]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
1 /* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, void *hash
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(void);
24 static void free_frec(struct frec
*f
);
27 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
28 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
);
29 static int do_check_sign(struct frec
*forward
, int status
, time_t now
, char *name
, char *keyname
);
30 static int send_check_sign(struct frec
*forward
, time_t now
, struct dns_header
*header
, size_t plen
,
31 char *name
, char *keyname
);
35 /* Send a UDP packet with its source address set as "source"
36 unless nowild is true, when we just send it with the kernel default */
37 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
38 union mysockaddr
*to
, struct all_addr
*source
,
44 struct cmsghdr align
; /* this ensures alignment */
45 #if defined(HAVE_LINUX_NETWORK)
46 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
47 #elif defined(IP_SENDSRCADDR)
48 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
51 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
55 iov
[0].iov_base
= packet
;
58 msg
.msg_control
= NULL
;
59 msg
.msg_controllen
= 0;
62 msg
.msg_namelen
= sa_len(to
);
68 struct cmsghdr
*cmptr
;
69 msg
.msg_control
= &control_u
;
70 msg
.msg_controllen
= sizeof(control_u
);
71 cmptr
= CMSG_FIRSTHDR(&msg
);
73 if (to
->sa
.sa_family
== AF_INET
)
75 #if defined(HAVE_LINUX_NETWORK)
78 p
.ipi_spec_dst
= source
->addr
.addr4
;
79 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
80 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
81 cmptr
->cmsg_level
= IPPROTO_IP
;
82 cmptr
->cmsg_type
= IP_PKTINFO
;
83 #elif defined(IP_SENDSRCADDR)
84 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
85 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
86 cmptr
->cmsg_level
= IPPROTO_IP
;
87 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
94 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
95 p
.ipi6_addr
= source
->addr
.addr6
;
96 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
97 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
98 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
99 cmptr
->cmsg_level
= IPPROTO_IPV6
;
102 (void)iface
; /* eliminate warning */
106 while (retry_send(sendmsg(fd
, &msg
, 0)));
108 /* If interface is still in DAD, EINVAL results - ignore that. */
109 if (errno
!= 0 && errno
!= EINVAL
)
111 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
118 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
119 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
122 /* If the query ends in the domain in one of our servers, set
123 domain to point to that name. We find the largest match to allow both
124 domain.org and sub.domain.org to exist. */
126 unsigned int namelen
= strlen(qdomain
);
127 unsigned int matchlen
= 0;
129 unsigned int flags
= 0;
131 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
132 /* domain matches take priority over NODOTS matches */
133 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
135 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
136 *type
= SERV_FOR_NODOTS
;
137 if (serv
->flags
& SERV_NO_ADDR
)
139 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
144 if (serv
->addr
.sa
.sa_family
== AF_INET
)
145 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
148 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
151 else if (!flags
|| (flags
& F_NXDOMAIN
))
155 else if (serv
->flags
& SERV_HAS_DOMAIN
)
157 unsigned int domainlen
= strlen(serv
->domain
);
158 char *matchstart
= qdomain
+ namelen
- domainlen
;
159 if (namelen
>= domainlen
&&
160 hostname_isequal(matchstart
, serv
->domain
) &&
161 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
163 if (serv
->flags
& SERV_NO_REBIND
)
167 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
168 /* implement priority rules for --address and --server for same domain.
169 --address wins if the address is for the correct AF
170 --server wins otherwise. */
171 if (domainlen
!= 0 && domainlen
== matchlen
)
173 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
175 if (!(sflag
& qtype
) && flags
== 0)
180 if (flags
& (F_IPV4
| F_IPV6
))
185 if (domainlen
>= matchlen
)
187 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
188 *domain
= serv
->domain
;
189 matchlen
= domainlen
;
190 if (serv
->flags
& SERV_NO_ADDR
)
192 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
197 if (serv
->addr
.sa
.sa_family
== AF_INET
)
198 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
201 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
204 else if (!flags
|| (flags
& F_NXDOMAIN
))
214 if (flags
== 0 && !(qtype
& F_QUERY
) &&
215 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
216 /* don't forward A or AAAA queries for simple names, except the empty name */
219 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
226 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
227 logflags
= F_NEG
| qtype
;
229 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
231 else if ((*type
) & SERV_USE_RESOLV
)
233 *type
= 0; /* use normal servers for this domain */
239 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
240 struct all_addr
*dst_addr
, unsigned int dst_iface
,
241 struct dns_header
*header
, size_t plen
, time_t now
,
242 struct frec
*forward
, int ad_reqd
, int do_bit
)
245 int type
= 0, norebind
= 0;
246 struct all_addr
*addrp
= NULL
;
247 unsigned int flags
= 0;
248 struct server
*start
= NULL
;
250 void *hash
= hash_questions(header
, plen
, daemon
->namebuff
);
252 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
255 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
256 unsigned char *pheader
;
260 /* may be no servers available. */
261 if (!daemon
->servers
)
263 else if (forward
|| (hash
&& (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, hash
))))
265 /* If we didn't get an answer advertising a maximal packet in EDNS,
266 fall back to 1280, which should work everywhere on IPv6.
267 If that generates an answer, it will become the new default
269 forward
->flags
|= FREC_TEST_PKTSZ
;
272 /* If we've already got an answer to this query, but we're awaiting keys for validation,
273 there's no point retrying the query, retry the key query instead...... */
274 if (forward
->blocking_query
)
278 forward
->flags
&= ~FREC_TEST_PKTSZ
;
280 while (forward
->blocking_query
)
281 forward
= forward
->blocking_query
;
283 forward
->flags
|= FREC_TEST_PKTSZ
;
285 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
286 plen
= forward
->stash_len
;
288 if (find_pseudoheader(header
, plen
, NULL
, &pheader
, NULL
))
289 PUTSHORT((forward
->flags
& FREC_TEST_PKTSZ
) ? SAFE_PKTSZ
: forward
->sentto
->edns_pktsz
, pheader
);
291 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET
)
292 log_query(F_NOEXTRA
| F_DNSSEC
| F_IPV4
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in
.sin_addr
, "dnssec");
295 log_query(F_NOEXTRA
| F_DNSSEC
| F_IPV6
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in6
.sin6_addr
, "dnssec");
298 if (forward
->sentto
->sfd
)
299 fd
= forward
->sentto
->sfd
->fd
;
303 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET6
)
304 fd
= forward
->rfd6
->fd
;
307 fd
= forward
->rfd4
->fd
;
310 while (retry_send( sendto(fd
, (char *)header
, plen
, 0,
311 &forward
->sentto
->addr
.sa
,
312 sa_len(&forward
->sentto
->addr
))));
318 /* retry on existing query, send to all available servers */
319 domain
= forward
->sentto
->domain
;
320 forward
->sentto
->failed_queries
++;
321 if (!option_bool(OPT_ORDER
))
323 forward
->forwardall
= 1;
324 daemon
->last_server
= NULL
;
326 type
= forward
->sentto
->flags
& SERV_TYPE
;
327 if (!(start
= forward
->sentto
->next
))
328 start
= daemon
->servers
; /* at end of list, recycle */
329 header
->id
= htons(forward
->new_id
);
334 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
336 if (!flags
&& !(forward
= get_new_frec(now
, NULL
, 0)))
337 /* table full - server failure. */
342 forward
->source
= *udpaddr
;
343 forward
->dest
= *dst_addr
;
344 forward
->iface
= dst_iface
;
345 forward
->orig_id
= ntohs(header
->id
);
346 forward
->new_id
= get_id();
348 memcpy(forward
->hash
, hash
, HASH_SIZE
);
349 forward
->forwardall
= 0;
352 forward
->flags
|= FREC_NOREBIND
;
353 if (header
->hb4
& HB4_CD
)
354 forward
->flags
|= FREC_CHECKING_DISABLED
;
356 forward
->flags
|= FREC_AD_QUESTION
;
358 forward
->work_counter
= DNSSEC_WORK
;
360 forward
->flags
|= FREC_DO_QUESTION
;
363 header
->id
= htons(forward
->new_id
);
365 /* In strict_order mode, always try servers in the order
366 specified in resolv.conf, if a domain is given
367 always try all the available servers,
368 otherwise, use the one last known to work. */
372 if (option_bool(OPT_ORDER
))
373 start
= daemon
->servers
;
374 else if (!(start
= daemon
->last_server
) ||
375 daemon
->forwardcount
++ > FORWARD_TEST
||
376 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
378 start
= daemon
->servers
;
379 forward
->forwardall
= 1;
380 daemon
->forwardcount
= 0;
381 daemon
->forwardtime
= now
;
386 start
= daemon
->servers
;
387 if (!option_bool(OPT_ORDER
))
388 forward
->forwardall
= 1;
393 /* check for send errors here (no route to host)
394 if we fail to send to all nameservers, send back an error
395 packet straight away (helps modem users when offline) */
397 if (!flags
&& forward
)
399 struct server
*firstsentto
= start
;
402 /* If a query is retried, use the log_id for the retry when logging the answer. */
403 forward
->log_id
= daemon
->log_id
;
405 if (option_bool(OPT_ADD_MAC
))
406 plen
= add_mac(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
408 if (option_bool(OPT_CLIENT_SUBNET
))
410 size_t new = add_source_addr(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
414 forward
->flags
|= FREC_HAS_SUBNET
;
419 if (option_bool(OPT_DNSSEC_VALID
))
421 size_t new_plen
= add_do_bit(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
);
423 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
424 this allows it to select auth servers when one is returning bad data. */
425 if (option_bool(OPT_DNSSEC_DEBUG
))
426 header
->hb4
|= HB4_CD
;
428 if (new_plen
!= plen
)
429 forward
->flags
|= FREC_ADDED_PHEADER
;
437 /* only send to servers dealing with our domain.
438 domain may be NULL, in which case server->domain
439 must be NULL also. */
441 if (type
== (start
->flags
& SERV_TYPE
) &&
442 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
443 !(start
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
447 /* find server socket to use, may need to get random one. */
453 if (start
->addr
.sa
.sa_family
== AF_INET6
)
455 if (!forward
->rfd6
&&
456 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
458 daemon
->rfd_save
= forward
->rfd6
;
459 fd
= forward
->rfd6
->fd
;
464 if (!forward
->rfd4
&&
465 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
467 daemon
->rfd_save
= forward
->rfd4
;
468 fd
= forward
->rfd4
->fd
;
471 #ifdef HAVE_CONNTRACK
472 /* Copy connection mark of incoming query to outgoing connection. */
473 if (option_bool(OPT_CONNTRACK
))
476 if (get_incoming_mark(&forward
->source
, &forward
->dest
, 0, &mark
))
477 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
482 if (find_pseudoheader(header
, plen
, NULL
, &pheader
, NULL
))
483 PUTSHORT((forward
->flags
& FREC_TEST_PKTSZ
) ? SAFE_PKTSZ
: start
->edns_pktsz
, pheader
);
485 if (retry_send(sendto(fd
, (char *)header
, plen
, 0,
487 sa_len(&start
->addr
))))
492 /* Keep info in case we want to re-send this packet */
493 daemon
->srv_save
= start
;
494 daemon
->packet_len
= plen
;
497 strcpy(daemon
->namebuff
, "query");
498 if (start
->addr
.sa
.sa_family
== AF_INET
)
499 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
500 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
503 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
504 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
508 forward
->sentto
= start
;
509 if (!forward
->forwardall
)
511 forward
->forwardall
++;
515 if (!(start
= start
->next
))
516 start
= daemon
->servers
;
518 if (start
== firstsentto
)
525 /* could not send on, prepare to return */
526 header
->id
= htons(forward
->orig_id
);
527 free_frec(forward
); /* cancel */
530 /* could not send on, return empty answer or address if known for whole domain */
533 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
534 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
540 static size_t process_reply(struct dns_header
*header
, time_t now
, struct server
*server
, size_t n
, int check_rebind
,
541 int no_cache
, int cache_secure
, int bogusanswer
, int ad_reqd
, int do_bit
, int added_pheader
,
542 int check_subnet
, union mysockaddr
*query_source
)
544 unsigned char *pheader
, *sizep
;
546 int munged
= 0, is_sign
;
554 if (daemon
->ipsets
&& extract_request(header
, n
, daemon
->namebuff
, NULL
))
556 /* Similar algorithm to search_servers. */
557 struct ipsets
*ipset_pos
;
558 unsigned int namelen
= strlen(daemon
->namebuff
);
559 unsigned int matchlen
= 0;
560 for (ipset_pos
= daemon
->ipsets
; ipset_pos
; ipset_pos
= ipset_pos
->next
)
562 unsigned int domainlen
= strlen(ipset_pos
->domain
);
563 char *matchstart
= daemon
->namebuff
+ namelen
- domainlen
;
564 if (namelen
>= domainlen
&& hostname_isequal(matchstart
, ipset_pos
->domain
) &&
565 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
- 1) == '.' ) &&
566 domainlen
>= matchlen
)
568 matchlen
= domainlen
;
569 sets
= ipset_pos
->sets
;
575 /* If upstream is advertising a larger UDP packet size
576 than we allow, trim it so that we don't get overlarge
577 requests for the client. We can't do this for signed packets. */
579 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)))
581 unsigned short udpsz
;
582 unsigned char *psave
= sizep
;
584 GETSHORT(udpsz
, sizep
);
586 if (!is_sign
&& udpsz
> daemon
->edns_pktsz
)
587 PUTSHORT(daemon
->edns_pktsz
, psave
);
589 if (check_subnet
&& !check_source(header
, plen
, pheader
, query_source
))
591 my_syslog(LOG_WARNING
, _("discarding DNS reply: subnet option mismatch"));
598 header
->arcount
= htons(0);
602 /* RFC 4035 sect 4.6 para 3 */
603 if (!is_sign
&& !option_bool(OPT_DNSSEC_PROXY
))
604 header
->hb4
&= ~HB4_AD
;
606 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
607 return resize_packet(header
, n
, pheader
, plen
);
609 /* Complain loudly if the upstream server is non-recursive. */
610 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
611 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
613 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
614 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
615 if (!option_bool(OPT_LOG
))
616 server
->flags
|= SERV_WARNED_RECURSIVE
;
619 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
620 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
623 SET_RCODE(header
, NXDOMAIN
);
624 header
->hb3
&= ~HB3_AA
;
631 if (RCODE(header
) == NXDOMAIN
&&
632 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
633 check_for_local_domain(daemon
->namebuff
, now
))
635 /* if we forwarded a query for a locally known name (because it was for
636 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
637 since we know that the domain exists, even if upstream doesn't */
639 header
->hb3
|= HB3_AA
;
640 SET_RCODE(header
, NOERROR
);
644 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, sets
, is_sign
, check_rebind
, no_cache
, cache_secure
, &doctored
))
646 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
656 if (bogusanswer
&& !(header
->hb4
& HB4_CD
))
658 if (!option_bool(OPT_DNSSEC_DEBUG
))
660 /* Bogus reply, turn into SERVFAIL */
661 SET_RCODE(header
, SERVFAIL
);
666 if (option_bool(OPT_DNSSEC_VALID
))
667 header
->hb4
&= ~HB4_AD
;
669 if (!(header
->hb4
& HB4_CD
) && ad_reqd
&& cache_secure
)
670 header
->hb4
|= HB4_AD
;
672 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
674 n
= filter_rrsigs(header
, n
);
677 /* do this after extract_addresses. Ensure NODATA reply and remove
682 header
->ancount
= htons(0);
683 header
->nscount
= htons(0);
684 header
->arcount
= htons(0);
685 header
->hb3
&= ~HB3_TC
;
688 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
689 sections of the packet. Find the new length here and put back pseudoheader
690 if it was removed. */
691 return resize_packet(header
, n
, pheader
, plen
);
694 /* sets new last_server */
695 void reply_query(int fd
, int family
, time_t now
)
697 /* packet from peer server, extract data for cache, and send to
698 original requester */
699 struct dns_header
*header
;
700 union mysockaddr serveraddr
;
701 struct frec
*forward
;
702 socklen_t addrlen
= sizeof(serveraddr
);
703 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->packet_buff_sz
, 0, &serveraddr
.sa
, &addrlen
);
705 struct server
*server
;
711 /* packet buffer overwritten */
712 daemon
->srv_save
= NULL
;
714 /* Determine the address of the server replying so that we can mark that as good */
715 serveraddr
.sa
.sa_family
= family
;
717 if (serveraddr
.sa
.sa_family
== AF_INET6
)
718 serveraddr
.in6
.sin6_flowinfo
= 0;
721 header
= (struct dns_header
*)daemon
->packet
;
723 if (n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
))
726 /* spoof check: answer must come from known server, */
727 for (server
= daemon
->servers
; server
; server
= server
->next
)
728 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
729 sockaddr_isequal(&server
->addr
, &serveraddr
))
736 hash
= hash_questions(header
, n
, daemon
->namebuff
);
739 crc
= questions_crc(header
, n
, daemon
->namebuff
);
742 if (!(forward
= lookup_frec(ntohs(header
->id
), hash
)))
745 /* log_query gets called indirectly all over the place, so
746 pass these in global variables - sorry. */
747 daemon
->log_display_id
= forward
->log_id
;
748 daemon
->log_source_addr
= &forward
->source
;
750 if (daemon
->ignore_addr
&& RCODE(header
) == NOERROR
&&
751 check_for_ignored_address(header
, n
, daemon
->ignore_addr
))
754 if (RCODE(header
) == REFUSED
&&
755 !option_bool(OPT_ORDER
) &&
756 forward
->forwardall
== 0)
757 /* for broken servers, attempt to send to another one. */
759 unsigned char *pheader
;
763 /* recreate query from reply */
764 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
767 header
->ancount
= htons(0);
768 header
->nscount
= htons(0);
769 header
->arcount
= htons(0);
770 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
772 header
->hb3
&= ~(HB3_QR
| HB3_TC
);
773 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
, 0, 0);
779 server
= forward
->sentto
;
780 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
782 if (RCODE(header
) == REFUSED
)
786 struct server
*last_server
;
788 /* find good server by address if possible, otherwise assume the last one we sent to */
789 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
790 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
791 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
793 server
= last_server
;
797 if (!option_bool(OPT_ALL_SERVERS
))
798 daemon
->last_server
= server
;
801 /* We tried resending to this server with a smaller maximum size and got an answer.
802 Make that permanent. To avoid reduxing the packet size for an single dropped packet,
803 only do this when we get a truncated answer, or one larger than the safe size. */
804 if (server
&& (forward
->flags
& FREC_TEST_PKTSZ
) &&
805 ((header
->hb3
& HB3_TC
) || n
>= SAFE_PKTSZ
))
806 server
->edns_pktsz
= SAFE_PKTSZ
;
808 /* If the answer is an error, keep the forward record in place in case
809 we get a good reply from another server. Kill it when we've
810 had replies from all to avoid filling the forwarding table when
811 everything is broken */
812 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 || RCODE(header
) != SERVFAIL
)
814 int check_rebind
= 0, no_cache_dnssec
= 0, cache_secure
= 0, bogusanswer
= 0;
816 if (option_bool(OPT_NO_REBIND
))
817 check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
819 /* Don't cache replies where DNSSEC validation was turned off, either
820 the upstream server told us so, or the original query specified it. */
821 if ((header
->hb4
& HB4_CD
) || (forward
->flags
& FREC_CHECKING_DISABLED
))
825 if (server
&& option_bool(OPT_DNSSEC_VALID
) && !(forward
->flags
& FREC_CHECKING_DISABLED
))
829 /* We've had a reply already, which we're validating. Ignore this duplicate */
830 if (forward
->blocking_query
)
833 if (header
->hb3
& HB3_TC
)
835 /* Truncated answer can't be validated.
836 If this is an answer to a DNSSEC-generated query, we still
837 need to get the client to retry over TCP, so return
838 an answer with the TC bit set, even if the actual answer fits.
840 status
= STAT_TRUNCATED
;
842 else if (forward
->flags
& FREC_DNSKEY_QUERY
)
843 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
844 else if (forward
->flags
& FREC_DS_QUERY
)
846 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
847 /* Provably no DS, everything below is insecure, even if signatures are offered */
848 if (status
== STAT_NO_DS
)
849 /* We only cache sigs when we've validated a reply.
850 Avoid caching a reply with sigs if there's a vaildated break in the
851 DS chain, so we don't return replies from cache missing sigs. */
852 status
= STAT_INSECURE_DS
;
853 else if (status
== STAT_NO_NS
)
856 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
858 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
859 if (status
!= STAT_NEED_KEY
)
860 status
= do_check_sign(forward
, status
, now
, daemon
->namebuff
, daemon
->keyname
);
864 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
, NULL
);
865 if (status
== STAT_NO_SIG
)
867 if (option_bool(OPT_DNSSEC_NO_SIGN
))
868 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
870 status
= STAT_INSECURE
;
873 /* Can't validate, as we're missing key data. Put this
874 answer aside, whilst we get that. */
875 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
877 struct frec
*new, *orig
;
879 /* Free any saved query */
881 blockdata_free(forward
->stash
);
883 /* Now save reply pending receipt of key data */
884 if (!(forward
->stash
= blockdata_alloc((char *)header
, n
)))
886 forward
->stash_len
= n
;
889 /* Find the original query that started it all.... */
890 for (orig
= forward
; orig
->dependent
; orig
= orig
->dependent
);
892 if (--orig
->work_counter
== 0 || !(new = get_new_frec(now
, NULL
, 1)))
893 status
= STAT_INSECURE
;
897 struct frec
*next
= new->next
;
898 *new = *forward
; /* copy everything, then overwrite */
900 new->blocking_query
= NULL
;
901 new->sentto
= server
;
903 new->orig_domain
= NULL
;
907 new->flags
&= ~(FREC_DNSKEY_QUERY
| FREC_DS_QUERY
| FREC_CHECK_NOSIGN
);
909 new->dependent
= forward
; /* to find query awaiting new one. */
910 forward
->blocking_query
= new; /* for garbage cleaning */
911 /* validate routines leave name of required record in daemon->keyname */
912 if (status
== STAT_NEED_KEY
)
914 new->flags
|= FREC_DNSKEY_QUERY
;
915 nn
= dnssec_generate_query(header
, ((char *) header
) + daemon
->packet_buff_sz
,
916 daemon
->keyname
, forward
->class, T_DNSKEY
, &server
->addr
, server
->edns_pktsz
);
920 if (status
== STAT_NEED_DS_NEG
)
921 new->flags
|= FREC_CHECK_NOSIGN
;
923 new->flags
|= FREC_DS_QUERY
;
924 nn
= dnssec_generate_query(header
,((char *) header
) + daemon
->packet_buff_sz
,
925 daemon
->keyname
, forward
->class, T_DS
, &server
->addr
, server
->edns_pktsz
);
927 if ((hash
= hash_questions(header
, nn
, daemon
->namebuff
)))
928 memcpy(new->hash
, hash
, HASH_SIZE
);
929 new->new_id
= get_id();
930 header
->id
= htons(new->new_id
);
931 /* Save query for retransmission */
932 if (!(new->stash
= blockdata_alloc((char *)header
, nn
)))
937 /* Don't resend this. */
938 daemon
->srv_save
= NULL
;
941 fd
= server
->sfd
->fd
;
946 if (server
->addr
.sa
.sa_family
== AF_INET6
)
948 if (new->rfd6
|| (new->rfd6
= allocate_rfd(AF_INET6
)))
954 if (new->rfd4
|| (new->rfd4
= allocate_rfd(AF_INET
)))
961 while (retry_send(sendto(fd
, (char *)header
, nn
, 0,
963 sa_len(&server
->addr
))));
971 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
972 Now wind back down, pulling back answers which wouldn't previously validate
973 and validate them with the new data. Note that if an answer needs multiple
974 keys to validate, we may find another key is needed, in which case we set off
975 down another branch of the tree. Once we get to the original answer
976 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
977 while (forward
->dependent
)
979 struct frec
*prev
= forward
->dependent
;
982 forward
->blocking_query
= NULL
; /* already gone */
983 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
984 n
= forward
->stash_len
;
986 if (status
== STAT_SECURE
)
988 if (forward
->flags
& FREC_DNSKEY_QUERY
)
989 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
990 else if (forward
->flags
& FREC_DS_QUERY
)
992 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
993 /* Provably no DS, everything below is insecure, even if signatures are offered */
994 if (status
== STAT_NO_DS
)
995 /* We only cache sigs when we've validated a reply.
996 Avoid caching a reply with sigs if there's a vaildated break in the
997 DS chain, so we don't return replies from cache missing sigs. */
998 status
= STAT_INSECURE_DS
;
999 else if (status
== STAT_NO_NS
)
1000 status
= STAT_BOGUS
;
1002 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
1004 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
1005 if (status
!= STAT_NEED_KEY
)
1006 status
= do_check_sign(forward
, status
, now
, daemon
->namebuff
, daemon
->keyname
);
1010 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
, NULL
);
1011 if (status
== STAT_NO_SIG
)
1013 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1014 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
1016 status
= STAT_INSECURE
;
1020 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
1025 no_cache_dnssec
= 0;
1027 if (status
== STAT_INSECURE_DS
)
1029 /* We only cache sigs when we've validated a reply.
1030 Avoid caching a reply with sigs if there's a vaildated break in the
1031 DS chain, so we don't return replies from cache missing sigs. */
1032 status
= STAT_INSECURE
;
1033 no_cache_dnssec
= 1;
1036 if (status
== STAT_TRUNCATED
)
1037 header
->hb3
|= HB3_TC
;
1040 char *result
, *domain
= "result";
1042 if (forward
->work_counter
== 0)
1044 result
= "ABANDONED";
1045 status
= STAT_BOGUS
;
1048 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
1050 if (status
== STAT_BOGUS
&& extract_request(header
, n
, daemon
->namebuff
, NULL
))
1051 domain
= daemon
->namebuff
;
1053 log_query(F_KEYTAG
| F_SECSTAT
, domain
, NULL
, result
);
1056 if (status
== STAT_SECURE
)
1058 else if (status
== STAT_BOGUS
)
1060 no_cache_dnssec
= 1;
1066 /* restore CD bit to the value in the query */
1067 if (forward
->flags
& FREC_CHECKING_DISABLED
)
1068 header
->hb4
|= HB4_CD
;
1070 header
->hb4
&= ~HB4_CD
;
1072 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, no_cache_dnssec
, cache_secure
, bogusanswer
,
1073 forward
->flags
& FREC_AD_QUESTION
, forward
->flags
& FREC_DO_QUESTION
,
1074 forward
->flags
& FREC_ADDED_PHEADER
, forward
->flags
& FREC_HAS_SUBNET
, &forward
->source
)))
1076 header
->id
= htons(forward
->orig_id
);
1077 header
->hb4
|= HB4_RA
; /* recursion if available */
1078 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
1079 &forward
->source
, &forward
->dest
, forward
->iface
);
1081 free_frec(forward
); /* cancel */
1086 void receive_query(struct listener
*listen
, time_t now
)
1088 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
1089 union mysockaddr source_addr
;
1090 unsigned short type
;
1091 struct all_addr dst_addr
;
1092 struct in_addr netmask
, dst_addr_4
;
1095 int if_index
= 0, auth_dns
= 0;
1099 struct iovec iov
[1];
1101 struct cmsghdr
*cmptr
;
1103 struct cmsghdr align
; /* this ensures alignment */
1105 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
1107 #if defined(HAVE_LINUX_NETWORK)
1108 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
1109 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1110 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1111 CMSG_SPACE(sizeof(unsigned int))];
1112 #elif defined(IP_RECVDSTADDR)
1113 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1114 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
1118 /* Can always get recvd interface for IPv6 */
1119 int check_dst
= !option_bool(OPT_NOWILD
) || listen
->family
== AF_INET6
;
1121 int check_dst
= !option_bool(OPT_NOWILD
);
1124 /* packet buffer overwritten */
1125 daemon
->srv_save
= NULL
;
1127 dst_addr_4
.s_addr
= dst_addr
.addr
.addr4
.s_addr
= 0;
1130 if (option_bool(OPT_NOWILD
) && listen
->iface
)
1132 auth_dns
= listen
->iface
->dns_auth
;
1134 if (listen
->family
== AF_INET
)
1136 dst_addr_4
= dst_addr
.addr
.addr4
= listen
->iface
->addr
.in
.sin_addr
;
1137 netmask
= listen
->iface
->netmask
;
1141 iov
[0].iov_base
= daemon
->packet
;
1142 iov
[0].iov_len
= daemon
->edns_pktsz
;
1144 msg
.msg_control
= control_u
.control
;
1145 msg
.msg_controllen
= sizeof(control_u
);
1147 msg
.msg_name
= &source_addr
;
1148 msg
.msg_namelen
= sizeof(source_addr
);
1152 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
1155 if (n
< (int)sizeof(struct dns_header
) ||
1156 (msg
.msg_flags
& MSG_TRUNC
) ||
1157 (header
->hb3
& HB3_QR
))
1160 source_addr
.sa
.sa_family
= listen
->family
;
1162 if (listen
->family
== AF_INET
)
1164 /* Source-port == 0 is an error, we can't send back to that.
1165 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1166 if (source_addr
.in
.sin_port
== 0)
1172 /* Source-port == 0 is an error, we can't send back to that. */
1173 if (source_addr
.in6
.sin6_port
== 0)
1175 source_addr
.in6
.sin6_flowinfo
= 0;
1179 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1180 if (option_bool(OPT_LOCAL_SERVICE
))
1182 struct addrlist
*addr
;
1184 if (listen
->family
== AF_INET6
)
1186 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1187 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1188 is_same_net6(&addr
->addr
.addr
.addr6
, &source_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1194 struct in_addr netmask
;
1195 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1197 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1198 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1199 is_same_net(addr
->addr
.addr
.addr4
, source_addr
.in
.sin_addr
, netmask
))
1205 static int warned
= 0;
1208 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1219 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
1222 #if defined(HAVE_LINUX_NETWORK)
1223 if (listen
->family
== AF_INET
)
1224 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1225 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
1229 struct in_pktinfo
*p
;
1231 p
.c
= CMSG_DATA(cmptr
);
1232 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
1233 if_index
= p
.p
->ipi_ifindex
;
1235 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1236 if (listen
->family
== AF_INET
)
1238 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1244 #ifndef HAVE_SOLARIS_NETWORK
1245 struct sockaddr_dl
*s
;
1248 p
.c
= CMSG_DATA(cmptr
);
1249 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
1250 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
1251 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
1252 #ifdef HAVE_SOLARIS_NETWORK
1255 if_index
= p
.s
->sdl_index
;
1262 if (listen
->family
== AF_INET6
)
1264 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1265 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
1269 struct in6_pktinfo
*p
;
1271 p
.c
= CMSG_DATA(cmptr
);
1273 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
1274 if_index
= p
.p
->ipi6_ifindex
;
1279 /* enforce available interface configuration */
1281 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
))
1284 if (!iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
1286 if (!option_bool(OPT_CLEVERBIND
))
1287 enumerate_interfaces(0);
1288 if (!loopback_exception(listen
->fd
, listen
->family
, &dst_addr
, ifr
.ifr_name
) &&
1289 !label_exception(if_index
, listen
->family
, &dst_addr
))
1293 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
1297 /* get the netmask of the interface whch has the address we were sent to.
1298 This is no neccessarily the interface we arrived on. */
1300 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1301 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1302 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1305 /* interface may be new */
1306 if (!iface
&& !option_bool(OPT_CLEVERBIND
))
1307 enumerate_interfaces(0);
1309 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1310 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1311 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1314 /* If we failed, abandon localisation */
1316 netmask
= iface
->netmask
;
1318 dst_addr_4
.s_addr
= 0;
1322 /* log_query gets called indirectly all over the place, so
1323 pass these in global variables - sorry. */
1324 daemon
->log_display_id
= ++daemon
->log_id
;
1325 daemon
->log_source_addr
= &source_addr
;
1327 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
1330 struct auth_zone
*zone
;
1332 char *types
= querystr(auth_dns
? "auth" : "query", type
);
1334 if (listen
->family
== AF_INET
)
1335 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1336 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
1339 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1340 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
1344 /* find queries for zones we're authoritative for, and answer them directly */
1346 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1347 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1356 /* Check for forwarding loop */
1357 if (detect_loop(daemon
->namebuff
, type
))
1365 m
= answer_auth(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
, now
, &source_addr
, local_auth
);
1368 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1369 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1370 daemon
->auth_answer
++;
1376 int ad_reqd
, do_bit
;
1377 m
= answer_request(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
,
1378 dst_addr_4
, netmask
, now
, &ad_reqd
, &do_bit
);
1382 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1383 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1384 daemon
->local_answer
++;
1386 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
1387 header
, (size_t)n
, now
, NULL
, ad_reqd
, do_bit
))
1388 daemon
->queries_forwarded
++;
1390 daemon
->local_answer
++;
1396 /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1397 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1398 STAT_NEED_DS_NEG and keyname if we need to do the query. */
1399 static int send_check_sign(struct frec
*forward
, time_t now
, struct dns_header
*header
, size_t plen
,
1400 char *name
, char *keyname
)
1402 int status
= dnssec_chase_cname(now
, header
, plen
, name
, keyname
);
1404 if (status
!= STAT_INSECURE
)
1407 /* Store the domain we're trying to check. */
1408 forward
->name_start
= strlen(name
);
1409 forward
->name_len
= forward
->name_start
+ 1;
1410 if (!(forward
->orig_domain
= blockdata_alloc(name
, forward
->name_len
)))
1413 return do_check_sign(forward
, 0, now
, name
, keyname
);
1416 /* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1417 static int do_check_sign(struct frec
*forward
, int status
, time_t now
, char *name
, char *keyname
)
1419 /* get domain we're checking back from blockdata store, it's stored on the original query. */
1420 while (forward
->dependent
)
1421 forward
= forward
->dependent
;
1423 blockdata_retrieve(forward
->orig_domain
, forward
->name_len
, name
);
1433 /* Haven't received answer, see if in cache */
1434 if (!(crecp
= cache_find_by_name(NULL
, &name
[forward
->name_start
], now
, F_DS
)))
1436 /* put name of DS record we're missing into keyname */
1437 strcpy(keyname
, &name
[forward
->name_start
]);
1438 /* and wait for reply to arrive */
1439 return STAT_NEED_DS_NEG
;
1442 /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1443 if (!(crecp
->flags
& F_NEG
))
1444 status
= STAT_SECURE
;
1445 else if (crecp
->flags
& F_DNSSECOK
)
1446 status
= STAT_NO_DS
;
1448 status
= STAT_NO_NS
;
1451 /* Have entered non-signed part of DNS tree. */
1452 if (status
== STAT_NO_DS
)
1453 return STAT_INSECURE
;
1455 if (status
== STAT_BOGUS
)
1458 /* There's a proven DS record, or we're within a zone, where there doesn't need
1459 to be a DS record. Add a name and try again.
1460 If we've already tried the whole name, then fail */
1462 if (forward
->name_start
== 0)
1465 for (p
= &name
[forward
->name_start
-2]; (*p
!= '.') && (p
!= name
); p
--);
1470 forward
->name_start
= p
- name
;
1471 status
= 0; /* force to cache when we iterate. */
1475 /* Move down from the root, until we find a signed non-existance of a DS, in which case
1476 an unsigned answer is OK, or we find a signed DS, in which case there should be
1477 a signature, and the answer is BOGUS */
1478 static int tcp_check_for_unsigned_zone(time_t now
, struct dns_header
*header
, size_t plen
, int class, char *name
,
1479 char *keyname
, struct server
*server
, int *keycount
)
1482 unsigned char *packet
, *payload
;
1484 int status
, name_len
;
1485 struct blockdata
*block
;
1489 /* Get first insecure entry in CNAME chain */
1490 status
= tcp_key_recurse(now
, STAT_CHASE_CNAME
, header
, plen
, class, name
, keyname
, server
, keycount
);
1491 if (status
== STAT_BOGUS
)
1494 if (!(packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
))))
1497 payload
= &packet
[2];
1498 header
= (struct dns_header
*)payload
;
1499 length
= (u16
*)packet
;
1501 /* Stash the name away, since the buffer will be trashed when we recurse */
1502 name_len
= strlen(name
) + 1;
1503 name_start
= name
+ name_len
- 1;
1505 if (!(block
= blockdata_alloc(name
, name_len
)))
1513 unsigned char c1
, c2
;
1516 if (--(*keycount
) == 0)
1519 blockdata_free(block
);
1523 while ((crecp
= cache_find_by_name(NULL
, name_start
, now
, F_DS
)))
1525 if ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
))
1527 /* Found a secure denial of DS - delegation is indeed insecure */
1529 blockdata_free(block
);
1530 return STAT_INSECURE
;
1533 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1534 Add another label and continue. */
1536 if (name_start
== name
)
1539 blockdata_free(block
);
1540 return STAT_BOGUS
; /* run out of labels */
1544 while (*name_start
!= '.' && name_start
!= name
)
1546 if (name_start
!= name
)
1550 /* Can't find it in the cache, have to send a query */
1552 m
= dnssec_generate_query(header
, ((char *) header
) + 65536, name_start
, class, T_DS
, &server
->addr
, server
->edns_pktsz
);
1556 if (read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) &&
1557 read_write(server
->tcpfd
, &c1
, 1, 1) &&
1558 read_write(server
->tcpfd
, &c2
, 1, 1) &&
1559 read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1563 /* Note this trashes all three name workspaces */
1564 status
= tcp_key_recurse(now
, STAT_NEED_DS_NEG
, header
, m
, class, name
, keyname
, server
, keycount
);
1566 if (status
== STAT_NO_DS
)
1568 /* Found a secure denial of DS - delegation is indeed insecure */
1570 blockdata_free(block
);
1571 return STAT_INSECURE
;
1574 if (status
== STAT_BOGUS
)
1577 blockdata_free(block
);
1581 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1582 Add another label and continue. */
1584 /* Get name we're checking back. */
1585 blockdata_retrieve(block
, name_len
, name
);
1587 if (name_start
== name
)
1590 blockdata_free(block
);
1591 return STAT_BOGUS
; /* run out of labels */
1595 while (*name_start
!= '.' && name_start
!= name
)
1597 if (name_start
!= name
)
1604 blockdata_free(block
);
1605 return STAT_BOGUS
; /* run out of labels */
1610 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
1611 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
)
1613 /* Recurse up the key heirarchy */
1616 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1617 if (--(*keycount
) == 0)
1618 return STAT_INSECURE
;
1620 if (status
== STAT_NEED_KEY
)
1621 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1622 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1624 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1625 if (status
== STAT_NEED_DS
)
1627 if (new_status
== STAT_NO_DS
)
1628 new_status
= STAT_INSECURE_DS
;
1629 else if (new_status
== STAT_NO_NS
)
1630 new_status
= STAT_BOGUS
;
1633 else if (status
== STAT_CHASE_CNAME
)
1634 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1637 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
, NULL
);
1639 if (new_status
== STAT_NO_SIG
)
1641 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1642 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1644 new_status
= STAT_INSECURE
;
1648 /* Can't validate because we need a key/DS whose name now in keyname.
1649 Make query for same, and recurse to validate */
1650 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1653 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1654 unsigned char *payload
= &packet
[2];
1655 struct dns_header
*new_header
= (struct dns_header
*)payload
;
1656 u16
*length
= (u16
*)packet
;
1657 unsigned char c1
, c2
;
1660 return STAT_INSECURE
;
1663 m
= dnssec_generate_query(new_header
, ((char *) new_header
) + 65536, keyname
, class,
1664 new_status
== STAT_NEED_KEY
? T_DNSKEY
: T_DS
, &server
->addr
, server
->edns_pktsz
);
1668 if (!read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) ||
1669 !read_write(server
->tcpfd
, &c1
, 1, 1) ||
1670 !read_write(server
->tcpfd
, &c2
, 1, 1) ||
1671 !read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1672 new_status
= STAT_INSECURE
;
1677 new_status
= tcp_key_recurse(now
, new_status
, new_header
, m
, class, name
, keyname
, server
, keycount
);
1679 if (new_status
== STAT_SECURE
)
1681 /* Reached a validated record, now try again at this level.
1682 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1683 If so, go round again. */
1685 if (status
== STAT_NEED_KEY
)
1686 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1687 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1689 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1690 if (status
== STAT_NEED_DS
)
1692 if (new_status
== STAT_NO_DS
)
1693 new_status
= STAT_INSECURE_DS
;
1694 else if (new_status
== STAT_NO_NS
)
1695 new_status
= STAT_BOGUS
; /* Validated no DS */
1698 else if (status
== STAT_CHASE_CNAME
)
1699 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1702 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
, NULL
);
1704 if (new_status
== STAT_NO_SIG
)
1706 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1707 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1709 new_status
= STAT_INSECURE
;
1713 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1714 goto another_tcp_key
;
1725 /* The daemon forks before calling this: it should deal with one connection,
1726 blocking as neccessary, and then return. Note, need to be a bit careful
1727 about resources for debug mode, when the fork is suppressed: that's
1728 done by the caller. */
1729 unsigned char *tcp_request(int confd
, time_t now
,
1730 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
1737 int checking_disabled
, ad_question
, do_bit
, added_pheader
= 0;
1738 int check_subnet
, no_cache_dnssec
= 0, cache_secure
= 0, bogusanswer
= 0;
1740 unsigned short qtype
;
1741 unsigned int gotname
;
1742 unsigned char c1
, c2
;
1743 /* Max TCP packet + slop + size */
1744 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1745 unsigned char *payload
= &packet
[2];
1746 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1747 struct dns_header
*header
= (struct dns_header
*)payload
;
1748 u16
*length
= (u16
*)packet
;
1749 struct server
*last_server
;
1750 struct in_addr dst_addr_4
;
1751 union mysockaddr peer_addr
;
1752 socklen_t peer_len
= sizeof(union mysockaddr
);
1753 int query_count
= 0;
1755 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
1758 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1759 if (option_bool(OPT_LOCAL_SERVICE
))
1761 struct addrlist
*addr
;
1763 if (peer_addr
.sa
.sa_family
== AF_INET6
)
1765 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1766 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1767 is_same_net6(&addr
->addr
.addr
.addr6
, &peer_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1773 struct in_addr netmask
;
1774 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1776 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1777 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1778 is_same_net(addr
->addr
.addr
.addr4
, peer_addr
.in
.sin_addr
, netmask
))
1784 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1791 if (query_count
== TCP_MAX_QUERIES
||
1793 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
1794 !(size
= c1
<< 8 | c2
) ||
1795 !read_write(confd
, payload
, size
, 1))
1798 if (size
< (int)sizeof(struct dns_header
))
1803 /* log_query gets called indirectly all over the place, so
1804 pass these in global variables - sorry. */
1805 daemon
->log_display_id
= ++daemon
->log_id
;
1806 daemon
->log_source_addr
= &peer_addr
;
1810 /* save state of "cd" flag in query */
1811 if ((checking_disabled
= header
->hb4
& HB4_CD
))
1812 no_cache_dnssec
= 1;
1814 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1817 struct auth_zone
*zone
;
1819 char *types
= querystr(auth_dns
? "auth" : "query", qtype
);
1821 if (peer_addr
.sa
.sa_family
== AF_INET
)
1822 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1823 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
1826 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1827 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
1831 /* find queries for zones we're authoritative for, and answer them directly */
1833 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1834 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1843 if (local_addr
->sa
.sa_family
== AF_INET
)
1844 dst_addr_4
= local_addr
->in
.sin_addr
;
1846 dst_addr_4
.s_addr
= 0;
1850 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
, local_auth
);
1854 /* m > 0 if answered from cache */
1855 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
1856 dst_addr_4
, netmask
, now
, &ad_question
, &do_bit
);
1858 /* Do this by steam now we're not in the select() loop */
1859 check_log_writer(NULL
);
1863 unsigned int flags
= 0;
1864 struct all_addr
*addrp
= NULL
;
1866 char *domain
= NULL
;
1868 if (option_bool(OPT_ADD_MAC
))
1869 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1871 if (option_bool(OPT_CLIENT_SUBNET
))
1873 size_t new = add_source_addr(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1882 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
1884 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
1885 last_server
= daemon
->servers
;
1887 last_server
= daemon
->last_server
;
1889 if (!flags
&& last_server
)
1891 struct server
*firstsendto
= NULL
;
1893 unsigned char *newhash
, hash
[HASH_SIZE
];
1894 if ((newhash
= hash_questions(header
, (unsigned int)size
, daemon
->namebuff
)))
1895 memcpy(hash
, newhash
, HASH_SIZE
);
1897 memset(hash
, 0, HASH_SIZE
);
1899 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
1901 /* Loop round available servers until we succeed in connecting to one.
1902 Note that this code subtley ensures that consecutive queries on this connection
1903 which can go to the same server, do so. */
1907 firstsendto
= last_server
;
1910 if (!(last_server
= last_server
->next
))
1911 last_server
= daemon
->servers
;
1913 if (last_server
== firstsendto
)
1917 /* server for wrong domain */
1918 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
1919 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)) ||
1920 (last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
1923 if (last_server
->tcpfd
== -1)
1925 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
1928 #ifdef HAVE_CONNTRACK
1929 /* Copy connection mark of incoming query to outgoing connection. */
1930 if (option_bool(OPT_CONNTRACK
))
1933 struct all_addr local
;
1935 if (local_addr
->sa
.sa_family
== AF_INET6
)
1936 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
1939 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
1941 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
1942 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
1946 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
1947 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
1949 close(last_server
->tcpfd
);
1950 last_server
->tcpfd
= -1;
1955 if (option_bool(OPT_DNSSEC_VALID
))
1957 size_t new_size
= add_do_bit(header
, size
, ((char *) header
) + 65536);
1959 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1960 this allows it to select auth servers when one is returning bad data. */
1961 if (option_bool(OPT_DNSSEC_DEBUG
))
1962 header
->hb4
|= HB4_CD
;
1964 if (size
!= new_size
)
1972 *length
= htons(size
);
1974 /* get query name again for logging - may have been overwritten */
1975 if (!(gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1976 strcpy(daemon
->namebuff
, "query");
1978 if (!read_write(last_server
->tcpfd
, packet
, size
+ sizeof(u16
), 0) ||
1979 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
1980 !read_write(last_server
->tcpfd
, &c2
, 1, 1) ||
1981 !read_write(last_server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1983 close(last_server
->tcpfd
);
1984 last_server
->tcpfd
= -1;
1990 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
1991 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1992 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
1995 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1996 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
2000 if (option_bool(OPT_DNSSEC_VALID
) && !checking_disabled
)
2002 int keycount
= DNSSEC_WORK
; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
2003 int status
= tcp_key_recurse(now
, STAT_TRUNCATED
, header
, m
, 0, daemon
->namebuff
, daemon
->keyname
, last_server
, &keycount
);
2004 char *result
, *domain
= "result";
2006 if (status
== STAT_INSECURE_DS
)
2008 /* We only cache sigs when we've validated a reply.
2009 Avoid caching a reply with sigs if there's a vaildated break in the
2010 DS chain, so we don't return replies from cache missing sigs. */
2011 status
= STAT_INSECURE
;
2012 no_cache_dnssec
= 1;
2017 result
= "ABANDONED";
2018 status
= STAT_BOGUS
;
2021 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
2023 if (status
== STAT_BOGUS
&& extract_request(header
, m
, daemon
->namebuff
, NULL
))
2024 domain
= daemon
->namebuff
;
2026 log_query(F_KEYTAG
| F_SECSTAT
, domain
, NULL
, result
);
2028 if (status
== STAT_BOGUS
)
2030 no_cache_dnssec
= 1;
2034 if (status
== STAT_SECURE
)
2039 /* restore CD bit to the value in the query */
2040 if (checking_disabled
)
2041 header
->hb4
|= HB4_CD
;
2043 header
->hb4
&= ~HB4_CD
;
2045 /* There's no point in updating the cache, since this process will exit and
2046 lose the information after a few queries. We make this call for the alias and
2047 bogus-nxdomain side-effects. */
2048 /* If the crc of the question section doesn't match the crc we sent, then
2049 someone might be attempting to insert bogus values into the cache by
2050 sending replies containing questions and bogus answers. */
2052 newhash
= hash_questions(header
, (unsigned int)m
, daemon
->namebuff
);
2053 if (!newhash
|| memcmp(hash
, newhash
, HASH_SIZE
) != 0)
2059 if (crc
!= questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
2066 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
2067 option_bool(OPT_NO_REBIND
) && !norebind
, no_cache_dnssec
, cache_secure
, bogusanswer
,
2068 ad_question
, do_bit
, added_pheader
, check_subnet
, &peer_addr
);
2074 /* In case of local answer or no connections made. */
2076 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
2080 check_log_writer(NULL
);
2084 if (m
== 0 || !read_write(confd
, packet
, m
+ sizeof(u16
), 0))
2089 static struct frec
*allocate_frec(time_t now
)
2093 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
2095 f
->next
= daemon
->frec_list
;
2104 f
->dependent
= NULL
;
2105 f
->blocking_query
= NULL
;
2107 f
->orig_domain
= NULL
;
2109 daemon
->frec_list
= f
;
2115 struct randfd
*allocate_rfd(int family
)
2117 static int finger
= 0;
2120 /* limit the number of sockets we have open to avoid starvation of
2121 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2123 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
2124 if (daemon
->randomsocks
[i
].refcount
== 0)
2126 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
2129 daemon
->randomsocks
[i
].refcount
= 1;
2130 daemon
->randomsocks
[i
].family
= family
;
2131 return &daemon
->randomsocks
[i
];
2134 /* No free ones or cannot get new socket, grab an existing one */
2135 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
2137 int j
= (i
+finger
) % RANDOM_SOCKS
;
2138 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
2139 daemon
->randomsocks
[j
].family
== family
&&
2140 daemon
->randomsocks
[j
].refcount
!= 0xffff)
2143 daemon
->randomsocks
[j
].refcount
++;
2144 return &daemon
->randomsocks
[j
];
2148 return NULL
; /* doom */
2151 void free_rfd(struct randfd
*rfd
)
2153 if (rfd
&& --(rfd
->refcount
) == 0)
2157 static void free_frec(struct frec
*f
)
2172 blockdata_free(f
->stash
);
2178 blockdata_free(f
->orig_domain
);
2179 f
->orig_domain
= NULL
;
2182 /* Anything we're waiting on is pointless now, too */
2183 if (f
->blocking_query
)
2184 free_frec(f
->blocking_query
);
2185 f
->blocking_query
= NULL
;
2186 f
->dependent
= NULL
;
2190 /* if wait==NULL return a free or older than TIMEOUT record.
2191 else return *wait zero if one available, or *wait is delay to
2192 when the oldest in-use record will expire. Impose an absolute
2193 limit of 4*TIMEOUT before we wipe things (for random sockets).
2194 If force is set, always return a result, even if we have
2195 to allocate above the limit. */
2196 struct frec
*get_new_frec(time_t now
, int *wait
, int force
)
2198 struct frec
*f
, *oldest
, *target
;
2204 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
2209 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
2215 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
2225 /* can't find empty one, use oldest if there is one
2226 and it's older than timeout */
2227 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
2229 /* keep stuff for twice timeout if we can by allocating a new
2231 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
2232 count
<= daemon
->ftabsize
&&
2233 (f
= allocate_frec(now
)))
2244 /* none available, calculate time 'till oldest record expires */
2245 if (!force
&& count
> daemon
->ftabsize
)
2247 static time_t last_log
= 0;
2250 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
2252 if ((int)difftime(now
, last_log
) > 5)
2255 my_syslog(LOG_WARNING
, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon
->ftabsize
);
2261 if (!(f
= allocate_frec(now
)) && wait
)
2262 /* wait one second on malloc failure */
2265 return f
; /* OK if malloc fails and this is NULL */
2268 /* crc is all-ones if not known. */
2269 static struct frec
*lookup_frec(unsigned short id
, void *hash
)
2273 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2274 if (f
->sentto
&& f
->new_id
== id
&&
2275 (!hash
|| memcmp(hash
, f
->hash
, HASH_SIZE
) == 0))
2281 static struct frec
*lookup_frec_by_sender(unsigned short id
,
2282 union mysockaddr
*addr
,
2287 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2290 memcmp(hash
, f
->hash
, HASH_SIZE
) == 0 &&
2291 sockaddr_isequal(&f
->source
, addr
))
2297 /* Send query packet again, if we can. */
2300 if (daemon
->srv_save
)
2304 if (daemon
->srv_save
->sfd
)
2305 fd
= daemon
->srv_save
->sfd
->fd
;
2306 else if (daemon
->rfd_save
&& daemon
->rfd_save
->refcount
!= 0)
2307 fd
= daemon
->rfd_save
->fd
;
2311 while(retry_send(sendto(fd
, daemon
->packet
, daemon
->packet_len
, 0,
2312 &daemon
->srv_save
->addr
.sa
,
2313 sa_len(&daemon
->srv_save
->addr
))));
2317 /* A server record is going away, remove references to it */
2318 void server_gone(struct server
*server
)
2322 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
2323 if (f
->sentto
&& f
->sentto
== server
)
2326 if (daemon
->last_server
== server
)
2327 daemon
->last_server
= NULL
;
2329 if (daemon
->srv_save
== server
)
2330 daemon
->srv_save
= NULL
;
2333 /* return unique random ids. */
2334 static unsigned short get_id(void)
2336 unsigned short ret
= 0;
2340 while (lookup_frec(ret
, NULL
));