DL6ER
230989ebbd
Exit after fatal dnsmasq errors
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-05-04 10:11:35 +02:00
Simon Kelley
40886dc78a
Fix spurious "resource limit exceeded" messages.
...
Replies from upstream with a REFUSED rcode can result in
log messages stating that a resource limit has been exceeded,
which is not the case.
Thanks to Dominik Derigs and the Pi-hole project for
spotting this.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-19 13:57:11 +01:00
Simon Kelley
65402b1531
Reverse suppression of ANY query answer logging.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:18 +01:00
Simon Kelley
fbc5713104
Add --dnssec-limits option.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:18 +01:00
Simon Kelley
c3bc0f9972
Better allocation code for DS digest cache.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
a389bcca1a
Better stats and logging from DNSSEC resource limiting.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
c32b46772c
Overhaul data checking in NSEC code.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
0ce9541c63
Rework validate-by-DS to avoid DoS vuln without arbitrary limits.
...
By calculating the hash of a DNSKEY once for each digest algo,
we reduce the hashing work from (no. DS) x (no. DNSKEY) to
(no. DNSKEY) x (no. distinct digests)
The number of distinct digests can never be more than 255 and
it's limited by which hashes we implement, so currently only 4.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
8b9c5d3da8
Update EDE code -> text conversion.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
a133029e4c
Parameterise work limits for DNSSEC validation.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
2e0d8fff72
Fix error introduced in 635bc51cac3d5d7dd49ce9e27149cf7e402b7e79
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
dd11688b8c
Measure cryptographic work done by DNSSEC.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
70b0431919
Update NSEC3 iterations handling to conform with RFC 9276.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
bf17dd3c04
Update header with new EDE values.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
108ab67dc9
Protection against pathological DNSSEC domains.
...
An attacker can create DNSSEC signed domains which need a lot of
work to verify. We limit the number of crypto operations to
avoid DoS attacks by CPU exhaustion.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley
9091f18f3f
Make --filter-rr=ANY filter the answer to ANY queries.
...
Thanks to Dominik Derigs for an earlier patch which inspired this.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 07:18:26 +01:00
Simon Kelley
cc98853d19
Tweak logging and special handling of T_ANY in rr-filter code.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 07:18:23 +01:00
DL6ER
45c342af05
Force-update embedded dnsmasq version. We are losing the individual dnsmasq history of the ~ last year, however, given the multitude of merge conflicts and the fact that this code will soon(ish) be replaced by development-v6 (where the history is 100% intact), this isn't much of an issue
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-09 20:48:59 +01:00
Simon Kelley
6cc10f72ed
=/== typo in last commit.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
Simon Kelley
6b48e6d063
Behave better when attempting to contact unresponsive TCP servers.
...
By default TCP connect takes minutes to fail when trying to
connect a server which is not responding and for which the
network layer doesn't generate HOSTUNREACH errors.
This is doubled because having failed to connect in FASTOPEN
mode, the code then tries again with a call to connect().
We set TCP_SYNCNT to 2, which makes the timeout about 10 seconds.
This is an unportable Linux feature, so it doesn't work on other
platforms.
No longer try connect() if sendmsg in fastopen mode fails with
ETIMEDOUT or EHOSTUNREACH since the story will just be the same.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
DL6ER
d38a0a6dcd
Necessary changes to handle the most recent dnsmasq changes in FTL
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
Simon Kelley
b650631d6e
Log truncated DNS replies.
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
Dominik
dfbdaaaeae
Merge pull request #1808 from pi-hole/tweak/special_domains_prio_v5
...
Implement special domains whitelisting
2023-12-13 19:45:03 +01:00
Dominik
fd114e038e
Merge pull request #1777 from pi-hole/fix/many_clients
...
Fix possible crash with high client activity
2023-12-10 18:06:33 +01:00
Dominik
7e4f10852c
Apply suggestions from code review
...
Co-authored-by: yubiuser <ckoenig@posteo.de>
Signed-off-by: Dominik <DL6ER@users.noreply.github.com>
2023-12-09 22:57:15 +01:00
DL6ER
9b19917796
Add special non-interactive mode for the embedded sqlite3 engine accessible via "-ni"
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-12-09 21:30:34 +01:00
DL6ER
05b689422d
Change priorities such that special domains (Firefox and Apple at this time) can be explicitly allowed for some clients (per group assignments) while they stay blocked for all others in the network
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-12-06 23:46:53 +01:00
DL6ER
d992e929f4
Fix possible race-collision leading to a theoretical out-of-bounds read
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-11-22 22:49:20 +01:00
Christian König
dad2b9f892
Remove traces of ABP_CSS
...
Signed-off-by: Christian König <ckoenig@posteo.de>
2023-05-27 22:46:01 +02:00
Christian König
487d4d2768
Remove code duplication found in gravit.sh gravity_ParseFileIntoDomains()
...
Signed-off-by: Christian König <ckoenig@posteo.de>
2023-05-27 22:19:05 +02:00
DL6ER
42b36cf5d1
Update src/tools/gravity-parseList.c
...
Co-authored-by: yubiuser <ckoenig@posteo.de>
Signed-off-by: DL6ER <DL6ER@users.noreply.github.com>
2023-05-24 21:50:23 +02:00
DL6ER
15faf3ca00
Rename src/{gravity-tools.* => tools/gravity-parseList.*}
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-24 21:25:37 +02:00
DL6ER
14dc1311bc
Update adlist.date_updated in parseList command
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-24 21:25:34 +02:00
RD WebDesign
825146fa59
Adding anchors to false_positives_regex
...
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2023-05-24 16:00:44 -03:00
RD WebDesign
f4374876df
Improving the comments
...
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2023-05-24 15:55:43 -03:00
RD WebDesign
2a13beb3c2
Do not consider false positives as invalid domains
...
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2023-05-23 17:42:48 -03:00
RD WebDesign
9689b9856f
Allowing underscore and hyphen in any position for gravity parseList
...
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2023-05-22 17:28:30 -03:00
DL6ER
88502af00b
Do not run ARP scans in networks where the kernel knows that ARP is not supported (e.g. Wireguard)
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-21 17:43:25 +02:00
DL6ER
59a11808a6
Do not try to scan for DHCP servers in networks where the kernel knows that there is no broadcasting support (e.g. Wireguard)
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-21 17:39:17 +02:00
DL6ER
b38ed4057a
Skip interfaces that are either down or are of loopback type
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-21 13:47:26 +02:00
DL6ER
d75305b1ed
Ensure we are in lock-mode when printing the final result
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-21 12:58:46 +02:00
DL6ER
1a02c102fc
Improve message when packet is rejected by wireguard interfaces
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-21 10:06:08 +02:00
DL6ER
25a1d06834
Query IPv4-capable interfaces instead of packet-interfaces when scanning for DHCP servers
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-20 22:20:42 +02:00
DL6ER
aa8821adbc
Modify logging in such a way that concurrent printing by the involved is prevented and add better error reporting when sending to interfaces is not working due to an error
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-20 22:19:53 +02:00
DL6ER
69ecc2c658
Merge pull request #1559 from pi-hole/new/parseList
...
Add list parsing feature for gravity
2023-05-20 18:48:24 +02:00
DL6ER
9b45d5cc1e
Merge pull request #1561 from pi-hole/tweak/dhcp-discover-capabilities
...
Add capabilities check for feature dhcp-discover
2023-05-20 17:37:15 +02:00
DL6ER
9dd3d772a6
Merge pull request #1560 from pi-hole/update/sqlite_3.42.0
...
Update embedded SQLite to 3.42.0
2023-05-20 17:36:57 +02:00
DL6ER
04a7633a32
Add capabilities check for feature dhcp-discover in the same way we already have it for arp-scan
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-20 14:40:27 +02:00
DL6ER
1bcee5fd21
Merge remote-tracking branch 'origin/development' into new/parseList
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-20 14:34:28 +02:00
DL6ER
2fa2d86f3f
Merge pull request #1557 from pi-hole/new/arp-scan
...
Add local network scanning feature (ARP)
2023-05-20 14:22:08 +02:00