aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services/dnsmasq
diff options
context:
space:
mode:
Diffstat (limited to 'package/network/services/dnsmasq')
-rw-r--r--package/network/services/dnsmasq/Makefile8
-rw-r--r--package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch26
-rw-r--r--package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch35
-rw-r--r--package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch184
-rw-r--r--package/network/services/dnsmasq/patches/0004-Add-packet-dump-debugging-facility.patch587
-rw-r--r--package/network/services/dnsmasq/patches/0005-Retry-query-to-other-servers-on-receipt-of-SERVFAIL-.patch22
-rw-r--r--package/network/services/dnsmasq/patches/0006-Handle-query-retry-on-REFUSED-or-SERVFAIL-for-DNSSEC.patch87
-rw-r--r--package/network/services/dnsmasq/patches/0007-Retry-SERVFAIL-DNSSEC-queries-to-a-different-server-.patch100
-rw-r--r--package/network/services/dnsmasq/patches/0008-Fix-logging-in-previous.patch41
-rw-r--r--package/network/services/dnsmasq/patches/0009-Do-unsolicited-RAs-for-interfaces-which-appear-after.patch44
-rw-r--r--package/network/services/dnsmasq/patches/0010-Log-warning-on-very-large-cachesize-config-instead-o.patch38
-rw-r--r--package/network/services/dnsmasq/patches/240-ubus.patch8
12 files changed, 1172 insertions, 8 deletions
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index 60ed9ed6fb..7fa61ad04f 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
-PKG_VERSION:=2.79
-PKG_RELEASE:=4
+PKG_VERSION:=2.80test2
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
-PKG_HASH:=78ad74f5ca14fd85a8bac93f764cd9d60b27579e90eabd3687ca7b030e67861f
+PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases
+PKG_HASH:=e731666094699afcbad947f89f7f8afbf92e5ddc3c915459d4936159d81116f0
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING
diff --git a/package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch b/package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch
new file mode 100644
index 0000000000..0924a92e33
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch
@@ -0,0 +1,26 @@
+From f84e674d8aa2316fea8d2145a40fcef0441e3856 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 4 May 2018 16:29:57 +0100
+Subject: [PATCH 01/10] Be persistent with broken-upstream-DNSSEC warnings.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/dnssec.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -876,12 +876,7 @@ int dnssec_validate_ds(time_t now, struc
+
+ if (rc == STAT_INSECURE)
+ {
+- static int reported = 0;
+- if (!reported)
+- {
+- reported = 1;
+- my_syslog(LOG_WARNING, _("Insecure DS reply received, do upstream DNS servers support DNSSEC?"));
+- }
++ my_syslog(LOG_WARNING, _("Insecure DS reply received, do upstream DNS servers support DNSSEC?"));
+ rc = STAT_BOGUS;
+ }
+
diff --git a/package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch b/package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch
new file mode 100644
index 0000000000..12c405945d
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch
@@ -0,0 +1,35 @@
+From 0669ee7a69a004ce34fed41e50aa575f8e04427b Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 4 May 2018 16:46:24 +0100
+Subject: [PATCH 02/10] Fix DHCP broken-ness when --no-ping AND
+ --dhcp-sequential-ip are set.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ CHANGELOG | 3 ++-
+ src/dhcp.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -14,7 +14,8 @@ version 2.80
+ when the upstream namesevers do not support DNSSEC, and in this
+ case no DNSSEC validation at all is occuring.
+
+-
++ Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
++ are set. Thanks to Daniel Miess for help with this.
+
+
+ version 2.79
+--- a/src/dhcp.c
++++ b/src/dhcp.c
+@@ -678,7 +678,7 @@ struct ping_result *do_icmp_ping(time_t
+ if ((count >= max) || option_bool(OPT_NO_PING) || loopback)
+ {
+ /* overloaded, or configured not to check, loopback interface, return "not in use" */
+- dummy.hash = 0;
++ dummy.hash = hash;
+ return &dummy;
+ }
+ else if (icmp_ping(addr))
diff --git a/package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch b/package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch
new file mode 100644
index 0000000000..150cd91c6a
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch
@@ -0,0 +1,184 @@
+From 07ed585c38d8f7c0a18470d2e79cf46ea92ea96a Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 4 May 2018 21:52:22 +0100
+Subject: [PATCH 03/10] Add logging for DNS error returns from upstream and
+ local configuration.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/cache.c | 13 +++++++++++++
+ src/dnsmasq.h | 7 ++++++-
+ src/forward.c | 25 +++++++++++++++++++------
+ src/rfc1035.c | 19 ++++++++++++++-----
+ 4 files changed, 52 insertions(+), 12 deletions(-)
+
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -1598,6 +1598,19 @@ void log_query(unsigned int flags, char
+ {
+ if (flags & F_KEYTAG)
+ sprintf(daemon->addrbuff, arg, addr->addr.log.keytag, addr->addr.log.algo, addr->addr.log.digest);
++ else if (flags & F_RCODE)
++ {
++ unsigned int rcode = addr->addr.rcode.rcode;
++
++ if (rcode == SERVFAIL)
++ dest = "SERVFAIL";
++ else if (rcode == REFUSED)
++ dest = "REFUSED";
++ else if (rcode == NOTIMP)
++ dest = "not implemented";
++ else
++ sprintf(daemon->addrbuff, "%u", rcode);
++ }
+ else
+ {
+ #ifdef HAVE_IPV6
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -268,7 +268,11 @@ struct all_addr {
+ /* for log_query */
+ struct {
+ unsigned short keytag, algo, digest;
+- } log;
++ } log;
++ /* for log_query */
++ struct {
++ unsigned int rcode;
++ } rcode;
+ /* for cache_insert of DNSKEY, DS */
+ struct {
+ unsigned short class, type;
+@@ -459,6 +463,7 @@ struct crec {
+ #define F_IPSET (1u<<26)
+ #define F_NOEXTRA (1u<<27)
+ #define F_SERVFAIL (1u<<28)
++#define F_RCODE (1u<<29)
+
+ /* Values of uid in crecs with F_CONFIG bit set. */
+ #define SRC_INTERFACE 0
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -563,6 +563,7 @@ static size_t process_reply(struct dns_h
+ unsigned char *pheader, *sizep;
+ char **sets = 0;
+ int munged = 0, is_sign;
++ unsigned int rcode = RCODE(header);
+ size_t plen;
+
+ (void)ad_reqd;
+@@ -593,6 +594,9 @@ static size_t process_reply(struct dns_h
+
+ if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign, NULL)))
+ {
++ /* Get extended RCODE. */
++ rcode |= sizep[2] << 4;
++
+ if (check_subnet && !check_source(header, plen, pheader, query_source))
+ {
+ my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
+@@ -641,11 +645,20 @@ static size_t process_reply(struct dns_h
+ if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
+ header->hb4 &= ~HB4_AD;
+
+- if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
++ if (OPCODE(header) != QUERY)
+ return resize_packet(header, n, pheader, plen);
++
++ if (rcode != NOERROR && rcode != NXDOMAIN)
++ {
++ struct all_addr a;
++ a.addr.rcode.rcode = rcode;
++ log_query(F_UPSTREAM | F_RCODE, "error", &a, NULL);
++
++ return resize_packet(header, n, pheader, plen);
++ }
+
+ /* Complain loudly if the upstream server is non-recursive. */
+- if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR &&
++ if (!(header->hb4 & HB4_RA) && rcode == NOERROR &&
+ server && !(server->flags & SERV_WARNED_RECURSIVE))
+ {
+ prettyprint_addr(&server->addr, daemon->namebuff);
+@@ -654,7 +667,7 @@ static size_t process_reply(struct dns_h
+ server->flags |= SERV_WARNED_RECURSIVE;
+ }
+
+- if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
++ if (daemon->bogus_addr && rcode != NXDOMAIN &&
+ check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
+ {
+ munged = 1;
+@@ -666,7 +679,7 @@ static size_t process_reply(struct dns_h
+ {
+ int doctored = 0;
+
+- if (RCODE(header) == NXDOMAIN &&
++ if (rcode == NXDOMAIN &&
+ extract_request(header, n, daemon->namebuff, NULL) &&
+ check_for_local_domain(daemon->namebuff, now))
+ {
+@@ -1090,7 +1103,7 @@ void reply_query(int fd, int family, tim
+ if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL))
+ domain = daemon->namebuff;
+
+- log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
++ log_query(F_SECSTAT, domain, NULL, result);
+ }
+
+ if (status == STAT_SECURE)
+@@ -1948,7 +1961,7 @@ unsigned char *tcp_request(int confd, ti
+ if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL))
+ domain = daemon->namebuff;
+
+- log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
++ log_query(F_SECSTAT, domain, NULL, result);
+
+ if (status == STAT_BOGUS)
+ {
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -926,12 +926,11 @@ unsigned int extract_request(struct dns_
+ return F_QUERY;
+ }
+
+-
+ size_t setup_reply(struct dns_header *header, size_t qlen,
+ struct all_addr *addrp, unsigned int flags, unsigned long ttl)
+ {
+ unsigned char *p;
+-
++
+ if (!(p = skip_questions(header, qlen)))
+ return 0;
+
+@@ -948,7 +947,12 @@ size_t setup_reply(struct dns_header *he
+ else if (flags == F_NXDOMAIN)
+ SET_RCODE(header, NXDOMAIN);
+ else if (flags == F_SERVFAIL)
+- SET_RCODE(header, SERVFAIL);
++ {
++ struct all_addr a;
++ a.addr.rcode.rcode = SERVFAIL;
++ log_query(F_CONFIG | F_RCODE, "error", &a, NULL);
++ SET_RCODE(header, SERVFAIL);
++ }
+ else if (flags == F_IPV4)
+ { /* we know the address */
+ SET_RCODE(header, NOERROR);
+@@ -966,8 +970,13 @@ size_t setup_reply(struct dns_header *he
+ }
+ #endif
+ else /* nowhere to forward to */
+- SET_RCODE(header, REFUSED);
+-
++ {
++ struct all_addr a;
++ a.addr.rcode.rcode = REFUSED;
++ log_query(F_CONFIG | F_RCODE, "error", &a, NULL);
++ SET_RCODE(header, REFUSED);
++ }
++
+ return p - (unsigned char *)header;
+ }
+
diff --git a/package/network/services/dnsmasq/patches/0004-Add-packet-dump-debugging-facility.patch b/package/network/services/dnsmasq/patches/0004-Add-packet-dump-debugging-facility.patch
new file mode 100644
index 0000000000..af4020b50b
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0004-Add-packet-dump-debugging-facility.patch
@@ -0,0 +1,587 @@
+From 6b17335209639a56f214d011eaed4ebcde8dd276 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 8 May 2018 18:32:14 +0100
+Subject: [PATCH 04/10] Add packet-dump debugging facility.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ CHANGELOG | 6 ++
+ Makefile | 2 +-
+ bld/Android.mk | 3 +-
+ man/dnsmasq.8 | 7 ++
+ src/config.h | 16 ++++-
+ src/dnsmasq.c | 16 ++++-
+ src/dnsmasq.h | 29 +++++++-
+ src/dump.c | 210 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ src/forward.c | 37 ++++++++--
+ src/option.c | 14 ++++
+ 10 files changed, 329 insertions(+), 11 deletions(-)
+ create mode 100644 src/dump.c
+
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -17,6 +17,12 @@ version 2.80
+ Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
+ are set. Thanks to Daniel Miess for help with this.
+
++ Add a facilty to store DNS packets sent/recieved in a
++ pcap-format file for later debugging. The file location
++ is given by the --dumpfile option, and a bitmap controlling
++ which packets should be dumped is given by the --dumpmask
++ option.
++
+
+ version 2.79
+ Fix parsing of CNAME arguments, which are confused by extra spaces.
+--- a/Makefile
++++ b/Makefile
+@@ -76,7 +76,7 @@ objs = cache.o rfc1035.o util.o option.o
+ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
+ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
+ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
+- poll.o rrfilter.o edns0.o arp.o crypto.o
++ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o
+
+ hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
+ dns-protocol.h radv-protocol.h ip6addr.h
+--- a/bld/Android.mk
++++ b/bld/Android.mk
+@@ -10,7 +10,8 @@ LOCAL_SRC_FILES := bpf.c cache.c dbus.c
+ dhcp6.c rfc3315.c dhcp-common.c outpacket.c \
+ radv.c slaac.c auth.c ipset.c domain.c \
+ dnssec.c dnssec-openssl.c blockdata.c tables.c \
+- loop.c inotify.c poll.c rrfilter.c edns0.c arp.c crypto.c
++ loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \
++ crypto.c dump.c
+
+ LOCAL_MODULE := dnsmasq
+
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -647,6 +647,13 @@ V4 mapped IPv6 addresses, which have a r
+ The address range can be of the form
+ <ip address>,<ip address> or <ip address>/<netmask> in both forms of the option.
+ .TP
++.B --dumpfile=<path/to/file>
++Specify the location of a pcap-format file which dnsmasq uses to dump copies of network packets for debugging purposes. If the file exists when dnsmasq starts, it is not deleted; new packets are added to the end.
++.TP
++.B --dumpmask=<mask>
++Specify which types of packets should be added to the dumpfile. The argument should be the OR of the bitmasks for each type of packet to be dumped: it can be specified in hex by preceding the number with 0x in the normal way. Each time a packet is written to the dumpfile, dnsmasq logs the packet sequence and the mask
++representing its type. The current types are: 0x0001 - DNS queries from clients 0x0002 DNS replies to clients 0x0004 - DNS queries to upstream 0x0008 - DNS replies from upstream 0x0010 - queries send upstream for DNSSEC validation 0x0020 - replies to queries for DNSSEC validation 0x0040 - replies to client queries which fail DNSSEC validation 0x0080 replies to queries for DNSSEC validation which fail validation.
++.TP
+ .B --add-mac[=base64|text]
+ Add the MAC address of the requestor to DNS queries which are
+ forwarded upstream. This may be used to DNS filtering by the upstream
+--- a/src/config.h
++++ b/src/config.h
+@@ -117,6 +117,9 @@ HAVE_AUTH
+ HAVE_DNSSEC
+ include DNSSEC validator.
+
++HAVE_DUMPFILE
++ include code to dump packets to a libpcap-format file for debugging.
++
+ HAVE_LOOP
+ include functionality to probe for and remove DNS forwarding loops.
+
+@@ -132,6 +135,7 @@ NO_DHCP6
+ NO_SCRIPT
+ NO_LARGEFILE
+ NO_AUTH
++NO_DUMPFILE
+ NO_INOTIFY
+ these are available to explicitly disable compile time options which would
+ otherwise be enabled automatically (HAVE_IPV6, >2Gb file sizes) or
+@@ -164,6 +168,7 @@ RESOLVFILE
+ #define HAVE_AUTH
+ #define HAVE_IPSET
+ #define HAVE_LOOP
++#define HAVE_DUMPFILE
+
+ /* Build options which require external libraries.
+
+@@ -363,6 +368,10 @@ HAVE_SOCKADDR_SA_LEN
+ #undef HAVE_LOOP
+ #endif
+
++#ifdef NO_DUMPFILE
++#undef HAVE_DUMPFILE
++#endif
++
+ #if defined (HAVE_LINUX_NETWORK) && !defined(NO_INOTIFY)
+ #define HAVE_INOTIFY
+ #endif
+@@ -451,8 +460,11 @@ static char *compile_opts =
+ #ifndef HAVE_INOTIFY
+ "no-"
+ #endif
+-"inotify";
+-
++"inotify "
++#ifndef HAVE_DUMPFILE
++"no-"
++#endif
++"dumpfile";
+
+ #endif
+
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -366,7 +366,16 @@ int main (int argc, char **argv)
+ else
+ daemon->inotifyfd = -1;
+ #endif
+-
++
++ if (daemon->dump_file)
++#ifdef HAVE_DUMPFILE
++ dump_init();
++ else
++ daemon->dumpfd = -1;
++#else
++ die(_("Packet dumps not available: set HAVE_DUMP in src/config.h"), NULL, EC_BADCONF);
++#endif
++
+ if (option_bool(OPT_DBUS))
+ #ifdef HAVE_DBUS
+ {
+@@ -1424,6 +1433,11 @@ static void async_event(int pipe, time_t
+
+ if (daemon->runfile)
+ unlink(daemon->runfile);
++
++#ifdef HAVE_DUMPFILE
++ if (daemon->dumpfd != -1)
++ close(daemon->dumpfd);
++#endif
+
+ my_syslog(LOG_INFO, _("exiting on receipt of SIGTERM"));
+ flush_log();
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -119,6 +119,9 @@ typedef unsigned long long u64;
+ #include <net/if_arp.h>
+ #include <netinet/in_systm.h>
+ #include <netinet/ip.h>
++#ifdef HAVE_IPV6
++#include <netinet/ip6.h>
++#endif
+ #include <netinet/ip_icmp.h>
+ #include <sys/uio.h>
+ #include <syslog.h>
+@@ -598,6 +601,16 @@ struct hostsfile {
+ unsigned int index; /* matches to cache entries for logging */
+ };
+
++/* packet-dump flags */
++#define DUMP_QUERY 0x0001
++#define DUMP_REPLY 0x0002
++#define DUMP_UP_QUERY 0x0004
++#define DUMP_UP_REPLY 0x0008
++#define DUMP_SEC_QUERY 0x0010
++#define DUMP_SEC_REPLY 0x0020
++#define DUMP_BOGUS 0x0040
++#define DUMP_SEC_BOGUS 0x0080
++
+
+ /* DNSSEC status values. */
+ #define STAT_SECURE 1
+@@ -1020,14 +1033,14 @@ extern struct daemon {
+ unsigned int duid_enterprise, duid_config_len;
+ unsigned char *duid_config;
+ char *dbus_name;
++ char *dump_file;
++ int dump_mask;
+ unsigned long soa_sn, soa_refresh, soa_retry, soa_expiry;
+ #ifdef OPTION6_PREFIX_CLASS
+ struct prefix_class *prefix_classes;
+ #endif
+ #ifdef HAVE_DNSSEC
+ struct ds_config *ds;
+- int dnssec_no_time_check;
+- int back_to_the_future;
+ char *timestamp_file;
+ #endif
+
+@@ -1040,6 +1053,8 @@ extern struct daemon {
+ char *workspacename; /* ditto */
+ char *rr_status; /* flags for individual RRs */
+ int rr_status_sz;
++ int dnssec_no_time_check;
++ int back_to_the_future;
+ #endif
+ unsigned int local_answer, queries_forwarded, auth_answer;
+ struct frec *frec_list;
+@@ -1094,6 +1109,10 @@ extern struct daemon {
+ char *addrbuff;
+ char *addrbuff2; /* only allocated when OPT_EXTRALOG */
+
++#ifdef HAVE_DUMPFILE
++ /* file for packet dumps. */
++ int dumpfd;
++#endif
+ } *daemon;
+
+ /* cache.c */
+@@ -1588,3 +1607,9 @@ int check_source(struct dns_header *head
+ /* arp.c */
+ int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now);
+ int do_arp_script_run(void);
++
++/* dump.c */
++#ifdef HAVE_DUMPFILE
++void dump_init(void);
++void dump_packet(int mask, void *packet, size_t len, union mysockaddr *src, union mysockaddr *dst);
++#endif
+--- /dev/null
++++ b/src/dump.c
+@@ -0,0 +1,210 @@
++/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; version 2 dated June, 1991, or
++ (at your option) version 3 dated 29 June, 2007.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include "dnsmasq.h"
++
++#ifdef HAVE_DUMPFILE
++
++static u32 packet_count;
++
++/* https://wiki.wireshark.org/Development/LibpcapFileFormat */
++struct pcap_hdr_s {
++ u32 magic_number; /* magic number */
++ u16 version_major; /* major version number */
++ u16 version_minor; /* minor version number */
++ u32 thiszone; /* GMT to local correction */
++ u32 sigfigs; /* accuracy of timestamps */
++ u32 snaplen; /* max length of captured packets, in octets */
++ u32 network; /* data link type */
++};
++
++struct pcaprec_hdr_s {
++ u32 ts_sec; /* timestamp seconds */
++ u32 ts_usec; /* timestamp microseconds */
++ u32 incl_len; /* number of octets of packet saved in file */
++ u32 orig_len; /* actual length of packet */
++};
++
++
++void dump_init(void)
++{
++ struct stat buf;
++ struct pcap_hdr_s header;
++ struct pcaprec_hdr_s pcap_header;
++
++ packet_count = 0;
++
++ if (stat(daemon->dump_file, &buf) == -1)
++ {
++ /* doesn't exist, create and add header */
++ header.magic_number = 0xa1b2c3d4;
++ header.version_major = 2;
++ header.version_minor = 4;
++ header.thiszone = 0;
++ header.sigfigs = 0;
++ header.snaplen = daemon->edns_pktsz + 200; /* slop for IP/UDP headers */
++ header.network = 101; /* DLT_RAW http://www.tcpdump.org/linktypes.html */
++
++ if (errno != ENOENT ||
++ (daemon->dumpfd = creat(daemon->dump_file, S_IRUSR | S_IWUSR)) == -1 ||
++ !read_write(daemon->dumpfd, (void *)&header, sizeof(header), 0))
++ die(_("cannot create %s: %s"), daemon->dump_file, EC_FILE);
++ }
++ else if ((daemon->dumpfd = open(daemon->dump_file, O_APPEND | O_RDWR)) == -1 ||
++ !read_write(daemon->dumpfd, (void *)&header, sizeof(header), 1) ||
++ header.magic_number != 0xa1b2c3d4)
++ die(_("cannot access %s: %s"), daemon->dump_file, EC_FILE);
++ else
++ {
++ /* count existing records */
++ while (read_write(daemon->dumpfd, (void *)&pcap_header, sizeof(pcap_header), 1))
++ {
++ lseek(daemon->dumpfd, pcap_header.incl_len, SEEK_CUR);
++ packet_count++;
++ }
++ }
++}
++
++void dump_packet(int mask, void *packet, size_t len, union mysockaddr *src, union mysockaddr *dst)
++{
++ struct ip ip;
++#ifdef HAVE_IPV6
++ struct ip6_hdr ip6;
++ int family;
++#endif
++ struct udphdr {
++ u16 uh_sport; /* source port */
++ u16 uh_dport; /* destination port */
++ u16 uh_ulen; /* udp length */
++ u16 uh_sum; /* udp checksum */
++ } udp;
++ struct pcaprec_hdr_s pcap_header;
++ struct timeval time;
++ u32 i, sum;
++ void *iphdr;
++ size_t ipsz;
++ int rc;
++
++ if (daemon->dumpfd == -1 || !(mask & daemon->dump_mask))
++ return;
++
++ /* So wireshark can Id the packet. */
++ udp.uh_sport = udp.uh_dport = htons(NAMESERVER_PORT);
++
++#ifdef HAVE_IPV6
++ if (src)
++ family = src->sa.sa_family;
++ else
++ family = dst->sa.sa_family;
++
++ if (family == AF_INET6)
++ {
++ iphdr = &ip6;
++ ipsz = sizeof(ip6);
++ memset(&ip6, 0, sizeof(ip6));
++
++ ip6.ip6_vfc = 6 << 4;
++ ip6.ip6_plen = htons(sizeof(struct udphdr) + len);
++ ip6.ip6_nxt = IPPROTO_UDP;
++ ip6.ip6_hops = 64;
++
++ if (src)
++ {
++ memcpy(&ip6.ip6_src, &src->in6.sin6_addr, IN6ADDRSZ);
++ udp.uh_sport = src->in6.sin6_port;
++ }
++
++ if (dst)
++ {
++ memcpy(&ip6.ip6_dst, &dst->in6.sin6_addr, IN6ADDRSZ);
++ udp.uh_dport = dst->in6.sin6_port;
++ }
++
++ /* start UDP checksum */
++ for (sum = 0, i = 0; i < IN6ADDRSZ; i++)
++ sum += ((u16 *)&ip6.ip6_src)[i];
++ }
++ else
++#endif
++ {
++ iphdr = &ip;
++ ipsz = sizeof(ip);
++ memset(&ip, 0, sizeof(ip));
++
++ ip.ip_v = IPVERSION;
++ ip.ip_hl = sizeof(struct ip) / 4;
++ ip.ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) + len);
++ ip.ip_ttl = IPDEFTTL;
++ ip.ip_p = IPPROTO_UDP;
++
++ if (src)
++ {
++ ip.ip_src = src->in.sin_addr;
++ udp.uh_sport = src->in.sin_port;
++ }
++
++ if (dst)
++ {
++ ip.ip_dst = dst->in.sin_addr;
++ udp.uh_dport = dst->in.sin_port;
++ }
++
++ ip.ip_sum = 0;
++ for (sum = 0, i = 0; i < sizeof(struct ip) / 2; i++)
++ sum += ((u16 *)&ip)[i];
++ while (sum >> 16)
++ sum = (sum & 0xffff) + (sum >> 16);
++ ip.ip_sum = (sum == 0xffff) ? sum : ~sum;
++
++ /* start UDP checksum */
++ sum = ip.ip_src.s_addr & 0xffff;
++ sum += (ip.ip_src.s_addr >> 16) & 0xffff;
++ sum += ip.ip_dst.s_addr & 0xffff;
++ sum += (ip.ip_dst.s_addr >> 16) & 0xffff;
++ }
++
++ if (len & 1)
++ ((unsigned char *)packet)[len] = 0; /* for checksum, in case length is odd. */
++
++ udp.uh_sum = 0;
++ udp.uh_ulen = htons(sizeof(struct udphdr) + len);
++ sum += htons(IPPROTO_UDP);
++ sum += htons(sizeof(struct udphdr) + len);
++ for (i = 0; i < sizeof(struct udphdr)/2; i++)
++ sum += ((u16 *)&udp)[i];
++ for (i = 0; i < (len + 1) / 2; i++)
++ sum += ((u16 *)packet)[i];
++ while (sum >> 16)
++ sum = (sum & 0xffff) + (sum >> 16);
++ udp.uh_sum = (sum == 0xffff) ? sum : ~sum;
++
++ rc = gettimeofday(&time, NULL);
++ pcap_header.ts_sec = time.tv_sec;
++ pcap_header.ts_usec = time.tv_usec;
++ pcap_header.incl_len = pcap_header.orig_len = ipsz + sizeof(udp) + len;
++
++ if (rc == -1 ||
++ !read_write(daemon->dumpfd, (void *)&pcap_header, sizeof(pcap_header), 0) ||
++ !read_write(daemon->dumpfd, iphdr, ipsz, 0) ||
++ !read_write(daemon->dumpfd, (void *)&udp, sizeof(udp), 0) ||
++ !read_write(daemon->dumpfd, (void *)packet, len, 0))
++ my_syslog(LOG_ERR, _("failed to write packet dump"));
++ else
++ my_syslog(LOG_INFO, _("dumping UDP packet %u mask 0x%04x"), ++packet_count, mask);
++
++}
++
++#endif
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -508,6 +508,10 @@ static int forward_query(int udpfd, unio
+
+ if (errno == 0)
+ {
++#ifdef HAVE_DUMPFILE
++ dump_packet(DUMP_UP_QUERY, (void *)header, plen, NULL, &start->addr);
++#endif
++
+ /* Keep info in case we want to re-send this packet */
+ daemon->srv_save = start;
+ daemon->packet_len = plen;
+@@ -769,7 +773,7 @@ void reply_query(int fd, int family, tim
+ #endif
+
+ header = (struct dns_header *)daemon->packet;
+-
++
+ if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR))
+ return;
+
+@@ -796,6 +800,12 @@ void reply_query(int fd, int family, tim
+ if (!(forward = lookup_frec(ntohs(header->id), hash)))
+ return;
+
++#ifdef HAVE_DUMPFILE
++ dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_REPLY : DUMP_UP_REPLY,
++ (void *)header, n, &serveraddr, NULL);
++#endif
++
++
+ /* log_query gets called indirectly all over the place, so
+ pass these in global variables - sorry. */
+ daemon->log_display_id = forward->log_id;
+@@ -934,6 +944,11 @@ void reply_query(int fd, int family, tim
+ status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class,
+ !option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC),
+ NULL, NULL);
++#ifdef HAVE_DUMPFILE
++ if (status == STAT_BOGUS)
++ dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_BOGUS : DUMP_BOGUS,
++ header, (size_t)n, &serveraddr, NULL);
++#endif
+ }
+
+ /* Can't validate, as we're missing key data. Put this
+@@ -1060,6 +1075,11 @@ void reply_query(int fd, int family, tim
+ setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
+ }
+ #endif
++
++#ifdef HAVE_DUMPFILE
++ dump_packet(DUMP_SEC_QUERY, (void *)header, (size_t)nn, NULL, &server->addr);
++#endif
++
+ while (retry_send(sendto(fd, (char *)header, nn, 0,
+ &server->addr.sa,
+ sa_len(&server->addr))));
+@@ -1114,8 +1134,8 @@ void reply_query(int fd, int family, tim
+ bogusanswer = 1;
+ }
+ }
+-#endif
+-
++#endif
++
+ /* restore CD bit to the value in the query */
+ if (forward->flags & FREC_CHECKING_DISABLED)
+ header->hb4 |= HB4_CD;
+@@ -1141,6 +1161,11 @@ void reply_query(int fd, int family, tim
+ nn = resize_packet(header, nn, NULL, 0);
+ }
+ #endif
++
++#ifdef HAVE_DUMPFILE
++ dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &forward->source);
++#endif
++
+ send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
+ &forward->source, &forward->dest, forward->iface);
+ }
+@@ -1394,7 +1419,11 @@ void receive_query(struct listener *list
+ pass these in global variables - sorry. */
+ daemon->log_display_id = ++daemon->log_id;
+ daemon->log_source_addr = &source_addr;
+-
++
++#ifdef HAVE_DUMPFILE
++ dump_packet(DUMP_QUERY, daemon->packet, (size_t)n, &source_addr, NULL);
++#endif
++
+ if (extract_request(header, (size_t)n, daemon->namebuff, &type))
+ {
+ #ifdef HAVE_AUTH
+--- a/src/option.c
++++ b/src/option.c
+@@ -161,6 +161,8 @@ struct myoption {
+ #define LOPT_TFTP_MTU 349
+ #define LOPT_REPLY_DELAY 350
+ #define LOPT_RAPID_COMMIT 351
++#define LOPT_DUMPFILE 352
++#define LOPT_DUMPMASK 353
+
+ #ifdef HAVE_GETOPT_LONG
+ static const struct option opts[] =
+@@ -327,6 +329,8 @@ static const struct myoption opts[] =
+ { "dhcp-ttl", 1, 0 , LOPT_DHCPTTL },
+ { "dhcp-reply-delay", 1, 0, LOPT_REPLY_DELAY },
+ { "dhcp-rapid-commit", 0, 0, LOPT_RAPID_COMMIT },
++ { "dumpfile", 1, 0, LOPT_DUMPFILE },
++ { "dumpmask", 1, 0, LOPT_DUMPMASK },
+ { NULL, 0, 0, 0 }
+ };
+
+@@ -500,6 +504,8 @@ static struct {
+ { LOPT_DHCPTTL, ARG_ONE, "<ttl>", gettext_noop("Set TTL in DNS responses with DHCP-derived addresses."), NULL },
+ { LOPT_REPLY_DELAY, ARG_ONE, "<integer>", gettext_noop("Delay DHCP replies for at least number of seconds."), NULL },
+ { LOPT_RAPID_COMMIT, OPT_RAPID_COMMIT, NULL, gettext_noop("Enables DHCPv4 Rapid Commit option."), NULL },
++ { LOPT_DUMPFILE, ARG_ONE, "<path>", gettext_noop("Path to debug packet dump file"), NULL },
++ { LOPT_DUMPMASK, ARG_ONE, "<hex>", gettext_noop("Mask which packets to dump"), NULL },
+ { 0, 0, NULL, NULL, NULL }
+ };
+
+@@ -1811,6 +1817,14 @@ static int one_opt(int option, char *arg
+ ret_err(_("bad MX target"));
+ break;
+
++ case LOPT_DUMPFILE: /* --dumpfile */
++ daemon->dump_file = opt_string_alloc(arg);
++ break;
++
++ case LOPT_DUMPMASK: /* --dumpmask */
++ daemon->dump_mask = strtol(arg, NULL, 0);
++ break;
++
+ #ifdef HAVE_DHCP
+ case 'l': /* --dhcp-leasefile */
+ daemon->lease_file = opt_string_alloc(arg);
diff --git a/package/network/services/dnsmasq/patches/0005-Retry-query-to-other-servers-on-receipt-of-SERVFAIL-.patch b/package/network/services/dnsmasq/patches/0005-Retry-query-to-other-servers-on-receipt-of-SERVFAIL-.patch
new file mode 100644
index 0000000000..d21f9d4320
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0005-Retry-query-to-other-servers-on-receipt-of-SERVFAIL-.patch
@@ -0,0 +1,22 @@
+From 34e26e14c5e0fb2d5f05f67858319c9db2058333 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 10 May 2018 20:54:57 +0100
+Subject: [PATCH 05/10] Retry query to other servers on receipt of SERVFAIL
+ rcode.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/forward.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -817,7 +817,7 @@ void reply_query(int fd, int family, tim
+
+ /* Note: if we send extra options in the EDNS0 header, we can't recreate
+ the query from the reply. */
+- if (RCODE(header) == REFUSED &&
++ if ((RCODE(header) == REFUSED || RCODE(header) == SERVFAIL) &&
+ forward->forwardall == 0 &&
+ !(forward->flags & FREC_HAS_EXTRADATA))
+ /* for broken servers, attempt to send to another one. */
diff --git a/package/network/services/dnsmasq/patches/0006-Handle-query-retry-on-REFUSED-or-SERVFAIL-for-DNSSEC.patch b/package/network/services/dnsmasq/patches/0006-Handle-query-retry-on-REFUSED-or-SERVFAIL-for-DNSSEC.patch
new file mode 100644
index 0000000000..b4681af4ff
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0006-Handle-query-retry-on-REFUSED-or-SERVFAIL-for-DNSSEC.patch
@@ -0,0 +1,87 @@
+From a0088e83640d7d1544127dd668660462e9f78e52 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 10 May 2018 21:43:14 +0100
+Subject: [PATCH 06/10] Handle query retry on REFUSED or SERVFAIL for
+ DNSSEC-generated queries.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/forward.c | 46 ++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 40 insertions(+), 6 deletions(-)
+
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -298,9 +298,9 @@ static int forward_query(int udpfd, unio
+ fd = forward->rfd4->fd;
+ }
+
+- while (retry_send( sendto(fd, (char *)header, plen, 0,
+- &forward->sentto->addr.sa,
+- sa_len(&forward->sentto->addr))));
++ while (retry_send(sendto(fd, (char *)header, plen, 0,
++ &forward->sentto->addr.sa,
++ sa_len(&forward->sentto->addr))));
+
+ return 1;
+ }
+@@ -804,8 +804,7 @@ void reply_query(int fd, int family, tim
+ dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_REPLY : DUMP_UP_REPLY,
+ (void *)header, n, &serveraddr, NULL);
+ #endif
+-
+-
++
+ /* log_query gets called indirectly all over the place, so
+ pass these in global variables - sorry. */
+ daemon->log_display_id = forward->log_id;
+@@ -826,6 +825,40 @@ void reply_query(int fd, int family, tim
+ size_t plen;
+ int is_sign;
+
++ /* For DNSSEC originated queries, just retry the query to the same server. */
++ if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
++ {
++ blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
++ plen = forward->stash_len;
++
++ forward->forwardall = 2; /* only retry once */
++
++ if (forward->sentto->addr.sa.sa_family == AF_INET)
++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
++#ifdef HAVE_IPV6
++ else
++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
++#endif
++
++ if (forward->sentto->sfd)
++ fd = forward->sentto->sfd->fd;
++ else
++ {
++#ifdef HAVE_IPV6
++ if (forward->sentto->addr.sa.sa_family == AF_INET6)
++ fd = forward->rfd6->fd;
++ else
++#endif
++ fd = forward->rfd4->fd;
++ }
++
++ while (retry_send(sendto(fd, (char *)header, plen, 0,
++ &forward->sentto->addr.sa,
++ sa_len(&forward->sentto->addr))));
++
++ return;
++ }
++
+ /* In strict order mode, there must be a server later in the chain
+ left to send to, otherwise without the forwardall mechanism,
+ code further on will cycle around the list forwever if they
+@@ -1017,7 +1050,8 @@ void reply_query(int fd, int family, tim
+ #ifdef HAVE_IPV6
+ new->rfd6 = NULL;
+ #endif
+- new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY);
++ new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA);
++ new->forwardall = 0;
+
+ new->dependent = forward; /* to find query awaiting new one. */
+ forward->blocking_query = new; /* for garbage cleaning */
diff --git a/package/network/services/dnsmasq/patches/0007-Retry-SERVFAIL-DNSSEC-queries-to-a-different-server-.patch b/package/network/services/dnsmasq/patches/0007-Retry-SERVFAIL-DNSSEC-queries-to-a-different-server-.patch
new file mode 100644
index 0000000000..5756717340
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0007-Retry-SERVFAIL-DNSSEC-queries-to-a-different-server-.patch
@@ -0,0 +1,100 @@
+From 1f60a18ea1c64beb8b6cffa0650a2bfad95ac352 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 11 May 2018 16:44:16 +0100
+Subject: [PATCH 07/10] Retry SERVFAIL DNSSEC queries to a different server, if
+ possible.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/forward.c | 53 ++++++++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 42 insertions(+), 11 deletions(-)
+
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -825,9 +825,12 @@ void reply_query(int fd, int family, tim
+ size_t plen;
+ int is_sign;
+
++#ifdef HAVE_DNSSEC
+ /* For DNSSEC originated queries, just retry the query to the same server. */
+ if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
+ {
++ struct server *start;
++
+ blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
+ plen = forward->stash_len;
+
+@@ -839,26 +842,54 @@ void reply_query(int fd, int family, tim
+ else
+ log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
+ #endif
+-
+- if (forward->sentto->sfd)
+- fd = forward->sentto->sfd->fd;
++
++ start = forward->sentto;
++
++ /* for non-domain specific servers, see if we can find another to try. */
++ if ((forward->sentto->flags & SERV_TYPE) == 0)
++ while (1)
++ {
++ if (!(start = start->next))
++ start = daemon->servers;
++ if (start == forward->sentto)
++ break;
++
++ if ((start->flags & SERV_TYPE) == 0 &&
++ (start->flags & SERV_DO_DNSSEC))
++ break;
++ }
++
++
++ if (start->sfd)
++ fd = start->sfd->fd;
+ else
+ {
+ #ifdef HAVE_IPV6
+- if (forward->sentto->addr.sa.sa_family == AF_INET6)
+- fd = forward->rfd6->fd;
++ if (start->addr.sa.sa_family == AF_INET6)
++ {
++ /* may have changed family */
++ if (!forward->rfd6)
++ forward->rfd6 = allocate_rfd(AF_INET6);
++ fd = forward->rfd6->fd;
++ }
+ else
+ #endif
+- fd = forward->rfd4->fd;
++ {
++ /* may have changed family */
++ if (!forward->rfd4)
++ forward->rfd4 = allocate_rfd(AF_INET);
++ fd = forward->rfd4->fd;
++ }
+ }
+-
++
+ while (retry_send(sendto(fd, (char *)header, plen, 0,
+- &forward->sentto->addr.sa,
+- sa_len(&forward->sentto->addr))));
++ &start->addr.sa,
++ sa_len(&start->addr))));
+
+ return;
+ }
+-
++#endif
++
+ /* In strict order mode, there must be a server later in the chain
+ left to send to, otherwise without the forwardall mechanism,
+ code further on will cycle around the list forwever if they
+@@ -1024,7 +1055,7 @@ void reply_query(int fd, int family, tim
+ while (1)
+ {
+ if (type == (start->flags & (SERV_TYPE | SERV_DO_DNSSEC)) &&
+- (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
++ ((type & SERV_TYPE) != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
+ !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
+ {
+ new_server = start;
diff --git a/package/network/services/dnsmasq/patches/0008-Fix-logging-in-previous.patch b/package/network/services/dnsmasq/patches/0008-Fix-logging-in-previous.patch
new file mode 100644
index 0000000000..d5735a25d5
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0008-Fix-logging-in-previous.patch
@@ -0,0 +1,41 @@
+From e27825b0ef1e79ab05b1752c8c838cb43ad39d79 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 11 May 2018 17:20:47 +0100
+Subject: [PATCH 08/10] Fix logging in previous.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/forward.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -835,14 +835,6 @@ void reply_query(int fd, int family, tim
+ plen = forward->stash_len;
+
+ forward->forwardall = 2; /* only retry once */
+-
+- if (forward->sentto->addr.sa.sa_family == AF_INET)
+- log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
+-#ifdef HAVE_IPV6
+- else
+- log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
+-#endif
+-
+ start = forward->sentto;
+
+ /* for non-domain specific servers, see if we can find another to try. */
+@@ -886,6 +878,13 @@ void reply_query(int fd, int family, tim
+ &start->addr.sa,
+ sa_len(&start->addr))));
+
++ if (start->addr.sa.sa_family == AF_INET)
++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&start->addr.in.sin_addr, "dnssec");
++#ifdef HAVE_IPV6
++ else
++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&start->addr.in6.sin6_addr, "dnssec");
++#endif
++
+ return;
+ }
+ #endif
diff --git a/package/network/services/dnsmasq/patches/0009-Do-unsolicited-RAs-for-interfaces-which-appear-after.patch b/package/network/services/dnsmasq/patches/0009-Do-unsolicited-RAs-for-interfaces-which-appear-after.patch
new file mode 100644
index 0000000000..0aaec7edf4
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0009-Do-unsolicited-RAs-for-interfaces-which-appear-after.patch
@@ -0,0 +1,44 @@
+From 0a496f059c1e9d75c33cce4c1211d58422ba4f62 Mon Sep 17 00:00:00 2001
+From: Maarten de Vries <maarten+dnsmasq@m.de-vri.es>
+Date: Fri, 11 May 2018 23:20:58 +0100
+Subject: [PATCH 09/10] Do unsolicited RAs for interfaces which appear after
+ dnsmasq startup.
+
+I noticed that dnsmasq often wasn't sending any unsolicited RAs for me.
+
+This turned out to happen when the interface (a bridge interface) wasn't
+created yet at the time dnsmasq started. When dnsmasq is started after
+the interface is created, it sends RAs as expected. I assume this also
+extends to other types of virtual interfaces that are created after
+dnsmasq starts.
+
+Digging into the source, it seems to be caused by a missing call to
+ra_start_unsolicited for non-template contexts in construct_worker from
+src/dhcp6.c. The attached patch adds that call, but only if the
+interface index or address changed to prevent doing fast RAs for no reason.
+
+I tested it on my own server and it appears to work as expected. When
+the interface is created and configured, dnsmasq does fast RAs for a
+while and then settles into slow RAs.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/dhcp6.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -647,6 +647,13 @@ static int construct_worker(struct in6_a
+ is_same_net6(local, &template->start6, template->prefix) &&
+ is_same_net6(local, &template->end6, template->prefix))
+ {
++ /* First time found, do fast RA. */
++ if (template->if_index != if_index || !IN6_ARE_ADDR_EQUAL(&template->local6, local))
++ {
++ ra_start_unsolicited(param->now, template);
++ param->newone = 1;
++ }
++
+ template->if_index = if_index;
+ template->local6 = *local;
+ }
diff --git a/package/network/services/dnsmasq/patches/0010-Log-warning-on-very-large-cachesize-config-instead-o.patch b/package/network/services/dnsmasq/patches/0010-Log-warning-on-very-large-cachesize-config-instead-o.patch
new file mode 100644
index 0000000000..98df4520a2
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0010-Log-warning-on-very-large-cachesize-config-instead-o.patch
@@ -0,0 +1,38 @@
+From 1f1873aadd092a0fab505dd278a484d887ba0ec3 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 11 May 2018 23:38:23 +0100
+Subject: [PATCH 10/10] Log warning on very large cachesize config, instead of
+ truncating it.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/dnsmasq.c | 6 +++++-
+ src/option.c | 2 --
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -740,7 +740,11 @@ int main (int argc, char **argv)
+ else
+ {
+ if (daemon->cachesize != 0)
+- my_syslog(LOG_INFO, _("started, version %s cachesize %d"), VERSION, daemon->cachesize);
++ {
++ my_syslog(LOG_INFO, _("started, version %s cachesize %d"), VERSION, daemon->cachesize);
++ if (daemon->cachesize > 10000)
++ my_syslog(LOG_WARNING, _("cache size greater than 10000 may cause performance issues, and is unlikely to be useful."));
++ }
+ else
+ my_syslog(LOG_INFO, _("started, version %s cache disabled"), VERSION);
+
+--- a/src/option.c
++++ b/src/option.c
+@@ -2603,8 +2603,6 @@ static int one_opt(int option, char *arg
+
+ if (size < 0)
+ size = 0;
+- else if (size > 10000)
+- size = 10000;
+
+ daemon->cachesize = size;
+ }
diff --git a/package/network/services/dnsmasq/patches/240-ubus.patch b/package/network/services/dnsmasq/patches/240-ubus.patch
index 415c7a5e4c..5e44f5b61a 100644
--- a/package/network/services/dnsmasq/patches/240-ubus.patch
+++ b/package/network/services/dnsmasq/patches/240-ubus.patch
@@ -74,7 +74,7 @@
int main (int argc, char **argv)
{
int bind_fallback = 0;
-@@ -928,6 +988,7 @@ int main (int argc, char **argv)
+@@ -944,6 +1004,7 @@ int main (int argc, char **argv)
set_dbus_listeners();
#endif
@@ -82,7 +82,7 @@
#ifdef HAVE_DHCP
if (daemon->dhcp || daemon->relay4)
{
-@@ -1058,6 +1119,8 @@ int main (int argc, char **argv)
+@@ -1074,6 +1135,8 @@ int main (int argc, char **argv)
check_dbus_listeners();
#endif
@@ -104,7 +104,7 @@
mostly_clean :
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
-@@ -1415,6 +1415,8 @@ void emit_dbus_signal(int action, struct
+@@ -1440,6 +1440,8 @@ void emit_dbus_signal(int action, struct
# endif
#endif
@@ -115,7 +115,7 @@
void ipset_init(void);
--- a/src/rfc2131.c
+++ b/src/rfc2131.c
-@@ -1621,6 +1621,10 @@ static void log_packet(char *type, void
+@@ -1636,6 +1636,10 @@ static void log_packet(char *type, void
daemon->namebuff,
string ? string : "",
err ? err : "");