I see that Miriam will work on this one (thanks!).
I was able to reproduce the issue (thank you Gordon for the great bug
description), and confirmed that it manifests on Jammy but is fixed in
Lunar. I'm trying to reproduce it on Kinetic; will update the bug with
results once I have them.
** Also affects: dnsmasq (Ubuntu Jammy)
Importance: Undecided
Status: New
** Changed in: dnsmasq (Ubuntu Jammy)
Status: New => Triaged
** Changed in: dnsmasq (Ubuntu Jammy)
Assignee: (unassigned) => Miriam España Acebal (mirespace)
** Changed in: dnsmasq (Ubuntu)
Status: New => Fix Released
** Changed in: dnsmasq (Ubuntu)
Assignee: Miriam España Acebal (mirespace) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/2015562
Title:
Segfault in dnsmasq when using certain static domain entries + DoH
(bugfix possibly exists upstream)
Status in dnsmasq package in Ubuntu:
Fix Released
Status in dnsmasq source package in Jammy:
Triaged
Bug description:
Hi folks,
I've been using dnsmasq for my home DNS needs, which includes
returning null entries for certain domain queries. The specific case
in which I found this segfault was returning null AAAA records for
Netflix (to ensure Netflix does not try to use my IPv6 tunnel to
egress traffic through).
I've been using very simple configuration snippet to achieve this,
this is attached as netflix-nov6.conf (the full file contains more
entries).
Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept
segfaulting at random occasions. I also attempted do an apt
update&&upgrade, but there are no newer versions of this package
available.
Further research into this issue showed that a surefire way to trigger
this segfault was to go to a website blocked via this method (for
testing purposes, a dig query works quite well). The segfault can be
reproduced reliably, and always occurs after one or a few queries
towards the "blocked" domain entries.
I found a commit in the upstream dnsmasq git repo which seems to fix this
issue, the fix made it into 2.87:
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b
Would it be possible to backport this into the version used in the
current LTS Ubuntu release? Thanks!
------
$ lsb_release -d
Description: Ubuntu 22.04.2 LTS
$ apt-cache policy dnsmasq
dnsmasq:
Installed: 2.86-1.1ubuntu0.2
Candidate: 2.86-1.1ubuntu0.2
Version table:
*** 2.86-1.1ubuntu0.2 500
500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64
Packages
100 /var/lib/dpkg/status
2.86-1.1ubuntu0.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64
Packages
2.86-1.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
------
Excerpt from the dnsmasq logs, with debugging enabled, after I loaded
fast.com:
Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and
caching DNS server.
Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65]
fast.dradis.netflix.com from 192.168.10.82
Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network
error)
Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65]
ichnaea-web.netflix.com from 192.168.10.82
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited,
code=dumped, status=11/SEGV
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result
'core-dump'.
Core dump is also attached.
Reproduction steps:
- 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq
2.86)
- 1.5. Configure one or multiple DNS servers for dnsmasq
- 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/
- 3. Restart/reload dnsmasq
- 3.5 Verify that dnsmasq resolves domains correctly:
root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1
185.125.190.21
185.125.190.20
185.125.190.29
root@budgie:~# dig +short -tAAAA ubuntu.com @127.0.0.1
2620:2d:4000:1::28
2620:2d:4000:1::26
2620:2d:4000:1::27
- 4. Perform a type65 / HTTPS recordtype query for netflix.com towards
the dnsmasq server once or twice:
root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; no servers could be reached
- 5. Check logs to verify segfault:
Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and
caching DNS server.
Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from
127.0.0.1
Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network
error)
Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from
127.0.0.1
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited,
code=dumped, status=11/SEGV
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result
'core-dump'.
--
netflix-nov6.conf:
# Null AAAA response on these domains
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/::
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2015562/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
