Use SHA-256 to provide security against DNS cache poisoning. Use the SHA-256 hash function to verify that DNS answers received are for the questions originally asked. This replaces the slightly insecure SHA-1 (when compiled with DNSSEC) or the very insecure CRC32 (otherwise). Refer: CERT VU#434904.

commit: 2d765867c597db18be9d876c9c17e2c0fe1953cd [log] [tgz]
author: Simon Kelley <simon@thekelleys.org.uk> Thu Nov 12 22:06:07 2020 +0000
committer: Simon Kelley <simon@thekelleys.org.uk> Wed Dec 16 15:49:02 2020 +0000
tree: c7e1cb14604310b7daff7860e82fb0a32c6d5453
parent: 257ac0c5f7732cbc6aa96fdd3b06602234593aca [diff] [blame]
diff --git a/Makefile b/Makefile
index 78e25f0..0354e0f 100644
--- a/Makefile
+++ b/Makefile

@@ -77,7 +77,8 @@
        helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
        dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
        domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
-       poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o metrics.o
+       poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
+       metrics.o hash_questions.o
 
 hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
        dns-protocol.h radv-protocol.h ip6addr.h metrics.h
commit	2d765867c597db18be9d876c9c17e2c0fe1953cd	[log] [tgz]
author	Simon Kelley <simon@thekelleys.org.uk>	Thu Nov 12 22:06:07 2020 +0000
committer	Simon Kelley <simon@thekelleys.org.uk>	Wed Dec 16 15:49:02 2020 +0000
tree	c7e1cb14604310b7daff7860e82fb0a32c6d5453
parent	257ac0c5f7732cbc6aa96fdd3b06602234593aca [diff] [blame]