/[smeserver]/rpms/djbdns/sme9/280-dnscache-ignoreip2.patch
ViewVC logotype

Annotation of /rpms/djbdns/sme9/280-dnscache-ignoreip2.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Wed Jul 12 04:56:18 2017 UTC (7 years, 4 months ago) by unnilennium
Branch: MAIN
CVS Tags: djbdns-1_05-11_el6_sme, djbdns-1_05-9_el6_sme, djbdns-1_05-10_el6_sme, HEAD
* Tue Jul 11 2017 Jean-Philipe Pialasse <tests@pialasse.com> 1.05-9.sme
-- backport SME10 fixes [SME: 10381]
--import patches from openwrt and rename already applied patches
--fix security issues [SME: 10374]
- 020-dnsroots-update.patch: update list of root DNS servers
- 070-dnscache-dpos-tcp-servfail.patch: SERVFAIL rename previous patch dns_transmit-bug.patch
- 210-dnscache-strict-forwardonly.patch: rename previous patch dnscache-strict-forwardonly.patch
- 270-dnscache-sigpipe-fix.patch: SIGPIPE
- 300-bugfix-dnscache-dempsky-poison.patch: CVE-2009-0858
- 310-bugfix-dnscache-merge-outgoing-requests.patch: CVE-2008-4392
- 320-bugfix-dnscache-cache-soa-records.patch: CVE-2008-4392
- 450-dnscache-ghost-domain-CVE-2012-1191.patch: CVE-2012-1191 http://marc.info/?l=djbdns&m=134190748729079&w=2
--bug fixes [SME: 10374]
- 060-dnscache-big-udp-packets.patch: accept and handle longer than 512 bytes UDP packets
- 230-tinydns-data-semantic-error.patch: handle semantic error to avoid publishing false dns records
- 240-tinydns-alias-chain-truncation.patch: rename previous patch tinydns-alias-chain-truncation.patch
--fix issue with short ttl cname like akamaid [SME: 8362]
- 200-dnscache-cname-handling.patch: rename previous patch dnscache-cname-handling.patch
- 330-fix-dnscache-cname-handling.patch: fix dnscache cname for short ttl
- 500-cutom-dnscache-maxloop.patch: set max loop to 200
--needed for previous patches to apply cleanly
- 030-srv-records-and-axfrget.patch: add SRV record type and axfr-get decompose SRC and PTR records (for 230-*.patch)
- 080-dnscache-cache-negatives.patch: rfc2308 ? (for 200-*.patch)
- 090-tinydns-one-second.patch: improve tinydns with 8 or more  concurent connections (for 240-*.patch)
- 120-compiler-temporary-filename.patch: change tmp filename to avoid conflicts (for 230-*.patch)
--not backported from SME10 branch
- 050-tinydns-mmap-leak.patch: report cdb leak

1 unnilennium 1.1 This patch change djbdns's dnscache program so that it will ignore the
2     IP address given in the ignoreip file. I wrote this patch because of
3     Verisign's oh-so helpful wildcard A record for *.COM and *.NET.
4    
5     If you have djbdns-1.05-ignoreip.patch installed, back it out like this:
6     cd /usr/local/src/djbdns-1.05
7     patch -R <djbdns-1.05-ignoreip.patch
8    
9     Install the patch like this:
10     cd /usr/local/src/djbdns-1.05
11     patch <djbdns-1.05-ignoreip2.patch
12     svc -d /service/dnscache
13     make setup check
14     svc -u /service/dnscache
15    
16     Configure it to ignore Verisign's wildcard record like this:
17     echo 64.94.110.11 >/service/dnscache/root/ignoreip
18     svc -t /service/dnscache
19    
20     Configure it to ignore all the cretins like this:
21     awk '{print $2}' <<EOF >/service/dnscache/root/ignoreip
22     *.ac 194.205.62.122
23     *.cc 206.253.214.102
24     *.com 64.94.110.11
25     *.cx 219.88.106.80
26     *.museum 195.7.77.20
27     *.net 64.94.110.11
28     *.nu 64.55.105.9
29     and 212.181.91.6
30     *.ph 203.119.4.6
31     *.sh 194.205.62.62
32     *.tm 194.205.62.62
33     *.ws 216.35.187.246
34     EOF
35     svc -t /service/dnscache
36    
37     J.P. Larocque contributes a script which updates root/ignoreip:
38     http://ely.ath.cx/~piranha/software/ignoreip-update/ignoreip-update-0.1
39    
40     If root/ignoreip is not present, no addresses will be ignored.
41    
42     --
43     --My blog is at angry-economist.russnelson.com | Free markets express in the
44     Crynwr sells support for free software | PGPok | practical world our belief
45     521 Pleasant Valley Rd. | +1 315 268 1925 voice | that there is that of God
46     Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | in all people. -Chris V.
47    
48    
49     --- a/dnscache.c
50     +++ b/dnscache.c
51     @@ -24,6 +24,8 @@
52     #include "okclient.h"
53     #include "droproot.h"
54    
55     +stralloc ignoreip = {0};
56     +
57     static int packetquery(char *buf,unsigned int len,char **q,char qtype[2],char qclass[2],char id[2])
58     {
59     unsigned int pos;
60     @@ -390,6 +392,7 @@ char seed[128];
61     int main()
62     {
63     char *x;
64     + unsigned int i, j, k;
65     unsigned long cachesize;
66    
67     signal(SIGPIPE, SIG_IGN);
68     @@ -433,6 +436,20 @@ int main()
69     if (!cache_init(cachesize))
70     strerr_die3x(111,FATAL,"not enough memory for cache of size ",x);
71    
72     + if (openreadclose("ignoreip",&ignoreip,64) < 0)
73     + strerr_die2x(111,FATAL,"trouble reading ignoreip");
74     + for(j = k = i = 0; i < ignoreip.len; i++)
75     + if (ignoreip.s[i] == '\n') {
76     + ignoreip.s[i] = '\0';
77     + if (j + 4 > i)
78     + strerr_die3x(111,FATAL,"badly malformed ip4 address ",ignoreip.s+k);
79     + if (!ip4_scan(ignoreip.s+k,ignoreip.s+j))
80     + strerr_die3x(111,FATAL,"unable to parse address in ignoreip ",ignoreip.s+k);
81     + j += 4;
82     + k = i + 1;
83     + }
84     + ignoreip.len = j;
85     +
86     if (env_get("HIDETTL"))
87     response_hidettl();
88     if (env_get("FORWARDONLY"))
89     --- a/query.c
90     +++ b/query.c
91     @@ -13,6 +13,8 @@
92     #include "response.h"
93     #include "query.h"
94    
95     +extern stralloc ignoreip;
96     +
97     static int flagforwardonly = 0;
98    
99     void query_forwardonly(void)
100     @@ -173,6 +175,7 @@ static int smaller(char *buf,unsigned in
101    
102     static int doit(struct query *z,int state)
103     {
104     + unsigned int ii;
105     char key[257];
106     char *cached;
107     unsigned int cachedlen;
108     @@ -662,6 +665,9 @@ static int doit(struct query *z,int stat
109     pos = dns_packet_copy(buf,len,pos,header,10); if (!pos) goto DIE;
110     if (byte_equal(header + 8,2,"\0\4")) {
111     pos = dns_packet_copy(buf,len,pos,header,4); if (!pos) goto DIE;
112     + if (ignoreip.len)
113     + for(ii = 0; ii < ignoreip.len; ii+= 4)
114     + if (byte_equal(header,4,ignoreip.s+ii)) goto NXDOMAIN;
115     save_data(header,4);
116     log_rr(whichserver,t1,DNS_T_A,header,4,ttl);
117     }

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed