Commit graph

1312 commits

Author SHA1 Message Date
Willem Toorop
8df26b132b Merge branch 'master' into devel/merge-master-into-downstream-cookies 2022-11-07 17:09:20 +00:00
George Thessalonikefs
2569b12b9c - Fix to stop possible loops in the tcp reuse code (write_wait list
and tcp_wait list). Based on analysis and patch from Prad Seniappan
  and Karthik Umashankar.
2022-10-07 11:25:36 +02:00
W.C.A. Wijngaards
bf7a2884fb - Fix static analysis report to remove dead code from the
rpz_callback_from_iterator_module function.
2022-10-04 09:08:11 +02:00
Yorgos Thessalonikefs
c4e51a4cfe PROXYv2 downstream support (#760) 2022-10-03 15:29:47 +02:00
Willem Toorop
75f3fbdd65 Downstream DNS Cookies a la RFC7873 and RFC9018
Create server cookies for clients that send client cookies.
Needs to be turned on in the config file with:

	answer-cookie: yes

A cookie-secret can be configured for anycast setups.
Also adds an access control list that will allow queries with
either a valid cookie or over a stateful transport.
2022-09-28 10:28:19 +02:00
W.C.A. Wijngaards
e93c75a5d4 - Fix doxygen warning in respip.h. 2022-09-21 15:23:04 +02:00
W.C.A. Wijngaards
e3871ca907 Merge branch 'branch-1.16.3' 2022-09-21 12:11:26 +02:00
W.C.A. Wijngaards
137719522a - Patch for CVE-2022-3204 Non-Responsive Delegation Attack. 2022-09-21 11:10:38 +02:00
George Thessalonikefs
d301bfe4a2 - ACL per interface: refactor, complete testing and a bugfix for
interface names.
2022-09-11 20:57:41 +02:00
George Thessalonikefs
c30bdff939 Initial commit for interface based ACL. 2022-09-11 20:21:32 +02:00
W.C.A. Wijngaards
e6f878ee71 - Fix #741: systemd socket activation fails on IPv6. 2022-08-22 09:12:08 +02:00
W.C.A. Wijngaards
fbe8e3b0b2 - Fix ratelimit inconsistency, for ip-ratelimits the value is the
amount allowed, like for ratelimits.
2022-08-04 11:33:37 +02:00
Luis Dallos
7d3c6f1c43 Fix startup failure on Windows 8.1 due to unsupported IPV6_USER_MTU socket option being set
Newer mingw-w64 (starting from 8.0.1) introduces support for `IPV6_USER_MTU` socket
option [1], which is not supported on Windows 8.1 and older [2]. As there is no way
to avoid this socket option from being picked at compile time when targeting older
versions of Windows, check for `setsockopt(..., IPV6_USER_MTU, ...)` failures at
runtime in order to avoid startup failure on those versions of Windows where the
`IPV6_USER_MTU` socket option is unsupported.

[1]: mirror/mingw-w64@e30bff4
[2]: `WSAGetLastError()` returns `WSAENOPROTOOPT` (`Bad protocol option`) error code
2022-08-01 23:03:24 -04:00
W.C.A. Wijngaards
cd22fdc28d - Fix #728: alloc_reg_obtain() core dump. Stop double
alloc_reg_release when serviced_create fails.
2022-08-01 16:45:41 +02:00
W.C.A. Wijngaards
f6753a0f10 - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. 2022-08-01 13:24:40 +02:00
George Thessalonikefs
efdd70c7b5 - Cleanup some comments and TODO text. 2022-07-23 19:55:15 +02:00
W.C.A. Wijngaards
33bd49af81 - Merge PR 714: Avoid treating normal hosts as unresponsive servers.
And fixup the lock code.
2022-07-15 08:51:31 +02:00
Hunts Chen
88bf803297 Avoid treating normal hosts as unresponsive servers
This is a fix for issue #713

When infra-keep-probing is on, all hosts with expired entries were treated as
unresponsive servers, thus causing problems (see #713).

This commit changes that, so that normal hosts with expired entries are treated
as unknown servers.
2022-07-14 10:16:13 -07:00
George Thessalonikefs
9e4a17baaf - For windows crosscompile, fix setting the IPV6_MTU socket option
equivalent (IPV6_USER_MTU); allows cross compiling with latest
  cross-compiler versions.
2022-07-12 17:17:59 +02:00
George Thessalonikefs
e5f66b4902 - For #668: relocate and make code more portable. 2022-07-04 12:46:17 +02:00
George Thessalonikefs
0f4c4c1163 Merge branch 'IP_BIND_ADDRESS_NO_PORT' of https://github.com/crrodriguez/unbound into crrodriguez-IP_BIND_ADDRESS_NO_PORT 2022-07-04 11:15:58 +02:00
George Thessalonikefs
b816318106 - Fix #704: [FR] Statistics counter for number of outgoing UDP queries
sent; introduces 'num.query.udpout' to the 'unbound-control stats'
  command.
2022-06-29 10:51:54 +02:00
Philip Homburg
3bade62c8a Fix use after free issue with edns options (https://github.com/NLnetLabs/unbound/issues/663) 2022-06-22 15:00:28 +02:00
George Thessalonikefs
187bc72633 - Add testcase for allowing NOTIFY on URL addresses. 2022-06-14 17:44:37 +02:00
Philip Homburg
16dd802c2e Add url 'master' to allow notify list 2022-05-31 15:10:38 +02:00
Philip Homburg
6dad2d2fc6 allow-notify doesn't work for url on rpz zones (https://github.com/NLnetLabs/unbound/issues/679) 2022-05-31 15:10:38 +02:00
W.C.A. Wijngaards
11d077c826 - Fix some lint type warnings. 2022-05-20 15:32:27 +02:00
George Thessalonikefs
daf316ea1b - Fix #417: prefetch and ECS causing cache corruption when used
together.
2022-05-12 00:56:01 +02:00
tcarpay
0ce36e8289 Add the basic EDE (RFC8914) cases (#604) 2022-05-06 12:48:53 +02:00
Cristian Rodríguez
6a4ea692d4 Set IP_BIND_ADDRESS_NO_PORT on outbound tcp sockets
When bound to a local address the kernel does not know if the socket
will listen() or connect() and must reserve a port immediately after
bind(), effectively limiting the random port range to ~32k.
When IP_BIND_ADDRESS_NO_PORT is set, the kernel delays source port
allocation until the time the complete 4-tuple is known, allowing
a much larger number of combinations.
2022-04-23 23:08:45 +00:00
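The two socket-option commits above (the IPV6_USER_MTU runtime check and IP_BIND_ADDRESS_NO_PORT on outbound TCP) describe the same practitioner pattern: set an option that may not exist on the running system, tolerate "unknown option" rather than aborting startup, and verify what the kernel actually did. The following is an added example written for this page, not Unbound's own code. It binds an outbound TCP socket to a local address with port 0, sets IP_BIND_ADDRESS_NO_PORT when the build knows it, treats ENOPROTOOPT as "unsupported here" (the Windows equivalent is WSAENOPROTOOPT), and then uses getsockname() to confirm that no source port was reserved at bind() time. The enum names and helper functions are this example's own.

```c
/* Added example (not Unbound code): outbound TCP socket setup that defers
 * source-port allocation to connect() and tolerates unsupported socket options. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum bind_outcome {
	BIND_FAILED = -1,        /* socket(), a fatal option error, or bind() failed */
	BIND_PORT_DEFERRED = 0,  /* no port chosen at bind(); kernel picks it at connect() */
	BIND_PORT_RESERVED = 1,  /* option unsupported here; a port was reserved at bind() */
	BIND_INCONSISTENT = 2    /* option accepted but a port was still reserved */
};

/* 1 if this build's headers define the option (Linux >= 4.2), else 0. */
int no_port_option_compiled_in(void)
{
#ifdef IP_BIND_ADDRESS_NO_PORT
	return 1;
#else
	return 0;
#endif
}

/* ENOPROTOOPT means the running system does not know the option at all;
 * the socket is still usable without it. Anything else is a real error. */
int sockopt_error_is_fatal(int err)
{
	return err != ENOPROTOOPT;
}

/* Try an optional int option: 1 = set, 0 = unsupported on this system, -1 = error. */
int set_optional_int_sockopt(int fd, int level, int optname, int value)
{
	if (setsockopt(fd, level, optname, &value, sizeof(value)) == 0)
		return 1;
	return sockopt_error_is_fatal(errno) ? -1 : 0;
}

/* Open a TCP socket bound to local_ip with port 0, ready for connect().
 * Returns the fd (or -1) and reports in *outcome what the kernel did about the port. */
int open_outbound_tcp(const char *local_ip, enum bind_outcome *outcome)
{
	struct sockaddr_in local, bound;
	socklen_t len = sizeof(bound);
	int have_no_port = 0;
	int fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd < 0) { *outcome = BIND_FAILED; return -1; }
#ifdef IP_BIND_ADDRESS_NO_PORT
	have_no_port = set_optional_int_sockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, 1);
	if (have_no_port < 0) { close(fd); *outcome = BIND_FAILED; return -1; }
#endif
	memset(&local, 0, sizeof(local));
	local.sin_family = AF_INET;
	local.sin_port = 0;  /* let the kernel choose the source port */
	if (inet_pton(AF_INET, local_ip, &local.sin_addr) != 1 ||
	    bind(fd, (struct sockaddr *)&local, sizeof(local)) != 0 ||
	    getsockname(fd, (struct sockaddr *)&bound, &len) != 0) {
		close(fd); *outcome = BIND_FAILED; return -1;
	}
	if (ntohs(bound.sin_port) == 0)
		*outcome = BIND_PORT_DEFERRED;
	else
		*outcome = have_no_port ? BIND_INCONSISTENT : BIND_PORT_RESERVED;
	return fd;
}

/* Open, inspect, close; returns the outcome code for the caller to check. */
int probe_outbound_bind(const char *local_ip)
{
	enum bind_outcome outcome;
	int fd = open_outbound_tcp(local_ip, &outcome);
	if (fd >= 0) close(fd);
	return outcome;
}

int main(void)
{
	int r = probe_outbound_bind("127.0.0.1");
	printf("IP_BIND_ADDRESS_NO_PORT compiled in: %d, bind outcome: %d\n",
	       no_port_option_compiled_in(), r);
	return r == BIND_FAILED;
}
```

On a Linux kernel that knows the option, probe_outbound_bind("127.0.0.1") returns BIND_PORT_DEFERRED: getsockname() shows port 0 after bind(), which is exactly the behaviour the commit relies on to keep the full ephemeral range available for the 4-tuple. On an older kernel the same code falls back to BIND_PORT_RESERVED instead of failing startup, which is the point of checking the setsockopt() error at runtime rather than at compile time.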
W.C.A. Wijngaards
1289c53c1a - Fix zonemd unsupported algo check to set reason to NULL before the
check routine, but after malformed checks, to get the correct NULL
  output when the digest matches.
2022-04-08 11:19:40 +02:00
W.C.A. Wijngaards
d02e83ae2b - Fix zonemd unsupported algo check to print unsupported reason before
zeroing it.
2022-04-08 11:10:11 +02:00
W.C.A. Wijngaards
8f2847ba69 - Fix zonemd unsupported algo check reason to not copy to next record,
and check for success for debug printout.
2022-04-08 10:54:57 +02:00
W.C.A. Wijngaards
730a03e9bd - Fix zonemd unsupported algo check. 2022-04-08 09:36:01 +02:00
W.C.A. Wijngaards
e4ca71e85b - Fix zonemd check to allow unsupported algorithms to load.
If there are only unsupported algorithms, or unsupported schemes,
  and no failed or successful other ZONEMD records, or malformed
  or bad ZONEMD records, the unsupported records allow the zone load.
2022-04-08 09:29:37 +02:00
W.C.A. Wijngaards
debe5c665f - Fix #637: Integer Overflow in sldns_str2period function. 2022-03-03 14:19:59 +01:00
gthess
6e79237dc8 Merge pull request #623 from rex4539/typos
Fix typos
2022-02-28 12:36:11 +01:00
George Thessalonikefs
82adcfb971 - Fix #630: Unify the RPZ log messages. 2022-02-28 12:07:25 +01:00
Dimitris Apostolou
c7be51a11b Fix typos 2022-02-18 15:51:03 +02:00
W.C.A. Wijngaards
a746d9693a - Fix that address not available is squelched from the logs for
udp connect failures. It is visible on verbosity 4 and more.
2022-02-18 09:03:56 +01:00
W.C.A. Wijngaards
6de5310728 - Fix for #628: fix rpz-passthru for qname trigger by localzone type. 2022-02-16 09:51:25 +01:00
W.C.A. Wijngaards
2b90181d3a - Fix #628: A rpz-passthru action is not ending RPZ zone processing. 2022-02-15 16:20:12 +01:00
W.C.A. Wijngaards
a0feea393a - Fix #618: enabling interface-automatic disables DNS-over-TLS.
Adds the option to list interface-automatic-ports.
2022-02-11 10:58:53 +01:00
W.C.A. Wijngaards
5f724da8c5 - Fix that TCP interface does not use TLS when TLS is also configured. 2022-02-07 09:31:10 +01:00
gthess
358e3a5963 Merge pull request #616 from NLnetLabs/bugfix/ratelimit
Update ratelimit logic
2022-02-02 11:16:04 +01:00
George Thessalonikefs
a60bbd12ed - Fix review comment for use-after-free when failing to send UDP out. 2022-01-31 11:27:35 +01:00
George Thessalonikefs
3086335724 - Introduce ratelimit-backoff and ip-ratelimit-backoff options for more
aggressive rate limiting.
2022-01-30 00:36:29 +01:00
George Thessalonikefs
f857af873e - Update ratelimit code for recent serviced_query changes and more
accurate ratelimit calculation.
2022-01-29 23:49:38 +01:00
George Thessalonikefs
888eb224a6 - Better cleanup on failed DoT/DoH listening socket creation. 2022-01-29 15:14:56 +01:00
gthess
ddc3c754b0 Merge pull request #612 from NLnetLabs/tcp-race-condition
TCP race condition
2022-01-25 17:26:30 +01:00