]> git.ipfire.org Git - people/ms/dnsmasq.git/blame - src/forward.c
projects / people / ms / dnsmasq.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Memory stats for DNSSEC.
[people/ms/dnsmasq.git] / src / forward.c
CommitLineData
c47e3ba4 1/* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
9e4abcb5
SK		 2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
824af85b
SK		 5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
9e4abcb5
SK		 8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
824af85b 12
73a08a24
SK		 13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
9e4abcb5
SK		 15*/
16
9e4abcb5
SK		 17#include "dnsmasq.h"
18
832af0ba 19static struct frec *lookup_frec(unsigned short id, unsigned int crc);
9e4abcb5 20static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481
SK		 21 union mysockaddr *addr,
22 unsigned int crc);
316e2730 23static unsigned short get_id(unsigned int crc);
1a6bca81
SK		 24static void free_frec(struct frec *f);
25static struct randfd *allocate_rfd(int family);
9e4abcb5 26
824af85b 27/* Send a UDP packet with its source address set as "source"
44a2a316 28 unless nowild is true, when we just send it with the kernel default */
29689cfa
SK		 29int send_from(int fd, int nowild, char *packet, size_t len,
30 union mysockaddr *to, struct all_addr *source,
50303b19 31 unsigned int iface)
9e4abcb5 32{
44a2a316
SK		 33 struct msghdr msg;
34 struct iovec iov[1];
44a2a316
SK		 35 union {
36 struct cmsghdr align; /* this ensures alignment */
5e9e0efb 37#if defined(HAVE_LINUX_NETWORK)
44a2a316
SK		 38 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
39#elif defined(IP_SENDSRCADDR)
40 char control[CMSG_SPACE(sizeof(struct in_addr))];
41#endif
42#ifdef HAVE_IPV6
43 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
44#endif
45 } control_u;
feba5c1d 46
44a2a316
SK		 47 iov[0].iov_base = packet;
48 iov[0].iov_len = len;
49
feba5c1d
SK		 50 msg.msg_control = NULL;
51 msg.msg_controllen = 0;
44a2a316
SK		 52 msg.msg_flags = 0;
53 msg.msg_name = to;
54 msg.msg_namelen = sa_len(to);
55 msg.msg_iov = iov;
56 msg.msg_iovlen = 1;
feba5c1d 57
26128d27 58 if (!nowild)
44a2a316 59 {
26128d27 60 struct cmsghdr *cmptr;
feba5c1d
SK		 61 msg.msg_control = &control_u;
62 msg.msg_controllen = sizeof(control_u);
26128d27
SK		 63 cmptr = CMSG_FIRSTHDR(&msg);
64
65 if (to->sa.sa_family == AF_INET)
66 {
5e9e0efb 67#if defined(HAVE_LINUX_NETWORK)
8ef5ada2
SK		 68 struct in_pktinfo p;
69 p.ipi_ifindex = 0;
70 p.ipi_spec_dst = source->addr.addr4;
71 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 72 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
c72daea8 73 cmptr->cmsg_level = IPPROTO_IP;
26128d27 74 cmptr->cmsg_type = IP_PKTINFO;
44a2a316 75#elif defined(IP_SENDSRCADDR)
8ef5ada2 76 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
26128d27
SK		 77 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
78 cmptr->cmsg_level = IPPROTO_IP;
79 cmptr->cmsg_type = IP_SENDSRCADDR;
44a2a316 80#endif
26128d27 81 }
26128d27 82 else
b8187c80 83#ifdef HAVE_IPV6
26128d27 84 {
8ef5ada2
SK		 85 struct in6_pktinfo p;
86 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
87 p.ipi6_addr = source->addr.addr6;
88 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 89 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
316e2730 90 cmptr->cmsg_type = daemon->v6pktinfo;
c72daea8 91 cmptr->cmsg_level = IPPROTO_IPV6;
26128d27 92 }
3d8df260 93#else
c72daea8 94 (void)iface; /* eliminate warning */
44a2a316 95#endif
26128d27 96 }
feba5c1d 97
29d28dda 98 while (sendmsg(fd, &msg, 0) == -1)
feba5c1d 99 {
fd9fa481 100 if (retry_send())
29d28dda 101 continue;
22d904db 102
29d28dda
SK		 103 /* If interface is still in DAD, EINVAL results - ignore that. */
104 if (errno == EINVAL)
105 break;
29689cfa 106
29d28dda 107 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
29689cfa 108 return 0;
feba5c1d 109 }
29d28dda 110
29689cfa 111 return 1;
9e4abcb5 112}
44a2a316 113
28866e95
SK		 114static unsigned int search_servers(time_t now, struct all_addr **addrpp,
115 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
feba5c1d
SK		 116
117{
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
121
122 unsigned int namelen = strlen(qdomain);
123 unsigned int matchlen = 0;
124 struct server *serv;
28866e95 125 unsigned int flags = 0;
feba5c1d 126
3be34541 127 for (serv = daemon->servers; serv; serv=serv->next)
feba5c1d 128 /* domain matches take priority over NODOTS matches */
3d8df260 129 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
feba5c1d 130 {
28866e95 131 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
feba5c1d 132 *type = SERV_FOR_NODOTS;
feba5c1d 133 if (serv->flags & SERV_NO_ADDR)
36717eee
SK		 134 flags = F_NXDOMAIN;
135 else if (serv->flags & SERV_LITERAL_ADDRESS)
136 {
137 if (sflag & qtype)
138 {
139 flags = sflag;
140 if (serv->addr.sa.sa_family == AF_INET)
141 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 142#ifdef HAVE_IPV6
36717eee
SK		 143 else
144 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 145#endif
36717eee 146 }
824af85b 147 else if (!flags || (flags & F_NXDOMAIN))
36717eee
SK		 148 flags = F_NOERR;
149 }
feba5c1d
SK		 150 }
151 else if (serv->flags & SERV_HAS_DOMAIN)
152 {
153 unsigned int domainlen = strlen(serv->domain);
b8187c80 154 char *matchstart = qdomain + namelen - domainlen;
feba5c1d 155 if (namelen >= domainlen &&
b8187c80 156 hostname_isequal(matchstart, serv->domain) &&
8ef5ada2 157 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
feba5c1d 158 {
8ef5ada2
SK		 159 if (serv->flags & SERV_NO_REBIND)
160 *norebind = 1;
28866e95 161 else
feba5c1d 162 {
28866e95
SK		 163 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen != 0 && domainlen == matchlen)
36717eee 168 {
28866e95 169 if ((serv->flags & SERV_LITERAL_ADDRESS))
8ef5ada2 170 {
28866e95
SK		 171 if (!(sflag & qtype) && flags == 0)
172 continue;
173 }
174 else
175 {
176 if (flags & (F_IPV4 | F_IPV6))
177 continue;
178 }
179 }
180
181 if (domainlen >= matchlen)
182 {
183 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
184 *domain = serv->domain;
185 matchlen = domainlen;
186 if (serv->flags & SERV_NO_ADDR)
187 flags = F_NXDOMAIN;
188 else if (serv->flags & SERV_LITERAL_ADDRESS)
189 {
190 if (sflag & qtype)
191 {
192 flags = sflag;
193 if (serv->addr.sa.sa_family == AF_INET)
194 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 195#ifdef HAVE_IPV6
28866e95
SK		 196 else
197 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 198#endif
28866e95
SK		 199 }
200 else if (!flags || (flags & F_NXDOMAIN))
201 flags = F_NOERR;
8ef5ada2 202 }
28866e95
SK		 203 else
204 flags = 0;
205 }
206 }
8ef5ada2 207 }
feba5c1d 208 }
8ef5ada2 209
7de060b0 210 if (flags == 0 && !(qtype & F_QUERY) &&
28866e95 211 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
7de060b0
SK		 212 /* don't forward A or AAAA queries for simple names, except the empty name */
213 flags = F_NOERR;
8ef5ada2 214
5aabfc78 215 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
c1bb8504 216 flags = F_NOERR;
feba5c1d 217
824af85b
SK		 218 if (flags)
219 {
220 int logflags = 0;
221
222 if (flags == F_NXDOMAIN || flags == F_NOERR)
223 logflags = F_NEG | qtype;
224
1a6bca81 225 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
824af85b 226 }
8ef5ada2
SK		 227 else if ((*type) & SERV_USE_RESOLV)
228 {
229 *type = 0; /* use normal servers for this domain */
230 *domain = NULL;
231 }
feba5c1d
SK		 232 return flags;
233}
44a2a316 234
824af85b
SK		 235static int forward_query(int udpfd, union mysockaddr *udpaddr,
236 struct all_addr *dst_addr, unsigned int dst_iface,
572b41eb 237 struct dns_header *header, size_t plen, time_t now, struct frec *forward)
9e4abcb5 238{
9e4abcb5 239 char *domain = NULL;
8ef5ada2 240 int type = 0, norebind = 0;
9e4abcb5 241 struct all_addr *addrp = NULL;
cdeda28f 242 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
28866e95
SK		 243 unsigned int flags = 0;
244 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
de37951c 245 struct server *start = NULL;
7de060b0 246
28866e95 247 /* RFC 4035: sect 4.6 para 2 */
572b41eb
SK		 248 header->hb4 &= ~HB4_AD;
249
3d8df260
SK		 250 /* may be no servers available. */
251 if (!daemon->servers)
9e4abcb5 252 forward = NULL;
b8187c80 253 else if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, crc)))
9e4abcb5 254 {
de37951c 255 /* retry on existing query, send to all available servers */
9e4abcb5 256 domain = forward->sentto->domain;
824af85b 257 forward->sentto->failed_queries++;
28866e95 258 if (!option_bool(OPT_ORDER))
de37951c 259 {
0a852541 260 forward->forwardall = 1;
3be34541 261 daemon->last_server = NULL;
de37951c 262 }
9e4abcb5 263 type = forward->sentto->flags & SERV_TYPE;
de37951c 264 if (!(start = forward->sentto->next))
3be34541 265 start = daemon->servers; /* at end of list, recycle */
9e4abcb5
SK		 266 header->id = htons(forward->new_id);
267 }
268 else
269 {
270 if (gotname)
8ef5ada2 271 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
9e4abcb5 272
3a237152 273 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
feba5c1d
SK		 274 /* table full - server failure. */
275 flags = F_NEG;
9e4abcb5
SK		 276
277 if (forward)
278 {
0a852541
SK		 279 forward->source = *udpaddr;
280 forward->dest = *dst_addr;
281 forward->iface = dst_iface;
0a852541 282 forward->orig_id = ntohs(header->id);
316e2730 283 forward->new_id = get_id(crc);
832af0ba 284 forward->fd = udpfd;
0a852541
SK		 285 forward->crc = crc;
286 forward->forwardall = 0;
ed4c0767 287 forward->flags = 0;
28866e95
SK		 288 if (norebind)
289 forward->flags |= FREC_NOREBIND;
572b41eb 290 if (header->hb4 & HB4_CD)
28866e95 291 forward->flags |= FREC_CHECKING_DISABLED;
0a852541 292
28866e95
SK		 293 header->id = htons(forward->new_id);
294
8ef5ada2
SK		 295 /* In strict_order mode, always try servers in the order
296 specified in resolv.conf, if a domain is given
297 always try all the available servers,
9e4abcb5
SK		 298 otherwise, use the one last known to work. */
299
8ef5ada2
SK		 300 if (type == 0)
301 {
28866e95 302 if (option_bool(OPT_ORDER))
8ef5ada2
SK		 303 start = daemon->servers;
304 else if (!(start = daemon->last_server) ||
305 daemon->forwardcount++ > FORWARD_TEST ||
306 difftime(now, daemon->forwardtime) > FORWARD_TIME)
307 {
308 start = daemon->servers;
309 forward->forwardall = 1;
310 daemon->forwardcount = 0;
311 daemon->forwardtime = now;
312 }
313 }
314 else
de37951c 315 {
3be34541 316 start = daemon->servers;
28866e95 317 if (!option_bool(OPT_ORDER))
8ef5ada2 318 forward->forwardall = 1;
de37951c 319 }
9e4abcb5
SK		 320 }
321 }
feba5c1d 322
9e4abcb5
SK		 323 /* check for send errors here (no route to host)
324 if we fail to send to all nameservers, send back an error
325 packet straight away (helps modem users when offline) */
326
327 if (!flags && forward)
328 {
de37951c
SK		 329 struct server *firstsentto = start;
330 int forwarded = 0;
28866e95 331
797a7afb 332 if (option_bool(OPT_ADD_MAC))
60b68069 333 plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
28866e95 334
ed4c0767
SK		 335 if (option_bool(OPT_CLIENT_SUBNET))
336 {
60b68069 337 size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
ed4c0767
SK		 338 if (new != plen)
339 {
340 plen = new;
341 forward->flags |= FREC_HAS_SUBNET;
342 }
343 }
344
3a237152
SK		 345#ifdef HAVE_DNSSEC
346 if (option_bool(OPT_DNSSEC_VALID))
0fc2f313 347 {
60b68069 348 plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
0fc2f313
SK		 349 header->hb4 |= HB4_CD;
350 }
3a237152
SK		 351#endif
352
9e4abcb5
SK		 353 while (1)
354 {
9e4abcb5
SK		 355 /* only send to servers dealing with our domain.
356 domain may be NULL, in which case server->domain
357 must be NULL also. */
358
de37951c 359 if (type == (start->flags & SERV_TYPE) &&
fd9fa481
SK		 360 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
361 !(start->flags & SERV_LITERAL_ADDRESS))
9e4abcb5 362 {
1a6bca81
SK		 363 int fd;
364
365 /* find server socket to use, may need to get random one. */
366 if (start->sfd)
367 fd = start->sfd->fd;
368 else
369 {
370#ifdef HAVE_IPV6
371 if (start->addr.sa.sa_family == AF_INET6)
372 {
373 if (!forward->rfd6 &&
374 !(forward->rfd6 = allocate_rfd(AF_INET6)))
375 break;
3927da46 376 daemon->rfd_save = forward->rfd6;
1a6bca81
SK		 377 fd = forward->rfd6->fd;
378 }
379 else
380#endif
381 {
382 if (!forward->rfd4 &&
383 !(forward->rfd4 = allocate_rfd(AF_INET)))
384 break;
3927da46 385 daemon->rfd_save = forward->rfd4;
1a6bca81
SK		 386 fd = forward->rfd4->fd;
387 }
7de060b0
SK		 388
389#ifdef HAVE_CONNTRACK
390 /* Copy connection mark of incoming query to outgoing connection. */
391 if (option_bool(OPT_CONNTRACK))
392 {
393 unsigned int mark;
797a7afb 394 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
7de060b0
SK		 395 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
396 }
397#endif
1a6bca81
SK		 398 }
399
400 if (sendto(fd, (char *)header, plen, 0,
feba5c1d 401 &start->addr.sa,
fd9fa481
SK		 402 sa_len(&start->addr)) == -1)
403 {
404 if (retry_send())
405 continue;
406 }
407 else
9e4abcb5 408 {
cdeda28f
SK		 409 /* Keep info in case we want to re-send this packet */
410 daemon->srv_save = start;
411 daemon->packet_len = plen;
412
de37951c 413 if (!gotname)
3be34541 414 strcpy(daemon->namebuff, "query");
de37951c 415 if (start->addr.sa.sa_family == AF_INET)
3be34541 416 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 417 (struct all_addr *)&start->addr.in.sin_addr, NULL);
de37951c
SK		 418#ifdef HAVE_IPV6
419 else
3be34541 420 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 421 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
de37951c 422#endif
824af85b 423 start->queries++;
de37951c
SK		 424 forwarded = 1;
425 forward->sentto = start;
0a852541 426 if (!forward->forwardall)
de37951c 427 break;
0a852541 428 forward->forwardall++;
9e4abcb5
SK		 429 }
430 }
431
de37951c 432 if (!(start = start->next))
3be34541 433 start = daemon->servers;
9e4abcb5 434
de37951c 435 if (start == firstsentto)
9e4abcb5
SK		 436 break;
437 }
438
de37951c 439 if (forwarded)
824af85b 440 return 1;
de37951c 441
9e4abcb5
SK		 442 /* could not send on, prepare to return */
443 header->id = htons(forward->orig_id);
1a6bca81 444 free_frec(forward); /* cancel */
9e4abcb5
SK		 445 }
446
447 /* could not send on, return empty answer or address if known for whole domain */
b8187c80
SK		 448 if (udpfd != -1)
449 {
cdeda28f 450 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
54dd393f 451 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
b8187c80
SK		 452 }
453
824af85b 454 return 0;
9e4abcb5
SK		 455}
456
ed4c0767 457static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
3a237152 458 int no_cache, int cache_secure, int check_subnet, union mysockaddr *query_source)
feba5c1d 459{
36717eee 460 unsigned char *pheader, *sizep;
13d86c73 461 char **sets = 0;
832af0ba 462 int munged = 0, is_sign;
cdeda28f 463 size_t plen;
3a237152 464 int squash_ad = 0;
cdeda28f 465
13d86c73
JD		 466#ifdef HAVE_IPSET
467 /* Similar algorithm to search_servers. */
468 struct ipsets *ipset_pos;
469 unsigned int namelen = strlen(daemon->namebuff);
470 unsigned int matchlen = 0;
471 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
472 {
473 unsigned int domainlen = strlen(ipset_pos->domain);
474 char *matchstart = daemon->namebuff + namelen - domainlen;
475 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
476 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
477 domainlen >= matchlen) {
478 matchlen = domainlen;
479 sets = ipset_pos->sets;
480 }
481 }
482#endif
483
feba5c1d 484 /* If upstream is advertising a larger UDP packet size
9009d746
SK		 485 than we allow, trim it so that we don't get overlarge
486 requests for the client. We can't do this for signed packets. */
feba5c1d 487
ed4c0767 488 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
feba5c1d 489 {
ed4c0767
SK		 490 if (!is_sign)
491 {
492 unsigned short udpsz;
493 unsigned char *psave = sizep;
494
495 GETSHORT(udpsz, sizep);
496 if (udpsz > daemon->edns_pktsz)
497 PUTSHORT(daemon->edns_pktsz, psave);
498 }
feba5c1d 499
ed4c0767
SK		 500 if (check_subnet && !check_source(header, plen, pheader, query_source))
501 {
502 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
503 return 0;
504 }
feba5c1d 505 }
ed4c0767 506
28866e95 507 /* RFC 4035 sect 4.6 para 3 */
237724c0 508 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
3a237152
SK		 509 squash_ad = 1;
510
511#ifdef HAVE_DNSSEC
512 if (option_bool(OPT_DNSSEC_VALID))
513 squash_ad = no_cache;
28866e95 514
3a237152
SK		 515 if (cache_secure)
516 header->hb4 |= HB4_AD;
517#endif
518
519 if (squash_ad)
520 header->hb4 &= ~HB4_AD;
521
572b41eb 522 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
0a852541
SK		 523 return n;
524
feba5c1d 525 /* Complain loudly if the upstream server is non-recursive. */
572b41eb 526 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
0a852541 527 server && !(server->flags & SERV_WARNED_RECURSIVE))
feba5c1d 528 {
3d8df260 529 prettyprint_addr(&server->addr, daemon->namebuff);
f2621c7f 530 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
28866e95 531 if (!option_bool(OPT_LOG))
0a852541
SK		 532 server->flags |= SERV_WARNED_RECURSIVE;
533 }
e292e93d 534
572b41eb 535 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
fd9fa481 536 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
feba5c1d 537 {
fd9fa481 538 munged = 1;
572b41eb
SK		 539 SET_RCODE(header, NXDOMAIN);
540 header->hb3 &= ~HB3_AA;
36717eee 541 }
fd9fa481 542 else
36717eee 543 {
572b41eb 544 if (RCODE(header) == NXDOMAIN &&
fd9fa481 545 extract_request(header, n, daemon->namebuff, NULL) &&
5aabfc78 546 check_for_local_domain(daemon->namebuff, now))
36717eee
SK		 547 {
548 /* if we forwarded a query for a locally known name (because it was for
549 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
550 since we know that the domain exists, even if upstream doesn't */
fd9fa481 551 munged = 1;
572b41eb
SK		 552 header->hb3 |= HB3_AA;
553 SET_RCODE(header, NOERROR);
feba5c1d 554 }
832af0ba 555
0fc2f313 556 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure))
824af85b 557 {
8ef5ada2 558 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
824af85b
SK		 559 munged = 1;
560 }
feba5c1d 561 }
fd9fa481
SK		 562
563 /* do this after extract_addresses. Ensure NODATA reply and remove
564 nameserver info. */
565
566 if (munged)
567 {
568 header->ancount = htons(0);
569 header->nscount = htons(0);
570 header->arcount = htons(0);
571 }
572
36717eee
SK		 573 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
574 sections of the packet. Find the new length here and put back pseudoheader
575 if it was removed. */
576 return resize_packet(header, n, pheader, plen);
feba5c1d
SK		 577}
578
3be34541 579/* sets new last_server */
1a6bca81 580void reply_query(int fd, int family, time_t now)
9e4abcb5
SK		 581{
582 /* packet from peer server, extract data for cache, and send to
583 original requester */
572b41eb 584 struct dns_header *header;
de37951c 585 union mysockaddr serveraddr;
832af0ba 586 struct frec *forward;
de37951c 587 socklen_t addrlen = sizeof(serveraddr);
60b68069 588 ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
cdeda28f 589 size_t nn;
1a6bca81
SK		 590 struct server *server;
591
cdeda28f
SK		 592 /* packet buffer overwritten */
593 daemon->srv_save = NULL;
832af0ba 594
de37951c 595 /* Determine the address of the server replying so that we can mark that as good */
1a6bca81 596 serveraddr.sa.sa_family = family;
de37951c
SK		 597#ifdef HAVE_IPV6
598 if (serveraddr.sa.sa_family == AF_INET6)
5e9e0efb 599 serveraddr.in6.sin6_flowinfo = 0;
de37951c 600#endif
9e4abcb5 601
1a6bca81
SK		 602 /* spoof check: answer must come from known server, */
603 for (server = daemon->servers; server; server = server->next)
604 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
605 sockaddr_isequal(&server->addr, &serveraddr))
606 break;
607
572b41eb 608 header = (struct dns_header *)daemon->packet;
fd9fa481 609
1a6bca81 610 if (!server ||
572b41eb 611 n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
1a6bca81
SK		 612 !(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
613 return;
3a237152 614
572b41eb 615 if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
28866e95 616 !option_bool(OPT_ORDER) &&
1a6bca81
SK		 617 forward->forwardall == 0)
618 /* for broken servers, attempt to send to another one. */
9e4abcb5 619 {
1a6bca81
SK		 620 unsigned char *pheader;
621 size_t plen;
622 int is_sign;
832af0ba 623
1a6bca81
SK		 624 /* recreate query from reply */
625 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
626 if (!is_sign)
832af0ba 627 {
1a6bca81
SK		 628 header->ancount = htons(0);
629 header->nscount = htons(0);
630 header->arcount = htons(0);
631 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
832af0ba 632 {
572b41eb 633 header->hb3 &= ~(HB3_QR | HB3_TC);
1a6bca81
SK		 634 forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
635 return;
832af0ba 636 }
832af0ba 637 }
1a6bca81 638 }
3a237152
SK		 639
640 server = forward->sentto;
1a6bca81
SK		 641
642 if ((forward->sentto->flags & SERV_TYPE) == 0)
643 {
572b41eb 644 if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
1a6bca81
SK		 645 server = NULL;
646 else
b8187c80 647 {
1a6bca81
SK		 648 struct server *last_server;
649
650 /* find good server by address if possible, otherwise assume the last one we sent to */
651 for (last_server = daemon->servers; last_server; last_server = last_server->next)
652 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
653 sockaddr_isequal(&last_server->addr, &serveraddr))
654 {
655 server = last_server;
656 break;
657 }
658 }
28866e95 659 if (!option_bool(OPT_ALL_SERVERS))
1a6bca81
SK		 660 daemon->last_server = server;
661 }
3a237152 662
1a6bca81
SK		 663 /* If the answer is an error, keep the forward record in place in case
664 we get a good reply from another server. Kill it when we've
665 had replies from all to avoid filling the forwarding table when
666 everything is broken */
667 if (forward->forwardall == 0 || --forward->forwardall == 1 ||
572b41eb 668 (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
1a6bca81 669 {
3a237152
SK		 670 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
671
672 if (option_bool(OPT_NO_REBIND))
673 check_rebind = !(forward->flags & FREC_NOREBIND);
674
675 /* Don't cache replies where DNSSEC validation was turned off, either
676 the upstream server told us so, or the original query specified it. */
677 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
678 no_cache_dnssec = 1;
679
680#ifdef HAVE_DNSSEC
681 if (option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
682 {
9d633048 683 int status;
0fc2f313
SK		 684
685 /* We've had a reply already, which we're validating. Ignore this duplicate */
686 if (forward->stash)
687 return;
9d633048 688
871417d4
SK		 689 if (header->hb3 & HB3_TC)
690 {
691 /* Truncated answer can't be validated.
692 The client will retry over TCP, but if this is an answer to a
693 DNSSEC-generated query, we have a problem. Should really re-send
694 over TCP. No-one with any sense will make a DNSKEY or DS RRset
695 exceed 4096, so this may not be a real problem. Just log
696 for now. */
697 if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
698 my_syslog(LOG_ERR, _("Reply to DNSSEC query truncated - validation fails."));
699 status = STAT_INSECURE;
700 }
701 else if (forward->flags & FREC_DNSKEY_QUERY)
0fc2f313 702 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
c3e0b9b6
SK		 703 else if (forward->flags & FREC_DS_QUERY)
704 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
9d633048 705 else
0fc2f313 706 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
3a237152
SK		 707
708 /* Can't validate, as we're missing key data. Put this
709 answer aside, whilst we get that. */
710 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
711 {
712 struct frec *new;
0fc2f313
SK		 713
714 if ((new = get_new_frec(now, NULL, 1)))
3a237152 715 {
0fc2f313
SK		 716 struct frec *next = new->next;
717 *new = *forward; /* copy everything, then overwrite */
718 new->next = next;
719 new->stash = NULL;
720 new->blocking_query = NULL;
f1668d27
SK		 721 new->rfd4 = NULL;
722#ifdef HAVE_IPV6
723 new->rfd6 = NULL;
724#endif
0fc2f313 725 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY);
9d633048 726
0fc2f313 727 if ((forward->stash = blockdata_alloc((char *)header, n)))
3a237152
SK		 728 {
729 int fd;
9d633048 730
0fc2f313
SK		 731 forward->stash_len = n;
732
3a237152
SK		 733 new->dependent = forward; /* to find query awaiting new one. */
734 forward->blocking_query = new; /* for garbage cleaning */
0fc2f313 735 /* validate routines leave name of required record in daemon->keyname */
3a237152 736 if (status == STAT_NEED_KEY)
9d633048
SK		 737 {
738 new->flags |= FREC_DNSKEY_QUERY;
60b68069
SK		 739 nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
740 daemon->keyname, forward->class, T_DNSKEY, &server->addr);
9d633048 741 }
3a237152 742 else if (status == STAT_NEED_DS)
9d633048
SK		 743 {
744 new->flags |= FREC_DS_QUERY;
60b68069
SK		 745 nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
746 daemon->keyname, forward->class, T_DS, &server->addr);
9d633048 747 }
3a237152
SK		 748 new->crc = questions_crc(header, nn, daemon->namebuff);
749 new->new_id = get_id(new->crc);
c3e0b9b6 750 header->id = htons(new->new_id);
9d633048 751
3a237152
SK		 752 /* Don't resend this. */
753 daemon->srv_save = NULL;
754
755 if (server->sfd)
756 fd = server->sfd->fd;
757 else
f1668d27
SK		 758 {
759 fd = -1;
3a237152 760#ifdef HAVE_IPV6
f1668d27
SK		 761 if (server->addr.sa.sa_family == AF_INET6)
762 {
763 if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
764 fd = new->rfd6->fd;
765 }
766 else
3a237152 767#endif
f1668d27
SK		 768 {
769 if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
770 fd = new->rfd4->fd;
771 }
772 }
9d633048 773
f1668d27
SK		 774 if (fd != -1)
775 {
776 while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
777 server->queries++;
778 }
3a237152
SK		 779 }
780 }
0fc2f313 781
3a237152
SK		 782 return;
783 }
784
785 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
786 Now wind back down, pulling back answers which wouldn't previously validate
787 and validate them with the new data. Failure to find needed data here is an internal error.
788 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
789 return it to the original requestor. */
0fc2f313 790 if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
3a237152 791 {
0fc2f313 792 while (forward->dependent)
3a237152 793 {
0fc2f313 794 struct frec *prev;
c3e0b9b6 795
0fc2f313
SK		 796 if (status == STAT_SECURE)
797 {
798 if (forward->flags & FREC_DNSKEY_QUERY)
799 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
800 else if (forward->flags & FREC_DS_QUERY)
801 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
802 }
803
804 prev = forward->dependent;
805 free_frec(forward);
806 forward = prev;
807 forward->blocking_query = NULL; /* already gone */
808 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
809 n = forward->stash_len;
810 }
811
812 /* All DNSKEY and DS records done and in cache, now finally validate original
813 answer, provided last DNSKEY is OK. */
814 if (status == STAT_SECURE)
815 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
816
817 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
818 {
819 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
820 status = STAT_INSECURE;
3a237152
SK		 821 }
822 }
0fc2f313
SK		 823
824 log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
825 status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
826
827 no_cache_dnssec = 0;
c3e0b9b6 828
3a237152
SK		 829 if (status == STAT_SECURE)
830 cache_secure = 1;
831 /* TODO return SERVFAIL here */
832 else if (status == STAT_BOGUS)
833 no_cache_dnssec = 1;
0fc2f313
SK		 834
835 /* restore CD bit to the value in the query */
836 if (forward->flags & FREC_CHECKING_DISABLED)
837 header->hb4 |= HB4_CD;
838 else
839 header->hb4 &= ~HB4_CD;
3a237152
SK		 840 }
841#endif
8ef5ada2 842
3a237152 843 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
ed4c0767 844 forward->flags & FREC_HAS_SUBNET, &forward->source)))
1a6bca81
SK		 845 {
846 header->id = htons(forward->orig_id);
572b41eb 847 header->hb4 |= HB4_RA; /* recursion if available */
54dd393f 848 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
50303b19 849 &forward->source, &forward->dest, forward->iface);
b8187c80 850 }
1a6bca81 851 free_frec(forward); /* cancel */
9e4abcb5 852 }
9e4abcb5 853}
44a2a316 854
1a6bca81 855
5aabfc78 856void receive_query(struct listener *listen, time_t now)
44a2a316 857{
572b41eb 858 struct dns_header *header = (struct dns_header *)daemon->packet;
44a2a316 859 union mysockaddr source_addr;
c1bb8504 860 unsigned short type;
44a2a316 861 struct all_addr dst_addr;
f6b7dc47 862 struct in_addr netmask, dst_addr_4;
cdeda28f
SK		 863 size_t m;
864 ssize_t n;
3b195961
VG		 865 int if_index = 0, auth_dns = 0;
866#ifdef HAVE_AUTH
867 int local_auth = 0;
868#endif
44a2a316
SK		 869 struct iovec iov[1];
870 struct msghdr msg;
871 struct cmsghdr *cmptr;
44a2a316
SK		 872 union {
873 struct cmsghdr align; /* this ensures alignment */
874#ifdef HAVE_IPV6
875 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
876#endif
5e9e0efb 877#if defined(HAVE_LINUX_NETWORK)
44a2a316 878 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
824af85b
SK		 879#elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
880 char control[CMSG_SPACE(sizeof(struct in_addr)) +
881 CMSG_SPACE(sizeof(unsigned int))];
44a2a316
SK		 882#elif defined(IP_RECVDSTADDR)
883 char control[CMSG_SPACE(sizeof(struct in_addr)) +
884 CMSG_SPACE(sizeof(struct sockaddr_dl))];
885#endif
886 } control_u;
2329bef5
SK		 887#ifdef HAVE_IPV6
888 /* Can always get recvd interface for IPv6 */
889 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
890#else
891 int check_dst = !option_bool(OPT_NOWILD);
892#endif
893
cdeda28f
SK		 894 /* packet buffer overwritten */
895 daemon->srv_save = NULL;
896
4f7b304f
SK		 897 dst_addr_4.s_addr = 0;
898 netmask.s_addr = 0;
899
7e5664bd 900 if (option_bool(OPT_NOWILD) && listen->iface)
3d8df260 901 {
4f7b304f
SK		 902 auth_dns = listen->iface->dns_auth;
903
904 if (listen->family == AF_INET)
905 {
906 dst_addr_4 = listen->iface->addr.in.sin_addr;
907 netmask = listen->iface->netmask;
908 }
3d8df260 909 }
4f7b304f 910
3be34541
SK		 911 iov[0].iov_base = daemon->packet;
912 iov[0].iov_len = daemon->edns_pktsz;
44a2a316
SK		 913
914 msg.msg_control = control_u.control;
915 msg.msg_controllen = sizeof(control_u);
916 msg.msg_flags = 0;
917 msg.msg_name = &source_addr;
918 msg.msg_namelen = sizeof(source_addr);
919 msg.msg_iov = iov;
920 msg.msg_iovlen = 1;
921
de37951c 922 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
3be34541 923 return;
44a2a316 924
572b41eb 925 if (n < (int)sizeof(struct dns_header) ||
5e9e0efb 926 (msg.msg_flags & MSG_TRUNC) ||
572b41eb 927 (header->hb3 & HB3_QR))
26128d27
SK		 928 return;
929
44a2a316
SK		 930 source_addr.sa.sa_family = listen->family;
931#ifdef HAVE_IPV6
932 if (listen->family == AF_INET6)
5e9e0efb 933 source_addr.in6.sin6_flowinfo = 0;
44a2a316 934#endif
28866e95 935
2329bef5 936 if (check_dst)
26128d27
SK		 937 {
938 struct ifreq ifr;
939
940 if (msg.msg_controllen < sizeof(struct cmsghdr))
941 return;
44a2a316 942
5e9e0efb 943#if defined(HAVE_LINUX_NETWORK)
26128d27
SK		 944 if (listen->family == AF_INET)
945 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 946 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
26128d27 947 {
8ef5ada2
SK		 948 union {
949 unsigned char *c;
950 struct in_pktinfo *p;
951 } p;
952 p.c = CMSG_DATA(cmptr);
953 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
954 if_index = p.p->ipi_ifindex;
26128d27
SK		 955 }
956#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
957 if (listen->family == AF_INET)
44a2a316 958 {
26128d27 959 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
8ef5ada2
SK		 960 {
961 union {
962 unsigned char *c;
963 unsigned int *i;
964 struct in_addr *a;
965#ifndef HAVE_SOLARIS_NETWORK
966 struct sockaddr_dl *s;
967#endif
968 } p;
969 p.c = CMSG_DATA(cmptr);
970 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
971 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
972 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
824af85b 973#ifdef HAVE_SOLARIS_NETWORK
8ef5ada2 974 if_index = *(p.i);
824af85b 975#else
8ef5ada2 976 if_index = p.s->sdl_index;
824af85b 977#endif
8ef5ada2 978 }
44a2a316 979 }
44a2a316 980#endif
26128d27 981
44a2a316 982#ifdef HAVE_IPV6
26128d27
SK		 983 if (listen->family == AF_INET6)
984 {
985 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 986 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
26128d27 987 {
8ef5ada2
SK		 988 union {
989 unsigned char *c;
990 struct in6_pktinfo *p;
991 } p;
992 p.c = CMSG_DATA(cmptr);
993
994 dst_addr.addr.addr6 = p.p->ipi6_addr;
995 if_index = p.p->ipi6_ifindex;
26128d27
SK		 996 }
997 }
44a2a316 998#endif
26128d27
SK		 999
1000 /* enforce available interface configuration */
1001
e25db1f2 1002 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
5e9e0efb 1003 return;
832af0ba 1004
e25db1f2
SK		 1005 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1006 {
1007 if (!option_bool(OPT_CLEVERBIND))
115ac3e4 1008 enumerate_interfaces(0);
3f2873d4
SK		 1009 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1010 !label_exception(if_index, listen->family, &dst_addr))
e25db1f2
SK		 1011 return;
1012 }
1013
552af8b9
SK		 1014 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1015 {
1016 struct irec *iface;
1017
1018 /* get the netmask of the interface whch has the address we were sent to.
1019 This is no neccessarily the interface we arrived on. */
1020
1021 for (iface = daemon->interfaces; iface; iface = iface->next)
1022 if (iface->addr.sa.sa_family == AF_INET &&
1023 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1024 break;
1025
1026 /* interface may be new */
e25db1f2 1027 if (!iface && !option_bool(OPT_CLEVERBIND))
115ac3e4 1028 enumerate_interfaces(0);
552af8b9
SK		 1029
1030 for (iface = daemon->interfaces; iface; iface = iface->next)
1031 if (iface->addr.sa.sa_family == AF_INET &&
1032 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1033 break;
1034
1035 /* If we failed, abandon localisation */
1036 if (iface)
1037 netmask = iface->netmask;
1038 else
1039 dst_addr_4.s_addr = 0;
1040 }
44a2a316
SK		 1041 }
1042
cdeda28f 1043 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
44a2a316 1044 {
1a6bca81 1045 char types[20];
b485ed97
SK		 1046#ifdef HAVE_AUTH
1047 struct auth_zone *zone;
1048#endif
1a6bca81 1049
4f7b304f 1050 querystr(auth_dns ? "auth" : "query", types, type);
1a6bca81 1051
44a2a316 1052 if (listen->family == AF_INET)
3be34541 1053 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 1054 (struct all_addr *)&source_addr.in.sin_addr, types);
44a2a316
SK		 1055#ifdef HAVE_IPV6
1056 else
3be34541 1057 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 1058 (struct all_addr *)&source_addr.in6.sin6_addr, types);
44a2a316 1059#endif
44a2a316 1060
b485ed97
SK		 1061#ifdef HAVE_AUTH
1062 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1063 if (!auth_dns)
1064 for (zone = daemon->auth_zones; zone; zone = zone->next)
1065 if (in_zone(zone, daemon->namebuff, NULL))
1066 {
1067 auth_dns = 1;
1068 local_auth = 1;
1069 break;
1070 }
b485ed97
SK		 1071#endif
1072 }
1073
4820dce9 1074#ifdef HAVE_AUTH
4f7b304f 1075 if (auth_dns)
824af85b 1076 {
60b68069 1077 m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
4f7b304f 1078 if (m >= 1)
b485ed97
SK		 1079 {
1080 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1081 (char *)header, m, &source_addr, &dst_addr, if_index);
1082 daemon->auth_answer++;
1083 }
824af85b 1084 }
44a2a316 1085 else
4820dce9 1086#endif
4f7b304f 1087 {
60b68069 1088 m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
4f7b304f
SK		 1089 dst_addr_4, netmask, now);
1090
1091 if (m >= 1)
1092 {
1093 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1094 (char *)header, m, &source_addr, &dst_addr, if_index);
1095 daemon->local_answer++;
1096 }
1097 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1098 header, (size_t)n, now, NULL))
1099 daemon->queries_forwarded++;
1100 else
1101 daemon->local_answer++;
1102 }
44a2a316
SK		 1103}
1104
7d7b7b31
SK		 1105#ifdef HAVE_DNSSEC
1106static int tcp_key_recurse(time_t now, int status, int class, char *keyname, struct server *server)
1107{
1108 /* Recurse up the key heirarchy */
1109 size_t n;
1110 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1111 unsigned char *payload = &packet[2];
1112 struct dns_header *header = (struct dns_header *)payload;
1113 u16 *length = (u16 *)packet;
1114 int new_status;
1115 unsigned char c1, c2;
1116
1117 n = dnssec_generate_query(header, ((char *) header) + 65536, keyname, class,
1118 status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
1119
1120 *length = htons(n);
1121
1122 if (!read_write(server->tcpfd, packet, n + sizeof(u16), 0) ||
1123 !read_write(server->tcpfd, &c1, 1, 1) ||
1124 !read_write(server->tcpfd, &c2, 1, 1) ||
1125 !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1126 {
1127 close(server->tcpfd);
1128 server->tcpfd = -1;
1129 new_status = STAT_INSECURE;
1130 }
1131 else
1132 {
1133 n = (c1 << 8) | c2;
1134
1135 if (status == STAT_NEED_KEY)
1136 new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1137 else
1138 new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1139
1140 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1141 {
1142 if ((new_status = tcp_key_recurse(now, new_status, class, daemon->keyname, server) == STAT_SECURE))
1143 {
1144 if (status == STAT_NEED_KEY)
1145 new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1146 else
1147 new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1148
1149 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1150 {
1151 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
1152 status = STAT_INSECURE;
f1668d27 1153 }
7d7b7b31
SK		 1154 }
1155 }
1156 }
1157
1158 free(packet);
1159
1160 return new_status;
1161}
1162#endif
1163
1164
feba5c1d
SK		 1165/* The daemon forks before calling this: it should deal with one connection,
1166 blocking as neccessary, and then return. Note, need to be a bit careful
1167 about resources for debug mode, when the fork is suppressed: that's
1168 done by the caller. */
5aabfc78 1169unsigned char *tcp_request(int confd, time_t now,
4f7b304f 1170 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
feba5c1d 1171{
28866e95
SK		 1172 size_t size = 0;
1173 int norebind = 0;
3b195961 1174#ifdef HAVE_AUTH
19b16891 1175 int local_auth = 0;
3b195961 1176#endif
7d7b7b31 1177 int checking_disabled, check_subnet, no_cache_dnssec = 0, cache_secure = 0;
cdeda28f 1178 size_t m;
ee86ce68
SK		 1179 unsigned short qtype;
1180 unsigned int gotname;
feba5c1d 1181 unsigned char c1, c2;
4b5ea12e
SK		 1182 /* Max TCP packet + slop + size */
1183 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1184 unsigned char *payload = &packet[2];
1185 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1186 struct dns_header *header = (struct dns_header *)payload;
1187 u16 *length = (u16 *)packet;
3be34541 1188 struct server *last_server;
7de060b0
SK		 1189 struct in_addr dst_addr_4;
1190 union mysockaddr peer_addr;
1191 socklen_t peer_len = sizeof(union mysockaddr);
3be34541 1192
7de060b0
SK		 1193 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1194 return packet;
1195
feba5c1d
SK		 1196 while (1)
1197 {
1198 if (!packet ||
1199 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1200 !(size = c1 << 8 | c2) ||
4b5ea12e 1201 !read_write(confd, payload, size, 1))
feba5c1d
SK		 1202 return packet;
1203
572b41eb 1204 if (size < (int)sizeof(struct dns_header))
feba5c1d
SK		 1205 continue;
1206
ed4c0767
SK		 1207 check_subnet = 0;
1208
28866e95 1209 /* save state of "cd" flag in query */
7d7b7b31
SK		 1210 if ((checking_disabled = header->hb4 & HB4_CD))
1211 no_cache_dnssec = 1;
28866e95
SK		 1212
1213 /* RFC 4035: sect 4.6 para 2 */
572b41eb 1214 header->hb4 &= ~HB4_AD;
feba5c1d 1215
3be34541 1216 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
feba5c1d 1217 {
7de060b0 1218 char types[20];
b485ed97
SK		 1219#ifdef HAVE_AUTH
1220 struct auth_zone *zone;
1221#endif
4f7b304f 1222 querystr(auth_dns ? "auth" : "query", types, qtype);
7de060b0
SK		 1223
1224 if (peer_addr.sa.sa_family == AF_INET)
1225 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1226 (struct all_addr *)&peer_addr.in.sin_addr, types);
feba5c1d 1227#ifdef HAVE_IPV6
7de060b0
SK		 1228 else
1229 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1230 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
feba5c1d 1231#endif
b485ed97
SK		 1232
1233#ifdef HAVE_AUTH
1234 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1235 if (!auth_dns)
1236 for (zone = daemon->auth_zones; zone; zone = zone->next)
1237 if (in_zone(zone, daemon->namebuff, NULL))
1238 {
1239 auth_dns = 1;
1240 local_auth = 1;
1241 break;
1242 }
b485ed97 1243#endif
feba5c1d
SK		 1244 }
1245
7de060b0
SK		 1246 if (local_addr->sa.sa_family == AF_INET)
1247 dst_addr_4 = local_addr->in.sin_addr;
1248 else
1249 dst_addr_4.s_addr = 0;
1250
4820dce9 1251#ifdef HAVE_AUTH
4f7b304f 1252 if (auth_dns)
19b16891 1253 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
4f7b304f 1254 else
4820dce9 1255#endif
feba5c1d 1256 {
4f7b304f
SK		 1257 /* m > 0 if answered from cache */
1258 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1259 dst_addr_4, netmask, now);
feba5c1d 1260
4f7b304f
SK		 1261 /* Do this by steam now we're not in the select() loop */
1262 check_log_writer(NULL);
1263
1264 if (m == 0)
feba5c1d 1265 {
4f7b304f
SK		 1266 unsigned int flags = 0;
1267 struct all_addr *addrp = NULL;
1268 int type = 0;
1269 char *domain = NULL;
feba5c1d 1270
4f7b304f
SK		 1271 if (option_bool(OPT_ADD_MAC))
1272 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
ed4c0767
SK		 1273
1274 if (option_bool(OPT_CLIENT_SUBNET))
1275 {
1276 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1277 if (size != new)
1278 {
1279 size = new;
1280 check_subnet = 1;
1281 }
1282 }
1283
4f7b304f
SK		 1284 if (gotname)
1285 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1286
1287 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1288 last_server = daemon->servers;
1289 else
1290 last_server = daemon->last_server;
1291
1292 if (!flags && last_server)
1293 {
1294 struct server *firstsendto = NULL;
1295 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1296
1297 /* Loop round available servers until we succeed in connecting to one.
1298 Note that this code subtley ensures that consecutive queries on this connection
1299 which can go to the same server, do so. */
1300 while (1)
feba5c1d 1301 {
4f7b304f
SK		 1302 if (!firstsendto)
1303 firstsendto = last_server;
1304 else
1305 {
1306 if (!(last_server = last_server->next))
1307 last_server = daemon->servers;
1308
1309 if (last_server == firstsendto)
1310 break;
1311 }
1312
1313 /* server for wrong domain */
1314 if (type != (last_server->flags & SERV_TYPE) ||
1315 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
7de060b0
SK		 1316 continue;
1317
4f7b304f 1318 if (last_server->tcpfd == -1)
7de060b0 1319 {
4f7b304f
SK		 1320 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1321 continue;
1322
1323 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1324 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1325 {
1326 close(last_server->tcpfd);
1327 last_server->tcpfd = -1;
1328 continue;
1329 }
1330
7d7b7b31
SK		 1331#ifdef HAVE_DNSSEC
1332 if (option_bool(OPT_DNSSEC_VALID))
1333 {
1334 size = add_do_bit(header, size, ((char *) header) + 65536);
1335 header->hb4 |= HB4_CD;
1336 }
1337#endif
1338
7de060b0 1339#ifdef HAVE_CONNTRACK
4f7b304f
SK		 1340 /* Copy connection mark of incoming query to outgoing connection. */
1341 if (option_bool(OPT_CONNTRACK))
1342 {
1343 unsigned int mark;
1344 struct all_addr local;
7de060b0 1345#ifdef HAVE_IPV6
4f7b304f
SK		 1346 if (local_addr->sa.sa_family == AF_INET6)
1347 local.addr.addr6 = local_addr->in6.sin6_addr;
1348 else
7de060b0 1349#endif
4f7b304f
SK		 1350 local.addr.addr4 = local_addr->in.sin_addr;
1351
1352 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1353 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1354 }
7de060b0 1355#endif
4f7b304f
SK		 1356 }
1357
4b5ea12e 1358 *length = htons(size);
4f7b304f 1359
4b5ea12e 1360 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
4f7b304f 1361 !read_write(last_server->tcpfd, &c1, 1, 1) ||
7d7b7b31
SK		 1362 !read_write(last_server->tcpfd, &c2, 1, 1) ||
1363 !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
4f7b304f
SK		 1364 {
1365 close(last_server->tcpfd);
1366 last_server->tcpfd = -1;
1367 continue;
1368 }
1369
1370 m = (c1 << 8) | c2;
4f7b304f
SK		 1371
1372 if (!gotname)
1373 strcpy(daemon->namebuff, "query");
1374 if (last_server->addr.sa.sa_family == AF_INET)
1375 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1376 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
feba5c1d 1377#ifdef HAVE_IPV6
4f7b304f
SK		 1378 else
1379 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1380 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
feba5c1d 1381#endif
7d7b7b31
SK		 1382
1383#ifdef HAVE_DNSSEC
1384 if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
1385 {
1386 int class, status;
1387
1388 status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
1389
1390 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
1391 {
1392 if ((status = tcp_key_recurse(now, status, class, daemon->keyname, last_server)) == STAT_SECURE)
1393 status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
1394 }
1395
1396 log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
1397 status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1398
1399 if (status == STAT_BOGUS)
1400 no_cache_dnssec = 1;
1401
1402 if (status == STAT_SECURE)
1403 cache_secure = 1;
1404 }
1405#endif
1406
1407 /* restore CD bit to the value in the query */
1408 if (checking_disabled)
1409 header->hb4 |= HB4_CD;
1410 else
1411 header->hb4 &= ~HB4_CD;
4f7b304f
SK		 1412
1413 /* There's no point in updating the cache, since this process will exit and
1414 lose the information after a few queries. We make this call for the alias and
1415 bogus-nxdomain side-effects. */
1416 /* If the crc of the question section doesn't match the crc we sent, then
1417 someone might be attempting to insert bogus values into the cache by
1418 sending replies containing questions and bogus answers. */
1419 if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
1420 m = process_reply(header, now, last_server, (unsigned int)m,
7d7b7b31
SK		 1421 option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
1422 cache_secure, check_subnet, &peer_addr);
4f7b304f
SK		 1423
1424 break;
1425 }
feba5c1d 1426 }
4f7b304f
SK		 1427
1428 /* In case of local answer or no connections made. */
1429 if (m == 0)
1430 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
feba5c1d 1431 }
feba5c1d 1432 }
4f7b304f 1433
5aabfc78 1434 check_log_writer(NULL);
feba5c1d 1435
4b5ea12e
SK		 1436 *length = htons(m);
1437
1438 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
feba5c1d
SK		 1439 return packet;
1440 }
1441}
1442
1697269c 1443static struct frec *allocate_frec(time_t now)
9e4abcb5 1444{
1697269c
SK		 1445 struct frec *f;
1446
5aabfc78 1447 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
9e4abcb5 1448 {
1a6bca81 1449 f->next = daemon->frec_list;
1697269c 1450 f->time = now;
832af0ba 1451 f->sentto = NULL;
1a6bca81 1452 f->rfd4 = NULL;
28866e95 1453 f->flags = 0;
1a6bca81
SK		 1454#ifdef HAVE_IPV6
1455 f->rfd6 = NULL;
3a237152
SK		 1456#endif
1457#ifdef HAVE_DNSSEC
1458 f->blocking_query = NULL;
1a6bca81
SK		 1459#endif
1460 daemon->frec_list = f;
1697269c 1461 }
9e4abcb5 1462
1697269c
SK		 1463 return f;
1464}
9e4abcb5 1465
1a6bca81
SK		 1466static struct randfd *allocate_rfd(int family)
1467{
1468 static int finger = 0;
1469 int i;
1470
1471 /* limit the number of sockets we have open to avoid starvation of
1472 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1473
1474 for (i = 0; i < RANDOM_SOCKS; i++)
9009d746 1475 if (daemon->randomsocks[i].refcount == 0)
1a6bca81 1476 {
9009d746
SK		 1477 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
1478 break;
1479
1a6bca81
SK		 1480 daemon->randomsocks[i].refcount = 1;
1481 daemon->randomsocks[i].family = family;
1482 return &daemon->randomsocks[i];
1483 }
1484
9009d746 1485 /* No free ones or cannot get new socket, grab an existing one */
1a6bca81
SK		 1486 for (i = 0; i < RANDOM_SOCKS; i++)
1487 {
1488 int j = (i+finger) % RANDOM_SOCKS;
9009d746
SK		 1489 if (daemon->randomsocks[j].refcount != 0 &&
1490 daemon->randomsocks[j].family == family &&
1491 daemon->randomsocks[j].refcount != 0xffff)
1a6bca81
SK		 1492 {
1493 finger = j;
1494 daemon->randomsocks[j].refcount++;
1495 return &daemon->randomsocks[j];
1496 }
1497 }
1498
1499 return NULL; /* doom */
1500}
1a6bca81
SK		 1501static void free_frec(struct frec *f)
1502{
1503 if (f->rfd4 && --(f->rfd4->refcount) == 0)
1504 close(f->rfd4->fd);
1505
1506 f->rfd4 = NULL;
1507 f->sentto = NULL;
28866e95 1508 f->flags = 0;
1a6bca81
SK		 1509
1510#ifdef HAVE_IPV6
1511 if (f->rfd6 && --(f->rfd6->refcount) == 0)
1512 close(f->rfd6->fd);
1513
1514 f->rfd6 = NULL;
1515#endif
3a237152
SK		 1516
1517#ifdef HAVE_DNSSEC
1518 if (f->stash)
0fc2f313
SK		 1519 {
1520 blockdata_free(f->stash);
1521 f->stash = NULL;
1522 }
3a237152
SK		 1523
1524 /* Anything we're waiting on is pointless now, too */
1525 if (f->blocking_query)
1526 free_frec(f->blocking_query);
1527 f->blocking_query = NULL;
1528
1529#endif
1a6bca81
SK		 1530}
1531
1697269c
SK		 1532/* if wait==NULL return a free or older than TIMEOUT record.
1533 else return *wait zero if one available, or *wait is delay to
1a6bca81 1534 when the oldest in-use record will expire. Impose an absolute
3a237152
SK		 1535 limit of 4*TIMEOUT before we wipe things (for random sockets).
1536 If force is set, always return a result, even if we have
1537 to allocate above the limit. */
1538struct frec *get_new_frec(time_t now, int *wait, int force)
1697269c 1539{
1a6bca81 1540 struct frec *f, *oldest, *target;
1697269c
SK		 1541 int count;
1542
1543 if (wait)
1544 *wait = 0;
1545
1a6bca81 1546 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
832af0ba 1547 if (!f->sentto)
1a6bca81
SK		 1548 target = f;
1549 else
1697269c 1550 {
1a6bca81
SK		 1551 if (difftime(now, f->time) >= 4*TIMEOUT)
1552 {
1553 free_frec(f);
1554 target = f;
1555 }
1556
1557 if (!oldest || difftime(f->time, oldest->time) <= 0)
1558 oldest = f;
1697269c 1559 }
1a6bca81
SK		 1560
1561 if (target)
1562 {
1563 target->time = now;
1564 return target;
1565 }
9e4abcb5
SK		 1566
1567 /* can't find empty one, use oldest if there is one
1568 and it's older than timeout */
1697269c 1569 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
9e4abcb5 1570 {
1697269c
SK		 1571 /* keep stuff for twice timeout if we can by allocating a new
1572 record instead */
1573 if (difftime(now, oldest->time) < 2*TIMEOUT &&
1574 count <= daemon->ftabsize &&
1575 (f = allocate_frec(now)))
1576 return f;
1577
1578 if (!wait)
1579 {
1a6bca81 1580 free_frec(oldest);
1697269c
SK		 1581 oldest->time = now;
1582 }
9e4abcb5
SK		 1583 return oldest;
1584 }
1585
1697269c 1586 /* none available, calculate time 'till oldest record expires */
3a237152 1587 if (!force && count > daemon->ftabsize)
1697269c 1588 {
0da5e897
MSB		 1589 static time_t last_log = 0;
1590
1697269c
SK		 1591 if (oldest && wait)
1592 *wait = oldest->time + (time_t)TIMEOUT - now;
0da5e897
MSB		 1593
1594 if ((int)difftime(now, last_log) > 5)
1595 {
1596 last_log = now;
1597 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
1598 }
1599
9e4abcb5
SK		 1600 return NULL;
1601 }
1697269c
SK		 1602
1603 if (!(f = allocate_frec(now)) && wait)
1604 /* wait one second on malloc failure */
1605 *wait = 1;
9e4abcb5 1606
9e4abcb5
SK		 1607 return f; /* OK if malloc fails and this is NULL */
1608}
1609
832af0ba
SK		 1610/* crc is all-ones if not known. */
1611static struct frec *lookup_frec(unsigned short id, unsigned int crc)
9e4abcb5
SK		 1612{
1613 struct frec *f;
1614
1a6bca81 1615 for(f = daemon->frec_list; f; f = f->next)
832af0ba
SK		 1616 if (f->sentto && f->new_id == id &&
1617 (f->crc == crc || crc == 0xffffffff))
9e4abcb5
SK		 1618 return f;
1619
1620 return NULL;
1621}
1622
1623static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481
SK		 1624 union mysockaddr *addr,
1625 unsigned int crc)
9e4abcb5 1626{
feba5c1d
SK		 1627 struct frec *f;
1628
1a6bca81 1629 for(f = daemon->frec_list; f; f = f->next)
832af0ba 1630 if (f->sentto &&
9e4abcb5 1631 f->orig_id == id &&
fd9fa481 1632 f->crc == crc &&
9e4abcb5
SK		 1633 sockaddr_isequal(&f->source, addr))
1634 return f;
1635
1636 return NULL;
1637}
1638
849a8357 1639/* A server record is going away, remove references to it */
5aabfc78 1640void server_gone(struct server *server)
849a8357
SK		 1641{
1642 struct frec *f;
1643
1a6bca81 1644 for (f = daemon->frec_list; f; f = f->next)
832af0ba 1645 if (f->sentto && f->sentto == server)
1a6bca81 1646 free_frec(f);
849a8357
SK		 1647
1648 if (daemon->last_server == server)
1649 daemon->last_server = NULL;
1650
1651 if (daemon->srv_save == server)
1652 daemon->srv_save = NULL;
1653}
9e4abcb5 1654
316e2730
SK		 1655/* return unique random ids. */
1656static unsigned short get_id(unsigned int crc)
9e4abcb5
SK		 1657{
1658 unsigned short ret = 0;
832af0ba 1659
316e2730 1660 do
832af0ba
SK		 1661 ret = rand16();
1662 while (lookup_frec(ret, crc));
1663
9e4abcb5
SK		 1664 return ret;
1665}
1666
1667
1668
1669
1670
Michael's tree of dnsmasq.