diff options
author | Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> | 2016-09-07 11:13:52 +0100 |
---|---|---|
committer | Felix Fietkau <nbd@nbd.name> | 2016-09-08 15:28:38 +0200 |
commit | 03cd41679597364ca0b382646b35cb5d06465d1b (patch) | |
tree | 487d9cc59d1d60e8d9375e985b8d0fc5010aebd6 | |
parent | c4bfb119d85bcd5faf569f9cc83628ba19f58a1f (diff) | |
download | mtk-20170518-03cd41679597364ca0b382646b35cb5d06465d1b.zip mtk-20170518-03cd41679597364ca0b382646b35cb5d06465d1b.tar.gz mtk-20170518-03cd41679597364ca0b382646b35cb5d06465d1b.tar.bz2 |
dnsmasq: Don't expose *.bind data incl version
Don't expose dnsmasq version & other data to clients via the *.bind
pseudo domain. This uses a new 'NO_ID' compile time option which has been
discussed and submitted upstream.
This is an alternate to replacing version with 'unknown' which affects
the version reported to syslog and 'dnsmasq --version'
Run time tested with & without NO_ID on Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
-rw-r--r-- | package/network/services/dnsmasq/Makefile | 2 | ||||
-rw-r--r-- | package/network/services/dnsmasq/patches/120-dnsmasq-compile-time-option-NO_ID.patch | 149 |
2 files changed, 150 insertions, 1 deletions
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index d5acef5..65564a0 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -112,7 +112,7 @@ Package/dnsmasq-full/conffiles = $(Package/dnsmasq/conffiles) TARGET_CFLAGS += -ffunction-sections -fdata-sections TARGET_LDFLAGS += -Wl,--gc-sections -COPTS = $(if $(CONFIG_IPV6),,-DNO_IPV6) +COPTS = -DNO_ID $(if $(CONFIG_IPV6),,-DNO_IPV6) ifeq ($(BUILD_VARIANT),nodhcpv6) COPTS += -DNO_DHCP6 diff --git a/package/network/services/dnsmasq/patches/120-dnsmasq-compile-time-option-NO_ID.patch b/package/network/services/dnsmasq/patches/120-dnsmasq-compile-time-option-NO_ID.patch new file mode 100644 index 0000000..152d1a7 --- /dev/null +++ b/package/network/services/dnsmasq/patches/120-dnsmasq-compile-time-option-NO_ID.patch @@ -0,0 +1,149 @@ +From f6bea86c78ba9efbd01da3dd2fb18764ec806290 Mon Sep 17 00:00:00 2001 +From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> +Date: Wed, 7 Sep 2016 09:35:07 +0100 +Subject: [PATCH] dnsmasq: compile time option NO_ID + +Some consider it good practice to obscure software version numbers to +clients. Compiling with -DNO_ID removes the *.bind info structure. +This includes: version, author, copyright, cachesize, cache insertions, +evictions, misses & hits, auth & servers. + +Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> +--- + src/cache.c | 2 ++ + src/config.h | 5 +++++ + src/dnsmasq.h | 4 ++++ + src/option.c | 8 ++++++-- + src/rfc1035.c | 3 ++- + 5 files changed, 19 insertions(+), 3 deletions(-) + +--- a/src/cache.c ++++ b/src/cache.c +@@ -1290,6 +1290,7 @@ void cache_add_dhcp_entry(char *host_nam + } + #endif + ++#ifndef NO_ID + int cache_make_stat(struct txt_record *t) + { + static char *buff = NULL; +@@ -1385,6 +1386,7 @@ int cache_make_stat(struct txt_record *t + *buff = len; + return 1; + } ++#endif + + /* There can be names in the cache containing control chars, don't + mess up logging or open security holes. */ +--- a/src/config.h ++++ b/src/config.h +@@ -120,6 +120,8 @@ HAVE_LOOP + HAVE_INOTIFY + use the Linux inotify facility to efficiently re-read configuration files. + ++NO_ID ++ Don't report *.bind CHAOS info to clients. + NO_IPV6 + NO_TFTP + NO_DHCP +@@ -434,6 +436,9 @@ static char *compile_opts = + "no-" + #endif + "DNSSEC " ++#ifdef NO_ID ++"no-ID " ++#endif + #ifndef HAVE_LOOP + "no-" + #endif +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -286,6 +286,7 @@ struct naptr { + struct naptr *next; + }; + ++#ifndef NO_ID + #define TXT_STAT_CACHESIZE 1 + #define TXT_STAT_INSERTS 2 + #define TXT_STAT_EVICTIONS 3 +@@ -293,6 +294,7 @@ struct naptr { + #define TXT_STAT_HITS 5 + #define TXT_STAT_AUTH 6 + #define TXT_STAT_SERVERS 7 ++#endif + + struct txt_record { + char *name; +@@ -1078,7 +1080,9 @@ void cache_add_dhcp_entry(char *host_nam + struct in_addr a_record_from_hosts(char *name, time_t now); + void cache_unhash_dhcp(void); + void dump_cache(time_t now); ++#ifndef NO_ID + int cache_make_stat(struct txt_record *t); ++#endif + char *cache_get_name(struct crec *crecp); + char *cache_get_cname_target(struct crec *crecp); + struct crec *cache_enumerate(int init); +--- a/src/option.c ++++ b/src/option.c +@@ -657,7 +657,8 @@ static int atoi_check8(char *a, int *res + return 1; + } + #endif +- ++ ++#ifndef NO_ID + static void add_txt(char *name, char *txt, int stat) + { + struct txt_record *r = opt_malloc(sizeof(struct txt_record)); +@@ -670,13 +671,14 @@ static void add_txt(char *name, char *tx + *(r->txt) = len; + memcpy((r->txt)+1, txt, len); + } +- ++ + r->stat = stat; + r->name = opt_string_alloc(name); + r->next = daemon->txt; + daemon->txt = r; + r->class = C_CHAOS; + } ++#endif + + static void do_usage(void) + { +@@ -4515,6 +4517,7 @@ void read_opts(int argc, char **argv, ch + daemon->soa_expiry = SOA_EXPIRY; + daemon->max_port = MAX_PORT; + ++#ifndef NO_ID + add_txt("version.bind", "dnsmasq-" VERSION, 0 ); + add_txt("authors.bind", "Simon Kelley", 0); + add_txt("copyright.bind", COPYRIGHT, 0); +@@ -4527,6 +4530,7 @@ void read_opts(int argc, char **argv, ch + add_txt("auth.bind", NULL, TXT_STAT_AUTH); + #endif + add_txt("servers.bind", NULL, TXT_STAT_SERVERS); ++#endif + + while (1) + { +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -1264,6 +1264,7 @@ size_t answer_request(struct dns_header + unsigned long ttl = daemon->local_ttl; + int ok = 1; + log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>"); ++#ifndef NO_ID + /* Dynamically generate stat record */ + if (t->stat != 0) + { +@@ -1271,7 +1272,7 @@ size_t answer_request(struct dns_header + if (!cache_make_stat(t)) + ok = 0; + } +- ++#endif + if (ok && add_resource_record(header, limit, &trunc, nameoffset, &ansp, + ttl, NULL, + T_TXT, t->class, "t", t->len, t->txt)) |