b0d43be2f3
updated 200-ubus_dns.patch all remaining patches not required Changelog for version 2.91 - https://thekelleys.org.uk/dnsmasq/CHANGELOG version 2.91 Fix spurious "resource limit exceeded messages". Thanks to Dominik Derigs for the bug report. Fix out-of-bounds heap read in order_qsort(). We only need to order two server records on the ->serial field. Literal address records are smaller and don't have this field and don't need to be ordered on it. To actually provoke this bug seems to need the same server-literal to be repeated twice, e.g., --address=/a/1.1.1.1 --address-/a/1.1.1.1 which is clearly rare in the wild, but if it did exist it could provoke a SIGSEGV. Thanks to Daniel Rhea for fuzzing this one. Fix buffer overflow when configured lease-change script name is too long. Thanks to Daniel Rhea for finding this one. Improve behaviour in the face of non-responsive upstream TCP DNS servers. Without shorter timeouts, clients are blocked for too long and fail with their own timeouts. Set --fast-dns-retries by default when doing DNSSEC. A single downstream query can trigger many upstream queries. On an unreliable network, there may not be enough downstream retries to ensure that all these queries complete. Improve behaviour in the face of truncated answers to queries for DNSSEC records. Getting these answers by TCP doesn't now involve a faked truncated answer to the downstream client to force it to move to TCP. This improves performance and robustness in the face of broken clients which can't fall back to TCP. No longer remove data from truncated upstream answers. If an upstream replies with a truncated answer, but the answer has some RRs included, return those RRs, rather than returning and empty answer. Fix handling of EDNS0 UDP packet sizes. When talking upstream we always add a pseudo header, and set the UDP packet size to --edns-packet-max. Answering queries from downstream, we get the answer (either from upstream or local data) If local data won't fit the advertised size (or 512 if there's not an EDNS0 header) return truncated. If upstream returns truncated, do likewise. If upstream is OK, but the answer is too big for downstream, truncate the answer. Modify the behaviour of --synth-domain for IPv6. When deriving a domain name from an IPv6 address, an address such as 1234:: would become 1234--.example.com, which is not legal in IDNA2008. Stop using the :: compression method, so 1234:: becomes 1234-0000-0000-0000-0000-0000-0000-0000.example.com Fix broken dhcp-relay on *BSD. Thanks to Harold for finding this problem. Add --dhcp-option-pxe config. This acts almost exactly like --dhcp-option except that the defined option is only sent when replying to PXE clients. More importantly, these options are sent in reply PXE clients when dnsmasq in acting in PXE proxy mode. In PXE proxy mode, the set of options sent is defined by the PXE standard and the normal set of options is not sent. This config allows arbitrary options in PXE-proxy replies. A typical use-case is to send option 175 to iPXE. Thanks to Jason Berry for finding the requirement for this. Support PXE proxy-DHCP and DHCP-relay at the same time. When using PXE proxy-DHCP, dnsmasq supplies PXE information to the client, which also talks to another "normal" DHCP server for address allocation and similar. The normal DHCP server may be on the local network, but it may also be remote, and accessed via a DHCP relay. This change allows dnsmasq to act as both a PXE proxy-DHCP server AND a DHCP relay for the same network. Fix erroneous "DNSSEC validated" state with non-DNSSEC upstream servers. Thanks to Dominik Derigs for the bug report. Handle queries with EDNS client subnet fields better. If dnsmasq is configured to add an EDNS client subnet to a query, it is careful to suppress use of the cache, since a cached answer may not be valid for a query with a different client subnet. Extend this behaviour to queries which arrive a dnsmasq already carrying an EDNS client subnet. Handle DS queries to auth zones. When dnsmasq is configured to act as an authoritative server and has an authoritative zone configured, and receives a query for that zone _as_forwarder_ it answers the query directly rather than forwarding it. This doesn't affect the answer, but it saves dnsmasq forwarding the query to the recursor upstream, which then bounces it back to dnsmasq in auth mode. The exception should be when the query is for the root of zone, for a DS RR. The answer to that has to come from the parent, via the recursor, and will typically be a proof-of-non-existence since dnsmasq doesn't support signed zones. This patch suppresses local answers and forces forwarding to the upstream recursor for such queries. It stops breakage when a DNSSEC validating client makes queries to dnsmasq acting as forwarder for a zone for which it is authoritative. Implement "DNS-0x20 encoding", for extra protection against reply-spoof attacks. Since DNS queries are case-insensitive, it's possible to randomly flip the case of letters in a query and still get the correct answer back. This adds an extra dimension for a cache-poisoning attacker to guess when sending replies in-the-blind since it's expected that the legitimate answer will have the same pattern of upper and lower case as the query, so any replies which don't can be ignored as malicious. The amount of extra entropy clearly depends on the number of a-z and A-Z characters in the query, and this implementation puts a hard limit of 32 bits to make resource allocation easy. This about doubles entropy over the standard random ID and random port combination. This technique can interact badly with rare broken DNS servers which don't preserve the case of the query in their reply. The first time a reply is returned which matches the query in all respects except case, a warning will be logged. In this release, 0x020-encoding is default-off and must be explicitly enabled with --do-0x20-encoding. In future releases it may default on. You can avoid a future release changing the behaviour of an installation with --no-x20-encode. Fix a long-standing problem when two queries which are identical in every repect _except_ case, get combined by dnsmasq. If dnsmasq gets eg, two queries for example.com and Example.com in quick succession it will get the answer for example.com from upstream and send that answer to both requestors. This means that the query for Example.com will get an answer for example.com, and in the modern DNS, that answer may not be accepted. Signed-off-by: Rudy Andram <rmandrad@gmail.com> Link: https://github.com/openwrt/openwrt/pull/18357 Signed-off-by: Robert Marko <robimarko@gmail.com>
OpenWrt Project is a Linux operating system targeting embedded devices. Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application. For developers, OpenWrt is the framework to build an application without having to build a complete firmware around it; for users this means the ability for full customization, to use the device in ways never envisioned.
Sunshine!
Download
Built firmware images are available for many architectures and come with a package selection to be used as WiFi home router. To quickly find a factory image usable to migrate from a vendor stock firmware to OpenWrt, try the Firmware Selector.
If your device is supported, please follow the Info link to see install instructions or consult the support resources listed below.
An advanced user may require additional or specific package. (Toolchain, SDK, ...) For everything else than simple firmware download, try the wiki download page:
Development
To build your own firmware you need a GNU/Linux, BSD or macOS system (case sensitive filesystem required). Cygwin is unsupported because of the lack of a case sensitive file system.
Requirements
You need the following tools to compile OpenWrt, the package names vary between distributions. A complete list with distribution specific packages is found in the Build System Setup documentation.
binutils bzip2 diff find flex gawk gcc-6+ getopt grep install libc-dev libz-dev
make4.1+ perl python3.7+ rsync subversion unzip which
Quickstart
-
Run
./scripts/feeds update -ato obtain all the latest package definitions defined in feeds.conf / feeds.conf.default -
Run
./scripts/feeds install -ato install symlinks for all obtained packages into package/feeds/ -
Run
make menuconfigto select your preferred configuration for the toolchain, target system & firmware packages. -
Run
maketo build your firmware. This will download all sources, build the cross-compile toolchain and then cross-compile the GNU/Linux kernel & all chosen applications for your target system.
Related Repositories
The main repository uses multiple sub-repositories to manage packages of
different categories. All packages are installed via the OpenWrt package
manager called opkg. If you're looking to develop the web interface or port
packages to OpenWrt, please find the fitting repository below.
-
LuCI Web Interface: Modern and modular interface to control the device via a web browser.
-
OpenWrt Packages: Community repository of ported packages.
-
OpenWrt Routing: Packages specifically focused on (mesh) routing.
-
OpenWrt Video: Packages specifically focused on display servers and clients (Xorg and Wayland).
Support Information
For a list of supported devices see the OpenWrt Hardware Database
Documentation
Support Community
- Forum: For usage, projects, discussions and hardware advise.
- Support Chat: Channel
#openwrton oftc.net.
Developer Community
- Bug Reports: Report bugs in OpenWrt
- Dev Mailing List: Send patches
- Dev Chat: Channel
#openwrt-develon oftc.net.
License
OpenWrt is licensed under GPL-2.0