Given this innocent /etc/resolv.conf:

    # Generated by resolvconf
    # nameserver 192.168.1.1

    # nameserver 8.8.8.8
    nameserver 127.0.0.1
    options edns0

(the third line needs to be empty) ldns actually sends requests to google DNS.

Stripped-down example:

    cat >/etc/resolv.conf <<EOF
    # g
    # nameserver 8.8.8.8
    EOF
    drill www.google.com
    host www.google.com

(there is no resolver running on localhost)

This problem can lead to information leakage and (which hit me) break our setup, where local_unbound is serving a private zone, but google was contacted instead.

Filed upstream, more details (and suggested solutions) can be found here: https://github.com/NLnetLabs/ldns/issues/237

CCed des and emaste, as they did the last import of ldns in 13.3
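To see what a resolv.conf(5)-conforming parser should produce for the files in the report, and to audit a host for commented-out nameserver lines that a pre-fix ldns could honour, here is an added example (my own code, not from the report or from ldns); the sample inputs are the two files quoted above, and the `audit` function name is my own:

```python
"""Audit a resolv.conf for nameserver lines hidden inside comments.

Per resolv.conf(5), a line whose first non-blank character is '#' or ';'
is a comment and carries no configuration. A resolver that treats
"# nameserver 8.8.8.8" as a live directive sends queries to a server the
administrator deliberately disabled.
"""
import re

COMMENT_CHARS = ("#", ";")
# Matches a nameserver directive that sits inside a comment line.
_COMMENTED_NS = re.compile(r"^[#;]\s*nameserver\s+(\S+)")


def parse_resolv_conf(text):
    """Return (nameservers, options, commented_nameservers).

    nameservers: what a conforming resolver uses (empty list means the
    libc default of the local host applies).
    commented_nameservers: addresses found only in comment lines; a
    parser that ignores the comment marker would pick these up.
    """
    nameservers, options, commented = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(COMMENT_CHARS):
            m = _COMMENTED_NS.match(line)
            if m:
                commented.append(m.group(1))
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            nameservers.append(fields[1])
        elif fields[0] == "options":
            options.extend(fields[1:])
    return nameservers, options, commented


def audit(text):
    """Return human-readable findings for one resolv.conf's contents."""
    nameservers, _, commented = parse_resolv_conf(text)
    findings = []
    if not nameservers:
        findings.append("no active nameserver; conforming resolvers use localhost")
    for addr in commented:
        findings.append(f"commented-out nameserver {addr} could be queried by a "
                        "parser that ignores comment markers")
    return findings


# Both inputs are the files quoted in the bug report.
STRIPPED = "# g\n# nameserver 8.8.8.8\n"
FULL = ("# Generated by resolvconf\n# nameserver 192.168.1.1\n\n"
        "# nameserver 8.8.8.8\nnameserver 127.0.0.1\noptions edns0\n")

if __name__ == "__main__":
    for finding in audit(open("/etc/resolv.conf").read()):
        print(finding)
```

Running the module on a live system prints one line per commented-out nameserver; an empty output means no such line exists and the ldns bug cannot redirect queries from that file.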
This also affects 14.0-RELEASE, 14.1-BETA1 and CURRENT
There is an upstream fix available now (not merged yet): https://github.com/NLnetLabs/ldns/pull/238
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3b092e4936c433889cc668ea9563c8fd437d1a3e

commit 3b092e4936c433889cc668ea9563c8fd437d1a3e
Merge: 154ad8e0f88f 4891157c57cc
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2024-05-15 10:16:24 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2024-05-15 10:20:15 +0000

    ldns: Ignore commented-out lines in resolv.conf.

    This merges upstream PR 238 + an additional bug fix.

    PR:             278721
    MFC after:      1 week

 contrib/ldns/ldns/parse.h |  2 ++
 contrib/ldns/parse.c      | 35 +++++++++++++++++++++++++++----
 contrib/ldns/resolver.c   | 53 ++++++++---------------------------------------
 3 files changed, 42 insertions(+), 48 deletions(-)
Upstream merged the commit.
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=7daf36028411c3a9c73e0c75732f9cbcbf66362e

commit 7daf36028411c3a9c73e0c75732f9cbcbf66362e
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2024-05-15 10:16:24 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2024-05-20 09:04:54 +0000

    ldns: Ignore commented-out lines in resolv.conf.

    This merges upstream PR 238 + an additional bug fix.

    PR:             278721
    MFC after:      1 week

    (cherry picked from commit 3b092e4936c433889cc668ea9563c8fd437d1a3e)

 contrib/ldns/ldns/parse.h |  2 ++
 contrib/ldns/parse.c      | 35 +++++++++++++++++++++++++++----
 contrib/ldns/resolver.c   | 53 ++++++++---------------------------------------
 3 files changed, 42 insertions(+), 48 deletions(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=e95e16191f63240971687634a23c2defed64d713

commit e95e16191f63240971687634a23c2defed64d713
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2024-05-15 10:16:24 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2024-05-20 09:04:59 +0000

    ldns: Ignore commented-out lines in resolv.conf.

    This merges upstream PR 238 + an additional bug fix.

    PR:             278721
    MFC after:      1 week

    (cherry picked from commit 3b092e4936c433889cc668ea9563c8fd437d1a3e)

 contrib/ldns/ldns/parse.h |  2 ++
 contrib/ldns/parse.c      | 35 +++++++++++++++++++++++++++----
 contrib/ldns/resolver.c   | 53 ++++++++---------------------------------------
 3 files changed, 42 insertions(+), 48 deletions(-)
A commit in branch releng/14.1 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=5df49242be716cd8736fd10086dc6b31af1eafbd

commit 5df49242be716cd8736fd10086dc6b31af1eafbd
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2024-05-15 10:16:24 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2024-05-20 20:37:46 +0000

    ldns: Ignore commented-out lines in resolv.conf.

    This merges upstream PR 238 + an additional bug fix.

    PR:             278721
    MFC after:      1 week

    (cherry picked from commit 3b092e4936c433889cc668ea9563c8fd437d1a3e)
    (cherry picked from commit 7daf36028411c3a9c73e0c75732f9cbcbf66362e)

    Approved by:    re (cperciva)

 contrib/ldns/ldns/parse.h |  2 ++
 contrib/ldns/parse.c      | 35 +++++++++++++++++++++++++++----
 contrib/ldns/resolver.c   | 53 ++++++++---------------------------------------
 3 files changed, 42 insertions(+), 48 deletions(-)
A commit in branch releng/14.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=bdf75e830a77a16ec0baf1c9367f64c6b96c5e02

commit bdf75e830a77a16ec0baf1c9367f64c6b96c5e02
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2024-05-15 10:16:24 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-06-18 17:32:56 +0000

    ldns: Ignore commented-out lines in resolv.conf.

    This merges upstream PR 238 + an additional bug fix.

    PR:             278721
    Approved by:    so
    Security:       FreeBSD-EN-24:11.ldns

    (cherry picked from commit 3b092e4936c433889cc668ea9563c8fd437d1a3e)
    (cherry picked from commit 7daf36028411c3a9c73e0c75732f9cbcbf66362e)

 contrib/ldns/ldns/parse.h |  2 ++
 contrib/ldns/parse.c      | 35 +++++++++++++++++++++++++++----
 contrib/ldns/resolver.c   | 53 ++++++++---------------------------------------
 3 files changed, 42 insertions(+), 48 deletions(-)
A commit in branch releng/13.3 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=d45cf1d2f1249d5b30c9fa0d35476dc9b9ee0321

commit d45cf1d2f1249d5b30c9fa0d35476dc9b9ee0321
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2024-05-15 10:16:24 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-06-18 17:25:37 +0000

    ldns: Ignore commented-out lines in resolv.conf.

    This merges upstream PR 238 + an additional bug fix.

    PR:             278721
    Approved by:    so
    Security:       FreeBSD-EN-24:11.ldns

    (cherry picked from commit 3b092e4936c433889cc668ea9563c8fd437d1a3e)
    (cherry picked from commit e95e16191f63240971687634a23c2defed64d713)

 contrib/ldns/ldns/parse.h |  2 ++
 contrib/ldns/parse.c      | 35 +++++++++++++++++++++++++++----
 contrib/ldns/resolver.c   | 53 ++++++++---------------------------------------
 3 files changed, 42 insertions(+), 48 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7fe9f4303fad76f1d2a9f709a3feb89093bce80c

commit 7fe9f4303fad76f1d2a9f709a3feb89093bce80c
Author:     Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2024-07-22 18:39:53 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-07-22 18:39:53 +0000

    dns/{,py}ldns, dns/p5-DNS-Ldns: update 1.8.3 → 1.8.4

    The most prominent fix is for the bug where ldns would, under certain
    conditions, use a commented out resolver in /etc/resolv.conf:
    https://github.com/NLnetLabs/ldns/issues/237

    Changelog: https://github.com/NLnetLabs/ldns/blob/1.8.4/Changelog

    PR:             280404 278721
    MFH:            2024Q3

 dns/ldns/Makefile                |  8 ++---
 dns/ldns/distinfo                |  6 ++--
 dns/ldns/files/patch-swig (gone) | 64 ----------------------------------------
 dns/ldns/pkg-plist               |  2 +-
 dns/py-ldns/pkg-plist            |  6 ++--
 5 files changed, 10 insertions(+), 76 deletions(-)
A commit in branch 2024Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9be587b5da8d7dea89b60c4f2a6a529d11bcce2e

commit 9be587b5da8d7dea89b60c4f2a6a529d11bcce2e
Author:     Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2024-07-22 18:39:53 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-07-22 18:49:37 +0000

    dns/{,py}ldns, dns/p5-DNS-Ldns: update 1.8.3 → 1.8.4

    The most prominent fix is for the bug where ldns would, under certain
    conditions, use a commented out resolver in /etc/resolv.conf:
    https://github.com/NLnetLabs/ldns/issues/237

    Changelog: https://github.com/NLnetLabs/ldns/blob/1.8.4/Changelog

    PR:             280404 278721
    MFH:            2024Q3

    (cherry picked from commit 7fe9f4303fad76f1d2a9f709a3feb89093bce80c)

 dns/ldns/Makefile                |  8 ++---
 dns/ldns/distinfo                |  6 ++--
 dns/ldns/files/patch-swig (gone) | 64 ----------------------------------------
 dns/ldns/pkg-plist               |  2 +-
 dns/py-ldns/pkg-plist            |  6 ++--
 5 files changed, 10 insertions(+), 76 deletions(-)