Help us test FTL v5.8 / dnsmasq v2.85
Pi-hole embeds the DNS server
dnsmasq, which is currently in release-candidate state for version 2.85. Please join us in the final testing of this version of
dnsmasq, to help us ensure there are no major bugs before the final release. You may be receiving a few updates on this branch.
To get the release candidate version, run
pihole checkout ftl update/dnsmasq-v2.85
You can go back at any time using
pihole checkout ftl master
Please also go back to master before updating Pi-hole after the next release. This can be done at any time, also after the update happened. Support and discussions are possible on the linked Discourse thread.
- Fix problem with DNS retries in 2.83/2.84.
The new logic in 2.83/2.84 which merges distinct requests for the same domain causes problems with clients which do retries as distinct requests (differing IDs and/or source ports.) The retries just get piggy-backed on the first, failed, request.
The logic is now changed so that distinct requests for repeated queries still get merged into a single ID/source port, but they now always trigger a re-try upstream.
- Avoid treating a
dhcp-hostwhich has an IPv6 address as eligible for use with DHCPv4 on the grounds that it has no address, and vice-versa.
AAAArecords which take their network part from the network of a local interface. Useful for routers with dynamically prefixes.
ignore-addressto take an IPv4 subnet.
- Use random source ports where possible if source addresses/interfaces in use. CVE-2021-3448 applies.
It’s possible to specify the source address or interface to be used when contacting upstream name servers:
server=126.96.36.199@eth0, and all of these have, until now, used a single socket, bound to a fixed port. This was originally done to allow an error (non-existent interface, or non-local address) to be detected at start-up. This means that any upstream servers specified in such a way don’t use random source ports, and are more susceptible to cache-poisoning attacks.
We now use random ports where possible, even when the source is specified, so
server=188.8.131.52@eth0will use random source ports.
firstname.lastname@example.org#66or any use of
query-portwill use the explicitly configured port, and should only be done with understanding of the security implications. Note that this change changes non-existing interface, or non-local source address errors from fatal to run-time. The error will be logged and communication with the server not possible.
- Change the method of allocation of random source ports for DNS. Previously, without min-port or max-port configured, dnsmasq would default to the compiled in defaults for those, which are 1024 and 65535. Now, when neither are configured, it defaults instead to the kernel’s ephemeral port range, which is typically 32768 to 60999 on Linux systems. This change eliminates the possibility that
dnsmasqmay be using a registered port > 1024 when a long-running daemon starts up and wishes to claim it. This change does likely slightly reduce the number of random ports and therefore the protection from reply spoofing. The older behaviour can be restored using the min-port and max-port config switches should that be a concern.
- Scale the size of the DNS random-port pool based on the value of the
- TFTP tweak: Check sender of all received packets, as specified in RFC 1350 para 4.
Comments are closed.