]> git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
projects / people / ms / dnsmasq.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add --log-queries=extra option for more complete logging.
[people/ms/dnsmasq.git] / src / forward.c
1 /* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
12
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16
17 #include "dnsmasq.h"
18
19 static struct frec *lookup_frec(unsigned short id, void *hash);
20 static struct frec *lookup_frec_by_sender(unsigned short id,
21 union mysockaddr *addr,
22 void *hash);
23 static unsigned short get_id(void);
24 static void free_frec(struct frec *f);
25
26 #ifdef HAVE_DNSSEC
27 static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
28 int class, char *name, char *keyname, struct server *server, int *keycount);
29 static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname);
30 static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
31 char *name, char *keyname);
32 #endif
33
34
35 /* Send a UDP packet with its source address set as "source"
36 unless nowild is true, when we just send it with the kernel default */
37 int send_from(int fd, int nowild, char *packet, size_t len,
38 union mysockaddr *to, struct all_addr *source,
39 unsigned int iface)
40 {
41 struct msghdr msg;
42 struct iovec iov[1];
43 union {
44 struct cmsghdr align; /* this ensures alignment */
45 #if defined(HAVE_LINUX_NETWORK)
46 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
47 #elif defined(IP_SENDSRCADDR)
48 char control[CMSG_SPACE(sizeof(struct in_addr))];
49 #endif
50 #ifdef HAVE_IPV6
51 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
52 #endif
53 } control_u;
54
55 iov[0].iov_base = packet;
56 iov[0].iov_len = len;
57
58 msg.msg_control = NULL;
59 msg.msg_controllen = 0;
60 msg.msg_flags = 0;
61 msg.msg_name = to;
62 msg.msg_namelen = sa_len(to);
63 msg.msg_iov = iov;
64 msg.msg_iovlen = 1;
65
66 if (!nowild)
67 {
68 struct cmsghdr *cmptr;
69 msg.msg_control = &control_u;
70 msg.msg_controllen = sizeof(control_u);
71 cmptr = CMSG_FIRSTHDR(&msg);
72
73 if (to->sa.sa_family == AF_INET)
74 {
75 #if defined(HAVE_LINUX_NETWORK)
76 struct in_pktinfo p;
77 p.ipi_ifindex = 0;
78 p.ipi_spec_dst = source->addr.addr4;
79 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
80 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
81 cmptr->cmsg_level = IPPROTO_IP;
82 cmptr->cmsg_type = IP_PKTINFO;
83 #elif defined(IP_SENDSRCADDR)
84 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
85 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
86 cmptr->cmsg_level = IPPROTO_IP;
87 cmptr->cmsg_type = IP_SENDSRCADDR;
88 #endif
89 }
90 else
91 #ifdef HAVE_IPV6
92 {
93 struct in6_pktinfo p;
94 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
95 p.ipi6_addr = source->addr.addr6;
96 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
97 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
98 cmptr->cmsg_type = daemon->v6pktinfo;
99 cmptr->cmsg_level = IPPROTO_IPV6;
100 }
101 #else
102 (void)iface; /* eliminate warning */
103 #endif
104 }
105
106 while (sendmsg(fd, &msg, 0) == -1)
107 {
108 if (retry_send())
109 continue;
110
111 /* If interface is still in DAD, EINVAL results - ignore that. */
112 if (errno == EINVAL)
113 break;
114
115 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
116 return 0;
117 }
118
119 return 1;
120 }
121
122 static unsigned int search_servers(time_t now, struct all_addr **addrpp,
123 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
124
125 {
126 /* If the query ends in the domain in one of our servers, set
127 domain to point to that name. We find the largest match to allow both
128 domain.org and sub.domain.org to exist. */
129
130 unsigned int namelen = strlen(qdomain);
131 unsigned int matchlen = 0;
132 struct server *serv;
133 unsigned int flags = 0;
134
135 for (serv = daemon->servers; serv; serv=serv->next)
136 /* domain matches take priority over NODOTS matches */
137 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
138 {
139 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
140 *type = SERV_FOR_NODOTS;
141 if (serv->flags & SERV_NO_ADDR)
142 flags = F_NXDOMAIN;
143 else if (serv->flags & SERV_LITERAL_ADDRESS)
144 {
145 if (sflag & qtype)
146 {
147 flags = sflag;
148 if (serv->addr.sa.sa_family == AF_INET)
149 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
150 #ifdef HAVE_IPV6
151 else
152 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
153 #endif
154 }
155 else if (!flags || (flags & F_NXDOMAIN))
156 flags = F_NOERR;
157 }
158 }
159 else if (serv->flags & SERV_HAS_DOMAIN)
160 {
161 unsigned int domainlen = strlen(serv->domain);
162 char *matchstart = qdomain + namelen - domainlen;
163 if (namelen >= domainlen &&
164 hostname_isequal(matchstart, serv->domain) &&
165 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
166 {
167 if (serv->flags & SERV_NO_REBIND)
168 *norebind = 1;
169 else
170 {
171 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
172 /* implement priority rules for --address and --server for same domain.
173 --address wins if the address is for the correct AF
174 --server wins otherwise. */
175 if (domainlen != 0 && domainlen == matchlen)
176 {
177 if ((serv->flags & SERV_LITERAL_ADDRESS))
178 {
179 if (!(sflag & qtype) && flags == 0)
180 continue;
181 }
182 else
183 {
184 if (flags & (F_IPV4 | F_IPV6))
185 continue;
186 }
187 }
188
189 if (domainlen >= matchlen)
190 {
191 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
192 *domain = serv->domain;
193 matchlen = domainlen;
194 if (serv->flags & SERV_NO_ADDR)
195 flags = F_NXDOMAIN;
196 else if (serv->flags & SERV_LITERAL_ADDRESS)
197 {
198 if (sflag & qtype)
199 {
200 flags = sflag;
201 if (serv->addr.sa.sa_family == AF_INET)
202 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
203 #ifdef HAVE_IPV6
204 else
205 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
206 #endif
207 }
208 else if (!flags || (flags & F_NXDOMAIN))
209 flags = F_NOERR;
210 }
211 else
212 flags = 0;
213 }
214 }
215 }
216 }
217
218 if (flags == 0 && !(qtype & F_QUERY) &&
219 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
220 /* don't forward A or AAAA queries for simple names, except the empty name */
221 flags = F_NOERR;
222
223 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
224 flags = F_NOERR;
225
226 if (flags)
227 {
228 int logflags = 0;
229
230 if (flags == F_NXDOMAIN || flags == F_NOERR)
231 logflags = F_NEG | qtype;
232
233 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
234 }
235 else if ((*type) & SERV_USE_RESOLV)
236 {
237 *type = 0; /* use normal servers for this domain */
238 *domain = NULL;
239 }
240 return flags;
241 }
242
243 static int forward_query(int udpfd, union mysockaddr *udpaddr,
244 struct all_addr *dst_addr, unsigned int dst_iface,
245 struct dns_header *header, size_t plen, time_t now,
246 struct frec *forward, int ad_reqd, int do_bit)
247 {
248 char *domain = NULL;
249 int type = 0, norebind = 0;
250 struct all_addr *addrp = NULL;
251 unsigned int flags = 0;
252 struct server *start = NULL;
253 #ifdef HAVE_DNSSEC
254 void *hash = hash_questions(header, plen, daemon->namebuff);
255 #else
256 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
257 void *hash = &crc;
258 #endif
259 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
260
261 (void)do_bit;
262
263 /* may be no servers available. */
264 if (!daemon->servers)
265 forward = NULL;
266 else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
267 {
268 #ifdef HAVE_DNSSEC
269 /* If we've already got an answer to this query, but we're awaiting keys for validation,
270 there's no point retrying the query, retry the key query instead...... */
271 if (forward->blocking_query)
272 {
273 int fd;
274
275 while (forward->blocking_query)
276 forward = forward->blocking_query;
277
278 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
279 plen = forward->stash_len;
280
281 if (forward->sentto->addr.sa.sa_family == AF_INET)
282 log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
283 #ifdef HAVE_IPV6
284 else
285 log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
286 #endif
287
288 if (forward->sentto->sfd)
289 fd = forward->sentto->sfd->fd;
290 else
291 {
292 #ifdef HAVE_IPV6
293 if (forward->sentto->addr.sa.sa_family == AF_INET6)
294 fd = forward->rfd6->fd;
295 else
296 #endif
297 fd = forward->rfd4->fd;
298 }
299
300 while (sendto(fd, (char *)header, plen, 0,
301 &forward->sentto->addr.sa,
302 sa_len(&forward->sentto->addr)) == -1 && retry_send());
303
304 return 1;
305 }
306 #endif
307
308 /* retry on existing query, send to all available servers */
309 domain = forward->sentto->domain;
310 forward->sentto->failed_queries++;
311 if (!option_bool(OPT_ORDER))
312 {
313 forward->forwardall = 1;
314 daemon->last_server = NULL;
315 }
316 type = forward->sentto->flags & SERV_TYPE;
317 if (!(start = forward->sentto->next))
318 start = daemon->servers; /* at end of list, recycle */
319 header->id = htons(forward->new_id);
320 }
321 else
322 {
323 if (gotname)
324 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
325
326 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
327 /* table full - server failure. */
328 flags = F_NEG;
329
330 if (forward)
331 {
332 forward->source = *udpaddr;
333 forward->dest = *dst_addr;
334 forward->iface = dst_iface;
335 forward->orig_id = ntohs(header->id);
336 forward->new_id = get_id();
337 forward->fd = udpfd;
338 memcpy(forward->hash, hash, HASH_SIZE);
339 forward->forwardall = 0;
340 forward->flags = 0;
341 if (norebind)
342 forward->flags |= FREC_NOREBIND;
343 if (header->hb4 & HB4_CD)
344 forward->flags |= FREC_CHECKING_DISABLED;
345 if (ad_reqd)
346 forward->flags |= FREC_AD_QUESTION;
347 #ifdef HAVE_DNSSEC
348 forward->work_counter = DNSSEC_WORK;
349 if (do_bit)
350 forward->flags |= FREC_DO_QUESTION;
351 #endif
352
353 header->id = htons(forward->new_id);
354
355 /* In strict_order mode, always try servers in the order
356 specified in resolv.conf, if a domain is given
357 always try all the available servers,
358 otherwise, use the one last known to work. */
359
360 if (type == 0)
361 {
362 if (option_bool(OPT_ORDER))
363 start = daemon->servers;
364 else if (!(start = daemon->last_server) ||
365 daemon->forwardcount++ > FORWARD_TEST ||
366 difftime(now, daemon->forwardtime) > FORWARD_TIME)
367 {
368 start = daemon->servers;
369 forward->forwardall = 1;
370 daemon->forwardcount = 0;
371 daemon->forwardtime = now;
372 }
373 }
374 else
375 {
376 start = daemon->servers;
377 if (!option_bool(OPT_ORDER))
378 forward->forwardall = 1;
379 }
380 }
381 }
382
383 /* check for send errors here (no route to host)
384 if we fail to send to all nameservers, send back an error
385 packet straight away (helps modem users when offline) */
386
387 if (!flags && forward)
388 {
389 struct server *firstsentto = start;
390 int forwarded = 0;
391
392 /* If a query is retried, use the log_id for the retry when logging the answer. */
393 forward->log_id = daemon->log_id;
394
395 if (option_bool(OPT_ADD_MAC))
396 plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
397
398 if (option_bool(OPT_CLIENT_SUBNET))
399 {
400 size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
401 if (new != plen)
402 {
403 plen = new;
404 forward->flags |= FREC_HAS_SUBNET;
405 }
406 }
407
408 #ifdef HAVE_DNSSEC
409 if (option_bool(OPT_DNSSEC_VALID))
410 {
411 size_t new_plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
412
413 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
414 this allows it to select auth servers when one is returning bad data. */
415 if (option_bool(OPT_DNSSEC_DEBUG))
416 header->hb4 |= HB4_CD;
417
418 if (new_plen != plen)
419 forward->flags |= FREC_ADDED_PHEADER;
420
421 plen = new_plen;
422 }
423 #endif
424
425 while (1)
426 {
427 /* only send to servers dealing with our domain.
428 domain may be NULL, in which case server->domain
429 must be NULL also. */
430
431 if (type == (start->flags & SERV_TYPE) &&
432 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
433 !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
434 {
435 int fd;
436
437 /* find server socket to use, may need to get random one. */
438 if (start->sfd)
439 fd = start->sfd->fd;
440 else
441 {
442 #ifdef HAVE_IPV6
443 if (start->addr.sa.sa_family == AF_INET6)
444 {
445 if (!forward->rfd6 &&
446 !(forward->rfd6 = allocate_rfd(AF_INET6)))
447 break;
448 daemon->rfd_save = forward->rfd6;
449 fd = forward->rfd6->fd;
450 }
451 else
452 #endif
453 {
454 if (!forward->rfd4 &&
455 !(forward->rfd4 = allocate_rfd(AF_INET)))
456 break;
457 daemon->rfd_save = forward->rfd4;
458 fd = forward->rfd4->fd;
459 }
460
461 #ifdef HAVE_CONNTRACK
462 /* Copy connection mark of incoming query to outgoing connection. */
463 if (option_bool(OPT_CONNTRACK))
464 {
465 unsigned int mark;
466 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
467 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
468 }
469 #endif
470 }
471
472 if (sendto(fd, (char *)header, plen, 0,
473 &start->addr.sa,
474 sa_len(&start->addr)) == -1)
475 {
476 if (retry_send())
477 continue;
478 }
479 else
480 {
481 /* Keep info in case we want to re-send this packet */
482 daemon->srv_save = start;
483 daemon->packet_len = plen;
484
485 if (!gotname)
486 strcpy(daemon->namebuff, "query");
487 if (start->addr.sa.sa_family == AF_INET)
488 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
489 (struct all_addr *)&start->addr.in.sin_addr, NULL);
490 #ifdef HAVE_IPV6
491 else
492 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
493 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
494 #endif
495 start->queries++;
496 forwarded = 1;
497 forward->sentto = start;
498 if (!forward->forwardall)
499 break;
500 forward->forwardall++;
501 }
502 }
503
504 if (!(start = start->next))
505 start = daemon->servers;
506
507 if (start == firstsentto)
508 break;
509 }
510
511 if (forwarded)
512 return 1;
513
514 /* could not send on, prepare to return */
515 header->id = htons(forward->orig_id);
516 free_frec(forward); /* cancel */
517 }
518
519 /* could not send on, return empty answer or address if known for whole domain */
520 if (udpfd != -1)
521 {
522 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
523 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
524 }
525
526 return 0;
527 }
528
529 static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
530 int no_cache, int cache_secure, int ad_reqd, int do_bit, int added_pheader, int check_subnet, union mysockaddr *query_source)
531 {
532 unsigned char *pheader, *sizep;
533 char **sets = 0;
534 int munged = 0, is_sign;
535 size_t plen;
536
537 (void)ad_reqd;
538 (void) do_bit;
539
540 #ifdef HAVE_IPSET
541 if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
542 {
543 /* Similar algorithm to search_servers. */
544 struct ipsets *ipset_pos;
545 unsigned int namelen = strlen(daemon->namebuff);
546 unsigned int matchlen = 0;
547 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
548 {
549 unsigned int domainlen = strlen(ipset_pos->domain);
550 char *matchstart = daemon->namebuff + namelen - domainlen;
551 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
552 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
553 domainlen >= matchlen)
554 {
555 matchlen = domainlen;
556 sets = ipset_pos->sets;
557 }
558 }
559 }
560 #endif
561
562 /* If upstream is advertising a larger UDP packet size
563 than we allow, trim it so that we don't get overlarge
564 requests for the client. We can't do this for signed packets. */
565
566 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
567 {
568 unsigned short udpsz;
569 unsigned char *psave = sizep;
570
571 GETSHORT(udpsz, sizep);
572
573 if (!is_sign && udpsz > daemon->edns_pktsz)
574 PUTSHORT(daemon->edns_pktsz, psave);
575
576 if (check_subnet && !check_source(header, plen, pheader, query_source))
577 {
578 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
579 return 0;
580 }
581
582 if (added_pheader)
583 {
584 pheader = 0;
585 header->arcount = htons(0);
586 }
587 }
588
589 /* RFC 4035 sect 4.6 para 3 */
590 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
591 header->hb4 &= ~HB4_AD;
592
593 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
594 return resize_packet(header, n, pheader, plen);
595
596 /* Complain loudly if the upstream server is non-recursive. */
597 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
598 server && !(server->flags & SERV_WARNED_RECURSIVE))
599 {
600 prettyprint_addr(&server->addr, daemon->namebuff);
601 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
602 if (!option_bool(OPT_LOG))
603 server->flags |= SERV_WARNED_RECURSIVE;
604 }
605
606 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
607 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
608 {
609 munged = 1;
610 SET_RCODE(header, NXDOMAIN);
611 header->hb3 &= ~HB3_AA;
612 cache_secure = 0;
613 }
614 else
615 {
616 int doctored = 0;
617
618 if (RCODE(header) == NXDOMAIN &&
619 extract_request(header, n, daemon->namebuff, NULL) &&
620 check_for_local_domain(daemon->namebuff, now))
621 {
622 /* if we forwarded a query for a locally known name (because it was for
623 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
624 since we know that the domain exists, even if upstream doesn't */
625 munged = 1;
626 header->hb3 |= HB3_AA;
627 SET_RCODE(header, NOERROR);
628 cache_secure = 0;
629 }
630
631 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
632 {
633 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
634 munged = 1;
635 cache_secure = 0;
636 }
637
638 if (doctored)
639 cache_secure = 0;
640 }
641
642 #ifdef HAVE_DNSSEC
643 if (no_cache && !(header->hb4 & HB4_CD))
644 {
645 if (!option_bool(OPT_DNSSEC_DEBUG))
646 {
647 /* Bogus reply, turn into SERVFAIL */
648 SET_RCODE(header, SERVFAIL);
649 munged = 1;
650 }
651 }
652
653 if (option_bool(OPT_DNSSEC_VALID))
654 header->hb4 &= ~HB4_AD;
655
656 if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
657 header->hb4 |= HB4_AD;
658
659 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
660 if (!do_bit)
661 n = filter_rrsigs(header, n);
662 #endif
663
664 /* do this after extract_addresses. Ensure NODATA reply and remove
665 nameserver info. */
666
667 if (munged)
668 {
669 header->ancount = htons(0);
670 header->nscount = htons(0);
671 header->arcount = htons(0);
672 }
673
674 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
675 sections of the packet. Find the new length here and put back pseudoheader
676 if it was removed. */
677 return resize_packet(header, n, pheader, plen);
678 }
679
680 /* sets new last_server */
681 void reply_query(int fd, int family, time_t now)
682 {
683 /* packet from peer server, extract data for cache, and send to
684 original requester */
685 struct dns_header *header;
686 union mysockaddr serveraddr;
687 struct frec *forward;
688 socklen_t addrlen = sizeof(serveraddr);
689 ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
690 size_t nn;
691 struct server *server;
692 void *hash;
693 #ifndef HAVE_DNSSEC
694 unsigned int crc;
695 #endif
696
697 /* packet buffer overwritten */
698 daemon->srv_save = NULL;
699
700 /* Determine the address of the server replying so that we can mark that as good */
701 serveraddr.sa.sa_family = family;
702 #ifdef HAVE_IPV6
703 if (serveraddr.sa.sa_family == AF_INET6)
704 serveraddr.in6.sin6_flowinfo = 0;
705 #endif
706
707 header = (struct dns_header *)daemon->packet;
708
709 if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR))
710 return;
711
712 /* spoof check: answer must come from known server, */
713 for (server = daemon->servers; server; server = server->next)
714 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
715 sockaddr_isequal(&server->addr, &serveraddr))
716 break;
717
718 if (!server)
719 return;
720
721 #ifdef HAVE_DNSSEC
722 hash = hash_questions(header, n, daemon->namebuff);
723 #else
724 hash = &crc;
725 crc = questions_crc(header, n, daemon->namebuff);
726 #endif
727
728 if (!(forward = lookup_frec(ntohs(header->id), hash)))
729 return;
730
731 /* log_query gets called indirectly all over the place, so
732 pass these in global variables - sorry. */
733 daemon->log_display_id = forward->log_id;
734 daemon->log_source_addr = &forward->source;
735
736 if (daemon->ignore_addr && RCODE(header) == NOERROR &&
737 check_for_ignored_address(header, n, daemon->ignore_addr))
738 return;
739
740 if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
741 !option_bool(OPT_ORDER) &&
742 forward->forwardall == 0)
743 /* for broken servers, attempt to send to another one. */
744 {
745 unsigned char *pheader;
746 size_t plen;
747 int is_sign;
748
749 /* recreate query from reply */
750 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
751 if (!is_sign)
752 {
753 header->ancount = htons(0);
754 header->nscount = htons(0);
755 header->arcount = htons(0);
756 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
757 {
758 header->hb3 &= ~(HB3_QR | HB3_TC);
759 forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0);
760 return;
761 }
762 }
763 }
764
765 server = forward->sentto;
766
767 if ((forward->sentto->flags & SERV_TYPE) == 0)
768 {
769 if (RCODE(header) == REFUSED)
770 server = NULL;
771 else
772 {
773 struct server *last_server;
774
775 /* find good server by address if possible, otherwise assume the last one we sent to */
776 for (last_server = daemon->servers; last_server; last_server = last_server->next)
777 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
778 sockaddr_isequal(&last_server->addr, &serveraddr))
779 {
780 server = last_server;
781 break;
782 }
783 }
784 if (!option_bool(OPT_ALL_SERVERS))
785 daemon->last_server = server;
786 }
787
788 /* If the answer is an error, keep the forward record in place in case
789 we get a good reply from another server. Kill it when we've
790 had replies from all to avoid filling the forwarding table when
791 everything is broken */
792 if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
793 {
794 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
795
796 if (option_bool(OPT_NO_REBIND))
797 check_rebind = !(forward->flags & FREC_NOREBIND);
798
799 /* Don't cache replies where DNSSEC validation was turned off, either
800 the upstream server told us so, or the original query specified it. */
801 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
802 no_cache_dnssec = 1;
803
804 #ifdef HAVE_DNSSEC
805 if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
806 {
807 int status;
808
809 /* We've had a reply already, which we're validating. Ignore this duplicate */
810 if (forward->blocking_query)
811 return;
812
813 if (header->hb3 & HB3_TC)
814 {
815 /* Truncated answer can't be validated.
816 If this is an answer to a DNSSEC-generated query, we still
817 need to get the client to retry over TCP, so return
818 an answer with the TC bit set, even if the actual answer fits.
819 */
820 status = STAT_TRUNCATED;
821 }
822 else if (forward->flags & FREC_DNSKEY_QUERY)
823 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
824 else if (forward->flags & FREC_DS_QUERY)
825 {
826 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
827 if (status == STAT_NO_DS || status == STAT_NO_NS)
828 status = STAT_BOGUS;
829 }
830 else if (forward->flags & FREC_CHECK_NOSIGN)
831 {
832 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
833 if (status != STAT_NEED_KEY)
834 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
835 }
836 else
837 {
838 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
839 if (status == STAT_NO_SIG)
840 {
841 if (option_bool(OPT_DNSSEC_NO_SIGN))
842 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
843 else
844 status = STAT_INSECURE;
845 }
846 }
847 /* Can't validate, as we're missing key data. Put this
848 answer aside, whilst we get that. */
849 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
850 {
851 struct frec *new, *orig;
852
853 /* Free any saved query */
854 if (forward->stash)
855 blockdata_free(forward->stash);
856
857 /* Now save reply pending receipt of key data */
858 if (!(forward->stash = blockdata_alloc((char *)header, n)))
859 return;
860 forward->stash_len = n;
861
862 anotherkey:
863 /* Find the original query that started it all.... */
864 for (orig = forward; orig->dependent; orig = orig->dependent);
865
866 if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1)))
867 status = STAT_INSECURE;
868 else
869 {
870 int fd;
871 struct frec *next = new->next;
872 *new = *forward; /* copy everything, then overwrite */
873 new->next = next;
874 new->blocking_query = NULL;
875 new->sentto = server;
876 new->rfd4 = NULL;
877 new->orig_domain = NULL;
878 #ifdef HAVE_IPV6
879 new->rfd6 = NULL;
880 #endif
881 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN);
882
883 new->dependent = forward; /* to find query awaiting new one. */
884 forward->blocking_query = new; /* for garbage cleaning */
885 /* validate routines leave name of required record in daemon->keyname */
886 if (status == STAT_NEED_KEY)
887 {
888 new->flags |= FREC_DNSKEY_QUERY;
889 nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
890 daemon->keyname, forward->class, T_DNSKEY, &server->addr);
891 }
892 else
893 {
894 if (status == STAT_NEED_DS_NEG)
895 new->flags |= FREC_CHECK_NOSIGN;
896 else
897 new->flags |= FREC_DS_QUERY;
898 nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
899 daemon->keyname, forward->class, T_DS, &server->addr);
900 }
901 if ((hash = hash_questions(header, nn, daemon->namebuff)))
902 memcpy(new->hash, hash, HASH_SIZE);
903 new->new_id = get_id();
904 header->id = htons(new->new_id);
905 /* Save query for retransmission */
906 if (!(new->stash = blockdata_alloc((char *)header, nn)))
907 return;
908
909 new->stash_len = nn;
910
911 /* Don't resend this. */
912 daemon->srv_save = NULL;
913
914 if (server->sfd)
915 fd = server->sfd->fd;
916 else
917 {
918 fd = -1;
919 #ifdef HAVE_IPV6
920 if (server->addr.sa.sa_family == AF_INET6)
921 {
922 if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
923 fd = new->rfd6->fd;
924 }
925 else
926 #endif
927 {
928 if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
929 fd = new->rfd4->fd;
930 }
931 }
932
933 if (fd != -1)
934 {
935 while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
936 server->queries++;
937 }
938
939 return;
940 }
941 }
942
943 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
944 Now wind back down, pulling back answers which wouldn't previously validate
945 and validate them with the new data. Note that if an answer needs multiple
946 keys to validate, we may find another key is needed, in which case we set off
947 down another branch of the tree. Once we get to the original answer
948 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
949 while (forward->dependent)
950 {
951 struct frec *prev = forward->dependent;
952 free_frec(forward);
953 forward = prev;
954 forward->blocking_query = NULL; /* already gone */
955 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
956 n = forward->stash_len;
957
958 if (status == STAT_SECURE)
959 {
960 if (forward->flags & FREC_DNSKEY_QUERY)
961 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
962 else if (forward->flags & FREC_DS_QUERY)
963 {
964 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
965 if (status == STAT_NO_DS || status == STAT_NO_NS)
966 status = STAT_BOGUS;
967 }
968 else if (forward->flags & FREC_CHECK_NOSIGN)
969 {
970 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
971 if (status != STAT_NEED_KEY)
972 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
973 }
974 else
975 {
976 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
977 if (status == STAT_NO_SIG)
978 {
979 if (option_bool(OPT_DNSSEC_NO_SIGN))
980 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
981 else
982 status = STAT_INSECURE;
983 }
984 }
985
986 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
987 goto anotherkey;
988 }
989 }
990
991 if (status == STAT_TRUNCATED)
992 header->hb3 |= HB3_TC;
993 else
994 {
995 char *result;
996
997 if (forward->work_counter == 0)
998 result = "ABANDONED";
999 else
1000 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1001
1002 log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
1003 }
1004
1005 no_cache_dnssec = 0;
1006
1007 if (status == STAT_SECURE)
1008 cache_secure = 1;
1009 else if (status == STAT_BOGUS)
1010 no_cache_dnssec = 1;
1011 }
1012 #endif
1013
1014 /* restore CD bit to the value in the query */
1015 if (forward->flags & FREC_CHECKING_DISABLED)
1016 header->hb4 |= HB4_CD;
1017 else
1018 header->hb4 &= ~HB4_CD;
1019
1020 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
1021 forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
1022 forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
1023 {
1024 header->id = htons(forward->orig_id);
1025 header->hb4 |= HB4_RA; /* recursion if available */
1026 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
1027 &forward->source, &forward->dest, forward->iface);
1028 }
1029 free_frec(forward); /* cancel */
1030 }
1031 }
1032
1033
1034 void receive_query(struct listener *listen, time_t now)
1035 {
1036 struct dns_header *header = (struct dns_header *)daemon->packet;
1037 union mysockaddr source_addr;
1038 unsigned short type;
1039 struct all_addr dst_addr;
1040 struct in_addr netmask, dst_addr_4;
1041 size_t m;
1042 ssize_t n;
1043 int if_index = 0, auth_dns = 0;
1044 #ifdef HAVE_AUTH
1045 int local_auth = 0;
1046 #endif
1047 struct iovec iov[1];
1048 struct msghdr msg;
1049 struct cmsghdr *cmptr;
1050 union {
1051 struct cmsghdr align; /* this ensures alignment */
1052 #ifdef HAVE_IPV6
1053 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
1054 #endif
1055 #if defined(HAVE_LINUX_NETWORK)
1056 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
1057 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1058 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1059 CMSG_SPACE(sizeof(unsigned int))];
1060 #elif defined(IP_RECVDSTADDR)
1061 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1062 CMSG_SPACE(sizeof(struct sockaddr_dl))];
1063 #endif
1064 } control_u;
1065 #ifdef HAVE_IPV6
1066 /* Can always get recvd interface for IPv6 */
1067 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
1068 #else
1069 int check_dst = !option_bool(OPT_NOWILD);
1070 #endif
1071
1072 /* packet buffer overwritten */
1073 daemon->srv_save = NULL;
1074
1075 dst_addr_4.s_addr = dst_addr.addr.addr4.s_addr = 0;
1076 netmask.s_addr = 0;
1077
1078 if (option_bool(OPT_NOWILD) && listen->iface)
1079 {
1080 auth_dns = listen->iface->dns_auth;
1081
1082 if (listen->family == AF_INET)
1083 {
1084 dst_addr_4 = dst_addr.addr.addr4 = listen->iface->addr.in.sin_addr;
1085 netmask = listen->iface->netmask;
1086 }
1087 }
1088
1089 iov[0].iov_base = daemon->packet;
1090 iov[0].iov_len = daemon->edns_pktsz;
1091
1092 msg.msg_control = control_u.control;
1093 msg.msg_controllen = sizeof(control_u);
1094 msg.msg_flags = 0;
1095 msg.msg_name = &source_addr;
1096 msg.msg_namelen = sizeof(source_addr);
1097 msg.msg_iov = iov;
1098 msg.msg_iovlen = 1;
1099
1100 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
1101 return;
1102
1103 if (n < (int)sizeof(struct dns_header) ||
1104 (msg.msg_flags & MSG_TRUNC) ||
1105 (header->hb3 & HB3_QR))
1106 return;
1107
1108 source_addr.sa.sa_family = listen->family;
1109
1110 if (listen->family == AF_INET)
1111 {
1112 /* Source-port == 0 is an error, we can't send back to that.
1113 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1114 if (source_addr.in.sin_port == 0)
1115 return;
1116 }
1117 #ifdef HAVE_IPV6
1118 else
1119 {
1120 /* Source-port == 0 is an error, we can't send back to that. */
1121 if (source_addr.in6.sin6_port == 0)
1122 return;
1123 source_addr.in6.sin6_flowinfo = 0;
1124 }
1125 #endif
1126
1127 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1128 if (option_bool(OPT_LOCAL_SERVICE))
1129 {
1130 struct addrlist *addr;
1131 #ifdef HAVE_IPV6
1132 if (listen->family == AF_INET6)
1133 {
1134 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1135 if ((addr->flags & ADDRLIST_IPV6) &&
1136 is_same_net6(&addr->addr.addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen))
1137 break;
1138 }
1139 else
1140 #endif
1141 {
1142 struct in_addr netmask;
1143 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1144 {
1145 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
1146 if (!(addr->flags & ADDRLIST_IPV6) &&
1147 is_same_net(addr->addr.addr.addr4, source_addr.in.sin_addr, netmask))
1148 break;
1149 }
1150 }
1151 if (!addr)
1152 {
1153 static int warned = 0;
1154 if (!warned)
1155 {
1156 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1157 warned = 1;
1158 }
1159 return;
1160 }
1161 }
1162
1163 if (check_dst)
1164 {
1165 struct ifreq ifr;
1166
1167 if (msg.msg_controllen < sizeof(struct cmsghdr))
1168 return;
1169
1170 #if defined(HAVE_LINUX_NETWORK)
1171 if (listen->family == AF_INET)
1172 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1173 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
1174 {
1175 union {
1176 unsigned char *c;
1177 struct in_pktinfo *p;
1178 } p;
1179 p.c = CMSG_DATA(cmptr);
1180 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
1181 if_index = p.p->ipi_ifindex;
1182 }
1183 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1184 if (listen->family == AF_INET)
1185 {
1186 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1187 {
1188 union {
1189 unsigned char *c;
1190 unsigned int *i;
1191 struct in_addr *a;
1192 #ifndef HAVE_SOLARIS_NETWORK
1193 struct sockaddr_dl *s;
1194 #endif
1195 } p;
1196 p.c = CMSG_DATA(cmptr);
1197 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
1198 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
1199 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
1200 #ifdef HAVE_SOLARIS_NETWORK
1201 if_index = *(p.i);
1202 #else
1203 if_index = p.s->sdl_index;
1204 #endif
1205 }
1206 }
1207 #endif
1208
1209 #ifdef HAVE_IPV6
1210 if (listen->family == AF_INET6)
1211 {
1212 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1213 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
1214 {
1215 union {
1216 unsigned char *c;
1217 struct in6_pktinfo *p;
1218 } p;
1219 p.c = CMSG_DATA(cmptr);
1220
1221 dst_addr.addr.addr6 = p.p->ipi6_addr;
1222 if_index = p.p->ipi6_ifindex;
1223 }
1224 }
1225 #endif
1226
1227 /* enforce available interface configuration */
1228
1229 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
1230 return;
1231
1232 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1233 {
1234 if (!option_bool(OPT_CLEVERBIND))
1235 enumerate_interfaces(0);
1236 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1237 !label_exception(if_index, listen->family, &dst_addr))
1238 return;
1239 }
1240
1241 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1242 {
1243 struct irec *iface;
1244
1245 /* get the netmask of the interface whch has the address we were sent to.
1246 This is no neccessarily the interface we arrived on. */
1247
1248 for (iface = daemon->interfaces; iface; iface = iface->next)
1249 if (iface->addr.sa.sa_family == AF_INET &&
1250 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1251 break;
1252
1253 /* interface may be new */
1254 if (!iface && !option_bool(OPT_CLEVERBIND))
1255 enumerate_interfaces(0);
1256
1257 for (iface = daemon->interfaces; iface; iface = iface->next)
1258 if (iface->addr.sa.sa_family == AF_INET &&
1259 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1260 break;
1261
1262 /* If we failed, abandon localisation */
1263 if (iface)
1264 netmask = iface->netmask;
1265 else
1266 dst_addr_4.s_addr = 0;
1267 }
1268 }
1269
1270 /* log_query gets called indirectly all over the place, so
1271 pass these in global variables - sorry. */
1272 daemon->log_display_id = ++daemon->log_id;
1273 daemon->log_source_addr = &source_addr;
1274
1275 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
1276 {
1277 #ifdef HAVE_AUTH
1278 struct auth_zone *zone;
1279 #endif
1280 char *types = querystr(auth_dns ? "auth" : "query", type);
1281
1282 if (listen->family == AF_INET)
1283 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1284 (struct all_addr *)&source_addr.in.sin_addr, types);
1285 #ifdef HAVE_IPV6
1286 else
1287 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1288 (struct all_addr *)&source_addr.in6.sin6_addr, types);
1289 #endif
1290
1291 #ifdef HAVE_AUTH
1292 /* find queries for zones we're authoritative for, and answer them directly */
1293 if (!auth_dns)
1294 for (zone = daemon->auth_zones; zone; zone = zone->next)
1295 if (in_zone(zone, daemon->namebuff, NULL))
1296 {
1297 auth_dns = 1;
1298 local_auth = 1;
1299 break;
1300 }
1301 #endif
1302
1303 #ifdef HAVE_LOOP
1304 /* Check for forwarding loop */
1305 if (detect_loop(daemon->namebuff, type))
1306 return;
1307 #endif
1308 }
1309
1310 #ifdef HAVE_AUTH
1311 if (auth_dns)
1312 {
1313 m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
1314 if (m >= 1)
1315 {
1316 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1317 (char *)header, m, &source_addr, &dst_addr, if_index);
1318 daemon->auth_answer++;
1319 }
1320 }
1321 else
1322 #endif
1323 {
1324 int ad_reqd, do_bit;
1325 m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
1326 dst_addr_4, netmask, now, &ad_reqd, &do_bit);
1327
1328 if (m >= 1)
1329 {
1330 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1331 (char *)header, m, &source_addr, &dst_addr, if_index);
1332 daemon->local_answer++;
1333 }
1334 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1335 header, (size_t)n, now, NULL, ad_reqd, do_bit))
1336 daemon->queries_forwarded++;
1337 else
1338 daemon->local_answer++;
1339 }
1340 }
1341
1342 #ifdef HAVE_DNSSEC
1343
1344 /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1345 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1346 STAT_NEED_DS_NEG and keyname if we need to do the query. */
1347 static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
1348 char *name, char *keyname)
1349 {
1350 int status = dnssec_chase_cname(now, header, plen, name, keyname);
1351
1352 if (status != STAT_INSECURE)
1353 return status;
1354
1355 /* Store the domain we're trying to check. */
1356 forward->name_start = strlen(name);
1357 forward->name_len = forward->name_start + 1;
1358 if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len)))
1359 return STAT_BOGUS;
1360
1361 return do_check_sign(forward, 0, now, name, keyname);
1362 }
1363
1364 /* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1365 static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname)
1366 {
1367 /* get domain we're checking back from blockdata store, it's stored on the original query. */
1368 while (forward->dependent)
1369 forward = forward->dependent;
1370
1371 blockdata_retrieve(forward->orig_domain, forward->name_len, name);
1372
1373 while (1)
1374 {
1375 char *p;
1376
1377 if (status == 0)
1378 {
1379 struct crec *crecp;
1380
1381 /* Haven't received answer, see if in cache */
1382 if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS)))
1383 {
1384 /* put name of DS record we're missing into keyname */
1385 strcpy(keyname, &name[forward->name_start]);
1386 /* and wait for reply to arrive */
1387 return STAT_NEED_DS_NEG;
1388 }
1389
1390 /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1391 if (!(crecp->flags & F_NEG))
1392 status = STAT_SECURE;
1393 else if (crecp->flags & F_DNSSECOK)
1394 status = STAT_NO_DS;
1395 else
1396 status = STAT_NO_NS;
1397 }
1398
1399 /* Have entered non-signed part of DNS tree. */
1400 if (status == STAT_NO_DS)
1401 return STAT_INSECURE;
1402
1403 if (status == STAT_BOGUS)
1404 return STAT_BOGUS;
1405
1406 /* There's a proven DS record, or we're within a zone, where there doesn't need
1407 to be a DS record. Add a name and try again.
1408 If we've already tried the whole name, then fail */
1409
1410 if (forward->name_start == 0)
1411 return STAT_BOGUS;
1412
1413 for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--);
1414
1415 if (p != name)
1416 p++;
1417
1418 forward->name_start = p - name;
1419 status = 0; /* force to cache when we iterate. */
1420 }
1421 }
1422
1423 /* Move toward the root, until we find a signed non-existance of a DS, in which case
1424 an unsigned answer is OK, or we find a signed DS, in which case there should be
1425 a signature, and the answer is BOGUS */
1426 static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name,
1427 char *keyname, struct server *server, int *keycount)
1428 {
1429 size_t m;
1430 unsigned char *packet, *payload;
1431 u16 *length;
1432 int status, name_len;
1433 struct blockdata *block;
1434
1435 char *name_start;
1436
1437 /* Get first insecure entry in CNAME chain */
1438 status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount);
1439 if (status == STAT_BOGUS)
1440 return STAT_BOGUS;
1441
1442 if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16))))
1443 return STAT_BOGUS;
1444
1445 payload = &packet[2];
1446 header = (struct dns_header *)payload;
1447 length = (u16 *)packet;
1448
1449 /* Stash the name away, since the buffer will be trashed when we recurse */
1450 name_len = strlen(name) + 1;
1451 name_start = name + name_len - 1;
1452
1453 if (!(block = blockdata_alloc(name, name_len)))
1454 {
1455 free(packet);
1456 return STAT_BOGUS;
1457 }
1458
1459 while (1)
1460 {
1461 unsigned char c1, c2;
1462 struct crec *crecp;
1463
1464 if (--(*keycount) == 0)
1465 {
1466 free(packet);
1467 blockdata_free(block);
1468 return STAT_BOGUS;
1469 }
1470
1471 while ((crecp = cache_find_by_name(NULL, name_start, now, F_DS)))
1472 {
1473 if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))
1474 {
1475 /* Found a secure denial of DS - delegation is indeed insecure */
1476 free(packet);
1477 blockdata_free(block);
1478 return STAT_INSECURE;
1479 }
1480
1481 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1482 Add another label and continue. */
1483
1484 if (name_start == name)
1485 {
1486 free(packet);
1487 blockdata_free(block);
1488 return STAT_BOGUS; /* run out of labels */
1489 }
1490
1491 name_start -= 2;
1492 while (*name_start != '.' && name_start != name)
1493 name_start--;
1494 if (name_start != name)
1495 name_start++;
1496 }
1497
1498 /* Can't find it in the cache, have to send a query */
1499
1500 m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr);
1501
1502 *length = htons(m);
1503
1504 if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
1505 read_write(server->tcpfd, &c1, 1, 1) &&
1506 read_write(server->tcpfd, &c2, 1, 1) &&
1507 read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1508 {
1509 m = (c1 << 8) | c2;
1510
1511 /* Note this trashes all three name workspaces */
1512 status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
1513
1514 if (status == STAT_NO_DS)
1515 {
1516 /* Found a secure denial of DS - delegation is indeed insecure */
1517 free(packet);
1518 blockdata_free(block);
1519 return STAT_INSECURE;
1520 }
1521
1522 if (status == STAT_BOGUS)
1523 {
1524 free(packet);
1525 blockdata_free(block);
1526 return STAT_BOGUS;
1527 }
1528
1529 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1530 Add another label and continue. */
1531
1532 /* Get name we're checking back. */
1533 blockdata_retrieve(block, name_len, name);
1534
1535 if (name_start == name)
1536 {
1537 free(packet);
1538 blockdata_free(block);
1539 return STAT_BOGUS; /* run out of labels */
1540 }
1541
1542 name_start -= 2;
1543 while (*name_start != '.' && name_start != name)
1544 name_start--;
1545 if (name_start != name)
1546 name_start++;
1547 }
1548 else
1549 {
1550 /* IO failure */
1551 free(packet);
1552 blockdata_free(block);
1553 return STAT_BOGUS; /* run out of labels */
1554 }
1555 }
1556 }
1557
1558 static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
1559 int class, char *name, char *keyname, struct server *server, int *keycount)
1560 {
1561 /* Recurse up the key heirarchy */
1562 int new_status;
1563
1564 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1565 if (--(*keycount) == 0)
1566 return STAT_INSECURE;
1567
1568 if (status == STAT_NEED_KEY)
1569 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
1570 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1571 {
1572 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
1573 if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS))
1574 new_status = STAT_BOGUS;
1575 }
1576 else if (status == STAT_CHASE_CNAME)
1577 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1578 else
1579 {
1580 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
1581
1582 if (new_status == STAT_NO_SIG)
1583 {
1584 if (option_bool(OPT_DNSSEC_NO_SIGN))
1585 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1586 else
1587 new_status = STAT_INSECURE;
1588 }
1589 }
1590
1591 /* Can't validate because we need a key/DS whose name now in keyname.
1592 Make query for same, and recurse to validate */
1593 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1594 {
1595 size_t m;
1596 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1597 unsigned char *payload = &packet[2];
1598 struct dns_header *new_header = (struct dns_header *)payload;
1599 u16 *length = (u16 *)packet;
1600 unsigned char c1, c2;
1601
1602 if (!packet)
1603 return STAT_INSECURE;
1604
1605 another_tcp_key:
1606 m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class,
1607 new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
1608
1609 *length = htons(m);
1610
1611 if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) ||
1612 !read_write(server->tcpfd, &c1, 1, 1) ||
1613 !read_write(server->tcpfd, &c2, 1, 1) ||
1614 !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1615 new_status = STAT_INSECURE;
1616 else
1617 {
1618 m = (c1 << 8) | c2;
1619
1620 new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount);
1621
1622 if (new_status == STAT_SECURE)
1623 {
1624 /* Reached a validated record, now try again at this level.
1625 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1626 If so, go round again. */
1627
1628 if (status == STAT_NEED_KEY)
1629 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
1630 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1631 {
1632 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
1633 if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS))
1634 new_status = STAT_BOGUS; /* Validated no DS */
1635 }
1636 else if (status == STAT_CHASE_CNAME)
1637 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1638 else
1639 {
1640 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
1641
1642 if (new_status == STAT_NO_SIG)
1643 {
1644 if (option_bool(OPT_DNSSEC_NO_SIGN))
1645 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1646 else
1647 new_status = STAT_INSECURE;
1648 }
1649 }
1650
1651 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1652 goto another_tcp_key;
1653 }
1654 }
1655
1656 free(packet);
1657 }
1658 return new_status;
1659 }
1660 #endif
1661
1662
1663 /* The daemon forks before calling this: it should deal with one connection,
1664 blocking as neccessary, and then return. Note, need to be a bit careful
1665 about resources for debug mode, when the fork is suppressed: that's
1666 done by the caller. */
1667 unsigned char *tcp_request(int confd, time_t now,
1668 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
1669 {
1670 size_t size = 0;
1671 int norebind = 0;
1672 #ifdef HAVE_AUTH
1673 int local_auth = 0;
1674 #endif
1675 int checking_disabled, ad_question, do_bit, added_pheader = 0;
1676 int check_subnet, no_cache_dnssec = 0, cache_secure = 0;
1677 size_t m;
1678 unsigned short qtype;
1679 unsigned int gotname;
1680 unsigned char c1, c2;
1681 /* Max TCP packet + slop + size */
1682 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1683 unsigned char *payload = &packet[2];
1684 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1685 struct dns_header *header = (struct dns_header *)payload;
1686 u16 *length = (u16 *)packet;
1687 struct server *last_server;
1688 struct in_addr dst_addr_4;
1689 union mysockaddr peer_addr;
1690 socklen_t peer_len = sizeof(union mysockaddr);
1691 int query_count = 0;
1692
1693 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1694 return packet;
1695
1696 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1697 if (option_bool(OPT_LOCAL_SERVICE))
1698 {
1699 struct addrlist *addr;
1700 #ifdef HAVE_IPV6
1701 if (peer_addr.sa.sa_family == AF_INET6)
1702 {
1703 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1704 if ((addr->flags & ADDRLIST_IPV6) &&
1705 is_same_net6(&addr->addr.addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen))
1706 break;
1707 }
1708 else
1709 #endif
1710 {
1711 struct in_addr netmask;
1712 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1713 {
1714 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
1715 if (!(addr->flags & ADDRLIST_IPV6) &&
1716 is_same_net(addr->addr.addr.addr4, peer_addr.in.sin_addr, netmask))
1717 break;
1718 }
1719 }
1720 if (!addr)
1721 {
1722 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1723 return packet;
1724 }
1725 }
1726
1727 while (1)
1728 {
1729 if (query_count == TCP_MAX_QUERIES ||
1730 !packet ||
1731 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1732 !(size = c1 << 8 | c2) ||
1733 !read_write(confd, payload, size, 1))
1734 return packet;
1735
1736 if (size < (int)sizeof(struct dns_header))
1737 continue;
1738
1739 query_count++;
1740
1741 /* log_query gets called indirectly all over the place, so
1742 pass these in global variables - sorry. */
1743 daemon->log_display_id = ++daemon->log_id;
1744 daemon->log_source_addr = &peer_addr;
1745
1746 check_subnet = 0;
1747
1748 /* save state of "cd" flag in query */
1749 if ((checking_disabled = header->hb4 & HB4_CD))
1750 no_cache_dnssec = 1;
1751
1752 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1753 {
1754 #ifdef HAVE_AUTH
1755 struct auth_zone *zone;
1756 #endif
1757 char *types = querystr(auth_dns ? "auth" : "query", qtype);
1758
1759 if (peer_addr.sa.sa_family == AF_INET)
1760 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1761 (struct all_addr *)&peer_addr.in.sin_addr, types);
1762 #ifdef HAVE_IPV6
1763 else
1764 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1765 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
1766 #endif
1767
1768 #ifdef HAVE_AUTH
1769 /* find queries for zones we're authoritative for, and answer them directly */
1770 if (!auth_dns)
1771 for (zone = daemon->auth_zones; zone; zone = zone->next)
1772 if (in_zone(zone, daemon->namebuff, NULL))
1773 {
1774 auth_dns = 1;
1775 local_auth = 1;
1776 break;
1777 }
1778 #endif
1779 }
1780
1781 if (local_addr->sa.sa_family == AF_INET)
1782 dst_addr_4 = local_addr->in.sin_addr;
1783 else
1784 dst_addr_4.s_addr = 0;
1785
1786 #ifdef HAVE_AUTH
1787 if (auth_dns)
1788 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
1789 else
1790 #endif
1791 {
1792 /* m > 0 if answered from cache */
1793 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1794 dst_addr_4, netmask, now, &ad_question, &do_bit);
1795
1796 /* Do this by steam now we're not in the select() loop */
1797 check_log_writer(NULL);
1798
1799 if (m == 0)
1800 {
1801 unsigned int flags = 0;
1802 struct all_addr *addrp = NULL;
1803 int type = 0;
1804 char *domain = NULL;
1805
1806 if (option_bool(OPT_ADD_MAC))
1807 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
1808
1809 if (option_bool(OPT_CLIENT_SUBNET))
1810 {
1811 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1812 if (size != new)
1813 {
1814 size = new;
1815 check_subnet = 1;
1816 }
1817 }
1818
1819 if (gotname)
1820 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1821
1822 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1823 last_server = daemon->servers;
1824 else
1825 last_server = daemon->last_server;
1826
1827 if (!flags && last_server)
1828 {
1829 struct server *firstsendto = NULL;
1830 #ifdef HAVE_DNSSEC
1831 unsigned char *newhash, hash[HASH_SIZE];
1832 if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff)))
1833 memcpy(hash, newhash, HASH_SIZE);
1834 else
1835 memset(hash, 0, HASH_SIZE);
1836 #else
1837 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1838 #endif
1839 /* Loop round available servers until we succeed in connecting to one.
1840 Note that this code subtley ensures that consecutive queries on this connection
1841 which can go to the same server, do so. */
1842 while (1)
1843 {
1844 if (!firstsendto)
1845 firstsendto = last_server;
1846 else
1847 {
1848 if (!(last_server = last_server->next))
1849 last_server = daemon->servers;
1850
1851 if (last_server == firstsendto)
1852 break;
1853 }
1854
1855 /* server for wrong domain */
1856 if (type != (last_server->flags & SERV_TYPE) ||
1857 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)) ||
1858 (last_server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
1859 continue;
1860
1861 if (last_server->tcpfd == -1)
1862 {
1863 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1864 continue;
1865
1866 #ifdef HAVE_CONNTRACK
1867 /* Copy connection mark of incoming query to outgoing connection. */
1868 if (option_bool(OPT_CONNTRACK))
1869 {
1870 unsigned int mark;
1871 struct all_addr local;
1872 #ifdef HAVE_IPV6
1873 if (local_addr->sa.sa_family == AF_INET6)
1874 local.addr.addr6 = local_addr->in6.sin6_addr;
1875 else
1876 #endif
1877 local.addr.addr4 = local_addr->in.sin_addr;
1878
1879 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1880 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1881 }
1882 #endif
1883
1884 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1885 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1886 {
1887 close(last_server->tcpfd);
1888 last_server->tcpfd = -1;
1889 continue;
1890 }
1891
1892 #ifdef HAVE_DNSSEC
1893 if (option_bool(OPT_DNSSEC_VALID))
1894 {
1895 size_t new_size = add_do_bit(header, size, ((char *) header) + 65536);
1896
1897 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1898 this allows it to select auth servers when one is returning bad data. */
1899 if (option_bool(OPT_DNSSEC_DEBUG))
1900 header->hb4 |= HB4_CD;
1901
1902 if (size != new_size)
1903 added_pheader = 1;
1904
1905 size = new_size;
1906 }
1907 #endif
1908 }
1909
1910 *length = htons(size);
1911
1912 /* get query name again for logging - may have been overwritten */
1913 if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1914 strcpy(daemon->namebuff, "query");
1915
1916 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
1917 !read_write(last_server->tcpfd, &c1, 1, 1) ||
1918 !read_write(last_server->tcpfd, &c2, 1, 1) ||
1919 !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
1920 {
1921 close(last_server->tcpfd);
1922 last_server->tcpfd = -1;
1923 continue;
1924 }
1925
1926 m = (c1 << 8) | c2;
1927
1928 if (last_server->addr.sa.sa_family == AF_INET)
1929 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1930 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
1931 #ifdef HAVE_IPV6
1932 else
1933 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1934 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
1935 #endif
1936
1937 #ifdef HAVE_DNSSEC
1938 if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
1939 {
1940 int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
1941 int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
1942 char *result;
1943
1944 if (keycount == 0)
1945 result = "ABANDONED";
1946 else
1947 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1948
1949 log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
1950
1951 if (status == STAT_BOGUS)
1952 no_cache_dnssec = 1;
1953
1954 if (status == STAT_SECURE)
1955 cache_secure = 1;
1956 }
1957 #endif
1958
1959 /* restore CD bit to the value in the query */
1960 if (checking_disabled)
1961 header->hb4 |= HB4_CD;
1962 else
1963 header->hb4 &= ~HB4_CD;
1964
1965 /* There's no point in updating the cache, since this process will exit and
1966 lose the information after a few queries. We make this call for the alias and
1967 bogus-nxdomain side-effects. */
1968 /* If the crc of the question section doesn't match the crc we sent, then
1969 someone might be attempting to insert bogus values into the cache by
1970 sending replies containing questions and bogus answers. */
1971 #ifdef HAVE_DNSSEC
1972 newhash = hash_questions(header, (unsigned int)m, daemon->namebuff);
1973 if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0)
1974 {
1975 m = 0;
1976 break;
1977 }
1978 #else
1979 if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff))
1980 {
1981 m = 0;
1982 break;
1983 }
1984 #endif
1985
1986 m = process_reply(header, now, last_server, (unsigned int)m,
1987 option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
1988 cache_secure, ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
1989
1990 break;
1991 }
1992 }
1993
1994 /* In case of local answer or no connections made. */
1995 if (m == 0)
1996 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
1997 }
1998 }
1999
2000 check_log_writer(NULL);
2001
2002 *length = htons(m);
2003
2004 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
2005 return packet;
2006 }
2007 }
2008
2009 static struct frec *allocate_frec(time_t now)
2010 {
2011 struct frec *f;
2012
2013 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
2014 {
2015 f->next = daemon->frec_list;
2016 f->time = now;
2017 f->sentto = NULL;
2018 f->rfd4 = NULL;
2019 f->flags = 0;
2020 #ifdef HAVE_IPV6
2021 f->rfd6 = NULL;
2022 #endif
2023 #ifdef HAVE_DNSSEC
2024 f->dependent = NULL;
2025 f->blocking_query = NULL;
2026 f->stash = NULL;
2027 f->orig_domain = NULL;
2028 #endif
2029 daemon->frec_list = f;
2030 }
2031
2032 return f;
2033 }
2034
2035 struct randfd *allocate_rfd(int family)
2036 {
2037 static int finger = 0;
2038 int i;
2039
2040 /* limit the number of sockets we have open to avoid starvation of
2041 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2042
2043 for (i = 0; i < RANDOM_SOCKS; i++)
2044 if (daemon->randomsocks[i].refcount == 0)
2045 {
2046 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
2047 break;
2048
2049 daemon->randomsocks[i].refcount = 1;
2050 daemon->randomsocks[i].family = family;
2051 return &daemon->randomsocks[i];
2052 }
2053
2054 /* No free ones or cannot get new socket, grab an existing one */
2055 for (i = 0; i < RANDOM_SOCKS; i++)
2056 {
2057 int j = (i+finger) % RANDOM_SOCKS;
2058 if (daemon->randomsocks[j].refcount != 0 &&
2059 daemon->randomsocks[j].family == family &&
2060 daemon->randomsocks[j].refcount != 0xffff)
2061 {
2062 finger = j;
2063 daemon->randomsocks[j].refcount++;
2064 return &daemon->randomsocks[j];
2065 }
2066 }
2067
2068 return NULL; /* doom */
2069 }
2070
2071 void free_rfd(struct randfd *rfd)
2072 {
2073 if (rfd && --(rfd->refcount) == 0)
2074 close(rfd->fd);
2075 }
2076
2077 static void free_frec(struct frec *f)
2078 {
2079 free_rfd(f->rfd4);
2080 f->rfd4 = NULL;
2081 f->sentto = NULL;
2082 f->flags = 0;
2083
2084 #ifdef HAVE_IPV6
2085 free_rfd(f->rfd6);
2086 f->rfd6 = NULL;
2087 #endif
2088
2089 #ifdef HAVE_DNSSEC
2090 if (f->stash)
2091 {
2092 blockdata_free(f->stash);
2093 f->stash = NULL;
2094 }
2095
2096 if (f->orig_domain)
2097 {
2098 blockdata_free(f->orig_domain);
2099 f->orig_domain = NULL;
2100 }
2101
2102 /* Anything we're waiting on is pointless now, too */
2103 if (f->blocking_query)
2104 free_frec(f->blocking_query);
2105 f->blocking_query = NULL;
2106 f->dependent = NULL;
2107 #endif
2108 }
2109
2110 /* if wait==NULL return a free or older than TIMEOUT record.
2111 else return *wait zero if one available, or *wait is delay to
2112 when the oldest in-use record will expire. Impose an absolute
2113 limit of 4*TIMEOUT before we wipe things (for random sockets).
2114 If force is set, always return a result, even if we have
2115 to allocate above the limit. */
2116 struct frec *get_new_frec(time_t now, int *wait, int force)
2117 {
2118 struct frec *f, *oldest, *target;
2119 int count;
2120
2121 if (wait)
2122 *wait = 0;
2123
2124 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
2125 if (!f->sentto)
2126 target = f;
2127 else
2128 {
2129 if (difftime(now, f->time) >= 4*TIMEOUT)
2130 {
2131 free_frec(f);
2132 target = f;
2133 }
2134
2135 if (!oldest || difftime(f->time, oldest->time) <= 0)
2136 oldest = f;
2137 }
2138
2139 if (target)
2140 {
2141 target->time = now;
2142 return target;
2143 }
2144
2145 /* can't find empty one, use oldest if there is one
2146 and it's older than timeout */
2147 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
2148 {
2149 /* keep stuff for twice timeout if we can by allocating a new
2150 record instead */
2151 if (difftime(now, oldest->time) < 2*TIMEOUT &&
2152 count <= daemon->ftabsize &&
2153 (f = allocate_frec(now)))
2154 return f;
2155
2156 if (!wait)
2157 {
2158 free_frec(oldest);
2159 oldest->time = now;
2160 }
2161 return oldest;
2162 }
2163
2164 /* none available, calculate time 'till oldest record expires */
2165 if (!force && count > daemon->ftabsize)
2166 {
2167 static time_t last_log = 0;
2168
2169 if (oldest && wait)
2170 *wait = oldest->time + (time_t)TIMEOUT - now;
2171
2172 if ((int)difftime(now, last_log) > 5)
2173 {
2174 last_log = now;
2175 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
2176 }
2177
2178 return NULL;
2179 }
2180
2181 if (!(f = allocate_frec(now)) && wait)
2182 /* wait one second on malloc failure */
2183 *wait = 1;
2184
2185 return f; /* OK if malloc fails and this is NULL */
2186 }
2187
2188 /* crc is all-ones if not known. */
2189 static struct frec *lookup_frec(unsigned short id, void *hash)
2190 {
2191 struct frec *f;
2192
2193 for(f = daemon->frec_list; f; f = f->next)
2194 if (f->sentto && f->new_id == id &&
2195 (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
2196 return f;
2197
2198 return NULL;
2199 }
2200
2201 static struct frec *lookup_frec_by_sender(unsigned short id,
2202 union mysockaddr *addr,
2203 void *hash)
2204 {
2205 struct frec *f;
2206
2207 for(f = daemon->frec_list; f; f = f->next)
2208 if (f->sentto &&
2209 f->orig_id == id &&
2210 memcmp(hash, f->hash, HASH_SIZE) == 0 &&
2211 sockaddr_isequal(&f->source, addr))
2212 return f;
2213
2214 return NULL;
2215 }
2216
2217 /* Send query packet again, if we can. */
2218 void resend_query()
2219 {
2220 if (daemon->srv_save)
2221 {
2222 int fd;
2223
2224 if (daemon->srv_save->sfd)
2225 fd = daemon->srv_save->sfd->fd;
2226 else if (daemon->rfd_save && daemon->rfd_save->refcount != 0)
2227 fd = daemon->rfd_save->fd;
2228 else
2229 return;
2230
2231 while(sendto(fd, daemon->packet, daemon->packet_len, 0,
2232 &daemon->srv_save->addr.sa, sa_len(&daemon->srv_save->addr)) == -1 && retry_send());
2233 }
2234 }
2235
2236 /* A server record is going away, remove references to it */
2237 void server_gone(struct server *server)
2238 {
2239 struct frec *f;
2240
2241 for (f = daemon->frec_list; f; f = f->next)
2242 if (f->sentto && f->sentto == server)
2243 free_frec(f);
2244
2245 if (daemon->last_server == server)
2246 daemon->last_server = NULL;
2247
2248 if (daemon->srv_save == server)
2249 daemon->srv_save = NULL;
2250 }
2251
2252 /* return unique random ids. */
2253 static unsigned short get_id(void)
2254 {
2255 unsigned short ret = 0;
2256
2257 do
2258 ret = rand16();
2259 while (lookup_frec(ret, NULL));
2260
2261 return ret;
2262 }
2263
2264
2265
2266
2267
Michael's tree of dnsmasq.