aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services/dnsmasq/Makefile
Commit message (Collapse)AuthorAgeFilesLines
* dnsmasq: Bump to v2.84Kevin Darbyshire-Bryant2021-02-081-3/+3
| | | | | | | | | | dnsmasq v2.84rc2 has been promoted to release. No functional difference between v2.83test3 and v2.84/v2.84rc2 Backport 2 patches to fix the version reporting Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: switch to ubus-based hotplug callDaniel Golle2021-02-081-2/+1
| | | | | | | | Use new ubus-based hotplug call in dhcp-script.sh As sysntpd now makes use of the new ubus-based hotplug calls, dnsmasq no longer needs to ship ACL to cover ntpd-hotplug. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* dnsmasq: Update to 2.84test3Kevin Darbyshire-Bryant2021-01-241-3/+3
| | | | | | | | | | | | | | | dnsmasq v2.83 has a bug in handling duplicate queries which means it may try to reply using the incorrect network socket. This is especially noticeable in dual stack environments where replies may be mis-directed to IPv4 addresses on an IPv6 socket or IPv6 addresses on an IPv4 socket. This results in system log spam such as: dnsmasq[16020]: failed to send packet: Network unreachable dnsmasq[16020]: failed to send packet: Address family not supported by protocol dnsmasq v2.84test3 resolves these issues. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: Update to version 2.83Hauke Mehrtens2021-01-191-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following security problems in dnsmasq: * CVE-2020-25681: Dnsmasq versions before 2.83 is susceptible to a heap-based buffer overflow in sort_rrset() when DNSSEC is used. This can allow a remote attacker to write arbitrary data into target device's memory that can lead to memory corruption and other unexpected behaviors on the target device. * CVE-2020-25682: Dnsmasq versions before 2.83 is susceptible to buffer overflow in extract_name() function due to missing length check, when DNSSEC is enabled. This can allow a remote attacker to cause memory corruption on the target device. * CVE-2020-25683: Dnsmasq version before 2.83 is susceptible to a heap-based buffer overflow when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap- allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in Dnsmasq, resulting in a Denial of Service. * CVE-2020-25684: A lack of proper address/port check implemented in Dnsmasq version < 2.83 reply_query function makes forging replies easier to an off-path attacker. * CVE-2020-25685: A lack of query resource name (RRNAME) checks implemented in Dnsmasq's versions before 2.83 reply_query function allows remote attackers to spoof DNS traffic that can lead to DNS cache poisoning. * CVE-2020-25686: Multiple DNS query requests for the same resource name (RRNAME) by Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS traffic, using a birthday attack (RFC 5452), that can lead to DNS cache poisoning. * CVE-2020-25687: Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of Service. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* dnsmasq: 'ipset' config sectionsAleksandr Mezin2020-11-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | Allow configuring ipsets with dedicated config sections: config ipset list name 'ss_rules_dst_forward' list name 'ss_rules6_dst_forward' list domain 't.me' list domain 'telegram.org' instead of current, rather inconvenient syntax: config dnsmasq ... list ipset '/t.me/telegram.org/ss_rules_dst_forward,ss_rules6_dst_forward' Current syntax will still continue to work though. With this change, a LuCI GUI for DNS ipsets should be easy to implement. Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* dnsmasq: explictly set ednspacket_max valueJan Pavlinec2020-11-091-1/+1
| | | | | | | This is related to DNS Flag Day 2020. It sets default ends buffer size value to 1232. Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
* dnsmasq: install /etc/hotplug.d/ntp/25-dnsmasqsec world-readableDaniel Golle2020-10-281-2/+2
| | | | | | | | /etc/hotplug.d/ntp/25-dnsmasqsec is being sourced by /sbin/hotplug-call running as ntpd user. For that to work the file needs to be readable by that user. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* dnsmasq: adapt to non-root ntpdDaniel Golle2020-10-251-1/+2
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* dnsmasq: fix handling ignore condition for dnssecYousong Zhou2020-09-251-1/+1
| | | | | | | | | | It should return false to indicate that the option should not be ignored Fixes 064dc1e8 ("dnsmasq: abort when dnssec requested but not available") Reported-by: Sami Olmari <sami@olmari.fi> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* dnsmasq: support tftp_unique_root in /etc/config/dhcpW. Michael Petullo2020-09-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | The TFTP server provided by dnsmasq supports serving a select boot image based on the client's MAC or IP address. This allows an administrator to activate this feature in /etc/config/dhcp. Here is an example /etc/config/dhcp that configures dnsmasq with --tftp-unique-root=mac: ... config dnsmasq option enable_tftp 1 option tftp_root /usr/libexec/tftpboot option tftp_unique_root mac config boot router option serveraddress 192.168.1.1 option servername tftp.example.com option filename openwrt-initramfs-kernel.bin ... With this configuration, dnsmasq will serve /usr/libexec/tftpboot/00-11-22-33-44-55/openwrt-initramfs-kernel.bin to the client with MAC address 00:11:22:33:44:55. Signed-off-by: W. Michael Petullo <mike@flyn.org>
* dnsmasq: abort when dnssec requested but not availableYousong Zhou2020-08-071-1/+1
| | | | | | | | | | | | | | | | | | | | | | Before this commit, if uci option "dnssec" was set, we pass "--dnssec" and friends to dnsmasq, let it start and decide whether to quit and whether to emit message for diagnosis # dnsmasq --dnssec; echo $? dnsmasq: DNSSEC not available: set HAVE_DNSSEC in src/config.h 1 DNSSEC as a feature is different from others like dhcp, tftp in that it's a security feature. Better be explicit. With this change committed, we make it so by not allowing it in the first in the initscript, should dnsmasq later decides to not quit (not likely) or quit without above explicit error (unlikely but less so ;) So this is just being proactive. on/off choices with uci option "dnssec" are still available like before Link: https://github.com/openwrt/openwrt/pull/3265#issuecomment-667795302 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* dnsmasq: bump to 2.82Kevin Darbyshire-Bryant2020-07-201-2/+2
| | | | | | | | | This fixes a nasty problem introduced in 2.81 which causes random crashes on systems where there's significant DNS activity over TCP. It also fixes DNSSEC validation problems with zero-TTL DNSKEY and DS records. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: add /etc/dnsmasq.d/ to conffilesSven Roederer2020-06-031-1/+2
| | | | | | This directory can hold configuration-snippets which should also included in the backup. Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* dnsmasq: hotplug script tidyupKevin Darbyshire-Bryant2020-05-101-1/+1
| | | | | | | | Hotplug scripts are sourced so the #!/bin/sh is superfluous/deceptive. Re-arrange script to only source 'procd' if we get to the stage of needing to signal the process, reduce hotplug processing load a little. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to v2.81Kevin Darbyshire-Bryant2020-04-121-3/+3
| | | | Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to 2.81rc5Kevin Darbyshire-Bryant2020-04-061-3/+3
| | | | | | | | | | | | | | | | | | | | Bump to 2.81rc5 and re-work ipset-remove-old-kernel-support. More runtime kernel version checking is done in 2.81rc5 in various parts of the code, so expand the ipset patch' scope to inlude those new areas and rename to something a bit more generic.:wq Upstream changes from rc4 532246f Tweak to DNSSEC logging. 8caf3d7 Fix rare problem allocating frec for DNSSEC. d162bee Allow overriding of ubus service name. b43585c Fix nameserver list in auth mode. 3f60ecd Fixed resource leak on ubus_init failure. 0506a5e Handle old kernels that don't do NETLINK_NO_ENOBUFS. e7ee1aa Extend stop-dns-rebind to reject IPv6 LL and ULA addresses. We also reject the loopback address if rebind-localhost-ok is NOT set. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to 2.81rc4Kevin Darbyshire-Bryant2020-03-291-2/+2
| | | | Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: fix dnssec+ntp chicken-and-egg workaround (FS#2574)Henrique de Moraes Holschuh2020-03-251-1/+1
| | | | | | | | | | | | | | | | | | | | | | | Fix the test for an enabled sysntp initscript in dnsmasq.init, and get rid of "test -o" while at it. Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an RTC-less ath79 router. dnssec-no-timecheck would be clearly missing from /var/etc/dnsmasq.conf.* while the router was still a few days in the past due to non-working DNSSEC + DNS-based NTP server config. The fix was tested with the router in the "DNSSEC broken state": it properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp was able to resolve the server name to an IP address, and set the system time. DNSSEC was then enabled by SIGINT through the ntp hotplug hook, as expected. A missing system.ntp.enabled UCI node is required for the bug to show up. The reasons for why it would be missing in the first place were not investigated. Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* dnsmasq: add 'scriptarp' optionJordan Sokolic2020-03-221-1/+1
| | | | | | | | | | | Add option 'scriptarp' to uci dnsmasq config to enable --script-arp functions. The default setting is false, meaning any scripts in `/etc/hotplug.d/neigh` intended to be triggered by `/usr/lib/dnsmasq/dhcp-script.sh` will fail to execute. Also enable --script-arp if has_handlers returns true. Signed-off-by: Jordan Sokolic <oofnik@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* dnsmasq: bump to v2.81rc3Kevin Darbyshire-Bryant2020-03-101-2/+2
| | | | | | | Bump to latest release candidate and drop 2 local patches that have been upstreamed. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to 2.81rc2 + 2 localKevin Darbyshire-Bryant2020-03-061-2/+2
| | | | | | | | | Bump to dnsmasq 2.81rc2. In the process discovered several compiler warnings one with a logical error. 2 relevant patches sent upstream, added as 2 local patches for OpenWrt Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to v2.81rc1Kevin Darbyshire-Bryant2020-03-041-5/+5
| | | | | | | | | | 1st release candidate for v2.81 after 18 months. Refresh patches & remove all upstreamed leaving: 110-ipset-remove-old-kernel-support.patch Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: Activate PIE by defaultHauke Mehrtens2020-01-131-0/+1
| | | | | | | | | | | | | | | | | | | This activates PIE ASLR support by default when the regular option is selected. This increases the binary size by 37% uncompressed and 18% compressed on MIPS BE. old: 146,933 /usr/sbin/dnsmasq 101,837 dnsmasq_2.80-14_mips_24kc.ipk new: 202,020 /usr/sbin/dnsmasq 120,577 dnsmasq_2.80-14_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Petr Štetiar <ynezz@true.cz>
* dnsmasq: add uci-defaults script for config migrationDaniel Golle2020-01-091-1/+3
| | | | | | | | | When running sysupgrade from an existing configuration, UCI option dhcp.@dnsmasq[0].resolvfile needs to be modified in case it has not been changed from it's original value. Accomplish that using a uci-defaults script. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* dnsmasq: bump PKG_RELEASEDaniel Golle2020-01-071-1/+1
| | | | | | | | Previous commit should have bumped PKG_RELEASE, but git add was forgotten... Add it now. Fixes: cd48d8d342 ("dnsmasq: switch to /tmp/resolv.conf.d/resolv.conf.auto") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* dnsmasq: Fix potential dnsmasq crash with TCPHauke Mehrtens2020-01-061-1/+1
| | | | | | | | | | | | | | | This is a backport from the dnsmasq master which should fix a bug which could cause a crash in dnsmasq. I saw the following crashes in my log: [522413.117215] do_page_fault(): sending SIGSEGV to dnsmasq for invalid read access from 2a001450 [522413.124464] epc = 004197f1 in dnsmasq[400000+23000] [522413.129459] ra = 004197ef in dnsmasq[400000+23000] This is happening in blockdata_write() when block->next is dereferenced, but I am not sure if this is related to this problem or if this is a different problem. I am unable to reproduce this problem. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* dnsmasq: correct sense & usage of dnsseccheckunsignedKevin Darbyshire-Bryant2019-11-231-1/+1
| | | | | | | | | | | | | dnsmasq v2.80 made 'dnssec-check-unsigned' the default, thus the uci option was rendered ineffectual: we checked unsigned zones no matter the setting. Disabling the checking of unsigned zones is now achieve with the "--dnssec-check-unsigned=no" dnsmasq option. Update init script to pass required option in the disabled case. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: Activate LTOHauke Mehrtens2019-11-081-2/+2
| | | | | | | | | | | | This decreases the binary size when PIE ASLR is activated by 8% on MIPS BE. old: 202,020 /usr/sbin/dnsmasq new: 185,676 /usr/sbin/dnsmasq Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* dnsmasq: use nettle ecc_curve access functionsHans Dedecker2019-08-091-1/+1
| | | | | | Fixes compile issues with nettle 3.5.1 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* Revert "dnsmasq: backport latest patches"Kevin Darbyshire-Bryant2019-08-031-1/+1
| | | | | | This reverts commit e9eec39aacde450ba87598d85987b374ce6aed95. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* Revert "dnsmasq: improve insecure DS warning"Kevin Darbyshire-Bryant2019-08-031-1/+1
| | | | | | This reverts commit cd91f2327ffb06a41129a35ae7be1e7923a78d74. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: improve insecure DS warningKevin Darbyshire-Bryant2019-07-251-1/+1
| | | | | | | | Log the failing domain in the insecure DS warning. Patch has been sent upstream. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: backport latest patchesKevin Darbyshire-Bryant2019-07-251-1/+1
| | | | | | | | Backport upstream patches pre 2.81rc for testing purposes. Let's see what falls out! Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: move feature detection inside a shell funcYousong Zhou2019-06-111-1/+1
| | | | | | Resolves openwrt/packages#9219 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* dnsmasq: skip options that are not compiled inYousong Zhou2019-06-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is to make life easier for users with customized build of dnsmasq-full variant. Currently dnsmasq config generated by current service script will be rejected by dnsmasq build lacking DHCP feature - Options like --dhcp-leasefile have default values. Deleting them from uci config or setting them to empty value will make them take on default value in the end - Options like --dhcp-broadcast are output unconditionally Tackle this by - Check availablility of features from output of "dnsmasq --version" - Make a list of options guarded by HAVE_xx macros in src/options.c of dnsmasq source code - Ignore these options in xappend() Two things to note in this implementation - The option list is not exhaustive. Supposedly only those options that may cause dnsmasq to reject with "unsupported option (check that dnsmasq was compiled with DHCP/TFTP/DNSSEC/DBus support)" are taken into account here - This provides a way out but users' cooperation is still needed. E.g. option dnssec needs to be turned off, otherwise the service script will try to add --conf-file pointing to dnssec specific anchor file which dnsmasq lacking dnssec support will reject Resolves FS#2281 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* package/dnsmasq: add max_ttl/min_cache_ttl/max_cache_ttlAlexander Couzens2019-02-241-1/+1
| | | | | | | | | max_ttl - limit the ttl in the dns answer if greater as $max_ttl min_cache_ttl - force caching of dns answers even the ttl in the answer is lower than the $min_cache_ttl max_cache_ttl - cache only dns answer for $max_cache_ttl. Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* dnsmasq: prefer localuse over resolvfile guessworkYousong Zhou2019-02-231-1/+1
| | | | | | | | | This makes it clear that localuse when explicitly specified in the config will have its final say on whether or not the initscript should touch /etc/resolv.conf, no matter whatever the result of previous guesswork would be Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* dnsmasq: allow using dnsmasq as the sole resolverYousong Zhou2019-02-191-1/+1
| | | | | | | | | | | | | | | | | | | | Currently it seems impossible to configure /etc/config/dhcp to achieve the following use case - run dnsmasq with no-resolv - re-generate /etc/resolv.conf with "nameserver 127.0.0.1" Before this change, we have to set resolvfile to /tmp/resolv.conf.auto to achive the 2nd effect above, but setting resolvfile requires noresolv being false. A new boolean option "localuse" is added to indicate that we intend to use dnsmasq as the local dns resolver. It's false by default and to align with old behaviour it will be true automatically if resolvfile is set to /tmp/resolv.conf.auto Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> Acked-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: ensure test and rc order as older than final releasesJonas Gorski2019-02-171-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | Opkg treats text after a version number as higher than without: ~# opkg compare-versions "2.80rc1" "<<" "2.80"; echo $? 1 ~# opkg compare-versions "2.80rc1" ">>" "2.80"; echo $? 0 This causes opkg not offering final release as upgradable version, and even refusing to update, since it thinks the installed version is higher. This can be mitigated by adding ~ between the version and the text, as ~ will order as less than everything except itself. Since 'r' < 't', to make sure that test will be treated as lower than rc we add a second ~ before the test tag. That way, the ordering becomes 2.80~~test < 2.80~rc < 2.80 which then makes opkg properly treat prerelease versions as lower. Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
* dnsmasq: add rapid commit config optionHans Dedecker2019-02-131-1/+1
| | | | | | | Add config option rapidcommit to enable support for DHCPv4 rapid commit (RFC4039) Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: latest pre-2.81 patchesKevin Darbyshire-Bryant2019-01-311-1/+1
| | | | Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: allow building without tftp server supportRosy Song2019-01-171-2/+7
| | | | | | It saves 2871 bytes on package size while 4 bytes on memory size. Signed-off-by: Rosy Song <rosysong@rosinson.com>
* dnsmasq: backport latest pre2.81 patchesKevin Darbyshire-Bryant2019-01-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | f52bb5b fix previous commit 18eac67 Fix entries in /etc/hosts disabling static leases. f8c77ed Fix removal of DHCP_CLIENT_MAC options from DHCPv6 relay replies. 4bf62f6 Tidy cache_blockdata_free() 9c0d445 Fix e7bfd556c079c8b5e7425aed44abc35925b24043 to actually work. 2896e24 Check for not(DS or DNSKEY) in is_outdated_cname_pointer() a90f09d Fix crash freeing negative SRV cache entries. 5b99eae Cache SRV records. 2daca52 Fix typo in ra-param man page section. 2c59473 File logic bug in cache-marshalling code. Introduced a couple of commits back. cc921df Remove nested struct/union in cache records and all_addr. ab194ed Futher address union tidying. 65a01b7 Tidy address-union handling: move class into explicit argument. bde4647 Tidy all_addr union, merge log and rcode fields. e7bfd55 Alter DHCP address selection after DECLINE in consec-addr mode. Avoid offering the same address after a recieving a DECLINE message to stop an infinite protocol loop. This has long been done in default address allocation mode: this adds similar behaviour when allocaing addresses consecutively. The most relevant fix for openwrt is 18eac67 (& my own local f52bb5b which fixes a missing bracket silly) To quote the patch: It is possible for a config entry to have one address family specified by a dhcp-host directive and the other added from /etc/hosts. This is especially common on OpenWrt because it uses odhcpd for DHCPv6 and IPv6 leases are imported into dnsmasq via a hosts file. To handle this case there need to be separate *_HOSTS flags for IPv4 and IPv6. Otherwise when the hosts file is reloaded it will clear the CONFIG_ADDR(6) flag which was set by the dhcp-host directive. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: Fix dhcp-boot, dhcp-reply-delay and pxe-prompt regressionsKevin Darbyshire-Bryant2018-12-141-1/+1
| | | | | | | The above options were incorrectly changed to required tags. Make them optional again. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: fix ipv6 ipset bugKevin Darbyshire-Bryant2018-12-121-1/+1
| | | | | | | | | During upstream removal of conditional ipv6 support an order swap error was made in a ternary operator usage. This patch sent upstream. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: follow upstream dnsmasq pre-v2.81 v2Kevin Darbyshire-Bryant2018-12-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Backport upstream commits. Most interesting 122392e which changes how SERVFAIL is handled especially in event of genuine server down/failure scenarios with multiple servers. a799ca0 also interesting in that answered received via TCP are now cached, DNSSEC typically using TCP meant until now answers weren't cached, hence reducing performance. 59e4703 Free config file values on parsing errors. 48d12f1 Remove the NO_FORK compile-time option, and support for uclinux. 122392e Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e 3a5a84c Fix Makefile lines generating UBUS linker config. 24b8760 Do not rely on dead code elimination, use array instead. Make options bits derived from size and count. Use size of option bits and last supported bit in computation. No new change would be required when new options are added. Just change OPT_LAST constant. 6f7812d Fix spurious AD flags in some DNS replies from local config. cbb5b17 Fix logging in cf5984367bc6a949e3803a576512c5a7bc48ebab cf59843 Don't forward *.bind/*.server queries upstream ee87504 Remove ability to compile without IPv6 support. a220545 Ensure that AD bit is reset on answers from --address=/<domain>/<address>. a799ca0 Impove cache behaviour for TCP connections. Along with an additional patch to fix compilation without DHCPv6, sent upstream. I've been running this for aaaages without obvious issue hence brave step of opening to wider openwrt community. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* Revert "dnsmasq: follow upstream dnsmasq pre-v2.81"Kevin Darbyshire-Bryant2018-12-101-1/+1
| | | | | | | | | | | | | This reverts commit a6a8fe0be5cd2edb1560bfc3f3094c3d34f2d2b0. buildbot found an error option.c: In function 'dhcp_context_free': option.c:1042:15: error: 'struct dhcp_context' has no member named 'template_interface' free(ctx->template_interface); revert for the moment Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: follow upstream dnsmasq pre-v2.81Kevin Darbyshire-Bryant2018-12-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | Backport upstream commits. Most interesting 122392e which changes how SERVFAIL is handled especially in event of genuine server down/failure scenarios with multiple servers. a799ca0 also interesting in that answered received via TCP are now cached, DNSSEC typically using TCP meant until now answers weren't cached, hence reducing performance. 59e4703 Free config file values on parsing errors. 48d12f1 Remove the NO_FORK compile-time option, and support for uclinux. 122392e Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e 3a5a84c Fix Makefile lines generating UBUS linker config. 24b8760 Do not rely on dead code elimination, use array instead. Make options bits derived from size and count. Use size of option bits and last supported bit in computation. No new change would be required when new options are added. Just change OPT_LAST constant. 6f7812d Fix spurious AD flags in some DNS replies from local config. cbb5b17 Fix logging in cf5984367bc6a949e3803a576512c5a7bc48ebab cf59843 Don't forward *.bind/*.server queries upstream ee87504 Remove ability to compile without IPv6 support. a220545 Ensure that AD bit is reset on answers from --address=/<domain>/<address>. a799ca0 Impove cache behaviour for TCP connections. I've been running this for aaaages without obvious issue hence brave step of opening to wider openwrt community. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: drop dnssec timestamp file patchKevin Darbyshire-Bryant2018-12-101-1/+1
| | | | | | | | | | | | Openwrt no longer uses and has not used since 5acfe55d71 Jun 2016 the timestamp file (/etc/dnsmasq.time) method of resolving the dnssec/ntp dnslookup chicken/egg problem, having used signals from ntp since that change. Drop the 'dnssec-improve-timestamp-heuristic' patch since it is neither used nor sent upstream. One less thing to refresh & maintain. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: tighten config file permissionsKevin Darbyshire-Bryant2018-10-301-6/+6
| | | | | | | | | | | | | | | | | | Install following as config files (600) perms instead of as data (644) /usr/share/dnsmasq/dhcpbogushostname.conf /usr/share/dnsmasq/trust-anchors.conf /usr/share/dnsmasq/rfc6761.conf /etc/hotplug.d/ntp/25-dnsmasqsec /etc/config/dhcp /etc/dnsmasq.conf dnsmasq reads relevant config files before dropping root privilege and running as dnsmasq:dnsmasq ntpd runs as root so the hotplug script is still accessible Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>