]> git.ipfire.org Git - people/ms/dnsmasq.git/blame - src/forward.c
projects / people / ms / dnsmasq.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
UDP retries for DNSSEC
[people/ms/dnsmasq.git] / src / forward.c
CommitLineData
c47e3ba4 1/* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
9e4abcb5
SK		 2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
824af85b
SK		 5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
9e4abcb5
SK		 8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
824af85b 12
73a08a24
SK		 13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
9e4abcb5
SK		 15*/
16
9e4abcb5
SK		 17#include "dnsmasq.h"
18
832af0ba 19static struct frec *lookup_frec(unsigned short id, unsigned int crc);
9e4abcb5 20static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481
SK		 21 union mysockaddr *addr,
22 unsigned int crc);
316e2730 23static unsigned short get_id(unsigned int crc);
1a6bca81
SK		 24static void free_frec(struct frec *f);
25static struct randfd *allocate_rfd(int family);
9e4abcb5 26
824af85b 27/* Send a UDP packet with its source address set as "source"
44a2a316 28 unless nowild is true, when we just send it with the kernel default */
29689cfa
SK		 29int send_from(int fd, int nowild, char *packet, size_t len,
30 union mysockaddr *to, struct all_addr *source,
50303b19 31 unsigned int iface)
9e4abcb5 32{
44a2a316
SK		 33 struct msghdr msg;
34 struct iovec iov[1];
44a2a316
SK		 35 union {
36 struct cmsghdr align; /* this ensures alignment */
5e9e0efb 37#if defined(HAVE_LINUX_NETWORK)
44a2a316
SK		 38 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
39#elif defined(IP_SENDSRCADDR)
40 char control[CMSG_SPACE(sizeof(struct in_addr))];
41#endif
42#ifdef HAVE_IPV6
43 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
44#endif
45 } control_u;
feba5c1d 46
44a2a316
SK		 47 iov[0].iov_base = packet;
48 iov[0].iov_len = len;
49
feba5c1d
SK		 50 msg.msg_control = NULL;
51 msg.msg_controllen = 0;
44a2a316
SK		 52 msg.msg_flags = 0;
53 msg.msg_name = to;
54 msg.msg_namelen = sa_len(to);
55 msg.msg_iov = iov;
56 msg.msg_iovlen = 1;
feba5c1d 57
26128d27 58 if (!nowild)
44a2a316 59 {
26128d27 60 struct cmsghdr *cmptr;
feba5c1d
SK		 61 msg.msg_control = &control_u;
62 msg.msg_controllen = sizeof(control_u);
26128d27
SK		 63 cmptr = CMSG_FIRSTHDR(&msg);
64
65 if (to->sa.sa_family == AF_INET)
66 {
5e9e0efb 67#if defined(HAVE_LINUX_NETWORK)
8ef5ada2
SK		 68 struct in_pktinfo p;
69 p.ipi_ifindex = 0;
70 p.ipi_spec_dst = source->addr.addr4;
71 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 72 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
c72daea8 73 cmptr->cmsg_level = IPPROTO_IP;
26128d27 74 cmptr->cmsg_type = IP_PKTINFO;
44a2a316 75#elif defined(IP_SENDSRCADDR)
8ef5ada2 76 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
26128d27
SK		 77 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
78 cmptr->cmsg_level = IPPROTO_IP;
79 cmptr->cmsg_type = IP_SENDSRCADDR;
44a2a316 80#endif
26128d27 81 }
26128d27 82 else
b8187c80 83#ifdef HAVE_IPV6
26128d27 84 {
8ef5ada2
SK		 85 struct in6_pktinfo p;
86 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
87 p.ipi6_addr = source->addr.addr6;
88 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 89 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
316e2730 90 cmptr->cmsg_type = daemon->v6pktinfo;
c72daea8 91 cmptr->cmsg_level = IPPROTO_IPV6;
26128d27 92 }
3d8df260 93#else
c72daea8 94 (void)iface; /* eliminate warning */
44a2a316 95#endif
26128d27 96 }
feba5c1d 97
29d28dda 98 while (sendmsg(fd, &msg, 0) == -1)
feba5c1d 99 {
fd9fa481 100 if (retry_send())
29d28dda 101 continue;
22d904db 102
29d28dda
SK		 103 /* If interface is still in DAD, EINVAL results - ignore that. */
104 if (errno == EINVAL)
105 break;
29689cfa 106
29d28dda 107 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
29689cfa 108 return 0;
feba5c1d 109 }
29d28dda 110
29689cfa 111 return 1;
9e4abcb5 112}
44a2a316 113
28866e95
SK		 114static unsigned int search_servers(time_t now, struct all_addr **addrpp,
115 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
feba5c1d
SK		 116
117{
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
121
122 unsigned int namelen = strlen(qdomain);
123 unsigned int matchlen = 0;
124 struct server *serv;
28866e95 125 unsigned int flags = 0;
feba5c1d 126
3be34541 127 for (serv = daemon->servers; serv; serv=serv->next)
feba5c1d 128 /* domain matches take priority over NODOTS matches */
3d8df260 129 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
feba5c1d 130 {
28866e95 131 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
feba5c1d 132 *type = SERV_FOR_NODOTS;
feba5c1d 133 if (serv->flags & SERV_NO_ADDR)
36717eee
SK		 134 flags = F_NXDOMAIN;
135 else if (serv->flags & SERV_LITERAL_ADDRESS)
136 {
137 if (sflag & qtype)
138 {
139 flags = sflag;
140 if (serv->addr.sa.sa_family == AF_INET)
141 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 142#ifdef HAVE_IPV6
36717eee
SK		 143 else
144 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 145#endif
36717eee 146 }
824af85b 147 else if (!flags || (flags & F_NXDOMAIN))
36717eee
SK		 148 flags = F_NOERR;
149 }
feba5c1d
SK		 150 }
151 else if (serv->flags & SERV_HAS_DOMAIN)
152 {
153 unsigned int domainlen = strlen(serv->domain);
b8187c80 154 char *matchstart = qdomain + namelen - domainlen;
feba5c1d 155 if (namelen >= domainlen &&
b8187c80 156 hostname_isequal(matchstart, serv->domain) &&
8ef5ada2 157 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
feba5c1d 158 {
8ef5ada2
SK		 159 if (serv->flags & SERV_NO_REBIND)
160 *norebind = 1;
28866e95 161 else
feba5c1d 162 {
28866e95
SK		 163 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen != 0 && domainlen == matchlen)
36717eee 168 {
28866e95 169 if ((serv->flags & SERV_LITERAL_ADDRESS))
8ef5ada2 170 {
28866e95
SK		 171 if (!(sflag & qtype) && flags == 0)
172 continue;
173 }
174 else
175 {
176 if (flags & (F_IPV4 | F_IPV6))
177 continue;
178 }
179 }
180
181 if (domainlen >= matchlen)
182 {
183 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
184 *domain = serv->domain;
185 matchlen = domainlen;
186 if (serv->flags & SERV_NO_ADDR)
187 flags = F_NXDOMAIN;
188 else if (serv->flags & SERV_LITERAL_ADDRESS)
189 {
190 if (sflag & qtype)
191 {
192 flags = sflag;
193 if (serv->addr.sa.sa_family == AF_INET)
194 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 195#ifdef HAVE_IPV6
28866e95
SK		 196 else
197 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 198#endif
28866e95
SK		 199 }
200 else if (!flags || (flags & F_NXDOMAIN))
201 flags = F_NOERR;
8ef5ada2 202 }
28866e95
SK		 203 else
204 flags = 0;
205 }
206 }
8ef5ada2 207 }
feba5c1d 208 }
8ef5ada2 209
7de060b0 210 if (flags == 0 && !(qtype & F_QUERY) &&
28866e95 211 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
7de060b0
SK		 212 /* don't forward A or AAAA queries for simple names, except the empty name */
213 flags = F_NOERR;
8ef5ada2 214
5aabfc78 215 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
c1bb8504 216 flags = F_NOERR;
feba5c1d 217
824af85b
SK		 218 if (flags)
219 {
220 int logflags = 0;
221
222 if (flags == F_NXDOMAIN || flags == F_NOERR)
223 logflags = F_NEG | qtype;
224
1a6bca81 225 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
824af85b 226 }
8ef5ada2
SK		 227 else if ((*type) & SERV_USE_RESOLV)
228 {
229 *type = 0; /* use normal servers for this domain */
230 *domain = NULL;
231 }
feba5c1d
SK		 232 return flags;
233}
44a2a316 234
824af85b
SK		 235static int forward_query(int udpfd, union mysockaddr *udpaddr,
236 struct all_addr *dst_addr, unsigned int dst_iface,
572b41eb 237 struct dns_header *header, size_t plen, time_t now, struct frec *forward)
9e4abcb5 238{
9e4abcb5 239 char *domain = NULL;
8ef5ada2 240 int type = 0, norebind = 0;
9e4abcb5 241 struct all_addr *addrp = NULL;
cdeda28f 242 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
28866e95
SK		 243 unsigned int flags = 0;
244 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
de37951c 245 struct server *start = NULL;
7de060b0 246
28866e95 247 /* RFC 4035: sect 4.6 para 2 */
572b41eb
SK		 248 header->hb4 &= ~HB4_AD;
249
3d8df260
SK		 250 /* may be no servers available. */
251 if (!daemon->servers)
9e4abcb5 252 forward = NULL;
b8187c80 253 else if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, crc)))
9e4abcb5 254 {
e0c0ad3b
SK		 255#ifdef HAVE_DNSSEC
256 /* If we've already got an answer to this query, but we're awaiting keys for vaildation,
257 there's no point retrying the query, retry the key query instead...... */
258 if (forward->blocking_query)
259 {
260 int fd;
261
262 while (forward->blocking_query)
263 forward = forward->blocking_query;
264
265 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
266 plen = forward->stash_len;
267
268 if (forward->sentto->addr.sa.sa_family)
269 log_query(F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
270#ifdef HAVE_IPV6
271 else
272 log_query(F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
273#endif
274
275 if (forward->sentto->sfd)
276 fd = forward->sentto->sfd->fd;
277 else
278 {
279#ifdef HAVE_IPV6
280 if (forward->sentto->addr.sa.sa_family == AF_INET6)
281 fd = forward->rfd6->fd;
282 else
283#endif
284 fd = forward->rfd4->fd;
285 }
286
287 while (sendto(fd, (char *)header, plen, 0,
288 &forward->sentto->addr.sa,
289 sa_len(&forward->sentto->addr)) == -1 && retry_send());
290
291 return 1;
292 }
293#endif
294
de37951c 295 /* retry on existing query, send to all available servers */
9e4abcb5 296 domain = forward->sentto->domain;
824af85b 297 forward->sentto->failed_queries++;
28866e95 298 if (!option_bool(OPT_ORDER))
de37951c 299 {
0a852541 300 forward->forwardall = 1;
3be34541 301 daemon->last_server = NULL;
de37951c 302 }
9e4abcb5 303 type = forward->sentto->flags & SERV_TYPE;
de37951c 304 if (!(start = forward->sentto->next))
3be34541 305 start = daemon->servers; /* at end of list, recycle */
9e4abcb5
SK		 306 header->id = htons(forward->new_id);
307 }
308 else
309 {
310 if (gotname)
8ef5ada2 311 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
9e4abcb5 312
3a237152 313 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
feba5c1d
SK		 314 /* table full - server failure. */
315 flags = F_NEG;
9e4abcb5
SK		 316
317 if (forward)
318 {
0a852541
SK		 319 forward->source = *udpaddr;
320 forward->dest = *dst_addr;
321 forward->iface = dst_iface;
0a852541 322 forward->orig_id = ntohs(header->id);
316e2730 323 forward->new_id = get_id(crc);
832af0ba 324 forward->fd = udpfd;
0a852541
SK		 325 forward->crc = crc;
326 forward->forwardall = 0;
ed4c0767 327 forward->flags = 0;
28866e95
SK		 328 if (norebind)
329 forward->flags |= FREC_NOREBIND;
572b41eb 330 if (header->hb4 & HB4_CD)
28866e95 331 forward->flags |= FREC_CHECKING_DISABLED;
0a852541 332
28866e95
SK		 333 header->id = htons(forward->new_id);
334
8ef5ada2
SK		 335 /* In strict_order mode, always try servers in the order
336 specified in resolv.conf, if a domain is given
337 always try all the available servers,
9e4abcb5
SK		 338 otherwise, use the one last known to work. */
339
8ef5ada2
SK		 340 if (type == 0)
341 {
28866e95 342 if (option_bool(OPT_ORDER))
8ef5ada2
SK		 343 start = daemon->servers;
344 else if (!(start = daemon->last_server) ||
345 daemon->forwardcount++ > FORWARD_TEST ||
346 difftime(now, daemon->forwardtime) > FORWARD_TIME)
347 {
348 start = daemon->servers;
349 forward->forwardall = 1;
350 daemon->forwardcount = 0;
351 daemon->forwardtime = now;
352 }
353 }
354 else
de37951c 355 {
3be34541 356 start = daemon->servers;
28866e95 357 if (!option_bool(OPT_ORDER))
8ef5ada2 358 forward->forwardall = 1;
de37951c 359 }
9e4abcb5
SK		 360 }
361 }
feba5c1d 362
9e4abcb5
SK		 363 /* check for send errors here (no route to host)
364 if we fail to send to all nameservers, send back an error
365 packet straight away (helps modem users when offline) */
366
367 if (!flags && forward)
368 {
de37951c
SK		 369 struct server *firstsentto = start;
370 int forwarded = 0;
28866e95 371
797a7afb 372 if (option_bool(OPT_ADD_MAC))
60b68069 373 plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
28866e95 374
ed4c0767
SK		 375 if (option_bool(OPT_CLIENT_SUBNET))
376 {
60b68069 377 size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
ed4c0767
SK		 378 if (new != plen)
379 {
380 plen = new;
381 forward->flags |= FREC_HAS_SUBNET;
382 }
383 }
384
3a237152
SK		 385#ifdef HAVE_DNSSEC
386 if (option_bool(OPT_DNSSEC_VALID))
0fc2f313 387 {
60b68069 388 plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
0fc2f313
SK		 389 header->hb4 |= HB4_CD;
390 }
3a237152
SK		 391#endif
392
9e4abcb5
SK		 393 while (1)
394 {
9e4abcb5
SK		 395 /* only send to servers dealing with our domain.
396 domain may be NULL, in which case server->domain
397 must be NULL also. */
398
de37951c 399 if (type == (start->flags & SERV_TYPE) &&
fd9fa481
SK		 400 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
401 !(start->flags & SERV_LITERAL_ADDRESS))
9e4abcb5 402 {
1a6bca81
SK		 403 int fd;
404
405 /* find server socket to use, may need to get random one. */
406 if (start->sfd)
407 fd = start->sfd->fd;
408 else
409 {
410#ifdef HAVE_IPV6
411 if (start->addr.sa.sa_family == AF_INET6)
412 {
413 if (!forward->rfd6 &&
414 !(forward->rfd6 = allocate_rfd(AF_INET6)))
415 break;
3927da46 416 daemon->rfd_save = forward->rfd6;
1a6bca81
SK		 417 fd = forward->rfd6->fd;
418 }
419 else
420#endif
421 {
422 if (!forward->rfd4 &&
423 !(forward->rfd4 = allocate_rfd(AF_INET)))
424 break;
3927da46 425 daemon->rfd_save = forward->rfd4;
1a6bca81
SK		 426 fd = forward->rfd4->fd;
427 }
7de060b0
SK		 428
429#ifdef HAVE_CONNTRACK
430 /* Copy connection mark of incoming query to outgoing connection. */
431 if (option_bool(OPT_CONNTRACK))
432 {
433 unsigned int mark;
797a7afb 434 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
7de060b0
SK		 435 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
436 }
437#endif
1a6bca81
SK		 438 }
439
440 if (sendto(fd, (char *)header, plen, 0,
feba5c1d 441 &start->addr.sa,
fd9fa481
SK		 442 sa_len(&start->addr)) == -1)
443 {
444 if (retry_send())
445 continue;
446 }
447 else
9e4abcb5 448 {
cdeda28f
SK		 449 /* Keep info in case we want to re-send this packet */
450 daemon->srv_save = start;
451 daemon->packet_len = plen;
452
de37951c 453 if (!gotname)
3be34541 454 strcpy(daemon->namebuff, "query");
de37951c 455 if (start->addr.sa.sa_family == AF_INET)
3be34541 456 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 457 (struct all_addr *)&start->addr.in.sin_addr, NULL);
de37951c
SK		 458#ifdef HAVE_IPV6
459 else
3be34541 460 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 461 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
de37951c 462#endif
824af85b 463 start->queries++;
de37951c
SK		 464 forwarded = 1;
465 forward->sentto = start;
0a852541 466 if (!forward->forwardall)
de37951c 467 break;
0a852541 468 forward->forwardall++;
9e4abcb5
SK		 469 }
470 }
471
de37951c 472 if (!(start = start->next))
3be34541 473 start = daemon->servers;
9e4abcb5 474
de37951c 475 if (start == firstsentto)
9e4abcb5
SK		 476 break;
477 }
478
de37951c 479 if (forwarded)
824af85b 480 return 1;
de37951c 481
9e4abcb5
SK		 482 /* could not send on, prepare to return */
483 header->id = htons(forward->orig_id);
1a6bca81 484 free_frec(forward); /* cancel */
9e4abcb5
SK		 485 }
486
487 /* could not send on, return empty answer or address if known for whole domain */
b8187c80
SK		 488 if (udpfd != -1)
489 {
cdeda28f 490 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
54dd393f 491 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
b8187c80
SK		 492 }
493
824af85b 494 return 0;
9e4abcb5
SK		 495}
496
ed4c0767 497static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
3a237152 498 int no_cache, int cache_secure, int check_subnet, union mysockaddr *query_source)
feba5c1d 499{
36717eee 500 unsigned char *pheader, *sizep;
13d86c73 501 char **sets = 0;
832af0ba 502 int munged = 0, is_sign;
cdeda28f
SK		 503 size_t plen;
504
13d86c73
JD		 505#ifdef HAVE_IPSET
506 /* Similar algorithm to search_servers. */
507 struct ipsets *ipset_pos;
508 unsigned int namelen = strlen(daemon->namebuff);
509 unsigned int matchlen = 0;
510 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
511 {
512 unsigned int domainlen = strlen(ipset_pos->domain);
513 char *matchstart = daemon->namebuff + namelen - domainlen;
514 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
515 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
516 domainlen >= matchlen) {
517 matchlen = domainlen;
518 sets = ipset_pos->sets;
519 }
520 }
521#endif
522
feba5c1d 523 /* If upstream is advertising a larger UDP packet size
9009d746
SK		 524 than we allow, trim it so that we don't get overlarge
525 requests for the client. We can't do this for signed packets. */
feba5c1d 526
ed4c0767 527 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
feba5c1d 528 {
ed4c0767
SK		 529 if (!is_sign)
530 {
531 unsigned short udpsz;
532 unsigned char *psave = sizep;
533
534 GETSHORT(udpsz, sizep);
535 if (udpsz > daemon->edns_pktsz)
536 PUTSHORT(daemon->edns_pktsz, psave);
537 }
feba5c1d 538
ed4c0767
SK		 539 if (check_subnet && !check_source(header, plen, pheader, query_source))
540 {
541 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
542 return 0;
543 }
feba5c1d 544 }
ed4c0767 545
28866e95 546 /* RFC 4035 sect 4.6 para 3 */
237724c0 547 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
795501bc 548 header->hb4 &= ~HB4_AD;
3a237152
SK		 549
550#ifdef HAVE_DNSSEC
551 if (option_bool(OPT_DNSSEC_VALID))
795501bc
SK		 552 header->hb4 &= ~HB4_AD;
553
a25720a3 554 if (!(header->hb4 & HB4_CD) && cache_secure)
3a237152
SK		 555 header->hb4 |= HB4_AD;
556#endif
557
572b41eb 558 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
0a852541
SK		 559 return n;
560
feba5c1d 561 /* Complain loudly if the upstream server is non-recursive. */
572b41eb 562 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
0a852541 563 server && !(server->flags & SERV_WARNED_RECURSIVE))
feba5c1d 564 {
3d8df260 565 prettyprint_addr(&server->addr, daemon->namebuff);
f2621c7f 566 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
28866e95 567 if (!option_bool(OPT_LOG))
0a852541
SK		 568 server->flags |= SERV_WARNED_RECURSIVE;
569 }
e292e93d 570
572b41eb 571 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
fd9fa481 572 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
feba5c1d 573 {
fd9fa481 574 munged = 1;
572b41eb
SK		 575 SET_RCODE(header, NXDOMAIN);
576 header->hb3 &= ~HB3_AA;
36717eee 577 }
fd9fa481 578 else
36717eee 579 {
572b41eb 580 if (RCODE(header) == NXDOMAIN &&
fd9fa481 581 extract_request(header, n, daemon->namebuff, NULL) &&
5aabfc78 582 check_for_local_domain(daemon->namebuff, now))
36717eee
SK		 583 {
584 /* if we forwarded a query for a locally known name (because it was for
585 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
586 since we know that the domain exists, even if upstream doesn't */
fd9fa481 587 munged = 1;
572b41eb
SK		 588 header->hb3 |= HB3_AA;
589 SET_RCODE(header, NOERROR);
feba5c1d 590 }
832af0ba 591
0fc2f313 592 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure))
824af85b 593 {
8ef5ada2 594 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
824af85b
SK		 595 munged = 1;
596 }
feba5c1d 597 }
fd9fa481 598
a25720a3
SK		 599#ifdef HAVE_DNSSEC
600 if (no_cache && !(header->hb4 & HB4_CD))
601 {
602 if (option_bool(OPT_DNSSEC_PERMISS))
603 {
604 unsigned short type;
605 char types[20];
606
607 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
608 {
609 querystr("", types, type);
610 my_syslog(LOG_WARNING, _("DNSSEC validation failed: query %s%s"), daemon->namebuff, types);
611 }
612 else
613 my_syslog(LOG_WARNING, _("DNSSEC validation failed for unknown query"));
614 }
615 else
616 {
617 /* Bogus reply, turn into SERVFAIL */
618 SET_RCODE(header, SERVFAIL);
619 munged = 1;
620 }
621 }
622#endif
623
fd9fa481
SK		 624 /* do this after extract_addresses. Ensure NODATA reply and remove
625 nameserver info. */
626
627 if (munged)
628 {
629 header->ancount = htons(0);
630 header->nscount = htons(0);
631 header->arcount = htons(0);
632 }
633
36717eee
SK		 634 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
635 sections of the packet. Find the new length here and put back pseudoheader
636 if it was removed. */
637 return resize_packet(header, n, pheader, plen);
feba5c1d
SK		 638}
639
3be34541 640/* sets new last_server */
1a6bca81 641void reply_query(int fd, int family, time_t now)
9e4abcb5
SK		 642{
643 /* packet from peer server, extract data for cache, and send to
644 original requester */
572b41eb 645 struct dns_header *header;
de37951c 646 union mysockaddr serveraddr;
832af0ba 647 struct frec *forward;
de37951c 648 socklen_t addrlen = sizeof(serveraddr);
60b68069 649 ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
cdeda28f 650 size_t nn;
1a6bca81
SK		 651 struct server *server;
652
cdeda28f
SK		 653 /* packet buffer overwritten */
654 daemon->srv_save = NULL;
832af0ba 655
de37951c 656 /* Determine the address of the server replying so that we can mark that as good */
1a6bca81 657 serveraddr.sa.sa_family = family;
de37951c
SK		 658#ifdef HAVE_IPV6
659 if (serveraddr.sa.sa_family == AF_INET6)
5e9e0efb 660 serveraddr.in6.sin6_flowinfo = 0;
de37951c 661#endif
9e4abcb5 662
1a6bca81
SK		 663 /* spoof check: answer must come from known server, */
664 for (server = daemon->servers; server; server = server->next)
665 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
666 sockaddr_isequal(&server->addr, &serveraddr))
667 break;
668
572b41eb 669 header = (struct dns_header *)daemon->packet;
fd9fa481 670
1a6bca81 671 if (!server ||
572b41eb 672 n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
1a6bca81
SK		 673 !(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
674 return;
3a237152 675
572b41eb 676 if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
28866e95 677 !option_bool(OPT_ORDER) &&
1a6bca81
SK		 678 forward->forwardall == 0)
679 /* for broken servers, attempt to send to another one. */
9e4abcb5 680 {
1a6bca81
SK		 681 unsigned char *pheader;
682 size_t plen;
683 int is_sign;
832af0ba 684
1a6bca81
SK		 685 /* recreate query from reply */
686 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
687 if (!is_sign)
832af0ba 688 {
1a6bca81
SK		 689 header->ancount = htons(0);
690 header->nscount = htons(0);
691 header->arcount = htons(0);
692 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
832af0ba 693 {
572b41eb 694 header->hb3 &= ~(HB3_QR | HB3_TC);
1a6bca81
SK		 695 forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
696 return;
832af0ba 697 }
832af0ba 698 }
1a6bca81 699 }
3a237152
SK		 700
701 server = forward->sentto;
1a6bca81
SK		 702
703 if ((forward->sentto->flags & SERV_TYPE) == 0)
704 {
572b41eb 705 if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
1a6bca81
SK		 706 server = NULL;
707 else
b8187c80 708 {
1a6bca81
SK		 709 struct server *last_server;
710
711 /* find good server by address if possible, otherwise assume the last one we sent to */
712 for (last_server = daemon->servers; last_server; last_server = last_server->next)
713 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
714 sockaddr_isequal(&last_server->addr, &serveraddr))
715 {
716 server = last_server;
717 break;
718 }
719 }
28866e95 720 if (!option_bool(OPT_ALL_SERVERS))
1a6bca81
SK		 721 daemon->last_server = server;
722 }
3a237152 723
1a6bca81
SK		 724 /* If the answer is an error, keep the forward record in place in case
725 we get a good reply from another server. Kill it when we've
726 had replies from all to avoid filling the forwarding table when
727 everything is broken */
728 if (forward->forwardall == 0 || --forward->forwardall == 1 ||
572b41eb 729 (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
1a6bca81 730 {
3a237152
SK		 731 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
732
733 if (option_bool(OPT_NO_REBIND))
734 check_rebind = !(forward->flags & FREC_NOREBIND);
735
736 /* Don't cache replies where DNSSEC validation was turned off, either
737 the upstream server told us so, or the original query specified it. */
738 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
739 no_cache_dnssec = 1;
740
741#ifdef HAVE_DNSSEC
742 if (option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
743 {
9d633048 744 int status;
0fc2f313
SK		 745
746 /* We've had a reply already, which we're validating. Ignore this duplicate */
e0c0ad3b 747 if (forward->blocking_query)
0fc2f313 748 return;
9d633048 749
871417d4
SK		 750 if (header->hb3 & HB3_TC)
751 {
752 /* Truncated answer can't be validated.
753 The client will retry over TCP, but if this is an answer to a
754 DNSSEC-generated query, we have a problem. Should really re-send
755 over TCP. No-one with any sense will make a DNSKEY or DS RRset
756 exceed 4096, so this may not be a real problem. Just log
757 for now. */
758 if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
759 my_syslog(LOG_ERR, _("Reply to DNSSEC query truncated - validation fails."));
760 status = STAT_INSECURE;
761 }
762 else if (forward->flags & FREC_DNSKEY_QUERY)
0fc2f313 763 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
c3e0b9b6
SK		 764 else if (forward->flags & FREC_DS_QUERY)
765 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
9d633048 766 else
0fc2f313 767 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
3a237152
SK		 768
769 /* Can't validate, as we're missing key data. Put this
770 answer aside, whilst we get that. */
771 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
772 {
773 struct frec *new;
0fc2f313
SK		 774
775 if ((new = get_new_frec(now, NULL, 1)))
3a237152 776 {
0fc2f313
SK		 777 struct frec *next = new->next;
778 *new = *forward; /* copy everything, then overwrite */
779 new->next = next;
0fc2f313 780 new->blocking_query = NULL;
f1668d27
SK		 781 new->rfd4 = NULL;
782#ifdef HAVE_IPV6
783 new->rfd6 = NULL;
784#endif
0fc2f313 785 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY);
9d633048 786
e0c0ad3b
SK		 787 /* Free any saved query */
788 if (forward->stash)
789 blockdata_free(forward->stash);
790
791 /* Now save reply pending receipt of key data */
792 if (!(forward->stash = blockdata_alloc((char *)header, n)))
793 free_frec(new); /* malloc failure, unwind */
794 else
3a237152
SK		 795 {
796 int fd;
9d633048 797
0fc2f313
SK		 798 forward->stash_len = n;
799
3a237152
SK		 800 new->dependent = forward; /* to find query awaiting new one. */
801 forward->blocking_query = new; /* for garbage cleaning */
0fc2f313 802 /* validate routines leave name of required record in daemon->keyname */
3a237152 803 if (status == STAT_NEED_KEY)
9d633048
SK		 804 {
805 new->flags |= FREC_DNSKEY_QUERY;
60b68069
SK		 806 nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
807 daemon->keyname, forward->class, T_DNSKEY, &server->addr);
9d633048 808 }
e0c0ad3b 809 else
9d633048
SK		 810 {
811 new->flags |= FREC_DS_QUERY;
60b68069
SK		 812 nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
813 daemon->keyname, forward->class, T_DS, &server->addr);
9d633048 814 }
3a237152
SK		 815 new->crc = questions_crc(header, nn, daemon->namebuff);
816 new->new_id = get_id(new->crc);
c3e0b9b6 817 header->id = htons(new->new_id);
e0c0ad3b
SK		 818 /* Save query for retransmission */
819 new->stash = blockdata_alloc((char *)header, nn);
820 new->stash_len = nn;
9d633048 821
3a237152
SK		 822 /* Don't resend this. */
823 daemon->srv_save = NULL;
824
825 if (server->sfd)
826 fd = server->sfd->fd;
827 else
f1668d27
SK		 828 {
829 fd = -1;
3a237152 830#ifdef HAVE_IPV6
f1668d27
SK		 831 if (server->addr.sa.sa_family == AF_INET6)
832 {
833 if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
834 fd = new->rfd6->fd;
835 }
836 else
3a237152 837#endif
f1668d27
SK		 838 {
839 if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
840 fd = new->rfd4->fd;
841 }
842 }
9d633048 843
f1668d27
SK		 844 if (fd != -1)
845 {
846 while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
847 server->queries++;
848 }
3a237152
SK		 849 }
850 }
0fc2f313 851
3a237152
SK		 852 return;
853 }
854
855 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
856 Now wind back down, pulling back answers which wouldn't previously validate
857 and validate them with the new data. Failure to find needed data here is an internal error.
858 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
859 return it to the original requestor. */
0fc2f313 860 if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
3a237152 861 {
0fc2f313 862 while (forward->dependent)
3a237152 863 {
0fc2f313 864 struct frec *prev;
c3e0b9b6 865
0fc2f313
SK		 866 if (status == STAT_SECURE)
867 {
868 if (forward->flags & FREC_DNSKEY_QUERY)
869 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
870 else if (forward->flags & FREC_DS_QUERY)
871 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
872 }
873
874 prev = forward->dependent;
875 free_frec(forward);
876 forward = prev;
877 forward->blocking_query = NULL; /* already gone */
878 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
879 n = forward->stash_len;
880 }
881
882 /* All DNSKEY and DS records done and in cache, now finally validate original
883 answer, provided last DNSKEY is OK. */
884 if (status == STAT_SECURE)
885 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
886
887 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
888 {
889 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
890 status = STAT_INSECURE;
3a237152
SK		 891 }
892 }
0fc2f313
SK		 893
894 log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
895 status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
896
897 no_cache_dnssec = 0;
c3e0b9b6 898
3a237152
SK		 899 if (status == STAT_SECURE)
900 cache_secure = 1;
3a237152
SK		 901 else if (status == STAT_BOGUS)
902 no_cache_dnssec = 1;
0fc2f313
SK		 903
904 /* restore CD bit to the value in the query */
905 if (forward->flags & FREC_CHECKING_DISABLED)
906 header->hb4 |= HB4_CD;
907 else
908 header->hb4 &= ~HB4_CD;
3a237152
SK		 909 }
910#endif
8ef5ada2 911
3a237152 912 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
ed4c0767 913 forward->flags & FREC_HAS_SUBNET, &forward->source)))
1a6bca81
SK		 914 {
915 header->id = htons(forward->orig_id);
572b41eb 916 header->hb4 |= HB4_RA; /* recursion if available */
54dd393f 917 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
50303b19 918 &forward->source, &forward->dest, forward->iface);
b8187c80 919 }
1a6bca81 920 free_frec(forward); /* cancel */
9e4abcb5 921 }
9e4abcb5 922}
44a2a316 923
1a6bca81 924
5aabfc78 925void receive_query(struct listener *listen, time_t now)
44a2a316 926{
572b41eb 927 struct dns_header *header = (struct dns_header *)daemon->packet;
44a2a316 928 union mysockaddr source_addr;
c1bb8504 929 unsigned short type;
44a2a316 930 struct all_addr dst_addr;
f6b7dc47 931 struct in_addr netmask, dst_addr_4;
cdeda28f
SK		 932 size_t m;
933 ssize_t n;
3b195961
VG		 934 int if_index = 0, auth_dns = 0;
935#ifdef HAVE_AUTH
936 int local_auth = 0;
937#endif
44a2a316
SK		 938 struct iovec iov[1];
939 struct msghdr msg;
940 struct cmsghdr *cmptr;
44a2a316
SK		 941 union {
942 struct cmsghdr align; /* this ensures alignment */
943#ifdef HAVE_IPV6
944 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
945#endif
5e9e0efb 946#if defined(HAVE_LINUX_NETWORK)
44a2a316 947 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
824af85b
SK		 948#elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
949 char control[CMSG_SPACE(sizeof(struct in_addr)) +
950 CMSG_SPACE(sizeof(unsigned int))];
44a2a316
SK		 951#elif defined(IP_RECVDSTADDR)
952 char control[CMSG_SPACE(sizeof(struct in_addr)) +
953 CMSG_SPACE(sizeof(struct sockaddr_dl))];
954#endif
955 } control_u;
2329bef5
SK		 956#ifdef HAVE_IPV6
957 /* Can always get recvd interface for IPv6 */
958 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
959#else
960 int check_dst = !option_bool(OPT_NOWILD);
961#endif
962
cdeda28f
SK		 963 /* packet buffer overwritten */
964 daemon->srv_save = NULL;
965
4f7b304f
SK		 966 dst_addr_4.s_addr = 0;
967 netmask.s_addr = 0;
968
7e5664bd 969 if (option_bool(OPT_NOWILD) && listen->iface)
3d8df260 970 {
4f7b304f
SK		 971 auth_dns = listen->iface->dns_auth;
972
973 if (listen->family == AF_INET)
974 {
975 dst_addr_4 = listen->iface->addr.in.sin_addr;
976 netmask = listen->iface->netmask;
977 }
3d8df260 978 }
4f7b304f 979
3be34541
SK		 980 iov[0].iov_base = daemon->packet;
981 iov[0].iov_len = daemon->edns_pktsz;
44a2a316
SK		 982
983 msg.msg_control = control_u.control;
984 msg.msg_controllen = sizeof(control_u);
985 msg.msg_flags = 0;
986 msg.msg_name = &source_addr;
987 msg.msg_namelen = sizeof(source_addr);
988 msg.msg_iov = iov;
989 msg.msg_iovlen = 1;
990
de37951c 991 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
3be34541 992 return;
44a2a316 993
572b41eb 994 if (n < (int)sizeof(struct dns_header) ||
5e9e0efb 995 (msg.msg_flags & MSG_TRUNC) ||
572b41eb 996 (header->hb3 & HB3_QR))
26128d27
SK		 997 return;
998
44a2a316
SK		 999 source_addr.sa.sa_family = listen->family;
1000#ifdef HAVE_IPV6
1001 if (listen->family == AF_INET6)
5e9e0efb 1002 source_addr.in6.sin6_flowinfo = 0;
44a2a316 1003#endif
28866e95 1004
2329bef5 1005 if (check_dst)
26128d27
SK		 1006 {
1007 struct ifreq ifr;
1008
1009 if (msg.msg_controllen < sizeof(struct cmsghdr))
1010 return;
44a2a316 1011
5e9e0efb 1012#if defined(HAVE_LINUX_NETWORK)
26128d27
SK		 1013 if (listen->family == AF_INET)
1014 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 1015 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
26128d27 1016 {
8ef5ada2
SK		 1017 union {
1018 unsigned char *c;
1019 struct in_pktinfo *p;
1020 } p;
1021 p.c = CMSG_DATA(cmptr);
1022 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
1023 if_index = p.p->ipi_ifindex;
26128d27
SK		 1024 }
1025#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1026 if (listen->family == AF_INET)
44a2a316 1027 {
26128d27 1028 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
8ef5ada2
SK		 1029 {
1030 union {
1031 unsigned char *c;
1032 unsigned int *i;
1033 struct in_addr *a;
1034#ifndef HAVE_SOLARIS_NETWORK
1035 struct sockaddr_dl *s;
1036#endif
1037 } p;
1038 p.c = CMSG_DATA(cmptr);
1039 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
1040 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
1041 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
824af85b 1042#ifdef HAVE_SOLARIS_NETWORK
8ef5ada2 1043 if_index = *(p.i);
824af85b 1044#else
8ef5ada2 1045 if_index = p.s->sdl_index;
824af85b 1046#endif
8ef5ada2 1047 }
44a2a316 1048 }
44a2a316 1049#endif
26128d27 1050
44a2a316 1051#ifdef HAVE_IPV6
26128d27
SK		 1052 if (listen->family == AF_INET6)
1053 {
1054 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 1055 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
26128d27 1056 {
8ef5ada2
SK		 1057 union {
1058 unsigned char *c;
1059 struct in6_pktinfo *p;
1060 } p;
1061 p.c = CMSG_DATA(cmptr);
1062
1063 dst_addr.addr.addr6 = p.p->ipi6_addr;
1064 if_index = p.p->ipi6_ifindex;
26128d27
SK		 1065 }
1066 }
44a2a316 1067#endif
26128d27
SK		 1068
1069 /* enforce available interface configuration */
1070
e25db1f2 1071 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
5e9e0efb 1072 return;
832af0ba 1073
e25db1f2
SK		 1074 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1075 {
1076 if (!option_bool(OPT_CLEVERBIND))
115ac3e4 1077 enumerate_interfaces(0);
3f2873d4
SK		 1078 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1079 !label_exception(if_index, listen->family, &dst_addr))
e25db1f2
SK		 1080 return;
1081 }
1082
552af8b9
SK		 1083 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1084 {
1085 struct irec *iface;
1086
1087 /* get the netmask of the interface whch has the address we were sent to.
1088 This is no neccessarily the interface we arrived on. */
1089
1090 for (iface = daemon->interfaces; iface; iface = iface->next)
1091 if (iface->addr.sa.sa_family == AF_INET &&
1092 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1093 break;
1094
1095 /* interface may be new */
e25db1f2 1096 if (!iface && !option_bool(OPT_CLEVERBIND))
115ac3e4 1097 enumerate_interfaces(0);
552af8b9
SK		 1098
1099 for (iface = daemon->interfaces; iface; iface = iface->next)
1100 if (iface->addr.sa.sa_family == AF_INET &&
1101 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1102 break;
1103
1104 /* If we failed, abandon localisation */
1105 if (iface)
1106 netmask = iface->netmask;
1107 else
1108 dst_addr_4.s_addr = 0;
1109 }
44a2a316
SK		 1110 }
1111
cdeda28f 1112 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
44a2a316 1113 {
1a6bca81 1114 char types[20];
b485ed97
SK		 1115#ifdef HAVE_AUTH
1116 struct auth_zone *zone;
1117#endif
1a6bca81 1118
4f7b304f 1119 querystr(auth_dns ? "auth" : "query", types, type);
1a6bca81 1120
44a2a316 1121 if (listen->family == AF_INET)
3be34541 1122 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 1123 (struct all_addr *)&source_addr.in.sin_addr, types);
44a2a316
SK		 1124#ifdef HAVE_IPV6
1125 else
3be34541 1126 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 1127 (struct all_addr *)&source_addr.in6.sin6_addr, types);
44a2a316 1128#endif
44a2a316 1129
b485ed97
SK		 1130#ifdef HAVE_AUTH
1131 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1132 if (!auth_dns)
1133 for (zone = daemon->auth_zones; zone; zone = zone->next)
1134 if (in_zone(zone, daemon->namebuff, NULL))
1135 {
1136 auth_dns = 1;
1137 local_auth = 1;
1138 break;
1139 }
b485ed97
SK		 1140#endif
1141 }
1142
4820dce9 1143#ifdef HAVE_AUTH
4f7b304f 1144 if (auth_dns)
824af85b 1145 {
60b68069 1146 m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
4f7b304f 1147 if (m >= 1)
b485ed97
SK		 1148 {
1149 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1150 (char *)header, m, &source_addr, &dst_addr, if_index);
1151 daemon->auth_answer++;
1152 }
824af85b 1153 }
44a2a316 1154 else
4820dce9 1155#endif
4f7b304f 1156 {
60b68069 1157 m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
4f7b304f
SK		 1158 dst_addr_4, netmask, now);
1159
1160 if (m >= 1)
1161 {
1162 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1163 (char *)header, m, &source_addr, &dst_addr, if_index);
1164 daemon->local_answer++;
1165 }
1166 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1167 header, (size_t)n, now, NULL))
1168 daemon->queries_forwarded++;
1169 else
1170 daemon->local_answer++;
1171 }
44a2a316
SK		 1172}
1173
7d7b7b31
SK		 1174#ifdef HAVE_DNSSEC
1175static int tcp_key_recurse(time_t now, int status, int class, char *keyname, struct server *server)
1176{
1177 /* Recurse up the key heirarchy */
1178 size_t n;
1179 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1180 unsigned char *payload = &packet[2];
1181 struct dns_header *header = (struct dns_header *)payload;
1182 u16 *length = (u16 *)packet;
1183 int new_status;
1184 unsigned char c1, c2;
1185
1186 n = dnssec_generate_query(header, ((char *) header) + 65536, keyname, class,
1187 status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
1188
1189 *length = htons(n);
1190
1191 if (!read_write(server->tcpfd, packet, n + sizeof(u16), 0) ||
1192 !read_write(server->tcpfd, &c1, 1, 1) ||
1193 !read_write(server->tcpfd, &c2, 1, 1) ||
1194 !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1195 {
1196 close(server->tcpfd);
1197 server->tcpfd = -1;
1198 new_status = STAT_INSECURE;
1199 }
1200 else
1201 {
1202 n = (c1 << 8) | c2;
1203
1204 if (status == STAT_NEED_KEY)
1205 new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1206 else
1207 new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1208
1209 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1210 {
1211 if ((new_status = tcp_key_recurse(now, new_status, class, daemon->keyname, server) == STAT_SECURE))
1212 {
1213 if (status == STAT_NEED_KEY)
1214 new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1215 else
1216 new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1217
1218 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1219 {
1220 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
1221 status = STAT_INSECURE;
f1668d27 1222 }
7d7b7b31
SK		 1223 }
1224 }
1225 }
1226
1227 free(packet);
1228
1229 return new_status;
1230}
1231#endif
1232
1233
feba5c1d
SK		 1234/* The daemon forks before calling this: it should deal with one connection,
1235 blocking as neccessary, and then return. Note, need to be a bit careful
1236 about resources for debug mode, when the fork is suppressed: that's
1237 done by the caller. */
5aabfc78 1238unsigned char *tcp_request(int confd, time_t now,
4f7b304f 1239 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
feba5c1d 1240{
28866e95
SK		 1241 size_t size = 0;
1242 int norebind = 0;
3b195961 1243#ifdef HAVE_AUTH
19b16891 1244 int local_auth = 0;
3b195961 1245#endif
7d7b7b31 1246 int checking_disabled, check_subnet, no_cache_dnssec = 0, cache_secure = 0;
cdeda28f 1247 size_t m;
ee86ce68
SK		 1248 unsigned short qtype;
1249 unsigned int gotname;
feba5c1d 1250 unsigned char c1, c2;
4b5ea12e
SK		 1251 /* Max TCP packet + slop + size */
1252 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1253 unsigned char *payload = &packet[2];
1254 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1255 struct dns_header *header = (struct dns_header *)payload;
1256 u16 *length = (u16 *)packet;
3be34541 1257 struct server *last_server;
7de060b0
SK		 1258 struct in_addr dst_addr_4;
1259 union mysockaddr peer_addr;
1260 socklen_t peer_len = sizeof(union mysockaddr);
3be34541 1261
7de060b0
SK		 1262 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1263 return packet;
1264
feba5c1d
SK		 1265 while (1)
1266 {
1267 if (!packet ||
1268 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1269 !(size = c1 << 8 | c2) ||
4b5ea12e 1270 !read_write(confd, payload, size, 1))
feba5c1d
SK		 1271 return packet;
1272
572b41eb 1273 if (size < (int)sizeof(struct dns_header))
feba5c1d
SK		 1274 continue;
1275
ed4c0767
SK		 1276 check_subnet = 0;
1277
28866e95 1278 /* save state of "cd" flag in query */
7d7b7b31
SK		 1279 if ((checking_disabled = header->hb4 & HB4_CD))
1280 no_cache_dnssec = 1;
28866e95
SK		 1281
1282 /* RFC 4035: sect 4.6 para 2 */
572b41eb 1283 header->hb4 &= ~HB4_AD;
feba5c1d 1284
3be34541 1285 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
feba5c1d 1286 {
7de060b0 1287 char types[20];
b485ed97
SK		 1288#ifdef HAVE_AUTH
1289 struct auth_zone *zone;
1290#endif
4f7b304f 1291 querystr(auth_dns ? "auth" : "query", types, qtype);
7de060b0
SK		 1292
1293 if (peer_addr.sa.sa_family == AF_INET)
1294 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1295 (struct all_addr *)&peer_addr.in.sin_addr, types);
feba5c1d 1296#ifdef HAVE_IPV6
7de060b0
SK		 1297 else
1298 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1299 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
feba5c1d 1300#endif
b485ed97
SK		 1301
1302#ifdef HAVE_AUTH
1303 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1304 if (!auth_dns)
1305 for (zone = daemon->auth_zones; zone; zone = zone->next)
1306 if (in_zone(zone, daemon->namebuff, NULL))
1307 {
1308 auth_dns = 1;
1309 local_auth = 1;
1310 break;
1311 }
b485ed97 1312#endif
feba5c1d
SK		 1313 }
1314
7de060b0
SK		 1315 if (local_addr->sa.sa_family == AF_INET)
1316 dst_addr_4 = local_addr->in.sin_addr;
1317 else
1318 dst_addr_4.s_addr = 0;
1319
4820dce9 1320#ifdef HAVE_AUTH
4f7b304f 1321 if (auth_dns)
19b16891 1322 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
4f7b304f 1323 else
4820dce9 1324#endif
feba5c1d 1325 {
4f7b304f
SK		 1326 /* m > 0 if answered from cache */
1327 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1328 dst_addr_4, netmask, now);
feba5c1d 1329
4f7b304f
SK		 1330 /* Do this by steam now we're not in the select() loop */
1331 check_log_writer(NULL);
1332
1333 if (m == 0)
feba5c1d 1334 {
4f7b304f
SK		 1335 unsigned int flags = 0;
1336 struct all_addr *addrp = NULL;
1337 int type = 0;
1338 char *domain = NULL;
feba5c1d 1339
4f7b304f
SK		 1340 if (option_bool(OPT_ADD_MAC))
1341 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
ed4c0767
SK		 1342
1343 if (option_bool(OPT_CLIENT_SUBNET))
1344 {
1345 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1346 if (size != new)
1347 {
1348 size = new;
1349 check_subnet = 1;
1350 }
1351 }
1352
4f7b304f
SK		 1353 if (gotname)
1354 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1355
1356 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1357 last_server = daemon->servers;
1358 else
1359 last_server = daemon->last_server;
1360
1361 if (!flags && last_server)
1362 {
1363 struct server *firstsendto = NULL;
1364 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1365
1366 /* Loop round available servers until we succeed in connecting to one.
1367 Note that this code subtley ensures that consecutive queries on this connection
1368 which can go to the same server, do so. */
1369 while (1)
feba5c1d 1370 {
4f7b304f
SK		 1371 if (!firstsendto)
1372 firstsendto = last_server;
1373 else
1374 {
1375 if (!(last_server = last_server->next))
1376 last_server = daemon->servers;
1377
1378 if (last_server == firstsendto)
1379 break;
1380 }
1381
1382 /* server for wrong domain */
1383 if (type != (last_server->flags & SERV_TYPE) ||
1384 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
7de060b0
SK		 1385 continue;
1386
4f7b304f 1387 if (last_server->tcpfd == -1)
7de060b0 1388 {
4f7b304f
SK		 1389 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1390 continue;
1391
1392 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1393 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1394 {
1395 close(last_server->tcpfd);
1396 last_server->tcpfd = -1;
1397 continue;
1398 }
1399
7d7b7b31
SK		 1400#ifdef HAVE_DNSSEC
1401 if (option_bool(OPT_DNSSEC_VALID))
1402 {
1403 size = add_do_bit(header, size, ((char *) header) + 65536);
1404 header->hb4 |= HB4_CD;
1405 }
1406#endif
1407
7de060b0 1408#ifdef HAVE_CONNTRACK
4f7b304f
SK		 1409 /* Copy connection mark of incoming query to outgoing connection. */
1410 if (option_bool(OPT_CONNTRACK))
1411 {
1412 unsigned int mark;
1413 struct all_addr local;
7de060b0 1414#ifdef HAVE_IPV6
4f7b304f
SK		 1415 if (local_addr->sa.sa_family == AF_INET6)
1416 local.addr.addr6 = local_addr->in6.sin6_addr;
1417 else
7de060b0 1418#endif
4f7b304f
SK		 1419 local.addr.addr4 = local_addr->in.sin_addr;
1420
1421 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1422 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1423 }
7de060b0 1424#endif
4f7b304f
SK		 1425 }
1426
4b5ea12e 1427 *length = htons(size);
4f7b304f 1428
4b5ea12e 1429 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
4f7b304f 1430 !read_write(last_server->tcpfd, &c1, 1, 1) ||
7d7b7b31
SK		 1431 !read_write(last_server->tcpfd, &c2, 1, 1) ||
1432 !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
4f7b304f
SK		 1433 {
1434 close(last_server->tcpfd);
1435 last_server->tcpfd = -1;
1436 continue;
1437 }
1438
1439 m = (c1 << 8) | c2;
4f7b304f
SK		 1440
1441 if (!gotname)
1442 strcpy(daemon->namebuff, "query");
1443 if (last_server->addr.sa.sa_family == AF_INET)
1444 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1445 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
feba5c1d 1446#ifdef HAVE_IPV6
4f7b304f
SK		 1447 else
1448 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1449 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
feba5c1d 1450#endif
7d7b7b31
SK		 1451
1452#ifdef HAVE_DNSSEC
1453 if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
1454 {
1455 int class, status;
1456
1457 status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
1458
1459 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
1460 {
1461 if ((status = tcp_key_recurse(now, status, class, daemon->keyname, last_server)) == STAT_SECURE)
1462 status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
1463 }
1464
1465 log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
1466 status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1467
1468 if (status == STAT_BOGUS)
1469 no_cache_dnssec = 1;
1470
1471 if (status == STAT_SECURE)
1472 cache_secure = 1;
1473 }
1474#endif
1475
1476 /* restore CD bit to the value in the query */
1477 if (checking_disabled)
1478 header->hb4 |= HB4_CD;
1479 else
1480 header->hb4 &= ~HB4_CD;
4f7b304f
SK		 1481
1482 /* There's no point in updating the cache, since this process will exit and
1483 lose the information after a few queries. We make this call for the alias and
1484 bogus-nxdomain side-effects. */
1485 /* If the crc of the question section doesn't match the crc we sent, then
1486 someone might be attempting to insert bogus values into the cache by
1487 sending replies containing questions and bogus answers. */
1488 if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
1489 m = process_reply(header, now, last_server, (unsigned int)m,
7d7b7b31
SK		 1490 option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
1491 cache_secure, check_subnet, &peer_addr);
4f7b304f
SK		 1492
1493 break;
1494 }
feba5c1d 1495 }
4f7b304f
SK		 1496
1497 /* In case of local answer or no connections made. */
1498 if (m == 0)
1499 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
feba5c1d 1500 }
feba5c1d 1501 }
4f7b304f 1502
5aabfc78 1503 check_log_writer(NULL);
feba5c1d 1504
4b5ea12e
SK		 1505 *length = htons(m);
1506
1507 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
feba5c1d
SK		 1508 return packet;
1509 }
1510}
1511
1697269c 1512static struct frec *allocate_frec(time_t now)
9e4abcb5 1513{
1697269c
SK		 1514 struct frec *f;
1515
5aabfc78 1516 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
9e4abcb5 1517 {
1a6bca81 1518 f->next = daemon->frec_list;
1697269c 1519 f->time = now;
832af0ba 1520 f->sentto = NULL;
1a6bca81 1521 f->rfd4 = NULL;
28866e95 1522 f->flags = 0;
1a6bca81
SK		 1523#ifdef HAVE_IPV6
1524 f->rfd6 = NULL;
3a237152
SK		 1525#endif
1526#ifdef HAVE_DNSSEC
1527 f->blocking_query = NULL;
4619d946 1528 f->stash = NULL;
1a6bca81
SK		 1529#endif
1530 daemon->frec_list = f;
1697269c 1531 }
9e4abcb5 1532
1697269c
SK		 1533 return f;
1534}
9e4abcb5 1535
1a6bca81
SK		 1536static struct randfd *allocate_rfd(int family)
1537{
1538 static int finger = 0;
1539 int i;
1540
1541 /* limit the number of sockets we have open to avoid starvation of
1542 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1543
1544 for (i = 0; i < RANDOM_SOCKS; i++)
9009d746 1545 if (daemon->randomsocks[i].refcount == 0)
1a6bca81 1546 {
9009d746
SK		 1547 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
1548 break;
1549
1a6bca81
SK		 1550 daemon->randomsocks[i].refcount = 1;
1551 daemon->randomsocks[i].family = family;
1552 return &daemon->randomsocks[i];
1553 }
1554
9009d746 1555 /* No free ones or cannot get new socket, grab an existing one */
1a6bca81
SK		 1556 for (i = 0; i < RANDOM_SOCKS; i++)
1557 {
1558 int j = (i+finger) % RANDOM_SOCKS;
9009d746
SK		 1559 if (daemon->randomsocks[j].refcount != 0 &&
1560 daemon->randomsocks[j].family == family &&
1561 daemon->randomsocks[j].refcount != 0xffff)
1a6bca81
SK		 1562 {
1563 finger = j;
1564 daemon->randomsocks[j].refcount++;
1565 return &daemon->randomsocks[j];
1566 }
1567 }
1568
1569 return NULL; /* doom */
1570}
1a6bca81
SK		 1571static void free_frec(struct frec *f)
1572{
1573 if (f->rfd4 && --(f->rfd4->refcount) == 0)
1574 close(f->rfd4->fd);
1575
1576 f->rfd4 = NULL;
1577 f->sentto = NULL;
28866e95 1578 f->flags = 0;
1a6bca81
SK		 1579
1580#ifdef HAVE_IPV6
1581 if (f->rfd6 && --(f->rfd6->refcount) == 0)
1582 close(f->rfd6->fd);
1583
1584 f->rfd6 = NULL;
1585#endif
3a237152
SK		 1586
1587#ifdef HAVE_DNSSEC
1588 if (f->stash)
0fc2f313
SK		 1589 {
1590 blockdata_free(f->stash);
1591 f->stash = NULL;
1592 }
3a237152
SK		 1593
1594 /* Anything we're waiting on is pointless now, too */
1595 if (f->blocking_query)
1596 free_frec(f->blocking_query);
1597 f->blocking_query = NULL;
1598
1599#endif
1a6bca81
SK		 1600}
1601
1697269c
SK		 1602/* if wait==NULL return a free or older than TIMEOUT record.
1603 else return *wait zero if one available, or *wait is delay to
1a6bca81 1604 when the oldest in-use record will expire. Impose an absolute
3a237152
SK		 1605 limit of 4*TIMEOUT before we wipe things (for random sockets).
1606 If force is set, always return a result, even if we have
1607 to allocate above the limit. */
1608struct frec *get_new_frec(time_t now, int *wait, int force)
1697269c 1609{
1a6bca81 1610 struct frec *f, *oldest, *target;
1697269c
SK		 1611 int count;
1612
1613 if (wait)
1614 *wait = 0;
1615
1a6bca81 1616 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
832af0ba 1617 if (!f->sentto)
1a6bca81
SK		 1618 target = f;
1619 else
1697269c 1620 {
1a6bca81
SK		 1621 if (difftime(now, f->time) >= 4*TIMEOUT)
1622 {
1623 free_frec(f);
1624 target = f;
1625 }
1626
1627 if (!oldest || difftime(f->time, oldest->time) <= 0)
1628 oldest = f;
1697269c 1629 }
1a6bca81
SK		 1630
1631 if (target)
1632 {
1633 target->time = now;
1634 return target;
1635 }
9e4abcb5
SK		 1636
1637 /* can't find empty one, use oldest if there is one
1638 and it's older than timeout */
1697269c 1639 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
9e4abcb5 1640 {
1697269c
SK		 1641 /* keep stuff for twice timeout if we can by allocating a new
1642 record instead */
1643 if (difftime(now, oldest->time) < 2*TIMEOUT &&
1644 count <= daemon->ftabsize &&
1645 (f = allocate_frec(now)))
1646 return f;
1647
1648 if (!wait)
1649 {
1a6bca81 1650 free_frec(oldest);
1697269c
SK		 1651 oldest->time = now;
1652 }
9e4abcb5
SK		 1653 return oldest;
1654 }
1655
1697269c 1656 /* none available, calculate time 'till oldest record expires */
3a237152 1657 if (!force && count > daemon->ftabsize)
1697269c 1658 {
0da5e897
MSB		 1659 static time_t last_log = 0;
1660
1697269c
SK		 1661 if (oldest && wait)
1662 *wait = oldest->time + (time_t)TIMEOUT - now;
0da5e897
MSB		 1663
1664 if ((int)difftime(now, last_log) > 5)
1665 {
1666 last_log = now;
1667 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
1668 }
1669
9e4abcb5
SK		 1670 return NULL;
1671 }
1697269c
SK		 1672
1673 if (!(f = allocate_frec(now)) && wait)
1674 /* wait one second on malloc failure */
1675 *wait = 1;
9e4abcb5 1676
9e4abcb5
SK		 1677 return f; /* OK if malloc fails and this is NULL */
1678}
1679
832af0ba
SK		 1680/* crc is all-ones if not known. */
1681static struct frec *lookup_frec(unsigned short id, unsigned int crc)
9e4abcb5
SK		 1682{
1683 struct frec *f;
1684
1a6bca81 1685 for(f = daemon->frec_list; f; f = f->next)
832af0ba
SK		 1686 if (f->sentto && f->new_id == id &&
1687 (f->crc == crc || crc == 0xffffffff))
9e4abcb5
SK		 1688 return f;
1689
1690 return NULL;
1691}
1692
1693static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481
SK		 1694 union mysockaddr *addr,
1695 unsigned int crc)
9e4abcb5 1696{
feba5c1d
SK		 1697 struct frec *f;
1698
1a6bca81 1699 for(f = daemon->frec_list; f; f = f->next)
832af0ba 1700 if (f->sentto &&
9e4abcb5 1701 f->orig_id == id &&
fd9fa481 1702 f->crc == crc &&
9e4abcb5
SK		 1703 sockaddr_isequal(&f->source, addr))
1704 return f;
1705
1706 return NULL;
1707}
1708
849a8357 1709/* A server record is going away, remove references to it */
5aabfc78 1710void server_gone(struct server *server)
849a8357
SK		 1711{
1712 struct frec *f;
1713
1a6bca81 1714 for (f = daemon->frec_list; f; f = f->next)
832af0ba 1715 if (f->sentto && f->sentto == server)
1a6bca81 1716 free_frec(f);
849a8357
SK		 1717
1718 if (daemon->last_server == server)
1719 daemon->last_server = NULL;
1720
1721 if (daemon->srv_save == server)
1722 daemon->srv_save = NULL;
1723}
9e4abcb5 1724
316e2730
SK		 1725/* return unique random ids. */
1726static unsigned short get_id(unsigned int crc)
9e4abcb5
SK		 1727{
1728 unsigned short ret = 0;
832af0ba 1729
316e2730 1730 do
832af0ba
SK		 1731 ret = rand16();
1732 while (lookup_frec(ret, crc));
1733
9e4abcb5
SK		 1734 return ret;
1735}
1736
1737
1738
1739
1740
Michael's tree of dnsmasq.