Merge latest v5 development into v6#1953

Merged

DL6ER merged 35 commits into

development-v6from

May 10, 2024

DL6ER commented May 10, 2024

Member

What does this implement/fix?

Merge development -> development-v6 in preparation for a later development-v6 -> development -> master release chain of merges. Merging this PR should remove all existing merge conflicts on #1950

No functional changes. To me more precise: no changes at all except git bookkeeping

Related issue or feature (if applicable): N/A

Pull request in docs with documentation (if applicable): N/A

By submitting this pull request, I confirm the following:

I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
I have commented my proposed changes within the code.
I am willing to help maintain this change if there are issues with it later.
It is compatible with the EUPL 1.2 license
I have squashed any insignificant commits. (git rebase)

Checklist:

The code change is tested and works locally.
I based my code and PRs against the repositories developmental branch.
I signed off all commits. Pi-hole enforces the DCO for all contributions
I signed all my commits. Pi-hole requires signatures to verify authorship
I have read the above and my PR is ready for review.

simonkelley and others added 30 commits

February 8, 2024 18:11


          Log truncated DNS replies.

b650631

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Necessary changed to handle the most recent dnsmasq changes in FTL

d38a0a6

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Behave better when attempting to contact unresponsive TCP servers.

6b48e6d

By default TCP connect takes minutes to fail when trying to
connect a server which is not responding and for which the
network layer doesn't generate HOSTUNREACH errors.

This is doubled because having failed to connect in FASTOPEN
mode, the code then tries again with a call to connect().

We set TCP_SYNCNT to 2, which make the timeout about 10 seconds.
This in an unportable Linux feature, so it doesn't work on other
platforms.

No longer try connect() if sendmsg in fastopen mode fails with
ETIMEDOUT or EHOSTUNREACH since the story will just be the same.

Signed-off-by: DL6ER <dl6er@dl6er.de>


          =/== typo in last commit.

6cc10f7

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Update changed indentation of known DNSMASQ warning

0a90f07

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Force-update embedded dnsmasq version. We are loosing the individual …

45c342a

…dnsmasq history of the ~ last year, however, given the multitude of merge conflicts and the fact that this code will soon(ish) be replaced by development-v6 (where the history is 100% intact), this isn't much of an issue

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Tweak logging and special handling of T_ANY in rr-filter code.

cc98853

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Make --filter-rr=ANY filter the answer to ANY queries.

9091f18

Thanks to Dominik Derigs for an earlier patch which inspired this.

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Update embedded dnsmasq version to 2.90test4

91b924d

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Protection against pathalogical DNSSEC domains.

108ab67

An attacker can create DNSSEC signed domains which need a lot of
work to verfify. We limit the number of crypto operations to
avoid DoS attacks by CPU exhaustion.

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Update header with new EDE values.

bf17dd3

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Update NSEC3 iterations handling to conform with RFC 9276.

70b0431

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Measure cryptographic work done by DNSSEC.

dd11688

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Fix error introduced in 635bc51cac3d5d7dd49ce9e27149cf7e402b7e79

2e0d8ff

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Parameterise work limits for DNSSEC validation.

a133029

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Update EDE code -> text conversion.

8b9c5d3

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Rework validate-by-DS to avoid DoS vuln without arbitrary limits.

0ce9541

By calculating the hash of a DNSKEY once for each digest algo,
we reduce the hashing work from (no. DS) x (no. DNSKEY) to
(no. DNSKEY) x (no. distinct digests)

The number of distinct digests can never be more than 255 and
it's limited by which hashes we implement, so currently only 4.

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Overhaul data checking in NSEC code.

c32b467

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Better stats and logging from DNSSEC resource limiting.

a389bcc

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Better allocation code for DS digest cache.

c3bc0f9

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Add --dnssec-limits option.

fbc5713

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Reverse suppression of ANY query answer logging.

65402b1

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Update expected dnsmasq warnings

3e32d96

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Update dnsmasq version to 2.90

3bb1fcf

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Merge pull request #1881 from pi-hole/update/dnsmasq_v5

bda4bd5

Update embedded dnsmasq to v2.90 (Pi-hole v5)


          Merge pull request #1888 from pi-hole/development

4f92b48

Pi-hole FTL v5.25


          Merge pull request #1889 from pi-hole/master

Sync master back into development


          Fix spurious "resource limit exceeded" messages.

40886dc

Replies from upstream with a REFUSED rcode can result in
log messages stating that a resource limit has been exceeded,
which is not the case.

Thanks to Dominik Derigs and the Pi-hole project for
spotting this.

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Update embedded dnsmasq version to 2.90+1

df58921

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Merge pull request #1893 from pi-hole/release/v5.25.1

1c2257b

Fix spurious "resource limit exceeded" messages (v5 backport)

DL6ER and others added 5 commits

March 2, 2024 18:31


          Merge pull request #1894 from pi-hole/master

449654f

Sync master back into development


          Exit after fatal dnsmasq errors

230989e

Signed-off-by: DL6ER <dl6er@dl6er.de>


          Merge pull request #1946 from pi-hole/fix/crash_fatal_dnsmasq_err_v5

8943e26

Exit after fatal dnsmasq errors


          Merge pull request #1949 from pi-hole/master

888c909

Sync master back into development


          Merge branch 'development' into merge-dev

73b5170

Signed-off-by: DL6ER <dl6er@dl6er.de>

DL6ER added Code maintanance Pi-hole v6.0 labels

DL6ER requested a review from a team

May 10, 2024 08:35

yubiuser approved these changes

View reviewed changes

DL6ER merged commit c72a913 into development-v6

DL6ER deleted the merge-dev branch

May 10, 2024 16:21

PromoFaux mentioned this pull request

Pi-hole FTL v6.0 #2153

Merged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Code maintanance Pi-hole v6.0