Ubuntu
dnsmasq package

Merge ~lvoytek/ubuntu/+source/dnsmasq:fix-duplicate-query-failure-kinetic into ubuntu/+source/dnsmasq:ubuntu/devel

  1. Git
  2. lp:~lvoytek/ubuntu/+source/dnsmasq
  3. fix-duplicate-query-failure-kinetic
  4. Merge into ubuntu/devel
Proposed by Lena Voytek
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: Lena Voytek
Merged at revision: 8c5fe05222e4ac9fd525fcfe7ebda8331b904b75
Proposed branch: ~lvoytek/ubuntu/+source/dnsmasq:fix-duplicate-query-failure-kinetic
Merge into: ubuntu/+source/dnsmasq:ubuntu/devel
Diff against target: 66 lines (+28/-4)
2 files modified
debian/changelog (+12/-0)
src/forward.c (+16/-4)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Utkarsh Gupta (community) Approve
Canonical Server Reporter Pending
Review via email: mp+431166@code.launchpad.net

Description of the change

PPA: https://launchpad.net/~lvoytek/+archive/ubuntu/dnsmasq-fix-denied-dns-retries

Testing:

# lxc launch images:ubuntu/jammy test-dnsmasq
# lxc exec test-dnsmasq bash

# apt update && apt dist-upgrade -y
# systemctl disable systemd-resolved
# systemctl stop systemd-resolved
# unlink /etc/resolv.conf
# echo nameserver 8.8.8.8 | tee /etc/resolv.conf
# apt install dnsutils dnsmasq -y
# systemctl enable dnsmasq

Access internet through dnsmasq, flaky internet can be modeled by disconnecting from router, etc. This will lead to denial of DNS query retries.

# lxc launch images:ubuntu/jammy test-dnsmasq-fixed
# lxc exec test-dnsmasq-fixed bash

# apt update && apt dist-upgrade -y
# apt install software-properties-common -y
# add-apt-repository ppa:lvoytek/dnsmasq-fix-denied-dns-retries
# systemctl disable systemd-resolved
# systemctl stop systemd-resolved
# unlink /etc/resolv.conf
# echo nameserver 8.8.8.8 | tee /etc/resolv.conf
# apt install dnsutils dnsmasq -y
# systemctl enable dnsmasq

DNS query retries can now succeed

To post a comment you must log in.
Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Hello,

Thanks for working on this. Since this is d/source/format=1.0 (which means no use of d/patches/), can you please mention in d/ch or/and in the commit message that it's a cherry pick of https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2561f9fe0eb9c0be1df48da1e2bd3d3feaa138c2 and the upstream version release it's a part of? This would help in case something goes wrong and we need to debug and in general, when the next person who works on this?

TIA.

review: Needs Fixing
Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Just btw, I realllyyyyy like how to document the testing plan and the tests performed. This makes it sooooo easy. I just love it. Thank you!

~lvoytek/ubuntu/+source/dnsmasq:fix-duplicate-query-failure-kinetic updated
8c5fe05... by Lena Voytek

changelog

Revision history for this message
Lena Voytek (lvoytek) wrote :

Thanks for the review and compliment! :) Added more detail to the changelog and commit message

Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Super! Thank you! Sponsored the upload:

$ dput ubuntu ../dnsmasq_2.86-1.1ubuntu2_source.changes
Checking signature on .changes
gpg: ../dnsmasq_2.86-1.1ubuntu2_source.changes: Valid signature from 823E967606C34B96
Checking signature on .dsc
gpg: ../dnsmasq_2.86-1.1ubuntu2.dsc: Valid signature from 823E967606C34B96
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading dnsmasq_2.86-1.1ubuntu2.dsc: done.
  Uploading dnsmasq_2.86-1.1ubuntu2.tar.gz: done.
  Uploading dnsmasq_2.86-1.1ubuntu2_source.buildinfo: done.
  Uploading dnsmasq_2.86-1.1ubuntu2_source.changes: done.
Successfully uploaded packages.

review: Approve
Revision history for this message
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: utkarsh, lvoytek
Uploaders: utkarsh
MP auto-approved

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 209e4e4..1475a56 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,15 @@
6+dnsmasq (2.86-1.1ubuntu2) kinetic; urgency=medium
7+
8+ * src/forward.c: Do not refuse retries from client DNS queries. Behaviour to
9+ stop infinite loops when all servers return REFUSED was wrongly activated
10+ on client retries, resulting in incorrect REFUSED replies to client
11+ retries. The code added here is a cherry pick released in upstream version
12+ 2.87, originating at
13+ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2561f9fe0eb9c0be
14+ (LP: #1981794)
15+
16+ -- Lena Voytek <lena.voytek@canonical.com> Fri, 30 Sep 2022 08:42:39 -0700
17+
18 dnsmasq (2.86-1.1ubuntu1) kinetic; urgency=medium
19
20 * SECURITY UPDATE: Heap use after free
21diff --git a/src/forward.c b/src/forward.c
22index 3d638e4..dc9f245 100644
23--- a/src/forward.c
24+++ b/src/forward.c
25@@ -172,7 +172,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
26 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
27 void *hash = hash_questions(header, plen, daemon->namebuff);
28 unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL);
29- int old_src = 0;
30+ int old_src = 0, old_reply = 0;
31 int first, last, start = 0;
32 int subnet, cacheable, forwarded = 0;
33 size_t edns0_len;
34@@ -198,7 +198,10 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
35 Similarly FREC_NO_CACHE is never set in flags, so a query which is
36 contigent on a particular source address EDNS0 option will never be matched. */
37 if (forward)
38- old_src = 1;
39+ {
40+ old_src = 1;
41+ old_reply = 1;
42+ }
43 else if ((forward = lookup_frec_by_query(hash, fwd_flags,
44 FREC_CHECKING_DISABLED | FREC_AD_QUESTION | FREC_DO_QUESTION |
45 FREC_HAS_PHEADER | FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_NO_CACHE)))
46@@ -375,9 +378,18 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
47 /* In strict order mode, there must be a server later in the list
48 left to send to, otherwise without the forwardall mechanism,
49 code further on will cycle around the list forwever if they
50- all return REFUSED. If at the last, give up. */
51+ all return REFUSED. If at the last, give up.
52+ Note that we can get here EITHER because a client retried,
53+ or an upstream server returned REFUSED. The above only
54+ applied in the later case. For client retries,
55+ keep tyring the last server.. */
56 if (++start == last)
57- goto reply;
58+ {
59+ if (old_reply)
60+ goto reply;
61+ else
62+ start--;
63+ }
64 }
65 }
66 }

Subscribers

People subscribed via source and target branches