Gitiles
Code Review Sign In
gerrit.nordix.org / thekelleys / dnsmasq / 25e63f1e56f5acdcf91893a1b92ad1e0f2f552d8
commit25e63f1e56f5acdcf91893a1b92ad1e0f2f552d8[log] [tgz]
authorSimon Kelley <simon@thekelleys.org.uk>Wed Nov 25 21:17:52 2020 +0000
committerSimon Kelley <simon@thekelleys.org.uk>Wed Dec 16 15:49:03 2020 +0000
tree8a60c5b0b2d045881a1ba1a5405780b5cefb1c73
parent15b60ddf935a531269bb8c68198de012a4967156 [diff]
Handle caching with EDNS options better.

If we add the EDNS client subnet option, or the client's
MAC address, then the reply we get back may very depending on
that. Since the cache is ignorant of such things, it's not safe to
cache such replies. This patch determines when a dangerous EDNS
option is being added and disables caching.

Note that for much the same reason, we can't combine multiple
queries for the same question when dangerous EDNS options are
being added, and the code now handles that in the same way. This
query combining is required for security against cache poisoning,
so disabling the cache has a security function as well as a
correctness one.
4 files changed
tree: 8a60c5b0b2d045881a1ba1a5405780b5cefb1c73
  1. bld/
  2. contrib/
  3. dbus/
  4. debian/
  5. logo/
  6. man/
  7. po/
  8. src/
  9. .gitattributes
  10. .gitignore
  11. Android.mk
  12. CHANGELOG
  13. CHANGELOG.archive
  14. COPYING
  15. COPYING-v3
  16. dnsmasq.conf.example
  17. doc.html
  18. FAQ
  19. Makefile
  20. setup.html
  21. trust-anchors.conf
  22. VERSION