| 2023-04-07 14:33:02 |
Gordon G |
bug |
|
|
added bug |
| 2023-04-07 14:33:02 |
Gordon G |
attachment added |
|
_usr_sbin_dnsmasq.0.crash https://bugs.launchpad.net/bugs/2015562/+attachment/5661941/+files/_usr_sbin_dnsmasq.0.crash |
|
| 2023-04-07 15:01:23 |
Gordon G |
attachment added |
|
_usr_sbin_dnsmasq.0.crash https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2015562/+attachment/5661981/+files/_usr_sbin_dnsmasq.0.crash |
|
| 2023-04-07 15:02:55 |
Gordon G |
description |
Hi folks,
I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null AAAA records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through).
I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries).
I also have a static domain entry to serve NXDOMAIN for `use-application-dns.net`, signalling application not to use DoH (attached as dns-no-doh.conf). This is done to prevent applications from using DoH to bypass my local DNS server (and lose the ability to block ads).
Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&&upgrade, but there are no newer versions of this package available.
Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few TYPE65 queries towards the "blocked" domain entries.
I found a commit message which seems to fix this issue, which made it into 2.87:
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b
Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks!
------
$ lsb_release -d
Description: Ubuntu 22.04.2 LTS
$ apt-cache policy dnsmasq
dnsmasq:
Installed: 2.86-1.1ubuntu0.2
Candidate: 2.86-1.1ubuntu0.2
Version table:
*** 2.86-1.1ubuntu0.2 500
500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
100 /var/lib/dpkg/status
2.86-1.1ubuntu0.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages
2.86-1.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
------
Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com:
Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82
Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error)
Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
Core dump is also attached.
Reproduction steps:
- 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86)
- 1.5. Configure one or multiple DNS servers for dnsmasq
- 2. Copy netflix-nov6.conf and dns-no-doh.conf into /etc/dnsmasq.d/
- 3. Restart/reload dnsmasq
- 3.5 Verify that dnsmasq resolves domains correctly:
root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1
185.125.190.21
185.125.190.20
185.125.190.29
root@budgie:~# dig +short -tAAAA ubuntu.com @127.0.0.1
2620:2d:4000:1::28
2620:2d:4000:1::26
2620:2d:4000:1::27
- 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice:
root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; no servers could be reached
- 5. Check logs to verify segfault:
Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error)
Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
--
netflix-nov6.conf:
# Null AAAA response on these domains
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/::
########
dns-no-doh.conf:
## Prevent well-behaving applications from using DoH
server=/use-application-dns.net/
######## |
Hi folks,
I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null AAAA records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through).
I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries).
I also have a static domain entry to serve NXDOMAIN for `use-application-dns.net`, signalling application not to use DoH (attached as dns-no-doh.conf). This is done to prevent applications from using DoH to bypass my local DNS server (and lose the ability to block ads).
Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&&upgrade, but there are no newer versions of this package available.
Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few TYPE65 queries towards the "blocked" domain entries.
I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87:
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b
Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks!
------
$ lsb_release -d
Description: Ubuntu 22.04.2 LTS
$ apt-cache policy dnsmasq
dnsmasq:
Installed: 2.86-1.1ubuntu0.2
Candidate: 2.86-1.1ubuntu0.2
Version table:
*** 2.86-1.1ubuntu0.2 500
500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
100 /var/lib/dpkg/status
2.86-1.1ubuntu0.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages
2.86-1.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
------
Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com:
Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82
Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error)
Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
Core dump is also attached.
Reproduction steps:
- 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86)
- 1.5. Configure one or multiple DNS servers for dnsmasq
- 2. Copy netflix-nov6.conf and dns-no-doh.conf into /etc/dnsmasq.d/
- 3. Restart/reload dnsmasq
- 3.5 Verify that dnsmasq resolves domains correctly:
root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1
185.125.190.21
185.125.190.20
185.125.190.29
root@budgie:~# dig +short -tAAAA ubuntu.com @127.0.0.1
2620:2d:4000:1::28
2620:2d:4000:1::26
2620:2d:4000:1::27
- 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice:
root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; no servers could be reached
- 5. Check logs to verify segfault:
Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error)
Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
--
netflix-nov6.conf:
# Null AAAA response on these domains
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/::
########
dns-no-doh.conf:
## Prevent well-behaving applications from using DoH
server=/use-application-dns.net/
######## |
|
| 2023-04-07 15:10:17 |
Gordon G |
description |
Hi folks,
I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null AAAA records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through).
I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries).
I also have a static domain entry to serve NXDOMAIN for `use-application-dns.net`, signalling application not to use DoH (attached as dns-no-doh.conf). This is done to prevent applications from using DoH to bypass my local DNS server (and lose the ability to block ads).
Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&&upgrade, but there are no newer versions of this package available.
Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few TYPE65 queries towards the "blocked" domain entries.
I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87:
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b
Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks!
------
$ lsb_release -d
Description: Ubuntu 22.04.2 LTS
$ apt-cache policy dnsmasq
dnsmasq:
Installed: 2.86-1.1ubuntu0.2
Candidate: 2.86-1.1ubuntu0.2
Version table:
*** 2.86-1.1ubuntu0.2 500
500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
100 /var/lib/dpkg/status
2.86-1.1ubuntu0.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages
2.86-1.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
------
Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com:
Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82
Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error)
Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
Core dump is also attached.
Reproduction steps:
- 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86)
- 1.5. Configure one or multiple DNS servers for dnsmasq
- 2. Copy netflix-nov6.conf and dns-no-doh.conf into /etc/dnsmasq.d/
- 3. Restart/reload dnsmasq
- 3.5 Verify that dnsmasq resolves domains correctly:
root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1
185.125.190.21
185.125.190.20
185.125.190.29
root@budgie:~# dig +short -tAAAA ubuntu.com @127.0.0.1
2620:2d:4000:1::28
2620:2d:4000:1::26
2620:2d:4000:1::27
- 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice:
root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; no servers could be reached
- 5. Check logs to verify segfault:
Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error)
Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
--
netflix-nov6.conf:
# Null AAAA response on these domains
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/::
########
dns-no-doh.conf:
## Prevent well-behaving applications from using DoH
server=/use-application-dns.net/
######## |
Hi folks,
I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null AAAA records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through).
I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries).
Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&&upgrade, but there are no newer versions of this package available.
Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries.
I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87:
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b
Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks!
------
$ lsb_release -d
Description: Ubuntu 22.04.2 LTS
$ apt-cache policy dnsmasq
dnsmasq:
Installed: 2.86-1.1ubuntu0.2
Candidate: 2.86-1.1ubuntu0.2
Version table:
*** 2.86-1.1ubuntu0.2 500
500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
100 /var/lib/dpkg/status
2.86-1.1ubuntu0.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages
2.86-1.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
------
Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com:
Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82
Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error)
Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
Core dump is also attached.
Reproduction steps:
- 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86)
- 1.5. Configure one or multiple DNS servers for dnsmasq
- 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/
- 3. Restart/reload dnsmasq
- 3.5 Verify that dnsmasq resolves domains correctly:
root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1
185.125.190.21
185.125.190.20
185.125.190.29
root@budgie:~# dig +short -tAAAA ubuntu.com @127.0.0.1
2620:2d:4000:1::28
2620:2d:4000:1::26
2620:2d:4000:1::27
- 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice:
root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; no servers could be reached
- 5. Check logs to verify segfault:
Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error)
Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
--
netflix-nov6.conf:
# Null AAAA response on these domains
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/:: |
|
| 2023-04-17 20:56:27 |
Bryce Harrington |
attachment added |
|
Proposed commit from upstream suggested as possible fix https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2015562/+attachment/5664796/+files/fix_segfault_combining_hash_server_with_address.patch |
|
| 2023-04-17 21:19:49 |
Bryce Harrington |
tags |
|
server-todo |
|
| 2023-04-18 00:20:52 |
Ubuntu Foundations Team Bug Bot |
tags |
server-todo |
patch server-todo |
|
| 2023-04-19 15:17:26 |
Bryce Harrington |
bug |
|
|
added subscriber Ubuntu Server |
| 2023-04-19 15:24:55 |
Miriam España Acebal |
dnsmasq (Ubuntu): assignee |
|
Miriam España Acebal (mirespace) |
|
| 2023-04-19 16:23:55 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Jammy |
|
| 2023-04-19 16:23:55 |
Sergio Durigan Junior |
bug task added |
|
dnsmasq (Ubuntu Jammy) |
|
| 2023-04-19 16:26:45 |
Sergio Durigan Junior |
dnsmasq (Ubuntu Jammy): status |
New |
Triaged |
|
| 2023-04-19 16:26:52 |
Sergio Durigan Junior |
dnsmasq (Ubuntu Jammy): assignee |
|
Miriam España Acebal (mirespace) |
|
| 2023-04-19 16:26:56 |
Sergio Durigan Junior |
dnsmasq (Ubuntu): status |
New |
Fix Released |
|
| 2023-04-19 16:26:58 |
Sergio Durigan Junior |
dnsmasq (Ubuntu): assignee |
Miriam España Acebal (mirespace) |
|
|
| 2023-04-21 11:29:52 |
Miriam España Acebal |
dnsmasq (Ubuntu Jammy): status |
Triaged |
In Progress |
|
| 2023-05-17 15:27:17 |
Christian Ehrhardt |
merge proposal linked |
|
https://code.launchpad.net/~mirespace/ubuntu/+source/dnsmasq/+git/dnsmasq/+merge/442007 |
|
| 2023-06-16 18:23:34 |
Miriam España Acebal |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034135 |
|
| 2023-11-22 15:41:23 |
Miriam España Acebal |
description |
Hi folks,
I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null AAAA records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through).
I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries).
Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&&upgrade, but there are no newer versions of this package available.
Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries.
I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87:
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b
Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks!
------
$ lsb_release -d
Description: Ubuntu 22.04.2 LTS
$ apt-cache policy dnsmasq
dnsmasq:
Installed: 2.86-1.1ubuntu0.2
Candidate: 2.86-1.1ubuntu0.2
Version table:
*** 2.86-1.1ubuntu0.2 500
500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
100 /var/lib/dpkg/status
2.86-1.1ubuntu0.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages
2.86-1.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
------
Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com:
Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82
Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error)
Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
Core dump is also attached.
Reproduction steps:
- 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86)
- 1.5. Configure one or multiple DNS servers for dnsmasq
- 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/
- 3. Restart/reload dnsmasq
- 3.5 Verify that dnsmasq resolves domains correctly:
root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1
185.125.190.21
185.125.190.20
185.125.190.29
root@budgie:~# dig +short -tAAAA ubuntu.com @127.0.0.1
2620:2d:4000:1::28
2620:2d:4000:1::26
2620:2d:4000:1::27
- 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice:
root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; no servers could be reached
- 5. Check logs to verify segfault:
Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error)
Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
--
netflix-nov6.conf:
# Null AAAA response on these domains
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/:: |
[ Impact ]
Some users may face an unpleasant segmentation fault if they combine configurations options like
server=/domain/# with server|address=/domain/<ip> since the domain matching functionality was rewritten in
version 2.86.
The special server address ’#’ means "use the standard servers". The SEGV occurs due to the struct server
datastructure associated with it is passed to forward_query() call without been properly reserved and filled
due to resolvconf servers didn't belong to the priority list.
Without resolving this, dnsmasq stops running due to the SEGV and (non-experienced) users might not notice it.
[ Test Plan ]
#0.Prepare a VM or Container. i.e:
# lxc launch ubuntu-daily:jammy Jdnsmasq
#1. Install dnsmasq
# apt update && apt upgrade -y
# apt install -y dnsmasq
#2. Disable systemd-resolved service and enabling resolution through dnsmasq, configuring DNS servers through it.
# systemctl disable --now systemd-resolved.service
# rm -f /etc/resolv.conf
# cat > /etc/resolv.conf << __EOF__
nameserver 127.0.0.1
__EOF__
# echo "server=8.8.8.8" >> /etc/dnsmasq.conf (or edit the file to add it if you prefer)
# (Optional) echo "log-queries" >> /etc/dnsmasq.conf
# (optional) echo "log-debug" >> /etc/dnsmasq.conf
# systemctl start dnsmasq.service
3. Copy netflix-nov6.conf into /etc/dnsmasq.d/
# cat > /etc/dnsmasq.d/netflix-nov6.conf << __EOF__
# Null AAAA response on these domains
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/::
server=/example.com/#
address=/example.com/::
__EOF__
#4. Restart/reload dnsmasq
# systemctl restart dnsmasq
#5. Verify that dnsmasq resolves domains correctly:
root@Jdnsmasq:~# dig +short -tA ubuntu.com @127.0.0.1
185.125.190.21
185.125.190.20
185.125.190.29
root@Jdnsmasq:~# dig +short -tAAAA ubuntu.com @127.0.0.1
2620:2d:4000:1::28
2620:2d:4000:1::26
2620:2d:4000:1::27
#6. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server twice:
root@Jdnsmasq:~# dig A netflix.com @127.0.0.1
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> A netflix.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 48730
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 23 (Network Error)
;; QUESTION SECTION:
;netflix.com. IN A
;; Query time: 23 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Nov 15 16:46:19 UTC 2023
;; MSG SIZE rcvd: 46
root@Jdnsmasq-checking:~# dig A netflix.com @127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
#7. Check logs to verify segfault:
# journalctl -u dnsmasq
Apr 27 11:22:52 Jdnsmasq systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 27 11:22:53 Jdnsmasq dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 27 11:22:53 Jdnsmasq dnsmasq[111585]: config error is REFUSED (EDE: network error)
Apr 27 11:22:54 Jdnsmasq dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 27 11:22:54 Jdnsmasq systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 27 11:22:54 Jdnsmasq systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
[ Where problems could occur ]
This cherry picked commit from upstream incorporates a rewrite of the server priority list in the dnsmasq header file.
Fortunately, that headers are not exported outside dnsmasq, so it cannot impact other third-party pieces of software.
However, it can lend to think about the matching domain functionality that is being patched: could it be affect in
some way to other types of server displaced on that list? Does anything change for the rest? In other words... Is the
matching domain functionality working as expected, without behavioral changes?
This change is supported yet in lastest version of dnsmasq, so we can suppose it is well tested. But, anyway, in
[Other Info] section I included some query examples for well-known domains, so we can be more confident with this change.
Is true that there is always room for disruption in the way the domain queries are answered due to this kind of changes: that's
the situation on which problems can occur (in this case, mistmached domain: then, yes, it can affect other third parties that uses dnsmasq).
Could another SEGV situation happen attending to this matching domain patch? At first sight no, because resolvconf servers were the only entity excluded from the matching list by priority.
[ Other Info ]
Some extra test for checking the domain queries are recovering correct addresses, in basic situations:
* If we set specifically a pair or domain/address combination in dnsmasq.conf:
$ echo "address=/domain/1.2.3.4" >> /etc/dnsmasq.conf
$ systemctl restart dnsmasq
$ dig +short A domain
1.2.3.4
* If we ask for a known domain address, and we check the addres led us to the desired domain (using a web-browser, for example). We can test it
with the dnsmasq's developers themself:
$ dig +short A www.thekelleys.org.uk @127.0.0.1
thekelleys.org.uk.
85.119.82.65
-> Browse using http://85.119.82.65 and see that led you to thekelleys web page (unfortunately insecure)
[Original Description]
----------------------------------------------------------------
Hi folks,
I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null AAAA records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through).
I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries).
Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&&upgrade, but there are no newer versions of this package available.
Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries.
I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87:
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b
Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks!
------
$ lsb_release -d
Description: Ubuntu 22.04.2 LTS
$ apt-cache policy dnsmasq
dnsmasq:
Installed: 2.86-1.1ubuntu0.2
Candidate: 2.86-1.1ubuntu0.2
Version table:
*** 2.86-1.1ubuntu0.2 500
500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
100 /var/lib/dpkg/status
2.86-1.1ubuntu0.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages
2.86-1.1 500
500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
------
Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com:
Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82
Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error)
Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
Core dump is also attached.
Reproduction steps:
- 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86)
- 1.5. Configure one or multiple DNS servers for dnsmasq
- 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/
- 3. Restart/reload dnsmasq
- 3.5 Verify that dnsmasq resolves domains correctly:
root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1
185.125.190.21
185.125.190.20
185.125.190.29
root@budgie:~# dig +short -tAAAA ubuntu.com @127.0.0.1
2620:2d:4000:1::28
2620:2d:4000:1::26
2620:2d:4000:1::27
- 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice:
root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; no servers could be reached
- 5. Check logs to verify segfault:
Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error)
Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
--
netflix-nov6.conf:
# Null AAAA response on these domains
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/:: |
|
| 2023-11-22 15:41:40 |
Miriam España Acebal |
summary |
Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) |
[SRU] Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) |
|
| 2023-11-25 03:45:29 |
Ubuntu Archive Robot |
bug |
|
|
added subscriber Sergio Durigan Junior |
| 2023-12-12 07:12:04 |
Timo Aaltonen |
dnsmasq (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
| 2023-12-12 07:12:05 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2023-12-12 07:12:06 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
| 2023-12-12 07:12:10 |
Timo Aaltonen |
tags |
patch server-todo |
patch server-todo verification-needed verification-needed-jammy |
|
| 2024-01-02 11:19:47 |
Christian Ehrhardt |
tags |
patch server-todo verification-needed verification-needed-jammy |
patch server-todo verification-done verification-done-jammy |
|
| 2024-01-09 19:50:18 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2024-01-09 19:50:17 |
Launchpad Janitor |
dnsmasq (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
