Adam Warner
8943e26041
Merge pull request #1946 from pi-hole/fix/crash_fatal_dnsmasq_err_v5
...
Exit after fatal dnsmasq errors
2024-05-08 20:59:50 +01:00
DL6ER
230989ebbd
Exit after fatal dnsmasq errors
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-05-04 10:11:35 +02:00
Dominik
1c2257bed6
Merge pull request #1893 from pi-hole/release/v5.25.1
...
Fix spurious "resource limit exceeded" messages (v5 backport)
2024-02-20 20:02:36 +01:00
DL6ER
df58921d47
Update embedded dnsmasq version to 2.90+1
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-19 13:59:25 +01:00
Simon Kelley
40886dc78a
Fix spurious "resource limit exceeded" messages.
...
Replies from upstream with a REFUSED rcode can result in
log messages stating that a resource limit has been exceeded,
which is not the case.
Thanks to Dominik Derigs and the Pi-hole project for
spotting this.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-19 13:57:11 +01:00
Dominik
8543015f90
Merge pull request #1889 from pi-hole/master
...
Sync master back into development
2024-02-14 20:13:18 +01:00
Dominik
4f92b48ff2
Merge pull request #1888 from pi-hole/development
...
Pi-hole FTL v5.25
2024-02-14 20:08:08 +01:00
Dominik
bda4bd5077
Merge pull request #1881 from pi-hole/update/dnsmasq_v5
...
Update embedded dnsmasq to v2.90 (Pi-hole v5)
2024-02-13 18:10:57 +01:00
DL6ER
3bb1fcfd3c
Update dnsmasq version to 2.90
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:31 +01:00
DL6ER
3e32d96e32
Update expected dnsmasq warnings
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:31 +01:00
Simon Kelley
65402b1531
Reverse suppression of ANY query answer logging.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:18 +01:00
Simon Kelley
fbc5713104
Add --dnssec-limits option.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:18 +01:00
Simon Kelley
c3bc0f9972
Better allocation code for DS digest cache.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
a389bcca1a
Better stats and logging from DNSSEC resource limiting.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
c32b46772c
Overhaul data checking in NSEC code.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
0ce9541c63
Rework validate-by-DS to avoid DoS vuln without arbitrary limits.
...
By calculating the hash of a DNSKEY once for each digest algo,
we reduce the hashing work from (no. DS) x (no. DNSKEY) to
(no. DNSKEY) x (no. distinct digests)
The number of distinct digests can never be more than 255 and
it's limited by which hashes we implement, so currently only 4.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
8b9c5d3da8
Update EDE code -> text conversion.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
a133029e4c
Parameterise work limits for DNSSEC validation.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
2e0d8fff72
Fix error introduced in 635bc51cac3d5d7dd49ce9e27149cf7e402b7e79
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
dd11688b8c
Measure cryptographic work done by DNSSEC.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
70b0431919
Update NSEC3 iterations handling to conform with RFC 9276.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
bf17dd3c04
Update header with new EDE values.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
108ab67dc9
Protection against pathological DNSSEC domains.
...
An attacker can create DNSSEC signed domains which need a lot of
work to verify. We limit the number of crypto operations to
avoid DoS attacks by CPU exhaustion.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
DL6ER
91b924d269
Update embedded dnsmasq version to 2.90test4
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 07:20:02 +01:00
Simon Kelley
9091f18f3f
Make --filter-rr=ANY filter the answer to ANY queries.
...
Thanks to Dominik Derigs for an earlier patch which inspired this.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 07:18:26 +01:00
Simon Kelley
cc98853d19
Tweak logging and special handling of T_ANY in rr-filter code.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 07:18:23 +01:00
DL6ER
45c342af05
Force-update embedded dnsmasq version. We are losing the individual dnsmasq history of the ~ last year, however, given the multitude of merge conflicts and the fact that this code will soon(ish) be replaced by development-v6 (where the history is 100% intact), this isn't much of an issue
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-09 20:48:59 +01:00
DL6ER
0a90f07d68
Update changed indentation of known DNSMASQ warning
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
Simon Kelley
6cc10f72ed
=/== typo in last commit.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
Simon Kelley
6b48e6d063
Behave better when attempting to contact unresponsive TCP servers.
...
By default TCP connect takes minutes to fail when trying to
connect a server which is not responding and for which the
network layer doesn't generate HOSTUNREACH errors.
This is doubled because having failed to connect in FASTOPEN
mode, the code then tries again with a call to connect().
We set TCP_SYNCNT to 2, which makes the timeout about 10 seconds.
This is an unportable Linux feature, so it doesn't work on other
platforms.
No longer try connect() if sendmsg in fastopen mode fails with
ETIMEDOUT or EHOSTUNREACH since the story will just be the same.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
DL6ER
d38a0a6dcd
Necessary changes to handle the most recent dnsmasq changes in FTL
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
Simon Kelley
b650631d6e
Log truncated DNS replies.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
Adam Warner
986592580a
Merge pull request #1849 from pi-hole/master
...
Sync master back into development
2024-01-06 16:50:24 +00:00
Adam Warner
01227311c5
Merge pull request #1822 from pi-hole/development
...
Pi-hole FTL v5.24
2024-01-06 16:47:56 +00:00
Adam Warner
42be80e476
Merge pull request #1576 from pi-hole/group_dependabot
...
Group dependabot PRs
2024-01-06 15:37:20 +00:00
Dominik
dfbdaaaeae
Merge pull request #1808 from pi-hole/tweak/special_domains_prio_v5
...
Implement special domains whitelisting
2023-12-13 19:45:03 +01:00
Dominik
fd51d0cb1d
Merge pull request #1814 from pi-hole/dependabot-github_actions-development-actions-stale-9.0.0
...
Bump actions/stale from 8.0.0 to 9.0.0
2023-12-10 18:06:45 +01:00
Dominik
fd114e038e
Merge pull request #1777 from pi-hole/fix/many_clients
...
Fix possible crash with high client activity
2023-12-10 18:06:33 +01:00
Dominik
a86ea8fb45
Merge pull request #1820 from pi-hole/new/sql_ni_v5
...
Add pihole-FTL sqlite3 -ni
2023-12-09 22:59:45 +01:00
Dominik
7e4f10852c
Apply suggestions from code review
...
Co-authored-by: yubiuser <ckoenig@posteo.de>
Signed-off-by: Dominik <DL6ER@users.noreply.github.com>
2023-12-09 22:57:15 +01:00
DL6ER
9b19917796
Add special non-interactive mode for the embedded sqlite3 engine accessible via "-ni"
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-12-09 21:30:34 +01:00
dependabot[bot]
caa728ae1f
Bump actions/stale from 8.0.0 to 9.0.0
...
Bumps [actions/stale](https://github.com/actions/stale) from 8.0.0 to 9.0.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/stale/compare/v8.0.0...v9.0.0)
---
updated-dependencies:
- dependency-name: actions/stale
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-12-09 10:14:28 +00:00
DL6ER
05b689422d
Change priorities such that special domains (Firefox and Apple at this time) can be explicitly allowed for some clients (per group assignments) while they stay blocked for all others in the network
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-12-06 23:46:53 +01:00
DL6ER
d992e929f4
Fix possible race-collision leading to a theoretical out-of-bounds read
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-11-22 22:49:20 +01:00
DL6ER
ade6e67ae2
Merge pull request #1624 from pi-hole/dependabot-github_actions-development-actions-checkout-3.6.0
...
Bump actions/checkout from 3.5.3 to 3.6.0
2023-09-17 12:35:25 +02:00
dependabot[bot]
f980bdc6c9
Bump actions/checkout from 3.5.3 to 3.6.0
...
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.3 to 3.6.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3.5.3...v3.6.0)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-09-11 10:57:19 +02:00
Adam Warner
61a3658c57
Merge pull request #1632 from pi-hole/dependabot-github_actions-development-actions-upload-artifact-3.1.3
...
Bump actions/upload-artifact from 3.1.2 to 3.1.3
2023-09-10 16:35:40 +01:00
Christian König
7e83fdb3b0
Group dependabot PRs
...
Signed-off-by: Christian König <ckoenig@posteo.de>
2023-09-10 13:01:37 +01:00
Adam Warner
b7c988cc41
Merge pull request #1589 from pi-hole/master
...
Sync master back into development
2023-09-10 13:00:03 +01:00
dependabot[bot]
305e55fbf9
Bump actions/upload-artifact from 3.1.2 to 3.1.3
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.2 to 3.1.3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3.1.2...v3.1.3)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-09-09 10:31:54 +00:00