsmasq: reply org.uk is DS keytag 41523, algo 8, digest 2
> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
> dnsmasq: dnssec-query[DNSKEY] org.uk to 87.238.33.1
> dnsmasq: reply org.uk is DNSKEY keytag 41523, algo 8
> dnsmasq: reply ipv6.org.uk is no DS
> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
> dnsmasq: reply ipv6.org.uk is no DS
> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
> dnsmasq: reply ipv6.org.uk is no DS
> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
> dnsmasq: reply ipv6.org.uk is no DS
> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
> dnsmasq: reply ipv6.org.uk is no DS
> [...]
> 
> This query is repeated ~44 times in a tight loop. It makes a total of 50 
> queries before giving up, I guess it hits a built-in limit.
> 
> PCAP attached.
> 
> It seems to happen with *all* Insecure domain names (not only those that have 
> CNAMES pointing to other Secure domain names).

Bisected:

ae7a3b9d2e8705af203a1347c397718a24331747 is the first bad commit
commit ae7a3b9d2e8705af203a1347c397718a24331747
Author: Simon Kelley 
Date:   Tue Sep 3 14:40:47 2019 +0100

DNSSEC: implement RFC-4036 para 5.3.3. rules on TTL values.

:04 04 52d7ead3d28019308dff0cb0dfcd80e4ef0341de 
60ff380eb9c6b813d5081dee470d276be2109480 M  src

If I revert this one, www.ipv6.org.uk and www.linuxquestions.org both resolve 
fine (as Insecure). So the fix in 69a0477 seems good.

Tore

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Insecure DS reply received, do upstream DNS servers support DNSSEC?

[Tore Anderson]

Hi Simon,

> Now, it's certainly possible to verify that the DS record doesn't exist
> without relying on the data in the SOA record. BUT there is a problem:
> having determined securely that the DS record doesn't exist, dnsmasq
> caches that information, and it uses data from the SOA record to
> determine the time-to-live of that cache record.
> 
> So, in theory, and attacker could replace the SOA record in the reply
> with one which gave, say, a very long TTL for the cached negative DS
> record. I don't know is that's real weakness, but if so, the solution
> may be not to cache the DS record if the SOA record is not signed.

I think it is more logical to use the TTL of the NSEC[3] record that proved the 
non-existence of the DS record in the first place.

These RFCs says the TTL on NSEC[3] records should be identical with the SOA 
minimum:

https://tools.ietf.org/html/rfc4035#section-2.3
https://tools.ietf.org/html/rfc5155#section-3

Also, this one «allows validating resolvers to respond with a negative answer 
immediately if the name in question falls into a range expressed by an NSEC[3] 
resource record already in the cache»:

https://tools.ietf.org/html/rfc8198

My ISP's name server does consistently include RRSIGs for the NSEC[3] records 
it answers with in the authority section, so the proof of non-existence is 
Secure and it does come with a lifetime.

Another approach would be to explicitly query for the SOA record (if its RRSIG 
was not included in the authority section of the DS response to begin with). My 
ISP's name server will consistently include the SOA RRSIG in the answer section 
when answering such queries, for what it is worth. This should allow Dnsmasq to 
determine that the SOA provided is Secure so it can safely use its minimum 
field for the negative cache lifetime.

Tore

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

[Tore Anderson]

I've noticed that Dnsmasq git master (2.80-68-gfef2f1c) will sometimes 
incorrectly return SERVFAIL and log a Bogus verdict when looking up domain 
names which are Insecure CNAMEs for a Secure names.

For example:

www.ipv6.org.uk. IN CNAME proxy.mythic-beasts.com.
www.linuxquestions.org. IN CNAME www.linuxquestions.org.cdn.cloudflare.net.

ipv6.org.uk and linuxquestions.org are both Insecure (non-existence of DS 
record in parent zone is proven with signed NSEC3).

proxy.mythic-beasts.com and www.linuxquestions.org.cdn.cloudflare.net are 
Secure, on the other hand.

See http://dnsviz.net/d/www.ipv6.org.uk/dnssec/ and 
http://dnsviz.net/d/www.linuxquestions.org/dnssec/ for detailed analysis.

I have more examples, but I figured two was probably enough.

/etc/dnsmasq.conf contains:

dnssec
conf-file = /usr/share/dnsmasq/trust-anchors.conf
log-queries
no-hosts
no-resolv
server=87.238.33.1

When I try to look up the two problematic hostnames (using "dig @127.0.0.1 -p 
5353  IN A") I get the following (blank lines inserted for clarity):

$ dnsmasq -d -p 5353
dnsmasq: started, version 2.80-68-gfef2f1c cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN2 DHCP 
DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
dnsmasq: DNSSEC validation enabled
dnsmasq: configured with trust anchor for  keytag 20326
dnsmasq: configured with trust anchor for  keytag 19036
dnsmasq: using nameserver 87.238.33.1#53
dnsmasq: cleared cache

dnsmasq: query[A] www.ipv6.org.uk from 127.0.0.1
dnsmasq: forwarded www.ipv6.org.uk to 87.238.33.1
dnsmasq: dnssec-query[DS] uk to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] . to 87.238.33.1
dnsmasq: reply . is DNSKEY keytag 20326, algo 8
dnsmasq: reply . is DNSKEY keytag 59944, algo 8
dnsmasq: reply uk is DS keytag 43876, algo 8, digest 2
dnsmasq: dnssec-query[DS] org.uk to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] uk to 87.238.33.1
dnsmasq: reply uk is DNSKEY keytag 43876, algo 8
dnsmasq: reply uk is DNSKEY keytag 43056, algo 8
dnsmasq: reply org.uk is DS keytag 41523, algo 8, digest 2
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] org.uk to 87.238.33.1
dnsmasq: reply org.uk is DNSKEY keytag 41523, algo 8
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] com to 87.238.33.1
dnsmasq: reply com is DS keytag 30909, algo 8, digest 2
dnsmasq: dnssec-query[DS] mythic-beasts.com to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] com to 87.238.33.1
dnsmasq: reply com is DNSKEY keytag 30909, algo 8
dnsmasq: reply com is DNSKEY keytag 17708, algo 8
dnsmasq: reply mythic-beasts.com is DS keytag 42918, algo 10, digest 2
dnsmasq: dnssec-query[DNSKEY] mythic-beasts.com to 87.238.33.1
dnsmasq: reply mythic-beasts.com is DNSKEY keytag 42918, algo 10
dnsmasq: reply mythic-beasts.com is DNSKEY keytag 39980, algo 10
dnsmasq: validation www.ipv6.org.uk is BOGUS
dnsmasq: reply www.ipv6.org.uk is 
dnsmasq: reply proxy.mythic-beasts.com is 46.235.225.189
dnsmasq: reply proxy.mythic-beasts.com is 93.93.129.174

dnsmasq: query[A] www.linuxquestions.org from 127.0.0.1
dnsmasq: forwarded www.linuxquestions.org to 87.238.33.1
dnsmasq: dnssec-query[DS] org to 87.238.33.1
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
dnsmasq: dnssec-query[DS] linuxquestions.org to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] org to 87.238.33.1
dnsmasq: reply org is DNSKEY keytag 9795, algo 7
dnsmasq: reply org is DNSKEY keytag 17883, algo 7
dnsmasq: reply org is DNSKEY keytag 47612, algo 7
dnsmasq: reply org is DNSKEY keytag 44078, algo 7
dnsmasq: reply linuxquestions.org is no DS
dnsmasq: dnssec-query[DS] net to 87.238.33.1
dnsmasq: reply net is DS keytag 35886, algo 8, digest 2
dnsmasq: dnssec-query[DS] cloudflare.net to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] net to 87.238.33.1
dnsmasq: reply net is DNSKEY keytag 59540, algo 8
dnsmasq: reply net is DNSKEY keytag 35886, algo 8
dnsmasq: reply net is DNSKEY keytag 2129, algo 8
dnsmasq: reply cloudflare.net is DS keytag 2371, algo 13, digest 2
dnsmasq: dnssec-query[DNSKEY] cloudflare.net to 87.238.33.1
dnsmasq: reply cloudflare.net is DNSKEY keytag 34505, algo 13
dnsmasq: reply cloudflare.net is DNSKEY keytag 2371, algo 13
dnsmasq: validation www.linuxquestions.org is BOGUS
dnsmasq: reply www.linuxquestions.org is 
dnsmasq: reply www.linuxquestions.org.cdn.cloudflare.net is 104.25.158.7
dnsmasq: reply www.linuxquestions.org.cdn.cloudflare.net is 104.25.159.7

The upstream DNS server is running BIND 9.9.5 with DNSSEC validation enabled.

I suspect the problem might be related to something in the Authority or 
Additional sections of the answer packet, since I don't get this problem if I 
use 1.1.1.1 or 8.8.8.8 as the upstream server.

I tested Knot Resolver towards the same upstream server, and it gave the 
correct Insecure verdict for both queries.

If I query for the CNAME directly (using "dig @127.0.0.1 -p 5353  IN 
CNAME"), I 

Re: [Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

[Tore Anderson]

* Simon Kelley

> OK. I think I see the problem..
> 
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e24abf28a29574069717af78c1d3e0ede64388ff
> 
> should fix.

It does indeed. Good catch!

(By the way, I did send the promised PCAP yesterday. However, because the 
message was >40KB, it was queued for moderation by the mailing list 
administrator.)

Tore

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

[Tore Anderson]

* Tore Anderson

> I can confirm that Dnsmasq 69a0477 resolves www.linuxquestions.org and 
> www.ipv6.org.uk as expected (DNSSEC state insecure). Great work, thanks!

Apologies, I botched my test (using the wrong upstream server). It does *not* 
work, but the error is different:

$ src/dnsmasq -d -p 5353
dnsmasq: started, version 2.80-71-g69a0477 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN2 DHCP 
DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
dnsmasq: DNSSEC validation enabled
dnsmasq: configured with trust anchor for  keytag 20326
dnsmasq: configured with trust anchor for  keytag 19036
dnsmasq: using nameserver 87.238.33.1#53
dnsmasq: cleared cache
dnsmasq: query[A] www.ipv6.org.uk from 127.0.0.1
dnsmasq: forwarded www.ipv6.org.uk to 87.238.33.1
dnsmasq: dnssec-query[DS] uk to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] . to 87.238.33.1
dnsmasq: reply . is DNSKEY keytag 59944, algo 8
dnsmasq: reply . is DNSKEY keytag 20326, algo 8
dnsmasq: reply uk is DS keytag 43876, algo 8, digest 2
dnsmasq: dnssec-query[DS] org.uk to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] uk to 87.238.33.1
dnsmasq: reply uk is DNSKEY keytag 43876, algo 8
dnsmasq: reply uk is DNSKEY keytag 43056, algo 8
dnsmasq: reply org.uk is DS keytag 41523, algo 8, digest 2
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] org.uk to 87.238.33.1
dnsmasq: reply org.uk is DNSKEY keytag 41523, algo 8
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
[...]

This query is repeated ~44 times in a tight loop. It makes a total of 50 
queries before giving up, I guess it hits a built-in limit.

PCAP attached.

It seems to happen with *all* Insecure domain names (not only those that have 
CNAMES pointing to other Secure domain names).

Tore


foo.pcap
Description: application/vnd.tcpdump.pcap
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] TCP queries are refused if upstream server is specified with interface

[Tore Anderson]

Start out with the following /etc/dnsmasq.conf, replacing «wlp2s0» as 
appropriate:

log-queries
no-hosts
no-resolv
server=1.1.1.1@wlp2s0

Start Dnsmasq and send it a TCP query:

$ src/dnsmasq -d -p 5333
dnsmasq: started, version 2.80-72-ge24abf2 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN 
DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify 
dumpfile
dnsmasq: using nameserver 1.1.1.1#53(via wlp2s0)
dnsmasq: cleared cache

$ dig @127.0.0.1 -p 5333 fud.no A +vc | grep HEADER
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2916

Output from Dnsmasq following the above query:

dnsmasq: query[A] fud.no from 127.0.0.1
dnsmasq: config error is REFUSED

It makes no attempt to contact the upstream server.

If I remove «@wlp2s0» from the server config, it works fine.

A practical consequence of this bug is that I cannot resolve any domain names 
under *.org with DNSSEC enabled. The initial UDP query results in a truncated 
answer, so libc/dig retries in TCP mode and fails.

Note that NetworkManager automatically configures the upstream DNS servers with 
a specific interface via D-Bus, this behaviour appears hard-coded.

Tore


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] TCP queries are refused if upstream server is specified with interface

[Tore Anderson]

* Tore Anderson

> Start out with the following /etc/dnsmasq.conf, replacing «wlp2s0» as 
> appropriate:
> 
> log-queries
> no-hosts
> no-resolv
> server=1.1.1.1@wlp2s0
> 
> Start Dnsmasq and send it a TCP query:
> 
> $ src/dnsmasq -d -p 5333

Bisected:

305ffb5ef0ba5ab1df32ef80f266a4c9e395ca13 is the first bad commit
commit 305ffb5ef0ba5ab1df32ef80f266a4c9e395ca13
Author: Simon Kelley 
Date:   Sat Mar 16 18:17:17 2019 +

Improve kernel-capability manipulation code under Linux.

Dnsmasq now fails early if a required capability is not available,
and tries not to request capabilities not required by its
configuration.

:100644 100644 b942ec269cc6c1b7614a9d57cb0b9468507f031c 
f2d38a0f9bb73b4f480cd323f49cd574fc3e2744 M  CHANGELOG
:04 04 a4dd29e7fbdac449dd9b502e012beb2c25a47387 
7b0eb0f197c0cb857981c607be8b08d62cee9ff3 M  src

After some more debugging I realised that this is a heisenbug.

Starting Dnsmasq with the «-d» option does not accurately reproduce the 
problem, since it will not drop privileges in debug mode.

To me it looks as if using a server specified with an interface requires root 
privileges.

Thus, to trigger the actual bug, there are two options:

1) Start Dnsmasq as non-root (broken on any version, at least since v2.80).
2) Start Dnsmasq as root (this works in v2.80, but is broken since 305ffb5 
presumably because Dnsmasq now drops privileges it is going to need later on).

Tore

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] TCP queries are refused if upstream server is specified with interface

[Tore Anderson]

* B. Cook

> I can't find the actual documentation at the moment..

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=man/dnsmasq.8;h=bc5ae6360f5459d99cafb78d34c532e5b087abf6;hb=HEAD#l474
> iirc dnsmasq port designation is # not @

While that is true, it is irrelevant, as I am not specifying a port, nor am I 
attempting to do so.

What I am specifying is the outgoing interface, through which 1.1.1.1 is 
reachable perfectly fine (to answer Geert Stappers's comment).

> but Cloudflare doesn't do unencrypted DNS..

Yes they do, but again, that is irrelevant as no packets are being sent to the 
upstream server.

> Not sure if the @ is something new..

Not at all. According to git blame it was added in:

commit 824af85bdf7a19ea2281b85826180696fed22125 (tag: v2.41)
Author: Simon Kelley 
Date:   Tue Feb 12 20:43:05 2008 +

import of dnsmasq-2.41.tar.gz

Tore

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] TCP queries are refused if upstream server is specified with interface

[Tore Anderson]

* Simon Kelley

> I got the wrong capability, it needs CAP_NET_RAW, not CAP_NET_ADMIN. Fix
> pushed to git.

Works now, thanks!

Tore

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] TCP queries are refused if upstream server is specified with interface

[Tore Anderson]

* Simon Kelley

> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=90d7c6b97dbae2c913e7bb7af9c6c0f874493092
> 
> should fix this, if I've understood it right.

Hi Simon,

Not quite. With this patch, Dnsmasq does refuse to start as non-root:

$ src/dnsmasq 
dnsmasq: process is missing required capability NET_ADMIN

However, when started as root, it still answers REFUSED:

$ sudo src/dnsmasq & sleep 1; dig @127.0.0.1 -p 5353 fud.no A +vc +short
[1] 14179
dnsmasq[14181]: started, version 2.80-73-g90d7c6b cachesize 150
dnsmasq[14181]: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n 
no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect 
inotify dumpfile
dnsmasq[14181]: using nameserver 1.1.1.1#53(via wlp2s0)
dnsmasq[14181]: cleared cache
dnsmasq[14186]: query[A] fud.no from 127.0.0.1
dnsmasq[14186]: config error is REFUSED

It is clearly related to privileges, because if I add «-d» to the Dnsmasq 
command line, it works:

$ sudo src/dnsmasq -d & sleep 1; dig @127.0.0.1 -p 5353 fud.no A +vc +short
[1] 15333
dnsmasq[15335]: started, version 2.80-73-g90d7c6b cachesize 150
dnsmasq[15335]: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n 
no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect 
inotify dumpfile
dnsmasq[15335]: using nameserver 1.1.1.1#53(via wlp2s0)
dnsmasq[15335]: cleared cache
dnsmasq[15335]: query[A] fud.no from 127.0.0.1
dnsmasq[15335]: forwarded fud.no to 1.1.1.1
dnsmasq[15335]: reply fud.no is 87.238.59.19
87.238.59.19

/etc/dnsmasq.conf contains:

keep-in-foreground
log-facility=-
log-queries
no-hosts
no-resolv
port=5353
server=1.1.1.1@wlp2s0

Tore

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] CPU spinning bug, possibly related to SSHFP queries

[Tore Anderson]

* Geert Stappers

>> Here are the corresponding log lines from Dnsmasq:
>>
>> nov. 29 07:15:53.964856 sloth.fud.no dnsmasq[48069]: query[A] 
>> l1-g9-osl2.n.bitbit.net from 127.0.0.1
>> nov. 29 07:15:53.965060 sloth.fud.no dnsmasq[48069]: forwarded 
>> l1-g9-osl2.n.bitbit.net to 87.238.33.1
>> nov. 29 07:15:53.965155 sloth.fud.no dnsmasq[48069]: query[] 
>> l1-g9-osl2.n.bitbit.net from 127.0.0.1
>> nov. 29 07:15:53.965273 sloth.fud.no dnsmasq[48069]: forwarded 
>> l1-g9-osl2.n.bitbit.net to 87.238.33.1
>> nov. 29 07:15:54.039407 sloth.fud.no dnsmasq[48069]: reply 
>> l1-g9-osl2.n.bitbit.net is 
>> nov. 29 07:15:54.039461 sloth.fud.no dnsmasq[48069]: reply 
>> eth0.l1-g9-osl2.n.bitbit.net is 10.20.120.102
>> nov. 29 07:15:54.039666 sloth.fud.no dnsmasq[48069]: reply 
>> l1-g9-osl2.n.bitbit.net is 
>> nov. 29 07:15:54.039700 sloth.fud.no dnsmasq[48069]: reply 
>> eth0.l1-g9-osl2.n.bitbit.net is NODATA-IPv6
>> nov. 29 07:15:54.964042 sloth.fud.no dnsmasq[48069]: query[type=44] 
>> l1-g9-osl2.n.bitbit.net from 127.0.0.1
>> (CPU starts spinning at this point, no further log lines appear)
> 
> The pcap file says / shows
> 
> 07:15:53.964639 IP localhost.58896 > localhost.domain: 26883+ [1au] A?
> l1-g9-osl2.n.bitbit.net. (52)
> 07:15:53.964696 IP localhost.58896 > localhost.domain: 9742+ [1au] ?
> l1-g9-osl2.n.bitbit.net. (52)

1+2: A and  queries from libc stub resolver to Dnsmasq

> 07:15:53.964955 IP 100.66.5.6.46462 > dns.i.bitbit.net.domain: 45004+
> [1au] A? l1-g9-osl2.n.bitbit.net. (52)
> 07:15:53.965208 IP 100.66.5.6.46462 > dns.i.bitbit.net.domain: 42294+
> [1au] ? l1-g9-osl2.n.bitbit.net. (52)

3+4: Dnsmasq forwarding the queries in packets 1+2 to upstream DNS server

> 07:15:54.039175 IP dns.i.bitbit.net.domain > 100.66.5.6.46462: 45004*
> 2/3/7 CNAME eth0.l1-g9-osl2.n.bitbit.net., A 10.20.120.102 (284)
> 07:15:54.039273 IP dns.i.bitbit.net.domain > 100.66.5.6.46462: 42294*
> 1/1/1 CNAME eth0.l1-g9-osl2.n.bitbit.net. (145)

5+6: Upstream DNS server answers Dnsmasq's queries in packets 3+4

> 07:15:54.039525 IP localhost.domain > localhost.58896: 26883* 2/3/7
> CNAME eth0.l1-g9-osl2.n.bitbit.net., A 10.20.120.102 (284)
> 07:15:54.039735 IP localhost.domain > localhost.58896: 9742* 1/1/1 CNAME
> eth0.l1-g9-osl2.n.bitbit.net. (145)

7+8: Answers to queries 1+2 from Dnsmasq to libc stub resolver

(At this point, the SSH client proceeds to connect to the SSH server, and 
approx. 1 second later it has received a host key that wants to verify.)

> 07:15:54.963758 IP localhost.49114 > localhost.domain: 35496+ [1au]
> SSHFP? l1-g9-osl2.n.bitbit.net. (52)

9: SSHFP query from libc stub resolver to Dnsmasq (unanswered but logged). 
Dnsmasq breaks and starts spinning on the CPU.

> 07:15:58.440050 IP localhost.60721 > localhost.domain: 17459+ [1au] A?
> mattermost.redpill-linpro.com. (58)
> 07:15:58.440064 IP localhost.60721 > localhost.domain: 44236+ [1au]
> ? mattermost.redpill-linpro.com. (58)
> 07:15:59.968059 IP localhost.49114 > localhost.domain: 35496+ [1au]
> SSHFP? l1-g9-osl2.n.bitbit.net. (52)
> 07:16:02.394821 IP localhost.56180 > localhost.domain: 61011+ ?
> fedoraproject.org. (35)
> 07:16:03.445058 IP localhost.60721 > localhost.domain: 17459+ [1au] A?
> mattermost.redpill-linpro.com. (58)
> 07:16:03.445071 IP localhost.60721 > localhost.domain: 44236+ [1au]
> ? mattermost.redpill-linpro.com. (58)
> 07:16:07.399014 IP localhost.56180 > localhost.domain: 61011+ ?
> fedoraproject.org. (35)

10-16: Various queries from libc stub resolver to Dnsmasq (unanswered and not 
logged)

> The 07:15:54.039273 packet is last where source host and destination
> host differ.  After that packet are the remaining packets only between
> localhost and localhost.
> 
> Looking closer reveals that the first two packets are also between
> localhost.
> 
> Strange, but probably not the problem.

I am not sure how this is strange?

To me, the packet capture annotated above is exactly what I'd expect, given the 
symptom of «SSHFP query makes Dnsmasq break».

> | $ host l1-g9-osl2.n.bitbit.net
> | l1-g9-osl2.n.bitbit.net is an alias for eth0.l1-g9-osl2.n.bitbit.net.
> | eth0.l1-g9-osl2.n.bitbit.net has address 10.20.120.102
> | $ host -t unknowntype l1-g9-osl2.n.bitbit.net
> | host: invalid type: unknowntype
> |
> | $ host -t sshfp l1-g9-osl2.n.bitbit.net
> | l1-g9-osl2.n.bitbit.net is an alias for eth0.l1-g9-osl2.n.bitbit.net.
> | $ dig -t sshfp  l1-g9-osl2.n.bitbit.net
> |
> | ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> -t sshfp l1-g9-osl2.n.bitbit.net
> | ;; global options: +cmd
> | ;; Got answer:
> | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13365
> | ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> |
> | ;; OPT PSEUDOSECTION:
> | ; EDNS: version: 0, flags:; udp: 4096
> | ; COOKIE: 905e71c3631f8577e2d927615de0d63aaa0a6211eb0ec2e1 (good)
> | ;; QUESTION SECTION:
> | ;l1-g9-osl2.n.bitbit.net.    IN    SSHFP
> |
> | ;; ANSWER SECTION:
> | l1-g9-osl2.n.bitbit.net. 86103   

Re: [Dnsmasq-discuss] CPU spinning bug, possibly related to SSHFP queries

[Tore Anderson]

* Geert Stappers

> Could caching be involved?  That we are seeing only when it fails,
> not seeing in the libpcap file what led to the fail?

I think you are right.

It is a cache miss - the bug occurs when SSH-ing to an FQDN for the first time 
after Dnsmasq has started, so the SSHFP record is not found in cache.

Tracing it in GDB with breakpoints on answer_request() and cache_find_by_name():

Breakpoint 2, cache_find_by_name (crecp=crecp@entry=0x0, 
name=name@entry=0x1fbfa50 "cr1-osl4.n.bitbit.net", 
now=now@entry=1575100445, prot=prot@entry=2048) at cache.c:810
810 {
(gdb) bt
#0  cache_find_by_name (crecp=crecp@entry=0x0, name=name@entry=0x1fbfa50 
"cr1-osl4.n.bitbit.net", 
now=now@entry=1575100445, prot=prot@entry=2048) at cache.c:810
#1  0x0040d442 in answer_request (header=header@entry=0x1fc2220, 
limit=0x1fc26d0 "", qlen=qlen@entry=50, 
local_addr=..., local_addr@entry=..., local_netmask=..., 
local_netmask@entry=..., now=now@entry=1575100445, 
ad_reqd=1, do_bit=1, have_pseudoheader=1) at rfc1035.c:1367
#2  0x0041c8c6 in receive_query (listen=listen@entry=0x1fc07d0, 
now=now@entry=1575100445) at forward.c:1563
#3  0x00420e19 in check_dns_listeners (now=now@entry=1575100445) at 
dnsmasq.c:1760
#4  0x00406638 in main (argc=, argv=) at 
dnsmasq.c:1192
(gdb) cont
Continuing.

Breakpoint 2, cache_find_by_name (crecp=crecp@entry=0x0, 
name=name@entry=0x1fbfa50 "cr1-osl4.n.bitbit.net", 
now=now@entry=1575100445, prot=prot@entry=2048) at cache.c:810
810 {
(gdb) bt
#0  cache_find_by_name (crecp=crecp@entry=0x0, name=name@entry=0x1fbfa50 
"cr1-osl4.n.bitbit.net", 
now=now@entry=1575100445, prot=prot@entry=2048) at cache.c:810
#1  0x0040d442 in answer_request (header=header@entry=0x1fc2220, 
limit=0x1fc26d0 "", qlen=qlen@entry=50, 
local_addr=..., local_addr@entry=..., local_netmask=..., 
local_netmask@entry=..., now=now@entry=1575100445, 
ad_reqd=1, do_bit=1, have_pseudoheader=1) at rfc1035.c:1367
#2  0x0041c8c6 in receive_query (listen=listen@entry=0x1fc07d0, 
now=now@entry=1575100445) at forward.c:1563
#3  0x00420e19 in check_dns_listeners (now=now@entry=1575100445) at 
dnsmasq.c:1760
#4  0x00406638 in main (argc=, argv=) at 
dnsmasq.c:1192
(gdb) cont
Continuing.

Breakpoint 2, cache_find_by_name (crecp=crecp@entry=0x0, 
name=name@entry=0x1fbfa50 "cr1-osl4.n.bitbit.net", 
now=now@entry=1575100445, prot=prot@entry=2048) at cache.c:810
810 {
(gdb) bt
#0  cache_find_by_name (crecp=crecp@entry=0x0, name=name@entry=0x1fbfa50 
"cr1-osl4.n.bitbit.net", 
now=now@entry=1575100445, prot=prot@entry=2048) at cache.c:810
#1  0x0040d442 in answer_request (header=header@entry=0x1fc2220, 
limit=0x1fc26d0 "", qlen=qlen@entry=50, 
local_addr=..., local_addr@entry=..., local_netmask=..., 
local_netmask@entry=..., now=now@entry=1575100445, 
ad_reqd=1, do_bit=1, have_pseudoheader=1) at rfc1035.c:1367
#2  0x0041c8c6 in receive_query (listen=listen@entry=0x1fc07d0, 
now=now@entry=1575100445) at forward.c:1563
#3  0x00420e19 in check_dns_listeners (now=now@entry=1575100445) at 
dnsmasq.c:1760
#4  0x00406638 in main (argc=, argv=) at 
dnsmasq.c:1192
(gdb) cont
Continuing.

Breakpoint 2, cache_find_by_name (crecp=crecp@entry=0x0, 
name=name@entry=0x1fbfa50 "cr1-osl4.n.bitbit.net", 
now=now@entry=1575100445, prot=prot@entry=2048) at cache.c:810
810 {
(gdb) bt
#0  cache_find_by_name (crecp=crecp@entry=0x0, name=name@entry=0x1fbfa50 
"cr1-osl4.n.bitbit.net", 
now=now@entry=1575100445, prot=prot@entry=2048) at cache.c:810
#1  0x0040d442 in answer_request (header=header@entry=0x1fc2220, 
limit=0x1fc26d0 "", qlen=qlen@entry=50, 
local_addr=..., local_addr@entry=..., local_netmask=..., 
local_netmask@entry=..., now=now@entry=1575100445, 
ad_reqd=1, do_bit=1, have_pseudoheader=1) at rfc1035.c:1367
#2  0x0041c8c6 in receive_query (listen=listen@entry=0x1fc07d0, 
now=now@entry=1575100445) at forward.c:1563
#3  0x00420e19 in check_dns_listeners (now=now@entry=1575100445) at 
dnsmasq.c:1760
#4  0x00406638 in main (argc=, argv=) at 
dnsmasq.c:1192
(gdb)

[]

I think that this while loop goes on forever:

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/rfc1035.c;h=502744bd1f847441e8a6dbf485fd9032f2a52e9f;hb=HEAD#l1367

Tore

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] CPU spinning bug, possibly related to SSHFP queries

[Tore Anderson]

Hello,

I've noticed that Dnsmasq on my system sometimes enters a defective state where 
it starts spinning on the CPU. When it has entered this state, I need to send 
it SIGKILL to get rid of it - SIGTERM is ignored.

The version is current Git master (2.80-93-g6ebdc95).

I've enabled query logging and grabbed the final log lines of a few incidents 
(slightly anonymised):

Example 1:

forwarded git.i.example.org to 192.168.33.1
reply git.i.example.org is 
reply git01-osl3.i.example.org is 10.22.3.196
reply git.i.example.org is 
reply git01-osl3.i.example.org is 2001:db8:400:c:18:59ff:fe7a:73c4
query[type=44] git.i.example.org from 127.0.0.1
(CPU spin begins)

Example 2:

query[A] s2-a8-osl3.n.example.org from 127.0.0.1
forwarded s2-a8-osl3.n.example.org to 192.168.33.1
query[] s2-a8-osl3.n.example.org from 127.0.0.1
forwarded s2-a8-osl3.n.example.org to 192.168.33.1
reply s2-a8-osl3.n.example.org is 
reply lo.s2-a8-osl3.n.example.org is 2001:db8:1::4:1
reply s2-a8-osl3.n.example.org is 
reply lo.s2-a8-osl3.n.example.org is 192.168.63.11
query[type=44] s2-a8-osl3.n.example.org from 127.0.0.1
(CPU spin begins)

Example 3:

query[A] s1-a8-osl3.n.example.org from 127.0.0.1
forwarded s1-a8-osl3.n.example.org to 192.168.33.1
query[] s1-a8-osl3.n.example.org from 127.0.0.1
forwarded s1-a8-osl3.n.example.org to 192.168.33.1
reply s1-a8-osl3.n.example.org is 
reply lo.s1-a8-osl3.n.example.org is 192.168.63.10
reply s1-a8-osl3.n.example.org is 
reply lo.s1-a8-osl3.n.example.org is 2001:db8:1::4:0
query[type=44] s1-a8-osl3.n.example.org from 127.0.0.1
(CPU spin begins)

All of them ends with an incoming query for SSHFP records (type 44), which I 
find highly suspect. The SSHFP requests comes from the SSH client (due to 
VerifyHostKeyDNS being set in my ~/.ssh/config).

None of the hostnames in question do have SSHFP records published, but that 
does not seem to matter, as the query does not seem to be forwarded upstream in 
the first place. When the bug does not occur, Dnsmasq does log that it forwards 
the query upstream, like so:

query[type=44] l1-a9-osl3.n.example.org from 127.0.0.1
forwarded l1-a9-osl3.n.example.org to 192.168.33.1

Dnsmasq is invoked from NetworkManager, using the following command line:

/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces 
--pid-file=/run/NetworkManager/dnsmasq.pid --listen-address=127.0.0.1 
--cache-size=400 --clear-on-reload --conf-file=/dev/null --proxy-dnssec 
--enable-dbus=org.freedesktop.NetworkManager.dnsmasq 
--conf-dir=/etc/NetworkManager/dnsmasq.d

Additional configuration in /etc/NetworkManager/dnsmasq.d/dnssec.conf:

dnssec
conf-file = /usr/share/dnsmasq/trust-anchors.conf
log-queries

Finally, my environment contains RES_OPTIONS=edns0 in case that is relevant 
(this is required for SSH's VerifyHostKeyDNS feature to work correctly).

I cannot reliably reproduce the issue. It seems to happen regularly (several 
times a day) during normal usage - I use the SSH client quite frequently.

I would be happy to provide additional debugging information, if given 
instructions on how to obtain it.'

Tore

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] CPU spinning bug, possibly related to SSHFP queries

[Tore Anderson]

* Vladislav Grishenko

> Can you try to capture dns exchange to dnsmasq (on lo interface) and from it 
> (on your nic interface) both at the same time?
> $ tcpdump -i lo port 53 -w /path/to/dns-lo.pcap
> $ tcpdump -i  port 53 -w /path/to/dns-ext.pcap
> Highly possible that trigger query (or reply) can't be logged in usual way, 
> but will be captured by tcpdump.
> Next, I'd like to take a look at them, will there be something after/near the 
> last logged query before spinning starts.
> 
> p.s. Caution, pcap files will contain all your dns traffic, sending it to 
> mail list might be not a really good idea.

Hi,

PCAP attached. I used «tcpdump -i any», so it's a single file with the internal 
and external traffic interleaved.

It is apparent that the initial SSHFP query is not forwarded upstream, and that 
the subsequent queries from the stub resolver (a retransmission of the SSHFP 
query plus some other unrelated queries) are neither logged nor forwarded.

Here are the corresponding log lines from Dnsmasq:

nov. 29 07:15:53.964856 sloth.fud.no dnsmasq[48069]: query[A] 
l1-g9-osl2.n.bitbit.net from 127.0.0.1
nov. 29 07:15:53.965060 sloth.fud.no dnsmasq[48069]: forwarded 
l1-g9-osl2.n.bitbit.net to 87.238.33.1
nov. 29 07:15:53.965155 sloth.fud.no dnsmasq[48069]: query[] 
l1-g9-osl2.n.bitbit.net from 127.0.0.1
nov. 29 07:15:53.965273 sloth.fud.no dnsmasq[48069]: forwarded 
l1-g9-osl2.n.bitbit.net to 87.238.33.1
nov. 29 07:15:54.039407 sloth.fud.no dnsmasq[48069]: reply 
l1-g9-osl2.n.bitbit.net is 
nov. 29 07:15:54.039461 sloth.fud.no dnsmasq[48069]: reply 
eth0.l1-g9-osl2.n.bitbit.net is 10.20.120.102
nov. 29 07:15:54.039666 sloth.fud.no dnsmasq[48069]: reply 
l1-g9-osl2.n.bitbit.net is 
nov. 29 07:15:54.039700 sloth.fud.no dnsmasq[48069]: reply 
eth0.l1-g9-osl2.n.bitbit.net is NODATA-IPv6
nov. 29 07:15:54.964042 sloth.fud.no dnsmasq[48069]: query[type=44] 
l1-g9-osl2.n.bitbit.net from 127.0.0.1
(CPU starts spinning at this point, no further log lines appear)

Tore


cpu-spin.pcap.gz
Description: application/gzip
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [PATCH] DHCPv6 - List or Range reservation for single host

[Tore Anderson]

* Simon Kelley

> I have an alternative suggestion for the syntax of dhcp-host.
> It's less flexible, but simpler and easier to understand and to explain,
> and uses existing semantics rather than adding new keywords.
> 
> The idea is just to add a prefix-length to the address. That allows you
> to define (eg) 1,2,4,8, or 16 addresses for use by a host simply and
> easily in a way which makes it difficult to accidentally overlap address
> ranges, and is fairly obvious to anyone who has done done any IPv6
> network configuration.
> 
> for instance to reserve four addresses for each host we cold do:
> 
> dhcp-host=00:11:22:33:44:55,[fd12:3456::aa00/62]
> dhcp-host=00:11:22:33:44:56,[fd12:3456::aa04/62]
> dhcp-host=00:11:22:33:44:57,[fd12:3456::aa08/62]
> 
> As a sanity check, if the "host part" of the address isn't zero,
> 
> ie [fd12:3456::aa01/62]
> 
> that could be rejected with an error.

I have done quite a bit of IPv6 networking, but the use of /62 here is anything 
but «fairly obvious» to me.

It would have been much more intuitive to use /126, in my opinion.

Tore

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss