| blob | 1c23fd443e148fe931ddab8850c79ad59b4b3c57 |
1 ## v1.20260501.0
3 Fixed an error in dnstt-server that could cause the server to stop
4 processing traffic, while still running. Rarely, a sendto system call in
5 the sendLoop function would cause sendLoop to return with an error.
6 Meanwhile, recvLoop would keep running and processing incoming queries,
7 but as sendLoop had finished, the server would cease to send back
8 responses. In live testing, one possible cause of a sendto error was the
9 Linux conntrack table becoming full from heavy traffic and the outgoing
10 packet being blocked by a default DENY rule in the local firewall; other
11 causes may have been possible. This release contains two changes to fix
12 the problem: (1) sendto errors, other than net.ErrClosed, are now only
13 logged and do not cause sendLoop to terminate; (2) if sendLoop (or any
14 other top-level goroutine) does return, it causes the whole process to
15 exit, which will make any failure noticeable and avoid the "running but
16 not working" failure mode.
18 ## v1.20241021.0
20 Added a CC0 COPYING file.
22 ## v1.20240513.0
24 Updated utls to v1.6.6. Added a "random" fingerprint ID that maps to
25 uTLS's HelloRandomizedALPN. The default uTLS fingerprint distribution in
26 dnstt-client is now
27 4*random,3*Firefox_120,1*Firefox_105,3*Chrome_120,1*Chrome_102,1*iOS_14,1*iOS_13
30 ## v1.20220208.0
32 -doh and -dot mode use uTLS to camouflage their TLS Client Hello
33 fingerprint. The fingerprint to use is chosen randomly from a weighted
34 distribution. You can control this distribution using the new -utls
35 option. Use "-utls none" to disable uTLS if you encounter TLS errors
36 with your chosen server. This change means that it is no longer possible
37 to use a proxy in -doh mode by setting the HTTP_PROXY or HTTPS_PROXY
38 environment variables; this was an undocumented side effect of using the
39 Go net/http package with no TLS camouflage.
42 ## v1.20210812.0
44 Fixed an injection vulnerability in the dnstt-server log message
45 "NXDOMAIN: not authoritative for %s". This log message contains a
46 potentially attacker-controlled name. Because DNS labels may contain any
47 byte value, the log message allowed an attacker to write arbitrary bytes
48 to the dnstt-server log, with a variety of effects:
49 * A label containing a newline could break the format of the log, or be
50 used to inject false log lines.
51 * Log output to a terminal could contain terminal escape sequences which
52 could, for example, change the color of text, or have worse effects
53 with older terminal emulators (https://seclists.org/bugtraq/2003/Feb/315).
54 * DNS names with a label that contained the dot character (\x2e) would
55 be logged in an ambiguous way, with the intra-label dot appearing as a
56 label separator.
57 DNS names are now logged using backslash hex escapes for unusual bytes.
58 This vulnerability was called to mind by "Injection Attacks Reloaded:
59 Tunnelling Malicious Payloads over DNS" by Jeitner and Shulman.
60 https://www.usenix.org/conference/usenixsecurity21/presentation/jeitner
62 Inhibited some "io: read/write on closed pipe" log messages.
65 ## v1.20210803.0
67 Performance tuning. Enlarge some buffers and network receive windows to
68 permit faster downloads in some configurations. Adjusted the dynamic
69 polling model to work more as intended, and tweaked the server send loop
70 to continue bundling outgoing packets as long as some are immediately
71 available.
73 Reduce idle timeout from 10 minutes to 2 minutes. Terminated sessions
74 will be reclaimed more quickly.
76 Documentation updates.
79 ## v0.20210424.0
81 dnstt was part of a software security audit done by Cure53. The report
82 found issues of severity levels Low–Medium in dnstt and in one of its
83 dependencies, a package used for Noise cryptography. This release fixes
84 the following issues:
85 * UCB-02-002: Memory leak in acceptStreams() routine of dnstt server (Low)
86 * UCB-02-003: Potential nonce overflow in Noise protocol (Medium)
87 * UCB-02-004: Deprecated DH25519 Golang API used by Noise (Low)
88 * UCB-02-006: DoS due to unconditional nonce increment (Low)
89 * UCB-02-007: DoS due to missing socket timeouts (Low)
90 Unaddressed in this release are:
91 * UCB-02-005: Client ID security considerations & Noise authenticated data (Low)
92 * UCB-02-008: Lack of rate limiting in Snowflake and dnstt (Info)
93 Two other issues in the report, UCB-02-001 and UCB-02-009, do not have
94 to do with dnstt. For more details and the text of the report, see
95 https://www.bamsoftware.com/software/dnstt/security.html#cure53-turbotunnel-2021
97 Added man pages for dnstt-client and dnstt-server.
100 ## v0.20200506.0
102 Documentation updates.
105 ## v0.20200504.0
107 Documentation updates and link to web page.
108 https://www.bamsoftware.com/software/dnstt/
111 ## v0.20200430.0
113 Send leftover packets (those that were too big to fit in the current DNS
114 response) to the correct client in the future. Before, such leftover
115 packets were included in the next response to be sent, regardless of the
116 client it was intended for.
118 Fix the loop that packs packets into responses in the server. Before, if
119 there were not a packet immediately available, the response would always
120 be empty. Now, a packet has until the response timeout to be included.
122 Buffer the DoT transport in the client so that length prefixes and DNS
123 queries happen in the same send.
125 Don't look for encoded packets in a response that was too short to
126 contain a ClientID.
129 ## v0.20200426.0
131 Added the -mtu command-line option to the server.
133 Documentation fixes.
136 ## v0.20200419.0
138 Initial public release and announcement.
139 https://github.com/net4people/bbs/issues/30