]> git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
projects / people / ms / dnsmasq.git / blob
? search:


7c0fa8da3fdf611d6464f49fed5f812edc845ee4
[people/ms/dnsmasq.git] / src / forward.c
1 /* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
12
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16
17 #include "dnsmasq.h"
18
19 static struct frec *lookup_frec(unsigned short id, void *hash);
20 static struct frec *lookup_frec_by_sender(unsigned short id,
21 union mysockaddr *addr,
22 void *hash);
23 static unsigned short get_id(void);
24 static void free_frec(struct frec *f);
25
26 #ifdef HAVE_DNSSEC
27 static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
28 int class, char *name, char *keyname, struct server *server, int *keycount);
29 static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname);
30 static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
31 char *name, char *keyname);
32 #endif
33
34
35 /* Send a UDP packet with its source address set as "source"
36 unless nowild is true, when we just send it with the kernel default */
37 int send_from(int fd, int nowild, char *packet, size_t len,
38 union mysockaddr *to, struct all_addr *source,
39 unsigned int iface)
40 {
41 struct msghdr msg;
42 struct iovec iov[1];
43 union {
44 struct cmsghdr align; /* this ensures alignment */
45 #if defined(HAVE_LINUX_NETWORK)
46 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
47 #elif defined(IP_SENDSRCADDR)
48 char control[CMSG_SPACE(sizeof(struct in_addr))];
49 #endif
50 #ifdef HAVE_IPV6
51 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
52 #endif
53 } control_u;
54
55 iov[0].iov_base = packet;
56 iov[0].iov_len = len;
57
58 msg.msg_control = NULL;
59 msg.msg_controllen = 0;
60 msg.msg_flags = 0;
61 msg.msg_name = to;
62 msg.msg_namelen = sa_len(to);
63 msg.msg_iov = iov;
64 msg.msg_iovlen = 1;
65
66 if (!nowild)
67 {
68 struct cmsghdr *cmptr;
69 msg.msg_control = &control_u;
70 msg.msg_controllen = sizeof(control_u);
71 cmptr = CMSG_FIRSTHDR(&msg);
72
73 if (to->sa.sa_family == AF_INET)
74 {
75 #if defined(HAVE_LINUX_NETWORK)
76 struct in_pktinfo p;
77 p.ipi_ifindex = 0;
78 p.ipi_spec_dst = source->addr.addr4;
79 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
80 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
81 cmptr->cmsg_level = IPPROTO_IP;
82 cmptr->cmsg_type = IP_PKTINFO;
83 #elif defined(IP_SENDSRCADDR)
84 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
85 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
86 cmptr->cmsg_level = IPPROTO_IP;
87 cmptr->cmsg_type = IP_SENDSRCADDR;
88 #endif
89 }
90 else
91 #ifdef HAVE_IPV6
92 {
93 struct in6_pktinfo p;
94 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
95 p.ipi6_addr = source->addr.addr6;
96 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
97 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
98 cmptr->cmsg_type = daemon->v6pktinfo;
99 cmptr->cmsg_level = IPPROTO_IPV6;
100 }
101 #else
102 (void)iface; /* eliminate warning */
103 #endif
104 }
105
106 while (retry_send(sendmsg(fd, &msg, 0)));
107
108 /* If interface is still in DAD, EINVAL results - ignore that. */
109 if (errno != 0 && errno != EINVAL)
110 {
111 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
112 return 0;
113 }
114
115 return 1;
116 }
117
118 static unsigned int search_servers(time_t now, struct all_addr **addrpp,
119 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
120
121 {
122 /* If the query ends in the domain in one of our servers, set
123 domain to point to that name. We find the largest match to allow both
124 domain.org and sub.domain.org to exist. */
125
126 unsigned int namelen = strlen(qdomain);
127 unsigned int matchlen = 0;
128 struct server *serv;
129 unsigned int flags = 0;
130
131 for (serv = daemon->servers; serv; serv=serv->next)
132 /* domain matches take priority over NODOTS matches */
133 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
134 {
135 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
136 *type = SERV_FOR_NODOTS;
137 if (serv->flags & SERV_NO_ADDR)
138 flags = F_NXDOMAIN;
139 else if (serv->flags & SERV_LITERAL_ADDRESS)
140 {
141 if (sflag & qtype)
142 {
143 flags = sflag;
144 if (serv->addr.sa.sa_family == AF_INET)
145 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
146 #ifdef HAVE_IPV6
147 else
148 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
149 #endif
150 }
151 else if (!flags || (flags & F_NXDOMAIN))
152 flags = F_NOERR;
153 }
154 }
155 else if (serv->flags & SERV_HAS_DOMAIN)
156 {
157 unsigned int domainlen = strlen(serv->domain);
158 char *matchstart = qdomain + namelen - domainlen;
159 if (namelen >= domainlen &&
160 hostname_isequal(matchstart, serv->domain) &&
161 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
162 {
163 if (serv->flags & SERV_NO_REBIND)
164 *norebind = 1;
165 else
166 {
167 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
168 /* implement priority rules for --address and --server for same domain.
169 --address wins if the address is for the correct AF
170 --server wins otherwise. */
171 if (domainlen != 0 && domainlen == matchlen)
172 {
173 if ((serv->flags & SERV_LITERAL_ADDRESS))
174 {
175 if (!(sflag & qtype) && flags == 0)
176 continue;
177 }
178 else
179 {
180 if (flags & (F_IPV4 | F_IPV6))
181 continue;
182 }
183 }
184
185 if (domainlen >= matchlen)
186 {
187 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
188 *domain = serv->domain;
189 matchlen = domainlen;
190 if (serv->flags & SERV_NO_ADDR)
191 flags = F_NXDOMAIN;
192 else if (serv->flags & SERV_LITERAL_ADDRESS)
193 {
194 if (sflag & qtype)
195 {
196 flags = sflag;
197 if (serv->addr.sa.sa_family == AF_INET)
198 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
199 #ifdef HAVE_IPV6
200 else
201 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
202 #endif
203 }
204 else if (!flags || (flags & F_NXDOMAIN))
205 flags = F_NOERR;
206 }
207 else
208 flags = 0;
209 }
210 }
211 }
212 }
213
214 if (flags == 0 && !(qtype & F_QUERY) &&
215 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
216 /* don't forward A or AAAA queries for simple names, except the empty name */
217 flags = F_NOERR;
218
219 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
220 flags = F_NOERR;
221
222 if (flags)
223 {
224 int logflags = 0;
225
226 if (flags == F_NXDOMAIN || flags == F_NOERR)
227 logflags = F_NEG | qtype;
228
229 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
230 }
231 else if ((*type) & SERV_USE_RESOLV)
232 {
233 *type = 0; /* use normal servers for this domain */
234 *domain = NULL;
235 }
236 return flags;
237 }
238
239 static int forward_query(int udpfd, union mysockaddr *udpaddr,
240 struct all_addr *dst_addr, unsigned int dst_iface,
241 struct dns_header *header, size_t plen, time_t now,
242 struct frec *forward, int ad_reqd, int do_bit)
243 {
244 char *domain = NULL;
245 int type = 0, norebind = 0;
246 struct all_addr *addrp = NULL;
247 unsigned int flags = 0;
248 struct server *start = NULL;
249 #ifdef HAVE_DNSSEC
250 void *hash = hash_questions(header, plen, daemon->namebuff);
251 #else
252 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
253 void *hash = &crc;
254 #endif
255 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
256
257 (void)do_bit;
258
259 /* may be no servers available. */
260 if (!daemon->servers)
261 forward = NULL;
262 else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
263 {
264 #ifdef HAVE_DNSSEC
265 /* If we've already got an answer to this query, but we're awaiting keys for validation,
266 there's no point retrying the query, retry the key query instead...... */
267 if (forward->blocking_query)
268 {
269 int fd;
270
271 while (forward->blocking_query)
272 forward = forward->blocking_query;
273
274 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
275 plen = forward->stash_len;
276
277 if (forward->sentto->addr.sa.sa_family == AF_INET)
278 log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
279 #ifdef HAVE_IPV6
280 else
281 log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
282 #endif
283
284 if (forward->sentto->sfd)
285 fd = forward->sentto->sfd->fd;
286 else
287 {
288 #ifdef HAVE_IPV6
289 if (forward->sentto->addr.sa.sa_family == AF_INET6)
290 fd = forward->rfd6->fd;
291 else
292 #endif
293 fd = forward->rfd4->fd;
294 }
295
296 while (retry_send( sendto(fd, (char *)header, plen, 0,
297 &forward->sentto->addr.sa,
298 sa_len(&forward->sentto->addr))));
299
300 return 1;
301 }
302 #endif
303
304 /* retry on existing query, send to all available servers */
305 domain = forward->sentto->domain;
306 forward->sentto->failed_queries++;
307 if (!option_bool(OPT_ORDER))
308 {
309 forward->forwardall = 1;
310 daemon->last_server = NULL;
311 }
312 type = forward->sentto->flags & SERV_TYPE;
313 if (!(start = forward->sentto->next))
314 start = daemon->servers; /* at end of list, recycle */
315 header->id = htons(forward->new_id);
316 }
317 else
318 {
319 if (gotname)
320 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
321
322 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
323 /* table full - server failure. */
324 flags = F_NEG;
325
326 if (forward)
327 {
328 forward->source = *udpaddr;
329 forward->dest = *dst_addr;
330 forward->iface = dst_iface;
331 forward->orig_id = ntohs(header->id);
332 forward->new_id = get_id();
333 forward->fd = udpfd;
334 memcpy(forward->hash, hash, HASH_SIZE);
335 forward->forwardall = 0;
336 forward->flags = 0;
337 if (norebind)
338 forward->flags |= FREC_NOREBIND;
339 if (header->hb4 & HB4_CD)
340 forward->flags |= FREC_CHECKING_DISABLED;
341 if (ad_reqd)
342 forward->flags |= FREC_AD_QUESTION;
343 #ifdef HAVE_DNSSEC
344 forward->work_counter = DNSSEC_WORK;
345 if (do_bit)
346 forward->flags |= FREC_DO_QUESTION;
347 #endif
348
349 header->id = htons(forward->new_id);
350
351 /* In strict_order mode, always try servers in the order
352 specified in resolv.conf, if a domain is given
353 always try all the available servers,
354 otherwise, use the one last known to work. */
355
356 if (type == 0)
357 {
358 if (option_bool(OPT_ORDER))
359 start = daemon->servers;
360 else if (!(start = daemon->last_server) ||
361 daemon->forwardcount++ > FORWARD_TEST ||
362 difftime(now, daemon->forwardtime) > FORWARD_TIME)
363 {
364 start = daemon->servers;
365 forward->forwardall = 1;
366 daemon->forwardcount = 0;
367 daemon->forwardtime = now;
368 }
369 }
370 else
371 {
372 start = daemon->servers;
373 if (!option_bool(OPT_ORDER))
374 forward->forwardall = 1;
375 }
376 }
377 }
378
379 /* check for send errors here (no route to host)
380 if we fail to send to all nameservers, send back an error
381 packet straight away (helps modem users when offline) */
382
383 if (!flags && forward)
384 {
385 struct server *firstsentto = start;
386 int forwarded = 0;
387
388 /* If a query is retried, use the log_id for the retry when logging the answer. */
389 forward->log_id = daemon->log_id;
390
391 if (option_bool(OPT_ADD_MAC))
392 plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
393
394 if (option_bool(OPT_CLIENT_SUBNET))
395 {
396 size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
397 if (new != plen)
398 {
399 plen = new;
400 forward->flags |= FREC_HAS_SUBNET;
401 }
402 }
403
404 #ifdef HAVE_DNSSEC
405 if (option_bool(OPT_DNSSEC_VALID))
406 {
407 size_t new_plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
408
409 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
410 this allows it to select auth servers when one is returning bad data. */
411 if (option_bool(OPT_DNSSEC_DEBUG))
412 header->hb4 |= HB4_CD;
413
414 if (new_plen != plen)
415 forward->flags |= FREC_ADDED_PHEADER;
416
417 plen = new_plen;
418 }
419 #endif
420
421 while (1)
422 {
423 /* only send to servers dealing with our domain.
424 domain may be NULL, in which case server->domain
425 must be NULL also. */
426
427 if (type == (start->flags & SERV_TYPE) &&
428 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
429 !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
430 {
431 int fd;
432
433 /* find server socket to use, may need to get random one. */
434 if (start->sfd)
435 fd = start->sfd->fd;
436 else
437 {
438 #ifdef HAVE_IPV6
439 if (start->addr.sa.sa_family == AF_INET6)
440 {
441 if (!forward->rfd6 &&
442 !(forward->rfd6 = allocate_rfd(AF_INET6)))
443 break;
444 daemon->rfd_save = forward->rfd6;
445 fd = forward->rfd6->fd;
446 }
447 else
448 #endif
449 {
450 if (!forward->rfd4 &&
451 !(forward->rfd4 = allocate_rfd(AF_INET)))
452 break;
453 daemon->rfd_save = forward->rfd4;
454 fd = forward->rfd4->fd;
455 }
456
457 #ifdef HAVE_CONNTRACK
458 /* Copy connection mark of incoming query to outgoing connection. */
459 if (option_bool(OPT_CONNTRACK))
460 {
461 unsigned int mark;
462 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
463 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
464 }
465 #endif
466 }
467
468 if (retry_send(sendto(fd, (char *)header, plen, 0,
469 &start->addr.sa,
470 sa_len(&start->addr))))
471 continue;
472
473 if (errno == 0)
474 {
475 /* Keep info in case we want to re-send this packet */
476 daemon->srv_save = start;
477 daemon->packet_len = plen;
478
479 if (!gotname)
480 strcpy(daemon->namebuff, "query");
481 if (start->addr.sa.sa_family == AF_INET)
482 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
483 (struct all_addr *)&start->addr.in.sin_addr, NULL);
484 #ifdef HAVE_IPV6
485 else
486 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
487 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
488 #endif
489 start->queries++;
490 forwarded = 1;
491 forward->sentto = start;
492 if (!forward->forwardall)
493 break;
494 forward->forwardall++;
495 }
496 }
497
498 if (!(start = start->next))
499 start = daemon->servers;
500
501 if (start == firstsentto)
502 break;
503 }
504
505 if (forwarded)
506 return 1;
507
508 /* could not send on, prepare to return */
509 header->id = htons(forward->orig_id);
510 free_frec(forward); /* cancel */
511 }
512
513 /* could not send on, return empty answer or address if known for whole domain */
514 if (udpfd != -1)
515 {
516 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
517 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
518 }
519
520 return 0;
521 }
522
523 static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
524 int no_cache, int cache_secure, int ad_reqd, int do_bit, int added_pheader, int check_subnet, union mysockaddr *query_source)
525 {
526 unsigned char *pheader, *sizep;
527 char **sets = 0;
528 int munged = 0, is_sign;
529 size_t plen;
530
531 (void)ad_reqd;
532 (void) do_bit;
533
534 #ifdef HAVE_IPSET
535 if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
536 {
537 /* Similar algorithm to search_servers. */
538 struct ipsets *ipset_pos;
539 unsigned int namelen = strlen(daemon->namebuff);
540 unsigned int matchlen = 0;
541 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
542 {
543 unsigned int domainlen = strlen(ipset_pos->domain);
544 char *matchstart = daemon->namebuff + namelen - domainlen;
545 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
546 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
547 domainlen >= matchlen)
548 {
549 matchlen = domainlen;
550 sets = ipset_pos->sets;
551 }
552 }
553 }
554 #endif
555
556 /* If upstream is advertising a larger UDP packet size
557 than we allow, trim it so that we don't get overlarge
558 requests for the client. We can't do this for signed packets. */
559
560 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
561 {
562 unsigned short udpsz;
563 unsigned char *psave = sizep;
564
565 GETSHORT(udpsz, sizep);
566
567 if (!is_sign && udpsz > daemon->edns_pktsz)
568 PUTSHORT(daemon->edns_pktsz, psave);
569
570 if (check_subnet && !check_source(header, plen, pheader, query_source))
571 {
572 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
573 return 0;
574 }
575
576 if (added_pheader)
577 {
578 pheader = 0;
579 header->arcount = htons(0);
580 }
581 }
582
583 /* RFC 4035 sect 4.6 para 3 */
584 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
585 header->hb4 &= ~HB4_AD;
586
587 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
588 return resize_packet(header, n, pheader, plen);
589
590 /* Complain loudly if the upstream server is non-recursive. */
591 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
592 server && !(server->flags & SERV_WARNED_RECURSIVE))
593 {
594 prettyprint_addr(&server->addr, daemon->namebuff);
595 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
596 if (!option_bool(OPT_LOG))
597 server->flags |= SERV_WARNED_RECURSIVE;
598 }
599
600 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
601 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
602 {
603 munged = 1;
604 SET_RCODE(header, NXDOMAIN);
605 header->hb3 &= ~HB3_AA;
606 cache_secure = 0;
607 }
608 else
609 {
610 int doctored = 0;
611
612 if (RCODE(header) == NXDOMAIN &&
613 extract_request(header, n, daemon->namebuff, NULL) &&
614 check_for_local_domain(daemon->namebuff, now))
615 {
616 /* if we forwarded a query for a locally known name (because it was for
617 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
618 since we know that the domain exists, even if upstream doesn't */
619 munged = 1;
620 header->hb3 |= HB3_AA;
621 SET_RCODE(header, NOERROR);
622 cache_secure = 0;
623 }
624
625 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
626 {
627 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
628 munged = 1;
629 cache_secure = 0;
630 }
631
632 if (doctored)
633 cache_secure = 0;
634 }
635
636 #ifdef HAVE_DNSSEC
637 if (no_cache && !(header->hb4 & HB4_CD))
638 {
639 if (!option_bool(OPT_DNSSEC_DEBUG))
640 {
641 /* Bogus reply, turn into SERVFAIL */
642 SET_RCODE(header, SERVFAIL);
643 munged = 1;
644 }
645 }
646
647 if (option_bool(OPT_DNSSEC_VALID))
648 header->hb4 &= ~HB4_AD;
649
650 if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
651 header->hb4 |= HB4_AD;
652
653 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
654 if (!do_bit)
655 n = filter_rrsigs(header, n);
656 #endif
657
658 /* do this after extract_addresses. Ensure NODATA reply and remove
659 nameserver info. */
660
661 if (munged)
662 {
663 header->ancount = htons(0);
664 header->nscount = htons(0);
665 header->arcount = htons(0);
666 }
667
668 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
669 sections of the packet. Find the new length here and put back pseudoheader
670 if it was removed. */
671 return resize_packet(header, n, pheader, plen);
672 }
673
674 /* sets new last_server */
675 void reply_query(int fd, int family, time_t now)
676 {
677 /* packet from peer server, extract data for cache, and send to
678 original requester */
679 struct dns_header *header;
680 union mysockaddr serveraddr;
681 struct frec *forward;
682 socklen_t addrlen = sizeof(serveraddr);
683 ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
684 size_t nn;
685 struct server *server;
686 void *hash;
687 #ifndef HAVE_DNSSEC
688 unsigned int crc;
689 #endif
690
691 /* packet buffer overwritten */
692 daemon->srv_save = NULL;
693
694 /* Determine the address of the server replying so that we can mark that as good */
695 serveraddr.sa.sa_family = family;
696 #ifdef HAVE_IPV6
697 if (serveraddr.sa.sa_family == AF_INET6)
698 serveraddr.in6.sin6_flowinfo = 0;
699 #endif
700
701 header = (struct dns_header *)daemon->packet;
702
703 if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR))
704 return;
705
706 /* spoof check: answer must come from known server, */
707 for (server = daemon->servers; server; server = server->next)
708 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
709 sockaddr_isequal(&server->addr, &serveraddr))
710 break;
711
712 if (!server)
713 return;
714
715 #ifdef HAVE_DNSSEC
716 hash = hash_questions(header, n, daemon->namebuff);
717 #else
718 hash = &crc;
719 crc = questions_crc(header, n, daemon->namebuff);
720 #endif
721
722 if (!(forward = lookup_frec(ntohs(header->id), hash)))
723 return;
724
725 /* log_query gets called indirectly all over the place, so
726 pass these in global variables - sorry. */
727 daemon->log_display_id = forward->log_id;
728 daemon->log_source_addr = &forward->source;
729
730 if (daemon->ignore_addr && RCODE(header) == NOERROR &&
731 check_for_ignored_address(header, n, daemon->ignore_addr))
732 return;
733
734 if (RCODE(header) == REFUSED &&
735 !option_bool(OPT_ORDER) &&
736 forward->forwardall == 0)
737 /* for broken servers, attempt to send to another one. */
738 {
739 unsigned char *pheader;
740 size_t plen;
741 int is_sign;
742
743 /* recreate query from reply */
744 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
745 if (!is_sign)
746 {
747 header->ancount = htons(0);
748 header->nscount = htons(0);
749 header->arcount = htons(0);
750 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
751 {
752 header->hb3 &= ~(HB3_QR | HB3_TC);
753 forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0);
754 return;
755 }
756 }
757 }
758
759 server = forward->sentto;
760
761 if ((forward->sentto->flags & SERV_TYPE) == 0)
762 {
763 if (RCODE(header) == REFUSED)
764 server = NULL;
765 else
766 {
767 struct server *last_server;
768
769 /* find good server by address if possible, otherwise assume the last one we sent to */
770 for (last_server = daemon->servers; last_server; last_server = last_server->next)
771 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
772 sockaddr_isequal(&last_server->addr, &serveraddr))
773 {
774 server = last_server;
775 break;
776 }
777 }
778 if (!option_bool(OPT_ALL_SERVERS))
779 daemon->last_server = server;
780 }
781
782 /* If the answer is an error, keep the forward record in place in case
783 we get a good reply from another server. Kill it when we've
784 had replies from all to avoid filling the forwarding table when
785 everything is broken */
786 if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
787 {
788 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
789
790 if (option_bool(OPT_NO_REBIND))
791 check_rebind = !(forward->flags & FREC_NOREBIND);
792
793 /* Don't cache replies where DNSSEC validation was turned off, either
794 the upstream server told us so, or the original query specified it. */
795 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
796 no_cache_dnssec = 1;
797
798 #ifdef HAVE_DNSSEC
799 if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
800 {
801 int status;
802
803 /* We've had a reply already, which we're validating. Ignore this duplicate */
804 if (forward->blocking_query)
805 return;
806
807 if (header->hb3 & HB3_TC)
808 {
809 /* Truncated answer can't be validated.
810 If this is an answer to a DNSSEC-generated query, we still
811 need to get the client to retry over TCP, so return
812 an answer with the TC bit set, even if the actual answer fits.
813 */
814 status = STAT_TRUNCATED;
815 }
816 else if (forward->flags & FREC_DNSKEY_QUERY)
817 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
818 else if (forward->flags & FREC_DS_QUERY)
819 {
820 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
821 if (status == STAT_NO_DS || status == STAT_NO_NS)
822 status = STAT_BOGUS;
823 }
824 else if (forward->flags & FREC_CHECK_NOSIGN)
825 {
826 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
827 if (status != STAT_NEED_KEY)
828 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
829 }
830 else
831 {
832 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
833 if (status == STAT_NO_SIG)
834 {
835 if (option_bool(OPT_DNSSEC_NO_SIGN))
836 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
837 else
838 status = STAT_INSECURE;
839 }
840 }
841 /* Can't validate, as we're missing key data. Put this
842 answer aside, whilst we get that. */
843 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
844 {
845 struct frec *new, *orig;
846
847 /* Free any saved query */
848 if (forward->stash)
849 blockdata_free(forward->stash);
850
851 /* Now save reply pending receipt of key data */
852 if (!(forward->stash = blockdata_alloc((char *)header, n)))
853 return;
854 forward->stash_len = n;
855
856 anotherkey:
857 /* Find the original query that started it all.... */
858 for (orig = forward; orig->dependent; orig = orig->dependent);
859
860 if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1)))
861 status = STAT_INSECURE;
862 else
863 {
864 int fd;
865 struct frec *next = new->next;
866 *new = *forward; /* copy everything, then overwrite */
867 new->next = next;
868 new->blocking_query = NULL;
869 new->sentto = server;
870 new->rfd4 = NULL;
871 new->orig_domain = NULL;
872 #ifdef HAVE_IPV6
873 new->rfd6 = NULL;
874 #endif
875 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN);
876
877 new->dependent = forward; /* to find query awaiting new one. */
878 forward->blocking_query = new; /* for garbage cleaning */
879 /* validate routines leave name of required record in daemon->keyname */
880 if (status == STAT_NEED_KEY)
881 {
882 new->flags |= FREC_DNSKEY_QUERY;
883 nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
884 daemon->keyname, forward->class, T_DNSKEY, &server->addr);
885 }
886 else
887 {
888 if (status == STAT_NEED_DS_NEG)
889 new->flags |= FREC_CHECK_NOSIGN;
890 else
891 new->flags |= FREC_DS_QUERY;
892 nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
893 daemon->keyname, forward->class, T_DS, &server->addr);
894 }
895 if ((hash = hash_questions(header, nn, daemon->namebuff)))
896 memcpy(new->hash, hash, HASH_SIZE);
897 new->new_id = get_id();
898 header->id = htons(new->new_id);
899 /* Save query for retransmission */
900 if (!(new->stash = blockdata_alloc((char *)header, nn)))
901 return;
902
903 new->stash_len = nn;
904
905 /* Don't resend this. */
906 daemon->srv_save = NULL;
907
908 if (server->sfd)
909 fd = server->sfd->fd;
910 else
911 {
912 fd = -1;
913 #ifdef HAVE_IPV6
914 if (server->addr.sa.sa_family == AF_INET6)
915 {
916 if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
917 fd = new->rfd6->fd;
918 }
919 else
920 #endif
921 {
922 if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
923 fd = new->rfd4->fd;
924 }
925 }
926
927 if (fd != -1)
928 {
929 while (retry_send(sendto(fd, (char *)header, nn, 0,
930 &server->addr.sa,
931 sa_len(&server->addr))));
932 server->queries++;
933 }
934
935 return;
936 }
937 }
938
939 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
940 Now wind back down, pulling back answers which wouldn't previously validate
941 and validate them with the new data. Note that if an answer needs multiple
942 keys to validate, we may find another key is needed, in which case we set off
943 down another branch of the tree. Once we get to the original answer
944 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
945 while (forward->dependent)
946 {
947 struct frec *prev = forward->dependent;
948 free_frec(forward);
949 forward = prev;
950 forward->blocking_query = NULL; /* already gone */
951 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
952 n = forward->stash_len;
953
954 if (status == STAT_SECURE)
955 {
956 if (forward->flags & FREC_DNSKEY_QUERY)
957 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
958 else if (forward->flags & FREC_DS_QUERY)
959 {
960 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
961 if (status == STAT_NO_DS || status == STAT_NO_NS)
962 status = STAT_BOGUS;
963 }
964 else if (forward->flags & FREC_CHECK_NOSIGN)
965 {
966 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
967 if (status != STAT_NEED_KEY)
968 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
969 }
970 else
971 {
972 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
973 if (status == STAT_NO_SIG)
974 {
975 if (option_bool(OPT_DNSSEC_NO_SIGN))
976 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
977 else
978 status = STAT_INSECURE;
979 }
980 }
981
982 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
983 goto anotherkey;
984 }
985 }
986
987 if (status == STAT_TRUNCATED)
988 header->hb3 |= HB3_TC;
989 else
990 {
991 char *result;
992
993 if (forward->work_counter == 0)
994 result = "ABANDONED";
995 else
996 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
997
998 log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
999 }
1000
1001 no_cache_dnssec = 0;
1002
1003 if (status == STAT_SECURE)
1004 cache_secure = 1;
1005 else if (status == STAT_BOGUS)
1006 no_cache_dnssec = 1;
1007 }
1008 #endif
1009
1010 /* restore CD bit to the value in the query */
1011 if (forward->flags & FREC_CHECKING_DISABLED)
1012 header->hb4 |= HB4_CD;
1013 else
1014 header->hb4 &= ~HB4_CD;
1015
1016 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
1017 forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
1018 forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
1019 {
1020 header->id = htons(forward->orig_id);
1021 header->hb4 |= HB4_RA; /* recursion if available */
1022 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
1023 &forward->source, &forward->dest, forward->iface);
1024 }
1025 free_frec(forward); /* cancel */
1026 }
1027 }
1028
1029
1030 void receive_query(struct listener *listen, time_t now)
1031 {
1032 struct dns_header *header = (struct dns_header *)daemon->packet;
1033 union mysockaddr source_addr;
1034 unsigned short type;
1035 struct all_addr dst_addr;
1036 struct in_addr netmask, dst_addr_4;
1037 size_t m;
1038 ssize_t n;
1039 int if_index = 0, auth_dns = 0;
1040 #ifdef HAVE_AUTH
1041 int local_auth = 0;
1042 #endif
1043 struct iovec iov[1];
1044 struct msghdr msg;
1045 struct cmsghdr *cmptr;
1046 union {
1047 struct cmsghdr align; /* this ensures alignment */
1048 #ifdef HAVE_IPV6
1049 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
1050 #endif
1051 #if defined(HAVE_LINUX_NETWORK)
1052 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
1053 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1054 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1055 CMSG_SPACE(sizeof(unsigned int))];
1056 #elif defined(IP_RECVDSTADDR)
1057 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1058 CMSG_SPACE(sizeof(struct sockaddr_dl))];
1059 #endif
1060 } control_u;
1061 #ifdef HAVE_IPV6
1062 /* Can always get recvd interface for IPv6 */
1063 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
1064 #else
1065 int check_dst = !option_bool(OPT_NOWILD);
1066 #endif
1067
1068 /* packet buffer overwritten */
1069 daemon->srv_save = NULL;
1070
1071 dst_addr_4.s_addr = dst_addr.addr.addr4.s_addr = 0;
1072 netmask.s_addr = 0;
1073
1074 if (option_bool(OPT_NOWILD) && listen->iface)
1075 {
1076 auth_dns = listen->iface->dns_auth;
1077
1078 if (listen->family == AF_INET)
1079 {
1080 dst_addr_4 = dst_addr.addr.addr4 = listen->iface->addr.in.sin_addr;
1081 netmask = listen->iface->netmask;
1082 }
1083 }
1084
1085 iov[0].iov_base = daemon->packet;
1086 iov[0].iov_len = daemon->edns_pktsz;
1087
1088 msg.msg_control = control_u.control;
1089 msg.msg_controllen = sizeof(control_u);
1090 msg.msg_flags = 0;
1091 msg.msg_name = &source_addr;
1092 msg.msg_namelen = sizeof(source_addr);
1093 msg.msg_iov = iov;
1094 msg.msg_iovlen = 1;
1095
1096 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
1097 return;
1098
1099 if (n < (int)sizeof(struct dns_header) ||
1100 (msg.msg_flags & MSG_TRUNC) ||
1101 (header->hb3 & HB3_QR))
1102 return;
1103
1104 source_addr.sa.sa_family = listen->family;
1105
1106 if (listen->family == AF_INET)
1107 {
1108 /* Source-port == 0 is an error, we can't send back to that.
1109 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1110 if (source_addr.in.sin_port == 0)
1111 return;
1112 }
1113 #ifdef HAVE_IPV6
1114 else
1115 {
1116 /* Source-port == 0 is an error, we can't send back to that. */
1117 if (source_addr.in6.sin6_port == 0)
1118 return;
1119 source_addr.in6.sin6_flowinfo = 0;
1120 }
1121 #endif
1122
1123 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1124 if (option_bool(OPT_LOCAL_SERVICE))
1125 {
1126 struct addrlist *addr;
1127 #ifdef HAVE_IPV6
1128 if (listen->family == AF_INET6)
1129 {
1130 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1131 if ((addr->flags & ADDRLIST_IPV6) &&
1132 is_same_net6(&addr->addr.addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen))
1133 break;
1134 }
1135 else
1136 #endif
1137 {
1138 struct in_addr netmask;
1139 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1140 {
1141 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
1142 if (!(addr->flags & ADDRLIST_IPV6) &&
1143 is_same_net(addr->addr.addr.addr4, source_addr.in.sin_addr, netmask))
1144 break;
1145 }
1146 }
1147 if (!addr)
1148 {
1149 static int warned = 0;
1150 if (!warned)
1151 {
1152 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1153 warned = 1;
1154 }
1155 return;
1156 }
1157 }
1158
1159 if (check_dst)
1160 {
1161 struct ifreq ifr;
1162
1163 if (msg.msg_controllen < sizeof(struct cmsghdr))
1164 return;
1165
1166 #if defined(HAVE_LINUX_NETWORK)
1167 if (listen->family == AF_INET)
1168 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1169 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
1170 {
1171 union {
1172 unsigned char *c;
1173 struct in_pktinfo *p;
1174 } p;
1175 p.c = CMSG_DATA(cmptr);
1176 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
1177 if_index = p.p->ipi_ifindex;
1178 }
1179 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1180 if (listen->family == AF_INET)
1181 {
1182 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1183 {
1184 union {
1185 unsigned char *c;
1186 unsigned int *i;
1187 struct in_addr *a;
1188 #ifndef HAVE_SOLARIS_NETWORK
1189 struct sockaddr_dl *s;
1190 #endif
1191 } p;
1192 p.c = CMSG_DATA(cmptr);
1193 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
1194 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
1195 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
1196 #ifdef HAVE_SOLARIS_NETWORK
1197 if_index = *(p.i);
1198 #else
1199 if_index = p.s->sdl_index;
1200 #endif
1201 }
1202 }
1203 #endif
1204
1205 #ifdef HAVE_IPV6
1206 if (listen->family == AF_INET6)
1207 {
1208 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1209 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
1210 {
1211 union {
1212 unsigned char *c;
1213 struct in6_pktinfo *p;
1214 } p;
1215 p.c = CMSG_DATA(cmptr);
1216
1217 dst_addr.addr.addr6 = p.p->ipi6_addr;
1218 if_index = p.p->ipi6_ifindex;
1219 }
1220 }
1221 #endif
1222
1223 /* enforce available interface configuration */
1224
1225 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
1226 return;
1227
1228 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1229 {
1230 if (!option_bool(OPT_CLEVERBIND))
1231 enumerate_interfaces(0);
1232 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1233 !label_exception(if_index, listen->family, &dst_addr))
1234 return;
1235 }
1236
1237 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1238 {
1239 struct irec *iface;
1240
1241 /* get the netmask of the interface whch has the address we were sent to.
1242 This is no neccessarily the interface we arrived on. */
1243
1244 for (iface = daemon->interfaces; iface; iface = iface->next)
1245 if (iface->addr.sa.sa_family == AF_INET &&
1246 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1247 break;
1248
1249 /* interface may be new */
1250 if (!iface && !option_bool(OPT_CLEVERBIND))
1251 enumerate_interfaces(0);
1252
1253 for (iface = daemon->interfaces; iface; iface = iface->next)
1254 if (iface->addr.sa.sa_family == AF_INET &&
1255 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1256 break;
1257
1258 /* If we failed, abandon localisation */
1259 if (iface)
1260 netmask = iface->netmask;
1261 else
1262 dst_addr_4.s_addr = 0;
1263 }
1264 }
1265
1266 /* log_query gets called indirectly all over the place, so
1267 pass these in global variables - sorry. */
1268 daemon->log_display_id = ++daemon->log_id;
1269 daemon->log_source_addr = &source_addr;
1270
1271 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
1272 {
1273 #ifdef HAVE_AUTH
1274 struct auth_zone *zone;
1275 #endif
1276 char *types = querystr(auth_dns ? "auth" : "query", type);
1277
1278 if (listen->family == AF_INET)
1279 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1280 (struct all_addr *)&source_addr.in.sin_addr, types);
1281 #ifdef HAVE_IPV6
1282 else
1283 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1284 (struct all_addr *)&source_addr.in6.sin6_addr, types);
1285 #endif
1286
1287 #ifdef HAVE_AUTH
1288 /* find queries for zones we're authoritative for, and answer them directly */
1289 if (!auth_dns)
1290 for (zone = daemon->auth_zones; zone; zone = zone->next)
1291 if (in_zone(zone, daemon->namebuff, NULL))
1292 {
1293 auth_dns = 1;
1294 local_auth = 1;
1295 break;
1296 }
1297 #endif
1298
1299 #ifdef HAVE_LOOP
1300 /* Check for forwarding loop */
1301 if (detect_loop(daemon->namebuff, type))
1302 return;
1303 #endif
1304 }
1305
1306 #ifdef HAVE_AUTH
1307 if (auth_dns)
1308 {
1309 m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
1310 if (m >= 1)
1311 {
1312 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1313 (char *)header, m, &source_addr, &dst_addr, if_index);
1314 daemon->auth_answer++;
1315 }
1316 }
1317 else
1318 #endif
1319 {
1320 int ad_reqd, do_bit;
1321 m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
1322 dst_addr_4, netmask, now, &ad_reqd, &do_bit);
1323
1324 if (m >= 1)
1325 {
1326 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1327 (char *)header, m, &source_addr, &dst_addr, if_index);
1328 daemon->local_answer++;
1329 }
1330 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1331 header, (size_t)n, now, NULL, ad_reqd, do_bit))
1332 daemon->queries_forwarded++;
1333 else
1334 daemon->local_answer++;
1335 }
1336 }
1337
1338 #ifdef HAVE_DNSSEC
1339
1340 /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1341 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1342 STAT_NEED_DS_NEG and keyname if we need to do the query. */
1343 static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
1344 char *name, char *keyname)
1345 {
1346 int status = dnssec_chase_cname(now, header, plen, name, keyname);
1347
1348 if (status != STAT_INSECURE)
1349 return status;
1350
1351 /* Store the domain we're trying to check. */
1352 forward->name_start = strlen(name);
1353 forward->name_len = forward->name_start + 1;
1354 if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len)))
1355 return STAT_BOGUS;
1356
1357 return do_check_sign(forward, 0, now, name, keyname);
1358 }
1359
1360 /* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1361 static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname)
1362 {
1363 /* get domain we're checking back from blockdata store, it's stored on the original query. */
1364 while (forward->dependent)
1365 forward = forward->dependent;
1366
1367 blockdata_retrieve(forward->orig_domain, forward->name_len, name);
1368
1369 while (1)
1370 {
1371 char *p;
1372
1373 if (status == 0)
1374 {
1375 struct crec *crecp;
1376
1377 /* Haven't received answer, see if in cache */
1378 if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS)))
1379 {
1380 /* put name of DS record we're missing into keyname */
1381 strcpy(keyname, &name[forward->name_start]);
1382 /* and wait for reply to arrive */
1383 return STAT_NEED_DS_NEG;
1384 }
1385
1386 /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1387 if (!(crecp->flags & F_NEG))
1388 status = STAT_SECURE;
1389 else if (crecp->flags & F_DNSSECOK)
1390 status = STAT_NO_DS;
1391 else
1392 status = STAT_NO_NS;
1393 }
1394
1395 /* Have entered non-signed part of DNS tree. */
1396 if (status == STAT_NO_DS)
1397 return STAT_INSECURE;
1398
1399 if (status == STAT_BOGUS)
1400 return STAT_BOGUS;
1401
1402 /* There's a proven DS record, or we're within a zone, where there doesn't need
1403 to be a DS record. Add a name and try again.
1404 If we've already tried the whole name, then fail */
1405
1406 if (forward->name_start == 0)
1407 return STAT_BOGUS;
1408
1409 for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--);
1410
1411 if (p != name)
1412 p++;
1413
1414 forward->name_start = p - name;
1415 status = 0; /* force to cache when we iterate. */
1416 }
1417 }
1418
1419 /* Move toward the root, until we find a signed non-existance of a DS, in which case
1420 an unsigned answer is OK, or we find a signed DS, in which case there should be
1421 a signature, and the answer is BOGUS */
1422 static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name,
1423 char *keyname, struct server *server, int *keycount)
1424 {
1425 size_t m;
1426 unsigned char *packet, *payload;
1427 u16 *length;
1428 int status, name_len;
1429 struct blockdata *block;
1430
1431 char *name_start;
1432
1433 /* Get first insecure entry in CNAME chain */
1434 status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount);
1435 if (status == STAT_BOGUS)
1436 return STAT_BOGUS;
1437
1438 if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16))))
1439 return STAT_BOGUS;
1440
1441 payload = &packet[2];
1442 header = (struct dns_header *)payload;
1443 length = (u16 *)packet;
1444
1445 /* Stash the name away, since the buffer will be trashed when we recurse */
1446 name_len = strlen(name) + 1;
1447 name_start = name + name_len - 1;
1448
1449 if (!(block = blockdata_alloc(name, name_len)))
1450 {
1451 free(packet);
1452 return STAT_BOGUS;
1453 }
1454
1455 while (1)
1456 {
1457 unsigned char c1, c2;
1458 struct crec *crecp;
1459
1460 if (--(*keycount) == 0)
1461 {
1462 free(packet);
1463 blockdata_free(block);
1464 return STAT_BOGUS;
1465 }
1466
1467 while ((crecp = cache_find_by_name(NULL, name_start, now, F_DS)))
1468 {
1469 if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))
1470 {
1471 /* Found a secure denial of DS - delegation is indeed insecure */
1472 free(packet);
1473 blockdata_free(block);
1474 return STAT_INSECURE;
1475 }
1476
1477 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1478 Add another label and continue. */
1479
1480 if (name_start == name)
1481 {
1482 free(packet);
1483 blockdata_free(block);
1484 return STAT_BOGUS; /* run out of labels */
1485 }
1486
1487 name_start -= 2;
1488 while (*name_start != '.' && name_start != name)
1489 name_start--;
1490 if (name_start != name)
1491 name_start++;
1492 }
1493
1494 /* Can't find it in the cache, have to send a query */
1495
1496 m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr);
1497
1498 *length = htons(m);
1499
1500 if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
1501 read_write(server->tcpfd, &c1, 1, 1) &&
1502 read_write(server->tcpfd, &c2, 1, 1) &&
1503 read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1504 {
1505 m = (c1 << 8) | c2;
1506
1507 /* Note this trashes all three name workspaces */
1508 status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
1509
1510 if (status == STAT_NO_DS)
1511 {
1512 /* Found a secure denial of DS - delegation is indeed insecure */
1513 free(packet);
1514 blockdata_free(block);
1515 return STAT_INSECURE;
1516 }
1517
1518 if (status == STAT_BOGUS)
1519 {
1520 free(packet);
1521 blockdata_free(block);
1522 return STAT_BOGUS;
1523 }
1524
1525 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1526 Add another label and continue. */
1527
1528 /* Get name we're checking back. */
1529 blockdata_retrieve(block, name_len, name);
1530
1531 if (name_start == name)
1532 {
1533 free(packet);
1534 blockdata_free(block);
1535 return STAT_BOGUS; /* run out of labels */
1536 }
1537
1538 name_start -= 2;
1539 while (*name_start != '.' && name_start != name)
1540 name_start--;
1541 if (name_start != name)
1542 name_start++;
1543 }
1544 else
1545 {
1546 /* IO failure */
1547 free(packet);
1548 blockdata_free(block);
1549 return STAT_BOGUS; /* run out of labels */
1550 }
1551 }
1552 }
1553
1554 static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
1555 int class, char *name, char *keyname, struct server *server, int *keycount)
1556 {
1557 /* Recurse up the key heirarchy */
1558 int new_status;
1559
1560 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1561 if (--(*keycount) == 0)
1562 return STAT_INSECURE;
1563
1564 if (status == STAT_NEED_KEY)
1565 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
1566 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1567 {
1568 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
1569 if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS))
1570 new_status = STAT_BOGUS;
1571 }
1572 else if (status == STAT_CHASE_CNAME)
1573 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1574 else
1575 {
1576 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
1577
1578 if (new_status == STAT_NO_SIG)
1579 {
1580 if (option_bool(OPT_DNSSEC_NO_SIGN))
1581 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1582 else
1583 new_status = STAT_INSECURE;
1584 }
1585 }
1586
1587 /* Can't validate because we need a key/DS whose name now in keyname.
1588 Make query for same, and recurse to validate */
1589 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1590 {
1591 size_t m;
1592 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1593 unsigned char *payload = &packet[2];
1594 struct dns_header *new_header = (struct dns_header *)payload;
1595 u16 *length = (u16 *)packet;
1596 unsigned char c1, c2;
1597
1598 if (!packet)
1599 return STAT_INSECURE;
1600
1601 another_tcp_key:
1602 m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class,
1603 new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
1604
1605 *length = htons(m);
1606
1607 if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) ||
1608 !read_write(server->tcpfd, &c1, 1, 1) ||
1609 !read_write(server->tcpfd, &c2, 1, 1) ||
1610 !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1611 new_status = STAT_INSECURE;
1612 else
1613 {
1614 m = (c1 << 8) | c2;
1615
1616 new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount);
1617
1618 if (new_status == STAT_SECURE)
1619 {
1620 /* Reached a validated record, now try again at this level.
1621 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1622 If so, go round again. */
1623
1624 if (status == STAT_NEED_KEY)
1625 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
1626 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1627 {
1628 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
1629 if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS))
1630 new_status = STAT_BOGUS; /* Validated no DS */
1631 }
1632 else if (status == STAT_CHASE_CNAME)
1633 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1634 else
1635 {
1636 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
1637
1638 if (new_status == STAT_NO_SIG)
1639 {
1640 if (option_bool(OPT_DNSSEC_NO_SIGN))
1641 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1642 else
1643 new_status = STAT_INSECURE;
1644 }
1645 }
1646
1647 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1648 goto another_tcp_key;
1649 }
1650 }
1651
1652 free(packet);
1653 }
1654 return new_status;
1655 }
1656 #endif
1657
1658
1659 /* The daemon forks before calling this: it should deal with one connection,
1660 blocking as neccessary, and then return. Note, need to be a bit careful
1661 about resources for debug mode, when the fork is suppressed: that's
1662 done by the caller. */
1663 unsigned char *tcp_request(int confd, time_t now,
1664 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
1665 {
1666 size_t size = 0;
1667 int norebind = 0;
1668 #ifdef HAVE_AUTH
1669 int local_auth = 0;
1670 #endif
1671 int checking_disabled, ad_question, do_bit, added_pheader = 0;
1672 int check_subnet, no_cache_dnssec = 0, cache_secure = 0;
1673 size_t m;
1674 unsigned short qtype;
1675 unsigned int gotname;
1676 unsigned char c1, c2;
1677 /* Max TCP packet + slop + size */
1678 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1679 unsigned char *payload = &packet[2];
1680 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1681 struct dns_header *header = (struct dns_header *)payload;
1682 u16 *length = (u16 *)packet;
1683 struct server *last_server;
1684 struct in_addr dst_addr_4;
1685 union mysockaddr peer_addr;
1686 socklen_t peer_len = sizeof(union mysockaddr);
1687 int query_count = 0;
1688
1689 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1690 return packet;
1691
1692 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1693 if (option_bool(OPT_LOCAL_SERVICE))
1694 {
1695 struct addrlist *addr;
1696 #ifdef HAVE_IPV6
1697 if (peer_addr.sa.sa_family == AF_INET6)
1698 {
1699 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1700 if ((addr->flags & ADDRLIST_IPV6) &&
1701 is_same_net6(&addr->addr.addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen))
1702 break;
1703 }
1704 else
1705 #endif
1706 {
1707 struct in_addr netmask;
1708 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1709 {
1710 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
1711 if (!(addr->flags & ADDRLIST_IPV6) &&
1712 is_same_net(addr->addr.addr.addr4, peer_addr.in.sin_addr, netmask))
1713 break;
1714 }
1715 }
1716 if (!addr)
1717 {
1718 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1719 return packet;
1720 }
1721 }
1722
1723 while (1)
1724 {
1725 if (query_count == TCP_MAX_QUERIES ||
1726 !packet ||
1727 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1728 !(size = c1 << 8 | c2) ||
1729 !read_write(confd, payload, size, 1))
1730 return packet;
1731
1732 if (size < (int)sizeof(struct dns_header))
1733 continue;
1734
1735 query_count++;
1736
1737 /* log_query gets called indirectly all over the place, so
1738 pass these in global variables - sorry. */
1739 daemon->log_display_id = ++daemon->log_id;
1740 daemon->log_source_addr = &peer_addr;
1741
1742 check_subnet = 0;
1743
1744 /* save state of "cd" flag in query */
1745 if ((checking_disabled = header->hb4 & HB4_CD))
1746 no_cache_dnssec = 1;
1747
1748 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1749 {
1750 #ifdef HAVE_AUTH
1751 struct auth_zone *zone;
1752 #endif
1753 char *types = querystr(auth_dns ? "auth" : "query", qtype);
1754
1755 if (peer_addr.sa.sa_family == AF_INET)
1756 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1757 (struct all_addr *)&peer_addr.in.sin_addr, types);
1758 #ifdef HAVE_IPV6
1759 else
1760 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1761 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
1762 #endif
1763
1764 #ifdef HAVE_AUTH
1765 /* find queries for zones we're authoritative for, and answer them directly */
1766 if (!auth_dns)
1767 for (zone = daemon->auth_zones; zone; zone = zone->next)
1768 if (in_zone(zone, daemon->namebuff, NULL))
1769 {
1770 auth_dns = 1;
1771 local_auth = 1;
1772 break;
1773 }
1774 #endif
1775 }
1776
1777 if (local_addr->sa.sa_family == AF_INET)
1778 dst_addr_4 = local_addr->in.sin_addr;
1779 else
1780 dst_addr_4.s_addr = 0;
1781
1782 #ifdef HAVE_AUTH
1783 if (auth_dns)
1784 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
1785 else
1786 #endif
1787 {
1788 /* m > 0 if answered from cache */
1789 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1790 dst_addr_4, netmask, now, &ad_question, &do_bit);
1791
1792 /* Do this by steam now we're not in the select() loop */
1793 check_log_writer(NULL);
1794
1795 if (m == 0)
1796 {
1797 unsigned int flags = 0;
1798 struct all_addr *addrp = NULL;
1799 int type = 0;
1800 char *domain = NULL;
1801
1802 if (option_bool(OPT_ADD_MAC))
1803 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
1804
1805 if (option_bool(OPT_CLIENT_SUBNET))
1806 {
1807 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1808 if (size != new)
1809 {
1810 size = new;
1811 check_subnet = 1;
1812 }
1813 }
1814
1815 if (gotname)
1816 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1817
1818 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1819 last_server = daemon->servers;
1820 else
1821 last_server = daemon->last_server;
1822
1823 if (!flags && last_server)
1824 {
1825 struct server *firstsendto = NULL;
1826 #ifdef HAVE_DNSSEC
1827 unsigned char *newhash, hash[HASH_SIZE];
1828 if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff)))
1829 memcpy(hash, newhash, HASH_SIZE);
1830 else
1831 memset(hash, 0, HASH_SIZE);
1832 #else
1833 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1834 #endif
1835 /* Loop round available servers until we succeed in connecting to one.
1836 Note that this code subtley ensures that consecutive queries on this connection
1837 which can go to the same server, do so. */
1838 while (1)
1839 {
1840 if (!firstsendto)
1841 firstsendto = last_server;
1842 else
1843 {
1844 if (!(last_server = last_server->next))
1845 last_server = daemon->servers;
1846
1847 if (last_server == firstsendto)
1848 break;
1849 }
1850
1851 /* server for wrong domain */
1852 if (type != (last_server->flags & SERV_TYPE) ||
1853 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)) ||
1854 (last_server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
1855 continue;
1856
1857 if (last_server->tcpfd == -1)
1858 {
1859 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1860 continue;
1861
1862 #ifdef HAVE_CONNTRACK
1863 /* Copy connection mark of incoming query to outgoing connection. */
1864 if (option_bool(OPT_CONNTRACK))
1865 {
1866 unsigned int mark;
1867 struct all_addr local;
1868 #ifdef HAVE_IPV6
1869 if (local_addr->sa.sa_family == AF_INET6)
1870 local.addr.addr6 = local_addr->in6.sin6_addr;
1871 else
1872 #endif
1873 local.addr.addr4 = local_addr->in.sin_addr;
1874
1875 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1876 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1877 }
1878 #endif
1879
1880 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1881 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1882 {
1883 close(last_server->tcpfd);
1884 last_server->tcpfd = -1;
1885 continue;
1886 }
1887
1888 #ifdef HAVE_DNSSEC
1889 if (option_bool(OPT_DNSSEC_VALID))
1890 {
1891 size_t new_size = add_do_bit(header, size, ((char *) header) + 65536);
1892
1893 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1894 this allows it to select auth servers when one is returning bad data. */
1895 if (option_bool(OPT_DNSSEC_DEBUG))
1896 header->hb4 |= HB4_CD;
1897
1898 if (size != new_size)
1899 added_pheader = 1;
1900
1901 size = new_size;
1902 }
1903 #endif
1904 }
1905
1906 *length = htons(size);
1907
1908 /* get query name again for logging - may have been overwritten */
1909 if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1910 strcpy(daemon->namebuff, "query");
1911
1912 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
1913 !read_write(last_server->tcpfd, &c1, 1, 1) ||
1914 !read_write(last_server->tcpfd, &c2, 1, 1) ||
1915 !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
1916 {
1917 close(last_server->tcpfd);
1918 last_server->tcpfd = -1;
1919 continue;
1920 }
1921
1922 m = (c1 << 8) | c2;
1923
1924 if (last_server->addr.sa.sa_family == AF_INET)
1925 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1926 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
1927 #ifdef HAVE_IPV6
1928 else
1929 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1930 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
1931 #endif
1932
1933 #ifdef HAVE_DNSSEC
1934 if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
1935 {
1936 int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
1937 int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
1938 char *result;
1939
1940 if (keycount == 0)
1941 result = "ABANDONED";
1942 else
1943 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1944
1945 log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
1946
1947 if (status == STAT_BOGUS)
1948 no_cache_dnssec = 1;
1949
1950 if (status == STAT_SECURE)
1951 cache_secure = 1;
1952 }
1953 #endif
1954
1955 /* restore CD bit to the value in the query */
1956 if (checking_disabled)
1957 header->hb4 |= HB4_CD;
1958 else
1959 header->hb4 &= ~HB4_CD;
1960
1961 /* There's no point in updating the cache, since this process will exit and
1962 lose the information after a few queries. We make this call for the alias and
1963 bogus-nxdomain side-effects. */
1964 /* If the crc of the question section doesn't match the crc we sent, then
1965 someone might be attempting to insert bogus values into the cache by
1966 sending replies containing questions and bogus answers. */
1967 #ifdef HAVE_DNSSEC
1968 newhash = hash_questions(header, (unsigned int)m, daemon->namebuff);
1969 if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0)
1970 {
1971 m = 0;
1972 break;
1973 }
1974 #else
1975 if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff))
1976 {
1977 m = 0;
1978 break;
1979 }
1980 #endif
1981
1982 m = process_reply(header, now, last_server, (unsigned int)m,
1983 option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
1984 cache_secure, ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
1985
1986 break;
1987 }
1988 }
1989
1990 /* In case of local answer or no connections made. */
1991 if (m == 0)
1992 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
1993 }
1994 }
1995
1996 check_log_writer(NULL);
1997
1998 *length = htons(m);
1999
2000 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
2001 return packet;
2002 }
2003 }
2004
2005 static struct frec *allocate_frec(time_t now)
2006 {
2007 struct frec *f;
2008
2009 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
2010 {
2011 f->next = daemon->frec_list;
2012 f->time = now;
2013 f->sentto = NULL;
2014 f->rfd4 = NULL;
2015 f->flags = 0;
2016 #ifdef HAVE_IPV6
2017 f->rfd6 = NULL;
2018 #endif
2019 #ifdef HAVE_DNSSEC
2020 f->dependent = NULL;
2021 f->blocking_query = NULL;
2022 f->stash = NULL;
2023 f->orig_domain = NULL;
2024 #endif
2025 daemon->frec_list = f;
2026 }
2027
2028 return f;
2029 }
2030
2031 struct randfd *allocate_rfd(int family)
2032 {
2033 static int finger = 0;
2034 int i;
2035
2036 /* limit the number of sockets we have open to avoid starvation of
2037 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2038
2039 for (i = 0; i < RANDOM_SOCKS; i++)
2040 if (daemon->randomsocks[i].refcount == 0)
2041 {
2042 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
2043 break;
2044
2045 daemon->randomsocks[i].refcount = 1;
2046 daemon->randomsocks[i].family = family;
2047 return &daemon->randomsocks[i];
2048 }
2049
2050 /* No free ones or cannot get new socket, grab an existing one */
2051 for (i = 0; i < RANDOM_SOCKS; i++)
2052 {
2053 int j = (i+finger) % RANDOM_SOCKS;
2054 if (daemon->randomsocks[j].refcount != 0 &&
2055 daemon->randomsocks[j].family == family &&
2056 daemon->randomsocks[j].refcount != 0xffff)
2057 {
2058 finger = j;
2059 daemon->randomsocks[j].refcount++;
2060 return &daemon->randomsocks[j];
2061 }
2062 }
2063
2064 return NULL; /* doom */
2065 }
2066
2067 void free_rfd(struct randfd *rfd)
2068 {
2069 if (rfd && --(rfd->refcount) == 0)
2070 close(rfd->fd);
2071 }
2072
2073 static void free_frec(struct frec *f)
2074 {
2075 free_rfd(f->rfd4);
2076 f->rfd4 = NULL;
2077 f->sentto = NULL;
2078 f->flags = 0;
2079
2080 #ifdef HAVE_IPV6
2081 free_rfd(f->rfd6);
2082 f->rfd6 = NULL;
2083 #endif
2084
2085 #ifdef HAVE_DNSSEC
2086 if (f->stash)
2087 {
2088 blockdata_free(f->stash);
2089 f->stash = NULL;
2090 }
2091
2092 if (f->orig_domain)
2093 {
2094 blockdata_free(f->orig_domain);
2095 f->orig_domain = NULL;
2096 }
2097
2098 /* Anything we're waiting on is pointless now, too */
2099 if (f->blocking_query)
2100 free_frec(f->blocking_query);
2101 f->blocking_query = NULL;
2102 f->dependent = NULL;
2103 #endif
2104 }
2105
2106 /* if wait==NULL return a free or older than TIMEOUT record.
2107 else return *wait zero if one available, or *wait is delay to
2108 when the oldest in-use record will expire. Impose an absolute
2109 limit of 4*TIMEOUT before we wipe things (for random sockets).
2110 If force is set, always return a result, even if we have
2111 to allocate above the limit. */
2112 struct frec *get_new_frec(time_t now, int *wait, int force)
2113 {
2114 struct frec *f, *oldest, *target;
2115 int count;
2116
2117 if (wait)
2118 *wait = 0;
2119
2120 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
2121 if (!f->sentto)
2122 target = f;
2123 else
2124 {
2125 if (difftime(now, f->time) >= 4*TIMEOUT)
2126 {
2127 free_frec(f);
2128 target = f;
2129 }
2130
2131 if (!oldest || difftime(f->time, oldest->time) <= 0)
2132 oldest = f;
2133 }
2134
2135 if (target)
2136 {
2137 target->time = now;
2138 return target;
2139 }
2140
2141 /* can't find empty one, use oldest if there is one
2142 and it's older than timeout */
2143 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
2144 {
2145 /* keep stuff for twice timeout if we can by allocating a new
2146 record instead */
2147 if (difftime(now, oldest->time) < 2*TIMEOUT &&
2148 count <= daemon->ftabsize &&
2149 (f = allocate_frec(now)))
2150 return f;
2151
2152 if (!wait)
2153 {
2154 free_frec(oldest);
2155 oldest->time = now;
2156 }
2157 return oldest;
2158 }
2159
2160 /* none available, calculate time 'till oldest record expires */
2161 if (!force && count > daemon->ftabsize)
2162 {
2163 static time_t last_log = 0;
2164
2165 if (oldest && wait)
2166 *wait = oldest->time + (time_t)TIMEOUT - now;
2167
2168 if ((int)difftime(now, last_log) > 5)
2169 {
2170 last_log = now;
2171 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
2172 }
2173
2174 return NULL;
2175 }
2176
2177 if (!(f = allocate_frec(now)) && wait)
2178 /* wait one second on malloc failure */
2179 *wait = 1;
2180
2181 return f; /* OK if malloc fails and this is NULL */
2182 }
2183
2184 /* crc is all-ones if not known. */
2185 static struct frec *lookup_frec(unsigned short id, void *hash)
2186 {
2187 struct frec *f;
2188
2189 for(f = daemon->frec_list; f; f = f->next)
2190 if (f->sentto && f->new_id == id &&
2191 (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
2192 return f;
2193
2194 return NULL;
2195 }
2196
2197 static struct frec *lookup_frec_by_sender(unsigned short id,
2198 union mysockaddr *addr,
2199 void *hash)
2200 {
2201 struct frec *f;
2202
2203 for(f = daemon->frec_list; f; f = f->next)
2204 if (f->sentto &&
2205 f->orig_id == id &&
2206 memcmp(hash, f->hash, HASH_SIZE) == 0 &&
2207 sockaddr_isequal(&f->source, addr))
2208 return f;
2209
2210 return NULL;
2211 }
2212
2213 /* Send query packet again, if we can. */
2214 void resend_query()
2215 {
2216 if (daemon->srv_save)
2217 {
2218 int fd;
2219
2220 if (daemon->srv_save->sfd)
2221 fd = daemon->srv_save->sfd->fd;
2222 else if (daemon->rfd_save && daemon->rfd_save->refcount != 0)
2223 fd = daemon->rfd_save->fd;
2224 else
2225 return;
2226
2227 while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0,
2228 &daemon->srv_save->addr.sa,
2229 sa_len(&daemon->srv_save->addr))));
2230 }
2231 }
2232
2233 /* A server record is going away, remove references to it */
2234 void server_gone(struct server *server)
2235 {
2236 struct frec *f;
2237
2238 for (f = daemon->frec_list; f; f = f->next)
2239 if (f->sentto && f->sentto == server)
2240 free_frec(f);
2241
2242 if (daemon->last_server == server)
2243 daemon->last_server = NULL;
2244
2245 if (daemon->srv_save == server)
2246 daemon->srv_save = NULL;
2247 }
2248
2249 /* return unique random ids. */
2250 static unsigned short get_id(void)
2251 {
2252 unsigned short ret = 0;
2253
2254 do
2255 ret = rand16();
2256 while (lookup_frec(ret, NULL));
2257
2258 return ret;
2259 }
2260
2261
2262
2263
2264
Michael's tree of dnsmasq.