dnsmasq-2.82-filter-aaaa+https+unknown.patch

diff --git a/src/cache.c b/src/cache.c
index 2f2c519..748a022 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -66,6 +66,7 @@ static const struct {
   { 52,  "TLSA" },
   { 53,  "SMIMEA" },
   { 55,  "HIP" },
+  { 65,  "HTTPS"},
   { 249, "TKEY" },
   { 250, "TSIG" },
   { 251, "IXFR" },
@@ -1812,6 +1813,20 @@ char *record_source(unsigned int index)
   return "<unknown>";
 }
 
+// patch: function returns integer 1 if query type is unknown.
+// known types are defined in cache.c:typestr:36.
+int is_query_type_unknown(unsigned short type)
+{
+  unsigned int i;
+  for (i = 0; i < (sizeof(typestr)/sizeof(typestr[0])); i++)
+    if (typestr[i].type == type) 
+      {
+	return 0;
+      }
+  return 1;
+}
+// end of patch 
+
 char *querystr(char *desc, unsigned short type)
 {
   unsigned int i;
diff --git a/src/config.h b/src/config.h
index 7187ffa..6dbb23e 100644
--- a/src/config.h
+++ b/src/config.h
@@ -32,7 +32,7 @@
 #define RANDOM_SOCKS 64 /* max simultaneous random ports */
 #define LEASE_RETRY 60 /* on error, retry writing leasefile after LEASE_RETRY seconds */
 #define CACHESIZ 150 /* default cache size */
-#define TTL_FLOOR_LIMIT 3600 /* don't allow --min-cache-ttl to raise TTL above this under any circumstances */
+#define TTL_FLOOR_LIMIT 604800 /* don't allow --min-cache-ttl to raise TTL above this under any circumstances */
 #define MAXLEASES 1000 /* maximum number of DHCP leases */
 #define PING_WAIT 3 /* wait for ping address-in-use test */
 #define PING_CACHE_TIME 30 /* Ping test assumed to be valid this long. */
@@ -40,7 +40,7 @@
 #define DHCP_PACKET_MAX 16384 /* hard limit on DHCP packet size */
 #define SMALLDNAME 50 /* most domain names are smaller than this */
 #define CNAME_CHAIN 10 /* chains longer than this atr dropped for loop protection */
-#define DNSSEC_MIN_TTL 60 /* DNSKEY and DS records in cache last at least this long */
+#define DNSSEC_MIN_TTL 3600 /* DNSKEY and DS records in cache last at least this long */
 #define HOSTSFILE "/etc/hosts"
 #define ETHERSFILE "/etc/ethers"
 #define DEFLEASE 3600 /* default DHCPv4 lease time, one hour */
@@ -135,8 +135,8 @@ HAVE_INOTIFY
 NO_ID
    Don't report *.bind CHAOS info to clients, forward such requests upstream instead.
 NO_TFTP
-NO_DHCP
-NO_DHCP6
+NO_DHCP */
+#define NO_DHCP6 /*
 NO_SCRIPT
 NO_LARGEFILE
 NO_AUTH
@@ -167,13 +167,13 @@ RESOLVFILE
    has no library dependencies other than libc */
 
 #define HAVE_DHCP
-#define HAVE_DHCP6 
+/* #define HAVE_DHCP6 */
 #define HAVE_TFTP
 #define HAVE_SCRIPT
 #define HAVE_AUTH
 #define HAVE_IPSET 
 #define HAVE_LOOP
-#define HAVE_DUMPFILE
+/* #define HAVE_DUMPFILE */
 
 /* Build options which require external libraries.
    
@@ -186,8 +186,8 @@ RESOLVFILE
 /* #define HAVE_DBUS */
 /* #define HAVE_IDN */
 /* #define HAVE_LIBIDN2 */
-/* #define HAVE_CONNTRACK */
-/* #define HAVE_DNSSEC */
+#define HAVE_CONNTRACK
+#define HAVE_DNSSEC
 
 
 /* Default locations for important system files. */
diff --git a/src/dns-protocol.h b/src/dns-protocol.h
index 8edb9f3..2385b9e 100644
--- a/src/dns-protocol.h
+++ b/src/dns-protocol.h
@@ -71,6 +71,7 @@
 #define T_NSEC          47
 #define T_DNSKEY        48
 #define T_NSEC3         50
+#define T_HTTPS         65
 #define	T_TKEY		249		
 #define	T_TSIG		250
 #define T_AXFR          252
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 4220798..7429734 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -269,7 +269,10 @@ struct event_desc {
 #define OPT_IGNORE_CLID    59
 #define OPT_SINGLE_PORT    60
 #define OPT_LEASE_RENEW    61
-#define OPT_LAST           62
+#define OPT_FILTER_AAAA    62
+#define OPT_FILTER_HTTPS   64
+#define OPT_FILTER_UNKNOWN 65
+#define OPT_LAST           66
 
 #define OPTION_BITS (sizeof(unsigned int)*8)
 #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
@@ -1158,6 +1161,10 @@ void cache_init(void);
 void next_uid(struct crec *crecp);
 void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg); 
 char *record_source(unsigned int index);
+// patch: function returns integer 1 if query type is unknown
+// known types are defined in cache.c:typestr:36.
+int is_query_type_unknown(unsigned short type);
+// end of patch
 char *querystr(char *desc, unsigned short type);
 int cache_find_non_terminal(char *name, time_t now);
 struct crec *cache_find_by_addr(struct crec *crecp,
diff --git a/src/option.c b/src/option.c
index dbe5f90..2e90b9a 100644
--- a/src/option.c
+++ b/src/option.c
@@ -167,6 +167,9 @@ struct myoption {
 #define LOPT_IGNORE_CLID   358
 #define LOPT_SINGLE_PORT   359
 #define LOPT_SCRIPT_TIME   360
+#define LOPT_FILTER_AAAA   361
+#define LOPT_FILTER_HTTPS  362
+#define LOPT_FILTER_UNKNOWN 363
  
 #ifdef HAVE_GETOPT_LONG
 static const struct option opts[] =  
@@ -339,6 +342,9 @@ static const struct myoption opts[] =
     { "dumpfile", 1, 0, LOPT_DUMPFILE },
     { "dumpmask", 1, 0, LOPT_DUMPMASK },
     { "dhcp-ignore-clid", 0, 0,  LOPT_IGNORE_CLID },
+    { "filter-aaaa", 0, 0, LOPT_FILTER_AAAA },
+    { "filter-https", 0, 0, LOPT_FILTER_HTTPS },
+    { "filter-unknown", 0, 0, LOPT_FILTER_UNKNOWN },
     { NULL, 0, 0, 0 }
   };
 
@@ -518,6 +524,9 @@ static struct {
   { LOPT_DUMPFILE, ARG_ONE, "<path>", gettext_noop("Path to debug packet dump file"), NULL },
   { LOPT_DUMPMASK, ARG_ONE, "<hex>", gettext_noop("Mask which packets to dump"), NULL },
   { LOPT_SCRIPT_TIME, OPT_LEASE_RENEW, NULL, gettext_noop("Call dhcp-script when lease expiry changes."), NULL },
+  { LOPT_FILTER_AAAA, OPT_FILTER_AAAA, NULL, gettext_noop("Filter all AAAA requests."), NULL },
+  { LOPT_FILTER_HTTPS, OPT_FILTER_HTTPS, NULL, gettext_noop("Filter all HTTPS/query type 65 requests."), NULL },
+  { LOPT_FILTER_UNKNOWN, OPT_FILTER_UNKNOWN, NULL, gettext_noop("Filter all unknown query types (known are defined in cache.c)."), NULL },
   { 0, 0, NULL, NULL, NULL }
 }; 
 
@@ -4529,7 +4538,7 @@ err:
 	break;
       }
 #endif
-		
+
     default:
       ret_err(_("unsupported option (check that dnsmasq was compiled with DHCP/TFTP/DNSSEC/DBus support)"));
       
@@ -4874,7 +4883,6 @@ void read_servers_file(void)
   read_file(daemon->servers_file, f, LOPT_REV_SERV);
 }
  
-
 #ifdef HAVE_DHCP
 static void clear_dynamic_conf(void)
 {
diff --git a/src/rfc1035.c b/src/rfc1035.c
index fefe63d..71bfa51 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -880,7 +880,7 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 			    }
 #endif
 			}
-		      
+
 		      newc = cache_insert(name, &addr, C_IN, now, attl, flags | F_FORWARD | secflag);
 		      if (newc && cpp)
 			{
@@ -1955,6 +1955,32 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 	    }
 	}
 
+    //patch to filter aaaa forwards
+    if (qtype == T_AAAA && option_bool(OPT_FILTER_AAAA) ){
+        //return a null reply
+        ans = 1;
+        if (!dryrun) log_query(F_CONFIG | F_IPV6 | F_NEG, name, &addr, NULL);
+            break;
+    }
+    //end of patch
+    //patch to filter https/query type 65 forwards
+    if (qtype == T_HTTPS && option_bool(OPT_FILTER_HTTPS) ){
+        //return a null reply
+        ans = 1;
+        if (!dryrun) log_query(F_CONFIG | F_IPV4 | F_NEG, name, &addr, NULL);
+            break;
+    }
+    //end of patch
+    //patch to filter all unknown query types
+    //known types are defined in cache.c:typestr:36.
+    if (is_query_type_unknown(qtype) && option_bool(OPT_FILTER_UNKNOWN)) {
+        //return a null reply
+        ans = 1;
+        if (!dryrun) log_query(F_CONFIG | F_NEG, name, NULL, NULL);
+            break;
+    }
+    //end of patch
+
       if (!ans)
 	return 0; /* failed to answer a question */
     }