8943e26041
Merge pull request #1946 from pi-hole/fix/crash_fatal_dnsmasq_err_v5
...
Exit after fatal dnsmasq errors
2024-05-08 20:59:50 +01:00
230989ebbd
Exit after fatal dnsmasq errors
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-05-04 10:11:35 +02:00
1c2257bed6
Merge pull request #1893 from pi-hole/release/v5.25.1
...
Fix spurious "resource limit exceeded" messages (v5 backport)
2024-02-20 20:02:36 +01:00
df58921d47
Update embedded dnsmasq version to 2.90+1
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-19 13:59:25 +01:00
40886dc78a
Fix spurious "resource limit exceeded" messages.
...
Replies from upstream with a REFUSED rcode can result in
log messages stating that a resource limit has been exceeded,
which is not the case.
Thanks to Dominik Derigs and the Pi-hole project for
spotting this.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-19 13:57:11 +01:00
8543015f90
Merge pull request #1889 from pi-hole/master
...
Sync master back into development
2024-02-14 20:13:18 +01:00
4f92b48ff2
Merge pull request #1888 from pi-hole/development
...
Pi-hole FTL v5.25
2024-02-14 20:08:08 +01:00
bda4bd5077
Merge pull request #1881 from pi-hole/update/dnsmasq_v5
...
Update embedded dnsmasq to v2.90 (Pi-hole v5)
2024-02-13 18:10:57 +01:00
3bb1fcfd3c
Update dnsmasq version to 2.90
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:31 +01:00
3e32d96e32
Update expected dnsmasq warnings
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:31 +01:00
65402b1531
Reverse suppression of ANY query answer logging.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:18 +01:00
fbc5713104
Add --dnssec-limits option.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:18 +01:00
c3bc0f9972
Better allocation code for DS digest cache.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
a389bcca1a
Better stats and logging from DNSSEC resource limiting.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
c32b46772c
Overhaul data checking in NSEC code.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
0ce9541c63
Rework validate-by-DS to avoid DoS vuln without arbitrary limits.
...
By calculating the hash of a DNSKEY once for each digest algo,
we reduce the hashing work from (no. DS) x (no. DNSKEY) to
(no. DNSKEY) x (no. distinct digests)
The number of distinct digests can never be more than 255 and
it's limited by which hashes we implement, so currently only 4.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
8b9c5d3da8
Update EDE code -> text conversion.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
a133029e4c
Parameterise work limits for DNSSEC validation.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
2e0d8fff72
Fix error introduced in 635bc51cac3d5d7dd49ce9e27149cf7e402b7e79
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
dd11688b8c
Measure cryptographic work done by DNSSEC.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
70b0431919
Update NSEC3 iterations handling to conform with RFC 9276.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
bf17dd3c04
Update header with new EDE values.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
108ab67dc9
Protection against pathalogical DNSSEC domains.
...
An attacker can create DNSSEC signed domains which need a lot of
work to verfify. We limit the number of crypto operations to
avoid DoS attacks by CPU exhaustion.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
91b924d269
Update embedded dnsmasq version to 2.90test4
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 07:20:02 +01:00
9091f18f3f
Make --filter-rr=ANY filter the answer to ANY queries.
...
Thanks to Dominik Derigs for an earlier patch which inspired this.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 07:18:26 +01:00
cc98853d19
Tweak logging and special handling of T_ANY in rr-filter code.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 07:18:23 +01:00
45c342af05
Force-update embedded dnsmasq version. We are loosing the individual dnsmasq history of the ~ last year, however, given the multitude of merge conflicts and the fact that this code will soon(ish) be replaced by development-v6 (where the history is 100% intact), this isn't much of an issue
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-09 20:48:59 +01:00
0a90f07d68
Update changed indentation of known DNSMASQ warning
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
6cc10f72ed
=/== typo in last commit.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
6b48e6d063
Behave better when attempting to contact unresponsive TCP servers.
...
By default TCP connect takes minutes to fail when trying to
connect a server which is not responding and for which the
network layer doesn't generate HOSTUNREACH errors.
This is doubled because having failed to connect in FASTOPEN
mode, the code then tries again with a call to connect().
We set TCP_SYNCNT to 2, which make the timeout about 10 seconds.
This in an unportable Linux feature, so it doesn't work on other
platforms.
No longer try connect() if sendmsg in fastopen mode fails with
ETIMEDOUT or EHOSTUNREACH since the story will just be the same.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
d38a0a6dcd
Necessary changed to handle the most recent dnsmasq changes in FTL
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
b650631d6e
Log truncated DNS replies.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
986592580a
Merge pull request #1849 from pi-hole/master
...
Sync master back into development
2024-01-06 16:50:24 +00:00
01227311c5
Merge pull request #1822 from pi-hole/development
...
Pi-hole FTL v5.24
2024-01-06 16:47:56 +00:00
42be80e476
Merge pull request #1576 from pi-hole/group_dependabot
...
Group dependabot PRs
2024-01-06 15:37:20 +00:00
dfbdaaaeae
Merge pull request #1808 from pi-hole/tweak/special_domains_prio_v5
...
Implement special domains whitelisting
2023-12-13 19:45:03 +01:00
fd51d0cb1d
Merge pull request #1814 from pi-hole/dependabot-github_actions-development-actions-stale-9.0.0
...
Bump actions/stale from 8.0.0 to 9.0.0
2023-12-10 18:06:45 +01:00
fd114e038e
Merge pull request #1777 from pi-hole/fix/many_clients
...
Fix possible crash with high client activity
2023-12-10 18:06:33 +01:00
a86ea8fb45
Merge pull request #1820 from pi-hole/new/sql_ni_v5
...
Add pihole-FTL sqlite3 -ni
2023-12-09 22:59:45 +01:00
7e4f10852c
Apply suggestions from code review
...
Co-authored-by: yubiuser <ckoenig@posteo.de>
Signed-off-by: Dominik <DL6ER@users.noreply.github.com>
2023-12-09 22:57:15 +01:00
9b19917796
Add special non-interactive mode for the embedded sqlite3 engine accessible via "-ni"
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-12-09 21:30:34 +01:00
caa728ae1f
Bump actions/stale from 8.0.0 to 9.0.0
...
Bumps [actions/stale](https://github.com/actions/stale ) from 8.0.0 to 9.0.0.
- [Release notes](https://github.com/actions/stale/releases )
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/stale/compare/v8.0.0...v9.0.0 )
---
updated-dependencies:
- dependency-name: actions/stale
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-12-09 10:14:28 +00:00
05b689422d
Change priorities such that special domains (Firefox and Apple at this time) can be explicitly allowed for some clients (per group assignments) while they stay blocked for all others in the network
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-12-06 23:46:53 +01:00
d992e929f4
Fix possible race-collision leading to a theoretical out-of-bounds read
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-11-22 22:49:20 +01:00
ade6e67ae2
Merge pull request #1624 from pi-hole/dependabot-github_actions-development-actions-checkout-3.6.0
...
Bump actions/checkout from 3.5.3 to 3.6.0
2023-09-17 12:35:25 +02:00
f980bdc6c9
Bump actions/checkout from 3.5.3 to 3.6.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 3.5.3 to 3.6.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v3.5.3...v3.6.0 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-09-11 10:57:19 +02:00
61a3658c57
Merge pull request #1632 from pi-hole/dependabot-github_actions-development-actions-upload-artifact-3.1.3
...
Bump actions/upload-artifact from 3.1.2 to 3.1.3
2023-09-10 16:35:40 +01:00
7e83fdb3b0
Group dependabot PRs
...
Signed-off-by: Christian König <ckoenig@posteo.de>
2023-09-10 13:01:37 +01:00
b7c988cc41
Merge pull request #1589 from pi-hole/master
...
Sync master back into development
2023-09-10 13:00:03 +01:00
305e55fbf9
Bump actions/upload-artifact from 3.1.2 to 3.1.3
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 3.1.2 to 3.1.3.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](https://github.com/actions/upload-artifact/compare/v3.1.2...v3.1.3 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-09-09 10:31:54 +00:00
Adam Warner
DL6ER
Dominik
Simon Kelley
dependabot[bot]
Christian König