2 * This file is part of PowerDNS or dnsdist.
3 * Copyright -- PowerDNS.COM B.V. and its contributors
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of version 2 of the GNU General Public License as
7 * published by the Free Software Foundation.
9 * In addition, for the avoidance of any doubt, permission is granted to
10 * link this program with OpenSSL and to (re)distribute the binaries
11 * produced as the result of such linking.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
29 #ifdef HAVE_BOOST_CONTAINER_FLAT_SET_HPP
30 #include <boost/container/flat_set.hpp>
32 #include "ws-recursor.hh"
34 #include "threadname.hh"
35 #include "recpacketcache.hh"
37 #include "dns_random.hh"
41 #include "opensslsigners.hh"
44 #include <boost/static_assert.hpp>
47 #include "recursor_cache.hh"
48 #include "cachecleaner.hh"
55 #include "arguments.hh"
59 #include "sortlist.hh"
61 #include <boost/tuple/tuple.hpp>
62 #include <boost/tuple/tuple_comparison.hpp>
63 #include <boost/shared_array.hpp>
64 #include <boost/function.hpp>
65 #include <boost/algorithm/string.hpp>
67 #include "malloctrace.hh"
69 #include <netinet/tcp.h>
70 #include "capabilities.hh"
71 #include "dnsparser.hh"
72 #include "dnswriter.hh"
73 #include "dnsrecords.hh"
74 #include "zoneparser-tng.hh"
75 #include "rec_channel.hh"
80 #include "lua-recursor4.hh"
82 #include "responsestats.hh"
83 #include "secpoll-recursor.hh"
85 #include "filterpo.hh"
86 #include "rpzloader.hh"
87 #include "validate-recursor.hh"
88 #include "rec-lua-conf.hh"
89 #include "ednsoptions.hh"
91 #include "pubsuffix.hh"
94 #endif /* NOD_ENABLED */
96 #include "rec-protobuf.hh"
97 #include "rec-snmp.hh"
100 #include <systemd/sd-daemon.h>
103 #include "namespaces.hh"
106 #include "uuid-utils.hh"
111 typedef map
<ComboAddress
, uint32_t, ComboAddress::addressOnlyLessThan
> tcpClientCounts_t
;
113 static thread_local
std::shared_ptr
<RecursorLua4
> t_pdl
;
114 static thread_local
unsigned int t_id
= 0;
115 static thread_local
std::shared_ptr
<Regex
> t_traceRegex
;
116 static thread_local
std::unique_ptr
<tcpClientCounts_t
> t_tcpClientCounts
;
118 static thread_local
std::shared_ptr
<std::vector
<std::unique_ptr
<RemoteLogger
>>> t_protobufServers
{nullptr};
119 static thread_local
uint64_t t_protobufServersGeneration
;
120 static thread_local
std::shared_ptr
<std::vector
<std::unique_ptr
<RemoteLogger
>>> t_outgoingProtobufServers
{nullptr};
121 static thread_local
uint64_t t_outgoingProtobufServersGeneration
;
122 #endif /* HAVE_PROTOBUF */
124 thread_local
std::unique_ptr
<MT_t
> MT
; // the big MTasker
125 thread_local
std::unique_ptr
<MemRecursorCache
> t_RC
;
126 thread_local
std::unique_ptr
<RecursorPacketCache
> t_packetCache
;
127 thread_local FDMultiplexer
* t_fdm
{nullptr};
128 thread_local
std::unique_ptr
<addrringbuf_t
> t_remotes
, t_servfailremotes
, t_largeanswerremotes
, t_bogusremotes
;
129 thread_local
std::unique_ptr
<boost::circular_buffer
<pair
<DNSName
, uint16_t> > > t_queryring
, t_servfailqueryring
, t_bogusqueryring
;
130 thread_local
std::shared_ptr
<NetmaskGroup
> t_allowFrom
;
132 thread_local
std::shared_ptr
<nod::NODDB
> t_nodDBp
;
133 thread_local
std::shared_ptr
<nod::UniqueResponseDB
> t_udrDBp
;
134 #endif /* NOD_ENABLED */
135 __thread
struct timeval g_now
; // timestamp, updated (too) frequently
137 typedef vector
<pair
<int, function
< void(int, any
&) > > > deferredAdd_t
;
139 // for communicating with our threads
140 // effectively readonly after startup
145 int writeToThread
{-1};
146 int readToThread
{-1};
147 int writeFromThread
{-1};
148 int readFromThread
{-1};
149 int writeQueriesToThread
{-1}; // this one is non-blocking
150 int readQueriesToThread
{-1};
153 /* FD corresponding to TCP sockets this thread is listening
155 These FDs are also in deferredAdds when we have one
156 socket per listener, and in g_deferredAdds instead. */
157 std::set
<int> tcpSockets
;
158 /* FD corresponding to listening sockets if we have one socket per
159 listener (with reuseport), otherwise all listeners share the
160 same FD and g_deferredAdds is then used instead */
161 deferredAdd_t deferredAdds
;
162 struct ThreadPipeSet pipes
;
164 /* handle the web server, carbon, statistics and the control channel */
165 bool isHandler
{false};
166 /* accept incoming queries (and distributes them to the workers if pdns-distributes-queries is set) */
167 bool isListener
{false};
168 /* process queries */
169 bool isWorker
{false};
172 /* first we have the handler thread, t_id == 0 (some other
173 helper threads like SNMP might have t_id == 0 as well)
174 then the distributor threads if any
175 and finally the workers */
176 static std::vector
<RecThreadInfo
> s_threadInfos
;
177 /* without reuseport, all listeners share the same sockets */
178 static deferredAdd_t g_deferredAdds
;
180 typedef vector
<int> tcpListenSockets_t
;
181 typedef map
<int, ComboAddress
> listenSocketsAddresses_t
; // is shared across all threads right now
183 static const ComboAddress
g_local4("0.0.0.0"), g_local6("::");
184 static listenSocketsAddresses_t g_listenSocketsAddresses
; // is shared across all threads right now
185 static set
<int> g_fromtosockets
; // listen sockets that use 'sendfromto()' mechanism
186 static vector
<ComboAddress
> g_localQueryAddresses4
, g_localQueryAddresses6
;
187 static AtomicCounter counter
;
188 static std::shared_ptr
<SyncRes::domainmap_t
> g_initialDomainMap
; // new threads needs this to be setup
189 static std::shared_ptr
<NetmaskGroup
> g_initialAllowFrom
; // new thread needs to be setup with this
190 static NetmaskGroup g_XPFAcl
;
191 static size_t g_tcpMaxQueriesPerConn
;
192 static size_t s_maxUDPQueriesPerRound
;
193 static uint64_t g_latencyStatSize
;
194 static uint32_t g_disthashseed
;
195 static unsigned int g_maxTCPPerClient
;
196 static unsigned int g_maxMThreads
;
197 static unsigned int g_numDistributorThreads
;
198 static unsigned int g_numWorkerThreads
;
199 static int g_tcpTimeout
;
200 static uint16_t g_udpTruncationThreshold
;
201 static uint16_t g_xpfRRCode
{0};
202 static std::atomic
<bool> statsWanted
;
203 static std::atomic
<bool> g_quiet
;
204 static bool g_logCommonErrors
;
205 static bool g_anyToTcp
;
206 static bool g_weDistributeQueries
; // if true, 1 or more threads listen on the incoming query sockets and distribute them to workers
207 static bool g_reusePort
{false};
208 static bool g_gettagNeedsEDNSOptions
{false};
209 static time_t g_statisticsInterval
;
210 static bool g_useIncomingECS
;
211 std::atomic
<uint32_t> g_maxCacheEntries
, g_maxPacketCacheEntries
;
213 static bool g_nodEnabled
;
214 static DNSName g_nodLookupDomain
;
215 static bool g_nodLog
;
216 static SuffixMatchNode g_nodDomainWL
;
217 static std::string g_nod_pbtag
;
218 static bool g_udrEnabled
;
219 static bool g_udrLog
;
220 static std::string g_udr_pbtag
;
221 #endif /* NOD_ENABLED */
222 #ifdef HAVE_BOOST_CONTAINER_FLAT_SET_HPP
223 static boost::container::flat_set
<uint16_t> s_avoidUdpSourcePorts
;
225 static std::set
<uint16_t> s_avoidUdpSourcePorts
;
227 static uint16_t s_minUdpSourcePort
;
228 static uint16_t s_maxUdpSourcePort
;
230 RecursorControlChannel s_rcc
; // only active in the handler thread
231 RecursorStats g_stats
;
232 string s_programname
="pdns_recursor";
234 bool g_lowercaseOutgoing
;
235 unsigned int g_networkTimeoutMsec
;
236 unsigned int g_numThreads
;
237 uint16_t g_outgoingEDNSBufsize
;
238 bool g_logRPZChanges
{false};
240 #define LOCAL_NETS "127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10"
241 #define LOCAL_NETS_INVERSE "!127.0.0.0/8, !10.0.0.0/8, !100.64.0.0/10, !169.254.0.0/16, !192.168.0.0/16, !172.16.0.0/12, !::1/128, !fc00::/7, !fe80::/10"
242 // Bad Nets taken from both:
243 // http://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
245 // http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
246 // where such a network may not be considered a valid destination
247 #define BAD_NETS "0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32"
248 #define DONT_QUERY LOCAL_NETS ", " BAD_NETS
250 //! used to send information to a newborn mthread
251 struct DNSComboWriter
{
252 DNSComboWriter(const std::string
& query
, const struct timeval
& now
): d_mdp(true, query
), d_now(now
), d_query(query
)
256 DNSComboWriter(const std::string
& query
, const struct timeval
& now
, std::vector
<std::string
>&& policyTags
, LuaContext::LuaObject
&& data
): d_mdp(true, query
), d_now(now
), d_query(query
), d_policyTags(std::move(policyTags
)), d_data(std::move(data
))
260 void setRemote(const ComboAddress
& sa
)
265 void setSource(const ComboAddress
& sa
)
270 void setLocal(const ComboAddress
& sa
)
275 void setDestination(const ComboAddress
& sa
)
280 void setSocket(int sock
)
285 string
getRemote() const
287 if (d_source
== d_remote
) {
288 return d_source
.toStringWithPort();
290 return d_source
.toStringWithPort() + " (proxied by " + d_remote
.toStringWithPort() + ")";
294 struct timeval d_now
;
295 /* Remote client, might differ from d_source
296 in case of XPF, in which case d_source holds
297 the IP of the client and d_remote of the proxy
299 ComboAddress d_remote
;
300 ComboAddress d_source
;
301 /* Destination address, might differ from
302 d_destination in case of XPF, in which case
303 d_destination holds the IP of the proxy and
304 d_local holds our own. */
305 ComboAddress d_local
;
306 ComboAddress d_destination
;
308 boost::uuids::uuid d_uuid
;
309 string d_requestorId
;
313 std::vector
<std::string
> d_policyTags
;
314 LuaContext::LuaObject d_data
;
315 EDNSSubnetOpts d_ednssubnet
;
316 shared_ptr
<TCPConnection
> d_tcpConnection
;
318 unsigned int d_tag
{0};
320 uint32_t d_ttlCap
{std::numeric_limits
<uint32_t>::max()};
321 uint16_t d_ecsBegin
{0};
322 uint16_t d_ecsEnd
{0};
323 bool d_variable
{false};
324 bool d_ecsFound
{false};
325 bool d_ecsParsed
{false};
331 return MT
? MT
.get() : nullptr;
336 static ArgvMap theArg
;
340 unsigned int getRecursorThreadId()
350 static bool isDistributorThread()
356 return g_weDistributeQueries
&& s_threadInfos
.at(t_id
).isListener
;
359 static bool isHandlerThread()
365 return s_threadInfos
.at(t_id
).isHandler
;
368 static void handleTCPClientWritable(int fd
, FDMultiplexer::funcparam_t
& var
);
370 // -1 is error, 0 is timeout, 1 is success
371 int asendtcp(const string
& data
, Socket
* sock
)
377 t_fdm
->addWriteFD(sock
->getHandle(), handleTCPClientWritable
, pident
);
380 int ret
=MT
->waitEvent(pident
, &packet
, g_networkTimeoutMsec
);
382 if(!ret
|| ret
==-1) { // timeout
383 t_fdm
->removeWriteFD(sock
->getHandle());
385 else if(packet
.size() !=data
.size()) { // main loop tells us what it sent out, or empty in case of an error
391 static void handleTCPClientReadable(int fd
, FDMultiplexer::funcparam_t
& var
);
393 // -1 is error, 0 is timeout, 1 is success
394 int arecvtcp(string
& data
, size_t len
, Socket
* sock
, bool incompleteOkay
)
400 pident
.inIncompleteOkay
=incompleteOkay
;
401 t_fdm
->addReadFD(sock
->getHandle(), handleTCPClientReadable
, pident
);
403 int ret
=MT
->waitEvent(pident
,&data
, g_networkTimeoutMsec
);
404 if(!ret
|| ret
==-1) { // timeout
405 t_fdm
->removeReadFD(sock
->getHandle());
407 else if(data
.empty()) {// error, EOF or other
414 static void handleGenUDPQueryResponse(int fd
, FDMultiplexer::funcparam_t
& var
)
416 PacketID pident
=*any_cast
<PacketID
>(&var
);
418 ComboAddress fromaddr
;
419 socklen_t addrlen
=sizeof(fromaddr
);
421 ssize_t ret
=recvfrom(fd
, resp
, sizeof(resp
), 0, (sockaddr
*)&fromaddr
, &addrlen
);
422 if (fromaddr
!= pident
.remote
) {
423 g_log
<<Logger::Notice
<<"Response received from the wrong remote host ("<<fromaddr
.toStringWithPort()<<" instead of "<<pident
.remote
.toStringWithPort()<<"), discarding"<<endl
;
427 t_fdm
->removeReadFD(fd
);
429 string
data(resp
, (size_t) ret
);
430 MT
->sendEvent(pident
, &data
);
434 MT
->sendEvent(pident
, &empty
);
435 // cerr<<"Had some kind of error: "<<ret<<", "<<strerror(errno)<<endl;
438 string
GenUDPQueryResponse(const ComboAddress
& dest
, const string
& query
)
440 Socket
s(dest
.sin4
.sin_family
, SOCK_DGRAM
);
442 ComboAddress local
= getQueryLocalAddress(dest
.sin4
.sin_family
, 0);
452 t_fdm
->addReadFD(s
.getHandle(), handleGenUDPQueryResponse
, pident
);
456 int ret
=MT
->waitEvent(pident
,&data
, g_networkTimeoutMsec
);
458 if(!ret
|| ret
==-1) { // timeout
459 t_fdm
->removeReadFD(s
.getHandle());
461 else if(data
.empty()) {// error, EOF or other
462 // we could special case this
468 //! pick a random query local address
469 ComboAddress
getQueryLocalAddress(int family
, uint16_t port
)
472 if(family
==AF_INET
) {
473 if(g_localQueryAddresses4
.empty())
476 ret
= g_localQueryAddresses4
[dns_random(g_localQueryAddresses4
.size())];
477 ret
.sin4
.sin_port
= htons(port
);
480 if(g_localQueryAddresses6
.empty())
483 ret
= g_localQueryAddresses6
[dns_random(g_localQueryAddresses6
.size())];
485 ret
.sin6
.sin6_port
= htons(port
);
490 static void handleUDPServerResponse(int fd
, FDMultiplexer::funcparam_t
&);
492 static void setSocketBuffer(int fd
, int optname
, uint32_t size
)
495 socklen_t len
=sizeof(psize
);
497 if(!getsockopt(fd
, SOL_SOCKET
, optname
, (char*)&psize
, &len
) && psize
> size
) {
498 g_log
<<Logger::Error
<<"Not decreasing socket buffer size from "<<psize
<<" to "<<size
<<endl
;
502 if (setsockopt(fd
, SOL_SOCKET
, optname
, (char*)&size
, sizeof(size
)) < 0 )
503 g_log
<<Logger::Error
<<"Unable to raise socket buffer size to "<<size
<<": "<<strerror(errno
)<<endl
;
507 static void setSocketReceiveBuffer(int fd
, uint32_t size
)
509 setSocketBuffer(fd
, SO_RCVBUF
, size
);
512 static void setSocketSendBuffer(int fd
, uint32_t size
)
514 setSocketBuffer(fd
, SO_SNDBUF
, size
);
518 // you can ask this class for a UDP socket to send a query from
519 // this socket is not yours, don't even think about deleting it
520 // but after you call 'returnSocket' on it, don't assume anything anymore
523 unsigned int d_numsocks
;
525 UDPClientSocks() : d_numsocks(0)
529 typedef set
<int> socks_t
;
532 // returning -2 means: temporary OS error (ie, out of files), -1 means error related to remote
533 int getSocket(const ComboAddress
& toaddr
, int* fd
)
535 *fd
=makeClientSocket(toaddr
.sin4
.sin_family
);
536 if(*fd
< 0) // temporary error - receive exception otherwise
539 if(connect(*fd
, (struct sockaddr
*)(&toaddr
), toaddr
.getSocklen()) < 0) {
541 // returnSocket(*fd);
545 catch(const PDNSException
& e
) {
546 g_log
<<Logger::Error
<<"Error closing UDP socket after connect() failed: "<<e
.reason
<<endl
;
549 if(err
==ENETUNREACH
) // Seth "My Interfaces Are Like A Yo Yo" Arnold special
559 void returnSocket(int fd
)
561 socks_t::iterator i
=d_socks
.find(fd
);
562 if(i
==d_socks
.end()) {
563 throw PDNSException("Trying to return a socket (fd="+std::to_string(fd
)+") not in the pool");
565 returnSocketLocked(i
);
568 // return a socket to the pool, or simply erase it
569 void returnSocketLocked(socks_t::iterator
& i
)
571 if(i
==d_socks
.end()) {
572 throw PDNSException("Trying to return a socket not in the pool");
575 t_fdm
->removeReadFD(*i
);
577 catch(FDMultiplexerException
& e
) {
578 // we sometimes return a socket that has not yet been assigned to t_fdm
583 catch(const PDNSException
& e
) {
584 g_log
<<Logger::Error
<<"Error closing returned UDP socket: "<<e
.reason
<<endl
;
591 // returns -1 for errors which might go away, throws for ones that won't
592 static int makeClientSocket(int family
)
594 int ret
=socket(family
, SOCK_DGRAM
, 0 ); // turns out that setting CLO_EXEC and NONBLOCK from here is not a performance win on Linux (oddly enough)
596 if(ret
< 0 && errno
==EMFILE
) // this is not a catastrophic error
600 throw PDNSException("Making a socket for resolver (family = "+std::to_string(family
)+"): "+stringerror());
602 // setCloseOnExec(ret); // we're not going to exec
609 if(tries
==1) // fall back to kernel 'random'
613 port
= s_minUdpSourcePort
+ dns_random(s_maxUdpSourcePort
- s_minUdpSourcePort
+ 1);
615 while (s_avoidUdpSourcePorts
.count(port
));
618 sin
=getQueryLocalAddress(family
, port
); // does htons for us
620 if (::bind(ret
, (struct sockaddr
*)&sin
, sin
.getSocklen()) >= 0)
624 throw PDNSException("Resolver binding to local query client socket on "+sin
.toString()+": "+stringerror());
631 static thread_local
std::unique_ptr
<UDPClientSocks
> t_udpclientsocks
;
633 /* these two functions are used by LWRes */
634 // -2 is OS error, -1 is error that depends on the remote, > 0 is success
635 int asendto(const char *data
, size_t len
, int flags
,
636 const ComboAddress
& toaddr
, uint16_t id
, const DNSName
& domain
, uint16_t qtype
, int* fd
)
640 pident
.domain
= domain
;
641 pident
.remote
= toaddr
;
644 // see if there is an existing outstanding request we can chain on to, using partial equivalence function
645 pair
<MT_t::waiters_t::iterator
, MT_t::waiters_t::iterator
> chain
=MT
->d_waiters
.equal_range(pident
, PacketIDBirthdayCompare());
647 for(; chain
.first
!= chain
.second
; chain
.first
++) {
648 if(chain
.first
->key
.fd
> -1) { // don't chain onto existing chained waiter!
650 cerr<<"Orig: "<<pident.domain<<", "<<pident.remote.toString()<<", id="<<id<<endl;
651 cerr<<"Had hit: "<< chain.first->key.domain<<", "<<chain.first->key.remote.toString()<<", id="<<chain.first->key.id
652 <<", count="<<chain.first->key.chain.size()<<", origfd: "<<chain.first->key.fd<<endl;
654 chain
.first
->key
.chain
.insert(id
); // we can chain
655 *fd
=-1; // gets used in waitEvent / sendEvent later on
660 int ret
=t_udpclientsocks
->getSocket(toaddr
, fd
);
667 t_fdm
->addReadFD(*fd
, handleUDPServerResponse
, pident
);
668 ret
= send(*fd
, data
, len
, 0);
673 t_udpclientsocks
->returnSocket(*fd
);
675 errno
= tmp
; // this is for logging purposes only
679 // -1 is error, 0 is timeout, 1 is success
680 int arecvfrom(std::string
& packet
, int flags
, const ComboAddress
& fromaddr
, size_t *d_len
,
681 uint16_t id
, const DNSName
& domain
, uint16_t qtype
, int fd
, struct timeval
* now
)
683 static optional
<unsigned int> nearMissLimit
;
685 nearMissLimit
=::arg().asNum("spoof-nearmiss-max");
690 pident
.domain
=domain
;
692 pident
.remote
=fromaddr
;
694 int ret
=MT
->waitEvent(pident
, &packet
, g_networkTimeoutMsec
, now
);
697 if(packet
.empty()) // means "error"
700 *d_len
=packet
.size();
702 if(*nearMissLimit
&& pident
.nearMisses
> *nearMissLimit
) {
703 g_log
<<Logger::Error
<<"Too many ("<<pident
.nearMisses
<<" > "<<*nearMissLimit
<<") bogus answers for '"<<domain
<<"' from "<<fromaddr
.toString()<<", assuming spoof attempt."<<endl
;
704 g_stats
.spoofCount
++;
710 t_udpclientsocks
->returnSocket(fd
);
715 static void writePid(void)
717 if(!::arg().mustDo("write-pid"))
719 ofstream
of(s_pidfname
.c_str(), std::ios_base::app
);
721 of
<< Utility::getpid() <<endl
;
723 g_log
<<Logger::Error
<<"Writing pid for "<<Utility::getpid()<<" to "<<s_pidfname
<<" failed: "<<strerror(errno
)<<endl
;
726 TCPConnection::TCPConnection(int fd
, const ComboAddress
& addr
) : data(2, 0), d_remote(addr
), d_fd(fd
)
728 ++s_currentConnections
;
729 (*t_tcpClientCounts
)[d_remote
]++;
732 TCPConnection::~TCPConnection()
735 if(closesocket(d_fd
) < 0)
736 g_log
<<Logger::Error
<<"Error closing socket for TCPConnection"<<endl
;
738 catch(const PDNSException
& e
) {
739 g_log
<<Logger::Error
<<"Error closing TCPConnection socket: "<<e
.reason
<<endl
;
742 if(t_tcpClientCounts
->count(d_remote
) && !(*t_tcpClientCounts
)[d_remote
]--)
743 t_tcpClientCounts
->erase(d_remote
);
744 --s_currentConnections
;
747 AtomicCounter
TCPConnection::s_currentConnections
;
749 static void handleRunningTCPQuestion(int fd
, FDMultiplexer::funcparam_t
& var
);
751 // the idea is, only do things that depend on the *response* here. Incoming accounting is on incoming.
752 static void updateResponseStats(int res
, const ComboAddress
& remote
, unsigned int packetsize
, const DNSName
* query
, uint16_t qtype
)
754 if(packetsize
> 1000 && t_largeanswerremotes
)
755 t_largeanswerremotes
->push_back(remote
);
757 case RCode::ServFail
:
758 if(t_servfailremotes
) {
759 t_servfailremotes
->push_back(remote
);
760 if(query
&& t_servfailqueryring
) // packet cache
761 t_servfailqueryring
->push_back(make_pair(*query
, qtype
));
765 case RCode::NXDomain
:
774 static string
makeLoginfo(const std::unique_ptr
<DNSComboWriter
>& dc
)
777 return "("+dc
->d_mdp
.d_qname
.toLogString()+"/"+DNSRecordContent::NumberToType(dc
->d_mdp
.d_qtype
)+" from "+(dc
->getRemote())+")";
781 return "Exception making error message for exception";
785 static void protobufLogQuery(uint8_t maskV4
, uint8_t maskV6
, const boost::uuids::uuid
& uniqueId
, const ComboAddress
& remote
, const ComboAddress
& local
, const Netmask
& ednssubnet
, bool tcp
, uint16_t id
, size_t len
, const DNSName
& qname
, uint16_t qtype
, uint16_t qclass
, const std::vector
<std::string
>& policyTags
, const std::string
& requestorId
, const std::string
& deviceId
)
787 if (!t_protobufServers
) {
791 Netmask
requestorNM(remote
, remote
.sin4
.sin_family
== AF_INET
? maskV4
: maskV6
);
792 const ComboAddress
& requestor
= requestorNM
.getMaskedNetwork();
793 RecProtoBufMessage
message(DNSProtoBufMessage::Query
, uniqueId
, &requestor
, &local
, qname
, qtype
, qclass
, id
, tcp
, len
);
794 message
.setServerIdentity(SyncRes::s_serverID
);
795 message
.setEDNSSubnet(ednssubnet
, ednssubnet
.isIpv4() ? maskV4
: maskV6
);
796 message
.setRequestorId(requestorId
);
797 message
.setDeviceId(deviceId
);
799 if (!policyTags
.empty()) {
800 message
.setPolicyTags(policyTags
);
803 // cerr <<message.toDebugString()<<endl;
805 message
.serialize(str
);
807 for (auto& server
: *t_protobufServers
) {
808 server
->queueData(str
);
812 static void protobufLogResponse(const RecProtoBufMessage
& message
)
814 if (!t_protobufServers
) {
818 // cerr <<message.toDebugString()<<endl;
820 message
.serialize(str
);
822 for (auto& server
: *t_protobufServers
) {
823 server
->queueData(str
);
829 * Chases the CNAME provided by the PolicyCustom RPZ policy.
831 * @param spoofed: The DNSRecord that was created by the policy, should already be added to ret
832 * @param qtype: The QType of the original query
833 * @param sr: A SyncRes
834 * @param res: An integer that will contain the RCODE of the lookup we do
835 * @param ret: A vector of DNSRecords where the result of the CNAME chase should be appended to
837 static void handleRPZCustom(const DNSRecord
& spoofed
, const QType
& qtype
, SyncRes
& sr
, int& res
, vector
<DNSRecord
>& ret
)
839 if (spoofed
.d_type
== QType::CNAME
) {
840 bool oldWantsRPZ
= sr
.getWantsRPZ();
841 sr
.setWantsRPZ(false);
842 vector
<DNSRecord
> ans
;
843 res
= sr
.beginResolve(DNSName(spoofed
.d_content
->getZoneRepresentation()), qtype
, QClass::IN
, ans
);
844 for (const auto& rec
: ans
) {
845 if(rec
.d_place
== DNSResourceRecord::ANSWER
) {
849 // Reset the RPZ state of the SyncRes
850 sr
.setWantsRPZ(oldWantsRPZ
);
854 static bool addRecordToPacket(DNSPacketWriter
& pw
, const DNSRecord
& rec
, uint32_t& minTTL
, uint32_t ttlCap
, const uint16_t maxAnswerSize
)
856 pw
.startRecord(rec
.d_name
, rec
.d_type
, (rec
.d_ttl
> ttlCap
? ttlCap
: rec
.d_ttl
), rec
.d_class
, rec
.d_place
);
858 if(rec
.d_type
!= QType::OPT
) // their TTL ain't real
859 minTTL
= min(minTTL
, rec
.d_ttl
);
861 rec
.d_content
->toPacket(pw
);
862 if(pw
.size() > static_cast<size_t>(maxAnswerSize
)) {
864 if(rec
.d_place
!= DNSResourceRecord::ADDITIONAL
) {
865 pw
.getHeader()->tc
=1;
875 static std::shared_ptr
<std::vector
<std::unique_ptr
<RemoteLogger
>>> startProtobufServers(const ProtobufExportConfig
& config
)
877 auto result
= std::make_shared
<std::vector
<std::unique_ptr
<RemoteLogger
>>>();
879 for (const auto& server
: config
.servers
) {
881 result
->emplace_back(new RemoteLogger(server
, config
.timeout
, config
.maxQueuedEntries
, config
.reconnectWaitTime
, config
.asyncConnect
));
883 catch(const std::exception
& e
) {
884 g_log
<<Logger::Error
<<"Error while starting protobuf logger to '"<<server
<<": "<<e
.what()<<endl
;
886 catch(const PDNSException
& e
) {
887 g_log
<<Logger::Error
<<"Error while starting protobuf logger to '"<<server
<<": "<<e
.reason
<<endl
;
894 static bool checkProtobufExport(LocalStateHolder
<LuaConfigItems
>& luaconfsLocal
)
896 if (!luaconfsLocal
->protobufExportConfig
.enabled
) {
897 if (t_protobufServers
) {
898 for (auto& server
: *t_protobufServers
) {
901 t_protobufServers
.reset();
907 /* if the server was not running, or if it was running according to a
908 previous configuration */
909 if (!t_protobufServers
||
910 t_protobufServersGeneration
< luaconfsLocal
->generation
) {
912 if (t_protobufServers
) {
913 for (auto& server
: *t_protobufServers
) {
917 t_protobufServers
.reset();
919 t_protobufServers
= startProtobufServers(luaconfsLocal
->protobufExportConfig
);
920 t_protobufServersGeneration
= luaconfsLocal
->generation
;
926 static bool checkOutgoingProtobufExport(LocalStateHolder
<LuaConfigItems
>& luaconfsLocal
)
928 if (!luaconfsLocal
->outgoingProtobufExportConfig
.enabled
) {
929 if (t_outgoingProtobufServers
) {
930 for (auto& server
: *t_outgoingProtobufServers
) {
934 t_outgoingProtobufServers
.reset();
939 /* if the server was not running, or if it was running according to a
940 previous configuration */
941 if (!t_outgoingProtobufServers
||
942 t_outgoingProtobufServersGeneration
< luaconfsLocal
->generation
) {
944 if (t_outgoingProtobufServers
) {
945 for (auto& server
: *t_outgoingProtobufServers
) {
949 t_outgoingProtobufServers
.reset();
951 t_outgoingProtobufServers
= startProtobufServers(luaconfsLocal
->outgoingProtobufExportConfig
);
952 t_outgoingProtobufServersGeneration
= luaconfsLocal
->generation
;
957 #endif /* HAVE_PROTOBUF */
960 static bool nodCheckNewDomain(const DNSName
& dname
)
962 static const QType
qt(QType::A
);
963 static const uint16_t qc(QClass::IN
);
965 // First check the (sub)domain isn't whitelisted for NOD purposes
966 if (!g_nodDomainWL
.check(dname
)) {
967 // Now check the NODDB (note this is probablistic so can have FNs/FPs)
968 if (t_nodDBp
&& t_nodDBp
->isNewDomain(dname
)) {
970 // This should probably log to a dedicated log file
971 g_log
<<Logger::Notice
<<"Newly observed domain nod="<<dname
.toLogString()<<endl
;
973 if (!(g_nodLookupDomain
.isRoot())) {
974 // Send a DNS A query to <domain>.g_nodLookupDomain
975 DNSName qname
= dname
;
976 vector
<DNSRecord
> dummy
;
977 qname
+= g_nodLookupDomain
;
978 directResolve(qname
, qt
, qc
, dummy
);
986 static void nodAddDomain(const DNSName
& dname
)
988 // Don't bother adding domains on the nod whitelist
989 if (!g_nodDomainWL
.check(dname
)) {
991 // This keeps the nod info up to date
992 t_nodDBp
->addDomain(dname
);
997 static bool udrCheckUniqueDNSRecord(const DNSName
& dname
, uint16_t qtype
, const DNSRecord
& record
)
1000 if (record
.d_place
== DNSResourceRecord::ANSWER
||
1001 record
.d_place
== DNSResourceRecord::ADDITIONAL
) {
1002 // Create a string that represent a triplet of (qname, qtype and RR[type, name, content])
1003 std::stringstream ss
;
1004 ss
<< dname
.toDNSStringLC() << ":" << qtype
<< ":" << qtype
<< ":" << record
.d_type
<< ":" << record
.d_name
.toDNSStringLC() << ":" << record
.d_content
->getZoneRepresentation();
1005 if (t_udrDBp
&& t_udrDBp
->isUniqueResponse(ss
.str())) {
1007 // This should also probably log to a dedicated file.
1008 g_log
<<Logger::Notice
<<"Unique response observed: qname="<<dname
.toLogString()<<" qtype="<<QType(qtype
).getName()<< " rrtype=" << QType(record
.d_type
).getName() << " rrname=" << record
.d_name
.toLogString() << " rrcontent=" << record
.d_content
->getZoneRepresentation() << endl
;
1015 #endif /* NOD_ENABLED */
1017 static void startDoResolve(void *p
)
1019 auto dc
=std::unique_ptr
<DNSComboWriter
>(reinterpret_cast<DNSComboWriter
*>(p
));
1022 t_queryring
->push_back(make_pair(dc
->d_mdp
.d_qname
, dc
->d_mdp
.d_qtype
));
1024 uint16_t maxanswersize
= dc
->d_tcp
? 65535 : min(static_cast<uint16_t>(512), g_udpTruncationThreshold
);
1026 std::vector
<pair
<uint16_t, string
> > ednsOpts
;
1027 bool variableAnswer
= dc
->d_variable
;
1028 bool haveEDNS
=false;
1030 bool hasUDR
= false;
1031 #endif /* NOD_ENABLED */
1032 DNSPacketWriter::optvect_t returnedEdnsOptions
; // Here we stuff all the options for the return packet
1033 uint8_t ednsExtRCode
= 0;
1034 if(getEDNSOpts(dc
->d_mdp
, &edo
)) {
1036 if (edo
.d_version
!= 0) {
1037 ednsExtRCode
= ERCode::BADVERS
;
1042 "Values lower than 512 MUST be treated as equal to 512."
1044 maxanswersize
= min(static_cast<uint16_t>(edo
.d_packetsize
>= 512 ? edo
.d_packetsize
: 512), g_udpTruncationThreshold
);
1046 ednsOpts
= edo
.d_options
;
1048 maxanswersize
-= 11; // EDNS header size
1050 for (const auto& o
: edo
.d_options
) {
1051 if (o
.first
== EDNSOptionCode::ECS
&& g_useIncomingECS
&& !dc
->d_ecsParsed
) {
1052 dc
->d_ecsFound
= getEDNSSubnetOptsFromString(o
.second
, &dc
->d_ednssubnet
);
1053 } else if (o
.first
== EDNSOptionCode::NSID
) {
1054 const static string mode_server_id
= ::arg()["server-id"];
1055 if(mode_server_id
!= "disabled" && !mode_server_id
.empty() &&
1056 maxanswersize
> (2 + 2 + mode_server_id
.size())) {
1057 returnedEdnsOptions
.push_back(make_pair(EDNSOptionCode::NSID
, mode_server_id
));
1058 variableAnswer
= true; // Can't packetcache an answer with NSID
1059 // Option Code and Option Length are both 2
1060 maxanswersize
-= 2 + 2 + mode_server_id
.size();
1065 /* perhaps there was no EDNS or no ECS but by now we looked */
1066 dc
->d_ecsParsed
= true;
1067 vector
<DNSRecord
> ret
;
1068 vector
<uint8_t> packet
;
1070 auto luaconfsLocal
= g_luaconfs
.getLocal();
1071 // Used to tell syncres later on if we should apply NSDNAME and NSIP RPZ triggers for this query
1072 bool wantsRPZ(true);
1073 boost::optional
<RecProtoBufMessage
> pbMessage(boost::none
);
1074 bool logResponse
= false;
1075 #ifdef HAVE_PROTOBUF
1076 if (checkProtobufExport(luaconfsLocal
)) {
1077 logResponse
= t_protobufServers
&& luaconfsLocal
->protobufExportConfig
.logResponses
;
1078 Netmask
requestorNM(dc
->d_source
, dc
->d_source
.sin4
.sin_family
== AF_INET
? luaconfsLocal
->protobufMaskV4
: luaconfsLocal
->protobufMaskV6
);
1079 const ComboAddress
& requestor
= requestorNM
.getMaskedNetwork();
1080 pbMessage
= RecProtoBufMessage(RecProtoBufMessage::Response
, dc
->d_uuid
, &requestor
, &dc
->d_destination
, dc
->d_mdp
.d_qname
, dc
->d_mdp
.d_qtype
, dc
->d_mdp
.d_qclass
, dc
->d_mdp
.d_header
.id
, dc
->d_tcp
, 0);
1081 pbMessage
->setServerIdentity(SyncRes::s_serverID
);
1082 pbMessage
->setEDNSSubnet(dc
->d_ednssubnet
.source
, dc
->d_ednssubnet
.source
.isIpv4() ? luaconfsLocal
->protobufMaskV4
: luaconfsLocal
->protobufMaskV6
);
1084 #endif /* HAVE_PROTOBUF */
1086 DNSPacketWriter
pw(packet
, dc
->d_mdp
.d_qname
, dc
->d_mdp
.d_qtype
, dc
->d_mdp
.d_qclass
);
1088 pw
.getHeader()->aa
=0;
1089 pw
.getHeader()->ra
=1;
1090 pw
.getHeader()->qr
=1;
1091 pw
.getHeader()->tc
=0;
1092 pw
.getHeader()->id
=dc
->d_mdp
.d_header
.id
;
1093 pw
.getHeader()->rd
=dc
->d_mdp
.d_header
.rd
;
1094 pw
.getHeader()->cd
=dc
->d_mdp
.d_header
.cd
;
1096 /* This is the lowest TTL seen in the records of the response,
1097 so we can't cache it for longer than this value.
1098 If we have a TTL cap, this value can't be larger than the
1099 cap no matter what. */
1100 uint32_t minTTL
= dc
->d_ttlCap
;
1102 SyncRes
sr(dc
->d_now
);
1104 bool DNSSECOK
=false;
1106 sr
.setLuaEngine(t_pdl
);
1108 if(g_dnssecmode
!= DNSSECMode::Off
) {
1109 sr
.setDoDNSSEC(true);
1111 // Does the requestor want DNSSEC records?
1112 if(edo
.d_extFlags
& EDNSOpts::DNSSECOK
) {
1114 g_stats
.dnssecQueries
++;
1116 if (dc
->d_mdp
.d_header
.cd
) {
1117 /* Per rfc6840 section 5.9, "When processing a request with
1118 the Checking Disabled (CD) bit set, a resolver SHOULD attempt
1119 to return all response data, even data that has failed DNSSEC
1121 ++g_stats
.dnssecCheckDisabledQueries
;
1123 if (dc
->d_mdp
.d_header
.ad
) {
1124 /* Per rfc6840 section 5.7, "the AD bit in a query as a signal
1125 indicating that the requester understands and is interested in the
1126 value of the AD bit in the response. This allows a requester to
1127 indicate that it understands the AD bit without also requesting
1128 DNSSEC data via the DO bit. */
1129 ++g_stats
.dnssecAuthenticDataQueries
;
1132 // Ignore the client-set CD flag
1133 pw
.getHeader()->cd
=0;
1135 sr
.setDNSSECValidationRequested(g_dnssecmode
== DNSSECMode::ValidateAll
|| g_dnssecmode
==DNSSECMode::ValidateForLog
|| ((dc
->d_mdp
.d_header
.ad
|| DNSSECOK
) && g_dnssecmode
==DNSSECMode::Process
));
1137 #ifdef HAVE_PROTOBUF
1138 sr
.setInitialRequestId(dc
->d_uuid
);
1139 sr
.setOutgoingProtobufServers(t_outgoingProtobufServers
);
1142 sr
.setQuerySource(dc
->d_remote
, g_useIncomingECS
&& !dc
->d_ednssubnet
.source
.empty() ? boost::optional
<const EDNSSubnetOpts
&>(dc
->d_ednssubnet
) : boost::none
);
1144 bool tracedQuery
=false; // we could consider letting Lua know about this too
1145 bool shouldNotValidate
= false;
1147 /* preresolve expects res (dq.rcode) to be set to RCode::NoError by default */
1148 int res
= RCode::NoError
;
1149 DNSFilterEngine::Policy appliedPolicy
;
1150 std::vector
<DNSRecord
> spoofed
;
1151 RecursorLua4::DNSQuestion
dq(dc
->d_source
, dc
->d_destination
, dc
->d_mdp
.d_qname
, dc
->d_mdp
.d_qtype
, dc
->d_tcp
, variableAnswer
, wantsRPZ
, logResponse
);
1152 dq
.ednsFlags
= &edo
.d_extFlags
;
1153 dq
.ednsOptions
= &ednsOpts
;
1155 dq
.discardedPolicies
= &sr
.d_discardedPolicies
;
1156 dq
.policyTags
= &dc
->d_policyTags
;
1157 dq
.appliedPolicy
= &appliedPolicy
;
1158 dq
.currentRecords
= &ret
;
1159 dq
.dh
= &dc
->d_mdp
.d_header
;
1160 dq
.data
= dc
->d_data
;
1161 #ifdef HAVE_PROTOBUF
1162 dq
.requestorId
= dc
->d_requestorId
;
1163 dq
.deviceId
= dc
->d_deviceId
;
1166 if(ednsExtRCode
!= 0) {
1170 if(dc
->d_mdp
.d_qtype
==QType::ANY
&& !dc
->d_tcp
&& g_anyToTcp
) {
1171 pw
.getHeader()->tc
= 1;
1173 variableAnswer
= true;
1177 if(t_traceRegex
&& t_traceRegex
->match(dc
->d_mdp
.d_qname
.toString())) {
1178 sr
.setLogMode(SyncRes::Store
);
1183 if(!g_quiet
|| tracedQuery
) {
1184 g_log
<<Logger::Warning
<<t_id
<<" ["<<MT
->getTid()<<"/"<<MT
->numProcesses()<<"] " << (dc
->d_tcp
? "TCP " : "") << "question for '"<<dc
->d_mdp
.d_qname
<<"|"
1185 <<DNSRecordContent::NumberToType(dc
->d_mdp
.d_qtype
)<<"' from "<<dc
->getRemote();
1186 if(!dc
->d_ednssubnet
.source
.empty()) {
1187 g_log
<<" (ecs "<<dc
->d_ednssubnet
.source
.toString()<<")";
1192 sr
.setId(MT
->getTid());
1193 if(!dc
->d_mdp
.d_header
.rd
)
1197 t_pdl
->prerpz(dq
, res
);
1200 // Check if the query has a policy attached to it
1202 appliedPolicy
= luaconfsLocal
->dfe
.getQueryPolicy(dc
->d_mdp
.d_qname
, dc
->d_source
, sr
.d_discardedPolicies
);
1205 // if there is a RecursorLua active, and it 'took' the query in preResolve, we don't launch beginResolve
1206 if(!t_pdl
|| !t_pdl
->preresolve(dq
, res
)) {
1208 sr
.setWantsRPZ(wantsRPZ
);
1210 switch(appliedPolicy
.d_kind
) {
1211 case DNSFilterEngine::PolicyKind::NoAction
:
1213 case DNSFilterEngine::PolicyKind::Drop
:
1214 g_stats
.policyDrops
++;
1215 g_stats
.policyResults
[appliedPolicy
.d_kind
]++;
1217 case DNSFilterEngine::PolicyKind::NXDOMAIN
:
1218 g_stats
.policyResults
[appliedPolicy
.d_kind
]++;
1219 res
=RCode::NXDomain
;
1221 case DNSFilterEngine::PolicyKind::NODATA
:
1222 g_stats
.policyResults
[appliedPolicy
.d_kind
]++;
1225 case DNSFilterEngine::PolicyKind::Custom
:
1226 g_stats
.policyResults
[appliedPolicy
.d_kind
]++;
1228 spoofed
=appliedPolicy
.getCustomRecords(dc
->d_mdp
.d_qname
, dc
->d_mdp
.d_qtype
);
1229 for (const auto& dr
: spoofed
) {
1231 handleRPZCustom(dr
, QType(dc
->d_mdp
.d_qtype
), sr
, res
, ret
);
1234 case DNSFilterEngine::PolicyKind::Truncate
:
1236 g_stats
.policyResults
[appliedPolicy
.d_kind
]++;
1238 pw
.getHeader()->tc
=1;
1245 // Query got not handled for QNAME Policy reasons, now actually go out to find an answer
1247 res
= sr
.beginResolve(dc
->d_mdp
.d_qname
, QType(dc
->d_mdp
.d_qtype
), dc
->d_mdp
.d_qclass
, ret
);
1248 shouldNotValidate
= sr
.wasOutOfBand();
1250 catch(ImmediateServFailException
&e
) {
1251 if(g_logCommonErrors
)
1252 g_log
<<Logger::Notice
<<"Sending SERVFAIL to "<<dc
->getRemote()<<" during resolve of '"<<dc
->d_mdp
.d_qname
<<"' because: "<<e
.reason
<<endl
;
1253 res
= RCode::ServFail
;
1256 dq
.validationState
= sr
.getValidationState();
1258 // During lookup, an NSDNAME or NSIP trigger was hit in RPZ
1259 if (res
== -2) { // XXX This block should be macro'd, it is repeated post-resolve.
1260 appliedPolicy
= sr
.d_appliedPolicy
;
1261 g_stats
.policyResults
[appliedPolicy
.d_kind
]++;
1262 switch(appliedPolicy
.d_kind
) {
1263 case DNSFilterEngine::PolicyKind::NoAction
: // This can never happen
1264 throw PDNSException("NoAction policy returned while a NSDNAME or NSIP trigger was hit");
1265 case DNSFilterEngine::PolicyKind::Drop
:
1266 g_stats
.policyDrops
++;
1268 case DNSFilterEngine::PolicyKind::NXDOMAIN
:
1270 res
=RCode::NXDomain
;
1273 case DNSFilterEngine::PolicyKind::NODATA
:
1278 case DNSFilterEngine::PolicyKind::Truncate
:
1282 pw
.getHeader()->tc
=1;
1287 case DNSFilterEngine::PolicyKind::Custom
:
1290 spoofed
=appliedPolicy
.getCustomRecords(dc
->d_mdp
.d_qname
, dc
->d_mdp
.d_qtype
);
1291 for (const auto& dr
: spoofed
) {
1293 handleRPZCustom(dr
, QType(dc
->d_mdp
.d_qtype
), sr
, res
, ret
);
1300 appliedPolicy
= luaconfsLocal
->dfe
.getPostPolicy(ret
, sr
.d_discardedPolicies
);
1304 if(res
== RCode::NoError
) {
1305 auto i
=ret
.cbegin();
1306 for(; i
!= ret
.cend(); ++i
)
1307 if(i
->d_type
== dc
->d_mdp
.d_qtype
&& i
->d_place
== DNSResourceRecord::ANSWER
)
1309 if(i
== ret
.cend() && t_pdl
->nodata(dq
, res
))
1310 shouldNotValidate
= true;
1313 else if(res
== RCode::NXDomain
&& t_pdl
->nxdomain(dq
, res
))
1314 shouldNotValidate
= true;
1316 if(t_pdl
->postresolve(dq
, res
))
1317 shouldNotValidate
= true;
1320 if (wantsRPZ
) { //XXX This block is repeated, see above
1321 g_stats
.policyResults
[appliedPolicy
.d_kind
]++;
1322 switch(appliedPolicy
.d_kind
) {
1323 case DNSFilterEngine::PolicyKind::NoAction
:
1325 case DNSFilterEngine::PolicyKind::Drop
:
1326 g_stats
.policyDrops
++;
1328 case DNSFilterEngine::PolicyKind::NXDOMAIN
:
1330 res
=RCode::NXDomain
;
1333 case DNSFilterEngine::PolicyKind::NODATA
:
1338 case DNSFilterEngine::PolicyKind::Truncate
:
1342 pw
.getHeader()->tc
=1;
1347 case DNSFilterEngine::PolicyKind::Custom
:
1350 spoofed
=appliedPolicy
.getCustomRecords(dc
->d_mdp
.d_qname
, dc
->d_mdp
.d_qtype
);
1351 for (const auto& dr
: spoofed
) {
1353 handleRPZCustom(dr
, QType(dc
->d_mdp
.d_qtype
), sr
, res
, ret
);
1360 if(res
== PolicyDecision::DROP
) {
1361 g_stats
.policyDrops
++;
1364 if(tracedQuery
|| res
== -1 || res
== RCode::ServFail
|| pw
.getHeader()->rcode
== RCode::ServFail
)
1366 string
trace(sr
.getTrace());
1367 if(!trace
.empty()) {
1368 vector
<string
> lines
;
1369 boost::split(lines
, trace
, boost::is_any_of("\n"));
1370 for(const string
& line
: lines
) {
1372 g_log
<<Logger::Warning
<< line
<< endl
;
1378 pw
.getHeader()->rcode
=RCode::ServFail
;
1379 // no commit here, because no record
1380 g_stats
.servFails
++;
1383 pw
.getHeader()->rcode
=res
;
1385 // Does the validation mode or query demand validation?
1386 if(!shouldNotValidate
&& sr
.isDNSSECValidationRequested()) {
1389 g_log
<<Logger::Warning
<<"Starting validation of answer to "<<dc
->d_mdp
.d_qname
<<"|"<<QType(dc
->d_mdp
.d_qtype
).getName()<<" for "<<dc
->getRemote()<<endl
;
1392 auto state
= sr
.getValidationState();
1394 if(state
== Secure
) {
1396 g_log
<<Logger::Warning
<<"Answer to "<<dc
->d_mdp
.d_qname
<<"|"<<QType(dc
->d_mdp
.d_qtype
).getName()<<" for "<<dc
->getRemote()<<" validates correctly"<<endl
;
1399 // Is the query source interested in the value of the ad-bit?
1400 if (dc
->d_mdp
.d_header
.ad
|| DNSSECOK
)
1401 pw
.getHeader()->ad
=1;
1403 else if(state
== Insecure
) {
1405 g_log
<<Logger::Warning
<<"Answer to "<<dc
->d_mdp
.d_qname
<<"|"<<QType(dc
->d_mdp
.d_qtype
).getName()<<" for "<<dc
->getRemote()<<" validates as Insecure"<<endl
;
1408 pw
.getHeader()->ad
=0;
1410 else if(state
== Bogus
) {
1412 t_bogusremotes
->push_back(dc
->d_source
);
1413 if(t_bogusqueryring
)
1414 t_bogusqueryring
->push_back(make_pair(dc
->d_mdp
.d_qname
, dc
->d_mdp
.d_qtype
));
1415 if(g_dnssecLogBogus
|| sr
.doLog() || g_dnssecmode
== DNSSECMode::ValidateForLog
) {
1416 g_log
<<Logger::Warning
<<"Answer to "<<dc
->d_mdp
.d_qname
<<"|"<<QType(dc
->d_mdp
.d_qtype
).getName()<<" for "<<dc
->getRemote()<<" validates as Bogus"<<endl
;
1419 // Does the query or validation mode sending out a SERVFAIL on validation errors?
1420 if(!pw
.getHeader()->cd
&& (g_dnssecmode
== DNSSECMode::ValidateAll
|| dc
->d_mdp
.d_header
.ad
|| DNSSECOK
)) {
1422 g_log
<<Logger::Warning
<<"Sending out SERVFAIL for "<<dc
->d_mdp
.d_qname
<<"|"<<QType(dc
->d_mdp
.d_qtype
).getName()<<" because recursor or query demands it for Bogus results"<<endl
;
1425 pw
.getHeader()->rcode
=RCode::ServFail
;
1429 g_log
<<Logger::Warning
<<"Not sending out SERVFAIL for "<<dc
->d_mdp
.d_qname
<<"|"<<QType(dc
->d_mdp
.d_qtype
).getName()<<" Bogus validation since neither config nor query demands this"<<endl
;
1434 catch(ImmediateServFailException
&e
) {
1435 if(g_logCommonErrors
)
1436 g_log
<<Logger::Notice
<<"Sending SERVFAIL to "<<dc
->getRemote()<<" during validation of '"<<dc
->d_mdp
.d_qname
<<"|"<<QType(dc
->d_mdp
.d_qtype
).getName()<<"' because: "<<e
.reason
<<endl
;
1437 pw
.getHeader()->rcode
=RCode::ServFail
;
1443 orderAndShuffle(ret
);
1444 if(auto sl
= luaconfsLocal
->sortlist
.getOrderCmp(dc
->d_source
)) {
1445 stable_sort(ret
.begin(), ret
.end(), *sl
);
1446 variableAnswer
=true;
1450 bool needCommit
= false;
1451 for(auto i
=ret
.cbegin(); i
!=ret
.cend(); ++i
) {
1453 ( i
->d_type
== QType::NSEC3
||
1455 ( i
->d_type
== QType::RRSIG
|| i
->d_type
==QType::NSEC
) &&
1457 ( dc
->d_mdp
.d_qtype
!= i
->d_type
&& dc
->d_mdp
.d_qtype
!= QType::ANY
) ||
1458 i
->d_place
!= DNSResourceRecord::ANSWER
1466 if (!addRecordToPacket(pw
, *i
, minTTL
, dc
->d_ttlCap
, maxanswersize
)) {
1475 udr
= udrCheckUniqueDNSRecord(dc
->d_mdp
.d_qname
, dc
->d_mdp
.d_qtype
, *i
);
1479 #endif /* NOD ENABLED */
1481 #ifdef HAVE_PROTOBUF
1482 if (t_protobufServers
) {
1484 pbMessage
->addRR(*i
, luaconfsLocal
->protobufExportConfig
.exportTypes
, udr
);
1486 pbMessage
->addRR(*i
, luaconfsLocal
->protobufExportConfig
.exportTypes
);
1487 #endif /* NOD_ENABLED */
1496 if(g_useIncomingECS
&& dc
->d_ecsFound
&& !sr
.wasVariable() && !variableAnswer
) {
1497 // cerr<<"Stuffing in a 0 scope because answer is static"<<endl;
1499 eo
.source
= dc
->d_ednssubnet
.source
;
1502 sa
.sin4
.sin_family
= eo
.source
.getNetwork().sin4
.sin_family
;
1503 eo
.scope
= Netmask(sa
, 0);
1505 returnedEdnsOptions
.push_back(make_pair(EDNSOptionCode::ECS
, makeEDNSSubnetOptsString(eo
)));
1509 /* we try to add the EDNS OPT RR even for truncated answers,
1511 "The minimal response MUST be the DNS header, question section, and an
1512 OPT record. This MUST also occur when a truncated response (using
1513 the DNS header's TC bit) is returned."
1515 pw
.addOpt(512, ednsExtRCode
, DNSSECOK
? EDNSOpts::DNSSECOK
: 0, returnedEdnsOptions
);
1519 g_rs
.submitResponse(dc
->d_mdp
.d_qtype
, packet
.size(), !dc
->d_tcp
);
1520 updateResponseStats(res
, dc
->d_source
, packet
.size(), &dc
->d_mdp
.d_qname
, dc
->d_mdp
.d_qtype
);
1524 if (nodCheckNewDomain(dc
->d_mdp
.d_qname
))
1527 #endif /* NOD_ENABLED */
1528 #ifdef HAVE_PROTOBUF
1529 if (t_protobufServers
&& logResponse
&& !(luaconfsLocal
->protobufExportConfig
.taggedOnly
&& (!appliedPolicy
.d_name
|| appliedPolicy
.d_name
->empty()) && dc
->d_policyTags
.empty())) {
1530 pbMessage
->setBytes(packet
.size());
1531 pbMessage
->setResponseCode(pw
.getHeader()->rcode
);
1532 if (appliedPolicy
.d_name
) {
1533 pbMessage
->setAppliedPolicy(*appliedPolicy
.d_name
);
1534 pbMessage
->setAppliedPolicyType(appliedPolicy
.d_type
);
1536 pbMessage
->setPolicyTags(dc
->d_policyTags
);
1537 pbMessage
->setQueryTime(dc
->d_now
.tv_sec
, dc
->d_now
.tv_usec
);
1538 pbMessage
->setRequestorId(dq
.requestorId
);
1539 pbMessage
->setDeviceId(dq
.deviceId
);
1543 pbMessage
->setNOD(true);
1544 pbMessage
->addPolicyTag(g_nod_pbtag
);
1547 pbMessage
->addPolicyTag(g_udr_pbtag
);
1550 #endif /* NOD_ENABLED */
1551 protobufLogResponse(*pbMessage
);
1554 pbMessage
->setNOD(false);
1555 pbMessage
->clearUDR();
1557 pbMessage
->removePolicyTag(g_nod_pbtag
);
1559 pbMessage
->removePolicyTag(g_udr_pbtag
);
1561 #endif /* NOD_ENABLED */
1568 fillMSGHdr(&msgh
, &iov
, cbuf
, 0, (char*)&*packet
.begin(), packet
.size(), &dc
->d_remote
);
1569 msgh
.msg_control
=NULL
;
1571 if(g_fromtosockets
.count(dc
->d_socket
)) {
1572 addCMsgSrcAddr(&msgh
, cbuf
, &dc
->d_local
, 0);
1574 if(sendmsg(dc
->d_socket
, &msgh
, 0) < 0 && g_logCommonErrors
)
1575 g_log
<<Logger::Warning
<<"Sending UDP reply to client "<<dc
->getRemote()<<" failed with: "<<strerror(errno
)<<endl
;
1577 if(variableAnswer
|| sr
.wasVariable()) {
1578 g_stats
.variableResponses
++;
1580 if(!SyncRes::s_nopacketcache
&& !variableAnswer
&& !sr
.wasVariable() ) {
1581 t_packetCache
->insertResponsePacket(dc
->d_tag
, dc
->d_qhash
, std::move(dc
->d_query
), dc
->d_mdp
.d_qname
, dc
->d_mdp
.d_qtype
, dc
->d_mdp
.d_qclass
,
1582 string((const char*)&*packet
.begin(), packet
.size()),
1584 pw
.getHeader()->rcode
== RCode::ServFail
? SyncRes::s_packetcacheservfailttl
:
1585 min(minTTL
,SyncRes::s_packetcachettl
),
1589 std::move(pbMessage
));
1591 // else cerr<<"Not putting in packet cache: "<<sr.wasVariable()<<endl;
1595 buf
[0]=packet
.size()/256;
1596 buf
[1]=packet
.size()%256;
1598 Utility::iovec iov
[2];
1600 iov
[0].iov_base
=(void*)buf
; iov
[0].iov_len
=2;
1601 iov
[1].iov_base
=(void*)&*packet
.begin(); iov
[1].iov_len
= packet
.size();
1603 int wret
=Utility::writev(dc
->d_socket
, iov
, 2);
1607 g_log
<<Logger::Error
<<"EOF writing TCP answer to "<<dc
->getRemote()<<endl
;
1609 g_log
<<Logger::Error
<<"Error writing TCP answer to "<<dc
->getRemote()<<": "<< strerror(errno
) <<endl
;
1610 else if((unsigned int)wret
!= 2 + packet
.size())
1611 g_log
<<Logger::Error
<<"Oops, partial answer sent to "<<dc
->getRemote()<<" for "<<dc
->d_mdp
.d_qname
<<" (size="<< (2 + packet
.size()) <<", sent "<<wret
<<")"<<endl
;
1615 // update tcp connection status, either by closing or moving to 'BYTE0'
1618 // no need to remove us from FDM, we weren't there
1622 dc
->d_tcpConnection
->queriesCount
++;
1623 if (g_tcpMaxQueriesPerConn
&& dc
->d_tcpConnection
->queriesCount
>= g_tcpMaxQueriesPerConn
) {
1627 dc
->d_tcpConnection
->state
=TCPConnection::BYTE0
;
1628 Utility::gettimeofday(&g_now
, 0); // needs to be updated
1629 t_fdm
->addReadFD(dc
->d_socket
, handleRunningTCPQuestion
, dc
->d_tcpConnection
);
1630 t_fdm
->setReadTTD(dc
->d_socket
, g_now
, g_tcpTimeout
);
1634 float spent
=makeFloat(sr
.getNow()-dc
->d_now
);
1636 g_log
<<Logger::Error
<<t_id
<<" ["<<MT
->getTid()<<"/"<<MT
->numProcesses()<<"] answer to "<<(dc
->d_mdp
.d_header
.rd
?"":"non-rd ")<<"question '"<<dc
->d_mdp
.d_qname
<<"|"<<DNSRecordContent::NumberToType(dc
->d_mdp
.d_qtype
);
1637 g_log
<<"': "<<ntohs(pw
.getHeader()->ancount
)<<" answers, "<<ntohs(pw
.getHeader()->arcount
)<<" additional, took "<<sr
.d_outqueries
<<" packets, "<<
1638 sr
.d_totUsec
/1000.0<<" netw ms, "<< spent
*1000.0<<" tot ms, "<<
1639 sr
.d_throttledqueries
<<" throttled, "<<sr
.d_timeouts
<<" timeouts, "<<sr
.d_tcpoutqueries
<<" tcp connections, rcode="<< res
;
1641 if(!shouldNotValidate
&& sr
.isDNSSECValidationRequested()) {
1642 g_log
<< ", dnssec="<<vStates
[sr
.getValidationState()];
1649 if (sr
.d_outqueries
|| sr
.d_authzonequeries
) {
1650 t_RC
->cacheMisses
++;
1657 g_stats
.answers0_1
++;
1658 else if(spent
< 0.010)
1659 g_stats
.answers1_10
++;
1660 else if(spent
< 0.1)
1661 g_stats
.answers10_100
++;
1662 else if(spent
< 1.0)
1663 g_stats
.answers100_1000
++;
1665 g_stats
.answersSlow
++;
1667 uint64_t newLat
=(uint64_t)(spent
*1000000);
1668 newLat
= min(newLat
,(uint64_t)(((uint64_t) g_networkTimeoutMsec
)*1000)); // outliers of several minutes exist..
1669 g_stats
.avgLatencyUsec
=(1-1.0/g_latencyStatSize
)*g_stats
.avgLatencyUsec
+ (float)newLat
/g_latencyStatSize
;
1670 // no worries, we do this for packet cache hits elsewhere
1672 auto ourtime
= 1000.0*spent
-sr
.d_totUsec
/1000.0; // in msec
1674 g_stats
.ourtime0_1
++;
1675 else if(ourtime
< 2)
1676 g_stats
.ourtime1_2
++;
1677 else if(ourtime
< 4)
1678 g_stats
.ourtime2_4
++;
1679 else if(ourtime
< 8)
1680 g_stats
.ourtime4_8
++;
1681 else if(ourtime
< 16)
1682 g_stats
.ourtime8_16
++;
1683 else if(ourtime
< 32)
1684 g_stats
.ourtime16_32
++;
1686 // cerr<<"SLOW: "<<ourtime<<"ms -> "<<dc->d_mdp.d_qname<<"|"<<DNSRecordContent::NumberToType(dc->d_mdp.d_qtype)<<endl;
1687 g_stats
.ourtimeSlow
++;
1689 if(ourtime
>= 0.0) {
1690 newLat
=ourtime
*1000; // usec
1691 g_stats
.avgLatencyOursUsec
=(1-1.0/g_latencyStatSize
)*g_stats
.avgLatencyOursUsec
+ (float)newLat
/g_latencyStatSize
;
1693 // cout<<dc->d_mdp.d_qname<<"\t"<<MT->getUsec()<<"\t"<<sr.d_outqueries<<endl;
1695 catch(PDNSException
&ae
) {
1696 g_log
<<Logger::Error
<<"startDoResolve problem "<<makeLoginfo(dc
)<<": "<<ae
.reason
<<endl
;
1698 catch(const MOADNSException
&mde
) {
1699 g_log
<<Logger::Error
<<"DNS parser error "<<makeLoginfo(dc
) <<": "<<dc
->d_mdp
.d_qname
<<", "<<mde
.what()<<endl
;
1701 catch(std::exception
& e
) {
1702 g_log
<<Logger::Error
<<"STL error "<< makeLoginfo(dc
)<<": "<<e
.what();
1704 // Luawrapper nests the exception from Lua, so we unnest it here
1706 std::rethrow_if_nested(e
);
1707 } catch(const std::exception
& ne
) {
1708 g_log
<<". Extra info: "<<ne
.what();
1714 g_log
<<Logger::Error
<<"Any other exception in a resolver context "<< makeLoginfo(dc
) <<endl
;
1717 g_stats
.maxMThreadStackUsage
= max(MT
->getMaxStackUsage(), g_stats
.maxMThreadStackUsage
);
1720 static void makeControlChannelSocket(int processNum
=-1)
1722 string sockname
=::arg()["socket-dir"]+"/"+s_programname
;
1724 sockname
+= "."+std::to_string(processNum
);
1725 sockname
+=".controlsocket";
1726 s_rcc
.listen(sockname
);
1731 if (!::arg().isEmpty("socket-group"))
1732 sockgroup
=::arg().asGid("socket-group");
1733 if (!::arg().isEmpty("socket-owner"))
1734 sockowner
=::arg().asUid("socket-owner");
1736 if (sockgroup
> -1 || sockowner
> -1) {
1737 if(chown(sockname
.c_str(), sockowner
, sockgroup
) < 0) {
1738 unixDie("Failed to chown control socket");
1742 // do mode change if socket-mode is given
1743 if(!::arg().isEmpty("socket-mode")) {
1744 mode_t sockmode
=::arg().asMode("socket-mode");
1745 if(chmod(sockname
.c_str(), sockmode
) < 0) {
1746 unixDie("Failed to chmod control socket");
1751 static void getQNameAndSubnet(const std::string
& question
, DNSName
* dnsname
, uint16_t* qtype
, uint16_t* qclass
,
1752 bool& foundECS
, EDNSSubnetOpts
* ednssubnet
, EDNSOptionViewMap
* options
,
1753 bool& foundXPF
, ComboAddress
* xpfSource
, ComboAddress
* xpfDest
)
1755 const bool lookForXPF
= xpfSource
!= nullptr && g_xpfRRCode
!= 0;
1756 const bool lookForECS
= ednssubnet
!= nullptr;
1757 const struct dnsheader
* dh
= reinterpret_cast<const struct dnsheader
*>(question
.c_str());
1758 size_t questionLen
= question
.length();
1759 unsigned int consumed
=0;
1760 *dnsname
=DNSName(question
.c_str(), questionLen
, sizeof(dnsheader
), false, qtype
, qclass
, &consumed
);
1762 size_t pos
= sizeof(dnsheader
)+consumed
+4;
1763 const size_t headerSize
= /* root */ 1 + sizeof(dnsrecordheader
);
1764 const uint16_t arcount
= ntohs(dh
->arcount
);
1766 for (uint16_t arpos
= 0; arpos
< arcount
&& questionLen
> (pos
+ headerSize
) && ((lookForECS
&& !foundECS
) || (lookForXPF
&& !foundXPF
)); arpos
++) {
1767 if (question
.at(pos
) != 0) {
1768 /* not an OPT or a XPF, bye. */
1773 const dnsrecordheader
* drh
= reinterpret_cast<const dnsrecordheader
*>(&question
.at(pos
));
1774 pos
+= sizeof(dnsrecordheader
);
1776 if (pos
>= questionLen
) {
1780 /* OPT root label (1) followed by type (2) */
1781 if(lookForECS
&& ntohs(drh
->d_type
) == QType::OPT
) {
1783 char* ecsStart
= nullptr;
1785 /* we need to pass the record len */
1786 int res
= getEDNSOption(const_cast<char*>(reinterpret_cast<const char*>(&question
.at(pos
- sizeof(drh
->d_clen
)))), questionLen
- pos
+ sizeof(drh
->d_clen
), EDNSOptionCode::ECS
, &ecsStart
, &ecsLen
);
1787 if (res
== 0 && ecsLen
> 4) {
1789 if(getEDNSSubnetOptsFromString(ecsStart
+ 4, ecsLen
- 4, &eso
)) {
1796 /* we need to pass the record len */
1797 int res
= getEDNSOptions(reinterpret_cast<const char*>(&question
.at(pos
-sizeof(drh
->d_clen
))), questionLen
- pos
+ (sizeof(drh
->d_clen
)), *options
);
1799 const auto& it
= options
->find(EDNSOptionCode::ECS
);
1800 if (it
!= options
->end() && !it
->second
.values
.empty() && it
->second
.values
.at(0).content
!= nullptr && it
->second
.values
.at(0).size
> 0) {
1802 if(getEDNSSubnetOptsFromString(it
->second
.values
.at(0).content
, it
->second
.values
.at(0).size
, &eso
)) {
1810 else if (lookForXPF
&& ntohs(drh
->d_type
) == g_xpfRRCode
&& ntohs(drh
->d_class
) == QClass::IN
&& drh
->d_ttl
== 0) {
1811 if ((questionLen
- pos
) < ntohs(drh
->d_clen
)) {
1815 foundXPF
= parseXPFPayload(reinterpret_cast<const char*>(&question
.at(pos
)), ntohs(drh
->d_clen
), *xpfSource
, xpfDest
);
1818 pos
+= ntohs(drh
->d_clen
);
1822 static void handleRunningTCPQuestion(int fd
, FDMultiplexer::funcparam_t
& var
)
1824 shared_ptr
<TCPConnection
> conn
=any_cast
<shared_ptr
<TCPConnection
> >(var
);
1826 if(conn
->state
==TCPConnection::BYTE0
) {
1827 ssize_t bytes
=recv(conn
->getFD(), &conn
->data
[0], 2, 0);
1829 conn
->state
=TCPConnection::BYTE1
;
1831 conn
->qlen
=(((unsigned char)conn
->data
[0]) << 8)+ (unsigned char)conn
->data
[1];
1832 conn
->data
.resize(conn
->qlen
);
1834 conn
->state
=TCPConnection::GETQUESTION
;
1836 if(!bytes
|| bytes
< 0) {
1837 t_fdm
->removeReadFD(fd
);
1841 else if(conn
->state
==TCPConnection::BYTE1
) {
1842 ssize_t bytes
=recv(conn
->getFD(), &conn
->data
[1], 1, 0);
1844 conn
->state
=TCPConnection::GETQUESTION
;
1845 conn
->qlen
=(((unsigned char)conn
->data
[0]) << 8)+ (unsigned char)conn
->data
[1];
1846 conn
->data
.resize(conn
->qlen
);
1849 if(!bytes
|| bytes
< 0) {
1850 if(g_logCommonErrors
)
1851 g_log
<<Logger::Error
<<"TCP client "<< conn
->d_remote
.toStringWithPort() <<" disconnected after first byte"<<endl
;
1852 t_fdm
->removeReadFD(fd
);
1856 else if(conn
->state
==TCPConnection::GETQUESTION
) {
1857 ssize_t bytes
=recv(conn
->getFD(), &conn
->data
[conn
->bytesread
], conn
->qlen
- conn
->bytesread
, 0);
1858 if(!bytes
|| bytes
< 0 || bytes
> std::numeric_limits
<std::uint16_t>::max()) {
1859 if(g_logCommonErrors
) {
1860 g_log
<<Logger::Error
<<"TCP client "<< conn
->d_remote
.toStringWithPort() <<" disconnected while reading question body"<<endl
;
1862 t_fdm
->removeReadFD(fd
);
1865 conn
->bytesread
+=(uint16_t)bytes
;
1866 if(conn
->bytesread
==conn
->qlen
) {
1867 t_fdm
->removeReadFD(fd
); // should no longer awake ourselves when there is data to read
1869 std::unique_ptr
<DNSComboWriter
> dc
;
1871 dc
=std::unique_ptr
<DNSComboWriter
>(new DNSComboWriter(conn
->data
, g_now
));
1873 catch(const MOADNSException
&mde
) {
1874 g_stats
.clientParseError
++;
1875 if(g_logCommonErrors
)
1876 g_log
<<Logger::Error
<<"Unable to parse packet from TCP client "<< conn
->d_remote
.toStringWithPort() <<endl
;
1879 dc
->d_tcpConnection
= conn
; // carry the torch
1880 dc
->setSocket(conn
->getFD()); // this is the only time a copy is made of the actual fd
1882 dc
->setRemote(conn
->d_remote
);
1883 dc
->setSource(conn
->d_remote
);
1886 dest
.sin4
.sin_family
= conn
->d_remote
.sin4
.sin_family
;
1887 socklen_t len
= dest
.getSocklen();
1888 getsockname(conn
->getFD(), (sockaddr
*)&dest
, &len
); // if this fails, we're ok with it
1890 dc
->setDestination(dest
);
1894 bool needECS
= false;
1895 bool needXPF
= g_XPFAcl
.match(conn
->d_remote
);
1898 bool logQuery
= false;
1899 #ifdef HAVE_PROTOBUF
1900 auto luaconfsLocal
= g_luaconfs
.getLocal();
1901 if (checkProtobufExport(luaconfsLocal
)) {
1904 logQuery
= t_protobufServers
&& luaconfsLocal
->protobufExportConfig
.logQueries
;
1907 if(needECS
|| needXPF
|| (t_pdl
&& (t_pdl
->d_gettag_ffi
|| t_pdl
->d_gettag
))) {
1910 EDNSOptionViewMap ednsOptions
;
1911 bool xpfFound
= false;
1912 dc
->d_ecsParsed
= true;
1913 dc
->d_ecsFound
= false;
1914 getQNameAndSubnet(conn
->data
, &qname
, &qtype
, &qclass
,
1915 dc
->d_ecsFound
, &dc
->d_ednssubnet
, g_gettagNeedsEDNSOptions
? &ednsOptions
: nullptr,
1916 xpfFound
, needXPF
? &dc
->d_source
: nullptr, needXPF
? &dc
->d_destination
: nullptr);
1920 if (t_pdl
->d_gettag_ffi
) {
1921 dc
->d_tag
= t_pdl
->gettag_ffi(dc
->d_source
, dc
->d_ednssubnet
.source
, dc
->d_destination
, qname
, qtype
, &dc
->d_policyTags
, dc
->d_data
, ednsOptions
, true, requestorId
, deviceId
, dc
->d_ttlCap
, dc
->d_variable
, logQuery
);
1923 else if (t_pdl
->d_gettag
) {
1924 dc
->d_tag
= t_pdl
->gettag(dc
->d_source
, dc
->d_ednssubnet
.source
, dc
->d_destination
, qname
, qtype
, &dc
->d_policyTags
, dc
->d_data
, ednsOptions
, true, requestorId
, deviceId
);
1927 catch(const std::exception
& e
) {
1928 if(g_logCommonErrors
)
1929 g_log
<<Logger::Warning
<<"Error parsing a query packet qname='"<<qname
<<"' for tag determination, setting tag=0: "<<e
.what()<<endl
;
1933 catch(const std::exception
& e
)
1935 if(g_logCommonErrors
)
1936 g_log
<<Logger::Warning
<<"Error parsing a query packet for tag determination, setting tag=0: "<<e
.what()<<endl
;
1940 const struct dnsheader
* dh
= reinterpret_cast<const struct dnsheader
*>(&conn
->data
[0]);
1942 #ifdef HAVE_PROTOBUF
1943 if(t_protobufServers
|| t_outgoingProtobufServers
) {
1944 dc
->d_requestorId
= requestorId
;
1945 dc
->d_deviceId
= deviceId
;
1946 dc
->d_uuid
= getUniqueID();
1949 if(t_protobufServers
) {
1952 if (logQuery
&& !(luaconfsLocal
->protobufExportConfig
.taggedOnly
&& dc
->d_policyTags
.empty())) {
1953 protobufLogQuery(luaconfsLocal
->protobufMaskV4
, luaconfsLocal
->protobufMaskV6
, dc
->d_uuid
, dc
->d_source
, dc
->d_destination
, dc
->d_ednssubnet
.source
, true, dh
->id
, conn
->qlen
, qname
, qtype
, qclass
, dc
->d_policyTags
, dc
->d_requestorId
, dc
->d_deviceId
);
1956 catch(std::exception
& e
) {
1957 if(g_logCommonErrors
)
1958 g_log
<<Logger::Warning
<<"Error parsing a TCP query packet for edns subnet: "<<e
.what()<<endl
;
1963 if(t_pdl
->ipfilter(dc
->d_source
, dc
->d_destination
, *dh
)) {
1965 g_log
<<Logger::Notice
<<t_id
<<" ["<<MT
->getTid()<<"/"<<MT
->numProcesses()<<"] DROPPED TCP question from "<<dc
->d_source
.toStringWithPort()<<(dc
->d_source
!= dc
->d_remote
? " (via "+dc
->d_remote
.toStringWithPort()+")" : "")<<" based on policy"<<endl
;
1966 g_stats
.policyDrops
++;
1971 if(dc
->d_mdp
.d_header
.qr
) {
1972 g_stats
.ignoredCount
++;
1973 if(g_logCommonErrors
) {
1974 g_log
<<Logger::Error
<<"Ignoring answer from TCP client "<< dc
->getRemote() <<" on server socket!"<<endl
;
1978 if(dc
->d_mdp
.d_header
.opcode
) {
1979 g_stats
.ignoredCount
++;
1980 if(g_logCommonErrors
) {
1981 g_log
<<Logger::Error
<<"Ignoring non-query opcode from TCP client "<< dc
->getRemote() <<" on server socket!"<<endl
;
1985 else if (dh
->qdcount
== 0) {
1986 g_stats
.emptyQueriesCount
++;
1987 if(g_logCommonErrors
) {
1988 g_log
<<Logger::Error
<<"Ignoring empty (qdcount == 0) query from "<< dc
->getRemote() <<" on server socket!"<<endl
;
1994 ++g_stats
.tcpqcounter
;
1995 MT
->makeThread(startDoResolve
, dc
.release()); // deletes dc, will set state to BYTE0 again
2002 //! Handle new incoming TCP connection
2003 static void handleNewTCPQuestion(int fd
, FDMultiplexer::funcparam_t
& )
2006 socklen_t addrlen
=sizeof(addr
);
2007 int newsock
=accept(fd
, (struct sockaddr
*)&addr
, &addrlen
);
2009 if(MT
->numProcesses() > g_maxMThreads
) {
2010 g_stats
.overCapacityDrops
++;
2012 closesocket(newsock
);
2014 catch(const PDNSException
& e
) {
2015 g_log
<<Logger::Error
<<"Error closing TCP socket after an over capacity drop: "<<e
.reason
<<endl
;
2021 t_remotes
->push_back(addr
);
2022 if(t_allowFrom
&& !t_allowFrom
->match(&addr
)) {
2024 g_log
<<Logger::Error
<<"["<<MT
->getTid()<<"] dropping TCP query from "<<addr
.toString()<<", address not matched by allow-from"<<endl
;
2026 g_stats
.unauthorizedTCP
++;
2028 closesocket(newsock
);
2030 catch(const PDNSException
& e
) {
2031 g_log
<<Logger::Error
<<"Error closing TCP socket after an ACL drop: "<<e
.reason
<<endl
;
2035 if(g_maxTCPPerClient
&& t_tcpClientCounts
->count(addr
) && (*t_tcpClientCounts
)[addr
] >= g_maxTCPPerClient
) {
2036 g_stats
.tcpClientOverflow
++;
2038 closesocket(newsock
); // don't call TCPConnection::closeAndCleanup here - did not enter it in the counts yet!
2040 catch(const PDNSException
& e
) {
2041 g_log
<<Logger::Error
<<"Error closing TCP socket after an overflow drop: "<<e
.reason
<<endl
;
2046 setNonBlocking(newsock
);
2047 std::shared_ptr
<TCPConnection
> tc
= std::make_shared
<TCPConnection
>(newsock
, addr
);
2048 tc
->state
=TCPConnection::BYTE0
;
2050 t_fdm
->addReadFD(tc
->getFD(), handleRunningTCPQuestion
, tc
);
2053 Utility::gettimeofday(&now
, 0);
2054 t_fdm
->setReadTTD(tc
->getFD(), now
, g_tcpTimeout
);
2058 static string
* doProcessUDPQuestion(const std::string
& question
, const ComboAddress
& fromaddr
, const ComboAddress
& destaddr
, struct timeval tv
, int fd
)
2060 gettimeofday(&g_now
, 0);
2061 struct timeval diff
= g_now
- tv
;
2062 double delta
=(diff
.tv_sec
*1000 + diff
.tv_usec
/1000.0);
2064 if(tv
.tv_sec
&& delta
> 1000.0) {
2065 g_stats
.tooOldDrops
++;
2070 if(fromaddr
.sin4
.sin_family
==AF_INET6
)
2071 g_stats
.ipv6qcounter
++;
2074 const struct dnsheader
* dh
= (struct dnsheader
*)question
.c_str();
2075 unsigned int ctag
=0;
2077 bool needECS
= false;
2078 bool needXPF
= g_XPFAcl
.match(fromaddr
);
2079 std::vector
<std::string
> policyTags
;
2080 LuaContext::LuaObject data
;
2081 ComboAddress source
= fromaddr
;
2082 ComboAddress destination
= destaddr
;
2085 bool logQuery
= false;
2086 #ifdef HAVE_PROTOBUF
2087 boost::uuids::uuid uniqueId
;
2088 auto luaconfsLocal
= g_luaconfs
.getLocal();
2089 if (checkProtobufExport(luaconfsLocal
)) {
2090 uniqueId
= getUniqueID();
2092 } else if (checkOutgoingProtobufExport(luaconfsLocal
)) {
2093 uniqueId
= getUniqueID();
2095 logQuery
= t_protobufServers
&& luaconfsLocal
->protobufExportConfig
.logQueries
;
2096 bool logResponse
= t_protobufServers
&& luaconfsLocal
->protobufExportConfig
.logResponses
;
2098 EDNSSubnetOpts ednssubnet
;
2099 bool ecsFound
= false;
2100 bool ecsParsed
= false;
2101 uint16_t ecsBegin
= 0;
2102 uint16_t ecsEnd
= 0;
2103 uint32_t ttlCap
= std::numeric_limits
<uint32_t>::max();
2104 bool variable
= false;
2110 bool qnameParsed
=false;
2113 static uint64_t last=0;
2115 g_mtracer->clearAllocators();
2116 cout<<g_mtracer->getAllocs()-last<<" "<<g_mtracer->getNumOut()<<" -- BEGIN TRACE"<<endl;
2117 last=g_mtracer->getAllocs();
2118 cout<<g_mtracer->topAllocatorsString()<<endl;
2119 g_mtracer->clearAllocators();
2123 if(needECS
|| needXPF
|| (t_pdl
&& (t_pdl
->d_gettag
|| t_pdl
->d_gettag_ffi
))) {
2125 EDNSOptionViewMap ednsOptions
;
2126 bool xpfFound
= false;
2130 getQNameAndSubnet(question
, &qname
, &qtype
, &qclass
,
2131 ecsFound
, &ednssubnet
, g_gettagNeedsEDNSOptions
? &ednsOptions
: nullptr,
2132 xpfFound
, needXPF
? &source
: nullptr, needXPF
? &destination
: nullptr);
2139 if (t_pdl
->d_gettag_ffi
) {
2140 ctag
= t_pdl
->gettag_ffi(source
, ednssubnet
.source
, destination
, qname
, qtype
, &policyTags
, data
, ednsOptions
, false, requestorId
, deviceId
, ttlCap
, variable
, logQuery
);
2142 else if (t_pdl
->d_gettag
) {
2143 ctag
= t_pdl
->gettag(source
, ednssubnet
.source
, destination
, qname
, qtype
, &policyTags
, data
, ednsOptions
, false, requestorId
, deviceId
);
2146 catch(const std::exception
& e
) {
2147 if(g_logCommonErrors
)
2148 g_log
<<Logger::Warning
<<"Error parsing a query packet qname='"<<qname
<<"' for tag determination, setting tag=0: "<<e
.what()<<endl
;
2152 catch(const std::exception
& e
)
2154 if(g_logCommonErrors
)
2155 g_log
<<Logger::Warning
<<"Error parsing a query packet for tag determination, setting tag=0: "<<e
.what()<<endl
;
2159 bool cacheHit
= false;
2160 boost::optional
<RecProtoBufMessage
> pbMessage(boost::none
);
2161 #ifdef HAVE_PROTOBUF
2162 if (t_protobufServers
) {
2163 pbMessage
= RecProtoBufMessage(DNSProtoBufMessage::DNSProtoBufMessageType::Response
);
2164 pbMessage
->setServerIdentity(SyncRes::s_serverID
);
2165 if (logQuery
&& !(luaconfsLocal
->protobufExportConfig
.taggedOnly
&& policyTags
.empty())) {
2166 protobufLogQuery(luaconfsLocal
->protobufMaskV4
, luaconfsLocal
->protobufMaskV6
, uniqueId
, source
, destination
, ednssubnet
.source
, false, dh
->id
, question
.size(), qname
, qtype
, qclass
, policyTags
, requestorId
, deviceId
);
2169 #endif /* HAVE_PROTOBUF */
2171 /* It might seem like a good idea to skip the packet cache lookup if we know that the answer is not cacheable,
2172 but it means that the hash would not be computed. If some script decides at a later time to mark back the answer
2173 as cacheable we would cache it with a wrong tag, so better safe than sorry. */
2176 cacheHit
= (!SyncRes::s_nopacketcache
&& t_packetCache
->getResponsePacket(ctag
, question
, qname
, qtype
, qclass
, g_now
.tv_sec
, &response
, &age
, &valState
, &qhash
, &ecsBegin
, &ecsEnd
, pbMessage
? &(*pbMessage
) : nullptr));
2179 cacheHit
= (!SyncRes::s_nopacketcache
&& t_packetCache
->getResponsePacket(ctag
, question
, qname
, &qtype
, &qclass
, g_now
.tv_sec
, &response
, &age
, &valState
, &qhash
, &ecsBegin
, &ecsEnd
, pbMessage
? &(*pbMessage
) : nullptr));
2183 if(valState
== Bogus
) {
2185 t_bogusremotes
->push_back(source
);
2186 if(t_bogusqueryring
)
2187 t_bogusqueryring
->push_back(make_pair(qname
, qtype
));
2190 #ifdef HAVE_PROTOBUF
2191 if(t_protobufServers
&& logResponse
&& !(luaconfsLocal
->protobufExportConfig
.taggedOnly
&& pbMessage
->getAppliedPolicy().empty() && pbMessage
->getPolicyTags().empty())) {
2192 Netmask
requestorNM(source
, source
.sin4
.sin_family
== AF_INET
? luaconfsLocal
->protobufMaskV4
: luaconfsLocal
->protobufMaskV6
);
2193 const ComboAddress
& requestor
= requestorNM
.getMaskedNetwork();
2194 pbMessage
->update(uniqueId
, &requestor
, &destination
, false, dh
->id
);
2195 pbMessage
->setEDNSSubnet(ednssubnet
.source
, ednssubnet
.source
.isIpv4() ? luaconfsLocal
->protobufMaskV4
: luaconfsLocal
->protobufMaskV6
);
2196 pbMessage
->setQueryTime(g_now
.tv_sec
, g_now
.tv_usec
);
2197 pbMessage
->setRequestorId(requestorId
);
2198 pbMessage
->setDeviceId(deviceId
);
2199 protobufLogResponse(*pbMessage
);
2201 #endif /* HAVE_PROTOBUF */
2203 g_log
<<Logger::Notice
<<t_id
<< " question answered from packet cache tag="<<ctag
<<" from "<<source
.toStringWithPort()<<(source
!= fromaddr
? " (via "+fromaddr
.toStringWithPort()+")" : "")<<endl
;
2205 g_stats
.packetCacheHits
++;
2206 SyncRes::s_queries
++;
2207 ageDNSPacket(response
, age
);
2211 fillMSGHdr(&msgh
, &iov
, cbuf
, 0, (char*)response
.c_str(), response
.length(), const_cast<ComboAddress
*>(&fromaddr
));
2212 msgh
.msg_control
=NULL
;
2214 if(g_fromtosockets
.count(fd
)) {
2215 addCMsgSrcAddr(&msgh
, cbuf
, &destaddr
, 0);
2217 if(sendmsg(fd
, &msgh
, 0) < 0 && g_logCommonErrors
)
2218 g_log
<<Logger::Warning
<<"Sending UDP reply to client "<<source
.toStringWithPort()<<(source
!= fromaddr
? " (via "+fromaddr
.toStringWithPort()+")" : "")<<" failed with: "<<strerror(errno
)<<endl
;
2220 if(response
.length() >= sizeof(struct dnsheader
)) {
2221 struct dnsheader tmpdh
;
2222 memcpy(&tmpdh
, response
.c_str(), sizeof(tmpdh
));
2223 updateResponseStats(tmpdh
.rcode
, source
, response
.length(), 0, 0);
2225 g_stats
.avgLatencyUsec
=(1-1.0/g_latencyStatSize
)*g_stats
.avgLatencyUsec
+ 0.0; // we assume 0 usec
2226 g_stats
.avgLatencyOursUsec
=(1-1.0/g_latencyStatSize
)*g_stats
.avgLatencyOursUsec
+ 0.0; // we assume 0 usec
2230 catch(std::exception
& e
) {
2231 g_log
<<Logger::Error
<<"Error processing or aging answer packet: "<<e
.what()<<endl
;
2236 if(t_pdl
->ipfilter(source
, destination
, *dh
)) {
2238 g_log
<<Logger::Notice
<<t_id
<<" ["<<MT
->getTid()<<"/"<<MT
->numProcesses()<<"] DROPPED question from "<<source
.toStringWithPort()<<(source
!= fromaddr
? " (via "+fromaddr
.toStringWithPort()+")" : "")<<" based on policy"<<endl
;
2239 g_stats
.policyDrops
++;
2244 if(MT
->numProcesses() > g_maxMThreads
) {
2246 g_log
<<Logger::Notice
<<t_id
<<" ["<<MT
->getTid()<<"/"<<MT
->numProcesses()<<"] DROPPED question from "<<source
.toStringWithPort()<<(source
!= fromaddr
? " (via "+fromaddr
.toStringWithPort()+")" : "")<<", over capacity"<<endl
;
2248 g_stats
.overCapacityDrops
++;
2252 auto dc
= std::unique_ptr
<DNSComboWriter
>(new DNSComboWriter(question
, g_now
, std::move(policyTags
), std::move(data
)));
2256 dc
->setRemote(fromaddr
);
2257 dc
->setSource(source
);
2258 dc
->setLocal(destaddr
);
2259 dc
->setDestination(destination
);
2261 dc
->d_ecsFound
= ecsFound
;
2262 dc
->d_ecsParsed
= ecsParsed
;
2263 dc
->d_ecsBegin
= ecsBegin
;
2264 dc
->d_ecsEnd
= ecsEnd
;
2265 dc
->d_ednssubnet
= ednssubnet
;
2266 dc
->d_ttlCap
= ttlCap
;
2267 dc
->d_variable
= variable
;
2268 #ifdef HAVE_PROTOBUF
2269 if (t_protobufServers
|| t_outgoingProtobufServers
) {
2270 dc
->d_uuid
= std::move(uniqueId
);
2272 dc
->d_requestorId
= requestorId
;
2273 dc
->d_deviceId
= deviceId
;
2276 MT
->makeThread(startDoResolve
, (void*) dc
.release()); // deletes dc
2281 static void handleNewUDPQuestion(int fd
, FDMultiplexer::funcparam_t
& var
)
2284 static const size_t maxIncomingQuerySize
= 512;
2285 static thread_local
std::string data
;
2286 ComboAddress fromaddr
;
2290 bool firstQuery
= true;
2292 for(size_t queriesCounter
= 0; queriesCounter
< s_maxUDPQueriesPerRound
; queriesCounter
++) {
2293 data
.resize(maxIncomingQuerySize
);
2294 fromaddr
.sin6
.sin6_family
=AF_INET6
; // this makes sure fromaddr is big enough
2295 fillMSGHdr(&msgh
, &iov
, cbuf
, sizeof(cbuf
), &data
[0], data
.size(), &fromaddr
);
2297 if((len
=recvmsg(fd
, &msgh
, 0)) >= 0) {
2301 if (static_cast<size_t>(len
) < sizeof(dnsheader
)) {
2302 g_stats
.ignoredCount
++;
2304 g_log
<<Logger::Error
<<"Ignoring too-short ("<<std::to_string(len
)<<") query from "<<fromaddr
.toString()<<endl
;
2309 if (msgh
.msg_flags
& MSG_TRUNC
) {
2310 g_stats
.truncatedDrops
++;
2312 g_log
<<Logger::Error
<<"Ignoring truncated query from "<<fromaddr
.toString()<<endl
;
2318 t_remotes
->push_back(fromaddr
);
2321 if(t_allowFrom
&& !t_allowFrom
->match(&fromaddr
)) {
2323 g_log
<<Logger::Error
<<"["<<MT
->getTid()<<"] dropping UDP query from "<<fromaddr
.toString()<<", address not matched by allow-from"<<endl
;
2326 g_stats
.unauthorizedUDP
++;
2329 BOOST_STATIC_ASSERT(offsetof(sockaddr_in
, sin_port
) == offsetof(sockaddr_in6
, sin6_port
));
2330 if(!fromaddr
.sin4
.sin_port
) { // also works for IPv6
2332 g_log
<<Logger::Error
<<"["<<MT
->getTid()<<"] dropping UDP query from "<<fromaddr
.toStringWithPort()<<", can't deal with port 0"<<endl
;
2335 g_stats
.clientParseError
++; // not quite the best place to put it, but needs to go somewhere
2340 data
.resize(static_cast<size_t>(len
));
2341 dnsheader
* dh
=(dnsheader
*)&data
[0];
2344 g_stats
.ignoredCount
++;
2345 if(g_logCommonErrors
) {
2346 g_log
<<Logger::Error
<<"Ignoring answer from "<<fromaddr
.toString()<<" on server socket!"<<endl
;
2349 else if(dh
->opcode
) {
2350 g_stats
.ignoredCount
++;
2351 if(g_logCommonErrors
) {
2352 g_log
<<Logger::Error
<<"Ignoring non-query opcode "<<dh
->opcode
<<" from "<<fromaddr
.toString()<<" on server socket!"<<endl
;
2355 else if (dh
->qdcount
== 0) {
2356 g_stats
.emptyQueriesCount
++;
2357 if(g_logCommonErrors
) {
2358 g_log
<<Logger::Error
<<"Ignoring empty (qdcount == 0) query from "<<fromaddr
.toString()<<" on server socket!"<<endl
;
2362 struct timeval tv
={0,0};
2363 HarvestTimestamp(&msgh
, &tv
);
2365 dest
.reset(); // this makes sure we ignore this address if not returned by recvmsg above
2366 auto loc
= rplookup(g_listenSocketsAddresses
, fd
);
2367 if(HarvestDestinationAddress(&msgh
, &dest
)) {
2368 // but.. need to get port too
2370 dest
.sin4
.sin_port
= loc
->sin4
.sin_port
;
2378 dest
.sin4
.sin_family
= fromaddr
.sin4
.sin_family
;
2379 socklen_t slen
= dest
.getSocklen();
2380 getsockname(fd
, (sockaddr
*)&dest
, &slen
); // if this fails, we're ok with it
2384 if(g_weDistributeQueries
) {
2385 distributeAsyncFunction(data
, boost::bind(doProcessUDPQuestion
, data
, fromaddr
, dest
, tv
, fd
));
2388 doProcessUDPQuestion(data
, fromaddr
, dest
, tv
, fd
);
2392 catch(const MOADNSException
&mde
) {
2393 g_stats
.clientParseError
++;
2394 if(g_logCommonErrors
) {
2395 g_log
<<Logger::Error
<<"Unable to parse packet from remote UDP client "<<fromaddr
.toString() <<": "<<mde
.what()<<endl
;
2398 catch(const std::runtime_error
& e
) {
2399 g_stats
.clientParseError
++;
2400 if(g_logCommonErrors
) {
2401 g_log
<<Logger::Error
<<"Unable to parse packet from remote UDP client "<<fromaddr
.toString() <<": "<<e
.what()<<endl
;
2406 // cerr<<t_id<<" had error: "<<stringerror()<<endl;
2407 if(firstQuery
&& errno
== EAGAIN
) {
2408 g_stats
.noPacketError
++;
2416 static void makeTCPServerSockets(deferredAdd_t
& deferredAdds
, std::set
<int>& tcpSockets
)
2419 vector
<string
>locals
;
2420 stringtok(locals
,::arg()["local-address"]," ,");
2423 throw PDNSException("No local address specified");
2425 for(vector
<string
>::const_iterator i
=locals
.begin();i
!=locals
.end();++i
) {
2427 st
.port
=::arg().asNum("local-port");
2428 parseService(*i
, st
);
2433 sin
.sin4
.sin_family
= AF_INET
;
2434 if(!IpToU32(st
.host
, (uint32_t*)&sin
.sin4
.sin_addr
.s_addr
)) {
2435 sin
.sin6
.sin6_family
= AF_INET6
;
2436 if(makeIPv6sockaddr(st
.host
, &sin
.sin6
) < 0)
2437 throw PDNSException("Unable to resolve local address for TCP server on '"+ st
.host
+"'");
2440 fd
=socket(sin
.sin6
.sin6_family
, SOCK_STREAM
, 0);
2442 throw PDNSException("Making a TCP server socket for resolver: "+stringerror());
2447 if(setsockopt(fd
, SOL_SOCKET
, SO_REUSEADDR
, &tmp
, sizeof tmp
)<0) {
2448 g_log
<<Logger::Error
<<"Setsockopt failed for TCP listening socket"<<endl
;
2451 if(sin
.sin6
.sin6_family
== AF_INET6
&& setsockopt(fd
, IPPROTO_IPV6
, IPV6_V6ONLY
, &tmp
, sizeof(tmp
)) < 0) {
2452 g_log
<<Logger::Error
<<"Failed to set IPv6 socket to IPv6 only, continuing anyhow: "<<strerror(errno
)<<endl
;
2455 #ifdef TCP_DEFER_ACCEPT
2456 if(setsockopt(fd
, IPPROTO_TCP
, TCP_DEFER_ACCEPT
, &tmp
, sizeof tmp
) >= 0) {
2457 if(i
==locals
.begin())
2458 g_log
<<Logger::Info
<<"Enabled TCP data-ready filter for (slight) DoS protection"<<endl
;
2462 if( ::arg().mustDo("non-local-bind") )
2463 Utility::setBindAny(AF_INET
, fd
);
2467 if(setsockopt(fd
, SOL_SOCKET
, SO_REUSEPORT
, &tmp
, sizeof(tmp
)) < 0)
2468 throw PDNSException("SO_REUSEPORT: "+stringerror());
2472 if (::arg().asNum("tcp-fast-open") > 0) {
2474 int fastOpenQueueSize
= ::arg().asNum("tcp-fast-open");
2475 if (setsockopt(fd
, IPPROTO_TCP
, TCP_FASTOPEN
, &fastOpenQueueSize
, sizeof fastOpenQueueSize
) < 0) {
2476 g_log
<<Logger::Error
<<"Failed to enable TCP Fast Open for listening socket: "<<strerror(errno
)<<endl
;
2479 g_log
<<Logger::Warning
<<"TCP Fast Open configured but not supported for listening socket"<<endl
;
2483 sin
.sin4
.sin_port
= htons(st
.port
);
2484 socklen_t socklen
=sin
.sin4
.sin_family
==AF_INET
? sizeof(sin
.sin4
) : sizeof(sin
.sin6
);
2485 if (::bind(fd
, (struct sockaddr
*)&sin
, socklen
)<0)
2486 throw PDNSException("Binding TCP server socket for "+ st
.host
+": "+stringerror());
2489 setSocketSendBuffer(fd
, 65000);
2491 deferredAdds
.push_back(make_pair(fd
, handleNewTCPQuestion
));
2492 tcpSockets
.insert(fd
);
2494 // we don't need to update g_listenSocketsAddresses since it doesn't work for TCP/IP:
2495 // - fd is not that which we know here, but returned from accept()
2496 if(sin
.sin4
.sin_family
== AF_INET
)
2497 g_log
<<Logger::Info
<<"Listening for TCP queries on "<< sin
.toString() <<":"<<st
.port
<<endl
;
2499 g_log
<<Logger::Info
<<"Listening for TCP queries on ["<< sin
.toString() <<"]:"<<st
.port
<<endl
;
2503 static void makeUDPServerSockets(deferredAdd_t
& deferredAdds
)
2506 vector
<string
>locals
;
2507 stringtok(locals
,::arg()["local-address"]," ,");
2510 throw PDNSException("No local address specified");
2512 for(vector
<string
>::const_iterator i
=locals
.begin();i
!=locals
.end();++i
) {
2514 st
.port
=::arg().asNum("local-port");
2515 parseService(*i
, st
);
2520 sin
.sin4
.sin_family
= AF_INET
;
2521 if(!IpToU32(st
.host
.c_str() , (uint32_t*)&sin
.sin4
.sin_addr
.s_addr
)) {
2522 sin
.sin6
.sin6_family
= AF_INET6
;
2523 if(makeIPv6sockaddr(st
.host
, &sin
.sin6
) < 0)
2524 throw PDNSException("Unable to resolve local address for UDP server on '"+ st
.host
+"'");
2527 int fd
=socket(sin
.sin4
.sin_family
, SOCK_DGRAM
, 0);
2529 throw PDNSException("Making a UDP server socket for resolver: "+netstringerror());
2531 if (!setSocketTimestamps(fd
))
2532 g_log
<<Logger::Warning
<<"Unable to enable timestamp reporting for socket"<<endl
;
2534 if(IsAnyAddress(sin
)) {
2535 if(sin
.sin4
.sin_family
== AF_INET
)
2536 if(!setsockopt(fd
, IPPROTO_IP
, GEN_IP_PKTINFO
, &one
, sizeof(one
))) // linux supports this, so why not - might fail on other systems
2537 g_fromtosockets
.insert(fd
);
2538 #ifdef IPV6_RECVPKTINFO
2539 if(sin
.sin4
.sin_family
== AF_INET6
)
2540 if(!setsockopt(fd
, IPPROTO_IPV6
, IPV6_RECVPKTINFO
, &one
, sizeof(one
)))
2541 g_fromtosockets
.insert(fd
);
2543 if(sin
.sin6
.sin6_family
== AF_INET6
&& setsockopt(fd
, IPPROTO_IPV6
, IPV6_V6ONLY
, &one
, sizeof(one
)) < 0) {
2544 g_log
<<Logger::Error
<<"Failed to set IPv6 socket to IPv6 only, continuing anyhow: "<<strerror(errno
)<<endl
;
2547 if( ::arg().mustDo("non-local-bind") )
2548 Utility::setBindAny(AF_INET6
, fd
);
2552 setSocketReceiveBuffer(fd
, 250000);
2553 sin
.sin4
.sin_port
= htons(st
.port
);
2558 if(setsockopt(fd
, SOL_SOCKET
, SO_REUSEPORT
, &one
, sizeof(one
)) < 0)
2559 throw PDNSException("SO_REUSEPORT: "+stringerror());
2562 socklen_t socklen
=sin
.getSocklen();
2563 if (::bind(fd
, (struct sockaddr
*)&sin
, socklen
)<0)
2564 throw PDNSException("Resolver binding to server socket on port "+ std::to_string(st
.port
) +" for "+ st
.host
+": "+stringerror());
2568 deferredAdds
.push_back(make_pair(fd
, handleNewUDPQuestion
));
2569 g_listenSocketsAddresses
[fd
]=sin
; // this is written to only from the startup thread, not from the workers
2570 if(sin
.sin4
.sin_family
== AF_INET
)
2571 g_log
<<Logger::Info
<<"Listening for UDP queries on "<< sin
.toString() <<":"<<st
.port
<<endl
;
2573 g_log
<<Logger::Info
<<"Listening for UDP queries on ["<< sin
.toString() <<"]:"<<st
.port
<<endl
;
2577 static void daemonize(void)
2584 int i
=open("/dev/null",O_RDWR
); /* open stdin */
2586 g_log
<<Logger::Critical
<<"Unable to open /dev/null: "<<stringerror()<<endl
;
2588 dup2(i
,0); /* stdin */
2589 dup2(i
,1); /* stderr */
2590 dup2(i
,2); /* stderr */
2595 static void usr1Handler(int)
2600 static void usr2Handler(int)
2603 SyncRes::setDefaultLogMode(g_quiet
? SyncRes::LogNone
: SyncRes::Log
);
2604 ::arg().set("quiet")=g_quiet
? "" : "no";
2607 static void doStats(void)
2609 static time_t lastOutputTime
;
2610 static uint64_t lastQueryCount
;
2612 uint64_t cacheHits
= broadcastAccFunction
<uint64_t>(pleaseGetCacheHits
);
2613 uint64_t cacheMisses
= broadcastAccFunction
<uint64_t>(pleaseGetCacheMisses
);
2615 if(g_stats
.qcounter
&& (cacheHits
+ cacheMisses
) && SyncRes::s_queries
&& SyncRes::s_outqueries
) {
2616 g_log
<<Logger::Notice
<<"stats: "<<g_stats
.qcounter
<<" questions, "<<
2617 broadcastAccFunction
<uint64_t>(pleaseGetCacheSize
)<< " cache entries, "<<
2618 broadcastAccFunction
<uint64_t>(pleaseGetNegCacheSize
)<<" negative entries, "<<
2619 (int)((cacheHits
*100.0)/(cacheHits
+cacheMisses
))<<"% cache hits"<<endl
;
2621 g_log
<<Logger::Notice
<<"stats: throttle map: "
2622 << broadcastAccFunction
<uint64_t>(pleaseGetThrottleSize
) <<", ns speeds: "
2623 << broadcastAccFunction
<uint64_t>(pleaseGetNsSpeedsSize
)<<endl
;
2624 g_log
<<Logger::Notice
<<"stats: outpacket/query ratio "<<(int)(SyncRes::s_outqueries
*100.0/SyncRes::s_queries
)<<"%";
2625 g_log
<<Logger::Notice
<<", "<<(int)(SyncRes::s_throttledqueries
*100.0/(SyncRes::s_outqueries
+SyncRes::s_throttledqueries
))<<"% throttled, "
2626 <<SyncRes::s_nodelegated
<<" no-delegation drops"<<endl
;
2627 g_log
<<Logger::Notice
<<"stats: "<<SyncRes::s_tcpoutqueries
<<" outgoing tcp connections, "<<
2628 broadcastAccFunction
<uint64_t>(pleaseGetConcurrentQueries
)<<" queries running, "<<SyncRes::s_outgoingtimeouts
<<" outgoing timeouts"<<endl
;
2630 //g_log<<Logger::Notice<<"stats: "<<g_stats.ednsPingMatches<<" ping matches, "<<g_stats.ednsPingMismatches<<" mismatches, "<<
2631 //g_stats.noPingOutQueries<<" outqueries w/o ping, "<< g_stats.noEdnsOutQueries<<" w/o EDNS"<<endl;
2633 g_log
<<Logger::Notice
<<"stats: " << broadcastAccFunction
<uint64_t>(pleaseGetPacketCacheSize
) <<
2634 " packet cache entries, "<<(int)(100.0*broadcastAccFunction
<uint64_t>(pleaseGetPacketCacheHits
)/SyncRes::s_queries
) << "% packet cache hits"<<endl
;
2636 time_t now
= time(0);
2637 if(lastOutputTime
&& lastQueryCount
&& now
!= lastOutputTime
) {
2638 g_log
<<Logger::Notice
<<"stats: "<< (SyncRes::s_queries
- lastQueryCount
) / (now
- lastOutputTime
) <<" qps (average over "<< (now
- lastOutputTime
) << " seconds)"<<endl
;
2640 lastOutputTime
= now
;
2641 lastQueryCount
= SyncRes::s_queries
;
2643 else if(statsWanted
)
2644 g_log
<<Logger::Notice
<<"stats: no stats yet!"<<endl
;
2649 static void houseKeeping(void *)
2651 static thread_local
time_t last_rootupdate
, last_prune
, last_secpoll
, last_trustAnchorUpdate
{0};
2652 static thread_local
int cleanCounter
=0;
2653 static thread_local
bool s_running
; // houseKeeping can get suspended in secpoll, and be restarted, which makes us do duplicate work
2654 auto luaconfsLocal
= g_luaconfs
.getLocal();
2656 if (last_trustAnchorUpdate
== 0 && !luaconfsLocal
->trustAnchorFileInfo
.fname
.empty() && luaconfsLocal
->trustAnchorFileInfo
.interval
!= 0) {
2657 // Loading the Lua config file already "refreshed" the TAs
2658 last_trustAnchorUpdate
= g_now
.tv_sec
+ luaconfsLocal
->trustAnchorFileInfo
.interval
* 3600;
2667 Utility::gettimeofday(&now
, 0);
2669 if(now
.tv_sec
- last_prune
> (time_t)(5 + t_id
)) {
2672 t_RC
->doPrune(g_maxCacheEntries
/ g_numThreads
); // this function is local to a thread, so fine anyhow
2673 t_packetCache
->doPruneTo(g_maxPacketCacheEntries
/ g_numWorkerThreads
);
2675 SyncRes::pruneNegCache(g_maxCacheEntries
/ (g_numWorkerThreads
* 10));
2677 if(!((cleanCounter
++)%40)) { // this is a full scan!
2678 time_t limit
=now
.tv_sec
-300;
2679 SyncRes::pruneNSSpeeds(limit
);
2684 if(now
.tv_sec
- last_rootupdate
> 7200) {
2685 int res
= SyncRes::getRootNS(g_now
, nullptr);
2687 last_rootupdate
=now
.tv_sec
;
2690 if(isHandlerThread()) {
2692 if(now
.tv_sec
- last_secpoll
>= 3600) {
2694 doSecPoll(&last_secpoll
);
2696 catch(std::exception
& e
)
2698 g_log
<<Logger::Error
<<"Exception while performing security poll: "<<e
.what()<<endl
;
2700 catch(PDNSException
& e
)
2702 g_log
<<Logger::Error
<<"Exception while performing security poll: "<<e
.reason
<<endl
;
2704 catch(ImmediateServFailException
&e
)
2706 g_log
<<Logger::Error
<<"Exception while performing security poll: "<<e
.reason
<<endl
;
2710 g_log
<<Logger::Error
<<"Exception while performing security poll"<<endl
;
2714 if (!luaconfsLocal
->trustAnchorFileInfo
.fname
.empty() && luaconfsLocal
->trustAnchorFileInfo
.interval
!= 0 &&
2715 g_now
.tv_sec
- last_trustAnchorUpdate
>= (luaconfsLocal
->trustAnchorFileInfo
.interval
* 3600)) {
2716 g_log
<<Logger::Debug
<<"Refreshing Trust Anchors from file"<<endl
;
2718 map
<DNSName
, dsmap_t
> dsAnchors
;
2719 if (updateTrustAnchorsFromFile(luaconfsLocal
->trustAnchorFileInfo
.fname
, dsAnchors
)) {
2720 g_luaconfs
.modify([&dsAnchors
](LuaConfigItems
& lci
) {
2721 lci
.dsAnchors
= dsAnchors
;
2724 last_trustAnchorUpdate
= now
.tv_sec
;
2725 } catch (const PDNSException
&pe
) {
2726 g_log
<<Logger::Error
<<"Unable to update Trust Anchors: "<<pe
.reason
<<endl
;
2732 catch(PDNSException
& ae
)
2735 g_log
<<Logger::Error
<<"Fatal error in housekeeping thread: "<<ae
.reason
<<endl
;
2740 static void makeThreadPipes()
2742 /* thread 0 is the handler / SNMP, we start at 1 */
2743 for(unsigned int n
= 1; n
<= (g_numWorkerThreads
+ g_numDistributorThreads
); ++n
) {
2744 auto& threadInfos
= s_threadInfos
.at(n
);
2748 unixDie("Creating pipe for inter-thread communications");
2750 threadInfos
.pipes
.readToThread
= fd
[0];
2751 threadInfos
.pipes
.writeToThread
= fd
[1];
2754 unixDie("Creating pipe for inter-thread communications");
2756 threadInfos
.pipes
.readFromThread
= fd
[0];
2757 threadInfos
.pipes
.writeFromThread
= fd
[1];
2760 unixDie("Creating pipe for inter-thread communications");
2762 threadInfos
.pipes
.readQueriesToThread
= fd
[0];
2763 threadInfos
.pipes
.writeQueriesToThread
= fd
[1];
2765 if (!setNonBlocking(threadInfos
.pipes
.writeQueriesToThread
)) {
2766 unixDie("Making pipe for inter-thread communications non-blocking");
2777 void broadcastFunction(const pipefunc_t
& func
)
2779 /* This function might be called by the worker with t_id 0 during startup
2780 for the initialization of ACLs and domain maps. After that it should only
2781 be called by the handler. */
2783 if (s_threadInfos
.empty() && isHandlerThread()) {
2784 /* the handler and distributors will call themselves below, but
2785 during startup we get called while s_threadInfos has not been
2786 populated yet to update the ACL or domain maps, so we need to
2793 for (const auto& threadInfo
: s_threadInfos
) {
2795 func(); // don't write to ourselves!
2799 ThreadMSG
* tmsg
= new ThreadMSG();
2801 tmsg
->wantAnswer
= true;
2802 if(write(threadInfo
.pipes
.writeToThread
, &tmsg
, sizeof(tmsg
)) != sizeof(tmsg
)) {
2805 unixDie("write to thread pipe returned wrong size or error");
2808 string
* resp
= nullptr;
2809 if(read(threadInfo
.pipes
.readFromThread
, &resp
, sizeof(resp
)) != sizeof(resp
))
2810 unixDie("read from thread pipe returned wrong size or error");
2819 static bool trySendingQueryToWorker(unsigned int target
, ThreadMSG
* tmsg
)
2821 const auto& targetInfo
= s_threadInfos
[target
];
2822 if(!targetInfo
.isWorker
) {
2823 g_log
<<Logger::Error
<<"distributeAsyncFunction() tried to assign a query to a non-worker thread"<<endl
;
2827 const auto& tps
= targetInfo
.pipes
;
2829 ssize_t written
= write(tps
.writeQueriesToThread
, &tmsg
, sizeof(tmsg
));
2831 if (static_cast<size_t>(written
) != sizeof(tmsg
)) {
2833 unixDie("write to thread pipe returned wrong size or error");
2838 if (error
== EAGAIN
|| error
== EWOULDBLOCK
) {
2842 unixDie("write to thread pipe returned wrong size or error:" + std::to_string(error
));
2849 // This function is only called by the distributor threads, when pdns-distributes-queries is set
2850 void distributeAsyncFunction(const string
& packet
, const pipefunc_t
& func
)
2852 if (!isDistributorThread()) {
2853 g_log
<<Logger::Error
<<"distributeAsyncFunction() has been called by a worker ("<<t_id
<<")"<<endl
;
2857 unsigned int hash
= hashQuestion(packet
.c_str(), packet
.length(), g_disthashseed
);
2858 unsigned int target
= /* skip handler */ 1 + g_numDistributorThreads
+ (hash
% g_numWorkerThreads
);
2860 ThreadMSG
* tmsg
= new ThreadMSG();
2862 tmsg
->wantAnswer
= false;
2864 if (!trySendingQueryToWorker(target
, tmsg
)) {
2865 /* if this function failed but did not raise an exception, it means that the pipe
2866 was full, let's try another one */
2867 unsigned int newTarget
= 0;
2869 newTarget
= /* skip handler */ 1 + g_numDistributorThreads
+ dns_random(g_numWorkerThreads
);
2870 } while (newTarget
== target
);
2872 if (!trySendingQueryToWorker(newTarget
, tmsg
)) {
2873 g_stats
.queryPipeFullDrops
++;
2879 static void handlePipeRequest(int fd
, FDMultiplexer::funcparam_t
& var
)
2881 ThreadMSG
* tmsg
= nullptr;
2883 if(read(fd
, &tmsg
, sizeof(tmsg
)) != sizeof(tmsg
)) { // fd == readToThread || fd == readQueriesToThread
2884 unixDie("read from thread pipe returned wrong size or error");
2889 resp
= tmsg
->func();
2891 catch(std::exception
& e
) {
2892 if(g_logCommonErrors
)
2893 g_log
<<Logger::Error
<<"PIPE function we executed created exception: "<<e
.what()<<endl
; // but what if they wanted an answer.. we send 0
2895 catch(PDNSException
& e
) {
2896 if(g_logCommonErrors
)
2897 g_log
<<Logger::Error
<<"PIPE function we executed created PDNS exception: "<<e
.reason
<<endl
; // but what if they wanted an answer.. we send 0
2899 if(tmsg
->wantAnswer
) {
2900 const auto& threadInfo
= s_threadInfos
.at(t_id
);
2901 if(write(threadInfo
.pipes
.writeFromThread
, &resp
, sizeof(resp
)) != sizeof(resp
)) {
2903 unixDie("write to thread pipe returned wrong size or error");
2910 template<class T
> void *voider(const boost::function
<T
*()>& func
)
2915 vector
<ComboAddress
>& operator+=(vector
<ComboAddress
>&a
, const vector
<ComboAddress
>& b
)
2917 a
.insert(a
.end(), b
.begin(), b
.end());
2921 vector
<pair
<string
, uint16_t> >& operator+=(vector
<pair
<string
, uint16_t> >&a
, const vector
<pair
<string
, uint16_t> >& b
)
2923 a
.insert(a
.end(), b
.begin(), b
.end());
2927 vector
<pair
<DNSName
, uint16_t> >& operator+=(vector
<pair
<DNSName
, uint16_t> >&a
, const vector
<pair
<DNSName
, uint16_t> >& b
)
2929 a
.insert(a
.end(), b
.begin(), b
.end());
2935 This function should only be called by the handler to gather metrics, wipe the cache,
2936 reload the Lua script (not the Lua config) or change the current trace regex,
2937 and by the SNMP thread to gather metrics. */
2938 template<class T
> T
broadcastAccFunction(const boost::function
<T
*()>& func
)
2940 if (!isHandlerThread()) {
2941 g_log
<<Logger::Error
<<"broadcastAccFunction has been called by a worker ("<<t_id
<<")"<<endl
;
2947 for (const auto& threadInfo
: s_threadInfos
) {
2952 const auto& tps
= threadInfo
.pipes
;
2953 ThreadMSG
* tmsg
= new ThreadMSG();
2954 tmsg
->func
= boost::bind(voider
<T
>, func
);
2955 tmsg
->wantAnswer
= true;
2957 if(write(tps
.writeToThread
, &tmsg
, sizeof(tmsg
)) != sizeof(tmsg
)) {
2959 unixDie("write to thread pipe returned wrong size or error");
2963 if(read(tps
.readFromThread
, &resp
, sizeof(resp
)) != sizeof(resp
))
2964 unixDie("read from thread pipe returned wrong size or error");
2975 template string
broadcastAccFunction(const boost::function
<string
*()>& fun
); // explicit instantiation
2976 template uint64_t broadcastAccFunction(const boost::function
<uint64_t*()>& fun
); // explicit instantiation
2977 template vector
<ComboAddress
> broadcastAccFunction(const boost::function
<vector
<ComboAddress
> *()>& fun
); // explicit instantiation
2978 template vector
<pair
<DNSName
,uint16_t> > broadcastAccFunction(const boost::function
<vector
<pair
<DNSName
, uint16_t> > *()>& fun
); // explicit instantiation
2980 static void handleRCC(int fd
, FDMultiplexer::funcparam_t
& var
)
2983 string msg
=s_rcc
.recv(&remote
);
2984 RecursorControlParser rcp
;
2985 RecursorControlParser::func_t
* command
;
2987 string answer
=rcp
.getAnswer(msg
, &command
);
2989 // If we are inside a chroot, we need to strip
2990 if (!arg()["chroot"].empty()) {
2991 size_t len
= arg()["chroot"].length();
2992 remote
= remote
.substr(len
);
2996 s_rcc
.send(answer
, &remote
);
2999 catch(std::exception
& e
) {
3000 g_log
<<Logger::Error
<<"Error dealing with control socket request: "<<e
.what()<<endl
;
3002 catch(PDNSException
& ae
) {
3003 g_log
<<Logger::Error
<<"Error dealing with control socket request: "<<ae
.reason
<<endl
;
3007 static void handleTCPClientReadable(int fd
, FDMultiplexer::funcparam_t
& var
)
3009 PacketID
* pident
=any_cast
<PacketID
>(&var
);
3010 // cerr<<"handleTCPClientReadable called for fd "<<fd<<", pident->inNeeded: "<<pident->inNeeded<<", "<<pident->sock->getHandle()<<endl;
3012 shared_array
<char> buffer(new char[pident
->inNeeded
]);
3014 ssize_t ret
=recv(fd
, buffer
.get(), pident
->inNeeded
,0);
3016 pident
->inMSG
.append(&buffer
[0], &buffer
[ret
]);
3017 pident
->inNeeded
-=(size_t)ret
;
3018 if(!pident
->inNeeded
|| pident
->inIncompleteOkay
) {
3019 // cerr<<"Got entire load of "<<pident->inMSG.size()<<" bytes"<<endl;
3020 PacketID pid
=*pident
;
3021 string msg
=pident
->inMSG
;
3023 t_fdm
->removeReadFD(fd
);
3024 MT
->sendEvent(pid
, &msg
);
3027 // cerr<<"Still have "<<pident->inNeeded<<" left to go"<<endl;
3031 PacketID tmp
=*pident
;
3032 t_fdm
->removeReadFD(fd
); // pident might now be invalid (it isn't, but still)
3034 MT
->sendEvent(tmp
, &empty
); // this conveys error status
3038 static void handleTCPClientWritable(int fd
, FDMultiplexer::funcparam_t
& var
)
3040 PacketID
* pid
=any_cast
<PacketID
>(&var
);
3041 ssize_t ret
=send(fd
, pid
->outMSG
.c_str() + pid
->outPos
, pid
->outMSG
.size() - pid
->outPos
,0);
3043 pid
->outPos
+=(ssize_t
)ret
;
3044 if(pid
->outPos
==pid
->outMSG
.size()) {
3046 t_fdm
->removeWriteFD(fd
);
3047 MT
->sendEvent(tmp
, &tmp
.outMSG
); // send back what we sent to convey everything is ok
3050 else { // error or EOF
3052 t_fdm
->removeWriteFD(fd
);
3054 MT
->sendEvent(tmp
, &sent
); // we convey error status by sending empty string
3058 // resend event to everybody chained onto it
3059 static void doResends(MT_t::waiters_t::iterator
& iter
, PacketID resend
, const string
& content
)
3061 if(iter
->key
.chain
.empty())
3063 // cerr<<"doResends called!\n";
3064 for(PacketID::chain_t::iterator i
=iter
->key
.chain
.begin(); i
!= iter
->key
.chain
.end() ; ++i
) {
3067 // cerr<<"\tResending "<<content.size()<<" bytes for fd="<<resend.fd<<" and id="<<resend.id<<endl;
3069 MT
->sendEvent(resend
, &content
);
3070 g_stats
.chainResends
++;
3074 static void handleUDPServerResponse(int fd
, FDMultiplexer::funcparam_t
& var
)
3076 PacketID pid
=any_cast
<PacketID
>(var
);
3079 packet
.resize(g_outgoingEDNSBufsize
);
3080 ComboAddress fromaddr
;
3081 socklen_t addrlen
=sizeof(fromaddr
);
3083 len
=recvfrom(fd
, &packet
.at(0), packet
.size(), 0, (sockaddr
*)&fromaddr
, &addrlen
);
3085 if(len
< (ssize_t
) sizeof(dnsheader
)) {
3087 ; // cerr<<"Error on fd "<<fd<<": "<<stringerror()<<"\n";
3089 g_stats
.serverParseError
++;
3090 if(g_logCommonErrors
)
3091 g_log
<<Logger::Error
<<"Unable to parse packet from remote UDP server "<< fromaddr
.toString() <<
3092 ": packet smaller than DNS header"<<endl
;
3095 t_udpclientsocks
->returnSocket(fd
);
3098 MT_t::waiters_t::iterator iter
=MT
->d_waiters
.find(pid
);
3099 if(iter
!= MT
->d_waiters
.end())
3100 doResends(iter
, pid
, empty
);
3102 MT
->sendEvent(pid
, &empty
); // this denotes error (does lookup again.. at least L1 will be hot)
3108 memcpy(&dh
, &packet
.at(0), sizeof(dh
));
3111 pident
.remote
=fromaddr
;
3115 if(!dh
.qr
&& g_logCommonErrors
) {
3116 g_log
<<Logger::Notice
<<"Not taking data from question on outgoing socket from "<< fromaddr
.toStringWithPort() <<endl
;
3119 if(!dh
.qdcount
|| // UPC, Nominum, very old BIND on FormErr, NSD
3120 !dh
.qr
) { // one weird server
3121 pident
.domain
.clear();
3127 pident
.domain
=DNSName(&packet
.at(0), len
, 12, false, &pident
.type
); // don't copy this from above - we need to do the actual read
3129 catch(std::exception
& e
) {
3130 g_stats
.serverParseError
++; // won't be fed to lwres.cc, so we have to increment
3131 g_log
<<Logger::Warning
<<"Error in packet from remote nameserver "<< fromaddr
.toStringWithPort() << ": "<<e
.what() << endl
;
3136 MT_t::waiters_t::iterator iter
=MT
->d_waiters
.find(pident
);
3137 if(iter
!= MT
->d_waiters
.end()) {
3138 doResends(iter
, pident
, packet
);
3143 if(!MT
->sendEvent(pident
, &packet
)) {
3144 // we do a full scan for outstanding queries on unexpected answers. not too bad since we only accept them on the right port number, which is hard enough to guess
3145 for(MT_t::waiters_t::iterator mthread
=MT
->d_waiters
.begin(); mthread
!=MT
->d_waiters
.end(); ++mthread
) {
3146 if(pident
.fd
==mthread
->key
.fd
&& mthread
->key
.remote
==pident
.remote
&& mthread
->key
.type
== pident
.type
&&
3147 pident
.domain
== mthread
->key
.domain
) {
3148 mthread
->key
.nearMisses
++;
3151 // be a bit paranoid here since we're weakening our matching
3152 if(pident
.domain
.empty() && !mthread
->key
.domain
.empty() && !pident
.type
&& mthread
->key
.type
&&
3153 pident
.id
== mthread
->key
.id
&& mthread
->key
.remote
== pident
.remote
) {
3154 // cerr<<"Empty response, rest matches though, sending to a waiter"<<endl;
3155 pident
.domain
= mthread
->key
.domain
;
3156 pident
.type
= mthread
->key
.type
;
3157 goto retryWithName
; // note that this only passes on an error, lwres will still reject the packet
3160 g_stats
.unexpectedCount
++; // if we made it here, it really is an unexpected answer
3161 if(g_logCommonErrors
) {
3162 g_log
<<Logger::Warning
<<"Discarding unexpected packet from "<<fromaddr
.toStringWithPort()<<": "<< (pident
.domain
.empty() ? "<empty>" : pident
.domain
.toString())<<", "<<pident
.type
<<", "<<MT
->d_waiters
.size()<<" waiters"<<endl
;
3166 t_udpclientsocks
->returnSocket(fd
);
3170 FDMultiplexer
* getMultiplexer()
3173 for(const auto& i
: FDMultiplexer::getMultiplexerMap()) {
3178 catch(FDMultiplexerException
&fe
) {
3179 g_log
<<Logger::Error
<<"Non-fatal error initializing possible multiplexer ("<<fe
.what()<<"), falling back"<<endl
;
3182 g_log
<<Logger::Error
<<"Non-fatal error initializing possible multiplexer"<<endl
;
3185 g_log
<<Logger::Error
<<"No working multiplexer found!"<<endl
;
3190 static string
* doReloadLuaScript()
3192 string fname
= ::arg()["lua-dns-script"];
3196 g_log
<<Logger::Info
<<t_id
<<" Unloaded current lua script"<<endl
;
3197 return new string("unloaded\n");
3200 t_pdl
= std::make_shared
<RecursorLua4
>();
3201 t_pdl
->loadFile(fname
);
3204 catch(std::exception
& e
) {
3205 g_log
<<Logger::Error
<<t_id
<<" Retaining current script, error from '"<<fname
<<"': "<< e
.what() <<endl
;
3206 return new string("retaining current script, error from '"+fname
+"': "+e
.what()+"\n");
3209 g_log
<<Logger::Warning
<<t_id
<<" (Re)loaded lua script from '"<<fname
<<"'"<<endl
;
3210 return new string("(re)loaded '"+fname
+"'\n");
3213 string
doQueueReloadLuaScript(vector
<string
>::const_iterator begin
, vector
<string
>::const_iterator end
)
3216 ::arg().set("lua-dns-script") = *begin
;
3218 return broadcastAccFunction
<string
>(doReloadLuaScript
);
3221 static string
* pleaseUseNewTraceRegex(const std::string
& newRegex
)
3224 if(newRegex
.empty()) {
3225 t_traceRegex
.reset();
3226 return new string("unset\n");
3229 t_traceRegex
= std::make_shared
<Regex
>(newRegex
);
3230 return new string("ok\n");
3233 catch(PDNSException
& ae
)
3235 return new string(ae
.reason
+"\n");
3238 string
doTraceRegex(vector
<string
>::const_iterator begin
, vector
<string
>::const_iterator end
)
3240 return broadcastAccFunction
<string
>(boost::bind(pleaseUseNewTraceRegex
, begin
!=end
? *begin
: ""));
3243 static void checkLinuxIPv6Limits()
3247 if(readFileIfThere("/proc/sys/net/ipv6/route/max_size", &line
)) {
3248 int lim
=std::stoi(line
);
3250 g_log
<<Logger::Error
<<"If using IPv6, please raise sysctl net.ipv6.route.max_size, currently set to "<<lim
<<" which is < 16384"<<endl
;
3255 static void checkOrFixFDS()
3257 unsigned int availFDs
=getFilenumLimit();
3258 unsigned int wantFDs
= g_maxMThreads
* g_numWorkerThreads
+25; // even healthier margin then before
3260 if(wantFDs
> availFDs
) {
3261 unsigned int hardlimit
= getFilenumLimit(true);
3262 if(hardlimit
>= wantFDs
) {
3263 setFilenumLimit(wantFDs
);
3264 g_log
<<Logger::Warning
<<"Raised soft limit on number of filedescriptors to "<<wantFDs
<<" to match max-mthreads and threads settings"<<endl
;
3267 int newval
= (hardlimit
- 25) / g_numWorkerThreads
;
3268 g_log
<<Logger::Warning
<<"Insufficient number of filedescriptors available for max-mthreads*threads setting! ("<<hardlimit
<<" < "<<wantFDs
<<"), reducing max-mthreads to "<<newval
<<endl
;
3269 g_maxMThreads
= newval
;
3270 setFilenumLimit(hardlimit
);
3275 static void* recursorThread(unsigned int tid
, const string
& threadName
);
3277 static void* pleaseSupplantACLs(std::shared_ptr
<NetmaskGroup
> ng
)
3288 static bool l_initialized
;
3290 if(l_initialized
) { // only reload configuration file on second call
3291 string configname
=::arg()["config-dir"]+"/recursor.conf";
3292 if(::arg()["config-name"]!="") {
3293 configname
=::arg()["config-dir"]+"/recursor-"+::arg()["config-name"]+".conf";
3295 cleanSlashes(configname
);
3297 if(!::arg().preParseFile(configname
.c_str(), "allow-from-file"))
3298 throw runtime_error("Unable to re-parse configuration file '"+configname
+"'");
3299 ::arg().preParseFile(configname
.c_str(), "allow-from", LOCAL_NETS
);
3300 ::arg().preParseFile(configname
.c_str(), "include-dir");
3301 ::arg().preParse(g_argc
, g_argv
, "include-dir");
3303 // then process includes
3304 std::vector
<std::string
> extraConfigs
;
3305 ::arg().gatherIncludes(extraConfigs
);
3307 for(const std::string
& fn
: extraConfigs
) {
3308 if(!::arg().preParseFile(fn
.c_str(), "allow-from-file", ::arg()["allow-from-file"]))
3309 throw runtime_error("Unable to re-parse configuration file include '"+fn
+"'");
3310 if(!::arg().preParseFile(fn
.c_str(), "allow-from", ::arg()["allow-from"]))
3311 throw runtime_error("Unable to re-parse configuration file include '"+fn
+"'");
3314 ::arg().preParse(g_argc
, g_argv
, "allow-from-file");
3315 ::arg().preParse(g_argc
, g_argv
, "allow-from");
3318 std::shared_ptr
<NetmaskGroup
> oldAllowFrom
= t_allowFrom
;
3319 std::shared_ptr
<NetmaskGroup
> allowFrom
= std::make_shared
<NetmaskGroup
>();
3321 if(!::arg()["allow-from-file"].empty()) {
3323 ifstream
ifs(::arg()["allow-from-file"].c_str());
3325 throw runtime_error("Could not open '"+::arg()["allow-from-file"]+"': "+stringerror());
3328 string::size_type pos
;
3329 while(getline(ifs
,line
)) {
3331 if(pos
!=string::npos
)
3337 allowFrom
->addMask(line
);
3339 g_log
<<Logger::Warning
<<"Done parsing " << allowFrom
->size() <<" allow-from ranges from file '"<<::arg()["allow-from-file"]<<"' - overriding 'allow-from' setting"<<endl
;
3341 else if(!::arg()["allow-from"].empty()) {
3343 stringtok(ips
, ::arg()["allow-from"], ", ");
3345 g_log
<<Logger::Warning
<<"Only allowing queries from: ";
3346 for(vector
<string
>::const_iterator i
= ips
.begin(); i
!= ips
.end(); ++i
) {
3347 allowFrom
->addMask(*i
);
3349 g_log
<<Logger::Warning
<<", ";
3350 g_log
<<Logger::Warning
<<*i
;
3352 g_log
<<Logger::Warning
<<endl
;
3355 if(::arg()["local-address"]!="127.0.0.1" && ::arg().asNum("local-port")==53)
3356 g_log
<<Logger::Warning
<<"WARNING: Allowing queries from all IP addresses - this can be a security risk!"<<endl
;
3357 allowFrom
= nullptr;
3360 g_initialAllowFrom
= allowFrom
;
3361 broadcastFunction(boost::bind(pleaseSupplantACLs
, allowFrom
));
3362 oldAllowFrom
= nullptr;
3364 l_initialized
= true;
3368 static void setupDelegationOnly()
3370 vector
<string
> parts
;
3371 stringtok(parts
, ::arg()["delegation-only"], ", \t");
3372 for(const auto& p
: parts
) {
3373 SyncRes::addDelegationOnly(DNSName(p
));
3377 static std::map
<unsigned int, std::set
<int> > parseCPUMap()
3379 std::map
<unsigned int, std::set
<int> > result
;
3381 const std::string value
= ::arg()["cpu-map"];
3383 if (!value
.empty() && !isSettingThreadCPUAffinitySupported()) {
3384 g_log
<<Logger::Warning
<<"CPU mapping requested but not supported, skipping"<<endl
;
3388 std::vector
<std::string
> parts
;
3390 stringtok(parts
, value
, " \t");
3392 for(const auto& part
: parts
) {
3393 if (part
.find('=') == string::npos
)
3397 auto headers
= splitField(part
, '=');
3398 trim(headers
.first
);
3399 trim(headers
.second
);
3401 unsigned int threadId
= pdns_stou(headers
.first
);
3402 std::vector
<std::string
> cpus
;
3404 stringtok(cpus
, headers
.second
, ",");
3406 for(const auto& cpu
: cpus
) {
3407 int cpuId
= std::stoi(cpu
);
3409 result
[threadId
].insert(cpuId
);
3412 catch(const std::exception
& e
) {
3413 g_log
<<Logger::Error
<<"Error parsing cpu-map entry '"<<part
<<"': "<<e
.what()<<endl
;
3420 static void setCPUMap(const std::map
<unsigned int, std::set
<int> >& cpusMap
, unsigned int n
, pthread_t tid
)
3422 const auto& cpuMapping
= cpusMap
.find(n
);
3423 if (cpuMapping
!= cpusMap
.cend()) {
3424 int rc
= mapThreadToCPUList(tid
, cpuMapping
->second
);
3426 g_log
<<Logger::Info
<<"CPU affinity for worker "<<n
<<" has been set to CPU map:";
3427 for (const auto cpu
: cpuMapping
->second
) {
3428 g_log
<<Logger::Info
<<" "<<cpu
;
3430 g_log
<<Logger::Info
<<endl
;
3433 g_log
<<Logger::Warning
<<"Error setting CPU affinity for worker "<<n
<<" to CPU map:";
3434 for (const auto cpu
: cpuMapping
->second
) {
3435 g_log
<<Logger::Info
<<" "<<cpu
;
3437 g_log
<<Logger::Info
<<strerror(rc
)<<endl
;
3443 static void setupNODThread()
3446 uint32_t num_cells
= ::arg().asNum("new-domain-db-size");
3447 t_nodDBp
= std::make_shared
<nod::NODDB
>(num_cells
);
3449 t_nodDBp
->setCacheDir(::arg()["new-domain-history-dir"]);
3451 catch (const PDNSException
& e
) {
3452 g_log
<<Logger::Error
<<"new-domain-history-dir (" << ::arg()["new-domain-history-dir"] << ") is not readable or does not exist"<<endl
;
3455 if (!t_nodDBp
->init()) {
3456 g_log
<<Logger::Error
<<"Could not initialize domain tracking"<<endl
;
3459 std::thread
t(nod::NODDB::startHousekeepingThread
, t_nodDBp
, std::this_thread::get_id());
3461 g_nod_pbtag
= ::arg()["new-domain-pb-tag"];
3464 uint32_t num_cells
= ::arg().asNum("unique-response-db-size");
3465 t_udrDBp
= std::make_shared
<nod::UniqueResponseDB
>(num_cells
);
3467 t_udrDBp
->setCacheDir(::arg()["unique-response-history-dir"]);
3469 catch (const PDNSException
& e
) {
3470 g_log
<<Logger::Error
<<"unique-response-history-dir (" << ::arg()["unique-response-history-dir"] << ") is not readable or does not exist"<<endl
;
3473 if (!t_udrDBp
->init()) {
3474 g_log
<<Logger::Error
<<"Could not initialize unique response tracking"<<endl
;
3477 std::thread
t(nod::UniqueResponseDB::startHousekeepingThread
, t_udrDBp
, std::this_thread::get_id());
3479 g_udr_pbtag
= ::arg()["unique-response-pb-tag"];
3483 void parseNODWhitelist(const std::string
& wlist
)
3485 vector
<string
> parts
;
3486 stringtok(parts
, wlist
, ",; ");
3487 for(const auto& a
: parts
) {
3488 g_nodDomainWL
.add(DNSName(a
));
3492 static void setupNODGlobal()
3494 // Setup NOD subsystem
3495 g_nodEnabled
= ::arg().mustDo("new-domain-tracking");
3496 g_nodLookupDomain
= DNSName(::arg()["new-domain-lookup"]);
3497 g_nodLog
= ::arg().mustDo("new-domain-log");
3498 parseNODWhitelist(::arg()["new-domain-whitelist"]);
3500 // Setup Unique DNS Response subsystem
3501 g_udrEnabled
= ::arg().mustDo("unique-response-tracking");
3502 g_udrLog
= ::arg().mustDo("unique-response-log");
3504 #endif /* NOD_ENABLED */
3506 static int serviceMain(int argc
, char*argv
[])
3508 g_log
.setName(s_programname
);
3509 g_log
.disableSyslog(::arg().mustDo("disable-syslog"));
3510 g_log
.setTimestamps(::arg().mustDo("log-timestamp"));
3512 if(!::arg()["logging-facility"].empty()) {
3513 int val
=logFacilityToLOG(::arg().asNum("logging-facility") );
3515 g_log
.setFacility(val
);
3517 g_log
<<Logger::Error
<<"Unknown logging facility "<<::arg().asNum("logging-facility") <<endl
;
3520 showProductVersion();
3522 g_disthashseed
=dns_random(0xffffffff);
3524 checkLinuxIPv6Limits();
3526 vector
<string
> addrs
;
3527 if(!::arg()["query-local-address6"].empty()) {
3528 SyncRes::s_doIPv6
=true;
3529 g_log
<<Logger::Warning
<<"Enabling IPv6 transport for outgoing queries"<<endl
;
3531 stringtok(addrs
, ::arg()["query-local-address6"], ", ;");
3532 for(const string
& addr
: addrs
) {
3533 g_localQueryAddresses6
.push_back(ComboAddress(addr
));
3537 g_log
<<Logger::Warning
<<"NOT using IPv6 for outgoing queries - set 'query-local-address6=::' to enable"<<endl
;
3540 stringtok(addrs
, ::arg()["query-local-address"], ", ;");
3541 for(const string
& addr
: addrs
) {
3542 g_localQueryAddresses4
.push_back(ComboAddress(addr
));
3545 catch(std::exception
& e
) {
3546 g_log
<<Logger::Error
<<"Assigning local query addresses: "<<e
.what();
3550 // keep this ABOVE loadRecursorLuaConfig!
3551 if(::arg()["dnssec"]=="off")
3552 g_dnssecmode
=DNSSECMode::Off
;
3553 else if(::arg()["dnssec"]=="process-no-validate")
3554 g_dnssecmode
=DNSSECMode::ProcessNoValidate
;
3555 else if(::arg()["dnssec"]=="process")
3556 g_dnssecmode
=DNSSECMode::Process
;
3557 else if(::arg()["dnssec"]=="validate")
3558 g_dnssecmode
=DNSSECMode::ValidateAll
;
3559 else if(::arg()["dnssec"]=="log-fail")
3560 g_dnssecmode
=DNSSECMode::ValidateForLog
;
3562 g_log
<<Logger::Error
<<"Unknown DNSSEC mode "<<::arg()["dnssec"]<<endl
;
3566 g_signatureInceptionSkew
= ::arg().asNum("signature-inception-skew");
3567 if (g_signatureInceptionSkew
< 0) {
3568 g_log
<<Logger::Error
<<"A negative value for 'signature-inception-skew' is not allowed"<<endl
;
3572 g_dnssecLogBogus
= ::arg().mustDo("dnssec-log-bogus");
3573 g_maxNSEC3Iterations
= ::arg().asNum("nsec3-max-iterations");
3575 g_maxCacheEntries
= ::arg().asNum("max-cache-entries");
3576 g_maxPacketCacheEntries
= ::arg().asNum("max-packetcache-entries");
3578 luaConfigDelayedThreads delayedLuaThreads
;
3580 loadRecursorLuaConfig(::arg()["lua-config-file"], delayedLuaThreads
);
3582 catch (PDNSException
&e
) {
3583 g_log
<<Logger::Error
<<"Cannot load Lua configuration: "<<e
.reason
<<endl
;
3588 initPublicSuffixList(::arg()["public-suffix-list-file"]);
3590 if(!::arg()["dont-query"].empty()) {
3592 stringtok(ips
, ::arg()["dont-query"], ", ");
3593 ips
.push_back("0.0.0.0");
3594 ips
.push_back("::");
3596 g_log
<<Logger::Warning
<<"Will not send queries to: ";
3597 for(vector
<string
>::const_iterator i
= ips
.begin(); i
!= ips
.end(); ++i
) {
3598 SyncRes::addDontQuery(*i
);
3600 g_log
<<Logger::Warning
<<", ";
3601 g_log
<<Logger::Warning
<<*i
;
3603 g_log
<<Logger::Warning
<<endl
;
3606 g_quiet
=::arg().mustDo("quiet");
3608 /* this needs to be done before parseACLs(), which call broadcastFunction() */
3609 g_weDistributeQueries
= ::arg().mustDo("pdns-distributes-queries");
3610 if(g_weDistributeQueries
) {
3611 g_log
<<Logger::Warning
<<"PowerDNS Recursor itself will distribute queries over threads"<<endl
;
3614 setupDelegationOnly();
3615 g_outgoingEDNSBufsize
=::arg().asNum("edns-outgoing-bufsize");
3617 if(::arg()["trace"]=="fail") {
3618 SyncRes::setDefaultLogMode(SyncRes::Store
);
3620 else if(::arg().mustDo("trace")) {
3621 SyncRes::setDefaultLogMode(SyncRes::Log
);
3622 ::arg().set("quiet")="no";
3626 string myHostname
= getHostname();
3627 if (myHostname
== "UNKNOWN"){
3628 g_log
<<Logger::Warning
<<"Unable to get the hostname, NSID and id.server values will be empty"<<endl
;
3632 SyncRes::s_minimumTTL
= ::arg().asNum("minimum-ttl-override");
3634 SyncRes::s_nopacketcache
= ::arg().mustDo("disable-packetcache");
3636 SyncRes::s_maxnegttl
=::arg().asNum("max-negative-ttl");
3637 SyncRes::s_maxcachettl
=max(::arg().asNum("max-cache-ttl"), 15);
3638 SyncRes::s_packetcachettl
=::arg().asNum("packetcache-ttl");
3639 // Cap the packetcache-servfail-ttl to the packetcache-ttl
3640 uint32_t packetCacheServFailTTL
= ::arg().asNum("packetcache-servfail-ttl");
3641 SyncRes::s_packetcacheservfailttl
=(packetCacheServFailTTL
> SyncRes::s_packetcachettl
) ? SyncRes::s_packetcachettl
: packetCacheServFailTTL
;
3642 SyncRes::s_serverdownmaxfails
=::arg().asNum("server-down-max-fails");
3643 SyncRes::s_serverdownthrottletime
=::arg().asNum("server-down-throttle-time");
3644 SyncRes::s_serverID
=::arg()["server-id"];
3645 SyncRes::s_maxqperq
=::arg().asNum("max-qperq");
3646 SyncRes::s_maxtotusec
=1000*::arg().asNum("max-total-msec");
3647 SyncRes::s_maxdepth
=::arg().asNum("max-recursion-depth");
3648 SyncRes::s_rootNXTrust
= ::arg().mustDo( "root-nx-trust");
3649 if(SyncRes::s_serverID
.empty()) {
3650 SyncRes::s_serverID
= myHostname
;
3653 SyncRes::s_ecsipv4limit
= ::arg().asNum("ecs-ipv4-bits");
3654 SyncRes::s_ecsipv6limit
= ::arg().asNum("ecs-ipv6-bits");
3656 if (!::arg().isEmpty("ecs-scope-zero-address")) {
3657 ComboAddress
scopeZero(::arg()["ecs-scope-zero-address"]);
3658 SyncRes::setECSScopeZeroAddress(Netmask(scopeZero
, scopeZero
.isIPv4() ? 32 : 128));
3662 for (const auto& addr
: g_localQueryAddresses4
) {
3663 if (!IsAnyAddress(addr
)) {
3664 SyncRes::setECSScopeZeroAddress(Netmask(addr
, 32));
3670 for (const auto& addr
: g_localQueryAddresses6
) {
3671 if (!IsAnyAddress(addr
)) {
3672 SyncRes::setECSScopeZeroAddress(Netmask(addr
, 128));
3678 SyncRes::setECSScopeZeroAddress(Netmask("127.0.0.1/32"));
3683 SyncRes::parseEDNSSubnetWhitelist(::arg()["edns-subnet-whitelist"]);
3684 SyncRes::parseEDNSSubnetAddFor(::arg()["ecs-add-for"]);
3685 g_useIncomingECS
= ::arg().mustDo("use-incoming-edns-subnet");
3687 g_XPFAcl
.toMasks(::arg()["xpf-allow-from"]);
3688 g_xpfRRCode
= ::arg().asNum("xpf-rr-code");
3690 g_networkTimeoutMsec
= ::arg().asNum("network-timeout");
3692 g_initialDomainMap
= parseAuthAndForwards();
3694 g_latencyStatSize
=::arg().asNum("latency-statistic-size");
3696 g_logCommonErrors
=::arg().mustDo("log-common-errors");
3697 g_logRPZChanges
= ::arg().mustDo("log-rpz-changes");
3699 g_anyToTcp
= ::arg().mustDo("any-to-tcp");
3700 g_udpTruncationThreshold
= ::arg().asNum("udp-truncation-threshold");
3702 g_lowercaseOutgoing
= ::arg().mustDo("lowercase-outgoing");
3704 g_numDistributorThreads
= ::arg().asNum("distributor-threads");
3705 g_numWorkerThreads
= ::arg().asNum("threads");
3706 if (g_numWorkerThreads
< 1) {
3707 g_log
<<Logger::Warning
<<"Asked to run with 0 threads, raising to 1 instead"<<endl
;
3708 g_numWorkerThreads
= 1;
3711 g_numThreads
= g_numDistributorThreads
+ g_numWorkerThreads
;
3712 g_maxMThreads
= ::arg().asNum("max-mthreads");
3714 g_gettagNeedsEDNSOptions
= ::arg().mustDo("gettag-needs-edns-options");
3716 g_statisticsInterval
= ::arg().asNum("statistics-interval");
3719 g_reusePort
= ::arg().mustDo("reuseport");
3722 s_threadInfos
.resize(g_numDistributorThreads
+ g_numWorkerThreads
+ /* handler */ 1);
3725 if (g_weDistributeQueries
) {
3726 /* first thread is the handler, then distributors */
3727 for (unsigned int threadId
= 1; threadId
<= g_numDistributorThreads
; threadId
++) {
3728 auto& deferredAdds
= s_threadInfos
.at(threadId
).deferredAdds
;
3729 auto& tcpSockets
= s_threadInfos
.at(threadId
).tcpSockets
;
3730 makeUDPServerSockets(deferredAdds
);
3731 makeTCPServerSockets(deferredAdds
, tcpSockets
);
3735 /* first thread is the handler, there is no distributor here and workers are accepting queries */
3736 for (unsigned int threadId
= 1; threadId
<= g_numWorkerThreads
; threadId
++) {
3737 auto& deferredAdds
= s_threadInfos
.at(threadId
).deferredAdds
;
3738 auto& tcpSockets
= s_threadInfos
.at(threadId
).tcpSockets
;
3739 makeUDPServerSockets(deferredAdds
);
3740 makeTCPServerSockets(deferredAdds
, tcpSockets
);
3745 std::set
<int> tcpSockets
;
3746 /* we don't have reuseport so we can only open one socket per
3747 listening addr:port and everyone will listen on it */
3748 makeUDPServerSockets(g_deferredAdds
);
3749 makeTCPServerSockets(g_deferredAdds
, tcpSockets
);
3751 /* every listener (so distributor if g_weDistributeQueries, workers otherwise)
3752 needs to listen to the shared sockets */
3753 if (g_weDistributeQueries
) {
3754 /* first thread is the handler, then distributors */
3755 for (unsigned int threadId
= 1; threadId
<= g_numDistributorThreads
; threadId
++) {
3756 s_threadInfos
.at(threadId
).tcpSockets
= tcpSockets
;
3760 /* first thread is the handler, there is no distributor here and workers are accepting queries */
3761 for (unsigned int threadId
= 1; threadId
<= g_numWorkerThreads
; threadId
++) {
3762 s_threadInfos
.at(threadId
).tcpSockets
= tcpSockets
;
3768 // Setup newly observed domain globals
3770 #endif /* NOD_ENABLED */
3773 for(forks
= 0; forks
< ::arg().asNum("processes") - 1; ++forks
) {
3774 if(!fork()) // we are child
3778 if(::arg().mustDo("daemon")) {
3779 g_log
<<Logger::Warning
<<"Calling daemonize, going to background"<<endl
;
3780 g_log
.toConsole(Logger::Critical
);
3783 signal(SIGUSR1
,usr1Handler
);
3784 signal(SIGUSR2
,usr2Handler
);
3785 signal(SIGPIPE
,SIG_IGN
);
3789 #ifdef HAVE_LIBSODIUM
3790 if (sodium_init() == -1) {
3791 g_log
<<Logger::Error
<<"Unable to initialize sodium crypto library"<<endl
;
3796 openssl_thread_setup();
3798 /* setup rng before chroot */
3801 if(::arg()["server-id"].empty()) {
3802 ::arg().set("server-id") = myHostname
;
3806 if(!::arg()["setgid"].empty())
3807 newgid
=Utility::makeGidNumeric(::arg()["setgid"]);
3809 if(!::arg()["setuid"].empty())
3810 newuid
=Utility::makeUidNumeric(::arg()["setuid"]);
3812 Utility::dropGroupPrivs(newuid
, newgid
);
3814 if (!::arg()["chroot"].empty()) {
3817 ns
= getenv("NOTIFY_SOCKET");
3818 if (ns
!= nullptr) {
3819 g_log
<<Logger::Error
<<"Unable to chroot when running from systemd. Please disable chroot= or set the 'Type' for this service to 'simple'"<<endl
;
3823 if (chroot(::arg()["chroot"].c_str())<0 || chdir("/") < 0) {
3824 g_log
<<Logger::Error
<<"Unable to chroot to '"+::arg()["chroot"]+"': "<<strerror (errno
)<<", exiting"<<endl
;
3828 g_log
<<Logger::Info
<<"Chrooted to '"<<::arg()["chroot"]<<"'"<<endl
;
3831 s_pidfname
=::arg()["socket-dir"]+"/"+s_programname
+".pid";
3832 if(!s_pidfname
.empty())
3833 unlink(s_pidfname
.c_str()); // remove possible old pid file
3836 makeControlChannelSocket( ::arg().asNum("processes") > 1 ? forks
: -1);
3838 Utility::dropUserPrivs(newuid
);
3840 /* we might still have capabilities remaining, for example if we have been started as root
3841 without --setuid (please don't do that) or as an unprivileged user with ambient capabilities
3842 like CAP_NET_BIND_SERVICE.
3846 catch(const std::exception
& e
) {
3847 g_log
<<Logger::Warning
<<e
.what()<<endl
;
3850 startLuaConfigDelayedThreads(delayedLuaThreads
, g_luaconfs
.getCopy().generation
);
3854 g_tcpTimeout
=::arg().asNum("client-tcp-timeout");
3855 g_maxTCPPerClient
=::arg().asNum("max-tcp-per-client");
3856 g_tcpMaxQueriesPerConn
=::arg().asNum("max-tcp-queries-per-connection");
3857 s_maxUDPQueriesPerRound
=::arg().asNum("max-udp-queries-per-round");
3859 if (::arg().mustDo("snmp-agent")) {
3860 g_snmpAgent
= std::make_shared
<RecursorSNMPAgent
>("recursor", ::arg()["snmp-master-socket"]);
3864 int port
= ::arg().asNum("udp-source-port-min");
3865 if(port
< 1024 || port
> 65535){
3866 g_log
<<Logger::Error
<<"Unable to launch, udp-source-port-min is not a valid port number"<<endl
;
3867 exit(99); // this isn't going to fix itself either
3869 s_minUdpSourcePort
= port
;
3870 port
= ::arg().asNum("udp-source-port-max");
3871 if(port
< 1024 || port
> 65535 || port
< s_minUdpSourcePort
){
3872 g_log
<<Logger::Error
<<"Unable to launch, udp-source-port-max is not a valid port number or is smaller than udp-source-port-min"<<endl
;
3873 exit(99); // this isn't going to fix itself either
3875 s_maxUdpSourcePort
= port
;
3876 std::vector
<string
> parts
{};
3877 stringtok(parts
, ::arg()["udp-source-port-avoid"], ", ");
3878 for (const auto &part
: parts
)
3880 port
= std::stoi(part
);
3881 if(port
< 1024 || port
> 65535){
3882 g_log
<<Logger::Error
<<"Unable to launch, udp-source-port-avoid contains an invalid port number: "<<part
<<endl
;
3883 exit(99); // this isn't going to fix itself either
3885 s_avoidUdpSourcePorts
.insert(port
);
3888 unsigned int currentThreadId
= 1;
3889 const auto cpusMap
= parseCPUMap();
3891 if(g_numThreads
== 1) {
3892 g_log
<<Logger::Warning
<<"Operating unthreaded"<<endl
;
3894 sd_notify(0, "READY=1");
3897 /* This thread handles the web server, carbon, statistics and the control channel */
3898 auto& handlerInfos
= s_threadInfos
.at(0);
3899 handlerInfos
.isHandler
= true;
3900 handlerInfos
.thread
= std::thread(recursorThread
, 0, "main");
3902 setCPUMap(cpusMap
, currentThreadId
, pthread_self());
3904 auto& infos
= s_threadInfos
.at(currentThreadId
);
3905 infos
.isListener
= true;
3906 infos
.isWorker
= true;
3907 recursorThread(currentThreadId
++, "worker");
3911 if (g_weDistributeQueries
) {
3912 g_log
<<Logger::Warning
<<"Launching "<< g_numDistributorThreads
<<" distributor threads"<<endl
;
3913 for(unsigned int n
=0; n
< g_numDistributorThreads
; ++n
) {
3914 auto& infos
= s_threadInfos
.at(currentThreadId
);
3915 infos
.isListener
= true;
3916 infos
.thread
= std::thread(recursorThread
, currentThreadId
++, "distr");
3918 setCPUMap(cpusMap
, currentThreadId
, infos
.thread
.native_handle());
3922 g_log
<<Logger::Warning
<<"Launching "<< g_numWorkerThreads
<<" worker threads"<<endl
;
3924 for(unsigned int n
=0; n
< g_numWorkerThreads
; ++n
) {
3925 auto& infos
= s_threadInfos
.at(currentThreadId
);
3926 infos
.isListener
= g_weDistributeQueries
? false : true;
3927 infos
.isWorker
= true;
3928 infos
.thread
= std::thread(recursorThread
, currentThreadId
++, "worker");
3930 setCPUMap(cpusMap
, currentThreadId
, infos
.thread
.native_handle());
3934 sd_notify(0, "READY=1");
3937 /* This thread handles the web server, carbon, statistics and the control channel */
3938 auto& infos
= s_threadInfos
.at(0);
3939 infos
.isHandler
= true;
3940 infos
.thread
= std::thread(recursorThread
, 0, "web+stat");
3942 s_threadInfos
.at(0).thread
.join();
3947 static void* recursorThread(unsigned int n
, const string
& threadName
)
3951 auto& threadInfo
= s_threadInfos
.at(t_id
);
3953 static string threadPrefix
= "pdns-r/";
3954 setThreadName(threadPrefix
+ threadName
);
3956 SyncRes
tmp(g_now
); // make sure it allocates tsstorage before we do anything, like primeHints or so..
3957 SyncRes::setDomainMap(g_initialDomainMap
);
3958 t_allowFrom
= g_initialAllowFrom
;
3959 t_udpclientsocks
= std::unique_ptr
<UDPClientSocks
>(new UDPClientSocks());
3960 t_tcpClientCounts
= std::unique_ptr
<tcpClientCounts_t
>(new tcpClientCounts_t());
3963 t_packetCache
= std::unique_ptr
<RecursorPacketCache
>(new RecursorPacketCache());
3965 g_log
<<Logger::Warning
<<"Done priming cache with root hints"<<endl
;
3968 if (threadInfo
.isWorker
)
3970 #endif /* NOD_ENABLED */
3972 /* the listener threads handle TCP queries */
3973 if(threadInfo
.isWorker
|| threadInfo
.isListener
) {
3975 if(!::arg()["lua-dns-script"].empty()) {
3976 t_pdl
= std::make_shared
<RecursorLua4
>();
3977 t_pdl
->loadFile(::arg()["lua-dns-script"]);
3978 g_log
<<Logger::Warning
<<"Loaded 'lua' script from '"<<::arg()["lua-dns-script"]<<"'"<<endl
;
3981 catch(std::exception
&e
) {
3982 g_log
<<Logger::Error
<<"Failed to load 'lua' script from '"<<::arg()["lua-dns-script"]<<"': "<<e
.what()<<endl
;
3987 unsigned int ringsize
=::arg().asNum("stats-ringbuffer-entries") / g_numWorkerThreads
;
3989 t_remotes
= std::unique_ptr
<addrringbuf_t
>(new addrringbuf_t());
3990 if(g_weDistributeQueries
)
3991 t_remotes
->set_capacity(::arg().asNum("stats-ringbuffer-entries") / g_numDistributorThreads
);
3993 t_remotes
->set_capacity(ringsize
);
3994 t_servfailremotes
= std::unique_ptr
<addrringbuf_t
>(new addrringbuf_t());
3995 t_servfailremotes
->set_capacity(ringsize
);
3996 t_bogusremotes
= std::unique_ptr
<addrringbuf_t
>(new addrringbuf_t());
3997 t_bogusremotes
->set_capacity(ringsize
);
3998 t_largeanswerremotes
= std::unique_ptr
<addrringbuf_t
>(new addrringbuf_t());
3999 t_largeanswerremotes
->set_capacity(ringsize
);
4000 t_timeouts
= std::unique_ptr
<addrringbuf_t
>(new addrringbuf_t());
4001 t_timeouts
->set_capacity(ringsize
);
4003 t_queryring
= std::unique_ptr
<boost::circular_buffer
<pair
<DNSName
, uint16_t> > >(new boost::circular_buffer
<pair
<DNSName
, uint16_t> >());
4004 t_queryring
->set_capacity(ringsize
);
4005 t_servfailqueryring
= std::unique_ptr
<boost::circular_buffer
<pair
<DNSName
, uint16_t> > >(new boost::circular_buffer
<pair
<DNSName
, uint16_t> >());
4006 t_servfailqueryring
->set_capacity(ringsize
);
4007 t_bogusqueryring
= std::unique_ptr
<boost::circular_buffer
<pair
<DNSName
, uint16_t> > >(new boost::circular_buffer
<pair
<DNSName
, uint16_t> >());
4008 t_bogusqueryring
->set_capacity(ringsize
);
4011 MT
=std::unique_ptr
<MTasker
<PacketID
,string
> >(new MTasker
<PacketID
,string
>(::arg().asNum("stack-size")));
4013 #ifdef HAVE_PROTOBUF
4014 /* start protobuf export threads if needed */
4015 auto luaconfsLocal
= g_luaconfs
.getLocal();
4016 checkProtobufExport(luaconfsLocal
);
4017 checkOutgoingProtobufExport(luaconfsLocal
);
4018 #endif /* HAVE_PROTOBUF */
4022 t_fdm
=getMultiplexer();
4024 if(threadInfo
.isHandler
) {
4025 if(::arg().mustDo("webserver")) {
4026 g_log
<<Logger::Warning
<< "Enabling web server" << endl
;
4028 new RecursorWebServer(t_fdm
);
4030 catch(PDNSException
&e
) {
4031 g_log
<<Logger::Error
<<"Exception: "<<e
.reason
<<endl
;
4035 g_log
<<Logger::Info
<<"Enabled '"<< t_fdm
->getName() << "' multiplexer"<<endl
;
4039 t_fdm
->addReadFD(threadInfo
.pipes
.readToThread
, handlePipeRequest
);
4040 t_fdm
->addReadFD(threadInfo
.pipes
.readQueriesToThread
, handlePipeRequest
);
4042 if (threadInfo
.isListener
) {
4044 /* then every listener has its own FDs */
4045 for(const auto deferred
: threadInfo
.deferredAdds
) {
4046 t_fdm
->addReadFD(deferred
.first
, deferred
.second
);
4050 /* otherwise all listeners are listening on the same ones */
4051 for(const auto deferred
: g_deferredAdds
) {
4052 t_fdm
->addReadFD(deferred
.first
, deferred
.second
);
4060 if(threadInfo
.isHandler
) {
4061 t_fdm
->addReadFD(s_rcc
.d_fd
, handleRCC
); // control channel
4064 unsigned int maxTcpClients
=::arg().asNum("max-tcp-clients");
4066 bool listenOnTCP(true);
4068 time_t last_stat
= 0;
4069 time_t last_carbon
=0, last_lua_maintenance
=0;
4070 time_t carbonInterval
=::arg().asNum("carbon-interval");
4071 time_t luaMaintenanceInterval
=::arg().asNum("lua-maintenance-interval");
4072 counter
.store(0); // used to periodically execute certain tasks
4074 while(MT
->schedule(&g_now
)); // MTasker letting the mthreads do their thing
4076 if(!(counter
%500)) {
4077 MT
->makeThread(houseKeeping
, 0);
4081 typedef vector
<pair
<int, FDMultiplexer::funcparam_t
> > expired_t
;
4082 expired_t expired
=t_fdm
->getTimeouts(g_now
);
4084 for(expired_t::iterator i
=expired
.begin() ; i
!= expired
.end(); ++i
) {
4085 shared_ptr
<TCPConnection
> conn
=any_cast
<shared_ptr
<TCPConnection
> >(i
->second
);
4086 if(g_logCommonErrors
)
4087 g_log
<<Logger::Warning
<<"Timeout from remote TCP client "<< conn
->d_remote
.toStringWithPort() <<endl
;
4088 t_fdm
->removeReadFD(i
->first
);
4094 if(threadInfo
.isHandler
) {
4095 if(statsWanted
|| (g_statisticsInterval
> 0 && (g_now
.tv_sec
- last_stat
) >= g_statisticsInterval
)) {
4097 last_stat
= g_now
.tv_sec
;
4100 Utility::gettimeofday(&g_now
, 0);
4102 if((g_now
.tv_sec
- last_carbon
) >= carbonInterval
) {
4103 MT
->makeThread(doCarbonDump
, 0);
4104 last_carbon
= g_now
.tv_sec
;
4107 if (t_pdl
!= nullptr) {
4108 // lua-dns-script directive is present, call the maintenance callback if needed
4109 /* remember that the listener threads handle TCP queries */
4110 if (threadInfo
.isWorker
|| threadInfo
.isListener
) {
4111 // Only on threads processing queries
4112 if(g_now
.tv_sec
- last_lua_maintenance
>= luaMaintenanceInterval
) {
4113 t_pdl
->maintenance();
4114 last_lua_maintenance
= g_now
.tv_sec
;
4120 // 'run' updates g_now for us
4122 if(threadInfo
.isListener
) {
4124 if(TCPConnection::getCurrentConnections() > maxTcpClients
) { // shutdown, too many connections
4125 for(const auto fd
: threadInfo
.tcpSockets
) {
4126 t_fdm
->removeReadFD(fd
);
4132 if(TCPConnection::getCurrentConnections() <= maxTcpClients
) { // reenable
4133 for(const auto fd
: threadInfo
.tcpSockets
) {
4134 t_fdm
->addReadFD(fd
, handleNewTCPQuestion
);
4142 catch(PDNSException
&ae
) {
4143 g_log
<<Logger::Error
<<"Exception: "<<ae
.reason
<<endl
;
4146 catch(std::exception
&e
) {
4147 g_log
<<Logger::Error
<<"STL Exception: "<<e
.what()<<endl
;
4151 g_log
<<Logger::Error
<<"any other exception in main: "<<endl
;
4156 int main(int argc
, char **argv
)
4160 g_stats
.startupTime
=time(0);
4161 versionSetProduct(ProductRecursor
);
4165 int ret
= EXIT_SUCCESS
;
4168 ::arg().set("stack-size","stack size per mthread")="200000";
4169 ::arg().set("soa-minimum-ttl","Don't change")="0";
4170 ::arg().set("no-shuffle","Don't change")="off";
4171 ::arg().set("local-port","port to listen on")="53";
4172 ::arg().set("local-address","IP addresses to listen on, separated by spaces or commas. Also accepts ports.")="127.0.0.1";
4173 ::arg().setSwitch("non-local-bind", "Enable binding to non-local addresses by using FREEBIND / BINDANY socket options")="no";
4174 ::arg().set("trace","if we should output heaps of logging. set to 'fail' to only log failing domains")="off";
4175 ::arg().set("dnssec", "DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate")="process-no-validate";
4176 ::arg().set("dnssec-log-bogus", "Log DNSSEC bogus validations")="no";
4177 ::arg().set("signature-inception-skew", "Allow the signature inception to be off by this number of seconds")="60";
4178 ::arg().set("daemon","Operate as a daemon")="no";
4179 ::arg().setSwitch("write-pid","Write a PID file")="yes";
4180 ::arg().set("loglevel","Amount of logging. Higher is more. Do not set below 3")="6";
4181 ::arg().set("disable-syslog","Disable logging to syslog, useful when running inside a supervisor that logs stdout")="no";
4182 ::arg().set("log-timestamp","Print timestamps in log lines, useful to disable when running with a tool that timestamps stdout already")="yes";
4183 ::arg().set("log-common-errors","If we should log rather common errors")="no";
4184 ::arg().set("chroot","switch to chroot jail")="";
4185 ::arg().set("setgid","If set, change group id to this gid for more security")="";
4186 ::arg().set("setuid","If set, change user id to this uid for more security")="";
4187 ::arg().set("network-timeout", "Wait this number of milliseconds for network i/o")="1500";
4188 ::arg().set("threads", "Launch this number of threads")="2";
4189 ::arg().set("distributor-threads", "Launch this number of distributor threads, distributing queries to other threads")="0";
4190 ::arg().set("processes", "Launch this number of processes (EXPERIMENTAL, DO NOT CHANGE)")="1"; // if we un-experimental this, need to fix openssl rand seeding for multiple PIDs!
4191 ::arg().set("config-name","Name of this virtual configuration - will rename the binary image")="";
4192 ::arg().set("api-config-dir", "Directory where REST API stores config and zones") = "";
4193 ::arg().set("api-key", "Static pre-shared authentication key for access to the REST API") = "";
4194 ::arg().setSwitch("webserver", "Start a webserver (for REST API)") = "no";
4195 ::arg().set("webserver-address", "IP Address of webserver to listen on") = "127.0.0.1";
4196 ::arg().set("webserver-port", "Port of webserver to listen on") = "8082";
4197 ::arg().set("webserver-password", "Password required for accessing the webserver") = "";
4198 ::arg().set("webserver-allow-from","Webserver access is only allowed from these subnets")="127.0.0.1,::1";
4199 ::arg().set("carbon-ourname", "If set, overrides our reported hostname for carbon stats")="";
4200 ::arg().set("carbon-server", "If set, send metrics in carbon (graphite) format to this server IP address")="";
4201 ::arg().set("carbon-interval", "Number of seconds between carbon (graphite) updates")="30";
4202 ::arg().set("carbon-namespace", "If set overwrites the first part of the carbon string")="pdns";
4203 ::arg().set("carbon-instance", "If set overwrites the the instance name default")="recursor";
4205 ::arg().set("statistics-interval", "Number of seconds between printing of recursor statistics, 0 to disable")="1800";
4206 ::arg().set("quiet","Suppress logging of questions and answers")="";
4207 ::arg().set("logging-facility","Facility to log messages as. 0 corresponds to local0")="";
4208 ::arg().set("config-dir","Location of configuration directory (recursor.conf)")=SYSCONFDIR
;
4209 ::arg().set("socket-owner","Owner of socket")="";
4210 ::arg().set("socket-group","Group of socket")="";
4211 ::arg().set("socket-mode", "Permissions for socket")="";
4213 ::arg().set("socket-dir",string("Where the controlsocket will live, ")+LOCALSTATEDIR
+" when unset and not chrooted" )="";
4214 ::arg().set("delegation-only","Which domains we only accept delegations from")="";
4215 ::arg().set("query-local-address","Source IP address for sending queries")="0.0.0.0";
4216 ::arg().set("query-local-address6","Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES")="";
4217 ::arg().set("client-tcp-timeout","Timeout in seconds when talking to TCP clients")="2";
4218 ::arg().set("max-mthreads", "Maximum number of simultaneous Mtasker threads")="2048";
4219 ::arg().set("max-tcp-clients","Maximum number of simultaneous TCP clients")="128";
4220 ::arg().set("server-down-max-fails","Maximum number of consecutive timeouts (and unreachables) to mark a server as down ( 0 => disabled )")="64";
4221 ::arg().set("server-down-throttle-time","Number of seconds to throttle all queries to a server after being marked as down")="60";
4222 ::arg().set("hint-file", "If set, load root hints from this file")="";
4223 ::arg().set("max-cache-entries", "If set, maximum number of entries in the main cache")="1000000";
4224 ::arg().set("max-negative-ttl", "maximum number of seconds to keep a negative cached entry in memory")="3600";
4225 ::arg().set("max-cache-ttl", "maximum number of seconds to keep a cached entry in memory")="86400";
4226 ::arg().set("packetcache-ttl", "maximum number of seconds to keep a cached entry in packetcache")="3600";
4227 ::arg().set("max-packetcache-entries", "maximum number of entries to keep in the packetcache")="500000";
4228 ::arg().set("packetcache-servfail-ttl", "maximum number of seconds to keep a cached servfail entry in packetcache")="60";
4229 ::arg().set("server-id", "Returned when queried for 'id.server' TXT or NSID, defaults to hostname, set custom or 'disabled'")="";
4230 ::arg().set("stats-ringbuffer-entries", "maximum number of packets to store statistics for")="10000";
4231 ::arg().set("version-string", "string reported on version.pdns or version.bind")=fullVersionString();
4232 ::arg().set("allow-from", "If set, only allow these comma separated netmasks to recurse")=LOCAL_NETS
;
4233 ::arg().set("allow-from-file", "If set, load allowed netmasks from this file")="";
4234 ::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom";
4235 ::arg().set("dont-query", "If set, do not query these netmasks for DNS data")=DONT_QUERY
;
4236 ::arg().set("max-tcp-per-client", "If set, maximum number of TCP sessions per client (IP address)")="0";
4237 ::arg().set("max-tcp-queries-per-connection", "If set, maximum number of TCP queries in a TCP connection")="0";
4238 ::arg().set("spoof-nearmiss-max", "If non-zero, assume spoofing after this many near misses")="20";
4239 ::arg().set("single-socket", "If set, only use a single socket for outgoing queries")="off";
4240 ::arg().set("auth-zones", "Zones for which we have authoritative data, comma separated domain=file pairs ")="";
4241 ::arg().set("lua-config-file", "More powerful configuration options")="";
4243 ::arg().set("forward-zones", "Zones for which we forward queries, comma separated domain=ip pairs")="";
4244 ::arg().set("forward-zones-recurse", "Zones for which we forward queries with recursion bit, comma separated domain=ip pairs")="";
4245 ::arg().set("forward-zones-file", "File with (+)domain=ip pairs for forwarding")="";
4246 ::arg().set("export-etc-hosts", "If we should serve up contents from /etc/hosts")="off";
4247 ::arg().set("export-etc-hosts-search-suffix", "Also serve up the contents of /etc/hosts with this suffix")="";
4248 ::arg().set("etc-hosts-file", "Path to 'hosts' file")="/etc/hosts";
4249 ::arg().set("serve-rfc1918", "If we should be authoritative for RFC 1918 private IP space")="yes";
4250 ::arg().set("lua-dns-script", "Filename containing an optional 'lua' script that will be used to modify dns answers")="";
4251 ::arg().set("lua-maintenance-interval", "Number of seconds between calls to the lua user defined maintenance() function")="1";
4252 ::arg().set("latency-statistic-size","Number of latency values to calculate the qa-latency average")="10000";
4253 ::arg().setSwitch( "disable-packetcache", "Disable packetcache" )= "no";
4254 ::arg().set("ecs-ipv4-bits", "Number of bits of IPv4 address to pass for EDNS Client Subnet")="24";
4255 ::arg().set("ecs-ipv6-bits", "Number of bits of IPv6 address to pass for EDNS Client Subnet")="56";
4256 ::arg().set("edns-subnet-whitelist", "List of netmasks and domains that we should enable EDNS subnet for")="";
4257 ::arg().set("ecs-add-for", "List of client netmasks for which EDNS Client Subnet will be added")="0.0.0.0/0, ::/0, " LOCAL_NETS_INVERSE
;
4258 ::arg().set("ecs-scope-zero-address", "Address to send to whitelisted authoritative servers for incoming queries with ECS prefix-length source of 0")="";
4259 ::arg().setSwitch( "use-incoming-edns-subnet", "Pass along received EDNS Client Subnet information")="no";
4260 ::arg().setSwitch( "pdns-distributes-queries", "If PowerDNS itself should distribute queries over threads")="yes";
4261 ::arg().setSwitch( "root-nx-trust", "If set, believe that an NXDOMAIN from the root means the TLD does not exist")="yes";
4262 ::arg().setSwitch( "any-to-tcp","Answer ANY queries with tc=1, shunting to TCP" )="no";
4263 ::arg().setSwitch( "lowercase-outgoing","Force outgoing questions to lowercase")="no";
4264 ::arg().setSwitch("gettag-needs-edns-options", "If EDNS Options should be extracted before calling the gettag() hook")="no";
4265 ::arg().set("udp-truncation-threshold", "Maximum UDP response size before we truncate")="1232";
4266 ::arg().set("edns-outgoing-bufsize", "Outgoing EDNS buffer size")="1232";
4267 ::arg().set("minimum-ttl-override", "Set under adverse conditions, a minimum TTL")="0";
4268 ::arg().set("max-qperq", "Maximum outgoing queries per query")="50";
4269 ::arg().set("max-total-msec", "Maximum total wall-clock time per query in milliseconds, 0 for unlimited")="7000";
4270 ::arg().set("max-recursion-depth", "Maximum number of internal recursion calls per query, 0 for unlimited")="40";
4271 ::arg().set("max-udp-queries-per-round", "Maximum number of UDP queries processed per recvmsg() round, before returning back to normal processing")="10000";
4273 ::arg().set("include-dir","Include *.conf files from this directory")="";
4274 ::arg().set("security-poll-suffix","Domain name from which to query security update notifications")="secpoll.powerdns.com.";
4276 ::arg().setSwitch("reuseport","Enable SO_REUSEPORT allowing multiple recursors processes to listen to 1 address")="no";
4278 ::arg().setSwitch("snmp-agent", "If set, register as an SNMP agent")="no";
4279 ::arg().set("snmp-master-socket", "If set and snmp-agent is set, the socket to use to register to the SNMP master")="";
4281 ::arg().set("tcp-fast-open", "Enable TCP Fast Open support on the listening sockets, using the supplied numerical value as the queue size")="0";
4282 ::arg().set("nsec3-max-iterations", "Maximum number of iterations allowed for an NSEC3 record")="2500";
4284 ::arg().set("cpu-map", "Thread to CPU mapping, space separated thread-id=cpu1,cpu2..cpuN pairs")="";
4286 ::arg().setSwitch("log-rpz-changes", "Log additions and removals to RPZ zones at Info level")="no";
4288 ::arg().set("xpf-allow-from","XPF information is only processed from these subnets")="";
4289 ::arg().set("xpf-rr-code","XPF option code to use")="0";
4291 ::arg().set("udp-source-port-min", "Minimum UDP port to bind on")="1024";
4292 ::arg().set("udp-source-port-max", "Maximum UDP port to bind on")="65535";
4293 ::arg().set("udp-source-port-avoid", "List of comma separated UDP port number to avoid")="11211";
4294 ::arg().set("rng", "Specify random number generator to use. Valid values are auto,sodium,openssl,getrandom,arc4random,urandom.")="auto";
4295 ::arg().set("public-suffix-list-file", "Path to the Public Suffix List file, if any")="";
4297 ::arg().set("new-domain-tracking", "Track newly observed domains (i.e. never seen before).")="no";
4298 ::arg().set("new-domain-log", "Log newly observed domains.")="yes";
4299 ::arg().set("new-domain-lookup", "Perform a DNS lookup newly observed domains as a subdomain of the configured domain")="";
4300 ::arg().set("new-domain-history-dir", "Persist new domain tracking data here to persist between restarts")=string(NODCACHEDIR
)+"/nod";
4301 ::arg().set("new-domain-whitelist", "List of domains (and implicitly all subdomains) which will never be considered a new domain")="";
4302 ::arg().set("new-domain-db-size", "Size of the DB used to track new domains in terms of number of cells. Defaults to 67108864")="67108864";
4303 ::arg().set("new-domain-pb-tag", "If protobuf is configured, the tag to use for messages containing newly observed domains. Defaults to 'pdns-nod'")="pdns-nod";
4304 ::arg().set("unique-response-tracking", "Track unique responses (tuple of query name, type and RR).")="no";
4305 ::arg().set("unique-response-log", "Log unique responses")="yes";
4306 ::arg().set("unique-response-history-dir", "Persist unique response tracking data here to persist between restarts")=string(NODCACHEDIR
)+"/udr";
4307 ::arg().set("unique-response-db-size", "Size of the DB used to track unique responses in terms of number of cells. Defaults to 67108864")="67108864";
4308 ::arg().set("unique-response-pb-tag", "If protobuf is configured, the tag to use for messages containing unique DNS responses. Defaults to 'pdns-udr'")="pdns-udr";
4309 #endif /* NOD_ENABLED */
4310 ::arg().setCmd("help","Provide a helpful message");
4311 ::arg().setCmd("version","Print version string");
4312 ::arg().setCmd("config","Output blank configuration");
4313 g_log
.toConsole(Logger::Info
);
4314 ::arg().laxParse(argc
,argv
); // do a lax parse
4316 string configname
=::arg()["config-dir"]+"/recursor.conf";
4317 if(::arg()["config-name"]!="") {
4318 configname
=::arg()["config-dir"]+"/recursor-"+::arg()["config-name"]+".conf";
4319 s_programname
+="-"+::arg()["config-name"];
4321 cleanSlashes(configname
);
4323 if(!::arg().getCommands().empty()) {
4324 cerr
<<"Fatal: non-option on the command line, perhaps a '--setting=123' statement missed the '='?"<<endl
;
4328 if(::arg().mustDo("config")) {
4329 cout
<<::arg().configstring()<<endl
;
4333 if(!::arg().file(configname
.c_str()))
4334 g_log
<<Logger::Warning
<<"Unable to parse configuration file '"<<configname
<<"'"<<endl
;
4336 ::arg().parse(argc
,argv
);
4338 if( !::arg()["chroot"].empty() && !::arg()["api-config-dir"].empty() ) {
4339 g_log
<<Logger::Error
<<"Using chroot and enabling the API is not possible"<<endl
;
4343 if (::arg()["socket-dir"].empty()) {
4344 if (::arg()["chroot"].empty())
4345 ::arg().set("socket-dir") = LOCALSTATEDIR
;
4347 ::arg().set("socket-dir") = "/";
4350 ::arg().set("delegation-only")=toLower(::arg()["delegation-only"]);
4352 if(::arg().asNum("threads")==1) {
4353 if (::arg().mustDo("pdns-distributes-queries")) {
4354 g_log
<<Logger::Warning
<<"Only one thread, no need to distribute queries ourselves"<<endl
;
4355 ::arg().set("pdns-distributes-queries")="no";
4359 if(::arg().mustDo("pdns-distributes-queries") && ::arg().asNum("distributor-threads") <= 0) {
4360 g_log
<<Logger::Warning
<<"Asked to run with pdns-distributes-queries set but no distributor threads, raising to 1"<<endl
;
4361 ::arg().set("distributor-threads")="1";
4364 if (!::arg().mustDo("pdns-distributes-queries")) {
4365 ::arg().set("distributor-threads")="0";
4368 if(::arg().mustDo("help")) {
4369 cout
<<"syntax:"<<endl
<<endl
;
4370 cout
<<::arg().helpstring(::arg()["help"])<<endl
;
4373 if(::arg().mustDo("version")) {
4374 showProductVersion();
4375 showBuildConfiguration();
4379 Logger::Urgency logUrgency
= (Logger::Urgency
)::arg().asNum("loglevel");
4381 if (logUrgency
< Logger::Error
)
4382 logUrgency
= Logger::Error
;
4383 if(!g_quiet
&& logUrgency
< Logger::Info
) { // Logger::Info=6, Logger::Debug=7
4384 logUrgency
= Logger::Info
; // if you do --quiet=no, you need Info to also see the query log
4386 g_log
.setLoglevel(logUrgency
);
4387 g_log
.toConsole(logUrgency
);
4389 serviceMain(argc
, argv
);
4391 catch(PDNSException
&ae
) {
4392 g_log
<<Logger::Error
<<"Exception: "<<ae
.reason
<<endl
;
4395 catch(std::exception
&e
) {
4396 g_log
<<Logger::Error
<<"STL Exception: "<<e
.what()<<endl
;
4400 g_log
<<Logger::Error
<<"any other exception in main: "<<endl
;