Commit Graph

1908 Commits

Author SHA1 Message Date
DL6ER 230989ebbd
Exit after fatal dnsmasq errors
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-05-04 10:11:35 +02:00
Simon Kelley 40886dc78a
Fix spurious "resource limit exceeded" messages.
Replies from upstream with a REFUSED rcode can result in
log messages stating that a resource limit has been exceeded,
which is not the case.

Thanks to Dominik Derigs and the Pi-hole project for
spotting this.

Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-19 13:57:11 +01:00
Simon Kelley 65402b1531
Reverse suppression of ANY query answer logging.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:18 +01:00
Simon Kelley fbc5713104
Add --dnssec-limits option.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:18 +01:00
Simon Kelley c3bc0f9972
Better allocation code for DS digest cache.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley a389bcca1a
Better stats and logging from DNSSEC resource limiting.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley c32b46772c
Overhaul data checking in NSEC code.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley 0ce9541c63
Rework validate-by-DS to avoid DoS vuln without arbitrary limits.
By calculating the hash of a DNSKEY once for each digest algo,
we reduce the hashing work from (no. DS) x (no. DNSKEY) to
(no. DNSKEY) x (no. distinct digests)

The number of distinct digests can never be more than 255 and
it's limited by which hashes we implement, so currently only 4.

Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley 8b9c5d3da8
Update EDE code -> text conversion.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley a133029e4c
Parameterise work limits for DNSSEC validation.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley 2e0d8fff72
Fix error introduced in 635bc51cac3d5d7dd49ce9e27149cf7e402b7e79
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley dd11688b8c
Measure cryptographic work done by DNSSEC.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley 70b0431919
Update NSEC3 iterations handling to conform with RFC 9276.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley bf17dd3c04
Update header with new EDE values.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
Simon Kelley 108ab67dc9
Protection against pathological DNSSEC domains.
An attacker can create DNSSEC signed domains which need a lot of
work to verify. We limit the number of crypto operations to
avoid DoS attacks by CPU exhaustion.

Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 17:17:17 +01:00
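The two DNSSEC commits above (the per-digest rework of validate-by-DS, and the crypto-work cap against pathological zones) describe a cost model rather than show it. The following is an added example and not dnsmasq or FTL code: it builds a constructed, adversarial DS/DNSKEY set in which every record shares one key tag and algorithm (so nothing is filtered cheaply), then counts digest computations for the naive (no. DS) x (no. DNSKEY) loop and for the cached (no. DNSKEY) x (no. distinct digest types) loop, each running under a work budget that aborts validation when exhausted. The digest is a toy FNV-1a stand-in, not SHA-1/SHA-256, and all struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not dnsmasq code. The digest is a toy FNV-1a stand-in for
   SHA-1/SHA-256/...: NOT cryptographic, it only makes hash calls countable. */

#define NKEYS 8
#define NDS   64

struct dnskey { uint16_t tag; uint8_t algo; uint8_t keydata[32]; };
struct ds     { uint16_t tag; uint8_t algo; uint8_t digest_type; uint32_t digest; };

static int hash_ops;    /* digest computations so far: the "crypto work" counter */
static int work_limit;  /* budget after which validation gives up */

/* Toy digest. Output is forced odd so an even DS digest can never match. */
static uint32_t toy_digest(const struct dnskey *k, uint8_t digest_type)
{
  uint32_t h = 2166136261u ^ digest_type;
  for (size_t i = 0; i < sizeof k->keydata; i++) { h ^= k->keydata[i]; h *= 16777619u; }
  hash_ops++;
  return h | 1u;
}

/* Old shape: one digest per (DS, DNSKEY) pair that survives the tag/algo check.
   Returns matches found, or -1 once the work budget is exhausted. */
static int validate_naive(const struct ds *ds, int nds, const struct dnskey *keys, int nkeys)
{
  int matched = 0;
  for (int i = 0; i < nds; i++)
    for (int j = 0; j < nkeys; j++)
      {
        if (ds[i].tag != keys[j].tag || ds[i].algo != keys[j].algo) continue;
        uint32_t h = toy_digest(&keys[j], ds[i].digest_type);
        if (hash_ops > work_limit) return -1;
        if (h == ds[i].digest) matched++;
      }
  return matched;
}

/* Reworked shape: per DNSKEY, each distinct digest type is hashed at most once
   and cached; the cache is then compared against every DS of that type. */
static int validate_cached(const struct ds *ds, int nds, const struct dnskey *keys, int nkeys)
{
  int matched = 0;
  for (int j = 0; j < nkeys; j++)
    {
      uint32_t cache[256];
      uint8_t have[256] = {0};       /* digest type is one octet: at most 255 distinct */
      for (int i = 0; i < nds; i++)
        {
          if (ds[i].tag != keys[j].tag || ds[i].algo != keys[j].algo) continue;
          uint8_t t = ds[i].digest_type;
          if (!have[t])
            {
              cache[t] = toy_digest(&keys[j], t); have[t] = 1;
              if (hash_ops > work_limit) return -1;
            }
          if (cache[t] == ds[i].digest) matched++;
        }
    }
  return matched;
}

/* Constructed adversarial zone: all records share tag 12345 / algorithm 13,
   DS records cycle through 4 digest types, and exactly one DS (ds[5], type 2)
   genuinely matches keys[3]. Every other DS digest is even, so it never matches. */
static void build_scenario(struct ds *ds, struct dnskey *keys)
{
  for (int j = 0; j < NKEYS; j++)
    {
      keys[j].tag = 12345; keys[j].algo = 13;
      for (int i = 0; i < 32; i++) keys[j].keydata[i] = (uint8_t)(j * 7 + i);
    }
  for (int i = 0; i < NDS; i++)
    {
      ds[i].tag = 12345; ds[i].algo = 13;
      ds[i].digest_type = (uint8_t)(i % 4 + 1);
      ds[i].digest = (uint32_t)i * 2u;
    }
  ds[5].digest = toy_digest(&keys[3], ds[5].digest_type);
}

/* Run one strategy under a budget. Returns digests computed; *matched receives
   the match count, or -1 if the budget stopped validation early. */
int run_validation(int cached, int budget, int *matched)
{
  struct ds ds[NDS]; struct dnskey keys[NKEYS];
  build_scenario(ds, keys);
  hash_ops = 0; work_limit = budget;
  *matched = cached ? validate_cached(ds, NDS, keys, NKEYS)
                    : validate_naive(ds, NDS, keys, NKEYS);
  return hash_ops;
}

int main(void)
{
  int m;
  printf("naive : %d digests, matched %d\n", run_validation(0, 1000, &m), m);
  printf("cached: %d digests, matched %d\n", run_validation(1, 1000, &m), m);
  printf("naive under budget 100: %d digests, result %d\n", run_validation(0, 100, &m), m);
  return 0;
}
```

With 64 DS and 8 DNSKEYs that all collide on tag and algorithm, the naive loop computes 512 digests while the cached loop computes 32 (8 keys x 4 digest types), and the cap shows the second half of the defence: under a budget of 100 the naive loop is cut off with no answer, while the cached loop still finds the single genuine match.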
Simon Kelley 9091f18f3f
Make --filter-rr=ANY filter the answer to ANY queries.
Thanks to Dominik Derigs for an earlier patch which inspired this.

Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 07:18:26 +01:00
Simon Kelley cc98853d19
Tweak logging and special handling of T_ANY in rr-filter code.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-13 07:18:23 +01:00
DL6ER 45c342af05
Force-update embedded dnsmasq version. We are losing the individual dnsmasq history of roughly the last year; however, given the multitude of merge conflicts and the fact that this code will soon(ish) be replaced by development-v6 (where the history is 100% intact), this isn't much of an issue
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-09 20:48:59 +01:00
Simon Kelley 6cc10f72ed
=/== typo in last commit.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
Simon Kelley 6b48e6d063
Behave better when attempting to contact unresponsive TCP servers.
By default TCP connect takes minutes to fail when trying to
connect to a server which is not responding and for which the
network layer doesn't generate HOSTUNREACH errors.

This is doubled because having failed to connect in FASTOPEN
mode, the code then tries again with a call to connect().

We set TCP_SYNCNT to 2, which makes the timeout about 10 seconds.
This is an unportable Linux feature, so it doesn't work on other
platforms.

No longer try connect() if sendmsg in fastopen mode fails with
ETIMEDOUT or EHOSTUNREACH since the story will just be the same.

Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
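The commit above describes two changes, capping SYN retransmissions with TCP_SYNCNT and skipping the plain connect() retry when a Fast Open sendmsg() has already failed with ETIMEDOUT or EHOSTUNREACH. The following is an added example, not dnsmasq or FTL code: it shows the socket option applied on an unconnected socket and read back, with the non-Linux fallback the commit warns about, plus the retry decision as a pure function. Function names are hypothetical; the example assumes a Linux build for TCP_SYNCNT to take effect.

```c
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdio.h>

/* Added example, not dnsmasq code. */

/* Cap SYN retransmissions so connect() to a black-holed upstream fails after a
   few retries instead of the kernel default. TCP_SYNCNT is Linux-only: on other
   platforms we leave the default alone and report 1 so the caller knows. */
int limit_syn_retries(int fd, int retries)
{
#ifdef TCP_SYNCNT
  return setsockopt(fd, IPPROTO_TCP, TCP_SYNCNT, &retries, sizeof retries);
#else
  (void)fd; (void)retries;
  return 1;
#endif
}

/* Read back the effective value; -1 if unsupported or on error. */
int get_syn_retries(int fd)
{
#ifdef TCP_SYNCNT
  int v; socklen_t len = sizeof v;
  if (getsockopt(fd, IPPROTO_TCP, TCP_SYNCNT, &v, &len) < 0) return -1;
  return v;
#else
  (void)fd;
  return -1;
#endif
}

/* After a TCP Fast Open sendmsg() fails, is a plain connect() retry worth it?
   Not when the error already says the peer timed out or is unreachable: the
   retry would only repeat the same wait. Other errors (e.g. the kernel has no
   Fast Open support) still justify the fallback. */
int worth_plain_connect_retry(int err)
{
  return !(err == ETIMEDOUT || err == EHOSTUNREACH);
}

/* Open an unconnected socket, apply the limit, and read it back.
   Returns the value the kernel reports, or -1 if sockets/option are unavailable. */
int demo_syn_retries(int retries)
{
  int fd = socket(AF_INET, SOCK_STREAM, 0);
  if (fd < 0) return -1;
  int got = (limit_syn_retries(fd, retries) == 0) ? get_syn_retries(fd) : -1;
  close(fd);
  return got;
}

int main(void)
{
  printf("TCP_SYNCNT now: %d\n", demo_syn_retries(2));
  printf("retry plain connect after ETIMEDOUT? %d\n", worth_plain_connect_retry(ETIMEDOUT));
  printf("retry plain connect after ECONNREFUSED? %d\n", worth_plain_connect_retry(ECONNREFUSED));
  return 0;
}
```

The option must be set before the first connect() or Fast Open sendmsg(), since it only governs the SYN phase; with a value of 2 the kernel sends the initial SYN plus two exponentially backed-off retransmissions before reporting ETIMEDOUT.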
DL6ER d38a0a6dcd
Necessary changes to handle the most recent dnsmasq changes in FTL
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
Simon Kelley b650631d6e
Log truncated DNS replies.
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-02-08 18:11:37 +01:00
Dominik dfbdaaaeae
Merge pull request #1808 from pi-hole/tweak/special_domains_prio_v5
Implement special domains whitelisting
2023-12-13 19:45:03 +01:00
Dominik fd114e038e
Merge pull request #1777 from pi-hole/fix/many_clients
Fix possible crash with high client activity
2023-12-10 18:06:33 +01:00
Dominik 7e4f10852c
Apply suggestions from code review
Co-authored-by: yubiuser <ckoenig@posteo.de>
Signed-off-by: Dominik <DL6ER@users.noreply.github.com>
2023-12-09 22:57:15 +01:00
DL6ER 9b19917796
Add special non-interactive mode for the embedded sqlite3 engine accessible via "-ni"
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-12-09 21:30:34 +01:00
DL6ER 05b689422d
Change priorities such that special domains (Firefox and Apple at this time) can be explicitly allowed for some clients (per group assignments) while they stay blocked for all others in the network
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-12-06 23:46:53 +01:00
DL6ER d992e929f4
Fix possible race-collision leading to a theoretical out-of-bounds read
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-11-22 22:49:20 +01:00
Christian König dad2b9f892
Remove traces of ABP_CSS
Signed-off-by: Christian König <ckoenig@posteo.de>
2023-05-27 22:46:01 +02:00
Christian König 487d4d2768
Remove code duplication found in gravity.sh gravity_ParseFileIntoDomains()
Signed-off-by: Christian König <ckoenig@posteo.de>
2023-05-27 22:19:05 +02:00
DL6ER 42b36cf5d1
Update src/tools/gravity-parseList.c
Co-authored-by: yubiuser <ckoenig@posteo.de>
Signed-off-by: DL6ER <DL6ER@users.noreply.github.com>
2023-05-24 21:50:23 +02:00
DL6ER 15faf3ca00
Rename src/{gravity-tools.* => tools/gravity-parseList.*}
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-24 21:25:37 +02:00
DL6ER 14dc1311bc
Update adlist.date_updated in parseList command
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-24 21:25:34 +02:00
RD WebDesign 825146fa59
Adding anchors to false_positives_regex
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2023-05-24 16:00:44 -03:00
RD WebDesign f4374876df
Improving the comments
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2023-05-24 15:55:43 -03:00
RD WebDesign 2a13beb3c2
Do not consider false positives as invalid domains
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2023-05-23 17:42:48 -03:00
RD WebDesign 9689b9856f
Allowing underscore and hyphen in any position for gravity parseList
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
2023-05-22 17:28:30 -03:00
DL6ER 88502af00b
Do not run ARP scans in networks where the kernel knows that ARP is not supported (e.g. Wireguard)
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-21 17:43:25 +02:00
DL6ER 59a11808a6
Do not try to scan for DHCP servers in networks where the kernel knows that there is no broadcasting support (e.g. Wireguard)
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-21 17:39:17 +02:00
DL6ER b38ed4057a
Skip interfaces that are either down or are of loopback type
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-21 13:47:26 +02:00
DL6ER d75305b1ed
Ensure we are in lock-mode when printing the final result
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-21 12:58:46 +02:00
DL6ER 1a02c102fc
Improve message when packet is rejected by wireguard interfaces
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-21 10:06:08 +02:00
DL6ER 25a1d06834
Query IPv4-capable interfaces instead of packet-interfaces when scanning for DHCP servers
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-20 22:20:42 +02:00
DL6ER aa8821adbc
Modify logging in such a way that concurrent printing by the involved is prevented and add better error reporting when sending to interfaces is not working due to an error
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-20 22:19:53 +02:00
DL6ER 69ecc2c658
Merge pull request #1559 from pi-hole/new/parseList
Add list parsing feature for gravity
2023-05-20 18:48:24 +02:00
DL6ER 9b45d5cc1e
Merge pull request #1561 from pi-hole/tweak/dhcp-discover-capabilities
Add capabilities check for feature dhcp-discover
2023-05-20 17:37:15 +02:00
DL6ER 9dd3d772a6
Merge pull request #1560 from pi-hole/update/sqlite_3.42.0
Update embedded SQLite to 3.42.0
2023-05-20 17:36:57 +02:00
DL6ER 04a7633a32
Add capabilities check for feature dhcp-discover in the same way we already have it for arp-scan
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-20 14:40:27 +02:00
DL6ER 1bcee5fd21
Merge remote-tracking branch 'origin/development' into new/parseList
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-20 14:34:28 +02:00
DL6ER 2fa2d86f3f
Merge pull request #1557 from pi-hole/new/arp-scan
Add local network scanning feature (ARP)
2023-05-20 14:22:08 +02:00