After further testing, I can also see the crash occurs without with the `dns-no-doh.conf` config snippet loaded, even for a regular `A` record (so the TYPE65 query is also a red herring):
root@budgie:~# dig +short -tA test.netflix.net @127.0.0.1 root@budgie:~# dig +short -tA test.netflix.net @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached root@budgie:~# journalctl -fu dnsmasq ... Apr 07 14:53:50 budgie dnsmasq[116972]: query[A] occ-0-4415-3211.1.nflxso.net from 127.0.0.1 Apr 07 14:53:50 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 14:53:50 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. This further makes me think the commit I linked in my initial bug report is indeed the fix for this segfault. The reproduction steps can be narrowed down to only using the netflix- nov6.conf configuration snippet, and performing a simple A record query on the subdomain of any of the domains listed in the snippet. Coredump attached of the segfault during this simplified repro. ** Attachment added: "_usr_sbin_dnsmasq.0.crash" https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2015562/+attachment/5661981/+files/_usr_sbin_dnsmasq.0.crash ** Description changed: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null AAAA records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). I also have a static domain entry to serve NXDOMAIN for `use- application-dns.net`, signalling application not to use DoH (attached as dns-no-doh.conf). This is done to prevent applications from using DoH to bypass my local DNS server (and lose the ability to block ads). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&&upgrade, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few TYPE65 queries towards the "blocked" domain entries. - I found a commit message which seems to fix this issue, which made it into 2.87: + I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! ------ $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: - Installed: 2.86-1.1ubuntu0.2 - Candidate: 2.86-1.1ubuntu0.2 - Version table: - *** 2.86-1.1ubuntu0.2 500 - 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages - 100 /var/lib/dpkg/status - 2.86-1.1ubuntu0.1 500 - 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages - 2.86-1.1 500 - 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages + Installed: 2.86-1.1ubuntu0.2 + Candidate: 2.86-1.1ubuntu0.2 + Version table: + *** 2.86-1.1ubuntu0.2 500 + 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages + 100 /var/lib/dpkg/status + 2.86-1.1ubuntu0.1 500 + 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages + 2.86-1.1 500 + 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages ------ Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf and dns-no-doh.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -tAAAA ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error) Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. -- netflix-nov6.conf: # Null AAAA response on these domains server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# address=/netflix.net/:: server=/nflxext.com/# address=/nflxext.com/:: ######## dns-no-doh.conf: ## Prevent well-behaving applications from using DoH server=/use-application-dns.net/ ######## -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2015562 Title: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream) Status in dnsmasq package in Ubuntu: New Bug description: Hi folks, I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null AAAA records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through). I've been using very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries). Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted do an apt update&&upgrade, but there are no newer versions of this package available. Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries. I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b Would it be possible to backport this into the version used in the current LTS Ubuntu release? Thanks! ------ $ lsb_release -d Description: Ubuntu 22.04.2 LTS $ apt-cache policy dnsmasq dnsmasq: Installed: 2.86-1.1ubuntu0.2 Candidate: 2.86-1.1ubuntu0.2 Version table: *** 2.86-1.1ubuntu0.2 500 500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages 100 /var/lib/dpkg/status 2.86-1.1ubuntu0.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages 2.86-1.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages ------ Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com: Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82 Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error) Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82 Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. Core dump is also attached. Reproduction steps: - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86) - 1.5. Configure one or multiple DNS servers for dnsmasq - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/ - 3. Restart/reload dnsmasq - 3.5 Verify that dnsmasq resolves domains correctly: root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1 185.125.190.21 185.125.190.20 185.125.190.29 root@budgie:~# dig +short -tAAAA ubuntu.com @127.0.0.1 2620:2d:4000:1::28 2620:2d:4000:1::26 2620:2d:4000:1::27 - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice: root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1 ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: connection refused ;; communications error to 127.0.0.1#53: connection refused ;; no servers could be reached - 5. Check logs to verify segfault: Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error) Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1 Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'. -- netflix-nov6.conf: # Null AAAA response on these domains server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# address=/netflix.net/:: server=/nflxext.com/# address=/nflxext.com/:: To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2015562/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
