Update embedded dnsmasq to v2.87test8 #1281

DL6ER · 2022-01-12T20:14:11Z

By submitting this pull request, I confirm the following:

I have read and understood the contributors guide.
I have checked that another pull request for this purpose does not exist.
I have considered, and confirmed that this submission will be valuable to others.
I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
I give this submission freely, and claim no ownership to its content.

How familiar are you with the codebase?:

10

Highlights:

DNSSEC improvements:
- When searching for an in-flight DNSSEC query to use (rather than starting a new one), compare the already sent query, rather than using the hash of the query. This is probably faster (no hash calculation) and eliminates having to worry about the consequences of a hash collision.
- Check for dependency loops in DNSSEC validation, say validating A requires DS B and validating DS B requires DNSKEY C and validating DNSKEY C requires DS B. This should never happen in correctly signed records, but it's likely the case that sufficiently broken ones can cause our validation code requests to exhibit cycles. The result is that the ->blocking_query list can form a cycle, and under certain circumstances that can lock us in an infinite loop. Instead we transform the situation into an ABANDONED state.
- Fix DNSSEC failure to validate unsigned NoDATA replies. A reply with an empty answer section would not always be checked for either suitable NSEC records or proof of non-existence of the relevant DS record.
Log port numbers in server addresses when non-standard ports in use (Pi-hole contribution)
Fix header of cache dump (Pi-hole contribution)
Extend cache dump: "!" as type for non-terminals, new flag "C" for config-provided and log source when applicable. (Pi-hole contribution)
Log source of ignored query when local-service is used. (Pi-hole contribution)
Minimum safe size is recommended to be 1232. (Pi-hole contribution)
Extend packet dump system to RA, DHCP and TFTP
Handle changing interface indexes when binding DHCP sockets.
Add --conf-script to generate dnsmasq config using a script rather than static files

The warning

Ignoring query from non-local network
has been changed to
ignoring query from non-local network <ADDRESS>

…tate of the -y/--localise-queries option. Signed-off-by: DL6ER <dl6er@dl6er.de>

Previously, hash_questions() would return a random hash if the packet was malformed, and probably the hash of a previous query. Now handle this as an error. Signed-off-by: Your Name <you@example.com> Signed-off-by: DL6ER <dl6er@dl6er.de>

There are two functional changes in this commit. 1) When searching for an in-flight DNSSEC query to use (rather than starting a new one), compare the already sent query (stored in the frec "stash" field, rather than using the hash of the query. This is probably faster (no hash calculation) and eliminates having to worry about the consequences of a hash collision. 2) Check for dependency loops in DNSSEC validation, say validating A requires DS B and validating DS B requires DNSKEY C and validating DNSKEY C requires DS B. This should never happen in correctly signed records, but it's likely the case that sufficiently broken ones can cause our validation code requests to exhibit cycles. The result is that the ->blocking_query list can form a cycle, and under certain circumstances that can lock us in an infinite loop. Instead we transform the situation into an ABANDONED state. Signed-off-by: Your Name <you@example.com> Signed-off-by: DL6ER <dl6er@dl6er.de>

Signed-off-by: Your Name <you@example.com> Signed-off-by: DL6ER <dl6er@dl6er.de>

…e 30 and 40 characters, respectively. Signed-off-by: DL6ER <dl6er@dl6er.de> Signed-off-by: Your Name <you@example.com> Signed-off-by: DL6ER <dl6er@dl6er.de>

…nfig-provided and log source when applicable. Signed-off-by: DL6ER <dl6er@dl6er.de> Signed-off-by: Your Name <you@example.com> Signed-off-by: DL6ER <dl6er@dl6er.de>

Thanks to Dominik Derigs for the initial patch. Signed-off-by: Your Name <you@example.com> Signed-off-by: DL6ER <dl6er@dl6er.de>

Signed-off-by: Your Name <you@example.com> Signed-off-by: DL6ER <dl6er@dl6er.de>

Some systems strips even root process capability of writing to different users file. That include systemd under Fedora. When log-facility=/var/log/dnsmasq.log is used, log file with mode 0640 is created. But restart then fails, because such log file can be used only when created new. Existing file cannot be opened by root when starting, causing fatal error. Avoid that by adding root group writeable flag. Ensure group is always root when granting write access. If it is anything else, administrator has to configure correct rights. Signed-off-by: Your Name <you@example.com> Signed-off-by: DL6ER <dl6er@dl6er.de>

…se-engineering it ourselves from the sockaddr Signed-off-by: DL6ER <dl6er@dl6er.de>