pdns/dnsproxy.cc

   1 /*
   2  * This file is part of PowerDNS or dnsdist.
   3  * Copyright -- PowerDNS.COM B.V. and its contributors
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of version 2 of the GNU General Public License as
   7  * published by the Free Software Foundation.
   8  *
   9  * In addition, for the avoidance of any doubt, permission is granted to
  10  * link this program with OpenSSL and to (re)distribute the binaries
  11  * produced as the result of such linking.
  12  *
  13  * This program is distributed in the hope that it will be useful,
  14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  * GNU General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU General Public License
  19  * along with this program; if not, write to the Free Software
  20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21  */
  22 #ifdef HAVE_CONFIG_H
  23 #include "config.h"
  24 #endif
  25 #include "packetcache.hh"
  26 #include "utility.hh"
  27 #include "dnsproxy.hh"
  28 #include "pdnsexception.hh"
  29 #include <sys/types.h>
  30 #include <errno.h>
  31 #include "dns.hh"
  32 #include "logger.hh"
  33 #include "statbag.hh"
  34 #include "dns_random.hh"
  35 #include "stubresolver.hh"
  36 #include "arguments.hh"
  37
  38 extern StatBag S;
  39
  40 DNSProxy::DNSProxy(const string &remote)
  41 {
  42   pthread_mutex_init(&d_lock,0);
  43   d_resanswers=S.getPointer("recursing-answers");
  44   d_resquestions=S.getPointer("recursing-questions");
  45   d_udpanswers=S.getPointer("udp-answers");
  46
  47   vector<string> addresses;
  48   stringtok(addresses, remote, " ,\t");
  49   d_remote = ComboAddress(addresses[0], 53);
  50
  51   if((d_sock=socket(d_remote.sin4.sin_family, SOCK_DGRAM,0))<0) {
  52     throw PDNSException(string("socket: ")+strerror(errno));
  53   }
  54
  55   ComboAddress local;
  56   if(d_remote.sin4.sin_family==AF_INET) {
  57     local = ComboAddress("0.0.0.0");
  58   }
  59   else {
  60     local = ComboAddress("::");
  61   }
  62
  63   unsigned int n=0;
  64   for(;n<10;n++) {
  65     local.sin4.sin_port = htons(10000+dns_random(50000));
  66
  67     if(::bind(d_sock, (struct sockaddr *)&local, local.getSocklen()) >= 0)
  68       break;
  69   }
  70   if(n==10) {
  71     closesocket(d_sock);
  72     d_sock=-1;
  73     throw PDNSException(string("binding dnsproxy socket: ")+strerror(errno));
  74   }
  75
  76   if(connect(d_sock, (sockaddr *)&d_remote, d_remote.getSocklen())<0) {
  77     throw PDNSException("Unable to UDP connect to remote nameserver "+d_remote.toStringWithPort()+": "+stringerror());
  78   }
  79
  80   d_xor=dns_random(0xffff);
  81   g_log<<Logger::Error<<"DNS Proxy launched, local port "<<ntohs(local.sin4.sin_port)<<", remote "<<d_remote.toStringWithPort()<<endl;
  82 }
  83
  84 void DNSProxy::go()
  85 {
  86   pthread_t tid;
  87   pthread_create(&tid,0,&launchhelper,this);
  88 }
  89
  90 //! look up qname target with r->qtype, plonk it in the answer section of 'r' with name aname
  91 bool DNSProxy::completePacket(DNSPacket *r, const DNSName& target,const DNSName& aname)
  92 {
  93   if(r->d_tcp) {
  94     vector<DNSZoneRecord> ips;
  95     int ret1 = 0, ret2 = 0;
  96
  97     if(r->qtype == QType::A || r->qtype == QType::ANY)
  98       ret1 = stubDoResolve(target, QType::A, ips);
  99     if(r->qtype == QType::AAAA || r->qtype == QType::ANY)
 100       ret2 = stubDoResolve(target, QType::AAAA, ips);
 101
 102     if(ret1 != RCode::NoError || ret2 != RCode::NoError) {
 103       g_log<<Logger::Error<<"Error resolving for "<<aname<<" ALIAS "<<target;
 104       if (ret1 != RCode::NoError) {
 105        g_log<<Logger::Error<<", A-record query returned "<<RCode::to_s(ret1);
 106       }
 107       if (ret2 != RCode::NoError) {
 108        g_log<<Logger::Error<<", AAAA-record query returned "<<RCode::to_s(ret2);
 109       }
 110       g_log<<Logger::Error<<", returning SERVFAIL"<<endl;
 111       r->clearRecords();
 112       r->setRcode(RCode::ServFail);
 113     } else {
 114       for (auto &ip : ips)
 115       {
 116         ip.dr.d_name = aname;
 117         r->addRecord(ip);
 118       }
 119     }
 120
 121     uint16_t len=htons(r->getString().length());
 122     string buffer((const char*)&len, 2);
 123     buffer.append(r->getString());
 124     writen2WithTimeout(r->getSocket(), buffer.c_str(), buffer.length(), ::arg().asNum("tcp-idle-timeout"));
 125
 126     return true;
 127   }
 128
 129   uint16_t id;
 130   {
 131     Lock l(&d_lock);
 132     id=getID_locked();
 133
 134     ConntrackEntry ce;
 135     ce.id       = r->d.id;
 136     ce.remote =   r->d_remote;
 137     ce.outsock  = r->getSocket();
 138     ce.created  = time( NULL );
 139     ce.qtype = r->qtype.getCode();
 140     ce.qname = target;
 141     ce.anyLocal = r->d_anyLocal;
 142     ce.complete = r;
 143     ce.aname=aname;
 144     d_conntrack[id]=ce;
 145   }
 146
 147   vector<uint8_t> packet;
 148   DNSPacketWriter pw(packet, target, r->qtype.getCode());
 149   pw.getHeader()->rd=true;
 150   pw.getHeader()->id=id ^ d_xor;
 151
 152   if(send(d_sock,&packet[0], packet.size() , 0)<0) { // zoom
 153     g_log<<Logger::Error<<"Unable to send a packet to our recursing backend: "<<stringerror()<<endl;
 154   }
 155
 156   return true;
 157
 158 }
 159
 160
 161 /** This finds us an unused or stale ID. Does not actually clean the contents */
 162 int DNSProxy::getID_locked()
 163 {
 164   map_t::iterator i;
 165   for(int n=0;;++n) {
 166     i=d_conntrack.find(n);
 167     if(i==d_conntrack.end()) {
 168       return n;
 169     }
 170     else if(i->second.created<time(0)-60) {
 171       if(i->second.created) {
 172         g_log<<Logger::Warning<<"Recursive query for remote "<<
 173           i->second.remote.toStringWithPort()<<" with internal id "<<n<<
 174           " was not answered by backend within timeout, reusing id"<<endl;
 175         delete i->second.complete;
 176         S.inc("recursion-unanswered");
 177       }
 178       return n;
 179     }
 180   }
 181 }
 182
 183 void DNSProxy::mainloop(void)
 184 {
 185   try {
 186     char buffer[1500];
 187     ssize_t len;
 188
 189     struct msghdr msgh;
 190     struct iovec iov;
 191     char cbuf[256];
 192     ComboAddress fromaddr;
 193
 194     for(;;) {
 195       socklen_t fromaddrSize = sizeof(fromaddr);
 196       len=recvfrom(d_sock, buffer, sizeof(buffer),0, (struct sockaddr*) &fromaddr, &fromaddrSize); // answer from our backend
 197       if(len<(ssize_t)sizeof(dnsheader)) {
 198         if(len<0)
 199           g_log<<Logger::Error<<"Error receiving packet from recursor backend: "<<stringerror()<<endl;
 200         else if(len==0)
 201           g_log<<Logger::Error<<"Error receiving packet from recursor backend, EOF"<<endl;
 202         else
 203           g_log<<Logger::Error<<"Short packet from recursor backend, "<<len<<" bytes"<<endl;
 204
 205         continue;
 206       }
 207       if (fromaddr != d_remote) {
 208         g_log<<Logger::Error<<"Got answer from unexpected host "<<fromaddr.toStringWithPort()<<" instead of our recursor backend "<<d_remote.toStringWithPort()<<endl;
 209         continue;
 210       }
 211       (*d_resanswers)++;
 212       (*d_udpanswers)++;
 213       dnsheader d;
 214       memcpy(&d,buffer,sizeof(d));
 215       {
 216         Lock l(&d_lock);
 217 #if BYTE_ORDER == BIG_ENDIAN
 218         // this is needed because spoof ID down below does not respect the native byteorder
 219         d.id = ( 256 * (uint16_t)buffer[1] ) + (uint16_t)buffer[0];
 220 #endif
 221         map_t::iterator i=d_conntrack.find(d.id^d_xor);
 222         if(i==d_conntrack.end()) {
 223           g_log<<Logger::Error<<"Discarding untracked packet from recursor backend with id "<<(d.id^d_xor)<<
 224             ". Conntrack table size="<<d_conntrack.size()<<endl;
 225           continue;
 226         }
 227         else if(i->second.created==0) {
 228           g_log<<Logger::Error<<"Received packet from recursor backend with id "<<(d.id^d_xor)<<" which is a duplicate"<<endl;
 229           continue;
 230         }
 231
 232         d.id=i->second.id;
 233         memcpy(buffer,&d,sizeof(d));  // commit spoofed id
 234
 235         DNSPacket p(false),q(false);
 236         p.parse(buffer,(size_t)len);
 237         q.parse(buffer,(size_t)len);
 238
 239         if(p.qtype.getCode() != i->second.qtype || p.qdomain != i->second.qname) {
 240           g_log<<Logger::Error<<"Discarding packet from recursor backend with id "<<(d.id^d_xor)<<
 241             ", qname or qtype mismatch ("<<p.qtype.getCode()<<" v " <<i->second.qtype<<", "<<p.qdomain<<" v "<<i->second.qname<<")"<<endl;
 242           continue;
 243         }
 244
 245         /* Set up iov and msgh structures. */
 246         memset(&msgh, 0, sizeof(struct msghdr));
 247         string reply; // needs to be alive at time of sendmsg!
 248         if(i->second.complete) {
 249
 250           MOADNSParser mdp(false, p.getString());
 251           //      cerr<<"Got completion, "<<mdp.d_answers.size()<<" answers, rcode: "<<mdp.d_header.rcode<<endl;
 252           for(MOADNSParser::answers_t::const_iterator j=mdp.d_answers.begin(); j!=mdp.d_answers.end(); ++j) {
 253             //      cerr<<"comp: "<<(int)j->first.d_place-1<<" "<<j->first.d_label<<" " << DNSRecordContent::NumberToType(j->first.d_type)<<" "<<j->first.d_content->getZoneRepresentation()<<endl;
 254             if(j->first.d_place == DNSResourceRecord::ANSWER || (j->first.d_place == DNSResourceRecord::AUTHORITY && j->first.d_type == QType::SOA)) {
 255
 256               if(j->first.d_type == i->second.qtype || (i->second.qtype == QType::ANY && (j->first.d_type == QType::A || j->first.d_type == QType::AAAA))) {
 257                 DNSZoneRecord dzr;
 258                 dzr.dr.d_name=i->second.aname;
 259                 dzr.dr.d_type = j->first.d_type;
 260                 dzr.dr.d_ttl=j->first.d_ttl;
 261                 dzr.dr.d_place= j->first.d_place;
 262                 dzr.dr.d_content=j->first.d_content;
 263                 i->second.complete->addRecord(dzr);
 264               }
 265             }
 266           }
 267           i->second.complete->setRcode(mdp.d_header.rcode);
 268           reply=i->second.complete->getString();
 269           iov.iov_base = (void*)reply.c_str();
 270           iov.iov_len = reply.length();
 271           delete i->second.complete;
 272           i->second.complete=0;
 273         }
 274         else {
 275           iov.iov_base = buffer;
 276           iov.iov_len = len;
 277         }
 278         msgh.msg_iov = &iov;
 279         msgh.msg_iovlen = 1;
 280         msgh.msg_name = (struct sockaddr*)&i->second.remote;
 281         msgh.msg_namelen = i->second.remote.getSocklen();
 282         msgh.msg_control=NULL;
 283
 284         if(i->second.anyLocal) {
 285           addCMsgSrcAddr(&msgh, cbuf, i->second.anyLocal.get_ptr(), 0);
 286         }
 287         if(sendmsg(i->second.outsock, &msgh, 0) < 0)
 288           g_log<<Logger::Warning<<"dnsproxy.cc: Error sending reply with sendmsg (socket="<<i->second.outsock<<"): "<<strerror(errno)<<endl;
 289
 290         i->second.created=0;
 291       }
 292     }
 293   }
 294   catch(PDNSException &ae) {
 295     g_log<<Logger::Error<<"Fatal error in DNS proxy: "<<ae.reason<<endl;
 296   }
 297   catch(std::exception &e) {
 298     g_log<<Logger::Error<<"Communicator thread died because of STL error: "<<e.what()<<endl;
 299   }
 300   catch( ... )
 301   {
 302     g_log << Logger::Error << "Caught unknown exception." << endl;
 303   }
 304   g_log<<Logger::Error<<"Exiting because DNS proxy failed"<<endl;
 305   _exit(1);
 306 }
 307
 308 DNSProxy::~DNSProxy() {
 309   if (d_sock>-1) {
 310     try {
 311       closesocket(d_sock);
 312     }
 313     catch(const PDNSException& e) {
 314     }
 315   }
 316
 317   d_sock=-1;
 318 }