]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
7c0fa8da3fdf611d6464f49fed5f812edc845ee4
1 /* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, void *hash
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(void);
24 static void free_frec(struct frec
*f
);
27 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
28 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
);
29 static int do_check_sign(struct frec
*forward
, int status
, time_t now
, char *name
, char *keyname
);
30 static int send_check_sign(struct frec
*forward
, time_t now
, struct dns_header
*header
, size_t plen
,
31 char *name
, char *keyname
);
35 /* Send a UDP packet with its source address set as "source"
36 unless nowild is true, when we just send it with the kernel default */
37 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
38 union mysockaddr
*to
, struct all_addr
*source
,
44 struct cmsghdr align
; /* this ensures alignment */
45 #if defined(HAVE_LINUX_NETWORK)
46 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
47 #elif defined(IP_SENDSRCADDR)
48 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
51 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
55 iov
[0].iov_base
= packet
;
58 msg
.msg_control
= NULL
;
59 msg
.msg_controllen
= 0;
62 msg
.msg_namelen
= sa_len(to
);
68 struct cmsghdr
*cmptr
;
69 msg
.msg_control
= &control_u
;
70 msg
.msg_controllen
= sizeof(control_u
);
71 cmptr
= CMSG_FIRSTHDR(&msg
);
73 if (to
->sa
.sa_family
== AF_INET
)
75 #if defined(HAVE_LINUX_NETWORK)
78 p
.ipi_spec_dst
= source
->addr
.addr4
;
79 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
80 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
81 cmptr
->cmsg_level
= IPPROTO_IP
;
82 cmptr
->cmsg_type
= IP_PKTINFO
;
83 #elif defined(IP_SENDSRCADDR)
84 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
85 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
86 cmptr
->cmsg_level
= IPPROTO_IP
;
87 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
94 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
95 p
.ipi6_addr
= source
->addr
.addr6
;
96 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
97 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
98 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
99 cmptr
->cmsg_level
= IPPROTO_IPV6
;
102 (void)iface
; /* eliminate warning */
106 while (retry_send(sendmsg(fd
, &msg
, 0)));
108 /* If interface is still in DAD, EINVAL results - ignore that. */
109 if (errno
!= 0 && errno
!= EINVAL
)
111 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
118 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
119 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
122 /* If the query ends in the domain in one of our servers, set
123 domain to point to that name. We find the largest match to allow both
124 domain.org and sub.domain.org to exist. */
126 unsigned int namelen
= strlen(qdomain
);
127 unsigned int matchlen
= 0;
129 unsigned int flags
= 0;
131 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
132 /* domain matches take priority over NODOTS matches */
133 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
135 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
136 *type
= SERV_FOR_NODOTS
;
137 if (serv
->flags
& SERV_NO_ADDR
)
139 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
144 if (serv
->addr
.sa
.sa_family
== AF_INET
)
145 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
148 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
151 else if (!flags
|| (flags
& F_NXDOMAIN
))
155 else if (serv
->flags
& SERV_HAS_DOMAIN
)
157 unsigned int domainlen
= strlen(serv
->domain
);
158 char *matchstart
= qdomain
+ namelen
- domainlen
;
159 if (namelen
>= domainlen
&&
160 hostname_isequal(matchstart
, serv
->domain
) &&
161 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
163 if (serv
->flags
& SERV_NO_REBIND
)
167 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
168 /* implement priority rules for --address and --server for same domain.
169 --address wins if the address is for the correct AF
170 --server wins otherwise. */
171 if (domainlen
!= 0 && domainlen
== matchlen
)
173 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
175 if (!(sflag
& qtype
) && flags
== 0)
180 if (flags
& (F_IPV4
| F_IPV6
))
185 if (domainlen
>= matchlen
)
187 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
188 *domain
= serv
->domain
;
189 matchlen
= domainlen
;
190 if (serv
->flags
& SERV_NO_ADDR
)
192 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
197 if (serv
->addr
.sa
.sa_family
== AF_INET
)
198 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
201 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
204 else if (!flags
|| (flags
& F_NXDOMAIN
))
214 if (flags
== 0 && !(qtype
& F_QUERY
) &&
215 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
216 /* don't forward A or AAAA queries for simple names, except the empty name */
219 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
226 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
227 logflags
= F_NEG
| qtype
;
229 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
231 else if ((*type
) & SERV_USE_RESOLV
)
233 *type
= 0; /* use normal servers for this domain */
239 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
240 struct all_addr
*dst_addr
, unsigned int dst_iface
,
241 struct dns_header
*header
, size_t plen
, time_t now
,
242 struct frec
*forward
, int ad_reqd
, int do_bit
)
245 int type
= 0, norebind
= 0;
246 struct all_addr
*addrp
= NULL
;
247 unsigned int flags
= 0;
248 struct server
*start
= NULL
;
250 void *hash
= hash_questions(header
, plen
, daemon
->namebuff
);
252 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
255 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
259 /* may be no servers available. */
260 if (!daemon
->servers
)
262 else if (forward
|| (hash
&& (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, hash
))))
265 /* If we've already got an answer to this query, but we're awaiting keys for validation,
266 there's no point retrying the query, retry the key query instead...... */
267 if (forward
->blocking_query
)
271 while (forward
->blocking_query
)
272 forward
= forward
->blocking_query
;
274 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
275 plen
= forward
->stash_len
;
277 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET
)
278 log_query(F_NOEXTRA
| F_DNSSEC
| F_IPV4
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in
.sin_addr
, "dnssec");
281 log_query(F_NOEXTRA
| F_DNSSEC
| F_IPV6
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in6
.sin6_addr
, "dnssec");
284 if (forward
->sentto
->sfd
)
285 fd
= forward
->sentto
->sfd
->fd
;
289 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET6
)
290 fd
= forward
->rfd6
->fd
;
293 fd
= forward
->rfd4
->fd
;
296 while (retry_send( sendto(fd
, (char *)header
, plen
, 0,
297 &forward
->sentto
->addr
.sa
,
298 sa_len(&forward
->sentto
->addr
))));
304 /* retry on existing query, send to all available servers */
305 domain
= forward
->sentto
->domain
;
306 forward
->sentto
->failed_queries
++;
307 if (!option_bool(OPT_ORDER
))
309 forward
->forwardall
= 1;
310 daemon
->last_server
= NULL
;
312 type
= forward
->sentto
->flags
& SERV_TYPE
;
313 if (!(start
= forward
->sentto
->next
))
314 start
= daemon
->servers
; /* at end of list, recycle */
315 header
->id
= htons(forward
->new_id
);
320 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
322 if (!flags
&& !(forward
= get_new_frec(now
, NULL
, 0)))
323 /* table full - server failure. */
328 forward
->source
= *udpaddr
;
329 forward
->dest
= *dst_addr
;
330 forward
->iface
= dst_iface
;
331 forward
->orig_id
= ntohs(header
->id
);
332 forward
->new_id
= get_id();
334 memcpy(forward
->hash
, hash
, HASH_SIZE
);
335 forward
->forwardall
= 0;
338 forward
->flags
|= FREC_NOREBIND
;
339 if (header
->hb4
& HB4_CD
)
340 forward
->flags
|= FREC_CHECKING_DISABLED
;
342 forward
->flags
|= FREC_AD_QUESTION
;
344 forward
->work_counter
= DNSSEC_WORK
;
346 forward
->flags
|= FREC_DO_QUESTION
;
349 header
->id
= htons(forward
->new_id
);
351 /* In strict_order mode, always try servers in the order
352 specified in resolv.conf, if a domain is given
353 always try all the available servers,
354 otherwise, use the one last known to work. */
358 if (option_bool(OPT_ORDER
))
359 start
= daemon
->servers
;
360 else if (!(start
= daemon
->last_server
) ||
361 daemon
->forwardcount
++ > FORWARD_TEST
||
362 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
364 start
= daemon
->servers
;
365 forward
->forwardall
= 1;
366 daemon
->forwardcount
= 0;
367 daemon
->forwardtime
= now
;
372 start
= daemon
->servers
;
373 if (!option_bool(OPT_ORDER
))
374 forward
->forwardall
= 1;
379 /* check for send errors here (no route to host)
380 if we fail to send to all nameservers, send back an error
381 packet straight away (helps modem users when offline) */
383 if (!flags
&& forward
)
385 struct server
*firstsentto
= start
;
388 /* If a query is retried, use the log_id for the retry when logging the answer. */
389 forward
->log_id
= daemon
->log_id
;
391 if (option_bool(OPT_ADD_MAC
))
392 plen
= add_mac(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
394 if (option_bool(OPT_CLIENT_SUBNET
))
396 size_t new = add_source_addr(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
400 forward
->flags
|= FREC_HAS_SUBNET
;
405 if (option_bool(OPT_DNSSEC_VALID
))
407 size_t new_plen
= add_do_bit(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
);
409 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
410 this allows it to select auth servers when one is returning bad data. */
411 if (option_bool(OPT_DNSSEC_DEBUG
))
412 header
->hb4
|= HB4_CD
;
414 if (new_plen
!= plen
)
415 forward
->flags
|= FREC_ADDED_PHEADER
;
423 /* only send to servers dealing with our domain.
424 domain may be NULL, in which case server->domain
425 must be NULL also. */
427 if (type
== (start
->flags
& SERV_TYPE
) &&
428 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
429 !(start
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
433 /* find server socket to use, may need to get random one. */
439 if (start
->addr
.sa
.sa_family
== AF_INET6
)
441 if (!forward
->rfd6
&&
442 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
444 daemon
->rfd_save
= forward
->rfd6
;
445 fd
= forward
->rfd6
->fd
;
450 if (!forward
->rfd4
&&
451 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
453 daemon
->rfd_save
= forward
->rfd4
;
454 fd
= forward
->rfd4
->fd
;
457 #ifdef HAVE_CONNTRACK
458 /* Copy connection mark of incoming query to outgoing connection. */
459 if (option_bool(OPT_CONNTRACK
))
462 if (get_incoming_mark(&forward
->source
, &forward
->dest
, 0, &mark
))
463 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
468 if (retry_send(sendto(fd
, (char *)header
, plen
, 0,
470 sa_len(&start
->addr
))))
475 /* Keep info in case we want to re-send this packet */
476 daemon
->srv_save
= start
;
477 daemon
->packet_len
= plen
;
480 strcpy(daemon
->namebuff
, "query");
481 if (start
->addr
.sa
.sa_family
== AF_INET
)
482 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
483 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
486 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
487 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
491 forward
->sentto
= start
;
492 if (!forward
->forwardall
)
494 forward
->forwardall
++;
498 if (!(start
= start
->next
))
499 start
= daemon
->servers
;
501 if (start
== firstsentto
)
508 /* could not send on, prepare to return */
509 header
->id
= htons(forward
->orig_id
);
510 free_frec(forward
); /* cancel */
513 /* could not send on, return empty answer or address if known for whole domain */
516 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
517 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
523 static size_t process_reply(struct dns_header
*header
, time_t now
, struct server
*server
, size_t n
, int check_rebind
,
524 int no_cache
, int cache_secure
, int ad_reqd
, int do_bit
, int added_pheader
, int check_subnet
, union mysockaddr
*query_source
)
526 unsigned char *pheader
, *sizep
;
528 int munged
= 0, is_sign
;
535 if (daemon
->ipsets
&& extract_request(header
, n
, daemon
->namebuff
, NULL
))
537 /* Similar algorithm to search_servers. */
538 struct ipsets
*ipset_pos
;
539 unsigned int namelen
= strlen(daemon
->namebuff
);
540 unsigned int matchlen
= 0;
541 for (ipset_pos
= daemon
->ipsets
; ipset_pos
; ipset_pos
= ipset_pos
->next
)
543 unsigned int domainlen
= strlen(ipset_pos
->domain
);
544 char *matchstart
= daemon
->namebuff
+ namelen
- domainlen
;
545 if (namelen
>= domainlen
&& hostname_isequal(matchstart
, ipset_pos
->domain
) &&
546 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
- 1) == '.' ) &&
547 domainlen
>= matchlen
)
549 matchlen
= domainlen
;
550 sets
= ipset_pos
->sets
;
556 /* If upstream is advertising a larger UDP packet size
557 than we allow, trim it so that we don't get overlarge
558 requests for the client. We can't do this for signed packets. */
560 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)))
562 unsigned short udpsz
;
563 unsigned char *psave
= sizep
;
565 GETSHORT(udpsz
, sizep
);
567 if (!is_sign
&& udpsz
> daemon
->edns_pktsz
)
568 PUTSHORT(daemon
->edns_pktsz
, psave
);
570 if (check_subnet
&& !check_source(header
, plen
, pheader
, query_source
))
572 my_syslog(LOG_WARNING
, _("discarding DNS reply: subnet option mismatch"));
579 header
->arcount
= htons(0);
583 /* RFC 4035 sect 4.6 para 3 */
584 if (!is_sign
&& !option_bool(OPT_DNSSEC_PROXY
))
585 header
->hb4
&= ~HB4_AD
;
587 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
588 return resize_packet(header
, n
, pheader
, plen
);
590 /* Complain loudly if the upstream server is non-recursive. */
591 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
592 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
594 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
595 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
596 if (!option_bool(OPT_LOG
))
597 server
->flags
|= SERV_WARNED_RECURSIVE
;
600 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
601 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
604 SET_RCODE(header
, NXDOMAIN
);
605 header
->hb3
&= ~HB3_AA
;
612 if (RCODE(header
) == NXDOMAIN
&&
613 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
614 check_for_local_domain(daemon
->namebuff
, now
))
616 /* if we forwarded a query for a locally known name (because it was for
617 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
618 since we know that the domain exists, even if upstream doesn't */
620 header
->hb3
|= HB3_AA
;
621 SET_RCODE(header
, NOERROR
);
625 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, sets
, is_sign
, check_rebind
, no_cache
, cache_secure
, &doctored
))
627 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
637 if (no_cache
&& !(header
->hb4
& HB4_CD
))
639 if (!option_bool(OPT_DNSSEC_DEBUG
))
641 /* Bogus reply, turn into SERVFAIL */
642 SET_RCODE(header
, SERVFAIL
);
647 if (option_bool(OPT_DNSSEC_VALID
))
648 header
->hb4
&= ~HB4_AD
;
650 if (!(header
->hb4
& HB4_CD
) && ad_reqd
&& cache_secure
)
651 header
->hb4
|= HB4_AD
;
653 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
655 n
= filter_rrsigs(header
, n
);
658 /* do this after extract_addresses. Ensure NODATA reply and remove
663 header
->ancount
= htons(0);
664 header
->nscount
= htons(0);
665 header
->arcount
= htons(0);
668 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
669 sections of the packet. Find the new length here and put back pseudoheader
670 if it was removed. */
671 return resize_packet(header
, n
, pheader
, plen
);
674 /* sets new last_server */
675 void reply_query(int fd
, int family
, time_t now
)
677 /* packet from peer server, extract data for cache, and send to
678 original requester */
679 struct dns_header
*header
;
680 union mysockaddr serveraddr
;
681 struct frec
*forward
;
682 socklen_t addrlen
= sizeof(serveraddr
);
683 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->packet_buff_sz
, 0, &serveraddr
.sa
, &addrlen
);
685 struct server
*server
;
691 /* packet buffer overwritten */
692 daemon
->srv_save
= NULL
;
694 /* Determine the address of the server replying so that we can mark that as good */
695 serveraddr
.sa
.sa_family
= family
;
697 if (serveraddr
.sa
.sa_family
== AF_INET6
)
698 serveraddr
.in6
.sin6_flowinfo
= 0;
701 header
= (struct dns_header
*)daemon
->packet
;
703 if (n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
))
706 /* spoof check: answer must come from known server, */
707 for (server
= daemon
->servers
; server
; server
= server
->next
)
708 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
709 sockaddr_isequal(&server
->addr
, &serveraddr
))
716 hash
= hash_questions(header
, n
, daemon
->namebuff
);
719 crc
= questions_crc(header
, n
, daemon
->namebuff
);
722 if (!(forward
= lookup_frec(ntohs(header
->id
), hash
)))
725 /* log_query gets called indirectly all over the place, so
726 pass these in global variables - sorry. */
727 daemon
->log_display_id
= forward
->log_id
;
728 daemon
->log_source_addr
= &forward
->source
;
730 if (daemon
->ignore_addr
&& RCODE(header
) == NOERROR
&&
731 check_for_ignored_address(header
, n
, daemon
->ignore_addr
))
734 if (RCODE(header
) == REFUSED
&&
735 !option_bool(OPT_ORDER
) &&
736 forward
->forwardall
== 0)
737 /* for broken servers, attempt to send to another one. */
739 unsigned char *pheader
;
743 /* recreate query from reply */
744 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
747 header
->ancount
= htons(0);
748 header
->nscount
= htons(0);
749 header
->arcount
= htons(0);
750 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
752 header
->hb3
&= ~(HB3_QR
| HB3_TC
);
753 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
, 0, 0);
759 server
= forward
->sentto
;
761 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
763 if (RCODE(header
) == REFUSED
)
767 struct server
*last_server
;
769 /* find good server by address if possible, otherwise assume the last one we sent to */
770 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
771 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
772 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
774 server
= last_server
;
778 if (!option_bool(OPT_ALL_SERVERS
))
779 daemon
->last_server
= server
;
782 /* If the answer is an error, keep the forward record in place in case
783 we get a good reply from another server. Kill it when we've
784 had replies from all to avoid filling the forwarding table when
785 everything is broken */
786 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 || RCODE(header
) != SERVFAIL
)
788 int check_rebind
= 0, no_cache_dnssec
= 0, cache_secure
= 0;
790 if (option_bool(OPT_NO_REBIND
))
791 check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
793 /* Don't cache replies where DNSSEC validation was turned off, either
794 the upstream server told us so, or the original query specified it. */
795 if ((header
->hb4
& HB4_CD
) || (forward
->flags
& FREC_CHECKING_DISABLED
))
799 if (server
&& option_bool(OPT_DNSSEC_VALID
) && !(forward
->flags
& FREC_CHECKING_DISABLED
))
803 /* We've had a reply already, which we're validating. Ignore this duplicate */
804 if (forward
->blocking_query
)
807 if (header
->hb3
& HB3_TC
)
809 /* Truncated answer can't be validated.
810 If this is an answer to a DNSSEC-generated query, we still
811 need to get the client to retry over TCP, so return
812 an answer with the TC bit set, even if the actual answer fits.
814 status
= STAT_TRUNCATED
;
816 else if (forward
->flags
& FREC_DNSKEY_QUERY
)
817 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
818 else if (forward
->flags
& FREC_DS_QUERY
)
820 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
821 if (status
== STAT_NO_DS
|| status
== STAT_NO_NS
)
824 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
826 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
827 if (status
!= STAT_NEED_KEY
)
828 status
= do_check_sign(forward
, status
, now
, daemon
->namebuff
, daemon
->keyname
);
832 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
, NULL
);
833 if (status
== STAT_NO_SIG
)
835 if (option_bool(OPT_DNSSEC_NO_SIGN
))
836 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
838 status
= STAT_INSECURE
;
841 /* Can't validate, as we're missing key data. Put this
842 answer aside, whilst we get that. */
843 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
845 struct frec
*new, *orig
;
847 /* Free any saved query */
849 blockdata_free(forward
->stash
);
851 /* Now save reply pending receipt of key data */
852 if (!(forward
->stash
= blockdata_alloc((char *)header
, n
)))
854 forward
->stash_len
= n
;
857 /* Find the original query that started it all.... */
858 for (orig
= forward
; orig
->dependent
; orig
= orig
->dependent
);
860 if (--orig
->work_counter
== 0 || !(new = get_new_frec(now
, NULL
, 1)))
861 status
= STAT_INSECURE
;
865 struct frec
*next
= new->next
;
866 *new = *forward
; /* copy everything, then overwrite */
868 new->blocking_query
= NULL
;
869 new->sentto
= server
;
871 new->orig_domain
= NULL
;
875 new->flags
&= ~(FREC_DNSKEY_QUERY
| FREC_DS_QUERY
| FREC_CHECK_NOSIGN
);
877 new->dependent
= forward
; /* to find query awaiting new one. */
878 forward
->blocking_query
= new; /* for garbage cleaning */
879 /* validate routines leave name of required record in daemon->keyname */
880 if (status
== STAT_NEED_KEY
)
882 new->flags
|= FREC_DNSKEY_QUERY
;
883 nn
= dnssec_generate_query(header
, ((char *) header
) + daemon
->packet_buff_sz
,
884 daemon
->keyname
, forward
->class, T_DNSKEY
, &server
->addr
);
888 if (status
== STAT_NEED_DS_NEG
)
889 new->flags
|= FREC_CHECK_NOSIGN
;
891 new->flags
|= FREC_DS_QUERY
;
892 nn
= dnssec_generate_query(header
,((char *) header
) + daemon
->packet_buff_sz
,
893 daemon
->keyname
, forward
->class, T_DS
, &server
->addr
);
895 if ((hash
= hash_questions(header
, nn
, daemon
->namebuff
)))
896 memcpy(new->hash
, hash
, HASH_SIZE
);
897 new->new_id
= get_id();
898 header
->id
= htons(new->new_id
);
899 /* Save query for retransmission */
900 if (!(new->stash
= blockdata_alloc((char *)header
, nn
)))
905 /* Don't resend this. */
906 daemon
->srv_save
= NULL
;
909 fd
= server
->sfd
->fd
;
914 if (server
->addr
.sa
.sa_family
== AF_INET6
)
916 if (new->rfd6
|| (new->rfd6
= allocate_rfd(AF_INET6
)))
922 if (new->rfd4
|| (new->rfd4
= allocate_rfd(AF_INET
)))
929 while (retry_send(sendto(fd
, (char *)header
, nn
, 0,
931 sa_len(&server
->addr
))));
939 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
940 Now wind back down, pulling back answers which wouldn't previously validate
941 and validate them with the new data. Note that if an answer needs multiple
942 keys to validate, we may find another key is needed, in which case we set off
943 down another branch of the tree. Once we get to the original answer
944 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
945 while (forward
->dependent
)
947 struct frec
*prev
= forward
->dependent
;
950 forward
->blocking_query
= NULL
; /* already gone */
951 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
952 n
= forward
->stash_len
;
954 if (status
== STAT_SECURE
)
956 if (forward
->flags
& FREC_DNSKEY_QUERY
)
957 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
958 else if (forward
->flags
& FREC_DS_QUERY
)
960 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
961 if (status
== STAT_NO_DS
|| status
== STAT_NO_NS
)
964 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
966 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
967 if (status
!= STAT_NEED_KEY
)
968 status
= do_check_sign(forward
, status
, now
, daemon
->namebuff
, daemon
->keyname
);
972 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
, NULL
);
973 if (status
== STAT_NO_SIG
)
975 if (option_bool(OPT_DNSSEC_NO_SIGN
))
976 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
978 status
= STAT_INSECURE
;
982 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
987 if (status
== STAT_TRUNCATED
)
988 header
->hb3
|= HB3_TC
;
993 if (forward
->work_counter
== 0)
994 result
= "ABANDONED";
996 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
998 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
, result
);
1001 no_cache_dnssec
= 0;
1003 if (status
== STAT_SECURE
)
1005 else if (status
== STAT_BOGUS
)
1006 no_cache_dnssec
= 1;
1010 /* restore CD bit to the value in the query */
1011 if (forward
->flags
& FREC_CHECKING_DISABLED
)
1012 header
->hb4
|= HB4_CD
;
1014 header
->hb4
&= ~HB4_CD
;
1016 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, no_cache_dnssec
, cache_secure
,
1017 forward
->flags
& FREC_AD_QUESTION
, forward
->flags
& FREC_DO_QUESTION
,
1018 forward
->flags
& FREC_ADDED_PHEADER
, forward
->flags
& FREC_HAS_SUBNET
, &forward
->source
)))
1020 header
->id
= htons(forward
->orig_id
);
1021 header
->hb4
|= HB4_RA
; /* recursion if available */
1022 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
1023 &forward
->source
, &forward
->dest
, forward
->iface
);
1025 free_frec(forward
); /* cancel */
1030 void receive_query(struct listener
*listen
, time_t now
)
1032 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
1033 union mysockaddr source_addr
;
1034 unsigned short type
;
1035 struct all_addr dst_addr
;
1036 struct in_addr netmask
, dst_addr_4
;
1039 int if_index
= 0, auth_dns
= 0;
1043 struct iovec iov
[1];
1045 struct cmsghdr
*cmptr
;
1047 struct cmsghdr align
; /* this ensures alignment */
1049 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
1051 #if defined(HAVE_LINUX_NETWORK)
1052 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
1053 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1054 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1055 CMSG_SPACE(sizeof(unsigned int))];
1056 #elif defined(IP_RECVDSTADDR)
1057 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1058 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
1062 /* Can always get recvd interface for IPv6 */
1063 int check_dst
= !option_bool(OPT_NOWILD
) || listen
->family
== AF_INET6
;
1065 int check_dst
= !option_bool(OPT_NOWILD
);
1068 /* packet buffer overwritten */
1069 daemon
->srv_save
= NULL
;
1071 dst_addr_4
.s_addr
= dst_addr
.addr
.addr4
.s_addr
= 0;
1074 if (option_bool(OPT_NOWILD
) && listen
->iface
)
1076 auth_dns
= listen
->iface
->dns_auth
;
1078 if (listen
->family
== AF_INET
)
1080 dst_addr_4
= dst_addr
.addr
.addr4
= listen
->iface
->addr
.in
.sin_addr
;
1081 netmask
= listen
->iface
->netmask
;
1085 iov
[0].iov_base
= daemon
->packet
;
1086 iov
[0].iov_len
= daemon
->edns_pktsz
;
1088 msg
.msg_control
= control_u
.control
;
1089 msg
.msg_controllen
= sizeof(control_u
);
1091 msg
.msg_name
= &source_addr
;
1092 msg
.msg_namelen
= sizeof(source_addr
);
1096 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
1099 if (n
< (int)sizeof(struct dns_header
) ||
1100 (msg
.msg_flags
& MSG_TRUNC
) ||
1101 (header
->hb3
& HB3_QR
))
1104 source_addr
.sa
.sa_family
= listen
->family
;
1106 if (listen
->family
== AF_INET
)
1108 /* Source-port == 0 is an error, we can't send back to that.
1109 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1110 if (source_addr
.in
.sin_port
== 0)
1116 /* Source-port == 0 is an error, we can't send back to that. */
1117 if (source_addr
.in6
.sin6_port
== 0)
1119 source_addr
.in6
.sin6_flowinfo
= 0;
1123 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1124 if (option_bool(OPT_LOCAL_SERVICE
))
1126 struct addrlist
*addr
;
1128 if (listen
->family
== AF_INET6
)
1130 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1131 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1132 is_same_net6(&addr
->addr
.addr
.addr6
, &source_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1138 struct in_addr netmask
;
1139 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1141 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1142 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1143 is_same_net(addr
->addr
.addr
.addr4
, source_addr
.in
.sin_addr
, netmask
))
1149 static int warned
= 0;
1152 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1163 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
1166 #if defined(HAVE_LINUX_NETWORK)
1167 if (listen
->family
== AF_INET
)
1168 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1169 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
1173 struct in_pktinfo
*p
;
1175 p
.c
= CMSG_DATA(cmptr
);
1176 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
1177 if_index
= p
.p
->ipi_ifindex
;
1179 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1180 if (listen
->family
== AF_INET
)
1182 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1188 #ifndef HAVE_SOLARIS_NETWORK
1189 struct sockaddr_dl
*s
;
1192 p
.c
= CMSG_DATA(cmptr
);
1193 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
1194 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
1195 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
1196 #ifdef HAVE_SOLARIS_NETWORK
1199 if_index
= p
.s
->sdl_index
;
1206 if (listen
->family
== AF_INET6
)
1208 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1209 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
1213 struct in6_pktinfo
*p
;
1215 p
.c
= CMSG_DATA(cmptr
);
1217 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
1218 if_index
= p
.p
->ipi6_ifindex
;
1223 /* enforce available interface configuration */
1225 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
))
1228 if (!iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
1230 if (!option_bool(OPT_CLEVERBIND
))
1231 enumerate_interfaces(0);
1232 if (!loopback_exception(listen
->fd
, listen
->family
, &dst_addr
, ifr
.ifr_name
) &&
1233 !label_exception(if_index
, listen
->family
, &dst_addr
))
1237 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
1241 /* get the netmask of the interface whch has the address we were sent to.
1242 This is no neccessarily the interface we arrived on. */
1244 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1245 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1246 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1249 /* interface may be new */
1250 if (!iface
&& !option_bool(OPT_CLEVERBIND
))
1251 enumerate_interfaces(0);
1253 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1254 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1255 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1258 /* If we failed, abandon localisation */
1260 netmask
= iface
->netmask
;
1262 dst_addr_4
.s_addr
= 0;
1266 /* log_query gets called indirectly all over the place, so
1267 pass these in global variables - sorry. */
1268 daemon
->log_display_id
= ++daemon
->log_id
;
1269 daemon
->log_source_addr
= &source_addr
;
1271 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
1274 struct auth_zone
*zone
;
1276 char *types
= querystr(auth_dns
? "auth" : "query", type
);
1278 if (listen
->family
== AF_INET
)
1279 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1280 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
1283 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1284 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
1288 /* find queries for zones we're authoritative for, and answer them directly */
1290 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1291 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1300 /* Check for forwarding loop */
1301 if (detect_loop(daemon
->namebuff
, type
))
1309 m
= answer_auth(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
, now
, &source_addr
, local_auth
);
1312 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1313 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1314 daemon
->auth_answer
++;
1320 int ad_reqd
, do_bit
;
1321 m
= answer_request(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
,
1322 dst_addr_4
, netmask
, now
, &ad_reqd
, &do_bit
);
1326 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1327 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1328 daemon
->local_answer
++;
1330 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
1331 header
, (size_t)n
, now
, NULL
, ad_reqd
, do_bit
))
1332 daemon
->queries_forwarded
++;
1334 daemon
->local_answer
++;
1340 /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1341 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1342 STAT_NEED_DS_NEG and keyname if we need to do the query. */
1343 static int send_check_sign(struct frec
*forward
, time_t now
, struct dns_header
*header
, size_t plen
,
1344 char *name
, char *keyname
)
1346 int status
= dnssec_chase_cname(now
, header
, plen
, name
, keyname
);
1348 if (status
!= STAT_INSECURE
)
1351 /* Store the domain we're trying to check. */
1352 forward
->name_start
= strlen(name
);
1353 forward
->name_len
= forward
->name_start
+ 1;
1354 if (!(forward
->orig_domain
= blockdata_alloc(name
, forward
->name_len
)))
1357 return do_check_sign(forward
, 0, now
, name
, keyname
);
1360 /* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1361 static int do_check_sign(struct frec
*forward
, int status
, time_t now
, char *name
, char *keyname
)
1363 /* get domain we're checking back from blockdata store, it's stored on the original query. */
1364 while (forward
->dependent
)
1365 forward
= forward
->dependent
;
1367 blockdata_retrieve(forward
->orig_domain
, forward
->name_len
, name
);
1377 /* Haven't received answer, see if in cache */
1378 if (!(crecp
= cache_find_by_name(NULL
, &name
[forward
->name_start
], now
, F_DS
)))
1380 /* put name of DS record we're missing into keyname */
1381 strcpy(keyname
, &name
[forward
->name_start
]);
1382 /* and wait for reply to arrive */
1383 return STAT_NEED_DS_NEG
;
1386 /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1387 if (!(crecp
->flags
& F_NEG
))
1388 status
= STAT_SECURE
;
1389 else if (crecp
->flags
& F_DNSSECOK
)
1390 status
= STAT_NO_DS
;
1392 status
= STAT_NO_NS
;
1395 /* Have entered non-signed part of DNS tree. */
1396 if (status
== STAT_NO_DS
)
1397 return STAT_INSECURE
;
1399 if (status
== STAT_BOGUS
)
1402 /* There's a proven DS record, or we're within a zone, where there doesn't need
1403 to be a DS record. Add a name and try again.
1404 If we've already tried the whole name, then fail */
1406 if (forward
->name_start
== 0)
1409 for (p
= &name
[forward
->name_start
-2]; (*p
!= '.') && (p
!= name
); p
--);
1414 forward
->name_start
= p
- name
;
1415 status
= 0; /* force to cache when we iterate. */
1419 /* Move toward the root, until we find a signed non-existance of a DS, in which case
1420 an unsigned answer is OK, or we find a signed DS, in which case there should be
1421 a signature, and the answer is BOGUS */
1422 static int tcp_check_for_unsigned_zone(time_t now
, struct dns_header
*header
, size_t plen
, int class, char *name
,
1423 char *keyname
, struct server
*server
, int *keycount
)
1426 unsigned char *packet
, *payload
;
1428 int status
, name_len
;
1429 struct blockdata
*block
;
1433 /* Get first insecure entry in CNAME chain */
1434 status
= tcp_key_recurse(now
, STAT_CHASE_CNAME
, header
, plen
, class, name
, keyname
, server
, keycount
);
1435 if (status
== STAT_BOGUS
)
1438 if (!(packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
))))
1441 payload
= &packet
[2];
1442 header
= (struct dns_header
*)payload
;
1443 length
= (u16
*)packet
;
1445 /* Stash the name away, since the buffer will be trashed when we recurse */
1446 name_len
= strlen(name
) + 1;
1447 name_start
= name
+ name_len
- 1;
1449 if (!(block
= blockdata_alloc(name
, name_len
)))
1457 unsigned char c1
, c2
;
1460 if (--(*keycount
) == 0)
1463 blockdata_free(block
);
1467 while ((crecp
= cache_find_by_name(NULL
, name_start
, now
, F_DS
)))
1469 if ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
))
1471 /* Found a secure denial of DS - delegation is indeed insecure */
1473 blockdata_free(block
);
1474 return STAT_INSECURE
;
1477 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1478 Add another label and continue. */
1480 if (name_start
== name
)
1483 blockdata_free(block
);
1484 return STAT_BOGUS
; /* run out of labels */
1488 while (*name_start
!= '.' && name_start
!= name
)
1490 if (name_start
!= name
)
1494 /* Can't find it in the cache, have to send a query */
1496 m
= dnssec_generate_query(header
, ((char *) header
) + 65536, name_start
, class, T_DS
, &server
->addr
);
1500 if (read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) &&
1501 read_write(server
->tcpfd
, &c1
, 1, 1) &&
1502 read_write(server
->tcpfd
, &c2
, 1, 1) &&
1503 read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1507 /* Note this trashes all three name workspaces */
1508 status
= tcp_key_recurse(now
, STAT_NEED_DS_NEG
, header
, m
, class, name
, keyname
, server
, keycount
);
1510 if (status
== STAT_NO_DS
)
1512 /* Found a secure denial of DS - delegation is indeed insecure */
1514 blockdata_free(block
);
1515 return STAT_INSECURE
;
1518 if (status
== STAT_BOGUS
)
1521 blockdata_free(block
);
1525 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1526 Add another label and continue. */
1528 /* Get name we're checking back. */
1529 blockdata_retrieve(block
, name_len
, name
);
1531 if (name_start
== name
)
1534 blockdata_free(block
);
1535 return STAT_BOGUS
; /* run out of labels */
1539 while (*name_start
!= '.' && name_start
!= name
)
1541 if (name_start
!= name
)
1548 blockdata_free(block
);
1549 return STAT_BOGUS
; /* run out of labels */
1554 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
1555 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
)
1557 /* Recurse up the key heirarchy */
1560 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1561 if (--(*keycount
) == 0)
1562 return STAT_INSECURE
;
1564 if (status
== STAT_NEED_KEY
)
1565 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1566 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1568 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1569 if (status
== STAT_NEED_DS
&& (new_status
== STAT_NO_DS
|| new_status
== STAT_NO_NS
))
1570 new_status
= STAT_BOGUS
;
1572 else if (status
== STAT_CHASE_CNAME
)
1573 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1576 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
, NULL
);
1578 if (new_status
== STAT_NO_SIG
)
1580 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1581 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1583 new_status
= STAT_INSECURE
;
1587 /* Can't validate because we need a key/DS whose name now in keyname.
1588 Make query for same, and recurse to validate */
1589 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1592 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1593 unsigned char *payload
= &packet
[2];
1594 struct dns_header
*new_header
= (struct dns_header
*)payload
;
1595 u16
*length
= (u16
*)packet
;
1596 unsigned char c1
, c2
;
1599 return STAT_INSECURE
;
1602 m
= dnssec_generate_query(new_header
, ((char *) new_header
) + 65536, keyname
, class,
1603 new_status
== STAT_NEED_KEY
? T_DNSKEY
: T_DS
, &server
->addr
);
1607 if (!read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) ||
1608 !read_write(server
->tcpfd
, &c1
, 1, 1) ||
1609 !read_write(server
->tcpfd
, &c2
, 1, 1) ||
1610 !read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1611 new_status
= STAT_INSECURE
;
1616 new_status
= tcp_key_recurse(now
, new_status
, new_header
, m
, class, name
, keyname
, server
, keycount
);
1618 if (new_status
== STAT_SECURE
)
1620 /* Reached a validated record, now try again at this level.
1621 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1622 If so, go round again. */
1624 if (status
== STAT_NEED_KEY
)
1625 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1626 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1628 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1629 if (status
== STAT_NEED_DS
&& (new_status
== STAT_NO_DS
|| new_status
== STAT_NO_NS
))
1630 new_status
= STAT_BOGUS
; /* Validated no DS */
1632 else if (status
== STAT_CHASE_CNAME
)
1633 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1636 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
, NULL
);
1638 if (new_status
== STAT_NO_SIG
)
1640 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1641 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1643 new_status
= STAT_INSECURE
;
1647 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1648 goto another_tcp_key
;
1659 /* The daemon forks before calling this: it should deal with one connection,
1660 blocking as neccessary, and then return. Note, need to be a bit careful
1661 about resources for debug mode, when the fork is suppressed: that's
1662 done by the caller. */
1663 unsigned char *tcp_request(int confd
, time_t now
,
1664 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
1671 int checking_disabled
, ad_question
, do_bit
, added_pheader
= 0;
1672 int check_subnet
, no_cache_dnssec
= 0, cache_secure
= 0;
1674 unsigned short qtype
;
1675 unsigned int gotname
;
1676 unsigned char c1
, c2
;
1677 /* Max TCP packet + slop + size */
1678 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1679 unsigned char *payload
= &packet
[2];
1680 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1681 struct dns_header
*header
= (struct dns_header
*)payload
;
1682 u16
*length
= (u16
*)packet
;
1683 struct server
*last_server
;
1684 struct in_addr dst_addr_4
;
1685 union mysockaddr peer_addr
;
1686 socklen_t peer_len
= sizeof(union mysockaddr
);
1687 int query_count
= 0;
1689 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
1692 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1693 if (option_bool(OPT_LOCAL_SERVICE
))
1695 struct addrlist
*addr
;
1697 if (peer_addr
.sa
.sa_family
== AF_INET6
)
1699 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1700 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1701 is_same_net6(&addr
->addr
.addr
.addr6
, &peer_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1707 struct in_addr netmask
;
1708 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1710 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1711 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1712 is_same_net(addr
->addr
.addr
.addr4
, peer_addr
.in
.sin_addr
, netmask
))
1718 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1725 if (query_count
== TCP_MAX_QUERIES
||
1727 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
1728 !(size
= c1
<< 8 | c2
) ||
1729 !read_write(confd
, payload
, size
, 1))
1732 if (size
< (int)sizeof(struct dns_header
))
1737 /* log_query gets called indirectly all over the place, so
1738 pass these in global variables - sorry. */
1739 daemon
->log_display_id
= ++daemon
->log_id
;
1740 daemon
->log_source_addr
= &peer_addr
;
1744 /* save state of "cd" flag in query */
1745 if ((checking_disabled
= header
->hb4
& HB4_CD
))
1746 no_cache_dnssec
= 1;
1748 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1751 struct auth_zone
*zone
;
1753 char *types
= querystr(auth_dns
? "auth" : "query", qtype
);
1755 if (peer_addr
.sa
.sa_family
== AF_INET
)
1756 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1757 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
1760 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1761 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
1765 /* find queries for zones we're authoritative for, and answer them directly */
1767 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1768 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1777 if (local_addr
->sa
.sa_family
== AF_INET
)
1778 dst_addr_4
= local_addr
->in
.sin_addr
;
1780 dst_addr_4
.s_addr
= 0;
1784 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
, local_auth
);
1788 /* m > 0 if answered from cache */
1789 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
1790 dst_addr_4
, netmask
, now
, &ad_question
, &do_bit
);
1792 /* Do this by steam now we're not in the select() loop */
1793 check_log_writer(NULL
);
1797 unsigned int flags
= 0;
1798 struct all_addr
*addrp
= NULL
;
1800 char *domain
= NULL
;
1802 if (option_bool(OPT_ADD_MAC
))
1803 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1805 if (option_bool(OPT_CLIENT_SUBNET
))
1807 size_t new = add_source_addr(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1816 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
1818 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
1819 last_server
= daemon
->servers
;
1821 last_server
= daemon
->last_server
;
1823 if (!flags
&& last_server
)
1825 struct server
*firstsendto
= NULL
;
1827 unsigned char *newhash
, hash
[HASH_SIZE
];
1828 if ((newhash
= hash_questions(header
, (unsigned int)size
, daemon
->namebuff
)))
1829 memcpy(hash
, newhash
, HASH_SIZE
);
1831 memset(hash
, 0, HASH_SIZE
);
1833 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
1835 /* Loop round available servers until we succeed in connecting to one.
1836 Note that this code subtley ensures that consecutive queries on this connection
1837 which can go to the same server, do so. */
1841 firstsendto
= last_server
;
1844 if (!(last_server
= last_server
->next
))
1845 last_server
= daemon
->servers
;
1847 if (last_server
== firstsendto
)
1851 /* server for wrong domain */
1852 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
1853 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)) ||
1854 (last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
1857 if (last_server
->tcpfd
== -1)
1859 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
1862 #ifdef HAVE_CONNTRACK
1863 /* Copy connection mark of incoming query to outgoing connection. */
1864 if (option_bool(OPT_CONNTRACK
))
1867 struct all_addr local
;
1869 if (local_addr
->sa
.sa_family
== AF_INET6
)
1870 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
1873 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
1875 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
1876 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
1880 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
1881 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
1883 close(last_server
->tcpfd
);
1884 last_server
->tcpfd
= -1;
1889 if (option_bool(OPT_DNSSEC_VALID
))
1891 size_t new_size
= add_do_bit(header
, size
, ((char *) header
) + 65536);
1893 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1894 this allows it to select auth servers when one is returning bad data. */
1895 if (option_bool(OPT_DNSSEC_DEBUG
))
1896 header
->hb4
|= HB4_CD
;
1898 if (size
!= new_size
)
1906 *length
= htons(size
);
1908 /* get query name again for logging - may have been overwritten */
1909 if (!(gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1910 strcpy(daemon
->namebuff
, "query");
1912 if (!read_write(last_server
->tcpfd
, packet
, size
+ sizeof(u16
), 0) ||
1913 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
1914 !read_write(last_server
->tcpfd
, &c2
, 1, 1) ||
1915 !read_write(last_server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1917 close(last_server
->tcpfd
);
1918 last_server
->tcpfd
= -1;
1924 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
1925 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1926 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
1929 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1930 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
1934 if (option_bool(OPT_DNSSEC_VALID
) && !checking_disabled
)
1936 int keycount
= DNSSEC_WORK
; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
1937 int status
= tcp_key_recurse(now
, STAT_TRUNCATED
, header
, m
, 0, daemon
->namebuff
, daemon
->keyname
, last_server
, &keycount
);
1941 result
= "ABANDONED";
1943 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
1945 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
, result
);
1947 if (status
== STAT_BOGUS
)
1948 no_cache_dnssec
= 1;
1950 if (status
== STAT_SECURE
)
1955 /* restore CD bit to the value in the query */
1956 if (checking_disabled
)
1957 header
->hb4
|= HB4_CD
;
1959 header
->hb4
&= ~HB4_CD
;
1961 /* There's no point in updating the cache, since this process will exit and
1962 lose the information after a few queries. We make this call for the alias and
1963 bogus-nxdomain side-effects. */
1964 /* If the crc of the question section doesn't match the crc we sent, then
1965 someone might be attempting to insert bogus values into the cache by
1966 sending replies containing questions and bogus answers. */
1968 newhash
= hash_questions(header
, (unsigned int)m
, daemon
->namebuff
);
1969 if (!newhash
|| memcmp(hash
, newhash
, HASH_SIZE
) != 0)
1975 if (crc
!= questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
1982 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
1983 option_bool(OPT_NO_REBIND
) && !norebind
, no_cache_dnssec
,
1984 cache_secure
, ad_question
, do_bit
, added_pheader
, check_subnet
, &peer_addr
);
1990 /* In case of local answer or no connections made. */
1992 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
1996 check_log_writer(NULL
);
2000 if (m
== 0 || !read_write(confd
, packet
, m
+ sizeof(u16
), 0))
2005 static struct frec
*allocate_frec(time_t now
)
2009 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
2011 f
->next
= daemon
->frec_list
;
2020 f
->dependent
= NULL
;
2021 f
->blocking_query
= NULL
;
2023 f
->orig_domain
= NULL
;
2025 daemon
->frec_list
= f
;
2031 struct randfd
*allocate_rfd(int family
)
2033 static int finger
= 0;
2036 /* limit the number of sockets we have open to avoid starvation of
2037 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2039 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
2040 if (daemon
->randomsocks
[i
].refcount
== 0)
2042 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
2045 daemon
->randomsocks
[i
].refcount
= 1;
2046 daemon
->randomsocks
[i
].family
= family
;
2047 return &daemon
->randomsocks
[i
];
2050 /* No free ones or cannot get new socket, grab an existing one */
2051 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
2053 int j
= (i
+finger
) % RANDOM_SOCKS
;
2054 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
2055 daemon
->randomsocks
[j
].family
== family
&&
2056 daemon
->randomsocks
[j
].refcount
!= 0xffff)
2059 daemon
->randomsocks
[j
].refcount
++;
2060 return &daemon
->randomsocks
[j
];
2064 return NULL
; /* doom */
2067 void free_rfd(struct randfd
*rfd
)
2069 if (rfd
&& --(rfd
->refcount
) == 0)
2073 static void free_frec(struct frec
*f
)
2088 blockdata_free(f
->stash
);
2094 blockdata_free(f
->orig_domain
);
2095 f
->orig_domain
= NULL
;
2098 /* Anything we're waiting on is pointless now, too */
2099 if (f
->blocking_query
)
2100 free_frec(f
->blocking_query
);
2101 f
->blocking_query
= NULL
;
2102 f
->dependent
= NULL
;
2106 /* if wait==NULL return a free or older than TIMEOUT record.
2107 else return *wait zero if one available, or *wait is delay to
2108 when the oldest in-use record will expire. Impose an absolute
2109 limit of 4*TIMEOUT before we wipe things (for random sockets).
2110 If force is set, always return a result, even if we have
2111 to allocate above the limit. */
2112 struct frec
*get_new_frec(time_t now
, int *wait
, int force
)
2114 struct frec
*f
, *oldest
, *target
;
2120 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
2125 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
2131 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
2141 /* can't find empty one, use oldest if there is one
2142 and it's older than timeout */
2143 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
2145 /* keep stuff for twice timeout if we can by allocating a new
2147 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
2148 count
<= daemon
->ftabsize
&&
2149 (f
= allocate_frec(now
)))
2160 /* none available, calculate time 'till oldest record expires */
2161 if (!force
&& count
> daemon
->ftabsize
)
2163 static time_t last_log
= 0;
2166 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
2168 if ((int)difftime(now
, last_log
) > 5)
2171 my_syslog(LOG_WARNING
, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon
->ftabsize
);
2177 if (!(f
= allocate_frec(now
)) && wait
)
2178 /* wait one second on malloc failure */
2181 return f
; /* OK if malloc fails and this is NULL */
2184 /* crc is all-ones if not known. */
2185 static struct frec
*lookup_frec(unsigned short id
, void *hash
)
2189 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2190 if (f
->sentto
&& f
->new_id
== id
&&
2191 (!hash
|| memcmp(hash
, f
->hash
, HASH_SIZE
) == 0))
2197 static struct frec
*lookup_frec_by_sender(unsigned short id
,
2198 union mysockaddr
*addr
,
2203 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2206 memcmp(hash
, f
->hash
, HASH_SIZE
) == 0 &&
2207 sockaddr_isequal(&f
->source
, addr
))
2213 /* Send query packet again, if we can. */
2216 if (daemon
->srv_save
)
2220 if (daemon
->srv_save
->sfd
)
2221 fd
= daemon
->srv_save
->sfd
->fd
;
2222 else if (daemon
->rfd_save
&& daemon
->rfd_save
->refcount
!= 0)
2223 fd
= daemon
->rfd_save
->fd
;
2227 while(retry_send(sendto(fd
, daemon
->packet
, daemon
->packet_len
, 0,
2228 &daemon
->srv_save
->addr
.sa
,
2229 sa_len(&daemon
->srv_save
->addr
))));
2233 /* A server record is going away, remove references to it */
2234 void server_gone(struct server
*server
)
2238 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
2239 if (f
->sentto
&& f
->sentto
== server
)
2242 if (daemon
->last_server
== server
)
2243 daemon
->last_server
= NULL
;
2245 if (daemon
->srv_save
== server
)
2246 daemon
->srv_save
= NULL
;
2249 /* return unique random ids. */
2250 static unsigned short get_id(void)
2252 unsigned short ret
= 0;
2256 while (lookup_frec(ret
, NULL
));