src/forward.c

   1 /* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
   2
   3    This program is free software; you can redistribute it and/or modify
   4    it under the terms of the GNU General Public License as published by
   5    the Free Software Foundation; version 2 dated June, 1991, or
   6    (at your option) version 3 dated 29 June, 2007.
   7
   8    This program is distributed in the hope that it will be useful,
   9    but WITHOUT ANY WARRANTY; without even the implied warranty of
  10    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  11    GNU General Public License for more details.
  12
  13    You should have received a copy of the GNU General Public License
  14    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  15 */
  16
  17 #include "dnsmasq.h"
  18
  19 static struct frec *lookup_frec(unsigned short id, void *hash);
  20 static struct frec *lookup_frec_by_sender(unsigned short id,
  21                                           union mysockaddr *addr,
  22                                           void *hash);
  23 static unsigned short get_id(void);
  24 static void free_frec(struct frec *f);
  25
  26 #ifdef HAVE_DNSSEC
  27 static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
  28                            int class, char *name, char *keyname, struct server *server, int *keycount);
  29 static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname);
  30 static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
  31                            char *name, char *keyname);
  32 #endif
  33
  34
  35 /* Send a UDP packet with its source address set as "source"
  36    unless nowild is true, when we just send it with the kernel default */
  37 int send_from(int fd, int nowild, char *packet, size_t len,
  38               union mysockaddr *to, struct all_addr *source,
  39               unsigned int iface)
  40 {
  41   struct msghdr msg;
  42   struct iovec iov[1];
  43   union {
  44     struct cmsghdr align; /* this ensures alignment */
  45 #if defined(HAVE_LINUX_NETWORK)
  46     char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
  47 #elif defined(IP_SENDSRCADDR)
  48     char control[CMSG_SPACE(sizeof(struct in_addr))];
  49 #endif
  50 #ifdef HAVE_IPV6
  51     char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
  52 #endif
  53   } control_u;
  54
  55   iov[0].iov_base = packet;
  56   iov[0].iov_len = len;
  57
  58   msg.msg_control = NULL;
  59   msg.msg_controllen = 0;
  60   msg.msg_flags = 0;
  61   msg.msg_name = to;
  62   msg.msg_namelen = sa_len(to);
  63   msg.msg_iov = iov;
  64   msg.msg_iovlen = 1;
  65
  66   if (!nowild)
  67     {
  68       struct cmsghdr *cmptr;
  69       msg.msg_control = &control_u;
  70       msg.msg_controllen = sizeof(control_u);
  71       cmptr = CMSG_FIRSTHDR(&msg);
  72
  73       if (to->sa.sa_family == AF_INET)
  74         {
  75 #if defined(HAVE_LINUX_NETWORK)
  76           struct in_pktinfo p;
  77           p.ipi_ifindex = 0;
  78           p.ipi_spec_dst = source->addr.addr4;
  79           memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
  80           msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
  81           cmptr->cmsg_level = IPPROTO_IP;
  82           cmptr->cmsg_type = IP_PKTINFO;
  83 #elif defined(IP_SENDSRCADDR)
  84           memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
  85           msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
  86           cmptr->cmsg_level = IPPROTO_IP;
  87           cmptr->cmsg_type = IP_SENDSRCADDR;
  88 #endif
  89         }
  90       else
  91 #ifdef HAVE_IPV6
  92         {
  93           struct in6_pktinfo p;
  94           p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
  95           p.ipi6_addr = source->addr.addr6;
  96           memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
  97           msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
  98           cmptr->cmsg_type = daemon->v6pktinfo;
  99           cmptr->cmsg_level = IPPROTO_IPV6;
 100         }
 101 #else
 102       (void)iface; /* eliminate warning */
 103 #endif
 104     }
 105
 106   while (retry_send(sendmsg(fd, &msg, 0)));
 107
 108   /* If interface is still in DAD, EINVAL results - ignore that. */
 109   if (errno != 0 && errno != EINVAL)
 110     {
 111       my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
 112       return 0;
 113     }
 114
 115   return 1;
 116 }
 117
 118 static unsigned int search_servers(time_t now, struct all_addr **addrpp,
 119                                      unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
 120
 121 {
 122   /* If the query ends in the domain in one of our servers, set
 123      domain to point to that name. We find the largest match to allow both
 124      domain.org and sub.domain.org to exist. */
 125
 126   unsigned int namelen = strlen(qdomain);
 127   unsigned int matchlen = 0;
 128   struct server *serv;
 129   unsigned int flags = 0;
 130
 131   for (serv = daemon->servers; serv; serv=serv->next)
 132     /* domain matches take priority over NODOTS matches */
 133     if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
 134       {
 135         unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
 136         *type = SERV_FOR_NODOTS;
 137         if (serv->flags & SERV_NO_ADDR)
 138           flags = F_NXDOMAIN;
 139         else if (serv->flags & SERV_LITERAL_ADDRESS)
 140           {
 141             if (sflag & qtype)
 142               {
 143                 flags = sflag;
 144                 if (serv->addr.sa.sa_family == AF_INET)
 145                   *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
 146 #ifdef HAVE_IPV6
 147                 else
 148                   *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
 149 #endif
 150               }
 151             else if (!flags || (flags & F_NXDOMAIN))
 152               flags = F_NOERR;
 153           }
 154       }
 155     else if (serv->flags & SERV_HAS_DOMAIN)
 156       {
 157         unsigned int domainlen = strlen(serv->domain);
 158         char *matchstart = qdomain + namelen - domainlen;
 159         if (namelen >= domainlen &&
 160             hostname_isequal(matchstart, serv->domain) &&
 161             (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
 162           {
 163             if (serv->flags & SERV_NO_REBIND)
 164               *norebind = 1;
 165             else
 166               {
 167                 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
 168                 /* implement priority rules for --address and --server for same domain.
 169                    --address wins if the address is for the correct AF
 170                    --server wins otherwise. */
 171                 if (domainlen != 0 && domainlen == matchlen)
 172                   {
 173                     if ((serv->flags & SERV_LITERAL_ADDRESS))
 174                       {
 175                         if (!(sflag & qtype) && flags == 0)
 176                           continue;
 177                       }
 178                     else
 179                       {
 180                         if (flags & (F_IPV4 | F_IPV6))
 181                           continue;
 182                       }
 183                   }
 184
 185                 if (domainlen >= matchlen)
 186                   {
 187                     *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
 188                     *domain = serv->domain;
 189                     matchlen = domainlen;
 190                     if (serv->flags & SERV_NO_ADDR)
 191                       flags = F_NXDOMAIN;
 192                     else if (serv->flags & SERV_LITERAL_ADDRESS)
 193                       {
 194                         if (sflag & qtype)
 195                           {
 196                             flags = sflag;
 197                             if (serv->addr.sa.sa_family == AF_INET)
 198                               *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
 199 #ifdef HAVE_IPV6
 200                             else
 201                               *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
 202 #endif
 203                           }
 204                         else if (!flags || (flags & F_NXDOMAIN))
 205                           flags = F_NOERR;
 206                       }
 207                     else
 208                       flags = 0;
 209                   }
 210               }
 211           }
 212       }
 213
 214   if (flags == 0 && !(qtype & F_QUERY) &&
 215       option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
 216     /* don't forward A or AAAA queries for simple names, except the empty name */
 217     flags = F_NOERR;
 218
 219   if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
 220     flags = F_NOERR;
 221
 222   if (flags)
 223     {
 224       int logflags = 0;
 225
 226       if (flags == F_NXDOMAIN || flags == F_NOERR)
 227         logflags = F_NEG | qtype;
 228
 229       log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
 230     }
 231   else if ((*type) & SERV_USE_RESOLV)
 232     {
 233       *type = 0; /* use normal servers for this domain */
 234       *domain = NULL;
 235     }
 236   return  flags;
 237 }
 238
 239 static int forward_query(int udpfd, union mysockaddr *udpaddr,
 240                          struct all_addr *dst_addr, unsigned int dst_iface,
 241                          struct dns_header *header, size_t plen, time_t now,
 242                          struct frec *forward, int ad_reqd, int do_bit)
 243 {
 244   char *domain = NULL;
 245   int type = 0, norebind = 0;
 246   struct all_addr *addrp = NULL;
 247   unsigned int flags = 0;
 248   struct server *start = NULL;
 249 #ifdef HAVE_DNSSEC
 250   void *hash = hash_questions(header, plen, daemon->namebuff);
 251 #else
 252   unsigned int crc = questions_crc(header, plen, daemon->namebuff);
 253   void *hash = &crc;
 254 #endif
 255  unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
 256  unsigned char *pheader;
 257
 258  (void)do_bit;
 259
 260   /* may be no servers available. */
 261   if (!daemon->servers)
 262     forward = NULL;
 263   else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
 264     {
 265       /* If we didn't get an answer advertising a maximal packet in EDNS,
 266          fall back to 1280, which should work everywhere on IPv6.
 267          If that generates an answer, it will become the new default
 268          for this server */
 269       forward->flags |= FREC_TEST_PKTSZ;
 270
 271 #ifdef HAVE_DNSSEC
 272       /* If we've already got an answer to this query, but we're awaiting keys for validation,
 273          there's no point retrying the query, retry the key query instead...... */
 274       if (forward->blocking_query)
 275         {
 276           int fd;
 277
 278           forward->flags &= ~FREC_TEST_PKTSZ;
 279
 280           while (forward->blocking_query)
 281             forward = forward->blocking_query;
 282
 283           forward->flags |= FREC_TEST_PKTSZ;
 284
 285           blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
 286           plen = forward->stash_len;
 287
 288           if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
 289             PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : forward->sentto->edns_pktsz, pheader);
 290
 291           if (forward->sentto->addr.sa.sa_family == AF_INET)
 292             log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
 293 #ifdef HAVE_IPV6
 294           else
 295             log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
 296 #endif
 297
 298           if (forward->sentto->sfd)
 299             fd = forward->sentto->sfd->fd;
 300           else
 301             {
 302 #ifdef HAVE_IPV6
 303               if (forward->sentto->addr.sa.sa_family == AF_INET6)
 304                 fd = forward->rfd6->fd;
 305               else
 306 #endif
 307                 fd = forward->rfd4->fd;
 308             }
 309
 310           while (retry_send( sendto(fd, (char *)header, plen, 0,
 311                                     &forward->sentto->addr.sa,
 312                                     sa_len(&forward->sentto->addr))));
 313
 314           return 1;
 315         }
 316 #endif
 317
 318       /* retry on existing query, send to all available servers  */
 319       domain = forward->sentto->domain;
 320       forward->sentto->failed_queries++;
 321       if (!option_bool(OPT_ORDER))
 322         {
 323           forward->forwardall = 1;
 324           daemon->last_server = NULL;
 325         }
 326       type = forward->sentto->flags & SERV_TYPE;
 327       if (!(start = forward->sentto->next))
 328         start = daemon->servers; /* at end of list, recycle */
 329       header->id = htons(forward->new_id);
 330     }
 331   else
 332     {
 333       if (gotname)
 334         flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
 335
 336       if (!flags && !(forward = get_new_frec(now, NULL, 0)))
 337         /* table full - server failure. */
 338         flags = F_NEG;
 339
 340       if (forward)
 341         {
 342           forward->source = *udpaddr;
 343           forward->dest = *dst_addr;
 344           forward->iface = dst_iface;
 345           forward->orig_id = ntohs(header->id);
 346           forward->new_id = get_id();
 347           forward->fd = udpfd;
 348           memcpy(forward->hash, hash, HASH_SIZE);
 349           forward->forwardall = 0;
 350           forward->flags = 0;
 351           if (norebind)
 352             forward->flags |= FREC_NOREBIND;
 353           if (header->hb4 & HB4_CD)
 354             forward->flags |= FREC_CHECKING_DISABLED;
 355           if (ad_reqd)
 356             forward->flags |= FREC_AD_QUESTION;
 357 #ifdef HAVE_DNSSEC
 358           forward->work_counter = DNSSEC_WORK;
 359           if (do_bit)
 360             forward->flags |= FREC_DO_QUESTION;
 361 #endif
 362
 363           header->id = htons(forward->new_id);
 364
 365           /* In strict_order mode, always try servers in the order
 366              specified in resolv.conf, if a domain is given
 367              always try all the available servers,
 368              otherwise, use the one last known to work. */
 369
 370           if (type == 0)
 371             {
 372               if (option_bool(OPT_ORDER))
 373                 start = daemon->servers;
 374               else if (!(start = daemon->last_server) ||
 375                        daemon->forwardcount++ > FORWARD_TEST ||
 376                        difftime(now, daemon->forwardtime) > FORWARD_TIME)
 377                 {
 378                   start = daemon->servers;
 379                   forward->forwardall = 1;
 380                   daemon->forwardcount = 0;
 381                   daemon->forwardtime = now;
 382                 }
 383             }
 384           else
 385             {
 386               start = daemon->servers;
 387               if (!option_bool(OPT_ORDER))
 388                 forward->forwardall = 1;
 389             }
 390         }
 391     }
 392
 393   /* check for send errors here (no route to host)
 394      if we fail to send to all nameservers, send back an error
 395      packet straight away (helps modem users when offline)  */
 396
 397   if (!flags && forward)
 398     {
 399       struct server *firstsentto = start;
 400       int forwarded = 0;
 401
 402       /* If a query is retried, use the log_id for the retry when logging the answer. */
 403       forward->log_id = daemon->log_id;
 404
 405       if (option_bool(OPT_ADD_MAC))
 406         plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
 407
 408       if (option_bool(OPT_CLIENT_SUBNET))
 409         {
 410           size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
 411           if (new != plen)
 412             {
 413               plen = new;
 414               forward->flags |= FREC_HAS_SUBNET;
 415             }
 416         }
 417
 418 #ifdef HAVE_DNSSEC
 419       if (option_bool(OPT_DNSSEC_VALID))
 420         {
 421           size_t new_plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
 422
 423           /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
 424              this allows it to select auth servers when one is returning bad data. */
 425           if (option_bool(OPT_DNSSEC_DEBUG))
 426             header->hb4 |= HB4_CD;
 427
 428           if (new_plen != plen)
 429             forward->flags |= FREC_ADDED_PHEADER;
 430
 431           plen = new_plen;
 432         }
 433 #endif
 434
 435       while (1)
 436         {
 437           /* only send to servers dealing with our domain.
 438              domain may be NULL, in which case server->domain
 439              must be NULL also. */
 440
 441           if (type == (start->flags & SERV_TYPE) &&
 442               (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
 443               !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
 444             {
 445               int fd;
 446
 447               /* find server socket to use, may need to get random one. */
 448               if (start->sfd)
 449                 fd = start->sfd->fd;
 450               else
 451                 {
 452 #ifdef HAVE_IPV6
 453                   if (start->addr.sa.sa_family == AF_INET6)
 454                     {
 455                       if (!forward->rfd6 &&
 456                           !(forward->rfd6 = allocate_rfd(AF_INET6)))
 457                         break;
 458                       daemon->rfd_save = forward->rfd6;
 459                       fd = forward->rfd6->fd;
 460                     }
 461                   else
 462 #endif
 463                     {
 464                       if (!forward->rfd4 &&
 465                           !(forward->rfd4 = allocate_rfd(AF_INET)))
 466                         break;
 467                       daemon->rfd_save = forward->rfd4;
 468                       fd = forward->rfd4->fd;
 469                     }
 470
 471 #ifdef HAVE_CONNTRACK
 472                   /* Copy connection mark of incoming query to outgoing connection. */
 473                   if (option_bool(OPT_CONNTRACK))
 474                     {
 475                       unsigned int mark;
 476                       if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
 477                         setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
 478                     }
 479 #endif
 480                 }
 481
 482               if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
 483                 PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : start->edns_pktsz, pheader);
 484
 485               if (retry_send(sendto(fd, (char *)header, plen, 0,
 486                                     &start->addr.sa,
 487                                     sa_len(&start->addr))))
 488                 continue;
 489
 490               if (errno == 0)
 491                 {
 492                   /* Keep info in case we want to re-send this packet */
 493                   daemon->srv_save = start;
 494                   daemon->packet_len = plen;
 495
 496                   if (!gotname)
 497                     strcpy(daemon->namebuff, "query");
 498                   if (start->addr.sa.sa_family == AF_INET)
 499                     log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
 500                               (struct all_addr *)&start->addr.in.sin_addr, NULL);
 501 #ifdef HAVE_IPV6
 502                   else
 503                     log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
 504                               (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
 505 #endif
 506                   start->queries++;
 507                   forwarded = 1;
 508                   forward->sentto = start;
 509                   if (!forward->forwardall)
 510                     break;
 511                   forward->forwardall++;
 512                 }
 513             }
 514
 515           if (!(start = start->next))
 516             start = daemon->servers;
 517
 518           if (start == firstsentto)
 519             break;
 520         }
 521
 522       if (forwarded)
 523         return 1;
 524
 525       /* could not send on, prepare to return */
 526       header->id = htons(forward->orig_id);
 527       free_frec(forward); /* cancel */
 528     }
 529
 530   /* could not send on, return empty answer or address if known for whole domain */
 531   if (udpfd != -1)
 532     {
 533       plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
 534       send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
 535     }
 536
 537   return 0;
 538 }
 539
 540 static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
 541                             int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader,
 542                             int check_subnet, union mysockaddr *query_source)
 543 {
 544   unsigned char *pheader, *sizep;
 545   char **sets = 0;
 546   int munged = 0, is_sign;
 547   size_t plen;
 548
 549   (void)ad_reqd;
 550   (void)do_bit;
 551   (void)bogusanswer;
 552
 553 #ifdef HAVE_IPSET
 554   if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
 555     {
 556       /* Similar algorithm to search_servers. */
 557       struct ipsets *ipset_pos;
 558       unsigned int namelen = strlen(daemon->namebuff);
 559       unsigned int matchlen = 0;
 560       for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
 561         {
 562           unsigned int domainlen = strlen(ipset_pos->domain);
 563           char *matchstart = daemon->namebuff + namelen - domainlen;
 564           if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
 565               (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
 566               domainlen >= matchlen)
 567             {
 568               matchlen = domainlen;
 569               sets = ipset_pos->sets;
 570             }
 571         }
 572     }
 573 #endif
 574
 575   /* If upstream is advertising a larger UDP packet size
 576      than we allow, trim it so that we don't get overlarge
 577      requests for the client. We can't do this for signed packets. */
 578
 579   if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
 580     {
 581       unsigned short udpsz;
 582       unsigned char *psave = sizep;
 583
 584       GETSHORT(udpsz, sizep);
 585
 586       if (!is_sign && udpsz > daemon->edns_pktsz)
 587         PUTSHORT(daemon->edns_pktsz, psave);
 588
 589       if (check_subnet && !check_source(header, plen, pheader, query_source))
 590         {
 591           my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
 592           return 0;
 593         }
 594
 595       if (added_pheader)
 596         {
 597           pheader = 0;
 598           header->arcount = htons(0);
 599         }
 600     }
 601
 602   /* RFC 4035 sect 4.6 para 3 */
 603   if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
 604      header->hb4 &= ~HB4_AD;
 605
 606   if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
 607     return resize_packet(header, n, pheader, plen);
 608
 609   /* Complain loudly if the upstream server is non-recursive. */
 610   if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
 611       server && !(server->flags & SERV_WARNED_RECURSIVE))
 612     {
 613       prettyprint_addr(&server->addr, daemon->namebuff);
 614       my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
 615       if (!option_bool(OPT_LOG))
 616         server->flags |= SERV_WARNED_RECURSIVE;
 617     }
 618
 619   if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
 620       check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
 621     {
 622       munged = 1;
 623       SET_RCODE(header, NXDOMAIN);
 624       header->hb3 &= ~HB3_AA;
 625       cache_secure = 0;
 626     }
 627   else
 628     {
 629       int doctored = 0;
 630
 631       if (RCODE(header) == NXDOMAIN &&
 632           extract_request(header, n, daemon->namebuff, NULL) &&
 633           check_for_local_domain(daemon->namebuff, now))
 634         {
 635           /* if we forwarded a query for a locally known name (because it was for
 636              an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
 637              since we know that the domain exists, even if upstream doesn't */
 638           munged = 1;
 639           header->hb3 |= HB3_AA;
 640           SET_RCODE(header, NOERROR);
 641           cache_secure = 0;
 642         }
 643
 644       if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
 645         {
 646           my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
 647           munged = 1;
 648           cache_secure = 0;
 649         }
 650
 651       if (doctored)
 652         cache_secure = 0;
 653     }
 654
 655 #ifdef HAVE_DNSSEC
 656   if (bogusanswer && !(header->hb4 & HB4_CD))
 657     {
 658       if (!option_bool(OPT_DNSSEC_DEBUG))
 659         {
 660           /* Bogus reply, turn into SERVFAIL */
 661           SET_RCODE(header, SERVFAIL);
 662           munged = 1;
 663         }
 664     }
 665
 666   if (option_bool(OPT_DNSSEC_VALID))
 667     header->hb4 &= ~HB4_AD;
 668
 669   if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
 670     header->hb4 |= HB4_AD;
 671
 672   /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
 673   if (!do_bit)
 674     n = filter_rrsigs(header, n);
 675 #endif
 676
 677   /* do this after extract_addresses. Ensure NODATA reply and remove
 678      nameserver info. */
 679
 680   if (munged)
 681     {
 682       header->ancount = htons(0);
 683       header->nscount = htons(0);
 684       header->arcount = htons(0);
 685       header->hb3 &= ~HB3_TC;
 686     }
 687
 688   /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
 689      sections of the packet. Find the new length here and put back pseudoheader
 690      if it was removed. */
 691   return resize_packet(header, n, pheader, plen);
 692 }
 693
 694 /* sets new last_server */
 695 void reply_query(int fd, int family, time_t now)
 696 {
 697   /* packet from peer server, extract data for cache, and send to
 698      original requester */
 699   struct dns_header *header;
 700   union mysockaddr serveraddr;
 701   struct frec *forward;
 702   socklen_t addrlen = sizeof(serveraddr);
 703   ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
 704   size_t nn;
 705   struct server *server;
 706   void *hash;
 707 #ifndef HAVE_DNSSEC
 708   unsigned int crc;
 709 #endif
 710
 711   /* packet buffer overwritten */
 712   daemon->srv_save = NULL;
 713
 714   /* Determine the address of the server replying  so that we can mark that as good */
 715   serveraddr.sa.sa_family = family;
 716 #ifdef HAVE_IPV6
 717   if (serveraddr.sa.sa_family == AF_INET6)
 718     serveraddr.in6.sin6_flowinfo = 0;
 719 #endif
 720
 721   header = (struct dns_header *)daemon->packet;
 722
 723   if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR))
 724     return;
 725
 726   /* spoof check: answer must come from known server, */
 727   for (server = daemon->servers; server; server = server->next)
 728     if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
 729         sockaddr_isequal(&server->addr, &serveraddr))
 730       break;
 731
 732   if (!server)
 733     return;
 734
 735 #ifdef HAVE_DNSSEC
 736   hash = hash_questions(header, n, daemon->namebuff);
 737 #else
 738   hash = &crc;
 739   crc = questions_crc(header, n, daemon->namebuff);
 740 #endif
 741
 742   if (!(forward = lookup_frec(ntohs(header->id), hash)))
 743     return;
 744
 745   /* log_query gets called indirectly all over the place, so
 746      pass these in global variables - sorry. */
 747   daemon->log_display_id = forward->log_id;
 748   daemon->log_source_addr = &forward->source;
 749
 750   if (daemon->ignore_addr && RCODE(header) == NOERROR &&
 751       check_for_ignored_address(header, n, daemon->ignore_addr))
 752     return;
 753
 754   if (RCODE(header) == REFUSED &&
 755       !option_bool(OPT_ORDER) &&
 756       forward->forwardall == 0)
 757     /* for broken servers, attempt to send to another one. */
 758     {
 759       unsigned char *pheader;
 760       size_t plen;
 761       int is_sign;
 762
 763       /* recreate query from reply */
 764       pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
 765       if (!is_sign)
 766         {
 767           header->ancount = htons(0);
 768           header->nscount = htons(0);
 769           header->arcount = htons(0);
 770           if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
 771             {
 772               header->hb3 &= ~(HB3_QR | HB3_AA | HB3_TC);
 773               header->hb4 &= ~(HB4_RA | HB4_RCODE);
 774               forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0);
 775               return;
 776             }
 777         }
 778     }
 779
 780   server = forward->sentto;
 781   if ((forward->sentto->flags & SERV_TYPE) == 0)
 782     {
 783       if (RCODE(header) == REFUSED)
 784         server = NULL;
 785       else
 786         {
 787           struct server *last_server;
 788
 789           /* find good server by address if possible, otherwise assume the last one we sent to */
 790           for (last_server = daemon->servers; last_server; last_server = last_server->next)
 791             if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
 792                 sockaddr_isequal(&last_server->addr, &serveraddr))
 793               {
 794                 server = last_server;
 795                 break;
 796               }
 797         }
 798       if (!option_bool(OPT_ALL_SERVERS))
 799         daemon->last_server = server;
 800     }
 801
 802   /* We tried resending to this server with a smaller maximum size and got an answer.
 803      Make that permanent. To avoid reduxing the packet size for an single dropped packet,
 804      only do this when we get a truncated answer, or one larger than the safe size. */
 805   if (server && (forward->flags & FREC_TEST_PKTSZ) &&
 806       ((header->hb3 & HB3_TC) || n >= SAFE_PKTSZ))
 807     server->edns_pktsz = SAFE_PKTSZ;
 808
 809   /* If the answer is an error, keep the forward record in place in case
 810      we get a good reply from another server. Kill it when we've
 811      had replies from all to avoid filling the forwarding table when
 812      everything is broken */
 813   if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
 814     {
 815       int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
 816
 817       if (option_bool(OPT_NO_REBIND))
 818         check_rebind = !(forward->flags & FREC_NOREBIND);
 819
 820       /*   Don't cache replies where DNSSEC validation was turned off, either
 821            the upstream server told us so, or the original query specified it.  */
 822       if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
 823         no_cache_dnssec = 1;
 824
 825 #ifdef HAVE_DNSSEC
 826       if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
 827         {
 828           int status;
 829
 830           /* We've had a reply already, which we're validating. Ignore this duplicate */
 831           if (forward->blocking_query)
 832             return;
 833
 834           if (header->hb3 & HB3_TC)
 835             {
 836               /* Truncated answer can't be validated.
 837                  If this is an answer to a DNSSEC-generated query, we still
 838                  need to get the client to retry over TCP, so return
 839                  an answer with the TC bit set, even if the actual answer fits.
 840               */
 841               status = STAT_TRUNCATED;
 842             }
 843           else if (forward->flags & FREC_DNSKEY_QUERY)
 844             status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
 845           else if (forward->flags & FREC_DS_QUERY)
 846             {
 847               status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
 848               /* Provably no DS, everything below is insecure, even if signatures are offered */
 849               if (status == STAT_NO_DS)
 850                 /* We only cache sigs when we've validated a reply.
 851                    Avoid caching a reply with sigs if there's a vaildated break in the
 852                    DS chain, so we don't return replies from cache missing sigs. */
 853                 status = STAT_INSECURE_DS;
 854               else if (status == STAT_NO_SIG)
 855                 {
 856                   if (option_bool(OPT_DNSSEC_NO_SIGN))
 857                     {
 858                       status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
 859                       if (status == STAT_INSECURE)
 860                         status = STAT_INSECURE_DS;
 861                     }
 862                   else
 863                     status = STAT_INSECURE_DS;
 864                 }
 865               else if (status == STAT_NO_NS)
 866                 status = STAT_BOGUS;
 867             }
 868           else if (forward->flags & FREC_CHECK_NOSIGN)
 869             {
 870               status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
 871               if (status != STAT_NEED_KEY)
 872                 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
 873             }
 874           else
 875             {
 876               status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
 877               if (status == STAT_NO_SIG)
 878                 {
 879                   if (option_bool(OPT_DNSSEC_NO_SIGN))
 880                     status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
 881                   else
 882                     status = STAT_INSECURE;
 883                 }
 884             }
 885           /* Can't validate, as we're missing key data. Put this
 886              answer aside, whilst we get that. */
 887           if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
 888             {
 889               struct frec *new, *orig;
 890
 891               /* Free any saved query */
 892               if (forward->stash)
 893                 blockdata_free(forward->stash);
 894
 895               /* Now save reply pending receipt of key data */
 896               if (!(forward->stash = blockdata_alloc((char *)header, n)))
 897                 return;
 898               forward->stash_len = n;
 899
 900             anotherkey:
 901               /* Find the original query that started it all.... */
 902               for (orig = forward; orig->dependent; orig = orig->dependent);
 903
 904               if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1)))
 905                 status = STAT_INSECURE;
 906               else
 907                 {
 908                   int fd;
 909                   struct frec *next = new->next;
 910                   *new = *forward; /* copy everything, then overwrite */
 911                   new->next = next;
 912                   new->blocking_query = NULL;
 913                   new->sentto = server;
 914                   new->rfd4 = NULL;
 915                   new->orig_domain = NULL;
 916 #ifdef HAVE_IPV6
 917                   new->rfd6 = NULL;
 918 #endif
 919                   new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN);
 920
 921                   new->dependent = forward; /* to find query awaiting new one. */
 922                   forward->blocking_query = new; /* for garbage cleaning */
 923                   /* validate routines leave name of required record in daemon->keyname */
 924                   if (status == STAT_NEED_KEY)
 925                     {
 926                       new->flags |= FREC_DNSKEY_QUERY;
 927                       nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
 928                                                  daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->edns_pktsz);
 929                     }
 930                   else
 931                     {
 932                       if (status == STAT_NEED_DS_NEG)
 933                         new->flags |= FREC_CHECK_NOSIGN;
 934                       else
 935                         new->flags |= FREC_DS_QUERY;
 936                       nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
 937                                                  daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz);
 938                     }
 939                   if ((hash = hash_questions(header, nn, daemon->namebuff)))
 940                     memcpy(new->hash, hash, HASH_SIZE);
 941                   new->new_id = get_id();
 942                   header->id = htons(new->new_id);
 943                   /* Save query for retransmission */
 944                   if (!(new->stash = blockdata_alloc((char *)header, nn)))
 945                     return;
 946
 947                   new->stash_len = nn;
 948
 949                   /* Don't resend this. */
 950                   daemon->srv_save = NULL;
 951
 952                   if (server->sfd)
 953                     fd = server->sfd->fd;
 954                   else
 955                     {
 956                       fd = -1;
 957 #ifdef HAVE_IPV6
 958                       if (server->addr.sa.sa_family == AF_INET6)
 959                         {
 960                           if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
 961                             fd = new->rfd6->fd;
 962                         }
 963                       else
 964 #endif
 965                         {
 966                           if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
 967                             fd = new->rfd4->fd;
 968                         }
 969                     }
 970
 971                   if (fd != -1)
 972                     {
 973                       while (retry_send(sendto(fd, (char *)header, nn, 0,
 974                                                &server->addr.sa,
 975                                                sa_len(&server->addr))));
 976                       server->queries++;
 977                     }
 978
 979                   return;
 980                 }
 981             }
 982
 983           /* Ok, we reached far enough up the chain-of-trust that we can validate something.
 984              Now wind back down, pulling back answers which wouldn't previously validate
 985              and validate them with the new data. Note that if an answer needs multiple
 986              keys to validate, we may find another key is needed, in which case we set off
 987              down another branch of the tree. Once we get to the original answer
 988              (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
 989           while (forward->dependent)
 990             {
 991               struct frec *prev = forward->dependent;
 992               free_frec(forward);
 993               forward = prev;
 994               forward->blocking_query = NULL; /* already gone */
 995               blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
 996               n = forward->stash_len;
 997
 998               if (status == STAT_SECURE)
 999                 {
1000                   if (forward->flags & FREC_DNSKEY_QUERY)
1001                     status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
1002                   else if (forward->flags & FREC_DS_QUERY)
1003                     {
1004                       status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
1005                        /* Provably no DS, everything below is insecure, even if signatures are offered */
1006                       if (status == STAT_NO_DS)
1007                         /* We only cache sigs when we've validated a reply.
1008                            Avoid caching a reply with sigs if there's a vaildated break in the
1009                            DS chain, so we don't return replies from cache missing sigs. */
1010                         status = STAT_INSECURE_DS;
1011                        else if (status == STAT_NO_SIG)
1012                          {
1013                            if (option_bool(OPT_DNSSEC_NO_SIGN))
1014                              {
1015                                status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
1016                                if (status == STAT_INSECURE)
1017                                  status = STAT_INSECURE_DS;
1018                              }
1019                            else
1020                              status = STAT_INSECURE_DS;
1021                          }
1022                        else if (status == STAT_NO_NS)
1023                          status = STAT_BOGUS;
1024                     }
1025                   else if (forward->flags & FREC_CHECK_NOSIGN)
1026                     {
1027                       status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
1028                       if (status != STAT_NEED_KEY)
1029                         status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
1030                     }
1031                   else
1032                     {
1033                       status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
1034                       if (status == STAT_NO_SIG)
1035                         {
1036                           if (option_bool(OPT_DNSSEC_NO_SIGN))
1037                             status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
1038                           else
1039                             status = STAT_INSECURE;
1040                         }
1041                     }
1042
1043                   if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
1044                     goto anotherkey;
1045                 }
1046             }
1047
1048           no_cache_dnssec = 0;
1049
1050           if (status == STAT_INSECURE_DS)
1051             {
1052               /* We only cache sigs when we've validated a reply.
1053                  Avoid caching a reply with sigs if there's a vaildated break in the
1054                  DS chain, so we don't return replies from cache missing sigs. */
1055               status = STAT_INSECURE;
1056               no_cache_dnssec = 1;
1057             }
1058
1059           if (status == STAT_TRUNCATED)
1060             header->hb3 |= HB3_TC;
1061           else
1062             {
1063               char *result, *domain = "result";
1064
1065               if (forward->work_counter == 0)
1066                 {
1067                   result = "ABANDONED";
1068                   status = STAT_BOGUS;
1069                 }
1070               else
1071                 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1072
1073               if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL))
1074                 domain = daemon->namebuff;
1075
1076               log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
1077             }
1078
1079           if (status == STAT_SECURE)
1080             cache_secure = 1;
1081           else if (status == STAT_BOGUS)
1082             {
1083               no_cache_dnssec = 1;
1084               bogusanswer = 1;
1085             }
1086         }
1087 #endif
1088
1089       /* restore CD bit to the value in the query */
1090       if (forward->flags & FREC_CHECKING_DISABLED)
1091         header->hb4 |= HB4_CD;
1092       else
1093         header->hb4 &= ~HB4_CD;
1094
1095       if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer,
1096                               forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
1097                               forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
1098         {
1099           header->id = htons(forward->orig_id);
1100           header->hb4 |= HB4_RA; /* recursion if available */
1101           send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
1102                     &forward->source, &forward->dest, forward->iface);
1103         }
1104       free_frec(forward); /* cancel */
1105     }
1106 }
1107
1108
1109 void receive_query(struct listener *listen, time_t now)
1110 {
1111   struct dns_header *header = (struct dns_header *)daemon->packet;
1112   union mysockaddr source_addr;
1113   unsigned short type;
1114   struct all_addr dst_addr;
1115   struct in_addr netmask, dst_addr_4;
1116   size_t m;
1117   ssize_t n;
1118   int if_index = 0, auth_dns = 0;
1119 #ifdef HAVE_AUTH
1120   int local_auth = 0;
1121 #endif
1122   struct iovec iov[1];
1123   struct msghdr msg;
1124   struct cmsghdr *cmptr;
1125   union {
1126     struct cmsghdr align; /* this ensures alignment */
1127 #ifdef HAVE_IPV6
1128     char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
1129 #endif
1130 #if defined(HAVE_LINUX_NETWORK)
1131     char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
1132 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1133     char control[CMSG_SPACE(sizeof(struct in_addr)) +
1134                  CMSG_SPACE(sizeof(unsigned int))];
1135 #elif defined(IP_RECVDSTADDR)
1136     char control[CMSG_SPACE(sizeof(struct in_addr)) +
1137                  CMSG_SPACE(sizeof(struct sockaddr_dl))];
1138 #endif
1139   } control_u;
1140 #ifdef HAVE_IPV6
1141    /* Can always get recvd interface for IPv6 */
1142   int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
1143 #else
1144   int check_dst = !option_bool(OPT_NOWILD);
1145 #endif
1146
1147   /* packet buffer overwritten */
1148   daemon->srv_save = NULL;
1149
1150   dst_addr_4.s_addr = dst_addr.addr.addr4.s_addr = 0;
1151   netmask.s_addr = 0;
1152
1153   if (option_bool(OPT_NOWILD) && listen->iface)
1154     {
1155       auth_dns = listen->iface->dns_auth;
1156
1157       if (listen->family == AF_INET)
1158         {
1159           dst_addr_4 = dst_addr.addr.addr4 = listen->iface->addr.in.sin_addr;
1160           netmask = listen->iface->netmask;
1161         }
1162     }
1163
1164   iov[0].iov_base = daemon->packet;
1165   iov[0].iov_len = daemon->edns_pktsz;
1166
1167   msg.msg_control = control_u.control;
1168   msg.msg_controllen = sizeof(control_u);
1169   msg.msg_flags = 0;
1170   msg.msg_name = &source_addr;
1171   msg.msg_namelen = sizeof(source_addr);
1172   msg.msg_iov = iov;
1173   msg.msg_iovlen = 1;
1174
1175   if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
1176     return;
1177
1178   if (n < (int)sizeof(struct dns_header) ||
1179       (msg.msg_flags & MSG_TRUNC) ||
1180       (header->hb3 & HB3_QR))
1181     return;
1182
1183   source_addr.sa.sa_family = listen->family;
1184
1185   if (listen->family == AF_INET)
1186     {
1187        /* Source-port == 0 is an error, we can't send back to that.
1188           http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1189       if (source_addr.in.sin_port == 0)
1190         return;
1191     }
1192 #ifdef HAVE_IPV6
1193   else
1194     {
1195       /* Source-port == 0 is an error, we can't send back to that. */
1196       if (source_addr.in6.sin6_port == 0)
1197         return;
1198       source_addr.in6.sin6_flowinfo = 0;
1199     }
1200 #endif
1201
1202   /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1203   if (option_bool(OPT_LOCAL_SERVICE))
1204     {
1205       struct addrlist *addr;
1206 #ifdef HAVE_IPV6
1207       if (listen->family == AF_INET6)
1208         {
1209           for (addr = daemon->interface_addrs; addr; addr = addr->next)
1210             if ((addr->flags & ADDRLIST_IPV6) &&
1211                 is_same_net6(&addr->addr.addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen))
1212               break;
1213         }
1214       else
1215 #endif
1216         {
1217           struct in_addr netmask;
1218           for (addr = daemon->interface_addrs; addr; addr = addr->next)
1219             {
1220               netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
1221               if (!(addr->flags & ADDRLIST_IPV6) &&
1222                   is_same_net(addr->addr.addr.addr4, source_addr.in.sin_addr, netmask))
1223                 break;
1224             }
1225         }
1226       if (!addr)
1227         {
1228           static int warned = 0;
1229           if (!warned)
1230             {
1231               my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1232               warned = 1;
1233             }
1234           return;
1235         }
1236     }
1237
1238   if (check_dst)
1239     {
1240       struct ifreq ifr;
1241
1242       if (msg.msg_controllen < sizeof(struct cmsghdr))
1243         return;
1244
1245 #if defined(HAVE_LINUX_NETWORK)
1246       if (listen->family == AF_INET)
1247         for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1248           if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
1249             {
1250               union {
1251                 unsigned char *c;
1252                 struct in_pktinfo *p;
1253               } p;
1254               p.c = CMSG_DATA(cmptr);
1255               dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
1256               if_index = p.p->ipi_ifindex;
1257             }
1258 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1259       if (listen->family == AF_INET)
1260         {
1261           for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1262             {
1263               union {
1264                 unsigned char *c;
1265                 unsigned int *i;
1266                 struct in_addr *a;
1267 #ifndef HAVE_SOLARIS_NETWORK
1268                 struct sockaddr_dl *s;
1269 #endif
1270               } p;
1271                p.c = CMSG_DATA(cmptr);
1272                if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
1273                  dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
1274                else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
1275 #ifdef HAVE_SOLARIS_NETWORK
1276                  if_index = *(p.i);
1277 #else
1278                  if_index = p.s->sdl_index;
1279 #endif
1280             }
1281         }
1282 #endif
1283
1284 #ifdef HAVE_IPV6
1285       if (listen->family == AF_INET6)
1286         {
1287           for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1288             if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
1289               {
1290                 union {
1291                   unsigned char *c;
1292                   struct in6_pktinfo *p;
1293                 } p;
1294                 p.c = CMSG_DATA(cmptr);
1295
1296                 dst_addr.addr.addr6 = p.p->ipi6_addr;
1297                 if_index = p.p->ipi6_ifindex;
1298               }
1299         }
1300 #endif
1301
1302       /* enforce available interface configuration */
1303
1304       if (!indextoname(listen->fd, if_index, ifr.ifr_name))
1305         return;
1306
1307       if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1308         {
1309            if (!option_bool(OPT_CLEVERBIND))
1310              enumerate_interfaces(0);
1311            if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1312                !label_exception(if_index, listen->family, &dst_addr))
1313              return;
1314         }
1315
1316       if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1317         {
1318           struct irec *iface;
1319
1320           /* get the netmask of the interface whch has the address we were sent to.
1321              This is no neccessarily the interface we arrived on. */
1322
1323           for (iface = daemon->interfaces; iface; iface = iface->next)
1324             if (iface->addr.sa.sa_family == AF_INET &&
1325                 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1326               break;
1327
1328           /* interface may be new */
1329           if (!iface && !option_bool(OPT_CLEVERBIND))
1330             enumerate_interfaces(0);
1331
1332           for (iface = daemon->interfaces; iface; iface = iface->next)
1333             if (iface->addr.sa.sa_family == AF_INET &&
1334                 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1335               break;
1336
1337           /* If we failed, abandon localisation */
1338           if (iface)
1339             netmask = iface->netmask;
1340           else
1341             dst_addr_4.s_addr = 0;
1342         }
1343     }
1344
1345   /* log_query gets called indirectly all over the place, so
1346      pass these in global variables - sorry. */
1347   daemon->log_display_id = ++daemon->log_id;
1348   daemon->log_source_addr = &source_addr;
1349
1350   if (extract_request(header, (size_t)n, daemon->namebuff, &type))
1351     {
1352 #ifdef HAVE_AUTH
1353       struct auth_zone *zone;
1354 #endif
1355       char *types = querystr(auth_dns ? "auth" : "query", type);
1356
1357       if (listen->family == AF_INET)
1358         log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1359                   (struct all_addr *)&source_addr.in.sin_addr, types);
1360 #ifdef HAVE_IPV6
1361       else
1362         log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1363                   (struct all_addr *)&source_addr.in6.sin6_addr, types);
1364 #endif
1365
1366 #ifdef HAVE_AUTH
1367       /* find queries for zones we're authoritative for, and answer them directly */
1368       if (!auth_dns)
1369         for (zone = daemon->auth_zones; zone; zone = zone->next)
1370           if (in_zone(zone, daemon->namebuff, NULL))
1371             {
1372               auth_dns = 1;
1373               local_auth = 1;
1374               break;
1375             }
1376 #endif
1377
1378 #ifdef HAVE_LOOP
1379       /* Check for forwarding loop */
1380       if (detect_loop(daemon->namebuff, type))
1381         return;
1382 #endif
1383     }
1384
1385 #ifdef HAVE_AUTH
1386   if (auth_dns)
1387     {
1388       m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
1389       if (m >= 1)
1390         {
1391           send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1392                     (char *)header, m, &source_addr, &dst_addr, if_index);
1393           daemon->auth_answer++;
1394         }
1395     }
1396   else
1397 #endif
1398     {
1399       int ad_reqd, do_bit;
1400       m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
1401                          dst_addr_4, netmask, now, &ad_reqd, &do_bit);
1402
1403       if (m >= 1)
1404         {
1405           send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1406                     (char *)header, m, &source_addr, &dst_addr, if_index);
1407           daemon->local_answer++;
1408         }
1409       else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1410                              header, (size_t)n, now, NULL, ad_reqd, do_bit))
1411         daemon->queries_forwarded++;
1412       else
1413         daemon->local_answer++;
1414     }
1415 }
1416
1417 #ifdef HAVE_DNSSEC
1418
1419 /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1420    and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1421    STAT_NEED_DS_NEG and keyname if we need to do the query. */
1422 static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
1423                            char *name, char *keyname)
1424 {
1425   int status = dnssec_chase_cname(now, header, plen, name, keyname);
1426
1427   if (status != STAT_INSECURE)
1428     return status;
1429
1430   /* Store the domain we're trying to check. */
1431   forward->name_start = strlen(name);
1432   forward->name_len = forward->name_start + 1;
1433   if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len)))
1434     return STAT_BOGUS;
1435
1436   return do_check_sign(forward, 0, now, name, keyname);
1437 }
1438
1439 /* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1440 static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname)
1441 {
1442   /* get domain we're checking back from blockdata store, it's stored on the original query. */
1443   while (forward->dependent && !forward->orig_domain)
1444     forward = forward->dependent;
1445
1446   blockdata_retrieve(forward->orig_domain, forward->name_len, name);
1447
1448   while (1)
1449     {
1450       char *p;
1451
1452       if (status == 0)
1453         {
1454           struct crec *crecp;
1455
1456           /* Haven't received answer, see if in cache */
1457           if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS)))
1458             {
1459               /* put name of DS record we're missing into keyname */
1460               strcpy(keyname, &name[forward->name_start]);
1461               /* and wait for reply to arrive */
1462               return STAT_NEED_DS_NEG;
1463             }
1464
1465           /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1466           if (!(crecp->flags & F_NEG))
1467             status = STAT_SECURE;
1468           else if (crecp->flags & F_DNSSECOK)
1469             status = STAT_NO_DS;
1470           else
1471             status = STAT_NO_NS;
1472         }
1473
1474       /* Have entered non-signed part of DNS tree. */
1475       if (status == STAT_NO_DS)
1476         return forward->dependent ? STAT_INSECURE_DS : STAT_INSECURE;
1477
1478       if (status == STAT_BOGUS)
1479         return STAT_BOGUS;
1480
1481       if (status == STAT_NO_SIG && *keyname != 0)
1482         {
1483           /* There is a validated CNAME chain that doesn't end in a DS record. Start
1484              the search again in that domain. */
1485           blockdata_free(forward->orig_domain);
1486           forward->name_start = strlen(keyname);
1487           forward->name_len = forward->name_start + 1;
1488           if (!(forward->orig_domain = blockdata_alloc(keyname, forward->name_len)))
1489             return STAT_BOGUS;
1490
1491           strcpy(name, keyname);
1492           status = 0; /* force to cache when we iterate. */
1493           continue;
1494         }
1495
1496       /* There's a proven DS record, or we're within a zone, where there doesn't need
1497          to be a DS record. Add a name and try again.
1498          If we've already tried the whole name, then fail */
1499
1500       if (forward->name_start == 0)
1501         return STAT_BOGUS;
1502
1503       for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--);
1504
1505       if (p != name)
1506         p++;
1507
1508       forward->name_start = p - name;
1509       status = 0; /* force to cache when we iterate. */
1510     }
1511 }
1512
1513 /* Move down from the root, until we find a signed non-existance of a DS, in which case
1514    an unsigned answer is OK, or we find a signed DS, in which case there should be
1515    a signature, and the answer is BOGUS */
1516 static int  tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name,
1517                                         char *keyname, struct server *server, int *keycount)
1518 {
1519   size_t m;
1520   unsigned char *packet, *payload;
1521   u16 *length;
1522   int status, name_len;
1523   struct blockdata *block;
1524
1525   char *name_start;
1526
1527   /* Get first insecure entry in CNAME chain */
1528   status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount);
1529   if (status == STAT_BOGUS)
1530     return STAT_BOGUS;
1531
1532   if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16))))
1533     return STAT_BOGUS;
1534
1535   payload = &packet[2];
1536   header = (struct dns_header *)payload;
1537   length = (u16 *)packet;
1538
1539   /* Stash the name away, since the buffer will be trashed when we recurse */
1540   name_len = strlen(name) + 1;
1541   name_start = name + name_len - 1;
1542
1543   if (!(block = blockdata_alloc(name, name_len)))
1544     {
1545       free(packet);
1546       return STAT_BOGUS;
1547     }
1548
1549   while (1)
1550     {
1551       unsigned char c1, c2;
1552       struct crec *crecp;
1553
1554       if (--(*keycount) == 0)
1555         {
1556           free(packet);
1557           blockdata_free(block);
1558           return STAT_BOGUS;
1559         }
1560
1561       while ((crecp = cache_find_by_name(NULL, name_start, now, F_DS)))
1562         {
1563           if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))
1564             {
1565               /* Found a secure denial of DS - delegation is indeed insecure */
1566               free(packet);
1567               blockdata_free(block);
1568               return STAT_INSECURE;
1569             }
1570
1571           /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1572              Add another label and continue. */
1573
1574           if (name_start == name)
1575             {
1576               free(packet);
1577               blockdata_free(block);
1578               return STAT_BOGUS; /* run out of labels */
1579             }
1580
1581           name_start -= 2;
1582           while (*name_start != '.' && name_start != name)
1583             name_start--;
1584           if (name_start != name)
1585             name_start++;
1586         }
1587
1588       /* Can't find it in the cache, have to send a query */
1589
1590       m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr, server->edns_pktsz);
1591
1592       *length = htons(m);
1593
1594       if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
1595           read_write(server->tcpfd, &c1, 1, 1) &&
1596           read_write(server->tcpfd, &c2, 1, 1) &&
1597           read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1598         {
1599           m = (c1 << 8) | c2;
1600
1601           /* Note this trashes all three name workspaces */
1602           status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
1603
1604           if (status == STAT_NO_DS)
1605             {
1606               /* Found a secure denial of DS - delegation is indeed insecure */
1607               free(packet);
1608               blockdata_free(block);
1609               return STAT_INSECURE;
1610             }
1611
1612           if (status == STAT_NO_SIG && *keyname != 0)
1613             {
1614               /* There is a validated CNAME chain that doesn't end in a DS record. Start
1615                  the search again in that domain. */
1616               blockdata_free(block);
1617               name_len = strlen(keyname) + 1;
1618               name_start = name + name_len - 1;
1619
1620               if (!(block = blockdata_alloc(keyname, name_len)))
1621                 return STAT_BOGUS;
1622
1623               strcpy(name, keyname);
1624               continue;
1625             }
1626
1627           if (status == STAT_BOGUS)
1628             {
1629               free(packet);
1630               blockdata_free(block);
1631               return STAT_BOGUS;
1632             }
1633
1634           /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1635              Add another label and continue. */
1636
1637           /* Get name we're checking back. */
1638           blockdata_retrieve(block, name_len, name);
1639
1640           if (name_start == name)
1641             {
1642               free(packet);
1643               blockdata_free(block);
1644               return STAT_BOGUS; /* run out of labels */
1645             }
1646
1647           name_start -= 2;
1648           while (*name_start != '.' && name_start != name)
1649             name_start--;
1650           if (name_start != name)
1651             name_start++;
1652         }
1653       else
1654         {
1655           /* IO failure */
1656           free(packet);
1657           blockdata_free(block);
1658           return STAT_BOGUS; /* run out of labels */
1659         }
1660     }
1661 }
1662
1663 static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
1664                            int class, char *name, char *keyname, struct server *server, int *keycount)
1665 {
1666   /* Recurse up the key heirarchy */
1667   int new_status;
1668
1669   /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1670   if (--(*keycount) == 0)
1671     return STAT_INSECURE;
1672
1673   if (status == STAT_NEED_KEY)
1674     new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
1675   else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1676     {
1677       new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
1678       if (status == STAT_NEED_DS)
1679         {
1680           if (new_status == STAT_NO_DS)
1681             new_status = STAT_INSECURE_DS;
1682           if (new_status == STAT_NO_SIG)
1683            {
1684              if (option_bool(OPT_DNSSEC_NO_SIGN))
1685                {
1686                  new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1687                  if (new_status == STAT_INSECURE)
1688                    new_status = STAT_INSECURE_DS;
1689                }
1690              else
1691                new_status = STAT_INSECURE_DS;
1692            }
1693           else if (new_status == STAT_NO_NS)
1694             new_status = STAT_BOGUS;
1695         }
1696     }
1697   else if (status == STAT_CHASE_CNAME)
1698     new_status = dnssec_chase_cname(now, header, n, name, keyname);
1699   else
1700     {
1701       new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
1702
1703       if (new_status == STAT_NO_SIG)
1704         {
1705           if (option_bool(OPT_DNSSEC_NO_SIGN))
1706             new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1707           else
1708             new_status = STAT_INSECURE;
1709         }
1710     }
1711
1712   /* Can't validate because we need a key/DS whose name now in keyname.
1713      Make query for same, and recurse to validate */
1714   if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1715     {
1716       size_t m;
1717       unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1718       unsigned char *payload = &packet[2];
1719       struct dns_header *new_header = (struct dns_header *)payload;
1720       u16 *length = (u16 *)packet;
1721       unsigned char c1, c2;
1722
1723       if (!packet)
1724         return STAT_INSECURE;
1725
1726     another_tcp_key:
1727       m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class,
1728                                 new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr, server->edns_pktsz);
1729
1730       *length = htons(m);
1731
1732       if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) ||
1733           !read_write(server->tcpfd, &c1, 1, 1) ||
1734           !read_write(server->tcpfd, &c2, 1, 1) ||
1735           !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1736         new_status = STAT_INSECURE;
1737       else
1738         {
1739           m = (c1 << 8) | c2;
1740
1741           new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount);
1742
1743           if (new_status == STAT_SECURE)
1744             {
1745               /* Reached a validated record, now try again at this level.
1746                  Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1747                  If so, go round again. */
1748
1749               if (status == STAT_NEED_KEY)
1750                 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
1751               else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1752                 {
1753                   new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
1754                   if (status == STAT_NEED_DS)
1755                     {
1756                       if (new_status == STAT_NO_DS)
1757                         new_status = STAT_INSECURE_DS;
1758                       else if (new_status == STAT_NO_SIG)
1759                         {
1760                           if (option_bool(OPT_DNSSEC_NO_SIGN))
1761                             {
1762                               new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1763                               if (new_status == STAT_INSECURE)
1764                                 new_status = STAT_INSECURE_DS;
1765                             }
1766                           else
1767                             new_status = STAT_INSECURE_DS;
1768                         }
1769                       else if (new_status == STAT_NO_NS)
1770                         new_status = STAT_BOGUS;
1771                     }
1772                 }
1773               else if (status == STAT_CHASE_CNAME)
1774                 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1775               else
1776                 {
1777                   new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
1778
1779                   if (new_status == STAT_NO_SIG)
1780                     {
1781                       if (option_bool(OPT_DNSSEC_NO_SIGN))
1782                         new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1783                       else
1784                         new_status = STAT_INSECURE;
1785                     }
1786                 }
1787
1788               if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1789                 goto another_tcp_key;
1790             }
1791         }
1792
1793       free(packet);
1794     }
1795   return new_status;
1796 }
1797 #endif
1798
1799
1800 /* The daemon forks before calling this: it should deal with one connection,
1801    blocking as neccessary, and then return. Note, need to be a bit careful
1802    about resources for debug mode, when the fork is suppressed: that's
1803    done by the caller. */
1804 unsigned char *tcp_request(int confd, time_t now,
1805                            union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
1806 {
1807   size_t size = 0;
1808   int norebind = 0;
1809 #ifdef HAVE_AUTH
1810   int local_auth = 0;
1811 #endif
1812   int checking_disabled, ad_question, do_bit, added_pheader = 0;
1813   int check_subnet, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
1814   size_t m;
1815   unsigned short qtype;
1816   unsigned int gotname;
1817   unsigned char c1, c2;
1818   /* Max TCP packet + slop + size */
1819   unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1820   unsigned char *payload = &packet[2];
1821   /* largest field in header is 16-bits, so this is still sufficiently aligned */
1822   struct dns_header *header = (struct dns_header *)payload;
1823   u16 *length = (u16 *)packet;
1824   struct server *last_server;
1825   struct in_addr dst_addr_4;
1826   union mysockaddr peer_addr;
1827   socklen_t peer_len = sizeof(union mysockaddr);
1828   int query_count = 0;
1829
1830   if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1831     return packet;
1832
1833   /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1834   if (option_bool(OPT_LOCAL_SERVICE))
1835     {
1836       struct addrlist *addr;
1837 #ifdef HAVE_IPV6
1838       if (peer_addr.sa.sa_family == AF_INET6)
1839         {
1840           for (addr = daemon->interface_addrs; addr; addr = addr->next)
1841             if ((addr->flags & ADDRLIST_IPV6) &&
1842                 is_same_net6(&addr->addr.addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen))
1843               break;
1844         }
1845       else
1846 #endif
1847         {
1848           struct in_addr netmask;
1849           for (addr = daemon->interface_addrs; addr; addr = addr->next)
1850             {
1851               netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
1852               if (!(addr->flags & ADDRLIST_IPV6) &&
1853                   is_same_net(addr->addr.addr.addr4, peer_addr.in.sin_addr, netmask))
1854                 break;
1855             }
1856         }
1857       if (!addr)
1858         {
1859           my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1860           return packet;
1861         }
1862     }
1863
1864   while (1)
1865     {
1866       if (query_count == TCP_MAX_QUERIES ||
1867           !packet ||
1868           !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1869           !(size = c1 << 8 | c2) ||
1870           !read_write(confd, payload, size, 1))
1871         return packet;
1872
1873       if (size < (int)sizeof(struct dns_header))
1874         continue;
1875
1876       query_count++;
1877
1878       /* log_query gets called indirectly all over the place, so
1879          pass these in global variables - sorry. */
1880       daemon->log_display_id = ++daemon->log_id;
1881       daemon->log_source_addr = &peer_addr;
1882
1883       check_subnet = 0;
1884
1885       /* save state of "cd" flag in query */
1886       if ((checking_disabled = header->hb4 & HB4_CD))
1887         no_cache_dnssec = 1;
1888
1889       if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1890         {
1891 #ifdef HAVE_AUTH
1892           struct auth_zone *zone;
1893 #endif
1894           char *types = querystr(auth_dns ? "auth" : "query", qtype);
1895
1896           if (peer_addr.sa.sa_family == AF_INET)
1897             log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1898                       (struct all_addr *)&peer_addr.in.sin_addr, types);
1899 #ifdef HAVE_IPV6
1900           else
1901             log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1902                       (struct all_addr *)&peer_addr.in6.sin6_addr, types);
1903 #endif
1904
1905 #ifdef HAVE_AUTH
1906           /* find queries for zones we're authoritative for, and answer them directly */
1907           if (!auth_dns)
1908             for (zone = daemon->auth_zones; zone; zone = zone->next)
1909               if (in_zone(zone, daemon->namebuff, NULL))
1910                 {
1911                   auth_dns = 1;
1912                   local_auth = 1;
1913                   break;
1914                 }
1915 #endif
1916         }
1917
1918       if (local_addr->sa.sa_family == AF_INET)
1919         dst_addr_4 = local_addr->in.sin_addr;
1920       else
1921         dst_addr_4.s_addr = 0;
1922
1923 #ifdef HAVE_AUTH
1924       if (auth_dns)
1925         m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
1926       else
1927 #endif
1928         {
1929           /* m > 0 if answered from cache */
1930           m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1931                              dst_addr_4, netmask, now, &ad_question, &do_bit);
1932
1933           /* Do this by steam now we're not in the select() loop */
1934           check_log_writer(1);
1935
1936           if (m == 0)
1937             {
1938               unsigned int flags = 0;
1939               struct all_addr *addrp = NULL;
1940               int type = 0;
1941               char *domain = NULL;
1942
1943               if (option_bool(OPT_ADD_MAC))
1944                 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
1945
1946               if (option_bool(OPT_CLIENT_SUBNET))
1947                 {
1948                   size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1949                   if (size != new)
1950                     {
1951                       size = new;
1952                       check_subnet = 1;
1953                     }
1954                 }
1955
1956               if (gotname)
1957                 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1958
1959               if (type != 0  || option_bool(OPT_ORDER) || !daemon->last_server)
1960                 last_server = daemon->servers;
1961               else
1962                 last_server = daemon->last_server;
1963
1964               if (!flags && last_server)
1965                 {
1966                   struct server *firstsendto = NULL;
1967 #ifdef HAVE_DNSSEC
1968                   unsigned char *newhash, hash[HASH_SIZE];
1969                   if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff)))
1970                     memcpy(hash, newhash, HASH_SIZE);
1971                   else
1972                     memset(hash, 0, HASH_SIZE);
1973 #else
1974                   unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1975 #endif
1976                   /* Loop round available servers until we succeed in connecting to one.
1977                      Note that this code subtley ensures that consecutive queries on this connection
1978                      which can go to the same server, do so. */
1979                   while (1)
1980                     {
1981                       if (!firstsendto)
1982                         firstsendto = last_server;
1983                       else
1984                         {
1985                           if (!(last_server = last_server->next))
1986                             last_server = daemon->servers;
1987
1988                           if (last_server == firstsendto)
1989                             break;
1990                         }
1991
1992                       /* server for wrong domain */
1993                       if (type != (last_server->flags & SERV_TYPE) ||
1994                           (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)) ||
1995                           (last_server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
1996                         continue;
1997
1998                       if (last_server->tcpfd == -1)
1999                         {
2000                           if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
2001                             continue;
2002
2003 #ifdef HAVE_CONNTRACK
2004                           /* Copy connection mark of incoming query to outgoing connection. */
2005                           if (option_bool(OPT_CONNTRACK))
2006                             {
2007                               unsigned int mark;
2008                               struct all_addr local;
2009 #ifdef HAVE_IPV6
2010                               if (local_addr->sa.sa_family == AF_INET6)
2011                                 local.addr.addr6 = local_addr->in6.sin6_addr;
2012                               else
2013 #endif
2014                                 local.addr.addr4 = local_addr->in.sin_addr;
2015
2016                               if (get_incoming_mark(&peer_addr, &local, 1, &mark))
2017                                 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
2018                             }
2019 #endif
2020
2021                           if ((!local_bind(last_server->tcpfd,  &last_server->source_addr, last_server->interface, 1) ||
2022                                connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
2023                             {
2024                               close(last_server->tcpfd);
2025                               last_server->tcpfd = -1;
2026                               continue;
2027                             }
2028
2029 #ifdef HAVE_DNSSEC
2030                           if (option_bool(OPT_DNSSEC_VALID))
2031                             {
2032                               size_t new_size = add_do_bit(header, size, ((char *) header) + 65536);
2033
2034                               /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
2035                                  this allows it to select auth servers when one is returning bad data. */
2036                               if (option_bool(OPT_DNSSEC_DEBUG))
2037                                 header->hb4 |= HB4_CD;
2038
2039                               if (size != new_size)
2040                                 added_pheader = 1;
2041
2042                               size = new_size;
2043                             }
2044 #endif
2045                         }
2046
2047                       *length = htons(size);
2048
2049                       /* get query name again for logging - may have been overwritten */
2050                       if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
2051                         strcpy(daemon->namebuff, "query");
2052
2053                       if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
2054                           !read_write(last_server->tcpfd, &c1, 1, 1) ||
2055                           !read_write(last_server->tcpfd, &c2, 1, 1) ||
2056                           !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
2057                         {
2058                           close(last_server->tcpfd);
2059                           last_server->tcpfd = -1;
2060                           continue;
2061                         }
2062
2063                       m = (c1 << 8) | c2;
2064
2065                       if (last_server->addr.sa.sa_family == AF_INET)
2066                         log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
2067                                   (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
2068 #ifdef HAVE_IPV6
2069                       else
2070                         log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
2071                                   (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
2072 #endif
2073
2074 #ifdef HAVE_DNSSEC
2075                       if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
2076                         {
2077                           int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
2078                           int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
2079                           char *result, *domain = "result";
2080
2081                           if (status == STAT_INSECURE_DS)
2082                             {
2083                               /* We only cache sigs when we've validated a reply.
2084                                  Avoid caching a reply with sigs if there's a vaildated break in the
2085                                  DS chain, so we don't return replies from cache missing sigs. */
2086                               status = STAT_INSECURE;
2087                               no_cache_dnssec = 1;
2088                             }
2089
2090                           if (keycount == 0)
2091                             {
2092                               result = "ABANDONED";
2093                               status = STAT_BOGUS;
2094                             }
2095                           else
2096                             result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
2097
2098                           if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL))
2099                             domain = daemon->namebuff;
2100
2101                           log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
2102
2103                           if (status == STAT_BOGUS)
2104                             {
2105                               no_cache_dnssec = 1;
2106                               bogusanswer = 1;
2107                             }
2108
2109                           if (status == STAT_SECURE)
2110                             cache_secure = 1;
2111                         }
2112 #endif
2113
2114                       /* restore CD bit to the value in the query */
2115                       if (checking_disabled)
2116                         header->hb4 |= HB4_CD;
2117                       else
2118                         header->hb4 &= ~HB4_CD;
2119
2120                       /* There's no point in updating the cache, since this process will exit and
2121                          lose the information after a few queries. We make this call for the alias and
2122                          bogus-nxdomain side-effects. */
2123                       /* If the crc of the question section doesn't match the crc we sent, then
2124                          someone might be attempting to insert bogus values into the cache by
2125                          sending replies containing questions and bogus answers. */
2126 #ifdef HAVE_DNSSEC
2127                       newhash = hash_questions(header, (unsigned int)m, daemon->namebuff);
2128                       if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0)
2129                         {
2130                           m = 0;
2131                           break;
2132                         }
2133 #else
2134                       if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff))
2135                         {
2136                           m = 0;
2137                           break;
2138                         }
2139 #endif
2140
2141                       m = process_reply(header, now, last_server, (unsigned int)m,
2142                                         option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer,
2143                                         ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
2144
2145                       break;
2146                     }
2147                 }
2148
2149               /* In case of local answer or no connections made. */
2150               if (m == 0)
2151                 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
2152             }
2153         }
2154
2155       check_log_writer(1);
2156
2157       *length = htons(m);
2158
2159       if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
2160         return packet;
2161     }
2162 }
2163
2164 static struct frec *allocate_frec(time_t now)
2165 {
2166   struct frec *f;
2167
2168   if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
2169     {
2170       f->next = daemon->frec_list;
2171       f->time = now;
2172       f->sentto = NULL;
2173       f->rfd4 = NULL;
2174       f->flags = 0;
2175 #ifdef HAVE_IPV6
2176       f->rfd6 = NULL;
2177 #endif
2178 #ifdef HAVE_DNSSEC
2179       f->dependent = NULL;
2180       f->blocking_query = NULL;
2181       f->stash = NULL;
2182       f->orig_domain = NULL;
2183 #endif
2184       daemon->frec_list = f;
2185     }
2186
2187   return f;
2188 }
2189
2190 struct randfd *allocate_rfd(int family)
2191 {
2192   static int finger = 0;
2193   int i;
2194
2195   /* limit the number of sockets we have open to avoid starvation of
2196      (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2197
2198   for (i = 0; i < RANDOM_SOCKS; i++)
2199     if (daemon->randomsocks[i].refcount == 0)
2200       {
2201         if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
2202           break;
2203
2204         daemon->randomsocks[i].refcount = 1;
2205         daemon->randomsocks[i].family = family;
2206         return &daemon->randomsocks[i];
2207       }
2208
2209   /* No free ones or cannot get new socket, grab an existing one */
2210   for (i = 0; i < RANDOM_SOCKS; i++)
2211     {
2212       int j = (i+finger) % RANDOM_SOCKS;
2213       if (daemon->randomsocks[j].refcount != 0 &&
2214           daemon->randomsocks[j].family == family &&
2215           daemon->randomsocks[j].refcount != 0xffff)
2216         {
2217           finger = j;
2218           daemon->randomsocks[j].refcount++;
2219           return &daemon->randomsocks[j];
2220         }
2221     }
2222
2223   return NULL; /* doom */
2224 }
2225
2226 void free_rfd(struct randfd *rfd)
2227 {
2228   if (rfd && --(rfd->refcount) == 0)
2229     close(rfd->fd);
2230 }
2231
2232 static void free_frec(struct frec *f)
2233 {
2234   free_rfd(f->rfd4);
2235   f->rfd4 = NULL;
2236   f->sentto = NULL;
2237   f->flags = 0;
2238
2239 #ifdef HAVE_IPV6
2240   free_rfd(f->rfd6);
2241   f->rfd6 = NULL;
2242 #endif
2243
2244 #ifdef HAVE_DNSSEC
2245   if (f->stash)
2246     {
2247       blockdata_free(f->stash);
2248       f->stash = NULL;
2249     }
2250
2251   if (f->orig_domain)
2252     {
2253       blockdata_free(f->orig_domain);
2254       f->orig_domain = NULL;
2255     }
2256
2257   /* Anything we're waiting on is pointless now, too */
2258   if (f->blocking_query)
2259     free_frec(f->blocking_query);
2260   f->blocking_query = NULL;
2261   f->dependent = NULL;
2262 #endif
2263 }
2264
2265 /* if wait==NULL return a free or older than TIMEOUT record.
2266    else return *wait zero if one available, or *wait is delay to
2267    when the oldest in-use record will expire. Impose an absolute
2268    limit of 4*TIMEOUT before we wipe things (for random sockets).
2269    If force is set, always return a result, even if we have
2270    to allocate above the limit. */
2271 struct frec *get_new_frec(time_t now, int *wait, int force)
2272 {
2273   struct frec *f, *oldest, *target;
2274   int count;
2275
2276   if (wait)
2277     *wait = 0;
2278
2279   for (f = daemon->frec_list, oldest = NULL, target =  NULL, count = 0; f; f = f->next, count++)
2280     if (!f->sentto)
2281       target = f;
2282     else
2283       {
2284         if (difftime(now, f->time) >= 4*TIMEOUT)
2285           {
2286             free_frec(f);
2287             target = f;
2288           }
2289
2290         if (!oldest || difftime(f->time, oldest->time) <= 0)
2291           oldest = f;
2292       }
2293
2294   if (target)
2295     {
2296       target->time = now;
2297       return target;
2298     }
2299
2300   /* can't find empty one, use oldest if there is one
2301      and it's older than timeout */
2302   if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
2303     {
2304       /* keep stuff for twice timeout if we can by allocating a new
2305          record instead */
2306       if (difftime(now, oldest->time) < 2*TIMEOUT &&
2307           count <= daemon->ftabsize &&
2308           (f = allocate_frec(now)))
2309         return f;
2310
2311       if (!wait)
2312         {
2313           free_frec(oldest);
2314           oldest->time = now;
2315         }
2316       return oldest;
2317     }
2318
2319   /* none available, calculate time 'till oldest record expires */
2320   if (!force && count > daemon->ftabsize)
2321     {
2322       static time_t last_log = 0;
2323
2324       if (oldest && wait)
2325         *wait = oldest->time + (time_t)TIMEOUT - now;
2326
2327       if ((int)difftime(now, last_log) > 5)
2328         {
2329           last_log = now;
2330           my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
2331         }
2332
2333       return NULL;
2334     }
2335
2336   if (!(f = allocate_frec(now)) && wait)
2337     /* wait one second on malloc failure */
2338     *wait = 1;
2339
2340   return f; /* OK if malloc fails and this is NULL */
2341 }
2342
2343 /* crc is all-ones if not known. */
2344 static struct frec *lookup_frec(unsigned short id, void *hash)
2345 {
2346   struct frec *f;
2347
2348   for(f = daemon->frec_list; f; f = f->next)
2349     if (f->sentto && f->new_id == id &&
2350         (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
2351       return f;
2352
2353   return NULL;
2354 }
2355
2356 static struct frec *lookup_frec_by_sender(unsigned short id,
2357                                           union mysockaddr *addr,
2358                                           void *hash)
2359 {
2360   struct frec *f;
2361
2362   for(f = daemon->frec_list; f; f = f->next)
2363     if (f->sentto &&
2364         f->orig_id == id &&
2365         memcmp(hash, f->hash, HASH_SIZE) == 0 &&
2366         sockaddr_isequal(&f->source, addr))
2367       return f;
2368
2369   return NULL;
2370 }
2371
2372 /* Send query packet again, if we can. */
2373 void resend_query()
2374 {
2375   if (daemon->srv_save)
2376     {
2377       int fd;
2378
2379       if (daemon->srv_save->sfd)
2380         fd = daemon->srv_save->sfd->fd;
2381       else if (daemon->rfd_save && daemon->rfd_save->refcount != 0)
2382         fd = daemon->rfd_save->fd;
2383       else
2384         return;
2385
2386       while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0,
2387                               &daemon->srv_save->addr.sa,
2388                               sa_len(&daemon->srv_save->addr))));
2389     }
2390 }
2391
2392 /* A server record is going away, remove references to it */
2393 void server_gone(struct server *server)
2394 {
2395   struct frec *f;
2396
2397   for (f = daemon->frec_list; f; f = f->next)
2398     if (f->sentto && f->sentto == server)
2399       free_frec(f);
2400
2401   if (daemon->last_server == server)
2402     daemon->last_server = NULL;
2403
2404   if (daemon->srv_save == server)
2405     daemon->srv_save = NULL;
2406 }
2407
2408 /* return unique random ids. */
2409 static unsigned short get_id(void)
2410 {
2411   unsigned short ret = 0;
2412
2413   do
2414     ret = rand16();
2415   while (lookup_frec(ret, NULL));
2416
2417   return ret;
2418 }
2419
2420
2421
2422
2423