1 /* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 int extract_name(struct dns_header
*header
, size_t plen
, unsigned char **pp
,
20 char *name
, int isExtract
, int extrabytes
)
22 unsigned char *cp
= (unsigned char *)name
, *p
= *pp
, *p1
= NULL
;
23 unsigned int j
, l
, namelen
= 0, hops
= 0;
31 unsigned int label_type
;
33 if (!CHECK_LEN(header
, p
, plen
, 1))
39 /* check that there are the correct no of bytes after the name */
40 if (!CHECK_LEN(header
, p
, plen
, extrabytes
))
45 if (cp
!= (unsigned char *)name
)
47 *cp
= 0; /* terminate: lose final period */
52 if (p1
) /* we jumped via compression */
60 label_type
= l
& 0xc0;
62 if (label_type
== 0xc0) /* pointer */
64 if (!CHECK_LEN(header
, p
, plen
, 1))
71 if (!p1
) /* first jump, save location to go back to */
74 hops
++; /* break malicious infinite loops */
78 p
= l
+ (unsigned char *)header
;
80 else if (label_type
== 0x80)
81 return 0; /* reserved */
82 else if (label_type
== 0x40)
84 unsigned int count
, digs
;
87 return 0; /* we only understand bitstrings */
90 return 0; /* Cannot compare bitsrings */
95 digs
= ((count
-1)>>2)+1;
97 /* output is \[x<hex>/siz]. which is digs+7/8/9 chars */
103 if (namelen
+1 >= MAXDNAME
)
106 if (!CHECK_LEN(header
, p
, plen
, (count
-1)>>3))
112 for (j
=0; j
<digs
; j
++)
120 *cp
++ = dig
< 10 ? dig
+ '0' : dig
+ 'A' - 10;
122 cp
+= sprintf((char *)cp
, "/%d]", count
);
123 /* do this here to overwrite the zero char from sprintf */
127 { /* label_type = 0 -> label. */
128 namelen
+= l
+ 1; /* include period */
129 if (namelen
>= MAXDNAME
)
131 if (!CHECK_LEN(header
, p
, plen
, l
))
134 for(j
=0; j
<l
; j
++, p
++)
137 unsigned char c
= *p
;
139 if (option_bool(OPT_DNSSEC_VALID
))
141 if (c
== 0 || c
== '.' || c
== NAME_ESCAPE
)
151 if (c
!= 0 && c
!= '.')
158 unsigned char c1
= *cp
, c2
= *p
;
165 if (c1
>= 'A' && c1
<= 'Z')
168 if (option_bool(OPT_DNSSEC_VALID
) && c1
== NAME_ESCAPE
)
172 if (c2
>= 'A' && c2
<= 'Z')
182 else if (*cp
!= 0 && *cp
++ != '.')
188 /* Max size of input string (for IPv6) is 75 chars.) */
189 #define MAXARPANAME 75
190 int in_arpa_name_2_addr(char *namein
, struct all_addr
*addrp
)
193 char name
[MAXARPANAME
+1], *cp1
;
194 unsigned char *addr
= (unsigned char *)addrp
;
195 char *lastchunk
= NULL
, *penchunk
= NULL
;
197 if (strlen(namein
) > MAXARPANAME
)
200 memset(addrp
, 0, sizeof(struct all_addr
));
202 /* turn name into a series of asciiz strings */
203 /* j counts no of labels */
204 for(j
= 1,cp1
= name
; *namein
; cp1
++, namein
++)
207 penchunk
= lastchunk
;
220 if (hostname_isequal(lastchunk
, "arpa") && hostname_isequal(penchunk
, "in-addr"))
223 /* address arives as a name of the form
224 www.xxx.yyy.zzz.in-addr.arpa
225 some of the low order address octets might be missing
226 and should be set to zero. */
227 for (cp1
= name
; cp1
!= penchunk
; cp1
+= strlen(cp1
)+1)
229 /* check for digits only (weeds out things like
230 50.0/24.67.28.64.in-addr.arpa which are used
231 as CNAME targets according to RFC 2317 */
233 for (cp
= cp1
; *cp
; cp
++)
234 if (!isdigit((unsigned char)*cp
))
246 else if (hostname_isequal(penchunk
, "ip6") &&
247 (hostname_isequal(lastchunk
, "int") || hostname_isequal(lastchunk
, "arpa")))
250 Address arrives as 0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.ip6.[int|arpa]
251 or \[xfedcba9876543210fedcba9876543210/128].ip6.[int|arpa]
253 Note that most of these the various reprentations are obsolete and
254 left-over from the many DNS-for-IPv6 wars. We support all the formats
255 that we can since there is no reason not to.
258 if (*name
== '\\' && *(name
+1) == '[' &&
259 (*(name
+2) == 'x' || *(name
+2) == 'X'))
261 for (j
= 0, cp1
= name
+3; *cp1
&& isxdigit((unsigned char) *cp1
) && j
< 32; cp1
++, j
++)
267 addr
[j
/2] |= strtol(xdig
, NULL
, 16);
269 addr
[j
/2] = strtol(xdig
, NULL
, 16) << 4;
272 if (*cp1
== '/' && j
== 32)
277 for (cp1
= name
; cp1
!= penchunk
; cp1
+= strlen(cp1
)+1)
279 if (*(cp1
+1) || !isxdigit((unsigned char)*cp1
))
282 for (j
= sizeof(struct all_addr
)-1; j
>0; j
--)
283 addr
[j
] = (addr
[j
] >> 4) | (addr
[j
-1] << 4);
284 addr
[0] = (addr
[0] >> 4) | (strtol(cp1
, NULL
, 16) << 4);
295 unsigned char *skip_name(unsigned char *ansp
, struct dns_header
*header
, size_t plen
, int extrabytes
)
299 unsigned int label_type
;
301 if (!CHECK_LEN(header
, ansp
, plen
, 1))
304 label_type
= (*ansp
) & 0xc0;
306 if (label_type
== 0xc0)
308 /* pointer for compression. */
312 else if (label_type
== 0x80)
313 return NULL
; /* reserved */
314 else if (label_type
== 0x40)
316 /* Extended label type */
319 if (!CHECK_LEN(header
, ansp
, plen
, 2))
322 if (((*ansp
++) & 0x3f) != 1)
323 return NULL
; /* we only understand bitstrings */
325 count
= *(ansp
++); /* Bits in bitstring */
327 if (count
== 0) /* count == 0 means 256 bits */
330 ansp
+= ((count
-1)>>3)+1;
333 { /* label type == 0 Bottom six bits is length */
334 unsigned int len
= (*ansp
++) & 0x3f;
336 if (!ADD_RDLEN(header
, ansp
, plen
, len
))
340 break; /* zero length label marks the end. */
344 if (!CHECK_LEN(header
, ansp
, plen
, extrabytes
))
350 unsigned char *skip_questions(struct dns_header
*header
, size_t plen
)
353 unsigned char *ansp
= (unsigned char *)(header
+1);
355 for (q
= ntohs(header
->qdcount
); q
!= 0; q
--)
357 if (!(ansp
= skip_name(ansp
, header
, plen
, 4)))
359 ansp
+= 4; /* class and type */
365 unsigned char *skip_section(unsigned char *ansp
, int count
, struct dns_header
*header
, size_t plen
)
369 for (i
= 0; i
< count
; i
++)
371 if (!(ansp
= skip_name(ansp
, header
, plen
, 10)))
373 ansp
+= 8; /* type, class, TTL */
374 GETSHORT(rdlen
, ansp
);
375 if (!ADD_RDLEN(header
, ansp
, plen
, rdlen
))
382 /* CRC the question section. This is used to safely detect query
383 retransmision and to detect answers to questions we didn't ask, which
384 might be poisoning attacks. Note that we decode the name rather
385 than CRC the raw bytes, since replies might be compressed differently.
386 We ignore case in the names for the same reason. Return all-ones
387 if there is not question section. */
389 unsigned int questions_crc(struct dns_header
*header
, size_t plen
, char *name
)
392 unsigned int crc
= 0xffffffff;
393 unsigned char *p1
, *p
= (unsigned char *)(header
+1);
395 for (q
= ntohs(header
->qdcount
); q
!= 0; q
--)
397 if (!extract_name(header
, plen
, &p
, name
, 1, 4))
398 return crc
; /* bad packet */
400 for (p1
= (unsigned char *)name
; *p1
; p1
++)
405 if (c
>= 'A' && c
<= 'Z')
410 crc
= crc
& 0x80000000 ? (crc
<< 1) ^ 0x04c11db7 : crc
<< 1;
413 /* CRC the class and type as well */
414 for (p1
= p
; p1
< p
+4; p1
++)
419 crc
= crc
& 0x80000000 ? (crc
<< 1) ^ 0x04c11db7 : crc
<< 1;
423 if (!CHECK_LEN(header
, p
, plen
, 0))
424 return crc
; /* bad packet */
431 size_t resize_packet(struct dns_header
*header
, size_t plen
, unsigned char *pheader
, size_t hlen
)
433 unsigned char *ansp
= skip_questions(header
, plen
);
435 /* if packet is malformed, just return as-is. */
439 if (!(ansp
= skip_section(ansp
, ntohs(header
->ancount
) + ntohs(header
->nscount
) + ntohs(header
->arcount
),
443 /* restore pseudoheader */
444 if (pheader
&& ntohs(header
->arcount
) == 0)
446 /* must use memmove, may overlap */
447 memmove(ansp
, pheader
, hlen
);
448 header
->arcount
= htons(1);
452 return ansp
- (unsigned char *)header
;
455 unsigned char *find_pseudoheader(struct dns_header
*header
, size_t plen
, size_t *len
, unsigned char **p
, int *is_sign
)
457 /* See if packet has an RFC2671 pseudoheader, and if so return a pointer to it.
458 also return length of pseudoheader in *len and pointer to the UDP size in *p
459 Finally, check to see if a packet is signed. If it is we cannot change a single bit before
460 forwarding. We look for SIG and TSIG in the addition section, and TKEY queries (for GSS-TSIG) */
462 int i
, arcount
= ntohs(header
->arcount
);
463 unsigned char *ansp
= (unsigned char *)(header
+1);
464 unsigned short rdlen
, type
, class;
465 unsigned char *ret
= NULL
;
471 if (OPCODE(header
) == QUERY
)
473 for (i
= ntohs(header
->qdcount
); i
!= 0; i
--)
475 if (!(ansp
= skip_name(ansp
, header
, plen
, 4)))
478 GETSHORT(type
, ansp
);
479 GETSHORT(class, ansp
);
481 if (class == C_IN
&& type
== T_TKEY
)
488 if (!(ansp
= skip_questions(header
, plen
)))
495 if (!(ansp
= skip_section(ansp
, ntohs(header
->ancount
) + ntohs(header
->nscount
), header
, plen
)))
498 for (i
= 0; i
< arcount
; i
++)
500 unsigned char *save
, *start
= ansp
;
501 if (!(ansp
= skip_name(ansp
, header
, plen
, 10)))
504 GETSHORT(type
, ansp
);
506 GETSHORT(class, ansp
);
508 GETSHORT(rdlen
, ansp
);
509 if (!ADD_RDLEN(header
, ansp
, plen
, rdlen
))
530 unsigned char *limit
;
531 struct dns_header
*header
;
533 union mysockaddr
*l3
;
536 static size_t add_pseudoheader(struct dns_header
*header
, size_t plen
, unsigned char *limit
,
537 int optno
, unsigned char *opt
, size_t optlen
, int set_do
)
539 unsigned char *lenp
, *datap
, *p
;
542 if (!(p
= find_pseudoheader(header
, plen
, NULL
, NULL
, &is_sign
)))
547 /* We are adding the pseudoheader */
548 if (!(p
= skip_questions(header
, plen
)) ||
549 !(p
= skip_section(p
,
550 ntohs(header
->ancount
) + ntohs(header
->nscount
) + ntohs(header
->arcount
),
553 *p
++ = 0; /* empty name */
555 PUTSHORT(SAFE_PKTSZ
, p
); /* max packet length, this will be overwritten */
556 PUTSHORT(0, p
); /* extended RCODE and version */
557 PUTSHORT(set_do
? 0x8000 : 0, p
); /* DO flag */
559 PUTSHORT(0, p
); /* RDLEN */
561 if (((ssize_t
)optlen
) > (limit
- (p
+ 4)))
562 return plen
; /* Too big */
563 header
->arcount
= htons(ntohs(header
->arcount
) + 1);
569 unsigned short code
, len
, flags
;
571 /* Must be at the end, if exists */
572 if (ntohs(header
->arcount
) != 1 ||
574 (!(p
= skip_name(p
, header
, plen
, 10))))
577 p
+= 6; /* skip UDP length and RCODE */
582 PUTSHORT(flags
| 0x8000, p
);
587 if (!CHECK_LEN(header
, p
, plen
, rdlen
))
588 return plen
; /* bad packet */
591 /* no option to add */
595 /* check if option already there */
596 for (i
= 0; i
+ 4 < rdlen
; i
+= len
+ 4)
605 if (((ssize_t
)optlen
) > (limit
- (p
+ 4)))
606 return plen
; /* Too big */
613 memcpy(p
, opt
, optlen
);
617 PUTSHORT(p
- datap
, lenp
);
618 return p
- (unsigned char *)header
;
622 static int filter_mac(int family
, char *addrp
, char *mac
, size_t maclen
, void *parmv
)
624 struct macparm
*parm
= parmv
;
627 if (family
== parm
->l3
->sa
.sa_family
)
629 if (family
== AF_INET
&& memcmp(&parm
->l3
->in
.sin_addr
, addrp
, INADDRSZ
) == 0)
633 if (family
== AF_INET6
&& memcmp(&parm
->l3
->in6
.sin6_addr
, addrp
, IN6ADDRSZ
) == 0)
639 return 1; /* continue */
641 parm
->plen
= add_pseudoheader(parm
->header
, parm
->plen
, parm
->limit
, EDNS0_OPTION_MAC
, (unsigned char *)mac
, maclen
, 0);
646 size_t add_mac(struct dns_header
*header
, size_t plen
, char *limit
, union mysockaddr
*l3
)
650 /* Must have an existing pseudoheader as the only ar-record,
651 or have no ar-records. Must also not be signed */
653 if (ntohs(header
->arcount
) > 1)
656 parm
.header
= header
;
657 parm
.limit
= (unsigned char *)limit
;
661 iface_enumerate(AF_UNSPEC
, &parm
, filter_mac
);
668 u8 source_netmask
, scope_netmask
;
676 static size_t calc_subnet_opt(struct subnet_opt
*opt
, union mysockaddr
*source
)
678 /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
684 if (source
->sa
.sa_family
== AF_INET6
)
686 opt
->family
= htons(2);
687 opt
->source_netmask
= daemon
->addr6_netmask
;
688 addrp
= &source
->in6
.sin6_addr
;
693 opt
->family
= htons(1);
694 opt
->source_netmask
= daemon
->addr4_netmask
;
695 addrp
= &source
->in
.sin_addr
;
698 opt
->scope_netmask
= 0;
701 if (opt
->source_netmask
!= 0)
703 len
= ((opt
->source_netmask
- 1) >> 3) + 1;
704 memcpy(opt
->addr
, addrp
, len
);
705 if (opt
->source_netmask
& 7)
706 opt
->addr
[len
-1] &= 0xff << (8 - (opt
->source_netmask
& 7));
712 size_t add_source_addr(struct dns_header
*header
, size_t plen
, char *limit
, union mysockaddr
*source
)
714 /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
717 struct subnet_opt opt
;
719 len
= calc_subnet_opt(&opt
, source
);
720 return add_pseudoheader(header
, plen
, (unsigned char *)limit
, EDNS0_OPTION_CLIENT_SUBNET
, (unsigned char *)&opt
, len
, 0);
724 size_t add_do_bit(struct dns_header
*header
, size_t plen
, char *limit
)
726 return add_pseudoheader(header
, plen
, (unsigned char *)limit
, 0, NULL
, 0, 1);
730 int check_source(struct dns_header
*header
, size_t plen
, unsigned char *pseudoheader
, union mysockaddr
*peer
)
732 /* Section 9.2, Check that subnet option in reply matches. */
736 struct subnet_opt opt
;
740 calc_len
= calc_subnet_opt(&opt
, peer
);
742 if (!(p
= skip_name(pseudoheader
, header
, plen
, 10)))
745 p
+= 8; /* skip UDP length and RCODE */
748 if (!CHECK_LEN(header
, p
, plen
, rdlen
))
749 return 1; /* bad packet */
751 /* check if option there */
752 for (i
= 0; i
+ 4 < rdlen
; i
+= len
+ 4)
756 if (code
== EDNS0_OPTION_CLIENT_SUBNET
)
758 /* make sure this doesn't mismatch. */
759 opt
.scope_netmask
= p
[3];
760 if (len
!= calc_len
|| memcmp(p
, &opt
, len
) != 0)
769 /* is addr in the non-globally-routed IP space? */
770 int private_net(struct in_addr addr
, int ban_localhost
)
772 in_addr_t ip_addr
= ntohl(addr
.s_addr
);
775 (((ip_addr
& 0xFF000000) == 0x7F000000) && ban_localhost
) /* 127.0.0.0/8 (loopback) */ ||
776 ((ip_addr
& 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
777 ((ip_addr
& 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ ||
778 ((ip_addr
& 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ ||
779 ((ip_addr
& 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ;
782 static unsigned char *do_doctor(unsigned char *p
, int count
, struct dns_header
*header
, size_t qlen
, char *name
, int *doctored
)
784 int i
, qtype
, qclass
, rdlen
;
786 for (i
= count
; i
!= 0; i
--)
788 if (name
&& option_bool(OPT_LOG
))
790 if (!extract_name(header
, qlen
, &p
, name
, 1, 10))
793 else if (!(p
= skip_name(p
, header
, qlen
, 10)))
794 return 0; /* bad packet */
801 if (qclass
== C_IN
&& qtype
== T_A
)
803 struct doctor
*doctor
;
806 if (!CHECK_LEN(header
, p
, qlen
, INADDRSZ
))
810 memcpy(&addr
, p
, INADDRSZ
);
812 for (doctor
= daemon
->doctors
; doctor
; doctor
= doctor
->next
)
814 if (doctor
->end
.s_addr
== 0)
816 if (!is_same_net(doctor
->in
, addr
, doctor
->mask
))
819 else if (ntohl(doctor
->in
.s_addr
) > ntohl(addr
.s_addr
) ||
820 ntohl(doctor
->end
.s_addr
) < ntohl(addr
.s_addr
))
823 addr
.s_addr
&= ~doctor
->mask
.s_addr
;
824 addr
.s_addr
|= (doctor
->out
.s_addr
& doctor
->mask
.s_addr
);
825 /* Since we munged the data, the server it came from is no longer authoritative */
826 header
->hb3
&= ~HB3_AA
;
828 memcpy(p
, &addr
, INADDRSZ
);
832 else if (qtype
== T_TXT
&& name
&& option_bool(OPT_LOG
))
834 unsigned char *p1
= p
;
835 if (!CHECK_LEN(header
, p1
, qlen
, rdlen
))
837 while ((p1
- p
) < rdlen
)
839 unsigned int i
, len
= *p1
;
840 unsigned char *p2
= p1
;
841 /* make counted string zero-term and sanitise */
842 for (i
= 0; i
< len
; i
++)
844 if (!isprint((int)*(p2
+1)))
851 my_syslog(LOG_INFO
, "reply %s is %s", name
, p1
);
853 memmove(p1
+ 1, p1
, i
);
859 if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
860 return 0; /* bad packet */
866 static int find_soa(struct dns_header
*header
, size_t qlen
, char *name
, int *doctored
)
869 int qtype
, qclass
, rdlen
;
870 unsigned long ttl
, minttl
= ULONG_MAX
;
871 int i
, found_soa
= 0;
873 /* first move to NS section and find TTL from any SOA section */
874 if (!(p
= skip_questions(header
, qlen
)) ||
875 !(p
= do_doctor(p
, ntohs(header
->ancount
), header
, qlen
, name
, doctored
)))
876 return 0; /* bad packet */
878 for (i
= ntohs(header
->nscount
); i
!= 0; i
--)
880 if (!(p
= skip_name(p
, header
, qlen
, 10)))
881 return 0; /* bad packet */
888 if ((qclass
== C_IN
) && (qtype
== T_SOA
))
895 if (!(p
= skip_name(p
, header
, qlen
, 0)))
898 if (!(p
= skip_name(p
, header
, qlen
, 20)))
900 p
+= 16; /* SERIAL REFRESH RETRY EXPIRE */
902 GETLONG(ttl
, p
); /* minTTL */
906 else if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
907 return 0; /* bad packet */
910 /* rewrite addresses in additional section too */
911 if (!do_doctor(p
, ntohs(header
->arcount
), header
, qlen
, NULL
, doctored
))
915 minttl
= daemon
->neg_ttl
;
920 /* Note that the following code can create CNAME chains that don't point to a real record,
921 either because of lack of memory, or lack of SOA records. These are treated by the cache code as
922 expired and cleaned out that way.
923 Return 1 if we reject an address because it look like part of dns-rebinding attack. */
924 int extract_addresses(struct dns_header
*header
, size_t qlen
, char *name
, time_t now
,
925 char **ipsets
, int is_sign
, int check_rebind
, int no_cache_dnssec
, int secure
, int *doctored
)
927 unsigned char *p
, *p1
, *endrr
, *namep
;
928 int i
, j
, qtype
, qclass
, aqtype
, aqclass
, ardlen
, res
, searched_soa
= 0;
929 unsigned long ttl
= 0;
930 struct all_addr addr
;
934 (void)ipsets
; /* unused */
937 cache_start_insert();
939 /* find_soa is needed for dns_doctor and logging side-effects, so don't call it lazily if there are any. */
940 if (daemon
->doctors
|| option_bool(OPT_LOG
) || option_bool(OPT_DNSSEC_VALID
))
943 ttl
= find_soa(header
, qlen
, name
, doctored
);
945 if (*doctored
&& secure
)
950 /* go through the questions. */
951 p
= (unsigned char *)(header
+1);
953 for (i
= ntohs(header
->qdcount
); i
!= 0; i
--)
955 int found
= 0, cname_count
= CNAME_CHAIN
;
956 struct crec
*cpp
= NULL
;
957 int flags
= RCODE(header
) == NXDOMAIN
? F_NXDOMAIN
: 0;
958 int secflag
= secure
? F_DNSSECOK
: 0;
959 unsigned long cttl
= ULONG_MAX
, attl
;
962 if (!extract_name(header
, qlen
, &p
, name
, 1, 4))
963 return 0; /* bad packet */
971 /* PTRs: we chase CNAMEs here, since we have no way to
972 represent them in the cache. */
975 int name_encoding
= in_arpa_name_2_addr(name
, &addr
);
980 if (!(flags
& F_NXDOMAIN
))
983 if (!(p1
= skip_questions(header
, qlen
)))
986 for (j
= ntohs(header
->ancount
); j
!= 0; j
--)
988 unsigned char *tmp
= namep
;
989 /* the loop body overwrites the original name, so get it back here. */
990 if (!extract_name(header
, qlen
, &tmp
, name
, 1, 0) ||
991 !(res
= extract_name(header
, qlen
, &p1
, name
, 0, 10)))
992 return 0; /* bad packet */
994 GETSHORT(aqtype
, p1
);
995 GETSHORT(aqclass
, p1
);
997 if ((daemon
->max_ttl
!= 0) && (attl
> daemon
->max_ttl
) && !is_sign
)
1000 PUTLONG(daemon
->max_ttl
, p1
);
1002 GETSHORT(ardlen
, p1
);
1005 /* TTL of record is minimum of CNAMES and PTR */
1009 if (aqclass
== C_IN
&& res
!= 2 && (aqtype
== T_CNAME
|| aqtype
== T_PTR
))
1011 if (!extract_name(header
, qlen
, &p1
, name
, 1, 0))
1014 if (aqtype
== T_CNAME
)
1016 if (!cname_count
-- || secure
)
1017 return 0; /* looped CNAMES, or DNSSEC, which we can't cache. */
1021 cache_insert(name
, &addr
, now
, cttl
, name_encoding
| secflag
| F_REVERSE
);
1026 if (!CHECK_LEN(header
, p1
, qlen
, 0))
1027 return 0; /* bad packet */
1031 if (!found
&& !option_bool(OPT_NO_NEG
))
1036 ttl
= find_soa(header
, qlen
, NULL
, doctored
);
1039 cache_insert(NULL
, &addr
, now
, ttl
, name_encoding
| F_REVERSE
| F_NEG
| flags
| secflag
);
1044 /* everything other than PTR */
1054 else if (qtype
== T_AAAA
)
1056 addrlen
= IN6ADDRSZ
;
1064 if (!(p1
= skip_questions(header
, qlen
)))
1067 for (j
= ntohs(header
->ancount
); j
!= 0; j
--)
1069 if (!(res
= extract_name(header
, qlen
, &p1
, name
, 0, 10)))
1070 return 0; /* bad packet */
1072 GETSHORT(aqtype
, p1
);
1073 GETSHORT(aqclass
, p1
);
1075 if ((daemon
->max_ttl
!= 0) && (attl
> daemon
->max_ttl
) && !is_sign
)
1078 PUTLONG(daemon
->max_ttl
, p1
);
1080 GETSHORT(ardlen
, p1
);
1083 if (aqclass
== C_IN
&& res
!= 2 && (aqtype
== T_CNAME
|| aqtype
== qtype
))
1085 if (aqtype
== T_CNAME
)
1088 return 0; /* looped CNAMES */
1089 newc
= cache_insert(name
, NULL
, now
, attl
, F_CNAME
| F_FORWARD
| secflag
);
1092 newc
->addr
.cname
.target
.cache
= NULL
;
1093 /* anything other than zero, to avoid being mistaken for CNAME to interface-name */
1094 newc
->addr
.cname
.uid
= 1;
1097 cpp
->addr
.cname
.target
.cache
= newc
;
1098 cpp
->addr
.cname
.uid
= newc
->uid
;
1106 if (!extract_name(header
, qlen
, &p1
, name
, 1, 0))
1110 else if (!(flags
& F_NXDOMAIN
))
1114 /* copy address into aligned storage */
1115 if (!CHECK_LEN(header
, p1
, qlen
, addrlen
))
1116 return 0; /* bad packet */
1117 memcpy(&addr
, p1
, addrlen
);
1119 /* check for returned address in private space */
1122 if ((flags
& F_IPV4
) &&
1123 private_net(addr
.addr
.addr4
, !option_bool(OPT_LOCAL_REBIND
)))
1127 if ((flags
& F_IPV6
) &&
1128 IN6_IS_ADDR_V4MAPPED(&addr
.addr
.addr6
))
1131 v4
.s_addr
= ((const uint32_t *) (&addr
.addr
.addr6
))[3];
1132 if (private_net(v4
, !option_bool(OPT_LOCAL_REBIND
)))
1139 if (ipsets
&& (flags
& (F_IPV4
| F_IPV6
)))
1141 ipsets_cur
= ipsets
;
1144 log_query((flags
& (F_IPV4
| F_IPV6
)) | F_IPSET
, name
, &addr
, *ipsets_cur
);
1145 add_to_ipset(*ipsets_cur
++, &addr
, flags
, 0);
1150 newc
= cache_insert(name
, &addr
, now
, attl
, flags
| F_FORWARD
| secflag
);
1153 cpp
->addr
.cname
.target
.cache
= newc
;
1154 cpp
->addr
.cname
.uid
= newc
->uid
;
1161 if (!CHECK_LEN(header
, p1
, qlen
, 0))
1162 return 0; /* bad packet */
1165 if (!found
&& !option_bool(OPT_NO_NEG
))
1170 ttl
= find_soa(header
, qlen
, NULL
, doctored
);
1172 /* If there's no SOA to get the TTL from, but there is a CNAME
1173 pointing at this, inherit its TTL */
1176 newc
= cache_insert(name
, NULL
, now
, ttl
? ttl
: cttl
, F_FORWARD
| F_NEG
| flags
| secflag
);
1179 cpp
->addr
.cname
.target
.cache
= newc
;
1180 cpp
->addr
.cname
.uid
= newc
->uid
;
1187 /* Don't put stuff from a truncated packet into the cache.
1188 Don't cache replies from non-recursive nameservers, since we may get a
1189 reply containing a CNAME but not its target, even though the target
1191 if (!(header
->hb3
& HB3_TC
) &&
1192 !(header
->hb4
& HB4_CD
) &&
1193 (header
->hb4
& HB4_RA
) &&
1200 /* If the packet holds exactly one query
1201 return F_IPV4 or F_IPV6 and leave the name from the query in name */
1202 unsigned int extract_request(struct dns_header
*header
, size_t qlen
, char *name
, unsigned short *typep
)
1204 unsigned char *p
= (unsigned char *)(header
+1);
1210 if (ntohs(header
->qdcount
) != 1 || OPCODE(header
) != QUERY
)
1211 return 0; /* must be exactly one query. */
1213 if (!extract_name(header
, qlen
, &p
, name
, 1, 4))
1214 return 0; /* bad packet */
1217 GETSHORT(qclass
, p
);
1226 if (qtype
== T_AAAA
)
1229 return F_IPV4
| F_IPV6
;
1236 size_t setup_reply(struct dns_header
*header
, size_t qlen
,
1237 struct all_addr
*addrp
, unsigned int flags
, unsigned long ttl
)
1241 if (!(p
= skip_questions(header
, qlen
)))
1244 /* clear authoritative and truncated flags, set QR flag */
1245 header
->hb3
= (header
->hb3
& ~(HB3_AA
| HB3_TC
)) | HB3_QR
;
1247 header
->hb4
|= HB4_RA
;
1249 header
->nscount
= htons(0);
1250 header
->arcount
= htons(0);
1251 header
->ancount
= htons(0); /* no answers unless changed below */
1253 SET_RCODE(header
, SERVFAIL
); /* couldn't get memory */
1254 else if (flags
== F_NOERR
)
1255 SET_RCODE(header
, NOERROR
); /* empty domain */
1256 else if (flags
== F_NXDOMAIN
)
1257 SET_RCODE(header
, NXDOMAIN
);
1258 else if (flags
== F_IPV4
)
1259 { /* we know the address */
1260 SET_RCODE(header
, NOERROR
);
1261 header
->ancount
= htons(1);
1262 header
->hb3
|= HB3_AA
;
1263 add_resource_record(header
, NULL
, NULL
, sizeof(struct dns_header
), &p
, ttl
, NULL
, T_A
, C_IN
, "4", addrp
);
1266 else if (flags
== F_IPV6
)
1268 SET_RCODE(header
, NOERROR
);
1269 header
->ancount
= htons(1);
1270 header
->hb3
|= HB3_AA
;
1271 add_resource_record(header
, NULL
, NULL
, sizeof(struct dns_header
), &p
, ttl
, NULL
, T_AAAA
, C_IN
, "6", addrp
);
1274 else /* nowhere to forward to */
1275 SET_RCODE(header
, REFUSED
);
1277 return p
- (unsigned char *)header
;
1280 /* check if name matches local names ie from /etc/hosts or DHCP or local mx names. */
1281 int check_for_local_domain(char *name
, time_t now
)
1284 struct mx_srv_record
*mx
;
1285 struct txt_record
*txt
;
1286 struct interface_name
*intr
;
1287 struct ptr_record
*ptr
;
1288 struct naptr
*naptr
;
1290 /* Note: the call to cache_find_by_name is intended to find any record which matches
1291 ie A, AAAA, CNAME, DS. Because RRSIG records are marked by setting both F_DS and F_DNSKEY,
1292 cache_find_by name ordinarily only returns records with an exact match on those bits (ie
1293 for the call below, only DS records). The F_NSIGMATCH bit changes this behaviour */
1295 if ((crecp
= cache_find_by_name(NULL
, name
, now
, F_IPV4
| F_IPV6
| F_CNAME
| F_DS
| F_NO_RR
| F_NSIGMATCH
)) &&
1296 (crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)))
1299 for (naptr
= daemon
->naptr
; naptr
; naptr
= naptr
->next
)
1300 if (hostname_isequal(name
, naptr
->name
))
1303 for (mx
= daemon
->mxnames
; mx
; mx
= mx
->next
)
1304 if (hostname_isequal(name
, mx
->name
))
1307 for (txt
= daemon
->txt
; txt
; txt
= txt
->next
)
1308 if (hostname_isequal(name
, txt
->name
))
1311 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1312 if (hostname_isequal(name
, intr
->name
))
1315 for (ptr
= daemon
->ptr
; ptr
; ptr
= ptr
->next
)
1316 if (hostname_isequal(name
, ptr
->name
))
1322 /* Is the packet a reply with the answer address equal to addr?
1323 If so mung is into an NXDOMAIN reply and also put that information
1325 int check_for_bogus_wildcard(struct dns_header
*header
, size_t qlen
, char *name
,
1326 struct bogus_addr
*baddr
, time_t now
)
1329 int i
, qtype
, qclass
, rdlen
;
1331 struct bogus_addr
*baddrp
;
1333 /* skip over questions */
1334 if (!(p
= skip_questions(header
, qlen
)))
1335 return 0; /* bad packet */
1337 for (i
= ntohs(header
->ancount
); i
!= 0; i
--)
1339 if (!extract_name(header
, qlen
, &p
, name
, 1, 10))
1340 return 0; /* bad packet */
1343 GETSHORT(qclass
, p
);
1347 if (qclass
== C_IN
&& qtype
== T_A
)
1349 if (!CHECK_LEN(header
, p
, qlen
, INADDRSZ
))
1352 for (baddrp
= baddr
; baddrp
; baddrp
= baddrp
->next
)
1353 if (memcmp(&baddrp
->addr
, p
, INADDRSZ
) == 0)
1355 /* Found a bogus address. Insert that info here, since there no SOA record
1356 to get the ttl from in the normal processing */
1357 cache_start_insert();
1358 cache_insert(name
, NULL
, now
, ttl
, F_IPV4
| F_FORWARD
| F_NEG
| F_NXDOMAIN
);
1365 if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
1372 int check_for_ignored_address(struct dns_header
*header
, size_t qlen
, struct bogus_addr
*baddr
)
1375 int i
, qtype
, qclass
, rdlen
;
1376 struct bogus_addr
*baddrp
;
1378 /* skip over questions */
1379 if (!(p
= skip_questions(header
, qlen
)))
1380 return 0; /* bad packet */
1382 for (i
= ntohs(header
->ancount
); i
!= 0; i
--)
1384 if (!(p
= skip_name(p
, header
, qlen
, 10)))
1385 return 0; /* bad packet */
1388 GETSHORT(qclass
, p
);
1392 if (qclass
== C_IN
&& qtype
== T_A
)
1394 if (!CHECK_LEN(header
, p
, qlen
, INADDRSZ
))
1397 for (baddrp
= baddr
; baddrp
; baddrp
= baddrp
->next
)
1398 if (memcmp(&baddrp
->addr
, p
, INADDRSZ
) == 0)
1402 if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
1409 int add_resource_record(struct dns_header
*header
, char *limit
, int *truncp
, int nameoffset
, unsigned char **pp
,
1410 unsigned long ttl
, int *offset
, unsigned short type
, unsigned short class, char *format
, ...)
1413 unsigned char *sav
, *p
= *pp
;
1415 unsigned short usval
;
1419 if (truncp
&& *truncp
)
1422 va_start(ap
, format
); /* make ap point to 1st unamed argument */
1426 PUTSHORT(nameoffset
| 0xc000, p
);
1430 char *name
= va_arg(ap
, char *);
1432 p
= do_rfc1035_name(p
, name
);
1435 PUTSHORT(-nameoffset
| 0xc000, p
);
1443 PUTLONG(ttl
, p
); /* TTL */
1445 sav
= p
; /* Save pointer to RDLength field */
1446 PUTSHORT(0, p
); /* Placeholder RDLength */
1448 for (; *format
; format
++)
1453 sval
= va_arg(ap
, char *);
1454 memcpy(p
, sval
, IN6ADDRSZ
);
1460 sval
= va_arg(ap
, char *);
1461 memcpy(p
, sval
, INADDRSZ
);
1466 usval
= va_arg(ap
, int);
1471 usval
= va_arg(ap
, int);
1476 lval
= va_arg(ap
, long);
1481 /* get domain-name answer arg and store it in RDATA field */
1483 *offset
= p
- (unsigned char *)header
;
1484 p
= do_rfc1035_name(p
, va_arg(ap
, char *));
1489 usval
= va_arg(ap
, int);
1490 sval
= va_arg(ap
, char *);
1492 memcpy(p
, sval
, usval
);
1497 sval
= va_arg(ap
, char *);
1498 usval
= sval
? strlen(sval
) : 0;
1501 *p
++ = (unsigned char)usval
;
1502 memcpy(p
, sval
, usval
);
1507 va_end(ap
); /* clean up variable argument pointer */
1510 PUTSHORT(j
, sav
); /* Now, store real RDLength */
1512 /* check for overflow of buffer */
1513 if (limit
&& ((unsigned char *)limit
- p
) < 0)
1524 static unsigned long crec_ttl(struct crec
*crecp
, time_t now
)
1526 /* Return 0 ttl for DHCP entries, which might change
1527 before the lease expires. */
1529 if (crecp
->flags
& (F_IMMORTAL
| F_DHCP
))
1530 return daemon
->local_ttl
;
1532 /* Return the Max TTL value if it is lower then the actual TTL */
1533 if (daemon
->max_ttl
== 0 || ((unsigned)(crecp
->ttd
- now
) < daemon
->max_ttl
))
1534 return crecp
->ttd
- now
;
1536 return daemon
->max_ttl
;
1540 /* return zero if we can't answer from cache, or packet size if we can */
1541 size_t answer_request(struct dns_header
*header
, char *limit
, size_t qlen
,
1542 struct in_addr local_addr
, struct in_addr local_netmask
,
1543 time_t now
, int *ad_reqd
, int *do_bit
)
1545 char *name
= daemon
->namebuff
;
1546 unsigned char *p
, *ansp
, *pheader
;
1547 unsigned int qtype
, qclass
;
1548 struct all_addr addr
;
1550 unsigned short flag
;
1551 int q
, ans
, anscount
= 0, addncount
= 0;
1552 int dryrun
= 0, sec_reqd
= 0, have_pseudoheader
= 0;
1554 int nxdomain
= 0, auth
= 1, trunc
= 0, sec_data
= 1;
1555 struct mx_srv_record
*rec
;
1558 /* Don't return AD set if checking disabled. */
1559 if (header
->hb4
& HB4_CD
)
1563 *ad_reqd
= header
->hb4
& HB4_AD
;
1566 /* If there is an RFC2671 pseudoheader then it will be overwritten by
1567 partial replies, so we have to do a dry run to see if we can answer
1568 the query. We check to see if the do bit is set, if so we always
1569 forward rather than answering from the cache, which doesn't include
1570 security information, unless we're in DNSSEC validation mode. */
1572 if (find_pseudoheader(header
, qlen
, NULL
, &pheader
, NULL
))
1574 unsigned short flags
;
1576 have_pseudoheader
= 1;
1578 pheader
+= 4; /* udp size, ext_rcode */
1579 GETSHORT(flags
, pheader
);
1581 if ((sec_reqd
= flags
& 0x8000))
1582 *do_bit
= 1;/* do bit */
1588 if (ntohs(header
->qdcount
) == 0 || OPCODE(header
) != QUERY
)
1591 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
1595 /* determine end of question section (we put answers there) */
1596 if (!(ansp
= skip_questions(header
, qlen
)))
1597 return 0; /* bad packet */
1599 /* now process each question, answers go in RRs after the question */
1600 p
= (unsigned char *)(header
+1);
1602 for (q
= ntohs(header
->qdcount
); q
!= 0; q
--)
1604 /* save pointer to name for copying into answers */
1605 nameoffset
= p
- (unsigned char *)header
;
1607 /* now extract name as .-concatenated string into name */
1608 if (!extract_name(header
, qlen
, &p
, name
, 1, 4))
1609 return 0; /* bad packet */
1612 GETSHORT(qclass
, p
);
1614 /* Don't filter RRSIGS from answers to ANY queries, even if do-bit
1619 ans
= 0; /* have we answered this question */
1621 if (qtype
== T_TXT
|| qtype
== T_ANY
)
1623 struct txt_record
*t
;
1624 for(t
= daemon
->txt
; t
; t
= t
->next
)
1626 if (t
->class == qclass
&& hostname_isequal(name
, t
->name
))
1631 unsigned long ttl
= daemon
->local_ttl
;
1633 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<TXT>");
1634 /* Dynamically generate stat record */
1638 if (!cache_make_stat(t
))
1642 if (ok
&& add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1644 T_TXT
, t
->class, "t", t
->len
, t
->txt
))
1653 if (option_bool(OPT_DNSSEC_VALID
) && (qtype
== T_DNSKEY
|| qtype
== T_DS
))
1656 struct blockdata
*keydata
;
1658 /* Do we have RRSIG? Can't do DS or DNSKEY otherwise. */
1662 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DNSKEY
| F_DS
)))
1663 if (crecp
->uid
== qclass
&& crecp
->addr
.sig
.type_covered
== qtype
)
1667 if (!sec_reqd
|| crecp
)
1672 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DS
)))
1673 if (crecp
->uid
== qclass
)
1678 if (crecp
->flags
& F_NEG
)
1680 if (crecp
->flags
& F_NXDOMAIN
)
1682 log_query(F_UPSTREAM
, name
, NULL
, "no DS");
1684 else if ((keydata
= blockdata_retrieve(crecp
->addr
.ds
.keydata
, crecp
->addr
.ds
.keylen
, NULL
)))
1687 a
.addr
.keytag
= crecp
->addr
.ds
.keytag
;
1688 log_query(F_KEYTAG
| (crecp
->flags
& F_CONFIG
), name
, &a
, "DS keytag %u");
1689 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1690 crec_ttl(crecp
, now
), &nameoffset
,
1691 T_DS
, qclass
, "sbbt",
1692 crecp
->addr
.ds
.keytag
, crecp
->addr
.ds
.algo
,
1693 crecp
->addr
.ds
.digest
, crecp
->addr
.ds
.keylen
, keydata
))
1703 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DNSKEY
)))
1704 if (crecp
->uid
== qclass
)
1707 if (!dryrun
&& (keydata
= blockdata_retrieve(crecp
->addr
.key
.keydata
, crecp
->addr
.key
.keylen
, NULL
)))
1710 a
.addr
.keytag
= crecp
->addr
.key
.keytag
;
1711 log_query(F_KEYTAG
| (crecp
->flags
& F_CONFIG
), name
, &a
, "DNSKEY keytag %u");
1712 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1713 crec_ttl(crecp
, now
), &nameoffset
,
1714 T_DNSKEY
, qclass
, "sbbt",
1715 crecp
->addr
.key
.flags
, 3, crecp
->addr
.key
.algo
, crecp
->addr
.key
.keylen
, keydata
))
1727 if (!dryrun
&& sec_reqd
)
1730 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DNSKEY
| F_DS
)))
1731 if (crecp
->uid
== qclass
&& crecp
->addr
.sig
.type_covered
== qtype
&&
1732 (keydata
= blockdata_retrieve(crecp
->addr
.sig
.keydata
, crecp
->addr
.sig
.keylen
, NULL
)))
1734 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1735 crec_ttl(crecp
, now
), &nameoffset
,
1736 T_RRSIG
, qclass
, "t", crecp
->addr
.sig
.keylen
, keydata
);
1746 struct txt_record
*t
;
1748 for (t
= daemon
->rr
; t
; t
= t
->next
)
1749 if ((t
->class == qtype
|| qtype
== T_ANY
) && hostname_isequal(name
, t
->name
))
1754 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<RR>");
1755 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1756 daemon
->local_ttl
, NULL
,
1757 t
->class, C_IN
, "t", t
->len
, t
->txt
))
1762 if (qtype
== T_PTR
|| qtype
== T_ANY
)
1764 /* see if it's w.x.y.z.in-addr.arpa (reverse lookup) format */
1765 int is_arpa
= in_arpa_name_2_addr(name
, &addr
);
1766 struct ptr_record
*ptr
;
1767 struct interface_name
* intr
= NULL
;
1769 for (ptr
= daemon
->ptr
; ptr
; ptr
= ptr
->next
)
1770 if (hostname_isequal(name
, ptr
->name
))
1773 if (is_arpa
== F_IPV4
)
1774 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1776 struct addrlist
*addrlist
;
1778 for (addrlist
= intr
->addr
; addrlist
; addrlist
= addrlist
->next
)
1779 if (!(addrlist
->flags
& ADDRLIST_IPV6
) && addr
.addr
.addr4
.s_addr
== addrlist
->addr
.addr
.addr4
.s_addr
)
1785 while (intr
->next
&& strcmp(intr
->intr
, intr
->next
->intr
) == 0)
1789 else if (is_arpa
== F_IPV6
)
1790 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1792 struct addrlist
*addrlist
;
1794 for (addrlist
= intr
->addr
; addrlist
; addrlist
= addrlist
->next
)
1795 if ((addrlist
->flags
& ADDRLIST_IPV6
) && IN6_ARE_ADDR_EQUAL(&addr
.addr
.addr6
, &addrlist
->addr
.addr
.addr6
))
1801 while (intr
->next
&& strcmp(intr
->intr
, intr
->next
->intr
) == 0)
1811 log_query(is_arpa
| F_REVERSE
| F_CONFIG
, intr
->name
, &addr
, NULL
);
1812 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1813 daemon
->local_ttl
, NULL
,
1814 T_PTR
, C_IN
, "d", intr
->name
))
1823 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<PTR>");
1824 for (ptr
= daemon
->ptr
; ptr
; ptr
= ptr
->next
)
1825 if (hostname_isequal(name
, ptr
->name
) &&
1826 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1827 daemon
->local_ttl
, NULL
,
1828 T_PTR
, C_IN
, "d", ptr
->ptr
))
1833 else if ((crecp
= cache_find_by_addr(NULL
, &addr
, now
, is_arpa
)))
1835 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)) && sec_reqd
)
1837 if (!option_bool(OPT_DNSSEC_VALID
) || ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
)))
1840 else if (crecp
->flags
& F_DNSSECOK
)
1843 struct crec
*rr_crec
= NULL
;
1845 while ((rr_crec
= cache_find_by_name(rr_crec
, name
, now
, F_DS
| F_DNSKEY
)))
1847 if (rr_crec
->addr
.sig
.type_covered
== T_PTR
&& rr_crec
->uid
== C_IN
)
1849 char *sigdata
= blockdata_retrieve(rr_crec
->addr
.sig
.keydata
, rr_crec
->addr
.sig
.keylen
, NULL
);
1853 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1854 rr_crec
->ttd
- now
, &nameoffset
,
1855 T_RRSIG
, C_IN
, "t", crecp
->addr
.sig
.keylen
, sigdata
))
1870 /* don't answer wildcard queries with data not from /etc/hosts or dhcp leases */
1871 if (qtype
== T_ANY
&& !(crecp
->flags
& (F_HOSTS
| F_DHCP
)))
1874 if (!(crecp
->flags
& F_DNSSECOK
))
1877 if (crecp
->flags
& F_NEG
)
1881 if (crecp
->flags
& F_NXDOMAIN
)
1884 log_query(crecp
->flags
& ~F_FORWARD
, name
, &addr
, NULL
);
1886 else if ((crecp
->flags
& (F_HOSTS
| F_DHCP
)) || !sec_reqd
|| option_bool(OPT_DNSSEC_VALID
))
1889 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
)))
1893 log_query(crecp
->flags
& ~F_FORWARD
, cache_get_name(crecp
), &addr
,
1894 record_source(crecp
->uid
));
1896 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1897 crec_ttl(crecp
, now
), NULL
,
1898 T_PTR
, C_IN
, "d", cache_get_name(crecp
)))
1902 } while ((crecp
= cache_find_by_addr(crecp
, &addr
, now
, is_arpa
)));
1905 else if (is_rev_synth(is_arpa
, &addr
, name
))
1910 log_query(F_CONFIG
| F_REVERSE
| is_arpa
, name
, &addr
, NULL
);
1912 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1913 daemon
->local_ttl
, NULL
,
1914 T_PTR
, C_IN
, "d", name
))
1918 else if (is_arpa
== F_IPV4
&&
1919 option_bool(OPT_BOGUSPRIV
) &&
1920 private_net(addr
.addr
.addr4
, 1))
1922 /* if not in cache, enabled and private IPV4 address, return NXDOMAIN */
1926 log_query(F_CONFIG
| F_REVERSE
| F_IPV4
| F_NEG
| F_NXDOMAIN
,
1931 for (flag
= F_IPV4
; flag
; flag
= (flag
== F_IPV4
) ? F_IPV6
: 0)
1933 unsigned short type
= T_A
;
1934 struct interface_name
*intr
;
1943 if (qtype
!= type
&& qtype
!= T_ANY
)
1946 /* Check for "A for A" queries; be rather conservative
1947 about what looks like dotted-quad. */
1954 for (cp
= name
, i
= 0, a
= 0; *cp
; i
++)
1956 if (!isdigit((unsigned char)*cp
) || (x
= strtol(cp
, &cp
, 10)) > 255)
1973 addr
.addr
.addr4
.s_addr
= htonl(a
);
1974 log_query(F_FORWARD
| F_CONFIG
| F_IPV4
, name
, &addr
, NULL
);
1975 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1976 daemon
->local_ttl
, NULL
, type
, C_IN
, "4", &addr
))
1983 /* interface name stuff */
1985 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1986 if (hostname_isequal(name
, intr
->name
))
1991 struct addrlist
*addrlist
;
1994 enumerate_interfaces(0);
1996 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1997 if (hostname_isequal(name
, intr
->name
))
1999 for (addrlist
= intr
->addr
; addrlist
; addrlist
= addrlist
->next
)
2001 if (((addrlist
->flags
& ADDRLIST_IPV6
) ? T_AAAA
: T_A
) == type
)
2005 if (addrlist
->flags
& ADDRLIST_REVONLY
)
2012 log_query(F_FORWARD
| F_CONFIG
| flag
, name
, &addrlist
->addr
, NULL
);
2013 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2014 daemon
->local_ttl
, NULL
, type
, C_IN
,
2015 type
== T_A
? "4" : "6", &addrlist
->addr
))
2021 if (!dryrun
&& !gotit
)
2022 log_query(F_FORWARD
| F_CONFIG
| flag
| F_NEG
, name
, NULL
, NULL
);
2028 if ((crecp
= cache_find_by_name(NULL
, name
, now
, flag
| F_CNAME
| (dryrun
? F_NO_RR
: 0))))
2032 /* See if a putative address is on the network from which we received
2033 the query; if so we'll filter other answers. */
2034 if (local_addr
.s_addr
!= 0 && option_bool(OPT_LOCALISE
) && flag
== F_IPV4
)
2036 struct crec
*save
= crecp
;
2038 if ((crecp
->flags
& F_HOSTS
) &&
2039 is_same_net(*((struct in_addr
*)&crecp
->addr
), local_addr
, local_netmask
))
2044 } while ((crecp
= cache_find_by_name(crecp
, name
, now
, flag
| F_CNAME
)));
2048 /* If the client asked for DNSSEC and we can't provide RRSIGs, either
2049 because we're not doing DNSSEC validation or the cached answer is a validated
2050 negative one (we don't cache NSEC records), don't answer from the cache, forward instead. */
2051 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)) && sec_reqd
)
2053 if (!option_bool(OPT_DNSSEC_VALID
) || ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
)))
2056 else if (crecp
->flags
& F_DNSSECOK
)
2058 /* We're returning validated data, need to return the RRSIG too. */
2059 struct crec
*rr_crec
= NULL
;
2061 /* The signature may have expired even though the data is still in cache,
2062 forward instead of answering from cache if so. */
2065 if (crecp
->flags
& F_CNAME
)
2068 while ((rr_crec
= cache_find_by_name(rr_crec
, name
, now
, F_DS
| F_DNSKEY
)))
2070 if (rr_crec
->addr
.sig
.type_covered
== sigtype
&& rr_crec
->uid
== C_IN
)
2072 char *sigdata
= blockdata_retrieve(rr_crec
->addr
.sig
.keydata
, rr_crec
->addr
.sig
.keylen
, NULL
);
2076 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2077 rr_crec
->ttd
- now
, &nameoffset
,
2078 T_RRSIG
, C_IN
, "t", rr_crec
->addr
.sig
.keylen
, sigdata
))
2092 /* don't answer wildcard queries with data not from /etc/hosts
2094 if (qtype
== T_ANY
&& !(crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)))
2097 if (!(crecp
->flags
& F_DNSSECOK
))
2100 if (crecp
->flags
& F_CNAME
)
2102 char *cname_target
= cache_get_cname_target(crecp
);
2106 log_query(crecp
->flags
, name
, NULL
, record_source(crecp
->uid
));
2107 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2108 crec_ttl(crecp
, now
), &nameoffset
,
2109 T_CNAME
, C_IN
, "d", cname_target
))
2113 strcpy(name
, cname_target
);
2114 /* check if target interface_name */
2115 if (crecp
->addr
.cname
.uid
== SRC_INTERFACE
)
2116 goto intname_restart
;
2121 if (crecp
->flags
& F_NEG
)
2123 /* We don't cache NSEC records, so if a DNSSEC-validated negative answer
2124 is cached and the client wants DNSSEC, forward rather than answering from the cache */
2125 if (!sec_reqd
|| !(crecp
->flags
& F_DNSSECOK
))
2129 if (crecp
->flags
& F_NXDOMAIN
)
2132 log_query(crecp
->flags
, name
, NULL
, NULL
);
2137 /* If we are returning local answers depending on network,
2140 (crecp
->flags
& F_HOSTS
) &&
2141 !is_same_net(*((struct in_addr
*)&crecp
->addr
), local_addr
, local_netmask
))
2144 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
)))
2150 log_query(crecp
->flags
& ~F_REVERSE
, name
, &crecp
->addr
.addr
,
2151 record_source(crecp
->uid
));
2153 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2154 crec_ttl(crecp
, now
), NULL
, type
, C_IN
,
2155 type
== T_A
? "4" : "6", &crecp
->addr
))
2159 } while ((crecp
= cache_find_by_name(crecp
, name
, now
, flag
| F_CNAME
)));
2161 else if (is_name_synthetic(flag
, name
, &addr
))
2166 log_query(F_FORWARD
| F_CONFIG
| flag
, name
, &addr
, NULL
);
2167 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2168 daemon
->local_ttl
, NULL
, type
, C_IN
, type
== T_A
? "4" : "6", &addr
))
2174 if (qtype
== T_CNAME
|| qtype
== T_ANY
)
2176 if ((crecp
= cache_find_by_name(NULL
, name
, now
, F_CNAME
)) &&
2177 (qtype
== T_CNAME
|| (crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
| (dryrun
? F_NO_RR
: 0)))))
2179 if (!(crecp
->flags
& F_DNSSECOK
))
2185 log_query(crecp
->flags
, name
, NULL
, record_source(crecp
->uid
));
2186 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2187 crec_ttl(crecp
, now
), &nameoffset
,
2188 T_CNAME
, C_IN
, "d", cache_get_cname_target(crecp
)))
2194 if (qtype
== T_MX
|| qtype
== T_ANY
)
2197 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
2198 if (!rec
->issrv
&& hostname_isequal(name
, rec
->name
))
2204 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<MX>");
2205 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
,
2206 &offset
, T_MX
, C_IN
, "sd", rec
->weight
, rec
->target
))
2210 rec
->offset
= offset
;
2215 if (!found
&& (option_bool(OPT_SELFMX
) || option_bool(OPT_LOCALMX
)) &&
2216 cache_find_by_name(NULL
, name
, now
, F_HOSTS
| F_DHCP
| F_NO_RR
))
2221 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<MX>");
2222 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
, NULL
,
2223 T_MX
, C_IN
, "sd", 1,
2224 option_bool(OPT_SELFMX
) ? name
: daemon
->mxtarget
))
2230 if (qtype
== T_SRV
|| qtype
== T_ANY
)
2233 struct mx_srv_record
*move
= NULL
, **up
= &daemon
->mxnames
;
2235 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
2236 if (rec
->issrv
&& hostname_isequal(name
, rec
->name
))
2242 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<SRV>");
2243 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
,
2244 &offset
, T_SRV
, C_IN
, "sssd",
2245 rec
->priority
, rec
->weight
, rec
->srvport
, rec
->target
))
2249 rec
->offset
= offset
;
2253 /* unlink first SRV record found */
2265 /* put first SRV record back at the end. */
2272 if (!found
&& option_bool(OPT_FILTER
) && (qtype
== T_SRV
|| (qtype
== T_ANY
&& strchr(name
, '_'))))
2276 log_query(F_CONFIG
| F_NEG
, name
, NULL
, NULL
);
2280 if (qtype
== T_NAPTR
|| qtype
== T_ANY
)
2283 for (na
= daemon
->naptr
; na
; na
= na
->next
)
2284 if (hostname_isequal(name
, na
->name
))
2289 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<NAPTR>");
2290 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
,
2291 NULL
, T_NAPTR
, C_IN
, "sszzzd",
2292 na
->order
, na
->pref
, na
->flags
, na
->services
, na
->regexp
, na
->replace
))
2298 if (qtype
== T_MAILB
)
2299 ans
= 1, nxdomain
= 1;
2301 if (qtype
== T_SOA
&& option_bool(OPT_FILTER
))
2305 log_query(F_CONFIG
| F_NEG
, name
, &addr
, NULL
);
2310 return 0; /* failed to answer a question */
2319 /* create an additional data section, for stuff in SRV and MX record replies. */
2320 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
2321 if (rec
->offset
!= 0)
2324 struct mx_srv_record
*tmp
;
2325 for (tmp
= rec
->next
; tmp
; tmp
= tmp
->next
)
2326 if (tmp
->offset
!= 0 && hostname_isequal(rec
->target
, tmp
->target
))
2330 while ((crecp
= cache_find_by_name(crecp
, rec
->target
, now
, F_IPV4
| F_IPV6
)))
2333 int type
= crecp
->flags
& F_IPV4
? T_A
: T_AAAA
;
2337 if (crecp
->flags
& F_NEG
)
2340 if (add_resource_record(header
, limit
, NULL
, rec
->offset
, &ansp
,
2341 crec_ttl(crecp
, now
), NULL
, type
, C_IN
,
2342 crecp
->flags
& F_IPV4
? "4" : "6", &crecp
->addr
))
2347 /* done all questions, set up header and return length of result */
2348 /* clear authoritative and truncated flags, set QR flag */
2349 header
->hb3
= (header
->hb3
& ~(HB3_AA
| HB3_TC
)) | HB3_QR
;
2351 header
->hb4
|= HB4_RA
;
2353 /* authoritative - only hosts and DHCP derived names. */
2355 header
->hb3
|= HB3_AA
;
2359 header
->hb3
|= HB3_TC
;
2362 SET_RCODE(header
, NXDOMAIN
);
2364 SET_RCODE(header
, NOERROR
); /* no error */
2365 header
->ancount
= htons(anscount
);
2366 header
->nscount
= htons(0);
2367 header
->arcount
= htons(addncount
);
2369 len
= ansp
- (unsigned char *)header
;
2371 if (have_pseudoheader
)
2372 len
= add_pseudoheader(header
, len
, (unsigned char *)limit
, 0, NULL
, 0, sec_reqd
);
2374 if (*ad_reqd
&& sec_data
)
2375 header
->hb4
|= HB4_AD
;
2377 header
->hb4
&= ~HB4_AD
;