Beta Asuswrt-Merlin 3004.388.6_x test builds (dnsmasq 2.90)

[RMerlin]

Hi everyone,

I've uploaded Asuswrt-Merlin 3004.388.6_1 test builds that include dnsmasq 2.90 (which contains two security fixes related to DNSSEC).

OneDrive

www.asuswrt-merlin.net

Please give these builds a try, both with and without DNSSEC enabled. Let me know if there are any new issues related to DNS (I am not interested in feedback relative to anything else at this time).

 

[cc666]

Are we at risk if we have DNSECC enabled with the current .6 firmware?

CC

 

[RMerlin]

Are we at risk if we have DNSECC enabled with the current .6 firmware?

CC

CVE 2023-50868 and CVE 2023-50387 in dnsmasq when DNSSEC is enabled

Two new CVEs were revealed related to DNSSEC support in dnsmasq. A specially crafted record can generate a DoS against dnsmasq, causing it to exhaust its resources. While dnsmasq 2.90 was released with a fix, initial reports indicate that it causes other issues, breaking DNSSEC for some...

www.snbforums.com

 

[Morris]

Upgraded RT-AX86U to 3004.388.6_1 and all is good. I don't run DNSSEC to provide the no DNSSEC view.

 

[Treadler]

Working fine here, both with & without DNSSEC enabled.

 

[FLA_NL]

Upgraded to 3004.388.6_1-g7c86063034 from 3004.388.6. For me it works with and without DNSSEC enabled.

 

[Volt]

Thanks for keeping updating firmware for RT-AX56U!

 

[Quoc Huynh]

Thanks for keeping us with the security fix! I upgrade my RT-AX88U from 3004.388.6 to the new beta firmware 5 hours ago without any issue, and it works nicely with DNSSEC enabled.
Edited to add that no "limit exceeded" message found after 15 hours of running.

 

[JGrana]

Upgraded my AX88U Pro - anytime a new dnsmasq version comes out - I'm eager to test.

System is running fine, no DNSSEC enabled.

I do still see the kernel report a dnsmasq Tainted error on startup. Its been there since dnsmasq 2.6 (usually after YazDHCP starts).

Feb 16 07:26:01 kernel: CPU: 3 PID: 2362 Comm: dnsmasq Tainted: P           O      4.19.183 #1

But, system is stable - not going to worry about it at this time.

 

[Unisoft]

cautiously did it on one AX86U. DNSSec still works and confirmed by test tools. IPv4 network (ISP). No issues so far, remote apps still work etc. and I use DNS over TLS too.

18/02/2024 - UPDATE:
Done the update on two other remote AX86U and all seems to be OK.
I read Merlin tried js7k.com didn't work, and I also didn't get it to work either.

 

[archiel]

Installed on RT-AX88U. Not using DNSSec directly, but I am using unbound (script by @Martineau) and I assume (but don't know) that this leverages whatever DNSSec is installed by default.

Nothing unexpected in logs files, DNScheck looks normal, no obvious issue with the other installed scripts and remote access via WireGuard working fine.

 

[Ripshod]

Good to stay ahead of threats. Installed just fine, no complaints from DNSSEC and fine with it off too.

 

[dave14305]

Keep an eye out for any new dnsmasq syslog messages saying “limit exceeded” (with DNSSEC enabled). That could suggest that the new dnsmasq option dnssec-limits needs to be adjusted.

 

[RMerlin]

I do still see the kernel report a dnsmasq Tainted error on startup. Its been there since dnsmasq 2.6 (usually after YazDHCP starts).

Nothing tainted about dnsmasq. Let me re-divide this line to make it clearer what it means exactly:

CPU: 3
PID: 2362
Comm: dnsmasq
Tainted: P O

"Tainted" is the heading for the P and O flags that follows it. It says the kernel is considered tainted because it runs non-GPL Proprietary modules ("P") and it also includes modules compiled Outside of the kernel tree ("O"ut of Tree).

What this says is that dnsmasq crashed. If it does when YazDHCP starts then it might be doing something triggering it.

dnsmasq is monitored by the watchdog and should automatically get restarted.

 

[TonyK132]

I did a dirty update from 0.6 about 4 hrs ago. Seems to be OK, although I have seen some weirdness when loading the GUI. My DNSMASQ setting is OFF. I too am using Unbound.

 

[dave14305]

I too am using Unbound.

Which is also vulnerable until Entware can publish v1.19.1.

 

[JoJoDaClown]

Dirty update from 3004.388.6_0 to 3004.388.6_1. Programs that reach out to an external server to check for updates have not been able to connect. If I go back to 3004.388.6_0 the programs work fine.

 

[RMerlin]

Programs that reach out to an external server to check for updates have not been able to connect.

Can you elaborate? Is it failing to connect, or to resolve the address of the server?

 

[Damit1]

Keep an eye out for any new dnsmasq syslog messages saying “limit exceeded” (with DNSSEC enabled). That could suggest that the new dnsmasq option dnssec-limits needs to be adjusted.

@RMerlin
Please care to pay attention to that, not sure what its true importance.

Upgraded my router only, DNSSec is enabled.
No issues popped, tried my VPN (Instand Guard), DDNS, and normal browsing.

Nothing to worry about.

 

[AntonK]

Updated from 3004.388.6_1 to this fix release. Everything running fine whether DNSSEC is enabled or not. No "limit exceeded" messages in my Syslog.

Thanks RMerlin!