Update dnsmasq to v2.91test9 #2166
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When checking that an answer is the answer to the question that we asked, compare the name in a case-sensitive manner. Clients can set the letters in a query to a random pattern of uppercase and lowercase to add more randomness as protection against cache-poisoning attacks, and we don't want to nullify that. This actually restores the status quo before commit ed6d29a78475f9ec91141120aba53490bc1dc39a since matching questions and answers using a checksum can't help but be case sensitive. This patch is a preparation for introducing DNS-0x20 in the dnsmasq query path. Signed-off-by: DL6ER <dl6er@dl6er.de>
This provides extra protection against reply-spoof attacks. Since DNS queries are case-insensitive, it's possible to randomly flip the case of letters in a query and still get the correct answer back. This adds an extra dimension for a cache-poisoning attacker to guess when sending replies in-the-blind since it's expected that the legitimate answer will have the same pattern of upper and lower case as the query, so any replies which don't can be ignored as malicious. The amount of extra entropy clearly depends on the number of a-z and A-Z characters in the query, and this implementation puts a hard limit of 32 bits to make rescource allocation easy. This about doubles entropy over the standard random ID and random port combination. Signed-off-by: DL6ER <dl6er@dl6er.de>
0x20 encoding makes them look odd, otherwise. Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
…asq (see commit 8132969, Dec, 19, 2024) Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
yubiuser
reviewed
Jan 24, 2025
…A-Z is 0x41..0x5A, a-z is 0x61-0x7A). The 0x20 bit does not carry any information as DNS is case-insensitive. Hence, we can use it as additional "nounce" bits. Signed-off-by: DL6ER <dl6er@dl6er.de>
… create new building test containers already including this package Signed-off-by: DL6ER <dl6er@dl6er.de>
|
Again ready for review after adding tests. Initially, I planed to create a new building container tag including |
yubiuser
approved these changes
Jan 24, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this implement/fix?
Change compared to last tagged version:
mplement "DNS-0x20 encoding"
This provides extra protection against reply-spoof attacks.
Since DNS queries are case-insensitive, it's possible to randomly flip the case of letters in a query and still get the correct answer back. This adds an extra dimension for a cache-poisoning attacker to guess when sending replies in-the-blind since it's expected that the legitimate answer will have the same pattern of upper and lower case as the query, so any replies which don't can be ignored as malicious.
The amount of extra entropy clearly depends on the number
of a-z and A-Z characters in the query, and this implementation puts a hard limit of 32 bits to make rescource allocation easy. This about doubles entropy over the standard random ID and random port combination.
Related issue or feature (if applicable): N/A
Pull request in docs with documentation (if applicable): N/A
By submitting this pull request, I confirm the following:
git rebase)Checklist:
developmentalbranch.