upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2026-02-02 03:39:27 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
7401 commits 25 branches 209 tags 133 MiB
Commit graph

1957 commits

Author SHA1 Message Date
George Thessalonikefs
adb4aeb609 - For #722: Minor fixes, formatting and refactoring. 2023-05-01 18:23:13 +02:00
George Thessalonikefs
e1ec3cf893 Merge branch 'nat64' of https://github.com/eqvinox/unbound into eqvinox-nat64 2023-04-26 15:14:39 +02:00
W.C.A. Wijngaards
144f29638c - Fix for #882: small changes, date updated in Copyright for 
util/timeval_func.c and util/timeval_func.h. Man page entries and
  example entry.
 2023-04-26 13:49:33 +02:00
Vadim Fedorenko
04540f82e5 config: add sock_queue_timeout configuration 
Add sock_queue_timeout config option to have queue timeout configurable.

Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
 2023-04-26 03:27:19 -07:00
Vadim Fedorenko
2e6ddd6032 netevent: parse and store rcv timestamp from sock 
Add special field in comm_point to store the software receive timestamp
for every particular UDP packet. Aux data parser is updated to read
values and the whole callback is switched to use recvmsg form.

Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
 2023-04-26 03:26:51 -07:00
Vadim Fedorenko
a197aac2f6 timeval_func: move all timeval manipulation to separate file 
There are several definitions of the same functions manipulating timeval
structures. Let's move them to separate file and arrange the code
preperly.

Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
 2023-04-26 03:23:41 -07:00
Vadim Fedorenko
648ad4db6f Linting change. 
Remove config parser/lexer code as it's rebuilded every time but can
break adding new config options.
Also clean up the code base to avoid mixing actual code changes and lint
issues.

Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
 2023-04-25 17:05:00 -07:00
W.C.A. Wijngaards
8f83c0a2cb - iana portlist update. 2023-03-20 14:55:55 +01:00
George Thessalonikefs
d7e7761141 - Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option 
to ignore the unexpected eof while reading in openssl >= 3.
 2023-03-17 14:39:37 +01:00
Philip Homburg
71e0ddc94a Improved comment 2023-02-21 09:27:03 +01:00
Philip Homburg
d1f5ded1d9 ifdef CLIENT_SUBNET 2023-02-21 09:21:24 +01:00
Philip Homburg
fb06364014 Fix issue #825: interaction between ECS and serve-expired. 2023-02-21 09:20:28 +01:00
George Thessalonikefs
6bf677e7de Fix #833: [FR] Ability to set the Redis password. 2023-01-23 11:45:07 +01:00
W.C.A. Wijngaards
77f15428c9 - Add #835: [FR] Ability to use Redis unix sockets. 2023-01-23 10:09:28 +01:00
W.C.A. Wijngaards
111e66ae64 Changelog note for #819, generate configparser.c and comment syntax change. 
- Merge #819: Added new static zone type block_a to suppress all A
  queries for specific zones.
 2023-01-20 16:19:20 +01:00
Wouter Wijngaards
6a4a9435d1
Merge pull request #819 from pavel-odintsov/pavel/suppress_a 
Added new static zone type block_a to suppress all A queries for specific zones
 2023-01-20 16:18:05 +01:00
W.C.A. Wijngaards
c9233f8429 - Set default for harden-unknown-additional to no. So that it does 
not hamper future protocol developments.
 2023-01-19 15:45:10 +01:00
W.C.A. Wijngaards
8df1e58209 - Add harden-unknown-additional option. Default on and it removes 
unknown records from the authority section and additional section.
  Thanks to Xiang Li, from NISL Lab, Tsinghua University.
 2023-01-19 14:59:18 +01:00
W.C.A. Wijngaards
d69f875261 - Set max-udp-size default to 1232. This is the same default value as 
the default value for edns-buffer-size. It restricts client edns
  buffer size choices, and makes unbound behave similar to other DNS
  resolvers. The new choice, down from 4096 means it is harder to get
  large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
  Tsinghua University.
 2023-01-19 14:16:17 +01:00
Sergey Kacheev
52a4ccee18 add a metric about the maximum number of collisions in lrushah 2023-01-13 13:33:38 +07:00
Pavel Odintsov
d5b9a790fe Added new static zone type block_a to suppress all A queries for specific zones 2023-01-03 19:17:51 +00:00
George Thessalonikefs
df411b3f28 - Updates for #461 (Add max-query-restarts option). 2022-12-13 15:29:22 +01:00
George Thessalonikefs
71db243b0d Merge branch 'restart_conf' of https://github.com/cgallred/unbound into cgallred-restart_conf 2022-12-13 14:35:01 +01:00
George Thessalonikefs
c61b2121b5 - Expose 'max-sent-count' as a configuration option; the 
default value retains Unbound's behavior.
 2022-12-13 13:57:07 +01:00
George Thessalonikefs
859d0f2dfe - Expose 'statistics-inhibit-zero' as a configuration option; the 
default value retains Unbound's behavior.
 2022-12-13 10:47:37 +01:00
W.C.A. Wijngaards
effbf99281 - Fix #782: Segmentation fault in stats.c:404. 2022-11-30 10:18:27 +01:00
W.C.A. Wijngaards
6f7da59b77 - Fix for the ignore of tcp events for closed comm points, preserve 
the use after free protection features.
 2022-11-28 10:04:52 +01:00
Philip-NLnetLabs
b86a97019f
Merge pull request #720 from jonathangray/winsock_uaf 
fix use after free when WSACreateEvent() fails
 2022-11-23 14:08:01 +01:00
TCY16
8b4a8493d0 Merge branch 'master' of github.com:NLnetLabs/unbound into features/ede-caching 2022-11-21 11:34:36 +01:00
W.C.A. Wijngaards
89d9b25090 - iana portlist update. 2022-11-08 15:24:24 +01:00
W.C.A. Wijngaards
52a9e6268e - Fix to make sure to not read again after a tcp comm point is closed. 2022-11-08 13:23:44 +01:00
W.C.A. Wijngaards
8367b24bc5 - Fix to ignore tcp events for closed comm points. 2022-11-08 12:02:48 +01:00
Willem Toorop
8df26b132b Merge branch 'master' into devel/merge-master-into-downstream-cookies 2022-11-07 17:09:20 +00:00
David Lamparter
64fb06f892 NAT64 support 
This implements #721.  Includes documentation and some very basic tests.
Please refer to doc for further detail.
 2022-11-07 11:37:50 +00:00
Florian Obser
08dcae0dab Arithmetic on a pointer to void is a GNU extension. 2022-10-14 13:56:32 +02:00
George Thessalonikefs
d25e0cd9b0 - Fix PROXYv2 header read for TCP connections when no proxied addresses 
are provided.
 2022-10-11 17:39:30 +02:00
W.C.A. Wijngaards
bf1cce6f9b - Fix proxy length debug output printout typecasts. 2022-10-06 15:53:21 +02:00
W.C.A. Wijngaards
c0eaadfc42 - Fix to close errno block in comm_point_tcp_handle_read outside of 
ifdef.
 2022-10-03 16:21:39 +02:00
Yorgos Thessalonikefs
c4e51a4cfe
PROXYv2 downstream support (#760) 2022-10-03 15:29:47 +02:00
Willem Toorop
bd2c202674 The generated lexer and parser sources for configuring cookies 2022-09-28 10:34:06 +02:00
Willem Toorop
75f3fbdd65 Downstream DNS Cookies a la RFC7873 and RFC9018 
Create server cookies for clients that send client cookies.
Needs to be turned on in the config file with:

	answer-cookie: yes

A cookie-secret can be configured for anycast setups.
Also adds an access control list that will allow queries with
either a valid cookie or over a stateful transport.
 2022-09-28 10:28:19 +02:00
Willem Toorop
71f23ef354 extended_error_encode() for extended errors 2022-09-28 09:57:56 +02:00
TCY16
0b176750bd add @wcawijngaards' review comments 2022-09-26 12:14:17 +02:00
TCY16
f0989fc754 differentiate between malloc and regional_alloc 2022-09-26 11:49:49 +02:00
TCY16
c9f90def0a swap malloc for regional_alloc and add free 2022-09-26 11:18:58 +02:00
TCY16
dcfcde2ec8 add cached EDE strings 2022-09-21 11:21:33 +02:00
George Thessalonikefs
d301bfe4a2 - ACL per interface: refactor, complete testing and a bugfix for 
interface names.
 2022-09-11 20:57:41 +02:00
George Thessalonikefs
c30bdff939 Initial commit for interface based ACL. 2022-09-11 20:21:32 +02:00
W.C.A. Wijngaards
57230d7f22 - Fix to log a verbose message at operational notice level if a 
thread is not responding, to stats requests. It is logged with
  thread identifiers.
 2022-09-01 15:14:20 +02:00
TCY16
5f309d0018 Add caching EDEs 2022-09-01 14:10:14 +02:00
W.C.A. Wijngaards
d66e1cccf8 - Fix to set out of file descriptor warning to operational verbosity. 2022-09-01 14:01:56 +02:00
W.C.A. Wijngaards
2450b4653a - Slow down log frequency of write wait failures. 2022-09-01 14:00:29 +02:00
W.C.A. Wijngaards
1f5cc25974 - Fix for wait for udp send to stop when packet is successfully sent. 2022-08-31 16:45:15 +02:00
W.C.A. Wijngaards
ec5812a748 - Fix to wait for blocked write on UDP sockets, with a timeout if it 
takes too long the packet is dropped.
 2022-08-31 11:54:11 +02:00
W.C.A. Wijngaards
10a5a5880a - Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive 
operations, so that instruction reordering does not cause mistakenly
  blocking socket operations.
 2022-08-31 10:11:25 +02:00
W.C.A. Wijngaards
2fa1c17cd9 - Fix to avoid process wide fcntl calls mixed with nonblocking 
operations after a blocked write.
 2022-08-31 10:09:39 +02:00
W.C.A. Wijngaards
dc6c04b243 - Fix to log accept error ENFILE and EMFILE errno, but slowly, once 
per 10 seconds. Also log accept failures when no slow down is used.
 2022-08-12 09:54:29 +02:00
W.C.A. Wijngaards
ef57f8bd51 - Fix #734 [FR] enable unbound-checkconf to detect more (basic) 
errors.
 2022-08-05 14:41:05 +02:00
W.C.A. Wijngaards
f6753a0f10 - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. 2022-08-01 13:24:40 +02:00
Jonathan Gray
1464b166a4 fix use after free when WSACreateEvent() fails 2022-07-22 18:23:59 +10:00
Minghang Chen
249efd4285 Introduce infra-cache-max-rtt option to config max retransmit timeout 
Added the option and let it default to 120 seconds so that it won't change
current behavior.

Related-to #717
 2022-07-16 01:46:18 -07:00
W.C.A. Wijngaards
12cd495d55 - iana portlist update. 2022-07-15 09:20:25 +02:00
W.C.A. Wijngaards
7696398231 - Fix verbose EDE error printout. 2022-07-11 13:13:51 +02:00
George Thessalonikefs
a30286502c - Fix for correct openssl error when adding windows CA certificates to 
the openssl trust store.
 2022-07-03 22:41:39 +02:00
W.C.A. Wijngaards
80dbc7dd2c - iana portlist update. 2022-06-29 09:38:31 +02:00
W.C.A. Wijngaards
11d077c826 - Fix some lint type warnings. 2022-05-20 15:32:27 +02:00
George Thessalonikefs
7e506bb477 - Fix typos in config_set_option for the 'num-threads' and 
'ede-serve-expired' options.
 2022-05-18 19:56:26 +03:00
W.C.A. Wijngaards
e62b309959 - For #677: Added tls-system-cert to config parser and documentation. 
- Changelog note for #677.
 2022-05-12 16:30:19 +02:00
Wouter Wijngaards
2132e67b36
Merge pull request #677 from InfrastructureServices/use-system-cas 
Allow using system certificates not only on Windows
 2022-05-12 16:16:49 +02:00
Petr Mensik
0abfddd279 Allow using system certificates not only on Windows 
OpenSSL has a way to load default file. That file might contain usable
certificates to verify common connections. Allow similar trust as on
windows and leave it on openssl package to provide sane defaults.

Also provide use-system-cert alias, because it is not windows specific
anymore.
 2022-05-12 16:07:41 +02:00
W.C.A. Wijngaards
f0d91950ad - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to 
host.
 2022-05-11 17:10:42 +02:00
tcarpay
0ce36e8289
Add the basic EDE (RFC8914) cases (#604) 2022-05-06 12:48:53 +02:00
Christian Allred
d19e12ab5d Merge branch 'master' of https://github.com/NLnetLabs/unbound into restart_conf 2022-04-18 12:16:40 -07:00
George Thessalonikefs
b8e7dfa01e - Various fixes for #632: variable initialisation, convert the qinfo 
to str once, accept trailing dot in the local-zone ipset option.
 2022-03-02 14:29:56 +01:00
Wouter Wijngaards
fbbb42c9d4
Merge pull request #631 from mollyim/boringssl-compat 
Replace OpenSSL's ERR_PACK with ERR_GET_REASON
 2022-02-18 09:37:34 +01:00
Oscar Mira
78aee89201 Replace OpenSSL's ERR_PACK with ERR_GET_REASON 2022-02-17 20:20:18 +01:00
W.C.A. Wijngaards
2b90181d3a - Fix #628: A rpz-passthru action is not ending RPZ zone processing. 2022-02-15 16:20:12 +01:00
W.C.A. Wijngaards
a0feea393a - Fix #618: enabling interface-automatic disables DNS-over-TLS. 
Adds the option to list interface-automatic-ports.
 2022-02-11 10:58:53 +01:00
W.C.A. Wijngaards
e656be63f9 - Fix header comment for doxygen for authextstrtoaddr. 2022-02-02 13:20:46 +01:00
gthess
11f2e7e6ae
Merge pull request #617 from NLnetLabs/update-host-notation 
Update stub/forward-host notation to accept port and tls-auth-name
 2022-02-02 11:56:27 +01:00
George Thessalonikefs
32c3bbd249 - Change aggressive-nsec default to yes. 2022-02-02 11:25:08 +01:00
gthess
358e3a5963
Merge pull request #616 from NLnetLabs/bugfix/ratelimit 
Update ratelimit logic
 2022-02-02 11:16:04 +01:00
George Thessalonikefs
814a234876 - Update stub/forward-host notation to accept port and tls-auth-name. 
Fixes #546.
 2022-02-01 14:44:29 +01:00
W.C.A. Wijngaards
84df46289d - iana portlist update. 2022-01-31 10:53:22 +01:00
George Thessalonikefs
3086335724 - Introduce ratelimit-backoff and ip-ratelimit-backoff options for more 
aggressive rate limiting.
 2022-01-30 00:36:29 +01:00
George Thessalonikefs
f857af873e - Update ratelimit code for recent serviced_query changes and more 
accurate ratelimit calculation.
 2022-01-29 23:49:38 +01:00
George Thessalonikefs
c49e87e1b7 - Fix tls-* and ssl-* documented alternate syntax to also be available 
through remote-control and unbound-checkconf.
 2022-01-29 15:11:47 +01:00
George Thessalonikefs
f0c6d26155 - Better bookkeeping when reclaiming the TCP buffer. 2022-01-25 10:32:37 +01:00
George Thessalonikefs
c3c0186658 - Add serviced_query timer to send upstream queries outside of the mesh 
flow to prevent race conditions.
 2022-01-25 00:01:43 +01:00
W.C.A. Wijngaards
2996040c6c - Add rpz: for-downstream: yesno option, where the RPZ zone is 
authoritatively answered for, so the RPZ zone contents can be
  checked with DNS queries directed at the RPZ zone.
 2022-01-14 16:23:43 +01:00
W.C.A. Wijngaards
392c1f0f54 - Fix #596: unset the RA bit when a query is blocked by an unbound 
RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
  signal that a domain is externally blocked to clients when it
  is blocked with NXDOMAIN by unsetting RA.
 2022-01-04 13:40:07 +01:00
W.C.A. Wijngaards
4efbee08b5 - Fix compile warning for if_nametoindex on windows 64bit. 2021-12-03 10:44:47 +01:00
gthess
43615e98b5
Merge pull request #522 from sibeream/net_help_RESOURCE_LEAK 
- memory management violations fixed
 2021-12-01 03:59:32 +01:00
gthess
806a75808d
Merge pull request #562 from NLnetLabs/bugfix/reset-keepalive-per-tcp-session 
Reset keepalive per new tcp session
 2021-12-01 03:57:04 +01:00
gthess
ba9356af99
Merge pull request #555 from fobser/if_nametoindex 
Allow interface names as scope-id in IPv6 link-local addresses.
 2021-12-01 03:54:45 +01:00
W.C.A. Wijngaards
88da8ce174 - iana portlist update. 2021-11-30 15:05:27 +01:00
Wouter Wijngaards
9645228f03
Merge pull request #570 from rex4539/typos 
Fix typos
 2021-11-29 11:39:48 +01:00
tcarpay
c47e98a659
Merge pull request #563 from NLnetLabs/bugfix/general-edns-options3 
Better positioning of general EDNS option handling: revisited V2
 2021-11-15 15:14:51 +01:00
Tom Carpay
ff030fa332 Clarify KEEPALIVE EDNS0 option operation 2021-11-15 14:00:31 +00:00
Tom Carpay
e899b4cefe Make explicit whether edns options are parsed from queries or responses 2021-11-15 13:40:51 +00:00