-/* dnsmasq is Copyright (c) 2000 - 2005 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2013 Simon Kelley
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; version 2 dated June, 1991.
-
+ the Free Software Foundation; version 2 dated June, 1991, or
+ (at your option) version 3 dated 29 June, 2007.
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "dnsmasq.h"
-static struct frec *frec_list = NULL;
-
static struct frec *lookup_frec(unsigned short id, unsigned int crc);
static struct frec *lookup_frec_by_sender(unsigned short id,
union mysockaddr *addr,
unsigned int crc);
-static unsigned short get_id(int force, unsigned short force_id, unsigned int crc);
+static unsigned short get_id(unsigned int crc);
+static void free_frec(struct frec *f);
+static struct randfd *allocate_rfd(int family);
-
-/* Send a UDP packet with it's source address set as "source"
+/* Send a UDP packet with its source address set as "source"
unless nowild is true, when we just send it with the kernel default */
-static void send_from(int fd, int nowild, char *packet, size_t len,
- union mysockaddr *to, struct all_addr *source,
- unsigned int iface)
+int send_from(int fd, int nowild, char *packet, size_t len,
+ union mysockaddr *to, struct all_addr *source,
+ unsigned int iface)
{
struct msghdr msg;
struct iovec iov[1];
if (to->sa.sa_family == AF_INET)
{
#if defined(HAVE_LINUX_NETWORK)
- struct in_pktinfo *pkt = (struct in_pktinfo *)CMSG_DATA(cmptr);
- pkt->ipi_ifindex = 0;
- pkt->ipi_spec_dst = source->addr.addr4;
+ struct in_pktinfo p;
+ p.ipi_ifindex = 0;
+ p.ipi_spec_dst = source->addr.addr4;
+ memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
- cmptr->cmsg_level = SOL_IP;
+ cmptr->cmsg_level = IPPROTO_IP;
cmptr->cmsg_type = IP_PKTINFO;
#elif defined(IP_SENDSRCADDR)
- struct in_addr *a = (struct in_addr *)CMSG_DATA(cmptr);
- *a = source->addr.addr4;
+ memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
cmptr->cmsg_level = IPPROTO_IP;
cmptr->cmsg_type = IP_SENDSRCADDR;
else
#ifdef HAVE_IPV6
{
- struct in6_pktinfo *pkt = (struct in6_pktinfo *)CMSG_DATA(cmptr);
- pkt->ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
- pkt->ipi6_addr = source->addr.addr6;
+ struct in6_pktinfo p;
+ p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
+ p.ipi6_addr = source->addr.addr6;
+ memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
- cmptr->cmsg_type = IPV6_PKTINFO;
- cmptr->cmsg_level = IPV6_LEVEL;
+ cmptr->cmsg_type = daemon->v6pktinfo;
+ cmptr->cmsg_level = IPPROTO_IPV6;
}
#else
- iface = 0; /* eliminate warning */
+ (void)iface; /* eliminate warning */
#endif
}
- retry:
- if (sendmsg(fd, &msg, 0) == -1)
+ while (sendmsg(fd, &msg, 0) == -1)
{
- /* certain Linux kernels seem to object to setting the source address in the IPv6 stack
- by returning EINVAL from sendmsg. In that case, try again without setting the
- source address, since it will nearly alway be correct anyway. IPv6 stinks. */
- if (errno == EINVAL && msg.msg_controllen)
- {
- msg.msg_controllen = 0;
- goto retry;
- }
if (retry_send())
- goto retry;
+ continue;
+
+ /* If interface is still in DAD, EINVAL results - ignore that. */
+ if (errno == EINVAL)
+ break;
+
+ my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
+ return 0;
}
+
+ return 1;
}
-static unsigned short search_servers(time_t now, struct all_addr **addrpp,
- unsigned short qtype, char *qdomain, int *type, char **domain)
+static unsigned int search_servers(time_t now, struct all_addr **addrpp,
+ unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
{
/* If the query ends in the domain in one of our servers, set
unsigned int namelen = strlen(qdomain);
unsigned int matchlen = 0;
struct server *serv;
- unsigned short flags = 0;
+ unsigned int flags = 0;
for (serv = daemon->servers; serv; serv=serv->next)
/* domain matches take priority over NODOTS matches */
if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
{
- unsigned short sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
+ unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
*type = SERV_FOR_NODOTS;
if (serv->flags & SERV_NO_ADDR)
flags = F_NXDOMAIN;
*addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
#endif
}
- else if (!flags)
+ else if (!flags || (flags & F_NXDOMAIN))
flags = F_NOERR;
}
}
char *matchstart = qdomain + namelen - domainlen;
if (namelen >= domainlen &&
hostname_isequal(matchstart, serv->domain) &&
- domainlen >= matchlen &&
- (domainlen == 0 || namelen == domainlen || *(serv->domain) == '.' || *(matchstart-1) == '.' ))
+ (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
{
- unsigned short sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
- *type = SERV_HAS_DOMAIN;
- *domain = serv->domain;
- matchlen = domainlen;
- if (serv->flags & SERV_NO_ADDR)
- flags = F_NXDOMAIN;
- else if (serv->flags & SERV_LITERAL_ADDRESS)
+ if (serv->flags & SERV_NO_REBIND)
+ *norebind = 1;
+ else
{
- if ((sflag | F_QUERY ) & qtype)
+ unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
+ /* implement priority rules for --address and --server for same domain.
+ --address wins if the address is for the correct AF
+ --server wins otherwise. */
+ if (domainlen != 0 && domainlen == matchlen)
{
- flags = qtype & ~F_BIGNAME;
- if (serv->addr.sa.sa_family == AF_INET)
- *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
-#ifdef HAVE_IPV6
+ if ((serv->flags & SERV_LITERAL_ADDRESS))
+ {
+ if (!(sflag & qtype) && flags == 0)
+ continue;
+ }
else
- *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
-#endif
+ {
+ if (flags & (F_IPV4 | F_IPV6))
+ continue;
+ }
}
- else if (!flags)
- flags = F_NOERR;
+
+ if (domainlen >= matchlen)
+ {
+ *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
+ *domain = serv->domain;
+ matchlen = domainlen;
+ if (serv->flags & SERV_NO_ADDR)
+ flags = F_NXDOMAIN;
+ else if (serv->flags & SERV_LITERAL_ADDRESS)
+ {
+ if (sflag & qtype)
+ {
+ flags = sflag;
+ if (serv->addr.sa.sa_family == AF_INET)
+ *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
+#ifdef HAVE_IPV6
+ else
+ *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
+#endif
+ }
+ else if (!flags || (flags & F_NXDOMAIN))
+ flags = F_NOERR;
+ }
+ else
+ flags = 0;
+ }
}
- }
+ }
}
-
- if (flags & ~(F_NOERR | F_NXDOMAIN)) /* flags set here means a literal found */
- {
- if (flags & F_QUERY)
- log_query(F_CONFIG | F_FORWARD | F_NEG, qdomain, NULL, 0, NULL, 0);
- else
- log_query(F_CONFIG | F_FORWARD | flags, qdomain, *addrpp, 0, NULL, 0);
- }
- else if (qtype && !(qtype & F_BIGNAME) &&
- (daemon->options & OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
- /* don't forward simple names, make exception from NS queries and empty name. */
- flags = F_NXDOMAIN;
-
+
+ if (flags == 0 && !(qtype & F_QUERY) &&
+ option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
+ /* don't forward A or AAAA queries for simple names, except the empty name */
+ flags = F_NOERR;
+
if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
flags = F_NOERR;
- if (flags == F_NXDOMAIN || flags == F_NOERR)
- log_query(F_CONFIG | F_FORWARD | F_NEG | qtype | (flags & F_NXDOMAIN), qdomain, NULL, 0, NULL, 0);
-
+ if (flags)
+ {
+ int logflags = 0;
+
+ if (flags == F_NXDOMAIN || flags == F_NOERR)
+ logflags = F_NEG | qtype;
+
+ log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
+ }
+ else if ((*type) & SERV_USE_RESOLV)
+ {
+ *type = 0; /* use normal servers for this domain */
+ *domain = NULL;
+ }
return flags;
}
-/* returns new last_server */
-static void forward_query(int udpfd, union mysockaddr *udpaddr,
- struct all_addr *dst_addr, unsigned int dst_iface,
- HEADER *header, size_t plen, time_t now, struct frec *forward)
+static int forward_query(int udpfd, union mysockaddr *udpaddr,
+ struct all_addr *dst_addr, unsigned int dst_iface,
+ struct dns_header *header, size_t plen, time_t now, struct frec *forward)
{
char *domain = NULL;
- int type = 0;
+ int type = 0, norebind = 0;
struct all_addr *addrp = NULL;
unsigned int crc = questions_crc(header, plen, daemon->namebuff);
- unsigned short flags = 0;
- unsigned short gotname = extract_request(header, plen, daemon->namebuff, NULL);
+ unsigned int flags = 0;
+ unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
struct server *start = NULL;
-
+
+ /* RFC 4035: sect 4.6 para 2 */
+ header->hb4 &= ~HB4_AD;
+
/* may be no servers available. */
if (!daemon->servers)
forward = NULL;
{
/* retry on existing query, send to all available servers */
domain = forward->sentto->domain;
- if (!(daemon->options & OPT_ORDER))
+ forward->sentto->failed_queries++;
+ if (!option_bool(OPT_ORDER))
{
forward->forwardall = 1;
daemon->last_server = NULL;
else
{
if (gotname)
- flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain);
+ flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
- if (!flags && !(forward = get_new_frec(now, NULL)))
+ if (!flags && !(forward = get_new_frec(now, NULL, 0)))
/* table full - server failure. */
flags = F_NEG;
if (forward)
{
- /* force unchanging id for signed packets */
- int is_sign;
- find_pseudoheader(header, plen, NULL, NULL, &is_sign);
-
forward->source = *udpaddr;
forward->dest = *dst_addr;
forward->iface = dst_iface;
forward->orig_id = ntohs(header->id);
- forward->new_id = get_id(is_sign, forward->orig_id, crc);
+ forward->new_id = get_id(crc);
forward->fd = udpfd;
forward->crc = crc;
forward->forwardall = 0;
- header->id = htons(forward->new_id);
+ forward->flags = 0;
+ if (norebind)
+ forward->flags |= FREC_NOREBIND;
+ if (header->hb4 & HB4_CD)
+ forward->flags |= FREC_CHECKING_DISABLED;
- /* In strict_order mode, or when using domain specific servers
- always try servers in the order specified in resolv.conf,
+ header->id = htons(forward->new_id);
+
+ /* In strict_order mode, always try servers in the order
+ specified in resolv.conf, if a domain is given
+ always try all the available servers,
otherwise, use the one last known to work. */
- if (type != 0 || (daemon->options & OPT_ORDER))
- start = daemon->servers;
- else if (!(start = daemon->last_server))
+ if (type == 0)
+ {
+ if (option_bool(OPT_ORDER))
+ start = daemon->servers;
+ else if (!(start = daemon->last_server) ||
+ daemon->forwardcount++ > FORWARD_TEST ||
+ difftime(now, daemon->forwardtime) > FORWARD_TIME)
+ {
+ start = daemon->servers;
+ forward->forwardall = 1;
+ daemon->forwardcount = 0;
+ daemon->forwardtime = now;
+ }
+ }
+ else
{
start = daemon->servers;
- forward->forwardall = 1;
+ if (!option_bool(OPT_ORDER))
+ forward->forwardall = 1;
}
}
}
{
struct server *firstsentto = start;
int forwarded = 0;
+
+ if (option_bool(OPT_ADD_MAC))
+ plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
+
+ if (option_bool(OPT_CLIENT_SUBNET))
+ {
+ size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
+ if (new != plen)
+ {
+ plen = new;
+ forward->flags |= FREC_HAS_SUBNET;
+ }
+ }
+
+#ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID))
+ {
+ plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
+ header->hb4 |= HB4_CD;
+ }
+#endif
while (1)
{
(type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
!(start->flags & SERV_LITERAL_ADDRESS))
{
- if (sendto(start->sfd->fd, (char *)header, plen, 0,
+ int fd;
+
+ /* find server socket to use, may need to get random one. */
+ if (start->sfd)
+ fd = start->sfd->fd;
+ else
+ {
+#ifdef HAVE_IPV6
+ if (start->addr.sa.sa_family == AF_INET6)
+ {
+ if (!forward->rfd6 &&
+ !(forward->rfd6 = allocate_rfd(AF_INET6)))
+ break;
+ daemon->rfd_save = forward->rfd6;
+ fd = forward->rfd6->fd;
+ }
+ else
+#endif
+ {
+ if (!forward->rfd4 &&
+ !(forward->rfd4 = allocate_rfd(AF_INET)))
+ break;
+ daemon->rfd_save = forward->rfd4;
+ fd = forward->rfd4->fd;
+ }
+
+#ifdef HAVE_CONNTRACK
+ /* Copy connection mark of incoming query to outgoing connection. */
+ if (option_bool(OPT_CONNTRACK))
+ {
+ unsigned int mark;
+ if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
+ setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
+ }
+#endif
+ }
+
+ if (sendto(fd, (char *)header, plen, 0,
&start->addr.sa,
sa_len(&start->addr)) == -1)
{
strcpy(daemon->namebuff, "query");
if (start->addr.sa.sa_family == AF_INET)
log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
- (struct all_addr *)&start->addr.in.sin_addr, 0,
- NULL, 0);
+ (struct all_addr *)&start->addr.in.sin_addr, NULL);
#ifdef HAVE_IPV6
else
log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
- (struct all_addr *)&start->addr.in6.sin6_addr, 0,
- NULL, 0);
+ (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
#endif
+ start->queries++;
forwarded = 1;
forward->sentto = start;
if (!forward->forwardall)
}
if (forwarded)
- return;
+ return 1;
/* could not send on, prepare to return */
header->id = htons(forward->orig_id);
- forward->sentto = NULL; /* cancel */
+ free_frec(forward); /* cancel */
}
/* could not send on, return empty answer or address if known for whole domain */
if (udpfd != -1)
{
plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
- send_from(udpfd, daemon->options & OPT_NOWILD, (char *)header, plen, udpaddr, dst_addr, dst_iface);
+ send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
}
- return;
+ return 0;
}
-static size_t process_reply(HEADER *header, time_t now,
- struct server *server, size_t n)
+static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
+ int no_cache, int cache_secure, int check_subnet, union mysockaddr *query_source)
{
unsigned char *pheader, *sizep;
+ char **sets = 0;
int munged = 0, is_sign;
size_t plen;
+ int squash_ad = 0;
+#ifdef HAVE_IPSET
+ /* Similar algorithm to search_servers. */
+ struct ipsets *ipset_pos;
+ unsigned int namelen = strlen(daemon->namebuff);
+ unsigned int matchlen = 0;
+ for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
+ {
+ unsigned int domainlen = strlen(ipset_pos->domain);
+ char *matchstart = daemon->namebuff + namelen - domainlen;
+ if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
+ (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
+ domainlen >= matchlen) {
+ matchlen = domainlen;
+ sets = ipset_pos->sets;
+ }
+ }
+#endif
+
/* If upstream is advertising a larger UDP packet size
- than we allow, trim it so that we don't get overlarge
- requests for the client. We can't do this for signed packets. */
+ than we allow, trim it so that we don't get overlarge
+ requests for the client. We can't do this for signed packets. */
- if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)) && !is_sign)
+ if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
{
- unsigned short udpsz;
- unsigned char *psave = sizep;
+ if (!is_sign)
+ {
+ unsigned short udpsz;
+ unsigned char *psave = sizep;
+
+ GETSHORT(udpsz, sizep);
+ if (udpsz > daemon->edns_pktsz)
+ PUTSHORT(daemon->edns_pktsz, psave);
+ }
- GETSHORT(udpsz, sizep);
- if (udpsz > daemon->edns_pktsz)
- PUTSHORT(daemon->edns_pktsz, psave);
+ if (check_subnet && !check_source(header, plen, pheader, query_source))
+ {
+ my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
+ return 0;
+ }
}
+
+ /* RFC 4035 sect 4.6 para 3 */
+ if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
+ squash_ad = 1;
+
+#ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID))
+ squash_ad = no_cache;
- if (header->opcode != QUERY || (header->rcode != NOERROR && header->rcode != NXDOMAIN))
+ if (cache_secure)
+ header->hb4 |= HB4_AD;
+#endif
+
+ if (squash_ad)
+ header->hb4 &= ~HB4_AD;
+
+ if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
return n;
/* Complain loudly if the upstream server is non-recursive. */
- if (!header->ra && header->rcode == NOERROR && ntohs(header->ancount) == 0 &&
+ if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
server && !(server->flags & SERV_WARNED_RECURSIVE))
{
prettyprint_addr(&server->addr, daemon->namebuff);
my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
- if (!(daemon->options & OPT_LOG))
+ if (!option_bool(OPT_LOG))
server->flags |= SERV_WARNED_RECURSIVE;
}
-
- if (daemon->bogus_addr && header->rcode != NXDOMAIN &&
+
+ if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
{
munged = 1;
- header->rcode = NXDOMAIN;
- header->aa = 0;
+ SET_RCODE(header, NXDOMAIN);
+ header->hb3 &= ~HB3_AA;
}
else
{
- if (header->rcode == NXDOMAIN &&
+ if (RCODE(header) == NXDOMAIN &&
extract_request(header, n, daemon->namebuff, NULL) &&
check_for_local_domain(daemon->namebuff, now))
{
an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
since we know that the domain exists, even if upstream doesn't */
munged = 1;
- header->aa = 1;
- header->rcode = NOERROR;
+ header->hb3 |= HB3_AA;
+ SET_RCODE(header, NOERROR);
}
- extract_addresses(header, n, daemon->namebuff, now);
+ if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure))
+ {
+ my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
+ munged = 1;
+ }
}
/* do this after extract_addresses. Ensure NODATA reply and remove
}
/* sets new last_server */
-void reply_query(struct serverfd *sfd, time_t now)
+void reply_query(int fd, int family, time_t now)
{
/* packet from peer server, extract data for cache, and send to
original requester */
- HEADER *header;
+ struct dns_header *header;
union mysockaddr serveraddr;
struct frec *forward;
socklen_t addrlen = sizeof(serveraddr);
- ssize_t n = recvfrom(sfd->fd, daemon->packet, daemon->edns_pktsz, 0, &serveraddr.sa, &addrlen);
+ ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
size_t nn;
-
+ struct server *server;
+
/* packet buffer overwritten */
daemon->srv_save = NULL;
/* Determine the address of the server replying so that we can mark that as good */
- serveraddr.sa.sa_family = sfd->source_addr.sa.sa_family;
+ serveraddr.sa.sa_family = family;
#ifdef HAVE_IPV6
if (serveraddr.sa.sa_family == AF_INET6)
serveraddr.in6.sin6_flowinfo = 0;
#endif
- header = (HEADER *)daemon->packet;
+ /* spoof check: answer must come from known server, */
+ for (server = daemon->servers; server; server = server->next)
+ if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
+ sockaddr_isequal(&server->addr, &serveraddr))
+ break;
+
+ header = (struct dns_header *)daemon->packet;
- if (n >= (int)sizeof(HEADER) && header->qr &&
- (forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
+ if (!server ||
+ n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
+ !(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
+ return;
+
+ if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
+ !option_bool(OPT_ORDER) &&
+ forward->forwardall == 0)
+ /* for broken servers, attempt to send to another one. */
{
- struct server *server = forward->sentto;
+ unsigned char *pheader;
+ size_t plen;
+ int is_sign;
- if ((header->rcode == SERVFAIL || header->rcode == REFUSED) &&
- !(daemon->options & OPT_ORDER) &&
- forward->forwardall == 0)
- /* for broken servers, attempt to send to another one. */
+ /* recreate query from reply */
+ pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
+ if (!is_sign)
{
- unsigned char *pheader;
- size_t plen;
- int is_sign;
-
- /* recreate query from reply */
- pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
- if (!is_sign)
+ header->ancount = htons(0);
+ header->nscount = htons(0);
+ header->arcount = htons(0);
+ if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
{
- header->ancount = htons(0);
- header->nscount = htons(0);
- header->arcount = htons(0);
- if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
- {
- header->qr = 0;
- header->tc = 0;
- forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
- return;
- }
+ header->hb3 &= ~(HB3_QR | HB3_TC);
+ forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
+ return;
}
- }
+ }
+ }
+
+ server = forward->sentto;
+
+ if ((forward->sentto->flags & SERV_TYPE) == 0)
+ {
+ if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
+ server = NULL;
+ else
+ {
+ struct server *last_server;
+
+ /* find good server by address if possible, otherwise assume the last one we sent to */
+ for (last_server = daemon->servers; last_server; last_server = last_server->next)
+ if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
+ sockaddr_isequal(&last_server->addr, &serveraddr))
+ {
+ server = last_server;
+ break;
+ }
+ }
+ if (!option_bool(OPT_ALL_SERVERS))
+ daemon->last_server = server;
+ }
+
+ /* If the answer is an error, keep the forward record in place in case
+ we get a good reply from another server. Kill it when we've
+ had replies from all to avoid filling the forwarding table when
+ everything is broken */
+ if (forward->forwardall == 0 || --forward->forwardall == 1 ||
+ (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
+ {
+ int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
+
+ if (option_bool(OPT_NO_REBIND))
+ check_rebind = !(forward->flags & FREC_NOREBIND);
+
+ /* Don't cache replies where DNSSEC validation was turned off, either
+ the upstream server told us so, or the original query specified it. */
+ if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
+ no_cache_dnssec = 1;
- if ((forward->sentto->flags & SERV_TYPE) == 0)
+#ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
{
- if (header->rcode == SERVFAIL || header->rcode == REFUSED)
- server = NULL;
+ int status;
+
+ /* We've had a reply already, which we're validating. Ignore this duplicate */
+ if (forward->stash)
+ return;
+
+ if (header->hb3 & HB3_TC)
+ {
+ /* Truncated answer can't be validated.
+ The client will retry over TCP, but if this is an answer to a
+ DNSSEC-generated query, we have a problem. Should really re-send
+ over TCP. No-one with any sense will make a DNSKEY or DS RRset
+ exceed 4096, so this may not be a real problem. Just log
+ for now. */
+ if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
+ my_syslog(LOG_ERR, _("Reply to DNSSEC query truncated - validation fails."));
+ status = STAT_INSECURE;
+ }
+ else if (forward->flags & FREC_DNSKEY_QUERY)
+ status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
+ else if (forward->flags & FREC_DS_QUERY)
+ status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
else
+ status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
+
+ /* Can't validate, as we're missing key data. Put this
+ answer aside, whilst we get that. */
+ if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
{
- struct server *last_server;
- /* find good server by address if possible, otherwise assume the last one we sent to */
- for (last_server = daemon->servers; last_server; last_server = last_server->next)
- if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
- sockaddr_isequal(&last_server->addr, &serveraddr))
- {
- server = last_server;
- break;
- }
- }
- daemon->last_server = server;
+ struct frec *new;
+
+ if ((new = get_new_frec(now, NULL, 1)))
+ {
+ struct frec *next = new->next;
+ *new = *forward; /* copy everything, then overwrite */
+ new->next = next;
+ new->stash = NULL;
+ new->blocking_query = NULL;
+ new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY);
+
+ if ((forward->stash = blockdata_alloc((char *)header, n)))
+ {
+ int fd;
+
+ forward->stash_len = n;
+
+ new->dependent = forward; /* to find query awaiting new one. */
+ forward->blocking_query = new; /* for garbage cleaning */
+ /* validate routines leave name of required record in daemon->keyname */
+ if (status == STAT_NEED_KEY)
+ {
+ new->flags |= FREC_DNSKEY_QUERY;
+ nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
+ daemon->keyname, forward->class, T_DNSKEY, &server->addr);
+ }
+ else if (status == STAT_NEED_DS)
+ {
+ new->flags |= FREC_DS_QUERY;
+ nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
+ daemon->keyname, forward->class, T_DS, &server->addr);
+ }
+ new->crc = questions_crc(header, nn, daemon->namebuff);
+ new->new_id = get_id(new->crc);
+ header->id = htons(new->new_id);
+
+ /* Don't resend this. */
+ daemon->srv_save = NULL;
+
+ if (server->sfd)
+ fd = server->sfd->fd;
+ else
+#ifdef HAVE_IPV6
+ /* Note that we use the same random port for the DNSSEC stuff */
+ if (server->addr.sa.sa_family == AF_INET6)
+ {
+ fd = new->rfd6->fd;
+ new->rfd6->refcount++;
+ }
+ else
+#endif
+ {
+ fd = new->rfd4->fd;
+ new->rfd4->refcount++;
+ }
+
+ /* Send DNSSEC query to same server as original query */
+ while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
+ server->queries++;
+ }
+ }
+
+ return;
+ }
+
+ /* Ok, we reached far enough up the chain-of-trust that we can validate something.
+ Now wind back down, pulling back answers which wouldn't previously validate
+ and validate them with the new data. Failure to find needed data here is an internal error.
+ Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
+ return it to the original requestor. */
+ if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
+ {
+ while (forward->dependent)
+ {
+ struct frec *prev;
+
+ if (status == STAT_SECURE)
+ {
+ if (forward->flags & FREC_DNSKEY_QUERY)
+ status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
+ else if (forward->flags & FREC_DS_QUERY)
+ status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
+ }
+
+ prev = forward->dependent;
+ free_frec(forward);
+ forward = prev;
+ forward->blocking_query = NULL; /* already gone */
+ blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
+ n = forward->stash_len;
+ }
+
+ /* All DNSKEY and DS records done and in cache, now finally validate original
+ answer, provided last DNSKEY is OK. */
+ if (status == STAT_SECURE)
+ status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
+
+ if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
+ {
+ my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
+ status = STAT_INSECURE;
+ }
+ }
+
+ log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
+ status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
+
+ no_cache_dnssec = 0;
+
+ if (status == STAT_SECURE)
+ cache_secure = 1;
+ /* TODO return SERVFAIL here */
+ else if (status == STAT_BOGUS)
+ no_cache_dnssec = 1;
+
+ /* restore CD bit to the value in the query */
+ if (forward->flags & FREC_CHECKING_DISABLED)
+ header->hb4 |= HB4_CD;
+ else
+ header->hb4 &= ~HB4_CD;
}
+#endif
- /* If the answer is an error, keep the forward record in place in case
- we get a good reply from another server. Kill it when we've
- had replies from all to avoid filling the forwarding table when
- everything is broken */
- if (forward->forwardall == 0 || --forward->forwardall == 1 ||
- (header->rcode != REFUSED && header->rcode != SERVFAIL))
+ if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
+ forward->flags & FREC_HAS_SUBNET, &forward->source)))
{
- if ((nn = process_reply(header, now, server, (size_t)n)))
- {
- header->id = htons(forward->orig_id);
- header->ra = 1; /* recursion if available */
- send_from(forward->fd, daemon->options & OPT_NOWILD, daemon->packet, nn,
- &forward->source, &forward->dest, forward->iface);
- }
- forward->sentto = NULL; /* cancel */
+ header->id = htons(forward->orig_id);
+ header->hb4 |= HB4_RA; /* recursion if available */
+ send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
+ &forward->source, &forward->dest, forward->iface);
}
+ free_frec(forward); /* cancel */
}
}
+
void receive_query(struct listener *listen, time_t now)
{
- HEADER *header = (HEADER *)daemon->packet;
+ struct dns_header *header = (struct dns_header *)daemon->packet;
union mysockaddr source_addr;
unsigned short type;
struct all_addr dst_addr;
struct in_addr netmask, dst_addr_4;
size_t m;
ssize_t n;
- int if_index = 0;
+ int if_index = 0, auth_dns = 0;
+#ifdef HAVE_AUTH
+ int local_auth = 0;
+#endif
struct iovec iov[1];
struct msghdr msg;
struct cmsghdr *cmptr;
#endif
#if defined(HAVE_LINUX_NETWORK)
char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
+#elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
+ char control[CMSG_SPACE(sizeof(struct in_addr)) +
+ CMSG_SPACE(sizeof(unsigned int))];
#elif defined(IP_RECVDSTADDR)
char control[CMSG_SPACE(sizeof(struct in_addr)) +
CMSG_SPACE(sizeof(struct sockaddr_dl))];
#endif
} control_u;
-
+#ifdef HAVE_IPV6
+ /* Can always get recvd interface for IPv6 */
+ int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
+#else
+ int check_dst = !option_bool(OPT_NOWILD);
+#endif
+
/* packet buffer overwritten */
daemon->srv_save = NULL;
- if (listen->family == AF_INET && (daemon->options & OPT_NOWILD))
- {
- dst_addr_4 = listen->iface->addr.in.sin_addr;
- netmask = listen->iface->netmask;
- }
- else
+ dst_addr_4.s_addr = 0;
+ netmask.s_addr = 0;
+
+ if (option_bool(OPT_NOWILD) && listen->iface)
{
- dst_addr_4.s_addr = 0;
- netmask.s_addr = 0;
+ auth_dns = listen->iface->dns_auth;
+
+ if (listen->family == AF_INET)
+ {
+ dst_addr_4 = listen->iface->addr.in.sin_addr;
+ netmask = listen->iface->netmask;
+ }
}
-
+
iov[0].iov_base = daemon->packet;
iov[0].iov_len = daemon->edns_pktsz;
if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
return;
- if (n < (int)sizeof(HEADER) ||
+ if (n < (int)sizeof(struct dns_header) ||
(msg.msg_flags & MSG_TRUNC) ||
- header->qr)
+ (header->hb3 & HB3_QR))
return;
source_addr.sa.sa_family = listen->family;
if (listen->family == AF_INET6)
source_addr.in6.sin6_flowinfo = 0;
#endif
-
- if (!(daemon->options & OPT_NOWILD))
+
+ if (check_dst)
{
struct ifreq ifr;
#if defined(HAVE_LINUX_NETWORK)
if (listen->family == AF_INET)
for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
- if (cmptr->cmsg_level == SOL_IP && cmptr->cmsg_type == IP_PKTINFO)
+ if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
{
- dst_addr_4 = dst_addr.addr.addr4 = ((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_spec_dst;
- if_index = ((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_ifindex;
+ union {
+ unsigned char *c;
+ struct in_pktinfo *p;
+ } p;
+ p.c = CMSG_DATA(cmptr);
+ dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
+ if_index = p.p->ipi_ifindex;
}
#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
if (listen->family == AF_INET)
{
for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
- if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
- dst_addr_4 = dst_addr.addr.addr4 = *((struct in_addr *)CMSG_DATA(cmptr));
- else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
- if_index = ((struct sockaddr_dl *)CMSG_DATA(cmptr))->sdl_index;
+ {
+ union {
+ unsigned char *c;
+ unsigned int *i;
+ struct in_addr *a;
+#ifndef HAVE_SOLARIS_NETWORK
+ struct sockaddr_dl *s;
+#endif
+ } p;
+ p.c = CMSG_DATA(cmptr);
+ if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
+ dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
+ else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
+#ifdef HAVE_SOLARIS_NETWORK
+ if_index = *(p.i);
+#else
+ if_index = p.s->sdl_index;
+#endif
+ }
}
#endif
if (listen->family == AF_INET6)
{
for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
- if (cmptr->cmsg_level == IPV6_LEVEL && cmptr->cmsg_type == IPV6_PKTINFO)
+ if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
{
- dst_addr.addr.addr6 = ((struct in6_pktinfo *)CMSG_DATA(cmptr))->ipi6_addr;
- if_index =((struct in6_pktinfo *)CMSG_DATA(cmptr))->ipi6_ifindex;
+ union {
+ unsigned char *c;
+ struct in6_pktinfo *p;
+ } p;
+ p.c = CMSG_DATA(cmptr);
+
+ dst_addr.addr.addr6 = p.p->ipi6_addr;
+ if_index = p.p->ipi6_ifindex;
}
}
#endif
/* enforce available interface configuration */
- if (if_index == 0)
- return;
-
-#ifdef SIOCGIFNAME
- ifr.ifr_ifindex = if_index;
- if (ioctl(listen->fd, SIOCGIFNAME, &ifr) == -1)
- return;
-#else
- if (!if_indextoname(if_index, ifr.ifr_name))
- return;
-#endif
-
- if (!iface_check(listen->family, &dst_addr, &ifr, &if_index))
- return;
-
- if (listen->family == AF_INET &&
- (daemon->options & OPT_LOCALISE) &&
- ioctl(listen->fd, SIOCGIFNETMASK, &ifr) == -1)
+ if (!indextoname(listen->fd, if_index, ifr.ifr_name))
return;
- netmask = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
+ if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
+ {
+ if (!option_bool(OPT_CLEVERBIND))
+ enumerate_interfaces(0);
+ if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
+ !label_exception(if_index, listen->family, &dst_addr))
+ return;
+ }
+
+ if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
+ {
+ struct irec *iface;
+
+ /* get the netmask of the interface whch has the address we were sent to.
+ This is no neccessarily the interface we arrived on. */
+
+ for (iface = daemon->interfaces; iface; iface = iface->next)
+ if (iface->addr.sa.sa_family == AF_INET &&
+ iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
+ break;
+
+ /* interface may be new */
+ if (!iface && !option_bool(OPT_CLEVERBIND))
+ enumerate_interfaces(0);
+
+ for (iface = daemon->interfaces; iface; iface = iface->next)
+ if (iface->addr.sa.sa_family == AF_INET &&
+ iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
+ break;
+
+ /* If we failed, abandon localisation */
+ if (iface)
+ netmask = iface->netmask;
+ else
+ dst_addr_4.s_addr = 0;
+ }
}
if (extract_request(header, (size_t)n, daemon->namebuff, &type))
{
+ char types[20];
+#ifdef HAVE_AUTH
+ struct auth_zone *zone;
+#endif
+
+ querystr(auth_dns ? "auth" : "query", types, type);
+
if (listen->family == AF_INET)
log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
- (struct all_addr *)&source_addr.in.sin_addr, type, NULL, 0);
+ (struct all_addr *)&source_addr.in.sin_addr, types);
#ifdef HAVE_IPV6
else
log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
- (struct all_addr *)&source_addr.in6.sin6_addr, type, NULL, 0);
+ (struct all_addr *)&source_addr.in6.sin6_addr, types);
+#endif
+
+#ifdef HAVE_AUTH
+ /* find queries for zones we're authoritative for, and answer them directly */
+ if (!auth_dns)
+ for (zone = daemon->auth_zones; zone; zone = zone->next)
+ if (in_zone(zone, daemon->namebuff, NULL))
+ {
+ auth_dns = 1;
+ local_auth = 1;
+ break;
+ }
+#endif
+ }
+
+#ifdef HAVE_AUTH
+ if (auth_dns)
+ {
+ m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
+ if (m >= 1)
+ {
+ send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
+ (char *)header, m, &source_addr, &dst_addr, if_index);
+ daemon->auth_answer++;
+ }
+ }
+ else
#endif
+ {
+ m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
+ dst_addr_4, netmask, now);
+
+ if (m >= 1)
+ {
+ send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
+ (char *)header, m, &source_addr, &dst_addr, if_index);
+ daemon->local_answer++;
+ }
+ else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
+ header, (size_t)n, now, NULL))
+ daemon->queries_forwarded++;
+ else
+ daemon->local_answer++;
}
+}
+
+#ifdef HAVE_DNSSEC
+static int tcp_key_recurse(time_t now, int status, int class, char *keyname, struct server *server)
+{
+ /* Recurse up the key heirarchy */
+ size_t n;
+ unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
+ unsigned char *payload = &packet[2];
+ struct dns_header *header = (struct dns_header *)payload;
+ u16 *length = (u16 *)packet;
+ int new_status;
+ unsigned char c1, c2;
- m = answer_request (header, ((char *) header) + PACKETSZ, (size_t)n,
- dst_addr_4, netmask, now);
- if (m >= 1)
- send_from(listen->fd, daemon->options & OPT_NOWILD, (char *)header, m, &source_addr, &dst_addr, if_index);
+ n = dnssec_generate_query(header, ((char *) header) + 65536, keyname, class,
+ status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
+
+ *length = htons(n);
+
+ if (!read_write(server->tcpfd, packet, n + sizeof(u16), 0) ||
+ !read_write(server->tcpfd, &c1, 1, 1) ||
+ !read_write(server->tcpfd, &c2, 1, 1) ||
+ !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
+ {
+ close(server->tcpfd);
+ server->tcpfd = -1;
+ new_status = STAT_INSECURE;
+ }
else
- forward_query(listen->fd, &source_addr, &dst_addr, if_index,
- header, (size_t)n, now, NULL);
+ {
+ n = (c1 << 8) | c2;
+
+ if (status == STAT_NEED_KEY)
+ new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
+ else
+ new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
+
+ if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
+ {
+ if ((new_status = tcp_key_recurse(now, new_status, class, daemon->keyname, server) == STAT_SECURE))
+ {
+ if (status == STAT_NEED_KEY)
+ new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
+ else
+ new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
+
+ if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
+ {
+ my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
+ status = STAT_INSECURE;
+ }
+ }
+ }
+ }
+
+ free(packet);
+
+ return new_status;
}
+#endif
+
/* The daemon forks before calling this: it should deal with one connection,
blocking as neccessary, and then return. Note, need to be a bit careful
about resources for debug mode, when the fork is suppressed: that's
done by the caller. */
unsigned char *tcp_request(int confd, time_t now,
- struct in_addr local_addr, struct in_addr netmask)
+ union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
{
- int size = 0;
+ size_t size = 0;
+ int norebind = 0;
+#ifdef HAVE_AUTH
+ int local_auth = 0;
+#endif
+ int checking_disabled, check_subnet, no_cache_dnssec = 0, cache_secure = 0;
size_t m;
- unsigned short qtype, gotname;
+ unsigned short qtype;
+ unsigned int gotname;
unsigned char c1, c2;
- /* Max TCP packet + slop */
- unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ);
- HEADER *header;
+ /* Max TCP packet + slop + size */
+ unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
+ unsigned char *payload = &packet[2];
+ /* largest field in header is 16-bits, so this is still sufficiently aligned */
+ struct dns_header *header = (struct dns_header *)payload;
+ u16 *length = (u16 *)packet;
struct server *last_server;
+ struct in_addr dst_addr_4;
+ union mysockaddr peer_addr;
+ socklen_t peer_len = sizeof(union mysockaddr);
+ if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
+ return packet;
+
while (1)
{
if (!packet ||
!read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
!(size = c1 << 8 | c2) ||
- !read_write(confd, packet, size, 1))
+ !read_write(confd, payload, size, 1))
return packet;
- if (size < (int)sizeof(HEADER))
+ if (size < (int)sizeof(struct dns_header))
continue;
- header = (HEADER *)packet;
+ check_subnet = 0;
+
+ /* save state of "cd" flag in query */
+ if ((checking_disabled = header->hb4 & HB4_CD))
+ no_cache_dnssec = 1;
+
+ /* RFC 4035: sect 4.6 para 2 */
+ header->hb4 &= ~HB4_AD;
if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
{
- union mysockaddr peer_addr;
- socklen_t peer_len = sizeof(union mysockaddr);
+ char types[20];
+#ifdef HAVE_AUTH
+ struct auth_zone *zone;
+#endif
+ querystr(auth_dns ? "auth" : "query", types, qtype);
- if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) != -1)
- {
- if (peer_addr.sa.sa_family == AF_INET)
- log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
- (struct all_addr *)&peer_addr.in.sin_addr, qtype, NULL, 0);
+ if (peer_addr.sa.sa_family == AF_INET)
+ log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
+ (struct all_addr *)&peer_addr.in.sin_addr, types);
#ifdef HAVE_IPV6
- else
- log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
- (struct all_addr *)&peer_addr.in6.sin6_addr, qtype, NULL, 0);
+ else
+ log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
+ (struct all_addr *)&peer_addr.in6.sin6_addr, types);
+#endif
+
+#ifdef HAVE_AUTH
+ /* find queries for zones we're authoritative for, and answer them directly */
+ if (!auth_dns)
+ for (zone = daemon->auth_zones; zone; zone = zone->next)
+ if (in_zone(zone, daemon->namebuff, NULL))
+ {
+ auth_dns = 1;
+ local_auth = 1;
+ break;
+ }
#endif
- }
}
- /* m > 0 if answered from cache */
- m = answer_request(header, ((char *) header) + 65536, (unsigned int)size,
- local_addr, netmask, now);
-
- /* Do this by steam now we're not in the select() loop */
- check_log_writer(NULL);
+ if (local_addr->sa.sa_family == AF_INET)
+ dst_addr_4 = local_addr->in.sin_addr;
+ else
+ dst_addr_4.s_addr = 0;
- if (m == 0)
+#ifdef HAVE_AUTH
+ if (auth_dns)
+ m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
+ else
+#endif
{
- unsigned short flags = 0;
- struct all_addr *addrp = NULL;
- int type = 0;
- char *domain = NULL;
+ /* m > 0 if answered from cache */
+ m = answer_request(header, ((char *) header) + 65536, (size_t)size,
+ dst_addr_4, netmask, now);
- if (gotname)
- flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain);
+ /* Do this by steam now we're not in the select() loop */
+ check_log_writer(NULL);
- if (type != 0 || (daemon->options & OPT_ORDER) || !daemon->last_server)
- last_server = daemon->servers;
- else
- last_server = daemon->last_server;
-
- if (!flags && last_server)
+ if (m == 0)
{
- struct server *firstsendto = NULL;
- unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
-
- /* Loop round available servers until we succeed in connecting to one.
- Note that this code subtley ensures that consecutive queries on this connection
- which can go to the same server, do so. */
- while (1)
+ unsigned int flags = 0;
+ struct all_addr *addrp = NULL;
+ int type = 0;
+ char *domain = NULL;
+
+ if (option_bool(OPT_ADD_MAC))
+ size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
+
+ if (option_bool(OPT_CLIENT_SUBNET))
{
- if (!firstsendto)
- firstsendto = last_server;
- else
+ size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
+ if (size != new)
{
- if (!(last_server = last_server->next))
- last_server = daemon->servers;
-
- if (last_server == firstsendto)
- break;
+ size = new;
+ check_subnet = 1;
}
+ }
+
+ if (gotname)
+ flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
- /* server for wrong domain */
- if (type != (last_server->flags & SERV_TYPE) ||
- (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
- continue;
-
- if ((last_server->tcpfd == -1) &&
- (last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) != -1 &&
- connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1)
- {
- close(last_server->tcpfd);
- last_server->tcpfd = -1;
- }
-
- if (last_server->tcpfd == -1)
- continue;
-
- c1 = size >> 8;
- c2 = size;
-
- if (!read_write(last_server->tcpfd, &c1, 1, 0) ||
- !read_write(last_server->tcpfd, &c2, 1, 0) ||
- !read_write(last_server->tcpfd, packet, size, 0) ||
- !read_write(last_server->tcpfd, &c1, 1, 1) ||
- !read_write(last_server->tcpfd, &c2, 1, 1))
- {
- close(last_server->tcpfd);
- last_server->tcpfd = -1;
- continue;
- }
+ if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
+ last_server = daemon->servers;
+ else
+ last_server = daemon->last_server;
- m = (c1 << 8) | c2;
- if (!read_write(last_server->tcpfd, packet, m, 1))
- return packet;
+ if (!flags && last_server)
+ {
+ struct server *firstsendto = NULL;
+ unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
- if (!gotname)
- strcpy(daemon->namebuff, "query");
- if (last_server->addr.sa.sa_family == AF_INET)
- log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
- (struct all_addr *)&last_server->addr.in.sin_addr, 0, NULL, 0);
+ /* Loop round available servers until we succeed in connecting to one.
+ Note that this code subtley ensures that consecutive queries on this connection
+ which can go to the same server, do so. */
+ while (1)
+ {
+ if (!firstsendto)
+ firstsendto = last_server;
+ else
+ {
+ if (!(last_server = last_server->next))
+ last_server = daemon->servers;
+
+ if (last_server == firstsendto)
+ break;
+ }
+
+ /* server for wrong domain */
+ if (type != (last_server->flags & SERV_TYPE) ||
+ (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
+ continue;
+
+ if (last_server->tcpfd == -1)
+ {
+ if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
+ continue;
+
+ if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
+ connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
+ {
+ close(last_server->tcpfd);
+ last_server->tcpfd = -1;
+ continue;
+ }
+
+#ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID))
+ {
+ size = add_do_bit(header, size, ((char *) header) + 65536);
+ header->hb4 |= HB4_CD;
+ }
+#endif
+
+#ifdef HAVE_CONNTRACK
+ /* Copy connection mark of incoming query to outgoing connection. */
+ if (option_bool(OPT_CONNTRACK))
+ {
+ unsigned int mark;
+ struct all_addr local;
+#ifdef HAVE_IPV6
+ if (local_addr->sa.sa_family == AF_INET6)
+ local.addr.addr6 = local_addr->in6.sin6_addr;
+ else
+#endif
+ local.addr.addr4 = local_addr->in.sin_addr;
+
+ if (get_incoming_mark(&peer_addr, &local, 1, &mark))
+ setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
+ }
+#endif
+ }
+
+ *length = htons(size);
+
+ if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
+ !read_write(last_server->tcpfd, &c1, 1, 1) ||
+ !read_write(last_server->tcpfd, &c2, 1, 1) ||
+ !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
+ {
+ close(last_server->tcpfd);
+ last_server->tcpfd = -1;
+ continue;
+ }
+
+ m = (c1 << 8) | c2;
+
+ if (!gotname)
+ strcpy(daemon->namebuff, "query");
+ if (last_server->addr.sa.sa_family == AF_INET)
+ log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
+ (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
#ifdef HAVE_IPV6
- else
- log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
- (struct all_addr *)&last_server->addr.in6.sin6_addr, 0, NULL, 0);
+ else
+ log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
+ (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
#endif
-
- /* There's no point in updating the cache, since this process will exit and
- lose the information after a few queries. We make this call for the alias and
- bogus-nxdomain side-effects. */
- /* If the crc of the question section doesn't match the crc we sent, then
- someone might be attempting to insert bogus values into the cache by
- sending replies containing questions and bogus answers. */
- if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
- m = process_reply(header, now, last_server, (unsigned int)m);
-
- break;
+
+#ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
+ {
+ int class, status;
+
+ status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
+
+ if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
+ {
+ if ((status = tcp_key_recurse(now, status, class, daemon->keyname, last_server)) == STAT_SECURE)
+ status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
+ }
+
+ log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
+ status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
+
+ if (status == STAT_BOGUS)
+ no_cache_dnssec = 1;
+
+ if (status == STAT_SECURE)
+ cache_secure = 1;
+ }
+#endif
+
+ /* restore CD bit to the value in the query */
+ if (checking_disabled)
+ header->hb4 |= HB4_CD;
+ else
+ header->hb4 &= ~HB4_CD;
+
+ /* There's no point in updating the cache, since this process will exit and
+ lose the information after a few queries. We make this call for the alias and
+ bogus-nxdomain side-effects. */
+ /* If the crc of the question section doesn't match the crc we sent, then
+ someone might be attempting to insert bogus values into the cache by
+ sending replies containing questions and bogus answers. */
+ if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
+ m = process_reply(header, now, last_server, (unsigned int)m,
+ option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
+ cache_secure, check_subnet, &peer_addr);
+
+ break;
+ }
}
+
+ /* In case of local answer or no connections made. */
+ if (m == 0)
+ m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
}
-
- /* In case of local answer or no connections made. */
- if (m == 0)
- m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
}
-
+
check_log_writer(NULL);
- c1 = m>>8;
- c2 = m;
- if (!read_write(confd, &c1, 1, 0) ||
- !read_write(confd, &c2, 1, 0) ||
- !read_write(confd, packet, m, 0))
+ *length = htons(m);
+
+ if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
return packet;
}
}
if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
{
- f->next = frec_list;
+ f->next = daemon->frec_list;
f->time = now;
f->sentto = NULL;
- frec_list = f;
+ f->rfd4 = NULL;
+ f->flags = 0;
+#ifdef HAVE_IPV6
+ f->rfd6 = NULL;
+#endif
+#ifdef HAVE_DNSSEC
+ f->blocking_query = NULL;
+#endif
+ daemon->frec_list = f;
}
return f;
}
+static struct randfd *allocate_rfd(int family)
+{
+ static int finger = 0;
+ int i;
+
+ /* limit the number of sockets we have open to avoid starvation of
+ (eg) TFTP. Once we have a reasonable number, randomness should be OK */
+
+ for (i = 0; i < RANDOM_SOCKS; i++)
+ if (daemon->randomsocks[i].refcount == 0)
+ {
+ if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
+ break;
+
+ daemon->randomsocks[i].refcount = 1;
+ daemon->randomsocks[i].family = family;
+ return &daemon->randomsocks[i];
+ }
+
+ /* No free ones or cannot get new socket, grab an existing one */
+ for (i = 0; i < RANDOM_SOCKS; i++)
+ {
+ int j = (i+finger) % RANDOM_SOCKS;
+ if (daemon->randomsocks[j].refcount != 0 &&
+ daemon->randomsocks[j].family == family &&
+ daemon->randomsocks[j].refcount != 0xffff)
+ {
+ finger = j;
+ daemon->randomsocks[j].refcount++;
+ return &daemon->randomsocks[j];
+ }
+ }
+
+ return NULL; /* doom */
+}
+static void free_frec(struct frec *f)
+{
+ if (f->rfd4 && --(f->rfd4->refcount) == 0)
+ close(f->rfd4->fd);
+
+ f->rfd4 = NULL;
+ f->sentto = NULL;
+ f->flags = 0;
+
+#ifdef HAVE_IPV6
+ if (f->rfd6 && --(f->rfd6->refcount) == 0)
+ close(f->rfd6->fd);
+
+ f->rfd6 = NULL;
+#endif
+
+#ifdef HAVE_DNSSEC
+ if (f->stash)
+ {
+ blockdata_free(f->stash);
+ f->stash = NULL;
+ }
+
+ /* Anything we're waiting on is pointless now, too */
+ if (f->blocking_query)
+ free_frec(f->blocking_query);
+ f->blocking_query = NULL;
+
+#endif
+}
+
/* if wait==NULL return a free or older than TIMEOUT record.
else return *wait zero if one available, or *wait is delay to
- when the oldest in-use record will expire. */
-struct frec *get_new_frec(time_t now, int *wait)
+ when the oldest in-use record will expire. Impose an absolute
+ limit of 4*TIMEOUT before we wipe things (for random sockets).
+ If force is set, always return a result, even if we have
+ to allocate above the limit. */
+struct frec *get_new_frec(time_t now, int *wait, int force)
{
- struct frec *f, *oldest;
+ struct frec *f, *oldest, *target;
int count;
if (wait)
*wait = 0;
- for (f = frec_list, oldest = NULL, count = 0; f; f = f->next, count++)
+ for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
if (!f->sentto)
+ target = f;
+ else
{
- f->time = now;
- return f;
+ if (difftime(now, f->time) >= 4*TIMEOUT)
+ {
+ free_frec(f);
+ target = f;
+ }
+
+ if (!oldest || difftime(f->time, oldest->time) <= 0)
+ oldest = f;
}
- else if (!oldest || difftime(f->time, oldest->time) <= 0)
- oldest = f;
+
+ if (target)
+ {
+ target->time = now;
+ return target;
+ }
/* can't find empty one, use oldest if there is one
and it's older than timeout */
if (!wait)
{
- oldest->sentto = 0;
+ free_frec(oldest);
oldest->time = now;
}
return oldest;
}
/* none available, calculate time 'till oldest record expires */
- if (count > daemon->ftabsize)
+ if (!force && count > daemon->ftabsize)
{
+ static time_t last_log = 0;
+
if (oldest && wait)
*wait = oldest->time + (time_t)TIMEOUT - now;
+
+ if ((int)difftime(now, last_log) > 5)
+ {
+ last_log = now;
+ my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
+ }
+
return NULL;
}
{
struct frec *f;
- for(f = frec_list; f; f = f->next)
+ for(f = daemon->frec_list; f; f = f->next)
if (f->sentto && f->new_id == id &&
(f->crc == crc || crc == 0xffffffff))
return f;
{
struct frec *f;
- for(f = frec_list; f; f = f->next)
+ for(f = daemon->frec_list; f; f = f->next)
if (f->sentto &&
f->orig_id == id &&
f->crc == crc &&
{
struct frec *f;
- for (f = frec_list; f; f = f->next)
+ for (f = daemon->frec_list; f; f = f->next)
if (f->sentto && f->sentto == server)
- f->sentto = NULL;
+ free_frec(f);
if (daemon->last_server == server)
daemon->last_server = NULL;
daemon->srv_save = NULL;
}
-/* return unique random ids.
- For signed packets we can't change the ID without breaking the
- signing, so we keep the same one. In this case force is set, and this
- routine degenerates into killing any conflicting forward record. */
-static unsigned short get_id(int force, unsigned short force_id, unsigned int crc)
+/* return unique random ids. */
+static unsigned short get_id(unsigned int crc)
{
unsigned short ret = 0;
- if (force)
- {
- struct frec *f = lookup_frec(force_id, crc);
- if (f)
- f->sentto = NULL; /* free */
- ret = force_id;
- }
- else do
+ do
ret = rand16();
while (lookup_frec(ret, crc));
projects / people / ms / dnsmasq.git / blobdiff