]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
1 /* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, void *hash
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(void);
24 static void free_frec(struct frec
*f
);
27 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
28 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
);
29 static int do_check_sign(struct frec
*forward
, int status
, time_t now
, char *name
, char *keyname
);
30 static int send_check_sign(struct frec
*forward
, time_t now
, struct dns_header
*header
, size_t plen
,
31 char *name
, char *keyname
);
35 /* Send a UDP packet with its source address set as "source"
36 unless nowild is true, when we just send it with the kernel default */
37 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
38 union mysockaddr
*to
, struct all_addr
*source
,
44 struct cmsghdr align
; /* this ensures alignment */
45 #if defined(HAVE_LINUX_NETWORK)
46 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
47 #elif defined(IP_SENDSRCADDR)
48 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
51 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
55 iov
[0].iov_base
= packet
;
58 msg
.msg_control
= NULL
;
59 msg
.msg_controllen
= 0;
62 msg
.msg_namelen
= sa_len(to
);
68 struct cmsghdr
*cmptr
;
69 msg
.msg_control
= &control_u
;
70 msg
.msg_controllen
= sizeof(control_u
);
71 cmptr
= CMSG_FIRSTHDR(&msg
);
73 if (to
->sa
.sa_family
== AF_INET
)
75 #if defined(HAVE_LINUX_NETWORK)
78 p
.ipi_spec_dst
= source
->addr
.addr4
;
79 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
80 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
81 cmptr
->cmsg_level
= IPPROTO_IP
;
82 cmptr
->cmsg_type
= IP_PKTINFO
;
83 #elif defined(IP_SENDSRCADDR)
84 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
85 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
86 cmptr
->cmsg_level
= IPPROTO_IP
;
87 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
94 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
95 p
.ipi6_addr
= source
->addr
.addr6
;
96 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
97 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
98 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
99 cmptr
->cmsg_level
= IPPROTO_IPV6
;
102 (void)iface
; /* eliminate warning */
106 while (retry_send(sendmsg(fd
, &msg
, 0)));
108 /* If interface is still in DAD, EINVAL results - ignore that. */
109 if (errno
!= 0 && errno
!= EINVAL
)
111 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
118 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
119 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
122 /* If the query ends in the domain in one of our servers, set
123 domain to point to that name. We find the largest match to allow both
124 domain.org and sub.domain.org to exist. */
126 unsigned int namelen
= strlen(qdomain
);
127 unsigned int matchlen
= 0;
129 unsigned int flags
= 0;
131 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
132 /* domain matches take priority over NODOTS matches */
133 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
135 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
136 *type
= SERV_FOR_NODOTS
;
137 if (serv
->flags
& SERV_NO_ADDR
)
139 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
144 if (serv
->addr
.sa
.sa_family
== AF_INET
)
145 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
148 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
151 else if (!flags
|| (flags
& F_NXDOMAIN
))
155 else if (serv
->flags
& SERV_HAS_DOMAIN
)
157 unsigned int domainlen
= strlen(serv
->domain
);
158 char *matchstart
= qdomain
+ namelen
- domainlen
;
159 if (namelen
>= domainlen
&&
160 hostname_isequal(matchstart
, serv
->domain
) &&
161 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
163 if (serv
->flags
& SERV_NO_REBIND
)
167 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
168 /* implement priority rules for --address and --server for same domain.
169 --address wins if the address is for the correct AF
170 --server wins otherwise. */
171 if (domainlen
!= 0 && domainlen
== matchlen
)
173 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
175 if (!(sflag
& qtype
) && flags
== 0)
180 if (flags
& (F_IPV4
| F_IPV6
))
185 if (domainlen
>= matchlen
)
187 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
188 *domain
= serv
->domain
;
189 matchlen
= domainlen
;
190 if (serv
->flags
& SERV_NO_ADDR
)
192 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
197 if (serv
->addr
.sa
.sa_family
== AF_INET
)
198 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
201 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
204 else if (!flags
|| (flags
& F_NXDOMAIN
))
214 if (flags
== 0 && !(qtype
& F_QUERY
) &&
215 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
216 /* don't forward A or AAAA queries for simple names, except the empty name */
219 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
226 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
227 logflags
= F_NEG
| qtype
;
229 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
231 else if ((*type
) & SERV_USE_RESOLV
)
233 *type
= 0; /* use normal servers for this domain */
239 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
240 struct all_addr
*dst_addr
, unsigned int dst_iface
,
241 struct dns_header
*header
, size_t plen
, time_t now
,
242 struct frec
*forward
, int ad_reqd
, int do_bit
)
245 int type
= 0, norebind
= 0;
246 struct all_addr
*addrp
= NULL
;
247 unsigned int flags
= 0;
248 struct server
*start
= NULL
;
250 void *hash
= hash_questions(header
, plen
, daemon
->namebuff
);
252 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
255 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
256 unsigned char *pheader
;
260 /* may be no servers available. */
261 if (!daemon
->servers
)
263 else if (forward
|| (hash
&& (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, hash
))))
265 /* If we didn't get an answer advertising a maximal packet in EDNS,
266 fall back to 1280, which should work everywhere on IPv6.
267 If that generates an answer, it will become the new default
269 forward
->flags
|= FREC_TEST_PKTSZ
;
272 /* If we've already got an answer to this query, but we're awaiting keys for validation,
273 there's no point retrying the query, retry the key query instead...... */
274 if (forward
->blocking_query
)
278 forward
->flags
&= ~FREC_TEST_PKTSZ
;
280 while (forward
->blocking_query
)
281 forward
= forward
->blocking_query
;
283 forward
->flags
|= FREC_TEST_PKTSZ
;
285 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
286 plen
= forward
->stash_len
;
288 if (find_pseudoheader(header
, plen
, NULL
, &pheader
, NULL
))
289 PUTSHORT((forward
->flags
& FREC_TEST_PKTSZ
) ? SAFE_PKTSZ
: forward
->sentto
->edns_pktsz
, pheader
);
291 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET
)
292 log_query(F_NOEXTRA
| F_DNSSEC
| F_IPV4
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in
.sin_addr
, "dnssec");
295 log_query(F_NOEXTRA
| F_DNSSEC
| F_IPV6
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in6
.sin6_addr
, "dnssec");
298 if (forward
->sentto
->sfd
)
299 fd
= forward
->sentto
->sfd
->fd
;
303 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET6
)
304 fd
= forward
->rfd6
->fd
;
307 fd
= forward
->rfd4
->fd
;
310 while (retry_send( sendto(fd
, (char *)header
, plen
, 0,
311 &forward
->sentto
->addr
.sa
,
312 sa_len(&forward
->sentto
->addr
))));
318 /* retry on existing query, send to all available servers */
319 domain
= forward
->sentto
->domain
;
320 forward
->sentto
->failed_queries
++;
321 if (!option_bool(OPT_ORDER
))
323 forward
->forwardall
= 1;
324 daemon
->last_server
= NULL
;
326 type
= forward
->sentto
->flags
& SERV_TYPE
;
327 if (!(start
= forward
->sentto
->next
))
328 start
= daemon
->servers
; /* at end of list, recycle */
329 header
->id
= htons(forward
->new_id
);
334 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
336 if (!flags
&& !(forward
= get_new_frec(now
, NULL
, 0)))
337 /* table full - server failure. */
342 forward
->source
= *udpaddr
;
343 forward
->dest
= *dst_addr
;
344 forward
->iface
= dst_iface
;
345 forward
->orig_id
= ntohs(header
->id
);
346 forward
->new_id
= get_id();
348 memcpy(forward
->hash
, hash
, HASH_SIZE
);
349 forward
->forwardall
= 0;
352 forward
->flags
|= FREC_NOREBIND
;
353 if (header
->hb4
& HB4_CD
)
354 forward
->flags
|= FREC_CHECKING_DISABLED
;
356 forward
->flags
|= FREC_AD_QUESTION
;
358 forward
->work_counter
= DNSSEC_WORK
;
360 forward
->flags
|= FREC_DO_QUESTION
;
363 header
->id
= htons(forward
->new_id
);
365 /* In strict_order mode, always try servers in the order
366 specified in resolv.conf, if a domain is given
367 always try all the available servers,
368 otherwise, use the one last known to work. */
372 if (option_bool(OPT_ORDER
))
373 start
= daemon
->servers
;
374 else if (!(start
= daemon
->last_server
) ||
375 daemon
->forwardcount
++ > FORWARD_TEST
||
376 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
378 start
= daemon
->servers
;
379 forward
->forwardall
= 1;
380 daemon
->forwardcount
= 0;
381 daemon
->forwardtime
= now
;
386 start
= daemon
->servers
;
387 if (!option_bool(OPT_ORDER
))
388 forward
->forwardall
= 1;
393 /* check for send errors here (no route to host)
394 if we fail to send to all nameservers, send back an error
395 packet straight away (helps modem users when offline) */
397 if (!flags
&& forward
)
399 struct server
*firstsentto
= start
;
402 /* If a query is retried, use the log_id for the retry when logging the answer. */
403 forward
->log_id
= daemon
->log_id
;
405 if (option_bool(OPT_ADD_MAC
))
406 plen
= add_mac(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
408 if (option_bool(OPT_CLIENT_SUBNET
))
410 size_t new = add_source_addr(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
414 forward
->flags
|= FREC_HAS_SUBNET
;
419 if (option_bool(OPT_DNSSEC_VALID
))
421 size_t new_plen
= add_do_bit(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
);
423 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
424 this allows it to select auth servers when one is returning bad data. */
425 if (option_bool(OPT_DNSSEC_DEBUG
))
426 header
->hb4
|= HB4_CD
;
428 if (new_plen
!= plen
)
429 forward
->flags
|= FREC_ADDED_PHEADER
;
437 /* only send to servers dealing with our domain.
438 domain may be NULL, in which case server->domain
439 must be NULL also. */
441 if (type
== (start
->flags
& SERV_TYPE
) &&
442 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
443 !(start
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
447 /* find server socket to use, may need to get random one. */
453 if (start
->addr
.sa
.sa_family
== AF_INET6
)
455 if (!forward
->rfd6
&&
456 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
458 daemon
->rfd_save
= forward
->rfd6
;
459 fd
= forward
->rfd6
->fd
;
464 if (!forward
->rfd4
&&
465 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
467 daemon
->rfd_save
= forward
->rfd4
;
468 fd
= forward
->rfd4
->fd
;
471 #ifdef HAVE_CONNTRACK
472 /* Copy connection mark of incoming query to outgoing connection. */
473 if (option_bool(OPT_CONNTRACK
))
476 if (get_incoming_mark(&forward
->source
, &forward
->dest
, 0, &mark
))
477 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
482 if (find_pseudoheader(header
, plen
, NULL
, &pheader
, NULL
))
483 PUTSHORT((forward
->flags
& FREC_TEST_PKTSZ
) ? SAFE_PKTSZ
: start
->edns_pktsz
, pheader
);
485 if (retry_send(sendto(fd
, (char *)header
, plen
, 0,
487 sa_len(&start
->addr
))))
492 /* Keep info in case we want to re-send this packet */
493 daemon
->srv_save
= start
;
494 daemon
->packet_len
= plen
;
497 strcpy(daemon
->namebuff
, "query");
498 if (start
->addr
.sa
.sa_family
== AF_INET
)
499 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
500 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
503 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
504 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
508 forward
->sentto
= start
;
509 if (!forward
->forwardall
)
511 forward
->forwardall
++;
515 if (!(start
= start
->next
))
516 start
= daemon
->servers
;
518 if (start
== firstsentto
)
525 /* could not send on, prepare to return */
526 header
->id
= htons(forward
->orig_id
);
527 free_frec(forward
); /* cancel */
530 /* could not send on, return empty answer or address if known for whole domain */
533 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
534 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
540 static size_t process_reply(struct dns_header
*header
, time_t now
, struct server
*server
, size_t n
, int check_rebind
,
541 int no_cache
, int cache_secure
, int bogusanswer
, int ad_reqd
, int do_bit
, int added_pheader
,
542 int check_subnet
, union mysockaddr
*query_source
)
544 unsigned char *pheader
, *sizep
;
546 int munged
= 0, is_sign
;
554 if (daemon
->ipsets
&& extract_request(header
, n
, daemon
->namebuff
, NULL
))
556 /* Similar algorithm to search_servers. */
557 struct ipsets
*ipset_pos
;
558 unsigned int namelen
= strlen(daemon
->namebuff
);
559 unsigned int matchlen
= 0;
560 for (ipset_pos
= daemon
->ipsets
; ipset_pos
; ipset_pos
= ipset_pos
->next
)
562 unsigned int domainlen
= strlen(ipset_pos
->domain
);
563 char *matchstart
= daemon
->namebuff
+ namelen
- domainlen
;
564 if (namelen
>= domainlen
&& hostname_isequal(matchstart
, ipset_pos
->domain
) &&
565 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
- 1) == '.' ) &&
566 domainlen
>= matchlen
)
568 matchlen
= domainlen
;
569 sets
= ipset_pos
->sets
;
575 /* If upstream is advertising a larger UDP packet size
576 than we allow, trim it so that we don't get overlarge
577 requests for the client. We can't do this for signed packets. */
579 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)))
581 unsigned short udpsz
;
582 unsigned char *psave
= sizep
;
584 GETSHORT(udpsz
, sizep
);
586 if (!is_sign
&& udpsz
> daemon
->edns_pktsz
)
587 PUTSHORT(daemon
->edns_pktsz
, psave
);
589 if (check_subnet
&& !check_source(header
, plen
, pheader
, query_source
))
591 my_syslog(LOG_WARNING
, _("discarding DNS reply: subnet option mismatch"));
598 header
->arcount
= htons(0);
602 /* RFC 4035 sect 4.6 para 3 */
603 if (!is_sign
&& !option_bool(OPT_DNSSEC_PROXY
))
604 header
->hb4
&= ~HB4_AD
;
606 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
607 return resize_packet(header
, n
, pheader
, plen
);
609 /* Complain loudly if the upstream server is non-recursive. */
610 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
611 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
613 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
614 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
615 if (!option_bool(OPT_LOG
))
616 server
->flags
|= SERV_WARNED_RECURSIVE
;
619 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
620 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
623 SET_RCODE(header
, NXDOMAIN
);
624 header
->hb3
&= ~HB3_AA
;
631 if (RCODE(header
) == NXDOMAIN
&&
632 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
633 check_for_local_domain(daemon
->namebuff
, now
))
635 /* if we forwarded a query for a locally known name (because it was for
636 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
637 since we know that the domain exists, even if upstream doesn't */
639 header
->hb3
|= HB3_AA
;
640 SET_RCODE(header
, NOERROR
);
644 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, sets
, is_sign
, check_rebind
, no_cache
, cache_secure
, &doctored
))
646 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
656 if (bogusanswer
&& !(header
->hb4
& HB4_CD
))
658 if (!option_bool(OPT_DNSSEC_DEBUG
))
660 /* Bogus reply, turn into SERVFAIL */
661 SET_RCODE(header
, SERVFAIL
);
666 if (option_bool(OPT_DNSSEC_VALID
))
667 header
->hb4
&= ~HB4_AD
;
669 if (!(header
->hb4
& HB4_CD
) && ad_reqd
&& cache_secure
)
670 header
->hb4
|= HB4_AD
;
672 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
674 n
= filter_rrsigs(header
, n
);
677 /* do this after extract_addresses. Ensure NODATA reply and remove
682 header
->ancount
= htons(0);
683 header
->nscount
= htons(0);
684 header
->arcount
= htons(0);
685 header
->hb3
&= ~HB3_TC
;
688 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
689 sections of the packet. Find the new length here and put back pseudoheader
690 if it was removed. */
691 return resize_packet(header
, n
, pheader
, plen
);
694 /* sets new last_server */
695 void reply_query(int fd
, int family
, time_t now
)
697 /* packet from peer server, extract data for cache, and send to
698 original requester */
699 struct dns_header
*header
;
700 union mysockaddr serveraddr
;
701 struct frec
*forward
;
702 socklen_t addrlen
= sizeof(serveraddr
);
703 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->packet_buff_sz
, 0, &serveraddr
.sa
, &addrlen
);
705 struct server
*server
;
711 /* packet buffer overwritten */
712 daemon
->srv_save
= NULL
;
714 /* Determine the address of the server replying so that we can mark that as good */
715 serveraddr
.sa
.sa_family
= family
;
717 if (serveraddr
.sa
.sa_family
== AF_INET6
)
718 serveraddr
.in6
.sin6_flowinfo
= 0;
721 header
= (struct dns_header
*)daemon
->packet
;
723 if (n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
))
726 /* spoof check: answer must come from known server, */
727 for (server
= daemon
->servers
; server
; server
= server
->next
)
728 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
729 sockaddr_isequal(&server
->addr
, &serveraddr
))
736 hash
= hash_questions(header
, n
, daemon
->namebuff
);
739 crc
= questions_crc(header
, n
, daemon
->namebuff
);
742 if (!(forward
= lookup_frec(ntohs(header
->id
), hash
)))
745 /* log_query gets called indirectly all over the place, so
746 pass these in global variables - sorry. */
747 daemon
->log_display_id
= forward
->log_id
;
748 daemon
->log_source_addr
= &forward
->source
;
750 if (daemon
->ignore_addr
&& RCODE(header
) == NOERROR
&&
751 check_for_ignored_address(header
, n
, daemon
->ignore_addr
))
754 if (RCODE(header
) == REFUSED
&&
755 !option_bool(OPT_ORDER
) &&
756 forward
->forwardall
== 0)
757 /* for broken servers, attempt to send to another one. */
759 unsigned char *pheader
;
763 /* recreate query from reply */
764 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
767 header
->ancount
= htons(0);
768 header
->nscount
= htons(0);
769 header
->arcount
= htons(0);
770 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
772 header
->hb3
&= ~(HB3_QR
| HB3_AA
| HB3_TC
);
773 header
->hb4
&= ~(HB4_RA
| HB4_RCODE
);
774 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
, 0, 0);
780 server
= forward
->sentto
;
781 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
783 if (RCODE(header
) == REFUSED
)
787 struct server
*last_server
;
789 /* find good server by address if possible, otherwise assume the last one we sent to */
790 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
791 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
792 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
794 server
= last_server
;
798 if (!option_bool(OPT_ALL_SERVERS
))
799 daemon
->last_server
= server
;
802 /* We tried resending to this server with a smaller maximum size and got an answer.
803 Make that permanent. To avoid reduxing the packet size for an single dropped packet,
804 only do this when we get a truncated answer, or one larger than the safe size. */
805 if (server
&& (forward
->flags
& FREC_TEST_PKTSZ
) &&
806 ((header
->hb3
& HB3_TC
) || n
>= SAFE_PKTSZ
))
807 server
->edns_pktsz
= SAFE_PKTSZ
;
809 /* If the answer is an error, keep the forward record in place in case
810 we get a good reply from another server. Kill it when we've
811 had replies from all to avoid filling the forwarding table when
812 everything is broken */
813 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 || RCODE(header
) != SERVFAIL
)
815 int check_rebind
= 0, no_cache_dnssec
= 0, cache_secure
= 0, bogusanswer
= 0;
817 if (option_bool(OPT_NO_REBIND
))
818 check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
820 /* Don't cache replies where DNSSEC validation was turned off, either
821 the upstream server told us so, or the original query specified it. */
822 if ((header
->hb4
& HB4_CD
) || (forward
->flags
& FREC_CHECKING_DISABLED
))
826 if (server
&& option_bool(OPT_DNSSEC_VALID
) && !(forward
->flags
& FREC_CHECKING_DISABLED
))
830 /* We've had a reply already, which we're validating. Ignore this duplicate */
831 if (forward
->blocking_query
)
834 if (header
->hb3
& HB3_TC
)
836 /* Truncated answer can't be validated.
837 If this is an answer to a DNSSEC-generated query, we still
838 need to get the client to retry over TCP, so return
839 an answer with the TC bit set, even if the actual answer fits.
841 status
= STAT_TRUNCATED
;
843 else if (forward
->flags
& FREC_DNSKEY_QUERY
)
844 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
845 else if (forward
->flags
& FREC_DS_QUERY
)
847 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
848 /* Provably no DS, everything below is insecure, even if signatures are offered */
849 if (status
== STAT_NO_DS
)
850 /* We only cache sigs when we've validated a reply.
851 Avoid caching a reply with sigs if there's a vaildated break in the
852 DS chain, so we don't return replies from cache missing sigs. */
853 status
= STAT_INSECURE_DS
;
854 else if (status
== STAT_NO_SIG
)
856 if (option_bool(OPT_DNSSEC_NO_SIGN
))
858 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
859 if (status
== STAT_INSECURE
)
860 status
= STAT_INSECURE_DS
;
863 status
= STAT_INSECURE_DS
;
865 else if (status
== STAT_NO_NS
)
868 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
870 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
871 if (status
!= STAT_NEED_KEY
)
872 status
= do_check_sign(forward
, status
, now
, daemon
->namebuff
, daemon
->keyname
);
876 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
, NULL
);
877 if (status
== STAT_NO_SIG
)
879 if (option_bool(OPT_DNSSEC_NO_SIGN
))
880 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
882 status
= STAT_INSECURE
;
885 /* Can't validate, as we're missing key data. Put this
886 answer aside, whilst we get that. */
887 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
889 struct frec
*new, *orig
;
891 /* Free any saved query */
893 blockdata_free(forward
->stash
);
895 /* Now save reply pending receipt of key data */
896 if (!(forward
->stash
= blockdata_alloc((char *)header
, n
)))
898 forward
->stash_len
= n
;
901 /* Find the original query that started it all.... */
902 for (orig
= forward
; orig
->dependent
; orig
= orig
->dependent
);
904 if (--orig
->work_counter
== 0 || !(new = get_new_frec(now
, NULL
, 1)))
905 status
= STAT_INSECURE
;
909 struct frec
*next
= new->next
;
910 *new = *forward
; /* copy everything, then overwrite */
912 new->blocking_query
= NULL
;
913 new->sentto
= server
;
915 new->orig_domain
= NULL
;
919 new->flags
&= ~(FREC_DNSKEY_QUERY
| FREC_DS_QUERY
| FREC_CHECK_NOSIGN
);
921 new->dependent
= forward
; /* to find query awaiting new one. */
922 forward
->blocking_query
= new; /* for garbage cleaning */
923 /* validate routines leave name of required record in daemon->keyname */
924 if (status
== STAT_NEED_KEY
)
926 new->flags
|= FREC_DNSKEY_QUERY
;
927 nn
= dnssec_generate_query(header
, ((char *) header
) + daemon
->packet_buff_sz
,
928 daemon
->keyname
, forward
->class, T_DNSKEY
, &server
->addr
, server
->edns_pktsz
);
932 if (status
== STAT_NEED_DS_NEG
)
933 new->flags
|= FREC_CHECK_NOSIGN
;
935 new->flags
|= FREC_DS_QUERY
;
936 nn
= dnssec_generate_query(header
,((char *) header
) + daemon
->packet_buff_sz
,
937 daemon
->keyname
, forward
->class, T_DS
, &server
->addr
, server
->edns_pktsz
);
939 if ((hash
= hash_questions(header
, nn
, daemon
->namebuff
)))
940 memcpy(new->hash
, hash
, HASH_SIZE
);
941 new->new_id
= get_id();
942 header
->id
= htons(new->new_id
);
943 /* Save query for retransmission */
944 if (!(new->stash
= blockdata_alloc((char *)header
, nn
)))
949 /* Don't resend this. */
950 daemon
->srv_save
= NULL
;
953 fd
= server
->sfd
->fd
;
958 if (server
->addr
.sa
.sa_family
== AF_INET6
)
960 if (new->rfd6
|| (new->rfd6
= allocate_rfd(AF_INET6
)))
966 if (new->rfd4
|| (new->rfd4
= allocate_rfd(AF_INET
)))
973 while (retry_send(sendto(fd
, (char *)header
, nn
, 0,
975 sa_len(&server
->addr
))));
983 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
984 Now wind back down, pulling back answers which wouldn't previously validate
985 and validate them with the new data. Note that if an answer needs multiple
986 keys to validate, we may find another key is needed, in which case we set off
987 down another branch of the tree. Once we get to the original answer
988 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
989 while (forward
->dependent
)
991 struct frec
*prev
= forward
->dependent
;
994 forward
->blocking_query
= NULL
; /* already gone */
995 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
996 n
= forward
->stash_len
;
998 if (status
== STAT_SECURE
)
1000 if (forward
->flags
& FREC_DNSKEY_QUERY
)
1001 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
1002 else if (forward
->flags
& FREC_DS_QUERY
)
1004 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
1005 /* Provably no DS, everything below is insecure, even if signatures are offered */
1006 if (status
== STAT_NO_DS
)
1007 /* We only cache sigs when we've validated a reply.
1008 Avoid caching a reply with sigs if there's a vaildated break in the
1009 DS chain, so we don't return replies from cache missing sigs. */
1010 status
= STAT_INSECURE_DS
;
1011 else if (status
== STAT_NO_SIG
)
1013 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1015 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
1016 if (status
== STAT_INSECURE
)
1017 status
= STAT_INSECURE_DS
;
1020 status
= STAT_INSECURE_DS
;
1022 else if (status
== STAT_NO_NS
)
1023 status
= STAT_BOGUS
;
1025 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
1027 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
1028 if (status
!= STAT_NEED_KEY
)
1029 status
= do_check_sign(forward
, status
, now
, daemon
->namebuff
, daemon
->keyname
);
1033 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
, NULL
);
1034 if (status
== STAT_NO_SIG
)
1036 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1037 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
1039 status
= STAT_INSECURE
;
1043 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
1048 no_cache_dnssec
= 0;
1050 if (status
== STAT_INSECURE_DS
)
1052 /* We only cache sigs when we've validated a reply.
1053 Avoid caching a reply with sigs if there's a vaildated break in the
1054 DS chain, so we don't return replies from cache missing sigs. */
1055 status
= STAT_INSECURE
;
1056 no_cache_dnssec
= 1;
1059 if (status
== STAT_TRUNCATED
)
1060 header
->hb3
|= HB3_TC
;
1063 char *result
, *domain
= "result";
1065 if (forward
->work_counter
== 0)
1067 result
= "ABANDONED";
1068 status
= STAT_BOGUS
;
1071 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
1073 if (status
== STAT_BOGUS
&& extract_request(header
, n
, daemon
->namebuff
, NULL
))
1074 domain
= daemon
->namebuff
;
1076 log_query(F_KEYTAG
| F_SECSTAT
, domain
, NULL
, result
);
1079 if (status
== STAT_SECURE
)
1081 else if (status
== STAT_BOGUS
)
1083 no_cache_dnssec
= 1;
1089 /* restore CD bit to the value in the query */
1090 if (forward
->flags
& FREC_CHECKING_DISABLED
)
1091 header
->hb4
|= HB4_CD
;
1093 header
->hb4
&= ~HB4_CD
;
1095 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, no_cache_dnssec
, cache_secure
, bogusanswer
,
1096 forward
->flags
& FREC_AD_QUESTION
, forward
->flags
& FREC_DO_QUESTION
,
1097 forward
->flags
& FREC_ADDED_PHEADER
, forward
->flags
& FREC_HAS_SUBNET
, &forward
->source
)))
1099 header
->id
= htons(forward
->orig_id
);
1100 header
->hb4
|= HB4_RA
; /* recursion if available */
1101 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
1102 &forward
->source
, &forward
->dest
, forward
->iface
);
1104 free_frec(forward
); /* cancel */
1109 void receive_query(struct listener
*listen
, time_t now
)
1111 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
1112 union mysockaddr source_addr
;
1113 unsigned short type
;
1114 struct all_addr dst_addr
;
1115 struct in_addr netmask
, dst_addr_4
;
1118 int if_index
= 0, auth_dns
= 0;
1122 struct iovec iov
[1];
1124 struct cmsghdr
*cmptr
;
1126 struct cmsghdr align
; /* this ensures alignment */
1128 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
1130 #if defined(HAVE_LINUX_NETWORK)
1131 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
1132 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1133 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1134 CMSG_SPACE(sizeof(unsigned int))];
1135 #elif defined(IP_RECVDSTADDR)
1136 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1137 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
1141 /* Can always get recvd interface for IPv6 */
1142 int check_dst
= !option_bool(OPT_NOWILD
) || listen
->family
== AF_INET6
;
1144 int check_dst
= !option_bool(OPT_NOWILD
);
1147 /* packet buffer overwritten */
1148 daemon
->srv_save
= NULL
;
1150 dst_addr_4
.s_addr
= dst_addr
.addr
.addr4
.s_addr
= 0;
1153 if (option_bool(OPT_NOWILD
) && listen
->iface
)
1155 auth_dns
= listen
->iface
->dns_auth
;
1157 if (listen
->family
== AF_INET
)
1159 dst_addr_4
= dst_addr
.addr
.addr4
= listen
->iface
->addr
.in
.sin_addr
;
1160 netmask
= listen
->iface
->netmask
;
1164 iov
[0].iov_base
= daemon
->packet
;
1165 iov
[0].iov_len
= daemon
->edns_pktsz
;
1167 msg
.msg_control
= control_u
.control
;
1168 msg
.msg_controllen
= sizeof(control_u
);
1170 msg
.msg_name
= &source_addr
;
1171 msg
.msg_namelen
= sizeof(source_addr
);
1175 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
1178 if (n
< (int)sizeof(struct dns_header
) ||
1179 (msg
.msg_flags
& MSG_TRUNC
) ||
1180 (header
->hb3
& HB3_QR
))
1183 source_addr
.sa
.sa_family
= listen
->family
;
1185 if (listen
->family
== AF_INET
)
1187 /* Source-port == 0 is an error, we can't send back to that.
1188 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1189 if (source_addr
.in
.sin_port
== 0)
1195 /* Source-port == 0 is an error, we can't send back to that. */
1196 if (source_addr
.in6
.sin6_port
== 0)
1198 source_addr
.in6
.sin6_flowinfo
= 0;
1202 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1203 if (option_bool(OPT_LOCAL_SERVICE
))
1205 struct addrlist
*addr
;
1207 if (listen
->family
== AF_INET6
)
1209 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1210 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1211 is_same_net6(&addr
->addr
.addr
.addr6
, &source_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1217 struct in_addr netmask
;
1218 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1220 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1221 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1222 is_same_net(addr
->addr
.addr
.addr4
, source_addr
.in
.sin_addr
, netmask
))
1228 static int warned
= 0;
1231 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1242 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
1245 #if defined(HAVE_LINUX_NETWORK)
1246 if (listen
->family
== AF_INET
)
1247 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1248 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
1252 struct in_pktinfo
*p
;
1254 p
.c
= CMSG_DATA(cmptr
);
1255 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
1256 if_index
= p
.p
->ipi_ifindex
;
1258 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1259 if (listen
->family
== AF_INET
)
1261 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1267 #ifndef HAVE_SOLARIS_NETWORK
1268 struct sockaddr_dl
*s
;
1271 p
.c
= CMSG_DATA(cmptr
);
1272 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
1273 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
1274 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
1275 #ifdef HAVE_SOLARIS_NETWORK
1278 if_index
= p
.s
->sdl_index
;
1285 if (listen
->family
== AF_INET6
)
1287 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1288 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
1292 struct in6_pktinfo
*p
;
1294 p
.c
= CMSG_DATA(cmptr
);
1296 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
1297 if_index
= p
.p
->ipi6_ifindex
;
1302 /* enforce available interface configuration */
1304 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
))
1307 if (!iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
1309 if (!option_bool(OPT_CLEVERBIND
))
1310 enumerate_interfaces(0);
1311 if (!loopback_exception(listen
->fd
, listen
->family
, &dst_addr
, ifr
.ifr_name
) &&
1312 !label_exception(if_index
, listen
->family
, &dst_addr
))
1316 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
1320 /* get the netmask of the interface whch has the address we were sent to.
1321 This is no neccessarily the interface we arrived on. */
1323 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1324 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1325 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1328 /* interface may be new */
1329 if (!iface
&& !option_bool(OPT_CLEVERBIND
))
1330 enumerate_interfaces(0);
1332 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1333 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1334 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1337 /* If we failed, abandon localisation */
1339 netmask
= iface
->netmask
;
1341 dst_addr_4
.s_addr
= 0;
1345 /* log_query gets called indirectly all over the place, so
1346 pass these in global variables - sorry. */
1347 daemon
->log_display_id
= ++daemon
->log_id
;
1348 daemon
->log_source_addr
= &source_addr
;
1350 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
1353 struct auth_zone
*zone
;
1355 char *types
= querystr(auth_dns
? "auth" : "query", type
);
1357 if (listen
->family
== AF_INET
)
1358 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1359 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
1362 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1363 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
1367 /* find queries for zones we're authoritative for, and answer them directly */
1369 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1370 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1379 /* Check for forwarding loop */
1380 if (detect_loop(daemon
->namebuff
, type
))
1388 m
= answer_auth(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
, now
, &source_addr
, local_auth
);
1391 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1392 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1393 daemon
->auth_answer
++;
1399 int ad_reqd
, do_bit
;
1400 m
= answer_request(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
,
1401 dst_addr_4
, netmask
, now
, &ad_reqd
, &do_bit
);
1405 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1406 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1407 daemon
->local_answer
++;
1409 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
1410 header
, (size_t)n
, now
, NULL
, ad_reqd
, do_bit
))
1411 daemon
->queries_forwarded
++;
1413 daemon
->local_answer
++;
1419 /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1420 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1421 STAT_NEED_DS_NEG and keyname if we need to do the query. */
1422 static int send_check_sign(struct frec
*forward
, time_t now
, struct dns_header
*header
, size_t plen
,
1423 char *name
, char *keyname
)
1425 int status
= dnssec_chase_cname(now
, header
, plen
, name
, keyname
);
1427 if (status
!= STAT_INSECURE
)
1430 /* Store the domain we're trying to check. */
1431 forward
->name_start
= strlen(name
);
1432 forward
->name_len
= forward
->name_start
+ 1;
1433 if (!(forward
->orig_domain
= blockdata_alloc(name
, forward
->name_len
)))
1436 return do_check_sign(forward
, 0, now
, name
, keyname
);
1439 /* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1440 static int do_check_sign(struct frec
*forward
, int status
, time_t now
, char *name
, char *keyname
)
1442 /* get domain we're checking back from blockdata store, it's stored on the original query. */
1443 while (forward
->dependent
&& !forward
->orig_domain
)
1444 forward
= forward
->dependent
;
1446 blockdata_retrieve(forward
->orig_domain
, forward
->name_len
, name
);
1456 /* Haven't received answer, see if in cache */
1457 if (!(crecp
= cache_find_by_name(NULL
, &name
[forward
->name_start
], now
, F_DS
)))
1459 /* put name of DS record we're missing into keyname */
1460 strcpy(keyname
, &name
[forward
->name_start
]);
1461 /* and wait for reply to arrive */
1462 return STAT_NEED_DS_NEG
;
1465 /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1466 if (!(crecp
->flags
& F_NEG
))
1467 status
= STAT_SECURE
;
1468 else if (crecp
->flags
& F_DNSSECOK
)
1469 status
= STAT_NO_DS
;
1471 status
= STAT_NO_NS
;
1474 /* Have entered non-signed part of DNS tree. */
1475 if (status
== STAT_NO_DS
)
1476 return forward
->dependent
? STAT_INSECURE_DS
: STAT_INSECURE
;
1478 if (status
== STAT_BOGUS
)
1481 if (status
== STAT_NO_SIG
&& *keyname
!= 0)
1483 /* There is a validated CNAME chain that doesn't end in a DS record. Start
1484 the search again in that domain. */
1485 blockdata_free(forward
->orig_domain
);
1486 forward
->name_start
= strlen(keyname
);
1487 forward
->name_len
= forward
->name_start
+ 1;
1488 if (!(forward
->orig_domain
= blockdata_alloc(keyname
, forward
->name_len
)))
1491 strcpy(name
, keyname
);
1492 status
= 0; /* force to cache when we iterate. */
1496 /* There's a proven DS record, or we're within a zone, where there doesn't need
1497 to be a DS record. Add a name and try again.
1498 If we've already tried the whole name, then fail */
1500 if (forward
->name_start
== 0)
1503 for (p
= &name
[forward
->name_start
-2]; (*p
!= '.') && (p
!= name
); p
--);
1508 forward
->name_start
= p
- name
;
1509 status
= 0; /* force to cache when we iterate. */
1513 /* Move down from the root, until we find a signed non-existance of a DS, in which case
1514 an unsigned answer is OK, or we find a signed DS, in which case there should be
1515 a signature, and the answer is BOGUS */
1516 static int tcp_check_for_unsigned_zone(time_t now
, struct dns_header
*header
, size_t plen
, int class, char *name
,
1517 char *keyname
, struct server
*server
, int *keycount
)
1520 unsigned char *packet
, *payload
;
1522 int status
, name_len
;
1523 struct blockdata
*block
;
1527 /* Get first insecure entry in CNAME chain */
1528 status
= tcp_key_recurse(now
, STAT_CHASE_CNAME
, header
, plen
, class, name
, keyname
, server
, keycount
);
1529 if (status
== STAT_BOGUS
)
1532 if (!(packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
))))
1535 payload
= &packet
[2];
1536 header
= (struct dns_header
*)payload
;
1537 length
= (u16
*)packet
;
1539 /* Stash the name away, since the buffer will be trashed when we recurse */
1540 name_len
= strlen(name
) + 1;
1541 name_start
= name
+ name_len
- 1;
1543 if (!(block
= blockdata_alloc(name
, name_len
)))
1551 unsigned char c1
, c2
;
1554 if (--(*keycount
) == 0)
1557 blockdata_free(block
);
1561 while ((crecp
= cache_find_by_name(NULL
, name_start
, now
, F_DS
)))
1563 if ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
))
1565 /* Found a secure denial of DS - delegation is indeed insecure */
1567 blockdata_free(block
);
1568 return STAT_INSECURE
;
1571 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1572 Add another label and continue. */
1574 if (name_start
== name
)
1577 blockdata_free(block
);
1578 return STAT_BOGUS
; /* run out of labels */
1582 while (*name_start
!= '.' && name_start
!= name
)
1584 if (name_start
!= name
)
1588 /* Can't find it in the cache, have to send a query */
1590 m
= dnssec_generate_query(header
, ((char *) header
) + 65536, name_start
, class, T_DS
, &server
->addr
, server
->edns_pktsz
);
1594 if (read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) &&
1595 read_write(server
->tcpfd
, &c1
, 1, 1) &&
1596 read_write(server
->tcpfd
, &c2
, 1, 1) &&
1597 read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1601 /* Note this trashes all three name workspaces */
1602 status
= tcp_key_recurse(now
, STAT_NEED_DS_NEG
, header
, m
, class, name
, keyname
, server
, keycount
);
1604 if (status
== STAT_NO_DS
)
1606 /* Found a secure denial of DS - delegation is indeed insecure */
1608 blockdata_free(block
);
1609 return STAT_INSECURE
;
1612 if (status
== STAT_NO_SIG
&& *keyname
!= 0)
1614 /* There is a validated CNAME chain that doesn't end in a DS record. Start
1615 the search again in that domain. */
1616 blockdata_free(block
);
1617 name_len
= strlen(keyname
) + 1;
1618 name_start
= name
+ name_len
- 1;
1620 if (!(block
= blockdata_alloc(keyname
, name_len
)))
1623 strcpy(name
, keyname
);
1627 if (status
== STAT_BOGUS
)
1630 blockdata_free(block
);
1634 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1635 Add another label and continue. */
1637 /* Get name we're checking back. */
1638 blockdata_retrieve(block
, name_len
, name
);
1640 if (name_start
== name
)
1643 blockdata_free(block
);
1644 return STAT_BOGUS
; /* run out of labels */
1648 while (*name_start
!= '.' && name_start
!= name
)
1650 if (name_start
!= name
)
1657 blockdata_free(block
);
1658 return STAT_BOGUS
; /* run out of labels */
1663 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
1664 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
)
1666 /* Recurse up the key heirarchy */
1669 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1670 if (--(*keycount
) == 0)
1671 return STAT_INSECURE
;
1673 if (status
== STAT_NEED_KEY
)
1674 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1675 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1677 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1678 if (status
== STAT_NEED_DS
)
1680 if (new_status
== STAT_NO_DS
)
1681 new_status
= STAT_INSECURE_DS
;
1682 if (new_status
== STAT_NO_SIG
)
1684 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1686 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1687 if (new_status
== STAT_INSECURE
)
1688 new_status
= STAT_INSECURE_DS
;
1691 new_status
= STAT_INSECURE_DS
;
1693 else if (new_status
== STAT_NO_NS
)
1694 new_status
= STAT_BOGUS
;
1697 else if (status
== STAT_CHASE_CNAME
)
1698 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1701 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
, NULL
);
1703 if (new_status
== STAT_NO_SIG
)
1705 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1706 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1708 new_status
= STAT_INSECURE
;
1712 /* Can't validate because we need a key/DS whose name now in keyname.
1713 Make query for same, and recurse to validate */
1714 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1717 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1718 unsigned char *payload
= &packet
[2];
1719 struct dns_header
*new_header
= (struct dns_header
*)payload
;
1720 u16
*length
= (u16
*)packet
;
1721 unsigned char c1
, c2
;
1724 return STAT_INSECURE
;
1727 m
= dnssec_generate_query(new_header
, ((char *) new_header
) + 65536, keyname
, class,
1728 new_status
== STAT_NEED_KEY
? T_DNSKEY
: T_DS
, &server
->addr
, server
->edns_pktsz
);
1732 if (!read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) ||
1733 !read_write(server
->tcpfd
, &c1
, 1, 1) ||
1734 !read_write(server
->tcpfd
, &c2
, 1, 1) ||
1735 !read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1736 new_status
= STAT_INSECURE
;
1741 new_status
= tcp_key_recurse(now
, new_status
, new_header
, m
, class, name
, keyname
, server
, keycount
);
1743 if (new_status
== STAT_SECURE
)
1745 /* Reached a validated record, now try again at this level.
1746 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1747 If so, go round again. */
1749 if (status
== STAT_NEED_KEY
)
1750 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1751 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1753 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1754 if (status
== STAT_NEED_DS
)
1756 if (new_status
== STAT_NO_DS
)
1757 new_status
= STAT_INSECURE_DS
;
1758 else if (new_status
== STAT_NO_SIG
)
1760 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1762 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1763 if (new_status
== STAT_INSECURE
)
1764 new_status
= STAT_INSECURE_DS
;
1767 new_status
= STAT_INSECURE_DS
;
1769 else if (new_status
== STAT_NO_NS
)
1770 new_status
= STAT_BOGUS
;
1773 else if (status
== STAT_CHASE_CNAME
)
1774 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1777 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
, NULL
);
1779 if (new_status
== STAT_NO_SIG
)
1781 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1782 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1784 new_status
= STAT_INSECURE
;
1788 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1789 goto another_tcp_key
;
1800 /* The daemon forks before calling this: it should deal with one connection,
1801 blocking as neccessary, and then return. Note, need to be a bit careful
1802 about resources for debug mode, when the fork is suppressed: that's
1803 done by the caller. */
1804 unsigned char *tcp_request(int confd
, time_t now
,
1805 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
1812 int checking_disabled
, ad_question
, do_bit
, added_pheader
= 0;
1813 int check_subnet
, no_cache_dnssec
= 0, cache_secure
= 0, bogusanswer
= 0;
1815 unsigned short qtype
;
1816 unsigned int gotname
;
1817 unsigned char c1
, c2
;
1818 /* Max TCP packet + slop + size */
1819 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1820 unsigned char *payload
= &packet
[2];
1821 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1822 struct dns_header
*header
= (struct dns_header
*)payload
;
1823 u16
*length
= (u16
*)packet
;
1824 struct server
*last_server
;
1825 struct in_addr dst_addr_4
;
1826 union mysockaddr peer_addr
;
1827 socklen_t peer_len
= sizeof(union mysockaddr
);
1828 int query_count
= 0;
1830 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
1833 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1834 if (option_bool(OPT_LOCAL_SERVICE
))
1836 struct addrlist
*addr
;
1838 if (peer_addr
.sa
.sa_family
== AF_INET6
)
1840 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1841 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1842 is_same_net6(&addr
->addr
.addr
.addr6
, &peer_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1848 struct in_addr netmask
;
1849 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1851 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1852 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1853 is_same_net(addr
->addr
.addr
.addr4
, peer_addr
.in
.sin_addr
, netmask
))
1859 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1866 if (query_count
== TCP_MAX_QUERIES
||
1868 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
1869 !(size
= c1
<< 8 | c2
) ||
1870 !read_write(confd
, payload
, size
, 1))
1873 if (size
< (int)sizeof(struct dns_header
))
1878 /* log_query gets called indirectly all over the place, so
1879 pass these in global variables - sorry. */
1880 daemon
->log_display_id
= ++daemon
->log_id
;
1881 daemon
->log_source_addr
= &peer_addr
;
1885 /* save state of "cd" flag in query */
1886 if ((checking_disabled
= header
->hb4
& HB4_CD
))
1887 no_cache_dnssec
= 1;
1889 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1892 struct auth_zone
*zone
;
1894 char *types
= querystr(auth_dns
? "auth" : "query", qtype
);
1896 if (peer_addr
.sa
.sa_family
== AF_INET
)
1897 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1898 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
1901 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1902 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
1906 /* find queries for zones we're authoritative for, and answer them directly */
1908 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1909 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1918 if (local_addr
->sa
.sa_family
== AF_INET
)
1919 dst_addr_4
= local_addr
->in
.sin_addr
;
1921 dst_addr_4
.s_addr
= 0;
1925 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
, local_auth
);
1929 /* m > 0 if answered from cache */
1930 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
1931 dst_addr_4
, netmask
, now
, &ad_question
, &do_bit
);
1933 /* Do this by steam now we're not in the select() loop */
1934 check_log_writer(1);
1938 unsigned int flags
= 0;
1939 struct all_addr
*addrp
= NULL
;
1941 char *domain
= NULL
;
1943 if (option_bool(OPT_ADD_MAC
))
1944 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1946 if (option_bool(OPT_CLIENT_SUBNET
))
1948 size_t new = add_source_addr(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1957 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
1959 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
1960 last_server
= daemon
->servers
;
1962 last_server
= daemon
->last_server
;
1964 if (!flags
&& last_server
)
1966 struct server
*firstsendto
= NULL
;
1968 unsigned char *newhash
, hash
[HASH_SIZE
];
1969 if ((newhash
= hash_questions(header
, (unsigned int)size
, daemon
->namebuff
)))
1970 memcpy(hash
, newhash
, HASH_SIZE
);
1972 memset(hash
, 0, HASH_SIZE
);
1974 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
1976 /* Loop round available servers until we succeed in connecting to one.
1977 Note that this code subtley ensures that consecutive queries on this connection
1978 which can go to the same server, do so. */
1982 firstsendto
= last_server
;
1985 if (!(last_server
= last_server
->next
))
1986 last_server
= daemon
->servers
;
1988 if (last_server
== firstsendto
)
1992 /* server for wrong domain */
1993 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
1994 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)) ||
1995 (last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
1998 if (last_server
->tcpfd
== -1)
2000 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
2003 #ifdef HAVE_CONNTRACK
2004 /* Copy connection mark of incoming query to outgoing connection. */
2005 if (option_bool(OPT_CONNTRACK
))
2008 struct all_addr local
;
2010 if (local_addr
->sa
.sa_family
== AF_INET6
)
2011 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
2014 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
2016 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
2017 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
2021 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
2022 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
2024 close(last_server
->tcpfd
);
2025 last_server
->tcpfd
= -1;
2030 if (option_bool(OPT_DNSSEC_VALID
))
2032 size_t new_size
= add_do_bit(header
, size
, ((char *) header
) + 65536);
2034 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
2035 this allows it to select auth servers when one is returning bad data. */
2036 if (option_bool(OPT_DNSSEC_DEBUG
))
2037 header
->hb4
|= HB4_CD
;
2039 if (size
!= new_size
)
2047 *length
= htons(size
);
2049 /* get query name again for logging - may have been overwritten */
2050 if (!(gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
2051 strcpy(daemon
->namebuff
, "query");
2053 if (!read_write(last_server
->tcpfd
, packet
, size
+ sizeof(u16
), 0) ||
2054 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
2055 !read_write(last_server
->tcpfd
, &c2
, 1, 1) ||
2056 !read_write(last_server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
2058 close(last_server
->tcpfd
);
2059 last_server
->tcpfd
= -1;
2065 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
2066 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
2067 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
2070 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
2071 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
2075 if (option_bool(OPT_DNSSEC_VALID
) && !checking_disabled
)
2077 int keycount
= DNSSEC_WORK
; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
2078 int status
= tcp_key_recurse(now
, STAT_TRUNCATED
, header
, m
, 0, daemon
->namebuff
, daemon
->keyname
, last_server
, &keycount
);
2079 char *result
, *domain
= "result";
2081 if (status
== STAT_INSECURE_DS
)
2083 /* We only cache sigs when we've validated a reply.
2084 Avoid caching a reply with sigs if there's a vaildated break in the
2085 DS chain, so we don't return replies from cache missing sigs. */
2086 status
= STAT_INSECURE
;
2087 no_cache_dnssec
= 1;
2092 result
= "ABANDONED";
2093 status
= STAT_BOGUS
;
2096 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
2098 if (status
== STAT_BOGUS
&& extract_request(header
, m
, daemon
->namebuff
, NULL
))
2099 domain
= daemon
->namebuff
;
2101 log_query(F_KEYTAG
| F_SECSTAT
, domain
, NULL
, result
);
2103 if (status
== STAT_BOGUS
)
2105 no_cache_dnssec
= 1;
2109 if (status
== STAT_SECURE
)
2114 /* restore CD bit to the value in the query */
2115 if (checking_disabled
)
2116 header
->hb4
|= HB4_CD
;
2118 header
->hb4
&= ~HB4_CD
;
2120 /* There's no point in updating the cache, since this process will exit and
2121 lose the information after a few queries. We make this call for the alias and
2122 bogus-nxdomain side-effects. */
2123 /* If the crc of the question section doesn't match the crc we sent, then
2124 someone might be attempting to insert bogus values into the cache by
2125 sending replies containing questions and bogus answers. */
2127 newhash
= hash_questions(header
, (unsigned int)m
, daemon
->namebuff
);
2128 if (!newhash
|| memcmp(hash
, newhash
, HASH_SIZE
) != 0)
2134 if (crc
!= questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
2141 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
2142 option_bool(OPT_NO_REBIND
) && !norebind
, no_cache_dnssec
, cache_secure
, bogusanswer
,
2143 ad_question
, do_bit
, added_pheader
, check_subnet
, &peer_addr
);
2149 /* In case of local answer or no connections made. */
2151 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
2155 check_log_writer(1);
2159 if (m
== 0 || !read_write(confd
, packet
, m
+ sizeof(u16
), 0))
2164 static struct frec
*allocate_frec(time_t now
)
2168 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
2170 f
->next
= daemon
->frec_list
;
2179 f
->dependent
= NULL
;
2180 f
->blocking_query
= NULL
;
2182 f
->orig_domain
= NULL
;
2184 daemon
->frec_list
= f
;
2190 struct randfd
*allocate_rfd(int family
)
2192 static int finger
= 0;
2195 /* limit the number of sockets we have open to avoid starvation of
2196 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2198 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
2199 if (daemon
->randomsocks
[i
].refcount
== 0)
2201 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
2204 daemon
->randomsocks
[i
].refcount
= 1;
2205 daemon
->randomsocks
[i
].family
= family
;
2206 return &daemon
->randomsocks
[i
];
2209 /* No free ones or cannot get new socket, grab an existing one */
2210 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
2212 int j
= (i
+finger
) % RANDOM_SOCKS
;
2213 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
2214 daemon
->randomsocks
[j
].family
== family
&&
2215 daemon
->randomsocks
[j
].refcount
!= 0xffff)
2218 daemon
->randomsocks
[j
].refcount
++;
2219 return &daemon
->randomsocks
[j
];
2223 return NULL
; /* doom */
2226 void free_rfd(struct randfd
*rfd
)
2228 if (rfd
&& --(rfd
->refcount
) == 0)
2232 static void free_frec(struct frec
*f
)
2247 blockdata_free(f
->stash
);
2253 blockdata_free(f
->orig_domain
);
2254 f
->orig_domain
= NULL
;
2257 /* Anything we're waiting on is pointless now, too */
2258 if (f
->blocking_query
)
2259 free_frec(f
->blocking_query
);
2260 f
->blocking_query
= NULL
;
2261 f
->dependent
= NULL
;
2265 /* if wait==NULL return a free or older than TIMEOUT record.
2266 else return *wait zero if one available, or *wait is delay to
2267 when the oldest in-use record will expire. Impose an absolute
2268 limit of 4*TIMEOUT before we wipe things (for random sockets).
2269 If force is set, always return a result, even if we have
2270 to allocate above the limit. */
2271 struct frec
*get_new_frec(time_t now
, int *wait
, int force
)
2273 struct frec
*f
, *oldest
, *target
;
2279 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
2284 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
2290 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
2300 /* can't find empty one, use oldest if there is one
2301 and it's older than timeout */
2302 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
2304 /* keep stuff for twice timeout if we can by allocating a new
2306 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
2307 count
<= daemon
->ftabsize
&&
2308 (f
= allocate_frec(now
)))
2319 /* none available, calculate time 'till oldest record expires */
2320 if (!force
&& count
> daemon
->ftabsize
)
2322 static time_t last_log
= 0;
2325 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
2327 if ((int)difftime(now
, last_log
) > 5)
2330 my_syslog(LOG_WARNING
, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon
->ftabsize
);
2336 if (!(f
= allocate_frec(now
)) && wait
)
2337 /* wait one second on malloc failure */
2340 return f
; /* OK if malloc fails and this is NULL */
2343 /* crc is all-ones if not known. */
2344 static struct frec
*lookup_frec(unsigned short id
, void *hash
)
2348 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2349 if (f
->sentto
&& f
->new_id
== id
&&
2350 (!hash
|| memcmp(hash
, f
->hash
, HASH_SIZE
) == 0))
2356 static struct frec
*lookup_frec_by_sender(unsigned short id
,
2357 union mysockaddr
*addr
,
2362 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2365 memcmp(hash
, f
->hash
, HASH_SIZE
) == 0 &&
2366 sockaddr_isequal(&f
->source
, addr
))
2372 /* Send query packet again, if we can. */
2375 if (daemon
->srv_save
)
2379 if (daemon
->srv_save
->sfd
)
2380 fd
= daemon
->srv_save
->sfd
->fd
;
2381 else if (daemon
->rfd_save
&& daemon
->rfd_save
->refcount
!= 0)
2382 fd
= daemon
->rfd_save
->fd
;
2386 while(retry_send(sendto(fd
, daemon
->packet
, daemon
->packet_len
, 0,
2387 &daemon
->srv_save
->addr
.sa
,
2388 sa_len(&daemon
->srv_save
->addr
))));
2392 /* A server record is going away, remove references to it */
2393 void server_gone(struct server
*server
)
2397 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
2398 if (f
->sentto
&& f
->sentto
== server
)
2401 if (daemon
->last_server
== server
)
2402 daemon
->last_server
= NULL
;
2404 if (daemon
->srv_save
== server
)
2405 daemon
->srv_save
= NULL
;
2408 /* return unique random ids. */
2409 static unsigned short get_id(void)
2411 unsigned short ret
= 0;
2415 while (lookup_frec(ret
, NULL
));