Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading.

Fix dhcp-match-name to match hostname, not complete FQDN.
Also do name matching for DHCPv6.
2018-10-06 23:23:23 +01:00 · 2018-10-05 23:35:54 +01:00 · 2018-10-05 22:22:41 +01:00 · 2018-10-05 16:49:31 +01:00 · 2018-10-05 16:44:05 +01:00 · 2018-09-26 18:04:38 +01:00
11 changed files with 169 additions and 113 deletions
--- a/4
+++ b/4
@@ -64,6 +64,10 @@ version 2.80
 	now always forward, and never answer from the cache. This
 	allows "dig +trace" command to work. 
 	
+	Include in the example config file a formulation which
+	stops DHCP clients from claiming the DNS name "wpad".
+	This is a fix for the CERT Vulnerability VU#598349.
+
 	
 version 2.79
 	Fix parsing of CNAME arguments, which are confused by extra spaces.
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -672,3 +672,8 @@

 # Include all files in a directory which end in .conf
 #conf-dir=/etc/dnsmasq.d/,*.conf
+
+# If a DHCP client claims that its name is "wpad", ignore that.
+# This fixes a security hole. see CERT Vulnerability VU#598349
+#dhcp-name-match=set:wpad-ignore,wpad
+#dhcp-ignore-names=tag:wpad-ignore
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -231,7 +231,7 @@ options always override the others. The comments about interface labels for
 .B --listen-address
 apply here.
 .TP
-.B --auth-server=<domain>,<interface>|<ip-address>
+.B --auth-server=<domain>,[<interface>|<ip-address>...]
 Enable DNS authoritative mode for queries arriving at an interface or address. Note that the interface or address
 need not be mentioned in 
 .B --interface
@@ -244,7 +244,7 @@ specified interface. The <domain> is the "glue record". It should
 resolve in the global DNS to an A and/or AAAA record which points to
 the address dnsmasq is listening on. When an interface is specified,
 it may be qualified with "/4" or "/6" to specify only the IPv4 or IPv6
-addresses associated with the interface.
+addresses associated with the interface. Since any defined authoritative zones are also available as part of the normal recusive DNS service supplied by dnsmasq, it can make sense to have an --auth-server declaration with no interfaces or address, but simply specifying the glue record. 
 .TP
 .B --local-service
 Accept DNS queries only from hosts whose address is on a local subnet,
@@ -827,7 +827,8 @@ authoritative zones as dnsmasq.
 .B --auth-peer=<ip-address>[,<ip-address>[,<ip-address>...]]
 Specify the addresses of secondary servers which are allowed to
 initiate zone transfer (AXFR) requests for zones for which dnsmasq is
-authoritative. If this option is not given, then AXFR requests will be
+authoritative. If this option is not given but --auth-sec-servers is,
+then AXFR requests will be
 accepted from any secondary. Specifying
 .B --auth-peer
 without
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -216,7 +216,7 @@ int main (int argc, char **argv)
 #endif

 #ifndef HAVE_AUTH
-  if (daemon->authserver || daemon->auth_zones)
+  if (daemon->auth_zones)
    die(_("authoritative DNS not available: set HAVE_AUTH in src/config.h"), NULL, EC_BADCONF);
 #endif

@@ -235,13 +235,20 @@ int main (int argc, char **argv)

  now = dnsmasq_time();

-  /* Create a serial at startup if not configured. */
-  if (daemon->auth_zones && daemon->soa_sn == 0)
+  if (daemon->auth_zones)
+    {
+      if (!daemon->authserver)
+	die(_("--auth-server required when an auth zone is defined."), NULL, EC_BADCONF);
+
+      /* Create a serial at startup if not configured. */
 #ifdef HAVE_BROKEN_RTC
-    die(_("zone serial must be configured in --auth-soa"), NULL, EC_BADCONF);
+      if (daemon_>soa_sn == 0)
+	die(_("zone serial must be configured in --auth-soa"), NULL, EC_BADCONF);
 #else
-  daemon->soa_sn = now;
+      if (daemon->soa_sn == 0)
+	daemon->soa_sn = now;
 #endif
+    }
  
 #ifdef HAVE_DHCP6
  if (daemon->dhcp6)
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1227,7 +1227,7 @@ int in_zone(struct auth_zone *zone, char *name, char **cut);
 #endif

 /* dnssec.c */
-size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class, int type, union mysockaddr *addr, int edns_pktsz);
+size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class, int type, int edns_pktsz);
 int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
 int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
 int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class,
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -2026,19 +2026,11 @@ int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen)
 }

 size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class, 
-			     int type, union mysockaddr *addr, int edns_pktsz)
+			     int type, int edns_pktsz)
 {
  unsigned char *p;
-  char *types = querystr("dnssec-query", type);
  size_t ret;

-  if (addr->sa.sa_family == AF_INET) 
-    log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, name, (struct all_addr *)&addr->in.sin_addr, types);
-#ifdef HAVE_IPV6
-  else
-    log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, name, (struct all_addr *)&addr->in6.sin6_addr, types);
-#endif
-  
  header->qdcount = htons(1);
  header->ancount = htons(0);
  header->nscount = htons(0);
--- a/src/forward.c
+++ b/src/forward.c
@@ -1058,7 +1058,7 @@ void reply_query(int fd, int family, time_t now)
 		    status = STAT_ABANDONED;
 		  else
 		    {
-		      int fd, type = SERV_DO_DNSSEC;
+		      int querytype, fd, type = SERV_DO_DNSSEC;
 		      struct frec *next = new->next;
 		      char *domain;
 		      
@@ -1111,15 +1111,26 @@ void reply_query(int fd, int family, time_t now)
 		      if (status == STAT_NEED_KEY)
 			{
 			  new->flags |= FREC_DNSKEY_QUERY; 
-			  nn = dnssec_generate_query(header, ((unsigned char *) header) + server->edns_pktsz,
-						     daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->edns_pktsz);
+			  querytype = T_DNSKEY;
 			}
 		      else 
 			{
 			  new->flags |= FREC_DS_QUERY;
-			  nn = dnssec_generate_query(header,((unsigned char *) header) + server->edns_pktsz,
-						     daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz);
+			  querytype = T_DS;
 			}
+
+		      nn = dnssec_generate_query(header,((unsigned char *) header) + server->edns_pktsz,
+						 daemon->keyname, forward->class, querytype, server->edns_pktsz);
+
+		      if (server->addr.sa.sa_family == AF_INET) 
+			log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, daemon->keyname, (struct all_addr *)&(server->addr.in.sin_addr),
+				  querystr("dnssec-query", querytype));
+#ifdef HAVE_IPV6
+		      else
+			log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, daemon->keyname, (struct all_addr *)&(server->addr.in6.sin6_addr),
+				  querystr("dnssec-query", querytype));
+#endif
+  
 		      if ((hash = hash_questions(header, nn, daemon->namebuff)))
 			memcpy(new->hash, hash, HASH_SIZE);
 		      new->new_id = get_id();
@@ -1653,9 +1664,9 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
 	  new_status = STAT_ABANDONED;
 	  break;
 	}
-	 
+
      m = dnssec_generate_query(new_header, ((unsigned char *) new_header) + 65536, keyname, class, 
-				new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr, server->edns_pktsz);
+				new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, server->edns_pktsz);
      
      *length = htons(m);

@@ -1688,30 +1699,30 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
 	      (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, server->domain)) ||
 	      (server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
 	    continue;
-	    
-	  retry:
-	    /* may need to make new connection. */
-	    if (server->tcpfd == -1)
-	      {
-		if ((server->tcpfd = socket(server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
-		  continue; /* No good, next server */
-		
+
+	retry:
+	  /* may need to make new connection. */
+	  if (server->tcpfd == -1)
+	    {
+	      if ((server->tcpfd = socket(server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
+		continue; /* No good, next server */
+	      
 #ifdef HAVE_CONNTRACK
-		/* Copy connection mark of incoming query to outgoing connection. */
-		if (have_mark)
-		  setsockopt(server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
+	      /* Copy connection mark of incoming query to outgoing connection. */
+	      if (have_mark)
+		setsockopt(server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
 #endif	
-		
-		if (!local_bind(server->tcpfd,  &server->source_addr, server->interface, 0, 1) ||
-		    connect(server->tcpfd, &server->addr.sa, sa_len(&server->addr)) == -1)
-		  {
-		    close(server->tcpfd);
-		    server->tcpfd = -1;
-		    continue; /* No good, next server */
-		  }
-		
-		server->flags &= ~SERV_GOT_TCP;
-	      }
+	      
+	      if (!local_bind(server->tcpfd,  &server->source_addr, server->interface, 0, 1) ||
+		  connect(server->tcpfd, &server->addr.sa, sa_len(&server->addr)) == -1)
+		{
+		  close(server->tcpfd);
+		  server->tcpfd = -1;
+		  continue; /* No good, next server */
+		}
+	      
+	      server->flags &= ~SERV_GOT_TCP;
+	    }
 	  
 	  if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) ||
 	      !read_write(server->tcpfd, &c1, 1, 1) ||
@@ -1728,6 +1739,16 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
 	      else
 		continue;
 	    }
+
+
+	  if (server->addr.sa.sa_family == AF_INET) 
+	    log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, keyname, (struct all_addr *)&(server->addr.in.sin_addr),
+		      querystr("dnssec-query", new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS));
+#ifdef HAVE_IPV6
+	  else
+	    log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, keyname, (struct all_addr *)&(server->addr.in6.sin6_addr),
+		      querystr("dnssec-query", new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS));
+#endif
 	  
 	  server->flags |= SERV_GOT_TCP;
 	  
--- a/src/option.c
+++ b/src/option.c
@@ -1902,44 +1902,42 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
      }
      
    case LOPT_AUTHSERV: /* --auth-server */
-      if (!(comma = split(arg)))
-	ret_err(gen_err);
+      comma = split(arg);
      
      daemon->authserver = opt_string_alloc(arg);
-      arg = comma;
-      do {
-	struct iname *new = opt_malloc(sizeof(struct iname));
-	comma = split(arg);
-	new->name = NULL;
-	unhide_metas(arg);
-	if (inet_pton(AF_INET, arg, &new->addr.in.sin_addr) > 0)
-	  new->addr.sa.sa_family = AF_INET;
+      
+      while ((arg = comma))
+	{
+	  struct iname *new = opt_malloc(sizeof(struct iname));
+	  comma = split(arg);
+	  new->name = NULL;
+	  unhide_metas(arg);
+	  if (inet_pton(AF_INET, arg, &new->addr.in.sin_addr) > 0)
+	    new->addr.sa.sa_family = AF_INET;
 #ifdef HAVE_IPV6
-	else if (inet_pton(AF_INET6, arg, &new->addr.in6.sin6_addr) > 0)
-	  new->addr.sa.sa_family = AF_INET6;
+	  else if (inet_pton(AF_INET6, arg, &new->addr.in6.sin6_addr) > 0)
+	    new->addr.sa.sa_family = AF_INET6;
 #endif
-	else
-	  {
-	    char *fam = split_chr(arg, '/');
-	    new->name = opt_string_alloc(arg);
-	    new->addr.sa.sa_family = 0;
-	    if (fam)
-	      {
-		if (strcmp(fam, "4") == 0)
-		  new->addr.sa.sa_family = AF_INET;
+	  else
+	    {
+	      char *fam = split_chr(arg, '/');
+	      new->name = opt_string_alloc(arg);
+	      new->addr.sa.sa_family = 0;
+	      if (fam)
+		{
+		  if (strcmp(fam, "4") == 0)
+		    new->addr.sa.sa_family = AF_INET;
 #ifdef HAVE_IPV6
-		else if (strcmp(fam, "6") == 0)
-		  new->addr.sa.sa_family = AF_INET6;
+		  else if (strcmp(fam, "6") == 0)
+		    new->addr.sa.sa_family = AF_INET6;
 #endif
-		else
-		  ret_err(gen_err);
-	      } 
-	  }
-	new->next = daemon->authinterface;
-	daemon->authinterface = new;
-	
-	arg = comma;
-      } while (arg);
+		  else
+		    ret_err(gen_err);
+		} 
+	    }
+	  new->next = daemon->authinterface;
+	  daemon->authinterface = new;
+	};
            
      break;

--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -700,39 +700,9 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	client_hostname = daemon->dhcp_buff;
    }

-  if (client_hostname)
-    {
-      struct dhcp_match_name *m;
-      size_t nl = strlen(client_hostname); 
-      
-      if (option_bool(OPT_LOG_OPTS))
-	my_syslog(MS_DHCP | LOG_INFO, _("%u client provides name: %s"), ntohl(mess->xid), client_hostname);
+  if (client_hostname && option_bool(OPT_LOG_OPTS))
+    my_syslog(MS_DHCP | LOG_INFO, _("%u client provides name: %s"), ntohl(mess->xid), client_hostname);

-
-      for (m = daemon->dhcp_name_match; m; m = m->next)
-	{
-	  size_t ml = strlen(m->name);
-	  char save = 0;
-	  
-	  if (nl < ml)
-	    continue;
-	  if (nl > ml)
-	    {
-	      save = client_hostname[ml];
-	      client_hostname[ml] = 0;
-	    }
-
-	  if (hostname_isequal(client_hostname, m->name) &&
-	      (save == 0 || m->wildcard))
-	    {
-	      m->netid->next = netid;
-	      netid = m->netid;
-	    }
-
-	  if (save != 0)
-	    client_hostname[ml] = save;
-	}
-    }
  
  if (have_config(config, CONFIG_NAME))
    {
@@ -745,11 +715,15 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
    }
  else if (client_hostname)
    {
+      struct dhcp_match_name *m;
+      size_t nl;
+
      domain = strip_hostname(client_hostname);
      
-      if (strlen(client_hostname) != 0)
+      if ((nl = strlen(client_hostname)) != 0)
 	{
 	  hostname = client_hostname;
+	  
 	  if (!config)
 	    {
 	      /* Search again now we have a hostname. 
@@ -767,6 +741,30 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		  netid = &known_id;
 		}
 	    }
+
+	  for (m = daemon->dhcp_name_match; m; m = m->next)
+	    {
+	      size_t ml = strlen(m->name);
+	      char save = 0;
+	      
+	      if (nl < ml)
+		continue;
+	      if (nl > ml)
+		{
+		  save = client_hostname[ml];
+		  client_hostname[ml] = 0;
+		}
+	      
+	      if (hostname_isequal(client_hostname, m->name) &&
+		  (save == 0 || m->wildcard))
+		{
+		  m->netid->next = netid;
+		  netid = m->netid;
+	    }
+	      
+	      if (save != 0)
+		client_hostname[ml] = save;
+	    }
 	}
    }
  
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -496,11 +496,16 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
 	}
      else if (state->client_hostname)
 	{
+	  struct dhcp_match_name *m;
+	  size_t nl;
+
 	  state->domain = strip_hostname(state->client_hostname);
+	  nl = strlen(state->client_hostname);
 	  
 	  if (strlen(state->client_hostname) != 0)
 	    {
 	      state->hostname = state->client_hostname;
+	      
 	      if (!config)
 		{
 		  /* Search again now we have a hostname. 
@@ -510,6 +515,30 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
 		  if (new && !have_config(new, CONFIG_CLID) && !new->hwaddr)
 		    config = new;
 		}
+	      
+	      for (m = daemon->dhcp_name_match; m; m = m->next)
+		{
+		  size_t ml = strlen(m->name);
+		  char save = 0;
+		  
+		  if (nl < ml)
+		    continue;
+		  if (nl > ml)
+		    {
+		      save = state->client_hostname[ml];
+		      state->client_hostname[ml] = 0;
+		    }
+		  
+		  if (hostname_isequal(state->client_hostname, m->name) &&
+		      (save == 0 || m->wildcard))
+		    {
+		      m->netid->next = state->tags;
+		      state->tags = m->netid;
+		    }
+		  
+		  if (save != 0)
+		    state->client_hostname[ml] = save;
+		}
 	    }
 	}
    }
--- a/src/slaac.c
+++ b/src/slaac.c
@@ -166,7 +166,8 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases)
 	    
 	    if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(-1), 0,
 		       (struct sockaddr *)&addr,  sizeof(addr)) == -1 &&
-		errno == EHOSTUNREACH)
+		errno == EHOSTUNREACH &&
+		slaac->backoff == 12)
 	      slaac->ping_time = 0; /* Give up */ 
 	    else
 	      {
Author	SHA1	Message	Date
Simon Kelley	e1791f36ea	Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading.	2018-10-06 23:23:23 +01:00
Simon Kelley	0fdf3c1f61	Fix dhcp-match-name to match hostname, not complete FQDN. Also do name matching for DHCPv6.	2018-10-05 23:35:54 +01:00
Simon Kelley	ee1df06aab	Tweak strategy for confirming SLAAC addresses. The code which conirms possible SLAAC addresses associated with hosts known from DHCPv4 addresses keeps trying at longer and longer intervals essentially forever, EXCEPT if sending an ICMP ping results in a HOSTUNREACH error, which terminates the process immediately. It turns out that this is too drastic. Routing changes associated with addressing changes can cause temporary HOSTUNREACH problems, even when an address has not gone forever. Therefore continue trying in the face of HOSTUNREACH for the first part of the process. HOSTUNREACH errors will still terminate the process after it reaches the slow tail of retries. Thanks to Andrey Vakhitov for help diagnosing this.	2018-10-05 22:22:41 +01:00
Simon Kelley	1e87eba424	Clarify manpage for --auth-sec-servers	2018-10-05 16:49:31 +01:00
Simon Kelley	08933475ab	Make interface spec optional in --auth-server. But make auth-server required when any auth-zones are defined. The "glue record" field in auth-server is needed to synthesise SOA and NS records in auth zones, so the --auth-server has to be specified. If makes sense, however to define one or more auth-zones that appear within the normal recursive DNS service without actually acting as an authoritative DNS server on any interface. Hence making the interface field optional.	2018-10-05 16:44:05 +01:00
Simon Kelley	7cbf497da4	Example config file fix for CERT Vulnerability VU#598349.	2018-09-26 18:04:38 +01:00