Age | Commit message (Collapse) | Author |

IP address, port and authentication name.
This makes print_config less awkward and fixes a bug where an
alternative port number was not printed.

validates, measure how well it is doing.
We keep track of the round trip median time of past queries and sort
strategies according to this in addition to the more basic qualities
of does it resolve and does it validate. If a query is not answered
within the median time the next best strategy gets a chance. The most
preferred strategy (either from the config file or defaults) gets an
additional head start of 200ms.
A response of SERVFAIL also advances to the next best strategy. This
is helpful when the picked strategy can only see parts of the internet
but another strategy can reach more.
This alone gets us past quite a few captive portals already.
Additionally we doubt NXDOMAIN from anything but the stub resolver for
the first 5 minutes after a network change. This is probably as good
as the http check we had previously but more tests are needed.
This was inspired by RFC 8305, "Happy Eyeballs".
OK otto

reuse in the future.
OK otto

OK otto

Avoid an extra parameter and set NULL initialised conffile conditionally.
From Matthew Martin <phy1729 at gmail dot com>, thanks!

Default /etc/unwind.conf is optional and may be missing, but explicitly
specified files should exist.
OK florian

unwindctl suggests; ok florian@

The frontend doesn't know.

daemon. Soon to be used by slaacd(8) which handles all interfaces but
can't know which interfaces had been set to autoconf before a restart.

daemon and interface. An empty list is automatically a withdrawal.
prodding deraadt@

prodding deraadt@

otherwise we try to parse an invalid packet.
This can be triggered by captive_portal_resolve_done() when dhcp
provided nameservers do not answer and asr hits a timeout.
answer_packet is NULL and answer_len -1 in that case.
Found the hard way by claudio

Someone please make this pretty.
Tested by deraadt as part of a larger diff.

slaacd should be changed as well.
Tested by deraadt as part of a larger diff.

Tested by deraadt as part of a larger diff.

captive portal host internally via the resolver process.
deraadt and me observed weird captive portal checking hangs inside of
unwind if only 127.0.0.1 was listed as a nameserver in resolv.conf
with the old code.

self-DoS under high query rate and constant failures.

pass through resolve() and either asr_resolve_done() or
ub_resolve_done().
With that we can pull resolver_ref() and resolver_unref() into those
functions to make the reference counting easier.
Only check_resolver is special since it needs to refcount the to be
checked resolver. But the resolver doing the actual work is
automatically refcounted by resolve() and *_resolve_done().
One last piece of the puzzle is to track the uw_resolver object in
cb_data so that the *_resolve_done() functions have access to it.
This also allows us to remove the ad-hoc passing of the resolver in
query_imsg. Since the callback functions all need access to the
resolver that did the work we pass it in as first argument.
OK otto

distinguish between an external query and check_resolver().
Also switch trust_anchor_resolve() over which was special.

resolver type.

We are not using that feature so stop tracking the value.

autoconfiguration daemons. Currently only slaacd is switched over so
we need to keep the lease file parsing.

error prone than manually editing rc.conf.local, and also works to
enable ipsec and accounting.
tweak from schwarze@ to use the \(dq\(dq syntax for quotes in '.Dl
foo_flags="" lines' instead of \&"\&".
while at it, fix a reference to a bogus /dev/dhclient.conf file that
recently snuck in.
ok jmc@ deraadt@ schwarze@

future work to be able to easily delete elements while iterating.
OK kn

start unwind earlier, before /var is mounted.
discussed with deraadt

More people know what a "stub" resolver is than asr.
Pointed out by & discussed with deraadt
Input & OK otto

forward queries for certain reverse zones (e.g. RFC1918 space). The
local network might use them and it's the policy of the upstream
nameserver what should be done with these.
Of course if we are recursively resolving ourselves these should not
leak to the global internet so we continue to synthesize NXDOMAIN
ourselves.
For now we also always synthesize NXDOMAIN for special use domains like
test and onion.
Pointed out by henning.
Input & OK sthen

strategy to get past it. This is also true when we don't know yet if
we are behind a captive portal.
However, when the nameservers dhcp hands us are unreachable (e.g.
because they are down) asr is dead, we are still using it and we are
now stuck.
Only force to asr if we know that it is working. If we are behind a
captive portal and the dhcp nameservers are dead we probably won't get
past it. But if we are in a network with unreachable dhcp nameservers
we will make progress.
Stumbled upon by remi while blocking port 53 in pf.
OK remi

unwind should now be able to work in networks with crappy middle boxes.
We also need to switch to the ASR resolver, not DHCP when we are behind
a captive portal. Some captive portals let through DNS queries with edns0
options but the "click here to accept the terms of service page" is not
resolvable with edns0.

libc asynchronous resolver directly with DHCP provided nameservers.
This is a last-ditch effort when we find ourselves behind a completely
broken middle-box.
Input & OK otto
OK benno

OK benno

a couple of times by declaring optional stuff the proper way. ok @florian

responsible for freeing allocated memory.

worker_handle_request() in unbound(8).