--filter-rr=<rrtype>[,<rrtype>...]
Remove records of the specified type(s) from answers. The otherwise-nonsensical --filter-rr=ANY has a special meaning: it filters replies to queries for type ANY. Everything other than A, AAAA, MX and CNAME records are removed. Since ANY queries with forged source addresses can be used in DNS amplification attacks (replies to ANY queries can be large) this defangs such attacks, whilst still supporting the one remaining possible use of ANY queries. See RFC 8482 para 4.3 for details.
filter-rr can be used to manage DoH (type-65 queries).
Did not open a ticket.
Also in v2.90:
Code:
CVE 2023-50387 and CVE 2023-50868 apply. Note that the is a security vulnerablity only when DNSSEC validation is enabled
Code:
Add limits on the resources used to do DNSSEC validation. DNSSEC introduces a potential CPU DoS, because a crafted domain can force a validator to a large number of cryptographic operations whilst attempting to do validation.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Feb 22, 2024 22:43 Post subject:
yep BS is on the mailing list, as well 2.90 came out 10 days ago so...he knows already...
I guess it needs fiddling and tailoring towards DDWRT too...so, it will come soon... may be with those extra commands by default...
although, some updates do not concern the functionality of DDWRT, consider there is libopenssl that needs update too...https://www.openssl.org/ --unless i missed it @SVN (not that its urgent and has some ultra flaws but in general) ver 1.1.1 is EoL and will have only custom support so lets see.. _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 08 May 2018 Posts: 14249 Location: Texas, USA
Posted: Thu Feb 22, 2024 23:09 Post subject:
The last time BS tried to update openssl to 3.x did not go well, and he probably has not taken the time to look at it again (last commit was to fix a typo a couple months ago). As already stated, BS is most likely aware of the update, and he'll get to it when he gets to it. Thanks for understanding, have a nice day, and take care now.
P.S. Moved thread to Generic since this is related to development. Please make a note in the future and either post in General or Generic when it comes to package updates, thanks. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
(not that its urgent and has some ultra flaws but in general) ver 1.1.1 is EoL and will have only custom support so lets see..