]>
Commit | Line | Data |
---|---|---|
86c152f2 | 1 | /* |
6edbf68a PL |
2 | * This file is part of PowerDNS or dnsdist. |
3 | * Copyright -- PowerDNS.COM B.V. and its contributors | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of version 2 of the GNU General Public License as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * In addition, for the avoidance of any doubt, permission is granted to | |
10 | * link this program with OpenSSL and to (re)distribute the binaries | |
11 | * produced as the result of such linking. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU General Public License | |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
21 | */ | |
870a0fe4 AT |
22 | #ifdef HAVE_CONFIG_H |
23 | #include "config.h" | |
24 | #endif | |
fa8fd4d2 | 25 | |
86c152f2 | 26 | #include "arguments.hh" |
6dfff36f | 27 | #include "cachecleaner.hh" |
51e2144e | 28 | #include "dns_random.hh" |
6dfff36f RG |
29 | #include "dnsparser.hh" |
30 | #include "dnsrecords.hh" | |
376effcf | 31 | #include "ednssubnet.hh" |
6dfff36f RG |
32 | #include "logger.hh" |
33 | #include "lua-recursor4.hh" | |
ad42489c | 34 | #include "rec-lua-conf.hh" |
6dfff36f RG |
35 | #include "syncres.hh" |
36 | ||
a712cb56 | 37 | thread_local SyncRes::ThreadLocalStorage SyncRes::t_sstorage; |
bb4bdbaf | 38 | |
a9af3782 | 39 | unsigned int SyncRes::s_maxnegttl; |
c3e753c7 | 40 | unsigned int SyncRes::s_maxcachettl; |
1051f8a9 BH |
41 | unsigned int SyncRes::s_packetcachettl; |
42 | unsigned int SyncRes::s_packetcacheservfailttl; | |
628e2c7b PA |
43 | unsigned int SyncRes::s_serverdownmaxfails; |
44 | unsigned int SyncRes::s_serverdownthrottletime; | |
aebb81e4 | 45 | std::atomic<uint64_t> SyncRes::s_queries; |
46 | std::atomic<uint64_t> SyncRes::s_outgoingtimeouts; | |
47 | std::atomic<uint64_t> SyncRes::s_outgoing4timeouts; | |
48 | std::atomic<uint64_t> SyncRes::s_outgoing6timeouts; | |
49 | std::atomic<uint64_t> SyncRes::s_outqueries; | |
50 | std::atomic<uint64_t> SyncRes::s_tcpoutqueries; | |
51 | std::atomic<uint64_t> SyncRes::s_throttledqueries; | |
52 | std::atomic<uint64_t> SyncRes::s_dontqueries; | |
53 | std::atomic<uint64_t> SyncRes::s_nodelegated; | |
54 | std::atomic<uint64_t> SyncRes::s_unreachables; | |
e9f9b8ec RG |
55 | uint8_t SyncRes::s_ecsipv4limit; |
56 | uint8_t SyncRes::s_ecsipv6limit; | |
aadceba8 | 57 | unsigned int SyncRes::s_minimumTTL; |
996c89cc | 58 | bool SyncRes::s_doIPv6; |
1051f8a9 | 59 | bool SyncRes::s_nopacketcache; |
01402d56 | 60 | bool SyncRes::s_rootNXTrust; |
173d790e | 61 | unsigned int SyncRes::s_maxqperq; |
9de3e034 | 62 | unsigned int SyncRes::s_maxtotusec; |
7c3398aa | 63 | unsigned int SyncRes::s_maxdepth; |
a9af3782 | 64 | string SyncRes::s_serverID; |
77499b05 | 65 | SyncRes::LogMode SyncRes::s_lm; |
9065eb05 RG |
66 | std::unordered_set<DNSName> SyncRes::s_delegationOnly; |
67 | std::unique_ptr<NetmaskGroup> SyncRes::s_dontQuery{nullptr}; | |
68 | NetmaskGroup SyncRes::s_ednssubnets; | |
69 | SuffixMatchNode SyncRes::s_ednsdomains; | |
c836dc19 | 70 | |
77499b05 | 71 | #define LOG(x) if(d_lm == Log) { L <<Logger::Warning << x; } else if(d_lm == Store) { d_trace << x; } |
728485ca | 72 | |
4bfae16d | 73 | bool SyncRes::s_noEDNS; |
3de83124 | 74 | |
69cbdef9 | 75 | static void accountAuthLatency(int usec, int family) |
11adfdd3 | 76 | { |
7b75810e | 77 | if(family == AF_INET) { |
78 | if(usec < 1000) | |
79 | g_stats.auth4Answers0_1++; | |
80 | else if(usec < 10000) | |
81 | g_stats.auth4Answers1_10++; | |
82 | else if(usec < 100000) | |
83 | g_stats.auth4Answers10_100++; | |
84 | else if(usec < 1000000) | |
85 | g_stats.auth4Answers100_1000++; | |
86 | else | |
87 | g_stats.auth4AnswersSlow++; | |
88 | } else { | |
89 | if(usec < 1000) | |
90 | g_stats.auth6Answers0_1++; | |
91 | else if(usec < 10000) | |
92 | g_stats.auth6Answers1_10++; | |
93 | else if(usec < 100000) | |
94 | g_stats.auth6Answers10_100++; | |
95 | else if(usec < 1000000) | |
96 | g_stats.auth6Answers100_1000++; | |
97 | else | |
98 | g_stats.auth6AnswersSlow++; | |
99 | } | |
100 | ||
11adfdd3 | 101 | } |
102 | ||
4465e941 | 103 | |
ac0e821b | 104 | SyncRes::SyncRes(const struct timeval& now) : d_outqueries(0), d_tcpoutqueries(0), d_throttledqueries(0), d_timeouts(0), d_unreachables(0), |
30ee601a RG |
105 | d_totUsec(0), d_now(now), |
106 | d_cacheonly(false), d_nocache(false), d_doDNSSEC(false), d_doEDNS0(false), d_lm(s_lm) | |
232f0877 | 107 | |
ac0e821b | 108 | { |
ac0e821b BH |
109 | } |
110 | ||
728485ca | 111 | /** everything begins here - this is the entry point just after receiving a packet */ |
e325f20c | 112 | int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qclass, vector<DNSRecord>&ret) |
728485ca | 113 | { |
c836dc19 | 114 | s_queries++; |
3762e821 | 115 | d_wasVariable=false; |
9fc36e90 | 116 | d_wasOutOfBand=false; |
710af846 | 117 | |
db50a7f4 PL |
118 | if (doSpecialNamesResolve(qname, qtype, qclass, ret)) |
119 | return 0; | |
120 | ||
fad4e1b2 | 121 | if( (qtype.getCode() == QType::AXFR) || (qtype.getCode() == QType::IXFR)) |
693dbe65 | 122 | return -1; |
710af846 | 123 | |
db50a7f4 PL |
124 | if(qclass==QClass::ANY) |
125 | qclass=QClass::IN; | |
126 | else if(qclass!=QClass::IN) | |
127 | return -1; | |
8171ab83 | 128 | |
db50a7f4 PL |
129 | set<GetBestNSAnswer> beenthere; |
130 | int res=doResolve(qname, qtype, ret, 0, beenthere); | |
131 | return res; | |
132 | } | |
133 | ||
134 | /*! Handles all special, built-in names | |
135 | * Fills ret with an answer and returns true if it handled the query. | |
136 | * | |
d03c1b70 | 137 | * Handles the following queries (and their ANY variants): |
db50a7f4 PL |
138 | * |
139 | * - localhost. IN A | |
140 | * - localhost. IN AAAA | |
141 | * - 1.0.0.127.in-addr.arpa. IN PTR | |
142 | * - 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. IN PTR | |
143 | * - version.bind. CH TXT | |
144 | * - version.pdns. CH TXT | |
145 | * - id.server. CH TXT | |
db50a7f4 | 146 | */ |
6dfff36f | 147 | bool SyncRes::doSpecialNamesResolve(const DNSName &qname, const QType &qtype, const uint16_t qclass, vector<DNSRecord> &ret) |
db50a7f4 PL |
148 | { |
149 | static const DNSName arpa("1.0.0.127.in-addr.arpa."), ip6_arpa("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."), | |
150 | localhost("localhost."), versionbind("version.bind."), idserver("id.server."), versionpdns("version.pdns."); | |
151 | ||
152 | bool handled = false; | |
d03c1b70 | 153 | vector<pair<QType::typeenum, string> > answers; |
db50a7f4 | 154 | |
d03c1b70 PL |
155 | if ((qname == arpa || qname == ip6_arpa) && |
156 | qclass == QClass::IN) { | |
db50a7f4 | 157 | handled = true; |
d03c1b70 PL |
158 | if (qtype == QType::PTR || qtype == QType::ANY) |
159 | answers.push_back({QType::PTR, "localhost."}); | |
db50a7f4 PL |
160 | } |
161 | ||
d03c1b70 PL |
162 | if (qname == localhost && |
163 | qclass == QClass::IN) { | |
db50a7f4 | 164 | handled = true; |
d03c1b70 PL |
165 | if (qtype == QType::A || qtype == QType::ANY) |
166 | answers.push_back({QType::A, "127.0.0.1"}); | |
167 | if (qtype == QType::AAAA || qtype == QType::ANY) | |
168 | answers.push_back({QType::AAAA, "::1"}); | |
db50a7f4 PL |
169 | } |
170 | ||
d03c1b70 PL |
171 | if ((qname == versionbind || qname == idserver || qname == versionpdns) && |
172 | qclass == QClass::CHAOS) { | |
db50a7f4 | 173 | handled = true; |
d03c1b70 PL |
174 | if (qtype == QType::TXT || qtype == QType::ANY) { |
175 | if(qname == versionbind || qname == versionpdns) | |
176 | answers.push_back({QType::TXT, "\""+::arg()["version-string"]+"\""}); | |
177 | else | |
178 | answers.push_back({QType::TXT, "\""+s_serverID+"\""}); | |
179 | } | |
31ad43ab BH |
180 | } |
181 | ||
d03c1b70 | 182 | if (handled && !answers.empty()) { |
a9af3782 | 183 | ret.clear(); |
db50a7f4 PL |
184 | d_wasOutOfBand=true; |
185 | ||
e325f20c | 186 | DNSRecord dr; |
db50a7f4 | 187 | dr.d_name = qname; |
e693ff5a | 188 | dr.d_place = DNSResourceRecord::ANSWER; |
db50a7f4 PL |
189 | dr.d_class = qclass; |
190 | dr.d_ttl = 86400; | |
d03c1b70 PL |
191 | for (const auto& ans : answers) { |
192 | dr.d_type = ans.first; | |
193 | dr.d_content = shared_ptr<DNSRecordContent>(DNSRecordContent::mastermake(ans.first, qclass, ans.second)); | |
194 | ret.push_back(dr); | |
195 | } | |
a9af3782 | 196 | } |
710af846 | 197 | |
db50a7f4 | 198 | return handled; |
728485ca | 199 | } |
afbe2787 | 200 | |
db50a7f4 | 201 | |
ab5c053d | 202 | //! This is the 'out of band resolver', in other words, the authoritative server |
7c3398aa | 203 | bool SyncRes::doOOBResolve(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int& res) |
e93c956b | 204 | { |
5605c067 | 205 | string prefix; |
77499b05 | 206 | if(doLog()) { |
5605c067 BH |
207 | prefix=d_prefix; |
208 | prefix.append(depth, ' '); | |
209 | } | |
210 | ||
2189085d | 211 | LOG(prefix<<qname<<": checking auth storage for '"<<qname<<"|"<<qtype.getName()<<"'"<<endl); |
c5c066bf | 212 | DNSName authdomain(qname); |
5605c067 BH |
213 | |
214 | domainmap_t::const_iterator iter=getBestAuthZone(&authdomain); | |
a712cb56 | 215 | if(iter==t_sstorage.domainmap->end()) { |
2189085d | 216 | LOG(prefix<<qname<<": auth storage has no zone for this query!"<<endl); |
5605c067 BH |
217 | return false; |
218 | } | |
2189085d | 219 | LOG(prefix<<qname<<": auth storage has data, zone='"<<authdomain<<"'"<<endl); |
5605c067 BH |
220 | pair<AuthDomain::records_t::const_iterator, AuthDomain::records_t::const_iterator> range; |
221 | ||
222 | range=iter->second.d_records.equal_range(tie(qname)); // partial lookup | |
7bddb139 | 223 | |
5605c067 BH |
224 | ret.clear(); |
225 | AuthDomain::records_t::const_iterator ziter; | |
9e9844e2 | 226 | bool somedata=false; |
5605c067 | 227 | for(ziter=range.first; ziter!=range.second; ++ziter) { |
9e9844e2 | 228 | somedata=true; |
e325f20c | 229 | if(qtype.getCode()==QType::ANY || ziter->d_type==qtype.getCode() || ziter->d_type==QType::CNAME) // let rest of nameserver do the legwork on this one |
5605c067 | 230 | ret.push_back(*ziter); |
221a3f72 | 231 | else if(ziter->d_type == QType::NS && ziter->d_name.countLabels() > authdomain.countLabels()) { // we hit a delegation point! |
39eb8051 | 232 | DNSRecord dr=*ziter; |
233 | dr.d_place=DNSResourceRecord::AUTHORITY; | |
234 | ret.push_back(dr); | |
235 | } | |
5605c067 | 236 | } |
9bc8c14c | 237 | if(!ret.empty()) { |
2189085d | 238 | LOG(prefix<<qname<<": exact match in zone '"<<authdomain<<"'"<<endl); |
9bc8c14c BH |
239 | res=0; |
240 | return true; | |
5605c067 | 241 | } |
9e9844e2 | 242 | if(somedata) { |
2189085d | 243 | LOG(prefix<<qname<<": found record in '"<<authdomain<<"', but nothing of the right type, sending SOA"<<endl); |
e325f20c | 244 | ziter=iter->second.d_records.find(boost::make_tuple(authdomain, QType::SOA)); |
9e9844e2 | 245 | if(ziter!=iter->second.d_records.end()) { |
e325f20c | 246 | DNSRecord dr=*ziter; |
e693ff5a | 247 | dr.d_place=DNSResourceRecord::AUTHORITY; |
e325f20c | 248 | ret.push_back(dr); |
9e9844e2 BH |
249 | } |
250 | else | |
2189085d | 251 | LOG(prefix<<qname<<": can't find SOA record '"<<authdomain<<"' in our zone!"<<endl); |
9e9844e2 BH |
252 | res=RCode::NoError; |
253 | return true; | |
254 | } | |
5605c067 | 255 | |
2189085d | 256 | LOG(prefix<<qname<<": nothing found so far in '"<<authdomain<<"', trying wildcards"<<endl); |
c5c066bf | 257 | DNSName wcarddomain(qname); |
e325f20c | 258 | while(wcarddomain != iter->first && wcarddomain.chopOff()) { |
2189085d | 259 | LOG(prefix<<qname<<": trying '*."<<wcarddomain<<"' in "<<authdomain<<endl); |
12c06211 | 260 | range=iter->second.d_records.equal_range(boost::make_tuple(g_wildcarddnsname+wcarddomain)); |
0d1e259a BH |
261 | if(range.first==range.second) |
262 | continue; | |
263 | ||
264 | for(ziter=range.first; ziter!=range.second; ++ziter) { | |
e325f20c | 265 | DNSRecord dr=*ziter; |
0f05b02b | 266 | // if we hit a CNAME, just answer that - rest of recursor will do the needful & follow |
267 | if(dr.d_type == qtype.getCode() || qtype.getCode() == QType::ANY || dr.d_type == QType::CNAME) { | |
e325f20c | 268 | dr.d_name = qname; |
e693ff5a | 269 | dr.d_place=DNSResourceRecord::ANSWER; |
e325f20c | 270 | ret.push_back(dr); |
0d1e259a BH |
271 | } |
272 | } | |
2189085d | 273 | LOG(prefix<<qname<<": in '"<<authdomain<<"', had wildcard match on '*."<<wcarddomain<<"'"<<endl); |
0d1e259a BH |
274 | res=RCode::NoError; |
275 | return true; | |
276 | } | |
277 | ||
c5c066bf | 278 | DNSName nsdomain(qname); |
5605c067 | 279 | |
e325f20c | 280 | while(nsdomain.chopOff() && nsdomain != iter->first) { |
281 | range=iter->second.d_records.equal_range(boost::make_tuple(nsdomain,QType::NS)); | |
5605c067 BH |
282 | if(range.first==range.second) |
283 | continue; | |
284 | ||
285 | for(ziter=range.first; ziter!=range.second; ++ziter) { | |
e325f20c | 286 | DNSRecord dr=*ziter; |
e693ff5a | 287 | dr.d_place=DNSResourceRecord::AUTHORITY; |
e325f20c | 288 | ret.push_back(dr); |
5605c067 BH |
289 | } |
290 | } | |
3ddb9247 | 291 | if(ret.empty()) { |
2189085d | 292 | LOG(prefix<<qname<<": no NS match in zone '"<<authdomain<<"' either, handing out SOA"<<endl); |
e325f20c | 293 | ziter=iter->second.d_records.find(boost::make_tuple(authdomain, QType::SOA)); |
5605c067 | 294 | if(ziter!=iter->second.d_records.end()) { |
e325f20c | 295 | DNSRecord dr=*ziter; |
e693ff5a | 296 | dr.d_place=DNSResourceRecord::AUTHORITY; |
e325f20c | 297 | ret.push_back(dr); |
5605c067 | 298 | } |
e325f20c | 299 | else { |
2189085d | 300 | LOG(prefix<<qname<<": can't find SOA record '"<<authdomain<<"' in our zone!"<<endl); |
e325f20c | 301 | } |
5605c067 BH |
302 | res=RCode::NXDomain; |
303 | } | |
710af846 | 304 | else |
5605c067 BH |
305 | res=0; |
306 | ||
9e9844e2 | 307 | return true; |
e93c956b BH |
308 | } |
309 | ||
ff1872cf BH |
310 | void SyncRes::doEDNSDumpAndClose(int fd) |
311 | { | |
312 | FILE* fp=fdopen(fd, "w"); | |
a82f68f0 RG |
313 | if (!fp) { |
314 | return; | |
315 | } | |
ff1872cf | 316 | fprintf(fp,"IP Address\tMode\tMode last updated at\n"); |
a712cb56 | 317 | for(const auto& eds : t_sstorage.ednsstatus) { |
57769f13 | 318 | fprintf(fp, "%s\t%d\t%s", eds.first.toString().c_str(), (int)eds.second.mode, ctime(&eds.second.modeSetAt)); |
ff1872cf | 319 | } |
bb4bdbaf | 320 | |
ff1872cf BH |
321 | fclose(fp); |
322 | } | |
323 | ||
9065eb05 RG |
324 | uint64_t SyncRes::doDumpNSSpeeds(int fd) |
325 | { | |
326 | FILE* fp=fdopen(dup(fd), "w"); | |
327 | if(!fp) | |
328 | return 0; | |
329 | fprintf(fp, "; nsspeed dump from thread follows\n;\n"); | |
330 | uint64_t count=0; | |
331 | ||
a712cb56 | 332 | for(const auto& i : t_sstorage.nsSpeeds) |
9065eb05 RG |
333 | { |
334 | count++; | |
335 | fprintf(fp, "%s -> ", i.first.toString().c_str()); | |
336 | for(const auto& j : i.second.d_collection) | |
337 | { | |
338 | // typedef vector<pair<ComboAddress, DecayingEwma> > collection_t; | |
339 | fprintf(fp, "%s/%f ", j.first.toString().c_str(), j.second.peek()); | |
340 | } | |
341 | fprintf(fp, "\n"); | |
342 | } | |
343 | fclose(fp); | |
344 | return count; | |
345 | } | |
346 | ||
9d534f2a | 347 | /* so here is the story. First we complete the full resolution process for a domain name. And only THEN do we decide |
348 | to also do DNSSEC validation, which leads to new queries. To make this simple, we *always* ask for DNSSEC records | |
349 | so that if there are RRSIGs for a name, we'll have them. | |
350 | ||
351 | However, some hosts simply can't answer questions which ask for DNSSEC. This can manifest itself as: | |
352 | * No answer | |
353 | * FormErr | |
354 | * Nonsense answer | |
355 | ||
356 | The cause of "No answer" may be fragmentation, and it is tempting to probe if smaller answers would get through. | |
357 | Another cause of "No answer" may simply be a network condition. | |
358 | Nonsense answers are a clearer indication this host won't be able to do DNSSEC evah. | |
359 | ||
360 | Previous implementations have suffered from turning off DNSSEC questions for an authoritative server based on timeouts. | |
361 | A clever idea is to only turn off DNSSEC if we know a domain isn't signed anyhow. The problem with that really | |
362 | clever idea however is that at this point in PowerDNS, we may simply not know that yet. All the DNSSEC thinking happens | |
363 | elsewhere. It may not have happened yet. | |
364 | ||
365 | For now this means we can't be clever, but will turn off DNSSEC if you reply with FormError or gibberish. | |
366 | */ | |
367 | ||
69cbdef9 | 368 | int SyncRes::asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional<Netmask>& srcmask, LWResult* res) const |
81883dcc BH |
369 | { |
370 | /* what is your QUEST? | |
57769f13 | 371 | the goal is to get as many remotes as possible on the highest level of EDNS support |
81883dcc BH |
372 | The levels are: |
373 | ||
81883dcc | 374 | 0) UNKNOWN Unknown state |
57769f13 | 375 | 1) EDNS: Honors EDNS0 |
376 | 2) EDNSIGNORANT: Ignores EDNS0, gives replies without EDNS0 | |
9d534f2a | 377 | 3) NOEDNS: Generates FORMERR/NOTIMP on EDNS queries |
81883dcc BH |
378 | |
379 | Everybody starts out assumed to be '0'. | |
57769f13 | 380 | If '0', send out EDNS0 |
381 | If you FORMERR us, go to '3', | |
382 | If no EDNS in response, go to '2' | |
383 | If '1', send out EDNS0 | |
384 | If FORMERR, downgrade to 3 | |
385 | If '2', keep on including EDNS0, see what happens | |
81883dcc | 386 | Same behaviour as 0 |
57769f13 | 387 | If '3', send bare queries |
81883dcc BH |
388 | */ |
389 | ||
bb4bdbaf | 390 | SyncRes::EDNSStatus* ednsstatus; |
a712cb56 | 391 | ednsstatus = &t_sstorage.ednsstatus[ip]; // does this include port? YES |
81883dcc | 392 | |
bb4bdbaf BH |
393 | if(ednsstatus->modeSetAt && ednsstatus->modeSetAt + 3600 < d_now.tv_sec) { |
394 | *ednsstatus=SyncRes::EDNSStatus(); | |
77499b05 | 395 | // cerr<<"Resetting EDNS Status for "<<ip.toString()<<endl); |
81883dcc BH |
396 | } |
397 | ||
bb4bdbaf | 398 | SyncRes::EDNSStatus::EDNSMode& mode=ednsstatus->mode; |
81883dcc BH |
399 | SyncRes::EDNSStatus::EDNSMode oldmode = mode; |
400 | int EDNSLevel=0; | |
4898a348 RG |
401 | auto luaconfsLocal = g_luaconfs.getLocal(); |
402 | ResolveContext ctx; | |
403 | #ifdef HAVE_PROTOBUF | |
404 | ctx.d_initialRequestId = d_initialRequestId; | |
405 | #endif | |
81883dcc BH |
406 | |
407 | int ret; | |
ff1872cf | 408 | for(int tries = 0; tries < 3; ++tries) { |
e325f20c | 409 | // cerr<<"Remote '"<<ip.toString()<<"' currently in mode "<<mode<<endl; |
57769f13 | 410 | |
9d534f2a | 411 | if(mode==EDNSStatus::NOEDNS) { |
81883dcc | 412 | g_stats.noEdnsOutQueries++; |
9d534f2a | 413 | EDNSLevel = 0; // level != mode |
81883dcc | 414 | } |
9d534f2a | 415 | else if(ednsMANDATORY || mode==EDNSStatus::UNKNOWN || mode==EDNSStatus::EDNSOK || mode==EDNSStatus::EDNSIGNORANT) |
416 | EDNSLevel = 1; | |
30ee601a RG |
417 | |
418 | if (d_asyncResolve) { | |
419 | ret = d_asyncResolve(ip, domain, type, doTCP, sendRDQuery, EDNSLevel, now, srcmask, ctx, luaconfsLocal->outgoingProtobufServer, res); | |
420 | } | |
421 | else { | |
422 | ret=asyncresolve(ip, domain, type, doTCP, sendRDQuery, EDNSLevel, now, srcmask, ctx, luaconfsLocal->outgoingProtobufServer, res); | |
423 | } | |
9d534f2a | 424 | if(ret < 0) { |
425 | return ret; // transport error, nothing to learn here | |
426 | } | |
57769f13 | 427 | |
9d534f2a | 428 | if(ret == 0) { // timeout, not doing anything with it now |
81883dcc BH |
429 | return ret; |
430 | } | |
57769f13 | 431 | else if(mode==EDNSStatus::UNKNOWN || mode==EDNSStatus::EDNSOK || mode == EDNSStatus::EDNSIGNORANT ) { |
432 | if(res->d_rcode == RCode::FormErr || res->d_rcode == RCode::NotImp) { | |
2189085d | 433 | // cerr<<"Downgrading to NOEDNS because of "<<RCode::to_s(res->d_rcode)<<" for query to "<<ip.toString()<<" for '"<<domain<<"'"<<endl; |
57769f13 | 434 | mode = EDNSStatus::NOEDNS; |
4957a608 | 435 | continue; |
81883dcc | 436 | } |
81883dcc | 437 | else if(!res->d_haveEDNS) { |
4957a608 BH |
438 | if(mode != EDNSStatus::EDNSIGNORANT) { |
439 | mode = EDNSStatus::EDNSIGNORANT; | |
2189085d | 440 | // cerr<<"We find that "<<ip.toString()<<" is an EDNS-ignorer for '"<<domain<<"', moving to mode 3"<<endl; |
57769f13 | 441 | } |
81883dcc | 442 | } |
57769f13 | 443 | else { |
444 | mode = EDNSStatus::EDNSOK; | |
e325f20c | 445 | // cerr<<"We find that "<<ip.toString()<<" is EDNS OK!"<<endl; |
81883dcc | 446 | } |
57769f13 | 447 | |
81883dcc | 448 | } |
12ce523e | 449 | if(oldmode != mode || !ednsstatus->modeSetAt) |
bb4bdbaf | 450 | ednsstatus->modeSetAt=d_now.tv_sec; |
e325f20c | 451 | // cerr<<"Result: ret="<<ret<<", EDNS-level: "<<EDNSLevel<<", haveEDNS: "<<res->d_haveEDNS<<", new mode: "<<mode<<endl; |
81883dcc BH |
452 | return ret; |
453 | } | |
454 | return ret; | |
455 | } | |
456 | ||
b88526ce PL |
457 | /*! This function will check the cache and go out to the internet if the answer is not in cache |
458 | * | |
459 | * \param qname The name we need an answer for | |
460 | * \param qtype | |
461 | * \param ret The vector of DNSRecords we need to fill with the answers | |
462 | * \param depth The recursion depth we are in | |
463 | * \param beenthere | |
464 | * \return DNS RCODE or -1 (Error) or -2 (RPZ hit) | |
465 | */ | |
7c3398aa | 466 | int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, set<GetBestNSAnswer>& beenthere) |
afbe2787 | 467 | { |
ded77b10 | 468 | string prefix; |
77499b05 | 469 | if(doLog()) { |
ded77b10 BH |
470 | prefix=d_prefix; |
471 | prefix.append(depth, ' '); | |
472 | } | |
b8470add | 473 | |
2189085d | 474 | LOG(prefix<<qname<<": Wants "<< (d_doDNSSEC ? "" : "NO ") << "DNSSEC processing in query for "<<qtype.getName()<<endl); |
710af846 | 475 | |
7c3398aa RG |
476 | if(s_maxdepth && depth > s_maxdepth) |
477 | throw ImmediateServFailException("More than "+std::to_string(s_maxdepth)+" (max-recursion-depth) levels of recursion needed while resolving "+qname.toLogString()); | |
478 | ||
f4df5e89 | 479 | int res=0; |
b88526ce PL |
480 | |
481 | // This is a difficult way of expressing "this is a normal query", i.e. not getRootNS. | |
52683ca3 | 482 | if(!(d_nocache && qtype.getCode()==QType::NS && qname.isRoot())) { |
115d07ad | 483 | if(d_cacheonly) { // very limited OOB support |
263f6a5a | 484 | LWResult lwr; |
2189085d | 485 | LOG(prefix<<qname<<": Recursion not requested for '"<<qname<<"|"<<qtype.getName()<<"', peeking at auth/forward zones"<<endl); |
c5c066bf | 486 | DNSName authname(qname); |
115d07ad | 487 | domainmap_t::const_iterator iter=getBestAuthZone(&authname); |
a712cb56 | 488 | if(iter != t_sstorage.domainmap->end()) { |
4957a608 BH |
489 | const vector<ComboAddress>& servers = iter->second.d_servers; |
490 | if(servers.empty()) { | |
491 | ret.clear(); | |
9fc36e90 | 492 | d_wasOutOfBand = doOOBResolve(qname, qtype, ret, depth, res); |
4957a608 BH |
493 | return res; |
494 | } | |
495 | else { | |
496 | const ComboAddress remoteIP = servers.front(); | |
2189085d | 497 | LOG(prefix<<qname<<": forwarding query to hardcoded nameserver '"<< remoteIP.toStringWithPort()<<"' for zone '"<<authname<<"'"<<endl); |
4957a608 | 498 | |
6148fa97 | 499 | boost::optional<Netmask> nm; |
12ce523e | 500 | res=asyncresolveWrapper(remoteIP, d_doDNSSEC, qname, qtype.getCode(), false, false, &d_now, nm, &lwr); |
4957a608 | 501 | // filter out the good stuff from lwr.result() |
ab33a095 RG |
502 | if (res == 1) { |
503 | for(const auto& rec : lwr.d_records) { | |
504 | if(rec.d_place == DNSResourceRecord::ANSWER) | |
505 | ret.push_back(rec); | |
506 | } | |
507 | return 0; | |
508 | } | |
509 | else { | |
510 | return RCode::ServFail; | |
4957a608 | 511 | } |
4957a608 | 512 | } |
115d07ad BH |
513 | } |
514 | } | |
515 | ||
a672e9de | 516 | if(!d_skipCNAMECheck && doCNAMECacheCheck(qname,qtype,ret,depth,res)) // will reroute us if needed |
c836dc19 | 517 | return res; |
710af846 | 518 | |
c836dc19 BH |
519 | if(doCacheCheck(qname,qtype,ret,depth,res)) // we done |
520 | return res; | |
521 | } | |
afbe2787 | 522 | |
115d07ad | 523 | if(d_cacheonly) |
c836dc19 | 524 | return 0; |
728485ca | 525 | |
2189085d | 526 | LOG(prefix<<qname<<": No cache hit for '"<<qname<<"|"<<qtype.getName()<<"', trying to find an appropriate NS record"<<endl); |
710af846 | 527 | |
c5c066bf | 528 | DNSName subdomain(qname); |
d8049162 | 529 | if(qtype == QType::DS) subdomain.chopOff(); |
728485ca | 530 | |
fa1b87ff | 531 | NsSet nsset; |
7305df82 | 532 | bool flawedNSSet=false; |
97df07f8 PD |
533 | |
534 | // the two retries allow getBestNSNamesFromCache&co to reprime the root | |
535 | // hints, in case they ever go missing | |
bdf40704 | 536 | for(int tries=0;tries<2 && nsset.empty();++tries) { |
891fbf88 | 537 | subdomain=getBestNSNamesFromCache(subdomain, qtype, nsset, &flawedNSSet, depth, beenthere); // pass beenthere to both occasions |
bdf40704 BH |
538 | } |
539 | ||
7305df82 | 540 | if(!(res=doResolveAt(nsset, subdomain, flawedNSSet, qname, qtype, ret, depth, beenthere))) |
728485ca | 541 | return 0; |
3ddb9247 | 542 | |
2189085d | 543 | LOG(prefix<<qname<<": failed (res="<<res<<")"<<endl); |
e325f20c | 544 | ; |
b8470add PL |
545 | |
546 | if (res == -2) | |
547 | return res; | |
548 | ||
20177d1d | 549 | return res<0 ? RCode::ServFail : res; |
afbe2787 BH |
550 | } |
551 | ||
c2567ad1 | 552 | #if 0 |
a67dd0cf | 553 | // for testing purposes |
fdf05fd4 BH |
554 | static bool ipv6First(const ComboAddress& a, const ComboAddress& b) |
555 | { | |
556 | return !(a.sin4.sin_family < a.sin4.sin_family); | |
557 | } | |
c2567ad1 | 558 | #endif |
fdf05fd4 | 559 | |
21f0f88b | 560 | /** This function explicitly goes out for A or AAAA addresses |
996c89cc | 561 | */ |
7c3398aa | 562 | vector<ComboAddress> SyncRes::getAddrs(const DNSName &qname, unsigned int depth, set<GetBestNSAnswer>& beenthere) |
75b49099 | 563 | { |
e325f20c | 564 | typedef vector<DNSRecord> res_t; |
bfea0d0b | 565 | res_t res; |
75b49099 | 566 | |
996c89cc BH |
567 | typedef vector<ComboAddress> ret_t; |
568 | ret_t ret; | |
75b49099 | 569 | |
d96e88da | 570 | QType type; |
92011b8f | 571 | |
572 | for(int j=1; j<2+s_doIPv6; j++) | |
d96e88da | 573 | { |
76c01aec | 574 | bool done=false; |
76c01aec PD |
575 | switch(j) { |
576 | case 0: | |
577 | type = QType::ANY; | |
578 | break; | |
579 | case 1: | |
580 | type = QType::A; | |
581 | break; | |
582 | case 2: | |
583 | type = QType::AAAA; | |
584 | break; | |
585 | } | |
d96e88da | 586 | |
891fbf88 | 587 | if(!doResolve(qname, type, res,depth+1, beenthere) && !res.empty()) { // this consults cache, OR goes out |
d96e88da | 588 | for(res_t::const_iterator i=res.begin(); i!= res.end(); ++i) { |
e325f20c | 589 | if(i->d_type == QType::A || i->d_type == QType::AAAA) { |
590 | if(auto rec = std::dynamic_pointer_cast<ARecordContent>(i->d_content)) | |
591 | ret.push_back(rec->getCA(53)); | |
dd079764 RG |
592 | else if(auto aaaarec = std::dynamic_pointer_cast<AAAARecordContent>(i->d_content)) |
593 | ret.push_back(aaaarec->getCA(53)); | |
92011b8f | 594 | done=true; |
d96e88da | 595 | } |
42724edf | 596 | } |
f4df5e89 | 597 | } |
710af846 | 598 | if(done) { |
60c9a54f | 599 | if(j==1 && s_doIPv6) { // we got an A record, see if we have some AAAA lying around |
e325f20c | 600 | vector<DNSRecord> cset; |
376effcf | 601 | if(t_RC->get(d_now.tv_sec, qname, QType(QType::AAAA), &cset, d_requestor) > 0) { |
e325f20c | 602 | for(auto k=cset.cbegin();k!=cset.cend();++k) { |
603 | if(k->d_ttl > (unsigned int)d_now.tv_sec ) { | |
ba3c54cb RG |
604 | if (auto drc = std::dynamic_pointer_cast<AAAARecordContent>(k->d_content)) { |
605 | ComboAddress ca=drc->getCA(53); | |
606 | ret.push_back(ca); | |
607 | } | |
60c9a54f | 608 | } |
609 | } | |
610 | } | |
611 | } | |
612 | break; | |
613 | } | |
bfea0d0b | 614 | } |
710af846 | 615 | |
996c89cc | 616 | if(ret.size() > 1) { |
51e2144e | 617 | random_shuffle(ret.begin(), ret.end(), dns_random); |
996c89cc | 618 | |
ae4d8cf1 | 619 | // move 'best' address for this nameserver name up front |
a712cb56 | 620 | nsspeeds_t::iterator best = t_sstorage.nsSpeeds.find(qname); |
996c89cc | 621 | |
a712cb56 | 622 | if(best != t_sstorage.nsSpeeds.end()) |
710af846 | 623 | for(ret_t::iterator i=ret.begin(); i != ret.end(); ++i) { |
4957a608 BH |
624 | if(*i==best->second.d_best) { // got the fastest one |
625 | if(i!=ret.begin()) { | |
626 | *i=*ret.begin(); | |
627 | *ret.begin()=best->second.d_best; | |
628 | } | |
629 | break; | |
630 | } | |
996c89cc BH |
631 | } |
632 | } | |
fdf05fd4 | 633 | |
728485ca | 634 | return ret; |
75b49099 BH |
635 | } |
636 | ||
7c3398aa | 637 | void SyncRes::getBestNSFromCache(const DNSName &qname, const QType& qtype, vector<DNSRecord>& bestns, bool* flawedNSSet, unsigned int depth, set<GetBestNSAnswer>& beenthere) |
86c152f2 | 638 | { |
c5c066bf PD |
639 | string prefix; |
640 | DNSName subdomain(qname); | |
77499b05 | 641 | if(doLog()) { |
ded77b10 BH |
642 | prefix=d_prefix; |
643 | prefix.append(depth, ' '); | |
644 | } | |
75b49099 | 645 | bestns.clear(); |
2b1b4054 | 646 | bool brokeloop; |
75b49099 | 647 | do { |
2b1b4054 | 648 | brokeloop=false; |
2189085d | 649 | LOG(prefix<<qname<<": Checking if we have NS in cache for '"<<subdomain<<"'"<<endl); |
e325f20c | 650 | vector<DNSRecord> ns; |
7305df82 | 651 | *flawedNSSet = false; |
376effcf | 652 | if(t_RC->get(d_now.tv_sec, subdomain, QType(QType::NS), &ns, d_requestor) > 0) { |
e325f20c | 653 | for(auto k=ns.cbegin();k!=ns.cend(); ++k) { |
654 | if(k->d_ttl > (unsigned int)d_now.tv_sec ) { | |
655 | vector<DNSRecord> aset; | |
4957a608 | 656 | |
e325f20c | 657 | const DNSRecord& dr=*k; |
ba3c54cb RG |
658 | auto nrr = getRR<NSRecordContent>(dr); |
659 | if(nrr && (!nrr->getNS().isPartOf(subdomain) || t_RC->get(d_now.tv_sec, nrr->getNS(), s_doIPv6 ? QType(QType::ADDR) : QType(QType::A), | |
660 | doLog() ? &aset : 0, d_requestor) > 5)) { | |
e325f20c | 661 | bestns.push_back(dr); |
2189085d PL |
662 | LOG(prefix<<qname<<": NS (with ip, or non-glue) in cache for '"<<subdomain<<"' -> '"<<nrr->getNS()<<"'"<<endl); |
663 | LOG(prefix<<qname<<": within bailiwick: "<< nrr->getNS().isPartOf(subdomain)); | |
4957a608 | 664 | if(!aset.empty()) { |
e325f20c | 665 | LOG(", in cache, ttl="<<(unsigned int)(((time_t)aset.begin()->d_ttl- d_now.tv_sec ))<<endl); |
4957a608 BH |
666 | } |
667 | else { | |
77499b05 | 668 | LOG(", not in cache / did not look at cache"<<endl); |
4957a608 BH |
669 | } |
670 | } | |
671 | else { | |
672 | *flawedNSSet=true; | |
e325f20c | 673 | LOG(prefix<<qname<<": NS in cache for '"<<subdomain<<"', but needs glue ("<<nrr->getNS()<<") which we miss or is expired"<<endl); |
4957a608 BH |
674 | } |
675 | } | |
afbe2787 | 676 | } |
75b49099 | 677 | if(!bestns.empty()) { |
4957a608 | 678 | GetBestNSAnswer answer; |
891fbf88 | 679 | answer.qname=qname; |
680 | answer.qtype=qtype.getCode(); | |
e325f20c | 681 | for(const auto& dr : bestns) |
ba3c54cb | 682 | answer.bestns.insert(make_pair(dr.d_name, getRR<NSRecordContent>(dr)->getNS())); |
891fbf88 | 683 | |
4957a608 | 684 | if(beenthere.count(answer)) { |
2b1b4054 | 685 | brokeloop=true; |
2189085d | 686 | LOG(prefix<<qname<<": We have NS in cache for '"<<subdomain<<"' but part of LOOP (already seen "<<answer.qname<<")! Trying less specific NS"<<endl); |
e325f20c | 687 | ; |
77499b05 BH |
688 | if(doLog()) |
689 | for( set<GetBestNSAnswer>::const_iterator j=beenthere.begin();j!=beenthere.end();++j) { | |
2b1b4054 | 690 | bool neo = !(*j< answer || answer<*j); |
2189085d | 691 | LOG(prefix<<qname<<": beenthere"<<(neo?"*":"")<<": "<<j->qname<<"|"<<DNSRecordContent::NumberToType(j->qtype)<<" ("<<(unsigned int)j->bestns.size()<<")"<<endl); |
77499b05 | 692 | } |
4957a608 BH |
693 | bestns.clear(); |
694 | } | |
695 | else { | |
6576051d | 696 | beenthere.insert(answer); |
2189085d | 697 | LOG(prefix<<qname<<": We have NS in cache for '"<<subdomain<<"' (flawedNSSet="<<*flawedNSSet<<")"<<endl); |
4957a608 BH |
698 | return; |
699 | } | |
75b49099 | 700 | } |
afbe2787 | 701 | } |
2189085d | 702 | LOG(prefix<<qname<<": no valid/useful NS in cache for '"<<subdomain<<"'"<<endl); |
e325f20c | 703 | ; |
52683ca3 | 704 | if(subdomain.isRoot() && !brokeloop) { |
7836f7b4 | 705 | // We lost the root NS records |
3ddb9247 | 706 | primeHints(); |
2189085d | 707 | LOG(prefix<<qname<<": reprimed the root"<<endl); |
30ee601a | 708 | getRootNS(d_now, d_asyncResolve); |
6576051d | 709 | } |
c5c066bf | 710 | }while(subdomain.chopOff()); |
75b49099 BH |
711 | } |
712 | ||
69cbdef9 | 713 | SyncRes::domainmap_t::const_iterator SyncRes::getBestAuthZone(DNSName* qname) const |
5605c067 BH |
714 | { |
715 | SyncRes::domainmap_t::const_iterator ret; | |
716 | do { | |
a712cb56 RG |
717 | ret=t_sstorage.domainmap->find(*qname); |
718 | if(ret!=t_sstorage.domainmap->end()) | |
5605c067 | 719 | break; |
c5c066bf | 720 | }while(qname->chopOff()); |
5605c067 BH |
721 | return ret; |
722 | } | |
288f4aa9 | 723 | |
7bf26383 | 724 | /** doesn't actually do the work, leaves that to getBestNSFromCache */ |
7c3398aa | 725 | DNSName SyncRes::getBestNSNamesFromCache(const DNSName &qname, const QType& qtype, NsSet& nsset, bool* flawedNSSet, unsigned int depth, set<GetBestNSAnswer>&beenthere) |
75b49099 | 726 | { |
c5c066bf PD |
727 | DNSName subdomain(qname); |
728 | DNSName authdomain(qname); | |
3ddb9247 | 729 | |
5605c067 | 730 | domainmap_t::const_iterator iter=getBestAuthZone(&authdomain); |
a712cb56 | 731 | if(iter!=t_sstorage.domainmap->end()) { |
2e5ae2b2 | 732 | if( iter->second.d_servers.empty() ) |
fa1b87ff PL |
733 | // this gets picked up in doResolveAt, the empty DNSName, combined with the |
734 | // empty vector means 'we are auth for this zone' | |
735 | nsset.insert({DNSName(), {{}, false}}); | |
2e5ae2b2 | 736 | else { |
fa1b87ff PL |
737 | // Again, picked up in doResolveAt. An empty DNSName, combined with a |
738 | // non-empty vector of ComboAddresses means 'this is a forwarded domain' | |
6dfff36f | 739 | // This is actually picked up in retrieveAddressesForNS called from doResolveAt. |
fa1b87ff | 740 | nsset.insert({DNSName(), {iter->second.d_servers, iter->second.d_rdForward}}); |
2e5ae2b2 | 741 | } |
5605c067 BH |
742 | return authdomain; |
743 | } | |
744 | ||
e325f20c | 745 | vector<DNSRecord> bestns; |
891fbf88 | 746 | getBestNSFromCache(subdomain, qtype, bestns, flawedNSSet, depth, beenthere); |
75b49099 | 747 | |
e325f20c | 748 | for(auto k=bestns.cbegin() ; k != bestns.cend(); ++k) { |
fa1b87ff PL |
749 | // The actual resolver code will not even look at the ComboAddress or bool |
750 | nsset.insert({std::dynamic_pointer_cast<NSRecordContent>(k->d_content)->getNS(), {{}, false}}); | |
e325f20c | 751 | if(k==bestns.cbegin()) |
752 | subdomain=k->d_name; | |
86c152f2 | 753 | } |
75b49099 | 754 | return subdomain; |
afbe2787 BH |
755 | } |
756 | ||
7c3398aa | 757 | bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector<DNSRecord>& ret, unsigned int depth, int &res) |
afbe2787 | 758 | { |
ded77b10 | 759 | string prefix; |
77499b05 | 760 | if(doLog()) { |
710af846 | 761 | prefix=d_prefix; |
ded77b10 BH |
762 | prefix.append(depth, ' '); |
763 | } | |
36f5e3db | 764 | |
40de2910 | 765 | if((depth>9 && d_outqueries>10 && d_throttledqueries>5) || depth > 15) { |
2189085d | 766 | LOG(prefix<<qname<<": recursing (CNAME or other indirection) too deep, depth="<<depth<<endl); |
c6644fc5 BH |
767 | res=RCode::ServFail; |
768 | return true; | |
769 | } | |
3ddb9247 | 770 | |
2189085d | 771 | LOG(prefix<<qname<<": Looking for CNAME cache hit of '"<<qname<<"|CNAME"<<"'"<<endl); |
e325f20c | 772 | vector<DNSRecord> cset; |
1f77f479 | 773 | vector<std::shared_ptr<RRSIGRecordContent>> signatures; |
376effcf | 774 | if(t_RC->get(d_now.tv_sec, qname,QType(QType::CNAME), &cset, d_requestor, &signatures) > 0) { |
36c5ee42 | 775 | |
e325f20c | 776 | for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) { |
777 | if(j->d_ttl>(unsigned int) d_now.tv_sec) { | |
2189085d | 778 | LOG(prefix<<qname<<": Found cache CNAME hit for '"<< qname << "|CNAME" <<"' to '"<<j->d_content->getZoneRepresentation()<<"'"<<endl); |
e325f20c | 779 | DNSRecord dr=*j; |
780 | dr.d_ttl-=d_now.tv_sec; | |
781 | ret.push_back(dr); | |
1f77f479 | 782 | |
783 | for(const auto& signature : signatures) { | |
dd079764 RG |
784 | DNSRecord sigdr; |
785 | sigdr.d_type=QType::RRSIG; | |
786 | sigdr.d_name=qname; | |
787 | sigdr.d_ttl=j->d_ttl - d_now.tv_sec; | |
788 | sigdr.d_content=signature; | |
789 | sigdr.d_place=DNSResourceRecord::ANSWER; | |
790 | sigdr.d_class=1; | |
791 | ret.push_back(sigdr); | |
1f77f479 | 792 | } |
793 | ||
f8e7daf8 | 794 | if(qtype != QType::CNAME) { // perhaps they really wanted a CNAME! |
4957a608 | 795 | set<GetBestNSAnswer>beenthere; |
e325f20c | 796 | res=doResolve(std::dynamic_pointer_cast<CNAMERecordContent>(j->d_content)->getTarget(), qtype, ret, depth+1, beenthere); |
4957a608 BH |
797 | } |
798 | else | |
799 | res=0; | |
800 | return true; | |
ac539791 BH |
801 | } |
802 | } | |
afbe2787 | 803 | } |
2189085d | 804 | LOG(prefix<<qname<<": No CNAME cache hit of '"<< qname << "|CNAME" <<"' found"<<endl); |
75b49099 BH |
805 | return false; |
806 | } | |
807 | ||
6909b8c5 PL |
808 | /*! |
809 | * Convience function to push the records from records into ret with a new TTL | |
810 | * | |
811 | * \param records DNSRecords that need to go into ret | |
812 | * \param ttl The new TTL for these records | |
813 | * \param ret The vector of DNSRecords that should contian the records with the modified TTL | |
814 | */ | |
815 | static void addTTLModifiedRecords(const vector<DNSRecord>& records, const uint32_t ttl, vector<DNSRecord>& ret) { | |
39ce10b2 PL |
816 | for (const auto& rec : records) { |
817 | DNSRecord r(rec); | |
818 | r.d_ttl = ttl; | |
819 | ret.push_back(r); | |
820 | } | |
821 | } | |
822 | ||
e325f20c | 823 | |
7c3398aa | 824 | bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int &res) |
75b49099 | 825 | { |
fd8bc993 | 826 | bool giveNegative=false; |
710af846 | 827 | |
be718669 | 828 | string prefix; |
77499b05 | 829 | if(doLog()) { |
ded77b10 BH |
830 | prefix=d_prefix; |
831 | prefix.append(depth, ' '); | |
832 | } | |
afbe2787 | 833 | |
30e9bd93 | 834 | // sqname and sqtype are used contain 'higher' names if we have them (e.g. powerdns.com|SOA when we find a negative entry for doesnotexists.powerdns.com|A) |
c5c066bf | 835 | DNSName sqname(qname); |
288f4aa9 | 836 | QType sqt(qtype); |
092f210a | 837 | uint32_t sttl=0; |
2189085d | 838 | // cout<<"Lookup for '"<<qname<<"|"<<qtype.getName()<<"' -> "<<getLastLabel(qname)<<endl; |
3ddb9247 | 839 | |
64a8b6a1 | 840 | DNSName authname(qname); |
129bb0c3 RG |
841 | bool wasForwardedOrAuth = false; |
842 | bool wasAuth = false; | |
843 | domainmap_t::const_iterator iter=getBestAuthZone(&authname); | |
a712cb56 | 844 | if(iter != t_sstorage.domainmap->end()) { |
129bb0c3 RG |
845 | wasForwardedOrAuth = true; |
846 | const vector<ComboAddress>& servers = iter->second.d_servers; | |
847 | if(servers.empty()) { | |
848 | wasAuth = true; | |
849 | } | |
850 | } | |
39ce10b2 | 851 | NegCache::NegCacheEntry ne; |
64a8b6a1 | 852 | |
710af846 | 853 | if(s_rootNXTrust && |
a712cb56 | 854 | t_sstorage.negcache.getRootNXTrust(qname, d_now, ne) && |
39ce10b2 PL |
855 | ne.d_auth.isRoot() && |
856 | !(wasForwardedOrAuth && !authname.isRoot())) { // when forwarding, the root may only neg-cache if it was forwarded to. | |
857 | sttl = ne.d_ttd - d_now.tv_sec; | |
858 | LOG(prefix<<qname<<": Entire name '"<<qname<<"', is negatively cached via '"<<ne.d_auth<<"' & '"<<ne.d_name<<"' for another "<<sttl<<" seconds"<<endl); | |
3ddb9247 | 859 | res = RCode::NXDomain; |
39ce10b2 | 860 | giveNegative = true; |
01402d56 | 861 | } |
a712cb56 | 862 | else if (t_sstorage.negcache.get(qname, qtype, d_now, ne) && |
39ce10b2 PL |
863 | !(wasForwardedOrAuth && ne.d_auth != authname)) { // Only the authname nameserver can neg cache entries |
864 | res = 0; | |
865 | sttl = ne.d_ttd - d_now.tv_sec; | |
866 | giveNegative = true; | |
867 | if(ne.d_qtype.getCode()) { | |
868 | LOG(prefix<<qname<<": "<<qtype.getName()<<" is negatively cached via '"<<ne.d_auth<<"' for another "<<sttl<<" seconds"<<endl); | |
869 | res = RCode::NoError; | |
fd8bc993 | 870 | } |
39ce10b2 PL |
871 | else { |
872 | LOG(prefix<<qname<<": Entire name '"<<qname<<"', is negatively cached via '"<<ne.d_auth<<"' for another "<<sttl<<" seconds"<<endl); | |
873 | res = RCode::NXDomain; | |
874 | } | |
875 | if(d_doDNSSEC) { | |
876 | addTTLModifiedRecords(ne.DNSSECRecords.records, sttl, ret); | |
877 | addTTLModifiedRecords(ne.DNSSECRecords.signatures, sttl, ret); | |
878 | } | |
879 | } | |
880 | ||
881 | if (giveNegative) { | |
882 | // Transplant SOA to the returned packet | |
883 | addTTLModifiedRecords(ne.authoritySOA.records, sttl, ret); | |
884 | if(d_doDNSSEC) | |
885 | addTTLModifiedRecords(ne.authoritySOA.signatures, sttl, ret); | |
886 | return true; | |
fd8bc993 | 887 | } |
39ce10b2 | 888 | |
e325f20c | 889 | vector<DNSRecord> cset; |
75b49099 | 890 | bool found=false, expired=false; |
57769f13 | 891 | vector<std::shared_ptr<RRSIGRecordContent>> signatures; |
892 | uint32_t ttl=0; | |
376effcf | 893 | if(t_RC->get(d_now.tv_sec, sqname, sqt, &cset, d_requestor, d_doDNSSEC ? &signatures : 0) > 0) { |
2189085d | 894 | LOG(prefix<<sqname<<": Found cache hit for "<<sqt.getName()<<": "); |
e325f20c | 895 | for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) { |
896 | LOG(j->d_content->getZoneRepresentation()); | |
897 | if(j->d_ttl>(unsigned int) d_now.tv_sec) { | |
898 | DNSRecord dr=*j; | |
899 | ttl = (dr.d_ttl-=d_now.tv_sec); | |
e325f20c | 900 | ret.push_back(dr); |
901 | LOG("[ttl="<<dr.d_ttl<<"] "); | |
4957a608 | 902 | found=true; |
ac539791 | 903 | } |
75b49099 | 904 | else { |
77499b05 | 905 | LOG("[expired] "); |
4957a608 | 906 | expired=true; |
75b49099 | 907 | } |
afbe2787 | 908 | } |
57769f13 | 909 | |
910 | for(const auto& signature : signatures) { | |
e325f20c | 911 | DNSRecord dr; |
912 | dr.d_type=QType::RRSIG; | |
913 | dr.d_name=sqname; | |
914 | dr.d_ttl=ttl; | |
915 | dr.d_content=signature; | |
39ce10b2 | 916 | dr.d_place = DNSResourceRecord::ANSWER; |
e325f20c | 917 | dr.d_class=1; |
918 | ret.push_back(dr); | |
57769f13 | 919 | } |
ac539791 | 920 | |
77499b05 | 921 | LOG(endl); |
f4df5e89 | 922 | if(found && !expired) { |
f15a5b2a | 923 | if(!giveNegative) |
4957a608 | 924 | res=0; |
129bb0c3 | 925 | d_wasOutOfBand = wasAuth; |
75b49099 | 926 | return true; |
f4df5e89 | 927 | } |
75b49099 | 928 | else |
2189085d | 929 | LOG(prefix<<qname<<": cache had only stale entries"<<endl); |
afbe2787 | 930 | } |
f4df5e89 | 931 | |
75b49099 BH |
932 | return false; |
933 | } | |
afbe2787 | 934 | |
69cbdef9 | 935 | bool SyncRes::moreSpecificThan(const DNSName& a, const DNSName &b) const |
75b49099 | 936 | { |
6a1010f7 | 937 | return (a.isPartOf(b) && a.countLabels() > b.countLabels()); |
afbe2787 BH |
938 | } |
939 | ||
d8d0bb8f | 940 | struct speedOrder |
eefd15f9 | 941 | { |
3ddb9247 PD |
942 | speedOrder(map<DNSName,double> &speeds) : d_speeds(speeds) {} |
943 | bool operator()(const DNSName &a, const DNSName &b) const | |
c3d9d009 BH |
944 | { |
945 | return d_speeds[a] < d_speeds[b]; | |
c3d9d009 | 946 | } |
3ddb9247 | 947 | map<DNSName, double>& d_speeds; |
c3d9d009 BH |
948 | }; |
949 | ||
fa1b87ff | 950 | inline vector<DNSName> SyncRes::shuffleInSpeedOrder(NsSet &tnameservers, const string &prefix) |
afbe2787 | 951 | { |
e8b23f3b | 952 | vector<DNSName> rnameservers; |
5ea6f7de | 953 | rnameservers.reserve(tnameservers.size()); |
e8b23f3b | 954 | for(const auto& tns:tnameservers) { |
88490c03 | 955 | rnameservers.push_back(tns.first); |
21f0f88b | 956 | } |
e8b23f3b | 957 | map<DNSName, double> speeds; |
461df9d2 | 958 | |
e8b23f3b | 959 | for(const auto& val: rnameservers) { |
79b8cdcc | 960 | double speed; |
a712cb56 | 961 | speed=t_sstorage.nsSpeeds[val].get(&d_now); |
21f0f88b | 962 | speeds[val]=speed; |
eefd15f9 | 963 | } |
51e2144e | 964 | random_shuffle(rnameservers.begin(),rnameservers.end(), dns_random); |
996c89cc BH |
965 | speedOrder so(speeds); |
966 | stable_sort(rnameservers.begin(),rnameservers.end(), so); | |
710af846 | 967 | |
77499b05 BH |
968 | if(doLog()) { |
969 | LOG(prefix<<"Nameservers: "); | |
e325f20c | 970 | for(vector<DNSName>::const_iterator i=rnameservers.begin();i!=rnameservers.end();++i) { |
3ddb9247 | 971 | if(i!=rnameservers.begin()) { |
77499b05 BH |
972 | LOG(", "); |
973 | if(!((i-rnameservers.begin())%3)) { | |
974 | LOG(endl<<prefix<<" "); | |
975 | } | |
d8d0bb8f | 976 | } |
34dcd30c | 977 | LOG((i->empty() ? string("<empty>") : i->toString())<<"(" << (boost::format("%0.2f") % (speeds[*i]/1000.0)).str() <<"ms)"); |
d8d0bb8f | 978 | } |
77499b05 | 979 | LOG(endl); |
d8d0bb8f | 980 | } |
728485ca | 981 | return rnameservers; |
afbe2787 BH |
982 | } |
983 | ||
bf7e4a70 BH |
984 | static bool magicAddrMatch(const QType& query, const QType& answer) |
985 | { | |
986 | if(query.getCode() != QType::ADDR) | |
987 | return false; | |
988 | return answer.getCode() == QType::A || answer.getCode() == QType::AAAA; | |
989 | } | |
7738a23f | 990 | |
39ce10b2 PL |
991 | /* Fills the authoritySOA and DNSSECRecords fields from ne with those found in the records |
992 | * | |
993 | * \param records The records to parse for the authority SOA and NSEC(3) records | |
994 | * \param ne The NegCacheEntry to be filled out (will not be cleared, only appended to | |
995 | */ | |
996 | static void harvestNXRecords(const vector<DNSRecord>& records, NegCache::NegCacheEntry& ne) { | |
997 | static const set<uint16_t> nsecTypes = {QType::NSEC, QType::NSEC3}; | |
620db2c8 | 998 | for(const auto& rec : records) { |
39ce10b2 PL |
999 | if(rec.d_place != DNSResourceRecord::AUTHORITY) |
1000 | // RFC 4035 section 3.1.3. indicates that NSEC records MUST be placed in | |
1001 | // the AUTHORITY section. Section 3.1.1 indicates that that RRSIGs for | |
1002 | // records MUST be in the same section as the records they cover. | |
1003 | // Hence, we ignore all records outside of the AUTHORITY section. | |
1004 | continue; | |
1005 | ||
620db2c8 | 1006 | if(rec.d_type == QType::RRSIG) { |
39ce10b2 PL |
1007 | auto rrsig = getRR<RRSIGRecordContent>(rec); |
1008 | if(rrsig) { | |
1009 | if(rrsig->d_type == QType::SOA) { | |
1010 | ne.authoritySOA.signatures.push_back(rec); | |
1011 | } | |
1012 | if(nsecTypes.count(rrsig->d_type)) { | |
1013 | ne.DNSSECRecords.signatures.push_back(rec); | |
1014 | } | |
1015 | } | |
1016 | continue; | |
1017 | } | |
1018 | if(rec.d_type == QType::SOA) { | |
1019 | ne.authoritySOA.records.push_back(rec); | |
1020 | continue; | |
1021 | } | |
1022 | if(nsecTypes.count(rec.d_type)) { | |
1023 | ne.DNSSECRecords.records.push_back(rec); | |
1024 | continue; | |
620db2c8 | 1025 | } |
620db2c8 | 1026 | } |
620db2c8 | 1027 | } |
1028 | ||
39ce10b2 PL |
1029 | // TODO remove after processRecords is fixed! |
1030 | // Adds the RRSIG for the SOA and the NSEC(3) + RRSIGs to ret | |
620db2c8 | 1031 | static void addNXNSECS(vector<DNSRecord>&ret, const vector<DNSRecord>& records) |
1032 | { | |
39ce10b2 PL |
1033 | NegCache::NegCacheEntry ne; |
1034 | harvestNXRecords(records, ne); | |
1035 | ret.insert(ret.end(), ne.authoritySOA.signatures.begin(), ne.authoritySOA.signatures.end()); | |
1036 | ret.insert(ret.end(), ne.DNSSECRecords.records.begin(), ne.DNSSECRecords.records.end()); | |
1037 | ret.insert(ret.end(), ne.DNSSECRecords.signatures.begin(), ne.DNSSECRecords.signatures.end()); | |
620db2c8 | 1038 | } |
1039 | ||
69cbdef9 | 1040 | bool SyncRes::nameserversBlockedByRPZ(const DNSFilterEngine& dfe, const NsSet& nameservers) |
26ca3513 RG |
1041 | { |
1042 | if(d_wantsRPZ) { | |
1043 | for (auto const &ns : nameservers) { | |
69cbdef9 | 1044 | d_appliedPolicy = dfe.getProcessingPolicy(ns.first, d_discardedPolicies); |
26ca3513 RG |
1045 | if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response |
1046 | LOG(", however nameserver "<<ns.first<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl); | |
1047 | return true; | |
1048 | } | |
1049 | ||
1050 | // Traverse all IP addresses for this NS to see if they have an RPN NSIP policy | |
1051 | for (auto const &address : ns.second.first) { | |
69cbdef9 | 1052 | d_appliedPolicy = dfe.getProcessingPolicy(address, d_discardedPolicies); |
26ca3513 RG |
1053 | if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response |
1054 | LOG(", however nameserver "<<ns.first<<" IP address "<<address.toString()<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl); | |
1055 | return true; | |
1056 | } | |
1057 | } | |
1058 | } | |
1059 | } | |
1060 | return false; | |
1061 | } | |
1062 | ||
69cbdef9 | 1063 | bool SyncRes::nameserverIPBlockedByRPZ(const DNSFilterEngine& dfe, const ComboAddress& remoteIP) |
26ca3513 RG |
1064 | { |
1065 | if (d_wantsRPZ) { | |
69cbdef9 | 1066 | d_appliedPolicy = dfe.getProcessingPolicy(remoteIP, d_discardedPolicies); |
26ca3513 RG |
1067 | if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { |
1068 | LOG(" (blocked by RPZ policy '"+(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")+"')"); | |
1069 | return true; | |
1070 | } | |
1071 | } | |
1072 | return false; | |
1073 | } | |
1074 | ||
1075 | vector<ComboAddress> SyncRes::retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector<DNSName >::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<DNSName >& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet) | |
1076 | { | |
1077 | vector<ComboAddress> result; | |
1078 | ||
1079 | if(!tns->empty()) { | |
1080 | LOG(prefix<<qname<<": Trying to resolve NS '"<<*tns<< "' ("<<1+tns-rnameservers.begin()<<"/"<<(unsigned int)rnameservers.size()<<")"<<endl); | |
1081 | result = getAddrs(*tns, depth+2, beenthere); | |
1082 | pierceDontQuery=false; | |
1083 | } | |
1084 | else { | |
1085 | LOG(prefix<<qname<<": Domain has hardcoded nameserver"); | |
1086 | ||
1087 | result = nameservers[*tns].first; | |
1088 | if(result.size() > 1) { | |
1089 | LOG("s"); | |
1090 | } | |
1091 | LOG(endl); | |
1092 | ||
1093 | sendRDQuery = nameservers[*tns].second; | |
1094 | pierceDontQuery=true; | |
1095 | } | |
1096 | return result; | |
1097 | } | |
1098 | ||
1099 | bool SyncRes::throttledOrBlocked(const std::string& prefix, const ComboAddress& remoteIP, const DNSName& qname, const QType& qtype, bool pierceDontQuery) | |
1100 | { | |
a712cb56 | 1101 | if(t_sstorage.throttle.shouldThrottle(d_now.tv_sec, boost::make_tuple(remoteIP, "", 0))) { |
26ca3513 RG |
1102 | LOG(prefix<<qname<<": server throttled "<<endl); |
1103 | s_throttledqueries++; d_throttledqueries++; | |
1104 | return true; | |
1105 | } | |
a712cb56 | 1106 | else if(t_sstorage.throttle.shouldThrottle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()))) { |
6dfff36f | 1107 | LOG(prefix<<qname<<": query throttled "<<remoteIP.toString()<<", "<<qname<<"; "<<qtype.getName()<<endl); |
26ca3513 RG |
1108 | s_throttledqueries++; d_throttledqueries++; |
1109 | return true; | |
1110 | } | |
9065eb05 | 1111 | else if(!pierceDontQuery && s_dontQuery && s_dontQuery->match(&remoteIP)) { |
26ca3513 RG |
1112 | LOG(prefix<<qname<<": not sending query to " << remoteIP.toString() << ", blocked by 'dont-query' setting" << endl); |
1113 | s_dontqueries++; | |
1114 | return true; | |
1115 | } | |
1116 | return false; | |
1117 | } | |
1118 | ||
6dfff36f | 1119 | RCode::rcodes_ SyncRes::updateCacheFromRecords(const std::string& prefix, LWResult& lwr, const DNSName& qname, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask) |
26ca3513 RG |
1120 | { |
1121 | struct CachePair | |
1122 | { | |
1123 | vector<DNSRecord> records; | |
1124 | vector<shared_ptr<RRSIGRecordContent>> signatures; | |
1125 | }; | |
1126 | struct CacheKey | |
1127 | { | |
1128 | DNSName name; | |
1129 | uint16_t type; | |
1130 | DNSResourceRecord::Place place; | |
1131 | bool operator<(const CacheKey& rhs) const { | |
1132 | return tie(name, type) < tie(rhs.name, rhs.type); | |
1133 | } | |
1134 | }; | |
1135 | typedef map<CacheKey, CachePair> tcache_t; | |
1136 | tcache_t tcache; | |
1137 | ||
1138 | for(const auto& rec : lwr.d_records) { | |
1139 | if(rec.d_type == QType::RRSIG) { | |
1140 | auto rrsig = getRR<RRSIGRecordContent>(rec); | |
1141 | if (rrsig) { | |
1142 | // cerr<<"Got an RRSIG for "<<DNSRecordContent::NumberToType(rrsig->d_type)<<" with name '"<<rec.d_name<<"'"<<endl; | |
1143 | tcache[{rec.d_name, rrsig->d_type, rec.d_place}].signatures.push_back(rrsig); | |
1144 | } | |
1145 | } | |
1146 | } | |
1147 | ||
1148 | // reap all answers from this packet that are acceptable | |
1149 | for(auto& rec : lwr.d_records) { | |
1150 | if(rec.d_type == QType::OPT) { | |
1151 | LOG(prefix<<qname<<": OPT answer '"<<rec.d_name<<"' from '"<<auth<<"' nameservers" <<endl); | |
1152 | continue; | |
1153 | } | |
1154 | LOG(prefix<<qname<<": accept answer '"<<rec.d_name<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"|"<<rec.d_content->getZoneRepresentation()<<"' from '"<<auth<<"' nameservers? "<<(int)rec.d_place<<" "); | |
1155 | if(rec.d_type == QType::ANY) { | |
1156 | LOG("NO! - we don't accept 'ANY' data"<<endl); | |
1157 | continue; | |
1158 | } | |
1159 | ||
1160 | if(rec.d_name.isPartOf(auth)) { | |
1161 | if(rec.d_type == QType::RRSIG) { | |
1162 | LOG("RRSIG - separate"<<endl); | |
1163 | } | |
9065eb05 | 1164 | else if(lwr.d_aabit && lwr.d_rcode==RCode::NoError && rec.d_place==DNSResourceRecord::ANSWER && (rec.d_type != QType::DNSKEY || rec.d_name != auth) && s_delegationOnly.count(auth)) { |
26ca3513 RG |
1165 | LOG("NO! Is from delegation-only zone"<<endl); |
1166 | s_nodelegated++; | |
1167 | return RCode::NXDomain; | |
1168 | } | |
1169 | else { | |
1170 | bool haveLogged = false; | |
a712cb56 | 1171 | if (!t_sstorage.domainmap->empty()) { |
26ca3513 RG |
1172 | // Check if we are authoritative for a zone in this answer |
1173 | DNSName tmp_qname(rec.d_name); | |
1174 | auto auth_domain_iter=getBestAuthZone(&tmp_qname); | |
a712cb56 | 1175 | if(auth_domain_iter!=t_sstorage.domainmap->end() && |
26ca3513 RG |
1176 | auth.countLabels() <= auth_domain_iter->first.countLabels()) { |
1177 | if (auth_domain_iter->first != auth) { | |
1178 | LOG("NO! - we are authoritative for the zone "<<auth_domain_iter->first<<endl); | |
1179 | continue; | |
1180 | } else { | |
1181 | LOG("YES! - This answer was "); | |
6dfff36f | 1182 | if (!wasForwarded) { |
26ca3513 RG |
1183 | LOG("retrieved from the local auth store."); |
1184 | } else { | |
1185 | LOG("received from a server we forward to."); | |
1186 | } | |
1187 | haveLogged = true; | |
1188 | LOG(endl); | |
1189 | } | |
1190 | } | |
1191 | } | |
1192 | if (!haveLogged) { | |
1193 | LOG("YES!"<<endl); | |
1194 | } | |
1195 | ||
1196 | rec.d_ttl=min(s_maxcachettl, rec.d_ttl); | |
1197 | ||
1198 | DNSRecord dr(rec); | |
1199 | dr.d_place=DNSResourceRecord::ANSWER; | |
1200 | ||
1201 | dr.d_ttl += d_now.tv_sec; | |
1202 | tcache[{rec.d_name,rec.d_type,rec.d_place}].records.push_back(dr); | |
1203 | } | |
1204 | } | |
1205 | else | |
1206 | LOG("NO!"<<endl); | |
1207 | } | |
1208 | ||
1209 | // supplant | |
1210 | for(tcache_t::iterator i=tcache.begin();i!=tcache.end();++i) { | |
1211 | if(i->second.records.size() > 1) { // need to group the ttl to be the minimum of the RRSET (RFC 2181, 5.2) | |
1212 | uint32_t lowestTTL=std::numeric_limits<uint32_t>::max(); | |
1213 | for(const auto& record : i->second.records) | |
1214 | lowestTTL=min(lowestTTL, record.d_ttl); | |
1215 | ||
1216 | for(auto& record : i->second.records) | |
1217 | *const_cast<uint32_t*>(&record.d_ttl)=lowestTTL; // boom | |
1218 | } | |
1219 | ||
1220 | // cout<<"Have "<<i->second.records.size()<<" records and "<<i->second.signatures.size()<<" signatures for "<<i->first.name; | |
1221 | // cout<<'|'<<DNSRecordContent::NumberToType(i->first.type)<<endl; | |
1222 | if(i->second.records.empty()) // this happens when we did store signatures, but passed on the records themselves | |
1223 | continue; | |
6dfff36f | 1224 | |
26ca3513 | 1225 | t_RC->replace(d_now.tv_sec, i->first.name, QType(i->first.type), i->second.records, i->second.signatures, lwr.d_aabit, i->first.place == DNSResourceRecord::ANSWER ? ednsmask : boost::optional<Netmask>()); |
6dfff36f | 1226 | |
26ca3513 RG |
1227 | if(i->first.place == DNSResourceRecord::ANSWER && ednsmask) |
1228 | d_wasVariable=true; | |
1229 | } | |
1230 | ||
1231 | return RCode::NoError; | |
1232 | } | |
1233 | ||
6dfff36f | 1234 | bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic) |
26ca3513 RG |
1235 | { |
1236 | bool done = false; | |
1237 | ||
1238 | for(auto& rec : lwr.d_records) { | |
1239 | if (rec.d_type!=QType::OPT && rec.d_class!=QClass::IN) | |
1240 | continue; | |
1241 | ||
1242 | if(rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::SOA && | |
1243 | lwr.d_rcode==RCode::NXDomain && qname.isPartOf(rec.d_name) && rec.d_name.isPartOf(auth)) { | |
1244 | LOG(prefix<<qname<<": got negative caching indication for name '"<<qname<<"' (accept="<<rec.d_name.isPartOf(auth)<<"), newtarget='"<<newtarget<<"'"<<endl); | |
1245 | ||
1246 | rec.d_ttl = min(rec.d_ttl, s_maxnegttl); | |
1247 | if(newtarget.empty()) // only add a SOA if we're not going anywhere after this | |
1248 | ret.push_back(rec); | |
1249 | if(!wasVariable()) { | |
39ce10b2 PL |
1250 | NegCache::NegCacheEntry ne; |
1251 | ||
39ce10b2 PL |
1252 | ne.d_ttd = d_now.tv_sec + rec.d_ttl; |
1253 | ne.d_name = qname; | |
1254 | ne.d_qtype = QType(0); // this encodes 'whole record' | |
898856ca | 1255 | ne.d_auth = rec.d_name; |
39ce10b2 | 1256 | harvestNXRecords(lwr.d_records, ne); |
a712cb56 | 1257 | t_sstorage.negcache.add(ne); |
07e3cfb6 | 1258 | if(s_rootNXTrust && ne.d_auth.isRoot() && auth.isRoot()) { |
9a1e060b | 1259 | ne.d_name = ne.d_name.getLastLabel(); |
a712cb56 | 1260 | t_sstorage.negcache.add(ne); |
26ca3513 RG |
1261 | } |
1262 | } | |
1263 | ||
1264 | negindic=true; | |
1265 | } | |
1266 | else if(rec.d_place==DNSResourceRecord::ANSWER && rec.d_name == qname && rec.d_type==QType::CNAME && (!(qtype==QType(QType::CNAME)))) { | |
1267 | ret.push_back(rec); | |
1268 | if (auto content = getRR<CNAMERecordContent>(rec)) { | |
1269 | newtarget=content->getTarget(); | |
1270 | } | |
1271 | } | |
1272 | else if((rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::ANSWER){ | |
1273 | if(rec.d_type != QType::RRSIG || rec.d_name == qname) | |
1274 | ret.push_back(rec); // enjoy your DNSSEC | |
1275 | } | |
1276 | // for ANY answers we *must* have an authoritative answer, unless we are forwarding recursively | |
1277 | else if(rec.d_place==DNSResourceRecord::ANSWER && rec.d_name == qname && | |
1278 | ( | |
1279 | rec.d_type==qtype.getCode() || (lwr.d_aabit && (qtype==QType(QType::ANY) || magicAddrMatch(qtype, QType(rec.d_type)) ) ) || sendRDQuery | |
1280 | ) | |
1281 | ) | |
1282 | { | |
1283 | LOG(prefix<<qname<<": answer is in: resolved to '"<< rec.d_content->getZoneRepresentation()<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"'"<<endl); | |
1284 | ||
1285 | done=true; | |
1286 | ret.push_back(rec); | |
1287 | } | |
1288 | else if(rec.d_place==DNSResourceRecord::AUTHORITY && qname.isPartOf(rec.d_name) && rec.d_type==QType::NS) { | |
1289 | if(moreSpecificThan(rec.d_name,auth)) { | |
1290 | newauth=rec.d_name; | |
1291 | LOG(prefix<<qname<<": got NS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"'"<<endl); | |
1292 | realreferral=true; | |
1293 | } | |
1294 | else { | |
1295 | LOG(prefix<<qname<<": got upwards/level NS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"', had '"<<auth<<"'"<<endl); | |
1296 | } | |
1297 | if (auto content = getRR<NSRecordContent>(rec)) { | |
1298 | nsset.insert(content->getNS()); | |
1299 | } | |
1300 | } | |
1301 | else if(rec.d_place==DNSResourceRecord::AUTHORITY && qname.isPartOf(rec.d_name) && rec.d_type==QType::DS) { | |
1302 | LOG(prefix<<qname<<": got DS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"'"<<endl); | |
26ca3513 RG |
1303 | } |
1304 | else if(!done && rec.d_place==DNSResourceRecord::AUTHORITY && qname.isPartOf(rec.d_name) && rec.d_type==QType::SOA && | |
1305 | lwr.d_rcode==RCode::NoError) { | |
1306 | LOG(prefix<<qname<<": got negative caching indication for '"<< qname<<"|"<<qtype.getName()<<"'"<<endl); | |
1307 | ||
1308 | if(!newtarget.empty()) { | |
1309 | LOG(prefix<<qname<<": Hang on! Got a redirect to '"<<newtarget<<"' already"<<endl); | |
1310 | } | |
1311 | else { | |
1312 | rec.d_ttl = min(s_maxnegttl, rec.d_ttl); | |
1313 | ret.push_back(rec); | |
1314 | if(!wasVariable()) { | |
39ce10b2 PL |
1315 | NegCache::NegCacheEntry ne; |
1316 | ne.d_auth = rec.d_name; | |
1317 | ne.d_ttd = d_now.tv_sec + rec.d_ttl; | |
1318 | ne.d_name = qname; | |
1319 | ne.d_qtype = qtype; | |
1320 | harvestNXRecords(lwr.d_records, ne); | |
26ca3513 | 1321 | if(qtype.getCode()) { // prevents us from blacking out a whole domain |
a712cb56 | 1322 | t_sstorage.negcache.add(ne); |
26ca3513 RG |
1323 | } |
1324 | } | |
1325 | negindic=true; | |
1326 | } | |
1327 | } | |
1328 | } | |
1329 | ||
1330 | return done; | |
1331 | } | |
1332 | ||
6dfff36f RG |
1333 | bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname, const QType& qtype, LWResult& lwr, boost::optional<Netmask>& ednsmask, const DNSName& auth, bool const sendRDQuery, const DNSName& nsName, const ComboAddress& remoteIP, bool doTCP, bool* truncated) |
1334 | { | |
1335 | int resolveret; | |
1336 | s_outqueries++; | |
1337 | d_outqueries++; | |
1338 | ||
1339 | if(d_outqueries + d_throttledqueries > s_maxqperq) { | |
1340 | throw ImmediateServFailException("more than "+std::to_string(s_maxqperq)+" (max-qperq) queries sent while resolving "+qname.toLogString()); | |
1341 | } | |
1342 | ||
1343 | if(s_maxtotusec && d_totUsec > s_maxtotusec) { | |
1344 | throw ImmediateServFailException("Too much time waiting for "+qname.toLogString()+"|"+qtype.getName()+", timeouts: "+std::to_string(d_timeouts) +", throttles: "+std::to_string(d_throttledqueries) + ", queries: "+std::to_string(d_outqueries)+", "+std::to_string(d_totUsec/1000)+"msec"); | |
1345 | } | |
1346 | ||
1347 | if(doTCP) { | |
1348 | LOG(prefix<<qname<<": using TCP with "<< remoteIP.toStringWithPort() <<endl); | |
1349 | s_tcpoutqueries++; | |
1350 | d_tcpoutqueries++; | |
1351 | } | |
1352 | ||
1353 | if(d_pdl && d_pdl->preoutquery(remoteIP, d_requestor, qname, qtype, doTCP, lwr.d_records, resolveret)) { | |
1354 | LOG(prefix<<qname<<": query handled by Lua"<<endl); | |
1355 | } | |
1356 | else { | |
1357 | ednsmask=getEDNSSubnetMask(d_requestor, qname, remoteIP); | |
1358 | if(ednsmask) { | |
1359 | LOG(prefix<<qname<<": Adding EDNS Client Subnet Mask "<<ednsmask->toString()<<" to query"<<endl); | |
1360 | } | |
1361 | resolveret = asyncresolveWrapper(remoteIP, d_doDNSSEC, qname, qtype.getCode(), | |
1362 | doTCP, sendRDQuery, &d_now, ednsmask, &lwr); // <- we go out on the wire! | |
1363 | if(ednsmask) { | |
1364 | LOG(prefix<<qname<<": Received EDNS Client Subnet Mask "<<ednsmask->toString()<<" on response"<<endl); | |
1365 | } | |
1366 | } | |
1367 | ||
1368 | /* preoutquery killed the query by setting dq.rcode to -3 */ | |
1369 | if(resolveret==-3) { | |
1370 | throw ImmediateServFailException("Query killed by policy"); | |
1371 | } | |
1372 | ||
1373 | d_totUsec += lwr.d_usec; | |
1374 | accountAuthLatency(lwr.d_usec, remoteIP.sin4.sin_family); | |
1375 | ||
1376 | if(resolveret != 1) { | |
1377 | /* Error while resolving */ | |
1378 | if(resolveret == 0) { | |
1379 | /* Time out */ | |
1380 | ||
1381 | LOG(prefix<<qname<<": timeout resolving after "<<lwr.d_usec/1000.0<<"msec "<< (doTCP ? "over TCP" : "")<<endl); | |
1382 | d_timeouts++; | |
1383 | s_outgoingtimeouts++; | |
1384 | ||
1385 | if(remoteIP.sin4.sin_family == AF_INET) | |
1386 | s_outgoing4timeouts++; | |
1387 | else | |
1388 | s_outgoing6timeouts++; | |
1389 | } | |
1390 | else if(resolveret == -2) { | |
1391 | /* OS resource limit reached */ | |
1392 | LOG(prefix<<qname<<": hit a local resource limit resolving"<< (doTCP ? " over TCP" : "")<<", probable error: "<<stringerror()<<endl); | |
1393 | g_stats.resourceLimits++; | |
1394 | } | |
1395 | else { | |
1396 | /* -1 means server unreachable */ | |
1397 | s_unreachables++; | |
1398 | d_unreachables++; | |
1399 | LOG(prefix<<qname<<": error resolving from "<<remoteIP.toString()<< (doTCP ? " over TCP" : "") <<", possible error: "<<strerror(errno)<< endl); | |
1400 | } | |
1401 | ||
1402 | if(resolveret != -2) { // don't account for resource limits, they are our own fault | |
1403 | t_sstorage.nsSpeeds[nsName].submit(remoteIP, 1000000, &d_now); // 1 sec | |
1404 | ||
1405 | // code below makes sure we don't filter COM or the root | |
1406 | if (s_serverdownmaxfails > 0 && (auth != g_rootdnsname) && t_sstorage.fails.incr(remoteIP) >= s_serverdownmaxfails) { | |
1407 | LOG(prefix<<qname<<": Max fails reached resolving on "<< remoteIP.toString() <<". Going full throttle for "<< s_serverdownthrottletime <<" seconds" <<endl); | |
1408 | // mark server as down | |
1409 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, "", 0), s_serverdownthrottletime, 10000); | |
1410 | } | |
1411 | else if (resolveret == -1) { | |
1412 | // unreachable, 1 minute or 100 queries | |
1413 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 100); | |
1414 | } | |
1415 | else { | |
1416 | // timeout | |
1417 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 10, 5); | |
1418 | } | |
1419 | } | |
1420 | ||
1421 | return false; | |
1422 | } | |
1423 | ||
1424 | /* we got an answer */ | |
1425 | if(lwr.d_rcode==RCode::ServFail || lwr.d_rcode==RCode::Refused) { | |
1426 | LOG(prefix<<qname<<": "<<nsName<<" ("<<remoteIP.toString()<<") returned a "<< (lwr.d_rcode==RCode::ServFail ? "ServFail" : "Refused") << ", trying sibling IP or NS"<<endl); | |
1427 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 3); | |
1428 | return false; | |
1429 | } | |
1430 | ||
1431 | /* this server sent a valid answer, mark it backup up if it was down */ | |
1432 | if(s_serverdownmaxfails > 0) { | |
1433 | t_sstorage.fails.clear(remoteIP); | |
1434 | } | |
1435 | ||
1436 | if(lwr.d_tcbit) { | |
1437 | *truncated = true; | |
1438 | ||
1439 | if (doTCP) { | |
1440 | LOG(prefix<<qname<<": truncated bit set, over TCP?"<<endl); | |
1441 | /* let's treat that as a ServFail answer from this server */ | |
1442 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 3); | |
1443 | return false; | |
1444 | } | |
1445 | ||
1446 | return true; | |
1447 | } | |
1448 | ||
1449 | return true; | |
1450 | } | |
1451 | ||
1452 | bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, bool sendRDQuery, NsSet &nameservers, std::vector<DNSRecord>& ret, const DNSFilterEngine& dfe, bool* gotNewServers, int* rcode) | |
1453 | { | |
1454 | string prefix; | |
1455 | if(doLog()) { | |
1456 | prefix=d_prefix; | |
1457 | prefix.append(depth, ' '); | |
1458 | } | |
1459 | ||
1460 | if(s_minimumTTL) { | |
1461 | for(auto& rec : lwr.d_records) { | |
1462 | rec.d_ttl = max(rec.d_ttl, s_minimumTTL); | |
1463 | } | |
1464 | } | |
1465 | ||
1466 | *rcode = updateCacheFromRecords(prefix, lwr, qname, auth, wasForwarded, ednsmask); | |
1467 | if (*rcode != RCode::NoError) { | |
1468 | return true; | |
1469 | } | |
1470 | ||
1471 | LOG(prefix<<qname<<": determining status after receiving this packet"<<endl); | |
1472 | ||
1473 | set<DNSName> nsset; | |
1474 | bool realreferral=false, negindic=false; | |
1475 | DNSName newauth; | |
1476 | DNSName newtarget; | |
1477 | ||
1478 | bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic); | |
1479 | ||
1480 | if(done){ | |
1481 | LOG(prefix<<qname<<": status=got results, this level of recursion done"<<endl); | |
1482 | *rcode = RCode::NoError; | |
1483 | return true; | |
1484 | } | |
1485 | ||
1486 | if(!newtarget.empty()) { | |
1487 | if(newtarget == qname) { | |
1488 | LOG(prefix<<qname<<": status=got a CNAME referral to self, returning SERVFAIL"<<endl); | |
1489 | *rcode = RCode::ServFail; | |
1490 | return true; | |
1491 | } | |
1492 | ||
1493 | if(depth > 10) { | |
1494 | LOG(prefix<<qname<<": status=got a CNAME referral, but recursing too deep, returning SERVFAIL"<<endl); | |
1495 | *rcode = RCode::ServFail; | |
1496 | return true; | |
1497 | } | |
1498 | ||
1499 | LOG(prefix<<qname<<": status=got a CNAME referral, starting over with "<<newtarget<<endl); | |
1500 | ||
1501 | set<GetBestNSAnswer> beenthere2; | |
1502 | *rcode = doResolve(newtarget, qtype, ret, depth + 1, beenthere2); | |
1503 | return true; | |
1504 | } | |
1505 | ||
1506 | if(lwr.d_rcode == RCode::NXDomain) { | |
1507 | LOG(prefix<<qname<<": status=NXDOMAIN, we are done "<<(negindic ? "(have negative SOA)" : "")<<endl); | |
1508 | ||
1509 | if(d_doDNSSEC) | |
1510 | addNXNSECS(ret, lwr.d_records); | |
1511 | ||
1512 | *rcode = RCode::NXDomain; | |
1513 | return true; | |
1514 | } | |
1515 | ||
1516 | if(nsset.empty() && !lwr.d_rcode && (negindic || lwr.d_aabit || sendRDQuery)) { | |
1517 | LOG(prefix<<qname<<": status=noerror, other types may exist, but we are done "<<(negindic ? "(have negative SOA) " : "")<<(lwr.d_aabit ? "(have aa bit) " : "")<<endl); | |
1518 | ||
1519 | if(d_doDNSSEC) | |
1520 | addNXNSECS(ret, lwr.d_records); | |
1521 | ||
1522 | *rcode = RCode::NoError; | |
1523 | return true; | |
1524 | } | |
1525 | ||
1526 | if(realreferral) { | |
1527 | LOG(prefix<<qname<<": status=did not resolve, got "<<(unsigned int)nsset.size()<<" NS, "); | |
1528 | auth=newauth; | |
1529 | ||
1530 | nameservers.clear(); | |
1531 | for (auto const &nameserver : nsset) { | |
1532 | if (d_wantsRPZ) { | |
1533 | d_appliedPolicy = dfe.getProcessingPolicy(nameserver, d_discardedPolicies); | |
1534 | if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response | |
1535 | LOG("however "<<nameserver<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl); | |
1536 | *rcode = -2; | |
1537 | return true; | |
1538 | } | |
1539 | } | |
1540 | nameservers.insert({nameserver, {{}, false}}); | |
1541 | } | |
1542 | LOG("looping to them"<<endl); | |
1543 | *gotNewServers = true; | |
1544 | return false; | |
1545 | } | |
1546 | ||
1547 | return false; | |
1548 | } | |
1549 | ||
b8470add PL |
1550 | /** returns: |
1551 | * -1 in case of no results | |
1552 | * -2 when a FilterEngine Policy was hit | |
1553 | * rcode otherwise | |
1554 | */ | |
fa1b87ff | 1555 | int SyncRes::doResolveAt(NsSet &nameservers, DNSName auth, bool flawedNSSet, const DNSName &qname, const QType &qtype, |
e325f20c | 1556 | vector<DNSRecord>&ret, |
7c3398aa | 1557 | unsigned int depth, set<GetBestNSAnswer>&beenthere) |
86c152f2 | 1558 | { |
69cbdef9 | 1559 | auto luaconfsLocal = g_luaconfs.getLocal(); |
ded77b10 | 1560 | string prefix; |
77499b05 | 1561 | if(doLog()) { |
ded77b10 BH |
1562 | prefix=d_prefix; |
1563 | prefix.append(depth, ' '); | |
1564 | } | |
3ddb9247 | 1565 | |
b8470add PL |
1566 | LOG(prefix<<qname<<": Cache consultations done, have "<<(unsigned int)nameservers.size()<<" NS to contact"); |
1567 | ||
69cbdef9 | 1568 | if (nameserversBlockedByRPZ(luaconfsLocal->dfe, nameservers)) { |
26ca3513 | 1569 | return -2; |
b8470add PL |
1570 | } |
1571 | ||
1572 | LOG(endl); | |
afbe2787 BH |
1573 | |
1574 | for(;;) { // we may get more specific nameservers | |
e8b23f3b | 1575 | vector<DNSName > rnameservers = shuffleInSpeedOrder(nameservers, doLog() ? (prefix+qname.toString()+": ") : string() ); |
3ddb9247 | 1576 | |
26ca3513 RG |
1577 | for(auto tns=rnameservers.cbegin();;++tns) { |
1578 | if(tns==rnameservers.cend()) { | |
2189085d | 1579 | LOG(prefix<<qname<<": Failed to resolve via any of the "<<(unsigned int)rnameservers.size()<<" offered NS at level '"<<auth<<"'"<<endl); |
03c09afe | 1580 | if(!auth.isRoot() && flawedNSSet) { |
2189085d | 1581 | LOG(prefix<<qname<<": Ageing nameservers for level '"<<auth<<"', next query might succeed"<<endl); |
88490c03 | 1582 | |
49a699c4 | 1583 | if(t_RC->doAgeCache(d_now.tv_sec, auth, QType::NS, 10)) |
4957a608 BH |
1584 | g_stats.nsSetInvalidations++; |
1585 | } | |
1586 | return -1; | |
afbe2787 | 1587 | } |
6dfff36f | 1588 | |
21f0f88b | 1589 | // this line needs to identify the 'self-resolving' behaviour, but we get it wrong now |
26ca3513 RG |
1590 | if(qname == *tns && qtype.getCode()==QType::A && rnameservers.size() > (size_t)(1+1*s_doIPv6)) { |
1591 | LOG(prefix<<qname<<": Not using NS to resolve itself! ("<<(1+tns-rnameservers.cbegin())<<"/"<<rnameservers.size()<<")"<<endl); | |
4957a608 | 1592 | continue; |
20177d1d | 1593 | } |
5605c067 | 1594 | |
996c89cc | 1595 | typedef vector<ComboAddress> remoteIPs_t; |
5605c067 | 1596 | remoteIPs_t remoteIPs; |
bfea0d0b | 1597 | remoteIPs_t::const_iterator remoteIP; |
1c21f389 | 1598 | bool pierceDontQuery=false; |
c1d73d94 | 1599 | bool sendRDQuery=false; |
376effcf | 1600 | boost::optional<Netmask> ednsmask; |
263f6a5a | 1601 | LWResult lwr; |
6dfff36f RG |
1602 | const bool wasForwarded = tns->empty() && (!nameservers[*tns].first.empty()); |
1603 | int rcode = RCode::NoError; | |
1604 | bool gotNewServers = false; | |
1605 | ||
1606 | if(tns->empty() && !wasForwarded) { | |
2189085d | 1607 | LOG(prefix<<qname<<": Domain is out-of-band"<<endl); |
9fc36e90 | 1608 | d_wasOutOfBand = doOOBResolve(qname, qtype, lwr.d_records, depth, lwr.d_rcode); |
4957a608 BH |
1609 | lwr.d_tcbit=false; |
1610 | lwr.d_aabit=true; | |
6dfff36f RG |
1611 | |
1612 | /* we have received an answer, are we done ? */ | |
1613 | bool done = processAnswer(depth, lwr, qname, qtype, auth, false, ednsmask, sendRDQuery, nameservers, ret, luaconfsLocal->dfe, &gotNewServers, &rcode); | |
1614 | if (done) { | |
1615 | return rcode; | |
1616 | } | |
1617 | if (gotNewServers) { | |
1618 | break; | |
1619 | } | |
5605c067 BH |
1620 | } |
1621 | else { | |
6dfff36f | 1622 | /* if tns is empty, retrieveAddressesForNS() knows we have hardcoded servers (i.e. "forwards") */ |
26ca3513 | 1623 | remoteIPs = retrieveAddressesForNS(prefix, qname, tns, depth, beenthere, rnameservers, nameservers, sendRDQuery, pierceDontQuery, flawedNSSet); |
4957a608 BH |
1624 | |
1625 | if(remoteIPs.empty()) { | |
2189085d | 1626 | LOG(prefix<<qname<<": Failed to get IP for NS "<<*tns<<", trying next if available"<<endl); |
4957a608 BH |
1627 | flawedNSSet=true; |
1628 | continue; | |
1629 | } | |
1630 | else { | |
b8470add | 1631 | bool hitPolicy{false}; |
2189085d | 1632 | LOG(prefix<<qname<<": Resolved '"<<auth<<"' NS "<<*tns<<" to: "); |
26ca3513 RG |
1633 | for(remoteIP = remoteIPs.cbegin(); remoteIP != remoteIPs.cend(); ++remoteIP) { |
1634 | if(remoteIP != remoteIPs.cbegin()) { | |
77499b05 BH |
1635 | LOG(", "); |
1636 | } | |
1637 | LOG(remoteIP->toString()); | |
69cbdef9 | 1638 | if(nameserverIPBlockedByRPZ(luaconfsLocal->dfe, *remoteIP)) { |
26ca3513 | 1639 | hitPolicy = true; |
b8470add | 1640 | } |
4957a608 | 1641 | } |
77499b05 | 1642 | LOG(endl); |
b8470add PL |
1643 | if (hitPolicy) //implies d_wantsRPZ |
1644 | return -2; | |
4957a608 BH |
1645 | } |
1646 | ||
26ca3513 | 1647 | for(remoteIP = remoteIPs.cbegin(); remoteIP != remoteIPs.cend(); ++remoteIP) { |
2189085d | 1648 | LOG(prefix<<qname<<": Trying IP "<< remoteIP->toStringWithPort() <<", asking '"<<qname<<"|"<<qtype.getName()<<"'"<<endl); |
6dfff36f | 1649 | |
26ca3513 | 1650 | if (throttledOrBlocked(prefix, *remoteIP, qname, qtype, pierceDontQuery)) { |
4957a608 BH |
1651 | continue; |
1652 | } | |
9de3e034 | 1653 | |
6dfff36f RG |
1654 | bool truncated = false; |
1655 | bool gotAnswer = doResolveAtThisIP(prefix, qname, qtype, lwr, ednsmask, auth, sendRDQuery, | |
1656 | *tns, *remoteIP, false, &truncated); | |
1657 | if (gotAnswer && truncated ) { | |
1658 | /* retry, over TCP this time */ | |
1659 | gotAnswer = doResolveAtThisIP(prefix, qname, qtype, lwr, ednsmask, auth, sendRDQuery, | |
1660 | *tns, *remoteIP, true, &truncated); | |
1661 | } | |
710af846 | 1662 | |
6dfff36f RG |
1663 | if (!gotAnswer) { |
1664 | continue; | |
1665 | } | |
352b4183 | 1666 | |
6dfff36f | 1667 | LOG(prefix<<qname<<": Got "<<(unsigned int)lwr.d_records.size()<<" answers from "<<*tns<<" ("<< remoteIP->toString() <<"), rcode="<<lwr.d_rcode<<" ("<<RCode::to_s(lwr.d_rcode)<<"), aa="<<lwr.d_aabit<<", in "<<lwr.d_usec/1000<<"ms"<<endl); |
92011b8f | 1668 | |
6dfff36f RG |
1669 | /* // for you IPv6 fanatics :-) |
1670 | if(remoteIP->sin4.sin_family==AF_INET6) | |
1671 | lwr.d_usec/=3; | |
1672 | */ | |
1673 | // cout<<"msec: "<<lwr.d_usec/1000.0<<", "<<g_avgLatency/1000.0<<'\n'; | |
710af846 | 1674 | |
6dfff36f | 1675 | t_sstorage.nsSpeeds[*tns].submit(*remoteIP, lwr.d_usec, &d_now); |
628e2c7b | 1676 | |
6dfff36f RG |
1677 | /* we have received an answer, are we done ? */ |
1678 | bool done = processAnswer(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, sendRDQuery, nameservers, ret, luaconfsLocal->dfe, &gotNewServers, &rcode); | |
1679 | if (done) { | |
1680 | return rcode; | |
4957a608 | 1681 | } |
6dfff36f RG |
1682 | if (gotNewServers) { |
1683 | break; | |
4957a608 | 1684 | } |
6dfff36f RG |
1685 | /* was lame */ |
1686 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(*remoteIP, qname, qtype.getCode()), 60, 100); | |
4957a608 | 1687 | } |
aadceba8 | 1688 | |
6dfff36f RG |
1689 | if (gotNewServers) { |
1690 | break; | |
4957a608 | 1691 | } |
620db2c8 | 1692 | |
6dfff36f RG |
1693 | if(remoteIP == remoteIPs.cend()) // we tried all IP addresses, none worked |
1694 | continue; | |
620db2c8 | 1695 | |
86c152f2 BH |
1696 | } |
1697 | } | |
86c152f2 | 1698 | } |
ac539791 | 1699 | return -1; |
86c152f2 BH |
1700 | } |
1701 | ||
e9f9b8ec RG |
1702 | boost::optional<Netmask> SyncRes::getEDNSSubnetMask(const ComboAddress& local, const DNSName&dn, const ComboAddress& rem) |
1703 | { | |
1704 | boost::optional<Netmask> result; | |
1705 | ComboAddress trunc; | |
1706 | uint8_t bits; | |
1707 | if(d_incomingECSFound) { | |
1708 | if (d_incomingECS->source.getBits() == 0) { | |
1709 | /* RFC7871 says we MUST NOT send any ECS if the source scope is 0 */ | |
1710 | return result; | |
1711 | } | |
1712 | trunc = d_incomingECS->source.getMaskedNetwork(); | |
1713 | bits = d_incomingECS->source.getBits(); | |
1714 | } | |
1715 | else if(!local.isIPv4() || local.sin4.sin_addr.s_addr) { // detect unset 'requestor' | |
1716 | trunc = local; | |
1717 | bits = local.isIPv4() ? 32 : 128; | |
1718 | } | |
1719 | else { | |
1720 | /* nothing usable */ | |
1721 | return result; | |
1722 | } | |
1723 | ||
9065eb05 | 1724 | if(s_ednsdomains.check(dn) || s_ednssubnets.match(rem)) { |
e9f9b8ec RG |
1725 | bits = std::min(bits, (trunc.isIPv4() ? s_ecsipv4limit : s_ecsipv6limit)); |
1726 | trunc.truncate(bits); | |
1727 | return boost::optional<Netmask>(Netmask(trunc, bits)); | |
1728 | } | |
1729 | ||
1730 | return result; | |
1731 | } | |
bd53ea9d | 1732 | |
9065eb05 RG |
1733 | void SyncRes::parseEDNSSubnetWhitelist(const std::string& wlist) |
1734 | { | |
1735 | vector<string> parts; | |
1736 | stringtok(parts, wlist, ",; "); | |
1737 | for(const auto& a : parts) { | |
1738 | try { | |
1739 | s_ednssubnets.addMask(Netmask(a)); | |
1740 | } | |
1741 | catch(...) { | |
1742 | s_ednsdomains.add(DNSName(a)); | |
1743 | } | |
1744 | } | |
1745 | } | |
1746 | ||
8ce79a22 | 1747 | // used by PowerDNSLua - note that this neglects to add the packet count & statistics back to pdns_ercursor.cc |
a3e7b735 | 1748 | int directResolve(const DNSName& qname, const QType& qtype, int qclass, vector<DNSRecord>& ret) |
bd53ea9d PD |
1749 | { |
1750 | struct timeval now; | |
1751 | gettimeofday(&now, 0); | |
710af846 | 1752 | |
bd53ea9d | 1753 | SyncRes sr(now); |
a3e7b735 | 1754 | int res = sr.beginResolve(qname, QType(qtype), qclass, ret); |
e325f20c | 1755 | |
bd53ea9d PD |
1756 | return res; |
1757 | } | |
30ee601a RG |
1758 | |
1759 | #include "validate-recursor.hh" | |
1760 | ||
1761 | int SyncRes::getRootNS(struct timeval now, asyncresolve_t asyncCallback) { | |
1762 | SyncRes sr(now); | |
1763 | sr.setDoEDNS0(true); | |
1764 | sr.setNoCache(); | |
1765 | sr.setDoDNSSEC(g_dnssecmode != DNSSECMode::Off); | |
1766 | sr.setAsyncCallback(asyncCallback); | |
1767 | ||
1768 | vector<DNSRecord> ret; | |
1769 | int res=-1; | |
1770 | try { | |
1771 | res=sr.beginResolve(g_rootdnsname, QType(QType::NS), 1, ret); | |
1772 | if (g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate) { | |
1773 | ResolveContext ctx; | |
1774 | auto state = validateRecords(ctx, ret); | |
1775 | if (state == Bogus) | |
1776 | throw PDNSException("Got Bogus validation result for .|NS"); | |
1777 | } | |
1778 | return res; | |
1779 | } | |
1780 | catch(PDNSException& e) | |
1781 | { | |
1782 | L<<Logger::Error<<"Failed to update . records, got an exception: "<<e.reason<<endl; | |
1783 | } | |
1784 | ||
1785 | catch(std::exception& e) | |
1786 | { | |
1787 | L<<Logger::Error<<"Failed to update . records, got an exception: "<<e.what()<<endl; | |
1788 | } | |
1789 | ||
1790 | catch(...) | |
1791 | { | |
1792 | L<<Logger::Error<<"Failed to update . records, got an exception"<<endl; | |
1793 | } | |
1794 | if(!res) { | |
1795 | L<<Logger::Notice<<"Refreshed . records"<<endl; | |
1796 | } | |
1797 | else | |
1798 | L<<Logger::Error<<"Failed to update . records, RCODE="<<res<<endl; | |
1799 | return res; | |
1800 | } |