]> git.ipfire.org Git - people/ms/dnsmasq.git/blame - src/forward.c
projects / people / ms / dnsmasq.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
backup
[people/ms/dnsmasq.git] / src / forward.c
CommitLineData
61744359 1/* dnsmasq is Copyright (c) 2000-2013 Simon Kelley
9e4abcb5
SK		 2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
824af85b
SK		 5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
9e4abcb5
SK		 8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
824af85b 12
73a08a24
SK		 13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
9e4abcb5
SK		 15*/
16
9e4abcb5
SK		 17#include "dnsmasq.h"
18
832af0ba 19static struct frec *lookup_frec(unsigned short id, unsigned int crc);
9e4abcb5 20static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481
SK		 21 union mysockaddr *addr,
22 unsigned int crc);
316e2730 23static unsigned short get_id(unsigned int crc);
1a6bca81
SK		 24static void free_frec(struct frec *f);
25static struct randfd *allocate_rfd(int family);
9e4abcb5 26
824af85b 27/* Send a UDP packet with its source address set as "source"
44a2a316 28 unless nowild is true, when we just send it with the kernel default */
29689cfa
SK		 29int send_from(int fd, int nowild, char *packet, size_t len,
30 union mysockaddr *to, struct all_addr *source,
50303b19 31 unsigned int iface)
9e4abcb5 32{
44a2a316
SK		 33 struct msghdr msg;
34 struct iovec iov[1];
44a2a316
SK		 35 union {
36 struct cmsghdr align; /* this ensures alignment */
5e9e0efb 37#if defined(HAVE_LINUX_NETWORK)
44a2a316
SK		 38 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
39#elif defined(IP_SENDSRCADDR)
40 char control[CMSG_SPACE(sizeof(struct in_addr))];
41#endif
42#ifdef HAVE_IPV6
43 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
44#endif
45 } control_u;
feba5c1d 46
44a2a316
SK		 47 iov[0].iov_base = packet;
48 iov[0].iov_len = len;
49
feba5c1d
SK		 50 msg.msg_control = NULL;
51 msg.msg_controllen = 0;
44a2a316
SK		 52 msg.msg_flags = 0;
53 msg.msg_name = to;
54 msg.msg_namelen = sa_len(to);
55 msg.msg_iov = iov;
56 msg.msg_iovlen = 1;
feba5c1d 57
26128d27 58 if (!nowild)
44a2a316 59 {
26128d27 60 struct cmsghdr *cmptr;
feba5c1d
SK		 61 msg.msg_control = &control_u;
62 msg.msg_controllen = sizeof(control_u);
26128d27
SK		 63 cmptr = CMSG_FIRSTHDR(&msg);
64
65 if (to->sa.sa_family == AF_INET)
66 {
5e9e0efb 67#if defined(HAVE_LINUX_NETWORK)
8ef5ada2
SK		 68 struct in_pktinfo p;
69 p.ipi_ifindex = 0;
70 p.ipi_spec_dst = source->addr.addr4;
71 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 72 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
c72daea8 73 cmptr->cmsg_level = IPPROTO_IP;
26128d27 74 cmptr->cmsg_type = IP_PKTINFO;
44a2a316 75#elif defined(IP_SENDSRCADDR)
8ef5ada2 76 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
26128d27
SK		 77 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
78 cmptr->cmsg_level = IPPROTO_IP;
79 cmptr->cmsg_type = IP_SENDSRCADDR;
44a2a316 80#endif
26128d27 81 }
26128d27 82 else
b8187c80 83#ifdef HAVE_IPV6
26128d27 84 {
8ef5ada2
SK		 85 struct in6_pktinfo p;
86 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
87 p.ipi6_addr = source->addr.addr6;
88 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 89 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
316e2730 90 cmptr->cmsg_type = daemon->v6pktinfo;
c72daea8 91 cmptr->cmsg_level = IPPROTO_IPV6;
26128d27 92 }
3d8df260 93#else
c72daea8 94 (void)iface; /* eliminate warning */
44a2a316 95#endif
26128d27 96 }
feba5c1d 97
29d28dda 98 while (sendmsg(fd, &msg, 0) == -1)
feba5c1d 99 {
fd9fa481 100 if (retry_send())
29d28dda 101 continue;
22d904db 102
29d28dda
SK		 103 /* If interface is still in DAD, EINVAL results - ignore that. */
104 if (errno == EINVAL)
105 break;
29689cfa 106
29d28dda 107 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
29689cfa 108 return 0;
feba5c1d 109 }
29d28dda 110
29689cfa 111 return 1;
9e4abcb5 112}
44a2a316 113
28866e95
SK		 114static unsigned int search_servers(time_t now, struct all_addr **addrpp,
115 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
feba5c1d
SK		 116
117{
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
121
122 unsigned int namelen = strlen(qdomain);
123 unsigned int matchlen = 0;
124 struct server *serv;
28866e95 125 unsigned int flags = 0;
feba5c1d 126
3be34541 127 for (serv = daemon->servers; serv; serv=serv->next)
feba5c1d 128 /* domain matches take priority over NODOTS matches */
3d8df260 129 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
feba5c1d 130 {
28866e95 131 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
feba5c1d 132 *type = SERV_FOR_NODOTS;
feba5c1d 133 if (serv->flags & SERV_NO_ADDR)
36717eee
SK		 134 flags = F_NXDOMAIN;
135 else if (serv->flags & SERV_LITERAL_ADDRESS)
136 {
137 if (sflag & qtype)
138 {
139 flags = sflag;
140 if (serv->addr.sa.sa_family == AF_INET)
141 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 142#ifdef HAVE_IPV6
36717eee
SK		 143 else
144 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 145#endif
36717eee 146 }
824af85b 147 else if (!flags || (flags & F_NXDOMAIN))
36717eee
SK		 148 flags = F_NOERR;
149 }
feba5c1d
SK		 150 }
151 else if (serv->flags & SERV_HAS_DOMAIN)
152 {
153 unsigned int domainlen = strlen(serv->domain);
b8187c80 154 char *matchstart = qdomain + namelen - domainlen;
feba5c1d 155 if (namelen >= domainlen &&
b8187c80 156 hostname_isequal(matchstart, serv->domain) &&
8ef5ada2 157 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
feba5c1d 158 {
8ef5ada2
SK		 159 if (serv->flags & SERV_NO_REBIND)
160 *norebind = 1;
28866e95 161 else
feba5c1d 162 {
28866e95
SK		 163 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen != 0 && domainlen == matchlen)
36717eee 168 {
28866e95 169 if ((serv->flags & SERV_LITERAL_ADDRESS))
8ef5ada2 170 {
28866e95
SK		 171 if (!(sflag & qtype) && flags == 0)
172 continue;
173 }
174 else
175 {
176 if (flags & (F_IPV4 | F_IPV6))
177 continue;
178 }
179 }
180
181 if (domainlen >= matchlen)
182 {
183 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
184 *domain = serv->domain;
185 matchlen = domainlen;
186 if (serv->flags & SERV_NO_ADDR)
187 flags = F_NXDOMAIN;
188 else if (serv->flags & SERV_LITERAL_ADDRESS)
189 {
190 if (sflag & qtype)
191 {
192 flags = sflag;
193 if (serv->addr.sa.sa_family == AF_INET)
194 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 195#ifdef HAVE_IPV6
28866e95
SK		 196 else
197 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 198#endif
28866e95
SK		 199 }
200 else if (!flags || (flags & F_NXDOMAIN))
201 flags = F_NOERR;
8ef5ada2 202 }
28866e95
SK		 203 else
204 flags = 0;
205 }
206 }
8ef5ada2 207 }
feba5c1d 208 }
8ef5ada2 209
7de060b0 210 if (flags == 0 && !(qtype & F_QUERY) &&
28866e95 211 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
7de060b0
SK		 212 /* don't forward A or AAAA queries for simple names, except the empty name */
213 flags = F_NOERR;
8ef5ada2 214
5aabfc78 215 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
c1bb8504 216 flags = F_NOERR;
feba5c1d 217
824af85b
SK		 218 if (flags)
219 {
220 int logflags = 0;
221
222 if (flags == F_NXDOMAIN || flags == F_NOERR)
223 logflags = F_NEG | qtype;
224
1a6bca81 225 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
824af85b 226 }
8ef5ada2
SK		 227 else if ((*type) & SERV_USE_RESOLV)
228 {
229 *type = 0; /* use normal servers for this domain */
230 *domain = NULL;
231 }
feba5c1d
SK		 232 return flags;
233}
44a2a316 234
824af85b
SK		 235static int forward_query(int udpfd, union mysockaddr *udpaddr,
236 struct all_addr *dst_addr, unsigned int dst_iface,
572b41eb 237 struct dns_header *header, size_t plen, time_t now, struct frec *forward)
9e4abcb5 238{
9e4abcb5 239 char *domain = NULL;
8ef5ada2 240 int type = 0, norebind = 0;
9e4abcb5 241 struct all_addr *addrp = NULL;
cdeda28f 242 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
28866e95
SK		 243 unsigned int flags = 0;
244 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
de37951c 245 struct server *start = NULL;
7de060b0 246
28866e95 247 /* RFC 4035: sect 4.6 para 2 */
572b41eb
SK		 248 header->hb4 &= ~HB4_AD;
249
3d8df260
SK		 250 /* may be no servers available. */
251 if (!daemon->servers)
9e4abcb5 252 forward = NULL;
b8187c80 253 else if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, crc)))
9e4abcb5 254 {
de37951c 255 /* retry on existing query, send to all available servers */
9e4abcb5 256 domain = forward->sentto->domain;
824af85b 257 forward->sentto->failed_queries++;
28866e95 258 if (!option_bool(OPT_ORDER))
de37951c 259 {
0a852541 260 forward->forwardall = 1;
3be34541 261 daemon->last_server = NULL;
de37951c 262 }
9e4abcb5 263 type = forward->sentto->flags & SERV_TYPE;
de37951c 264 if (!(start = forward->sentto->next))
3be34541 265 start = daemon->servers; /* at end of list, recycle */
9e4abcb5
SK		 266 header->id = htons(forward->new_id);
267 }
268 else
269 {
270 if (gotname)
8ef5ada2 271 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
9e4abcb5 272
3a237152 273 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
feba5c1d
SK		 274 /* table full - server failure. */
275 flags = F_NEG;
9e4abcb5
SK		 276
277 if (forward)
278 {
0a852541
SK		 279 forward->source = *udpaddr;
280 forward->dest = *dst_addr;
281 forward->iface = dst_iface;
0a852541 282 forward->orig_id = ntohs(header->id);
316e2730 283 forward->new_id = get_id(crc);
832af0ba 284 forward->fd = udpfd;
0a852541
SK		 285 forward->crc = crc;
286 forward->forwardall = 0;
ed4c0767 287 forward->flags = 0;
28866e95
SK		 288 if (norebind)
289 forward->flags |= FREC_NOREBIND;
572b41eb 290 if (header->hb4 & HB4_CD)
28866e95 291 forward->flags |= FREC_CHECKING_DISABLED;
0a852541 292
28866e95
SK		 293 header->id = htons(forward->new_id);
294
8ef5ada2
SK		 295 /* In strict_order mode, always try servers in the order
296 specified in resolv.conf, if a domain is given
297 always try all the available servers,
9e4abcb5
SK		 298 otherwise, use the one last known to work. */
299
8ef5ada2
SK		 300 if (type == 0)
301 {
28866e95 302 if (option_bool(OPT_ORDER))
8ef5ada2
SK		 303 start = daemon->servers;
304 else if (!(start = daemon->last_server) ||
305 daemon->forwardcount++ > FORWARD_TEST ||
306 difftime(now, daemon->forwardtime) > FORWARD_TIME)
307 {
308 start = daemon->servers;
309 forward->forwardall = 1;
310 daemon->forwardcount = 0;
311 daemon->forwardtime = now;
312 }
313 }
314 else
de37951c 315 {
3be34541 316 start = daemon->servers;
28866e95 317 if (!option_bool(OPT_ORDER))
8ef5ada2 318 forward->forwardall = 1;
de37951c 319 }
9e4abcb5
SK		 320 }
321 }
feba5c1d 322
9e4abcb5
SK		 323 /* check for send errors here (no route to host)
324 if we fail to send to all nameservers, send back an error
325 packet straight away (helps modem users when offline) */
326
327 if (!flags && forward)
328 {
de37951c
SK		 329 struct server *firstsentto = start;
330 int forwarded = 0;
28866e95 331
797a7afb
GT		 332 if (option_bool(OPT_ADD_MAC))
333 plen = add_mac(header, plen, ((char *) header) + PACKETSZ, &forward->source);
28866e95 334
ed4c0767
SK		 335 if (option_bool(OPT_CLIENT_SUBNET))
336 {
337 size_t new = add_source_addr(header, plen, ((char *) header) + PACKETSZ, &forward->source);
338 if (new != plen)
339 {
340 plen = new;
341 forward->flags |= FREC_HAS_SUBNET;
342 }
343 }
344
3a237152
SK		 345#ifdef HAVE_DNSSEC
346 if (option_bool(OPT_DNSSEC_VALID))
347 plen = add_do_bit(header, plen, ((char *) header) + PACKETSZ);
348#endif
349
9e4abcb5
SK		 350 while (1)
351 {
9e4abcb5
SK		 352 /* only send to servers dealing with our domain.
353 domain may be NULL, in which case server->domain
354 must be NULL also. */
355
de37951c 356 if (type == (start->flags & SERV_TYPE) &&
fd9fa481
SK		 357 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
358 !(start->flags & SERV_LITERAL_ADDRESS))
9e4abcb5 359 {
1a6bca81
SK		 360 int fd;
361
362 /* find server socket to use, may need to get random one. */
363 if (start->sfd)
364 fd = start->sfd->fd;
365 else
366 {
367#ifdef HAVE_IPV6
368 if (start->addr.sa.sa_family == AF_INET6)
369 {
370 if (!forward->rfd6 &&
371 !(forward->rfd6 = allocate_rfd(AF_INET6)))
372 break;
3927da46 373 daemon->rfd_save = forward->rfd6;
1a6bca81
SK		 374 fd = forward->rfd6->fd;
375 }
376 else
377#endif
378 {
379 if (!forward->rfd4 &&
380 !(forward->rfd4 = allocate_rfd(AF_INET)))
381 break;
3927da46 382 daemon->rfd_save = forward->rfd4;
1a6bca81
SK		 383 fd = forward->rfd4->fd;
384 }
7de060b0
SK		 385
386#ifdef HAVE_CONNTRACK
387 /* Copy connection mark of incoming query to outgoing connection. */
388 if (option_bool(OPT_CONNTRACK))
389 {
390 unsigned int mark;
797a7afb 391 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
7de060b0
SK		 392 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
393 }
394#endif
1a6bca81
SK		 395 }
396
397 if (sendto(fd, (char *)header, plen, 0,
feba5c1d 398 &start->addr.sa,
fd9fa481
SK		 399 sa_len(&start->addr)) == -1)
400 {
401 if (retry_send())
402 continue;
403 }
404 else
9e4abcb5 405 {
cdeda28f
SK		 406 /* Keep info in case we want to re-send this packet */
407 daemon->srv_save = start;
408 daemon->packet_len = plen;
409
de37951c 410 if (!gotname)
3be34541 411 strcpy(daemon->namebuff, "query");
de37951c 412 if (start->addr.sa.sa_family == AF_INET)
3be34541 413 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 414 (struct all_addr *)&start->addr.in.sin_addr, NULL);
de37951c
SK		 415#ifdef HAVE_IPV6
416 else
3be34541 417 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 418 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
de37951c 419#endif
824af85b 420 start->queries++;
de37951c
SK		 421 forwarded = 1;
422 forward->sentto = start;
0a852541 423 if (!forward->forwardall)
de37951c 424 break;
0a852541 425 forward->forwardall++;
9e4abcb5
SK		 426 }
427 }
428
de37951c 429 if (!(start = start->next))
3be34541 430 start = daemon->servers;
9e4abcb5 431
de37951c 432 if (start == firstsentto)
9e4abcb5
SK		 433 break;
434 }
435
de37951c 436 if (forwarded)
824af85b 437 return 1;
de37951c 438
9e4abcb5
SK		 439 /* could not send on, prepare to return */
440 header->id = htons(forward->orig_id);
1a6bca81 441 free_frec(forward); /* cancel */
9e4abcb5
SK		 442 }
443
444 /* could not send on, return empty answer or address if known for whole domain */
b8187c80
SK		 445 if (udpfd != -1)
446 {
cdeda28f 447 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
54dd393f 448 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
b8187c80
SK		 449 }
450
824af85b 451 return 0;
9e4abcb5
SK		 452}
453
ed4c0767 454static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
3a237152 455 int no_cache, int cache_secure, int check_subnet, union mysockaddr *query_source)
feba5c1d 456{
36717eee 457 unsigned char *pheader, *sizep;
13d86c73 458 char **sets = 0;
832af0ba 459 int munged = 0, is_sign;
cdeda28f 460 size_t plen;
3a237152 461 int squash_ad = 0;
cdeda28f 462
13d86c73
JD		 463#ifdef HAVE_IPSET
464 /* Similar algorithm to search_servers. */
465 struct ipsets *ipset_pos;
466 unsigned int namelen = strlen(daemon->namebuff);
467 unsigned int matchlen = 0;
468 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
469 {
470 unsigned int domainlen = strlen(ipset_pos->domain);
471 char *matchstart = daemon->namebuff + namelen - domainlen;
472 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
473 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
474 domainlen >= matchlen) {
475 matchlen = domainlen;
476 sets = ipset_pos->sets;
477 }
478 }
479#endif
480
feba5c1d 481 /* If upstream is advertising a larger UDP packet size
9009d746
SK		 482 than we allow, trim it so that we don't get overlarge
483 requests for the client. We can't do this for signed packets. */
feba5c1d 484
ed4c0767 485 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
feba5c1d 486 {
ed4c0767
SK		 487 if (!is_sign)
488 {
489 unsigned short udpsz;
490 unsigned char *psave = sizep;
491
492 GETSHORT(udpsz, sizep);
493 if (udpsz > daemon->edns_pktsz)
494 PUTSHORT(daemon->edns_pktsz, psave);
495 }
feba5c1d 496
ed4c0767
SK		 497 if (check_subnet && !check_source(header, plen, pheader, query_source))
498 {
499 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
500 return 0;
501 }
feba5c1d 502 }
ed4c0767 503
28866e95 504 /* RFC 4035 sect 4.6 para 3 */
237724c0 505 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
3a237152
SK		 506 squash_ad = 1;
507
508#ifdef HAVE_DNSSEC
509 if (option_bool(OPT_DNSSEC_VALID))
510 squash_ad = no_cache;
28866e95 511
3a237152
SK		 512 if (cache_secure)
513 header->hb4 |= HB4_AD;
514#endif
515
516 if (squash_ad)
517 header->hb4 &= ~HB4_AD;
518
572b41eb 519 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
0a852541
SK		 520 return n;
521
feba5c1d 522 /* Complain loudly if the upstream server is non-recursive. */
572b41eb 523 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
0a852541 524 server && !(server->flags & SERV_WARNED_RECURSIVE))
feba5c1d 525 {
3d8df260 526 prettyprint_addr(&server->addr, daemon->namebuff);
f2621c7f 527 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
28866e95 528 if (!option_bool(OPT_LOG))
0a852541
SK		 529 server->flags |= SERV_WARNED_RECURSIVE;
530 }
e292e93d 531
572b41eb 532 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
fd9fa481 533 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
feba5c1d 534 {
fd9fa481 535 munged = 1;
572b41eb
SK		 536 SET_RCODE(header, NXDOMAIN);
537 header->hb3 &= ~HB3_AA;
36717eee 538 }
fd9fa481 539 else
36717eee 540 {
572b41eb 541 if (RCODE(header) == NXDOMAIN &&
fd9fa481 542 extract_request(header, n, daemon->namebuff, NULL) &&
5aabfc78 543 check_for_local_domain(daemon->namebuff, now))
36717eee
SK		 544 {
545 /* if we forwarded a query for a locally known name (because it was for
546 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
547 since we know that the domain exists, even if upstream doesn't */
fd9fa481 548 munged = 1;
572b41eb
SK		 549 header->hb3 |= HB3_AA;
550 SET_RCODE(header, NOERROR);
feba5c1d 551 }
832af0ba 552
3a237152 553 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache))
824af85b 554 {
8ef5ada2 555 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
824af85b
SK		 556 munged = 1;
557 }
feba5c1d 558 }
fd9fa481
SK		 559
560 /* do this after extract_addresses. Ensure NODATA reply and remove
561 nameserver info. */
562
563 if (munged)
564 {
565 header->ancount = htons(0);
566 header->nscount = htons(0);
567 header->arcount = htons(0);
568 }
569
36717eee
SK		 570 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
571 sections of the packet. Find the new length here and put back pseudoheader
572 if it was removed. */
573 return resize_packet(header, n, pheader, plen);
feba5c1d
SK		 574}
575
3be34541 576/* sets new last_server */
1a6bca81 577void reply_query(int fd, int family, time_t now)
9e4abcb5
SK		 578{
579 /* packet from peer server, extract data for cache, and send to
580 original requester */
572b41eb 581 struct dns_header *header;
de37951c 582 union mysockaddr serveraddr;
832af0ba 583 struct frec *forward;
de37951c 584 socklen_t addrlen = sizeof(serveraddr);
1a6bca81 585 ssize_t n = recvfrom(fd, daemon->packet, daemon->edns_pktsz, 0, &serveraddr.sa, &addrlen);
cdeda28f 586 size_t nn;
1a6bca81
SK		 587 struct server *server;
588
cdeda28f
SK		 589 /* packet buffer overwritten */
590 daemon->srv_save = NULL;
832af0ba 591
de37951c 592 /* Determine the address of the server replying so that we can mark that as good */
1a6bca81 593 serveraddr.sa.sa_family = family;
de37951c
SK		 594#ifdef HAVE_IPV6
595 if (serveraddr.sa.sa_family == AF_INET6)
5e9e0efb 596 serveraddr.in6.sin6_flowinfo = 0;
de37951c 597#endif
9e4abcb5 598
1a6bca81
SK		 599 /* spoof check: answer must come from known server, */
600 for (server = daemon->servers; server; server = server->next)
601 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
602 sockaddr_isequal(&server->addr, &serveraddr))
603 break;
604
572b41eb 605 header = (struct dns_header *)daemon->packet;
fd9fa481 606
1a6bca81 607 if (!server ||
572b41eb 608 n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
1a6bca81
SK		 609 !(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
610 return;
3a237152 611
572b41eb 612 if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
28866e95 613 !option_bool(OPT_ORDER) &&
1a6bca81
SK		 614 forward->forwardall == 0)
615 /* for broken servers, attempt to send to another one. */
9e4abcb5 616 {
1a6bca81
SK		 617 unsigned char *pheader;
618 size_t plen;
619 int is_sign;
832af0ba 620
1a6bca81
SK		 621 /* recreate query from reply */
622 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
623 if (!is_sign)
832af0ba 624 {
1a6bca81
SK		 625 header->ancount = htons(0);
626 header->nscount = htons(0);
627 header->arcount = htons(0);
628 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
832af0ba 629 {
572b41eb 630 header->hb3 &= ~(HB3_QR | HB3_TC);
1a6bca81
SK		 631 forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
632 return;
832af0ba 633 }
832af0ba 634 }
1a6bca81 635 }
3a237152
SK		 636
637 server = forward->sentto;
1a6bca81
SK		 638
639 if ((forward->sentto->flags & SERV_TYPE) == 0)
640 {
572b41eb 641 if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
1a6bca81
SK		 642 server = NULL;
643 else
b8187c80 644 {
1a6bca81
SK		 645 struct server *last_server;
646
647 /* find good server by address if possible, otherwise assume the last one we sent to */
648 for (last_server = daemon->servers; last_server; last_server = last_server->next)
649 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
650 sockaddr_isequal(&last_server->addr, &serveraddr))
651 {
652 server = last_server;
653 break;
654 }
655 }
28866e95 656 if (!option_bool(OPT_ALL_SERVERS))
1a6bca81
SK		 657 daemon->last_server = server;
658 }
3a237152 659
1a6bca81
SK		 660 /* If the answer is an error, keep the forward record in place in case
661 we get a good reply from another server. Kill it when we've
662 had replies from all to avoid filling the forwarding table when
663 everything is broken */
664 if (forward->forwardall == 0 || --forward->forwardall == 1 ||
572b41eb 665 (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
1a6bca81 666 {
3a237152
SK		 667 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
668
669 if (option_bool(OPT_NO_REBIND))
670 check_rebind = !(forward->flags & FREC_NOREBIND);
671
672 /* Don't cache replies where DNSSEC validation was turned off, either
673 the upstream server told us so, or the original query specified it. */
674 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
675 no_cache_dnssec = 1;
676
677#ifdef HAVE_DNSSEC
678 if (option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
679 {
9d633048 680 int status;
9d633048
SK		 681 int class;
682
c3e0b9b6
SK		 683 if (forward->flags & FREC_DNSKEY_QUERY)
684 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
685 else if (forward->flags & FREC_DS_QUERY)
686 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
9d633048 687 else
c3e0b9b6 688 status = dnssec_validate_reply(header, n, daemon->namebuff, daemon->keyname, &forward->class);
3a237152
SK		 689
690 /* Can't validate, as we're missing key data. Put this
691 answer aside, whilst we get that. */
692 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
693 {
694 struct frec *new;
695 if ((forward->stash = blockdata_alloc((char *)header, n)))
696 {
697 forward->stash_len = n;
9d633048
SK		 698
699 if ((new = get_new_frec(now, NULL, 1)))
3a237152
SK		 700 {
701 int fd;
9d633048 702
3a237152
SK		 703 new = forward; /* copy everything, then overwrite */
704 new->dependent = forward; /* to find query awaiting new one. */
705 forward->blocking_query = new; /* for garbage cleaning */
9d633048 706 /* validate routines leave name of required record in daemon->namebuff */
3a237152 707 if (status == STAT_NEED_KEY)
9d633048
SK		 708 {
709 new->flags |= FREC_DNSKEY_QUERY;
710 nn = dnssec_generate_query(header, daemon->namebuff, class, T_DNSKEY);
711 }
3a237152 712 else if (status == STAT_NEED_DS)
9d633048
SK		 713 {
714 new->flags |= FREC_DS_QUERY;
715 nn = dnssec_generate_query(header, daemon->namebuff, class, T_DS);
716 }
3a237152
SK		 717 new->crc = questions_crc(header, nn, daemon->namebuff);
718 new->new_id = get_id(new->crc);
c3e0b9b6 719 header->id = htons(new->new_id);
9d633048 720
3a237152
SK		 721 /* Don't resend this. */
722 daemon->srv_save = NULL;
723
724 if (server->sfd)
725 fd = server->sfd->fd;
726 else
727#ifdef HAVE_IPV6
9d633048
SK		 728 /* Note that we use the same random port for the DNSSEC stuff */
729 if (server->addr.sa.sa_family == AF_INET6)
730 {
731 fd = new->rfd6->fd;
732 new->rfd6->refcount++;
733 }
734 else
3a237152 735#endif
9d633048
SK		 736 {
737 fd = new->rfd4->fd;
738 new->rfd4->refcount++;
739 }
740
3a237152
SK		 741 /* Send DNSSEC query to same server as original query */
742 while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
743 }
744 }
745 return;
746 }
747
748 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
749 Now wind back down, pulling back answers which wouldn't previously validate
750 and validate them with the new data. Failure to find needed data here is an internal error.
751 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
752 return it to the original requestor. */
c3e0b9b6 753 while (forward->dependent)
3a237152 754 {
c3e0b9b6 755 struct frec *prev = forward->dependent;
3a237152 756 free_frec(forward);
c3e0b9b6 757 forward = prev;
3a237152
SK		 758 blockdata_retrieve_and_free(forward->stash, forward->stash_len, (void *)header);
759 n = forward->stash_len;
760 if (status == STAT_SECURE)
761 {
c3e0b9b6
SK		 762 if (forward->flags & FREC_DNSKEY_QUERY)
763 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
764 else if (forward->flags & FREC_DS_QUERY)
765 status = dnssec_validate_dnskey(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
766
767 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
768 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
3a237152
SK		 769 }
770 }
771
c3e0b9b6
SK		 772 /* All DNSKEY and DS records done and in cache, now finally validate original
773 answer, provided last DNSKEY is OK. */
774 if (status == STAT_SECURE)
775 status = dnssec_validate_reply(header, n, daemon->namebuff, daemon->keyname, &forward->class);
776
3a237152
SK		 777 if (status == STAT_SECURE)
778 cache_secure = 1;
779 /* TODO return SERVFAIL here */
780 else if (status == STAT_BOGUS)
781 no_cache_dnssec = 1;
782 }
783#endif
8ef5ada2 784
3a237152 785 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
ed4c0767 786 forward->flags & FREC_HAS_SUBNET, &forward->source)))
1a6bca81
SK		 787 {
788 header->id = htons(forward->orig_id);
572b41eb 789 header->hb4 |= HB4_RA; /* recursion if available */
54dd393f 790 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
50303b19 791 &forward->source, &forward->dest, forward->iface);
b8187c80 792 }
1a6bca81 793 free_frec(forward); /* cancel */
9e4abcb5 794 }
9e4abcb5 795}
44a2a316 796
1a6bca81 797
5aabfc78 798void receive_query(struct listener *listen, time_t now)
44a2a316 799{
572b41eb 800 struct dns_header *header = (struct dns_header *)daemon->packet;
44a2a316 801 union mysockaddr source_addr;
c1bb8504 802 unsigned short type;
44a2a316 803 struct all_addr dst_addr;
f6b7dc47 804 struct in_addr netmask, dst_addr_4;
cdeda28f
SK		 805 size_t m;
806 ssize_t n;
3b195961
VG		 807 int if_index = 0, auth_dns = 0;
808#ifdef HAVE_AUTH
809 int local_auth = 0;
810#endif
44a2a316
SK		 811 struct iovec iov[1];
812 struct msghdr msg;
813 struct cmsghdr *cmptr;
44a2a316
SK		 814 union {
815 struct cmsghdr align; /* this ensures alignment */
816#ifdef HAVE_IPV6
817 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
818#endif
5e9e0efb 819#if defined(HAVE_LINUX_NETWORK)
44a2a316 820 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
824af85b
SK		 821#elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
822 char control[CMSG_SPACE(sizeof(struct in_addr)) +
823 CMSG_SPACE(sizeof(unsigned int))];
44a2a316
SK		 824#elif defined(IP_RECVDSTADDR)
825 char control[CMSG_SPACE(sizeof(struct in_addr)) +
826 CMSG_SPACE(sizeof(struct sockaddr_dl))];
827#endif
828 } control_u;
2329bef5
SK		 829#ifdef HAVE_IPV6
830 /* Can always get recvd interface for IPv6 */
831 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
832#else
833 int check_dst = !option_bool(OPT_NOWILD);
834#endif
835
cdeda28f
SK		 836 /* packet buffer overwritten */
837 daemon->srv_save = NULL;
838
4f7b304f
SK		 839 dst_addr_4.s_addr = 0;
840 netmask.s_addr = 0;
841
7e5664bd 842 if (option_bool(OPT_NOWILD) && listen->iface)
3d8df260 843 {
4f7b304f
SK		 844 auth_dns = listen->iface->dns_auth;
845
846 if (listen->family == AF_INET)
847 {
848 dst_addr_4 = listen->iface->addr.in.sin_addr;
849 netmask = listen->iface->netmask;
850 }
3d8df260 851 }
4f7b304f 852
3be34541
SK		 853 iov[0].iov_base = daemon->packet;
854 iov[0].iov_len = daemon->edns_pktsz;
44a2a316
SK		 855
856 msg.msg_control = control_u.control;
857 msg.msg_controllen = sizeof(control_u);
858 msg.msg_flags = 0;
859 msg.msg_name = &source_addr;
860 msg.msg_namelen = sizeof(source_addr);
861 msg.msg_iov = iov;
862 msg.msg_iovlen = 1;
863
de37951c 864 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
3be34541 865 return;
44a2a316 866
572b41eb 867 if (n < (int)sizeof(struct dns_header) ||
5e9e0efb 868 (msg.msg_flags & MSG_TRUNC) ||
572b41eb 869 (header->hb3 & HB3_QR))
26128d27
SK		 870 return;
871
44a2a316
SK		 872 source_addr.sa.sa_family = listen->family;
873#ifdef HAVE_IPV6
874 if (listen->family == AF_INET6)
5e9e0efb 875 source_addr.in6.sin6_flowinfo = 0;
44a2a316 876#endif
28866e95 877
2329bef5 878 if (check_dst)
26128d27
SK		 879 {
880 struct ifreq ifr;
881
882 if (msg.msg_controllen < sizeof(struct cmsghdr))
883 return;
44a2a316 884
5e9e0efb 885#if defined(HAVE_LINUX_NETWORK)
26128d27
SK		 886 if (listen->family == AF_INET)
887 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 888 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
26128d27 889 {
8ef5ada2
SK		 890 union {
891 unsigned char *c;
892 struct in_pktinfo *p;
893 } p;
894 p.c = CMSG_DATA(cmptr);
895 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
896 if_index = p.p->ipi_ifindex;
26128d27
SK		 897 }
898#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
899 if (listen->family == AF_INET)
44a2a316 900 {
26128d27 901 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
8ef5ada2
SK		 902 {
903 union {
904 unsigned char *c;
905 unsigned int *i;
906 struct in_addr *a;
907#ifndef HAVE_SOLARIS_NETWORK
908 struct sockaddr_dl *s;
909#endif
910 } p;
911 p.c = CMSG_DATA(cmptr);
912 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
913 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
914 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
824af85b 915#ifdef HAVE_SOLARIS_NETWORK
8ef5ada2 916 if_index = *(p.i);
824af85b 917#else
8ef5ada2 918 if_index = p.s->sdl_index;
824af85b 919#endif
8ef5ada2 920 }
44a2a316 921 }
44a2a316 922#endif
26128d27 923
44a2a316 924#ifdef HAVE_IPV6
26128d27
SK		 925 if (listen->family == AF_INET6)
926 {
927 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 928 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
26128d27 929 {
8ef5ada2
SK		 930 union {
931 unsigned char *c;
932 struct in6_pktinfo *p;
933 } p;
934 p.c = CMSG_DATA(cmptr);
935
936 dst_addr.addr.addr6 = p.p->ipi6_addr;
937 if_index = p.p->ipi6_ifindex;
26128d27
SK		 938 }
939 }
44a2a316 940#endif
26128d27
SK		 941
942 /* enforce available interface configuration */
943
e25db1f2 944 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
5e9e0efb 945 return;
832af0ba 946
e25db1f2
SK		 947 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
948 {
949 if (!option_bool(OPT_CLEVERBIND))
115ac3e4 950 enumerate_interfaces(0);
3f2873d4
SK		 951 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
952 !label_exception(if_index, listen->family, &dst_addr))
e25db1f2
SK		 953 return;
954 }
955
552af8b9
SK		 956 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
957 {
958 struct irec *iface;
959
960 /* get the netmask of the interface whch has the address we were sent to.
961 This is no neccessarily the interface we arrived on. */
962
963 for (iface = daemon->interfaces; iface; iface = iface->next)
964 if (iface->addr.sa.sa_family == AF_INET &&
965 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
966 break;
967
968 /* interface may be new */
e25db1f2 969 if (!iface && !option_bool(OPT_CLEVERBIND))
115ac3e4 970 enumerate_interfaces(0);
552af8b9
SK		 971
972 for (iface = daemon->interfaces; iface; iface = iface->next)
973 if (iface->addr.sa.sa_family == AF_INET &&
974 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
975 break;
976
977 /* If we failed, abandon localisation */
978 if (iface)
979 netmask = iface->netmask;
980 else
981 dst_addr_4.s_addr = 0;
982 }
44a2a316
SK		 983 }
984
cdeda28f 985 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
44a2a316 986 {
1a6bca81 987 char types[20];
b485ed97
SK		 988#ifdef HAVE_AUTH
989 struct auth_zone *zone;
990#endif
1a6bca81 991
4f7b304f 992 querystr(auth_dns ? "auth" : "query", types, type);
1a6bca81 993
44a2a316 994 if (listen->family == AF_INET)
3be34541 995 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 996 (struct all_addr *)&source_addr.in.sin_addr, types);
44a2a316
SK		 997#ifdef HAVE_IPV6
998 else
3be34541 999 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 1000 (struct all_addr *)&source_addr.in6.sin6_addr, types);
44a2a316 1001#endif
44a2a316 1002
b485ed97
SK		 1003#ifdef HAVE_AUTH
1004 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1005 if (!auth_dns)
1006 for (zone = daemon->auth_zones; zone; zone = zone->next)
1007 if (in_zone(zone, daemon->namebuff, NULL))
1008 {
1009 auth_dns = 1;
1010 local_auth = 1;
1011 break;
1012 }
b485ed97
SK		 1013#endif
1014 }
1015
4820dce9 1016#ifdef HAVE_AUTH
4f7b304f 1017 if (auth_dns)
824af85b 1018 {
19b16891 1019 m = answer_auth(header, ((char *) header) + PACKETSZ, (size_t)n, now, &source_addr, local_auth);
4f7b304f 1020 if (m >= 1)
b485ed97
SK		 1021 {
1022 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1023 (char *)header, m, &source_addr, &dst_addr, if_index);
1024 daemon->auth_answer++;
1025 }
824af85b 1026 }
44a2a316 1027 else
4820dce9 1028#endif
4f7b304f
SK		 1029 {
1030 m = answer_request(header, ((char *) header) + PACKETSZ, (size_t)n,
1031 dst_addr_4, netmask, now);
1032
1033 if (m >= 1)
1034 {
1035 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1036 (char *)header, m, &source_addr, &dst_addr, if_index);
1037 daemon->local_answer++;
1038 }
1039 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1040 header, (size_t)n, now, NULL))
1041 daemon->queries_forwarded++;
1042 else
1043 daemon->local_answer++;
1044 }
44a2a316
SK		 1045}
1046
feba5c1d
SK		 1047/* The daemon forks before calling this: it should deal with one connection,
1048 blocking as neccessary, and then return. Note, need to be a bit careful
1049 about resources for debug mode, when the fork is suppressed: that's
1050 done by the caller. */
5aabfc78 1051unsigned char *tcp_request(int confd, time_t now,
4f7b304f 1052 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
feba5c1d 1053{
28866e95
SK		 1054 size_t size = 0;
1055 int norebind = 0;
3b195961 1056#ifdef HAVE_AUTH
19b16891 1057 int local_auth = 0;
3b195961 1058#endif
ed4c0767 1059 int checking_disabled, check_subnet;
cdeda28f 1060 size_t m;
ee86ce68
SK		 1061 unsigned short qtype;
1062 unsigned int gotname;
feba5c1d 1063 unsigned char c1, c2;
4b5ea12e
SK		 1064 /* Max TCP packet + slop + size */
1065 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1066 unsigned char *payload = &packet[2];
1067 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1068 struct dns_header *header = (struct dns_header *)payload;
1069 u16 *length = (u16 *)packet;
3be34541 1070 struct server *last_server;
7de060b0
SK		 1071 struct in_addr dst_addr_4;
1072 union mysockaddr peer_addr;
1073 socklen_t peer_len = sizeof(union mysockaddr);
3be34541 1074
7de060b0
SK		 1075 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1076 return packet;
1077
feba5c1d
SK		 1078 while (1)
1079 {
1080 if (!packet ||
1081 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1082 !(size = c1 << 8 | c2) ||
4b5ea12e 1083 !read_write(confd, payload, size, 1))
feba5c1d
SK		 1084 return packet;
1085
572b41eb 1086 if (size < (int)sizeof(struct dns_header))
feba5c1d
SK		 1087 continue;
1088
ed4c0767
SK		 1089 check_subnet = 0;
1090
28866e95 1091 /* save state of "cd" flag in query */
572b41eb 1092 checking_disabled = header->hb4 & HB4_CD;
28866e95
SK		 1093
1094 /* RFC 4035: sect 4.6 para 2 */
572b41eb 1095 header->hb4 &= ~HB4_AD;
feba5c1d 1096
3be34541 1097 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
feba5c1d 1098 {
7de060b0 1099 char types[20];
b485ed97
SK		 1100#ifdef HAVE_AUTH
1101 struct auth_zone *zone;
1102#endif
4f7b304f 1103 querystr(auth_dns ? "auth" : "query", types, qtype);
7de060b0
SK		 1104
1105 if (peer_addr.sa.sa_family == AF_INET)
1106 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1107 (struct all_addr *)&peer_addr.in.sin_addr, types);
feba5c1d 1108#ifdef HAVE_IPV6
7de060b0
SK		 1109 else
1110 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1111 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
feba5c1d 1112#endif
b485ed97
SK		 1113
1114#ifdef HAVE_AUTH
1115 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1116 if (!auth_dns)
1117 for (zone = daemon->auth_zones; zone; zone = zone->next)
1118 if (in_zone(zone, daemon->namebuff, NULL))
1119 {
1120 auth_dns = 1;
1121 local_auth = 1;
1122 break;
1123 }
b485ed97 1124#endif
feba5c1d
SK		 1125 }
1126
7de060b0
SK		 1127 if (local_addr->sa.sa_family == AF_INET)
1128 dst_addr_4 = local_addr->in.sin_addr;
1129 else
1130 dst_addr_4.s_addr = 0;
1131
4820dce9 1132#ifdef HAVE_AUTH
4f7b304f 1133 if (auth_dns)
19b16891 1134 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
4f7b304f 1135 else
4820dce9 1136#endif
feba5c1d 1137 {
4f7b304f
SK		 1138 /* m > 0 if answered from cache */
1139 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1140 dst_addr_4, netmask, now);
feba5c1d 1141
4f7b304f
SK		 1142 /* Do this by steam now we're not in the select() loop */
1143 check_log_writer(NULL);
1144
1145 if (m == 0)
feba5c1d 1146 {
4f7b304f
SK		 1147 unsigned int flags = 0;
1148 struct all_addr *addrp = NULL;
1149 int type = 0;
1150 char *domain = NULL;
feba5c1d 1151
4f7b304f
SK		 1152 if (option_bool(OPT_ADD_MAC))
1153 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
ed4c0767
SK		 1154
1155 if (option_bool(OPT_CLIENT_SUBNET))
1156 {
1157 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1158 if (size != new)
1159 {
1160 size = new;
1161 check_subnet = 1;
1162 }
1163 }
1164
4f7b304f
SK		 1165 if (gotname)
1166 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1167
1168 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1169 last_server = daemon->servers;
1170 else
1171 last_server = daemon->last_server;
1172
1173 if (!flags && last_server)
1174 {
1175 struct server *firstsendto = NULL;
1176 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1177
1178 /* Loop round available servers until we succeed in connecting to one.
1179 Note that this code subtley ensures that consecutive queries on this connection
1180 which can go to the same server, do so. */
1181 while (1)
feba5c1d 1182 {
4f7b304f
SK		 1183 if (!firstsendto)
1184 firstsendto = last_server;
1185 else
1186 {
1187 if (!(last_server = last_server->next))
1188 last_server = daemon->servers;
1189
1190 if (last_server == firstsendto)
1191 break;
1192 }
1193
1194 /* server for wrong domain */
1195 if (type != (last_server->flags & SERV_TYPE) ||
1196 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
7de060b0
SK		 1197 continue;
1198
4f7b304f 1199 if (last_server->tcpfd == -1)
7de060b0 1200 {
4f7b304f
SK		 1201 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1202 continue;
1203
1204 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1205 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1206 {
1207 close(last_server->tcpfd);
1208 last_server->tcpfd = -1;
1209 continue;
1210 }
1211
7de060b0 1212#ifdef HAVE_CONNTRACK
4f7b304f
SK		 1213 /* Copy connection mark of incoming query to outgoing connection. */
1214 if (option_bool(OPT_CONNTRACK))
1215 {
1216 unsigned int mark;
1217 struct all_addr local;
7de060b0 1218#ifdef HAVE_IPV6
4f7b304f
SK		 1219 if (local_addr->sa.sa_family == AF_INET6)
1220 local.addr.addr6 = local_addr->in6.sin6_addr;
1221 else
7de060b0 1222#endif
4f7b304f
SK		 1223 local.addr.addr4 = local_addr->in.sin_addr;
1224
1225 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1226 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1227 }
7de060b0 1228#endif
4f7b304f
SK		 1229 }
1230
4b5ea12e 1231 *length = htons(size);
4f7b304f 1232
4b5ea12e 1233 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
4f7b304f
SK		 1234 !read_write(last_server->tcpfd, &c1, 1, 1) ||
1235 !read_write(last_server->tcpfd, &c2, 1, 1))
1236 {
1237 close(last_server->tcpfd);
1238 last_server->tcpfd = -1;
1239 continue;
1240 }
1241
1242 m = (c1 << 8) | c2;
4b5ea12e 1243 if (!read_write(last_server->tcpfd, payload, m, 1))
4f7b304f
SK		 1244 return packet;
1245
1246 if (!gotname)
1247 strcpy(daemon->namebuff, "query");
1248 if (last_server->addr.sa.sa_family == AF_INET)
1249 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1250 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
feba5c1d 1251#ifdef HAVE_IPV6
4f7b304f
SK		 1252 else
1253 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1254 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
feba5c1d 1255#endif
4f7b304f
SK		 1256
1257 /* There's no point in updating the cache, since this process will exit and
1258 lose the information after a few queries. We make this call for the alias and
1259 bogus-nxdomain side-effects. */
1260 /* If the crc of the question section doesn't match the crc we sent, then
1261 someone might be attempting to insert bogus values into the cache by
1262 sending replies containing questions and bogus answers. */
1263 if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
1264 m = process_reply(header, now, last_server, (unsigned int)m,
ed4c0767 1265 option_bool(OPT_NO_REBIND) && !norebind, checking_disabled,
3a237152 1266 0, check_subnet, &peer_addr); /* TODO - cache secure */
4f7b304f
SK		 1267
1268 break;
1269 }
feba5c1d 1270 }
4f7b304f
SK		 1271
1272 /* In case of local answer or no connections made. */
1273 if (m == 0)
1274 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
feba5c1d 1275 }
feba5c1d 1276 }
4f7b304f 1277
5aabfc78 1278 check_log_writer(NULL);
feba5c1d 1279
4b5ea12e
SK		 1280 *length = htons(m);
1281
1282 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
feba5c1d
SK		 1283 return packet;
1284 }
1285}
1286
1697269c 1287static struct frec *allocate_frec(time_t now)
9e4abcb5 1288{
1697269c
SK		 1289 struct frec *f;
1290
5aabfc78 1291 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
9e4abcb5 1292 {
1a6bca81 1293 f->next = daemon->frec_list;
1697269c 1294 f->time = now;
832af0ba 1295 f->sentto = NULL;
1a6bca81 1296 f->rfd4 = NULL;
28866e95 1297 f->flags = 0;
1a6bca81
SK		 1298#ifdef HAVE_IPV6
1299 f->rfd6 = NULL;
3a237152
SK		 1300#endif
1301#ifdef HAVE_DNSSEC
1302 f->blocking_query = NULL;
1a6bca81
SK		 1303#endif
1304 daemon->frec_list = f;
1697269c 1305 }
9e4abcb5 1306
1697269c
SK		 1307 return f;
1308}
9e4abcb5 1309
1a6bca81
SK		 1310static struct randfd *allocate_rfd(int family)
1311{
1312 static int finger = 0;
1313 int i;
1314
1315 /* limit the number of sockets we have open to avoid starvation of
1316 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1317
1318 for (i = 0; i < RANDOM_SOCKS; i++)
9009d746 1319 if (daemon->randomsocks[i].refcount == 0)
1a6bca81 1320 {
9009d746
SK		 1321 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
1322 break;
1323
1a6bca81
SK		 1324 daemon->randomsocks[i].refcount = 1;
1325 daemon->randomsocks[i].family = family;
1326 return &daemon->randomsocks[i];
1327 }
1328
9009d746 1329 /* No free ones or cannot get new socket, grab an existing one */
1a6bca81
SK		 1330 for (i = 0; i < RANDOM_SOCKS; i++)
1331 {
1332 int j = (i+finger) % RANDOM_SOCKS;
9009d746
SK		 1333 if (daemon->randomsocks[j].refcount != 0 &&
1334 daemon->randomsocks[j].family == family &&
1335 daemon->randomsocks[j].refcount != 0xffff)
1a6bca81
SK		 1336 {
1337 finger = j;
1338 daemon->randomsocks[j].refcount++;
1339 return &daemon->randomsocks[j];
1340 }
1341 }
1342
1343 return NULL; /* doom */
1344}
1345
1346static void free_frec(struct frec *f)
1347{
1348 if (f->rfd4 && --(f->rfd4->refcount) == 0)
1349 close(f->rfd4->fd);
1350
1351 f->rfd4 = NULL;
1352 f->sentto = NULL;
28866e95 1353 f->flags = 0;
1a6bca81
SK		 1354
1355#ifdef HAVE_IPV6
1356 if (f->rfd6 && --(f->rfd6->refcount) == 0)
1357 close(f->rfd6->fd);
1358
1359 f->rfd6 = NULL;
1360#endif
3a237152
SK		 1361
1362#ifdef HAVE_DNSSEC
1363 if (f->stash)
1364 blockdata_free(f->stash);
1365
1366 /* Anything we're waiting on is pointless now, too */
1367 if (f->blocking_query)
1368 free_frec(f->blocking_query);
1369 f->blocking_query = NULL;
1370
1371#endif
1a6bca81
SK		 1372}
1373
1697269c
SK		 1374/* if wait==NULL return a free or older than TIMEOUT record.
1375 else return *wait zero if one available, or *wait is delay to
1a6bca81 1376 when the oldest in-use record will expire. Impose an absolute
3a237152
SK		 1377 limit of 4*TIMEOUT before we wipe things (for random sockets).
1378 If force is set, always return a result, even if we have
1379 to allocate above the limit. */
1380struct frec *get_new_frec(time_t now, int *wait, int force)
1697269c 1381{
1a6bca81 1382 struct frec *f, *oldest, *target;
1697269c
SK		 1383 int count;
1384
1385 if (wait)
1386 *wait = 0;
1387
1a6bca81 1388 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
832af0ba 1389 if (!f->sentto)
1a6bca81
SK		 1390 target = f;
1391 else
1697269c 1392 {
1a6bca81
SK		 1393 if (difftime(now, f->time) >= 4*TIMEOUT)
1394 {
1395 free_frec(f);
1396 target = f;
1397 }
1398
1399 if (!oldest || difftime(f->time, oldest->time) <= 0)
1400 oldest = f;
1697269c 1401 }
1a6bca81
SK		 1402
1403 if (target)
1404 {
1405 target->time = now;
1406 return target;
1407 }
9e4abcb5
SK		 1408
1409 /* can't find empty one, use oldest if there is one
1410 and it's older than timeout */
1697269c 1411 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
9e4abcb5 1412 {
1697269c
SK		 1413 /* keep stuff for twice timeout if we can by allocating a new
1414 record instead */
1415 if (difftime(now, oldest->time) < 2*TIMEOUT &&
1416 count <= daemon->ftabsize &&
1417 (f = allocate_frec(now)))
1418 return f;
1419
1420 if (!wait)
1421 {
1a6bca81 1422 free_frec(oldest);
1697269c
SK		 1423 oldest->time = now;
1424 }
9e4abcb5
SK		 1425 return oldest;
1426 }
1427
1697269c 1428 /* none available, calculate time 'till oldest record expires */
3a237152 1429 if (!force && count > daemon->ftabsize)
1697269c 1430 {
0da5e897
MSB		 1431 static time_t last_log = 0;
1432
1697269c
SK		 1433 if (oldest && wait)
1434 *wait = oldest->time + (time_t)TIMEOUT - now;
0da5e897
MSB		 1435
1436 if ((int)difftime(now, last_log) > 5)
1437 {
1438 last_log = now;
1439 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
1440 }
1441
9e4abcb5
SK		 1442 return NULL;
1443 }
1697269c
SK		 1444
1445 if (!(f = allocate_frec(now)) && wait)
1446 /* wait one second on malloc failure */
1447 *wait = 1;
9e4abcb5 1448
9e4abcb5
SK		 1449 return f; /* OK if malloc fails and this is NULL */
1450}
1451
832af0ba
SK		 1452/* crc is all-ones if not known. */
1453static struct frec *lookup_frec(unsigned short id, unsigned int crc)
9e4abcb5
SK		 1454{
1455 struct frec *f;
1456
1a6bca81 1457 for(f = daemon->frec_list; f; f = f->next)
832af0ba
SK		 1458 if (f->sentto && f->new_id == id &&
1459 (f->crc == crc || crc == 0xffffffff))
9e4abcb5
SK		 1460 return f;
1461
1462 return NULL;
1463}
1464
1465static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481
SK		 1466 union mysockaddr *addr,
1467 unsigned int crc)
9e4abcb5 1468{
feba5c1d
SK		 1469 struct frec *f;
1470
1a6bca81 1471 for(f = daemon->frec_list; f; f = f->next)
832af0ba 1472 if (f->sentto &&
9e4abcb5 1473 f->orig_id == id &&
fd9fa481 1474 f->crc == crc &&
9e4abcb5
SK		 1475 sockaddr_isequal(&f->source, addr))
1476 return f;
1477
1478 return NULL;
1479}
1480
849a8357 1481/* A server record is going away, remove references to it */
5aabfc78 1482void server_gone(struct server *server)
849a8357
SK		 1483{
1484 struct frec *f;
1485
1a6bca81 1486 for (f = daemon->frec_list; f; f = f->next)
832af0ba 1487 if (f->sentto && f->sentto == server)
1a6bca81 1488 free_frec(f);
849a8357
SK		 1489
1490 if (daemon->last_server == server)
1491 daemon->last_server = NULL;
1492
1493 if (daemon->srv_save == server)
1494 daemon->srv_save = NULL;
1495}
9e4abcb5 1496
316e2730
SK		 1497/* return unique random ids. */
1498static unsigned short get_id(unsigned int crc)
9e4abcb5
SK		 1499{
1500 unsigned short ret = 0;
832af0ba 1501
316e2730 1502 do
832af0ba
SK		 1503 ret = rand16();
1504 while (lookup_frec(ret, crc));
1505
9e4abcb5
SK		 1506 return ret;
1507}
1508
1509
1510
1511
1512
Michael's tree of dnsmasq.