]> git.ipfire.org Git - people/ms/dnsmasq.git/blame - src/forward.c
projects / people / ms / dnsmasq.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Tweak EDNS timeout code.
[people/ms/dnsmasq.git] / src / forward.c
CommitLineData
aff33962 1/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
9e4abcb5
SK		 2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
824af85b
SK		 5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
9e4abcb5
SK		 8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
824af85b 12
73a08a24
SK		 13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
9e4abcb5
SK		 15*/
16
9e4abcb5
SK		 17#include "dnsmasq.h"
18
8a9be9e4 19static struct frec *lookup_frec(unsigned short id, void *hash);
9e4abcb5 20static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481 21 union mysockaddr *addr,
8a9be9e4
SK		 22 void *hash);
23static unsigned short get_id(void);
1a6bca81 24static void free_frec(struct frec *f);
9e4abcb5 25
00a5b5d4
SK		 26#ifdef HAVE_DNSSEC
27static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
28 int class, char *name, char *keyname, struct server *server, int *keycount);
97e618a0
SK		 29static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname);
30static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
31 char *name, char *keyname);
00a5b5d4
SK		 32#endif
33
34
824af85b 35/* Send a UDP packet with its source address set as "source"
44a2a316 36 unless nowild is true, when we just send it with the kernel default */
29689cfa
SK		 37int send_from(int fd, int nowild, char *packet, size_t len,
38 union mysockaddr *to, struct all_addr *source,
50303b19 39 unsigned int iface)
9e4abcb5 40{
44a2a316
SK		 41 struct msghdr msg;
42 struct iovec iov[1];
44a2a316
SK		 43 union {
44 struct cmsghdr align; /* this ensures alignment */
5e9e0efb 45#if defined(HAVE_LINUX_NETWORK)
44a2a316
SK		 46 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
47#elif defined(IP_SENDSRCADDR)
48 char control[CMSG_SPACE(sizeof(struct in_addr))];
49#endif
50#ifdef HAVE_IPV6
51 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
52#endif
53 } control_u;
feba5c1d 54
44a2a316
SK		 55 iov[0].iov_base = packet;
56 iov[0].iov_len = len;
57
feba5c1d
SK		 58 msg.msg_control = NULL;
59 msg.msg_controllen = 0;
44a2a316
SK		 60 msg.msg_flags = 0;
61 msg.msg_name = to;
62 msg.msg_namelen = sa_len(to);
63 msg.msg_iov = iov;
64 msg.msg_iovlen = 1;
feba5c1d 65
26128d27 66 if (!nowild)
44a2a316 67 {
26128d27 68 struct cmsghdr *cmptr;
feba5c1d
SK		 69 msg.msg_control = &control_u;
70 msg.msg_controllen = sizeof(control_u);
26128d27
SK		 71 cmptr = CMSG_FIRSTHDR(&msg);
72
73 if (to->sa.sa_family == AF_INET)
74 {
5e9e0efb 75#if defined(HAVE_LINUX_NETWORK)
8ef5ada2
SK		 76 struct in_pktinfo p;
77 p.ipi_ifindex = 0;
78 p.ipi_spec_dst = source->addr.addr4;
79 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 80 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
c72daea8 81 cmptr->cmsg_level = IPPROTO_IP;
26128d27 82 cmptr->cmsg_type = IP_PKTINFO;
44a2a316 83#elif defined(IP_SENDSRCADDR)
8ef5ada2 84 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
26128d27
SK		 85 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
86 cmptr->cmsg_level = IPPROTO_IP;
87 cmptr->cmsg_type = IP_SENDSRCADDR;
44a2a316 88#endif
26128d27 89 }
26128d27 90 else
b8187c80 91#ifdef HAVE_IPV6
26128d27 92 {
8ef5ada2
SK		 93 struct in6_pktinfo p;
94 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
95 p.ipi6_addr = source->addr.addr6;
96 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 97 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
316e2730 98 cmptr->cmsg_type = daemon->v6pktinfo;
c72daea8 99 cmptr->cmsg_level = IPPROTO_IPV6;
26128d27 100 }
3d8df260 101#else
c72daea8 102 (void)iface; /* eliminate warning */
44a2a316 103#endif
26128d27 104 }
feba5c1d 105
ff841ebf
SK		 106 while (retry_send(sendmsg(fd, &msg, 0)));
107
108 /* If interface is still in DAD, EINVAL results - ignore that. */
109 if (errno != 0 && errno != EINVAL)
feba5c1d 110 {
29d28dda 111 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
29689cfa 112 return 0;
feba5c1d 113 }
29d28dda 114
29689cfa 115 return 1;
9e4abcb5 116}
44a2a316 117
28866e95
SK		 118static unsigned int search_servers(time_t now, struct all_addr **addrpp,
119 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
feba5c1d
SK		 120
121{
122 /* If the query ends in the domain in one of our servers, set
123 domain to point to that name. We find the largest match to allow both
124 domain.org and sub.domain.org to exist. */
125
126 unsigned int namelen = strlen(qdomain);
127 unsigned int matchlen = 0;
128 struct server *serv;
28866e95 129 unsigned int flags = 0;
feba5c1d 130
3be34541 131 for (serv = daemon->servers; serv; serv=serv->next)
feba5c1d 132 /* domain matches take priority over NODOTS matches */
3d8df260 133 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
feba5c1d 134 {
28866e95 135 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
feba5c1d 136 *type = SERV_FOR_NODOTS;
feba5c1d 137 if (serv->flags & SERV_NO_ADDR)
36717eee
SK		 138 flags = F_NXDOMAIN;
139 else if (serv->flags & SERV_LITERAL_ADDRESS)
140 {
141 if (sflag & qtype)
142 {
143 flags = sflag;
144 if (serv->addr.sa.sa_family == AF_INET)
145 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 146#ifdef HAVE_IPV6
36717eee
SK		 147 else
148 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 149#endif
36717eee 150 }
824af85b 151 else if (!flags || (flags & F_NXDOMAIN))
36717eee
SK		 152 flags = F_NOERR;
153 }
feba5c1d
SK		 154 }
155 else if (serv->flags & SERV_HAS_DOMAIN)
156 {
157 unsigned int domainlen = strlen(serv->domain);
b8187c80 158 char *matchstart = qdomain + namelen - domainlen;
feba5c1d 159 if (namelen >= domainlen &&
b8187c80 160 hostname_isequal(matchstart, serv->domain) &&
8ef5ada2 161 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
feba5c1d 162 {
8ef5ada2
SK		 163 if (serv->flags & SERV_NO_REBIND)
164 *norebind = 1;
28866e95 165 else
feba5c1d 166 {
28866e95
SK		 167 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
168 /* implement priority rules for --address and --server for same domain.
169 --address wins if the address is for the correct AF
170 --server wins otherwise. */
171 if (domainlen != 0 && domainlen == matchlen)
36717eee 172 {
28866e95 173 if ((serv->flags & SERV_LITERAL_ADDRESS))
8ef5ada2 174 {
28866e95
SK		 175 if (!(sflag & qtype) && flags == 0)
176 continue;
177 }
178 else
179 {
180 if (flags & (F_IPV4 | F_IPV6))
181 continue;
182 }
183 }
184
185 if (domainlen >= matchlen)
186 {
187 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
188 *domain = serv->domain;
189 matchlen = domainlen;
190 if (serv->flags & SERV_NO_ADDR)
191 flags = F_NXDOMAIN;
192 else if (serv->flags & SERV_LITERAL_ADDRESS)
193 {
194 if (sflag & qtype)
195 {
196 flags = sflag;
197 if (serv->addr.sa.sa_family == AF_INET)
198 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 199#ifdef HAVE_IPV6
28866e95
SK		 200 else
201 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 202#endif
28866e95
SK		 203 }
204 else if (!flags || (flags & F_NXDOMAIN))
205 flags = F_NOERR;
8ef5ada2 206 }
28866e95
SK		 207 else
208 flags = 0;
209 }
210 }
8ef5ada2 211 }
feba5c1d 212 }
8ef5ada2 213
7de060b0 214 if (flags == 0 && !(qtype & F_QUERY) &&
28866e95 215 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
7de060b0
SK		 216 /* don't forward A or AAAA queries for simple names, except the empty name */
217 flags = F_NOERR;
8ef5ada2 218
5aabfc78 219 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
c1bb8504 220 flags = F_NOERR;
feba5c1d 221
824af85b
SK		 222 if (flags)
223 {
224 int logflags = 0;
225
226 if (flags == F_NXDOMAIN || flags == F_NOERR)
227 logflags = F_NEG | qtype;
228
1a6bca81 229 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
824af85b 230 }
8ef5ada2
SK		 231 else if ((*type) & SERV_USE_RESOLV)
232 {
233 *type = 0; /* use normal servers for this domain */
234 *domain = NULL;
235 }
feba5c1d
SK		 236 return flags;
237}
44a2a316 238
824af85b
SK		 239static int forward_query(int udpfd, union mysockaddr *udpaddr,
240 struct all_addr *dst_addr, unsigned int dst_iface,
83349b8a 241 struct dns_header *header, size_t plen, time_t now,
613ad15d 242 struct frec *forward, int ad_reqd, int do_bit)
9e4abcb5 243{
9e4abcb5 244 char *domain = NULL;
8ef5ada2 245 int type = 0, norebind = 0;
9e4abcb5 246 struct all_addr *addrp = NULL;
28866e95 247 unsigned int flags = 0;
de37951c 248 struct server *start = NULL;
8a9be9e4
SK		 249#ifdef HAVE_DNSSEC
250 void *hash = hash_questions(header, plen, daemon->namebuff);
251#else
252 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
253 void *hash = &crc;
254#endif
255 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
a77cec8d 256 unsigned char *pheader;
8a9be9e4 257
00a5b5d4
SK		 258 (void)do_bit;
259
3d8df260
SK		 260 /* may be no servers available. */
261 if (!daemon->servers)
9e4abcb5 262 forward = NULL;
8a9be9e4 263 else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
9e4abcb5 264 {
a77cec8d
SK		 265 /* If we didn't get an answer advertising a maximal packet in EDNS,
266 fall back to 1280, which should work everywhere on IPv6.
267 If that generates an answer, it will become the new default
268 for this server */
269 forward->flags |= FREC_TEST_PKTSZ;
270
e0c0ad3b 271#ifdef HAVE_DNSSEC
dac74312 272 /* If we've already got an answer to this query, but we're awaiting keys for validation,
e0c0ad3b
SK		 273 there's no point retrying the query, retry the key query instead...... */
274 if (forward->blocking_query)
275 {
276 int fd;
a77cec8d
SK		 277
278 forward->flags &= ~FREC_TEST_PKTSZ;
279
e0c0ad3b
SK		 280 while (forward->blocking_query)
281 forward = forward->blocking_query;
a77cec8d
SK		 282
283 forward->flags |= FREC_TEST_PKTSZ;
e0c0ad3b
SK		 284
285 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
286 plen = forward->stash_len;
287
a77cec8d
SK		 288 if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
289 PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : forward->sentto->edns_pktsz, pheader);
290
2b29191e 291 if (forward->sentto->addr.sa.sa_family == AF_INET)
25cf5e37 292 log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
e0c0ad3b
SK		 293#ifdef HAVE_IPV6
294 else
25cf5e37 295 log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
e0c0ad3b
SK		 296#endif
297
298 if (forward->sentto->sfd)
299 fd = forward->sentto->sfd->fd;
300 else
301 {
302#ifdef HAVE_IPV6
303 if (forward->sentto->addr.sa.sa_family == AF_INET6)
304 fd = forward->rfd6->fd;
305 else
306#endif
307 fd = forward->rfd4->fd;
308 }
309
ff841ebf
SK		 310 while (retry_send( sendto(fd, (char *)header, plen, 0,
311 &forward->sentto->addr.sa,
312 sa_len(&forward->sentto->addr))));
e0c0ad3b
SK		 313
314 return 1;
315 }
316#endif
317
de37951c 318 /* retry on existing query, send to all available servers */
9e4abcb5 319 domain = forward->sentto->domain;
824af85b 320 forward->sentto->failed_queries++;
28866e95 321 if (!option_bool(OPT_ORDER))
de37951c 322 {
0a852541 323 forward->forwardall = 1;
3be34541 324 daemon->last_server = NULL;
de37951c 325 }
9e4abcb5 326 type = forward->sentto->flags & SERV_TYPE;
de37951c 327 if (!(start = forward->sentto->next))
3be34541 328 start = daemon->servers; /* at end of list, recycle */
9e4abcb5
SK		 329 header->id = htons(forward->new_id);
330 }
331 else
332 {
333 if (gotname)
8ef5ada2 334 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
9e4abcb5 335
3a237152 336 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
feba5c1d
SK		 337 /* table full - server failure. */
338 flags = F_NEG;
9e4abcb5
SK		 339
340 if (forward)
341 {
0a852541
SK		 342 forward->source = *udpaddr;
343 forward->dest = *dst_addr;
344 forward->iface = dst_iface;
0a852541 345 forward->orig_id = ntohs(header->id);
8a9be9e4 346 forward->new_id = get_id();
832af0ba 347 forward->fd = udpfd;
8a9be9e4 348 memcpy(forward->hash, hash, HASH_SIZE);
0a852541 349 forward->forwardall = 0;
ed4c0767 350 forward->flags = 0;
28866e95
SK		 351 if (norebind)
352 forward->flags |= FREC_NOREBIND;
572b41eb 353 if (header->hb4 & HB4_CD)
28866e95 354 forward->flags |= FREC_CHECKING_DISABLED;
83349b8a
SK		 355 if (ad_reqd)
356 forward->flags |= FREC_AD_QUESTION;
7fa836e1
SK		 357#ifdef HAVE_DNSSEC
358 forward->work_counter = DNSSEC_WORK;
613ad15d
SK		 359 if (do_bit)
360 forward->flags |= FREC_DO_QUESTION;
7fa836e1 361#endif
613ad15d 362
28866e95
SK		 363 header->id = htons(forward->new_id);
364
8ef5ada2
SK		 365 /* In strict_order mode, always try servers in the order
366 specified in resolv.conf, if a domain is given
367 always try all the available servers,
9e4abcb5
SK		 368 otherwise, use the one last known to work. */
369
8ef5ada2
SK		 370 if (type == 0)
371 {
28866e95 372 if (option_bool(OPT_ORDER))
8ef5ada2
SK		 373 start = daemon->servers;
374 else if (!(start = daemon->last_server) ||
375 daemon->forwardcount++ > FORWARD_TEST ||
376 difftime(now, daemon->forwardtime) > FORWARD_TIME)
377 {
378 start = daemon->servers;
379 forward->forwardall = 1;
380 daemon->forwardcount = 0;
381 daemon->forwardtime = now;
382 }
383 }
384 else
de37951c 385 {
3be34541 386 start = daemon->servers;
28866e95 387 if (!option_bool(OPT_ORDER))
8ef5ada2 388 forward->forwardall = 1;
de37951c 389 }
9e4abcb5
SK		 390 }
391 }
feba5c1d 392
9e4abcb5
SK		 393 /* check for send errors here (no route to host)
394 if we fail to send to all nameservers, send back an error
395 packet straight away (helps modem users when offline) */
396
397 if (!flags && forward)
398 {
de37951c
SK		 399 struct server *firstsentto = start;
400 int forwarded = 0;
28866e95 401
25cf5e37
SK		 402 /* If a query is retried, use the log_id for the retry when logging the answer. */
403 forward->log_id = daemon->log_id;
404
797a7afb 405 if (option_bool(OPT_ADD_MAC))
60b68069 406 plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
28866e95 407
ed4c0767
SK		 408 if (option_bool(OPT_CLIENT_SUBNET))
409 {
60b68069 410 size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
ed4c0767
SK		 411 if (new != plen)
412 {
413 plen = new;
414 forward->flags |= FREC_HAS_SUBNET;
415 }
416 }
417
3a237152
SK		 418#ifdef HAVE_DNSSEC
419 if (option_bool(OPT_DNSSEC_VALID))
0fc2f313 420 {
613ad15d
SK		 421 size_t new_plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
422
5b3bf921
SK		 423 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
424 this allows it to select auth servers when one is returning bad data. */
425 if (option_bool(OPT_DNSSEC_DEBUG))
426 header->hb4 |= HB4_CD;
613ad15d
SK		 427
428 if (new_plen != plen)
429 forward->flags |= FREC_ADDED_PHEADER;
430
431 plen = new_plen;
0fc2f313 432 }
3a237152 433#endif
a77cec8d 434
9e4abcb5
SK		 435 while (1)
436 {
9e4abcb5
SK		 437 /* only send to servers dealing with our domain.
438 domain may be NULL, in which case server->domain
439 must be NULL also. */
440
de37951c 441 if (type == (start->flags & SERV_TYPE) &&
fd9fa481 442 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
b5ea1cc2 443 !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
9e4abcb5 444 {
1a6bca81
SK		 445 int fd;
446
447 /* find server socket to use, may need to get random one. */
448 if (start->sfd)
449 fd = start->sfd->fd;
450 else
451 {
452#ifdef HAVE_IPV6
453 if (start->addr.sa.sa_family == AF_INET6)
454 {
455 if (!forward->rfd6 &&
456 !(forward->rfd6 = allocate_rfd(AF_INET6)))
457 break;
3927da46 458 daemon->rfd_save = forward->rfd6;
1a6bca81
SK		 459 fd = forward->rfd6->fd;
460 }
461 else
462#endif
463 {
464 if (!forward->rfd4 &&
465 !(forward->rfd4 = allocate_rfd(AF_INET)))
466 break;
3927da46 467 daemon->rfd_save = forward->rfd4;
1a6bca81
SK		 468 fd = forward->rfd4->fd;
469 }
7de060b0
SK		 470
471#ifdef HAVE_CONNTRACK
472 /* Copy connection mark of incoming query to outgoing connection. */
473 if (option_bool(OPT_CONNTRACK))
474 {
475 unsigned int mark;
797a7afb 476 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
7de060b0
SK		 477 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
478 }
479#endif
1a6bca81 480 }
a77cec8d
SK		 481
482 if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
483 PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : start->edns_pktsz, pheader);
1a6bca81 484
ff841ebf
SK		 485 if (retry_send(sendto(fd, (char *)header, plen, 0,
486 &start->addr.sa,
487 sa_len(&start->addr))))
488 continue;
489
490 if (errno == 0)
9e4abcb5 491 {
cdeda28f
SK		 492 /* Keep info in case we want to re-send this packet */
493 daemon->srv_save = start;
494 daemon->packet_len = plen;
495
de37951c 496 if (!gotname)
3be34541 497 strcpy(daemon->namebuff, "query");
de37951c 498 if (start->addr.sa.sa_family == AF_INET)
3be34541 499 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 500 (struct all_addr *)&start->addr.in.sin_addr, NULL);
de37951c
SK		 501#ifdef HAVE_IPV6
502 else
3be34541 503 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 504 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
de37951c 505#endif
824af85b 506 start->queries++;
de37951c
SK		 507 forwarded = 1;
508 forward->sentto = start;
0a852541 509 if (!forward->forwardall)
de37951c 510 break;
0a852541 511 forward->forwardall++;
9e4abcb5
SK		 512 }
513 }
514
de37951c 515 if (!(start = start->next))
3be34541 516 start = daemon->servers;
9e4abcb5 517
de37951c 518 if (start == firstsentto)
9e4abcb5
SK		 519 break;
520 }
521
de37951c 522 if (forwarded)
824af85b 523 return 1;
de37951c 524
9e4abcb5
SK		 525 /* could not send on, prepare to return */
526 header->id = htons(forward->orig_id);
1a6bca81 527 free_frec(forward); /* cancel */
9e4abcb5
SK		 528 }
529
530 /* could not send on, return empty answer or address if known for whole domain */
b8187c80
SK		 531 if (udpfd != -1)
532 {
cdeda28f 533 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
54dd393f 534 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
b8187c80
SK		 535 }
536
824af85b 537 return 0;
9e4abcb5
SK		 538}
539
ed4c0767 540static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
fe3992f9
SK		 541 int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader,
542 int check_subnet, union mysockaddr *query_source)
feba5c1d 543{
36717eee 544 unsigned char *pheader, *sizep;
13d86c73 545 char **sets = 0;
832af0ba 546 int munged = 0, is_sign;
cdeda28f
SK		 547 size_t plen;
548
83349b8a 549 (void)ad_reqd;
982faf40
SK		 550 (void)do_bit;
551 (void)bogusanswer;
83349b8a 552
13d86c73 553#ifdef HAVE_IPSET
82a14af5 554 if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
13d86c73 555 {
82a14af5
SK		 556 /* Similar algorithm to search_servers. */
557 struct ipsets *ipset_pos;
558 unsigned int namelen = strlen(daemon->namebuff);
559 unsigned int matchlen = 0;
560 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
6c0cb858 561 {
82a14af5
SK		 562 unsigned int domainlen = strlen(ipset_pos->domain);
563 char *matchstart = daemon->namebuff + namelen - domainlen;
564 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
565 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
566 domainlen >= matchlen)
567 {
568 matchlen = domainlen;
569 sets = ipset_pos->sets;
570 }
6c0cb858 571 }
13d86c73
JD		 572 }
573#endif
574
feba5c1d 575 /* If upstream is advertising a larger UDP packet size
9009d746
SK		 576 than we allow, trim it so that we don't get overlarge
577 requests for the client. We can't do this for signed packets. */
feba5c1d 578
ed4c0767 579 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
feba5c1d 580 {
83349b8a
SK		 581 unsigned short udpsz;
582 unsigned char *psave = sizep;
583
584 GETSHORT(udpsz, sizep);
585
586 if (!is_sign && udpsz > daemon->edns_pktsz)
587 PUTSHORT(daemon->edns_pktsz, psave);
feba5c1d 588
ed4c0767
SK		 589 if (check_subnet && !check_source(header, plen, pheader, query_source))
590 {
591 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
592 return 0;
593 }
613ad15d
SK		 594
595 if (added_pheader)
596 {
597 pheader = 0;
598 header->arcount = htons(0);
599 }
feba5c1d 600 }
83349b8a 601
28866e95 602 /* RFC 4035 sect 4.6 para 3 */
237724c0 603 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
795501bc 604 header->hb4 &= ~HB4_AD;
3a237152 605
572b41eb 606 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
8938ae05 607 return resize_packet(header, n, pheader, plen);
0a852541 608
feba5c1d 609 /* Complain loudly if the upstream server is non-recursive. */
572b41eb 610 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
0a852541 611 server && !(server->flags & SERV_WARNED_RECURSIVE))
feba5c1d 612 {
3d8df260 613 prettyprint_addr(&server->addr, daemon->namebuff);
f2621c7f 614 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
28866e95 615 if (!option_bool(OPT_LOG))
0a852541
SK		 616 server->flags |= SERV_WARNED_RECURSIVE;
617 }
e292e93d 618
572b41eb 619 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
fd9fa481 620 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
feba5c1d 621 {
fd9fa481 622 munged = 1;
572b41eb
SK		 623 SET_RCODE(header, NXDOMAIN);
624 header->hb3 &= ~HB3_AA;
6938f347 625 cache_secure = 0;
36717eee 626 }
fd9fa481 627 else
36717eee 628 {
6938f347
SK		 629 int doctored = 0;
630
572b41eb 631 if (RCODE(header) == NXDOMAIN &&
fd9fa481 632 extract_request(header, n, daemon->namebuff, NULL) &&
5aabfc78 633 check_for_local_domain(daemon->namebuff, now))
36717eee
SK		 634 {
635 /* if we forwarded a query for a locally known name (because it was for
636 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
637 since we know that the domain exists, even if upstream doesn't */
fd9fa481 638 munged = 1;
572b41eb
SK		 639 header->hb3 |= HB3_AA;
640 SET_RCODE(header, NOERROR);
6938f347 641 cache_secure = 0;
feba5c1d 642 }
832af0ba 643
6938f347 644 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
824af85b 645 {
8ef5ada2 646 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
824af85b 647 munged = 1;
6938f347 648 cache_secure = 0;
824af85b 649 }
6938f347
SK		 650
651 if (doctored)
652 cache_secure = 0;
feba5c1d 653 }
fd9fa481 654
a25720a3 655#ifdef HAVE_DNSSEC
fe3992f9 656 if (bogusanswer && !(header->hb4 & HB4_CD))
a25720a3 657 {
7d23a66f 658 if (!option_bool(OPT_DNSSEC_DEBUG))
a25720a3
SK		 659 {
660 /* Bogus reply, turn into SERVFAIL */
661 SET_RCODE(header, SERVFAIL);
662 munged = 1;
663 }
664 }
6938f347
SK		 665
666 if (option_bool(OPT_DNSSEC_VALID))
667 header->hb4 &= ~HB4_AD;
668
83349b8a 669 if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
6938f347 670 header->hb4 |= HB4_AD;
613ad15d
SK		 671
672 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
673 if (!do_bit)
674 n = filter_rrsigs(header, n);
a25720a3
SK		 675#endif
676
fd9fa481
SK		 677 /* do this after extract_addresses. Ensure NODATA reply and remove
678 nameserver info. */
679
680 if (munged)
681 {
682 header->ancount = htons(0);
683 header->nscount = htons(0);
684 header->arcount = htons(0);
150162bc 685 header->hb3 &= ~HB3_TC;
fd9fa481
SK		 686 }
687
36717eee
SK		 688 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
689 sections of the packet. Find the new length here and put back pseudoheader
690 if it was removed. */
691 return resize_packet(header, n, pheader, plen);
feba5c1d
SK		 692}
693
3be34541 694/* sets new last_server */
1a6bca81 695void reply_query(int fd, int family, time_t now)
9e4abcb5
SK		 696{
697 /* packet from peer server, extract data for cache, and send to
698 original requester */
572b41eb 699 struct dns_header *header;
de37951c 700 union mysockaddr serveraddr;
832af0ba 701 struct frec *forward;
de37951c 702 socklen_t addrlen = sizeof(serveraddr);
60b68069 703 ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
cdeda28f 704 size_t nn;
1a6bca81 705 struct server *server;
8a9be9e4
SK		 706 void *hash;
707#ifndef HAVE_DNSSEC
708 unsigned int crc;
709#endif
710
cdeda28f
SK		 711 /* packet buffer overwritten */
712 daemon->srv_save = NULL;
832af0ba 713
de37951c 714 /* Determine the address of the server replying so that we can mark that as good */
1a6bca81 715 serveraddr.sa.sa_family = family;
de37951c
SK		 716#ifdef HAVE_IPV6
717 if (serveraddr.sa.sa_family == AF_INET6)
5e9e0efb 718 serveraddr.in6.sin6_flowinfo = 0;
de37951c 719#endif
9e4abcb5 720
490f9075
SK		 721 header = (struct dns_header *)daemon->packet;
722
723 if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR))
724 return;
725
1a6bca81
SK		 726 /* spoof check: answer must come from known server, */
727 for (server = daemon->servers; server; server = server->next)
728 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
729 sockaddr_isequal(&server->addr, &serveraddr))
730 break;
490f9075
SK		 731
732 if (!server)
733 return;
734
8a9be9e4
SK		 735#ifdef HAVE_DNSSEC
736 hash = hash_questions(header, n, daemon->namebuff);
737#else
738 hash = &crc;
739 crc = questions_crc(header, n, daemon->namebuff);
740#endif
fd9fa481 741
490f9075 742 if (!(forward = lookup_frec(ntohs(header->id), hash)))
1a6bca81 743 return;
490f9075 744
25cf5e37
SK		 745 /* log_query gets called indirectly all over the place, so
746 pass these in global variables - sorry. */
747 daemon->log_display_id = forward->log_id;
748 daemon->log_source_addr = &forward->source;
749
32fc6dbe
GH		 750 if (daemon->ignore_addr && RCODE(header) == NOERROR &&
751 check_for_ignored_address(header, n, daemon->ignore_addr))
752 return;
753
2ae195f5 754 if (RCODE(header) == REFUSED &&
28866e95 755 !option_bool(OPT_ORDER) &&
1a6bca81
SK		 756 forward->forwardall == 0)
757 /* for broken servers, attempt to send to another one. */
9e4abcb5 758 {
1a6bca81
SK		 759 unsigned char *pheader;
760 size_t plen;
761 int is_sign;
832af0ba 762
1a6bca81
SK		 763 /* recreate query from reply */
764 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
765 if (!is_sign)
832af0ba 766 {
1a6bca81
SK		 767 header->ancount = htons(0);
768 header->nscount = htons(0);
769 header->arcount = htons(0);
770 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
832af0ba 771 {
572b41eb 772 header->hb3 &= ~(HB3_QR | HB3_TC);
613ad15d 773 forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0);
1a6bca81 774 return;
832af0ba 775 }
832af0ba 776 }
1a6bca81 777 }
3a237152
SK		 778
779 server = forward->sentto;
1a6bca81
SK		 780 if ((forward->sentto->flags & SERV_TYPE) == 0)
781 {
51967f98 782 if (RCODE(header) == REFUSED)
1a6bca81
SK		 783 server = NULL;
784 else
b8187c80 785 {
1a6bca81
SK		 786 struct server *last_server;
787
788 /* find good server by address if possible, otherwise assume the last one we sent to */
789 for (last_server = daemon->servers; last_server; last_server = last_server->next)
790 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
791 sockaddr_isequal(&last_server->addr, &serveraddr))
792 {
793 server = last_server;
794 break;
795 }
796 }
28866e95 797 if (!option_bool(OPT_ALL_SERVERS))
1a6bca81
SK		 798 daemon->last_server = server;
799 }
a77cec8d
SK		 800
801 /* We tried resending to this server with a smaller maximum size and got an answer.
86fa1046
SK		 802 Make that permanent. To avoid reduxing the packet size for an single dropped packet,
803 only do this when we get a truncated answer, or one larger than the safe size. */
804 if (server && (forward->flags & FREC_TEST_PKTSZ) &&
805 ((header->hb3 & HB3_TC) || n >= SAFE_PKTSZ))
a77cec8d
SK		 806 server->edns_pktsz = SAFE_PKTSZ;
807
1a6bca81
SK		 808 /* If the answer is an error, keep the forward record in place in case
809 we get a good reply from another server. Kill it when we've
810 had replies from all to avoid filling the forwarding table when
811 everything is broken */
51967f98 812 if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
1a6bca81 813 {
fe3992f9 814 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
3a237152
SK		 815
816 if (option_bool(OPT_NO_REBIND))
817 check_rebind = !(forward->flags & FREC_NOREBIND);
818
819 /* Don't cache replies where DNSSEC validation was turned off, either
820 the upstream server told us so, or the original query specified it. */
821 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
822 no_cache_dnssec = 1;
823
824#ifdef HAVE_DNSSEC
51967f98 825 if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
3a237152 826 {
9d633048 827 int status;
0fc2f313
SK		 828
829 /* We've had a reply already, which we're validating. Ignore this duplicate */
e0c0ad3b 830 if (forward->blocking_query)
0fc2f313 831 return;
9d633048 832
871417d4
SK		 833 if (header->hb3 & HB3_TC)
834 {
835 /* Truncated answer can't be validated.
5d3b87a4
SK		 836 If this is an answer to a DNSSEC-generated query, we still
837 need to get the client to retry over TCP, so return
838 an answer with the TC bit set, even if the actual answer fits.
839 */
840 status = STAT_TRUNCATED;
871417d4
SK		 841 }
842 else if (forward->flags & FREC_DNSKEY_QUERY)
8d718cbb 843 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
c3e0b9b6 844 else if (forward->flags & FREC_DS_QUERY)
00a5b5d4
SK		 845 {
846 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
fe3992f9
SK		 847 /* Provably no DS, everything below is insecure, even if signatures are offered */
848 if (status == STAT_NO_DS)
849 /* We only cache sigs when we've validated a reply.
850 Avoid caching a reply with sigs if there's a vaildated break in the
851 DS chain, so we don't return replies from cache missing sigs. */
852 status = STAT_INSECURE_DS;
853 else if (status == STAT_NO_NS)
97e618a0 854 status = STAT_BOGUS;
00a5b5d4
SK		 855 }
856 else if (forward->flags & FREC_CHECK_NOSIGN)
97e618a0
SK		 857 {
858 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
859 if (status != STAT_NEED_KEY)
860 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
861 }
9d633048 862 else
00a5b5d4 863 {
97e618a0 864 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
00a5b5d4
SK		 865 if (status == STAT_NO_SIG)
866 {
867 if (option_bool(OPT_DNSSEC_NO_SIGN))
97e618a0 868 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
00a5b5d4
SK		 869 else
870 status = STAT_INSECURE;
871 }
872 }
3a237152
SK		 873 /* Can't validate, as we're missing key data. Put this
874 answer aside, whilst we get that. */
00a5b5d4 875 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
3a237152 876 {
7fa836e1
SK		 877 struct frec *new, *orig;
878
879 /* Free any saved query */
880 if (forward->stash)
881 blockdata_free(forward->stash);
882
883 /* Now save reply pending receipt of key data */
884 if (!(forward->stash = blockdata_alloc((char *)header, n)))
885 return;
886 forward->stash_len = n;
0fc2f313 887
7fa836e1
SK		 888 anotherkey:
889 /* Find the original query that started it all.... */
890 for (orig = forward; orig->dependent; orig = orig->dependent);
891
892 if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1)))
893 status = STAT_INSECURE;
894 else
3a237152 895 {
7fa836e1 896 int fd;
0fc2f313
SK		 897 struct frec *next = new->next;
898 *new = *forward; /* copy everything, then overwrite */
899 new->next = next;
0fc2f313 900 new->blocking_query = NULL;
8a8bbad0 901 new->sentto = server;
f1668d27 902 new->rfd4 = NULL;
97e618a0 903 new->orig_domain = NULL;
f1668d27
SK		 904#ifdef HAVE_IPV6
905 new->rfd6 = NULL;
906#endif
00a5b5d4 907 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN);
9d633048 908
7fa836e1
SK		 909 new->dependent = forward; /* to find query awaiting new one. */
910 forward->blocking_query = new; /* for garbage cleaning */
911 /* validate routines leave name of required record in daemon->keyname */
912 if (status == STAT_NEED_KEY)
913 {
914 new->flags |= FREC_DNSKEY_QUERY;
915 nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
a77cec8d 916 daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->edns_pktsz);
7fa836e1
SK		 917 }
918 else
919 {
00a5b5d4
SK		 920 if (status == STAT_NEED_DS_NEG)
921 new->flags |= FREC_CHECK_NOSIGN;
922 else
923 new->flags |= FREC_DS_QUERY;
7fa836e1 924 nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
a77cec8d 925 daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz);
7fa836e1
SK		 926 }
927 if ((hash = hash_questions(header, nn, daemon->namebuff)))
928 memcpy(new->hash, hash, HASH_SIZE);
929 new->new_id = get_id();
930 header->id = htons(new->new_id);
931 /* Save query for retransmission */
97e618a0
SK		 932 if (!(new->stash = blockdata_alloc((char *)header, nn)))
933 return;
934
7fa836e1
SK		 935 new->stash_len = nn;
936
937 /* Don't resend this. */
938 daemon->srv_save = NULL;
e0c0ad3b 939
7fa836e1
SK		 940 if (server->sfd)
941 fd = server->sfd->fd;
e0c0ad3b 942 else
3a237152 943 {
7fa836e1
SK		 944 fd = -1;
945#ifdef HAVE_IPV6
946 if (server->addr.sa.sa_family == AF_INET6)
9d633048 947 {
7fa836e1
SK		 948 if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
949 fd = new->rfd6->fd;
9d633048 950 }
3a237152 951 else
3a237152 952#endif
f1668d27 953 {
7fa836e1
SK		 954 if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
955 fd = new->rfd4->fd;
f1668d27 956 }
3a237152 957 }
7fa836e1
SK		 958
959 if (fd != -1)
960 {
ff841ebf
SK		 961 while (retry_send(sendto(fd, (char *)header, nn, 0,
962 &server->addr.sa,
963 sa_len(&server->addr))));
7fa836e1
SK		 964 server->queries++;
965 }
966
967 return;
3a237152 968 }
3a237152
SK		 969 }
970
971 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
972 Now wind back down, pulling back answers which wouldn't previously validate
7fa836e1
SK		 973 and validate them with the new data. Note that if an answer needs multiple
974 keys to validate, we may find another key is needed, in which case we set off
975 down another branch of the tree. Once we get to the original answer
976 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
0744ca66 977 while (forward->dependent)
3a237152 978 {
0744ca66
SK		 979 struct frec *prev = forward->dependent;
980 free_frec(forward);
981 forward = prev;
982 forward->blocking_query = NULL; /* already gone */
983 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
984 n = forward->stash_len;
985
986 if (status == STAT_SECURE)
3a237152 987 {
0744ca66
SK		 988 if (forward->flags & FREC_DNSKEY_QUERY)
989 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
990 else if (forward->flags & FREC_DS_QUERY)
00a5b5d4
SK		 991 {
992 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
fe3992f9
SK		 993 /* Provably no DS, everything below is insecure, even if signatures are offered */
994 if (status == STAT_NO_DS)
995 /* We only cache sigs when we've validated a reply.
996 Avoid caching a reply with sigs if there's a vaildated break in the
997 DS chain, so we don't return replies from cache missing sigs. */
998 status = STAT_INSECURE_DS;
999 else if (status == STAT_NO_NS)
1000 status = STAT_BOGUS;
00a5b5d4
SK		 1001 }
1002 else if (forward->flags & FREC_CHECK_NOSIGN)
97e618a0
SK		 1003 {
1004 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
1005 if (status != STAT_NEED_KEY)
1006 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
1007 }
0744ca66 1008 else
00a5b5d4 1009 {
97e618a0 1010 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
00a5b5d4
SK		 1011 if (status == STAT_NO_SIG)
1012 {
1013 if (option_bool(OPT_DNSSEC_NO_SIGN))
97e618a0 1014 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
00a5b5d4
SK		 1015 else
1016 status = STAT_INSECURE;
1017 }
1018 }
1019
1020 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
7fa836e1 1021 goto anotherkey;
3a237152
SK		 1022 }
1023 }
5d3b87a4 1024
fe3992f9
SK		 1025 no_cache_dnssec = 0;
1026
1027 if (status == STAT_INSECURE_DS)
1028 {
1029 /* We only cache sigs when we've validated a reply.
1030 Avoid caching a reply with sigs if there's a vaildated break in the
1031 DS chain, so we don't return replies from cache missing sigs. */
1032 status = STAT_INSECURE;
1033 no_cache_dnssec = 1;
1034 }
1035
5d3b87a4 1036 if (status == STAT_TRUNCATED)
0744ca66 1037 header->hb3 |= HB3_TC;
5d3b87a4 1038 else
7fa836e1 1039 {
554b580e 1040 char *result, *domain = "result";
7fa836e1
SK		 1041
1042 if (forward->work_counter == 0)
150162bc
SK		 1043 {
1044 result = "ABANDONED";
1045 status = STAT_BOGUS;
1046 }
7fa836e1
SK		 1047 else
1048 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1049
554b580e
SK		 1050 if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL))
1051 domain = daemon->namebuff;
1052
1053 log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
7fa836e1 1054 }
5d3b87a4 1055
3a237152
SK		 1056 if (status == STAT_SECURE)
1057 cache_secure = 1;
3a237152 1058 else if (status == STAT_BOGUS)
fe3992f9
SK		 1059 {
1060 no_cache_dnssec = 1;
1061 bogusanswer = 1;
1062 }
3a237152 1063 }
83349b8a
SK		 1064#endif
1065
1066 /* restore CD bit to the value in the query */
1067 if (forward->flags & FREC_CHECKING_DISABLED)
1068 header->hb4 |= HB4_CD;
1069 else
1070 header->hb4 &= ~HB4_CD;
8ef5ada2 1071
fe3992f9 1072 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer,
613ad15d
SK		 1073 forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
1074 forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
1a6bca81
SK		 1075 {
1076 header->id = htons(forward->orig_id);
572b41eb 1077 header->hb4 |= HB4_RA; /* recursion if available */
54dd393f 1078 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
50303b19 1079 &forward->source, &forward->dest, forward->iface);
b8187c80 1080 }
1a6bca81 1081 free_frec(forward); /* cancel */
9e4abcb5 1082 }
9e4abcb5 1083}
44a2a316 1084
1a6bca81 1085
5aabfc78 1086void receive_query(struct listener *listen, time_t now)
44a2a316 1087{
572b41eb 1088 struct dns_header *header = (struct dns_header *)daemon->packet;
44a2a316 1089 union mysockaddr source_addr;
c1bb8504 1090 unsigned short type;
44a2a316 1091 struct all_addr dst_addr;
f6b7dc47 1092 struct in_addr netmask, dst_addr_4;
cdeda28f
SK		 1093 size_t m;
1094 ssize_t n;
3b195961
VG		 1095 int if_index = 0, auth_dns = 0;
1096#ifdef HAVE_AUTH
1097 int local_auth = 0;
1098#endif
44a2a316
SK		 1099 struct iovec iov[1];
1100 struct msghdr msg;
1101 struct cmsghdr *cmptr;
44a2a316
SK		 1102 union {
1103 struct cmsghdr align; /* this ensures alignment */
1104#ifdef HAVE_IPV6
1105 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
1106#endif
5e9e0efb 1107#if defined(HAVE_LINUX_NETWORK)
44a2a316 1108 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
824af85b
SK		 1109#elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1110 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1111 CMSG_SPACE(sizeof(unsigned int))];
44a2a316
SK		 1112#elif defined(IP_RECVDSTADDR)
1113 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1114 CMSG_SPACE(sizeof(struct sockaddr_dl))];
1115#endif
1116 } control_u;
2329bef5
SK		 1117#ifdef HAVE_IPV6
1118 /* Can always get recvd interface for IPv6 */
1119 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
1120#else
1121 int check_dst = !option_bool(OPT_NOWILD);
1122#endif
1123
cdeda28f
SK		 1124 /* packet buffer overwritten */
1125 daemon->srv_save = NULL;
1126
98906275 1127 dst_addr_4.s_addr = dst_addr.addr.addr4.s_addr = 0;
4f7b304f
SK		 1128 netmask.s_addr = 0;
1129
7e5664bd 1130 if (option_bool(OPT_NOWILD) && listen->iface)
3d8df260 1131 {
4f7b304f
SK		 1132 auth_dns = listen->iface->dns_auth;
1133
1134 if (listen->family == AF_INET)
1135 {
98906275 1136 dst_addr_4 = dst_addr.addr.addr4 = listen->iface->addr.in.sin_addr;
4f7b304f
SK		 1137 netmask = listen->iface->netmask;
1138 }
3d8df260 1139 }
4f7b304f 1140
3be34541
SK		 1141 iov[0].iov_base = daemon->packet;
1142 iov[0].iov_len = daemon->edns_pktsz;
44a2a316
SK		 1143
1144 msg.msg_control = control_u.control;
1145 msg.msg_controllen = sizeof(control_u);
1146 msg.msg_flags = 0;
1147 msg.msg_name = &source_addr;
1148 msg.msg_namelen = sizeof(source_addr);
1149 msg.msg_iov = iov;
1150 msg.msg_iovlen = 1;
1151
de37951c 1152 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
3be34541 1153 return;
44a2a316 1154
572b41eb 1155 if (n < (int)sizeof(struct dns_header) ||
5e9e0efb 1156 (msg.msg_flags & MSG_TRUNC) ||
572b41eb 1157 (header->hb3 & HB3_QR))
26128d27
SK		 1158 return;
1159
44a2a316 1160 source_addr.sa.sa_family = listen->family;
2a7a2b84
SK		 1161
1162 if (listen->family == AF_INET)
1163 {
1164 /* Source-port == 0 is an error, we can't send back to that.
1165 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1166 if (source_addr.in.sin_port == 0)
1167 return;
1168 }
44a2a316 1169#ifdef HAVE_IPV6
2a7a2b84
SK		 1170 else
1171 {
1172 /* Source-port == 0 is an error, we can't send back to that. */
1173 if (source_addr.in6.sin6_port == 0)
1174 return;
1175 source_addr.in6.sin6_flowinfo = 0;
1176 }
44a2a316 1177#endif
2a7a2b84 1178
c8a80487
SK		 1179 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1180 if (option_bool(OPT_LOCAL_SERVICE))
1181 {
1182 struct addrlist *addr;
1183#ifdef HAVE_IPV6
1184 if (listen->family == AF_INET6)
1185 {
1186 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1187 if ((addr->flags & ADDRLIST_IPV6) &&
1188 is_same_net6(&addr->addr.addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen))
1189 break;
1190 }
1191 else
1192#endif
1193 {
1194 struct in_addr netmask;
1195 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1196 {
15b1b7e9 1197 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
c8a80487
SK		 1198 if (!(addr->flags & ADDRLIST_IPV6) &&
1199 is_same_net(addr->addr.addr.addr4, source_addr.in.sin_addr, netmask))
1200 break;
1201 }
1202 }
1203 if (!addr)
1204 {
0c8584ea
SK		 1205 static int warned = 0;
1206 if (!warned)
1207 {
1208 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1209 warned = 1;
1210 }
c8a80487
SK		 1211 return;
1212 }
1213 }
1214
2329bef5 1215 if (check_dst)
26128d27
SK		 1216 {
1217 struct ifreq ifr;
1218
1219 if (msg.msg_controllen < sizeof(struct cmsghdr))
1220 return;
44a2a316 1221
5e9e0efb 1222#if defined(HAVE_LINUX_NETWORK)
26128d27
SK		 1223 if (listen->family == AF_INET)
1224 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 1225 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
26128d27 1226 {
8ef5ada2
SK		 1227 union {
1228 unsigned char *c;
1229 struct in_pktinfo *p;
1230 } p;
1231 p.c = CMSG_DATA(cmptr);
1232 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
1233 if_index = p.p->ipi_ifindex;
26128d27
SK		 1234 }
1235#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1236 if (listen->family == AF_INET)
44a2a316 1237 {
26128d27 1238 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
8ef5ada2
SK		 1239 {
1240 union {
1241 unsigned char *c;
1242 unsigned int *i;
1243 struct in_addr *a;
1244#ifndef HAVE_SOLARIS_NETWORK
1245 struct sockaddr_dl *s;
1246#endif
1247 } p;
1248 p.c = CMSG_DATA(cmptr);
1249 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
1250 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
1251 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
824af85b 1252#ifdef HAVE_SOLARIS_NETWORK
8ef5ada2 1253 if_index = *(p.i);
824af85b 1254#else
8ef5ada2 1255 if_index = p.s->sdl_index;
824af85b 1256#endif
8ef5ada2 1257 }
44a2a316 1258 }
44a2a316 1259#endif
26128d27 1260
44a2a316 1261#ifdef HAVE_IPV6
26128d27
SK		 1262 if (listen->family == AF_INET6)
1263 {
1264 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 1265 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
26128d27 1266 {
8ef5ada2
SK		 1267 union {
1268 unsigned char *c;
1269 struct in6_pktinfo *p;
1270 } p;
1271 p.c = CMSG_DATA(cmptr);
1272
1273 dst_addr.addr.addr6 = p.p->ipi6_addr;
1274 if_index = p.p->ipi6_ifindex;
26128d27
SK		 1275 }
1276 }
44a2a316 1277#endif
26128d27
SK		 1278
1279 /* enforce available interface configuration */
1280
e25db1f2 1281 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
5e9e0efb 1282 return;
832af0ba 1283
e25db1f2
SK		 1284 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1285 {
1286 if (!option_bool(OPT_CLEVERBIND))
115ac3e4 1287 enumerate_interfaces(0);
3f2873d4
SK		 1288 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1289 !label_exception(if_index, listen->family, &dst_addr))
e25db1f2
SK		 1290 return;
1291 }
1292
552af8b9
SK		 1293 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1294 {
1295 struct irec *iface;
1296
1297 /* get the netmask of the interface whch has the address we were sent to.
1298 This is no neccessarily the interface we arrived on. */
1299
1300 for (iface = daemon->interfaces; iface; iface = iface->next)
1301 if (iface->addr.sa.sa_family == AF_INET &&
1302 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1303 break;
1304
1305 /* interface may be new */
e25db1f2 1306 if (!iface && !option_bool(OPT_CLEVERBIND))
115ac3e4 1307 enumerate_interfaces(0);
552af8b9
SK		 1308
1309 for (iface = daemon->interfaces; iface; iface = iface->next)
1310 if (iface->addr.sa.sa_family == AF_INET &&
1311 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1312 break;
1313
1314 /* If we failed, abandon localisation */
1315 if (iface)
1316 netmask = iface->netmask;
1317 else
1318 dst_addr_4.s_addr = 0;
1319 }
44a2a316 1320 }
25cf5e37
SK		 1321
1322 /* log_query gets called indirectly all over the place, so
1323 pass these in global variables - sorry. */
1324 daemon->log_display_id = ++daemon->log_id;
1325 daemon->log_source_addr = &source_addr;
44a2a316 1326
cdeda28f 1327 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
44a2a316 1328 {
b485ed97
SK		 1329#ifdef HAVE_AUTH
1330 struct auth_zone *zone;
1331#endif
610e782a
SK		 1332 char *types = querystr(auth_dns ? "auth" : "query", type);
1333
44a2a316 1334 if (listen->family == AF_INET)
3be34541 1335 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 1336 (struct all_addr *)&source_addr.in.sin_addr, types);
44a2a316
SK		 1337#ifdef HAVE_IPV6
1338 else
3be34541 1339 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 1340 (struct all_addr *)&source_addr.in6.sin6_addr, types);
44a2a316 1341#endif
44a2a316 1342
b485ed97
SK		 1343#ifdef HAVE_AUTH
1344 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1345 if (!auth_dns)
1346 for (zone = daemon->auth_zones; zone; zone = zone->next)
1347 if (in_zone(zone, daemon->namebuff, NULL))
1348 {
1349 auth_dns = 1;
1350 local_auth = 1;
1351 break;
1352 }
b485ed97 1353#endif
b5ea1cc2
SK		 1354
1355#ifdef HAVE_LOOP
1356 /* Check for forwarding loop */
1357 if (detect_loop(daemon->namebuff, type))
1358 return;
1359#endif
b485ed97
SK		 1360 }
1361
4820dce9 1362#ifdef HAVE_AUTH
4f7b304f 1363 if (auth_dns)
824af85b 1364 {
60b68069 1365 m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
4f7b304f 1366 if (m >= 1)
b485ed97
SK		 1367 {
1368 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1369 (char *)header, m, &source_addr, &dst_addr, if_index);
1370 daemon->auth_answer++;
1371 }
824af85b 1372 }
44a2a316 1373 else
4820dce9 1374#endif
4f7b304f 1375 {
613ad15d 1376 int ad_reqd, do_bit;
60b68069 1377 m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
613ad15d 1378 dst_addr_4, netmask, now, &ad_reqd, &do_bit);
4f7b304f
SK		 1379
1380 if (m >= 1)
1381 {
1382 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1383 (char *)header, m, &source_addr, &dst_addr, if_index);
1384 daemon->local_answer++;
1385 }
1386 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
613ad15d 1387 header, (size_t)n, now, NULL, ad_reqd, do_bit))
4f7b304f
SK		 1388 daemon->queries_forwarded++;
1389 else
1390 daemon->local_answer++;
1391 }
44a2a316
SK		 1392}
1393
7d7b7b31 1394#ifdef HAVE_DNSSEC
00a5b5d4
SK		 1395
1396/* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1397 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1398 STAT_NEED_DS_NEG and keyname if we need to do the query. */
97e618a0
SK		 1399static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
1400 char *name, char *keyname)
00a5b5d4 1401{
00a5b5d4
SK		 1402 int status = dnssec_chase_cname(now, header, plen, name, keyname);
1403
1404 if (status != STAT_INSECURE)
1405 return status;
1406
97e618a0
SK		 1407 /* Store the domain we're trying to check. */
1408 forward->name_start = strlen(name);
1409 forward->name_len = forward->name_start + 1;
1410 if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len)))
1411 return STAT_BOGUS;
1412
1413 return do_check_sign(forward, 0, now, name, keyname);
1414}
1415
1416/* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1417static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname)
1418{
1419 /* get domain we're checking back from blockdata store, it's stored on the original query. */
1420 while (forward->dependent)
1421 forward = forward->dependent;
1422
1423 blockdata_retrieve(forward->orig_domain, forward->name_len, name);
1424
00a5b5d4
SK		 1425 while (1)
1426 {
97e618a0
SK		 1427 char *p;
1428
1429 if (status == 0)
00a5b5d4 1430 {
97e618a0
SK		 1431 struct crec *crecp;
1432
1433 /* Haven't received answer, see if in cache */
1434 if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS)))
1435 {
1436 /* put name of DS record we're missing into keyname */
1437 strcpy(keyname, &name[forward->name_start]);
1438 /* and wait for reply to arrive */
1439 return STAT_NEED_DS_NEG;
1440 }
1441
1442 /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1443 if (!(crecp->flags & F_NEG))
1444 status = STAT_SECURE;
1445 else if (crecp->flags & F_DNSSECOK)
1446 status = STAT_NO_DS;
1447 else
1448 status = STAT_NO_NS;
00a5b5d4 1449 }
97e618a0
SK		 1450
1451 /* Have entered non-signed part of DNS tree. */
1452 if (status == STAT_NO_DS)
1453 return STAT_INSECURE;
00a5b5d4 1454
97e618a0 1455 if (status == STAT_BOGUS)
4e1fe444
SK		 1456 return STAT_BOGUS;
1457
97e618a0
SK		 1458 /* There's a proven DS record, or we're within a zone, where there doesn't need
1459 to be a DS record. Add a name and try again.
1460 If we've already tried the whole name, then fail */
00a5b5d4 1461
97e618a0
SK		 1462 if (forward->name_start == 0)
1463 return STAT_BOGUS;
4872aa74 1464
97e618a0
SK		 1465 for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--);
1466
1467 if (p != name)
1468 p++;
1469
1470 forward->name_start = p - name;
1471 status = 0; /* force to cache when we iterate. */
00a5b5d4 1472 }
00a5b5d4
SK		 1473}
1474
fe3992f9 1475/* Move down from the root, until we find a signed non-existance of a DS, in which case
00a5b5d4
SK		 1476 an unsigned answer is OK, or we find a signed DS, in which case there should be
1477 a signature, and the answer is BOGUS */
1478static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name,
1479 char *keyname, struct server *server, int *keycount)
1480{
1481 size_t m;
1482 unsigned char *packet, *payload;
1483 u16 *length;
97e618a0
SK		 1484 int status, name_len;
1485 struct blockdata *block;
1486
1487 char *name_start;
00a5b5d4
SK		 1488
1489 /* Get first insecure entry in CNAME chain */
1490 status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount);
1491 if (status == STAT_BOGUS)
1492 return STAT_BOGUS;
1493
1494 if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16))))
1495 return STAT_BOGUS;
1496
1497 payload = &packet[2];
1498 header = (struct dns_header *)payload;
1499 length = (u16 *)packet;
97e618a0
SK		 1500
1501 /* Stash the name away, since the buffer will be trashed when we recurse */
1502 name_len = strlen(name) + 1;
1503 name_start = name + name_len - 1;
00a5b5d4 1504
97e618a0
SK		 1505 if (!(block = blockdata_alloc(name, name_len)))
1506 {
1507 free(packet);
1508 return STAT_BOGUS;
1509 }
1510
00a5b5d4
SK		 1511 while (1)
1512 {
00a5b5d4 1513 unsigned char c1, c2;
97e618a0
SK		 1514 struct crec *crecp;
1515
00a5b5d4 1516 if (--(*keycount) == 0)
fc2833f1
TH		 1517 {
1518 free(packet);
97e618a0 1519 blockdata_free(block);
fc2833f1
TH		 1520 return STAT_BOGUS;
1521 }
00a5b5d4 1522
424c4a8a 1523 while ((crecp = cache_find_by_name(NULL, name_start, now, F_DS)))
97e618a0
SK		 1524 {
1525 if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))
1526 {
1527 /* Found a secure denial of DS - delegation is indeed insecure */
1528 free(packet);
1529 blockdata_free(block);
1530 return STAT_INSECURE;
1531 }
1532
1533 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1534 Add another label and continue. */
1535
1536 if (name_start == name)
1537 {
1538 free(packet);
1539 blockdata_free(block);
1540 return STAT_BOGUS; /* run out of labels */
1541 }
1542
1543 name_start -= 2;
1544 while (*name_start != '.' && name_start != name)
1545 name_start--;
1546 if (name_start != name)
1547 name_start++;
4e1fe444 1548 }
97e618a0
SK		 1549
1550 /* Can't find it in the cache, have to send a query */
4e1fe444 1551
a77cec8d 1552 m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr, server->edns_pktsz);
00a5b5d4 1553
97e618a0 1554 *length = htons(m);
b37f8b99 1555
97e618a0
SK		 1556 if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
1557 read_write(server->tcpfd, &c1, 1, 1) &&
1558 read_write(server->tcpfd, &c2, 1, 1) &&
1559 read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1560 {
1561 m = (c1 << 8) | c2;
00a5b5d4 1562
97e618a0
SK		 1563 /* Note this trashes all three name workspaces */
1564 status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
1565
1566 if (status == STAT_NO_DS)
00a5b5d4 1567 {
97e618a0
SK		 1568 /* Found a secure denial of DS - delegation is indeed insecure */
1569 free(packet);
1570 blockdata_free(block);
1571 return STAT_INSECURE;
1572 }
1573
1574 if (status == STAT_BOGUS)
1575 {
1576 free(packet);
1577 blockdata_free(block);
1578 return STAT_BOGUS;
1579 }
1580
1581 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1582 Add another label and continue. */
1583
1584 /* Get name we're checking back. */
1585 blockdata_retrieve(block, name_len, name);
1586
1587 if (name_start == name)
1588 {
1589 free(packet);
1590 blockdata_free(block);
1591 return STAT_BOGUS; /* run out of labels */
00a5b5d4 1592 }
97e618a0
SK		 1593
1594 name_start -= 2;
1595 while (*name_start != '.' && name_start != name)
1596 name_start--;
1597 if (name_start != name)
1598 name_start++;
1599 }
1600 else
1601 {
1602 /* IO failure */
1603 free(packet);
1604 blockdata_free(block);
1605 return STAT_BOGUS; /* run out of labels */
00a5b5d4 1606 }
00a5b5d4
SK		 1607 }
1608}
1609
7fa836e1
SK		 1610static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
1611 int class, char *name, char *keyname, struct server *server, int *keycount)
7d7b7b31
SK		 1612{
1613 /* Recurse up the key heirarchy */
7d7b7b31 1614 int new_status;
7d7b7b31 1615
7fa836e1
SK		 1616 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1617 if (--(*keycount) == 0)
1618 return STAT_INSECURE;
7d7b7b31 1619
7fa836e1
SK		 1620 if (status == STAT_NEED_KEY)
1621 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
00a5b5d4
SK		 1622 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1623 {
1624 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
fe3992f9
SK		 1625 if (status == STAT_NEED_DS)
1626 {
1627 if (new_status == STAT_NO_DS)
1628 new_status = STAT_INSECURE_DS;
1629 else if (new_status == STAT_NO_NS)
1630 new_status = STAT_BOGUS;
1631 }
00a5b5d4
SK		 1632 }
1633 else if (status == STAT_CHASE_CNAME)
1634 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1635 else
1636 {
97e618a0 1637 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
00a5b5d4
SK		 1638
1639 if (new_status == STAT_NO_SIG)
1640 {
1641 if (option_bool(OPT_DNSSEC_NO_SIGN))
1642 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1643 else
1644 new_status = STAT_INSECURE;
1645 }
1646 }
1647
7fa836e1
SK		 1648 /* Can't validate because we need a key/DS whose name now in keyname.
1649 Make query for same, and recurse to validate */
1650 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
7d7b7b31 1651 {
7fa836e1
SK		 1652 size_t m;
1653 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1654 unsigned char *payload = &packet[2];
1655 struct dns_header *new_header = (struct dns_header *)payload;
1656 u16 *length = (u16 *)packet;
1657 unsigned char c1, c2;
1658
1659 if (!packet)
1660 return STAT_INSECURE;
1661
1662 another_tcp_key:
1663 m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class,
a77cec8d 1664 new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr, server->edns_pktsz);
7d7b7b31 1665
7fa836e1 1666 *length = htons(m);
7d7b7b31 1667
7fa836e1
SK		 1668 if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) ||
1669 !read_write(server->tcpfd, &c1, 1, 1) ||
1670 !read_write(server->tcpfd, &c2, 1, 1) ||
1671 !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1672 new_status = STAT_INSECURE;
1673 else
7d7b7b31 1674 {
7fa836e1
SK		 1675 m = (c1 << 8) | c2;
1676
00a5b5d4
SK		 1677 new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount);
1678
1679 if (new_status == STAT_SECURE)
7d7b7b31 1680 {
7fa836e1
SK		 1681 /* Reached a validated record, now try again at this level.
1682 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1683 If so, go round again. */
7d7b7b31 1684
7fa836e1
SK		 1685 if (status == STAT_NEED_KEY)
1686 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
00a5b5d4
SK		 1687 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1688 {
1689 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
fe3992f9
SK		 1690 if (status == STAT_NEED_DS)
1691 {
1692 if (new_status == STAT_NO_DS)
1693 new_status = STAT_INSECURE_DS;
1694 else if (new_status == STAT_NO_NS)
1695 new_status = STAT_BOGUS; /* Validated no DS */
1696 }
00a5b5d4
SK		 1697 }
1698 else if (status == STAT_CHASE_CNAME)
1699 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1700 else
1701 {
97e618a0 1702 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
00a5b5d4
SK		 1703
1704 if (new_status == STAT_NO_SIG)
1705 {
1706 if (option_bool(OPT_DNSSEC_NO_SIGN))
1707 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1708 else
1709 new_status = STAT_INSECURE;
1710 }
1711 }
1712
7d7b7b31 1713 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
7fa836e1 1714 goto another_tcp_key;
7d7b7b31
SK		 1715 }
1716 }
fe3992f9 1717
7fa836e1
SK		 1718 free(packet);
1719 }
7d7b7b31
SK		 1720 return new_status;
1721}
1722#endif
1723
1724
feba5c1d
SK		 1725/* The daemon forks before calling this: it should deal with one connection,
1726 blocking as neccessary, and then return. Note, need to be a bit careful
1727 about resources for debug mode, when the fork is suppressed: that's
1728 done by the caller. */
5aabfc78 1729unsigned char *tcp_request(int confd, time_t now,
4f7b304f 1730 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
feba5c1d 1731{
28866e95
SK		 1732 size_t size = 0;
1733 int norebind = 0;
3b195961 1734#ifdef HAVE_AUTH
19b16891 1735 int local_auth = 0;
3b195961 1736#endif
613ad15d 1737 int checking_disabled, ad_question, do_bit, added_pheader = 0;
fe3992f9 1738 int check_subnet, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
cdeda28f 1739 size_t m;
ee86ce68
SK		 1740 unsigned short qtype;
1741 unsigned int gotname;
feba5c1d 1742 unsigned char c1, c2;
4b5ea12e
SK		 1743 /* Max TCP packet + slop + size */
1744 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1745 unsigned char *payload = &packet[2];
1746 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1747 struct dns_header *header = (struct dns_header *)payload;
1748 u16 *length = (u16 *)packet;
3be34541 1749 struct server *last_server;
7de060b0
SK		 1750 struct in_addr dst_addr_4;
1751 union mysockaddr peer_addr;
1752 socklen_t peer_len = sizeof(union mysockaddr);
25cf5e37
SK		 1753 int query_count = 0;
1754
7de060b0
SK		 1755 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1756 return packet;
c8a80487
SK		 1757
1758 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1759 if (option_bool(OPT_LOCAL_SERVICE))
1760 {
1761 struct addrlist *addr;
1762#ifdef HAVE_IPV6
1763 if (peer_addr.sa.sa_family == AF_INET6)
1764 {
1765 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1766 if ((addr->flags & ADDRLIST_IPV6) &&
1767 is_same_net6(&addr->addr.addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen))
1768 break;
1769 }
1770 else
1771#endif
1772 {
1773 struct in_addr netmask;
1774 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1775 {
15b1b7e9 1776 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
c8a80487
SK		 1777 if (!(addr->flags & ADDRLIST_IPV6) &&
1778 is_same_net(addr->addr.addr.addr4, peer_addr.in.sin_addr, netmask))
1779 break;
1780 }
1781 }
1782 if (!addr)
1783 {
1784 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1785 return packet;
1786 }
1787 }
7de060b0 1788
feba5c1d
SK		 1789 while (1)
1790 {
25cf5e37
SK		 1791 if (query_count == TCP_MAX_QUERIES ||
1792 !packet ||
feba5c1d
SK		 1793 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1794 !(size = c1 << 8 | c2) ||
4b5ea12e 1795 !read_write(confd, payload, size, 1))
feba5c1d
SK		 1796 return packet;
1797
572b41eb 1798 if (size < (int)sizeof(struct dns_header))
feba5c1d
SK		 1799 continue;
1800
25cf5e37
SK		 1801 query_count++;
1802
1803 /* log_query gets called indirectly all over the place, so
1804 pass these in global variables - sorry. */
1805 daemon->log_display_id = ++daemon->log_id;
1806 daemon->log_source_addr = &peer_addr;
1807
ed4c0767
SK		 1808 check_subnet = 0;
1809
28866e95 1810 /* save state of "cd" flag in query */
7d7b7b31
SK		 1811 if ((checking_disabled = header->hb4 & HB4_CD))
1812 no_cache_dnssec = 1;
28866e95 1813
3be34541 1814 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
feba5c1d 1815 {
b485ed97
SK		 1816#ifdef HAVE_AUTH
1817 struct auth_zone *zone;
1818#endif
610e782a 1819 char *types = querystr(auth_dns ? "auth" : "query", qtype);
7de060b0
SK		 1820
1821 if (peer_addr.sa.sa_family == AF_INET)
1822 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1823 (struct all_addr *)&peer_addr.in.sin_addr, types);
feba5c1d 1824#ifdef HAVE_IPV6
7de060b0
SK		 1825 else
1826 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1827 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
feba5c1d 1828#endif
b485ed97
SK		 1829
1830#ifdef HAVE_AUTH
1831 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1832 if (!auth_dns)
1833 for (zone = daemon->auth_zones; zone; zone = zone->next)
1834 if (in_zone(zone, daemon->namebuff, NULL))
1835 {
1836 auth_dns = 1;
1837 local_auth = 1;
1838 break;
1839 }
b485ed97 1840#endif
feba5c1d
SK		 1841 }
1842
7de060b0
SK		 1843 if (local_addr->sa.sa_family == AF_INET)
1844 dst_addr_4 = local_addr->in.sin_addr;
1845 else
1846 dst_addr_4.s_addr = 0;
1847
4820dce9 1848#ifdef HAVE_AUTH
4f7b304f 1849 if (auth_dns)
19b16891 1850 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
4f7b304f 1851 else
4820dce9 1852#endif
feba5c1d 1853 {
4f7b304f
SK		 1854 /* m > 0 if answered from cache */
1855 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
613ad15d 1856 dst_addr_4, netmask, now, &ad_question, &do_bit);
feba5c1d 1857
4f7b304f
SK		 1858 /* Do this by steam now we're not in the select() loop */
1859 check_log_writer(NULL);
1860
1861 if (m == 0)
feba5c1d 1862 {
4f7b304f
SK		 1863 unsigned int flags = 0;
1864 struct all_addr *addrp = NULL;
1865 int type = 0;
1866 char *domain = NULL;
feba5c1d 1867
4f7b304f
SK		 1868 if (option_bool(OPT_ADD_MAC))
1869 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
ed4c0767
SK		 1870
1871 if (option_bool(OPT_CLIENT_SUBNET))
1872 {
1873 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1874 if (size != new)
1875 {
1876 size = new;
1877 check_subnet = 1;
1878 }
1879 }
1880
4f7b304f
SK		 1881 if (gotname)
1882 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1883
1884 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1885 last_server = daemon->servers;
1886 else
1887 last_server = daemon->last_server;
1888
1889 if (!flags && last_server)
1890 {
1891 struct server *firstsendto = NULL;
8a9be9e4 1892#ifdef HAVE_DNSSEC
703c7ff4 1893 unsigned char *newhash, hash[HASH_SIZE];
63758384 1894 if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff)))
8a9be9e4 1895 memcpy(hash, newhash, HASH_SIZE);
b37f8b99
TH		 1896 else
1897 memset(hash, 0, HASH_SIZE);
8a9be9e4 1898#else
4f7b304f 1899 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
8a9be9e4 1900#endif
4f7b304f
SK		 1901 /* Loop round available servers until we succeed in connecting to one.
1902 Note that this code subtley ensures that consecutive queries on this connection
1903 which can go to the same server, do so. */
1904 while (1)
feba5c1d 1905 {
4f7b304f
SK		 1906 if (!firstsendto)
1907 firstsendto = last_server;
1908 else
1909 {
1910 if (!(last_server = last_server->next))
1911 last_server = daemon->servers;
1912
1913 if (last_server == firstsendto)
1914 break;
1915 }
1916
1917 /* server for wrong domain */
1918 if (type != (last_server->flags & SERV_TYPE) ||
b5ea1cc2
SK		 1919 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)) ||
1920 (last_server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
7de060b0
SK		 1921 continue;
1922
4f7b304f 1923 if (last_server->tcpfd == -1)
7de060b0 1924 {
4f7b304f
SK		 1925 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1926 continue;
1927
e9828b6f
KV		 1928#ifdef HAVE_CONNTRACK
1929 /* Copy connection mark of incoming query to outgoing connection. */
1930 if (option_bool(OPT_CONNTRACK))
1931 {
1932 unsigned int mark;
1933 struct all_addr local;
1934#ifdef HAVE_IPV6
1935 if (local_addr->sa.sa_family == AF_INET6)
1936 local.addr.addr6 = local_addr->in6.sin6_addr;
1937 else
1938#endif
1939 local.addr.addr4 = local_addr->in.sin_addr;
1940
1941 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1942 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1943 }
1944#endif
1945
4f7b304f
SK		 1946 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1947 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1948 {
1949 close(last_server->tcpfd);
1950 last_server->tcpfd = -1;
1951 continue;
1952 }
1953
7d7b7b31
SK		 1954#ifdef HAVE_DNSSEC
1955 if (option_bool(OPT_DNSSEC_VALID))
1956 {
613ad15d
SK		 1957 size_t new_size = add_do_bit(header, size, ((char *) header) + 65536);
1958
2ecd9bd5
SK		 1959 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1960 this allows it to select auth servers when one is returning bad data. */
1961 if (option_bool(OPT_DNSSEC_DEBUG))
1962 header->hb4 |= HB4_CD;
613ad15d
SK		 1963
1964 if (size != new_size)
1965 added_pheader = 1;
1966
1967 size = new_size;
7d7b7b31
SK		 1968 }
1969#endif
4f7b304f
SK		 1970 }
1971
4b5ea12e 1972 *length = htons(size);
1fc02680
SK		 1973
1974 /* get query name again for logging - may have been overwritten */
1975 if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1976 strcpy(daemon->namebuff, "query");
4f7b304f 1977
4b5ea12e 1978 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
4f7b304f 1979 !read_write(last_server->tcpfd, &c1, 1, 1) ||
7d7b7b31
SK		 1980 !read_write(last_server->tcpfd, &c2, 1, 1) ||
1981 !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
4f7b304f
SK		 1982 {
1983 close(last_server->tcpfd);
1984 last_server->tcpfd = -1;
1985 continue;
1986 }
1987
1988 m = (c1 << 8) | c2;
4f7b304f 1989
4f7b304f
SK		 1990 if (last_server->addr.sa.sa_family == AF_INET)
1991 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1992 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
feba5c1d 1993#ifdef HAVE_IPV6
4f7b304f
SK		 1994 else
1995 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1996 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
feba5c1d 1997#endif
7d7b7b31
SK		 1998
1999#ifdef HAVE_DNSSEC
2000 if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
2001 {
7fa836e1
SK		 2002 int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
2003 int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
554b580e 2004 char *result, *domain = "result";
7fa836e1 2005
fe3992f9
SK		 2006 if (status == STAT_INSECURE_DS)
2007 {
2008 /* We only cache sigs when we've validated a reply.
2009 Avoid caching a reply with sigs if there's a vaildated break in the
2010 DS chain, so we don't return replies from cache missing sigs. */
2011 status = STAT_INSECURE;
2012 no_cache_dnssec = 1;
2013 }
2014
7fa836e1 2015 if (keycount == 0)
150162bc
SK		 2016 {
2017 result = "ABANDONED";
2018 status = STAT_BOGUS;
2019 }
7fa836e1
SK		 2020 else
2021 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
e66b4dff
SK		 2022
2023 if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL))
2024 domain = daemon->namebuff;
554b580e
SK		 2025
2026 log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
7d7b7b31 2027
7d7b7b31 2028 if (status == STAT_BOGUS)
fe3992f9
SK		 2029 {
2030 no_cache_dnssec = 1;
2031 bogusanswer = 1;
2032 }
2033
7d7b7b31
SK		 2034 if (status == STAT_SECURE)
2035 cache_secure = 1;
2036 }
2037#endif
2038
2039 /* restore CD bit to the value in the query */
2040 if (checking_disabled)
2041 header->hb4 |= HB4_CD;
2042 else
2043 header->hb4 &= ~HB4_CD;
4f7b304f
SK		 2044
2045 /* There's no point in updating the cache, since this process will exit and
2046 lose the information after a few queries. We make this call for the alias and
2047 bogus-nxdomain side-effects. */
2048 /* If the crc of the question section doesn't match the crc we sent, then
2049 someone might be attempting to insert bogus values into the cache by
2050 sending replies containing questions and bogus answers. */
8a9be9e4
SK		 2051#ifdef HAVE_DNSSEC
2052 newhash = hash_questions(header, (unsigned int)m, daemon->namebuff);
2053 if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0)
703c7ff4
SK		 2054 {
2055 m = 0;
2056 break;
2057 }
8a9be9e4
SK		 2058#else
2059 if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff))
703c7ff4
SK		 2060 {
2061 m = 0;
2062 break;
2063 }
8a9be9e4
SK		 2064#endif
2065
2066 m = process_reply(header, now, last_server, (unsigned int)m,
e66b4dff
SK		 2067 option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer,
2068 ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
4f7b304f
SK		 2069
2070 break;
2071 }
feba5c1d 2072 }
4f7b304f
SK		 2073
2074 /* In case of local answer or no connections made. */
2075 if (m == 0)
2076 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
feba5c1d 2077 }
feba5c1d 2078 }
4f7b304f 2079
5aabfc78 2080 check_log_writer(NULL);
feba5c1d 2081
4b5ea12e
SK		 2082 *length = htons(m);
2083
2084 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
feba5c1d
SK		 2085 return packet;
2086 }
2087}
2088
1697269c 2089static struct frec *allocate_frec(time_t now)
9e4abcb5 2090{
1697269c
SK		 2091 struct frec *f;
2092
5aabfc78 2093 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
9e4abcb5 2094 {
1a6bca81 2095 f->next = daemon->frec_list;
1697269c 2096 f->time = now;
832af0ba 2097 f->sentto = NULL;
1a6bca81 2098 f->rfd4 = NULL;
28866e95 2099 f->flags = 0;
1a6bca81
SK		 2100#ifdef HAVE_IPV6
2101 f->rfd6 = NULL;
3a237152
SK		 2102#endif
2103#ifdef HAVE_DNSSEC
97bc798b 2104 f->dependent = NULL;
3a237152 2105 f->blocking_query = NULL;
4619d946 2106 f->stash = NULL;
97e618a0 2107 f->orig_domain = NULL;
1a6bca81
SK		 2108#endif
2109 daemon->frec_list = f;
1697269c 2110 }
9e4abcb5 2111
1697269c
SK		 2112 return f;
2113}
9e4abcb5 2114
b5ea1cc2 2115struct randfd *allocate_rfd(int family)
1a6bca81
SK		 2116{
2117 static int finger = 0;
2118 int i;
2119
2120 /* limit the number of sockets we have open to avoid starvation of
2121 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2122
2123 for (i = 0; i < RANDOM_SOCKS; i++)
9009d746 2124 if (daemon->randomsocks[i].refcount == 0)
1a6bca81 2125 {
9009d746
SK		 2126 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
2127 break;
2128
1a6bca81
SK		 2129 daemon->randomsocks[i].refcount = 1;
2130 daemon->randomsocks[i].family = family;
2131 return &daemon->randomsocks[i];
2132 }
2133
9009d746 2134 /* No free ones or cannot get new socket, grab an existing one */
1a6bca81
SK		 2135 for (i = 0; i < RANDOM_SOCKS; i++)
2136 {
2137 int j = (i+finger) % RANDOM_SOCKS;
9009d746
SK		 2138 if (daemon->randomsocks[j].refcount != 0 &&
2139 daemon->randomsocks[j].family == family &&
2140 daemon->randomsocks[j].refcount != 0xffff)
1a6bca81
SK		 2141 {
2142 finger = j;
2143 daemon->randomsocks[j].refcount++;
2144 return &daemon->randomsocks[j];
2145 }
2146 }
2147
2148 return NULL; /* doom */
2149}
b5ea1cc2
SK		 2150
2151void free_rfd(struct randfd *rfd)
2152{
2153 if (rfd && --(rfd->refcount) == 0)
2154 close(rfd->fd);
2155}
2156
1a6bca81
SK		 2157static void free_frec(struct frec *f)
2158{
b5ea1cc2 2159 free_rfd(f->rfd4);
1a6bca81
SK		 2160 f->rfd4 = NULL;
2161 f->sentto = NULL;
28866e95 2162 f->flags = 0;
1a6bca81
SK		 2163
2164#ifdef HAVE_IPV6
b5ea1cc2 2165 free_rfd(f->rfd6);
1a6bca81
SK		 2166 f->rfd6 = NULL;
2167#endif
3a237152
SK		 2168
2169#ifdef HAVE_DNSSEC
2170 if (f->stash)
0fc2f313
SK		 2171 {
2172 blockdata_free(f->stash);
2173 f->stash = NULL;
2174 }
3a237152 2175
97e618a0
SK		 2176 if (f->orig_domain)
2177 {
2178 blockdata_free(f->orig_domain);
2179 f->orig_domain = NULL;
2180 }
2181
3a237152
SK		 2182 /* Anything we're waiting on is pointless now, too */
2183 if (f->blocking_query)
2184 free_frec(f->blocking_query);
2185 f->blocking_query = NULL;
39048ad1 2186 f->dependent = NULL;
3a237152 2187#endif
1a6bca81
SK		 2188}
2189
1697269c
SK		 2190/* if wait==NULL return a free or older than TIMEOUT record.
2191 else return *wait zero if one available, or *wait is delay to
1a6bca81 2192 when the oldest in-use record will expire. Impose an absolute
3a237152
SK		 2193 limit of 4*TIMEOUT before we wipe things (for random sockets).
2194 If force is set, always return a result, even if we have
2195 to allocate above the limit. */
2196struct frec *get_new_frec(time_t now, int *wait, int force)
1697269c 2197{
1a6bca81 2198 struct frec *f, *oldest, *target;
1697269c
SK		 2199 int count;
2200
2201 if (wait)
2202 *wait = 0;
2203
1a6bca81 2204 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
832af0ba 2205 if (!f->sentto)
1a6bca81
SK		 2206 target = f;
2207 else
1697269c 2208 {
1a6bca81
SK		 2209 if (difftime(now, f->time) >= 4*TIMEOUT)
2210 {
2211 free_frec(f);
2212 target = f;
2213 }
2214
2215 if (!oldest || difftime(f->time, oldest->time) <= 0)
2216 oldest = f;
1697269c 2217 }
1a6bca81
SK		 2218
2219 if (target)
2220 {
2221 target->time = now;
2222 return target;
2223 }
9e4abcb5
SK		 2224
2225 /* can't find empty one, use oldest if there is one
2226 and it's older than timeout */
1697269c 2227 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
9e4abcb5 2228 {
1697269c
SK		 2229 /* keep stuff for twice timeout if we can by allocating a new
2230 record instead */
2231 if (difftime(now, oldest->time) < 2*TIMEOUT &&
2232 count <= daemon->ftabsize &&
2233 (f = allocate_frec(now)))
2234 return f;
2235
2236 if (!wait)
2237 {
1a6bca81 2238 free_frec(oldest);
1697269c
SK		 2239 oldest->time = now;
2240 }
9e4abcb5
SK		 2241 return oldest;
2242 }
2243
1697269c 2244 /* none available, calculate time 'till oldest record expires */
3a237152 2245 if (!force && count > daemon->ftabsize)
1697269c 2246 {
0da5e897
MSB		 2247 static time_t last_log = 0;
2248
1697269c
SK		 2249 if (oldest && wait)
2250 *wait = oldest->time + (time_t)TIMEOUT - now;
0da5e897
MSB		 2251
2252 if ((int)difftime(now, last_log) > 5)
2253 {
2254 last_log = now;
2255 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
2256 }
2257
9e4abcb5
SK		 2258 return NULL;
2259 }
1697269c
SK		 2260
2261 if (!(f = allocate_frec(now)) && wait)
2262 /* wait one second on malloc failure */
2263 *wait = 1;
9e4abcb5 2264
9e4abcb5
SK		 2265 return f; /* OK if malloc fails and this is NULL */
2266}
2267
832af0ba 2268/* crc is all-ones if not known. */
8a9be9e4 2269static struct frec *lookup_frec(unsigned short id, void *hash)
9e4abcb5
SK		 2270{
2271 struct frec *f;
2272
1a6bca81 2273 for(f = daemon->frec_list; f; f = f->next)
832af0ba 2274 if (f->sentto && f->new_id == id &&
8a9be9e4 2275 (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
9e4abcb5
SK		 2276 return f;
2277
2278 return NULL;
2279}
2280
2281static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481 2282 union mysockaddr *addr,
8a9be9e4 2283 void *hash)
9e4abcb5 2284{
feba5c1d
SK		 2285 struct frec *f;
2286
1a6bca81 2287 for(f = daemon->frec_list; f; f = f->next)
832af0ba 2288 if (f->sentto &&
9e4abcb5 2289 f->orig_id == id &&
8a9be9e4 2290 memcmp(hash, f->hash, HASH_SIZE) == 0 &&
9e4abcb5
SK		 2291 sockaddr_isequal(&f->source, addr))
2292 return f;
2293
2294 return NULL;
2295}
47a95169
SK		 2296
2297/* Send query packet again, if we can. */
2298void resend_query()
2299{
2300 if (daemon->srv_save)
2301 {
2302 int fd;
2303
2304 if (daemon->srv_save->sfd)
2305 fd = daemon->srv_save->sfd->fd;
2306 else if (daemon->rfd_save && daemon->rfd_save->refcount != 0)
2307 fd = daemon->rfd_save->fd;
2308 else
2309 return;
2310
ff841ebf
SK		 2311 while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0,
2312 &daemon->srv_save->addr.sa,
2313 sa_len(&daemon->srv_save->addr))));
47a95169
SK		 2314 }
2315}
9e4abcb5 2316
849a8357 2317/* A server record is going away, remove references to it */
5aabfc78 2318void server_gone(struct server *server)
849a8357
SK		 2319{
2320 struct frec *f;
2321
1a6bca81 2322 for (f = daemon->frec_list; f; f = f->next)
832af0ba 2323 if (f->sentto && f->sentto == server)
1a6bca81 2324 free_frec(f);
849a8357
SK		 2325
2326 if (daemon->last_server == server)
2327 daemon->last_server = NULL;
2328
2329 if (daemon->srv_save == server)
2330 daemon->srv_save = NULL;
2331}
9e4abcb5 2332
316e2730 2333/* return unique random ids. */
8a9be9e4 2334static unsigned short get_id(void)
9e4abcb5
SK		 2335{
2336 unsigned short ret = 0;
832af0ba 2337
316e2730 2338 do
832af0ba 2339 ret = rand16();
8a9be9e4 2340 while (lookup_frec(ret, NULL));
832af0ba 2341
9e4abcb5
SK		 2342 return ret;
2343}
2344
2345
2346
2347
2348
Michael's tree of dnsmasq.