]> git.ipfire.org Git - people/ms/dnsmasq.git/blame - src/forward.c
projects / people / ms / dnsmasq.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'master' into dnssec
[people/ms/dnsmasq.git] / src / forward.c
CommitLineData
61744359 1/* dnsmasq is Copyright (c) 2000-2013 Simon Kelley
9e4abcb5
SK		 2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
824af85b
SK		 5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
9e4abcb5
SK		 8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
824af85b 12
73a08a24
SK		 13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
9e4abcb5
SK		 15*/
16
9e4abcb5
SK		 17#include "dnsmasq.h"
18
832af0ba 19static struct frec *lookup_frec(unsigned short id, unsigned int crc);
9e4abcb5 20static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481
SK		 21 union mysockaddr *addr,
22 unsigned int crc);
316e2730 23static unsigned short get_id(unsigned int crc);
1a6bca81
SK		 24static void free_frec(struct frec *f);
25static struct randfd *allocate_rfd(int family);
9e4abcb5 26
824af85b 27/* Send a UDP packet with its source address set as "source"
44a2a316 28 unless nowild is true, when we just send it with the kernel default */
29689cfa
SK		 29int send_from(int fd, int nowild, char *packet, size_t len,
30 union mysockaddr *to, struct all_addr *source,
50303b19 31 unsigned int iface)
9e4abcb5 32{
44a2a316
SK		 33 struct msghdr msg;
34 struct iovec iov[1];
44a2a316
SK		 35 union {
36 struct cmsghdr align; /* this ensures alignment */
5e9e0efb 37#if defined(HAVE_LINUX_NETWORK)
44a2a316
SK		 38 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
39#elif defined(IP_SENDSRCADDR)
40 char control[CMSG_SPACE(sizeof(struct in_addr))];
41#endif
42#ifdef HAVE_IPV6
43 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
44#endif
45 } control_u;
feba5c1d 46
44a2a316
SK		 47 iov[0].iov_base = packet;
48 iov[0].iov_len = len;
49
feba5c1d
SK		 50 msg.msg_control = NULL;
51 msg.msg_controllen = 0;
44a2a316
SK		 52 msg.msg_flags = 0;
53 msg.msg_name = to;
54 msg.msg_namelen = sa_len(to);
55 msg.msg_iov = iov;
56 msg.msg_iovlen = 1;
feba5c1d 57
26128d27 58 if (!nowild)
44a2a316 59 {
26128d27 60 struct cmsghdr *cmptr;
feba5c1d
SK		 61 msg.msg_control = &control_u;
62 msg.msg_controllen = sizeof(control_u);
26128d27
SK		 63 cmptr = CMSG_FIRSTHDR(&msg);
64
65 if (to->sa.sa_family == AF_INET)
66 {
5e9e0efb 67#if defined(HAVE_LINUX_NETWORK)
8ef5ada2
SK		 68 struct in_pktinfo p;
69 p.ipi_ifindex = 0;
70 p.ipi_spec_dst = source->addr.addr4;
71 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 72 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
c72daea8 73 cmptr->cmsg_level = IPPROTO_IP;
26128d27 74 cmptr->cmsg_type = IP_PKTINFO;
44a2a316 75#elif defined(IP_SENDSRCADDR)
8ef5ada2 76 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
26128d27
SK		 77 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
78 cmptr->cmsg_level = IPPROTO_IP;
79 cmptr->cmsg_type = IP_SENDSRCADDR;
44a2a316 80#endif
26128d27 81 }
26128d27 82 else
b8187c80 83#ifdef HAVE_IPV6
26128d27 84 {
8ef5ada2
SK		 85 struct in6_pktinfo p;
86 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
87 p.ipi6_addr = source->addr.addr6;
88 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 89 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
316e2730 90 cmptr->cmsg_type = daemon->v6pktinfo;
c72daea8 91 cmptr->cmsg_level = IPPROTO_IPV6;
26128d27 92 }
3d8df260 93#else
c72daea8 94 (void)iface; /* eliminate warning */
44a2a316 95#endif
26128d27 96 }
feba5c1d 97
29d28dda 98 while (sendmsg(fd, &msg, 0) == -1)
feba5c1d 99 {
fd9fa481 100 if (retry_send())
29d28dda 101 continue;
22d904db 102
29d28dda
SK		 103 /* If interface is still in DAD, EINVAL results - ignore that. */
104 if (errno == EINVAL)
105 break;
29689cfa 106
29d28dda 107 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
29689cfa 108 return 0;
feba5c1d 109 }
29d28dda 110
29689cfa 111 return 1;
9e4abcb5 112}
44a2a316 113
28866e95
SK		 114static unsigned int search_servers(time_t now, struct all_addr **addrpp,
115 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
feba5c1d
SK		 116
117{
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
121
122 unsigned int namelen = strlen(qdomain);
123 unsigned int matchlen = 0;
124 struct server *serv;
28866e95 125 unsigned int flags = 0;
feba5c1d 126
3be34541 127 for (serv = daemon->servers; serv; serv=serv->next)
feba5c1d 128 /* domain matches take priority over NODOTS matches */
3d8df260 129 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
feba5c1d 130 {
28866e95 131 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
feba5c1d 132 *type = SERV_FOR_NODOTS;
feba5c1d 133 if (serv->flags & SERV_NO_ADDR)
36717eee
SK		 134 flags = F_NXDOMAIN;
135 else if (serv->flags & SERV_LITERAL_ADDRESS)
136 {
137 if (sflag & qtype)
138 {
139 flags = sflag;
140 if (serv->addr.sa.sa_family == AF_INET)
141 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 142#ifdef HAVE_IPV6
36717eee
SK		 143 else
144 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 145#endif
36717eee 146 }
824af85b 147 else if (!flags || (flags & F_NXDOMAIN))
36717eee
SK		 148 flags = F_NOERR;
149 }
feba5c1d
SK		 150 }
151 else if (serv->flags & SERV_HAS_DOMAIN)
152 {
153 unsigned int domainlen = strlen(serv->domain);
b8187c80 154 char *matchstart = qdomain + namelen - domainlen;
feba5c1d 155 if (namelen >= domainlen &&
b8187c80 156 hostname_isequal(matchstart, serv->domain) &&
8ef5ada2 157 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
feba5c1d 158 {
8ef5ada2
SK		 159 if (serv->flags & SERV_NO_REBIND)
160 *norebind = 1;
28866e95 161 else
feba5c1d 162 {
28866e95
SK		 163 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen != 0 && domainlen == matchlen)
36717eee 168 {
28866e95 169 if ((serv->flags & SERV_LITERAL_ADDRESS))
8ef5ada2 170 {
28866e95
SK		 171 if (!(sflag & qtype) && flags == 0)
172 continue;
173 }
174 else
175 {
176 if (flags & (F_IPV4 | F_IPV6))
177 continue;
178 }
179 }
180
181 if (domainlen >= matchlen)
182 {
183 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
184 *domain = serv->domain;
185 matchlen = domainlen;
186 if (serv->flags & SERV_NO_ADDR)
187 flags = F_NXDOMAIN;
188 else if (serv->flags & SERV_LITERAL_ADDRESS)
189 {
190 if (sflag & qtype)
191 {
192 flags = sflag;
193 if (serv->addr.sa.sa_family == AF_INET)
194 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 195#ifdef HAVE_IPV6
28866e95
SK		 196 else
197 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 198#endif
28866e95
SK		 199 }
200 else if (!flags || (flags & F_NXDOMAIN))
201 flags = F_NOERR;
8ef5ada2 202 }
28866e95
SK		 203 else
204 flags = 0;
205 }
206 }
8ef5ada2 207 }
feba5c1d 208 }
8ef5ada2 209
7de060b0 210 if (flags == 0 && !(qtype & F_QUERY) &&
28866e95 211 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
7de060b0
SK		 212 /* don't forward A or AAAA queries for simple names, except the empty name */
213 flags = F_NOERR;
8ef5ada2 214
5aabfc78 215 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
c1bb8504 216 flags = F_NOERR;
feba5c1d 217
824af85b
SK		 218 if (flags)
219 {
220 int logflags = 0;
221
222 if (flags == F_NXDOMAIN || flags == F_NOERR)
223 logflags = F_NEG | qtype;
224
1a6bca81 225 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
824af85b 226 }
8ef5ada2
SK		 227 else if ((*type) & SERV_USE_RESOLV)
228 {
229 *type = 0; /* use normal servers for this domain */
230 *domain = NULL;
231 }
feba5c1d
SK		 232 return flags;
233}
44a2a316 234
824af85b
SK		 235static int forward_query(int udpfd, union mysockaddr *udpaddr,
236 struct all_addr *dst_addr, unsigned int dst_iface,
572b41eb 237 struct dns_header *header, size_t plen, time_t now, struct frec *forward)
9e4abcb5 238{
9e4abcb5 239 char *domain = NULL;
8ef5ada2 240 int type = 0, norebind = 0;
9e4abcb5 241 struct all_addr *addrp = NULL;
cdeda28f 242 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
28866e95
SK		 243 unsigned int flags = 0;
244 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
de37951c 245 struct server *start = NULL;
7de060b0 246
28866e95 247 /* RFC 4035: sect 4.6 para 2 */
572b41eb
SK		 248 header->hb4 &= ~HB4_AD;
249
3d8df260
SK		 250 /* may be no servers available. */
251 if (!daemon->servers)
9e4abcb5 252 forward = NULL;
b8187c80 253 else if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, crc)))
9e4abcb5 254 {
de37951c 255 /* retry on existing query, send to all available servers */
9e4abcb5 256 domain = forward->sentto->domain;
824af85b 257 forward->sentto->failed_queries++;
28866e95 258 if (!option_bool(OPT_ORDER))
de37951c 259 {
0a852541 260 forward->forwardall = 1;
3be34541 261 daemon->last_server = NULL;
de37951c 262 }
9e4abcb5 263 type = forward->sentto->flags & SERV_TYPE;
de37951c 264 if (!(start = forward->sentto->next))
3be34541 265 start = daemon->servers; /* at end of list, recycle */
9e4abcb5
SK		 266 header->id = htons(forward->new_id);
267 }
268 else
269 {
270 if (gotname)
8ef5ada2 271 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
9e4abcb5 272
3a237152 273 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
feba5c1d
SK		 274 /* table full - server failure. */
275 flags = F_NEG;
9e4abcb5
SK		 276
277 if (forward)
278 {
0a852541
SK		 279 forward->source = *udpaddr;
280 forward->dest = *dst_addr;
281 forward->iface = dst_iface;
0a852541 282 forward->orig_id = ntohs(header->id);
316e2730 283 forward->new_id = get_id(crc);
832af0ba 284 forward->fd = udpfd;
0a852541
SK		 285 forward->crc = crc;
286 forward->forwardall = 0;
ed4c0767 287 forward->flags = 0;
28866e95
SK		 288 if (norebind)
289 forward->flags |= FREC_NOREBIND;
572b41eb 290 if (header->hb4 & HB4_CD)
28866e95 291 forward->flags |= FREC_CHECKING_DISABLED;
0a852541 292
28866e95
SK		 293 header->id = htons(forward->new_id);
294
8ef5ada2
SK		 295 /* In strict_order mode, always try servers in the order
296 specified in resolv.conf, if a domain is given
297 always try all the available servers,
9e4abcb5
SK		 298 otherwise, use the one last known to work. */
299
8ef5ada2
SK		 300 if (type == 0)
301 {
28866e95 302 if (option_bool(OPT_ORDER))
8ef5ada2
SK		 303 start = daemon->servers;
304 else if (!(start = daemon->last_server) ||
305 daemon->forwardcount++ > FORWARD_TEST ||
306 difftime(now, daemon->forwardtime) > FORWARD_TIME)
307 {
308 start = daemon->servers;
309 forward->forwardall = 1;
310 daemon->forwardcount = 0;
311 daemon->forwardtime = now;
312 }
313 }
314 else
de37951c 315 {
3be34541 316 start = daemon->servers;
28866e95 317 if (!option_bool(OPT_ORDER))
8ef5ada2 318 forward->forwardall = 1;
de37951c 319 }
9e4abcb5
SK		 320 }
321 }
feba5c1d 322
9e4abcb5
SK		 323 /* check for send errors here (no route to host)
324 if we fail to send to all nameservers, send back an error
325 packet straight away (helps modem users when offline) */
326
327 if (!flags && forward)
328 {
de37951c
SK		 329 struct server *firstsentto = start;
330 int forwarded = 0;
28866e95 331
797a7afb
GT		 332 if (option_bool(OPT_ADD_MAC))
333 plen = add_mac(header, plen, ((char *) header) + PACKETSZ, &forward->source);
28866e95 334
ed4c0767
SK		 335 if (option_bool(OPT_CLIENT_SUBNET))
336 {
337 size_t new = add_source_addr(header, plen, ((char *) header) + PACKETSZ, &forward->source);
338 if (new != plen)
339 {
340 plen = new;
341 forward->flags |= FREC_HAS_SUBNET;
342 }
343 }
344
3a237152
SK		 345#ifdef HAVE_DNSSEC
346 if (option_bool(OPT_DNSSEC_VALID))
347 plen = add_do_bit(header, plen, ((char *) header) + PACKETSZ);
348#endif
349
9e4abcb5
SK		 350 while (1)
351 {
9e4abcb5
SK		 352 /* only send to servers dealing with our domain.
353 domain may be NULL, in which case server->domain
354 must be NULL also. */
355
de37951c 356 if (type == (start->flags & SERV_TYPE) &&
fd9fa481
SK		 357 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
358 !(start->flags & SERV_LITERAL_ADDRESS))
9e4abcb5 359 {
1a6bca81
SK		 360 int fd;
361
362 /* find server socket to use, may need to get random one. */
363 if (start->sfd)
364 fd = start->sfd->fd;
365 else
366 {
367#ifdef HAVE_IPV6
368 if (start->addr.sa.sa_family == AF_INET6)
369 {
370 if (!forward->rfd6 &&
371 !(forward->rfd6 = allocate_rfd(AF_INET6)))
372 break;
3927da46 373 daemon->rfd_save = forward->rfd6;
1a6bca81
SK		 374 fd = forward->rfd6->fd;
375 }
376 else
377#endif
378 {
379 if (!forward->rfd4 &&
380 !(forward->rfd4 = allocate_rfd(AF_INET)))
381 break;
3927da46 382 daemon->rfd_save = forward->rfd4;
1a6bca81
SK		 383 fd = forward->rfd4->fd;
384 }
7de060b0
SK		 385
386#ifdef HAVE_CONNTRACK
387 /* Copy connection mark of incoming query to outgoing connection. */
388 if (option_bool(OPT_CONNTRACK))
389 {
390 unsigned int mark;
797a7afb 391 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
7de060b0
SK		 392 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
393 }
394#endif
1a6bca81
SK		 395 }
396
397 if (sendto(fd, (char *)header, plen, 0,
feba5c1d 398 &start->addr.sa,
fd9fa481
SK		 399 sa_len(&start->addr)) == -1)
400 {
401 if (retry_send())
402 continue;
403 }
404 else
9e4abcb5 405 {
cdeda28f
SK		 406 /* Keep info in case we want to re-send this packet */
407 daemon->srv_save = start;
408 daemon->packet_len = plen;
409
de37951c 410 if (!gotname)
3be34541 411 strcpy(daemon->namebuff, "query");
de37951c 412 if (start->addr.sa.sa_family == AF_INET)
3be34541 413 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 414 (struct all_addr *)&start->addr.in.sin_addr, NULL);
de37951c
SK		 415#ifdef HAVE_IPV6
416 else
3be34541 417 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 418 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
de37951c 419#endif
824af85b 420 start->queries++;
de37951c
SK		 421 forwarded = 1;
422 forward->sentto = start;
0a852541 423 if (!forward->forwardall)
de37951c 424 break;
0a852541 425 forward->forwardall++;
9e4abcb5
SK		 426 }
427 }
428
de37951c 429 if (!(start = start->next))
3be34541 430 start = daemon->servers;
9e4abcb5 431
de37951c 432 if (start == firstsentto)
9e4abcb5
SK		 433 break;
434 }
435
de37951c 436 if (forwarded)
824af85b 437 return 1;
de37951c 438
9e4abcb5
SK		 439 /* could not send on, prepare to return */
440 header->id = htons(forward->orig_id);
1a6bca81 441 free_frec(forward); /* cancel */
9e4abcb5
SK		 442 }
443
444 /* could not send on, return empty answer or address if known for whole domain */
b8187c80
SK		 445 if (udpfd != -1)
446 {
cdeda28f 447 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
54dd393f 448 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
b8187c80
SK		 449 }
450
824af85b 451 return 0;
9e4abcb5
SK		 452}
453
ed4c0767 454static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
3a237152 455 int no_cache, int cache_secure, int check_subnet, union mysockaddr *query_source)
feba5c1d 456{
36717eee 457 unsigned char *pheader, *sizep;
13d86c73 458 char **sets = 0;
832af0ba 459 int munged = 0, is_sign;
cdeda28f 460 size_t plen;
3a237152 461 int squash_ad = 0;
cdeda28f 462
13d86c73
JD		 463#ifdef HAVE_IPSET
464 /* Similar algorithm to search_servers. */
465 struct ipsets *ipset_pos;
466 unsigned int namelen = strlen(daemon->namebuff);
467 unsigned int matchlen = 0;
468 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
469 {
470 unsigned int domainlen = strlen(ipset_pos->domain);
471 char *matchstart = daemon->namebuff + namelen - domainlen;
472 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
473 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
474 domainlen >= matchlen) {
475 matchlen = domainlen;
476 sets = ipset_pos->sets;
477 }
478 }
479#endif
480
feba5c1d 481 /* If upstream is advertising a larger UDP packet size
9009d746
SK		 482 than we allow, trim it so that we don't get overlarge
483 requests for the client. We can't do this for signed packets. */
feba5c1d 484
ed4c0767 485 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
feba5c1d 486 {
ed4c0767
SK		 487 if (!is_sign)
488 {
489 unsigned short udpsz;
490 unsigned char *psave = sizep;
491
492 GETSHORT(udpsz, sizep);
493 if (udpsz > daemon->edns_pktsz)
494 PUTSHORT(daemon->edns_pktsz, psave);
495 }
feba5c1d 496
ed4c0767
SK		 497 if (check_subnet && !check_source(header, plen, pheader, query_source))
498 {
499 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
500 return 0;
501 }
feba5c1d 502 }
ed4c0767 503
28866e95 504 /* RFC 4035 sect 4.6 para 3 */
237724c0 505 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
3a237152
SK		 506 squash_ad = 1;
507
508#ifdef HAVE_DNSSEC
509 if (option_bool(OPT_DNSSEC_VALID))
510 squash_ad = no_cache;
28866e95 511
3a237152
SK		 512 if (cache_secure)
513 header->hb4 |= HB4_AD;
514#endif
515
516 if (squash_ad)
517 header->hb4 &= ~HB4_AD;
518
572b41eb 519 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
0a852541
SK		 520 return n;
521
feba5c1d 522 /* Complain loudly if the upstream server is non-recursive. */
572b41eb 523 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
0a852541 524 server && !(server->flags & SERV_WARNED_RECURSIVE))
feba5c1d 525 {
3d8df260 526 prettyprint_addr(&server->addr, daemon->namebuff);
f2621c7f 527 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
28866e95 528 if (!option_bool(OPT_LOG))
0a852541
SK		 529 server->flags |= SERV_WARNED_RECURSIVE;
530 }
e292e93d 531
572b41eb 532 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
fd9fa481 533 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
feba5c1d 534 {
fd9fa481 535 munged = 1;
572b41eb
SK		 536 SET_RCODE(header, NXDOMAIN);
537 header->hb3 &= ~HB3_AA;
36717eee 538 }
fd9fa481 539 else
36717eee 540 {
572b41eb 541 if (RCODE(header) == NXDOMAIN &&
fd9fa481 542 extract_request(header, n, daemon->namebuff, NULL) &&
5aabfc78 543 check_for_local_domain(daemon->namebuff, now))
36717eee
SK		 544 {
545 /* if we forwarded a query for a locally known name (because it was for
546 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
547 since we know that the domain exists, even if upstream doesn't */
fd9fa481 548 munged = 1;
572b41eb
SK		 549 header->hb3 |= HB3_AA;
550 SET_RCODE(header, NOERROR);
feba5c1d 551 }
832af0ba 552
3a237152 553 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache))
824af85b 554 {
8ef5ada2 555 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
824af85b
SK		 556 munged = 1;
557 }
feba5c1d 558 }
fd9fa481
SK		 559
560 /* do this after extract_addresses. Ensure NODATA reply and remove
561 nameserver info. */
562
563 if (munged)
564 {
565 header->ancount = htons(0);
566 header->nscount = htons(0);
567 header->arcount = htons(0);
568 }
569
36717eee
SK		 570 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
571 sections of the packet. Find the new length here and put back pseudoheader
572 if it was removed. */
573 return resize_packet(header, n, pheader, plen);
feba5c1d
SK		 574}
575
3be34541 576/* sets new last_server */
1a6bca81 577void reply_query(int fd, int family, time_t now)
9e4abcb5
SK		 578{
579 /* packet from peer server, extract data for cache, and send to
580 original requester */
572b41eb 581 struct dns_header *header;
de37951c 582 union mysockaddr serveraddr;
832af0ba 583 struct frec *forward;
de37951c 584 socklen_t addrlen = sizeof(serveraddr);
1a6bca81 585 ssize_t n = recvfrom(fd, daemon->packet, daemon->edns_pktsz, 0, &serveraddr.sa, &addrlen);
cdeda28f 586 size_t nn;
1a6bca81
SK		 587 struct server *server;
588
cdeda28f
SK		 589 /* packet buffer overwritten */
590 daemon->srv_save = NULL;
832af0ba 591
de37951c 592 /* Determine the address of the server replying so that we can mark that as good */
1a6bca81 593 serveraddr.sa.sa_family = family;
de37951c
SK		 594#ifdef HAVE_IPV6
595 if (serveraddr.sa.sa_family == AF_INET6)
5e9e0efb 596 serveraddr.in6.sin6_flowinfo = 0;
de37951c 597#endif
9e4abcb5 598
1a6bca81
SK		 599 /* spoof check: answer must come from known server, */
600 for (server = daemon->servers; server; server = server->next)
601 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
602 sockaddr_isequal(&server->addr, &serveraddr))
603 break;
604
572b41eb 605 header = (struct dns_header *)daemon->packet;
fd9fa481 606
1a6bca81 607 if (!server ||
572b41eb 608 n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
1a6bca81
SK		 609 !(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
610 return;
3a237152 611
572b41eb 612 if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
28866e95 613 !option_bool(OPT_ORDER) &&
1a6bca81
SK		 614 forward->forwardall == 0)
615 /* for broken servers, attempt to send to another one. */
9e4abcb5 616 {
1a6bca81
SK		 617 unsigned char *pheader;
618 size_t plen;
619 int is_sign;
832af0ba 620
1a6bca81
SK		 621 /* recreate query from reply */
622 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
623 if (!is_sign)
832af0ba 624 {
1a6bca81
SK		 625 header->ancount = htons(0);
626 header->nscount = htons(0);
627 header->arcount = htons(0);
628 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
832af0ba 629 {
572b41eb 630 header->hb3 &= ~(HB3_QR | HB3_TC);
1a6bca81
SK		 631 forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
632 return;
832af0ba 633 }
832af0ba 634 }
1a6bca81 635 }
3a237152
SK		 636
637 server = forward->sentto;
1a6bca81
SK		 638
639 if ((forward->sentto->flags & SERV_TYPE) == 0)
640 {
572b41eb 641 if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
1a6bca81
SK		 642 server = NULL;
643 else
b8187c80 644 {
1a6bca81
SK		 645 struct server *last_server;
646
647 /* find good server by address if possible, otherwise assume the last one we sent to */
648 for (last_server = daemon->servers; last_server; last_server = last_server->next)
649 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
650 sockaddr_isequal(&last_server->addr, &serveraddr))
651 {
652 server = last_server;
653 break;
654 }
655 }
28866e95 656 if (!option_bool(OPT_ALL_SERVERS))
1a6bca81
SK		 657 daemon->last_server = server;
658 }
3a237152 659
1a6bca81
SK		 660 /* If the answer is an error, keep the forward record in place in case
661 we get a good reply from another server. Kill it when we've
662 had replies from all to avoid filling the forwarding table when
663 everything is broken */
664 if (forward->forwardall == 0 || --forward->forwardall == 1 ||
572b41eb 665 (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
1a6bca81 666 {
3a237152
SK		 667 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
668
669 if (option_bool(OPT_NO_REBIND))
670 check_rebind = !(forward->flags & FREC_NOREBIND);
671
672 /* Don't cache replies where DNSSEC validation was turned off, either
673 the upstream server told us so, or the original query specified it. */
674 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
675 no_cache_dnssec = 1;
676
677#ifdef HAVE_DNSSEC
678 if (option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
679 {
9d633048
SK		 680 int status;
681 char rrbitmap[256/8];
682 int class;
683
684 if (forward->flags && FREC_DNSSKEY_QUERY)
685 status = dnssec_validate_by_ds(header, n, daemon->namebuff, &class);
686 else if (forward->flags && FREC_DS_QUERY)
687 status = dnssec_validate_dnskey(header, n, daemon->namebuff, &class);
688 else
689 status = dnssec_validate_reply(&rrbitmap, header, n, daemon->namebuff, &class);
3a237152
SK		 690
691 /* Can't validate, as we're missing key data. Put this
692 answer aside, whilst we get that. */
693 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
694 {
695 struct frec *new;
696 if ((forward->stash = blockdata_alloc((char *)header, n)))
697 {
698 forward->stash_len = n;
9d633048
SK		 699
700 if ((new = get_new_frec(now, NULL, 1)))
3a237152
SK		 701 {
702 int fd;
9d633048 703
3a237152
SK		 704 new = forward; /* copy everything, then overwrite */
705 new->dependent = forward; /* to find query awaiting new one. */
706 forward->blocking_query = new; /* for garbage cleaning */
9d633048 707 /* validate routines leave name of required record in daemon->namebuff */
3a237152 708 if (status == STAT_NEED_KEY)
9d633048
SK		 709 {
710 new->flags |= FREC_DNSKEY_QUERY;
711 nn = dnssec_generate_query(header, daemon->namebuff, class, T_DNSKEY);
712 }
3a237152 713 else if (status == STAT_NEED_DS)
9d633048
SK		 714 {
715 new->flags |= FREC_DS_QUERY;
716 nn = dnssec_generate_query(header, daemon->namebuff, class, T_DS);
717 }
3a237152
SK		 718 new->crc = questions_crc(header, nn, daemon->namebuff);
719 new->new_id = get_id(new->crc);
9d633048
SK		 720 header->id = htons(new->id);
721
3a237152
SK		 722 /* Don't resend this. */
723 daemon->srv_save = NULL;
724
725 if (server->sfd)
726 fd = server->sfd->fd;
727 else
728#ifdef HAVE_IPV6
9d633048
SK		 729 /* Note that we use the same random port for the DNSSEC stuff */
730 if (server->addr.sa.sa_family == AF_INET6)
731 {
732 fd = new->rfd6->fd;
733 new->rfd6->refcount++;
734 }
735 else
3a237152 736#endif
9d633048
SK		 737 {
738 fd = new->rfd4->fd;
739 new->rfd4->refcount++;
740 }
741
3a237152
SK		 742 /* Send DNSSEC query to same server as original query */
743 while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
744 }
745 }
746 return;
747 }
748
749 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
750 Now wind back down, pulling back answers which wouldn't previously validate
751 and validate them with the new data. Failure to find needed data here is an internal error.
752 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
753 return it to the original requestor. */
754 while (forward->flags & FREC_DNSSEC_QUERY)
755 {
756 if (status == STAT_SECURE)
757 extract_dnssec_replies();
758 free_frec(forward);
759 forward = forward->dependent;
760 blockdata_retrieve_and_free(forward->stash, forward->stash_len, (void *)header);
761 n = forward->stash_len;
762 if (status == STAT_SECURE)
763 {
764 status = dnssec_validate(forward->flags, header, n);
765 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
766 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
767 }
768 }
769
770 if (status == STAT_SECURE)
771 cache_secure = 1;
772 /* TODO return SERVFAIL here */
773 else if (status == STAT_BOGUS)
774 no_cache_dnssec = 1;
775 }
776#endif
8ef5ada2 777
3a237152 778 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
ed4c0767 779 forward->flags & FREC_HAS_SUBNET, &forward->source)))
1a6bca81
SK		 780 {
781 header->id = htons(forward->orig_id);
572b41eb 782 header->hb4 |= HB4_RA; /* recursion if available */
54dd393f 783 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
50303b19 784 &forward->source, &forward->dest, forward->iface);
b8187c80 785 }
1a6bca81 786 free_frec(forward); /* cancel */
9e4abcb5 787 }
9e4abcb5 788}
44a2a316 789
1a6bca81 790
5aabfc78 791void receive_query(struct listener *listen, time_t now)
44a2a316 792{
572b41eb 793 struct dns_header *header = (struct dns_header *)daemon->packet;
44a2a316 794 union mysockaddr source_addr;
c1bb8504 795 unsigned short type;
44a2a316 796 struct all_addr dst_addr;
f6b7dc47 797 struct in_addr netmask, dst_addr_4;
cdeda28f
SK		 798 size_t m;
799 ssize_t n;
3b195961
VG		 800 int if_index = 0, auth_dns = 0;
801#ifdef HAVE_AUTH
802 int local_auth = 0;
803#endif
44a2a316
SK		 804 struct iovec iov[1];
805 struct msghdr msg;
806 struct cmsghdr *cmptr;
44a2a316
SK		 807 union {
808 struct cmsghdr align; /* this ensures alignment */
809#ifdef HAVE_IPV6
810 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
811#endif
5e9e0efb 812#if defined(HAVE_LINUX_NETWORK)
44a2a316 813 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
824af85b
SK		 814#elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
815 char control[CMSG_SPACE(sizeof(struct in_addr)) +
816 CMSG_SPACE(sizeof(unsigned int))];
44a2a316
SK		 817#elif defined(IP_RECVDSTADDR)
818 char control[CMSG_SPACE(sizeof(struct in_addr)) +
819 CMSG_SPACE(sizeof(struct sockaddr_dl))];
820#endif
821 } control_u;
2329bef5
SK		 822#ifdef HAVE_IPV6
823 /* Can always get recvd interface for IPv6 */
824 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
825#else
826 int check_dst = !option_bool(OPT_NOWILD);
827#endif
828
cdeda28f
SK		 829 /* packet buffer overwritten */
830 daemon->srv_save = NULL;
831
4f7b304f
SK		 832 dst_addr_4.s_addr = 0;
833 netmask.s_addr = 0;
834
7e5664bd 835 if (option_bool(OPT_NOWILD) && listen->iface)
3d8df260 836 {
4f7b304f
SK		 837 auth_dns = listen->iface->dns_auth;
838
839 if (listen->family == AF_INET)
840 {
841 dst_addr_4 = listen->iface->addr.in.sin_addr;
842 netmask = listen->iface->netmask;
843 }
3d8df260 844 }
4f7b304f 845
3be34541
SK		 846 iov[0].iov_base = daemon->packet;
847 iov[0].iov_len = daemon->edns_pktsz;
44a2a316
SK		 848
849 msg.msg_control = control_u.control;
850 msg.msg_controllen = sizeof(control_u);
851 msg.msg_flags = 0;
852 msg.msg_name = &source_addr;
853 msg.msg_namelen = sizeof(source_addr);
854 msg.msg_iov = iov;
855 msg.msg_iovlen = 1;
856
de37951c 857 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
3be34541 858 return;
44a2a316 859
572b41eb 860 if (n < (int)sizeof(struct dns_header) ||
5e9e0efb 861 (msg.msg_flags & MSG_TRUNC) ||
572b41eb 862 (header->hb3 & HB3_QR))
26128d27
SK		 863 return;
864
44a2a316
SK		 865 source_addr.sa.sa_family = listen->family;
866#ifdef HAVE_IPV6
867 if (listen->family == AF_INET6)
5e9e0efb 868 source_addr.in6.sin6_flowinfo = 0;
44a2a316 869#endif
28866e95 870
2329bef5 871 if (check_dst)
26128d27
SK		 872 {
873 struct ifreq ifr;
874
875 if (msg.msg_controllen < sizeof(struct cmsghdr))
876 return;
44a2a316 877
5e9e0efb 878#if defined(HAVE_LINUX_NETWORK)
26128d27
SK		 879 if (listen->family == AF_INET)
880 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 881 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
26128d27 882 {
8ef5ada2
SK		 883 union {
884 unsigned char *c;
885 struct in_pktinfo *p;
886 } p;
887 p.c = CMSG_DATA(cmptr);
888 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
889 if_index = p.p->ipi_ifindex;
26128d27
SK		 890 }
891#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
892 if (listen->family == AF_INET)
44a2a316 893 {
26128d27 894 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
8ef5ada2
SK		 895 {
896 union {
897 unsigned char *c;
898 unsigned int *i;
899 struct in_addr *a;
900#ifndef HAVE_SOLARIS_NETWORK
901 struct sockaddr_dl *s;
902#endif
903 } p;
904 p.c = CMSG_DATA(cmptr);
905 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
906 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
907 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
824af85b 908#ifdef HAVE_SOLARIS_NETWORK
8ef5ada2 909 if_index = *(p.i);
824af85b 910#else
8ef5ada2 911 if_index = p.s->sdl_index;
824af85b 912#endif
8ef5ada2 913 }
44a2a316 914 }
44a2a316 915#endif
26128d27 916
44a2a316 917#ifdef HAVE_IPV6
26128d27
SK		 918 if (listen->family == AF_INET6)
919 {
920 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 921 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
26128d27 922 {
8ef5ada2
SK		 923 union {
924 unsigned char *c;
925 struct in6_pktinfo *p;
926 } p;
927 p.c = CMSG_DATA(cmptr);
928
929 dst_addr.addr.addr6 = p.p->ipi6_addr;
930 if_index = p.p->ipi6_ifindex;
26128d27
SK		 931 }
932 }
44a2a316 933#endif
26128d27
SK		 934
935 /* enforce available interface configuration */
936
e25db1f2 937 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
5e9e0efb 938 return;
832af0ba 939
e25db1f2
SK		 940 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
941 {
942 if (!option_bool(OPT_CLEVERBIND))
115ac3e4 943 enumerate_interfaces(0);
3f2873d4
SK		 944 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
945 !label_exception(if_index, listen->family, &dst_addr))
e25db1f2
SK		 946 return;
947 }
948
552af8b9
SK		 949 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
950 {
951 struct irec *iface;
952
953 /* get the netmask of the interface whch has the address we were sent to.
954 This is no neccessarily the interface we arrived on. */
955
956 for (iface = daemon->interfaces; iface; iface = iface->next)
957 if (iface->addr.sa.sa_family == AF_INET &&
958 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
959 break;
960
961 /* interface may be new */
e25db1f2 962 if (!iface && !option_bool(OPT_CLEVERBIND))
115ac3e4 963 enumerate_interfaces(0);
552af8b9
SK		 964
965 for (iface = daemon->interfaces; iface; iface = iface->next)
966 if (iface->addr.sa.sa_family == AF_INET &&
967 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
968 break;
969
970 /* If we failed, abandon localisation */
971 if (iface)
972 netmask = iface->netmask;
973 else
974 dst_addr_4.s_addr = 0;
975 }
44a2a316
SK		 976 }
977
cdeda28f 978 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
44a2a316 979 {
1a6bca81 980 char types[20];
b485ed97
SK		 981#ifdef HAVE_AUTH
982 struct auth_zone *zone;
983#endif
1a6bca81 984
4f7b304f 985 querystr(auth_dns ? "auth" : "query", types, type);
1a6bca81 986
44a2a316 987 if (listen->family == AF_INET)
3be34541 988 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 989 (struct all_addr *)&source_addr.in.sin_addr, types);
44a2a316
SK		 990#ifdef HAVE_IPV6
991 else
3be34541 992 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 993 (struct all_addr *)&source_addr.in6.sin6_addr, types);
44a2a316 994#endif
44a2a316 995
b485ed97
SK		 996#ifdef HAVE_AUTH
997 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 998 if (!auth_dns)
999 for (zone = daemon->auth_zones; zone; zone = zone->next)
1000 if (in_zone(zone, daemon->namebuff, NULL))
1001 {
1002 auth_dns = 1;
1003 local_auth = 1;
1004 break;
1005 }
b485ed97
SK		 1006#endif
1007 }
1008
4820dce9 1009#ifdef HAVE_AUTH
4f7b304f 1010 if (auth_dns)
824af85b 1011 {
19b16891 1012 m = answer_auth(header, ((char *) header) + PACKETSZ, (size_t)n, now, &source_addr, local_auth);
4f7b304f 1013 if (m >= 1)
b485ed97
SK		 1014 {
1015 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1016 (char *)header, m, &source_addr, &dst_addr, if_index);
1017 daemon->auth_answer++;
1018 }
824af85b 1019 }
44a2a316 1020 else
4820dce9 1021#endif
4f7b304f
SK		 1022 {
1023 m = answer_request(header, ((char *) header) + PACKETSZ, (size_t)n,
1024 dst_addr_4, netmask, now);
1025
1026 if (m >= 1)
1027 {
1028 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1029 (char *)header, m, &source_addr, &dst_addr, if_index);
1030 daemon->local_answer++;
1031 }
1032 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1033 header, (size_t)n, now, NULL))
1034 daemon->queries_forwarded++;
1035 else
1036 daemon->local_answer++;
1037 }
44a2a316
SK		 1038}
1039
feba5c1d
SK		 1040/* The daemon forks before calling this: it should deal with one connection,
1041 blocking as neccessary, and then return. Note, need to be a bit careful
1042 about resources for debug mode, when the fork is suppressed: that's
1043 done by the caller. */
5aabfc78 1044unsigned char *tcp_request(int confd, time_t now,
4f7b304f 1045 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
feba5c1d 1046{
28866e95
SK		 1047 size_t size = 0;
1048 int norebind = 0;
3b195961 1049#ifdef HAVE_AUTH
19b16891 1050 int local_auth = 0;
3b195961 1051#endif
ed4c0767 1052 int checking_disabled, check_subnet;
cdeda28f 1053 size_t m;
ee86ce68
SK		 1054 unsigned short qtype;
1055 unsigned int gotname;
feba5c1d 1056 unsigned char c1, c2;
4b5ea12e
SK		 1057 /* Max TCP packet + slop + size */
1058 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1059 unsigned char *payload = &packet[2];
1060 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1061 struct dns_header *header = (struct dns_header *)payload;
1062 u16 *length = (u16 *)packet;
3be34541 1063 struct server *last_server;
7de060b0
SK		 1064 struct in_addr dst_addr_4;
1065 union mysockaddr peer_addr;
1066 socklen_t peer_len = sizeof(union mysockaddr);
3be34541 1067
7de060b0
SK		 1068 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1069 return packet;
1070
feba5c1d
SK		 1071 while (1)
1072 {
1073 if (!packet ||
1074 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1075 !(size = c1 << 8 | c2) ||
4b5ea12e 1076 !read_write(confd, payload, size, 1))
feba5c1d
SK		 1077 return packet;
1078
572b41eb 1079 if (size < (int)sizeof(struct dns_header))
feba5c1d
SK		 1080 continue;
1081
ed4c0767
SK		 1082 check_subnet = 0;
1083
28866e95 1084 /* save state of "cd" flag in query */
572b41eb 1085 checking_disabled = header->hb4 & HB4_CD;
28866e95
SK		 1086
1087 /* RFC 4035: sect 4.6 para 2 */
572b41eb 1088 header->hb4 &= ~HB4_AD;
feba5c1d 1089
3be34541 1090 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
feba5c1d 1091 {
7de060b0 1092 char types[20];
b485ed97
SK		 1093#ifdef HAVE_AUTH
1094 struct auth_zone *zone;
1095#endif
4f7b304f 1096 querystr(auth_dns ? "auth" : "query", types, qtype);
7de060b0
SK		 1097
1098 if (peer_addr.sa.sa_family == AF_INET)
1099 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1100 (struct all_addr *)&peer_addr.in.sin_addr, types);
feba5c1d 1101#ifdef HAVE_IPV6
7de060b0
SK		 1102 else
1103 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1104 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
feba5c1d 1105#endif
b485ed97
SK		 1106
1107#ifdef HAVE_AUTH
1108 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1109 if (!auth_dns)
1110 for (zone = daemon->auth_zones; zone; zone = zone->next)
1111 if (in_zone(zone, daemon->namebuff, NULL))
1112 {
1113 auth_dns = 1;
1114 local_auth = 1;
1115 break;
1116 }
b485ed97 1117#endif
feba5c1d
SK		 1118 }
1119
7de060b0
SK		 1120 if (local_addr->sa.sa_family == AF_INET)
1121 dst_addr_4 = local_addr->in.sin_addr;
1122 else
1123 dst_addr_4.s_addr = 0;
1124
4820dce9 1125#ifdef HAVE_AUTH
4f7b304f 1126 if (auth_dns)
19b16891 1127 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
4f7b304f 1128 else
4820dce9 1129#endif
feba5c1d 1130 {
4f7b304f
SK		 1131 /* m > 0 if answered from cache */
1132 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1133 dst_addr_4, netmask, now);
feba5c1d 1134
4f7b304f
SK		 1135 /* Do this by steam now we're not in the select() loop */
1136 check_log_writer(NULL);
1137
1138 if (m == 0)
feba5c1d 1139 {
4f7b304f
SK		 1140 unsigned int flags = 0;
1141 struct all_addr *addrp = NULL;
1142 int type = 0;
1143 char *domain = NULL;
feba5c1d 1144
4f7b304f
SK		 1145 if (option_bool(OPT_ADD_MAC))
1146 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
ed4c0767
SK		 1147
1148 if (option_bool(OPT_CLIENT_SUBNET))
1149 {
1150 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1151 if (size != new)
1152 {
1153 size = new;
1154 check_subnet = 1;
1155 }
1156 }
1157
4f7b304f
SK		 1158 if (gotname)
1159 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1160
1161 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1162 last_server = daemon->servers;
1163 else
1164 last_server = daemon->last_server;
1165
1166 if (!flags && last_server)
1167 {
1168 struct server *firstsendto = NULL;
1169 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1170
1171 /* Loop round available servers until we succeed in connecting to one.
1172 Note that this code subtley ensures that consecutive queries on this connection
1173 which can go to the same server, do so. */
1174 while (1)
feba5c1d 1175 {
4f7b304f
SK		 1176 if (!firstsendto)
1177 firstsendto = last_server;
1178 else
1179 {
1180 if (!(last_server = last_server->next))
1181 last_server = daemon->servers;
1182
1183 if (last_server == firstsendto)
1184 break;
1185 }
1186
1187 /* server for wrong domain */
1188 if (type != (last_server->flags & SERV_TYPE) ||
1189 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
7de060b0
SK		 1190 continue;
1191
4f7b304f 1192 if (last_server->tcpfd == -1)
7de060b0 1193 {
4f7b304f
SK		 1194 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1195 continue;
1196
1197 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1198 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1199 {
1200 close(last_server->tcpfd);
1201 last_server->tcpfd = -1;
1202 continue;
1203 }
1204
7de060b0 1205#ifdef HAVE_CONNTRACK
4f7b304f
SK		 1206 /* Copy connection mark of incoming query to outgoing connection. */
1207 if (option_bool(OPT_CONNTRACK))
1208 {
1209 unsigned int mark;
1210 struct all_addr local;
7de060b0 1211#ifdef HAVE_IPV6
4f7b304f
SK		 1212 if (local_addr->sa.sa_family == AF_INET6)
1213 local.addr.addr6 = local_addr->in6.sin6_addr;
1214 else
7de060b0 1215#endif
4f7b304f
SK		 1216 local.addr.addr4 = local_addr->in.sin_addr;
1217
1218 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1219 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1220 }
7de060b0 1221#endif
4f7b304f
SK		 1222 }
1223
4b5ea12e 1224 *length = htons(size);
4f7b304f 1225
4b5ea12e 1226 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
4f7b304f
SK		 1227 !read_write(last_server->tcpfd, &c1, 1, 1) ||
1228 !read_write(last_server->tcpfd, &c2, 1, 1))
1229 {
1230 close(last_server->tcpfd);
1231 last_server->tcpfd = -1;
1232 continue;
1233 }
1234
1235 m = (c1 << 8) | c2;
4b5ea12e 1236 if (!read_write(last_server->tcpfd, payload, m, 1))
4f7b304f
SK		 1237 return packet;
1238
1239 if (!gotname)
1240 strcpy(daemon->namebuff, "query");
1241 if (last_server->addr.sa.sa_family == AF_INET)
1242 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1243 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
feba5c1d 1244#ifdef HAVE_IPV6
4f7b304f
SK		 1245 else
1246 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1247 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
feba5c1d 1248#endif
4f7b304f
SK		 1249
1250 /* There's no point in updating the cache, since this process will exit and
1251 lose the information after a few queries. We make this call for the alias and
1252 bogus-nxdomain side-effects. */
1253 /* If the crc of the question section doesn't match the crc we sent, then
1254 someone might be attempting to insert bogus values into the cache by
1255 sending replies containing questions and bogus answers. */
1256 if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
1257 m = process_reply(header, now, last_server, (unsigned int)m,
ed4c0767 1258 option_bool(OPT_NO_REBIND) && !norebind, checking_disabled,
3a237152 1259 0, check_subnet, &peer_addr); /* TODO - cache secure */
4f7b304f
SK		 1260
1261 break;
1262 }
feba5c1d 1263 }
4f7b304f
SK		 1264
1265 /* In case of local answer or no connections made. */
1266 if (m == 0)
1267 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
feba5c1d 1268 }
feba5c1d 1269 }
4f7b304f 1270
5aabfc78 1271 check_log_writer(NULL);
feba5c1d 1272
4b5ea12e
SK		 1273 *length = htons(m);
1274
1275 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
feba5c1d
SK		 1276 return packet;
1277 }
1278}
1279
1697269c 1280static struct frec *allocate_frec(time_t now)
9e4abcb5 1281{
1697269c
SK		 1282 struct frec *f;
1283
5aabfc78 1284 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
9e4abcb5 1285 {
1a6bca81 1286 f->next = daemon->frec_list;
1697269c 1287 f->time = now;
832af0ba 1288 f->sentto = NULL;
1a6bca81 1289 f->rfd4 = NULL;
28866e95 1290 f->flags = 0;
1a6bca81
SK		 1291#ifdef HAVE_IPV6
1292 f->rfd6 = NULL;
3a237152
SK		 1293#endif
1294#ifdef HAVE_DNSSEC
1295 f->blocking_query = NULL;
1a6bca81
SK		 1296#endif
1297 daemon->frec_list = f;
1697269c 1298 }
9e4abcb5 1299
1697269c
SK		 1300 return f;
1301}
9e4abcb5 1302
1a6bca81
SK		 1303static struct randfd *allocate_rfd(int family)
1304{
1305 static int finger = 0;
1306 int i;
1307
1308 /* limit the number of sockets we have open to avoid starvation of
1309 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1310
1311 for (i = 0; i < RANDOM_SOCKS; i++)
9009d746 1312 if (daemon->randomsocks[i].refcount == 0)
1a6bca81 1313 {
9009d746
SK		 1314 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
1315 break;
1316
1a6bca81
SK		 1317 daemon->randomsocks[i].refcount = 1;
1318 daemon->randomsocks[i].family = family;
1319 return &daemon->randomsocks[i];
1320 }
1321
9009d746 1322 /* No free ones or cannot get new socket, grab an existing one */
1a6bca81
SK		 1323 for (i = 0; i < RANDOM_SOCKS; i++)
1324 {
1325 int j = (i+finger) % RANDOM_SOCKS;
9009d746
SK		 1326 if (daemon->randomsocks[j].refcount != 0 &&
1327 daemon->randomsocks[j].family == family &&
1328 daemon->randomsocks[j].refcount != 0xffff)
1a6bca81
SK		 1329 {
1330 finger = j;
1331 daemon->randomsocks[j].refcount++;
1332 return &daemon->randomsocks[j];
1333 }
1334 }
1335
1336 return NULL; /* doom */
1337}
1338
1339static void free_frec(struct frec *f)
1340{
1341 if (f->rfd4 && --(f->rfd4->refcount) == 0)
1342 close(f->rfd4->fd);
1343
1344 f->rfd4 = NULL;
1345 f->sentto = NULL;
28866e95 1346 f->flags = 0;
1a6bca81
SK		 1347
1348#ifdef HAVE_IPV6
1349 if (f->rfd6 && --(f->rfd6->refcount) == 0)
1350 close(f->rfd6->fd);
1351
1352 f->rfd6 = NULL;
1353#endif
3a237152
SK		 1354
1355#ifdef HAVE_DNSSEC
1356 if (f->stash)
1357 blockdata_free(f->stash);
1358
1359 /* Anything we're waiting on is pointless now, too */
1360 if (f->blocking_query)
1361 free_frec(f->blocking_query);
1362 f->blocking_query = NULL;
1363
1364#endif
1a6bca81
SK		 1365}
1366
1697269c
SK		 1367/* if wait==NULL return a free or older than TIMEOUT record.
1368 else return *wait zero if one available, or *wait is delay to
1a6bca81 1369 when the oldest in-use record will expire. Impose an absolute
3a237152
SK		 1370 limit of 4*TIMEOUT before we wipe things (for random sockets).
1371 If force is set, always return a result, even if we have
1372 to allocate above the limit. */
1373struct frec *get_new_frec(time_t now, int *wait, int force)
1697269c 1374{
1a6bca81 1375 struct frec *f, *oldest, *target;
1697269c
SK		 1376 int count;
1377
1378 if (wait)
1379 *wait = 0;
1380
1a6bca81 1381 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
832af0ba 1382 if (!f->sentto)
1a6bca81
SK		 1383 target = f;
1384 else
1697269c 1385 {
1a6bca81
SK		 1386 if (difftime(now, f->time) >= 4*TIMEOUT)
1387 {
1388 free_frec(f);
1389 target = f;
1390 }
1391
1392 if (!oldest || difftime(f->time, oldest->time) <= 0)
1393 oldest = f;
1697269c 1394 }
1a6bca81
SK		 1395
1396 if (target)
1397 {
1398 target->time = now;
1399 return target;
1400 }
9e4abcb5
SK		 1401
1402 /* can't find empty one, use oldest if there is one
1403 and it's older than timeout */
1697269c 1404 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
9e4abcb5 1405 {
1697269c
SK		 1406 /* keep stuff for twice timeout if we can by allocating a new
1407 record instead */
1408 if (difftime(now, oldest->time) < 2*TIMEOUT &&
1409 count <= daemon->ftabsize &&
1410 (f = allocate_frec(now)))
1411 return f;
1412
1413 if (!wait)
1414 {
1a6bca81 1415 free_frec(oldest);
1697269c
SK		 1416 oldest->time = now;
1417 }
9e4abcb5
SK		 1418 return oldest;
1419 }
1420
1697269c 1421 /* none available, calculate time 'till oldest record expires */
3a237152 1422 if (!force && count > daemon->ftabsize)
1697269c 1423 {
0da5e897
MSB		 1424 static time_t last_log = 0;
1425
1697269c
SK		 1426 if (oldest && wait)
1427 *wait = oldest->time + (time_t)TIMEOUT - now;
0da5e897
MSB		 1428
1429 if ((int)difftime(now, last_log) > 5)
1430 {
1431 last_log = now;
1432 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
1433 }
1434
9e4abcb5
SK		 1435 return NULL;
1436 }
1697269c
SK		 1437
1438 if (!(f = allocate_frec(now)) && wait)
1439 /* wait one second on malloc failure */
1440 *wait = 1;
9e4abcb5 1441
9e4abcb5
SK		 1442 return f; /* OK if malloc fails and this is NULL */
1443}
1444
832af0ba
SK		 1445/* crc is all-ones if not known. */
1446static struct frec *lookup_frec(unsigned short id, unsigned int crc)
9e4abcb5
SK		 1447{
1448 struct frec *f;
1449
1a6bca81 1450 for(f = daemon->frec_list; f; f = f->next)
832af0ba
SK		 1451 if (f->sentto && f->new_id == id &&
1452 (f->crc == crc || crc == 0xffffffff))
9e4abcb5
SK		 1453 return f;
1454
1455 return NULL;
1456}
1457
1458static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481
SK		 1459 union mysockaddr *addr,
1460 unsigned int crc)
9e4abcb5 1461{
feba5c1d
SK		 1462 struct frec *f;
1463
1a6bca81 1464 for(f = daemon->frec_list; f; f = f->next)
832af0ba 1465 if (f->sentto &&
9e4abcb5 1466 f->orig_id == id &&
fd9fa481 1467 f->crc == crc &&
9e4abcb5
SK		 1468 sockaddr_isequal(&f->source, addr))
1469 return f;
1470
1471 return NULL;
1472}
1473
849a8357 1474/* A server record is going away, remove references to it */
5aabfc78 1475void server_gone(struct server *server)
849a8357
SK		 1476{
1477 struct frec *f;
1478
1a6bca81 1479 for (f = daemon->frec_list; f; f = f->next)
832af0ba 1480 if (f->sentto && f->sentto == server)
1a6bca81 1481 free_frec(f);
849a8357
SK		 1482
1483 if (daemon->last_server == server)
1484 daemon->last_server = NULL;
1485
1486 if (daemon->srv_save == server)
1487 daemon->srv_save = NULL;
1488}
9e4abcb5 1489
316e2730
SK		 1490/* return unique random ids. */
1491static unsigned short get_id(unsigned int crc)
9e4abcb5
SK		 1492{
1493 unsigned short ret = 0;
832af0ba 1494
316e2730 1495 do
832af0ba
SK		 1496 ret = rand16();
1497 while (lookup_frec(ret, crc));
1498
9e4abcb5
SK		 1499 return ret;
1500}
1501
1502
1503
1504
1505
Michael's tree of dnsmasq.